IT NEWS

What game caused some players to experience seizures, allows you to have unauthorized sex with Keanu Reeves, features a lead character who can’t keep the contents of his pants contained, was pulled from the PlayStation Store weeks after release, and still managed to shatter sales and streaming records? 

Of course we’re talking about Cyberpunk 2077, the latest game from Polish developer CD Projekt Red.

In spite of countless, often embarrassing, bugs CDPR created an engrossing open world RPG that even the game’s detractors can’t stop hate-playing. Arguably, a big part of Cyberpunk’s appeal is its setting. Taking place in a fictional American metropolis known as Night City during the year 2077, this dystopian vision of the future attempts to cram every single sci-fi cyberpunk trope into one 30 hour game. Hacking, virtual reality, body modification, sentient computer AIs—it’s all in there.

For all its high tech wonder, some aspects of day to day life in Night City feel familiar. The Internet (or Net, as it’s called in the game) looks about the same as it does in real life, with players browsing websites on a monitor, a mouse, and keyboard. And it’s still possible to get a computer virus. In fact, falling victim to a computer virus is central to the game’s plot.

Since Cyberpunk features computers, hacking, viruses, and has the word “cyber” in the title, we obviously had to write about it.

So, the two members of the Malwarebytes Labs staff who actually played the game were asked to weigh in on cybersecurity in Cyberpunk 2077. And if we get to talk about video games for work, we’re all for it.

SPOILER ALERT: This discussion covers some major plot points.

Who are you?

Philip Christian: Hi! I was an avid gamer through college. Now I play a few major releases per year. I completed the main quest in Cyberpunk. All in, I’ve sunk about 70 hours into the game. I played on Google Stadia (don’t hate me). I work at Malwarebytes so I must know something about cybersecurity, but when it comes down to how threats operate on a technical level, I turn to the experts, like Chris.

Chris Boyd: I’m a Lead Malware Intelligence Analyst for Malwarebytes. I’ve played games dating back to the Atari 2600 days, have worked on a few titles you won’t have heard of many moons ago, and particularly enjoy modding the guts out of Bethesda titles. I’ve put roughly 200 hours into Cyberpunk, and spend a long time looking at hacking in games generally.

The most cringeworthy cybersecurity moment?

Philip: The hacking mini game was total baloney. When you try to hack a computer you’re shown this number matrix and you’re trying to select the correct numbers from the matrix. Not sure what this has to do with hacking unless hacking IRL has something to do with Sudoku.

If I’m being generous, it does bear a vague resemblance to brute force attacks, which are kinda big right now. With a brute force you’re just mashing in numbers, letters, and characters hoping you guess the correct login credentials, but you’re doing it really fast with an automated program entering the credentials for you.

Chris: Would have to agree, the hacking minigame is a horribly confusing pattern matching puzzle which is badly explained and not very realistic. This is common in games, and unless the game is entirely focused on hacking I think the right approach is to try and keep it simple. Sadly, that hasn’t worked here.

The most realistic cybersecurity moment?

Philip: There’s a mission in the game where you need to hack into someone’s password-protected computer. The mission entails looking at websites and figuring out the person’s password from what they’ve shared about themselves online. It’s really just a small part of a larger mission to find a missing teenager. This is a more realistic take on hacking than the numbers mini game. We all reveal way too much about ourselves via social media and cybercriminals use that info against us.

Chris: The cybersecurity realism in the game seems to come from incredibly meta real-world happenings related to the title. For example, the character Goro Takemura is a legendary personal bodyguard / security expert who trains literal cyber ninjas. The gag is he is also absolutely useless with technology, and often sends accidental selfies to the player character while trying to do something else.

Sure enough, a bug occurred in the game which could essentially break saves and prevent progress. The cause? Goro, the guy who can’t use his phone properly, would call the player character and the call would bug out.

“Videogame character who can’t use his phone breaks your game, with his phone” is meta enough. But then we have Elon Musk announcing a Tesla model will be able to play cyberpunk, at roughly the same time it’s announced his Neuralink, Musk’s neurotechnology company, may be trialling computer chips in brains by the end of the year.

Being able to play a game about the dangers of placing chips in your brain, in a car built by somebody who wants to put chips in people’s brains, is the kind of crossover I live for!

Best representation of hacking in the future?

Philip: My favorite NPC in the game is Delamain the AI taxi driver. He looks like a cross between Johnny Cab from Total Recall and Death from Bill and Ted’s Bogus Journey. Anyway, his system gets infected by a rogue AI and it’s up to you to help him clean it out and regain control of his fleet of computer controlled taxis. Cars today are computers on wheels and car hacking is already a thing.

Chris: More than the hacking mini game, the real hacking meat on the bone here concerns Biohacking and more technology-centric body modifications. Almost everyone in the game is walking round with some sort of Internet-connected body part at all times.

People can overload your ocular implants, fry chips in your body, shut down devices and leave you at a standstill, wipe your short-term memory, and more.

It’s only natural we’ll see an increasing number of technological solutions for medical issues, and the tech industry has a habit of connecting things to the Internet without much care for security. In some ways the future is already here, and has been for some time.

Pacemaker hacks already exist. “Looping”, a DIY method for hacking your own insulin pump, has brought about a surge in purchases for the device needed to do it. A killer-app remote control for insulin pumps? Yep, those exist too.

As we creep towards Transhumanism, we’re going to have to be very careful regarding our final destination. If we aren’t careful we’ll quickly arrive at a point where anybody could be running anything. How do you prepare for that? How do you secure it? It’s entirely possible that we won’t be able to.

Scariest representation of hacking in the future?

Philip: Someone put out a mod that swaps the Johnny Silverhand skin (modeled and voiced in-game by Keanu Reeves) with one of the sex workers (aka joytoys), allowing your character to have sex with an NPC that looks exactly like Keanu. It’s more weird than anything, but the incident got me thinking about deepfakes. This incident isn’t a deepfake in the strictest sense of the word, but it does give us a high profile example of a real person’s likeness being manipulated with technology. It’s something we’re just starting to see and we should expect to see more of it in the near future.

Chris: In games specifically, character swaps are nothing new. As good as Cyberpunk 2077 looks, even the highly detailed models such as Keanu’s are very much video gamey and not very realistic looking, once you get up close. It’s more an approximation of what the developers think he looks like, as opposed to even a fairly basic deepfake which can look very real indeed. Having said that, the developers were well within their rights to shut the mod down because the modder didn’t have Keanu’s permission. The issue of consent is paramount, whether the mod is ultra-realistic or some sort of PlayStation 2 callback.

I think games have a long way to catch up to deepfake levels of controversy, and this would be a subject to revisit if and when realistic models of real people work their way into VR titles.

What else caught your attention?

Philip: I liked how you could hack mundane items like soda vending machines, TVs, and security cameras as a way of distracting enemies. IRL it’s already possible to hack IoT (Internet of things) devices, control them remotely, and cause them to behave in weird ways. There’s examples of coffee machines being hacked, baby monitors, smart TVs—you name it. If it’s connected to the Internet, it’s susceptible to hacking so maybe think twice. Does your refrigerator really need to be connected to the Internet?

Chris: A major aspect of the game is trying to cheat death by any means necessary. Replacing vital organs and upgrading body parts, even when there’s no medical requirement for it, to make yourself run faster or punch harder. You can even scan people in the street with ocular implants tied to the city’s crime database (hello, facial recognition glasses).

The biggest push where that’s concerned involve’s the game’s main quest. Corporations offer immortality by copying your consciousness to a computer chip, and the ramifications thereof.

It’s amusing to me that we’re playing through this fairly common sci-fi/technology trope at the same time as Microsoft’s patent for dead relatives revived as AI chatbots was discovered.

Where this technology goes from here is anyone’s guess.

Is it safe to mod your game?

Philip: Going back to the Keanu Reeves sex mod thing. CDPR had the mod removed from the site where it was being hosted. Since it’s not available through legitimate channels I think people who are curious will try to obtain it through less safe backchannel methods. This is a perfect scenario for scammers and criminals. In fact, CDPR recently advised gamers not to install mods from unknown sources due to a vulnerability that might allow criminals to remotely execute code on the target system.

Chris: They’ve already updated the game to address issues from that vulnerability, which is great news. Having said that, there’s always a risk from modding any game where you download unknown code and files. Most major mod sites perform some sort of security check on files offered for download, but gamers should always run some tests of their own. You’re entrusting your whole system to random people offering you files.

Some of the mental safeguards we deploy to avoid sketchy downloads tend to come down when modding. “I’m on a trusted site, everything here is legit, what could possibly go wrong”. A little caution is always a good thing where modding is concerned, whether it’s your favorite game or your ocular implants.

The post Cybersecurity in Cyberpunk 2077: the good, the bad, and the cringeworthy appeared first on Malwarebytes Labs.

In 2020, reported losses to the FTC for romance scams went up by 50% from 2019, totalling $304 million. And things weren’t exactly good before: Romance scams have cost people a fortune for 3 years running, according to the FTC. Their latest report suggests a steady rise in these kind of scams generally and ponders the impact of the pandemic. If nobody can go out, it stands to reason that dating in the virtual world would experience a surge of interest.

Love is most definitely in the air for people up to no good.

Some key findings

• Scams often begin on social media but are unexpected. Potential victims aren’t necessarily on a site for dating in the first place.
• The use of gift cards for sending money to scammers increased 70%.
• Reports of money lost increased across every age group in 2020.

Many of the old tricks are still in play, because they’re tried and tested. Throw enough of them out there and a scammer snags a bite eventually. It only takes one or two direct hits to make a small fortune. Meanwhile, people face losing huge sums of money which is often not recoverable.

Sending all my love…and my money

The report mentions many reports of large losses involve scammers claiming to send a victim money. Once the victim receives it, the scammer invents a reason why they need it sent back, or forwarded to a third party. This is how people end up as money mules. As we often mention, this is a bad situation to be in. While the mule ends up in various degrees of legal trouble, the anonymous scammer pulling the strings gets away with it.

It’s unfair, and very cruel for people who would naturally assume they’d done nothing wrong.

We see a variety of romance con-tricks involving requests to move funds. One we examined recently adds a small spin to proceedings. The scam works as follows:

• The scammer connects with a victim on a dating app, and supplies photos and audio recordings.
• After some small talk, the scammer says they want to send the victim some money. The scammer “can’t use their account” from their location, but they’re happy to give login details so the victim can do it themselves.
• The scammer sends a link to a fake banking website where the victim is likely to be asked to complete a transaction, to increase their trust in the scammer, or for their own personal or banking details.

Gift cards: a wealth of opportunity

As mentioned already, gift cards are an attractive proposition for people up to no good. They’re easy to obtain and can be bought in small amounts. Unlike a few years back, they’re not limited to a narrow selection of items or stores. This is good for fakers, because they’re less likely to make victims feel like they’re being sent on a wild goose chase. They can pretty much buy anything and it’ll be of value to the scammer, either through usage or selling on. If gift cards are ever mentioned on dating apps or on social media, you’ve every right to be suspicious.

Steering victims away from the theoretical safety of their online space is a common tactic, not specific to dating scams. (Gaming scams will often take victims away from their gaming console ecosystem to third party sites, for example.) Romance scammers often try to lure people away from the dating apps where they met. This is good for the scammer, problematic for the victim: The digital paper trail becomes muddied, certain protections and safety mechanisms may not apply or be usable, and so on.

A trick of the eye

Catfishing romance scams use fictional personas that often rely on stolen images. People will use photos of models from different parts of the world, or pretend to be U.S. Army soldiers, or even celebrities, to get the job done. All they care about is grabbing the cash, and it doesn’t matter how much the victim on the other side of the screen is impacted.

To combat this, people should make use of reverse image search to see where else the images appear. AI generated images are also common in this realm though, so reverse image search is useful but not foolproof.

On a similar note, refusing to do video calls could be suspicious. They may simply be shy, but one would probably expect video for dating is a reasonable expectation a year into the pandemic.

Tips for avoiding romance scams

Attempts to get you away from the platform where you met, requests for cash, or requests for a lot of personal information / logins should set alarm bells ringing. Asking for money for a visa / travel, or sudden medical aid, should too. Sending scans of passport pages is also a bit unusual. Anything which goes from 0 to 60 in the blink of an eye or seems too good to be true should definitely cause you to be very careful.

Be sure to check out our tips for dating safety and security before you next delve into the world of digital dating. The last thing anybody needs right now is financial fallout caused by a bogus romantic interlude. The more you can reduce the odds of that happening, the better everyone using dating platforms will be for it. Let’s consign these fakers to the digital rubbish bin, where they belong.

The post Romance scams: FTC reveals $304 million of heartache appeared first on Malwarebytes Labs.

Yandex, a European multinational technology firm best known for being the most-used search engine in Russia, has revealed it had a security breach, leading to the compromise of almost 5,000 Yandex email accounts.

The company says it spotted the breach after a routine check by its security team. They found that one of their system administrators with access to customer accounts was allowing third-parties to see some of these accounts “for personal gain”. Yandex made it clear in its official press release that no payment details were compromised.

With so much attention paid to eye-catching external threats like ransomware and BEC, it’s easy to forget that one of the biggest threats organisations face isn’t trying to force its way into their network, it was invited in.

Insider threats

Current and former employees, contractors, business partners, suppliers, third-party vendors, and service providers are all potential insiders. And they don’t have to be technologically savvy to pull off an “inside job”.

In fact, some insiders aren’t even intentionally malicious. The most common cause of incidents is employee negligence, such as the misuse of access privileges or a general inattention to keeping sensitive information private and secure, can cause employers a lot of headaches. This can be further compounded by a lack of effective cybersecurity and privacy training programs or an utter absence of an intentional culture of security.

Negligent and careless employees (or what others call “accidental insider threats”), more often than not, have zero intention to hurt their organizations; malicious employees, on the other hand, knowingly act against their employers for personal gain.

According to the 2020 Cost of Insider Threats: Global Report from the Ponemon Institute, the costliest insider threat is credential theft, which averages to nearly $875,000 USD to remediate. Not only that, incidents of credential theft have tripled in the last 5 years. With a booming demand for employees who are willing to share company secrets with criminals, it wouldn’t be a stretch to expect that cases involving this would be popping up more frequently. They pay well after all.

“Employees are always a prime target for adversaries, whether it is targeting them to leverage their machine or identity or recruiting them actively on a closed source forum,” said Brandon Hoffman, chief information security officer at Netenrich, an IT service management company, in an interview with Threatpost. “There has been several cases where we have seen a disgruntled employee posting messages on the dark web aiming to make a contact where they can ‘cash out’ their leverage as an employee.”

Organizational breaches have become a mainstay in news outlets, with many of them about outside parties forcing themselves inside private networks either by force (hacking) or social engineering (phishing). With the current pandemic and everyone working remotely, spotting insider threats has become more challenging than ever. This should make businesses more vigilant and determined in curbing insider threats before it happens. For those who don’t know where to start, here’s a good place: look at the zero trust model, and see how you can adapt it within your organization.

The post Yandex sysadmin caught selling access to email accounts appeared first on Malwarebytes Labs.

The audio-chat app Clubhouse is the latest rage in the social media landscape. What makes it so popular and, now it’s part of the social media landscape, can we trust it?

The Clubhouse app

Clubhouse was launched about a year ago and was initially only used by Silicon Valley’s rich and famous. It is different from other social media in that it focuses on the spoken word. Clubhouse members can enter virtual rooms to listen in or participate in live conversations. The conversations can only be joined when they are live and the people having the conversation determine who is allowed to listen and who can talk.

The Clubhouse app is freely available for download to every iPhone user, and an Android version is in the pipeline, but participation is kept exclusive by making it invitation only.

Every new user only gets a few (initially only two) invitations to give away. The developers claim it was done this way to allow for a controlled growth, so as not to overload the server infrastructure. Whether by design or coincidence, this also seems to work as a clever marketing scheme. Deep down, we all want to be part of the club of cool kids.

As a member you can select the subjects you are interested in and apply to be allowed in on conversations about those subjects. The conversations are not saved by the app, so the idea is that you “had to be there” to know what they talked about. But in the digital world thinking that some information is gone for good is very often an illusion. What’s to stop someone from recording a conversation they’re in?

Chinese servers

Recently Clubhouse went viral among Chinese-speaking audiences. But as soon as the Chinese government became aware of political discussions on the app, it was abruptly blocked by the country’s online censors, on Monday February 8, 2021. This line of events made some researchers wonder how private the conversations really were.

An investigation by the Stanford Internet Observatory found that some of the back-end infrastructure for the Clubhouse App was provided by Agora. Agora is a Shanghai-based start-up, with US headquarters in Silicon Valley, that sells a “real-time voice and video engagement” platform for other software companies to build upon. Exactly what Clubhouse needed to roll out their app.

The Stanford Internet Observatory

In their blog Clubhouse in China: Is the data safe? the Stanford Internet Observatory (SIO) team unravels the ties between Clubhouse and Agora and speculates not why the Chinese government banned the app, but rather why it took them so long.

According to the article “SIO has determined that a user’s unique Clubhouse ID number and chatroom ID are transmitted in plaintext, and Agora would likely have access to users’ raw audio … It is also likely possible to connect Clubhouse IDs with user profiles.”

In a series of tweets one of the team members, Alex Stamos, adds:

“We found Chinese servers being used even for conversations that only involved Americans.”

He goes on to say that neither Agora, nor another Chinese supplier, EnjoyVC, are listed as data sub-processors in the Clubhouse privacy policy.

Alex Stamos is adjunct professor at Stanford University’s Center for International Security and Cooperation. He is also the former chief security officer at Facebook, so he does know a thing or two about social media.

Clubhouse statement

Clubhouse’s reaction to the analysis done by the Stanford Internet Observatory was:

“Clubhouse is deeply committed to data protection and user privacy.

We designed the service to be a place where people around the world can come together to talk, listen and learn from each other. Given China’s track record on data privacy, we made the difficult decision when we launched Clubhouse on the App Store to make it available in every country around the world, with the exception of China. Some people in China found a workaround to download the app, which meant that—until the app was blocked by China earlier this week—the conversations they were a part of could be transmitted via Chinese servers.

With the help of researchers at the Stanford Internet Observatory, we have identified a few areas where we can further strengthen our data protection. For example, for a small percentage of our traffic, network pings containing the user ID are sent to servers around the globe—which can include servers in China—to determine the fastest route to the client. Over the next 72 hours, we are rolling out changes to add additional encryption and blocks to prevent Clubhouse clients from ever transmitting pings to Chinese servers. We also plan to engage an external data security firm to review and validate these changes.

We welcome collaboration with the security and privacy community as we continue to grow. We also have a bug bounty program that we operate in collaboration with HackerOne, and welcome any security disclosures to be sent directly to security@joinclubhouse.com.”

Countered by Alex Stamos with:

“We found that the use of Shanghai-based Agora is fundamental to the function of the app and building logical and technical controls between the US and PRC infrastructure will be extremely complicated.”

Meaning that not only is the Chinese infrastructure essential for Clubhouse at this point, but it will also prove to be hard to keep the US traffic away from it.

So, is it safe?

As TikTok discovered last year, popularity comes with scrutiny. The Stanford Internet Observatory report is interesting but it isn’t a poof of malice. It should help Clubhouse improve its privacy and security though, and Clubhouse will be under no illusion that people are watching it closely on both sides of the Great Firewall.

Our advice is to treat Clubhouse the same way you do with every social media app. Once you release information on social media it is out of your control and you should treat it as if it’s freely available. It is up to each user to decide much information they are willing to share about themselves. It is not always easy to balance the scales between privacy and social interaction. But it is better to be aware of the risks and not invest your trust in a social media app, just because it is cool to be a part of. Or just because they claim to value data protection and user privacy.

Stay safe, everyone!

The post Clubhouse under scrutiny for sending data to Chinese servers appeared first on Malwarebytes Labs.

Last year, threat actors took advantage of the COVID-19 public health crisis in a way previously considered unimaginable, not only preying on uncertainty and fear during the initial months of the global pandemic, but retooling attack methods, reneging on promises, strengthening malware, and extorting victims to the tune of $100 million—and that was without the threat of ransomware encryption.

In short, in 2020, cyberthreats evolved.

Today, we are showing readers just what that evolution looked like, in our State of Malware 2021 report. This report provides our most comprehensive analysis of last year’s malware trends, with breakdowns by malware category, malware type, operating system, region, industry, and more.

Here are key takeaways of what we learned in 2020:

• Malware detections on Windows business computers decreased by 24% overall, but detections for HackTools and Spyware on Windows increased dramatically—by 147% and 24%, respectively
• Among the top five threats for both businesses and consumers were the Microsoft Office software cracker KMS, the banking malware Dridex, and BitCoinMiners; business detections for KMS and Dridex rose by 2,251% and 973%, respectively
• Detections for the most notorious business threats Emotet and Trickbot fell this year by 89% and 68% respectively, although the operators behind these threats still pulled off several big attacks in 2020
• A new ransomware called Egregor came onto the scene in late 2020, deployed in attacks against Ubisoft, K-Mart, Crytek, and Barnes & Noble
• Overall Mac detections decreased by 38%, though Mac detections for businesses increased 31%
• Malware accounted for just 1.5% of all Mac detections in 2020—the rest can be attributed to Potentially Unwanted Programs (PUPs) and Adware
• ThiefQuest tricked many researchers into believing it was the first example of ransomware on macOS since 2017, but the malware was hiding its real activity of massive data exfiltration. It accounted for more than 20,000 detections in 2020
• On Android, HiddenAds—which aggressively pushes ads to users—racked up 704,418 detections, an increase of nearly 149%
• We twice uncovered pre-installed malware on phones provided by Assurance Wireless through the US government-funded Lifeline Assistance program
• Stalkerware-type app detections—which include detections for Monitor apps and Spyware apps on Android—surged in conjunction with shelter-in-place orders that governments began implementing in February and March: Monitor app detections rose from January to December by 565%; Spyware app detections rose across the same time period by 1,055%
• The agriculture industry suffered through a 607% increase in malware detections, while detections in the food and beverage industry increased by 67%
• More traditional targets, such as manufacturing, healthcare and medical, and automotive all experienced drops in detections by varying degrees—education fell 17%, healthcare dropped 22%, and the automotive industry decreased by 18%

As you can see from these findings, 2020 proved to be a tumultuous year.

When COVID-19 cases first began spiking in several countries, cybercriminals preyed upon people’s fears mercilessly, with an avalanche of coronavirus phishing emails and scams.

Around the world, governments tried to stop their hospitals from being overwhelmed by ordering lockdowns, stay-in-place orders, and school closures. By April 2020, half the world’s population had been asked or ordered to stay at home. As entire businesses switched to remote working, IT teams found themselves trying to fit months-long projects into days, with security an unfortunate but understandable casualty.

Faced with a new landscape, cybercriminals ditched some old tactics and placed a new emphasis on gathering intelligence. And as people adapted to their “new normal,” scammers exploited their isolation with a resurgence in tech support scams. New adversaries crawled out of the woodwork, too. April’s global shutdown was accompanied by a staggering rise in the use of stalkerware, a short-hand term for the type of mobile monitoring and spyware apps that are sometimes deployed by abusive partners.

The pandemic also created new challenges to online privacy. As countries turned to digital contact tracing to contain outbreaks, a stark dichotomy emerged: It is possible for people to have personal privacy or effective contact tracing, but probably not both. Around the world, the progress of privacy-preserving legislation slowed to a crawl.

And what began as a global health crisis soon became a global economic crisis too, with almost no business left unscathed. The fate of different industry sectors was mirrored in the number of cyberattacks they suffered. As the manufacturing and automotive sectors contracted, attackers simply turned their faces to agriculture and other essential industries instead. Ransomware gangs reneged on early promises to stay away from hospitals and hit new lows instead, attacking hospitals and medical facilities in organized campaigns

Through it all, there is one form of business that seems to have thrived in 2020 though—the creation and operation of malicious software. The pace of innovation picked up in 2020 as many entirely new malware families emerged. Ransomware gangs continued to learn from each other too, with successful tactics spreading quickly between them. Perhaps the most important new tactic that emerged was “double extortion,” which saw cybercriminal groups extorting more money with threats to leak sensitive data than from decrypting compromised computers.

If 2020 taught us anything, it’s that cybercrime stops for nothing. There are no targets, and no opportunities for exploitation, that are beyond the pale.

Thankfully, the year had another lesson for us too: That there are heroes everywhere. The healthcare professionals, teachers and other essential workers rightly deserve the loudest acclaim, but heroes emerged in all areas of life. So, we want to offer an enormous thank you to the unsung army of sysadmins and security professionals who moved mountains in 2020 to keep millions of people safe online as the world around them was turned on its head.

To get the full story, read the State of Malware 2021 report.

The post Extortion, precision malware, and ruthless scams. Read the State of Malware 2021 report appeared first on Malwarebytes Labs.

In a collaboration between French and Ukranian law enforcement, arrests have been made that might put a dent in one of the world’s most sophisticated ransomware operations.

As reported first by France Inter, law enforcement made the arrests after French authorities traced ransom payments to individuals located in Ukraine. While the arrests have not been formally tied to Egregor the statements and circumstances surrounding it have led to a lot of speculation. Let’s start with the basic background information.

What is Egregor ransomware?

Egregor is a ransomware-as-a-service (RaaS) operation with multiple affiliates. A great number of Egregor affiliates were formerly tied to the Maze ransomware. Many believe Egregor is a follow up to Maze, because of:

• The similarity of their business models—both used the data exfiltration and extortion method that was introduced at a large scale by Maze.
• The transfer of affiliates from Maze to Egregor before the Maze group announced its retirement.
• The timing of the Maze retirement and the explosive growth of Egregor led security experts to believe that at least some of Maze’s team members created Egregor in cooperation with Egregor’s predecessor Sekhmet. Egregor is considered a variant of Ransom.Sekhmet based on similarities in encryption, obfuscation, API-calls, and its ransom note.

Tracing ransom payments

Some people still believe that Bitcoin payments are completely anonymous and untraceable. This is not true.

The Bitcoin blockchain is an open and transparent ledger. Every payment is publicly visible to anyone and it’s easy to see how coins move from one address to another. Users are pseudonymous, meaning that their activity is visible, but their identity isn’t. Unmasking the flow of money is a matter of tying a real identity to one or more of the Bitcoin addresses in the chain. Successful cybercriminals know this and use mixers or tumblers to hide their tracks.

Usually, the most precarious moment for criminals is when their illegally obtained virtual currency is exchanged for a fiat currency, often referred to as a cash-out point.

Were the arrested people key players?

In the original report the arrested people were mentioned as individuals that provided logistical and financial support. In another report they were said to be people whose job was to hack into corporate networks and deploy the ransomware. But that last bit is usually what the affiliate does, which would suggest they weren’t members of the Egregor crew.

However, some parts of the Egregor infrastructure have been offline for a few days, which may indicate the people arrested played a more important role in the organization. The offline parts are mainly their extortion site, where they published exfiltrated data, and the command and control (C2) infrastructure. For now, it remains unclear what the lasting damage might be.

Arrests follow Egregor attacks in France

France Inter said French authorities got involved in the investigation after several major French companies were hit by Egregor last year, such as game studio Ubisoft and logistics firm Gefco. As a result, an investigation was started last year, and French police, together with European counterparts, were able to track down Egregor members and infrastructure to Ukraine.

This does not mean however that Egregor focused on French victims. The group is active worldwide and has achieved estimated earnings between $40 million and $50 million according to a Chainalysis report. This is since their arrival on the scene in September of last year and makes them one of the five most active and best earning ransomware groups.

The arrests come hot on the heels of the recent, dramatic takedown of Emotet and the surprise retirement of the Fonix ransomware group.

Let’s hope that Egregor is on the way to joining them.

Stay safe, everyone!

The post Egregor ransomware hit by arrests appeared first on Malwarebytes Labs.

The year 2020 will certainly be remembered as one of the most difficult and tragic years humankind has faced in modern times. The global pandemic changed the way we live and work in ways unimaginable, perhaps forever.

It also altered the cybersecurity landscape dramatically. The FBI reported a 300 percent increase in cybercrime in the first quarter of that year, and the rate and cost of ransomware attacks escalated at an unprecedented rate. Almost thirty attacks were reported in December 2020 alone, including the infamous $34 million demand levied against electronics giant Foxconn.

One of the primary reasons these attacks are growing rapidly is due to a shift from secure office locations to less secure remote work environments. Prior to the global pandemic, less than 4 percent of the population worked from home. The genie is out of the bottle now though, and there’s no going back. It’s no surprise then, that a recent Gallup poll found that 82 percent of business leaders plan to maintain a larger work-from-home (WFH) posture well after the pandemic.

While many organizations can benefit from a wider selection of job candidates and reduced maintenance and facility costs, for security professionals, work-from-home environments expand the attack surface they have to protect, and increase the risks for phishing, malware, and ransomware.

The target for today’s organized and sophisticated cybercriminals, like the ones operating Maze or Ryuk, isn’t a single computer, but an organization’s entire network. A majority of all ransomware attacks gain access to a victim’s network  through a “backdoor” approach that exploits weaknesses in Remote Desktop Protocol (RDP) software, or the way it is deployed.

The threat of RDP brute forcing has been widely reported, and brute force protection for RDP has been a “must have” for several years, and yet these attacks continue to succeed. The truth is that simply telling people to harden RDP isn’t working fast enough. Brute force protection needs to be more than just another item in an overworked system administrator’s ever growing task list. Instead, we need to see RDP brute forcing for what it is, an endpoint detection and response (EDR) problem, and handle it there.

Less well publicized are the vulnerabilities that continue to be turn up in popular RDP software. In 2020, security researchers found twenty-five vulnerabilities  in some of the most popular RDP clients used by businesses. These include:

• FreeRDP, which is the most popular open-source RDP client on Github
• Microsoft’s built-in RDP client with the executable file mstsc.exe
• Rdesktop, another open-source RDP client and a default RDP client in Kali distributions of Linux

Many security professionals may not be aware of the reverse RDP vulnerabilities that can affect a remote machine rather than the host where the user is connected. The grunt work of inventory taking and patching remains as vital as ever.

The post RDP, the ransomware problem that won’t go away appeared first on Malwarebytes Labs.

This week on Lock and Code, we discuss the top security headlines generated right here on Labs and around the Internet. In addition, we talk to Adam Kujawa, security evangelist and director of Malwarebytes Labs, about Emotet, the former public enemy No. 1 in the cybercrime world.

What began in 2014 as a simple banking Trojan evolved into one of the most sophisticated malware types in the world, able to insert itself into ongoing email threads between coworkers, recognize and evade virtual environments, and serve as a first step into infecting a corporate network, only to deliver separate malware at a later date. It was bad, bad news.

But on January 27, Emotet got knocked out.

Tune in to hear about Emotet’s past, its evolution, its eventual takedown through an international law enforcement effort, and what the upcoming malware power vacuum means for malware development, on the latest episode of Lock and Code, with host David Ruiz.

You can also find us on the Apple iTunes store and Spotify, plus whatever preferred podcast platform you use.

We cover our own research on:

• How NOT to fail at PDF redaction
• Android devices caught in Matryosh botnet
• Cyberpunk 2077 developer hit by ransomware
• Hackers try to poison drinking water at a facility in Florida
• Microsoft and Adobe fix in-the-wild exploits
• What Google learned from 1 billion evil email scams
• Researcher demonstrates new type of supply-chain attack

Other cybersecurity news:

• Eight Britons arrested over hacking phones of US celebrities (Source: Sky News)
• Scammers are selling fake COVID19 vaccination cards for $20 (Source: InfoSecurity Magazine)
• 223 vulnerabilities identified that were used in recent ransomware attacks (Source: SC Magazine)
• Malicious extension abuses Chrome sync to steal users’ data (Source: BleepingComputer)
• Junior leaders need to move past the discourse surrounding digital media (Source: Modern War Institute)

Stay safe, everyone!

The post Talking Emotet’s takedown with Adam Kujawa: Lock and Code S02E01 appeared first on Malwarebytes Labs.

The UK’s National Crime Agency (NCA)—working alongside the US Secret Service, Homeland Security, the FBI, Europol, and the District Attorney’s Office of Santa Clara California—spearheaded the arrest of eight British citizens in the UK and Scotland, aged between 18 to 26, for a string of SIM swapping attacks that occurred in 2020. These attacks targeted thousands of people and netted some high-profile victims such as online influencers, sports stars, and musicians.

SIM swapping, also known as SIM jacking, is the act of illegally taking over a target’s cell phone number. This can be done in a number of ways, but perhaps the most common involves a social engineering attack on the victim’s carrier.

Claiming to be the number’s owner, attackers call the carrier and persuade them to transfer it to their own SIM card. Because these attacks don’t scale up easily, they are typically used in a targeted way. Before an attack like this is carried out, it is expected that an attacker has already done extensive research about their target, to the point of eliminating any doubt from third-parties.

After an attacker has successfully hijacked their victim’s mobile number, they can use it to send and receive calls and messages (and the victim can’t). For that reason, SIM swapping can be used to circumvent two-factor authentication (2FA) that requires a manually-entered code, sent by SMS message. The consequences can be particularly bad if the victim has an online cryptocurrency account protected by SMS 2FA codes sent to their phone.

According to Europol, the gang used the SIM swaps to “steal money, cryptocurrencies and personal information, including contacts synced with online accounts”. It said that the gang went away with more than $100M USD worth of crypocurrency.

“SIM swapping requires significant organization by a network of cyber criminals, who each commit various types of criminality to achieve the desired outcome,” says Paul Creffield, Head of Operations in the NCA’s national Cyber Crime Unit, in a statement, “In this case, those arrested face prosecution for offences under the Computer Misuse Act, as well as fraud and money laundering as well as extradition to the USA for prosecution.”

The gang also took over the social media accounts of their high-profile targets “to post content and send messages masquerading as the victim.”

As 2FA has become more widely used, SIM swapping stories have become a mainstay of the computer security news. Jack Dorsey, CEO of Twitter, had his Twitter account hijacked in 2019, and when a Florida teen gained access to Twitter’s backend systems and took over the accounts of Bill Gates, Elon Musk, Barrack Obama, and Kanye West in 2020.

While SMS-based 2FA is better than no 2FA protection at all, there are a number of more secure forms available now. Where users have a choice, we encourage them to use hardware keys or FIDO2 devices, or app-based 2FA instead.

The post Gang arrested for SIM-swapping celebrities, stealing $100 million appeared first on Malwarebytes Labs.

In our last blog, Barcode Scanner app on Google Play infects 10 million users with one update, we wrote about a barcode scanner found on the Google Play store that was infected with Android/Trojan.HiddenAds.AdQR. All initial signs led us to believe that LavaBird LTD was the developer of this malware, but since then, a representative from LavaBird reached out to us.  They claimed it was not them who was responsible for uploading malicious versions of Barcode Scanner, package name com.qrcodescanner.barcodescanner, but an account named “The space team.” 

Upfront, we must also say that though we attempted to reach “The space team” when writing this story, we received no response.

Here, we will show the evidence of the case presented by LavaBird.

LavaBird pleading its case

Below we have the original message from LavaBird from February 10, 2020. We have provided minor editing to conceal and remove sensitive information:

“Good day.

We have read the article and are outraged no less than you. We were the intermediary between the seller and the buyer in this situation.

And the application was transferred to the account “The space team”

Herewith the following account details:

Here is their official email (as listed in Google Play) – digitalapp@yahoo.com

We have written them a letter so they should remove their Google Play account.

Also, we reported that account and app to Google.

Lavabird LTD develops and sells applications, and sometimes we buy and sell applications.

We have a lot of useful apps on our account, who always complied to all Google Policies – https://play.google.com/store/apps/developer?id=LAVABIRD+LTD

The update that we published from our account was made by the buyer to verify the key and password from the application.

The buyer was given access to the Google Play console of this application and he updated it himself. After that in a week, we transferred an application to buyer Google Play account – it was 7th of December.

We attached a screenshot, from our developer computer the app is visible – probably because he still has got Barcode app on his device. The app is unpublished, probably, since, for people, who do not have the app installed, you can see only “We’re sorry, the requested URL was not found on this server.”

We are very sorry that the application has become a virus, for us it is not only a blow to our reputation.

We hope users will remove the app with a virus from their phones.

We ask you to change the name of the developer to the real “The space team” and attach actual screenshots if needed.

Regards LAVABIRD LTD”

Transferring of ownership

Let’s start with LavaBird’s claim of transferring ownership to The space team on December 7^th, 2020.  To verify LavaBird’s claims, we search for our own cache Google PLAY webpage of the Barcode Scanner with The space team as owner. Although we’ve included screenshots from the Italian version of the site, here is evidence of ownership to The space team of Barcode Scanner on the date of transfer, December 7, 2020:

Although this may be true, this raises another question. Why did we find evidence of LavaBird being the owner during our last blog prior to the transfer date?  The screenshot from our last blog is December 4, 2020:

Was the malware code really added on December 7, or did it exist before? Did we make a mistake of accusing the wrong developer? Further investigation was needed to verify. Thereupon, we turn to third-party app stores that grab APKs from Google Play the date they upload to Play. Keep in mind these types of app stores do not scan APKs for malware like Google Play does. We assume this is due to them trusting Google Play to do that job in advance. Thus, if malware is later revealed to have gotten onto Google Play, third-party app stores do not remove the APKs from their sites. In other words, use third-party app stores at your own risk. (But for purposes of grabbing old versions of apps, malware versions and all, third-party app stores are great.)

The following shows our findings of analyzing multiple versions of Barcode Scanner, package name com.qrcodescanner.barcodescanner, from third-party app stores. The first version containing malware is Barcode Scanner v1.67. The timestamp is November 28, 2020, before the transfer. Grabbing yet another cache Google Play webpage, we prove that v1.67 ownership belonged to LavaBird LTD at that time:

Furthermore, analyzing Barcode Scanner v1.68, the one in our last blog’s screenshot, we prove it contains malware as well. Hence, our accusation is true. LavaBird is indeed the owner during the time of infection. We then went on to analyze the previous version of Barcode Scanner—v1.62—from August 11, 2020. Lo and behold, this version is clean. This is how we can conclude that the infection starts with Barcode Scanner v1.67.

Clarifications from LavaBird

With many unanswered questions, it was time to reach out to LavaBird. I would like to state upfront that LavaBird was quick to respond to all inquiries and proved very helpful during this process.

The transfer to LavaBird

LavaBird stated originally, “We were the intermediary between the seller and the buyer in this situation.” Not being the original developer, LavaBird was transferred ownership of Barcode Scanner on November 23, 2020.

It is important to note that we were unable to find any cache Google Play webpages to find the previous owner but we can verify that previous app versions did exist based off third-party app store data.

Transferring of keys

The big question for LavaBird is this: If “The space team” is the bad actor here, why is the that first version of Barcode Scanner that contains malware, v1.67, lists its ownership to LavaBird? 

LavaBird explains: 

“To verify the authenticity of the app signing key and password, we gave them (The space team) the option to update the app. As soon as they were convinced of the correctness of the keys, the transaction took place on December 7, the application was transferred to their account.”

The quoted “app signing key” needs some explaining. App signing is setup via Google Play when an app developer first creates an app and wants to upload it onto the digital store. In this process, Google assigns them a keypair. The keypair comes with a public key and a private key.

Every app that is installed from Google Play onto a mobile device is signed with a public key. When an app developer uploads a newer update of the app to Google Play, they sign it with the assigned private key. This is due to the fact that mobile devices will only accept an update of an already installed app when its public key matches the private key. This is done to prevent others from uploading a malicious version of your app to Google Play with a different private key. For this reason, transferring of the app’s signing key when transferring ownership of the app is a legitimate part of process.  Therefore, the request by “The space team” to verify that the private key works by uploading an update to Google Play seems plausible.

Updating the analytics

LavaBird went to on to explain:

“We also agreed to update the app with their analytics (according to them it was just analytics) for half of the sum, before transferring the application.

Our agreement included the conditions that they would check the operation of the application with their analytics, as you can see there were 2 updates. One on November 27 and another on December 4. All updates were made by them. We were in the process of selling the application, so we tested the application only manually.”

Now we know the second reason for the updates is for “The space team” to modify the analytics code. Note that every Android app has some type of analytics in the code which gathers simple data points. Nothing unusual there. Looking at the code of Barcode Scanner versions for myself, there certainly is modification to the analytics code. However, during this same time period is when the adding of the malicious code occurred.

Keep in mind that allowing a developer to modify code, even analytics, before transferring is not common practice. When asked why they did not check the code themselves before allowing the update they replied:

“Usually we do not check the code, because the application will go to another publisher and if he makes mistakes, then it will be a minus for him and not for us.”

LavaBird continued, stating, “We are very sorry that this did not arouse suspicion, again, we thought that the application would be on their account soon and it would not affect us … We were very wrong.”

I also went on to ask if there was any research done on “The space team” to verify trust in them. LavaBird responded that “Unfortunately, we did not have such practice, but this lesson will remain with us for life.” LavaBird apparently found The space team as a buyer through word of mouth.

Thereafter, both updates containing malicious code on November 28 and December 4 are shown with LavaBird LTD being the owner:

It is not until December 7, the date of the transfer, that the owner shows as “The space team.”

Breaking down the timeline

For simplicity, here is a breakdown of the timeline:

• August 11, 2020: Barcode Scanner v1.62 is uploaded to Google Play and is a clean version from owners prior to LavaBird LTD
• November 23, 2020: LavaBird purchases a clean version of Barcode Scanner
• November 25, 2020: LavaBird enters agreements with “The space team”
  • “The space team” claims they need to, according to LavaBird, “verify the authenticity of the app signing key and password” and “update the app with their analytics” which led to updates on Google Play
• November 27, 2020: Barcode Scanner v1.67 is uploaded to Google Play with malicious code added with LavaBird shown as owner
  • LavaBird claims this was done by “The space team” prior to purchase, according to their agreement
• December 4, 2020: Barcode Scanner v1.68 is uploaded to Google Play still containing malicious code
• December 7, 2020: LavaBird transfers ownership of Barcode Scanner to “The space team”
• December 7, 2020: Barcode Scanner v1.69 is uploaded to Google Play with “The space team” as the owner and still contains malicious code

Here is the timeline after the transfer to “The space team”:

• December 21, 2020: Malwarebytes forum patrons first report an instance of infected Barcode Scanner
• December 24, 2020: Malwarebytes for Android adds detection originally as Android/Adware.AdQR.FBG
• December23, 2020: Barcode Scanner v1.71 obfuscates malicious code to evade detection
• December31, 2020: Barcode Scanner v1.73 further obfuscates malicious code to evade detection
• December31, 2020: Barcode Scanner v1.75 further obfuscates malicious code to evade detection
• January 5, 2020: Barcode Scanner v1.75 is last known malware-infected version released on Google PLAY
  • Somewhere thereafter Google Play must have removed the app from the store
• February 1, 2020: Malwarebytes for Android detection updated with increased severity to Android/Trojan.HiddenAds.AdQR which detects all versions
• February 5, 2020: We publish Barcode Scanner app on Google Play infects 10 million users with one update with a screenshot of a Google Play webpage showing LavaBird as owner of the infected Barcode Scanner
• February 10, 2020: We received the original message from LavaBird

More information about the The space team

Alright, so who is “The space team”? The only evidence of them on Google Play is from the Barcode Scanner mentioned and an app called Alarm Clock – Loud and Accurate Alarm, package name com.alarm.clock.wake.up. This app was only on Google Play briefly in December 2020, and is a legitimate, clean app. No other apps appear to exist under the developer’s name.  Because there is only evidence of “The space team” existing from December 2020 to January 2021, we can only assume that the developer account was created in December 2020.

When asking LavaBird of any additional information about “The space team,” they said they “do not have any other information.”

“Also,” LavaBird added, “I think that this is not a company and they can easily create account.” 

In effect, this confirmed my assumptions of them creating an account at the time of transfer. For the purpose of being fair, we did attempt to reach out to “The space team” to comment on the allegations set forth by LavaBird.  They did not respond.

Here is the only information on the “The space team” that we have:

Publisher:
The space team

Email:
digitalapp@yahoo.com

Address:
Ukraine, Krivoy Rog, Kalinina 35

Final Thoughts

From my analysis, what appears to have happened is a clever social engineering feat in which malware developers purchased an already popular app and exploited it. In doing so, they were able to take an app with 10 million installs and turn it into malware. Even if a fraction of those installs updates the app, that is a lot of infections.  And by being able to modify the app’s code before full purchase and transfer, they were able to test if their malware went undetected by Google Play on another company’s account.

There is an important lesson here. To all app sellers, be weary to who you sell. If at all possible, verify their credibility. Furthermore, be skeptical if they are asking unreasonable requests such as modifying code, even analytics, before transfer.

Ultimately, I believe LavaBird’s claims. Unfortunately, LavaBird came in our crosshairs after firing off a blog about this malicious Barcode Scanner. As the evidence shows, we were in right in doing so. Regardless, now knowing the full story we apologize it led to this. We write this in hopes of clearing LavaBrid’s name.

The post Who is to blame for the malicious Barcode Scanner that got on the Google Play store? appeared first on Malwarebytes Labs.