IT NEWS

Aurora campaign: Attacking Azerbaijan using multiple RATs

This post was authored by Hossein Jazi

As tensions between Azerbaijan and Armenia continue, we are still seeing a number of cyber attacks taking advantage of this situation. On March 5th 2021, we reported an actor that used steganography to drop a new .Net Remote Administration Trojan. Since that time, we have been monitoring this actor and were able to identify new activity where the threat actor switched their RAT from .Net to Python.

Document Analysis

The document targets the government of Azerbaijan using a SOCAR letter template as lure. SOCAR is the name of Azerbaijan’s Republic Oil and Gas Company. The document’s date is 25th March 2021 and the letter, related to export of catalyst for analysis, is written to the Ministry of Ecology and Natural Resources. The document’s creation time is 28th March 2021 and is aligned with the date mentioned on the letter. Based on the dates we believe that this attack happened between 28th and 30th of March 2021.

Figure 1: Document lure

The embedded macro in this document is very similar to the one we reported before, with some small differences. We will discuss the similarities between the two documents in the next section.

The macro has two main functions, “Document_Open” and “Document_Close”. In “Document_Open”, after defining the required variables, it creates a directory (%APPDATA%Roamingnettools48) for its Python RAT.

Figure 2: Document_Open

It then copies itself in a new format to the file path defined before in order to be able to extract the required data from an embedded PNG file (image1.png).

Figure 3: Embedded image

To extract the embedded data, it calls the “ExtractFromPng” function to identify the chunk that holds the embedded data. After finding the chunk, it extracts the files from the PNG and writes them into “tmp.zip”.

Figure 4: Chunk identification

The “tmp.zip” archive is then extracted into the “%APPDATA%Roamingnettools48” directory. It contains the Python 3.6 interpreter, the NetTools Python library, the Python RAT, the RAT C2 config, and runner.bat.

Figure 5: Application directory
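As an added example (not code from this post or from the macro it describes), the following Python script walks a PNG's chunk structure the way a hunter would when looking for this technique: it parses every chunk, verifies the CRC, flags chunk types outside the PNG standard, flags payloads that begin with a ZIP local-file-header signature, and reports any bytes after IEND. The sample image is constructed inline with a private chunk named stEg carrying a fake ZIP header; that chunk name and its content are assumptions for the demo, not details taken from image1.png.

```python
import struct
import zlib

# Chunk types defined by the PNG specification (critical and ancillary).
# Any other type is a private chunk and a natural place to hide data.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME", b"eXIf",
}
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
ZIP_LOCAL_HEADER = b"PK\x03\x04"  # first bytes of a ZIP archive


def parse_png(data):
    """Split a PNG into (chunks, trailing_bytes).

    Each chunk is a tuple (type, payload, crc_ok, offset). Parsing stops at
    IEND; anything after it is returned separately as trailing_bytes.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file (bad signature)")
    chunks = []
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        start, end = pos + 8, pos + 8 + length
        payload = data[start:end]
        stored_crc = data[end:end + 4]
        if len(payload) != length or len(stored_crc) != 4:
            raise ValueError("truncated chunk at offset %d" % pos)
        # CRC-32 covers the chunk type and payload, not the length field
        crc_ok = stored_crc == struct.pack(">I", zlib.crc32(ctype + payload))
        chunks.append((ctype, payload, crc_ok, pos))
        pos = end + 4
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def scan_png(data):
    """Return a list of human-readable findings for a suspicious PNG."""
    findings = []
    chunks, trailing = parse_png(data)
    for ctype, payload, crc_ok, offset in chunks:
        name = ctype.decode("latin-1")
        if ctype not in STANDARD_CHUNKS:
            findings.append("non-standard chunk %s (%d bytes) at offset %d"
                            % (name, len(payload), offset))
        if not crc_ok:
            findings.append("bad CRC on chunk %s at offset %d" % (name, offset))
        if payload.startswith(ZIP_LOCAL_HEADER):
            findings.append("chunk %s starts with a ZIP local file header" % name)
    if trailing:
        findings.append("%d bytes of data after IEND" % len(trailing))
    return findings


def make_chunk(ctype, payload):
    """Encode one PNG chunk: length, type, payload, CRC-32 over type+payload."""
    return (struct.pack(">I", len(payload)) + ctype + payload
            + struct.pack(">I", zlib.crc32(ctype + payload)))


def build_sample_png(hide_zip=True):
    """Constructed 1x1 greyscale PNG, optionally with a private 'stEg' chunk."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one grey pixel
    png = PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
    if hide_zip:
        # A fake archive header stands in for an embedded tmp.zip (assumed).
        png += make_chunk(b"stEg", ZIP_LOCAL_HEADER + b"\x14\x00" + b"\x00" * 26)
    png += make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b"")
    return png


if __name__ == "__main__":
    for line in scan_png(build_sample_png()):
        print(line)
```

Pointed at a real file (`scan_png(open("image1.png", "rb").read())`), an empty list means the image contains only standard chunks with valid CRCs and nothing after IEND; a private chunk that starts with a ZIP signature is worth extracting and inspecting.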

The Python RAT is executed when the document is closed. “Document_Close” first delays execution, to evade security detection mechanisms, by running a junk loop 100 times, and then executes runner.bat by calling the Shell function.

Figure 6: Document_Close

runner.bat also delays execution for 64 seconds and then calls Python to execute the Python RAT (vabsheche.py):

SET /A num=%RANDOM% * (80 - 60 + 1) / 32768 + 60
timeout /t %num%
set DIR=%~dp0
"%DIR%python" "%DIR%vabsheche.py"

Python RAT Analysis

The Python RAT used by the attacker is not obfuscated and is fairly simple. It uses the platform library to identify the victim’s OS type.

Figure 7: OS identification

The C2 domain and port are hardcoded in a file in the RAT directory. The RAT opens this file and extracts the host and port from it.

Figure 8: Reads C2 config

In the next step, if the victim is running Windows, it achieves persistence by creating a scheduled task. It first checks whether a scheduled task named “paurora*” exists. If it does not, it reads the content of the bg.txt file, creates a bg.vbs file from it, and then registers the created VBS file as a scheduled task.

Figure 9: Creates Scheduled task

The created VBS file calls the runner.bat to execute the Python RAT.

Figure 10: Scheduled task
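As an added example (not the post’s code, nor the RAT’s), the following Python snippet audits scheduled tasks from the CSV that `schtasks /query /fo CSV /v` produces, flagging the traits described above: a task name starting with paurora, a VBS file launched through wscript/cscript, and a script living under the user’s AppData folder. The sample listing is constructed and trimmed to a few of the verbose columns; the task name suffix, host name and user profile in it are made up, while the paurora* prefix, the nettools48 folder and bg.vbs come from the analysis.

```python
import csv
import io
import re

# Constructed sample of `schtasks /query /fo CSV /v` output, trimmed to a few
# of the verbose columns. "paurora-4f21", "WS01" and "alice" are made up.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Status","Author","Task To Run","Run As User"
"WS01","\Microsoft\Windows\UpdateOrchestrator\Schedule Scan","Ready","Microsoft","%systemroot%\system32\usoclient.exe StartScan","SYSTEM"
"WS01","\paurora-4f21","Ready","WS01\alice","wscript.exe C:\Users\alice\AppData\Roaming\nettools48\bg.vbs","WS01\alice"
"WS01","\OneDrive Standalone Update Task","Ready","WS01\alice","C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe","WS01\alice"
'''

# wscript.exe / cscript.exe, with or without the extension
SCRIPT_HOST = re.compile(r"\b[wc]script(\.exe)?\b")


def suspicious_tasks(csv_text):
    """Return [(task_name, [reasons])] for tasks matching this persistence."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["TaskName"].lstrip("\\")
        cmd = row["Task To Run"].lower()
        reasons = []
        if name.lower().startswith("paurora"):
            reasons.append("task name matches the paurora* pattern")
        if SCRIPT_HOST.search(cmd) and ".vbs" in cmd:
            reasons.append("runs a VBS file through wscript/cscript")
        if "\\appdata\\" in cmd and cmd.endswith((".vbs", ".bat")):
            reasons.append("script launched from the user's AppData folder")
        if reasons:
            hits.append((row["TaskName"], reasons))
    return hits


if __name__ == "__main__":
    for task, why in suspicious_tasks(SAMPLE_SCHTASKS_CSV):
        print(task, "->", "; ".join(why))
```

On a live host, export the listing with `schtasks /query /fo CSV /v > tasks.csv` and pass the file’s text to `suspicious_tasks`; each reason is independent, so a task that only hits the AppData check still deserves a look even without the paurora name.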

The RAT’s main functionality is a loop that starts by creating a secure SSL connection to the server using a certificate file (cert.pem) that was extracted from the PNG file and dropped into the RAT directory.

Figure 11: Makes secure connection to server

After establishing the secure connection to the server, it enters a loop that receives a message from the server and executes different commands based on the message type.

Figure 12: Executes commands

Here is the list of commands that can be executed by the RAT:

  • OPEN_NEW_CONNECTION: Sends a message to the server with False as content
  • HEART_BEAT: Sends a message to the server that the victim is alive
  • USER_INFO: Collects victim info including OS Name, OS Version and User Name
  • SHELL: Executes shell commands received from the server
  • PREPARE_UPLOAD: Checks whether it can open a file to write the data received from the server into, and if so sends a “Ready” message to the server
  • UPLOAD: Receives a buffer from the server and writes it to the file
  • DOWNLOAD: Archives files and sends them to the server

Similarity Analysis

In this section we describe the similarities between the two documents and the TTPs they use. This will help hunters identify future campaigns associated with this actor.

TTPs similarities

  • Used steganography to embed RATs within the embedded images.
  • Used scheduled tasks for persistence. In both cases it created a VBS file to execute the batch runner.
  • Used a batch file with the same name (runner.bat) to execute the final RAT.
  • Used the same technique to exfiltrate data (archive the files and send them to the server).

Documents similarities

  • Both have been obfuscated using the same techniques: inserting random characters into meaningful names to obfuscate function and variable names. After deobfuscation, the function graphs of the two documents are almost identical.
  • Both use a similar method to obfuscate strings: a “MyFunc23” function that receives an array of numbers and decodes it into a string.

Figure 13: Socar.doc

Figure 14: telebler.doc

Other similarities

  • Both C2 domains have resolved to the same IP address.
  • There are overlaps between the commands used by both .Net and Python RATs.

Conclusion

Due to tensions between Azerbaijan and Armenia, cyber attacks against these countries have been increasing in the past year. The Malwarebytes Threat Intelligence Team is constantly monitoring actors that are targeting these countries and was able to identify an actor that has targeted Azerbaijan using different RATs. This actor has used .Net and Python RATs to infect victims and steal data from them. The actor used spear phishing as the initial vector, with steganography to drop a variant of its RATs.

IOCs

socar.doc 42f5f5474431738f91f612d9765b3fc9b85a547274ea64aa034298ad97ad28f4
runner.bat 82eb05b9d4342f5485d337a24c95f951c5a1eb9960880cc3d61bce1d12d27b72
vabsheche.py e45ffc61a85c2f5c0cbe9376ff215cad324bf14f925bf52ec0d2949f7d235a00
bg.vbs 1be8d33d8fca08c2886fa4e28fa4af8d35828ea5fd6b41dcad6aeb79d0494b67
C2 Domain pook.mywire[.]org
C2 IP 111.90.150.37

The post Aurora campaign: Attacking Azerbaijan using multiple RATs appeared first on Malwarebytes Labs.

Pre-installed auto installer threat found on Android mobile devices in Germany

Users primarily located in Germany are experiencing malware that downloads and installs on their Gigaset mobile devices—right out of the box! The culprit installing these malware apps is the Update app, package name com.redstone.ota.ui, which is a pre-installed system app. This app is not only the mobile device’s system updater, but also an Auto Installer known as Android/PUP.Riskware.Autoins.Redstone.


Infected devices and other important notes

Although this issue seems to be primarily found on Gigaset mobile devices, we have also found other manufacturers involved. Here is a list of make/model/OS version of mobile devices found with Android/PUP.Riskware.Autoins.Redstone:

  • Gigaset GS270; Android OS 8.1.0
  • Gigaset GS160; Android OS 8.1.0
  • Siemens GS270; Android OS 8.1.0
  • Siemens GS160; Android OS 8.1.0
  • Alps P40pro; Android OS 9.0
  • Alps S20pro+; Android OS 10.0

We should note that the names Gigaset and Siemens have considerable overlap—Gigaset was formerly known as Siemens Home and Office Communications Devices. We listed both to erase any confusion.

It is important to realize that every mobile device has some type of system update app. Unless you are experiencing the exact behaviors in the next section, you are most likely not infected. Another key point is that this pre-installed update app is not the same as what is described in Android “System Update” malware steals photos, videos, GPS location. In that case, the malware is simply hiding as an update app, but is not a pre-installed system app.

Malware behavior

For most Gigaset users experiencing this infection, com.redstone.ota.ui installs three versions of Android/Trojan.Downloader.Agent.WAGD. The package name of this malware always starts with “com.wagd.” and is followed by the name of the app. Here are some examples:

  • Package name: com.wagd.gem; App name: gem
  • Package name: com.wagd.smarter; App name: smart
  • Package name: com.wagd.xiaoan; App name: xiaoan

According to forum users and analysis, Android/Trojan.Downloader.Agent.WAGD is capable of sending malicious messages via WhatsApp, opening new tabs in the default web browser to game websites, downloading more malicious apps, and possibly other malicious behaviors. The malicious WhatsApp messages are most likely in order to further spread the infection to other mobile devices.

In addition, some users also experience Android/Trojan.SMS.Agent.YHN4 on their mobile devices. The downloading and installation of this SMS Agent is due to Android/Trojan.Downloader.Agent.WAGD visiting gaming websites containing malicious apps. Thereupon, the mobile device contains malware capable of sending malicious SMS messages. As with the malicious WhatsApp messages, it can also send malicious SMS messages to further spread the infection.


Awaiting resolution

Because com.redstone.ota.ui is a system app, you cannot remove it using traditional methods. Further, past evidence from Adups and other variants shows that disabling pre-installed update apps is either impossible or that they re-enable shortly after being disabled. Therefore, just as in the case of UMX back in January 2020, it is up to the device manufacturer to push an update to truly fix this issue. Keep in mind that even after the manufacturer fixes the issue, they can push out yet another update in the future to re-infect. There is some evidence that this has recently been the case with UMX, but that is another blog for another day.

In the case of Gigaset, German blogger Günter Born on his blog Borncity has already gotten the ball rolling by contacting Gigaset to resolve the issue. In the meantime, according to an Attention notice pinned at the bottom of Mr. Born’s blog, he suggests the following (translated from German to English using Google Translator):

Attention: I recommend all Gigaset Android device owners to heed the information in the blog post Malware attack: What Gigaset Android device owners should do now and to lay the device dead. At least until Gigaset has responded and the process has been completely clarified.

A safe workaround

The recommendation above, to quote, “lay the device dead”, may not be an option for some users if this is their only mobile device. Allow me to suggest another option that still gives users the ability to use their Gigaset mobile device safely.

Yes, it is true you cannot remove it using traditional methods, but we have a workaround!

We can use the method below to uninstall Update (com.redstone.ota.ui) for current users (details in link below):

https://forums.malwarebytes.com/topic/216616-removal-instructions-for-adups/

From the tutorial above, use this command during step 7 under Uninstalling Adups via ADB command line to remove:

adb shell pm uninstall -k --user 0 com.redstone.ota.ui

At this point, run a Malwarebytes for Android scan to remove any remaining malware apps.

Checking for updates

Here is the kicker. Remember that the Update app is also the mobile device’s only way to update the system. Thus, if and when Gigaset comes up with a resolution, you will need to check for system updates by re-installing Update.

You can re-install using this command:

adb shell pm install -r --user 0 <full path of the apk>

The two full paths of the APK we have seen so far are as follows:

/system/priv-app/ThirdPartyRSOTA/ThirdPartyRSOTA.apk

/system/app/Rsota/Rsota.apk

If neither of these paths works, you can find the correct path, even after uninstalling for the current user, by running this command:

adb shell pm list packages -f -u

Copy/paste the output into a text editor (like Notepad) and search for com.redstone.ota.ui to find the correct path.
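Instead of searching the listing by hand, the lookup can be scripted. The following Python helper is an added example, not part of this post or of Malwarebytes’ tooling: it parses the `package:<apk path>=<package name>` lines that `pm list packages -f -u` prints, returns the APK path for a given package, lists any packages under the com.wagd. prefix described above, and assembles the reinstall command from the path it found. The sample output is constructed; the com.redstone.ota.ui path is one of the two quoted above, the other entries are made up in the same format.

```python
# Constructed sample of `adb shell pm list packages -f -u` output. Only the
# com.redstone.ota.ui path is taken from the post; the rest is made up.
SAMPLE_PM_LIST = """\
package:/system/app/Bluetooth/Bluetooth.apk=com.android.bluetooth
package:/system/priv-app/ThirdPartyRSOTA/ThirdPartyRSOTA.apk=com.redstone.ota.ui
package:/data/app/com.wagd.gem-1/base.apk=com.wagd.gem
package:/data/app/com.wagd.xiaoan-1/base.apk=com.wagd.xiaoan
"""


def parse_pm_list(text):
    """Map package name -> APK path from `pm list packages -f` output."""
    paths = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:") or "=" not in line:
            continue  # blank lines or adb noise
        # The path may itself contain '=', so split on the last one only.
        path, pkg = line[len("package:"):].rsplit("=", 1)
        paths[pkg] = path
    return paths


def apk_path(text, package):
    """APK path for one package, or None if it is not in the listing."""
    return parse_pm_list(text).get(package)


def packages_with_prefix(text, prefix="com.wagd."):
    """Installed packages whose name starts with the WAGD downloader prefix."""
    return sorted(p for p in parse_pm_list(text) if p.startswith(prefix))


def reinstall_command(text, package="com.redstone.ota.ui"):
    """Build the `pm install -r --user 0 <apk>` command from the listing."""
    path = apk_path(text, package)
    if path is None:
        raise LookupError("%s not found in package listing" % package)
    return "adb shell pm install -r --user 0 %s" % path


if __name__ == "__main__":
    print(reinstall_command(SAMPLE_PM_LIST))
    print("WAGD packages:", packages_with_prefix(SAMPLE_PM_LIST))
```

To use it on a real device, save the output of `adb shell pm list packages -f -u` to a file and pass its contents in place of `SAMPLE_PM_LIST`; the `-u` flag keeps packages that were uninstalled for the current user in the listing, which is why the path is still recoverable after the removal step above.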

If there are no updates to install or if the update that does install does not resolve the issue, remember to once again uninstall Update for the current user.

Never ending battle

Assisting customers with resolving pre-installed malware is a recurring task for me and our mobile support staff. Fortunately, in the case of Gigaset users, there is a workable resolution. If you are experiencing similar or other mobile malware issues you can reach us on our Malwarebytes Forum or, for more thorough support, submit a support ticket. As always, stay safe out there!


Research claims Google Pixel phones share 20 times more data than iPhones

If you’re an Android phone user, now might be a good time to invest in a good pair of ear plugs. Fans of iPhones aren’t known for being shy when it comes to telling Android users that Apple products are superior, and things may be about to get worse, thanks to a new research paper (pdf).

Researchers of the School of Computer Science and Statistics at Trinity College Dublin, Ireland decided to investigate what data iOS on an iPhone shares with Apple and what data Google Android on a Pixel phone shares with Google. Whilst it may not be the smoking gun some think it is (we think the sheer amount of telemetry data may come as a surprise for both sides of the argument), it didn’t go well for Android.

Research outline 

To get fair results a researcher needs to define experiments that can be applied uniformly to the handsets studied, to allow for direct comparisons, and the experiment needs to generate reproducible behavior. The research team decided to focus on the handset operating system itself, separate from optional services such as maps, search engines, cloud storage, and other services provided by Google and Apple. Although these come with practically every device, privacy-conscious minds are prone to disable these services.

The user profile was set to mimic a privacy-conscious but busy/non-technical user, who when asked does not select options that share data with Apple and Google. Otherwise, the handset settings were left at their default value. 

Test moments 

Data transfer was measured at 6 specific points of action during the phones’ normal use: 

  • On first startup following a factory reset 
  • When a SIM was inserted/removed 
  • When a handset was left idle 
  • When the settings screen was viewed 
  • When geolocation services were enabled/disabled 
  • When the user logged in to the pre-installed app store 

Test results 

Both iOS and Google Android transmit telemetry, despite the user settings. According to the research, both Android and iOS handsets shared data with Google and Apple servers every 4.5 minutes, on average.

Android handsets, however, appear to share 20 times more telemetry data than iPhones. During the first 10 minutes after startup the Pixel handset in the test sent around 1MB of data to Google, compared with the 42KB of data the iPhone sent to Apple. When the handsets were sitting idle the Pixel sent roughly 1MB of data to Google every 12 hours, compared with the iPhone’s 52KB sent to Apple.

We should be careful not to draw too many conclusions from just the size of the data though. The quantity of data can be affected by things like the choice of protocols and whether or not compression is used. What matters far more, is the type of information being shared.

Type of information 

Researchers noted that devices on default privacy settings share information related to the IMEI, SIM serial number, phone number, hardware serial number, location, cookies, local IP address, nearby WiFi MAC addresses, and advertising ID. When a user has not yet logged in, Android phones don’t send location, IP address, and nearby WiFi MAC addresses, while iPhones don’t send their own WiFi MAC address. 

Unused apps and services 

Several of the pre-installed apps/services are also observed to make network connections, despite never having been opened or used. In particular, on iOS these include Siri, Safari and iCloud. On Google Android these include the YouTube app, Chrome, Google Docs, Safetyhub, Google Messaging, the Clock and the Google Search bar. 

Concerns 

The collection of so much data by Apple and Google raises some major concerns. Firstly, this device data can be fairly easily linked to other data sources. This is certainly no hypothetical concern since both Apple and Google operate payment services, supply popular web browsers, and benefit commercially from advertising.  

Secondly, every time a handset connects with a back-end server it necessarily reveals the handset’s IP address, which is a rough proxy for location. The high frequency of network connections made by both iOS and Google Android (on average every 4.5 minutes) therefore potentially allows Apple and Google to track device location over time.

And last but not least, there is the apparent inability of users to opt out. In the report the head researcher outlines a method to prevent the vast majority of the data sharing, but noted that it needs to be tested against other types of handsets. And from my perspective it’s not easy to pull off, and it would not stop everything.

Apple and Google do not agree 

The head researcher sent his findings to both companies. Google offered some clarifications and expressed its intention to publish documentation on the telemetry data collection soon. 

Apple noted that the report gets many things wrong. For instance, the company says that personal data sent to Apple is protected, and the company doesn’t collect data that can be associated with a person without their knowledge or consent. Google calls into question the methods used to determine the telemetry volume on Android and iOS. It claims the study didn’t capture UDP/QUIC traffic, nor did it look at whether the data was compressed or not, which could skew the results. 


Has Facebook leaked your phone number?

Unless you keep your social media at a pole’s distance, you have probably heard that an absolutely enormous dataset—containing over 500 million phone numbers—has been made public. These phone numbers have been in the hands of some cybercriminals since 2019 due to a vulnerability in Facebook that allowed personal data to be scraped from the social media platform, until it was patched in 2019.

But now some miscreant has posted the entire dataset on a hacking forum, so every lowlife out there has access.

When did this happen?

In an apparent attempt to play down the seriousness of the situation, Facebook spokesperson Liz Bourgeois tweeted Saturday that the leak involved “old data that was previously reported on in 2019.” Some reports say the data was scraped in 2019, others talk about early 2020. To be honest, between scraping vulnerabilities dating back to 2010, and the Cambridge Analytica scandal, an old data breach is still a data breach, and you’re probably still going to need to pay attention to it. Whether you like it or not.

If you are, or were, a Facebook user this may very well concern you.

Why it still matters

Access to personal data allows cybercriminals to seem more believable when they pretend to be somebody, making social engineering and ID theft easier, and unlike passwords, many of them can’t be changed. There are countless examples of how personal information helps criminals, but here are three to give you a sense of what’s at stake.

The first thing that comes to mind is a scam where people text you pretending to be a relative or dear friend. First, they tell you they have a new phone number and then they ask you to transfer some money on their behalf.

The scam is more likely to succeed if the threat-actor has some private information that can convince you they are who they claim to be. And with the correlation between your Facebook profile and your telephone number, depending on your settings they can look up:

  • Who your family and friends are
  • How you phrase your responses to each other
  • Some events from your life to talk about

Together with your phone number, that gives them an excellent attack vector for this type of scam.

Another devilish scheme can unfold if they have enough information about you to convince your telephone company that they are the cell phone owner. This can usually be done by providing the carrier with a phone number, a home address and the last four digits of a Social Security number.

Or you could become a victim of a text variant of Business Email Compromise (BEC), one of the most profitable phishing scams, which is easier to pull off if the threat actor has more information available.

Limiting what you share

First off, cybercriminals don’t care where or how they get your information, so take care to hide your personal information on Facebook from profile visitors that are not friends. Facebook has a help page for this called Control Who Can See What You Share.

Figure: Facebook privacy settings

Go through that list and ask yourself if everyone needs to see all of that, and what you would rather hide from prying eyes.

Also, now that you know the information is out there, be vigilant, especially about unsolicited texts and phone calls. If any new tactics evolve from this you can always read about it right here.

How to check if your phone number is involved

There are a few sites that offer you the chance to look up your phone number and see if it’s been leaked. One that we trust, and that allows visitors to look for phone numbers from every country is the well-known have i been pwned?

Troy Hunt, the security guru that runs HaveIBeenPwned, explains in detail why he decided to include this dataset as a searchable entity on his blog. If you are too curious and want to dive right in, please note that you need to enter your phone number in the E.164 international standard format. Which is not as hard as it sounds. Replace the trailing 0 with your country code, only use numbers, and you should be good to go.
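As an added example, not from this post or from haveibeenpwned, here is a small Python helper that turns a number written in its domestic form into E.164: it strips formatting characters, drops the national trunk prefix (the 0 that most countries put at the start of domestic numbers), prepends the country code, and enforces the 15-digit maximum the standard imposes. Numbers already written with a leading “+” are passed through with only their formatting removed. The sample numbers in the test are constructed.

```python
import re

E164_MAX_DIGITS = 15  # an E.164 number has at most 15 digits after the '+'


def to_e164(number, country_code, trunk_prefix="0"):
    """Normalise a phone number to E.164 ("+" followed by up to 15 digits).

    number        -- as a person would write it; spaces, dashes and
                     brackets are allowed and ignored
    country_code  -- the country calling code, e.g. 44, "49" or "+1"
    trunk_prefix  -- the domestic dialling prefix that is dropped in
                     international format ("0" for most countries; pass ""
                     where the domestic form has none)
    """
    raw = number.strip()
    digits = re.sub(r"\D", "", raw)
    cc = re.sub(r"\D", "", str(country_code))
    if not 1 <= len(cc) <= 3:
        raise ValueError("country code must be 1 to 3 digits")
    if raw.startswith("+"):
        # Already international: keep the digits as they are.
        full = digits
    else:
        if trunk_prefix and digits.startswith(trunk_prefix):
            digits = digits[len(trunk_prefix):]
        full = cc + digits
    # Reject numbers with no subscriber part or more digits than E.164 allows.
    if len(full) <= len(cc) or len(full) > E164_MAX_DIGITS:
        raise ValueError("not a valid E.164 number: +%s" % full)
    return "+" + full


if __name__ == "__main__":
    # Constructed examples: a UK mobile, a Berlin landline, a US number.
    for n, cc in (("07911 123456", 44), ("(0)30 12345678", "49"), ("+1 212 555 0100", 1)):
        print(n, "->", to_e164(n, cc))
```

The helper does not validate that the subscriber part is a real allocation for that country; it only produces the shape a lookup form expects, which is what matters when entering a number on the site.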

Stay safe, everyone!


A week in security (March 29 – April 4)

Last week on Malwarebytes Labs, our podcast featured Malwarebytes senior security researcher JP Taggart, who talked to us about why you need to trust your VPN.

You’ve likely heard the benefits of using a VPN: You can watch TV shows restricted to certain countries, you can encrypt your web traffic on public WiFi networks, and, importantly, you can obscure your Internet activity from your Internet Service Provider, which may use that activity for advertising.

But obscuring your Internet activity—including the websites you visit, the searches you make, the files you download—doesn’t mean that a VPN magically disappears those things. It just means that the VPN itself gets to see that information instead.

On Malwarebytes Labs, we also wrote about six social media safety sins to say goodbye to, and we advised Steam users not to fall for the “I accidentally reported” scam that is making rounds right now. We also covered how a 5G slicing vulnerability could be used in DoS attacks, the one reason your iPhone needs a VPN, what you need to know about malicious commits found in PHP code repository, the latest ransomware attacking schools, called PYSA, and we tried to report on the npm netmask vulnerability in a way that anyone can actually understand it.

Finally, we looked at the latest Android “System Update” malware that steals photos, videos, GPS location, and we thought it was time to cool down some fervor and say that, you know what, Internet password books are OK.

Other Cybersecurity news:

Stay safe!


Relax. Internet password books are OK

Passwords are a hot topic on social media at the moment, due to the re-emergence of a discussion about good password management practices.

There’s a wealth of password management options available, some more desirable than others. The primary recommendation online is usually a software-based management tool. Some include online syncing alongside web browser extensions. Others involve syncing passwords with services such as Dropbox.

That’s before we get to the notepad on desktop aficionados, or the time-honoured tradition of the Post-It note on the office monitor. Today, we’re here to talk about perhaps the most controversial method of password storage though.

The big book of passwords

There’s one password management tool which experiences more than its fair share of derision—the oft-maligned Internet password book. These are, as you may expect, physical books which are little more than empty notepads with “Internet password book” written on the front. Some allow owners to group logins by category, or add additional notes as they see fit.

For various reasons, you’ll usually see them being rubbished on social media as the worst thing around for password management. It’s a passionate debate, and one which comes back to life every 6 months or so. The most recent bi-annual flurry of excitement was kicked off by BBC technology reporter Zoe Kleinman:

One important aspect of whether these books should be used at all is something called a threat model. If you’re hoping for a brief run down of what a threat model is, then great news…that’s exactly what we’re going to do.

Threat models

The best description I’ve seen of what threat modelling consists of, is in an article by Katie Nickels who says it’s “the process of figuring out what you have that adversaries care about”.

We don’t all face the same risks, and we don’t all need to take the same precautions as a result. When you see the latest sophisticated nation state attack in the news, it’s bad. But, like most people, you can probably go on as if nothing has happened. That clever spearphishing attack targeting a dozen or so individuals worldwide?

It’s targeting a dozen or so individuals worldwide.

You’ll never see it, and you almost certainly won’t receive messages from Google about it. It’s not in your threat model.

My personal security concerns are based around what’s important to me, what I want to secure, which bits I’m not bothered about, and what is absolutely mission critical at all costs. That’s my threat model.

Sizing up your adversary

You may not need to worry about nation state attacks, but you’ll almost certainly have something in place for the 600th fake tax return invoice landing in your mailbox. That’s an aspect of your threat model you know your business is up against, you know what they’re after, and you’ve put solutions in place to ward it off. It may or may not be the single most important threat your organisation faces…or it might be mid-tier. It will differ from place to place, and that’s fine.

What tends to happen when we see the infamous password book on display, is we apply a one-size-fits-all approach and dismiss it as silly or bad practice.

Well, it could definitely be sub-optimal for someone working with sensitive data. There are far better ways for those individuals to secure their digital demands, in ways that scale up to the likely threats they face. On the other hand, there are many people out there for whom the books will be a perfect fit:

  • People who are simply unfamiliar or uncomfortable with computers. This isn’t uncommon.
  • Those with accessibility or cognitive issues.
  • Folks who feel a lack of control at placing all their password eggs in one (digital) basket.

Password managers

The two pillars of bad password practices are reuse, and poor password selection. Software-based password managers are excellent tools for dealing with both problems, which is why they are so widely recommended. They are great for creating increasingly complex passwords all gated behind a variety of secure login methods. Everything from 2FA, to regional login lockouts are yours for the taking. That’s great! The more choice, the better.

Even so, many people won’t ever bother with password managers.

Maybe they’re overwhelmed for choice, or the tools they know of don’t meet specific operational requirements. Perhaps the tool they really want to use has no browser extension, or it’s offline only instead of syncing online. It’s also possible they may just find the whole thing too fiddly or complicated, or simply not know they exist.

Depending on OS, type of device, and feature set, something that should be easy can very easily become a chore. From there, bad habits can start to set in, including the eventual removal of the password manager. It’s then a short hop back to Password123.

Password management books: what works and what doesn’t

Some common objections to password books are as follows:

  • If you lose the book while out and about, you’ve lost access to everything.
  • Having to type in your passwords while reading them from a book, instead of having a password manager do it for you, could encourage people to use simple passwords instead of complex ones.
  • Books become a form of abandonware over time, with missing entries, torn pages, logins which have been changed online and not updated, and other logins which never end up in the book at all.

The counters to these points are lengthy, so they get their own sections:

Loss or theft of a password book

Losing the book while outside the home isn’t that different from losing access to a password vault because of technical problems, forgotten master passwords, or other unforeseen happenings. In both cases, something has gone wrong. At least in the case of the book, it’s likely to be kept at home and is reliant on multiple real-world layers of physical security.

That’s much more reliable than “password management tool has their database broken into by anonymous criminals, and there’s nothing you can do about it”. If your home is burgled, you have bigger fish to fry than worrying about your logins. Also, realistically, burglars are looking for expensive items they can take and then sell on. They do not care about the password book in your clothes drawer.

Password books: encouraging simple passwords?

Could books encourage simple passwords? It’s quite possible. Some may find it rather aggravating to hammer out dozens of complicated passwords from page to screen whenever they log in. In my experience, people writing passwords down tend to take more of an interest in making everything unique. After all, nobody is filling 30 pages of a password book with “password123”. What’s the point? Sure, we could end up with a variety of password1234/5/6 instead, but it’s still a bit more varied than the alternative.

I’ve also seen people write passwords only – not usernames or service / website on the pages. What they do instead, is associate certain pages with certain services. This is a great defence against theft or loss, but I’d be worried about forgetting the order. This is also a major negative if the book owner dies and family members need to attempt some form of data recovery. Where would you even begin?

Abandonware in paper format?

Abandonware books, what a concept. I think there’s some merit to this one, but I also think it offers a glimmer of hope. I know someone who did this, and what was happening was a slow transition to software password managers. If filling in some passwords in a book is the stepping-stone someone needs to feel more confident about moving logins to the PC, more power to them. It’s also possible some folks have typed out passwords from books so many times that they can remember the important ones anyway.

This concludes my lengthy counterpoint section.

Maybe they’re not the worst idea after all

The takeaway here is we’re dealing with an imperfect, messy solution for a messy, imperfect requirement to use our accounts. In situations where friends or relatives simply won’t entertain a password manager, it could be a decent (if not the only!) alternative. It really depends on the individual, and how safe it’ll be to drag their logins from screen to page. The password book won’t work for everybody, but it will definitely work for somebody and I think that’s perfectly fine.

The post Relax. Internet password books are OK appeared first on Malwarebytes Labs.

Android “System Update” malware steals photos, videos, GPS location

A newly discovered piece of Android malware shares the same capabilities found within many modern stalkerware-type apps—it can swipe images and video, rifle through online searches, record phone calls and video, and peer into GPS location data—but the infrastructure behind the malware obscures its developer’s primary motivations.

First spotted by the research team at Zimperium zLabs, the newly found malware is already detected by Malwarebytes for Android. It does not have a catchy name, but because of its capabilities and its method for going unnoticed, we are calling it Android/Trojan.Spy.FakeSysUpdate, or in this blog, “FakeSysUpdate” for short.

FakeSysUpdate is not available on the Google Play store, and it is currently unclear how it is being delivered to Android devices. Even more obscured is the visibility of the app to victims.

Once FakeSysUpdate is implanted on a device, it disguises itself to its victims by masquerading as a generic “System Update” application. In fact, when a threat actor uses FakeSysUpdate to steal targeted information from an infected, asleep device, FakeSysUpdate will also send a fraudulent notification posing as a “System Update” that is “Searching for update.”

Beneath the surface, FakeSysUpdate can let a malicious actor steal highly sensitive information while also granting them dangerous control of a victim’s device.

According to Zimperium zLabs, the malware can allow a threat actor to monitor GPS locations, record phone calls, record ambient audio, take photos from the front-facing and rear-facing cameras on a device, observe the device’s installed applications, inspect bookmark and search history from Google Chrome, Mozilla Firefox, and Samsung Internet Browser, and steal SMS messages, phone contacts, and call logs.

If you’ve read our coverage on these types of capabilities in the past, you might think that FakeSysUpdate is just the latest stalkerware-type app on the market. After all, the threats of stalkerware are near identical—pinpointed GPS locations that can reveal a domestic abuse survivor’s location after escape, stolen text messages that can uncover a survivor’s safety planning, and broad, non-consensual invasions of privacy that can harm anyone.

But the inner workings of FakeSysUpdate potentially betray the common uses of stalkerware.

First, according to the researchers at Zimperium zLabs, once the malware is installed on a device, the device is registered with the Firebase Command and Control (C2), upon which a threat actor can send commands through the Firebase messaging service to, for instance, steal a device’s contacts list, record microphone audio, or take a picture using the device’s cameras.

At issue here is who can send the C2 commands. If the commands can be sent by the app’s users, so they can spy on their victims, then it looks like a stalkerware-type app. If the commands can only be issued by the app’s creators, then there’s a good chance that FakeSysUpdate is not stalkerware, but information-gathering spyware. Unlike stalkerware, most (but not all) spyware doesn’t care who its victims are—it is simply looking for information that can be used for extortion or to facilitate further attacks with malware.

That’s contrary to many of the stalkerware-type apps that we see, which are, for lack of a better word, “user-friendly.” They do not require a high-tech proficiency to use or understand. They do not have illegible interfaces. Instead, these apps have familiar layouts, intuitive designs, and easy-to-use commands. For many apps, it’s as simple as logging into a web platform, clicking a menu item, and browsing through private photos without any consent.

Which brings us to the second point: If this piece of malware isn’t being advertised—or if it isn’t really known—as a stalkerware-type app, then it’s less likely that it’s been built as one.

Stalkerware-type apps do not hide in the shadows. They flood Google results for anyone searching how to spy on their romantic partners. They place sponsored articles in major city newspapers (yes, really). The more egregious ones even advertise themselves specifically on their so-called abilities to “catch” cheating partners.

Without knowing how FakeSysUpdate is being advertised—which relates to our lacking information on how it is primarily being delivered to devices—we cannot definitively ascertain its purpose.

Despite the uncertainty, though, one thing is clear: This piece of malware could be devastating. Whether for malicious information gathering or for non-consensual surveillance of a romantic partner, these invasions of privacy are flat-out wrong.

We thank Zimperium zLabs for discovering this malware and for bringing it to the public’s attention.

The post Android “System Update” malware steals photos, videos, GPS location appeared first on Malwarebytes Labs.

The npm netmask vulnerability explained so you can actually understand it

The popular npm netmask library recently encountered a serious problem, explained as follows:

The npm netmask package incorrectly evaluates individual ipv4 octets that contain octal strings as left-stripped integers, leading to an inordinate attack surface on hundreds of thousands of projects that rely on netmask to filter or evaluate ipv4 block ranges, both inbound and outbound.

Got that?

In case you can’t read mumbo jumbo, hold on, and I’ll try to explain.

The basics

The npm library netmask is used by hundreds of thousands of applications and amasses over 3 million weekly downloads. It is used to read and manipulate IP addresses.

If you understand IP addresses and octals, you can skip the next section.

IP address

An IP address tells us how to find a certain device within a network. For each network a computer is connected to, it has an IP address on that network. The IP address for this website is 130.211.198.3, for example.

Some things that happen inside a computer rely on an IP address too. For that we can use either 0.0.0.0 or 127.0.0.1, which is why that one is called “home” or “localhost”.

Domains, names used to address computers, are associated with IP addresses. The Domain Name System (DNS) translates domain names used by people, like blog.malwarebytes.com, into the IP addresses used by computers, like 130.211.198.3. DNS is often compared to a phone book where you can look up a person’s name to find their phone number.

IPv4 octets

When you see an IP address you will probably recognize it for what it is. The typical format of an IP version 4 address is very familiar: Four numbers between 0 and 255 separated by three dots.

In fact, an IP address is a decimal representation of a 32-bit number. The 32-bit number is grouped 8 bits at a time, and each group of 8 bits is an octet. The octets are separated by a dot and represented in decimal format; this is known as dotted decimal notation. The possibilities range from 0.0.0.0 to 255.255.255.255.

The difference between decimal and octal

Decimal means a number expressed in the base-ten system which is the system that we use every day that uses the digits 0 to 9, whereas octal means the number system that uses the eight digits 0, 1, 2, 3, 4, 5, 6, 7.

Since an IP address is a 32-bit number it makes a lot of sense to use the octal number system. In that system the dotted octal form of 127.0.0.1 looks like 0177.0000.0000.0001. Here’s why:

In decimal, numbers are written according to how many ones they have, how many tens, how many hundreds, and so on. So the number 127 is 1 * 100, 2 * 10 and 7 * 1.

In octal, numbers are written according to how many ones they have, how many eights, how many 64s, and so on. So the number 127 is represented as 0177, which is 0 * 128, 1 * 64, 7 * 8 and 7 * 1.

Using different numerical systems is no problem for computers, as long as it’s clear which one you are using. Allowing mixed input for an application is asking for problems, however.

The netmask vulnerability

Zeroes

To understand the problem it helps to understand how things are supposed to work. Copy the octal IP address 0177.0000.0000.0001 into your browser address bar. It should be correctly translated to 127.0.0.1. Now try 0177.0.0.1 in the same browser. It still takes you to 127.0.0.1, even though we did not write out the last three octets in full.

127.0.0.1 and 0177.0.0.1 look like they are in the same notation but they are not. The first zero on 0177.0.0.1 makes all the difference, and your browser knows this.

The bug

The problem with netmask was that it stripped leading zeroes from IP addresses. So, if you fed it an address that starts with a zero, like 0177.0000.0000.0001, it would not recognise it as an octal address and turn it into the decimal version, 127.0.0.1, like your browser does. Instead it would treat it as a decimal address, 177.0.0.1, which is an address for a completely different computer.

While this may seem more of an inconvenience than a security problem at first sight, when an attacker is able to influence the IP address input being parsed by the application, the bug can give rise to various vulnerabilities.

Private IP or not?

Remember when I wrote that your computer has an IP address in every network it is connected to? Some IP address ranges are reserved for internal networks and can’t be used on the Internet. The most well-known is probably 192.168.1.0 to 192.168.1.255, often written as 192.168.1.xxx. Many home networks use the 10.0.1.xxx network range.

Importantly, many systems are set up to be more trusting towards traffic coming from inside a private network. See how that might pose a problem? If an attacker fed a vulnerable version of netmask the address 012.0.0.1, netmask would read it as the public address 12.0.0.1 instead of the private address 10.0.0.1.
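To make the octal-versus-decimal mix-up and the private/public flip concrete, here is an added example (not netmask’s own code, and not from the article). It parses each octet two ways: strictly, honouring a leading zero as the octal prefix the way the browser does, and leniently, dropping leading zeroes and reading the rest as decimal, which is the behaviour the article describes for the vulnerable version and is modelled here as an assumption. A simple RFC 1918/loopback check then shows how the two readings disagree on whether 012.0.0.1 is private.

```javascript
// Added example: strict (octal-aware) vs lenient (leading zeroes dropped)
// IPv4 octet parsing, and the effect on a private-address check.

// Parse one octet the conventional way: a leading 0 marks octal.
function parseOctetStrict(text) {
  let value;
  if (/^0[0-7]+$/.test(text)) {
    value = parseInt(text.slice(1), 8);          // "0177" -> 127, "012" -> 10
  } else if (/^(0|[1-9][0-9]*)$/.test(text)) {
    value = parseInt(text, 10);                  // "127" -> 127
  } else {
    throw new Error(`invalid octet: ${text}`);   // e.g. "08" is not octal
  }
  if (value > 255) throw new Error(`octet out of range: ${text}`);
  return value;
}

// Parse one octet the way the article says the vulnerable code did:
// leading zeroes are ignored and the digits are read as decimal.
function parseOctetLenient(text) {
  if (!/^[0-9]+$/.test(text)) throw new Error(`invalid octet: ${text}`);
  const value = parseInt(text, 10);              // parseInt("0177", 10) === 177
  if (value > 255) throw new Error(`octet out of range: ${text}`);
  return value;
}

// Parse a dotted address with the given octet parser; return canonical
// dotted-decimal form.
function parseIPv4(address, parseOctet) {
  const parts = address.split('.');
  if (parts.length !== 4) throw new Error(`expected 4 octets: ${address}`);
  return parts.map(parseOctet).join('.');
}

// Dotted decimal -> unsigned 32-bit integer.
function toUint32(dotted) {
  return dotted.split('.').reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
}

// RFC 1918 private blocks plus loopback, as [network, prefix length].
const PRIVATE_BLOCKS = [
  ['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16], ['127.0.0.0', 8],
];

// True if the canonical dotted-decimal address falls in a private block.
function isPrivate(dotted) {
  const ip = toUint32(dotted);
  return PRIVATE_BLOCKS.some(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((ip & mask) >>> 0) === ((toUint32(net) & mask) >>> 0);
  });
}

// Classify one input address under both parsers.
function classify(address) {
  const strict = parseIPv4(address, parseOctetStrict);
  const lenient = parseIPv4(address, parseOctetLenient);
  return {
    strict, lenient,
    strictPrivate: isPrivate(strict),
    lenientPrivate: isPrivate(lenient),
  };
}

// Constructed inputs taken from the article's own examples.
console.log(classify('0177.0000.0000.0001'));
// strict 127.0.0.1 (loopback, private); lenient 177.0.0.1 (public)
console.log(classify('012.0.0.1'));
// strict 10.0.0.1 (private); lenient 12.0.0.1 (public)
```

A filter built on the lenient reading lets 012.0.0.1 through as a public address while the operating system connects to 10.0.0.1, which is exactly the trust bypass the maintainer describes.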

According to netmask’s own maintainer, the vulnerability could have allowed an attacker to abuse this trust and gain access to all kinds of things they shouldn’t:

A remote authenticated or unauthenticated attacker can bypass packages that rely on netmask to filter IP address blocks to reach intranets, VPNs, containers, adjacent VPC instances, or LAN hosts

CVE-2021-28918

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This zero-day is listed as CVE-2021-28918.

The fix for CVE-2021-28918 has been released in version 2.0.1 of netmask on npm. The Perl component Net::Netmask also suffered from this flaw, and its maintainer, Joelle Maslak, has released a fix in version 2.0000 today.

Stay safe, everyone!

The post The npm netmask vulnerability explained so you can actually understand it appeared first on Malwarebytes Labs.

Malicious commits found in PHP code repository: What you need to know

You’ve probably heard that PHP’s Git repository was recently compromised, allowing backdoors to be added to the code located there. You may also be wondering what that means, what a supply chain attack is, and how you could be affected. Read on and we’ll lead you through a straightforward description of this attack’s many moving parts.

What is a supply chain attack?

This is where an attacker compromises something a project or organisation depends on. In the world of modern software development, where third-party code is reused on a massive scale, it often means compromising something used by lots of other organisations, which can result in the compromise of everyone else further down the chain too.

The bigger the target they snag initially, the wider the reach as the attack slides downstream. This can be very messy to sort out afterwards as news of the attack slowly comes to light over time. It’s a win for attackers, as organisations can’t typically build everything they need themselves. Third-party tools and software will come into play eventually and if one of them is compromised by attackers, everything that uses or includes them is affected.

In this case, attackers going after PHP, which is used the world over, would qualify as a potentially huge supply chain attack.

What is Git?

Git is a version control system which tracks changes to your file(s) over a period of time. It makes this rather cumbersome process much more straightforward thanks to its repository. You can roll back changes if you make a mess of things, move files around, merge contributions from others, and so on.

That may sound a bit confusing, but don’t worry. A very basic comparison would be the page history view on Wikipedia, where you can see all changes made from creation of the page onward. If you understand how that works, then you’ll grasp how Git allows you to outline the who’s and what’s of edits made, the file reversions, the ability for different developers to work on projects in a non-chaotic fashion, and so on.

Put simply, it’s really good and very handy for all sorts of projects.

What is PHP?

PHP is something you almost certainly run into all the time. PHP, created in 1994, is a scripting language which is ideal for web development. It’s also incredibly popular. If something went wrong with or for PHP in terms of malicious actions, that could be quite bad.

As it happens…

A backdoor was added to the PHP code repository, which is definitely up there in the “quite bad” stakes. The PHP team aren’t sure how it happened yet.

What did the attackers do?

Remember the Wikipedia mention earlier? You know how some pages attract trolls and an edit war with defacements and roll-backs is the end result? A similar thing happened here. The malicious code additions were made by someone disguising their alteration as a typo fix, under the name of the creator of PHP.

The rogue code allowed for backdoor access into websites running the non-legit version of the code. It was removed, put back, and removed again some time later.

As a result of this attack, the PHP team are making some changes to how they operate moving forward. According to PHP’s Nikita Popov, “everything points towards a compromise of the git.php.net server”, meaning that the computer that Git was running on was compromised, rather than individuals’ Git accounts. So, like much of the rest of the world, the team is moving its code to GitHub:

While investigation is still underway, we have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the git.php.net server. Instead, the repositories on GitHub, which were previously only mirrors, will become canonical.

Contributors will also have to be part of the PHP organization on GitHub, which requires two-factor authentication.

This will hopefully make it much more difficult for something like this to happen again.

Am I affected?

According to ZDNet’s reporting, the commits (changes) were caught in the nick of time. As a result, users shouldn’t be affected. The PHP team are also digging into everything available, to ensure no other dubious alterations were made without anybody realising.

In short, you’re likely fine. The story is still developing, so it’d be wise to keep an eye on the news for the next few weeks. As for the attack itself? Opinion is split in some quarters as to how malicious it was intended to be. Although the commits were done in a way to suggest they wanted to stay hidden, it was almost inevitable they’d be found. Some folks have suggested a zero day was publicly “burnt” (used up) to warn of the danger of such a technique. Others maintain it was flat out malicious, end of story.

Whatever the truth of the story, it’ll be fascinating to see how things pan out. A little less excitement for stories related to code keeping 79% of websites ticking over would be a nice status quo to go back to.

The post Malicious commits found in PHP code repository: What you need to know appeared first on Malwarebytes Labs.

PYSA, the ransomware attacking schools

The education sector’s cybersecurity problem has compounded in the last few months. A recent warning from the FBI, in mid-March, put schools in the US and UK on notice of increased attacks from the threat actors behind the PYSA ransomware.

If this is the first time you’ve heard of this family, read on.

What is PYSA ransomware?

Home page image of the PYSA data leak site (Courtesy of Marcelo Rivero)

The PYSA ransomware is a variant of the Mespinoza ransomware.

PYSA, which stands for “Protect Your System Amigo”, was first named in open source documents in December 2019, two months after Mespinoza was spotted in the wild. Mespinoza originally used the .locked extension on encrypted files, and then shifted to using .pysa. Because of this, many use the names PYSA and Mespinoza interchangeably.

PYSA, like many known ransomware families out there, is categorized as a ransomware-as-a-service (RaaS) tool. This means that its developers have rented out this ready-made ransomware to criminal organizations, who may not be technically savvy enough to produce their own. PYSA customers can customize it based on options provided by the RaaS groups, and deploy it to their liking. PYSA is capable of exfiltrating data from its victims before encrypting the files to be ransomed.

According to Intel 471, a threat intelligence company, PYSA/Mespinoza is a tier 2 RaaS operator as it has been gaining reputation in the underground. Operators or crews who do this have a page—called a “leak list”—where they name and shame victims who decide not to pay the ransom. Victims are listed with an accompanying attachment containing files the threat actors exfiltrated from them.

PYSA’s “leak list” blog uses a vintage MS-DOS theme and ASCII art. Threat actors explicitly call their victim organizations “Partners”. (Courtesy of Marcelo Rivero)

PYSA ransomware has at least three known infection vectors: brute-force attacks against management consoles and Active Directory (AD) accounts, phishing emails, and unauthorized Remote Desktop Protocol (RDP) connections to domain controllers. Once inside a network, the threat actors take their time scanning files using Advanced Port Scanner and Advanced IP Scanner, both free tools, and move laterally within the network using PsExec.

The threat actors then manually execute the ransomware within the network after exfiltrating all the data they need for leverage. Files are encrypted using AES, with the AES keys in turn protected by RSA encryption.

Who has been attacked by PYSA?

PYSA is known to target large private organizations and those in the healthcare industry. It has also hit government groups across multiple continents. Recently, PYSA has increasingly been used against educational institutions in the US and UK.

Below is a non-exhaustive list of incidents involving PYSA:

  • In March 2020, CERT France issued a warning to French local governments of PYSA’s increased attacks.
  • In May 2020, MyBudget, Australia’s money management firm, experienced an “outage” that lasted 13 days (from 9 May to 22 May). Leaks of exfiltrated data landed on PYSA’s blog. The company then later confirmed to iTWire on 29 May that the long outage was caused by a ransomware attack. The next month, however, sources noticed that MyBudget’s name and files were taken down from PYSA’s blog, leading some to speculate that it may have paid the ransom, despite assurances that it had “no intention of engaging with ransom demands.”
  • In October 2020, a “serious cyberattack” affected London’s Hackney Council in the UK, leaving it unable to process housing benefit payments and causing house purchases to fall through. Although the council was tight-lipped about the entire incident at first, it has become known that the PYSA ransomware threat actors were behind the attack, after they leaked the data they exfiltrated from the council in January 2021.

Does Malwarebytes detect PYSA ransomware?

We sure do. We detect it as Ransom.Mespinoza.

Indicators of compromise (IOCs)

SHA256 hashes:


Ransom note file, Readme.README, containing the following content:

Hi Company,

Every byte on any types of your devices was encrypted.
Don’t try to use backups because it were encrypted too.

To get all your data back contact us:
{2 @protonmail.com email addresses}

————–

FAQ:

1.

Q: How can I make sure you don’t fooling me?

A: You can send us 2 files(max 2mb).

2.

Q: What to do to get all data back?

A: Don’t restart the computer, don’t move files and write us.

3.

Q: What to tell my boss?

A: Protect Your System Amigo.

The post PYSA, the ransomware attacking schools appeared first on Malwarebytes Labs.