IT NEWS

Last week on Malwarebytes Labs we kept you updated on the SolarWinds attack, we warned about the special dangers that come with the Christmas season, published a threat profile for the Egregor ransomware, warned how a lead generation scam was targeting potential Malwarebytes MSP partners, and talked about smart toy security. We also posted a follow-up about the many ways you can be scammed on Facebook.

A VideoBytes episode spoke about the increase in brute force attacks due to more open RDP ports.

SolarWinds related cybersecurity news:

Several publications dealt with different angles and consequences of the SolarWinds attack:

• Researchers at Prevasio explained how reverse engineering the Domain Generation Algorithm (DGA) revealed the list of victims. (Source: Prevasio blog)
• Experts have begun pointing to concerns about potentially substandard security protocols, like an update server that was accessible with a simple password. (Source: NewsWeek)
• Microsoft confirmed it found compromised SolarWinds code in its systems, but denied that its own software was compromised in a supply-chain attack to infect customers. (Source: Engadget)

Other cybersecurity news:

• The CEO of decentralized finance (DeFi) insurer Nexus Mutual has lost the equivalent of over $8 million in a targeted attack. (Source: Coindesk)
• Researchers found more than 45 million medical imaging files, including X-rays and CT scans, freely accessible on unprotected servers. (Source: betanews)
• The Irish Data Protection Commissioner has announced a €450,000 fine on Twitter for data breaches under GDPR. (Source: Independent.ie)
• A threat actor is distributing fake Windows and Android installers for the Cyberpunk 2077 game, which install a ransomware calling itself CoderWare. (Source: BleepingComputer)
• Five human rights defenders that were victims of NSO Group’s WhatsApp hacking have stepped forward to tell their stories. (Source: AccessNow)
• Researchers have called for a determined path to cybersecurity because issues surrounding governance and a sense of responsibility are preventing mission success. (Source: SecureList)
• A company called Capella Space launched a satellite capable of taking clear radar images of anywhere in the world, even through the walls of some buildings. (Source: Futurism)

Stay safe, everyone!

The post A week in security (December 14 – December 20) appeared first on Malwarebytes Labs.

In part 1 of this article series, we looked at data mining schemes, scam ad campaigns, concert tickets scams, and PayPal fund transfer scams. Today, we continue to list down the other scams you might encounter on Facebook.

Bitcoin trading scam

Who would have thought that a “simple” phishing scheme would be a front to a global Bitcoin trading scam?

Researchers from vpnMentor uncovered a scam operation with “many complex layers” not so long ago. According to their blog post, it starts off as an attempt to harvest Facebook credentials.

How do the fraudsters get users to hand over their credentials? They lure them in with the promise of revealing details on who has visited their profile.

After a Facebook user keys in their username and password, they are shown a purported number of people—32 of them—and a list of who has. viewed their profile. Or not, as some users report.

Fraudsters then use the stolen Facebook credentials to hijack victim accounts and spam comments to their network. The spam contains a link to another batch of scam websites, intending to point people to a Bitcoin scheme that is fraudulent.

Not all spammy post contain a link to the fake Bitcoin sites though. At times, users are deliberately directed to fake and even legitimate news sites, according to vpnMentor researchers. This is to confuse Facebook’s algorithm, thus preventing hijacked accounts from getting blocked. However, the fake sites eventually lead to fake Bitcoin sites, too.

Facebook users who arrive at this point are encouraged to sign up for a free Bitcoin trading account and deposit 250 Euros so they can start trading.

Facebook grant scams

COVID-19-related scams appear to be the scam du jour. And since Facebook began its grants program to small businesses heavily affected by the pandemic, scammers have angled their phishing campaigns to make it sound like Zuck is doling out money to all Facebook users affected by COVID-19.

Kaspersky has reported on one variant of this phishing scam, which started off with a fake CNBC report about Facebook giving grants to users hit by the pandemic and a link to where they can apply for one.

Users who visit the URL are taken to a site that resembles the official site of Mercy Corps, an organization offering humanitarian aid, where they are asked for their Facebook username and password. The site also asks for more personally identifiable information (PII), such as physical address, SSN, and even an ID scan, to verify your Facebook account, which the fake site claims is needed to accept a grants application.

At this point, users have not only granted fraudsters access to their Facebook account, but also fed them enough information to enable them to pose as you and attempt to access your other accounts.

The Federal Trade Commission (FTC) has also reported not just on grant scams but also other pandemic-driven money offers, such as food support coupons and giveaways, purportedly being spread by accounts using big-name brands like Target, Walmart, Pepsi, and Whole Foods.

In addition, Facebook users may have received messages on Messenger and WhatsApp, in English or Spanish, from a friend, family member, or contact asking them to click a link where they can claim “free money”. This campaign, the FTC has noted, would lead users to a survey scam phishing page asking for personal information.

Like the PayPal fund transfer scam in part I, fraudsters pose as someone their victim knows in the hope they will let their guard down and freely talk in confidence. Letting the conversation take place in a private space benefits the bad guys because oblivious owners of hacked or mimicked accounts won’t be able to warn anyone about their hacked account or accounts impersonating them.

“Secret sister gift exchange” scam

This is probably one of the most common pyramid schemes seen on Facebook.

Malwarebytes reported on this holiday-specific scam a couple of years ago, but the Secret Sister scam has been going on and off Facebook since 2015. That said, it shouldn’t surprise anyone to see it rear its ugly head once more.

In this scam, a Facebook user tags some contacts in a post with a message along the lines of this: buy an item from a shop worth $10, send to someone, and expect a 6-to-36-fold return of items from others who participate in it.

This may seem harmless, and one may feel this has merit considering what a terribly difficult year 2020 has been to a lot of us. After all, who doesn’t want to receive gifts from all your friends and family, or random strangers?

But while the act of exchanging gifts among school friends, family, or even colleagues is encouraged and very much allowed, gift chains like the secret sister gift exchange, on the other hand, is not. Participating in it is considered gambling and, thus, you’re actually breaking the US Postal Inspection Service’s gambling and pyramid scheme laws.

As we’ve also pointed out, taking part in the secret sister gift exchange—along with its other variants—could potentially result in data harvesting, especially if the prerequisite to participate is handing over your personal information along with the personal information of friends or family.

Like-farming

Like-farming is an oldie but goodie practice that both legitimate commercial parties and scammers do to raise the popularity of a post via likes and shares.

Liked and shared posts are generally benign. But they suddenly become dangerous when, after accumulating a target amount of likes and shares, scammers edit the original posts to include links to a malicious file download or a phishing website, or to promote spammy products. Facebook pages that have garnered a huge following can also be sold on the underground market, either to be used by other scammers for their campaigns or to harvest follower data that Facebook, by default, provides them.

In June, the Better Business Bureau (BBB) put out an article warning people about a Facebook post advertising a free RV and using the pandemic to lure people in. The post goes like this:

“With a lot of people out of work and Covid-19 keeping them out of work we know money is tighter more now than ever! So by 4 PM Monday someone who shares and also comments will be the new owner of this 2020 Jayco Greyhawk RV, paid off and ready to drive away, keys in hand – Jayco.”

This is reportedly the content of the Facebook post on the fake Jayco RV campaign that made the rounds in June.

The company the scammers were impersonating, Jayco, reported the page to Facebook.

How to stay safe on Facebook

• Report dubious social media posts. It’s good that Facebook has a feature that enables their users to easily report posts they deem are suspicious, scammy, illegal, or downright harmful to other Facebook users’ wellbeing. You can find this feature by clicking in the upper-righthand corner of the Facebook post in question and picking either “Report post” or “Report photo”.
• Never give out details about you and others. Don’t let you or any of your Facebook contacts become targets to scams or identity theft. Be wary of anyone or anything that asks for personal information.
• Like and Share wisely. If a supposed giveaway sounds too good to be true, it probably is. So, hold off liking or sharing that post, and report it instead.
• Always look for the blue checkmark on pages of popular brands and public personalities. Verifying their legitimacy is an amazingly simple yet often neglected practice. So if you want to like or share something that is legitimate and safe for your contacts to like and share, too, make sure that post is from a verified account.
• Update your browser regularly. This doesn’t only keep new vulnerabilities at bay, it’s another layer of protection you can depend on.
• Scrutinize URLs closely. Not every scammy campaign is sophisticated or difficult to spot. Start with the URL – if it’s obviously not for the website in question then step away.
• Reach out to friends and family outside of Facebook or Instagram. If you’re not sure if a message is from the person it says it’s from, give them a call or send them a text message to check they really did send it.
• Be wary of “free”. Yes, free things are nice—but it shouldn’t cost you anything, and that includes your personal details or a small amount of money that you must pay first. If you see a supposed government grant doing the rounds on Facebook, go to that agency’s official webpage to verify it or give them a call.
• Change your login credentials immediately. No one is immune from being sucked into a fraud. If it does happen to you, contact your bank, report it, and consider credit monitoring, too. And if you used the same password on other sites, change them and remind yourself that reusing passwords is always a wrong move.

Facebook scams will always be around, so make sure you stay up to date, keep your eyes open, and lend a helping hand to your friends and family who use Facebook too. Remember that helping one contact stay safe on Facebook also helps you secure your account and others’, too.

Stay safe!

The post The many ways you can be scammed on Facebook, part II appeared first on Malwarebytes Labs.

Hello Folks! In this Videobyte, we’re talking about why brute force attacks are increasing and why that is a problem for everyone.

The number of RDP ports exposed to the Internet grew from about three million in January 2020 to over four and a half million in March.  The reason for this increase is likely the shift to working from home by many organizations during the pandemic.

Attackers have taken notice of this trend and as a result we’ve seen an increase in criminals targeting vulnerable RDP ports to infiltrate a system or network and manually launch malware. This method of intrusion is less common than the automated approach of sending phishing emails.

This video talks about reasons why we are seeing an increase in RDP port attacks and it also provides tips on how to protect yourself.

An increase in RDP attacks means an increase in manual attacks, where criminals are actively pushing their way onto a network.  Using this approach, attackers could disable security controls that allow additional threats to run on the network, like ransomware or information stealing trojans.

Links:

• Brute force attacks increase due to more open RDP ports – Malwarebytes Labs

The post VideoBytes: Brute force attacks increase due to more open RDP ports appeared first on Malwarebytes Labs.

Christmas is coming, and so are the smart toys. The ever-present pandemic has meant a lot more staying at home this year. Videogame playing has increased considerably, because why not? Screentime for kids has gone up, because again, it’s bound to. It hasn’t brought about the end of civilisation and the kids are still alright.

You’d expect a big surge in smart/IoT toys all over the place given the current mood. However, there seem to be very few toys like this in the various “top Xmas toy gift” lists currently. I’ve yet to find an internet connected Baby Yoda, or a big brand doll acting as a Wi-Fi hotspot. Having said that, similar toys do exist, will be bought, and at least a few random gifts will be in the news next year for all the wrong reasons.

With this in mind, here’s how to keep smart toy security top of your Christmas list, and keep your kids safe from harm.

How to improve your smart toy security this Christmas

1. Read product descriptions thoroughly. If they link to EULAs, read them. If they mention internet connectivity, find out what specifically the toy needs it for.
2. Consider these questions. Does it plug into a database, and if so, for what purpose? Does it do facial recognition, and is it storing your child’s image outside of the device? Is it saving data like name, address, age? Where is the data stored, and is it secure? Does the company purge everything on a regular basis, or does it hang onto it for a while? How long? If the answer is “indefinitely”, is there some sort of data protection law it falls under which allows you to request deletion yourself?
3. Watch out for “faux” connectivity. There’s a lot of toys which imply internet features, but merely present that as a kind of façade for the kids. Cameras/recorders exist which present themselves as kids making their own social media styled clips, but, everything stays on the device and associated USB cards. It’s just the kids having fun, maaan. If in doubt then, as above, have a dig around for EULAs or additional product information. Worst case scenario: if it has connectivity, you’ll still need to go dig out internet options, punch in your router code, and so on. This is probably beyond your toddler, though mileage will vary depending on how many years use you expect to get from the device.
4. Security may be an afterthought. We’ve probably all heard the horror stories about cheap devices, knocked out with no security functionality whatsoever. Even with privacy policies and safety assurances, you may wish to limit how much data is exposed either way.
5. Advertisements and data collection is probably more of a gaming/tablet concern than random physical toys. This is almost certainly somewhere at the bottom of the “Things I should be concerned about” list. You may well take a totally different approach if said ads and tracking are tied to digital games, of course.
6. What websites/portals are tied to the toy? Often, we see non smart toys promoted with cool rewards and gifts should you sign up to their official website. Treat those sites with caution. There may be questions over what data they’re collecting, how they store it (similar to data beamed to servers by smart toys), whether or not the website is SSL and so on. Kids’ sites could be hot targets for scammers in December, so ensure you visit with your full complement of security software in full operation.
7. Your smart toy may need software updates, especially to ward off potential security threats. If it gets them, that’s great! However, keep in mind that support for most devices is limited. Even major software is eventually put out to pasture by the biggest corporations. Your child’s cuddly talking robo-toy won’t be supported forever. Once that happens it could be vulnerable to future attacks or old exploits which were missed first time around.

Have fun but be sensible

There is absolutely a risk from smart/IoT toys, and IoT products generally sell well over the holiday period. They’re a big deal. Having said that, there’s no need to panic. If you’re in the market for some fun smart toy action, do your usual fact finding before the purchase. Scour reviews, see what the toy does, check for any server-based antics, and make an informed decision.

Keeping your kids safe from products which spend all their time in their room has to be a priority above everything else.

We wish you a safe and entirely pleasant toy time this Christmas.

The post Smart toy security: How to keep your kids safe this Christmas appeared first on Malwarebytes Labs.

Recently, Malwarebytes discovered a potential lead generation scam targeting companies that are interested in our Malwarebtyes Managed Service Provider (MSP) Program.

In the scam, an individual who used the name “Jenny” aggressively contacted potential MSP partners claiming to represent Malwarebytes. In one instance in New Zealand, “Jenny” repeatedly called an MSP from the following phone number:

(628) 239-0412

According to one Malwarebytes customer who dealt with this rude scammer, “Jenny” repeatedly called their offices “10 to 20” times a day, each time asking to “speak to executives in our business.”

A quick Google search of the phone number shows that this is far from an isolated incident.

Dating back to last year, multiple individuals have reported difficult run-ins with the aggressive users behind this phone number. According to multiple forum posts of users reporting potential scam behavior from unknown phone numbers, the calls from this number are almost always the same.

The person making the call initially asks to speak to someone at the company—sometimes by name, sometimes by title—and only vaguely mentions the reason for the call. Several calls may take place in the span of one hour, and when asked to identify themselves by name, the caller sometimes gets angry and hangs up, or offers a “garbled” last name. Many forum posters also reported seeing the same caller ID when receiving the call:

SNFCJunpr

Despite the many similarities, the company that the callers claim to represent almost always changes. Forum posters said that the callers have claimed to be from cybersecurity company Proofpoint, IT management and MSP software company ConnectWise, and even Intel.

As of last week, the callers added “Malwarebytes” to their faked personas.  

Let’s be immediately clear. These calls are not coming from Malwarebytes, and our company will not engage with customers or potential customers in such scam-like, suspicious ways.

So, what’s actually going on here?

This is likely what’s called a “lead generation scam.” The first thing to understand about these scams is “lead generation” is a routine part of almost every single company’s marketing and sales operations. Companies often ask visitors to their website to fill out their contact information if they are interested in a certain product or program. As those visitors engage with the company and show a continued interest in a product, they become a “lead.”

A “lead generation scam” is when companies obtain leads through clandestine, untoward methods.

Last year, the US Federal Trade Commission sued a company for allegedly engaging in just this type of behavior. According to a lawsuit announced in April 2019, the company Day Pacer LLC had obtained individuals’ phone numbers from websites that allegedly offered assistance in finding jobs, securing unemployment benefits, gaining healthcare, or signing up for other types of assistance. Once Day Pacer had the information in hand, though, it used it to make “millions of illegal, unsolicited calls about educational programs,” the FTC said.

As for the current scam at hand, we think it’s similar, with an added twist.

While we cannot be sure whether the scammers themselves have already obtained a list of contact information from another resource online, there is a possibility that they are working for themselves to turn a profit. By repeatedly calling multiple businesses, these scammers might be trying to do some low-level corporate intelligence gathering. Once the scammers have called enough times and built up a list of internal leads from one company, they could take that information and try to sell it to that company’s competitors for a high price.

That motivation could also explain the rude, aggressive tactics. The callers don’t care if they strike out 100 times in a row, so long as they get enough people to divulge just enough basic information that they can turn around and try to sell it at a high price.

Be on the lookout for these types of scams, and stay safe out there, everyone.

The post Likely lead generation scam targets potential Malwarebytes MSP partners appeared first on Malwarebytes Labs.

In early December, the National Cyber Security Centre, a UK-based cybersecurity body and a part of GCHQ, kicked off the next chapter of its Cyber Aware campaign initiative, focusing on online shopping threats during the Christmas season.

Cyber Aware is the UK government’s “national campaign on cybersecurity” aimed at helping the public and businesses of all sizes understand how they can stay safe online.

According to the National Fraud Intelligence Bureau (NFIB), a police unit that gathers and analyzes intelligence regarding financially motivated cybercrime, 13.5M GBP was lost to shopping fraud between November 2019 and January 2020. That’s an average loss of 775 GBP per reported incident.

“This year we have spent more time online than ever before. Whether it be working or shopping online, criminals and others often see the internet as another means to cause harm,” says Penny Mordaunt, Paymaster General in the Cabinet Office of the United Kingdom. “As we approach the Christmas season, we should all be on our guard and take the practical Cyber Aware actions to keep us safe as we work, shop and socialise online.”

With more and more internet users expected to shop online this festive season, thanks to the current pandemic, it is more important than ever for shoppers to be on the lookout for potentially fraudulent activity and practice the necessary behaviors to protect themselves against it. Cyber Aware has listed six such behaviors, as follows:

• Use a strong and separate password for your email
• Create strong passwords using 3 random words
• Save your passwords in your browser
• Turn on two-factor authentication (2FA)
• Update your devices and apps
• Back up your data

You can read and learn more about these points in depth by visiting this page.

“If you are shopping online this year, spend the time you would have spent wrapping up warm to head out to the shops on checking your online security,” says Sian John, Microsoft UK’s Chief Security Advisor, “Let’s make sure the gifts we give this Christmas go to the people we love, not to the fraudsters who just want to steal your money.”

The announcement of this new Cyber Aware campaign came on the heels of the release of the NCSC’s fourth Annual Review Report [PDF]. In it, the NCSC covers its activities and achievements from September 2019 to August 2020.

Highlights include the launch of its Suspicious Email Reporting Services, wherein 2.3 million reports were submitted by the British public; the publication of multiple guidelines on relevant cybersecurity topics, such as the secure usage of smart security cameras, safe ways to work from home during the coronavirus pandemic, the proper procurement of mobile devices of the workplace, and things to consider before buying cyber insurance; and partnering with other organizations to advocate a cause, such as helping increase female representation in cybersecurity.

Stay safe!

The post NCSC: Be Cyber Aware, especially during the Christmas season appeared first on Malwarebytes Labs.

What is Egregor?

Egregor ransomware is a relatively new ransomware (first spotted in September 2020) that seems intent on making its way to the top right now. Egregor is considered a variant of Ransom.Sekhmet based on similarities in obfuscation, API-calls, and the ransom note.

As we’ve reported in the past, affiliates that were using Maze ransomware started moving over to Egregor even before the Maze gang officially announced they were calling it quits. Egregor has already targeted some well-known victims like Barnes & Noble, Kmart and Ubisoft.

How does Egregor spread?

The primary distribution method for Egregor is Cobalt Strike. Targeted environments are initially compromised through various means (RDP probing, phishing) and once the Cobalt Strike beacon payload is established and persistent, it is then used to deliver and launch the Egregor payloads.

But since Egregor is a ransomware-as-a-service (RaaS) operation with multiple affiliates, the delivery and weaponization tactics can vary. We’ve also seen it being spread via phishing emails recently. The attack typically unfolds in two steps: initial compromise with email lure that drops Qakbot, followed by the actual Egregor ransomware. The latter is deployed manually by the attackers who have previously gained access as a result of the initial compromise.

There have also been some reports of Egregor utilizing CVE-2020-0688 (a remote code execution flaw in Microsoft Exchange). Some sources also report the possible exploitation of CVE-2018-8174 (VBScript Engine), CVE-2018-4878 (Adobe Flash Player), and CVE-2018-15982 (Adobe Flash Player).

The most common attack method seems to entail an initial spray-and-pray tactic, after which the threat actors make a selection of the available openings. They will obviously go for the easiest and most profitable ones based on primary reconnaissance data from the first stage of the attack. They will then try to enlarge their foothold on the breached network and look for the data and servers that are most critical for the victim. This will give the attackers extra leverage and a bigger chance to cash in their ransom demand.

Egregor does not seem to have a geographical preference, even though Sekhmet has seemed to focus on the US in the past 7 weeks.

Egregor threatens to leak exfiltrated data

According to the ransom note, if the ransom is not paid by the company within 3 days, and aside from leaking part of the stolen data, the attackers will announce the breach through mass media so the company’s partners and clients will know that the company was victimized.

In all three the cases we mentioned earlier, the attackers published information on a leak site showing that they had accessed files during the attack, but didn’t necessarily reveal source code or anything particularly sensitive.

Education by the hands-on experts

A very typical trait of the Egregor ransomware is that the attackers offer to educate their victims in order to help them escape future attacks.

Cybersecurity advice is promised to those victims that pay the ransom as an extra bonus. What these recommendations look like is unknown at the time of writing. A truthful explanation about how the victim in question was infected, infiltrated, and how data was exfiltrated would certainly help in a forensic investigation of the incident.

Egregor victim Randstad

One of the latest victims seems to be Netherlands-based Randstad, one of the largest recruitment- and head-hunting agencies in the world. In its press release, Randstad specifically calls out Egregor as the attacker.

“We believe the incident started with a phishing email that initiated malicious software to be installed,” a Randstad spokesperson said in an email.

The press release confirms the stolen data but is unclear about the exact content.

Depending on the stolen data, and given the line of business, the content could be very sensitive and confidential. According to Randstad, the company was able to limit the impact, and the stolen data are in particular related to their operations in the US, Poland, Italy and France.

Third party cybersecurity and forensic experts were engaged to assist with the investigation and remediation of the incident.

IOCs

Tor Onion URLs:

• egregorwiki.top
• wikiegregor.top
• sekhmet.top
• sekhmetleaks.top

SHA256 hashes:

• 4c9e3ffda0e663217638e6192a093bbc23cd9ebfbdf6d2fc683f331beaee0321
• aee131ba1bfc4b6fa1961a7336e43d667086ebd2c7ff81029e14b2bf47d9f3a7

Ransom note:

RECOVER-FILES.txt (some parts of the ransom note can be seen in the article)

The post Threat profile: Egregor ransomware is making a name for itself appeared first on Malwarebytes Labs.

Last week on Malwarebytes podcast we talked to Doug Levin, founder of the K12 cybersecurity resource center and advisor to the K12 Security Information Exchange, about how schools can plan for a cybersecure 2021.

We also released a Malwarebytes Labs report revealing that 50 percent of schools did not prepare for secure distance learning.

In our blogs we discussed defending against tax scams, the dangers of buying COVID-19 vaccines from the Dark Web, a VideoByte edition talked about why hospitals are being targeted by the Ryuk ransomware, and we reassured our customers that Malwarebytes detects the leaked tools from the FireEye breach.

Other cybersecurity news:

• A Florida COVID-19 data manager was investigated, and raided for allegedly sending a mass text using a shared password. (Source: ArsTechnica)
• The European Medicines Agency (EMA) responsible for approving medicines like the COVID-19 vaccine has been the subject of a cyberattack. (Source: EMA website)
• US cybersecurity firm FireEye disclosed a breach and subsequent theft of hacking tools. (Source: Yahoo! Finance)
• A team of researchers in Belgium has uncovered one of the world’s largest known online disinformation networks, dubbed Indian Chronicles, which has existed for 15 years. (Source: Intelnews)
• US agencies have warned K-12 educational institutions are being targeted by malicious actors for extortion, data theft, and general disruption of normal activity. (Source: BleepingComputer)
• A web skimmer gang have been hiding their malicious code inside websites’ CSS files. (Source: ZDNet)
• Microsoft warned that there’s an ongoing Adrozek campaign to distribute malware that modifies web browsers. (Source: The Register)
• Engineers at Cloudflare and Apple say they’ve developed a new internet protocol that will shore up one of the biggest holes in internet privacy. (Source: TechCrunch)
• Researchers discovered a sharp rise in gift card scams as cybercriminals launch tactics to take advantage of the giving season. (Source: Bolster)
• The Federal Trade Commission sued Facebook for illegally maintaining its personal social networking monopoly. (Source: FTC website)

Stay safe, everyone!

The post A week in security (December 7 – December 13) appeared first on Malwarebytes Labs.

Over the weekend we learned more about the sophisticated attack that compromised security firm FireEye, the US Treasury and Commerce departments and likely many more victims.

Threat actors hacked into IT company SolarWinds in order to use its software channel to push out malicious updates onto 18,000 of its Orion platform customers. This scenario, referred to as a supply-chain attack, is perhaps the most devious and difficult to detect as it relies on software that has already been trusted and that can be widely distributed at once.

The Department of Homeland Security has issued an emergency directive to order all federal agencies to take immediate steps in putting affected SolarWinds Orion products offline and reporting back any incident by Monday.

We do know that the threat actors were in for a much bigger prize than the offensive tools stolen from security firm FireEye, although this incident helped to uncover a very advanced operation with deep ramifications. As this story is still unfolding we will keep our customers informed of any newer developments.

Call to action

• Immediately isolate any systems running the Orion platform versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020.
• Scan your premises using Malwarebytes and look for any detection, and in particular Backdoor.Sunburst and Backdoor.WebShell.
• Use the Indicators of Compromise at the end of this blog to hunt within your logs, telemetry and other SIEM data to give a timeline perspective to any potential intrusion.
• Perform a comprehensive security sweep to review and harden your physical and cloud infrastructure.
• Upgrade to Orion Platform version 2020.2.1 HF 1 and restore systems once you feel confident with the previous steps.

Further reading

Indicators of Compromise (IOCs)

This list has been put together from several sources. Kudos to FireEye and Microsoft for sharing IOCs and TTPs so quickly.

SolarWinds.Orion.Core.BusinessLayer.dll
32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b
eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed
c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77
ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c
019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134
ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6
a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc
d3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af

CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp
d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600

appweblogoimagehandler.ashx.b6031896.dll
c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71

Network indicators

avsvmcloud[.]com
deftsecurity[.]com
freescanonline[.]com
thedoccloud[.]com
websitetheme[.]com
highdatabase[.]com
incomeupdate[.]com
databasegalore[.]com
panhardware[.]com
zupertech[.]com

13.59.205[.]66
54.193.127[.]66
54.215.192[.]52
34.203.203[.]23
139.99.115[.]204
5.252.177[.]25
5.252.177[.]21
204.188.205[.]176
51.89.125[.]18
167.114.213[.]199

Additional hunting rules: https://github.com/fireeye/sunburst_countermeasures/tree/main/rules

The post SolarWinds advanced cyberattack: What happened and what to do now appeared first on Malwarebytes Labs.

Even though we hope that this is an unnecessary warning, we do want to put it out there. As soon as there was talk about a vaccine being available against the COVID-19 virus there were vendors on the Dark Web offering Russian and Chinese COVID-19 vaccines for sale. Now that the UK has started its inoculation program, we’ve see the first offers of “tested COVID-19 vaccines” appearing online.

Granted, it didn’t take the genius of Shakespeare to come up with that plot.

In a single day, 645 COVID-19 listings were discovered across 12 dark web markets, a study from the Australian National University found.

One example

Below is a screenshot of a Dark Web vendor selling a “Corona virus vaccine” (sic) developed in Israel. The vendor states it will be ready in a few days, most likely to extend the period before they start getting complaints that could drive other potential buyers away. As you can see, they envisioned a vaccine far before anyone thought it was even feasible.

Will you receive a real COVID-19 vaccine?

As I see it, there are a few possible scenarios that might play out should you decide to order a “tested COVID-19 vaccine” on the dark web:

1. You will receive nothing at all. You should be happy, all you lost is some money.
2. Possibly a shipment will be sent to your address, but it will not be a real vaccine. With any luck it will be a harmless placebo.
3. The shipment contains a vaccine, but it isn’t the coveted coronavirus vaccine. You have no idea what it really is. Let’s hope you are not allergic to it.
4. In the very unlikely case you receive an actual COVID-19 vaccine, there’s a good chance that it’s not an FDA approved vaccine. The only approved vaccine to date has to be stored and transported at -94°F (-70’C). Will our Dark Web vendor use the cold chain distribution method?

Seriously, there is a huge demand for the real vaccines, and worldwide logistics experts are working out plans to get these vaccines to those that need them the most, in the safest and fastest way.

Warnings

At Malwarebytes Labs we have warned in the past against buying illegal drugs on the internet. You can heed the same warnings for medicines.

A researcher at CloudSEK contacted one of these vendors and requested proof of what they were selling. In response they sent a stock image. You can read their back and forth here.

A warning was issued after ‘Pfizer COVID-19 vaccine’ was found for sale on the Dark Web – at around £1,000 a dose. As we pointed out earlier, given the controlled temperature required for this vaccine’s storage and transport, these are highly unlikely claims.

Europol warned in April about the potential harm of offline and online scams offering alleged versions of the COVID-19 vaccine. Then, in October, it discovered a Mexico-based operation pushing fake influenza vaccines on the cybercrime underground. It’s likely that the same actors will see another opportunity with the rollout of a COVID-19 vaccine, Europol said.

It’s a golden opportunity for cybercriminals, who can use fake vaccine offers as bait. Europol said high demand for the vaccine and potential shortages will likely drive consumers online looking for alternatives.

“Some dark web markets feature advertisements for fake COVID-19 vaccines. The number of offers is limited at this stage but will likely increase once a legitimate vaccine becomes available. Criminals advertise their fake vaccines using the brands of genuine pharmaceutical companies that are already in the final stages of testing.”

The Food and Drug Administration said the first Covid-19 vaccine being considered for US distribution “met the prescribed success criteria” in a clinical study, paving the way for the agency to green-light distribution as early as this weekend. It’s likely this will increase the number of fraudulent offers.

Stolen vaccine data

Documents related to the development of one COVID-19 vaccine have been unlawfully accessed in a cyberattack on the European Medicines Agency  (EMA), which is the EU version of the Food and Drug Administration (FDA).

You can expect scammers to use this information to give extra credibility to their lures. For example, by claiming they have fabricated a COVID-19 vaccine using the information that was in the stolen documents. Again, this concerns the vaccine that needs to be handled under cold chain conditions, so any vaccine based on those specifications will require the same treatment.

Don’t let panic control your actions

While we understand the reasons why some people may want to get the vaccine before their government decides it’s their turn, panic – and greed – are always bad advisors. They are the exact basic instincts that scammers thrive on.

Don’t add an unfortunate accident with an unlikely vaccine sold by a shady Dark Web vendor to the list of things that went wrong in 2020.

Stay safe, everyone!

The post Buying COVID-19 vaccines from the Dark Web? No thanks! appeared first on Malwarebytes Labs.