IT NEWS

Last week on Malwarebytes Labs:

• New Go loader pushes Rhadamanthys stealer
• Canada revisits decision to ban Flipper Zero
• Patch Ivanti Standalone Sentry and Ivanti Neurons for ITSM now
• 19 million plaintext passwords exposed by incorrectly configured Firebase instances
• Apex Legends Global Series plagued by hackers
• Tax scammer goes after small business owners and self-employed people
• The ‘AT&T breach’—what you need to know
• Upcoming webinar: How a leading architecture firm approaches cybersecurity
• Social media influencers targeted by identity thieves
• Store manager admits SIM swapping his customers

Stay safe!

Malware loaders (also known as droppers or downloaders) are a popular commodity in the criminal underground. Their primary function is to successfully compromise a machine and deploy one or multiple additional payloads.

A good loader avoids detection and identifies victims as legitimate (i.e. not sandboxes) before pushing other malware. This part is quite critical as the value of a loader is directly tied to the satisfaction of its “customers”.

In this blog post, we describe a malvertising campaign with a loader that was new to us. The program is written in the Go language and uses an interesting technique to deploy its follow-up payload, the Rhadamanthys stealer.

Malicious ad targets system administrators

PuTTY is a very popular SSH and Telnet client for Windows that has been used by IT admins for years. The threat actor bought an ad that claims to be the PuTTY homepage and appeared at the top of the Google search results page, right before the official website.

In this example, the ad looks suspicious simply because the ad snippet shows a domain name (arnaudpairoto[.]com) that is completely unrelated. This is not always the case, and we continue to see many malicious ads that exactly match the impersonated brand.

Fake PuTTY site

The ad URL points to the attacker controlled domain where they can easily defeat security checks by showing a “legitimate” page to visitors that are not real victims. For example, a crawler, sandbox or scanner, will see this half finished blog:

Real victims coming from the US will be redirected to a fake site instead that looks and feels exactly like putty.org. One of the big differences though is the download link.

The malicious payload is downloaded via a 2 step redirection chain which is something we don’t always see.

puttyconnect[.]info/1.php
HTTP/1.1 302 Found
Location: astrosphere[.]world/onserver3.php

astrosphere[.]world/onserver3.php
HTTP/1.1 200 OK
Server: nginx/1.24.0
Content-Type: application/octet-stream
Content-Length: 13198274
Connection: keep-alive
Content-Description: File Transfer
Content-Disposition: attachment; filename="PuTTy.exe"

We believe the astrosphere[.]world server is performing some checks for proxies while also logging the victim’s IP address. This IP address will later be checked before downloading the secondary payload.

That PuTTy.exe is malware, a dropper written in the Go language (version 1.21.0).

Its author may have given it the name “Dropper 1.3“:

Follow-up payload

Upon executing the dropper, there is an IP check for the victim’s public IP address. This is likely done to only continue with users that have gone through the malicious ad and downloaded the malware from the fake site.

zodiacrealm[.]info/api.php?action=check_ip&ip=[IP Address]

If a match is found, the dropper proceeds to retrieve a follow-up payload from another server (192.121.16[.]228:22) as seen in the image below:

To get this data, we see it uses the SSHv2 (Secure Shell 2.0) protocol implemented via OpenSSH on a Ubuntu server. We can only think of using this protocol to make the malware download more covert.

That payload is Rhadamanthys which is executed by the parent process PuTTy.exe:

Malvertising / loader combo

We have seen different types of loaders via malvertising campaigns, including FakeBat which we profiled recently. Given how closely the loader is tied to the malvertising infrastructure it is quite likely that the same threat actor is controlling both. The service they offer to other criminals is one of malware delivery where they take care of the entire deployment process, from ad to loader to final payload.

We reported this campaign to Google. Malwarebytes and ThreatDown users are protected as we detect the fake PuTTY installer as Trojan.Script.GO.

ThreatDown users that have DNS Filtering can enable ad blocking in their console to prevent attacks that originate from malicious ads.

Indicators of Compromise

Decoy ad domain

arnaudpairoto[.]com

Fake site

puttyconnect[.]info

PuTTY

astrosphere[.]world
0caa772186814dbf84856293f102c7538980bcd31b70c1836be236e9fa05c48d

IP check

zodiacrealm[.]info

Rhadamanthys

192.121.16[.]228:22
bea1d58d168b267c27b1028b47bd6ad19e249630abb7c03cfffede8568749203

In February 2024 the Canadian government announced plans to ban the sale of the Flipper Zero, mainly because of its reported use to steal cars.

The Flipper Zero is a portable device that can be used in penetration testing with a focus on wireless devices and access control systems.

If that doesn’t help you understand what it can do, a few examples from the news might help.

Flipper Zero made headlines in October because versions running third-party firmware could be used to crash iPhones running iOS 17 (since resolved in iOS 17.2).

Later, reporters found information that car thieves could use the Flipper Zero to intercept, record, and sometimes mimic the signal of a vehicle’s key fob, and if the car was in a garage, the signal of the garage door opener too.

Importantly, this only works on older car models that use fixed numeric codes for their fobs. Not on cars that use rolling codes, which change the numeric code transmitted from a key fob with each use. As a result, car thieves continued to ignore the Flipper Zero in favour of key fob signal boosters and keyless repeaters which are a lot more powerful.

Oddly enough, the car thieving option was mentioned as the main reason for putting a ban on the Flipper Zero in Canada. Although Canada’s Minister of Innovation, Science, and Industry, François-Philippe Champagne said:

“We are banning the importation, sale and use of consumer hacking devices, like flippers, used to commit these crimes.”

Very recently, a group of security researchers presented a series of vulnerabilities in the widely used Dormakaba Saflok electronic RFID locks. This vulnerability impacts over 3 million doors on over 13,000 properties in 131 countries, mostly in hotels.

Reportedly, an attacker only needs to read one keycard from the property to perform the attack against any of its doors. This keycard can be from their own room, or even an expired keycard taken from the express checkout collection box.

Any device capable of reading and writing or emulating MIFARE Classic cards is suitable for this attack. MIFARE is a contactless card technology introduced in 1994. It’s primarly used for transport passes, but its technological capabilities quickly made it one of the most popular smart cards for storing data and providing access control.

One device that can be used for this attack is the Flipper Zero, but an attacker could just as easily use a Proxmark 3 or any NFC capable Android phone.

After an appeal by the security community, Canada now looks like it’s going to move forward with measures to restrict the use of devices like Flipper Zero to legitimate actors only. The specifics will be revealed after deliberation with Canadian companies, online retailers, and the automotive industry.

Conclusions

None of the technology housed within the Flipper Zero is very new, all it does is combine multiple functions into one handheld device. We have never seen any officially confirmed cases of theft using a Flipper Zero. If you want to ban something that helps against car theft, look at keyless repeaters, on the market for a host of car brands and which have no other purpose.

For all the vulnerabilities we described, updates came out that fixed the issues and made the world a safer place, although the patches haven’t been applied everywhere—it’s a lot of work to update all the locks in a hotel, and it’s not feasible to update the fob systems of older cars. Nevertheless, the research by pen testers has led to security improvements, so why would we want to take away their tools?

If we have peaked your interest to buy a Flipper Zero, we urge you to be careful. Due to limited availability there are scammers active that will take your money and send nothing in return.

You can learn more about Flipper Zero by listening to our Lock and Code podcast below. In December 2023, host David Ruiz had a long conversation in with Cooper Quintin, senior public interest technologist with the Electronic Frontier Foundation—and Flipper Zero owner—about what the Flipper Zero can do, what it can’t do, and whether governments should get involved in the regulation of the device.

Ivanti has issued patches for two vulnerabilities. One was discovered in the Ivanti Standalone Sentry, which impacts all supported versions 9.17.0, 9.18.0, and 9.19.0. Older versions are also at risk. The other vulnerability impacts all supported versions of Ivanti Neurons for ITSM—2023.3, 2023.2 and 2023.1, as well as unsupported versions which will need an upgrade before patching.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs patched in these updates are:

CVE-2023-41724 (CVSS score 9.6 out of 10), which allows an unauthenticated threat actor to execute arbitrary commands on the underlying operating system of the appliance within the same physical or logical network.

This vulnerability was reported to Ivanti by the NATO Cyber Security Centre. Ivanti says it’s not aware of any customers being exploited by this vulnerability at the time of disclosure. The attack option is limited because an attacker without a valid Transport Layer Security (TLS) client certificate enrolled through Ivanti Endpoint Manager Mobile (EPMM) cannot directly exploit this issue on the internet.

Ivanti says its customers can access the patch (9.17.1, 9.18.1 and 9.19.1) via the standard download portal.

CVE-2023-46808 (CVSS score 9.9 out of 10) which allows an authenticated remote user to perform file writes to ITSM server. Successful exploitation can be used to write files to sensitive directories which may allow attackers to execute commands in the context of a web application’s user.

The patch has been applied to all Ivanti Neurons for ITSM Cloud landscapes. On-premise customers are advised to act immediately to ensure they are fully protected. Ivanti says it is not aware of any customers being exploited by this vulnerability prior to public disclosure.

The patch is available on the Ivanti Neurons for ITSM downloads page for each respective 2023.X version. This will require upgrading to 2023.X to apply the patch.

The vulnerabilities have a 2023 CVE because of a reservation made towards the end of 2023, when they were first found and reported. It is Ivanti’s policy that when a CVE is not under active exploitation to disclose the vulnerability when a fix is available, so that customers have the tools they need to protect their environment.

Get patching!

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

Three researchers scanned the internet for vulnerable Firebase instances, looking for personally identifiable information (PII).

Firebase is a platform for hosting databases, cloud computing, and app development. It’s owned by Google and was set up to help developers build and ship apps.

What the researchers discovered was scary. They found 916 websites from organizations that set their Firebase instances up incorrectly, some with no security rules enabled at all.

One of the researchers told BleepingComputer that most of the sites also had write enabled (meaning anyone can change it) which is bad, and one of them was a bank.

During a sweep of the internet that took two weeks, the researchers scanned over five million domains connected to Google’s Firebase platform.

The total amount of exposed data is huge:

• Names: 84,221,169
• Emails: 106,266,766
• Phone Numbers: 33,559,863
• Passwords: 20,185,831
• Billing Info (Bank details, invoices, etc): 27,487,924

And as if that isn’t bad enough, 19,867,627 of those passwords were stored in plaintext. Which is a shame given that Firebase has a built-in end-to-end identity solution called Firebase Authentication that is specifically designed for secure sign-in processes and does not expose user passwords in the records.

So, an administrator of a Firebase database would have to go out of their way and create an extra database field in order to store the passwords in plaintext.

The researchers have warned all the affected companies, sending 842 emails in total. Only 1% of the site owners replied, but about a quarter of them did fix the misconfiguration.

In this case we can consider it a blessing that these researchers managed to get a lot of those instances correctly configured. On the other hand it’s frightening that the rest lives on in a state of insecurity.

Check your digital footprint

If you want to find out how much of your data has been exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

While most tax payers don’t particularly look forward to tax season, for some scammers it’s like the opening of their hunting season. So it’s no surprise that our researchers have found yet another tax-related scam.

In this most recent scam, we’ve not seen the lure the scammer uses, but it is likely to be an email telling the target to quickly go to this site to apply for your IRS EIN/Federal tax ID number.

EIN is short for Employer Identification Number. The IRS uses this number to identify taxpayers who are required to file various business tax returns. EINs are used by employers, sole proprietors, corporations, partnerships, non-profit associations, trusts, estates of decendents, government agencies, certain individuals, and other business entities.

Given the flow of the scam it’s very likely that the targets are self-employed and/or small business (SMB) owners. It’s possible that the phisher has obtained or bought a collection of email addresses from a data broker that fit a certain profile (for example, self-employed US residents).

To start this operation, the scammer doesn’t need a lot of information about their targets. A valid email address for a self-employed US resident could cost just a few cents on an underground forum on the dark web. However, the scammer might not even need to venture that far, as Senior Director of Technology and Engineering and Consumer Privacy at Malwarebytes, Shahak Shalev told us:

“I don’t think one would have to go to the dark web to get information like this as there are regular companies selling this information. They would probably qualify it as “lead generation”. According to our sources, pricing for one million self-employed US citizens usually goes for $1USD per contact, but for such a large amount it would probably be $0.1 per contact.”

The information the phishers are after is quite extensive and includes a person’s social security number (SSN).

A compromised social security number poses a major problem. A SSN stays with you for a lifetime, and is closely tied to your banking and credit history. Adding a person’s SSN to the scammers’ data could create far more opportunities for identity theft and fraud.

And if that wasn’t serious enough, the scammers here have the audacity to charge you for the tax ID number, even though applying for an Employer Identification Number (EIN) is a free service offered by the Internal Revenue Service (IRS).

We also found the scammer made a mistake when setting up their fake website. By looking at the privacy policy of the scammer’s site it became apparent that they forgot a small edit when they copied the privacy policy from someone else, but neglected to edit the original domain in one place.

If you’ve received a mail or other invitation including a link to the domain irs-ein-gov.us, please let us know in the comments. We would love to have a copy so we can complete this attack profile.

How to avoid falling for a tax scam

Before acting on an email’s request, stop and think about the following:

• Remember: The IRS doesn’t ask taxpayers for personal or financial information over email, text messages, or social media channels. This includes requests for PINs, passwords or similar access information for credit cards, banks, or other financial accounts.
• Do not interact with the sender, click any links, or open any attachments.
• Send the full email headers or forward the email as-is to phishing@irs.gov. Do not forward screenshots or scanned images of emails because this removes valuable information.
• Delete the email.

If you are unsure if a certain communication is from the IRS, you can go to IRS.gov and search for the letter, notice, or form number. If it is legitimate, you’ll find instructions on how to respond. If there’s a form to fill in the verify that it is identical to the same form on IRS.gov by searching forms and instructions.

Malwarebytes Premium customers are protected against this particular scam if they have Web Protection enabled.

IOCs

Domains

ustaxnumber[.]org

ustaxnumber[.]com

irs-ein-gov[.]us

Check your digital footprint

If you want to find out how much of your data has been exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

The North American finals of online shooter game Apex Legends has been postponed after games were disrupted by hacking incidents.

Apex Legends, published by EA, is currently in an important stage of its Global Series, the regional finals mode. This is a big deal for the top players since there is a $5 million prize pool, with a few of the top teams in each region set to battle it out in the finals.

But on Monday, the Apex Legends official X account tweeted that it had postponed the contest after deciding the “competitive integrity” of the series had been compromised.

According to PCGamer, there were at least two major incidents:

“First, Noyan “Genburten” Ozkose of DarkZero suddenly found himself able to see other players through walls, then Phillip “ImperialHal” Dosen of TSM was given an aimbot.”

An aimbot is a program or patch that allows the player to cheat by having the character’s weapon aimed automatically. Using cheats like those would lead to immediate disqualification and total loss of respect if done on purpose.

The volunteers of the Anti-Cheat Police Department warned players against playing any games protected by Easy Anti-Cheat (EAC) or any EA titles for a while, because they suspected a Remote Code Execution (RCE) exploit was being used against the players.

However, recent developments point less toward an RCE being the cause and more to an actual infection on the players’ computers…

Malwarebytes to the rescue

In a livestream, affected gamer ImperialHal spoke to cybersecurity expert “PirateSoftware,” who has been investigating the attacks.

ImperialHal uses Malwarebytes to scan his machine which flags an inbound connection from an IP address linked to a server known for malicious activities.

It appears that the attacker had direct access to ImperialHal’s computer, likely via a Trojan. PirateSoftware concluded:

“I don’t see evidence of Apex having RCEs. It does not mean that it’s impossible but I still don’t see evidence, while I do see evidence of him having direct access to your machine.”

Protect yourself

We recommend that all gamers scan their computers with reliable security software. Malwarebytes Premium for Windows’ Brute Force Protection feature blocked the connection from being made to ImperialHal’s computer, so make sure you enable that feature.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Earlier this week, the data of over 70 million people was posted for sale on an online cybercrime forum. The person selling the data claims it stems from a 2021 breach at AT&T.

Back in 2021, a hacker named Shiny Hunters claimed to have breached AT&T and put the alleged stolen data up for sale for $1 million for a direct sell. Fast forward three years and another threat actor calling themselves MajorNelson has leaked what they say is the same data.

However, AT&T denies (both in 2021 and, now, in 2024) that the data came from its systems, telling BleepingComputer that it’s seen no evidence of a breach. No response was received to a follow-up question on whether the data could come from a third-party provider.

The data posted online includes names, addresses, mobile phone numbers, dates of birth, social security numbers, and other internal information. Almost the same set was offered for sale in 2021, but the encrypted date of birth and social security numbers have since been decrypted and added to the set as supplemental files for most records.

Several sources have verified the dataset (or parts thereof) contains valid data.

What to do

AT&T still hasn’t confirmed that the data came from its systems, nor from a third party. However, there are some general actions you can take if you are an AT&T customer:

• Watch out for people posing as AT&T. Data breaches are great for scammers because they can contact you pretending to be from the (in this case alleged) breached company. If you receive an email, phone call or something similar from someone claiming to be from AT&T be cautious and contact AT&T directly to check it’s real.
• Take your time. Scammers often use themes that require urgent attention to hurry you into making a decision, filling in a form or giving away personal data. Take a step back and don’t give away any personal or financial information.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check if your data has been breached

Our Digital Footprint records now include the AT&T data so you can check if your information has been exposed online. Submit your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll send you a report.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

How does a company navigate over 80 years of technical debt? Which tools do a security team of 5 rely on everyday? What threats are considered most dangerous?

On March 28, 2024, Malwarebytes CEO, Marcin Kleczynski, and Payette Associates Director of Information Technology, Dan Gallivan, will answer these questions and more in our live Byte into Security webinar.

Event details

Date: March 28, 2024
Time: 10 AM PST / 1 PM EST
Registration: Open Now

In this webinar, you’ll discover…

• How Payette Industries ensures the security of remote teams while handling extensive data repositories.
• The impact of moving workloads to the cloud and simplifying systems on enhancing security measures.
• Why adopting Managed Detection and Response (MDR) services is crucial for providing round-the-clock monitoring and augmenting the capabilities of internal teams.

Why attend?

This Byte into Security webinar is a must for anyone eager to see how top-tier cybersecurity tactics are applied in real-world scenarios. Whether you’re involved in IT or simply keen on learning about state-of-the-art security practices, Marcin and Dan’s discussion will equip you with valuable insights.

Register now to secure your spot!

Social media influencers are attractive targets for identity thieves. With large followings and a literal influence on their followers, it’s no wonder they are targeted by scammers and spreaders of fake news.

A subset of influencers are the so-called “finfluencers”: influencers that provide their followers with financial advice. Such a person influences the financial investment decisions of their followers by doling out advice or recommendations. This comes in the form of get-rich-quick schemes, cryptocurrency related advice, stock investment, financial planning, or just about anything people can do to make money.

On the platforms that matter these days, like YouTube, TikTok and Instagram, the number of followers of some of the well-known finfluencers far exceeds the numbers of followers of some of the biggest broking houses. In May of 2023, India banned a YouTube finfluencer with over a million followers from the securities markets for a year for allegedly providing advisory services—daily stock investment/trading calls—without registering with the regulator.

With enough followers that heed their advice, these finfluencers also can have an effect on the financial markets. With enough demand, prices go up and if you know that’s going to happen, making money is indeed easy.

And as an exit scam in which you make one big whopper and then disappear, that’s a very profitable strategy. But most influencers are in it for the long run and don’t want to ruin the reputation they built. Unless their account falls into the wrong hands.

In October of 2023, the Federal Trade Commission warned people with a lot of social media followers they might be the target of scammers. These scammers would come up with fake job offers of offering to pay them for product promotion as “brand ambassadors.” But in reality the scammers are after personal and financial information.

Typically, the scammers say they’ll send you free products and pay you large amounts of money to promote those products in your social media posts. All you have to do is to accept the offer and give them your personal and banking information so they can pay you.

What the scammers are really after can vary from cleaning out the influencers’ bank accounts to taking over their social media accounts. “If you provide us with your login credentials, you don’t have to do the work, we’ll post the promotional content ourselves.”

The scammers will then leave the influencer behind with an account that has a bad reputation and lost a good part of its followers.

Some good news might come from the regulation side. The governments of ten nations have called on social media operators to improve their ability to detect and prevent fraud on their platforms. Australia, Canada, France, Germany, Italy, Japan, New Zealand, the Republic of Korea, Singapore, the United Kingdom, and the United States did this because:

“Fraudsters operate at scale, exploiting telecommunications networks, cyberspace and a population that spends an increasing amount of time online.”

In a communiqué issued as a result of the Global Fraud Summit, which also included representatives from INTERPOL, the Financial Action Task Force, the UN Office on Drugs and Crime, and the European Union, the partakers listed 29 action points that should help reduce online fraud.

It will be hard to accomplish this goal but as we have seen, similar actions led to a promising decline in robocalls. Australia also reported progress towards their vision of making Australia the world’s hardest target for scammers with, for example, a 38% decrease in losses due to investment scams.

What can influencers do to protect themselves

• Always assume that if it’s too good to be true, then it’s probably not true.
• Never give out your personal or financial information without doing proper research first.
• Contact the company directly to confirm the offer. Use a phone number or contact method you know to be legitimate.
• Check if the person contacting you is using an email address that’s affiliated with the company they claim to represent.
• Don’t let any person or app create posts on social media on your behalf.
• Don’t let scammers rush you into decisions. They will always claim it’s urgent or you need to act fast.

Check your digital footprint

If you want to find out how much of your data has been exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

We don’t just report on threats – we help protect your social media

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Cyrus, powered by Malwarebytes.