IT NEWS

Google Authenticator WILL get end-to-end encryption. Eventually.

Following criticism, Google has decided to bring end-to-end encryption (E2EE) to its Google Authenticator cloud backups. The search giant recently introduced a feature that allows users to back up two-factor authentication (2FA) tokens to the cloud, but the lack of encryption caused some commentators to warn people off using it.

Google Authenticator is an authenticator app used to generate access codes, called one-time passwords (OTPs). These OTPs are only valid for a short period and are generated on demand. They serve as an additional form of authentication by proving that you have access to the device generating the OTP. Google Authenticator is one of the most well-known authenticators. Although it’s made by Google it’s not limited to Google’s own services, but can also be used with Facebook, Twitter, Instagram, and many more.

On April 24, 2023, Google announced an update across both iOS and Android, which added the ability to safely back up the secrets used to generate OTPs to your Google Account. This allows users to create a backup which they can use if their device is lost, stolen, or damaged. Since OTPs in Google Authenticator were previously only stored on a single device, a loss of that device locked you out of any service where you used it to log in.

Shortly after the new feature was rolled out, Mysk’s security researchers advised against turning on the new feature. They analyzed the network traffic that occurs when the app syncs the secrets, and found out that the traffic was not end-to-end encrypted. This would mean that in case of a data breach or if someone obtains access to your Google Account, all of your OTP secrets would be compromised, and they would be able to generate OTPs as if they were you.
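To show why the seed, rather than the phone, is the sensitive item in a backup, here is an added example (not Google's or Mysk's code) implementing the standard TOTP algorithm that Google Authenticator uses (RFC 6238: HMAC-SHA-1, 6 digits, 30-second steps) together with the server-side check that makes a single code short-lived; the seed is the RFC test vector, not a real account secret.

```python
"""TOTP codes come from the seed, not the phone (added illustration, RFC 6238).

Constructed example: the 20-byte seed below is the RFC 4226/6238 test vector,
not a real account secret. Whoever holds a copy of the seed (e.g. from an
unencrypted backup) computes exactly the same codes as the original device.
"""
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test seed ("12345678901234567890"): constructed input.
TEST_SEED = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step).

    Google Authenticator's defaults are SHA-1, 6 digits and a 30-second step.
    """
    return hotp(key, int(for_time) // step, digits)


def seed_from_base32(secret: str) -> bytes:
    """Decode a base32 seed as carried in otpauth:// URIs, tolerating spaces and missing padding."""
    s = secret.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def verify_code(key: bytes, submitted: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step and `window` steps either side.

    This is why one code is only briefly useful, while a stolen seed is
    permanently useful: it yields a fresh valid code for every step.
    """
    counter = int(now) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(key, c), submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    # The "phone" and a party holding the backed-up seed agree on the code.
    print("device :", totp(TEST_SEED, now))
    print("backup :", totp(seed_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"), now))
```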

The likelihood of someone stealing the secret seeds from Google’s servers is relatively small, but since it is better to be safe than sorry and one less problem is always welcome, users asked Google to add a passphrase to protect the secrets. This would introduce an extra safeguard that makes them accessible only to their owner.

Google’s primary objection to this method was that it heightens the risk of users getting completely locked out of their own data. This means that if you lost your device and the passphrase, you would lose all access to your accounts.

Google Group Product Manager Christiaan Brand tweeted that end-to-end encryption (E2EE) will be made available for Google Authenticator down the line, but they are rolling out this feature carefully.

According to Google, the option to use the app offline will remain an alternative for those who prefer to manage their backup strategy themselves. But, if you want to try the new Authenticator with Google Account synchronization, simply update the app and follow the prompts.


Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Google takes CryptBot to the wood shed

Google is in the midst of a legal campaign designed to take down the creators of a very persistent piece of malware called CryptBot. This malware, which Google claims compromised roughly 670k computers, set about infecting users of the Chrome browser. Unfortunately for the malware campaign operators, Google’s not impressed.

This legal campaign focuses on shutting down domains associated with the stealer. The lawsuit unsealed this week reveals Google’s line of approach for tackling CryptBot’s alleged primary distributors, located in Pakistan.

It’s easy to see what piqued Google’s interest in this infection campaign. A big part of the CryptBot tactics on display involved offering up cracked or modified versions of popular Google products. The products were secretly infected with CryptBot, which would then go on to try and plunder credentials from the infected systems. From the complaint document:

(The) defendants’ criminal scheme is perpetrated via a pay-per-install (“PPI”) network known as “360installer,” which fosters the creation of websites that offer illegally modified software (“Cracked Software Sites”).

These websites offer software infected with CryptBot malware, such as maliciously modified versions of Google Chrome and Google Earth Pro, and also cracked third party software. The Malware Distribution Enterprise operated by Defendants in this case is one of the primary means of spreading the CryptBot malware to new victims.

Google highlights that CryptBot targets users of Chrome. When it notices Chrome is installed on a PC, it attempts to “locate, collect, and extract user credentials saved to Chrome”. This can be logins, authentication methods, private data, and several types of payment information, such as card details and cryptocurrencies.

This attempt at a takedown by Google isn’t just focused on the code side of things. There’s also a trademark component, and the search giant is none too happy about their familiar product icons being used for malware-related purposes. From the blogpost:

The legal complaint is based on a variety of claims, including computer fraud and abuse and trademark infringement. To hamper the spread of CryptBot, the court has granted a temporary restraining order to bolster our ongoing technical disruption efforts against the distributors and their infrastructure. The court order allows us to take down current and future domains that are tied to the distribution of CryptBot. This will slow new infections from occurring and decelerate the growth of CryptBot.

As The Register notes, this goes beyond the usual restraining order approach, where URL registries falling under the court’s jurisdiction must shut down rogue domains. Hardware and virtual machines can be turned off, network providers can kill server connections powering CryptBot, and steps can be taken to keep the infrastructure offline permanently.

In other words, the CryptBot folks are in a lot of trouble. The complaint states that this action is being brought under the Racketeer Influenced and Corrupt Organisations (RICO) act, Computer Fraud and Abuse Act (CFAA), Lanham Act, and New York state common law. RICO alone, intended to deal with the dismantling of organised crime, should be enough to give the ringleaders pause for thought. Everything else is just a bonus.



Oracle WebLogic Server vulnerability added to CISA list as “known to be exploited”

On May 1, 2023 the Cybersecurity and Infrastructure Security Agency (CISA) added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

This means that Federal Civilian Executive Branch (FCEB) agencies are obliged to remediate the vulnerabilities by May 22, 2023. For the rest of us it means “pay attention”: anyone else running a vulnerable system should remediate as quickly as possible too.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs added by CISA were:

  • CVE-2023-1389 is a vulnerability in TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219. Affected versions contain a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request.
  • CVE-2021-45046 is a very old Apache Log4j2 deserialization of untrusted data vulnerability that still works on enough unpatched servers to be listed.
  • CVE-2023-21839 affects Oracle WebLogic Server. It can lead to an unauthenticated attacker with network access gaining unauthorized access to “critical data or complete access to all Oracle WebLogic Server accessible data.”

We would like to zoom in on that last vulnerability for a few reasons.

  • First of all because Oracle WebLogic is a very widespread Java application server and has always been a popular entrance to networks for cybercriminals.
  • The vulnerability is easily exploitable. Even for copycats, since there are proof-of-concepts (PoCs) available and exploits are incorporated in pen-testing tools.
  • The scope of the vulnerability. There is a real risk that a remote, unauthenticated attacker can fully compromise the server in order to steal confidential information, install ransomware, and turn to the rest of the internal network.

Oracle WebLogic Suite is an application server for building and deploying enterprise Java EE applications which is fully supported on Kubernetes. That makes it easy to use on-premises or in the cloud. The companies using Oracle WebLogic are most often found in the United States and in the Information Technology and Services industry.

In Oracle’s January security advisory you will notice that five researchers are credited with finding and reporting CVE-2023-21839. This may be due to the fact that Oracle issues patches in a quarterly cycle, where many others publish updates monthly. This means that researchers have more time to find new vulnerabilities, but they also have to keep quiet about them for longer. Nevertheless, five separate instances could indicate that this vulnerability was not hard to find.

What’s even worse is that the vulnerability is easy to exploit. The published exploits target the Listen Port for the Administration Server. The protocol used with this port is T3—Oracle’s proprietary Remote Method Invocation (RMI) protocol, which transfers information between WebLogic servers and other Java programs. An unauthorized attacker with remote access can send a crafted request to a vulnerable WebLogic server and upload a file via an LDAP server, which essentially allows the attacker to run reverse shells on the target. A reverse shell or “connect-back” shell opens communications with the attacker and allows them to execute commands, which enables them to take control of the system.

Update now

Affected versions of Oracle WebLogic Server are 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0. A patch for this vulnerability is available on the Oracle support site for those that have an Oracle account.

Oracle always strongly recommends that you do not expose non-HTTPS traffic (T3/T3s/LDAP/IIOP/IIOPs) outside of the external firewall. You can control this access using a combination of network channels and firewalls.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

How to keep your ChatGPT conversations out of its training data

Last week, OpenAI announced it had given ChatGPT users the option to turn off their chat history. ChatGPT is a “generative AI”, a machine learning algorithm that can understand language and generate written responses. Users can interact with it by asking questions, and the conversations users have with it are in turn stored by OpenAI so they can be used to train its machine learning models. This new control feature allows users to choose which conversations to use to train OpenAI models.

“Conversations that are started when chat history is disabled won’t be used to train and improve our models, and won’t appear in the history sidebar,” the company said in the announcement. “When chat history is disabled, we will retain new conversations for 30 days and review them only when needed to monitor for abuse, before permanently deleting.”

Prior incidents involving ChatGPT may have prompted these changes. Early this month, reports revealed Samsung employees had erroneously shared confidential company information with ChatGPT. Before this, OpenAI took ChatGPT offline after it exposed some chat histories to others using the tool at the same time. This incident earned the attention of a data protection agency in Italy, which then ordered a temporary ban for the AI, pending an investigation.

Along with its announcement, OpenAI also revealed a ChatGPT Business subscription that will keep users’ input out of its training data. “ChatGPT Business will follow our API’s data usage policies, which means that end users’ data won’t be used to train our models by default,” the company said.

How to opt out of OpenAI’s training data

Log in to ChatGPT and click the three dots next to your name to open a menu.

ChatGPT hamburger menu button

Choose Settings from the menu.

ChatGPT menu

The Settings menu will appear in the middle of the screen. Click Show next to Data Controls to expand the window, and then toggle the switch next to Chat History & Training to the off position to stop your data being used to train ChatGPT.

Users can also export their chat history for local storage by clicking the Export data text in the expanded Settings window. Users will receive an email with a button link to the file containing all of their conversations.

ChatGPT settings menu

Note that disabling Chat History & Training also turns off ChatGPT’s conversation history feature. Chats created after disabling the option won’t appear in the history sidebar, but cached conversations found in the sidebar of the page remain.

ChatGPT chat history is off



Upcoming webinar: Is EDR or MDR better for your business?

Don’t miss our upcoming webinar on EDR vs. MDR!

In the webinar, Marcin Kleczynski, CEO and co-founder of Malwarebytes, and guest speaker Joseph Blankenship, Vice President and research director at Forrester, discuss topics such as:

  • The difference between EDR and MDR, how EDR solutions can be challenging for businesses without dedicated security teams, and why building an in-house SOC can be expensive and difficult.
  • The limitations of Endpoint Protection and EDR, specifically when it comes to advanced threats like ransomware that use Living off the Land (LOTL) attacks and fileless malware.
  • How MDR providers work with clients to understand their security technology stack, make recommendations, and agree on response actions to take.
  • If EDR or MDR is better for your business based on the resources you have available and the level of security you require.

Want to learn more about EDR and MDR and which is right for your business? Be sure to catch the full webinar on Wednesday, May 10, 2023 at 10 am PT / 1 pm ET and get valuable insights from industry experts on how to improve your security operations and protect against ransomware and fileless malware.

Register now!

Read also:

How to choose an MDR vendor: 6 questions to ask

Is an outsourced SOC worth it? Looking at the ROI of MDR

Cyber threat hunting for SMBs: How MDR can help

Is it OK to train an AI on your images, without permission?

Website owners are once again at war with tools designed to scrape content from their sites. An AI scraper called img2dataset is scouring the Internet for pictures that can be used to train image-generating AI tools.

These generators are increasingly popular text-to-image services, where you enter a suggestion (“A superhero in the ocean, in the style of Van Gogh”) and it produces a visual to match. Since the system’s “understanding” of images is a direct result of what it was trained on, there is an argument that what it produces consists of bits and pieces of all that training data. There’s a good chance there may be legal issues to consider, too. This is a major point of contention for artists and creators of online content generally. Visual artists don’t want their work being sucked up by AI tools (that make someone else money) without permission.

Unfortunately for the French creator of img2dataset, website owners are very much dissatisfied with his approach to harvesting images.

The free program “turns large sets of image URLs into an image dataset”. It’s claimed the tool can “download, resize, and package 100 million URLs in 20 hours on one machine”. That’s a lot of URLs.

What’s aggravating site owners is that the tool is ignoring assumed good netiquette rules. Way back in 1994, “robots.txt” was created as a polite way to let crawlers know which bits of a website they were allowed to pay a visit to. Search engines could be told “Yes please”. Other kinds of crawlers could be told “No thank you”. Many rogues would simply ignore a site’s robots.txt file, and end up with a bad reputation as a result.

This is one of the main complaints where img2dataset is concerned. Website owners contend that it is not feasible to tell every tool in existence that they wish to opt out; rather, the tool should be opt-in. This is a reasonable concern, especially as site owners would essentially be responsible for adding ever more entries to their code on a daily basis.

One site owner had this to say, in a mail sent to Motherboard:

I had to pay to scale up my server, pay extra for export traffic, and spent part of my weekend blocking the abuse caused by this specific bot.

Elsewhere, you can see a deluge of complaints from site owners on the tool’s “Issues” discussion page. Issues of consent, custom headers, even talk of the creator being sued: It’s chaos over there.

If you’re a site owner who isn’t keen on img2dataset paying a visit, there are a number of ways you can tell it to keep a respectful distance. From the opt-out directives section:

Websites can use these HTTP headers: “X-Robots-Tag: noai”, “X-Robots-Tag: noindex”, “X-Robots-Tag: noimageai”, and “X-Robots-Tag: noimageindex”. By default, img2dataset will ignore images with such headers.

However, the FAQ also says this for users of the img2dataset tool:

To disable this behaviour and download all images, you may pass “--disallowed_header_directives '[]'”

This does exactly what it suggests, ignoring the “please leave me alone” warning and grabbing all available images. It’s no wonder, then, that website owners are currently so hot and bothered by this latest slice of website scraping action. With little apparent interest in robots.txt from the creator, and workarounds to ensure users can grab whatever they like, this is sure to rumble on.
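The header check quoted from the FAQ above, and the empty-list override that switches it off, as an added example (this is not img2dataset’s own code; it re-implements the documented behaviour, and the handling of crawler-scoped values such as “googlebot: noindex” and of argument-taking directives such as “unavailable_after” is an assumption drawn from the general X-Robots-Tag syntax):

```python
"""Honouring X-Robots-Tag opt-out directives (added illustration).

Not img2dataset's own code: a re-implementation of the behaviour its FAQ
describes. Responses carrying X-Robots-Tag values noai, noimageai, noindex
or noimageindex are skipped by default, and an empty directive list (the
'--disallowed_header_directives []' override) switches the check off.
"""
from typing import Iterable, List, Mapping, Optional, Sequence, Tuple, Union

# Default opt-out directives, as listed in the img2dataset FAQ.
DEFAULT_DISALLOWED = ("noai", "noimageai", "noindex", "noimageindex")

# Directives that take a 'name: value' argument, so a leading 'name:' is not a
# crawler scope (assumption based on the general X-Robots-Tag syntax).
_ARG_DIRECTIVES = {"unavailable_after", "max-snippet", "max-image-preview", "max-video-preview"}


def parse_x_robots_tag(values: Iterable[str]) -> List[Tuple[Optional[str], str]]:
    """Split header values into (crawler_scope, directive) pairs.

    The header may be sent more than once, each value may be a comma-separated
    list, and an optional leading 'crawler:' token scopes that value to one
    crawler (e.g. 'googlebot: noindex'); scope None means "all crawlers".
    """
    pairs: List[Tuple[Optional[str], str]] = []
    for value in values:
        scope: Optional[str] = None
        body = value
        head, sep, tail = value.partition(":")
        if sep and "," not in head and head.strip().lower() not in _ARG_DIRECTIVES:
            scope, body = head.strip().lower(), tail
        for token in body.split(","):
            directive = token.strip().lower()
            if directive:
                pairs.append((scope, directive))
    return pairs


def is_disallowed(
    headers: Mapping[str, Union[str, List[str]]],
    *,
    disallowed: Sequence[str] = DEFAULT_DISALLOWED,
    user_agent: Optional[str] = None,
) -> bool:
    """True if the response opts out under `disallowed` (header name and values case-insensitive).

    A directive scoped to another crawler is ignored only when the caller
    names its own `user_agent`; with no name given, every scope is honoured.
    """
    if not disallowed:  # the '[]' override: download regardless of headers
        return False
    values: List[str] = []
    for name, value in headers.items():
        if name.lower() == "x-robots-tag":
            values.extend(value if isinstance(value, list) else [value])
    blocked = {d.lower() for d in disallowed}
    me = user_agent.lower() if user_agent else None
    for scope, directive in parse_x_robots_tag(values):
        if scope is not None and me is not None and scope != me:
            continue  # addressed to a different crawler
        if directive in blocked:
            return True
    return False


if __name__ == "__main__":
    # Constructed response headers, not captured traffic.
    opted_out = {"Content-Type": "image/jpeg", "X-Robots-Tag": "noai, noimageai"}
    print(is_disallowed(opted_out))                 # True: skipped by default
    print(is_disallowed(opted_out, disallowed=[]))  # False: the override ignores it
```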



A week in security (April 24 -30)

Last week on Malwarebytes Labs:



How to protect your small business from social engineering

When Alvin Staffin received an email from his boss, he didn’t question it. In the email, Gary Bragg, then-president of Pennsylvania law firm O’Neill, Bragg & Staffin, asked Staffin to wire $580,000 to a Bank of China account. Staffin, who was VP and in charge of banking, sent the money through as asked. An hour later, he realized the request was fraudulent—he hadn’t been contacted by Bragg at all.

A hacker had gained access to Bragg’s email account and used it, along with information they’d learned about an ongoing loan transaction, to pose as Staffin’s boss. Nothing in the exchange made Staffin suspect that something was off until he called Bragg, who was out of town at the time, to discuss the transfer.

Both Staffin and his employer were victims of business email compromise (BEC), also known as CEO fraud, a type of social engineering attack. Social engineering attacks are cyberattacks where a criminal tricks a victim into doing something against their interests, such as revealing sensitive information or making a bank transfer.

BEC is one of the most damaging forms of social engineering attacks faced by small businesses. In the 2022 Internet Crime Report, the FBI ranked it as the second most damaging fraud, in terms of financial losses, after investment fraud.

The common forms of social engineering used by criminals are pretexting, phishing, baiting, and tailgating. Pretexting involves creating a false identity and situation to trick victims into providing information or access (BEC is a form of pretexting). Phishing attacks try to trick victims into giving away sensitive information, such as login credentials, using emails and websites designed to look like they belong to a person or business the victim trusts, such as their bank. Baiting is when malware-infected devices, such as USB sticks, are left in public places, in the hope that victims will take them and use them. Lastly, tailgating is when a fraudster follows an authorized person into a restricted area without proper authorization.

Protecting your business from social engineering

Securing a small business from social engineering attacks is an ongoing effort that requires constant vigilance. Because social engineering relies on a criminal’s powers of persuasion, your staff’s vigilance is your first line of defence. Security software forms a vital second line, protecting your business from some social engineers’ tools, such as phishing sites, and from social engineering attacks designed to deliver malware.

Your first priority should be to empower employees to be confident in identifying and effectively responding to social engineering tactics.

  • Run regular training to help employees understand how to properly recognize and respond to social engineering. Consider testing your staff, too, and follow up with further education for anyone who fails the test.
  • Use at least two people for financial transactions. Social engineering attacks try to isolate and hurry staff so they act without thinking. Create checks in your processes to prevent that.
  • Create an intentional culture of security so that security practices come naturally to your staff. Encourage people to report suspicious activity sooner rather than later, avoid punishing staff who fall for social engineering so that others are not afraid to be accountable, and lead by example.
  • Use endpoint security to protect against the effects of baiting attacks, to block phishing sites, and to detect malware delivered by social engineering.
  • Monitor threat intelligence to understand current and emerging threats that could affect your business.


Microsoft: You’re already using the last version of Windows 10

Microsoft issued a client roadmap update on Thursday to remind us once again that Windows 10 support is slowly coming to an end. In less than three years, all Windows 10 users will need to have moved to Windows 11. While moving to Windows 11 should be a win for security, some Windows 10 fans may be a little nervous. Upgrading isn’t always straightforward, and exacting hardware requirements weigh heavily on Windows 11.

According to the update, the company intends the current version of Windows 10, version 22H2, to be the last edition of the operating system (OS). That means no more new and significant features for Windows 10. Instead, interesting changes and enhancements will be incorporated into Windows 11. PCMag highlighted that this process is already underway.

Microsoft will continue to release monthly security updates for Windows 10 until October 14, 2025. After that, it will officially pull the plug for consumer users but not for organizations signed up to the Long Term Servicing Channel. Support for them will extend beyond the deadline for up to 10 years. From Microsoft’s description:

The Long-Term Servicing Channel (LTSC) is designed for Windows 10 devices and use cases where the key requirement is that functionality and features don’t change over time. Examples include medical systems (such as those used for MRI and CAT scans), industrial process controllers, and air traffic control devices. We designed the LTSC with these types of use cases in mind, offering the promise that we will support each LTSC release for 10 years, and that features and functionality will not change over the course of that 10-year lifecycle.

Microsoft recommends Windows 10 users switch to Windows 11 if they haven’t already done so. Despite that, Windows 10 remains hugely popular, with a 69 percent share of Windows desktops, globally. Windows 11 trails significantly with just 18 percent, not far off Windows 7, which still accounts for nine percent.

Windows 11’s low numbers may soon change as the sunset date approaches, which would be good news for security. Microsoft’s latest OS makes multiple improvements over what’s available in Windows 10. Microsoft’s approach has been to create a chain of trust that ensures the integrity of the entire hardware and software stack, from the ground up. Many of the links in that chain rely on Virtualization Based Security (VBS), a technology that creates secure sandboxes isolated from the main OS. Doing that requires hardware-based virtualization features, which is why Windows 11 has such stringent hardware requirements.

Windows 11 also includes a more efficient way of warding off phishing attacks; warnings when users type passwords into notepad files and other programs; and a default account lockout policy to combat the dangers of Remote Desktop Protocol (RDP) brute force attacks, an automated attack wherein hackers try to guess a user’s passwords remotely, over RDP.

And, soon, Windows 11 will allow app developers to tap into its built-in human presence detection (HPD) capabilities to create and share unique experiences. HPD is a new feature that allows touch-free logins of laptops. It also automatically locks the device when a user walks away from it, giving them much-needed privacy. Of course, this feature can only be used if your laptop has the hardware to support it.



LockBit and Cl0p ransomware gangs actively exploiting Papercut vulnerabilities

A few days ago we wrote about two vulnerabilities found in PaperCut application servers. As we noted, exploitation was fairly simple so there was some urgency to install the patches. My esteemed colleague Chris Boyd literally wrote:

“Arbitrary code can be deployed, or even ransomware if that’s part of the attacker’s toolkit.”

As it turns out, there are already two flavors of ransomware preying on those that haven’t updated yet.

A Cl0p affiliate, branded as DEV-0950 by Microsoft, has already incorporated the PaperCut exploits into its attacks. This affiliate has also been known to use the GoAnywhere zero-day that basically brought Cl0p back from the dead last month.

In a surprising turn of events for the ransomware landscape, Cl0p emerged as the most used ransomware in March 2023, coming out of nowhere to dethrone the usual frontrunner, LockBit.

Known ransomware attacks in March 2023, listed by gang

But don’t rule the habitual frontrunner LockBit out just yet. Microsoft Threat Intelligence said in a tweet that it’s “monitoring other attacks also exploiting these vulnerabilities, including intrusions leading to Lockbit deployment.”

PaperCut is printing management software that works by intercepting print jobs as they pass into a print queue. It’s used by large companies, state organizations, and education institutes because it is compatible with all major printer brands and platforms. This makes a vulnerability, especially one that is as easy to exploit, a virtual goldmine for ransomware peddlers, and puts a bullseye on anyone that is running an unpatched server.

Both the underlying vulnerabilities have been addressed with patches. If you update your PaperCut application servers, you are no longer at risk. From the Updating FAQ:

  • Please follow your usual upgrade procedure. Additional links on the ‘Check for updates’ page (accessed through the Admin interface > About > Version info > Check for updates) will allow customers to download fixes for previous major versions which are still supported (e.g. 20.1.7 and 21.2.11) as well as the current version available.
  • If you are using PaperCut MF, we highly recommend following your regular upgrade process. Your PaperCut partner or reseller information can also be found on the ‘About’ tab in the PaperCut admin interface.

If you’re unable to upgrade, PaperCut advises the following:

  • Block all inbound traffic from external IPs to the web management ports (9191 and 9192 by default)
  • Block all traffic inbound to the web management portal on the firewall to the server. Note: this will prevent lateral movement from internal hosts but management of the PaperCut service can only be performed on that asset.
  • Apply “Allow list” restrictions under Options > Advanced > Security > Allowed site server IP addresses. Set this to only allow the IP addresses of verified Site Servers on your network. Note this only addresses ZDI-CAN-19226 / PO-1219.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.
