IT NEWS

Emergency update! Apple patches three zero-days

Apple has released security updates for several products to address a handful of zero-day vulnerabilities that may already have been used by criminals. Updates are available for:

The updates may already have reached you in your regular update routines, but it doesn’t hurt to check if your device is at the latest update level. If a Safari update is available for your device, you can get it by updating your iPhone or iPad or updating your Mac.


The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs patched in these updates are:

  • CVE-2023-41991, a certificate validation issue that could allow a malicious app to bypass signature validation.
  • CVE-2023-41992, a flaw that could be used by a local attacker to elevate their privileges.
  • CVE-2023-41993, a problem with processing web content that could be used for arbitrary code execution.

Apple says that all these vulnerabilities may have been actively exploited against versions of iOS before iOS 16.7.

It’s important to note that CVE-2023-41993 is a vulnerability in WebKit. WebKit is the browser engine behind Safari on Macs and behind every browser on iOS and iPadOS, where all web browsers are obliged to use it. It is also the web browser engine used by Mail, App Store, and many other apps on macOS, iOS, and Linux.

All three vulnerabilities were credited to the same researchers—Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School, and Maddie Stone of Google’s Threat Analysis Group. The Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs & Public Policy, University of Toronto, focusing on research and development at the intersection of information and communication technologies, human rights, and global security. It is renowned for its research of the use of spyware against journalists, activists, and dissidents.

About two weeks ago, we reported about two Apple issues that were added by CISA to its catalog of known exploited vulnerabilities. Those vulnerabilities were also discovered as zero-days by CitizenLab. Together, these two vulnerabilities were found to be used in an attack chain dubbed BLASTPASS. The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim and was reportedly used by the NSO Group to deliver the Pegasus spyware.

It is not hard to see how these three new vulnerabilities could be used to compromise a device just by viewing specially crafted malicious web content, so it’s highly recommended to install these updates at your earliest convenience, especially iPhone users with a high profile threat model.


We don’t just report on iOS security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your iOS devices by downloading Malwarebytes for iOS today.

Involved in a data breach? Here’s what you need to know

If you’ve received a message from a company saying your data has been caught up in a breach, you might be unsure what to do next. We’ve put together some tips which should help you when the (more or less) inevitable happens.

1. Check the company’s advice

Every breach is different, so check the company’s official channels to find out what’s happened and what data has been breached. Organizations often put out a rolling statement on their website, blog, or X (Twitter). Follow any specific advice they offer first, and keep an eye out for any further communications.

2. Change your password

If your password has been caught up in a breach, you should immediately change it. If you’ve used the same password on another site or service then you also need to change that. Cybercriminals will often try one password on multiple sites because they know people reuse them, so make sure you use a different password for every single site you have an account on. If you don’t already use one, it’s worth considering a password manager, which will generate and store passwords for you so you don’t have to remember them all in your head.

3. Enable multi-factor authentication

Multi-factor authentication (MFA) adds an extra layer of security when logging in to your online accounts, and stops anyone from logging in with just your password. One of the most common ways of adding MFA to your online accounts is with an app—such as Google Authenticator, Authy, or Microsoft Authenticator—which generates a code that you enter into the site you’re logging into. You can also use SMS MFA, where you are sent a code via text that you then enter into the website, or a hardware key such as a YubiKey which you plug into your computer. 

It’s worth bearing in mind that a code can be phished as easily as a password so code-based MFA can’t protect you from phishing, but it’s still much better to have it turned on than not use it at all. Remember to never give an MFA code to anyone else, even if they pressure you into revealing it.

4. Freeze your credit report

If you’re in the US, a credit freeze stops new creditors and potential thieves from accessing your credit report. Credit freezes must be set (and removed) at each of the three bureaus.

5. Set up credit monitoring

Credit monitoring tracks your credit report and borrowing behavior and alerts you if anything changes. A breached company may offer this as a service to you, but you can also get different levels of monitoring solutions, depending on your individual need.

6. Watch out for scammers

Scammers often try to take advantage of data breaches. They know that the breached company is likely to be contacting victims, and that the victims will be looking out for emails from the company. It’s easy to spoof an email to make it look like it comes from somewhere else, and then send someone malware or a link to a phishing site.

We suggest you monitor the company’s website for information about the breach and be very sceptical of messages that appear to come from that company. All the usual advice applies: Look for inconsistencies, odd email addresses, and strange links, and watch out for the two major red flags: urgency and a request for money or personal information.



Steer clear of cryptocurrency recovery phrase scams

The dangers of cryptocurrency phishing are back in the news, after tech investor Mark Cuban was reported to have lost around $870k via a phishing link. Cuban lost a combination of coin types as asset movement flagged up after months of inactivity from his wallet.

Cuban discovered some of the transactions taking place and was able to save about $2.5m of tokens by logging in and sending what remained to a safe location.

As for the specifics of the phishing tactic deployed, Cuban is reported as saying he may have downloaded a bogus wallet tool via a search engine query. Accidentally falling victim to rogue downloads in search engine results is an ancient technique, but as we can see here, it paid off big time for the scammers. 

Fake tools and websites for cryptocurrency are common. You’ll see them in search engines, download portals, even promoted on social media.

As an example of this, a simple search for “metamask download” reveals sites claiming to offer MetaMask extensions for various browsers and mobile devices.


The fake MetaMask site is a secret recovery phrase phish. The site claims:

MetaMask cannot recover your password. We will use your secret recovery phrase to validate your ownership, restore your wallet, and set up a new password. First, enter the secret recovery phrase that you were given when you created your wallet. You can paste your entire secret recovery phrase below.


Of all the things you never want to do where cryptocurrency management is concerned, pasting your recovery phrase into a random website has to be somewhere near the top of the list. No matter the third party website, offer, video, service, or any form of giveaway: don’t do it. You’re handing the scammer the keys to your cryptocurrency kingdom.

It’s a similar deal for random extensions asking to connect to your wallet. You could well be granting access in ways that you’ll quickly come to regret.


Anyone can fall victim to a cryptocurrency scam, whether you’re just starting out or a billionaire tech professional holding a huge amount of digital currency in reserve.

Thanks to Jerome for finding this.



DoppelPaymer ransomware group suspects identified

The German police in cooperation with the US Secret Service have executed search warrants against suspected members of the DoppelPaymer ransomware group in Germany and Ukraine.

In March of 2023, we reported how the German Regional Police and the Ukrainian National Police, with support from Europol, the Dutch Police, and the United States Federal Bureau of Investigation (FBI), apprehended two suspects and seized computer equipment.

Since then, cybercrime group specialists from the North Rhine-Westphalia State Criminal Police Office (LKA NRW), together with the Cybercrime Central and Contact Point (ZAC NRW), carried out another targeted strike against people associated with the criminal network.

Two men in particular became the focus during blockchain investigations by the LKA NRW and the US Secret Service. They are a 44-year-old Ukrainian who apparently held a key position within the organization and a 45-year-old man from southern Germany who is suspected of having received suspicious funds, possibly originating from ransomware attacks.

Cryptocurrency investigators use specialized strategies to track down criminals. The investigators use tools to collect evidence, trace funds through the blockchain, and try to determine who converted them into fiat currencies. Although cryptocurrency is anonymous, that doesn’t mean it’s untraceable. All the transactions are recorded on a public ledger, which provides a treasure trove of data to search, analyze, and categorize.
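The "trace funds through the blockchain" step described above comes down to following transaction outputs forward from a known address until they land somewhere that can be attributed, typically a deposit address at a custodial exchange. The following is an added example, not code from the LKA NRW, the US Secret Service or Malwarebytes: a breadth-first trace over a constructed, simplified ledger (one spending address per transaction, invented addresses and amounts, and made-up exchange labels standing in for real attribution data).

```python
from collections import deque

# Constructed sample ledger. Each entry spends from one address and pays out to one or more.
# Addresses, amounts and the exchange labels are invented for this example.
SAMPLE_TXS = [
    {"txid": "t1", "from": "ransom_wallet", "outputs": {"hop_a": 8.0, "hop_b": 2.0}},
    {"txid": "t2", "from": "hop_a", "outputs": {"hop_c": 7.9}},
    {"txid": "t3", "from": "hop_c", "outputs": {"exch_deposit_1": 7.8}},
    {"txid": "t4", "from": "hop_b", "outputs": {"hop_d": 1.0, "hop_e": 1.0}},
    {"txid": "t5", "from": "hop_e", "outputs": {"exch_deposit_2": 0.95}},
]
# Attribution data an investigator would hold: deposit addresses known to belong to a
# custodial service, where account records can tie the deposit to a person.
KNOWN_LABELS = {"exch_deposit_1": "ExchangeA", "exch_deposit_2": "ExchangeB"}


def build_graph(txs):
    """Adjacency list: spending address -> [(destination, amount, txid), ...]."""
    graph = {}
    for tx in txs:
        graph.setdefault(tx["from"], [])
        for dest, amount in tx["outputs"].items():
            graph[tx["from"]].append((dest, amount, tx["txid"]))
    return graph


def trace_funds(txs, source, labels, max_hops=10):
    """Follow outputs forward from `source` (BFS). Returns the labelled cash-out points that
    were reached and the unlabelled dead ends where funds are still parked."""
    graph = build_graph(txs)
    cashouts, dead_ends = [], []
    queue = deque([(source, [source], [], None)])   # (address, path, txids, amount arriving)
    seen = {source}
    while queue:
        addr, path, txids, amount = queue.popleft()
        if addr in labels:
            cashouts.append({"entity": labels[addr], "address": addr, "hops": len(path) - 1,
                             "amount": amount, "path": path, "txids": txids})
            continue                                  # stop at the attributable endpoint
        outgoing = graph.get(addr, [])
        if not outgoing:
            dead_ends.append({"address": addr, "amount": amount, "path": path})
            continue
        if len(path) - 1 >= max_hops:
            continue                                  # cap depth on busy graphs
        for dest, out_amount, txid in outgoing:
            if dest not in seen:
                seen.add(dest)
                queue.append((dest, path + [dest], txids + [txid], out_amount))
    cashouts.sort(key=lambda c: -(c["amount"] or 0))
    return {"cashouts": cashouts, "dead_ends": dead_ends}


if __name__ == "__main__":
    result = trace_funds(SAMPLE_TXS, "ransom_wallet", KNOWN_LABELS)
    for c in result["cashouts"]:
        print(f'{c["entity"]}: {c["amount"]} after {c["hops"]} hops via {" -> ".join(c["path"])}')
    for d in result["dead_ends"]:
        print(f'unresolved: {d["amount"]} sitting at {d["address"]}')
```

Real chains add complications the example leaves out on purpose: transactions with many inputs (which merge funds from different sources), change outputs returning to the spender, and mixing services; those are handled with heuristics on top of the same forward walk.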

Over the years, DoppelPaymer claimed responsibility for a high-profile ransomware attack on Kia Motors America. The gang was also responsible for a costly attack on the St. Lucie County sheriff’s department, the Dutch Institute for Scientific Research (NWO), and the Illinois Attorney General’s office. Other victims attacked by DoppelPaymer in the past include Compal, PEMEX (Petróleos Mexicanos), the City of Torrance in California, Newcastle University, Hall County in Georgia, Banijay Group SAS, and Bretagne Télécom.

Since March of 2021, DoppelPaymer has been missing from our monthly ransomware reviews, and the last known leak site address we had on record for them has been taken offline.

During their active period (2017 – 2021), more than 600 victims worldwide were extorted, some of them up to double-digit millions. The investigations by the German authorities, which have been ongoing since 2020, led to the international public search for Igor Olegovich Turashev and Igor Garshin in March 2023. Both of these suspects are currently on EUROPOL’s “Most-Wanted” list. The suspicion against a third person could not be sufficiently substantiated during further investigations, so the public search was withdrawn.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

The mystery of the CVEs that are not vulnerabilities

A researcher specializing in software supply chain security, Dan Lorenc, recently raised an interesting topic on LinkedIn: 138 new vulnerabilities in open-source projects were all entered into the CVE database on the same day.

To understand what the problem is there are a few things you’ll need to know.

  • CVSS – The Common Vulnerability Scoring System (CVSS) is a system widely used in vulnerability management programs. CVSS indicates the severity of an information security vulnerability, and is an integral component of many vulnerability scanning tools.
  • CVE – Common Vulnerabilities and Exposures (CVE) is a list of publicly disclosed vulnerabilities and exposures that is maintained by MITRE.
  • NVD – The National Vulnerability Database (NVD) is a database, maintained by the National Institute of Standards and Technology (NIST), that is fully synchronized with the MITRE CVE list.

The Common Vulnerabilities and Exposures (CVE) database is used to list publicly disclosed computer security flaws. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

The NVD provides enhanced information above and beyond what’s in the CVE list, including patch availability and severity scores. NVD also provides an easier mechanism to search on a wide range of variables.

The way it should work is that vulnerabilities are first discovered, then reported to the CVE Program. The reporter requests a CVE ID, which is then reserved for the reported vulnerability. Once the reported vulnerability is confirmed by the identification of the minimum required data elements for a CVE record, the record is published to the CVE List.

Details include but are not limited to affected product(s); affected or fixed product versions; vulnerability type, root cause, or impact; and at least one public reference.

When you register a CVE you typically get it with the year you request it and so new CVE IDs would start with CVE-2023. However, Lorenc says that an unknown party has submitted a bunch of CVEs which are backdated and have a high CVSS score.

For example, CVE-2020-19909 was listed as an integer overflow vulnerability in tool_operate.c in curl 7.65.2 via a large value as the retry delay.

listing of one of the disputed CVEs

In the screenshot you can see that the entry is marked “DISPUTED”.

In his blog, Daniel Haxx, a Swedish open source developer and curl maintainer, explains that this is not a security vulnerability. It was, in fact, a bug that was reported and fixed in 2019. Haxx criticizes the NVD for not trying very hard to actually understand the problems they grade.

As Lorenc pointed out, it looks as if a bot or AI has been scraping old issues and commits and filing them in an automated fashion, without ever getting maintainers involved.

The problem is that many have automated scanning for vulnerabilities or are using specialized vulnerability triage or management platforms. When no maintainers are involved or even notified about these non-issues, they may live on. Many of these scanners will not see or disregard the “DISPUTED” status and will end up wasting a lot of precious time that could have been spent on actual vulnerabilities.
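The two tells described above, a CVE ID whose year is far older than its publication date and a description carrying the “DISPUTED” marker, are both machine-checkable, so a triage pipeline has no excuse for pushing such entries to the top of the queue on CVSS alone. The following is an added example, not code from Malwarebytes, NVD or MITRE: a small pre-filter over records in a simplified shape (id, published date, description, base score). The record layout is an assumption standing in for whatever your feed returns, the disputed marker follows the `** DISPUTED **` prefix NVD uses in descriptions, and the scores and dates below are constructed for the example rather than copied from NVD.

```python
import re

CVE_ID = re.compile(r"^CVE-(\d{4})-\d{4,}$")

# Constructed sample records (simplified shape; scores and dates are made up for the example).
SAMPLE_RECORDS = [
    {"id": "CVE-2020-19909", "published": "2023-08-22",
     "description": "** DISPUTED ** Integer overflow vulnerability in tool_operate.c in curl "
                    "7.65.2 via a large value as the retry delay.",
     "cvss": 9.8},
    {"id": "CVE-2023-41993", "published": "2023-09-21",
     "description": "Processing web content may lead to arbitrary code execution.",
     "cvss": 8.8},
    {"id": "CVE-2023-41991", "published": "2023-09-21",
     "description": "A malicious app may be able to bypass signature validation.",
     "cvss": 5.5},
]

PRIORITY_ORDER = {"act": 0, "track": 1, "review": 2}


def triage(record, max_id_lag_years=1, act_threshold=7.0):
    """Classify one record: 'review' if disputed/rejected or backdated, otherwise by score."""
    match = CVE_ID.match(record["id"])
    if not match:
        raise ValueError(f"not a CVE id: {record['id']!r}")
    id_year = int(match.group(1))
    published_year = int(record["published"][:4])
    text = record["description"].lstrip().upper()
    flags = []
    if text.startswith("** DISPUTED **"):          # NVD's marker for disputed entries
        flags.append("disputed")
    if text.startswith("** REJECT **"):            # NVD's marker for withdrawn entries
        flags.append("rejected")
    if published_year - id_year > max_id_lag_years:
        flags.append("backdated")                  # ID from an old year, published much later
    if flags:
        priority = "review"                        # a human looks before any scanner alarm fires
    elif record["cvss"] >= act_threshold:
        priority = "act"
    else:
        priority = "track"
    return {"id": record["id"], "cvss": record["cvss"], "flags": flags,
            "priority": priority, "id_lag_years": published_year - id_year}


def triage_all(records):
    """Order the queue: actionable first, then tracked, then entries needing human review."""
    return sorted((triage(r) for r in records),
                  key=lambda t: (PRIORITY_ORDER[t["priority"]], -t["cvss"]))


if __name__ == "__main__":
    for t in triage_all(SAMPLE_RECORDS):
        print(f'{t["id"]}  cvss={t["cvss"]}  {t["priority"]:6}  flags={t["flags"]}')
```

Note that the filter deliberately does not lower the score of a disputed entry; it only keeps a 9.8 from being auto-ticketed until someone has read the maintainer's side, which is the step the automated filings skipped.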

The question that remains: Is there a fundamental problem with the CVE reporting process which allows for the automated submission of bogus vulnerabilities?

Let’s say that the experts agree that any form of automated filing of CVEs without any previous contact with the developers/maintainers of the list completely misses the whole point of getting vulnerabilities fixed before they are made public. And filing vulnerabilities that are in fact bugs that were resolved long ago is a weird form of fear mongering.

Knowing this can happen, by accident or on purpose, warrants more robust checking than simply looking for the minimum required data elements for a CVE record.



The privacy perils of the Metaverse

A recently released report from New York University claims that the Metaverse, an all-in-one virtual online space, poses a potentially major risk to user privacy. This is because headsets and other similar devices can collect an incredible amount of personal, physical and biometric information. The user isn’t always aware of the collection, or how it could be used in ways they don’t expect.

It’s worth asking at this point: what is the Metaverse?

Most folks would think of Mark Zuckerberg and Meta, with a virtual reality headset thrown in for good measure. Others may associate it with “game hub” style online places to meet others taking place on their computer screens only. For some, mobile devices making use of augmented or mixed reality will be their first association.

The truth is that “Metaverse” can incorporate any or all of these different aspects. While some people hope for a world of entirely connected systems, the reality is that this is not going to happen for a very long time and may not happen at all. In fact, the Metaverse overall is not in the most robust of health, with proclamations of its demise across the web.

While it continues to struggle on, it’s still worth considering some of the potential privacy pitfalls waiting for any curious users. A good chunk of these come from the gaming space, and in particular advergaming (the art of displaying targeted adverts inside of virtual realms).

When playing a virtual reality game, the headset is an important part of gameplay. It typically contains several cameras (pointing both in and out), along with various sensors and microphones. These tools all help to track eye movements, interact with the digitally realised space around the user, and assist the game to keep track of what the player is doing.

While this is generally fine for an offline game with no data being sent elsewhere, once additional first or third-party systems are introduced this can become a risk. Is an ad network layered across the game? How does the network serve targeted ads? What is it tracking? Is player data sent to the advertisers, or does the game provider start building up a profile for non-gaming purposes? Is any of this disclosed?

This is just one basic example. Now consider that all of those eye movements, those motions, those biometrics are also up for grabs in terms of being able to build up pictures of users.

The research notes that Meta’s approach is more about harvesting user data (via profiles) for targeted ads. Apple, meanwhile, shifts its cost toward expensive high-end devices instead of purely advertising. Additionally, Apple does not collect eye-movement data whereas Meta “disclaims responsibility for the data practices of third-party developers with whom the company shares user data”.

Even so, Apple has not yet revealed what it intends to do with face-tracking and body-motion data. The researchers note that the company’s upcoming Vision Pro device does not yet have a detailed privacy policy.

This is just one small consideration of the upcoming data collection landscape where Metaverse is concerned. However, with the downsizing in expectation for these virtual worlds as a whole, these issues may not be as far reaching as they potentially could have been.

The report comes with numerous recommendations for safety features and privacy functionality, some of which have existed in video game/VR circles for some time now, though not always with success.

For example, Meta ran into several problems with regard to sexual harassment in virtual spaces. One of many issues was that a “bubble” around users in VR realms can prevent others from harassing or getting too close. Bafflingly, this wasn’t enabled in Meta as a default setting until the damage was already done.

Child safety is also another concern, given that headset use isolates the user and makes it harder for parents to see at a glance what their child may be doing.

Gaming platforms and consoles often come with a wide range of granular privacy and security controls. In VR, these controls aren’t always obvious and users may not know how to reach them. For example, hiding names, blurring faces, preventing the sending of data to unwanted third-parties and so on. These options should always be clear and evident to whoever happens to be using the device.

The full report is available to read here. Metaverse may not be the hot property it once was, but it’s still worth learning about the possible dangers and privacy risks inherent in the headset.



Microsoft AI researchers accidentally exposed terabytes of sensitive data

Warnings about including credentials, keys, and tokens when sharing code on publicly accessible repositories shouldn’t be necessary. It should speak for itself that you don’t just hand over the keys to your data. But what if a misconfiguration ends in a supposed internal storage account becoming suddenly accessible to everyone?

That’s how Microsoft managed to leak access to 38 terabytes of data.

Wiz Research found that Microsoft’s AI research team, while publishing a bucket of open-source training data on GitHub, accidentally exposed 38 terabytes of additional private data — including a disk backup of two employees’ workstations. The backups contained sensitive data, including passwords to Microsoft services, secret keys, and over 30,000 internal Microsoft Teams messages from 359 Microsoft employees.

An Azure feature called Shared Access Signature (SAS) tokens, which allows users to share data from Azure Storage accounts, was the source of the problem.

A SAS token can be used to restrict:

  • What resources a client can access
  • What operations a client can perform (read, write, list, delete)
  • What network a client can access from (HTTPS, IP address)
  • How long a client has access (start time, end time)

Blob storage is a type of cloud storage for unstructured data. A “blob,” which is short for Binary Large Object, is a mass of data in binary form. Azure Storage SAS tokens are essentially strings that allow access to Azure Storage services in a secure manner. They are a type of URI (Uniform Resource Identifier) that offer specific access rights to specified Azure Storage resources, like a blob, or a whole range of blobs.

A Microsoft employee shared a URL for a blob store in a public GitHub repository while contributing to open-source AI learning models. This URL included an overly-permissive SAS token for an internal storage account.

The URL allowed access to more than just the open-source models. It was configured to grant permissions on the entire storage account, thus exposing the additional sensitive data by mistake.

But exposing sensitive data is not even the worst that could have happened, Wiz explains.

“An attacker could have injected malicious code into all the AI models in this storage account, and every user who trusts Microsoft’s GitHub repository would’ve been infected by it.”

After Wiz shared its findings with Microsoft on June 22, 2023 Microsoft revoked the SAS token two days later.

Microsoft stated that:

“The information that was exposed consisted of information unique to two former Microsoft employees and these former employees’ workstations. No customer data was exposed, and no other Microsoft services were put at risk because of this issue. Customers do not need to take any additional action to remain secure.”

Microsoft also said that as a result of Wiz’s research, it has expanded GitHub’s secret scanning service, which monitors all public open source code changes for plaintext exposure of credentials and other secrets, to include any SAS token that may have overly permissive expirations or privileges.

Best practices for SAS tokens

Allowing others to learn from their mistakes, Microsoft shared some tips on working with SAS URLs.

  • Apply the principle of least privilege: Scope SAS URLs to the smallest set of resources required by clients (e.g. a single blob), and limit permissions to only those needed by the application (e.g. read-only, write-only).
  • Use short-lived SAS: Always use a near-term expiration time when creating a SAS, and have clients request new SAS URLs when needed. Azure Storage recommends one hour or less for all SAS URLs.
  • Handle SAS tokens carefully: SAS URLs grant access to your data and should be treated as an application secret. Only expose SAS URLs to clients who need access to a storage account.
  • Have a revocation plan: Associate SAS tokens with a stored access policy for fine-grained revocation of a SAS within a container. Be ready to remove the stored access policy or rotate storage account keys if a SAS or shared key is leaked.
  • Monitor and audit your application: Track how requests to your storage account are authorized by enabling Azure Monitor and Azure Storage Logs. Use a SAS Expiration Policy to detect clients using long-lived SAS URLs.
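Every one of the properties in the list above is visible in the SAS URL itself, because a SAS is just a signed set of query parameters (`ss`/`srt` for account scope, `sr` for the resource, `sp` for permissions, `st`/`se` for the validity window, `spr` for the protocol, `sip` for the IP range). That makes leaked SAS URLs auditable by a secret scanner without ever calling Azure. The following is an added example, not code from Microsoft, Wiz or Malwarebytes: a Python audit that applies those best practices to a URL and reports what it finds. The two sample URLs are constructed (invented account name, path and a fake `sig` value); one mimics the kind of long-lived, account-wide token described in the article and the other a single-blob, read-only, one-hour token.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample SAS URLs. Account name, paths and signatures are invented; "sig" is not a real HMAC.
SAMPLE_URLS = [
    # Account SAS: every service (ss), every resource type (srt), every permission, expires in 2051.
    "https://exampleaccount.blob.core.windows.net/?sv=2021-06-08&ss=bfqt&srt=sco"
    "&sp=rwdlacupx&se=2051-10-06T05:42:41Z&spr=https&sig=FAKESIG",
    # Service SAS: one blob (sr=b), read-only, one-hour window, HTTPS only.
    "https://exampleaccount.blob.core.windows.net/models/weights.bin?sv=2021-06-08&sr=b&sp=r"
    "&st=2023-09-20T09:00:00Z&se=2023-09-20T10:00:00Z&spr=https&sig=FAKESIG",
]
DEMO_NOW = datetime(2023, 9, 20, 9, 30, tzinfo=timezone.utc)   # fixed clock for the demo
MAX_LIFETIME = timedelta(hours=1)                               # Azure Storage's recommendation above

PERMISSION_NAMES = {"r": "read", "l": "list", "w": "write", "d": "delete", "a": "add",
                    "c": "create", "u": "update", "p": "process", "x": "permanent delete",
                    "t": "tag", "f": "filter", "i": "set immutability"}


def parse_sas_time(value):
    """SAS times are ISO 8601 UTC; the date-only form is also accepted by the service."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def audit_sas_url(url, now=None, max_lifetime=MAX_LIFETIME):
    """Check one URL against the least-privilege / short-lived / HTTPS guidance. Returns
    'findings' (things to fix) and 'notes' (informational)."""
    now = now or datetime.now(timezone.utc)
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in q:
        return {"url": url, "is_sas": False, "findings": [], "notes": ["no sig parameter: not a SAS URL"],
                "acceptable": True}
    findings, notes = [], []
    # Scope: an account SAS (ss/srt) spans the whole storage account, as in the leak described above.
    if "srt" in q or "ss" in q:
        findings.append(f"account SAS (services={q.get('ss', '')}, resource types={q.get('srt', '')}): "
                        "whole-account scope")
    elif q.get("sr") == "c":
        findings.append("container-wide scope (sr=c); prefer a single blob (sr=b)")
    # Permissions: anything beyond read/list lets the holder change what others download.
    mutating = set(q.get("sp", "")) - {"r", "l"}
    if mutating:
        findings.append("mutating permissions: " + ", ".join(sorted(PERMISSION_NAMES.get(p, p) for p in mutating)))
    # Lifetime: one hour or less is the recommendation; decades is the failure mode.
    expiry = parse_sas_time(q.get("se", ""))
    if expiry is None:
        findings.append("missing or unparseable expiry (se)")
    elif expiry <= now:
        notes.append("already expired")
    elif expiry - now > max_lifetime:
        findings.append(f"long-lived: expires in {(expiry - now).days} days")
    # Transport: when spr is absent the token is accepted over plain HTTP as well.
    if q.get("spr", "https,http").lower() != "https":
        findings.append("plain HTTP allowed (spr not restricted to https)")
    if "sip" not in q:
        notes.append("no IP restriction (sip)")
    return {"url": url, "is_sas": True, "findings": findings, "notes": notes, "acceptable": not findings}


def audit_samples(now=DEMO_NOW):
    return [audit_sas_url(u, now=now) for u in SAMPLE_URLS]


if __name__ == "__main__":
    for report in audit_samples():
        print("OK " if report["acceptable"] else "BAD", urlsplit(report["url"]).path or "/")
        for f in report["findings"]:
            print("   -", f)
```

The signature itself cannot be verified offline (that needs the account key), but the audit does not need it: the scanner's job is to spot a URL that should never have been committed, and scope, permissions and expiry are all in the clear.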

Wiz advises against the external usage of SAS tokens.

“[SAS] tokens are very hard to track, as Microsoft does not provide a centralized way to manage them within the Azure portal. In addition, these tokens can be configured to last effectively forever, with no upper limit on their expiry time. Therefore, using Account SAS tokens for external sharing is unsafe and should be avoided.”



Compromised Free Download Manager website was delivering malware for years

In a public announcement, Free Download Manager has acknowledged that a specific web page on its site was compromised by a Ukrainian cybercrime group, exploiting it to distribute malware.

Free Download Manager is—unsurprisingly—a download manager for Windows, macOS, Android, and Linux that allows users to manage their downloads and lets them grab large files, torrents, music, and videos.

In the announcement the service says the actual security incident took place in 2020. So why was the issue only recently discovered?

First and foremost, the cybercriminals only redirected users that aimed for the Linux version of the software.

Not all of these visitors were redirected to the malicious domain. They were “fingerprinted” based on as yet unknown criteria and only some were served the malicious Debian package. According to Free Download Manager the compromised website contained an exception list of IP addresses from various subnets, including those associated with Bing and Google. Visitors from these IP addresses were always given the correct download link.

Furthermore, the victims received a fully functional Free Download Manager, so they had no reason to assume that something was amiss, even though some users reported errors that said “Waiting for process: crond” when they tried to shut down or reboot their system.

According to the statement made by Free Download Manager:

“It’s estimated that much less than 0.1% of our visitors might have encountered this issue.”

The number of victims might even have been less, if it weren’t for the fact that several posts on social media, Reddit, StackOverflow, YouTube, and Unix Stack Exchange, pointed to the malicious domain as a reliable source for getting the Free Download Manager tool.

Unfortunately, malware scanners for Linux are considered useless by many home users, and only some companies add them to their endpoint security solution. So, there is not much overlap to be expected between the users of Free Download Manager and those that have deployed an anti-malware solution for Linux systems.

Debian packages are typically used to install software on Debian-based Linux distributions, including Ubuntu. The malicious package dropped an information-stealing script and a crond backdoor that established a reverse shell to the C2 server. Crond is a daemon used to execute cron jobs in the background. It is a service process that handles and executes commands to run automated tasks (cron jobs) in accordance with a specified schedule.

The stealer in question was after system information, browsing history, saved passwords, cryptocurrency wallet files, as well as credentials for cloud services (AWS, Google Cloud, Oracle Cloud Infrastructure, Azure).

Remediation

The compromised Free Download Manager website has been replaced. All the Free Download Manager users who downloaded FDM for Linux between 2020 and 2022 should scan their computers for malware.

Malwarebytes Browser Guard users will receive a warning when they try to visit this domain.

Browser Guard blocks fdmpkg.org

Indicators of Compromise (IOCs):

File hashes (SHA-256):

  • b77f63f14d0b2bde3f4f62f4323aad87194da11d71c117a487e18ff3f2cd468d
  • 2214c7a0256f07ce7b7aab8f61ef9cbaff10a456c8b9f2a97d8f713abd660349
  • 93358bfb6ee0caced889e94cd82f6f417965087203ca9a5fce8dc7f6e1b8a3ea
  • d73be6e13732d365412d71791e5eb1096c7bb13d6f7fd533d8c04392ca0b69b5

File locations:

  • /etc/cron.d/collect
  • /var/tmp/crond
  • /var/tmp/bs
  • /var/tmp/atd

IP and domain:

  • 172.111.48.101
  • fdmpkg.org
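For the "scan their computers" step in the remediation advice, the indicators above are enough to write a check that does not depend on a Linux anti-malware product being installed. The following is an added example, not code from Free Download Manager or Malwarebytes: it looks for the published file paths, hashes everything under the directories where the dropped files were reported (`/var/tmp`, `/etc/cron.d`) against the published SHA-256 values, flags cron.d entries that launch something from `/var/tmp` (a heuristic based on the reported `/etc/cron.d/collect` entry, not a published indicator), and matches the domain and IP against log lines. The `build_demo_tree` helper creates a constructed directory layout so the scanner can be tried offline; the sample log lines and the file contents in that tree are invented and are not the real malware.

```python
import hashlib
import tempfile
from pathlib import Path

# Indicators as published by Free Download Manager (listed above).
IOC_SHA256 = {
    "b77f63f14d0b2bde3f4f62f4323aad87194da11d71c117a487e18ff3f2cd468d",
    "2214c7a0256f07ce7b7aab8f61ef9cbaff10a456c8b9f2a97d8f713abd660349",
    "93358bfb6ee0caced889e94cd82f6f417965087203ca9a5fce8dc7f6e1b8a3ea",
    "d73be6e13732d365412d71791e5eb1096c7bb13d6f7fd533d8c04392ca0b69b5",
}
IOC_PATHS = ["/etc/cron.d/collect", "/var/tmp/crond", "/var/tmp/bs", "/var/tmp/atd"]
IOC_NETWORK = {"fdmpkg.org", "172.111.48.101"}
SCAN_DIRS = ["/var/tmp", "/etc/cron.d"]          # where the dropped files were reported to live

# Constructed sample log lines (DNS/connection log format is invented for the example).
SAMPLE_LOG = [
    "2023-09-12T10:15:02Z query A fdmpkg.org from 10.0.0.23",
    "2023-09-12T10:15:03Z query A deb.debian.org from 10.0.0.23",
    "2023-09-12T10:15:09Z connect 10.0.0.23 -> 172.111.48.101:443",
]


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_filesystem(root="/", ioc_paths=IOC_PATHS, ioc_hashes=IOC_SHA256, scan_dirs=SCAN_DIRS):
    """Return findings: published paths that exist, files whose SHA-256 matches a published
    hash, and cron.d files that run something out of /var/tmp (heuristic)."""
    root = Path(root)
    findings = []
    for ioc in ioc_paths:
        candidate = root / ioc.lstrip("/")
        if candidate.exists():
            findings.append({"type": "path", "path": str(candidate)})
    for d in scan_dirs:
        directory = root / d.lstrip("/")
        if not directory.is_dir():
            continue
        for f in directory.rglob("*"):
            if not f.is_file() or f.is_symlink():
                continue
            try:
                digest = sha256_of(f)
            except OSError:                    # unreadable file: skip rather than abort the scan
                continue
            if digest in ioc_hashes:
                findings.append({"type": "hash", "path": str(f), "sha256": digest})
    cron_dir = root / "etc/cron.d"
    if cron_dir.is_dir():
        for f in cron_dir.iterdir():
            if f.is_file() and "/var/tmp/" in f.read_text(errors="replace"):
                findings.append({"type": "cron", "path": str(f)})
    return findings


def match_network_indicators(log_lines, indicators=IOC_NETWORK):
    """Plain substring match of the published domain/IP against proxy, DNS or firewall lines."""
    return [{"indicator": ind, "line": line.strip()}
            for line in log_lines for ind in sorted(indicators) if ind in line]


# Constructed fixture so the scanner can be exercised without touching the real filesystem.
DEMO_CONTENT = b"constructed sample file, not the real malware"
DEMO_SHA256 = hashlib.sha256(DEMO_CONTENT).hexdigest()


def build_demo_tree():
    root = Path(tempfile.mkdtemp(prefix="fdm-ioc-demo-"))
    (root / "var/tmp").mkdir(parents=True)
    (root / "etc/cron.d").mkdir(parents=True)
    (root / "var/tmp/crond").write_bytes(DEMO_CONTENT)
    (root / "etc/cron.d/collect").write_text("* * * * * root /var/tmp/crond\n")
    return str(root)


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for finding in scan_filesystem(demo_root):          # pass root="/" on a real host
        print(finding)
    for hit in match_network_indicators(SAMPLE_LOG):
        print(hit)
```

Run it as root against `/` on a machine that installed FDM for Linux in the affected period; a hash hit is definitive, a path or cron hit is worth a look since the names (`crond`, `atd`) were chosen to blend in with legitimate daemons that normally live elsewhere.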


Ransomware group steps up, issues statement over MGM Resorts compromise

The recent attack on MGM Resorts generated lots of speculation with regard to what the cause was. Some folks claimed the culprit was ransomware. Well, confirmation is now forthcoming as an affiliate of the BlackCat/ALPHV ransomware group is said to be the one responsible for the attack and subsequent outage.

The statement is quite long, takes a few digs at MGM Resorts, and seeks to correct what the group feels to be inaccurate statements made by security vendors and others with regard to the attack.


It begins:

Statement on MGM Resorts International: Setting the record straight

9/14/2023, 7:46:49 PM

We have made multiple attempts to reach out to MGM Resorts International, “MGM”. As reported, MGM shut down computers inside their network as a response to us. We intend to set the record straight.

No ransomware was deployed prior to the initial take down of their infrastructure by their internal teams. 

MGM made the hasty decision to shut down each and every one of their Okta Sync servers after learning that we had been lurking on their Okta Agent servers sniffing passwords of people whose passwords couldn’t be cracked from their domain controller hash dumps. Resulting in their Okta being completely locked out. Meanwhile we continued having super administrator privileges to their Okta, along with Global Administrator privileges to their Azure tenant. They made an attempt to evict us after discovering that we had access to their Okta environment, but things did not go according to plan. 

On Sunday night, MGM implemented conditional restrictions that barred all access to their Okta (MGMResorts.okta.com) environment due to inadequate administrative capabilities and weak incident response playbooks. Their network has been infiltrated since Friday. Due to their network engineers’ lack of understanding of how the network functions, network access was problematic on Saturday. They then made the decision to “take offline” seemingly important components of their infrastructure on Sunday.

As with so many break-ins, this one begins with a social engineering attack. There have been claims on social media that it was done by finding an employee on LinkedIn and calling the helpdesk for what would presumably be a password reset attempt. However, the statement is quite light with regard to the specifics:

We are unable to reveal if PII information has been exfiltrated at this time. If we are unable to reach an agreement with MGM and we are able to establish that there is PII information contained in the exfiltrated data, we will take the first steps of notifying Troy Hunt from HaveIBeenPwned.com. He is free to disclose it in a responsible manner if he so chooses.

The rumors about teenagers from the US and UK breaking into this organization are still just that—rumors. We are waiting for these ostensibly respected cybersecurity firms who continue to make this claim to start providing solid evidence to support it. Starting to the actors’ identities as they are so well-versed in them.

There are also claims that the attackers still have access to the MGM Resorts network, despite the shutdown and clean up operation taking place:

The ALPHV ransomware group has not before privately or publicly claimed responsibility for an attack before this point. Rumors were leaked from MGM Resorts International by unhappy employees or outside cybersecurity experts prior to this disclosure. Based on unverified disclosures, news outlets made the decision to falsely claim that we had claimed responsibility for the attack before we had.

We still continue to have access to some of MGM’s infrastructure. If a deal is not reached, we shall carry out additional attacks.  We continue to wait for MGM to grow a pair and reach out as they have clearly demonstrated that they know where to contact us.

We’ve written about BlackCat/ALPHV many times on the Malwarebytes Labs Blog. Their range is large, with high-publicity takedowns ranging from major cosmetics firms and leaked hospital photographs to point of sale outages and video game publishers.

In this specific case, Bleeping Computer describes the alleged group behind the chaos as “Scattered Spider”. This particular group has a fondness for social engineering tactics used to slip into corporate networks. They don’t just use password reset impersonation, but also phishing, SIM swapping (hijacking someone’s mobile number), and even MFA fatigue, where the aim is to bombard an employee with so many authentication prompts that they eventually approve one.

An interesting development, then. Even so, with so much speculation and claim/counterclaim flying around, it’s probably best to keep an open mind on these latest developments. The truth will out one way or another, but the biggest concern has to remain the potential theft and leakage of data belonging to those who have used MGM Resorts facilities.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.


ThemeBleed exploit is another reason to patch Windows quickly

Included in the September 2023 Patch Tuesday updates was a fix for a vulnerability which has been dubbed ThemeBleed. A Proof-of-Concept (PoC) exploit has been released by Gabe Kirkpatrick, one of the researchers acknowledged for reporting the vulnerability.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The ThemeBleed vulnerability was listed as CVE-2023-38146: a Windows Themes Remote Code Execution (RCE) vulnerability.

Microsoft assigned a CVSS score of 8.8 (out of 10) and gave it a severity rating of “Important”, saying:

“An attacker would need to convince a targeted user to load a Windows Themes file on a vulnerable system with access to an attacker-controlled SMB share.”

A .theme file is a configuration (.ini) text file that is divided into sections, which specify visual elements that appear on a Windows desktop. Section names are wrapped in brackets ([]) inside the .ini file. A .theme file enables you to change the appearance of certain desktop elements.

A related file format, .themepack, was introduced with Windows 7 to help users share themes. A .themepack must include your .theme file, as well as the background picture, screen saver, and icons files.

Themes can be selected in the Personalization Control Panel only on Windows 7 Home Premium or higher, or on Windows Server 2008 R2 when the Desktop component is installed.

The ThemeBleed exploit is based on a race condition that can be triggered by opening a specially crafted .theme file. A race condition, or race hazard, is the behavior of a system where the output depends on the sequence or timing of other uncontrollable events. It becomes a bug when events do not happen in the order the programmer intended.

A .theme file contains references to .msstyles files, which should contain no code, only the graphical resources that are loaded when the .theme file referencing them is opened.

The researcher found that invoking a check of the theme version calls the ReviseVersionIfNecessary function, which does not safely load a signed DLL (_vrf.dll): the DLL file is closed after its signature has been verified and then re-opened when the DLL is loaded via a call to LoadLibrary. During that interval the file could be replaced by a malicious version, a classic time-of-check to time-of-use (TOCTOU) race.
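The verify-close-reopen pattern at the heart of this race, reduced to a runnable model beside its hardened form. This is an added example, not the researcher’s PoC and not Windows code: a SHA-256 allow-list stands in for the Authenticode check, the byte strings are constructed, and a hook called between check and use stands in for the window in which the file on disk changes.

```python
import hashlib
import os
import tempfile
from typing import Callable, Tuple

# Constructed stand-ins: ThemeBleed checks an Authenticode signature on
# _vrf.dll; here a SHA-256 allow-list plays that role.
TRUSTED_DLL = b"MZ-constructed-trusted-verification-dll"
REPLACED_DLL = b"MZ-constructed-unsigned-replacement"
TRUSTED_DIGESTS = {hashlib.sha256(TRUSTED_DLL).hexdigest()}

def verify_bytes(data: bytes) -> bool:
    """Stand-in for the signature check: only allow-listed content passes."""
    return hashlib.sha256(data).hexdigest() in TRUSTED_DIGESTS

def load_vulnerable(path: str, race_window: Callable[[], None]) -> bytes:
    """Check by name, close, then open the name again: the second open is unchecked."""
    with open(path, "rb") as f:
        if not verify_bytes(f.read()):
            raise PermissionError("signature check failed")
    race_window()                       # the file on disk may change here
    with open(path, "rb") as f:         # second open by name, like LoadLibrary
        return f.read()

def load_hardened(path: str, race_window: Callable[[], None]) -> bytes:
    """Open once, verify the bytes actually read, and use those same bytes."""
    with open(path, "rb") as f:
        data = f.read()
    if not verify_bytes(data):
        raise PermissionError("signature check failed")
    race_window()                       # a change on disk no longer matters
    return data

def demo(swap: bool) -> Tuple[bytes, bytes]:
    """Return (vulnerable loader's bytes, hardened loader's bytes); swap=True replaces the file in the window."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "_vrf.dll")
        def race_window() -> None:
            if swap:                    # simulate replacement inside the window
                tmp = path + ".tmp"
                with open(tmp, "wb") as g:
                    g.write(REPLACED_DLL)
                os.replace(tmp, path)
        with open(path, "wb") as g:
            g.write(TRUSTED_DLL)
        vulnerable = load_vulnerable(path, race_window)
        with open(path, "wb") as g:     # restore the trusted file for the second run
            g.write(TRUSTED_DLL)
        hardened = load_hardened(path, race_window)
    return vulnerable, hardened
```

With swap=True the vulnerable loader ends up using the replaced content even though its check passed, while the hardened loader uses only what it verified; for a real DLL the equivalent fix is to verify the image through the same handle that is mapped, never re-resolving the path.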

Another problem concerns the ‘mark-of-the-web’ (MOTW) warning that is triggered when a user downloads a theme from the web. MOTW was originally an Internet Explorer security feature. It broadened out into a way for Windows devices to raise a warning when interacting with files downloaded from who-knows-where, and over time it even contributed to preventing certain types of files from running. However, this could be bypassed if the attacker wrapped the theme into a .themepack file: when a .themepack file is used, the contained .theme opens automatically without serving the MOTW warning.

While Microsoft’s fix has removed the functionality that triggers the theme version check to avoid the race condition, it has not fixed the more fundamental problem in the verification procedure of .msstyles files. Nor has it added MOTW warnings to .themepack files.

The researcher notes that the vulnerability appears to be only present in Windows 11.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.