
Malvertising via Dynamic Search Ads delivers malware bonanza

Most, if not all, malvertising incidents result from a threat actor either injecting code within an existing ad, or intentionally creating one. Today, we look at a different scenario where, as strange as that may sound, the malvertising was entirely accidental.

The reason this happened was due to the combination of two separate factors: a compromised website and Google Dynamic Search Ads.

Unbeknownst to the site owner, one of their ads was automatically created to promote a popular program for Python developers, and visible to people doing a Google search for it. Victims who clicked on the ad were taken to a hacked webpage with a link to download the application, which turned out to install over a dozen different pieces of malware instead.

Compromised website promotes software crack

While we identified the compromised ad before the website, we will first describe what happens from the point of view of the site owner to better understand what led to the ad creation in the first place.

This website is for a business that specializes in wedding planning and their portfolio includes testimonials from previous customers sharing their story and experience. Unfortunately, some of those pages have been injected with malware that spams malicious content into them.

In particular, it changes the page’s title and creates an overlay that promotes a serial key for various software programs. For example, the screenshot below shows that overlay advertising a license key for PyCharm, a popular program used by software developers:

[Screenshot: injected overlay on the wedding planner’s website advertising a PyCharm license key]

Malvertising via Dynamic Search Ad

Dynamic Search Ads (DSA) are a type of Google ad that uses the content of a website to automate the creation of ads. While this feature is very handy for advertisers, it also comes with an unlikely but real potential for abuse. Indeed, if someone is able to modify the website’s content without the owner’s knowledge, the automated ads may be entirely misleading.


Circling back to where our investigation started, this is what we first saw when doing a Google search for ‘pycharm’. The ad’s headline shows “JetBrains PyCharm Professional” while the content snippet has gathered a bunch of keywords related to the wedding business. Obviously, there is a discrepancy here between what the ad’s title promotes (a program for developers) and the ad’s description (wedding planning).

[Screenshot: Google search result for ‘pycharm’ showing the dynamically generated ad with a wedding-planning description]

What happened here is Google Ads dynamically generated this ad from the hacked page, which makes the website owner an unintentional intermediary and victim paying for their own malicious ad.

Fake serial leads to malware bonanza

People searching for PyCharm may not take the time to read the ad’s description, but instead will simply click on the headline. From there, they will be redirected to the compromised page showing the overlay with the link to download the serial key. While not everyone will proceed at this point, those who do will have an experience they aren’t likely to forget:

[Screenshot: compromised page with the overlay and the link to download the fake serial key]

Running this installer will result in a deluge of malware infections, the likes of which we have only seen on rare occasions, rendering the computer completely unusable:

[Screenshot: the infected machine after running the installer, loaded with over a dozen pieces of malware]

Sometimes, an inexperienced criminal may want to monetize as many software loads as possible in order to earn a commission on each. Clearly this is not an elegant attack, as the victim will be aware their computer has been loaded with unwanted programs.

Whatever the case may be, downloading cracks or serial keys is akin to walking across a minefield, and you typically only do it once.

Summary

This incident is not your typical malvertising case and in fact, it’s unlikely that whoever hacked that website was even aware of this happening. Compromised sites can be monetized in many different ways and usually threat actors expect traffic to come from organic search results, not ads.

From an ad quality point of view, this would be difficult to detect in the sense that the ad has been paid for by a legitimate business and takes users to the correct destination. There is no malicious redirect to a fake domain that attempts to deceive users like we have seen before.

Google may be able to detect that the website has been compromised because it contains spam injections. If that is the case, Dynamic Search Ads may inadvertently promote malicious content.

We recommend that users practice safe browsing and always be cautious with sponsored content. Downloading cracked software has never been a good idea, but if you do, always make sure it is clean before you run it.

We have informed the wedding planner business that their website is currently compromised and leading to malicious content.

Malwarebytes already detected all the payloads with its anti-malware and heuristic engines:

[Screenshot: Malwarebytes detections for the payloads]

Indicators of Compromise

Download URL for fake serial:

eplangocview[.]com/wp-download/File.7z

Subsequent malware download URLs:

roberthamilton[.]top/timeSync[.]exe
109[.]107[.]182[.]2/race/bus50[.]exe
171[.]22[.]28[.]226/download/Services[.]exe
experiment[.]pw/setup294[.]exe
medfioytrkdkcodlskeej[.]net/987123[.]exe
171[.]22[.]28[.]226/download/WWW14_64[.]exe
185[.]172[.]128[.]69/newumma[.]exe
194[.]169[.]175[.]233/setup[.]exe
171[.]22[.]28[.]221/files/Ads[.]exe
171[.]22[.]28[.]213/3[.]exe
lakuiksong[.]known[.]co[.]ke/netTimer[.]exe
stim[.]graspalace[.]com/order/tuc19[.]exe
neuralshit[.]net/1298d7c8d865df39937f1b0eb46c0e3f/7725eaa6592c80f8124e769b4e8a07f7[.]exe
pic[.]himanfast[.]com/order/tuc15[.]exe
85[.]217[.]144[.]143/files/My2[.]exe
galandskiyher5[.]com/downloads/toolspub1[.]exe
gobr1on[.]top/build[.]exe
flyawayaero[.]net/baf14778c246e15550645e30ba78ce1c[.]exe
632432[.]space/385118/setup[.]exe
yip[.]su/RNWPd[.]exe
potatogoose[.]com/1298d7c8d865df39937f1b0eb46c0e3f/baf14778c246e15550645e30ba78ce1c[.]exe
185[.]216[.]71[.]26/download/k/KL[.]exe
walkinglate[.]com/watchdog/watchdog[.]exe
walkinglate[.]com/uninstall[.]exe
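One way a defender can put the list above to work, as an added example that is not part of the original article: the script below refangs the published indicators (the "[.]" notation), splits them into host and path, and matches them against a few constructed proxy log lines. The log format and the sample log lines are assumptions made for the illustration, and only a subset of the page’s indicators is embedded. Hits are reported per host, so a connection to a listed host on a different path is still surfaced, with a flag saying whether the full URL matched.

```python
import re
from urllib.parse import urlsplit

# Subset of the defanged indicators published in the article's IoC section
# (copied as listed; the full list is on the page).
DEFANGED_IOCS = [
    "eplangocview[.]com/wp-download/File.7z",
    "roberthamilton[.]top/timeSync[.]exe",
    "109[.]107[.]182[.]2/race/bus50[.]exe",
    "171[.]22[.]28[.]226/download/Services[.]exe",
    "experiment[.]pw/setup294[.]exe",
    "walkinglate[.]com/watchdog/watchdog[.]exe",
]

# Constructed sample proxy log: "<timestamp> <client-ip> <method> <url> <status>".
# This format is an assumption for the example, not any vendor's real log format.
SAMPLE_PROXY_LOG = [
    "2023-10-27T10:14:03Z 10.0.0.12 GET http://eplangocview.com/wp-download/File.7z 200",
    "2023-10-27T10:14:09Z 10.0.0.12 GET http://171.22.28.226/download/Services.exe 200",
    "2023-10-27T10:15:00Z 10.0.0.12 GET https://www.example.com/index.html 200",
    "2023-10-27T10:16:41Z 10.0.0.33 GET http://walkinglate.com/other.php 404",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its real form ("[.]" -> ".")."""
    return ioc.replace("[.]", ".")


def split_ioc(ioc: str) -> tuple[str, str]:
    """Return (host, path) for a refanged, scheme-less indicator such as host/dir/file.exe."""
    host, _, path = refang(ioc).partition("/")
    return host.lower(), "/" + path


def build_blocklist(iocs) -> set[str]:
    """Hosts and IPs to block at the proxy/DNS layer, derived from the indicators."""
    return {split_ioc(ioc)[0] for ioc in iocs}


def match_proxy_logs(lines, iocs):
    """Return (line_no, client, host, exact_url_match) for every log line whose
    destination host appears in the indicator list. exact_url_match is True when
    host + path equals one of the published URLs, False for a host-only match."""
    paths_by_host: dict[str, set[str]] = {}
    for ioc in iocs:
        host, path = split_ioc(ioc)
        paths_by_host.setdefault(host, set()).add(path)

    hits = []
    for line_no, line in enumerate(lines, start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        parts = urlsplit(m["url"])
        host = (parts.hostname or "").lower()
        if host in paths_by_host:
            hits.append((line_no, m["client"], host, parts.path in paths_by_host[host]))
    return hits


if __name__ == "__main__":
    for hit in match_proxy_logs(SAMPLE_PROXY_LOG, DEFANGED_IOCS):
        print(hit)
```

Running the block reports lines 1 and 2 as exact URL matches from client 10.0.0.12 and line 4 as a host-only match for walkinglate.com, which is the case worth a closer look because the published path may simply have changed.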

A week in security (October 23 – October 29)

Last week on Malwarebytes Labs:

Stay safe!


Malwarebytes Managed Detection and Response (MDR) simply and effectively closes your security resources gap, reduces your risk of unknown threats, and increases your security efficiency exponentially. Malwarebytes MDR staffs highly experienced Tier 2 and Tier 3 analysts who are hands-on with customer endpoints, ensuring critical threats are quickly identified and a thorough response is rapidly deployed.

Want to learn more about MDR? Get a free trial below.

Update now! Apple patches a raft of vulnerabilities

Apple has released security updates for its phones, iPads, Macs, watches and TVs.

Updates are available for these products:

  • iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later get iOS 17.1 or iPadOS 17.1.
  • iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later get iOS 16.7.2 or iPadOS 16.7.2.
  • iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation) get iOS 15.8 or iPadOS 15.8.
  • Macs get one of macOS Sonoma 14.1, macOS Ventura 13.6.1, macOS Monterey 12.7.1, and Safari 17.1.
  • Apple TV HD and Apple TV 4K (all models) get tvOS 17.1.
  • Apple Watch Series 4 and later get watchOS 10.1.

The important vulnerabilities that have been addressed in this raft of updates are:

CVE-2023-40423, a critical vulnerability in IOTextEncryptionFamily that could allow an app to execute arbitrary code with kernel privileges. Arbitrary code execution means an attacker could run any commands or code of their choice on a target machine or in a target process. Kernel privileges mean the attacker would have the highest level of access to all machine resources.

CVE-2023-40413, a vulnerability in Find My that could allow another to read sensitive location information.

CVE-2023-40416, a vulnerability in ImageIO which means processing an image could result in disclosure of process memory.

CVE-2023-42847, a vulnerability in Passkeys that could allow an attacker to access passkeys without authentication. A passkey is a way to sign in to an app or website account without needing to create and remember a password.

CVE-2023-42841, a vulnerability in ProRes that could allow an app to execute arbitrary code with kernel privileges.

CVE-2023-41982, CVE-2023-41997, and CVE-2023-41988 are a set of vulnerabilities in Siri that would allow an attacker with physical access to use Siri to access sensitive user data.

CVE-2023-40447 and CVE-2023-42852 are vulnerabilities in WebKit that could be used for arbitrary code execution. Visiting a specially crafted website could cause WebKit to perform operations on a memory buffer in which it reads from or writes to a memory location outside the intended boundary of that buffer.

CVE-2023-32434 is a vulnerability that could allow an app to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.

CVE-2023-41989 could allow an attacker to execute arbitrary code as root from the Lock Screen due to a vulnerability in Emoji. The issue was addressed by restricting the options offered on a locked device. Root is the superuser account in many operating systems. It is a user account for administrative purposes, and typically has the highest access rights on the system.

CVE-2023-38403 is a vulnerability in iperf3 before 3.14 that could allow peers to cause an integer overflow and heap corruption via a crafted length field. iPerf3 is a tool for active measurements of the maximum achievable bandwidth on IP networks. An integer overflow is a programming error that allows an attacker to manipulate a number the program uses in a way that might be harmful. If the number is used to set the length of a data buffer (an area of memory used to hold data), an integer overflow can lead to a buffer overflow, a vulnerability that allows an attacker to overload a buffer with more data than it’s expecting, which creates a route for the attacker to manipulate the program. Heap corruption occurs when a program modifies the contents of a memory location outside of the memory allocated to it. The outcome can be relatively benign and cause a memory leak, or it may be fatal and cause a memory fault, usually in the program that causes the corruption.

CVE-2023-42856 could be used to trigger unexpected app termination or arbitrary code execution due to a vulnerability in Model I/O. Model I/O provides the ability to access and manage 3D models.

CVE-2023-40404 could allow an app to execute arbitrary code with kernel privileges due to a vulnerability in Networking.

CVE-2023-41977 is a vulnerability in Safari that could allow a malicious website to reveal browsing history.

Notably absent from the bugs that have been fixed is iLeakage, a sophisticated side-channel attack in the Spectre family.

The updates above may already have reached you, but it doesn’t hurt to check if your device is at the latest update level. If a Safari update is available for your device, you can get it by updating or upgrading your iPhone or iPad or your Mac.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Octo Tempest cybercriminal group is “a growing concern”—Microsoft

Octo Tempest is believed to be a group of native English speaking cybercriminals that uses social engineering campaigns to compromise organizations all over the world.

Initially, the group made a name for itself by SIM swapping. SIM swapping, also known as SIM jacking, is the act of illegally taking over a target’s cell phone number. This can be done in a number of ways, but the most common ones involve social engineering attacks on the victim’s carrier.

In a security blog about Octo Tempest Microsoft states:

“Octo Tempest monetized their intrusions in 2022 by selling SIM swaps to other criminals and performing account takeovers of high-net-worth individuals to steal their cryptocurrency.”

Since then the group has expanded its range of activities to include targeting organizations providing cable telecommunications, email, and tech services, and partnering with the ALPHV/BlackCat ransomware group.

In our monthly ransomware reviews you will typically see ALPHV as the world’s third most used ransomware-as-a-service (RaaS).

[Chart: top 10 ransomware groups over the past 12 months. ALPHV was the third most used RaaS between October 2022 and September 2023]

ALPHV is a typical RaaS group where several criminal organizations work together to extort victims for data theft and/or encryption of important files. ALPHV provides the ransomware, the infrastructure for negotiating ransoms, and a dark web site where stolen data is leaked. The service is used by criminal gangs called affiliates who actually carry out attacks.

As an ALPHV affiliate, Octo Tempest focused its deployments primarily on VMWare ESXi servers and other complex hybrid environments.

Microsoft reports that in doing so, Octo Tempest progressively broadened the number of industries it targeted for extortion, including natural resources, gaming, hospitality, consumer products, retail, managed service providers, manufacturing, law, technology, and financial services.

Having Octo Tempest as an affiliate brings specialized knowledge to ALPHV, such as SMS phishing, SIM swapping, and advanced social engineering techniques. The group includes members with extensive technical knowledge and multiple hands-on-keyboard operators.

Its social engineering attacks target accounts that have sufficient administrator rights to build out an impactful attack. For example, to keep their tracks hidden, Octo Tempest will target the accounts of security personnel, which allows them to disable security products and features.

The group uses all kinds of social engineering attacks and, as a last resort, they do not shy away from threatening targets with physical violence if they fail to comply.

A unique technique used by Octo Tempest is to use the data movement platform Azure Data Factory, and automated pipelines, to extract data to external servers, aiming to blend in with typical big data operations.

Similarly, the group uses many living off the land (LOTL) techniques that make it hard to spot its activities. One of Microsoft’s recommendations is to keep close tabs on administrative changes in your environment.
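An added example, not from Microsoft’s blog or from this article, of the kind of administrative-change monitoring recommended above. It runs over a handful of constructed audit events in a simplified, hypothetical schema: the field names, the action names ("RoleAssignment.Add", "SecurityPolicy.Update", "DataPipeline.Create") and the allowlist of approved pipeline destinations are all assumptions, not any vendor’s real log format. It flags the three behaviours the text describes (a privileged role being granted, a security control being switched off, and a data pipeline being created to an unapproved destination) and escalates when one actor chains several of them within a short window.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events in a hypothetical schema (not Azure's or any
# vendor's real log format). The actor, targets and sink address are made up.
SAMPLE_AUDIT_LOG = [
    '{"time":"2023-10-25T02:11:00Z","actor":"j.doe@example.com","action":"RoleAssignment.Add",'
    '"target":"j.doe@example.com","detail":"Global Administrator"}',
    '{"time":"2023-10-25T02:14:30Z","actor":"j.doe@example.com","action":"SecurityPolicy.Update",'
    '"target":"EDR-Policy","detail":"realtime_protection=off"}',
    '{"time":"2023-10-25T02:20:05Z","actor":"j.doe@example.com","action":"DataPipeline.Create",'
    '"target":"copy-crm-export","detail":"sink=sftp://203.0.113.7/"}',
    '{"time":"2023-10-25T09:00:00Z","actor":"svc-backup@example.com","action":"DataPipeline.Create",'
    '"target":"nightly-warehouse-load","detail":"sink=internal-warehouse"}',
]

# Assumption: destinations that data pipelines are allowed to write to.
APPROVED_SINKS = {"internal-warehouse"}


def parse_event(line: str) -> dict:
    """Parse one JSON audit line and convert its timestamp to a datetime."""
    event = json.loads(line)
    event["time"] = datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def flags_for(event: dict) -> list[str]:
    """Reasons a single administrative event deserves review (empty if none)."""
    reasons = []
    action, detail = event["action"], event.get("detail", "")
    if action == "RoleAssignment.Add":
        # A role granted to oneself is a stronger signal than a grant to someone else.
        suffix = " to self" if event["target"] == event["actor"] else ""
        reasons.append("privileged role granted" + suffix)
    elif action == "SecurityPolicy.Update" and "=off" in detail:
        reasons.append("security control disabled: " + detail)
    elif action == "DataPipeline.Create":
        sink = detail.removeprefix("sink=")
        if sink not in APPROVED_SINKS:
            reasons.append("pipeline to unapproved destination: " + sink)
    return reasons


def detect(lines, window: timedelta = timedelta(hours=1)):
    """Return ({actor: [(time, reason), ...]}, {actors whose flagged events chain}).

    An actor is escalated when two consecutive flagged events of theirs fall
    within `window`, e.g. grant role -> disable EDR -> create export pipeline."""
    flagged: dict[str, list] = defaultdict(list)
    for event in sorted(map(parse_event, lines), key=lambda e: e["time"]):
        for reason in flags_for(event):
            flagged[event["actor"]].append((event["time"], reason))

    chained = set()
    for actor, items in flagged.items():
        for earlier, later in zip(items, items[1:]):
            if later[0] - earlier[0] <= window:
                chained.add(actor)
    return dict(flagged), chained


if __name__ == "__main__":
    flagged, chained = detect(SAMPLE_AUDIT_LOG)
    for actor, items in flagged.items():
        tag = "ESCALATE" if actor in chained else "review"
        for when, reason in items:
            print(f"[{tag}] {when:%Y-%m-%d %H:%M} {actor}: {reason}")
```

The per-event checks are deliberately simple; the value is in the correlation step, which is what turns three individually explainable admin changes into one incident worth paging on. The backup service account’s pipeline to an approved sink produces no flag at all.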

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.


Patch…later? Safari iLeakage bug not fixed

Apple has released updates for its phones, Macs, iPads, watches, and TV streaming devices, fixing a bunch of security problems. But amid all that activity, one fix is notably absent—there is nothing to address the vulnerability dubbed iLeakage.

iLeakage is a side-channel attack that can force the Safari browser to divulge secrets like passwords and Gmail messages.

A side-channel attack looks at the indirect effects of a computer program, or computer hardware, which can reveal things about what’s happening under the hood. It’s like a thief looking at your house and concluding from the fact that there are no lights on and the car isn’t in the driveway that you aren’t home. The lights and the empty driveway are side channels.

In the case of iLeakage, the side channel is speculative execution, a performance enhancement feature found in modern CPUs. iLeakage is just the latest in a whole family of speculative execution bugs, known as Spectre, dating back to 2017.

Virtually every modern CPU uses some kind of performance optimization where it attempts to predict what a program will do next. Once a prediction is made, the CPU will execute instructions ahead of time, so that the answer is there immediately should you need it. If the CPU realizes its prediction was wrong it has to revert all the changes it made, but sometimes speculative execution leaves traces in the CPU’s microarchitectural state, and especially the cache.

A group of cybersecurity researchers used these traces to show how an attacker can make Safari reveal sensitive information. The attacks use a malicious web page that exploits iLeakage. The page can be used to open Instagram, Gmail, YouTube, or any other website in a new tab. Behind the scenes, the same Safari computer process renders both the malicious page and the target web page, allowing the malicious page to pull information from the target, such as auto-filled passwords, using iLeakage.

Although there are no fixes for iLeakage yet, there are mitigations. Unfortunately, all of them come with significant caveats. According to the researchers, the super-secure Lockdown Mode that’s available on Apple’s Macs, phones, and tablets will disable iLeakage, but Lockdown Mode can impact performance and, as Apple points out, “When Lockdown Mode is enabled, your device won’t function like it typically does.”

You can also stop iLeakage by disabling JavaScript execution in your browser, but this will likely impact the behavior of every website you visit, making many of them unusable.

There is another mitigation that specifically targets iLeakage, but it’s macOS only and it’s not enabled by default. On top of that, the mitigation is considered unstable, and it requires users to open a terminal window, which will be beyond many users’ comfort zones. If you really want to go there, you can read the instructions on the iLeakage site, under “How can I defend against iLeakage.” We suggest that unless you’re a high value target you probably don’t need to bother, and if you are a high value target you should enable Lockdown Mode anyway.

There is no evidence that iLeakage has been abused in the wild, and figuring out how the researchers did it will be a significant undertaking for cybercriminals.



Announcing NEW Malwarebytes Identity Theft Protection

We’ve always been committed to keeping you safe and secure online. But these days, cybersecurity isn’t just about defending you from malware; it’s about protecting your—and your family’s—entire digital identity.

We know that people are worried. In fact, in our latest report, titled “Everyone’s afraid of the internet and no one’s sure what to do about it,” we found that 79% of internet users are “very concerned” about online privacy and security risks.

More specifically, we found that 81% worry that identity theft and fraud could happen to them, and 71% say that having their data leaked and identity stolen is one of their biggest fears.

So today, I’m excited to announce we’re extending our product offering to introduce Malwarebytes Identity Theft Protection. Our comprehensive solution scours the dark web for your personal information, prevents your social media account from being hacked, and even keeps an eye on your credit (1), and it’s all backed by an up-to-$2 million identity theft insurance (2).


Here’s what you get (based on your selected plan):

  • Ongoing monitoring: Peace of mind that we are actively working in the background to keep you safe
  • Real-time alerts: Immediate notifications if we identify suspicious activity
  • Recommendations and best practices: Advice on how to prevent identity theft, and help if it happens
  • Identity restoration helpline and top-notch customer support.

It’s not easy being online today, but our coverage helps keep your digital identity safe, giving you the confidence to scroll, swipe, click, and post in peace.


Existing customers

Already a Malwarebytes customer and want to add Malwarebytes Identity Theft Protection to your subscription? Log into your account at my.malwarebytes.com and go to your subscription page. Click Upgrade, make the selection, and choose Submit Order. You’ll then receive your activation email.


(1) Credit scores provided are based on the VantageScore® 3.0 model (likely to be different than what lenders may use to assess your credit worthiness). Credit monitoring is US only.

(2) $1 or 2 million (based on selected plan). $2 million is US only.

Note: Malwarebytes Identity Theft Protection is not available in all regions.


Face search engine PimEyes stops searches of children’s faces

In what may come as a surprise, subscription-based face search engine PimEyes seems to have realized that their service can be used for nefarious purposes.

PimEyes’ CEO Giorgi Gobronidze told the New York Times that it has taken technical measures to block such searches as part of a “no harm policy.”

PimEyes is a search service that uses facial recognition technology to find online photos of people. The company says it has a database of nearly three billion faces, and it enables about 118,000 searches per day.

We have previously reported about PimEyes being accused of “surveillance and stalking on a scale previously unimaginable” after privacy campaign group Big Brother Watch filed a complaint in 2022 with the UK’s Information Commissioner’s Office (ICO), claiming that PimEyes facilitates stalking.

Facial recognition technology already represents an invasion of privacy. While the service says you can look for your own face, there is nothing to stop you from searching based on someone else’s photo.

The measures to limit searches for minors were a work in progress, but seem to have been accelerated by an earlier article in the New York Times on AI-based threats to children.

Facial recognition has been a controversial topic right from the start. Because of the privacy implications, some tech giants have backed away from the technology and halted their development. A major concern is that some organizations have built large databases just from harvesting pictures from social media. You might be amazed at what a simple reverse image search can bring up, let alone one backed by Artificial Intelligence (AI).

As with most tools, the user decides whether it’s used for good or bad reasons. Parents have used the search engine to find pictures of their children that they were unaware of, for example. But it’s clear that individuals with a twisted moral compass might use the service for undesirable purposes. For that reason PimEyes has already banned over 200 accounts for inappropriate searches of children’s faces.

PimEyes will still allow searches of minors’ faces by human rights organizations that work on children’s rights issues. It also admitted having some accuracy issues with the AI that is used to determine whether the requested photo belongs to a minor, especially teenagers. Testing by the New York Times showed that the accuracy also depends on the angle the picture was taken from.

Meanwhile PimEyes, and other similar search engines, keep collecting photos of people’s faces without their awareness or consent and making them searchable. And since a PimEyes subscription allows you to follow links to any website on which a matching picture was found, anyone could piece together all the information associated with these images, for example the text of a blog post or a photo on a workplace website, allowing a stalker to work out a person’s place of work, or indications of the area in which the person lives.

Don’t get us wrong, we’re glad PimEyes is taking these steps to protect our young ones—better late than never.

Opt out

PimEyes does allow people to opt out of their image appearing in results. To do so, go to the PimEyes website and fill in the Opt-Out Request Form. If not for yourself, do it for your children. Not only to keep the predators at bay, but also to protect them against identity theft.


We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

Cyberattack hits 5 hospitals

Canadian health service provider TransForm has published an update about the cyberattack at its member hospitals.

TransForm is a not-for-profit, shared service organization founded by the five hospitals in Erie St. Clair to manage their hospital IT, supply chain, and accounts payable needs.

The five affected hospitals, Bluewater Health, Chatham Kent Health Alliance, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare, and Windsor Regional Hospital, have had to reschedule appointments with their patients due to the attack.

On October 23, 2023, TransForm released news that its member hospitals and Windsor-Essex Hospice were experiencing a systems outage, including email. In an update later that day it said that the incident is impacting the hospitals’ provision of care in various ways.

“For those patients who have care scheduled in the next few days, the hospitals will contact you directly, if possible, to reschedule or provide alternate arrangements.”

Even though TransForm does not provide any more details about the nature of the attack, it’s highly likely that this is a supply chain attack since all member hospitals are experiencing problems.

In a media release, the affected hospitals asked patients to reduce the impact by only visiting the hospitals if they need emergency care.

Because there is no clarity about the nature of the attack, it’s hard to say what other consequences it may have on the hospitals and their patients.

“We are investigating the cause and scope of incident, including whether any patient information was affected. Our investigation is ongoing and we will provide further updates, as appropriate.”

All parties have declined to comment until more information becomes available.

The risks of compromised supply chains keep growing, and as long as organizations continue to rely on them without fully understanding the implications, the risks are here to stay. It is essential for businesses and their suppliers to work together to harden their defenses, to minimize the risk of having their supply chain compromised.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Update vCenter Server now! VMWare fixes critical vulnerability

VMWare has issued an update to address one out-of-bounds write and one information disclosure vulnerability in its server management software, vCenter Server.

Since there are no in-product workarounds, customers are advised to apply the updates urgently.

The affected products are VMware vCenter Server versions 7.0 and 8.0 and VMware Cloud Foundation versions 5.x and 4.x.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs patched in these updates are CVE-2023-34048 and CVE-2023-34056.

CVE-2023-34048, an out-of-bounds write vulnerability in the vCenter Server’s implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server could trigger an out-of-bounds write, potentially leading to remote code execution (RCE). The vulnerability has a CVSS score of 9.8 out of 10.

DCE/RPC, which is short for “Distributed Computing Environment / Remote Procedure Calls”, is the remote procedure call system developed to allow programmers to write distributed software as if it were all working on the same computer, without having to worry about the underlying network code.

An out-of-bounds write or read flaw makes it possible to manipulate parts of the memory which are allocated to more critical functions. This could allow an attacker to write code to a part of the memory where it will be executed with permissions that the program and user should not have.

VMware is not currently aware of exploitation “in the wild,” but urges customers to consider this an emergency change, and your organization should consider acting quickly.

CVE-2023-34056, a partial information disclosure vulnerability. A malicious actor with non-administrative privileges to vCenter Server could use this issue to access unauthorized data. It has a CVSS score of 4.3 out of 10.

Patching

While VMware normally does not mention end-of-life products in VMware Security Advisories, due to the critical severity of this vulnerability and the lack of a workaround, VMware has made a patch generally available for vCenter Server 6.7U3, 6.5U3, and VCF 3.x. For the same reasons, VMware has made additional patches available for vCenter Server 8.0U1.

Fixed version(s) and release notes:

VMware vCenter Server 8.0U2
Downloads and Documentation:
https://customerconnect.vmware.com/downloads/details?downloadGroup=VC80U2&productId=1345&rPId=110105

VMware vCenter Server 8.0U1d
Downloads and Documentation:
https://customerconnect.vmware.com/downloads/details?downloadGroup=VC80U1D&productId=1345&rPId=112378

VMware vCenter Server 7.0U3o
Downloads and Documentation:
https://customerconnect.vmware.com/downloads/details?downloadGroup=VC70U3O&productId=974&rPId=110262

Cloud Foundation 5.x/4.x
https://kb.vmware.com/s/article/88287

VMWare also published an FAQ about this update.
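As an added example (not VMware’s own tooling), a small check that decides whether an installed vCenter Server version is at or above one of the fixed versions named above. It parses the "8.0U1d"-style notation used in the advisory text, not build numbers, and it reports the 6.7 and 6.5 lines as "unknown" because the article says a patch exists for them without naming the fixed version. Versions on a known line that fall below the fix are reported as "vulnerable", including a base 8.0 or 7.0U2 install that needs to move up to the fixed update.

```python
import re
from typing import NamedTuple


class VcVersion(NamedTuple):
    """vCenter version in the advisory's notation: <major>.<minor>U<update><patch-letter>."""
    major: int
    minor: int
    update: int   # 0 when no "U<n>" suffix is present
    patch: str    # letter after the update number, "" when absent

    @classmethod
    def parse(cls, text: str) -> "VcVersion":
        m = re.fullmatch(r"(\d+)\.(\d+)(?:U(\d+)([a-z])?)?", text.strip())
        if not m:
            raise ValueError(f"unrecognised vCenter version string: {text!r}")
        major, minor, update, patch = m.groups()
        return cls(int(major), int(minor), int(update or 0), patch or "")


def parse_version(text: str) -> VcVersion:
    return VcVersion.parse(text)


# Fixed versions named in the advisory text above. For 6.7U3 / 6.5U3 the article only
# says a patch exists without naming the fixed version, so those lines are "unknown".
FIXED_VERSIONS = [parse_version(v) for v in ("8.0U2", "8.0U1d", "7.0U3o")]


def patch_status(installed: str) -> str:
    """Return "fixed", "vulnerable" or "unknown" for an installed vCenter version.

    A version is fixed when it is at or above the newest fixed version on its own
    major.minor line whose update number it has already reached. Tuple ordering does
    the comparison: (8, 0, 1, "c") < (8, 0, 1, "d") < (8, 0, 2, "")."""
    v = parse_version(installed)
    known_lines = {(f.major, f.minor) for f in FIXED_VERSIONS}
    if (v.major, v.minor) not in known_lines:
        return "unknown"
    candidates = [
        f for f in FIXED_VERSIONS
        if (f.major, f.minor) == (v.major, v.minor) and f.update <= v.update
    ]
    if candidates and v >= max(candidates):
        return "fixed"
    return "vulnerable"


if __name__ == "__main__":
    for ver in ("8.0U1c", "8.0U1d", "8.0U2", "8.0", "7.0U3o", "7.0U3n", "7.0U2", "6.7U3"):
        print(f"{ver:>7}: {patch_status(ver)}")
```

Note that a real inventory will usually expose vCenter as a dotted version plus build number; mapping those to the advisory’s "U" notation is a separate lookup that this example does not attempt.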



Hong Kong residents targeted in malvertising campaigns for WhatsApp, Telegram

Malvertising is a powerful malware or scam delivery mechanism that makes it easy to target specific geographies or even users. A recent article from the South China Morning Post discussed an increase in malicious webpages for the popular WhatsApp communication tool, driven via malicious Google ads. The paper described how these ads appeared to be exclusively targeted at people from Hong Kong and have caused losses of about USD$300K last month.

We started investigating this situation and were able to identify what may be a similar campaign. The decoy sites we saw used a page similar to the web version of WhatsApp to trick victims into scanning a QR code to link their new device. Instead, it wasn’t the user’s device that was added to the WhatsApp account, but rather the threat actor’s.

We also found another campaign using an ad for the messaging tool Telegram to lure victims into downloading a malicious version of the program. Again, this attack was targeted at residents of Hong Kong.

We have reported the malicious ads to Google and worked with partners to take down the infrastructure used in these campaigns.

Malicious WhatsApp ad leads to QR code page

As the South China Morning Post reported that users were seeing malicious ads for WhatsApp, we were able to find one immediately after switching our online profile to use a Hong Kong IP address.


The text of the ad reads as follows (translated from Chinese):

WhatsApp New Version – WhatsApp Official Authorization

We are constantly updating and launching various fun and interesting functions as well as safe and reliable communication applications. Welcome to download and experience it. The cross-platform application brings you a reliable experience, and you can send private messages to your friends at any time.

Clicking on the ad leads to a convincing lookalike site in Chinese that pretends to be WhatsApp Web.


What’s interesting, and works well as a lure, is the fact that WhatsApp is not just a mobile phone app: it does indeed have a web version for computers as well. The legitimate version is hosted at web.whatsapp.com and also uses a QR code to add a linked device to your account. This means that you can use WhatsApp on your PC or Mac after you scan the QR code and authorize that new device from your phone.

The issue here is that the QR code you are scanning comes from a malicious site that has nothing to do with WhatsApp.


The domain used to generate those QR codes (lawrencework[.]com) was registered just two days ago. A search on urlscan.io reveals that it is associated with several other fake WhatsApp pages. We tested the QR code by scanning it from a burner phone with a brand new WhatsApp account that had no previously linked devices. A few seconds later, we saw that a new device had been added (Google Chrome running on Mac OS).


While we could not get more information (IP address, geolocation) about this new device, we knew it was not ours. When you link a new device to your WhatsApp account, the saved chat history is synced to it. This means that an attacker can essentially read your entire past and future conversations and has access to your saved contacts.


Telegram ad links to malware

The second ad we saw related to this campaign was using Telegram as a lure. We know it is related to the above WhatsApp attack because the ad is from the same advertiser.

The text of the ad reads as follows (translated from Chinese):

telegram official website – telegram Chinese version – telegram download Telegram Chinese version is a Telegram client specially developed for Chinese users. Welcome to the Chinese channel, a new era of information, delivering more exciting information

It links to a Google Docs page pretending to be a download site:

Telegram instant messaging – simple, fast, secure and syncs across all your devices. It is one of the most downloaded apps in the world, with over 500 million active users. The latest official Telegram Chinese computer version TG-Chinese version: Click to download TG-PC: Click to download


The two links (which are identical) download an MSI installer from the following URL:

kolunite.oss-ap-southeast-7.aliyuncs[.]com/HIP-THH-19-1.msi

This installer has been injected with malware, which becomes apparent once it is executed.


Targeted malvertising and motives

These two campaigns abusing the WhatsApp and Telegram brands could serve a variety of purposes. We did not investigate further what the ultimate ploy was, although both lead to data theft, impersonation and malware. The threat actor could use any private information from past conversations, phish the victim’s contacts and much more.

This was our first foray into malvertising attacks targeted at Hong Kong. Given that this special administrative region of the People’s Republic of China has a long history of tensions with Beijing, we could not help but think that malvertising campaigns such as these could be used for political reasons, although we saw no evidence of it.

Linking additional devices via QR code is a useful feature, but it can also easily be abused. It’s important to be cautious when scanning QR codes and to verify which site issued them. It’s also a good idea to periodically check which devices have access to your accounts, and to revoke any that you don’t recognize.

Thanks to Nathan Collier for the assist with the QR code scanning on Android.

Indicators of Compromise

Malicious WhatsApp domains

uaa.vvg2rt[.]top
wss.f8ddcc[.]com

QR code hostname

119srv[.]lawrencework[.]com

Telegram MSI URL

kolunite.oss-ap-southeast-7.aliyuncs[.]com/HIP-THH-19-1.msi

Telegram MSI

36d11b18d3345ff743f7b003d10a0820c8c1661dd7dc279434e436de798c3a4b
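As an added example (not Malwarebytes code), the following script turns the defanged indicators above back into matchable hostnames and sweeps proxy log lines and a file hash against them, matching subdomains of the QR-code domain as well. The log lines and file bytes are constructed for illustration.

```python
"""Match the article's indicators against constructed proxy logs and file hashes."""
import hashlib
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators exactly as the article lists them, in defanged "[.]" notation.
DEFANGED_DOMAINS = [
    "uaa.vvg2rt[.]top",
    "wss.f8ddcc[.]com",
    "lawrencework[.]com",            # QR-code domain named in the text
    "119srv[.]lawrencework[.]com",   # QR-code hostname from the IoC list
    "kolunite.oss-ap-southeast-7.aliyuncs[.]com",
]
MSI_SHA256 = "36d11b18d3345ff743f7b003d10a0820c8c1661dd7dc279434e436de798c3a4b"


def refang(indicator: str) -> str:
    """Turn 'example[.]com' back into a lowercase hostname."""
    return indicator.replace("[.]", ".").strip().lower()


# Longest indicators first so the most specific hostname wins a match.
IOC_DOMAINS = sorted({refang(d) for d in DEFANGED_DOMAINS}, key=len, reverse=True)


def host_matches(host: str) -> Optional[str]:
    """Return the indicator that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_proxy_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, host, matched_indicator) for every line whose URL host hits."""
    url_re = re.compile(r"https?://\S+")
    hits = []
    for n, line in enumerate(lines, 1):
        m = url_re.search(line)
        host = urlsplit(m.group(0)).hostname if m else None
        ioc = host_matches(host) if host else None
        if ioc:
            hits.append((n, host, ioc))
    return hits


def is_known_msi(data: bytes) -> bool:
    """True if the file's SHA-256 equals the Telegram MSI hash from the article."""
    return hashlib.sha256(data).hexdigest() == MSI_SHA256


# Constructed sample proxy log lines (not real traffic).
SAMPLE_LOG = [
    "2023-10-26T10:01:02Z 10.0.0.5 GET https://web.whatsapp.com/ 200",
    "2023-10-26T10:02:15Z 10.0.0.7 GET https://119srv.lawrencework.com/qr?s=abc 200",
    "2023-10-26T10:03:40Z 10.0.0.9 GET https://kolunite.oss-ap-southeast-7.aliyuncs.com/HIP-THH-19-1.msi 200",
    "2023-10-26T10:04:01Z 10.0.0.5 GET https://example.com/ 200",
]
```

Running `scan_proxy_log(SAMPLE_LOG)` flags lines 2 and 3 only; the real web.whatsapp.com line is untouched.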