IT NEWS

What does a car need to know about your sex life? Lock and Code S04E20

This week on the Lock and Code podcast…

When you think of the modern tools that most invade your privacy, what do you picture?

There’s the obvious answers, like social media platforms including Facebook and Instagram. There’s email and “everything” platforms like Google that can track your locations, your contacts, and, of course, your search history. There’s even the modern web itself, rife with third-party cookies that track your browsing activity across websites so your information can be bundled together into an ad-friendly profile. 

But here’s a surprise answer with just as much validity: Cars. 

Mozilla’s “Privacy Not Included” team, which has reviewed the privacy and data collection policies of various product categories for several years now, recently turned its attention to modern-day vehicles, and what it found shocked the researchers. Cars are, to put it shortly, a privacy nightmare.

According to the team’s research, Nissan says it can collect “sexual activity” information about consumers. Kia says it can collect information about a consumer’s “sex life.” Subaru passengers allegedly consent to the collection of their data by simply being in the vehicle. Volkswagen says it collects data like a person’s age and gender and whether they’re using their seatbelt, and it can use that information for targeted marketing purposes.

But those are just some of the highlights from the Privacy Not Included team. Explains Zoë MacDonald, content creator for the research team: 

“We were pretty surprised by the data points that the car companies say they can collect… including social security number, information about your religion, your marital status, genetic information, disability status… immigration status, race. And of course, as you said… one of the most surprising ones for a lot of people who read our research is the sexual activity data.”

Today on the Lock and Code podcast with host David Ruiz, we speak with MacDonald and Jen Caltrider, Privacy Not Included team lead, about the data that cars can collect, how that data can be shared, how it can be used, and whether consumers have any choice in the matter.

We also explore the booming revenue stream that car manufacturers are tapping into by not only collecting people’s data, but also packaging it together for targeted advertising. With so many data pipelines being threaded together, Caltrider says the auto manufacturers can even make “inferences” about you.  

“What really creeps me out [is] they go on to say that they can take all the information they collect about you from the cars, the apps, the connected services, and everything they can gather about you from these third party sources,” Caltrider said, “and they can combine it into these things they call ‘inferences’ about you about things like your intelligence, your abilities, your predispositions, your characteristics.” 

Caltrider continued:

“And that’s where it gets really creepy because I just imagine a car company knowing so much about me that they’ve determined how smart I am.”

Tune in today for the full conversation. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

A week in security (September 18 – September 24)

Last week on Malwarebytes Labs:

Stay safe!


Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

T-Mobile spills billing information to other customers

Some T-Mobile customers logged into their accounts on Wednesday to find another customer’s billing and account information showing on their online dashboards.

T-Mobile denied there was an attack, but confirmed there had been a data leak. It said a “temporary system glitch” had misplaced some subscriber account information, causing it to appear on other subscribers’ profile pages.

“There was no cyberattack or breach at T-Mobile. This was a temporary system glitch related to a planned overnight technology update involving limited account information for fewer than 100 customers, which was quickly resolved.”

Given the great number and the nature of the complaints on social media, one might suspect that T-Mobile is underplaying or underestimating the situation. Some users said they could access the information of several other subscribers and that they had complained about the issue before.

tweet by T-Mobile customer

Multiple users who reported the issue online said they were seeing the same alternate account as others. These T-Mobile app users discovered that their Bill tab was displaying someone else’s account information, and that it allowed them to view and access the bill pages and profile settings of other customers.

Making matters worse, some users started changing the information they saw, believing they were correcting errors in their own details. Payments were also made on these accounts, most likely by users who did not realize they were looking at someone else’s account.

The exposed information included customers’ names, phone numbers, addresses, account balances, and the expiration dates and last four digits of credit cards.

Victims should monitor their credit reports and be on alert for scammers using leaked information to trick them into giving up additional information, like bank account credentials.

Credit card companies have sophisticated fraud detection and alert systems. One way to be alerted to possible fraudulent activity on your account is to opt in to text message, call or email alerts. When you discover a fraudulent charge, call your credit card issuer right away to report the unauthorized charge. In most cases, if you report suspected fraud right away, you will not be liable for any unwanted charge, no matter the amount.

We will keep you posted here if more information about the issue becomes available. So, stay tuned!

Data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.

Don’t become a victim of identity fraud. Keep your identity, finances, and devices safe by using Cyrus.

Emergency update! Apple patches three zero-days

Apple has released security updates for several products to address a handful of zero-day vulnerabilities that may already have been used by criminals. Updates are available for:

The updates may already have reached you in your regular update routines, but it doesn’t hurt to check if your device is at the latest update level. If a Safari update is available for your device, you can get it by updating your iPhone or iPad or updating your Mac.

iPad showing an update is available

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs patched in these updates are:

  • CVE-2023-41991, a certificate validation issue that could allow a malicious app to bypass signature validation.
  • CVE-2023-41992, a flaw that could be used by a local attacker to elevate their privileges.
  • CVE-2023-41993, a problem with processing web content that could be used for arbitrary code execution.

Apple says that all these vulnerabilities may have been actively exploited against versions of iOS before iOS 16.7.

It’s important to note that CVE-2023-41993 is a vulnerability in WebKit. WebKit is the engine that powers the Safari web browser on Macs as well as all browsers on iOS and iPadOS (all web browsers on iOS and iPadOS are obliged to use it). It is also the web browser engine used by Mail, App Store, and many other apps on macOS, iOS, and Linux.

All three vulnerabilities were credited to the same researchers—Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School, and Maddie Stone of Google’s Threat Analysis Group. The Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs & Public Policy, University of Toronto, focusing on research and development at the intersection of information and communication technologies, human rights, and global security. It is renowned for its research of the use of spyware against journalists, activists, and dissidents.

About two weeks ago, we reported on two Apple issues that were added by CISA to its catalog of known exploited vulnerabilities. Those vulnerabilities were also discovered as zero-days by Citizen Lab. Together, these two vulnerabilities were found to be used in an attack chain dubbed BLASTPASS. The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim and was reportedly used by the NSO Group to deliver the Pegasus spyware.

It is not hard to see how these three new vulnerabilities could be used to compromise a device just by viewing specially crafted malicious web content, so it’s highly recommended to install these updates at your earliest convenience, especially iPhone users with a high profile threat model.


We don’t just report on iOS security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your iOS devices by downloading Malwarebytes for iOS today.

Involved in a data breach? Here’s what you need to know

If you’ve received a message from a company saying your data has been caught up in a breach, you might be unsure what to do next. We’ve put together some tips which should help you when the (more or less) inevitable happens.

1. Check the company’s advice

Every breach is different, so check the company’s official channels to find out what’s happened and what data has been breached. Organizations often put out a rolling statement on their website, blog, or X (Twitter). Follow any specific advice they offer first, and keep an eye out for any further communications.

2. Change your password

If your password has been caught up in a breach, you should immediately change it. If you’ve used the same password on another site or service then you also need to change that. Cybercriminals will often try one password on multiple sites because they know people reuse them, so make sure you use a different password for every single site you have an account on. If you don’t already use one, it’s worth considering a password manager, which will generate and store passwords for you so you don’t have to remember them all in your head.

3. Enable multi-factor authentication

Multi-factor authentication (MFA) adds an extra layer of security when logging in to your online accounts, and stops anyone from logging in with just your password. One of the most common ways of adding MFA to your online accounts is with an app—such as Google Authenticator, Authy, or Microsoft Authenticator—which generates a code that you enter into the site you’re logging into. You can also use SMS MFA, where you are sent a code via text that you then enter into the website, or a hardware key such as a YubiKey which you plug into your computer. 

It’s worth bearing in mind that a code can be phished as easily as a password so code-based MFA can’t protect you from phishing, but it’s still much better to have it turned on than not use it at all. Remember to never give an MFA code to anyone else, even if they pressure you into revealing it.

4. Freeze your credit report

If you’re in the US, a credit freeze stops new creditors and potential thieves from accessing your credit report. Credit freezes must be set (and removed) at each of the three bureaus.

5. Set up credit monitoring

Credit monitoring tracks your credit report and borrowing behavior and alerts you if anything changes. A breached company may offer this as a service to you, but you can also get different levels of monitoring solutions, depending on your individual need.

6. Watch out for scammers

Scammers often try to take advantage of data breaches. They know that the breached company is likely to be contacting victims, and that the victims will be looking out for emails from the company. It’s easy to spoof an email to make it look like it comes from somewhere else, and then send someone malware or a link to a phishing site.

We suggest you monitor the company’s website for information about the breach and be very sceptical of messages that appear to come from that company. All the usual advice applies: Look for inconsistencies, odd email addresses, and strange links, and watch out for the two major red flags: urgency and a request for money or personal information.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Steer clear of cryptocurrency recovery phrase scams

The dangers of cryptocurrency phishing are back in the news after tech investor Mark Cuban was reported to have lost around $870k via a phishing link. Cuban lost a combination of coin types; the asset movement was flagged after months of inactivity in his wallet.

Cuban discovered some of the transactions taking place and was able to save about $2.5m of tokens by logging in and sending what remained to a safe location.

As for the specifics of the phishing tactic deployed, Cuban is reported as saying he may have downloaded a bogus wallet tool via a search engine query. Accidentally falling victim to rogue downloads in search engine results is an ancient technique, but as we can see here, it paid off big time for the scammers. 

Fake tools and websites for cryptocurrency are common. You’ll see them in search engines, download portals, even promoted on social media.

As an example of this, a simple search for “metamask download” reveals sites claiming to offer MetaMask extensions for various browsers and mobile devices.

Fake wallet downloads

The fake MetaMask site is a secret recovery phrase phish. The site claims:

MetaMask cannot recover your password. We will use your secret recovery phrase to validate your ownership, restore your wallet, and set up a new password. First, enter the secret recovery phrase that you were given when you created your wallet. You can paste your entire secret recovery phrase below.

Recovery phrase

Of all the things you never want to do where cryptocurrency management is concerned, pasting your recovery phrase into a random website has to be somewhere near the top of the list. No matter the third party website, offer, video, service, or any form of giveaway: don’t do it. You’re handing the scammer the keys to your cryptocurrency kingdom.

It’s a similar deal for random extensions asking to connect to your wallet. You could well be granting access in ways that you’ll quickly come to regret.

Metamask extension

Anyone can fall victim to a cryptocurrency scam, whether you’re just starting out or a billionaire tech professional holding a huge amount of digital currency in reserve.

Thanks to Jerome for finding this.



DoppelPaymer ransomware group suspects identified

The German police in cooperation with the US Secret Service have executed search warrants against suspected members of the DoppelPaymer ransomware group in Germany and Ukraine.

In March of 2023, we reported how the German Regional Police and the Ukrainian National Police, with support from Europol, the Dutch Police, and the United States Federal Bureau of Investigation (FBI), apprehended two suspects and seized computer equipment.

Since then, cybercrime group specialists from the North Rhine-Westphalia State Criminal Police Office (LKA NRW), together with the Cybercrime Central and Contact Point (ZAC NRW), carried out another targeted strike against people associated with the criminal network.

Two men in particular became the focus during blockchain investigations by the LKA NRW and the US Secret Service. They are a 44-year-old Ukrainian who apparently held a key position within the organization and a 45-year-old man from southern Germany who is suspected of having received suspicious funds, possibly originating from ransomware attacks.

Cryptocurrency investigators use specialized strategies to track down criminals. The investigators use tools to collect evidence, trace funds through the blockchain, and try to determine who converted them into fiat currencies. Although cryptocurrency is often described as anonymous, it is pseudonymous rather than untraceable. All the transactions are recorded on a public ledger, which provides a treasure trove of data to search, analyze, and categorize.

Over the years, DoppelPaymer claimed responsibility for a high-profile ransomware attack on Kia Motors America. The gang was also responsible for costly attacks on the St. Lucie County sheriff’s department, the Dutch Institute for Scientific Research (NWO), and the Illinois Attorney General’s office. Other past DoppelPaymer victims include Compal, PEMEX (Petróleos Mexicanos), the City of Torrance in California, Newcastle University, Hall County in Georgia, Banijay Group SAS, and Bretagne Télécom.

Since March of 2021, DoppelPaymer has been missing from our monthly ransomware reviews, and the last known leak site address we had on record for them has been taken offline.

During their active period (2017 – 2021), more than 600 victims worldwide were extorted, some of them up to double-digit millions. The investigations by the German authorities, which have been ongoing since 2020, led to the international public search for Igor Olegovich Turashev and Igor Garshin in March 2023. Both of these suspects are currently on EUROPOL’s “Most-Wanted” list. The suspicion against a third person could not be sufficiently substantiated during further investigations, so the public search was withdrawn.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.


The mystery of the CVEs that are not vulnerabilities

Dan Lorenc, a researcher specializing in software supply chain security, recently raised an interesting topic on LinkedIn: 138 new vulnerabilities in open-source projects were all entered into the CVE database on the same day.

To understand what the problem is there are a few things you’ll need to know.

  • CVSS – The Common Vulnerability Scoring System (CVSS) is a system widely used in vulnerability management programs. CVSS indicates the severity of an information security vulnerability, and is an integral component of many vulnerability scanning tools.
  • CVE – Common Vulnerabilities and Exposures (CVE) is a list of publicly disclosed vulnerabilities and exposures that is maintained by MITRE.
  • NVD – The National Vulnerability Database (NVD) is a database, maintained by the National Institute of Standards and Technology (NIST), that is fully synchronized with the MITRE CVE list.

The Common Vulnerabilities and Exposures (CVE) database is used to list publicly disclosed computer security flaws. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

The NVD provides enhanced information above and beyond what’s in the CVE list, including patch availability and severity scores. NVD also provides an easier mechanism to search on a wide range of variables.

The way it should work is that vulnerabilities are first discovered, then reported to the CVE Program. The reporter requests a CVE ID, which is then reserved for the reported vulnerability. Once the reported vulnerability is confirmed by the identification of the minimum required data elements for a CVE record, the record is published to the CVE List.

Details include but are not limited to affected product(s); affected or fixed product versions; vulnerability type, root cause, or impact; and at least one public reference.

When you register a CVE you typically get it with the year you request it and so new CVE IDs would start with CVE-2023. However, Lorenc says that an unknown party has submitted a bunch of CVEs which are backdated and have a high CVSS score.

For example, CVE-2020-19909 was listed as an integer overflow vulnerability in tool_operate.c in curl 7.65.2 via a large value as the retry delay.

listing of one of the disputed CVEs

In the screenshot you can see that the entry is marked “DISPUTED”.

On his blog (daniel.haxx.se), Daniel Stenberg, a Swedish open source developer and the curl maintainer, explains that this is not a security vulnerability. It was, in fact, a bug reported and fixed in 2019. Stenberg criticizes the NVD for not trying very hard to actually understand or figure out the problems it grades.

As Lorenc pointed out, it looks as if a bot or AI has been scraping old issues and commits and filing them in an automated fashion, without ever getting maintainers involved.

The problem is that many organizations have automated vulnerability scanning or use specialized vulnerability triage or management platforms. When no maintainers are involved or even notified about these non-issues, the entries may live on. Many scanners will not see, or will disregard, the “DISPUTED” status, and teams will end up wasting a lot of precious time that could have been spent on actual vulnerabilities.

The question that remains: Is there a fundamental problem with the CVE reporting process which allows for the automated submission of bogus vulnerabilities?

Let’s say that the experts agree that any form of automated filing of CVEs, without any prior contact with the developers or maintainers of the affected software, completely misses the whole point of getting vulnerabilities fixed before they are made public. And filing vulnerabilities that are in fact bugs resolved long ago is a weird form of fear mongering.

Knowing this can happen, by accident or on purpose, warrants a more robust checking than looking for the minimum required data elements for a CVE record.
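As an added example (not code from the article, from Dan Lorenc, or from MITRE or NVD), here is the kind of triage filter a scanner pipeline should apply before it raises a ticket. It takes CVE records in a simplified shape modelled on the NVD API 2.0 JSON (an assumption: the field names `descriptions`, `cveTags`, `published` and `metrics.cvssMetricV31` follow NVD’s layout, but real responses carry far more), flags records whose description starts with the legacy “** DISPUTED **” marker or that carry a `disputed` tag, and flags records whose CVE-ID year lags well behind their publication year, which is the backdating pattern the article describes. The sample records are constructed: the IDs are the ones named in this article, the field values are illustrative and not copied from NVD.

```python
"""Triage CVE records before a scanner turns them into findings.

Added example; record layout is a simplified NVD API 2.0 shape (assumption).
"""
import re

# Legacy NVD convention: a disputed record's description starts with this marker.
DISPUTED_MARKER = re.compile(r"^\s*\*\*\s*DISPUTED\s*\*\*", re.IGNORECASE)


def is_disputed(cve):
    """True if the description marker or a 'disputed' tag is present."""
    for d in cve.get("descriptions", []):
        if d.get("lang", "en") == "en" and DISPUTED_MARKER.match(d.get("value", "")):
            return True
    for entry in cve.get("cveTags", []):
        if any(t.lower() == "disputed" for t in entry.get("tags", [])):
            return True
    return False


def id_year(cve_id):
    """CVE-YYYY-NNNN -> YYYY; raises ValueError on a malformed ID."""
    m = re.fullmatch(r"CVE-(\d{4})-\d{4,}", cve_id)
    if not m:
        raise ValueError(f"not a CVE ID: {cve_id!r}")
    return int(m.group(1))


def base_score(cve):
    """CVSS v3.1 base score from the NVD-style metrics block, or None."""
    try:
        return cve["metrics"]["cvssMetricV31"][0]["cvssData"]["baseScore"]
    except (KeyError, IndexError, TypeError):
        return None


def triage(records, backdate_years=2):
    """One result per record: id, score, reasons to hold it, and actionable flag."""
    out = []
    for cve in records:
        reasons = []
        if is_disputed(cve):
            reasons.append("disputed")
        # Publication year minus the year embedded in the ID: a large gap means
        # the ID was reserved long before the record appeared (backdated entry).
        lag = int(cve["published"][:4]) - id_year(cve["id"])
        if lag >= backdate_years:
            reasons.append(f"backdated:{lag}y")
        out.append({"id": cve["id"], "score": base_score(cve),
                    "reasons": reasons, "actionable": not reasons})
    return out


def actionable_ids(records, backdate_years=2):
    """IDs a scanner may raise as findings without a human reading them first."""
    return [r["id"] for r in triage(records, backdate_years) if r["actionable"]]


# Constructed sample records: IDs from the article, field values illustrative.
SAMPLE_RECORDS = [
    {
        "id": "CVE-2020-19909",
        "published": "2023-08-22T19:16:31.140",
        "descriptions": [{"lang": "en", "value": "** DISPUTED ** Integer overflow "
                          "vulnerability in tool_operate.c in curl 7.65.2 via a large "
                          "value as the retry delay."}],
        "cveTags": [{"sourceIdentifier": "cve@mitre.org", "tags": ["disputed"]}],
        "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]},
    },
    {
        "id": "CVE-2023-41993",
        "published": "2023-09-21T19:15:11.000",
        "descriptions": [{"lang": "en", "value": "A problem with processing web "
                          "content that could be used for arbitrary code execution."}],
        "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]},
    },
]

if __name__ == "__main__":
    for row in triage(SAMPLE_RECORDS):
        print(row)
    print("actionable:", actionable_ids(SAMPLE_RECORDS))
```

Running the block shows why the check matters: both sample records carry a 9.8 score, but only the WebKit one survives triage; the curl entry is held as disputed and backdated by three years, which is exactly the entry the maintainer says is not a vulnerability. The two-year threshold is a heuristic (legitimately late assignments exist), so treat the flag as a prompt to read the record rather than an automatic dismissal.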


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

The privacy perils of the Metaverse

A recently released report from New York University claims that the Metaverse, an all-in-one virtual online space, poses a potentially major risk to user privacy. This is because headsets and other similar devices can collect an incredible amount of personal, physical and biometric information. The user isn’t always aware of the collection, or how it could be used in ways they don’t expect.

It’s worth asking at this point: what is the Metaverse?

Most folks would think of Mark Zuckerberg and Meta, with a virtual reality headset thrown in for good measure. Others may associate it with “game hub” style online places to meet others taking place on their computer screens only. For some, mobile devices making use of augmented or mixed reality will be their first association.

The truth is that “Metaverse” can incorporate any or all of these different aspects. While some people hope for a world of entirely connected systems, the reality is that this is not going to happen for a very long time and may not happen at all. In fact, the Metaverse overall is not in the most robust of health, with proclamations of its demise across the web.

While it continues to struggle on, it’s still worth considering some of the potential privacy pitfalls waiting for any curious users. A good chunk of these come from the gaming space, and in particular advergaming (the art of displaying targeted adverts inside of virtual realms).

When playing a virtual reality game, the headset is an important part of gameplay. It typically contains several cameras (pointing both in and out), along with various sensors and microphones. These tools all help to track eye movements, interact with the digitally realised space around the user, and assist the game to keep track of what the player is doing.

While this is generally fine for an offline game with no data being sent elsewhere, once additional first or third-party systems are introduced this can become a risk. Is an ad network layered across the game? How does the network serve targeted ads? What is it tracking? Is player data sent to the advertisers, or does the game provider start building up a profile for non-gaming purposes? Is any of this disclosed?

This is just one basic example. Now consider that all of those eye movements, those motions, those biometrics are also up for grabs in terms of being able to build up pictures of users.

The research notes that Meta’s approach is more about harvesting user data (via profiles) for targeted ads. Apple, meanwhile, shifts its cost toward expensive high-end devices instead of purely advertising. Additionally, Apple does not collect eye-movement data whereas Meta “disclaims responsibility for the data practices of third-party developers with whom the company shares user data”.

Even so, Apple has not yet revealed what it intends to do with face-tracking and body-motion data. The researchers note that the company’s upcoming Vision Pro device does not yet have a detailed privacy policy.

This is just one small consideration of the upcoming data collection landscape where Metaverse is concerned. However, with the downsizing in expectation for these virtual worlds as a whole, these issues may not be as far reaching as they potentially could have been.

The report comes with numerous recommendations for safety features and privacy functionality, some of which have existed in video game/VR circles for some time now, though not always with success.

For example, Meta ran into several problems with sexual harassment in virtual spaces. One remedy is a personal-space “bubble” around users in VR realms that stops others from harassing them or getting too close. Bafflingly, Meta didn’t enable this by default until the damage was already done.

Child safety is also another concern, given that headset use isolates the user and makes it harder for parents to see at a glance what their child may be doing.

Gaming platforms and consoles often come with a wide range of granular privacy and security controls: hiding names, blurring faces, preventing data from being sent to unwanted third parties, and so on. In VR, these controls aren’t always obvious and users may not know how to reach them. These options should always be clear and evident to whoever happens to be using the device.

The full report is available to read here. Metaverse may not be the hot property it once was, but it’s still worth learning about the possible dangers and privacy risks inherent in the headset.



Compromised Free Download Manager website was delivering malware for years

In a public announcement, Free Download Manager has acknowledged that a specific web page on its site was compromised by a Ukrainian cybercrime group, exploiting it to distribute malware.

Free Download Manager is—unsurprisingly—a download manager for Windows, macOS, Android, and Linux that allows users to manage their downloads and lets them grab large files, torrents, music, and videos.

In the announcement the service says the actual security incident took place in 2020. So why was the issue only recently discovered?

First and foremost, the cybercriminals only redirected users who were after the Linux version of the software.

Not all of these visitors were redirected to the malicious domain. They were “fingerprinted” based on as yet unknown criteria and only some were served the malicious Debian package. According to Free Download Manager the compromised website contained an exception list of IP addresses from various subnets, including those associated with Bing and Google. Visitors from these IP addresses were always given the correct download link.

Furthermore, the victims received a fully functional Free Download Manager, so they had no reason to suspect that something was amiss, even though some users reported errors saying “Waiting for process: crond” when they tried to shut down or reboot their system.

According to the statement made by Free Download Manager:

“It’s estimated that much less than 0.1% of our visitors might have encountered this issue.”

The number of victims might even have been less, if it weren’t for the fact that several posts on social media, Reddit, StackOverflow, YouTube, and Unix Stack Exchange, pointed to the malicious domain as a reliable source for getting the Free Download Manager tool.

Unfortunately, malware scanners for Linux are considered useless by many home users, and only some companies add them to their endpoint security solution. So, there is not much overlap to be expected between the users of Free Download Manager and those that have deployed an anti-malware solution for Linux systems.

Debian packages are typically used to install software on Debian-based Linux distributions, including Ubuntu. The malicious package dropped an information-stealing script and a crond backdoor that established a reverse shell to the C2 server. Crond is the daemon that executes cron jobs in the background: a service process that runs scheduled automated tasks (cron jobs) according to a specified schedule.

The stealer in question was after system information, browsing history, saved passwords, cryptocurrency wallet files, as well as credentials for cloud services (AWS, Google Cloud, Oracle Cloud Infrastructure, Azure).

Remediation

The compromised Free Download Manager website has been replaced. All the Free Download Manager users who downloaded FDM for Linux between 2020 and 2022 should scan their computers for malware.

Malwarebytes Browser Guard users will receive a warning when they try to visit this domain.

Browser Guard blocks fdmpkg.org


Indicators of Compromise (IOCs):

File hashes (SHA-256):

b77f63f14d0b2bde3f4f62f4323aad87194da11d71c117a487e18ff3f2cd468d

2214c7a0256f07ce7b7aab8f61ef9cbaff10a456c8b9f2a97d8f713abd660349

93358bfb6ee0caced889e94cd82f6f417965087203ca9a5fce8dc7f6e1b8a3ea

d73be6e13732d365412d71791e5eb1096c7bb13d6f7fd533d8c04392ca0b69b5

File locations:

/etc/cron.d/collect

/var/tmp/crond

/var/tmp/bs

/var/tmp/atd

IP and domain:

172.111.48.101

fdmpkg.org
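As an added example, not the article’s or Free Download Manager’s code, here is a read-only scan that checks a Linux filesystem against the indicators listed above: it looks for the four file paths, hashes any that exist against the published SHA-256 values, and searches `/etc/hosts` and `/etc/apt/sources.list` for the domain and IP. The cron.d heuristic (flag any job that executes something from /var/tmp) and the choice of files to search for the network indicators are my assumptions about where this dropper’s persistence would show up, not details the article states; `build_demo_tree` creates a constructed fake root so the scanner can be exercised offline.

```python
"""Read-only IOC scan for the Free Download Manager Linux dropper.

Added example. Point scan() at "/" on a live host or at an image mount point.
"""
import hashlib
import os
import tempfile

# Indicators as published in the article above.
IOC_HASHES = {
    "b77f63f14d0b2bde3f4f62f4323aad87194da11d71c117a487e18ff3f2cd468d",
    "2214c7a0256f07ce7b7aab8f61ef9cbaff10a456c8b9f2a97d8f713abd660349",
    "93358bfb6ee0caced889e94cd82f6f417965087203ca9a5fce8dc7f6e1b8a3ea",
    "d73be6e13732d365412d71791e5eb1096c7bb13d6f7fd533d8c04392ca0b69b5",
}
IOC_PATHS = ["/etc/cron.d/collect", "/var/tmp/crond", "/var/tmp/bs", "/var/tmp/atd"]
IOC_NETWORK = ["fdmpkg.org", "172.111.48.101"]
# Assumption: files where a reference to the malicious host could persist.
NETWORK_FILES = ["/etc/hosts", "/etc/apt/sources.list"]


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries do not land in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _under(root, rel):
    """Map an absolute IOC path onto the tree being scanned."""
    return os.path.join(root, rel.lstrip("/"))


def scan(root="/"):
    """Return a list of (kind, detail) findings; an empty list means no hit."""
    findings = []
    for rel in IOC_PATHS:
        p = _under(root, rel)
        if not os.path.lexists(p):
            continue
        findings.append(("path", rel))
        if os.path.isfile(p):
            try:
                digest = sha256_of(p)
            except OSError:
                continue
            if digest in IOC_HASHES:
                findings.append(("hash", f"{rel} {digest}"))
    # Assumed heuristic: a cron.d job that runs anything out of /var/tmp is
    # worth a look even if the attacker renamed the file.
    crond = _under(root, "/etc/cron.d")
    if os.path.isdir(crond):
        for name in sorted(os.listdir(crond)):
            try:
                with open(os.path.join(crond, name), errors="replace") as f:
                    text = f.read()
            except OSError:
                continue
            if "/var/tmp/" in text:
                findings.append(("cron", f"/etc/cron.d/{name} runs from /var/tmp"))
    for rel in NETWORK_FILES:
        try:
            with open(_under(root, rel), errors="replace") as f:
                text = f.read()
        except OSError:
            continue
        for indicator in IOC_NETWORK:
            if indicator in text:
                findings.append(("network", f"{rel} references {indicator}"))
    return findings


def build_demo_tree(base):
    """Constructed sample root: persistence file, dropper path, hosts entry."""
    os.makedirs(os.path.join(base, "etc", "cron.d"))
    os.makedirs(os.path.join(base, "var", "tmp"))
    with open(os.path.join(base, "etc", "cron.d", "collect"), "w") as f:
        f.write("*/5 * * * * root /var/tmp/crond\n")
    with open(os.path.join(base, "var", "tmp", "crond"), "wb") as f:
        f.write(b"placeholder, not the real binary\n")
    with open(os.path.join(base, "etc", "hosts"), "w") as f:
        f.write("127.0.0.1 localhost\n172.111.48.101 fdmpkg.org\n")
    return base


def demo():
    """Scan the constructed tree and an empty one; returns both finding lists."""
    infected = scan(build_demo_tree(tempfile.mkdtemp()))
    clean = scan(tempfile.mkdtemp())
    return infected, clean


if __name__ == "__main__":
    infected, clean = demo()
    for kind, detail in infected:
        print(f"HIT {kind}: {detail}")
    print("clean tree findings:", clean)
```

Run it as root against `/` on a suspect host, or mount an image and pass the mount point; it never writes to the tree it scans. A path hit without a hash match still deserves a look: the published hashes cover the samples seen so far, and the attacker controlled the download for years, so other builds may exist.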

