IT NEWS

Mac users targeted in new malvertising campaign delivering Atomic Stealer

Summary

  • Malicious ads for Google searches are targeting Mac users
  • Phishing sites trick victims into downloading what they believe is the app they want
  • The malware is bundled in an ad-hoc signed app so it cannot be revoked by Apple
  • The payload is a new version of the recent Atomic Stealer for OSX

Introduction

The majority of the malvertising campaigns we have tracked for the past few months have targeted Windows users. That’s not surprising considering that Microsoft holds the largest market share for both desktop and laptop computers.

However, we recently captured a campaign that was pushing both Windows and Mac malware, the latter being an updated version of the new but popular Atomic Stealer (AMOS) for Mac.

AMOS was first advertised in April 2023 as a stealer for Mac OS with a strong focus on crypto assets, capable of harvesting passwords from browsers and Apple’s keychain, as well as featuring a file grabber. The developer has been actively working on the project, releasing a new version at the end of June.

Criminals who buy the toolkit have been distributing it mostly via cracked software downloads but are also impersonating legitimate websites and using ads on search engines such as Google to lure victims in. In this blog post, we will provide details on one campaign targeting TradingView, a popular platform and app to track financial markets.

Distribution

Users looking to download a new program will naturally turn to Google and run a search. Threat actors are buying ads matching well-known brands and tricking victims into visiting their site as if it were the official page.

The ad below for TradingView uses look-alike Unicode characters in its domain (tradıņgsvıews[.]com, i.e. trad\u0131\u0146gsv\u0131ews[.]com with a dotless i and an n with cedilla), perhaps as an attempt to appear like the real domain and to evade detection by Google’s ad quality checks:
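As an added illustration of the look-alike domain technique described above (this is an added example, not code from the original post or from Malwarebytes), the following Python script decodes a punycode hostname back to its Unicode form, reduces it to an ASCII skeleton, and measures the edit distance of that skeleton to the impersonated brand. The two hostnames come from the article’s indicator list; the confusables map is a small illustrative subset rather than a full confusables table, and the distance threshold is an assumption.

```python
import unicodedata

# Brand impersonated in this campaign (from the article).
BRAND = "tradingview"

# Candidate hostnames: the ad domain and phishing domain from the article's
# indicator list (defanging brackets removed), plus a constructed benign control.
CANDIDATES = [
    "xn--tradgsvews-0ubd3y.com",  # punycode form of tradıņgsvıews.com
    "trabingviews.com",           # typo-squat of the brand
    "example.com",                # constructed control, should not be flagged
]

# Characters that NFKD normalization does not reduce to their ASCII look-alike.
# Assumption: a small illustrative subset, not a complete confusables table.
CONFUSABLES = {"ı": "i", "ȷ": "j", "ɡ": "g", "а": "a", "е": "e", "о": "o", "ѕ": "s"}


def decode_hostname(host: str) -> str:
    """Decode every xn-- label of a hostname with the punycode codec."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            labels.append(label[4:].encode("ascii").decode("punycode"))
        else:
            labels.append(label)
    return ".".join(labels)


def skeleton(label: str) -> str:
    """Reduce a label to an ASCII skeleton: drop diacritics, map confusables."""
    out = []
    for ch in label:
        for part in unicodedata.normalize("NFKD", CONFUSABLES.get(ch, ch)):
            if unicodedata.combining(part):
                continue  # strip combining marks such as the cedilla in ņ
            out.append(CONFUSABLES.get(part, part))
    return "".join(out)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, kept inline so the example has no dependencies."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(host: str, brand: str = BRAND, max_distance: int = 3) -> dict:
    """Flag a hostname whose first label resembles the brand once normalized."""
    unicode_host = decode_hostname(host)
    label = unicode_host.split(".")[0]
    skel = skeleton(label)
    distance = levenshtein(skel, brand)
    return {
        "host": host,
        "unicode": unicode_host,
        "skeleton": skel,
        "non_ascii": any(ord(c) > 127 for c in label),
        "distance": distance,
        "suspicious": distance <= max_distance,
    }


if __name__ == "__main__":
    for candidate in CANDIDATES:
        result = assess(candidate)
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{verdict:10} {result['host']} -> {result['unicode']} "
              f"(skeleton {result['skeleton']}, distance {result['distance']})")
```

Decoding with the punycode codec rather than the idna codec keeps the script independent of IDNA normalization rules, so a defender sees exactly the characters the registrar accepted; the skeleton step is what turns the dotless i and the cedilla back into the letters a human would read.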

Malicious ad

Google’s Ads Transparency Center page shows this advertiser account belongs to someone from Belarus. This is likely a compromised ad account that is being used by the threat actors.

Advertiser

When the user clicks on the ad they are redirected to a phishing page hosted at trabingviews[.]com:

Traffic

Phishing page

The decoy site (trabingviews[.]com) looks quite authentic and shows three download buttons: one each for Windows, Mac and Linux. One way to detect a potential phishing site is by checking when it was created, which in this case was only a few days ago.

Phishing page

Both the Windows and Linux buttons point to an MSIX installer hosted on Discord that drops NetSupport RAT:

https://cdn[.]discordapp[.]com/attachments/1062068770551631992/1146489462025629766/TradingView-x64[.]msix

The Mac download is hosted at:

https://app-downloads[.]org/tview.php

Payload

The downloaded file (TradingView.dmg) comes with instructions on how to open it in order to bypass Gatekeeper. Unlike regular apps, it does not need to be copied into the Mac’s Applications folder; the disk image is simply mounted and the app executed from there.

The malware is bundled in an ad-hoc signed app, meaning it is signed without an Apple-issued developer certificate, so there is no certificate for Apple to revoke. Once executed, it keeps prompting for the user’s password in a never-ending loop until the victim finally relents and types it in.

Payload

The attacker’s goal is simply to run their program, steal data from the victim and immediately exfiltrate it to their own server. The image below shows the kind of data that can be collected:

Stealer

A critical part of any infostealer operation is the back end server that receives the stolen data. AMOS developers advise their customers to use a bulletproof server such as the one below:

Panel

Protection

Malvertising continues to be an effective vector to target new victims by abusing the trust they have in their search engines. Malicious ads coupled with professional-looking phishing pages make for a potent combo that can trick just about anyone.

While Mac malware really does exist, it tends to be less detected than its Windows counterpart. The developer or seller for AMOS actually made it a selling point that their toolkit is capable of evading detection.

Before running any new program, make sure to double check its origins. If you clicked on an ad to download a new application, you may want to go back and revisit the official website directly, or at least spend some time verifying that the current website really is the right one, and not a fake.

With stealers such as AMOS, it’s also important to run an antivirus that has real time protection so that it blocks the malware before valuable data gets stolen.

Malwarebytes detects this malware as OSX.AtomStealer.

MBAM

Indicators of Compromise

Ad domain:

xn--tradgsvews-0ubd3y[.]com

Phishing domain:

trabingviews[.]com

AMOS installer download:

app-downloads[.]org/tview.php

AMOS installer (dmg):

6b0bde56810f7c0295d57c41ffa746544a5370cedbe514e874cf2cd04582f4b0

AMOS malware:

ce3c57e6c025911a916a61a716ff32f2699f3e3a84eb0ebbe892a5d4b8fb9c7a

AMOS C2:

185.106.93[.]154

Malwarebytes EDR and MDR remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

FreeWorld ransomware attacks MSSQL—get your databases off the Internet

When we think of ransomware and brute force password guessing attacks, we normally think of RDP, but recent research from Securonix reminds us that anything secured with a password and exposed to the Internet is of interest to cybercriminals.

Microsoft’s Remote Desktop Protocol has been a favourite point of entry for ransomware gangs for several years now. Cybercriminals seek out machines with RDP exposed to the Internet and attempt to guess their passwords, hoping to gain entry. They like RDP because it gives them exactly the same access as sitting at a chair in front of the computer, and because there are millions of targets to choose from.

But other systems can be abused to gain entry in a similar way, and the Securonix Threat Research team reports that it has spotted attackers targeting exposed Microsoft SQL (MSSQL) services using brute force attacks.

In an attack described by Securonix, attackers brute forced a MSSQL password and then used the database’s xp_cmdshell feature to run commands on the host machine the database was running on.

Having discovered that the xp_cmdshell stored procedure was enabled, the attackers began running shell commands on the host. xp_cmdshell allows operating system commands to be executed from within SQL Server and should not be enabled unless it is genuinely required.

The attackers used this ability to run commands on the host machine to try to give themselves RDP access. When that failed, they used AnyDesk remote access software instead. From there they explored the network the server was running on, before ultimately running FreeWorld ransomware. Securonix provides a detailed breakdown of the precise steps taken by the attackers, and its article is well worth reading.
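As an added example (not from this article or from Securonix’s report), the following Python script shows what a defender could watch for in the SQL Server ERRORLOG to catch the sequence described above: a burst of failed logins from one client address, a successful login from that same address, and xp_cmdshell being switched on. The log lines are constructed to mimic the ERRORLOG message format; the failure threshold and time window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the SQL Server ERRORLOG format (not real log data).
SAMPLE_LOG = """\
2023-09-01 02:14:07.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2023-09-01 02:14:07.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2023-09-01 02:14:07.48 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2023-09-01 02:14:07.66 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2023-09-01 02:14:07.84 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2023-09-01 02:14:08.02 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.10]
2023-09-01 02:20:31.55 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-09-01 09:00:12.00 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) (?P<source>\S+)\s+(?P<msg>.*)$")
FAILED_RE = re.compile(r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]")
SUCCESS_RE = re.compile(r"Login succeeded for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]")
XP_RE = re.compile(r"Configuration option 'xp_cmdshell' changed from (?P<old>\d) to (?P<new>\d)")


def analyse(log_text: str, threshold: int = 5, window: timedelta = timedelta(seconds=60)) -> list:
    """Return alerts for password spraying, success after spraying, and xp_cmdshell enablement."""
    alerts = []
    recent = defaultdict(deque)  # client IP -> timestamps of recent failed logins
    flagged = set()              # client IPs already reported for brute force
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        msg = m["msg"]

        failed = FAILED_RE.search(msg)
        if failed:
            q = recent[failed["ip"]]
            q.append(ts)
            while q and ts - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold and failed["ip"] not in flagged:
                flagged.add(failed["ip"])
                alerts.append({"type": "brute_force", "ip": failed["ip"],
                               "user": failed["user"], "count": len(q), "at": ts})
            continue

        success = SUCCESS_RE.search(msg)
        if success and success["ip"] in flagged:
            # A successful login from an address that was just guessing passwords.
            alerts.append({"type": "success_after_brute_force", "ip": success["ip"],
                           "user": success["user"], "at": ts})
            continue

        xp = XP_RE.search(msg)
        if xp and xp["new"] == "1":
            alerts.append({"type": "xp_cmdshell_enabled", "source": m["source"], "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

The xp_cmdshell message is logged by sp_configure whenever the option changes, so it fires regardless of which account flipped the switch; pairing it with the login-failure burst from the same time period is what separates a deliberate administrative change from the sequence Securonix describes.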

The attack is a timely reminder of an old security adage, one that’s at least as old as the 25 years or so I’ve been messing around with databases: Never expose your databases to the Internet. Typically, databases contain sensitive information that should sit at the centre of your network and not the periphery, and that should only be accessible to internal systems. Where data needs to be accessed from the Internet it should be made available via an application or API.

Although the situation is much improved now, historically, some databases made the situation worse by shipping with default passwords, or even no authentication at all.

As I mentioned before, one of the things that attracts attackers to RDP is the large number of available targets, so I wondered how many databases I could find via Shodan, the search engine that finds Internet-connected computers.

For comparison, every time I’ve looked in the last five years or so, there have been around two or three million computers running RDP accessible via Shodan, meaning that attackers have two to three million targets to choose from.

Finding databases on the Internet

The first database I looked up was MSSQL, the target in the attack spotted by Securonix. A simple search on Shodan found almost 90,000 potential targets. Although there are seemingly far fewer Internet-exposed computers running MSSQL than RDP, a server running MSSQL is likely to be a far higher value target than a desktop running RDP.

Anything connected to the Internet should expect to be the subject of relentless password guessing, and these are no exception.

Shodan search for MSSQL

Next up was MongoDB, a “NoSQL” database that has been the subject of significant ransomware campaigns in the past. Historically, some configurations of MongoDB made it possible to install it without setting a password, and attackers made hay with those who didn’t.

The problem was so serious that in 2017, the MongoDB website published an article called How to Avoid a Malicious Attack That Ransoms Your Data, reminding its users to use the product’s security features.

Evidently, plenty of people didn’t read it and in 2020, an automated ransomware campaign dropped ransom notes on 22,900 databases left exposed without a password. At the time this was said to represent 47% of Internet-connected MongoDB databases.

Those mass exploitation events are a thing of the past, but according to Shodan there are now almost 110,000 MongoDB databases connected to the Internet for potential attackers to probe.

Shodan search for MongoDB

Next I searched for MySQL, the world’s most popular database. Shodan found more than three million servers running MySQL, giving it parity with RDP in terms of the total number of potential targets. Alongside those there are a further 800,000 instances of the MySQL fork, MariaDB, making a huge, four million-strong pool of targets.

Shodan search for MySQL

MySQL and MariaDB often act as the source of data for websites, rather than as an enterprise data store like MSSQL, so may carry less business-critical data, but they still represent a prize, and a potential entry point into a network.

While there are exceptions to every rule, it’s always good to start with the assumption that you should probably follow the rule. It remains good advice to keep your databases off the Internet, so think long and hard before you decide that’s the right solution. And whether they are on the Internet or not, databases should always be secured with an exceptionally strong password.



Smart chastity device exposes sensitive user data

A security breach or piece of inadvertent exposure can be a devastating thing, not just for the company impacted but also the people whose data is stolen or exposed to the world. The usual roll-call of “name, address, phone number and card details” is bad enough. If such things are tied to sensitive material or websites, it can be many times worse.

This is the case for a recent piece of Internet of Things technology tied to people’s love lives. TechCrunch reports that a wearable “chastity device” which allows the user’s partner to control it over the internet (via Android app) has exposed all manner of user details which includes:

  • Home addresses
  • IP addresses
  • Plaintext passwords
  • Email addresses
  • GPS coordinates

The researcher who discovered the issue claims it’s due to “several flaws” in the servers used by the company behind the device. Two of those flaws allowed the researcher to view at least 10,000 user records. Despite contacting the organisation responsible on June 17, there’s been no word back and the issue is still out there.

Due to this potentially snowballing in a much worse way if the device name is made public, the details are so far being kept under wraps. As a result, if you use an internet connected chastity cage with your partner you won’t know for sure if you’re potentially affected or not.

At this point the story would usually end, and we’d advise you to think carefully when using IoT devices tied to more private aspects of your life. Well, not just yet! As it happens, the researcher was so frustrated by the lack of response that they took to compromising the device’s website with the following message:

“The site was disabled by a benevolent third party. [REDACTED] has left the site wide open, allowing any script kiddie to grab any and all customer information. This includes plaintext passwords and contrary to what [REDACTED] has claimed, also shipping addresses. You’re welcome!” the researcher wrote. “If you have paid for a physical unit and now cannot use it, I’m sorry. But there are thousands of people with accounts on here and I could not in good faith leave everything up for grabs.”

We can’t condone breaking into a website, and while trying to warn people is commendable, doing it in this fashion is likely to lead to more problems. If you want to keep a lid on an issue and not have it spill out across the internet, nothing makes something public quicker than a spectacular web page defacement.

In this case, it doesn’t seem to have happened (yet). Even so, the message was gone a day later and the issue which led the researcher to so many user details still exists.

The above is bad enough. PayPal payment logs being exposed is possibly even worse, tying payments to email addresses. All of this alongside the GPS details for some users makes public activities that some folks will find embarrassing and not for public consumption. In specific circumstances this kind of thing can lead to harassment, trolling, and more.

With this in mind, we suggest an abundance of caution when making use of devices and technology similar to the above.

A product with no internet connection is safer from a data exposure perspective, but will naturally be somewhat less functional. If you need to make payments, use anonymous emails set up for exclusive use with sensitive devices. And keep in mind that enabling features like GPS will give potentially pinpoint accuracy to your daily movements.

We can only hope that the flaws in the above device are patched as soon as possible, but it’s possible that nothing will ever be done about it. While it should be quite shocking that such a personal device is able to be exploited in this way, IoT has been a flashpoint of poor security practices and lack of responsibility for years now. Buyer most definitely beware.


We don’t just report on threats—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your Android devices by downloading Malwarebytes for Android today.

X wants your biometric data

Users of X (formerly Twitter) paying for a checkmark under what used to be called Twitter Blue (now X Premium) have some biometric related decisions to make. The BBC reports that Elon Musk, having dismantled the old checkmark system to replace it with the all new Premium, is (re)introducing identity verification.

The old verification system typically verified users by requesting a copy of government issued ID like a passport scan. This system is now returning, but with some additional features along for the ride.

People signed up to the subscription service can now choose to provide an image and photo ID for verification. In relation to the updated privacy policy, X had this to say to the BBC:

X will give the option to provide their government ID, combined with a selfie, to add a verification layer.

“Biometric data may be extracted from both the government ID and the selfie image for matching purposes. This will additionally help us tie, for those that choose, an account to a real person by processing their government-issued ID. This will also help X fight impersonation attempts and make the platform more secure.”

That’s not all. Users may be able to submit additional information like employment and education history. The policy continues:

We may collect and use your personal information (such as your employment history, educational history, employment preferences, skills and abilities, job search activity and engagement, and so on) to recommend potential jobs for you, to share with potential employers when you apply for a job, to enable employers to find potential candidates, and to show you more relevant advertising.

As with so many proposed changes to how the platform operates, there are potentially frustrating gaps in how this would work in relation to certain possible issues. If the concept behind ID verification for paying users is to “fight impersonation attempts”, making it optional may not help unless X clearly shows which paying users have confirmed ID.

As a proposed solution to impersonation, it may end up being needlessly messy. At time of writing we have the blue badge, a grey badge for Government officials, and gold badges with square profile pictures instead of circular for business entities. From those, some are paid, some have been given to users free of charge depending on popularity, and others are entirely bogus and show up in rogue adverts.

Yet more badges or qualifiers to wade through when trying to establish the genuine nature of an account could be a hassle. You knew exactly where you stood with a single blue badge under the old system. More quirks, wrinkles, and caveats for “at a glance” assessment feels like needless friction on a fast moving platform.

The general response from paying users so far has not been particularly positive, so it remains to be seen if there’ll be a big push for biometric sign ups. Even under the old system, verified accounts could be compromised and used for nefarious purposes. If you could swipe an identity verified Twitter account back in the day, would you also be able to swipe an identity verified X account? The smart money will be on “Yes, absolutely”.

The oft-stated desire from Elon Musk to turn X into the “everything app” managing everything from job applications to banking and payments may largely depend on a big biometric uptake. Given the many issues prevalent across all of social media, I would suggest holding off to see how things turn out before handing over this kind of valuable data.



Password-stealing Chrome extension smuggled on to Web Store

Researchers at the University of Wisconsin–Madison have demonstrated that Chrome browser extensions can steal passwords from the text input fields in websites, even if the extension is compliant with Chrome’s latest security and privacy standard, Manifest V3.

To prove it, they created a proof of concept browser extension that could steal passwords and put it through the Chrome Web Store review process.

Browser extensions are small applications like ad blockers and password managers that extend the capabilities of browsers. In order to do what they do, they enjoy a high degree of access to both the web browser and the pages the browser displays. This creates a significant challenge for vendors like Google.

On the one hand, the more access browser extensions enjoy, the more they can do and the more useful and featureful they can be. On the other hand, extensions are made by third-parties who may or may not be trustworthy, and the more access they have, the more harm they can do if they are malicious.

Google’s best, most recent stab at enforcing a sensible balancing act between those two things is the Manifest V3 standard, which has also been adopted by Microsoft Edge and Mozilla Firefox.

Manifest V3 tightens up security in a number of ways, most notably by stopping extensions from downloading code from remote websites. This stops them from changing their functionality after they’ve been installed, which makes it easier for Google to understand what an extension does during the Chrome Web Store review process.

Although Manifest V3 makes life tougher for malicious extensions that want to steal passwords and other sensitive information, the researchers have demonstrated it’s still possible to get a password-stealing extension through the review process.

The attack is feasible because the interaction between extensions and web pages has not changed. Extensions can still access the entire contents of web pages, including text input fields where users may enter sensitive information such as passwords, Social Security Numbers (SSNs), and credit card details.

The attack’s success hinges on the fact that extensions have full and unfettered access to the Document Object Model (DOM) of every web page you visit. The DOM is a representation of a web page in computer memory that can be accessed and changed, allowing the page to be modified on-the-fly.

…when an extension is loaded onto a website, it is integrated into the DOM tree, obtaining unrestricted access to all DOM elements via the DOM APIs. This exposes a critical security issue – the lack of a security boundary between the extension and the rest of the DOM tree.

Full access to a page’s DOM gives extensions tremendous power, which includes reading or modifying text input fields, like the ones you type your passwords into. The success of the researchers’ technique depends on the way the page is designed, but the paper claims that most of the top 10,000 websites are vulnerable, including the likes of google.com, facebook.com, gmail.com, cloudflare.com, and amazon.com, among others.

To prove the technique was viable in the real world the researchers created a browser extension disguised as a “GPT-based assistant offering ChatGPT-like functions on websites”. This allowed the extension to plausibly ask for permission to run on all websites. (It was withdrawn as soon as it passed the review process.)

Having established that it was possible for a malicious extension using these techniques to pass the review process, the researchers analysed the extensions already on the web store and found that 12.5% of them had the necessary permissions to exploit the password input field vulnerabilities, and identified 190 extensions that directly access password fields.
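The permission check the researchers ran across the Web Store can be approximated for the extensions installed in your own browser. The Python script below is an added example, not the researchers’ tooling or Google’s: it reads extension manifests and reports which ones can both run code in pages and reach every site, which is the combination needed to read arbitrary input fields. The four manifests are constructed for illustration; the MV2 handling (host patterns listed under "permissions") and the "scripting"-plus-host-permission rule for MV3 reflect how Chrome grants page access.

```python
import json

# Constructed manifests for illustration (not real Web Store extensions and not
# the researchers' proof-of-concept extension).
SAMPLE_MANIFESTS = {
    "assistant-everywhere": """{
        "manifest_version": 3,
        "name": "Assistant Everywhere",
        "permissions": ["scripting", "storage"],
        "host_permissions": ["<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}]
    }""",
    "single-site-helper": """{
        "manifest_version": 3,
        "name": "Single Site Helper",
        "permissions": ["storage"],
        "host_permissions": ["*://*.example.com/*"],
        "content_scripts": [{"matches": ["*://*.example.com/*"], "js": ["content.js"]}]
    }""",
    "legacy-wide-open": """{
        "manifest_version": 2,
        "name": "Legacy Wide Open",
        "permissions": ["tabs", "http://*/*", "https://*/*"]
    }""",
    "popup-only": """{
        "manifest_version": 3,
        "name": "Popup Only",
        "permissions": ["storage"],
        "action": {"default_popup": "popup.html"}
    }""",
}


def is_broad(pattern: str) -> bool:
    """True for match patterns that cover every site."""
    return pattern == "<all_urls>" or pattern.endswith("://*/*")


def audit_manifest(manifest: dict) -> dict:
    """Classify how far into web pages an extension can reach."""
    mv = manifest.get("manifest_version")
    permissions = list(manifest.get("permissions", []))
    host_perms = list(manifest.get("host_permissions", []))
    if mv == 2:
        # MV2 lists host patterns alongside API permissions in "permissions".
        host_perms += [p for p in permissions if "://" in p or p == "<all_urls>"]
    content_matches = [m for cs in manifest.get("content_scripts", [])
                       for m in cs.get("matches", [])]
    page_access = host_perms + content_matches
    if any(is_broad(p) for p in page_access):
        reach = "all_sites"
    elif page_access:
        reach = "some_sites"
    else:
        reach = "none"
    # Routes for getting code into a page: declared content scripts, MV3
    # "scripting" plus a host permission, or MV2 executeScript with a host permission.
    can_inject = (bool(content_matches) or "scripting" in permissions
                  or (mv == 2 and bool(host_perms)))
    return {
        "name": manifest.get("name", "?"),
        "manifest_version": mv,
        "reach": reach,
        "can_run_page_scripts": can_inject and reach != "none",
        "needs_review": can_inject and reach == "all_sites",
    }


def audit_all(manifests: dict = None) -> dict:
    """Parse and audit a mapping of extension id -> manifest.json text."""
    manifests = SAMPLE_MANIFESTS if manifests is None else manifests
    return {key: audit_manifest(json.loads(text)) for key, text in manifests.items()}


if __name__ == "__main__":
    for key, result in audit_all().items():
        flag = "REVIEW" if result["needs_review"] else "ok    "
        print(f"{flag} {result['name']:22} MV{result['manifest_version']} reach={result['reach']}")
```

A "needs_review" verdict is not proof of malice; it marks the extensions whose declared access matches what the proof-of-concept needed, so they are the ones worth reading the source of before trusting them on pages with login forms.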

The researchers offer two potential fixes: A “bolt on” remedy for vulnerable sites and a “built in” remedy for browsers. The bolt on is a JavaScript library that can be added to websites to prevent unwanted access to password fields. To be successful it would need to be widely adopted and, frankly, history suggests it probably wouldn’t be. The built in remedy suggests changing Chrome to alert users whenever any JavaScript function accesses any password fields. This would be no small undertaking, but seems more likely to succeed if Google can be persuaded to adopt it.



A week in security (August 28 – September 3)

Last week on Malwarebytes Labs:

Stay safe!



Supply chain related security risks, and how to protect against them

By definition, a supply chain is the network of all the individuals, organizations, resources, activities and technology involved in the creation and sale of a product. In only a few rare cases does one organization have full control over every step in the entire process. The links in such a supply chain often work closely together, sometimes so much so that they have access to parts of each other’s systems.

Although it is important to guard every aspect of your supply chain to avoid disruptions, for the scope of this article we will focus on the cybersecurity element of it.

From a security perspective, it’s imperative to choose your partners wisely. An organization’s security posture is its readiness and ability to identify, respond to and recover from security threats and risks. If you are the one paying, you can often make demands about the security posture of the partner, but the other way around is usually much harder. 

We probably all know the compliance audits that are the result of these demands. And it makes sense we do not wish to fall victim to the mistakes made in another organization that we have no control over. It’s usually more than enough to worry about the processes we need to control inside our own organization.

Compliance with security protocols and legal regulations like FedRAMP and SOC2 (System and Organization Controls) may not just be mandatory for your own organization. More often than not it also needs to be enforced outside your organization with all the vendors in your software supply chain. In these cases, demonstrating vendor compliance will keep your internal organization from facing fines and penalties.

But it’s not just the partners that you work with to create the end product. There are also vendors whose products we use to get the work done, such as software, infrastructure, and services. The more organizations use a particular software package, the more appealing an attack vector that software becomes. Log4Shell, the MOVEit vulnerability exploited by the ransomware operator Cl0p, and the SolarWinds attack are all reminders of this.

Similar attacks will continue to surface, and if there is a lesson to be learned it is not to rely solely on the security provided by the supplier, but to keep security in mind whenever we decide whether and how to use something provided by a third party.

Having a complete understanding of your vendors’ security practices is an important component of cybersecurity and supply chain risk management. So, in a supply chain your security posture is definitely a selling point and can be used as such. A partner that has their security in order has every right to emphasize that.

Some tips

Regardless of the varying needs based on your organization and your place in the supply chain, here are some tips that are worth considering to avoid being the weakest link:

  1. Make an inventory of the data you need to keep safe, along with who has access to what, in order to give you a complete understanding of your needs.
  2. Then make an inventory of your software and hardware products and their weaknesses. Based on that inventory, you can decide whether to use network segmentation in order to keep the sensitive data separated from the parts that need internet access.
  3. Use the cloud carefully. Organizations of all kinds are increasingly reliant on cloud computing. There are good reasons for this, but it does complicate security, given the recent malicious targeting of cloud computing environments. So, it might be a good idea to use the cloud only for the parts of your environment whose size varies, and to keep the fixed parts under your own control.
  4. Connect your internal team with your organization’s third-party partners and vendors. Work together to identify major risks and potential damage to your organization, as well as plans for mitigation. Make sure there is an actionable incident response plan with a clear division of roles.
  5. Trust is good; regular checks or constant monitoring are better. Strictly limit access to those who really need it, and apply the principle of least privilege. Monitoring will also prove helpful in the event of an attack, to help you trace its origin.
  6. Secure valuable assets with advanced encryption, both in storage as well as during transfer.
  7. Consider penetration testing and/or a bug bounty program to check your security measures. A bug bounty allows organizations to continuously test the security of their systems, whereas a penetration test is an assessment of the security level of an asset at a given point in time.
  8. Look at best practices. In 2021, NIST (National Institute of Standards and Technology) shared a report on best practices that can help keep you and your business safe by using its framework for cyber supply chain risk management or C-SCRM.


A firsthand perspective on the recent LinkedIn account takeover campaign

Not long ago I wrote about a recent campaign to hold LinkedIn users’ accounts to ransom. Shortly after I published the article, a co-worker, Pearce, reached out to tell me he had been a target of the campaign.

His story begins with an SMS text from LinkedIn telling him to reset his password. He found this confusing: It arrived in the middle of the night, and he hadn’t asked for a password reset. Since he doesn’t use the LinkedIn app on his mobile he checked his account on his laptop first thing in the morning. The current sessions (Profile Picture > Settings > Sign in & security > Where you’re signed in) showed an unknown IP address in Texas logged into his account.

Frustration #1: The promised “Sign out of all these sessions” option is nowhere to be found. I double checked in a browser session on Windows and in the app on Android. It’s not there.

Pearce then found out that there was at least one person in his Connections that he did not invite or accept an invitation from. This person also hails from Texas.

screenshot of the location of the new connection

Pearce is a security professional so as soon as he was convinced there was someone else with access to his LinkedIn account, he took action.

A reset of the account’s password worked, but failed to remove the unwanted active session.

Pearce had already set up multi-factor authentication (MFA) on his account, but changed this from SMS to an authenticator app. As I stated in my previous blog, “Setting up MFA for LinkedIn with Okta turned out to be painful because LinkedIn does not provide a QR code but a secret key which is so long that it’s hard to get it right the first, or second time.”

But despite his troubles this didn’t remove the unwanted active session either.

Frustration #2: Changing security and sign in settings is a pain, but has no effect on currently logged in users on other devices.

Frustration #3: LinkedIn Support is overwhelmed and takes quite some time before you get actual help.

Pearce opened a support ticket with LinkedIn. As we mentioned before, the campaign appears to have completely overwhelmed LinkedIn Support. The LinkedIn Help account on X (formerly Twitter) has pinned a message to say:

“Hey there! We’re experiencing an uptick in questions from our members, causing longer reply times. Rest assured, we’re doing our best to assist you! For account-specific inquiries, please DM us the details and your email address. We appreciate your patience. Thanks!”

It took them 3 to 4 days to reply with the following message:

Status: Closed

Hi Pearce,

Thanks for contacting us about this. To secure your account, we’ve taken the following actions:

  1. We signed you out of your account from every computer or mobile device it has been accessed on. Note: This will now prompt a new login for your account.
  2. We sent a password reset link to the primary email address listed on your account.

There are a few scenarios that could explain the possibility of unauthorized access to a LinkedIn account:

  • If you’ve recently signed into your account from a public computer or a shared device at your workplace or home, and didn’t completely sign out of your account, the next person to access the site on that device may have unintentionally signed in to your account.
  • An email or phone number registered in your account is outdated and access to the email or phone number has been recycled or compromised.
  • If the same password is used in multiple websites, this could have been compromised through unaffiliated sites or a phishing attack.
  • We’d recommend these best practices for your online privacy:

If you continue to see anything suspicious, please report it to us immediately.

Regards,

LinkedIn Member Safety and Recovery Consultant

Fortunately this worked and Pearce has regained control of his account. But this ordeal could have been much worse than a few unwanted new connections. Had the account been fully taken over, it could have been used for malicious activities, damaging Pearce’s reputation in the process.

Note: LinkedIn has added an option to end individual sessions since this incident, but a few quick tests showed that this doesn’t always work as advertised. We may dive into that at a later point.


Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.


Prompt injection could be the SQL injection of the future, warns NCSC

The UK’s National Cyber Security Centre (NCSC) has issued a warning about the risks of integrating large language models (LLMs) like OpenAI’s ChatGPT into other services. One of the major risks is the possibility of prompt injection attacks.

The NCSC points out several dangers associated with integrating a technology that is still in the early stages of development into other services and platforms. Not only could we be investing in an LLM that no longer exists in a few years (anyone remember Betamax?), we could also get more than we bargained for and need to change anyway.

Even if the technology behind LLMs is sound, our understanding of the technology and what it is capable of is still in beta, says the NCSC. We have barely started to understand Machine Learning (ML) and Artificial Intelligence (AI) and we are already working with LLMs. Although fundamentally still ML, LLMs have been trained on increasingly vast amounts of data and are showing signs of more general AI capabilities.

We have already seen that LLMs are susceptible to jailbreaking and can fall for “leading the witness” types of questions. But what if a cybercriminal were able to change the input of a user of an LLM-based service?

Which brings us to prompt injection attacks. Prompt Injection is a vulnerability that is affecting some AI/ML models and, in particular, certain types of language models using prompt-based learning. The first prompt injection vulnerability was reported to OpenAI by Jon Cefalu on May 3, 2022.

Prompt Injection attacks are a result of prompt-based learning, a language model training method. Prompt-based learning is based on training a model for a task where customization for the specific task is performed via the prompt, by providing the examples of the new task we want to achieve.

Prompt Injection is not very different from other injection attacks we are already familiar with, e.g. SQL attacks. The problem is that an LLM inherently cannot distinguish between an instruction and the data provided to help complete the instruction.

An example provided by the NCSC is:

“Consider a bank that deploys an ‘LLM assistant’ for account holders to ask questions, or give instructions about their finances. An attacker might be able to send you a transaction request, with the transaction reference hiding a prompt injection attack on the LLM. When the LLM analyses transactions, the attack could reprogram it into sending your money to the attacker’s account. Early developers of LLM-integrated products have already observed attempted prompt injection attacks.”

The comparison to SQL injection attacks is enough to make us nervous. The first documented SQL injection exploit was in 1998 by cybersecurity researcher Jeff Forristal and, 25 years later, we still see them today. This does not bode well for the future of keeping prompt injection attacks at bay.

Another potential danger the NCSC warned about is data poisoning. Recent research has shown that even with limited access to the training data, data poisoning attacks are feasible against “extremely large models”. Data poisoning occurs when an attacker manipulates the training data or fine-tuning procedures of an LLM to introduce vulnerabilities, backdoors, or biases that could compromise the model’s security, effectiveness, or ethical behavior.

Prompt injection and data poisoning attacks can be extremely difficult to detect and mitigate, so it’s important to design systems with security in mind. When you’re implementing the use of an LLM in your service, one thing you can do is apply a rules-based system on top of the ML model to prevent it from taking damaging actions, even when prompted to do so.
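One way to build the rules-based layer described above for the NCSC’s bank scenario, as an added example (not code from the NCSC or Malwarebytes): every action the LLM proposes passes through a deterministic policy that checks payee, amount and user confirmation, so text the model absorbed from a transaction reference cannot widen what it is allowed to do. The `Session`, `check_action` and account identifiers are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Session:
    """Per-user state the policy trusts; none of it is set from model output."""
    user_id: str
    approved_payees: frozenset     # payees registered out of band, not via chat
    per_transfer_limit: float
    user_confirmed: bool = False   # set only by a UI confirmation step

READ_ONLY_ACTIONS = {"get_balance", "list_transactions", "summarise"}


def check_action(action: dict, session: Session) -> tuple[bool, str]:
    """Deterministic policy applied to every action the assistant proposes.

    The proposal is treated as untrusted input: whatever instructions the
    model picked up from a transaction reference, it cannot change these rules.
    """
    kind = action.get("type")
    if kind in READ_ONLY_ACTIONS:
        return True, "read-only action"
    if kind != "transfer":
        return False, f"unknown action type {kind!r}"
    amount = action.get("amount")
    if not isinstance(amount, (int, float)) or isinstance(amount, bool) or amount <= 0:
        return False, "invalid amount"
    if action.get("to") not in session.approved_payees:
        return False, "payee not registered by the user"
    if amount > session.per_transfer_limit:
        return False, "amount exceeds per-transfer limit"
    if not session.user_confirmed:
        return False, "transfer needs explicit user confirmation"
    return True, "policy satisfied"


def demo() -> list[tuple[bool, str]]:
    """Constructed scenario: a steered proposal beside a legitimate one."""
    session = Session("alice", frozenset({"ACCT-EXAMPLE-LANDLORD"}), 1000.0)
    # What a model might propose after reading a poisoned transaction reference.
    hijacked = {"type": "transfer", "to": "ACCT-EXAMPLE-ATTACKER", "amount": 5000}
    first = check_action(hijacked, session)
    # What the user actually asked for, confirmed through the UI.
    session.user_confirmed = True
    legit = {"type": "transfer", "to": "ACCT-EXAMPLE-LANDLORD", "amount": 800}
    return [first, check_action(legit, session)]
```

The policy is intentionally boring: it has no natural-language understanding to subvert, which is the point of putting it between the model and the transfer API.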

Equally important advice is to keep up with published vulnerabilities and make sure that you can update or patch the implemented functionality as soon as possible without disrupting your own service.


Qakbot botnet infrastructure suffers major takedown

The Qakbot botnet has suffered a major setback after its infrastructure was heavily disrupted by US and European law enforcement agencies. Operation DuckHunt, as it was codenamed, is possibly the largest US-led financial and technical disruption of a botnet infrastructure.

Not only did the agencies shut down the core of the Qakbot infrastructure, they also cleaned the malware from infected devices. US authorities also seized around 8.6 million dollars’ worth of illicit cryptocurrency profits.

Qakbot has been active for over a decade and allowed the botnet operators to steal login credentials from affected devices as well as install additional malware on them. Often that malware included a ransomware variant, with Black Basta the most recent ransomware of choice.

Thanks to that, Black Basta repeatedly made it to the top three most prolific ransomware variants in our monthly ransomware reviews.

The international investigation involved judicial and law enforcement authorities from the US, France, Germany, Latvia, the Netherlands, Romania, and the UK. The examination of the seized infrastructure uncovered that the malware had infected over 700,000 computers worldwide. Law enforcement detected servers infected with Qakbot in almost 30 countries in Europe, South and North America, Asia and Africa, enabling the malware’s activity on a global scale. Of the 700,000 infected devices, around 200,000 were located in the US.

On impounded servers that belonged to the botnet’s infrastructure the authorities found 6.43 million email addresses and passwords, which have now been shared with Have I Been Pwned (HIBP). HIBP allows you to search across multiple data breaches to see if your email address or phone number has been compromised. But HIBP has also assisted governments, such as the UK, Australia, and Romania (to name a few), in monitoring for breaches in government domains. 57% of the Qakbot-related email addresses were already in the database. The Qakbot data has been labeled sensitive, which means you’ll have to verify that the email address is under your control to receive the information.

The information was also shared with Spamhaus which will contact email providers and other hosts of affected email addresses to initiate a password reset to further protect the owners of those addresses.

Qakbot is mostly spread through phishing campaigns that include malicious documents as attachments or links to download malicious files. Once Qakbot is installed, the malicious code is injected into the memory of a legitimate Windows process to avoid detection. At first, it searches the infected machine for email addresses and other useful information. Then it persists in the memory of the device to await further instructions, for example to download additional malware.

So, one characteristic of a botnet is that the bots can be controlled by the operators. Based on that principle, the FBI came up with a method to uninstall the malware from all the connected bots.

Once the FBI got hold of the administrators’ computers, they were able to map out the botnet’s Command & Control (C2) structure and use this information to roll out a special removal tool. The FBI managed to lock the Qakbot administrators out of their own command and control infrastructure by changing the encryption keys used to communicate with the servers.

“To disrupt the botnet, the FBI was able to redirect Qakbot botnet traffic to and through servers controlled by the FBI, which in turn instructed infected computers in the United States and elsewhere to download a file created by law enforcement that would uninstall the Qakbot malware.”

Additional information and resources, including for victims, can be found on the following website, which will be updated as additional information and resources become available: www.justice.gov/usao-cdca/divisions/national-security-division/qakbot-resources.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.
