IT NEWS

Accidental VirusTotal upload is a valuable reminder to double check what you share

A document accidentally uploaded to Google’s VirusTotal service has resulted in the potential exposure of defence and intelligence agency names and email addresses. The service, used to scan files for signs of potential malicious activity, is used by security professionals and folks just interested in the files making their way to their systems.

The list makes up roughly 5,600 of the site’s customers, and identifies multiple security-centric entities. The Record cites individuals affiliated with the NSA, FBI, Pentagon, and other US military service branches. Meanwhile, the UK tally includes “a dozen Ministry of Defence personnel”, and emails tied to CERT-UK/National Cyber Security Centre, a part of the UK’s Government Communications Headquarters (GCHQ).

Sadly the emails listed are not entirely anonymous. There are full names tied to emails from the Ministry of Defence, Pensions Regulator, and the Cabinet Office, among others.

The file was removed by VirusTotal within an hour of it being uploaded. Commentary from some of the impacted organisations suggests this isn’t that big of a deal. The UK’s Ministry of Defence told The Record that they consider the data to be non-sensitive, and also low risk. This is of course good news, and much better than everyone running around yelling that the sky is falling.

While there is some element of risk here, it’s important not to get carried away. Someone genuinely determined to pull up a name or email address can usually do it by checking relevant websites or simply asking around. After all, what use is an email address if you can’t email people?

As for VirusTotal itself, submitted files can be shared and analysed via the security organisations tied to the scanning service. The results are often findable online via search engine, or hunting for specific file characteristics while on the VirusTotal website. You may also sometimes see VirusTotal pages linked directly from security blogs such as our own. Accidents of this nature tend to come about because folks making use of the service don’t quite realise the way data is used once submitted.

In March of last year, semi-automated uploads to VirusTotal were flagged by the German Bundesamt für Sicherheit in der Informationstechnik (BSI), whose name translates as the Federal Office for Information Security. In some cases, the documents being uploaded were confidential and should not have made their way to the VirusTotal service.

As we said at the time, files uploaded are not only shared with the 70 or so security vendors making up the bulk of the visible scanning service. They’re also potentially accessible to those making use of the premium features. If you make a mistake when uploading, it could be a costly one. In fact, a mistake uploading can be costly anywhere.

I’d be surprised if there’s anyone reading this who hasn’t, at some point, hit publish when they shouldn’t have, mailed a file that should have stayed where it is, or posted a message publicly when it was supposed to be private. It happens!

There is almost never a need to rush a process, and plenty of need to double check whatever you happen to have in the “about to send” box. Some organisations will restrict what can (and cannot) be uploaded. In most cases though, the onus will be on the uploader to get it right the first time.

We have some tips with regard to VirusTotal below:

Receivers:

  • If you are in the least bit uncertain about the safety of an attachment, contact the sender and ask them about it.
  • Don’t use VirusTotal if you want to check whether an attachment is malicious. The result is not conclusive and you may breach confidentiality.
  • Never click on links in emails or email attachments.
  • Never “Enable Editing” in a document, unless the sender in person assured you it was safe.

Senders:

  • Only use attachments that could be perceived as dangerous when it’s absolutely necessary.
  • Inform recipients about the fact that you are sending them an attachment and for what reason.

Malwarebytes EDR and MDR remove all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Google fixes “Bad.Build” Cloud Build flaw, researchers say it’s not enough

Researchers at Orca Security have found a design flaw in the Google Cloud Build service. Attackers could have used it to escalate privileges and gain unauthorized access to code repositories in Google’s Artifact Registry.

The researchers dubbed the vulnerability Bad.Build and say it could have far reaching consequences comparable to supply chain attacks like those caused by exploitation of flaws in 3CX, MOVEit, and SolarWinds.

The vulnerability was fixed in June and according to Google no further user action is required. But the security researchers claim that Google’s fix only limits the discovered Privilege Escalation (PE) vector and organizations are still vulnerable to the larger supply chain risk.

Since the researchers go on to explain how the Bad.Build design flaw can be exploited, users of Google Cloud Build are advised to take action. We’ll let you know what to do below (under Mitigation).

First, let’s have a look at the problem.

In traditional software development, programmers code an application in one computing environment only to find bugs or errors when deployed in another environment. To account for this, developers bundle their application together with all its related configuration files, libraries, and dependencies required to run in containers hosted in the cloud. This method is called containerization.

Google Cloud Build is a managed continuous integration and delivery (CI/CD) service provided by Google Cloud that makes it easy to get container images onto the cloud. Cloud Build also provides pre-built images that you can reference in a Cloud Build config file to execute your tasks.

The Artifact Registry provides an overview of the packages you use while continuously monitoring and updating the state of those artifacts. This provides insight and control over the packages, images, and other dependencies used in your software development and delivery process.

The flaw uncovered by the researchers enables the impersonation of the default Cloud Build service account. By exploiting the flaw, an attacker can manipulate images in Google’s Artifact Registry and inject malicious code. If these images are intended to be used by customers of the supplying organization, the risk crosses from the supplying organization’s environment to their customers’ environments, constituting a supply chain attack.

When notified about the problem, Google revoked the logging.privateLogEntries.list IAM permission from the Cloud Build service account to adhere to the security principle of least privilege. When you enable the Cloud Build API in a project, Cloud Build automatically creates a default service account to execute builds on your behalf. This Cloud Build service account previously had the permission, which allowed the build to list private logs by default. However, the revoked permission was not related to Artifact Registry.

As a result, an attacker could use the artifactregistry permissions to download and exfiltrate an image that is being used inside Google Kubernetes Engine (GKE). They could then inject malicious code into the image and push it back to the Artifact Registry, from where it is deployed once again to GKE. Once the malicious image is deployed, the attacker can exploit it and run code on the Docker container as root.

Mitigation

If there is anything the researchers made clear, it is that organizations should pay close attention to the behavior of the default Google Cloud Build service account. Some important elements to keep in mind:

  • Principle of least privilege. Limit permissions to what’s needed and keep track of given permissions.
  • Implement cloud detection and response. If something goes wrong, it’s important to learn about it as early as possible.
  • Prioritize risks, but don’t lose sight of the fact that a combination of two or more seemingly harmless vulnerabilities can be chained into a fatal attack.
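As an added illustration of the first bullet (this is not code from Orca Security or Google), the script below reads a project’s IAM policy in the JSON form that `gcloud projects get-iam-policy PROJECT --format=json` emits, lists every role bound to the default Cloud Build service account, and flags the ones that let a build push images into Artifact Registry. The policy, project number and user names it runs on are constructed.

```python
"""Audit the roles bound to a project's default Cloud Build service account.

Added example, not Orca Security's or Google's code. It reads an IAM policy in
the JSON shape produced by `gcloud projects get-iam-policy PROJECT --format=json`,
lists the roles held by the default Cloud Build service account
(PROJECT_NUMBER@cloudbuild.gserviceaccount.com) and flags those that let a
build push images into Artifact Registry. The policy below is constructed.
"""
import json
import re

# Predefined roles that allow writing to Artifact Registry. The article's point
# is that the default Cloud Build Service Account role already carries such
# permissions, so it is listed here too; whether each grant is acceptable is a
# per-project decision.
REGISTRY_WRITE_ROLES = {
    "roles/cloudbuild.builds.builder",
    "roles/artifactregistry.writer",
    "roles/artifactregistry.repoAdmin",
    "roles/artifactregistry.admin",
    "roles/editor",
    "roles/owner",
}

CLOUD_BUILD_SA = re.compile(r"^serviceAccount:\d+@cloudbuild\.gserviceaccount\.com$")

# Constructed sample policy for a fictional project number 123456789012.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/cloudbuild.builds.builder",
         "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
        {"role": "roles/artifactregistry.admin",
         "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com",
                     "user:alice@example.com"]},
        {"role": "roles/logging.viewer",
         "members": ["user:bob@example.com"]},
        {"role": "roles/artifactregistry.reader",
         "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
    ]
})


def cloud_build_roles(policy_json: str) -> dict[str, list[str]]:
    """Map each default Cloud Build service account in the policy to its sorted roles."""
    roles: dict[str, list[str]] = {}
    for binding in json.loads(policy_json).get("bindings", []):
        for member in binding.get("members", []):
            if CLOUD_BUILD_SA.match(member):
                roles.setdefault(member, []).append(binding["role"])
    return {member: sorted(held) for member, held in roles.items()}


def registry_write_findings(policy_json: str) -> dict[str, list[str]]:
    """Keep only the roles per Cloud Build service account that can push to the registry."""
    return {member: [r for r in held if r in REGISTRY_WRITE_ROLES]
            for member, held in cloud_build_roles(policy_json).items()}


if __name__ == "__main__":
    for sa, held in cloud_build_roles(SAMPLE_POLICY).items():
        print(f"{sa}: {', '.join(held)}")
    for sa, risky in registry_write_findings(SAMPLE_POLICY).items():
        if risky:
            print(f"REVIEW {sa}: Artifact Registry write via {', '.join(risky)}")
```

Run it against a real policy by replacing SAMPLE_POLICY with the output of the gcloud command; the roles flagged for review are the ones to reduce or justify against your threat model.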

Google denied Orca Security’s assessment, explaining that the access given to service accounts is the “nature of automated systems that run independently,” but both agreed that it’s important to check permissions and adjust them as you see fit, depending on your threat model.



Plane sailing for ticket scammers: How to keep your flight plans safe

You may be getting ready to jump on a plane and head off for a few days or weeks of rest and relaxation. So the last thing you need before flying is a technology related horror show. Sadly, scammers are aware of families getting ready to hit the skies, and have tailored their threats accordingly. Several trip-related scams are doing the rounds right now, and we’re going to highlight some of the more prevalent ones.

Fake customer support on social media is one current major area of concern. This is often aimed at banking customers looking for assistance. The risk of this has increased since Twitter started charging for blue checkmarks, as many legitimate accounts now sport no visible means of authentication. 

With popular airline easyJet cancelling 1,700 flights between July and September due to air traffic control delays, fraudsters have been busy creating fake support accounts. For people stuck in an airport and hearing the flight is off, or getting ready to make the trip, their first reaction may be to hop onto social media for breaking advice and information.

Bogus airline accounts are directing potential victims to fake airline websites and other portals in an effort to steal credentials (and most likely any payment data they can scoop up along the way). There are currently somewhere in the realm of 100+ Twitter accounts using the easyJet branding. Of those, at least two have a gold verified check mark, which is used exclusively for approved business accounts. Here’s the main easyJet account, for example.

The rest are a combination of “temporarily restricted” accounts, accounts set to private (and so not visible to non-followers), private individuals, video game themed(!), and more. Many of the accounts claim to be customer support and ask Twitter users to send them their mobile number for assistance. If you’re not talking to the verified account, or directed somewhere by that account, you may end up running into trouble.

Meanwhile, scammers elsewhere are targeting folks looking to dodge some of the Arizona heat. Phony travel agents lie in wait with fake websites and non-existent plane tickets. These sites appear in search engine results or random emails promising fantastic prices. Once you’ve paid and turned up on the day of the flight, or even just tried to check in online the day before, you’re in for a nasty surprise.

The fraudster has merely reserved a seat, as opposed to booking the desired ticket. Meanwhile, they were off using your payment details to try and buy who knows what. A fraught call to your bank or credit card’s customer service department now beckons.

If you’re looking for good deals, airlines and travel agents will be able to direct you to legitimate ticket sources. If you stumble upon a site you’ve not heard of, look up reviews and keep an eye out for any reference to wrongdoing. One word of caution: you may also have to check the legitimacy of the reviews, too.

A final warning: be careful what you post online. We’ve previously talked about how posting up a photograph of your home environment can reveal important information. An envelope with your address on it, a box with your full name, even being geolocated because of traceable landmarks outside of your window. Well, the same warning applies to your airplane tickets too. If you’re getting into the holiday swing of things, keep all the small bits and pieces of data related to your trip out of shot. Using the information on your boarding ticket, or even your passport, people up to no good can get a good handle on who you are and what you’re doing.

If you’re revealing your name, frequent flyer number, and passport information online then you’re a possible meal ticket for scammers. This isn’t even necessarily a case of stealing your banking data. They can potentially social engineer their way into accessing your account under the guise of you having “forgotten” your login details. Maybe they’ll sell your frequent flyer account on, or do something else to cause you a headache. They may even just wait a few months and then send a targeted phish. The sky really is the limit with scams, so keep your personal info private.



Docker Hub images found to expose secrets and private keys

Numerous Docker images shared on Docker Hub are exposing sensitive data, according to a study conducted by researchers at the German university RWTH Aachen. Needless to say, this poses a significant security risk.

In traditional software development, programmers code an application in one computing environment only to find bugs or errors when it’s deployed in another environment. To solve this, developers bundle their application together with all its related configuration files, libraries, and dependencies required to run in containers hosted in the cloud. This method is called containerization.

Docker images are one of the most common methods used in containerization. Docker is an open-source project that automates the deployment of applications inside software containers. Docker Hub is a cloud-based repository which facilitates the widespread use and sharing of Docker images. Docker Hub comprises more than 9,000,000 images anybody can use.

Since containerization started out as a means for efficient development and cost savings and quickly ballooned into adoption and implementation, security was unfortunately a low priority in its design—as it often is in tech innovation.

The researchers analyzed 337,171 images from Docker Hub and 8,076 private registries and found that more than 1 in 12 of these images contained sensitive information, including private keys and API secrets. To be precise, they found 52,107 private keys and 3,158 leaked API secrets. This is not only a huge security risk; the researchers also documented that the leaked keys were actually used in the wild.

The researchers discovered that some of the exposed keys were in use, which means elements such as certificates were also at risk. In fact, more than 22,000 compromised certificates were found to be relying on the exposed private keys. That includes more than 7,500 private and more than 1,000 public certification authority (CA) signed certificates.

Most of the secrets were found in images of single owners, which makes sense assuming users do not share their secrets intentionally. The researchers also found that image creators upload secrets to Docker Hub more often than to private registries (9% vs 6.3%). This could be an indication that private registry users have a better security understanding, maybe due to a deeper technical understanding required for hosting a registry.

To highlight the security implications around internet communications, the researchers found 216 Session Initiation Protocol (SIP) hosts used for telephony as well as 8,165 SMTP, 1,516 POP3, and 1,798 IMAP servers used for email. Since these hosts are susceptible to impersonation attacks due to their leaked private keys, attackers can eavesdrop, relay, or alter the sensitive data transmitted here.

All in all it poses a massive problem when image creators are unaware or careless about sharing secrets. Together these exposed secrets create a huge attack surface.

Mitigation

Secrets can be copied:

  • Actively, when copying secrets from their local file system into the image.
  • Passively, by using images with secrets included during creation of the image.

Both behaviors lead to compromised secrets and affect the security of both image creators and users, but they need a different approach for mitigation.

On the one hand, image creators and editors must be warned that they are uploading their secrets to publicly reachable Docker registries. On the other hand, when deploying containers based on downloaded images, users should be informed about included secrets, especially private keys, which might already be compromised, putting the authentication of deployed services at stake. When uploading or downloading an image, tools like TruffleHog or SecretScanner could then scan all layers of the image for included secrets.
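To show what scanning “all layers of the image” means in practice, here is an added example (not the researchers’ tooling, and not TruffleHog or SecretScanner code). It builds a constructed archive in the layout `docker save` produces, then scans each layer on its own: a key that was added in one layer and “deleted” in a later one is only masked by a whiteout marker, so it still ships inside the image and a scan of the final filesystem would miss it. The file names, patterns and secret values are constructed.

```python
"""Scan every layer of a saved Docker image for leaked secrets.

Added example, not the researchers' tooling or TruffleHog/SecretScanner code.
It builds a constructed archive in the layout `docker save` produces
(manifest.json plus one tar per layer) and searches each layer independently:
a key added in one layer and "deleted" in a later one is only hidden by a
whiteout marker, so it still ships inside the image. Patterns, file names and
secret values below are constructed.
"""
import io
import json
import re
import tarfile

SECRET_PATTERNS = {
    "private key": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
    "AWS access key id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "generic API key": re.compile(rb"(?i)api[_-]?key\s*[=:]\s*['\"]?[A-Za-z0-9_\-]{20,}"),
}


def _tar_bytes(files: dict[str, bytes]) -> bytes:
    """Pack {path: content} into an uncompressed tar held in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image() -> bytes:
    """Constructed two-layer image: layer 1 adds secrets, layer 2 whites out the key file."""
    layer1 = _tar_bytes({
        "app/config.py": b"API_KEY = 'sk_live_0123456789abcdefghijklmnop'\n",
        "root/.ssh/id_rsa": b"-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n"
                            b"-----END OPENSSH PRIVATE KEY-----\n",
    })
    layer2 = _tar_bytes({
        "root/.ssh/.wh.id_rsa": b"",  # whiteout marker: hides id_rsa, does not remove it
        "app/main.py": b"print('hello')\n",
    })
    manifest = json.dumps([{"Config": "cfg.json", "RepoTags": ["example/app:latest"],
                            "Layers": ["l1/layer.tar", "l2/layer.tar"]}]).encode()
    return _tar_bytes({"manifest.json": manifest, "cfg.json": b"{}",
                       "l1/layer.tar": layer1, "l2/layer.tar": layer2})


def _layers(image_tar: bytes):
    """Yield (layer name, opened layer tar) in the order the manifest lists them."""
    with tarfile.open(fileobj=io.BytesIO(image_tar)) as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for layer_name in manifest[0]["Layers"]:
            layer_bytes = image.extractfile(layer_name).read()
            with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as layer:
                yield layer_name, layer


def scan_image(image_tar: bytes) -> list[tuple[str, str, str]]:
    """Return (layer, path, finding) for every pattern hit in every layer."""
    findings = []
    for layer_name, layer in _layers(image_tar):
        for member in layer.getmembers():
            if not member.isfile():
                continue
            data = layer.extractfile(member).read()
            for label, pattern in SECRET_PATTERNS.items():
                if pattern.search(data):
                    findings.append((layer_name, member.name, label))
    return findings


def whited_out_paths(image_tar: bytes) -> set[str]:
    """Paths a later layer hides with a .wh. marker: gone from the container, still in the image."""
    hidden = set()
    for _, layer in _layers(image_tar):
        for member in layer.getmembers():
            directory, _, base = member.name.rpartition("/")
            if base.startswith(".wh."):
                hidden.add(f"{directory}/{base[4:]}" if directory else base[4:])
    return hidden


if __name__ == "__main__":
    image = build_sample_image()
    hidden = whited_out_paths(image)
    for layer_name, path, label in scan_image(image):
        note = " (hidden by a whiteout in a later layer)" if path in hidden else ""
        print(f"{layer_name}: {path}: {label}{note}")
```

To scan a real image, feed the bytes of a `docker save` tarball to scan_image() instead of build_sample_image(); the key point is that findings are reported per layer, so a secret masked by a later whiteout is still caught.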



Microsoft validation error allowed state actor to access user email of government agencies and others

Microsoft is getting criticized for the way in which it handled a serious security incident that allowed a suspected Chinese espionage group to access user email from approximately 25 organizations, including government agencies and related consumer accounts in the public cloud. The attacks were targeted and lasted for about a month before they were first discovered.

The investigation started on June 16, 2023, when a customer notified Microsoft about anomalous Exchange Online data access. The investigation found that the customer’s Exchange Online data had been accessed using Outlook Web Access (OWA).

Microsoft analysis attributed the activity to a group called Storm-0558 based on established prior tactics, techniques, and procedures (TTPs). Attribution is based on Microsoft Threat Intelligence assessment that Storm-0558 is a China-based threat actor with activities and methods consistent with espionage objectives.

At first Microsoft assumed that the spies were using legitimate Azure Active Directory (Azure AD) tokens stolen by malware. But further analysis showed that Storm-0558 was forging Azure AD tokens using an acquired Microsoft account (MSA) consumer signing key to access OWA and Outlook.com.

This was only possible because of a validation error in Microsoft code. MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems. Microsoft says it still doesn’t know how Storm-0558 stole the inactive MSA signing key.

An authentication token allows internet users to access applications, services, websites, and application programming interfaces (APIs) without having to enter their login credentials each time they visit. Instead, the user logs in once, and a unique token is generated and shared with connected applications or websites to verify their identity.

These tokens are validated with a signing key, so with access to such a key an attacker is able to create valid tokens to access the associated services. Storm-0558 was also able to obtain new access tokens by presenting one previously issued from the GetAccessTokenForResource Application Programming Interface (API), due to a design flaw. This flaw in the API has since been fixed.
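The validation error described above (a consumer key being accepted for enterprise tokens) can be modelled with a small token verifier; the code below is an added example, not Microsoft’s code. It uses a minimal HS256 JWT for readability, where real MSA and Azure AD tokens are RSA-signed and carry many more claims, and the issuers, key IDs and secrets are constructed. The flawed verifier looks the token’s key ID up in one cache that mixes both systems’ keys; the hardened one lets the expected issuer decide which key set may be consulted.

```python
"""Why a token-signing key must be trusted only for the system that issued it.

Added example, not Microsoft's code. It models the validation error described
above with a minimal HS256 JWT (real MSA and Azure AD tokens are RSA-signed and
carry many more claims; the issuers, key IDs and secrets here are constructed).
verify_merged_keys() looks the token's kid up in one cache that mixes consumer
and enterprise keys, so a consumer key can vouch for an enterprise token.
verify_scoped_keys() derives the permitted key set from the expected issuer
and consults only that set.
"""
import base64
import hashlib
import hmac
import json

CONSUMER_ISS = "https://consumer.example"      # constructed stand-in for the MSA issuer
ENTERPRISE_ISS = "https://enterprise.example"  # constructed stand-in for an Azure AD tenant
CONSUMER_KEYS = {"msa-key-1": b"consumer-signing-secret"}
ENTERPRISE_KEYS = {"aad-key-1": b"enterprise-signing-secret"}
KEYSET_FOR_ISSUER = {CONSUMER_ISS: CONSUMER_KEYS, ENTERPRISE_ISS: ENTERPRISE_KEYS}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, kid: str, secret: bytes) -> str:
    """Mint a compact JWT: header.payload.signature, HMAC-SHA256 over the first two parts."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


def _parse(token: str):
    head, body, sig = token.split(".")
    return json.loads(_unb64(head)), json.loads(_unb64(body)), _unb64(sig), head + "." + body


def _signature_ok(token: str, keyset: dict) -> bool:
    header, _, sig, signing_input = _parse(token)
    secret = keyset.get(header.get("kid"))
    if secret is None:
        return False
    expected = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)


def verify_merged_keys(token: str, expected_iss: str, expected_aud: str) -> bool:
    """Flawed: claims are checked, but any known key from either system validates the signature."""
    _, claims, _, _ = _parse(token)
    if claims.get("iss") != expected_iss or claims.get("aud") != expected_aud:
        return False
    return _signature_ok(token, {**CONSUMER_KEYS, **ENTERPRISE_KEYS})


def verify_scoped_keys(token: str, expected_iss: str, expected_aud: str) -> bool:
    """Hardened: the expected issuer pins the key set, so a foreign key cannot validate the token."""
    _, claims, _, _ = _parse(token)
    if claims.get("iss") != expected_iss or claims.get("aud") != expected_aud:
        return False
    return _signature_ok(token, KEYSET_FOR_ISSUER.get(expected_iss, {}))


# Constructed tokens for an enterprise mailbox service: one signed with the
# enterprise key, one signed with the consumer key but claiming the enterprise issuer.
LEGIT = sign_token({"iss": ENTERPRISE_ISS, "aud": "mail-service", "sub": "alice"},
                   "aad-key-1", ENTERPRISE_KEYS["aad-key-1"])
CROSS_SYSTEM = sign_token({"iss": ENTERPRISE_ISS, "aud": "mail-service", "sub": "alice"},
                          "msa-key-1", CONSUMER_KEYS["msa-key-1"])

if __name__ == "__main__":
    print("merged cache accepts cross-system token:",
          verify_merged_keys(CROSS_SYSTEM, ENTERPRISE_ISS, "mail-service"))
    print("scoped cache accepts cross-system token:",
          verify_scoped_keys(CROSS_SYSTEM, ENTERPRISE_ISS, "mail-service"))
```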

When asked, China denied it was involved and basically said people in glass houses shouldn’t throw stones.


“We noted the reports saying that the spokesman for the White House National Security Council claimed that US officials found hackers linked to China took advantage of a security weakness in Microsoft’s cloud-computing to break into unclassified email accounts of the US, and the US has notified Microsoft about this. I would like to say that in the past, it was usually the world’s No.1 hacking group–the US National Security Agency, which also serves as the US Cyber Force Command, that released such kind of disinformation. This time it was the US National Security Council that made a public statement. Whatever agency spoke, it does not change the fact that the US is the world’s biggest hacking empire and global cyber thief.”

What has been done

Microsoft says it has completed mitigation of this attack for all customers and has not found any evidence of further access. The impacted customers have been contacted so no additional customer action is needed to prevent hackers from using the same tactics to access their Exchange or Outlook accounts.

On June 26, OWA stopped accepting tokens issued from GetAccessTokenForResource for renewal, which stopped Storm-0558’s ability to use tokens issued from the Azure program.

On June 27, Microsoft blocked the usage of tokens signed with the acquired MSA key in OWA.

On June 29, Microsoft completed replacement of the key to prevent the threat actor from using it to forge new tokens.

Microsoft blocked the use of the stolen private signing key for all impacted customers on July 3, 2023 and says it has “substantially hardened key issuance systems since the acquired MSA key was initially issued.”



FakeSG enters the ‘FakeUpdates’ arena to deliver NetSupport RAT

Over 5 years ago, we began tracking a new campaign that we called FakeUpdates (also known as SocGholish) that used compromised websites to trick users into running a fake browser update. Instead, victims would end up infecting their computers with the NetSupport RAT, allowing threat actors to gain remote access and deliver additional payloads. As we have seen over the years, SocGholish is an established player that has managed to compromise countless victims and deliver ransomware after facilitating the installation of tools like Cobalt Strike or Mimikatz.

Now, there is a potential new competitor in the “fake updates” landscape that looks strangely familiar. The new campaign, which we call FakeSG, also relies on hacked WordPress websites to display a custom landing page mimicking the victim’s browser. The threat actors are distributing NetSupport RAT either as a zipped download or via an Internet shortcut. While FakeSG appears to be a newcomer, it uses different layers of obfuscation and delivery techniques that make it a threat to take seriously, and one that could potentially rival SocGholish.

Campaign similarities

We first heard of this new campaign thanks to a Mastodon post by Randy McEoin. The tactics, techniques and procedures (TTPs) are very similar to those of SocGholish and it would be easy to think the two are related. In fact, this chain also leads to NetSupport RAT. However, the template source code is quite different and the payload delivery uses different infrastructure. As a result, we decided to call this variant FakeSG.

Original public discovery

Templates

FakeSG has different browser templates depending on which browser the victim is running. The themed “updates” look very professional and are more up to date than their SocGholish counterparts.

Fake Chrome update

Fake Edge update

Fake Firefox update

Website injections

Compromised websites (WordPress appears to be the top target) are injected with a code snippet that replaces the current webpage with the aforementioned fake updates templates. The source code is loaded from one of several domains impersonating Google (google-analytiks[.]com) or Adobe (updateadobeflash[.]website):

Malicious code injected into hacked websites

That code contains all the web elements (images, fonts, text) needed to render the fake browser update page. We should note that SocGholish used to retrieve media files from separate web requests until more recently when it started using self-contained Base64 encoded images.

Source code for Chrome template

Installation flow

There are different installation flows for this campaign, but we will focus on the one that uses a URL shortcut. The decoy installer (Install%20Updater%20(V104.25.151)-stable.url) is an Internet shortcut downloaded from another compromised WordPress site.

Malicious URL shortcut

This shortcut uses the WebDAV HTTP protocol extension to retrieve the file launcher-upd.hta from a remote server:

WebDav malicious HTA

This heavily obfuscated script is responsible for the execution of PowerShell that downloads the final malware payload (NetSupport RAT).

Source of malicious HTA file

Malwarebytes EDR shows the full attack chain:

Killchain viewed by Malwarebytes EDR

The NetSupport RAT files are hosted on the same compromised WordPress site used earlier to download the Internet shortcut. The RAT’s main binary is launched from “C:\Users\%username%\AppData\Roaming\BranScale\client32.exe”.

NetSupport RAT

Following a successful infection, callbacks are made to the RAT’s command and control server at 94.158.247[.]27.

Web traffic from full infection

Roommates

Fake browser updates are a very common decoy used by malware authors. In addition to SocGholish, the Domen toolkit was a well-built framework that emerged in 2019, while another campaign known as sczriptzzbn dropped SolarMarker, with both leading to the NetSupport RAT. Initial access brokers use tools like NetSupport RAT to gather information and perform additional actions on victims of interest. Stolen credentials can be resold to other threat actors tied to ransomware gangs.

It is interesting to see another contender in this relatively small space. While there is a very large number of vulnerable websites, we already see some that have been injected with multiple different pieces of malicious code. From a visitor’s point of view, this means there could be more than one redirect, but the “winner” will be the one who is able to execute their malicious JavaScript code first.

We will continue to monitor these campaigns and in particular SocGholish to see if the web delivery landscape changes. Malwarebytes customers are protected as we detect the infrastructure and final payload used in these attacks.

EDR detection

Indicators of Compromise (IOCs)


MITRE ATT&CK techniques

Tactic               | ID        | Name                                    | Details
---------------------|-----------|-----------------------------------------|--------------------------------------------
Execution            | T1059     | Command and Scripting Interpreter       | PowerShell used to download payload
                     | T1059.001 | PowerShell                              | Starts POWERSHELL.EXE for command execution
                     | T1059.003 | Windows Command Shell                   | Starts CMD.EXE for command execution
Privilege escalation | T1548     | Abuse Elevation Control Mechanism       | Encoded PowerShell
                     | T1548.002 | Bypass User Account Control             |
Defense evasion      | T1564     | Hide Artifacts                          | Encoded PowerShell
                     | T1218     | System Binary Proxy Execution           | Drops CMSTP.inf in %temp%
                     | T1027     | Obfuscated Files or Information         | Drops th5epzxc.cmdline in %temp%
                     | T1112     | Modify Registry                         | Adds registry key: HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command /f /ve /t REG_SZ /d C:\Users\admin\AppData\Roaming\BranScale\client32.exe
                     | T1548     | Abuse Elevation Control Mechanism       |
                     | T1140     | Deobfuscate/Decode Files or Information | Encoded PowerShell
Discovery            | T1082     | System Information Discovery            | Gets computer name
C&C                  | T1071     | Application Layer Protocol              | NetSupport RAT C2 communication
                     | T1571     | Non-Standard Port                       | Destination port: 5051


A week in security (July 10 – 16)

Last week on Malwarebytes Labs:

Stay safe!



Spy vs. spy: Exploring the LetMeSpy hack, with maia arson crimew

The language of a data breach, no matter what company gets hit, is largely the same. There’s the stolen data—be it email addresses, credit card numbers, or even medical records. There are the users—unsuspecting, everyday people who, through no fault of their own, mistakenly put their trust into a company, platform, or service to keep their information safe. And there are, of course, the criminals. Some operate in groups. Some act alone. Some steal data as a means of extortion. Others steal it as a point of pride. All of them, it appears, take something that isn’t theirs. 

But what happens if a cybercriminal takes something that may have already been stolen? 

In late June, a mobile app that can, without consent, pry into text messages, monitor call logs, and track GPS location history, warned its users that its services had been hacked. Email addresses, telephone numbers, and the content of messages were swiped, but how they were originally collected requires scrutiny. That’s because the app itself, called LetMeSpy, is advertised as a parental and employer monitoring app, to be installed on the devices of other people that LetMeSpy users want to track. 

Want to read your child’s text messages? LetMeSpy says it can help. Want to see where they are? LetMeSpy says it can do that, too. What about employers who are interested in the vague idea of “control and safety” of their business? Look no further than LetMeSpy, of course.  

While LetMeSpy’s website tells users that “phone control without your knowledge and consent may be illegal in your country,” (it is in the US and many, many others) the app also claims that it can hide itself from view from the person being tracked. And that feature, in particular, is one of the more tell-tale signs of “stalkerware.” 

Stalkerware is a term used by the cybersecurity industry to describe mobile apps, primarily on Android, that can access a device’s text messages, photos, videos, call records, and GPS locations without the device owner knowing about said surveillance. These types of apps can also automatically record every phone call made and received by a device, turn off a device’s WiFi, and take control of the device’s camera and microphone to snap photos or record audio—all without the victim knowing that their phone has been compromised. 

Stalkerware poses a serious threat—particularly to survivors of domestic abuse—and Malwarebytes has defended users against these types of apps for years. But the hacking of an app with similar functionality raises questions. 

Today, on the Lock and Code podcast with host David Ruiz, we speak with the hacktivist and security blogger maia arson crimew about the data that was revealed in LetMeSpy’s hack, the almost-clumsy efforts by developers to make and market these apps online, and whether this hack—and others in the past—are “good.” 

“I’m the person on the podcast who can say ‘We should hack things,’ because I don’t work for Malwarebytes. But the thing is, I don’t think there really is any other way to get info in this industry.”

Tune in today. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Act now! In-the-wild Zimbra vulnerability needs a workaround

Security experts are warning Zimbra users that a vulnerability for which there is no patch is being actively exploited in the wild. In a security update about the vulnerability, the company offered a temporary workaround which users can apply while waiting for a patch to be created.

Zimbra is an open source webmail application used for messaging and collaboration. The vulnerability, which could impact the confidentiality and integrity of users’ data, exists in Zimbra Collaboration Suite Version 8.8.15.

Zimbra is widely used across different industries and government organizations. We reported about a cross-site scripting (XSS) zero-day vulnerability in the Zimbra email platform back in February 2022. At the time, Zimbra claimed there were 200,000 businesses, and over a thousand government and financial institutions, using its software. Thousands of Zimbra mail servers were backdoored in a large scale attack exploiting that vulnerability.

In our June 2023 ransomware review we noted how the MalasLocker ransomware group had targeted vulnerabilities in Zimbra servers, including CVE-2022-24682, to enable remote code execution (RCE). This resulted in MalasLocker taking first place on the list of known attacks over the month of May 2023, displacing perennial top-spot holder LockBit.

Chart: Known ransomware attacks by gang, May 2023

Since Zimbra gives no further details, it is hard to determine what the exact problem is. However, the proposed fix (below, under Mitigation) suggests that the problem can be exploited by supplying specially crafted input that is interpreted as XML markup. The fix wraps the request parameter in the fn:escapeXml() function, which escapes characters that can be interpreted as XML markup, so that users are manually adding the input sanitization the template currently lacks.

Zimbra makes no mention of active exploitation, but Google researcher Maddie Stone tweeted that another researcher in the Google Threat Analysis Group had noticed the vulnerability being used in the wild in a targeted attack.


Earlier vulnerabilities in Zimbra allowed cybercriminals to steal emails in targeted attacks against organizations in the European government and media sectors.

Mitigation

The Zimbra security update suggests you apply the following fix manually on all of your mailbox nodes:

    1. Take a backup of the file /opt/zimbra/jetty/webapps/zimbra/m/momoveto
    2. Then open the active file for editing and go to line number 40
    3. Change
      <input name="st" type="hidden" value="${param.st}"/>
      to
      <input name="st" type="hidden" value="${fn:escapeXml(param.st)}"/>

Zimbra notes that a service restart is not required so you can do it without any downtime.
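As an added example (not Zimbra's code), the Python below re-implements the escaping that JSTL's fn:escapeXml() performs and renders the momoveto hidden input line before and after the workaround, so the effect of the one-line change can be seen offline. The sample parameter value is constructed, and workaround_applied() is a hypothetical helper for confirming that the edit is present on each mailbox node.

```python
# Added example, not Zimbra code: shows what the momoveto workaround changes.

# Character map used by JSTL's fn:escapeXml(): the five characters that can be
# read as XML/HTML markup are replaced by entity references.
_ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&#034;", "'": "&#039;"}


def escape_xml(value: str) -> str:
    """Python equivalent of JSTL fn:escapeXml()."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


# The two versions of line 40 quoted in the Zimbra security update.
VULNERABLE_TEMPLATE = '<input name="st" type="hidden" value="${param.st}"/>'
FIXED_TEMPLATE = '<input name="st" type="hidden" value="${fn:escapeXml(param.st)}"/>'


def render(template: str, st: str) -> str:
    """Mimic JSP EL evaluation for the two expressions used in momoveto."""
    if "${fn:escapeXml(param.st)}" in template:
        return template.replace("${fn:escapeXml(param.st)}", escape_xml(st))
    return template.replace("${param.st}", st)


def attribute_is_intact(rendered: str) -> bool:
    """True when the rendered output still contains exactly one element,
    i.e. the parameter value did not break out of the value attribute."""
    return rendered.count("<") == 1 and rendered.count(">") == 1


def workaround_applied(momoveto_text: str) -> bool:
    """Hypothetical check for the file on a mailbox node: the escaped
    expression must be present and the raw, unescaped one must be gone."""
    return ('value="${fn:escapeXml(param.st)}"' in momoveto_text
            and 'value="${param.st}"' not in momoveto_text)


if __name__ == "__main__":
    sample = '"><b>injected</b>'  # constructed value carrying markup characters
    print("before:", render(VULNERABLE_TEMPLATE, sample))
    print("after: ", render(FIXED_TEMPLATE, sample))
```

Running it prints the unpatched line with a second element injected after the closed value attribute, and the patched line with the same value rendered inert as entity references.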

We will keep you posted when a patch is made available and in case there are other developments around this bug.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Ransomware making big money through “big game hunting”

Ransomware generates big money for the groups behind it, with new research confirming some of the scale of the problem. Chainalysis, a blockchain research firm, looked at data from monitored cryptocurrency wallets, concluding that around $449 million has been taken from victims in the last six months.

As The Record correctly notes, the actual figure will likely be significantly higher because only monitored wallets are included in the study. In terms of what’s going on out there, payments under $1,000 and above $100,000 are both on the up. It’s claimed that ransomware groups could pull in around $900 million in 2023, with the return of “big game hunting” being one of the key factors for the bump.

What is big game hunting? Well, this is the practice of targeting large, financially well-off corporations in order to secure the biggest possible payouts. Even with the increase in attacks on smaller companies, taking on the big entities is where the most enticing payouts are waiting to be had.

As an example of payout sizes, BlackBasta’s 2023 average payment size is $762,634 and its median is $147,106. Cl0p checks in with a $1,730,486 average and a $1,946,335 median. At the other end of the scale the smaller, less sophisticated deployments such as Phobos creep into view with a $1,719 average and a $300 median.

No matter the size of the payment, ransomware groups are ultimately securing said payments and continuing to make bank. It’s also suspected that as more firms refuse to pay their extortionists, the ransomware authors are responding by increasing their ransom demands. The research also notes that additional tactics are being used in cases of non-payment to up the ante further. Threats to leak data, sell it online, break other parts of the business, attack related firms, or even harass employees are all tactics ransomware authors can make use of.

It’s not all doom and gloom where cryptocurrency payments are concerned. With the notable exception of ransomware, cryptocurrency crime across 2023 is in “sharp decline”. Cryptocurrency businesses are getting a handle on scams, users new and old are learning about how to protect their investments, and law enforcement pressure on cryptocurrency fraud is likely having an impact.

Back in the realm of ransomware, things aren’t looking quite as good: some of the big hitters from our June ransomware review are serving up exploits, dubious “charity donation” requests, and an increase in attacks on education.

Elsewhere, we have students being used to apply pressure to impacted organisations and relentless attacks on schools. It would be unwise to think the scale of ransomware’s day-to-day impact is in any danger of dropping off anytime soon.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.
