IT News

After a decent amount of pressure, Owl Labs has finally released updates for vulnerabilities in Meeting Owl, and Whiteboard Owl cameras. The vulnerabilities were reported to Owl Labs in January,

One of the vulnerabilities, CVE-2022-31460 has been added to the Known exploited vulnerabilities catalog by the Cybersecurity & Infrastructure Security Agency (CISA) and needs to be updated by June 22, 2022.

Owl Labs

Owl Labs makes 360-degree video conferencing equipment for classrooms and boardrooms. It produces several pieces of hardware, including the Meeting Owl Pro, a speaker fitted with cameras, microphones and an owl-like face, and a whiteboard camera for hybrid meetings.

The research

Researchers at modzero examined the Meeting Owl and found serious defects in the built-in security mechanisms.

And these vulnerabilities were not minor. By exploiting the vulnerabilities an attacker could find registered devices, their data, and owners from around the world. Attackers could also access confidential screenshots of whiteboards or use the Owl to get access to the owner’s network.

The researchers found the existence of at least four different ways to bypass the PIN protection (passcode), which protects the Owl from unauthorized use.

The vulnerabilities

The Common Vulnerabilities and Exposures (CVE) database is a list of publicly disclosed computer security flaws. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Below you will find the CVEs assigned to the vulnerabilities:

• CVE-2022-31460: Owl Labs Meeting Owl 5.2.0.15 allows attackers to activate Tethering Mode with hard-coded credentials. The tethering mode turns the Owl into an access point (AP) by creating a new Wi-Fi network while staying connected to the existing Wi-Fi. This basically allows any authorized user to turn the Owl into a rogue access point. A rogue access point by definition constitutes a wireless access point installed on a secure network without explicit authorization from a local network administrator. Hard-coded credentials is where embedded authentication data, like user IDs and passwords, are included the source code of the device.

Passcode bypasses

• CVE-2022-31463: Owl Labs Meeting Owl 5.2.0.15 does not require a password for Bluetooth commands, because only client-side authentication is used. To extend the range of devices and provide remote control by default Owl Labs uses the Bluetooth functionality. The vulnerability makes it possible for an attacker in proximity to control the devices to the extent that they can disable any set passcode.
• CVE-2022-31462: Owl Labs Meeting Owl 5.2.0.15 allows attackers to control the device via a backdoor password which can be found in Bluetooth broadcast data. A hardcoded backdoor passcode exists which depends on the serial number of the device. This hardcoded passcode is the SHA-1 hash representation of the devices’ software serial number. The hash is broadcasted as the name of the Owl over Bluetooth Low Energy (BLE). So an attacker in close proximity can simply get hold of the hardcoded backdoor passcode. Also, it is possible to generate all existing serial numbers by a script.
• CVE-2022-31461: Owl Labs Meeting Owl 5.2.0.15 allows attackers to deactivate the passcode protection mechanism via a certain message from the companion app. An attacker would have to be close enough to the Owl to communicate over BLE to exploit this vulnerability.
• CVE-2022-31459: Owl Labs Meeting Owl 5.2.0.15 allows attackers to retrieve the SHA1 hash of the passcode over BLE. It is possible to brute-force the passcode from the hash in seconds since it consist only of digits. An attacker with knowledge of the BLE endpoint can use this knowledge to control any Meeting Owl in their proximity.

What is Bluetooth Low Energy (BLE)?

BLE is a Bluetooth protocol which launched in 2010, especially designed to achieve low power consumption and latency, while at the same time accommodating the widest possible interoperable range of devices. The BLE protocol also does not require paring between the sender and receiver and it can send authenticated unencrypted data.

For those interested, a full disclosure report by modzero is available online.

Slow pokes

Another worrying factor in the report is the timeline of disclosure which gives the impression of an uninterested attitude and unwillingness to fix on the part of Owl Labs. Given the seriousness of the vulnerabilities and the nature of Owl Labs’ clients one might have wished it was treated with more urgency.

The researchers shifted the time of disclosure several times until they were finally fed up with the unresponsiveness of Owl Labs. And only after the vulnerabilities had been disclosed Owl Labs came up with patches for the vulnerabilities. On June 6, 2022, Owl Labs stated that all high-security issues had been addressed, and said it was in the process of implementing a few additional updates. Earlier Owl Labs said that the likelihood that its customers were affected by these issues is low.

Mitigation

Meeting Owl Pro and Whiteboard Owl will automatically send over the air software updates to Owls that are connected to Wi-Fi and plugged into power over night.

To determine what version of software is on your Owl, follow these steps.

If your Owl’s software is out of date, please follow these instructions for how to update your Owl’s software.

We are pretty sure this owl will have a tail and will keep you updated about any developments here.

The post Update now! Patch against vulnerabilities in Meeting Owl Pro and Whiteboard Owl devices appeared first on Malwarebytes Labs.

BlackBasta, an alleged subdivision of the ransomware group Conti, just began supporting the encryption of VMware’s ESXi virtual machines (VM) installed on enterprise Linux servers. Because more and more organizations have begun using VMs for cost-effectiveness and easier management of devices, this change in tactic makes sense.

An ESXi VM is a bare-metal hypervisor software. Software can be characterized as “bare metal” if installed directly onto the physical machine, between the hardware and the operating system.

Siddharth Sharma and Nischay Hegde, threat researchers from Uptycs, were the first to spot and reveal BlackBasta’s tactical change in a report.

On Linux: BlackBasta 101

BlackBasta first appeared in April 2022 after the group ramped up their attacks against dozens of organizations. Although the brand seems relatively new, the way the group quickly accumulates victims, as well as their negotiation tactics, betray a level of experience not seen in fledgling and inexperienced online criminal gangs. This is probably why many cybersecurity communities associate them with known ransomware actors, particularly Conti.

Like other ransomware variants targeting Linux systems, BlackBasta encrypts the /vmfs/volumes folder. This is where virtual machines on ESXi servers are stored. Encrypting the files here will render VMs unusable.

If it cannot find this folder, however, the ransomware exits.

BlackBasta ransomware uses ChaCha20, a cryptographic algorithm known for its speed, to encrypt files. This is run in parallel with multithreading to make encryption faster, further avoid detection, and increase ransomware throughput.

Once files are encrypted, the extension .basta is appended at the end of all affected files. BlackBasta also drops the ransom note, readme.txt, which contains a unique ID and a URL to a chat support channel accessible only using Tor.

A section of the ransom note reads:

Your data are stolen and encrypted
The data will be published on TOR website if you do not pay the ransom
You can contact us and decrypt one file for free on this TOR site
(you should download and install TOR browser first https://torproject.org)
{URL redacted}

Protect your Linux ESXi VM against ransomware attacks

Vincent Bariteau, Threat Intelligence Support Analyst at Malwarebytes, recommends organizations follow these best practices to protect their Linux servers against ransomware attacks if they’re using ESXi VM:

• Harden the SSH (Secure Shell) access to allow only a specific user to use it.
• Disable SSH if it’s not needed, or only make it available from a specific network/IP address via a firewall configuration.
• Ensure that you are following VMWare’s general security recommendations for ESXi.

Organizations also have the option of using a free, open-sourced tool called Lynis, which is an auditing tool.

You can also read our article on 5 Linux malware families SMBs should protect themselves against.

The post BlackBasta is the latest ransomware to target ESXi virtual machines on Linux appeared first on Malwarebytes Labs.

The United States Department of Justice has announced a major takedown of a criminal marketplace that traded Personally Identifiable Information (PII). Not just any old marketplace; this was a major, years-long operation with several failsafes to prevent permanent takedown. It took quite the assortment of law enforcement worldwide to shut this one down for good.

SSNDOB (Social Security Number, Date of Birth) marketplace was seized as the result of an international operation involving the FBI, Department of Justice, the IRS, and authorities in both Latvia and Cyprus.

A big underground business

According to the press release, the ring of sites associated with SSNDOB:

…were used to sell personal information, including the names, dates of birth, and Social Security numbers belonging to individuals in the United States. The SSNDOB Marketplace has listed the personal information for approximately 24 million individuals in the United States, generating more than $19 million USD in sales revenue.

Social Security numbers are hugely popular on underground portals. They’re frequently cheap to buy, stolen in large numbers, and can be bundled with other documents such as passport, driver’s licence, email, and more.

SSNDOB attempted to ward off a permanent shut down by spreading the data across four different URLs. As Bleeping Computer notes, this is one tactic to get around attempts to shut down the service. DDoS attacks from rivals are common, so several domains working together keeps things ticking over. Shutdowns generally via abuse reports or law enforcement raids are also less of a threat as a result.

SSNDOB advertised its services on dark web forums and offered customer support for buyers. Digital payment methods such as Bitcoin were used to preserve the operator’s anonymity.

The Bitcoin boon

According to research from Chainalysis, SSNDOB received “$22 million worth of Bitcoin across over 100,000 transactions” since 2015. We’ve noted the gradual emergence of Bitcoin ATMs in scams previously; here, cryptocurrency ATMs are more popular as a payment method to SSNDOB than other dubious online services.

Chainalysis also notes a potential connection between SSNDOB and another dark web market trading in credit cards which called it quits in 2021. Joker’s Stash, trading since 2014, received more than $100,000 in Bitcoin from SSNDOB.

The threat of stolen PII

Once your data is out there, you can’t get it back. Criminals will make use of it however they can to make money. You run the risk of being targeted for spear phishing, or having your personal information used for fraudulent applications.

Data breaches are so common that multiple services exist to check if you’ve been impacted. Password reuse is one big reason for credential stuffing (using stolen data across additional sites) being so popular. One breach taking your login from a gaming forum can quickly become something that exposes Government service logins or bank accounts. The data exposure risk creeps ever upwards and one small mistake can have severe consequences.

Tips for locking down after an SSN breach

This is a great result for law enforcement, but still a drop in the ocean of underground sales portals. If you’re a victim of Social Security number fraud, there are some steps you can take according to Experian:

• Report the theft to the FTC
• Request a credit freeze, and also a Fraud Alert.
• Notify companies where your data has been used fraudulently.

Stay safe out there!

The post SSNDOB stolen data marketplace shut down by global law enforcement operation appeared first on Malwarebytes Labs.

There’s no shortage of reasons why an SMB might use Linux to run their business: There are plenty of distros to choose from, it’s (generally) free, and perhaps above all — it’s secure.

The common wisdom goes that Linux malware is rare, and for the most part this is true. Thanks to its built-in security defenses, strict user privilege model, and transparent source code, Linux enjoys far fewer malware infections than other operating systems.

But unfortunately, there’s more to Linux security than just leaning back in your chair and sipping piña coladas. There are dozens of Linux malware families out there today threatening SMBs with anything from ransomware to DDoS attacks.

In this post, we’ll give you an overview of five Linux malware families your SMB should be protecting itself against — and how they work.

1.   Cloud Snooper

In early 2020, researchers found something weird going on with Linux servers hosted by Amazon Web Services (AWS). Specifically, they noticed some servers were receiving some anomalous inbound traffic.

In a perfect world, the firewalls of our servers would only allow web traffic in from trusted ports. With the Cloud Snooper malware, however, untrusted web traffic sneaks past firewalls and enters right into Linux servers — a big no-no.

How it works

The hackers pull this off with a rootkit, a set of malware tools that gives someone the highest privileges in a system. Attackers use the rootkit to then install a backdoor trojan which can steal sensitive data from the servers.

At a high level, Cloud Snooper gets past firewall rules by sending innocent-looking requests to the web server which actually contain hidden instructions for the backdoor trojan. From there, the attackers can do anything from log computer activity, steal data, or delete files.

It’s still unclear how the malware is installed in the first place, though the researchers think attackers break into servers using SSH.

2.   QNAPCrypt

If you wake up one morning and find that all of your files are encrypted along with a ransom note demanding a Bitcoin payment — you just may have been hit with QNAPCrypt.

QNAPCrypt is ransomware that specifically targets Linux-based NAS (Network Attached Storage) servers. It gets its name from QNAP, a popular vendor for selling NAS servers.

How it works

QNAPCrypt exploits a vulnerability in QNAP NAS running HBS 3 (Hybrid Backup Sync) to allow remote attackers to log in to a device. Once launched, the ransomware iterates through a list of files and encrypts them with an encryption algorithm, with the .encrypt extension being appended to affected files.

According to recent posts in a BleepingComputer forum, ransom payments are about .024BTC (~$720 USD as of June 2022).

3.   Cheerscrypt

Does your SMB use VMware ESXi servers? If so, you better watch out for Cheerscrypt, another Linux-based ransomware.

How it works

Upon execution, Cheerscrypt hijacks the ESXCLI tool — which allows for remote management of ESXi hosts — and uses it to terminate all VM processes. From there, hackers can encrypt all of your VMware-related files and rename them to the .Cheers extension.

The ransom note, named “How to Restore Your Files.txt”, threatens to expose company data if the ransom is not paid.

4.   HiddenWasp

HiddenWasp is a new strain of Linux malware that remotely controls infected systems with an initial deployment script, a trojan, and a rootkit.

How it works

After HiddenWasp installs all of the malware components to your computer, the deployment script begins to execute the trojan and add the rootkit. The rootkit is added then to a given process, where it hides the existence of the trojan. The trojan, in turn, helps the rootkit remain operational.

From there, attackers can execute files, spy on computer usage, change system configurations, and so on — all while being unseen.

5.   Mirai

From manufacturing to healthcare, tons of industries today are using the Internet-of-Things (IoT) to help streamline their operations — and at the heart of every IoT device is Linux. Mirai, a botnet responsible for the “takedown of the Internet” in 2016, takes advantage of this by hijacking IoT hardware to launch DDoS attacks.

How it works

Mirai is a self-replicating worm that scans for and infects vulnerable IoT devices that use default or weak usernames and passwords. Once infected, these compromised IoT devices can be told what to do via a central set of command and control (C&C) servers, specifically to launch DDoS attacks.

While Mirai itself may not be around anymore, its source code lives on in several other botnets variants including Hajime, SYLVEON, and SORA.

Stop Linux malware from getting a hold on your organization

It may be true that Linux is more secure than most other operating systems, but make no mistake — Linux malware exists, and can have devastating effects on SMBs.

While we have given a brief overview of five Linux malware families, there are dozens more out there, each with their own unique payload. From ransomware and rootkits to trojans and botnets, there’s a slew of threats SMBs using Linux need to protect themselves against.

With Malwarebytes EDR for Linux, you can simplify protection, detection, and response capabilities across your entire organization. Even brand-new, unidentified Linux malware can typically be eliminated before it can impact your data center servers.

Additionally, applying in-depth insights from our proprietary Linking Engine remediation technology, Malwarebytes thoroughly and permanently removes both the infection and any malware artifacts, delivering lethal “one-and-done” remediation.

Learn more about Malwarebytes EDR.

Read the data sheet.

The post 5 Linux malware families SMBs should protect themselves against appeared first on Malwarebytes Labs.

“A robot may not injure a human being or, through inaction, allow a human being to come to harm”

Science fiction readers, and many others, will recognize Asimov’s first law of robotics. After reading about a bot called GPT-4chan I was wondering whether we should include:

“A bot may not insult a human being or, through interaction, allow a human being to be discriminated”

GPT-4chan was based on an AI instance trained using 3.3 million threads from 4chan’s infamously toxic Politically Incorrect /pol/ board. Once trained, the creator released the chat bot back onto 4chan. And, no surprise here, the AI behaved just as vile as the posts it was trained on, spouting racial slurs and engaging with antisemitic threads.

While many outside the industry may have found the experiment interesting, serious AI researchers commented that this did not qualify as a serious experiment, but as an unethical one.

Déjà vu

Reading the above may cause some people to think they have seen this before. What you may remember reading about is a Microsoft Twitter AI chat bot that went rogue in less than 24 hours. The more someone chats with Tay (the name of the chat bot), said Microsoft, the smarter it gets, learning to engage people through casual and playful conversation.

However, quickly Twitter users proved that artificial intelligence (AI) and machine learning (ML) adhere to the “garbage in, garbage out” law in computer science. Twitter users managed to turn Tay into a racist and misogynist in less than a day.

GPT-3

The name GPT-4chan was partly based on the Generative Pre-trained Transformer 3 (GPT-3) language model that uses deep learning to produce human-like text. In January 2022, OpenAI introduced a new version of GPT-3, which should do away with some of the most toxic issues that plagued its predecessor.

Large language models like GPT-3 use vast bodies of text for training. Often these texts originate from the internet. In these texts they encounter the best and worst of what people put down in words. As such, the training material includes toxic language as well as falsehoods. Filtering out offensive language from the training set can make models perform less well, especially in cases where the training data is already sparse. In its new InstructGPT model, OpenAI tries to align language models with user intent on a wide range of tasks by fine-tuning with human feedback.

Accidental bias

Despite the obvious potential, recent events have exposed how automated systems can both intentionally and unintentionally lead to bias. For example, women see fewer advertisements about entering into science and technology professions than men do. Not because companies are preferentially targeting men, but as a result derived from the economics of ad sales.

Simply put, when an advertiser pays for digital ads, including postings for jobs in science, technology, engineering and mathematics,  it is more expensive to get female views than male ones. So the algorithm targets men to enhance the number of eyeballs per spent dollar.

Another well-known example is an algorithm that selected new candidates for a job based on the current population of employees. By doing this, the algorithm amplified the outdated model that says some jobs are predominantly done by men, or women.

As AI becomes a mandatory strategic tool across multiple industries, companies using AI as part of their strategies need to accept their roles and responsibilities in reducing the risk and impact of bias inherent in their products and services.

Regulation

As you may have guessed, my call for regulation was not a novel idea. In 2020, Google CEO Sundar Pichai stated he felt that AI needed regulation in order to prevent the potential negative consequences of tools including deepfakes and facial recognition. In his mind, this was not a conversation to save for tomorrow while the building and implementing of AI tools is happening today. But by nature, laws and regulations are mostly created as a response to abuse, rather than as a visionary approach of what could go wrong.

An ongoing discussion

The responses to the GPT-4chan experiment are another step in an ongoing discussion to determine whether AI and ML are here to save the world or whether they will destroy what’s left of it. This discussion seems pointless. The focus should not be on the product, but on the way in which we use it. As with every new development, we obtain a new tool, which we can wield for good, for evil, or just for profit.

As we pointed out in our 2019 Labs report “When artificial intelligence goes awry: separating science fiction from fact”,

“There’s a crucial period in artificial intelligence’s development—in fact, in any technology’s development—where those bringing this infant tech into the world have a choice to develop it responsibly or simply accelerate at all costs.”

To some, one of the biggest issues of artificial intelligence and machine learning is the impact on the climate. The big issue is that many high-profile ML advances just require a staggering amount of computation.

On that note, at best the GPT-4chan experiment was a waste of energy producing the kind of garbage that humanity, unfortunately, does not need help with.

Don’t be like GPT-4chan!

The post Awful 4chan chat bot spouts racial slurs and antisemitic abuse appeared first on Malwarebytes Labs.

Malware authors and distributors are following the ebbs and flow of the threat landscape. One campaign we have tracked for a numbers of years recently introduced a new scheme to possibly completely move away from drive-by downloads via exploit kit.

In this quick blog post, we will look at this new attack chain and link it with previous activity from what we believe are the same threat actors.

FakeUpdates (SocGholish) lookalike

Our researcher Fillip Mouliatis identified a malvertising campaign leading to a fake Firefox update. The template is strongly inspired from similar schemes and in particular the one distributed by the FakeUpdates (SocGholish) threat actors.

However distribution and implementation are very different. Unlike FakeUpdates which uses compromised websites to push their template, this one is driven via malvertising. Please note the IP addresses involved in the redirection infrastructure as we will come back to them in a moment.

The template itself is much more simplified and appears to be in development with a fake Firefox update that contains a couple of scripts that pull down an encrypted payload. The initial executable consists of a loader which retrieves a piece of Adware detected as BrowserAssistant. This payload was seen before and interestingly through a similar malvertising campaign involving the RIG exploit kit.

MakeMoney connection

The malvertising infrastructure is essentially the same one that was used in numerous drive-by campaigns with exploit kits since late 2019. For some reason the threat actors are reusing the same servers in Russia and naming their malvertising gates after different ad networks.

Security researcher @na0_sec saw the “MakeMoney gate”, named after the domain makemoneywithus[.]work (188.225.75.54), redirect to the Fallout exploit kit in October 2020, although it mostly used RIG EK for several years. Probably the earliest instance of this threat group was seen in December 2019 via the gate gettime[.]xyz (185.220.35.26).

Looking at this infrastructure shows that the group reused a few servers quite predictably during these years between AS59504 vpsville and AS9123 TimeWeb. For example, gettime[.]xyz was hosted on the same server (185.220.35.26) as makemoneyeazzywith[.]me. Staying with the MakeMoney theme, we see makemoneywith[.]us on 188.225.75[.]54. That server was likely hosting a Keitaro TDS given such hostnames as keitarotrafficdelivery[.]xyz.

There is also activity on 185.220.33.3, 185.230.140.210 and 188.225.75.54 hosting a number of impersonation hostnames such as magicpropeller[.]xyz (PropellerAds), magicpopcash[.]xyz (PopCash).

We find it interesting that the same threat actors remained faithful to RIG EK for so long during a period where exploit kits were going out of business. They also seemed to poke fun at the same ad networks they were abusing, unless the choice for names associated with their gates was motivated by sorting out their upstream traffic.

We don’t believe we have seen the last of this threat group. Having said that, their latest social engineering scheme could use some improvements to remove some blatant typos while their server-side infrastructure could be tidied up.

Indicators of Compromise

IP addresses (malvertising domains, gates)

185.220.35.26
188.225.75.54
185.220.33.3
185.230.140.210

IP addresses (fake template)

188.227.107.121
188.227.107.92

Domains (malvertising domains, gates)

References

https://twitter.com/MBThreatIntel/status/1483235125827571715
https://twitter.com/MBThreatIntel/status/1361824286499950601
https://twitter.com/malware_traffic/status/1412128664721014785
https://twitter.com/malware_traffic/status/1357513424566124548
https://twitter.com/FaLconIntel/status/1351739449932083200
https://twitter.com/tkanalyst/status/1226125887256416256
https://twitter.com/david_jursa/status/1346562997305696262
https://twitter.com/nao_sec/status/1334289601125445633
https://twitter.com/FaLconIntel/status/1298661757943087105
https://twitter.com/nao_sec/status/1294871134001799168
https://twitter.com/david_jursa/status/1232996830520193024
https://twitter.com/david_jursa/status/1229354505583628288
https://twitter.com/nao_sec/status/1211975197219151876

The post MakeMoney malvertising campaign adds fake update template appeared first on Malwarebytes Labs.

A mobile app violated Canada’s privacy laws via some pretty significant overreach with its tracking of device owners. The violation will apparently not bring the app owners, Tim Hortons, any form of punishment. However, the fallout from this incident may hopefully serve as a warning to others with an app soon to launch. That’s one theory, anyway. In reality, this level of data collection is not as uncommon as is being suggested.

The app collects how much data?

It all begins in June 2020, when a reporter finds the Tim Hortons app is going above and beyond what one would expect as a reasonable level of tracking. Despite an FAQ claiming tracking only takes place “with the app open”, reporter James McCleod submits a request under Canada’s Personal Information protection and Electronic Documents Act. He discovers the app has recorded his longitude and latitude coordinates “more than 2,700 times in less than five months”, and not just when the app was in use.

In fact, he’d never have known this level of tracking was taking place save for a notification saying the app had collected his location. The twist: he hadn’t used the app in hours. This one tiny mobile notification quickly snowballed into the story we have today.

The notification was due to an Android system update giving users the option to limit an app’s access to location information. When people and organisations say it’s a good idea to update your device, this story is a perfect example of why that is.

How can apps collect data?

We’ve previously covered Bluetooth beacons and geofencing on this site. These are a staple diet of Out of Home (OOH) advertising. If you’re unfamiliar with how this technology typically operates, here’s a brief rundown:

1. You enable Bluetooth on your phone. It’s not a major battery drain and becoming more useful to mobile users than ever before so this isn’t a hassle for most people.
2. Stores you enter may have a Bluetooth beacon which fires out a rapid pulse signal. If you have an app for the store you’re in and have granted it permission to interact, this is where the fun begins. The store can track your movements, and figure out which items you hovered in front of and which you ignored completely. The store can then offer discounts, flash sales, and even optimal item placement based on this data.
3. Geofencing will help get you to the store in the first place. With app and permissions enabled, you may well have adverts sent directly to your phone when driving. You may even experience digital billboard Geofence marketing.

It’s not just about coffee

The biggest concern here for McCleod wasn’t that the app was tracking him on coffee runs. That was expected behaviour. What really stood out was the kind of deep-dive data collection that was generating “events” everywhere he went and building up a picture of his daily life.

A spokesperson for Tim Hortons said this was to “tailor marketing and promotional offers” inside the app, and that no data was shared with the other companies. This wouldn’t be enough to avert some pretty serious conclusions made from the app investigation.

The investigation findings

Tim Hortons stopped continuous tracking in 2020 after Government investigations began, but there were still concerns over the data collected. Tim Hortons’ contract with a third-party location services supplier allowed for the possibility of selling “de-identified” data. De-anonymisation is a big problem.

Despite explanations from Tim Hortons, the investigation concluded that

“…continual and vast collection of location information was not proportional to the benefits Tim Hortons may have hoped to gain from better targeted promotion of its coffee and other products.”

It also found the app continued collecting large amounts of location data for a year after deciding against using it for targeted data, despite there being no need to do so. The four privacy authorities involved recommended Tim Hortons:

• Delete any remaining location data and direct third-party service providers to do the same;
• Establish and maintain a privacy management program that: includes privacy impact assessments for the app and any other apps it launches; creates a process to ensure information collection is necessary and proportional to the privacy impacts identified; ensures that privacy communications are consistent with, and adequately explain app-related practices; and
• Report back with the details of measures it has taken to comply with the recommendations.

Tim Hortons agreed.

The full findings on this case can be seen in the report here.

Climbing under the fences: Tips for avoiding tracking

There are several ways to avoid or opt-out from tracking which you may feel is overly invasive.

1. Keep your mobile device up to date. It’s the difference between having basic “on/off” privacy settings or waking up to find you have multiple granular controls for all aspects of app use.
2. Not using Bluetooth? Turn it off. You won’t enjoy a massive battery bump, but you will go some way towards staying below the beacon radar.
3. Think carefully about agreeing to GPS permissions for apps. It’s as specific a way to track your movements as can be, and some apps/services save this data online for you to view at a later date. This isn’t great if the service or account is compromised, so always ensure there’s an option to delete historical data. Depending on mobile device or OS, you may have very basic location options or several options tied to different services. It’s well worth taking some time to see what’s in there.
4. Introduce some security to your mobile ecosystem. Mobile ad blockers, privacy and anonymity tools will all help with regard prevention of advertising profiles tied to your real world location and identity. It may not just be the app, but the other sites, services, and ad networks it plugs into which you have to consider.
5. Always read the EULA. It’s a pain, but it’s really worth checking out the privacy policies and EULAs of the apps you use. See how they share data, how long information is stored for, and which advertising networks the apps partner with. Of course, this may have limited use considering portions of the Tim Hortons app FAQ were incorrect but it’s a good way to get up to speed on an app more broadly.

The post Coffee app in hot water for constant tracking of user location appeared first on Malwarebytes Labs.

Apple’s App Review process may have received ill wishes from many benevolent developers, but Apple has now revealed how effective it is and why it is so stringent.

According to its review of the year 2021, Apple protected customers from nearly $1.5 billion in potentially fraudulent transactions, and stopped over 1.6 million risky and vulnerable apps and app updates from defrauding users.

Bad apples

In 2021, Apple rejected or removed over 835,000 problematic new apps, and an additional 805,000 app updates. Some were removed because they were found to be unfinished or contained bugs that impeded functionality, others because they needed improvements in their moderation mechanisms for user-generated content.

The App Review team also rejected over 343,000 apps for requesting more user data than necessary or mishandling the data they already collected.

To put these numbers in perspective, 107,000 new developers managed to get their apps onto the store. Some of which may have gone through rejection on earlier occasions, but received a stamp of approval in the end.

Rotten apples

Over the same year, the App Review team rejected more than 34,500 apps for containing hidden or undocumented features. They also rejected upward of 157,000 apps because they were found to be spam, copycats, or misleading to users, for example, by manipulating them into making a purchase.

Also, Apple removed over 155,000 apps from the App Store because the developers altered the concept or functionality of the app after receiving approval at first. Altering the app after release is a method threat actors can use to try and bypass the App Review process.

Fraudulent accounts

When developer accounts are used for fraudulent purposes, the offending developer’s Apple Developer Program account and any related accounts are terminated.

As a result of these efforts, Apple terminated over 802,000 developer accounts in 2021. Apple rejected an additional 153,000 developer enrollments over fraud concerns, preventing these threat actors from ever submitting an app to the store.

Financial fraud

Using both human and tech review, Apple stopped more than 3.3 million stolen cards from being used to make potentially fraudulent purchases. Nearly 600,000 accounts were banned from ever transacting again. In total, Apple protected users from nearly $1.5 billion in potentially fraudulent transactions in 2021.

User concerns

If users have concerns about an app, they can report it by clicking on the Report a Problem feature on the App Store or calling Apple Support, and developers can use either of those methods or additional channels like Feedback Assistant and Apple Developer Support.

As part of the App Review process, any developer who feels they have been incorrectly flagged for fraud may file an appeal to the App Review Board.

Passwords

Apple also announced at its annual Worldwide Developers Conference (WWDC) that it will introduce support for third-party two-factor authentication apps with the built-in Passwords feature in the Settings app.

iOS 16, which is expected to be released in September 2022, will permit users to edit strong passwords suggested by Safari to adjust for site‑specific requirements.

Apple also confirmed it’s bringing support for passkeys in the Safari web browser, a next-generation passwordless sign-in standard that allows users to log in to websites and apps across platforms using Touch ID or Face ID for biometric verification.

Passkeys never leave your device and are specific to the site you created them for. Which makes phishing for them almost impossible. The passkey mechanism was established by the FIDO Alliance and is already backed by Google and Microsoft. As such, it aims to replace standard passwords by providing unique digital keys stored locally on the device.

The post Rotten apples banned from the App store appeared first on Malwarebytes Labs.

Account hijacking has sadly become a regular, everyday occurrence. But when it comes to hijacking accounts before they are even created? That’s something you’d never think possible—but it is.

Two security researchers, Avinash Sudhodanan and Andrew Paverd, call this new class of attack a “pre-hijacking attack.” Unfortunately, many websites and online services, including high-traffic ones, are not immune to it. In fact, the researchers found that more than 35 of the 75 most popular websites are vulnerable to at least one pre-hijacking attack.

Sudhodanan and Paverd identified five types:

Classic-Federated Merge (CFM)

This exploits a flaw in how two account creation routes interact. Two accounts can be created using the same email address—one normal account by the user (deemed the “the classic route”) and one federated identity by the hijacker (deemed the “federated route”)—allowing both to access the account.

This attack is most successful when the user uses a single sign-on (SSO) to log in, so they never change the actual account password the hijacker sets.

Non-Verifying Identity Provider (NV)

This is a mirror image of the CFM attack. Using the same email address, the hijacker creates an account using the classic route while the user takes the federated route. The hijacker then uses an identity provider (IdP) that doesn’t verify ownership of an email address. If the website or online service incorrectly merges the two accounts based on the email address, both hijacker and user will have access to the account.

Unexpired Email Change (UEC)

This exploits a flaw where the website or online service fails to invalidate an email change request when the user resets their password.

The hijacker creates an account with the victim’s email address and then submits a change request to replace the email for their own but doesn’t confirm it. When the victim does a password reset, the hijacker then validates control, allowing them to assume control of the account.

Unexpired Session (US)

This exploits a flaw in which authenticated users are not signed out of an active account after a password reset.

The hijacker keeps the account active using an automated script after creating an account. Even after the user creates an account using the same email address and resets the password, the hijacker maintains access to the account.

Trojan Identifier (TID)

This is a combination of CFM and US attacks.

Issues in common

These attacks vary in severity, but they were all caused by the websites’ inability to verify an identifier the user supplies before allowing the account to be used.

Many websites and online services do verify, but, as the researchers noted, they do so asynchronously, which improves website usability but unfortunately opens the door to pre-hijacking attempts.

From the report:

“As with account hijacking, the attacker’s goal in account pre-hijacking is to gain access to the victim’s account. The attacker may also care about the stealthiness of the attack, if the goal is to remain undetected by the victim.

The impact of account pre-hijacking attacks is the same as that of account hijacking. Depending on the nature of the target service, a successful attack could allow the attacker to read/modify sensitive information associated with the account (e.g., messages, billing statements, usage history, etc.) or perform actions using the victim’s identity (e.g., send spoofed messages, make purchases using saved payment methods, etc.).”

How account pre-hijacking works

Attackers attempting to pre-hijack must already know some unique identifiers related to the target whose account they want to take over. These identifiers could be an email address, phone number, or other information that can be retrieved via scraping social media accounts or leaked data.

From here, attackers can then use any of the five attack types. Regardless, everything boils down to the hijacker and the user having concurrent access to the same account.

In their case studies, the researchers mentioned a handful of known online brands vulnerable to pre-hijacking attacks. These include Dropbox, Instagram, LinkedIn, WordPress, and Zoom.

Pre-hijacking attacks are preventable

Although the root cause of pre-hijacking attacks stems from weaknesses on the side of the websites and online services, protecting against them is never one-sided.

The researchers advise website and service owners to do the following:

• Require verification of an email address used in registration to be completed before allowing any features of the website or service to be used. A similar approach must be adopted when using other verification means, such as SMS or automated phone calls.
• If the website or online service uses an IdP, ensure the IdP performs the verification process or conducts additional verification steps.
• When a user requests a password reset, the website or service should sign out all active sessions and invalidate all authentication tokens.
• Set the validity period of change confirmation emails as low as possible. Doing this doesn’t remove the risk of an attack altogether, but it minimizes it.
• Delete unverified accounts regularly.

Microsoft has listed some in-depth steps on its website for further mitigation.

Users can also protect themselves from pre-hijacking attacks using multi-factor authentication (MFA) if the website or online service supports this feature.

Stay informed and stay safe!

The post Hackers can take over accounts you haven’t even created yet appeared first on Malwarebytes Labs.

This blog is part of our live coverage from RSA Conference 2022:

US President Joseph R. Biden Jr., The White House, and law enforcement agencies across the world paid close attention last year when a group of more than 60 cybersecurity experts launched the Ransomware Task Force, heeding the group’s advice on how to defend against ransomware attacks and deny cybercriminals their ill-gotten riches.

Of the Ransomware Task Force’s initial 48 recommendations—published in their report last year—12 have resulted in tangible action, while 29 have resulted in preliminary action, said Philip Reiner, chief executive officer for the Institute for Security and Technology and member of the Ransomware Task Force.

The progress, while encouraging, is not the end, Reiner said.

“Not enough has been done,” Reiner said. “There is still a great deal of work that remains to be done on this front to blunt the trajectory of this threat.”

At RSA Conference 2022, Reiner moderated a panel of other Ransomware Task Force members which included Cyber Threat Alliance President and CEO Michael Daniels, Institute for Security and Technology Chief Strategy Officer Megan Stiflel, and Resilience Chief Claims Officer Michael Phillips. The four discussed how separate levels of the government responded and acted on the five priority recommendations made by the Ransomware Task Force last year.

In short, many promising first steps have been made, the panelists said.

“Look at what the US government has done in the past year—the impressive speed at which [they’ve] organized and focused on the ransomware threat,” Daniels said. “Everything from presidential statements, to work in the international area, to convening a ransomware task force inside the government to start working on this issue.”

He continued: “I think it’s clear that governments are really engaged in this issue in a way that they weren’t just a couple of years ago.”

Last year, governments across the world collaborated together in taking down ransomware threat actors. In June 2021, Ukrainian law enforcement worked with investigators from South Korea to arrest members affiliated with the Clop ransomware gang, and months later, members of the FBI, the French National Gendarmerie, and the Ukrainian National Police arrested two individuals—and seized about $2 million—from an unnamed ransomware group.

Around the same time as the undisclosed arrests, President Biden traveled to Switzerland to speak at a cybersecurity summit that was also attended by Russia President Vladimir Putin. When the two met, Biden reportedly told Putin that the United States was willing to take “any necessary action” to defend US infrastructure. The US President’s statement came shortly after the ransomware attack on Colonial Pipeline, which was attributed to the cybercriminal group Darkside, which is believed to be located in Russia.

“I’m gonna be meeting with President Putin and so far there is no evidence, based on our intelligence people, that Russia is involved,” President Biden said of the attack at the time, according to reporting from the BBC. But, Biden added, “there’s evidence that the actors’ ransomware is in Russia—they have some responsibility to deal with this.”

Separately, Stifel from the Institute for Security and Technology welcomed recent developments—which may take many more years to solidify—to create a standardized format and timeline for companies and organizations to report ransomware attacks.

“It will be some time, and some of you may be retired by the time it’s in place,” Stifel said, “but it’s there. You have to start somewhere.”

The panelists also acknowledged recent government efforts to appropriate cybersecurity recovery and response funds in the latest infrastructure bill. While the Ransomware Task Force specifically asked for funds for ransomware recovery and response, a broad package of millions of dollars for overall cybersecurity events is still considered a win.

One underdeveloped priority area that every panelist stressed was the need for faster, more accurate data on ransomware attacks and recovery costs. Without a centralized database—and without a requirement to report both attacks and ransom payments—the government and cybersecurity companies are working with limited information.

The panelists also lamented the difficulties posed in trying to remove safe havens for ransomware actors. As the governments that already provide cover for ransomware groups have little to no impetus to change their positions, it’s up to global governments to start working together.

“I can see the US government trying to, internationally, build a collation of countries—not just US agencies, but multiple agencies across multiple jurisdictions at the same time,” Daniels said.

He continued: “This threat has become so large that no government can really just ignore it.”

The post Ransomware Task Force priorities see progress in first year appeared first on Malwarebytes Labs.