IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

CafePress faces $500,000 fine for data breach cover up

The US Federal Trade Commission (FTC) has announced that it took action against online customized merchandise platform CafePress over allegations that it failed to secure consumers’ sensitive personal data and covered up a major breach.

CafePress is a popular online custom T-shirt and merchandise retailer. According to Samuel Levine, Director of the FTC’s Bureau of Consumer Protection:

“CafePress employed careless security practices and concealed multiple breaches from consumers.”

CafePress waited seven months to publicly disclose a 2019 breach, and only did so after it had been reported in the news.

The FTC complaint also takes issue with the way CafePress handled customer information, saying that CafePress “misled users by using consumer email addresses for marketing despite its promises that such information would only be used to fulfill orders consumers had placed.” This is considered an unfair and deceptive practice under Section 5 of the FTC Act.

The breach

In February 2019, a threat actor was able to access millions of email addresses and passwords. According to the complaint by the FTC this was made possible because CafePress failed to implement reasonable security measures to protect the sensitive information of buyers and sellers stored on its network.

The passwords are said to have been protected by “weak encryption”, an absolute security no-no. Passwords should not be stored in any reversible form at all; they should be stored as the output of a properly configured, salted password hashing function such as bcrypt or scrypt. Those functions are deliberately slow, so that even when the hash table leaks, every guess costs the attacker real compute and strong, unique passwords stay out of practical reach. Weak passwords still fall, which is why hashing is a floor, not a substitute for the rest.

Leaked email addresses and passwords are a serious problem because many people re-use their passwords across multiple websites and services. Cybercriminals know this and will try stolen usernames and passwords in as many different places as they can—a practice known as credential stuffing.

The threat actor also captured millions of unencrypted names, physical addresses, and security questions and answers, as well as more than 180,000 unencrypted Social Security Numbers (SSNs) and tens of thousands of partial payment card numbers (last four digits) with their expiration dates: a treasure trove for social engineers.

Informing customers

Despite warnings from several sides, including a foreign government, CafePress decided not to inform its customers, but instead only told customers to reset their passwords as part of an update to its password policy. CafePress apparently patched the vulnerability the cybercriminals made use of, but failed to properly investigate the breach for several months despite additional warnings.

Data from the breach eventually ended up in Troy Hunt’s Have I Been Pwned (HIBP) database, which tipped off journalists. It wasn’t until news of the breach was reported in the press that CafePress actually informed its customers.

Lax security

In the complaint the FTC mentions several cases of bad security practices, before and after the breach. According to the FTC, CafePress…

  • Failed to investigate the source of several malware infections that occurred on its network prior to the 2019 attack.
  • Failed to implement reasonable security measures to protect the sensitive information of buyers and sellers.
  • Stored SSNs and password reset answers in clear text, alongside millions of unencrypted names and physical addresses.
  • Retained customers’ data longer than was necessary.
  • Failed to apply readily available protections against well-known threats and to adequately respond to security incidents.
  • Continued to allow people to reset their passwords by answering security questions known to the attackers.

As a result of its lax security practices, it should not come as a surprise that CafePress’ network was breached multiple times.

Proposed settlement

As part of the proposed settlement, Residual Pumpkin and PlanetArt (the previous and current owners of CafePress) will be required to implement comprehensive information security programs that will address the problems that led to the data breaches at CafePress. This includes replacing inadequate authentication measures—such as security questions—with multi-factor authentication methods, minimizing the amount of data it collects and retains, and encrypting SSNs.

PlanetArt will be required to notify consumers whose personal information was accessed as a result of CafePress’s data breaches and provide specific information about how consumers can protect themselves. Both companies will be required to have a third-party assess their information security programs and provide the Commission with a redacted copy of that assessment suitable for public disclosure.

In addition, Residual Pumpkin will have to make a $500,000 payment to data breach victims, the FTC said in the statement. CafePress has already settled with seven US states as a result of this data breach.

Reusing passwords

We have warned users often against reusing passwords across different services. This case is a prime example that shows why this is important. Users were left in the dark about their compromised passwords for several months. This gave the criminals behind the breach plenty of time to perform credential stuffing attacks on other services.

Since shopping services usually store credit card details and people’s home addresses alongside login credentials, there is no reason to treat these accounts as if they have a lower security priority. On the contrary, it could turn out to be a costly mistake. Use a password manager to make it easier to create and use strong, unique passwords for each service you use.

Lessons for web shops

What can web shops do to avoid becoming the next CafePress?

  • In the long run, the chance you can keep a breach secret is slim to none.
  • Deploy strong policies and controls and inform the public about them on your website.
  • Disclose breaches to your customers early, with as much detail as you can. This will reduce the damage to them, and to your brand, and reduce the chance of being fined.
  • Utilize best practices such as strong password hashing and rate limiting password attempts.
  • Encourage customers to use Multi-factor Authentication (MFA).
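Rate limiting of login attempts (from the list above) aimed at the credential-stuffing pattern described in the breach section, as an added example written for this page (not code from the original post or from CafePress). The thresholds, the window and the sample attempts are constructed for the demo; the guard keeps a sliding window of failures per account and per source address, because a stuffing run touches many accounts once each and a per-account counter alone never trips.

```python
"""Sliding-window login rate limiting keyed on both the account and the source
IP. Added example, not the original post's code. Thresholds, window and the
attempt stream are constructed for the demo."""
from collections import defaultdict, deque


class LoginGuard:
    def __init__(self, per_account=5, per_ip=20, window_seconds=600):
        self.per_account = per_account      # failures allowed per account per window
        self.per_ip = per_ip                # failures allowed per source IP per window
        self.window = window_seconds
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures

    def _recent(self, key, now):
        """Drop failures older than the window and return how many remain."""
        q = self._failures[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return len(q)

    def allow(self, account, ip, now):
        """True if neither the account nor the source IP is over its budget."""
        return (self._recent(("acct", account), now) < self.per_account
                and self._recent(("ip", ip), now) < self.per_ip)

    def record(self, account, ip, now, success):
        """A success clears the account's failures only; the IP keeps its history,
        because one valid hit among many guesses is still a stuffing run."""
        if success:
            self._failures.pop(("acct", account), None)
        else:
            self._failures[("acct", account)].append(now)
            self._failures[("ip", ip)].append(now)


def replay(guard, attempts):
    """attempts: (time, account, ip, password_correct). Returns one outcome per attempt."""
    outcomes = []
    for now, account, ip, ok in attempts:
        if not guard.allow(account, ip, now):
            outcomes.append("blocked")
            continue
        guard.record(account, ip, now, ok)
        outcomes.append("success" if ok else "failed")
    return outcomes


def stuffing_demo():
    """Constructed stuffing run: one IP tries 25 different accounts, one leaked
    password each, all wrong. Every account stays under its own limit, but the
    IP budget (20) trips on the 21st attempt."""
    guard = LoginGuard(per_account=5, per_ip=20, window_seconds=600)
    attempts = [(t, f"user{t}@example.com", "198.51.100.7", False) for t in range(25)]
    return replay(guard, attempts)
```

Return the same generic error to the client whether an attempt was blocked or simply wrong, so the limiter does not become an account enumeration oracle, and prefer a CAPTCHA or step-up challenge over a hard lockout for the per-account bucket, since an attacker who can lock out arbitrary accounts has a denial-of-service tool.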

Keep your customers safe and happy and they will come back.

Stay safe, everyone!

The post CafePress faces $500,000 fine for data breach cover up appeared first on Malwarebytes Labs.

“Threatening and coercive” cold-callers who targeted the elderly hit with big fines

Every so often, fines hit the news as a result of phone/communication spam. Much of it targets older members of society. Sometimes folks say these calls are “just” irritants and nothing to particularly worry about. But it can be really serious, resulting in big chunks of people’s savings being wiped out.

Now, five companies have been fined a grand total of £405,000 for such practices—with the potential for more to come.

Listing all the possibilities

Several companies have had these fines issued for collectively making huge numbers of calls to people registered to the TPS (Telephone Preference Service).

The TPS is the equivalent of a “do not call” service and is the UK’s sole register for this purpose. People who sign up their mobile and/or landline numbers are placed into the TPS register and are opted out of receiving any and all unsolicited calls. Supposedly.

However, one organisation alone made 229,483 unwanted calls to people on the TPS service over the course of around seven months. They were hit with a £100,000 fine. Another made 412,556 calls to people on the TPS service over a period of around eight months. For this, they received a fine totalling £110,000.

The ICO (Information Commissioner’s Office), which ensures that UK organisations do the right thing where data protection and communications are concerned, suspects that at least some of the companies involved were sharing information on their cold-call targets.

The calls themselves asked for personal information from people aged 60 and over who owned their own homes and had landline numbers. This primarily seems to have tied back to insurance services for household products, and complaints allege the calls were both “threatening and coercive”. That they did this to people who may have felt less comfortable dealing with confrontation over the phone is particularly awful.

So what’s the point in the TPS?

Crucially, it’s a legal requirement that companies do not call people on the TPS register without their consent. The aim is to significantly reduce live (not automated) cold-calling, and businesses are supposed to check their call lists against the TPS register every 28 days.

Where this goes wrong for potentially unsuspecting cold-callers is that TPS contacts the callers over every complaint made, and these complaints are also fed back to the ICO. You can imagine how seriously the ICO took hundreds of thousands of complaints lighting up against the same organisations on a daily basis.

Mistakes can happen; according to the TPS site, legislation allows companies a maximum of 28 days to update their lists of who to call (and not call). Despite this, nobody is making simple mistakes hundreds of thousands of times.

Avoiding nuisance calls

As far as this story is concerned, the primary tactic to avoid nuisance calls is to sign up to the TPS list. You can also make use of additional services from your network providers in terms of blocking spam or even automated calling when possible. Some mobile operators will, for example, tell you if a number calling is suspect. Keep in mind that these may or may not be paid services.

Cold-call campaigns may make use of data from third-parties, or even scraped from various sources without permission. If an organisation has their database stolen or scraped, there isn’t a lot you can do about that. However, you can try to limit your exposure.

You could use forwarding numbers for services you sign up to, which helps shield your real number. If you sign up for something make sure the right tick boxes are checked (or unchecked!) to prevent someone sharing your details or contacting you.

Combining these tactics should stand you in good stead for keeping pesky cold-callers at bay.

The post “Threatening and coercive” cold-callers who targeted the elderly hit with big fines appeared first on Malwarebytes Labs.

Fake Royal Mail chatbot offers up…a new iPhone?

Royal Mail scams are always popular techniques for people up to no good. We’ve covered them several times over the last year or so. A quick reminder:

Your parcel is waiting for delivery

This is the go-to tactic for fake Royal Mail phishing attacks. You receive a text claiming there’s a parcel in your name, waiting for collection. The SMS contains a link to a fake Royal Mail website. There, you’re asked to pay a small charge for “settlement”. Once payment details are entered, they’re in the hands of the scammer. With your payment details, they can take literally everything.

Something frequently overlooked is the impact wrought on people by these attacks. It isn’t “just” a throwaway phish. Like any bogus website asking for payment information, it can have a severe impact on people who’ve handed over their card details. Losing all your money, and access to payment methods, during times where people are essentially trapped indoors is plumbing the depths of awfulness.

Avoiding analysis

We’ve seen evidence of otherwise standard Royal Mail phishing sites attempting to evade detection and analysis. They do this by borrowing techniques from malware that tries to avoid inspection in virtual machines. Anything from spotting rendering artefacts associated with VMs to deliberately misbehaving in anonymising browsers such as Tor will do the job. They really don’t want people interfering with this particular money stream.

This is what they’ve been up to over the last year or so. We haven’t really seen any major developments in fake Royal Mail land for a while. This may be about to change, however. Step up to the plate, Which? Magazine.

A new year brings new tactics

Which? brings word of a new round of bogus messages. So far, so much business as usual although it mentions these messages are arriving via email rather than SMS. This doesn’t mean fake SMS messages are AWOL this time around, but email seems to be the focus here. People clicking links in the email are taken to a website which now seems to be offline. It’s also not stored in any search engine caches or the Internet Archive, so all we have to go on is video footage.

Here’s what happens (well, happened) while people visited the site in question:

Visitors are greeted by a “chatbot”, talking to them directly about a missing parcel. The chatbot cycles through some text, claiming the parcel is damaged in some way. It reads as follows:

Hello, welcome to the interactive parcel management system. I’m your virtual guide Suzy and I’ll be helping you today. Please confirm that this is your tracking number: [tracking number]. We have a parcel with you as a recipient, but the label was damaged—attached is a picture of your parcel.

It then asks if they should “deliver this parcel to a private or business address”. Once a reply is given, it then goes on to say:

Thank you, in order to deliver your parcel, we need to get your details, as we currently only have your name and phone number / email address on record. The rest of the label is not readable. I will direct you to a form where you can fill in your delivery details. As the details of the sender also are not readable on the label, we have to charge you for the manual handling of the package, as we cannot bill it back to an unknown sender. Since you used this automated flow, the price will be less than $3

You’ll note a potentially glaring error in that the “chatbot” that’s supposed to be part of the UK postal service, the Royal Mail, mentions dollars rather than UK pounds. This may well have tipped a few people off that what they were dealing with isn’t genuine.

From Royal Mail chatbots to…something completely unexpected

If the person in front of the screen clicks the schedule delivery and pay button, they’re taken to a distinctly non-Royal-Mail-looking website. It appears to be a sign-up form to get your hands on a “new iPhone 12”. There’s also a sign-up for a monthly rolling subscription, at a cost of £59 every 30 days.

Essentially, the scammers came up with an idea for an evolving Royal Mail phish—AI chatbots—and then inexplicably undermined themselves with a completely unrelated landing page promoting mobile phone competitions. You’d hope this would lower the chances of people signing up, but you never know.

As for the chatbot itself, there’s no way to know for sure how it operated. It may be like one of those pornography chatbots on spam sites which run through the same handful of replies no matter what you type. Perhaps it was coded to detect a handful of different responses. It might even have been the scammer themselves, for that added splash of interactivity.

The site sporting the competition itself informed Which? magazine that an affiliate is responsible for this one and they’ve refunded 3 people who fell for it. Hopefully this low number does indeed indicate that starting off with a Royal Mail delivery and ending with mobile phones is a bridge too far. This is definitely a better end result than if the landing page was a carefully crafted Royal Mail fakeout, so it’s possible we’ve all scored a lucky break here.

As with all these scams: Should you find a mysterious text or mail telling you a parcel is waiting, contact your local Royal Mail depot. Sites asking for delivery fees should be viewed with skepticism, and that goes double for offers of a distinctly non-postal variety.

The post Fake Royal Mail chatbot offers up…a new iPhone? appeared first on Malwarebytes Labs.

Update now! Apple fixes several serious vulnerabilities in iOS and macOS

Apple has released patches for macOS Monterey 12.3, iOS 15.4 and iPadOS 15.4. In these security updates, released on March 14, 2022, Apple tackles 39 vulnerabilities, several of which could allow an attacker to execute arbitrary code on an affected device.

One of the vulnerabilities can be exploited by having the victim open a crafted PDF file, and a few just require the victim to visit a specially crafted website.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs that jumped out at us.

Accelerate Framework

CVE-2022-22633

Opening a maliciously crafted PDF file can lead to arbitrary code execution. Apple describes it as a memory corruption issue in the Accelerate framework’s PDF processing that was addressed with improved state management.

An attacker would need to trick the victim into opening their PDF file. Anything that can be triggered just by a victim opening a file that can be sent as an attachment is of great value to cybercriminals. In a “spray and pray” attack there is a reasonable chance of success. This might also be useful to attackers performing a targeted attack on an individual.

AppleAVD

CVE-2022-22666

Processing a maliciously crafted image may lead to heap corruption. AppleAVD is a decoder that handles certain media files. Apple describes this as a memory corruption issue that was addressed with improved validation. Heap corruption occurs when a program writes outside the bounds of a heap allocation (or into memory it has already freed), damaging neighbouring objects or the allocator’s own bookkeeping data. The outcome ranges from a crash of the affected program to, when the attacker controls what gets written and where, arbitrary code execution.

AVEVideoEncoder

The AVEVideoEncoder is a component that is used when creating video files. This round there were three vulnerabilities fixed in this component.

CVE-2022-22634

A malicious application may be able to execute arbitrary code with kernel privileges. The vulnerability is a buffer overflow that was addressed with improved bounds checking. A buffer overflow happens when a program writes more data into a fixed-size buffer than the buffer can hold, so the excess spills into adjacent memory.

CVE-2022-22635

An application may be able to gain elevated privileges. The vulnerability is an out-of-bounds write that was addressed with improved bounds checking. When a program can be made to write outside the bounds of a buffer, the data that gets overwritten may belong to more critical parts of the program, such as pointers, return addresses or privilege flags. Controlling those lets an attacker redirect execution to code of their choosing, which then runs with permissions the program and user should not have.

CVE-2022-22636

An application may be able to execute arbitrary code with kernel privileges. Another out-of-bounds write issue, that was addressed with improved bounds checking.

GPU Drivers

CVE-2022-22667

An application may be able to execute arbitrary code with kernel privileges. The vulnerability is a use after free that was addressed with improved memory management. An attacker would need to get an application running on the device to exploit it. A use after free (UAF) occurs when a program frees a block of dynamic memory but keeps using a pointer to it. If an attacker can arrange for the allocator to hand that same memory out again for data they control, the stale pointer now reads and writes attacker-chosen content, which is often enough to hijack the program.

ImageIO

The Image I/O framework allows applications to read and write most image file formats. Two vulnerabilities were fixed during this round.

CVE-2022-22611

Processing a maliciously crafted image may lead to arbitrary code execution. The vulnerability is an out-of-bounds read that was addressed with improved input validation. An out-of-bounds read means that the software reads data past the end, or before the beginning, of the intended buffer. On its own that typically leaks sensitive data from neighbouring memory or causes a crash, but it can be a stepping stone to running code in the target process, and Apple rates this one as leading to arbitrary code execution.

CVE-2022-22612

Processing a maliciously crafted image may lead to heap corruption. Apple describes this as a memory consumption issue that was addressed with improved memory handling. The heap is the region of a process’s memory used for dynamically allocated data.

The usual suspects

Besides these specific CVEs there were vulnerabilities found in what we would call the usual suspects. The kernel and WebKit are both very important components of Apple’s operating systems. Not only because everyone uses them, but also because they are attractive targets for attackers.

Kernel

The kernel is a core component of any operating system and serves as the main interface between the computer’s physical hardware and the processes running on it. As such, the kernel is responsible for low-level tasks such as disk management, memory management, task management, etc.

Seven vulnerabilities were fixed during this round. Most of them cause an application to be able to execute arbitrary code with kernel privileges. Something you really don’t want to happen. Running arbitrary code with kernel privileges means that an attacker basically owns your system.

WebKit

WebKit is the browser engine that powers Safari on Macs as well as all browsers on iOS and iPadOS (browsers on iOS and iPadOS are obliged to use it). It is also the web browser engine used by Mail, App Store, and many other apps on macOS, iOS, and Linux. Six vulnerabilities in WebKit were fixed this round. Most of them have the worrying description of processing maliciously crafted web content may lead to arbitrary code execution. What that means is that all an attacker has to do is lure a victim to their malicious site.

As far as we are aware, none of these vulnerabilities is known to have been exploited in the wild, which doesn’t mean that they won’t be in the future. So, our advice, as always, is to get the updates at your earliest convenience.

Stay safe, everyone!

The post Update now! Apple fixes several serious vulnerabilities in iOS and macOS appeared first on Malwarebytes Labs.

DDoS barrage against Israel described as the “largest ever” cyberattack it’s faced

Several government websites in Israel—those using the .gov.il domain—were inaccessible after a distributed denial of service (DDoS) attack hit Israel’s telecommunication provider, Cellcom. NetBlocks, a network disruption watchdog, initially detected “a significant disruption” aimed at the provider, which appeared to have also affected another provider, Bezeq, before the Israeli National Cyber Directorate confirmed the cyberattack in a tweet.

According to Haaretz, an Israeli newspaper, websites of the health, interior, justice, and welfare ministries were taken offline. The website of the Office of the Prime Minister was also affected. The newspaper’s source is also quoted saying that the incident was “the largest-ever cyberattack carried out against Israel.”

Ram Levi, CEO of Konfidas, a cybersecurity consulting firm, told the Jerusalem Post that the cyberattack started at 6:15 PM and ended at 7:30 PM, and attributed it to hackers in Tehran.

However, Mike Sexton, a cyber and Middle East policy expert, called the attack “unsophisticated, but something that nonetheless requires significant resources.”

“Israel and Iran have recently been engaged in a low-level cyber tit-for-tat, so Iran is an obvious source to attribute, but we should not jump to conclusions,” Sexton told The National. “Iran possesses much more sophisticated capabilities, so I think it would be unusual for them to use this sort of primitive attack.”

Sexton also asserted that this cyberattack is likely linked to the crisis in Ukraine, given that Israel has just joined other countries in sanctioning Russia after remaining neutral. “This kind of attack is very characteristic of Russian patriotic hackers. We saw them use this same kind of attack against the Estonian government in 2006,” he said.

The post DDoS barrage against Israel described as the “largest ever” cyberattack it’s faced appeared first on Malwarebytes Labs.

Escobar is the new Android banking Trojan we’ve met before

Aberebot, a known Android banking Trojan, has changed its name and returned loaded with new features. First spotted by @MalwareHunterTeam in early March, this mobile variant was renamed “Escobar”—a homage to the Colombian drug baron—and disguised itself as a McAfee app. It went by the package name of com.escobar.pablo and the application name of “McAfee”.

BleepingComputer found a post on a Russian-speaking hacking forum that says Escobar’s creators are renting the beta version of the malware for $3,000 a month and plan to increase it to $5,000 once development is finished:

Hello dear {redacted}. I came to this group with an advice and recommendation of a friend. I am an Android malware developer and I want to start renting my private Android banking bot here. The bot is still in BETA version and it is possible to encounter errors and bugs so for this month I will rent the bot to maximum 5 customers.

This new Aberebot variant widens its information-stealing capabilities by accessing features built-in to smartphones to get as much information as it can, to take complete control of victim accounts, empty accounts, and perform unauthorized transactions.

Among the 25 permissions it asks from users, it abuses 15, enabling the malware to (among other things) record audio, read and send SMS messages, take screenshots, uninstall apps, get the precise location of device, and download media files from victims’ devices.

Escobar can steal Google Authenticator multi-factor authentication (MFA) codes, SMS messages, call logs, keystrokes, and notifications, which it sends to its C2 server.

Lastly, Escobar gives device control to affiliate malware distributors using VNC Viewer, a screen-sharing tool with remote control features. Once the phone is unattended, threat actors can, essentially, do what they want with the device.

Cyble, the cybersecurity company that wrote extensively about Aberebot and Escobar, asserts that highly sophisticated malware like Escobar can only be distributed from sources outside the Google Play Store.

Google Play is far from perfect, but the best way to minimize the chance of becoming infected with Escobar is to stick to downloading apps from there. Android users should also enable Google Play Protect on their device, and use a mobile security solution.

Malwarebytes users are already protected from Escobar. We detect it as Android/Trojan.BankBot.Esco.c.

Stay safe!

The post Escobar is the new Android banking Trojan we’ve met before appeared first on Malwarebytes Labs.

Stolen Nvidia certificates used to sign malware—here’s what to do

As we wrote on March 3, 2022, Nvidia was recently attacked by the LAPSUS$ extortion group. The ensuing data leak included two of Nvidia’s code signing certificates. Those certificates are now being used to sign malware.

Leaked signing certificates from major vendors like Nvidia come with huge security implications. And the fact that the certificates have expired does not lessen the burden much.

A code signing certificate is used to authenticate the identity of a software developer or publisher, and a signature made with its private key provides cryptographic assurance that a signed piece of software has not been altered or tampered with since signing. Signing certificates are considered trustworthy because they are themselves signed by a Certificate Authority (CA). This creates a “chain of trust” between a signature on a piece of software and a CA that operating systems trust, such as DigiCert.

Code signing is used by Windows and macOS to ensure that users only run software from trusted sources. This is a powerful security feature, provided that code signing certificates are kept out of the hands of cybercriminals.

Leaked Nvidia certificates

The data the LAPSUS$ group stole from Nvidia contained two code signing certificates along with the private keys needed to sign with them. (The certificate on its own is public and ships with every signed file; it is the private key that lets a forger produce signatures indistinguishable from the vendor’s.) As is often the case in extortion attacks, the exfiltrated data was published on a leak site. From there, any cybercriminal that wanted to could grab the certificates and keys and use them to sign their malware.

The two leaked Nvidia certificates have expired, having been valid from 2011 to 2014 and from 2015 to 2018. But Windows does not refuse to load a driver merely because the certificate that signed it has since expired, which makes the leaked certificates very useful to cybercriminals.

So useful, in fact, that the first malware samples signed with these certificates started to show up only one day after they were leaked.

Expired certificates

A compromised certificate can only be revoked by its CA. CAs maintain Certificate Revocation Lists (CRLs) which, as the name implies, list certificates that have been revoked. But CAs generally do not bother revoking certificates that have already expired, on the assumption that an expired certificate is no longer trusted anyway.

Unless a system knows that a certificate has been revoked or suspended, the system will continue to trust that certificate.

Microsoft has long made an exception for signed drivers, so that a system does not stop booting just because the certificate that signed one of its drivers has expired. To prevent drivers signed with the leaked certificates from loading, the certificates must be revoked (added to the CRL) and your system must then learn of the revocation, which in practice means they land in the “Untrusted Certificates” store after a Windows update. Microsoft may be reluctant to do this because doing so could block legitimate Nvidia drivers signed with the same certificates.

But until then, malware can get loaded as a driver that’s been signed with these leaked certificates.

Mitigation

There are some additional protection mechanisms that can protect you from malicious signed drivers.

  • Normally, a Windows 10 system with Secure Boot enabled refuses to load new kernel drivers unless Microsoft has signed them through its Hardware Dev Center. Unfortunately, an exception was made for drivers signed with certificates issued before July 29, 2015, and both of the leaked certificates predate that cut-off, one of them by only two days.
  • The signing certificates do not stop anti-malware solutions from recognizing the malware.
[Image: Malwarebytes blocking a Backdoor.Quasar sample signed with one of the leaked certificates]

Should you decide to update your Nvidia drivers, make sure to get them from the Nvidia download site and check the installer before you run it, to see that the driver’s certificate is still valid and not expired or revoked. To check, right click and select Properties, look at the Digital Signatures tab and select the Nvidia signature > click on the Details button > on the General tab click on View Certificate > then look at the Details tab for the Valid to date.

[Image: certificate details dialog showing an expired certificate, with a Valid to date in 2014]

For system administrators, David Weston, Vice President of OS Security and Enterprise at Microsoft, has tweeted some guidance on how you can configure Windows Defender Application Control policies to control which Nvidia drivers can be loaded.

If you want to check if any of the leaked certificates are on your systems, the serial numbers of the leaked certificates are:

43BB437D609866286DD839E1D00309F5
14781bc862e8dc503a559346f5dcc518

There is also a Yara rule to be found on GitHub that can be used by security teams to search for files signed with these certificates in their environments.
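A file scanner for the two serial numbers listed above, as an added example written for this page (it is not the YARA rule the post links to, and not tooling from Nvidia or Microsoft). The Authenticode signature embedded in a signed PE file carries the signer’s certificate in full, so the certificate’s serial number appears in the file as a DER `INTEGER` (tag `0x02`, a length byte, then the big-endian value, with a leading `0x00` added when the top bit is set). Matching those exact bytes is the same heuristic a YARA rule would use; the sample “file” below is constructed for the demo, and matching anywhere in the file rather than only inside the parsed signature is a simplification.

```python
"""Search file contents for the DER encoding of the two leaked Nvidia
certificate serial numbers. Added example for this page, not the linked YARA
rule. The sample blob is constructed; real use is scan_path() over a directory."""
import os

# Serial numbers quoted in the post, keyed to the certificate they belong to.
LEAKED_SERIALS = {
    "43BB437D609866286DD839E1D00309F5": "Nvidia 2011-2014 certificate",
    "14781bc862e8dc503a559346f5dcc518": "Nvidia 2015-2018 certificate",
}


def der_integer(serial_hex: str) -> bytes:
    """DER-encode a certificate serial: tag 0x02, short-form length, value.
    DER INTEGERs are signed, so a value whose top bit is set gets a 0x00 prefix."""
    value = bytes.fromhex(serial_hex)
    if value[0] & 0x80:
        value = b"\x00" + value
    if len(value) >= 0x80:                      # assumption: serials are short
        raise ValueError("serial too long for short-form DER length")
    return b"\x02" + bytes([len(value)]) + value


def find_leaked_serials(data: bytes) -> list:
    """Return [(label, offset)] for every leaked serial whose DER bytes occur."""
    hits = []
    for serial_hex, label in LEAKED_SERIALS.items():
        offset = data.find(der_integer(serial_hex))
        if offset != -1:
            hits.append((label, offset))
    return hits


def scan_path(path: str) -> dict:
    """Scan one file, or every file under a directory; returns {path: hits}."""
    results = {}
    targets = [path] if os.path.isfile(path) else (
        os.path.join(root, name)
        for root, _, names in os.walk(path) for name in names)
    for target in targets:
        try:
            with open(target, "rb") as f:
                hits = find_leaked_serials(f.read())
        except OSError:
            continue
        if hits:
            results[target] = hits
    return results


def constructed_sample() -> bytes:
    """A fake 'signed file': a PE-like prefix, then a certificate fragment that
    carries the 2011 serial. Constructed for the demo only."""
    header = b"MZ" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 100
    return header + der_integer("43BB437D609866286DD839E1D00309F5") + b"\x00" * 20
```

A hit is a lead, not a verdict: genuine Nvidia drivers from those years were signed with the same certificates, and a serial number is only unique within its issuing CA, so confirm a hit by parsing the signature and checking the issuer, then compare the file against Nvidia’s own download rather than trusting the signature alone.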

Stay safe, everyone!

The post Stolen Nvidia certificates used to sign malware—here’s what to do appeared first on Malwarebytes Labs.

De-Googling Carey Parker’s (and your) life: Lock and Code S03E06

Three years ago, a journalist for Gizmodo named Kashmir Hill wanted to understand what life was like without “Big Tech.”

Far from a “digital detox” retreat—the kind that was popular with exceedingly plugged-in, very online types in their mid-20s and early 30s—Hill’s experiment with technology abstinence was colored by restrictions. Swearing off Apple, Google, Facebook, Microsoft, and Amazon meant no iPhone, no Android phone, no MacBook, no PC running Windows, and no Chromebooks, and that’s just hardware. Hill was also unable to visit Facebook or use its subsidiaries, Instagram and WhatsApp, and similarly she could not use Microsoft’s many tools, including the entire Microsoft Office suite, but also LinkedIn, Skype, and Teams (though that was far less of a need in pre-pandemic times). Also off the table were any sites hosted by Amazon Web Services, which Hill managed to avoid with the help of a VPN that a technologist programmed for her.

After weeks without Big Tech, Hill said plainly: “It was hell.”

The takeaways from Hill’s reporting are many, but one obvious lesson is that big tech is so entrenched in our lives that, without it, we’d be unable to function in quite the same way. And that’s a bit of a bummer for anyone who wants to lessen their reliance on these companies because of their corporate practices or their notoriously flippant attitudes about data privacy.

In 2022, then, one cybersecurity evangelist saw an opportunity: Don’t remove every Big Tech company all at once, but just one, and do it in phases where you can introduce privacy-preserving alternatives along the way. No more Google Chrome? No problem, just use Brave, he said. No more Gmail? That’s also fine, he said, because you can use FastMail or ProtonMail.

In today’s episode of Lock and Code, with host David Ruiz, we speak to Carey Parker, host of the podcast Firewalls Don’t Stop Dragons, about how he has progressively removed Google and Google services from his life, opting into new providers for crucial services like email, calendaring, document-writing, spreadsheets, and more.

“The first step in any of these things is understanding the problem. And, so, what you really need to do, first of all, is understand what Google has on you.”

Carey Parker, cybersecurity evangelist and host of Firewalls Don’t Stop Dragons

Tune in to hear all this and more on this week’s Lock and Code podcast by Malwarebytes Labs. You can also learn more about de-Googling your own life from Carey Parker’s website and podcast, which is having a giveaway for its fifth anniversary in which 10 lucky winners will get a one-year, consumer premium license for Malwarebytes (hey, we know those people!).


You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

The post De-Googling Carey Parker’s (and your) life: Lock and Code S03E06 appeared first on Malwarebytes Labs.

A week in security (March 7 – March 13)

Last week on Malwarebytes Labs:

Stay safe!

The post A week in security (March 7 – March 13) appeared first on Malwarebytes Labs.

CISA list of 95 new known exploited vulnerabilities raises questions

On Friday March 3, the Cybersecurity and Infrastructure Security Agency (CISA) added a whopping 95 new known exploited vulnerabilities to its Known Exploited Vulnerabilities Catalog.

This catalog provides Federal Civilian Executive Branch (FCEB) agencies with a list of vulnerabilities that are known to be exploited in the wild and gives the agencies a due date by when the vulnerability needs to be patched in their organization.

But even if your organization isn’t an FCEB agency that needs to follow Binding Operational Directive 22-01, the CISA list can act as a good guide for your patch management strategy.

95 new ones?

CISA normally sends out a mail every few days in which it details a few important vulnerabilities it’s added to the Catalog. However, on March 3 it didn’t even enumerate the list. Instead, it just emailed a link to the Catalog and included instructions on how to find the most recently added vulnerabilities. If you’re looking yourself, you need to click on the arrow of the “Date Added to Catalog” column, which will sort by descending dates.

Not so new

The first thing that jumped out at me is that these vulnerabilities were not all very new at all. The oldest vulnerability on that list is CVE-2002-0367, an almost 20-year-old vulnerability in Windows NT and Windows 2000. In fact, only 5 vulnerabilities were patched in 2022. All of these, by the way, apply to Cisco’s Small Business RV160, RV260, RV340, and RV345 series routers.

This brings me to the next thing that is remarkable. 38 of the 95 added vulnerabilities are for Cisco products. Other products include those by Microsoft (27), Adobe (16), and Oracle (7).

Of the Adobe vulnerabilities, nine were found in Flash Player. Adobe Flash Player reached End of Life (EOL) on December 31, 2020, after the EOL was first announced in 2017. Since Adobe no longer supports Flash Player, on January 12, 2021, the company started blocking Flash content from running. In fact, Adobe strongly recommends that all users immediately uninstall Flash Player to help protect their systems.

Possible reasons

Pondering the reason for CISA to suddenly add 95 vulnerabilities to its list, I came up with the following options:

  • It suddenly became aware of several old vulnerabilities that were nonetheless still being exploited.
  • It suddenly decided to list vulnerabilities in software that has long reached EOL but may still be widely used.
  • The nature of actively exploited vulnerabilities has changed.

Some examples

Personally, I suspect that the nature of the actively exploited vulnerabilities has changed. Last year, you would typically see exploited vulnerabilities that would allow an attacker to breach a network or compromise a system to gain a foothold. This allows attackers to exfiltrate data, plant ransomware, and carry out other criminal activities that could lead to financial gain.

However, looking at some of the vulnerabilities that were included in this list of 95, I noticed that many could lead to Denial-of-Service (DoS) attacks.

Examples:

  • A vulnerability in Siemens SIMATIC CP 1543-1 versions before 2.0.28 allows remotely authenticated users to cause a denial of service by modifying SNMP variables.
  • Multiple Cisco vulnerabilities on this list that could result in a DoS condition or cause an affected system to reload.

Other vulnerabilities could allow attackers to run arbitrary code or cause a denial of service. For example, a PowerPoint vulnerability that has been around since 2015 was found in 2018 to have been used by the Russian state-sponsored team APT28 (aka Fancy Bear).

Some Flash Player vulnerabilities were found to be used in targeted attacks. The suspect in this case was APT37, also known as the North Korean “Lazarus” group.

A vulnerability in older Windows versions (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1) would allow remote attackers to execute arbitrary code via a crafted OLE object in an Office document. The use of this exploit was attributed to the Russian “SANDWORM” operation.

I also found an Elevation of Privilege (EoP) vulnerability in Windows Installer on the CISA list that would allow an attacker to delete targeted files on a system. However, they would NOT gain privileges to view or modify file contents.

Other interesting items on the list are some IoT vulnerabilities that got some fame in 2020 under the name Ripple20. Successful exploitation of these vulnerabilities could result in denial of service, information disclosure or remote code execution.

So, is it just me or is there a trend here that shows vulnerabilities that were previously hard to exploit for financial gain, but are perfectly usable to disrupt operations? Could it be that, no surprise, the war in Ukraine has changed the nature of the actively exploited vulnerabilities?

According to Adam Kujawa, Security Evangelist and Director of Malwarebytes’ Threat Intel team:

“In 2007, we observed Russian sympathizers online utilizing hacking tools to launch disruption attacks against Georgian news networks and government networks, to prevent information from flowing to the public while Russia had troops roll in. Similar events have happened in Estonia, and Russian sponsored hackers are known to utilize Ukrainian networks as a kind of “playground” for their attacks, shutting off power grids and other critical infrastructure, launching massive supply chain attacks against them (as in the case of NotPetya). And those are just some of the attacks we know about.

With that in mind, I believe that while many of these vulnerabilities are useless against actual intrusion and espionage, the exploits developed from them will be used to disrupt and degrade rather than collect.

I am not sure how many of these have been used in the wild, and while it is great to see CISA be proactive in spreading this information, I must wonder how much of the information will get to those protecting networks in Ukraine? Could it be that CISA may have just handed over the knowledge about various disruptive exploits that will work on unpatched systems, to be used against those who don’t have endpoint patching as their top priority?”

Mitigation

Given the varied nature of the list, the most actionable advice is to keep an eye on the Known Exploited Vulnerabilities Catalog. To make things easier, you can subscribe to receive the updates. Besides the usual security advice, now seems to be a good time to invest in clever patch management, and to ditch software that has reached EOL and no longer receives security updates.
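As an added example (not code from the original post), the PowerShell function below does the sorting by date added described earlier and the per-vendor and CVE-age triage the article walks through by hand, plus a check for missed due dates. The records are constructed samples in the field layout of CISA’s JSON feed, not real catalog data, and the CVE IDs marked XXXX are placeholders.

```powershell
# Added example, not part of the original post: triage a batch of catalog
# entries (sort by date added, count per vendor, flag very old CVEs and
# missed due dates). Sample records below are constructed; IDs with XXXX are
# placeholders, only CVE-2002-0367 comes from the article.
$SampleKev = @'
{ "vulnerabilities": [
  { "cveID": "CVE-2002-0367",  "vendorProject": "Microsoft", "product": "Windows NT/2000", "dateAdded": "2022-03-03", "dueDate": "2022-03-17" },
  { "cveID": "CVE-2022-XXXX1", "vendorProject": "Cisco",     "product": "RV340 router",    "dateAdded": "2022-03-03", "dueDate": "2022-03-17" },
  { "cveID": "CVE-2022-XXXX2", "vendorProject": "Cisco",     "product": "RV160 router",    "dateAdded": "2022-03-03", "dueDate": "2022-03-17" },
  { "cveID": "CVE-2018-XXXX3", "vendorProject": "Adobe",     "product": "Flash Player",    "dateAdded": "2022-03-03", "dueDate": "2022-09-03" },
  { "cveID": "CVE-2021-XXXX4", "vendorProject": "Cisco",     "product": "IOS XR",          "dateAdded": "2022-02-25", "dueDate": "2022-03-11" }
] }
'@

function Get-KevTriage {
    param(
        [Parameter(Mandatory)][string]$Json,
        [Parameter(Mandatory)][datetime]$AddedSince,   # keep entries added on/after this date
        [datetime]$AsOf = (Get-Date)                   # reference date for age and overdue checks
    )
    # Newest additions first, the same view as sorting "Date Added to Catalog" descending
    $entries = (ConvertFrom-Json $Json).vulnerabilities |
        Where-Object { [datetime]$_.dateAdded -ge $AddedSince } |
        Sort-Object { [datetime]$_.dateAdded } -Descending

    # Vendor breakdown in the article's "Cisco (38)" style, most entries first
    $byVendor = $entries | Group-Object vendorProject | Sort-Object Count -Descending |
        ForEach-Object { '{0} ({1})' -f $_.Name, $_.Count }

    $detail = foreach ($e in $entries) {
        $year = [int]($e.cveID -replace '^CVE-(\d{4})-.*$', '$1')   # year from the CVE ID
        [pscustomobject]@{
            CveID     = $e.cveID
            Vendor    = $e.vendorProject
            Product   = $e.product
            DateAdded = $e.dateAdded
            DueDate   = $e.dueDate
            AgeYears  = $AsOf.Year - $year                 # 20 for CVE-2002-0367 as of 2022
            Overdue   = [datetime]$e.dueDate -lt $AsOf     # BOD 22-01 due date already passed
        }
    }
    [pscustomobject]@{ ByVendor = $byVendor; Entries = $detail }
}

$triage = Get-KevTriage -Json $SampleKev -AddedSince '2022-03-01' -AsOf '2022-03-20'
$triage.ByVendor
$triage.Entries | Format-Table -AutoSize
```

To run this against the real catalog, load CISA’s JSON feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) with Invoke-WebRequest or Get-Content -Raw and pass its content as -Json.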

Stay safe, everyone!

The post CISA list of 95 new known exploited vulnerabilities raises questions appeared first on Malwarebytes Labs.