IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

Linux “Dirty Pipe” vulnerability gives unprivileged users root access

A vulnerability in the Linux kernel, nicknamed “Dirty Pipe”, allows an unprivileged user to overwrite data in read-only files. This can lead to privilege escalation as a result of unprivileged processes being able to inject code into root processes.

If you’re not sure what that means but you think it sounds bad—you are correct!

The vulnerability was found and explained in detail by Max Kellermann of CM4all. The affected Linux kernel versions are 5.8 and above. The fixed versions are 5.16.11, 5.15.25 and 5.10.102.

CVE-2022-0847

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Dirty Pipe is the nickname for the vulnerability listed as CVE-2022-0847.

It is described as a flaw in the way the “flags” member of the new pipe buffer structure was lacking proper initialization in the copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read-only files and as such escalate their privileges on the system.

To understand the name you need to know that a pipe is a data buffer in a Linux system’s memory that can be used as if it was a file. Pipes are used to pass information from one program to another by storing the output of the first program and then passing it to the second. For example, if you want to pass information from the list command ls to the paging program less, you’d join them with a pipe. On the command line, it looks like ls | less.

The Dirty Pipe vulnerability can be abused by creating a pipe—which the attacker has permission to change—and then confusing the Linux kernel into thinking that the pipe is a file the attacker doesn’t have permission to change.

If you are up for a full technical analysis, and would like to read about the journey of finding this vulnerability, feel free to read Max Kellermann’s post.

For those that want the short, less technical version, the confusion in the Linux kernel is created by making use of the page cache. Cached pages are temporary copies of files in a system’s memory that are created to make the handling of frequently used files faster. The vulnerability allows the attacker to make changes to the cached copy of a file that should be “read-only” for a user without root permissions.

In this way, it is possible for an attacker to gain root privileges, which ultimately allows them to take control of an affected system.

Impact

The vulnerability is serious enough for the Cybersecurity and Infrastructure Security Agency (CISA) to issue a warning about it. Maybe because this vulnerability is similar to an older vulnerability disclosed in 2016, Dirty COW (CVE-2016-5195), which has been actively exploited by malicious actors since then. And according to the experts, this vulnerability is easier to exploit than Dirty COW was.

Proof-of-concept code has already been published by several researchers.

And while many readers may think: “Oh, it’s Linux, nothing for me to worry about”, the Linux kernel underpins an enormous number of websites and cloud services, and is a base for many other operating systems.

The Linux kernel is an extremely important part of the software on nearly every Android device, and some smartphones are therefore vulnerable to Dirty Pipe.

Mitigation

The vulnerability was fixed in Linux 5.16.11, 5.15.25 and 5.10.102, so make sure to get those or a later one if you are a Linux user.

For Android users it is a bit more complicated. There are so many devices and kernel versions that it is hard to give a clear statement. We can say that version 5.x under normal circumstances will only be found on the latest models. My smartphone (1 year old) and many other legacy devices are not vulnerable, because the vulnerability does not affect 4.x versions, which account for the majority of devices from Google and other vendors. You can view your kernel version under Settings > About phone > Android/Software version > Kernel version. Android users with 5.x versions should check whether they are vulnerable and, if so, be on the lookout for an update to be rolled out to fix this vulnerability.
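As an added check that is not part of the original post, the following Python script compares a kernel release string (the output of uname -r) against the version facts stated above. Treating the branches the post does not list (5.8 to 5.9 and 5.11 to 5.14) as unpatched and 5.17 and later as fixed is an assumption, and distribution kernels that backport the fix without changing the version string will be misclassified, so confirm with your vendor’s advisory.

```python
"""Kernel-version check for CVE-2022-0847 ("Dirty Pipe").

Added example; not code from the original post. It encodes only the version
facts the post states: affected kernels are 5.8 and above, and fixes landed
in 5.16.11, 5.15.25 and 5.10.102. Assumptions: branches the post does not
mention (5.8-5.9, 5.11-5.14) are treated as unpatched, and 5.17+ as fixed.
Distribution kernels that backport the fix without bumping the version
string are not recognised; check the vendor advisory for those.
"""
import platform
import re

FIRST_AFFECTED = (5, 8, 0)

# Fixed stable releases named in the post, keyed by (major, minor) branch.
FIXED_IN = {
    (5, 10): (5, 10, 102),
    (5, 15): (5, 15, 25),
    (5, 16): (5, 16, 11),
}

# Assumption: every mainline release from 5.17 onwards carries the fix.
FIRST_FIXED_MAINLINE = (5, 17, 0)


def parse_kernel_version(release: str) -> tuple[int, int, int]:
    """Turn a `uname -r` string such as '5.15.0-25-generic' into (5, 15, 0).

    Only the leading numeric components are read; distribution suffixes
    ('-25-generic', '-rc1', '.el8') are ignored.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def dirty_pipe_status(release: str) -> str:
    """Classify a release string as 'not affected', 'fixed' or 'vulnerable'."""
    v = parse_kernel_version(release)
    if v < FIRST_AFFECTED:
        return "not affected"          # 4.x and 5.0-5.7 were never affected
    if v >= FIRST_FIXED_MAINLINE:
        return "fixed"
    fixed_release = FIXED_IN.get(v[:2])
    if fixed_release is not None and v >= fixed_release:
        return "fixed"                 # stable branch with the backported fix
    return "vulnerable"                # 5.8+ without a listed fix


if __name__ == "__main__":
    release = platform.release()
    print(f"{release}: {dirty_pipe_status(release)}")
```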

Stay safe, everyone!

The post Linux “Dirty Pipe” vulnerability gives unprivileged users root access appeared first on Malwarebytes Labs.

Ransomware: February 2022 review

The Malwarebytes Threat Intelligence team continuously monitors the threat landscape to stay on top of existing and emerging attacks. In this February 2022 ransomware review, we go over some of the most successful ransomware incidents based on both open source and dark web intelligence.


BlackByte

  • Observed since: July 2021
  • Ransomware note: BlackByteRestore.txt
  • Ransomware extension: .BlackByte
  • Kill Chain: Some victims reported that attackers used known Microsoft Exchange Server vulnerabilities to gain access to their networks > BlackByte Ransomware
  • Sample hash: 1df11bc19aa52b623bdf15380e3fded56d8eb6fb7b53a2240779864b1a6474ad

HermeticRansom (PartyTicket)

  • Observed since: February 2022
  • Ransomware note: read_me.html
  • Ransomware extension: <original file name>.[vote2024forjb@protonmail[.]com].encryptedJB
  • Kill Chain: On Feb. 23, 2022, destructive attacks were conducted against Ukrainian entities. Industry reporting has claimed the Go-based ransomware dubbed PartyTicket (or HermeticRansom) was identified at several organizations affected by the attack.
  • Sample hash: 4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

SFile (Escal)

  • Observed since: February 2022
  • Ransomware note: .<company_name>.!README.log
  • Ransomware extension: .<company_name>.<random>
  • Kill Chain: Smaller ransomware strains used in targeted attacks
  • Sample hash: 6a7cef95a501cce16dce6f5a645fc97c4bcbb568c83dde5a7f2e4a0d7555dd98

LockBit 2.0

  • Observed since: September 2019
  • Ransomware note: Restore-My-Files.txt
  • Ransomware extension: .lockbit
  • Kill Chain: Brute force attack on a web server containing an outdated VPN service > LockBit Ransomware
  • Sample hash: 9feed0c7fa8c1d32390e1c168051267df61f11b048ec62aa5b8e66f60e8083af

Magniber

  • Observed since: October 2017
  • Ransomware note: readme.txt
  • Ransomware extension: dihlxbl
  • Kill Chain: Distributed via Microsoft Edge and Google Chrome (Korean users)
  • Sample hash: 06ea8f2b8b70b665cbecab797125733f75014052d710515c5ca2d908f3852349

Surtr

  • Observed since: December 2021
  • Ransomware note: SURTR_README.hta
  • Ransomware extension: .surtr
  • Kill Chain: Spear-Phishing > MalDoc > Surtr Ransomware
  • Sample hash: 40e5bb0526169c02126ffa60a09041e5e5453a24b26bc837036748b150fa3fae

Sugar

  • Observed since: January 2021
  • Ransomware note: BackFiles_encoded01.txt
  • Ransomware extension: .Encoded01
  • Kill Chain: Spear-Phishing > MalDoc > Sugar Ransomware
  • Sample hash: 4a97bc8111631795cb730dfe7836d0afac3131ed8a91db81dde5062bb8021058

Conti

  • Observed since: June 2021
  • Ransomware note: CONTI.txt, R3ADM3.txt, readme.txt, CONTI_README.txt
  • Ransomware extension: .CONTI
  • Kill Chain: Spear-Phishing > Bazar backdoor, or IcedID > Cobalt Strike > Conti Ransomware
  • Sample hash: 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59

Mitigations

Source: IC3.gov

  • Implement regular backups of all data to be stored as air-gapped, password-protected copies offline. Ensure these copies are not accessible for modification or deletion from any system where the original data resides.
  • Implement network segmentation, such that all machines on your network are not accessible from every other machine.
  • Install and regularly update antivirus software on all hosts, and enable real-time detection.
  • Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
  • Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
  • Audit user accounts with administrative privileges and configure access controls with the least privilege in mind. Do not give all users administrative privileges.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs for any unusual activity.
  • Consider adding an email banner to emails received from outside your organization.
  • Disable hyperlinks in received emails.
  • Use two-factor authentication when logging into accounts or services.
  • Ensure routine auditing is conducted for all accounts.
  • Ensure all the identified IOCs are input into the network SIEM for continuous monitoring and alerts.

How Malwarebytes protects against ransomware

Malwarebytes can protect systems against all ransomware variants in several ways.

The Malwarebytes Anti-Malware technology detects malicious files, browser modifications, and system modifications on Windows PCs using a combination of signature-based and signatureless technologies. This layer of protection detects the ransomware binary itself. Detections can happen in real time as the binary is run, or the infection can be rooted out from an already-compromised machine by conducting a full system scan.

Anti-Ransomware is a signatureless technology in charge of monitoring system activity of processes against a certain subset of data in specific locations on the endpoint. Using patented technology, Anti-Ransomware assesses changes in those data files. If an internal scoring threshold is crossed by a monitored process, it triggers a detection from the Anti-Ransomware component.

For those already infected, Ransomware Rollback can help recover encrypted files within 72 hours of the attack. Rollback creates a local cache on the endpoint to store changes to files on the system. It can use this cache to help revert changes caused by a threat. The Rollback feature is dependent on activity monitoring available in Malwarebytes Endpoint Detection and Response.

Recommended reading: How to protect your RDP access from ransomware attacks

The post Ransomware: February 2022 review appeared first on Malwarebytes Labs.

Brave browser goes the extra mile to block third party cookies

Brave is testing a new feature to stop bounce tracking, a sneaky method that websites use to load third-party tracking cookies so they can gather more information about who is visiting their site.

The Brave browser

As you may remember from our post about the best browsers for privacy and security, Brave is a Chromium-based browser that blocks unwanted content by default and does not need much tinkering to keep you safe and private. Brave is available for Windows, macOS, Linux, iOS, and Android.

Brave Nightly is the version of Brave that is used for testing and development. The releases are updated every night, hence the name, and may contain bugs. Nightly automatically sends out crash reports when things go wrong. Nightly is now used to test a feature that’s designed to prevent what’s known as bounce tracking.

Why third party cookies are out of fashion

Many browsers and, especially, ad-blockers will refuse to load third-party cookies, which are cookies that do not originate from the site that you are currently visiting. From a website administrator’s point of view, third-party cookies are tracking codes that are placed on a web visitor’s computer after being generated by a website other than their own. When a web visitor visits their site and others, the third-party cookie tracks this information and sends it to the third party who created the cookie. The most common third parties are advertisers, marketers, and social media platforms.

Google has long since changed its ways and adopted other methods of tracking users. But not everyone is a tech giant with the necessary resources to pull that off, so some have resorted to bounce tracking.

Bounce tracking

Tracking protection has become a mainstream feature in many browsers these days, including Apple’s Safari, Mozilla’s Firefox, and Microsoft’s Edge. So the targeted ad industry felt it had to find a way to circumvent those measures. Enter bounce tracking, also known as redirect tracking. Another, even more invasive method is fingerprinting, which identifies users based on their computers’ unique attributes.

Bounce tracking abuses the fact that browsers’ anti-tracking tools generally allow sites to store their own cookies so they can remember repeat visitors. To limit their tracking to first-party cookies, a site that wants to track you can load an intermediary site—or tracking site—first before transferring you to the intended destination. The intermediary site sets a first-party cookie along the way, and each time you cross through it, it gathers more information about where you’ve been and where you’re going.

But there are other methods of bounce tracking like link decoration, which means a website can add a unique identifier to the links you click on, serving as a flag to the next site you visit. The destination site can then store the identifier in a first-party cookie on the original site’s behalf, letting it track your activity. The more this happens on additional sites, the more the original site can track you without ever using third-party cookies. Facebook adverts use this method in the fbclid parameter which allows the destination site to recognize you as a specific Facebook user.

Stopping bounce tracking

Some browsers have some methods to detect and stop bounce tracking but it is not always easy, since the browser doesn’t know beforehand that it will be directed through a tracking site.

In a privacy update, Brave explained how it plans to improve the existing methods. It is calling the new feature Unlinkable Bouncing. The browser will notice when you’re about to visit a privacy harming (or otherwise suspect) website, and route that visit through a new, temporary browser storage. This prevents the site from identifying you by tying your footprint to that of previous visits, but allows the site to otherwise function as normal because your visit will look like a unique, first-time visit. The temporary storage is then deleted when you browse away from the suspect site, preventing the site from re-identifying you on future visits.

The Unlinkable Bouncing feature is now enabled in Brave Nightly, and will be in Brave’s full release on version 1.37.

A possible weak point in the Unlinkable Bouncing feature is that it relies on consulting filter lists, but you can think of it as an extra layer on top of the existing features designed to stop bounce tracking, like the query parameter stripping, debouncing, and bounce-tracking interstitial features.
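The following Python model is an added example, not Brave’s code, that plays out the intermediary-site bounce described under “Bounce tracking” and the temporary-storage countermeasure described under “Stopping bounce tracking”. The hosts, the tracker, the cookie jars and the one-entry “suspect site” list standing in for Brave’s filter lists are all constructed for the demonstration.

```python
"""Toy model of bounce tracking and of the Unlinkable Bouncing countermeasure.

Added example; not Brave's implementation. Every host name below is
constructed, and SUSPECT_SITES is an assumption standing in for the filter
lists the post says the feature consults.
"""
import itertools

TRACKER = "bounce.example"     # constructed intermediary tracking host
SUSPECT_SITES = {TRACKER}      # assumption: the host the filter list flags


class Browser:
    """Minimal browser: one persistent first-party cookie jar per site."""

    def __init__(self, unlinkable_bouncing: bool) -> None:
        self.unlinkable_bouncing = unlinkable_bouncing
        self.jars: dict[str, dict[str, str]] = {}
        self.tracker_saw: list[str] = []     # ids the tracker logged, in order
        self._ids = itertools.count()        # deterministic id generator

    def storage_for(self, site: str) -> dict[str, str]:
        """Return the storage a site may read and write during this visit."""
        # Unlinkable Bouncing: a suspect site gets fresh, empty storage for
        # this visit only. It is discarded afterwards, so nothing survives
        # to link this visit to earlier or later ones.
        if self.unlinkable_bouncing and site in SUSPECT_SITES:
            return {}
        # Normal behaviour: first-party cookies persist across visits, which
        # is exactly what the intermediary site relies on.
        return self.jars.setdefault(site, {})

    def navigate(self, chain: list[str]) -> str:
        """Follow a redirect chain such as [origin, tracker, destination]."""
        for site in chain:
            store = self.storage_for(site)
            if site == TRACKER:
                # The intermediary sets a first-party id cookie on the first
                # pass and reads the same one back on later passes, so every
                # bounce through it adds to one profile.
                uid = store.setdefault("uid", f"id{next(self._ids)}")
                self.tracker_saw.append(uid)
        return chain[-1]


def tracker_view(unlinkable_bouncing: bool, visits: int = 3) -> list[str]:
    """Bounce through the tracker `visits` times and return the ids it logged."""
    browser = Browser(unlinkable_bouncing)
    for i in range(visits):
        browser.navigate([f"site{i}.example", TRACKER, "destination.example"])
    return browser.tracker_saw


def is_linkable(ids: list[str]) -> bool:
    """True if the tracker could tie all logged visits to one identifier."""
    return len(ids) > 1 and len(set(ids)) == 1


if __name__ == "__main__":
    for enabled in (False, True):
        ids = tracker_view(enabled)
        verdict = "linkable" if is_linkable(ids) else "unlinkable"
        print(f"Unlinkable Bouncing {'on ' if enabled else 'off'}: {ids} -> {verdict}")
```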

Stay safe, everyone!

The post Brave browser goes the extra mile to block third party cookies appeared first on Malwarebytes Labs.

Extortion scheme impersonates government officials, law enforcement

The FBI issued a public warning this week about a fraud scheme wherein scammers impersonate government officials and law enforcement personnel. According to the PSA, the scammers spoof legitimate numbers and names and use fake credentials of well-known members of the government and law enforcement agencies.

The scam starts off either as a call from the “police” or a text message from a “government agency”. The content of the calls and text messages vary, but they are all bogus.

In the case of phone calls, victims are either informed that their identities have been used in a crime, such as drug dealing or money laundering, or told they missed jury duty. The victim is then pressed to verify their identity using their social security number (SSN) or date of birth (DOB). If the victim resists, they are threatened with fines, arrest and imprisonment.

The text messages don’t involve accusations but instead ask victims for information related to either passport, driver’s license, or medical license renewals. The scammers threaten the revocation of licenses or registration if the victims refuse to renew or hand over the information.

Other tactics include extorting money from romance scam victims to “clear their name for participating in a crime” or as a means to aid law enforcement in capturing their romance scammer. The scammers also impersonate law enforcement and say they are collecting taxes and fees from lottery scam victims. Lastly, the scammers call victims to tell them they are due to receive a government grant, but say they need to pay some money before they can claim it.

Victims are offered a variety of means of payment, including prepaid cards, wire transfers, and cash sent by mail or cryptocurrency ATMs.

The FBI says legitimate law enforcement personnel and government officials would never request payment via the above means. It also reminds people to never give out personal information over the phone without verifying that the caller is who they say they are.

The warning included some red flags to pick up on: “Scammers will use an urgent and aggressive tone, refusing to speak to or leave a message with anyone other than their targeted victim; and will urge victims not to tell anyone else, including family, friends, or financial institutions, about what is occurring.”

The post Extortion scheme impersonates government officials, law enforcement appeared first on Malwarebytes Labs.

Azure AutoWarp brings automation headaches

Azure is Microsoft’s cloud computing service providing a wide range of features for businesses worldwide. It’s particularly popular for its virtual machines and IaaS (infrastructure as a service). One useful Azure feature is Automation, which has been around for some years now. Management tasks can be automated across multiple external systems. This is where the latest vulnerability tale begins.

Researchers at Orca Security have discovered an issue with Azure which they’ve called “AutoWarp”. The issue allows for attackers to grab authentication tokens and grant unauthorised access to accounts. As per the research itself, AutoWarp could mean “…full control over resources and data belonging to the targeted account, depending on the permissions assigned by the customer”.

How could this issue be used in an attack?

The flaw enables interaction with servers managing sandboxes belonging to other entities. The tokens—used to confirm a user has the correct permissions to access Azure—could be grabbed via automation jobs.

Here’s a description of what went down from the Microsoft Security Response Center:

An Azure automation job can acquire a Managed Identities token for access to Azure resources. The scope of the token’s access is defined in Automation Account’s Managed Identity. Due to the vulnerability, a user running an automation job in an Azure Sandbox could have acquired the Managed Identities tokens of other automation jobs, allowing access to resources within the Automation Account’s Managed Identity.

A timeline of token disaster…almost

This flaw was reported to Microsoft on December 6, 2021 and it was fixed by December 10. The researchers then went hunting for other similar attacks. The good news is, they don’t appear to have found any. Not only that, but it also seems there’s no evidence of this having been exploited out in the wild.

As the Orca blog points out, you may well have been vulnerable to this problem before Microsoft fixed it if you used the Automation service and the related managed identity function was enabled by default. Even so: no examples of exploitation in the wild. That’s as good an end result as we can possibly hope for, given how many organisations may have been running with default configurations.

Why Azure is an appealing target for attackers

Anything cloud based is always going to be a hot target for people up to no good. Depending on the setup, attackers may be able to impact multiple people and companies all in one go. Exfiltration, ransomware, and blackmail all go well alongside vulnerable cloud services. This is why flaws like the above are taken so seriously.

Whether we’re talking about OMIGOD exposing virtual machines, the Mirai botnet, brute forcing, or four-year long source code leak bugs, the cloud space has been affected by many issues. Organisations place a lot of trust in cloud services, and they expect secure platforms and data that’s kept safe from prying eyes and sticky fingers.

You can’t guarantee something is 100% foolproof. Even so, the above is a great example of getting an issue resolved in a very short timeframe. We can only hope to see more of this the next time a cloud-based service runs into trouble.

The post Azure AutoWarp brings automation headaches appeared first on Malwarebytes Labs.

RagnarLocker ransomware gang breached 52 critical infrastructure organizations

In a FLASH publication issued by the FBI in coordination with DHS/CISA, the FBI says it has identified at least 52 organizations across 10 critical infrastructure sectors affected by RagnarLocker ransomware, including organizations in the critical manufacturing, energy, financial services, government, and information technology sectors.

Threat profile

RagnarLocker can be recognized by the extension of the encrypted files, which contains “.RGNR_<ID>” or “.ragnar_<ID>”, where <ID> is a hash of the computer’s NETBIOS name.

The ransom note is called “.RGNR_[extension].txt” and states the files and data have been encrypted by RAGNAR_LOCKER.


Exfiltrated data of victims that refuse to pay will be published on the “Wall of Shame” leak site.


RagnarLocker iterates through all running services and terminates services commonly used by Managed Service Providers (MSPs) to remotely administer networks. The malware then attempts to silently delete all Volume Shadow Copies, preventing user recovery of encrypted files.

Don’t call the cops

In the past, RagnarLocker has warned victims explicitly against contacting the FBI, or other law enforcement agencies for that matter. In September 2021, the ransomware operators threatened to publish all the data of victimized organizations that seek help from law enforcement or investigators following ransomware attacks.

But, in the wake of recent high-profile cyber and ransomware attacks, Congress and the Biden administration have joined forces to drive policy changes that would require organizations to report certain cyber incidents to the federal government. Importantly, the legislation would give organizations 72 hours to report a cyber incident. Ransomware attacks by an entity believed to originate from the CIS would certainly qualify as such.

The FBI urges you to report ransomware incidents to your local field office. Doing so provides investigators and analysts with the critical information they need to track ransomware attackers, hold them accountable under US law, and prevent future attacks.

The FBI says it would like the following information:

Short term items:

  • Copy of the ransom note (screen shot/picture/text file)
  • Any discovered malicious IPs with time stamps/time zones (unusual RDP connections/unusual VPN connections/beacons to malicious IPs)
  • Virtual currency addresses/amount of demand
  • Any malicious files (executables/binaries)
  • Summary of timeline of events (dates of initial observation/malicious activity)
  • Evidence of data exfiltration

Long term items:

  • Brief summary of where the IOCs came from
  • Incident response report
  • Copy of any communications with malicious actors
  • Forensic images and memory captures
  • Host and network logs
  • Any available decryptor
  • Scope of impact (amount of loss)

CIS

As mentioned in our blog post Ransomware’s Russia problem, RagnarLocker is believed to be of Russian origin and will try to avoid making victims in the Commonwealth of Independent States (CIS). To do so, RagnarLocker uses the Windows API GetLocaleInfoW to identify the location of the infected machine. If the victim location is identified as “Azerbaijani,” “Armenian,” “Belorussian,” “Kazakh,” “Kyrgyz,” “Moldavian,” “Tajik,” “Russian,” “Turkmen,” “Uzbek,” “Ukrainian,” or “Georgian,” the process terminates.

IOCs

In the pdf file that carries FLASH Number CU-000163-MW you can find the current IOCs, including IP addresses, Bitcoin addresses, and email addresses.

Mitigation

To stay out of the claws of the RagnarLocker group the usual mitigation techniques for ransomware apply. The FBI lists:

  • Use multi-factor authentication with strong passwords, including for remote access services.
  • Keep computers, devices, and applications patched and up-to-date.
  • Monitor cyberthreat reporting regarding the publication of compromised VPN login credentials and change passwords and settings.
  • Consider adding an email banner to emails received from outside your organization.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Implement network segmentation.

The FBI recommends backup strategies to speed up recovery from a ransomware attack:

  • Back-up critical data offline.
  • Ensure copies of critical data are in the cloud or on an external hard drive or storage device. This information should not be accessible from the compromised network.
  • Secure your backups and ensure data is not accessible for modification or deletion from the system where the data resides.

Stay safe, everyone!

The post RagnarLocker ransomware gang breached 52 critical infrastructure organizations appeared first on Malwarebytes Labs.

FormBook spam campaign targets citizens of Ukraine

Our Threat Intelligence team has been closely monitoring cyber threats related to the war in Ukraine. Today, we discovered a malicious spam campaign dropping the Formbook stealer specifically targeting Ukrainians.

Formbook is part of a long-running malspam operation that we observe on a regular basis. This time, the email lure is written in Ukrainian and tricks victims into opening an alleged letter of approval to receive funds from the government.


The email can be translated as:

Dear citizens, we inform you that you are not alone in this difficult time, we in the authorities are doing everything possible to protect our citizens.

All citizens receive support from the Federal Government in the amount of 15,000, we want to say that you must protect each other, this is a difficult time for everyone, together with God we will fight this difficult time.

Your letter of approval is added

Sincerely.

Upon opening the file called лист підтримки.xlsx (support letter.xlsx), an exploit for CVE-2017-11882 will attempt to compromise the machine in order to download the Formbook payload from a remote server.

This is not the first — and certainly won’t be the last — time we see threat actors taking advantage of crises. As heartless as it looks, we realize that malware and criminal operations are always ongoing.

Malwarebytes customers were protected from this attack thanks to our Anti-Exploit protection layer.

Indicators of Compromise

Email subject

лист схвалення касового забезпечення – міністр

Formbook maldoc

лист підтримки.xlsx
7d39e6ca46c053c1ad744de1ca8867217596bb17bb673785eb8827b00c5ae05b

Formbook URL

103.167.92[.]57/xx_cloudprotect/vbc.exe

Formbook payload

b5f79bb30d60794b7edbf486fa96a11c1ac3ba34592a496379020e8379f281be

The post FormBook spam campaign targets citizens of Ukraine appeared first on Malwarebytes Labs.

Update now! Microsoft patches three zero-day vulnerabilities on Patch Tuesday

The updates for Microsoft’s March 2022 Patch Tuesday should fix 92 vulnerabilities, including three zero-day vulnerabilities.

Of the 92 vulnerabilities, 21 are for Microsoft Edge and originate from the Chromium Project. Of the 71 others, three are classified as Critical because they allow remote code execution (RCE).

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Let’s have a look at the most interesting ones that were patched in this Patch Tuesday update.

The first three are publicly disclosed vulnerabilities, which makes them zero-day vulnerabilities, but so far none of them has been seen to be exploited in the wild.

Remote Desktop Client

CVE-2022-21990: A Remote Desktop Client remote code execution vulnerability. In the case of a Remote Desktop connection, an attacker with control of a Remote Desktop Server could trigger a remote code execution (RCE) on the RDP client machine when a victim connects to the attacking server with the vulnerable Remote Desktop Client. This vulnerability might be hard to exploit since it requires an attacker to control a malicious server and that the user must willingly connect to it. There is Proof-of-Concept (PoC) code available for this vulnerability.

Windows Fax and Scan service

CVE-2022-24459: Windows Fax and Scan service elevation of privilege vulnerability is an LPE (local privilege escalation) vulnerability in the Windows Fax and Scan service. An LPE vulnerability means that an attacker should already have some level of access and can take their privileges to a higher level by exploiting this vulnerability. Such vulnerabilities can be useful in an attack chain. There is Proof-of-Concept (PoC) code available for this vulnerability.

.NET and Visual Studio

CVE-2022-24512: A .NET and Visual Studio Remote Code Execution vulnerability. The ability to exploit this vulnerability by itself is limited. An attacker would need to combine this with other vulnerabilities to perform an attack. This is because successful exploitation of this vulnerability would require a user to trigger the payload in the application.

Next up are the vulnerabilities that were rated as critical.

Exchange Server

CVE-2022-23277: A Microsoft Exchange Server remote code execution vulnerability. An attacker could target the server’s accounts to achieve arbitrary or remote code execution. As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server’s account through a network call. So the attacker needs some form of authentication to exploit this vulnerability, which makes it all the more important to change or remove compromised accounts. Stolen or leaked credentials can be used to wreak havoc.

HEVC video extensions

CVE-2022-24508: A HEVC Video Extensions arbitrary code execution vulnerability. The High Efficiency Video Coding (HEVC) extensions allow a user to play back files in HEVC format. An attacker could exploit the vulnerability by convincing a victim to download and open a specially crafted file, which could lead to a crash. The Microsoft Store will automatically update affected customers. Alternatively, customers can get the update immediately.

VP9 video extensions

CVE-2022-24501: A VP9 Video Extensions arbitrary code execution vulnerability. Very much the same as the above: an attacker could exploit the vulnerability by convincing a victim to download and open a specially crafted file, which could lead to a crash. VP9 is the successor to VP8 and competes with HEVC.

Finally, one vulnerability that is listed as Important and not as Critical, but which looks like a likely candidate to be exploited.

SMBv3 client/server

CVE-2022-24508: A Windows SMBv3 client/server remote code execution vulnerability. The vulnerability exists in a new feature that was added in Windows 10 version 2004 and is present in newer supported versions of Windows. Older versions of Windows are not affected. The attacker needs to be authenticated to exploit the vulnerability. The Microsoft page provides a workaround for administrators who cannot patch immediately, which consists of disabling SMBv3 compression on the server.
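The following is an added example, not code from the Malwarebytes post or from Microsoft: a PowerShell snippet for an administrator to audit, apply and later roll back the SMBv3 compression workaround. The registry path and the DisableCompression value are taken from Microsoft's published workaround rather than from this page; the function names are this example's own.

```powershell
# Added example (not from the original post): audit and apply the SMBv3
# compression workaround for CVE-2022-24508 on a Windows SMB server.
# Registry location and value name come from Microsoft's workaround, not
# from this page. Run from an elevated PowerShell session.

$SmbServerParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$CompressionValue = 'DisableCompression'

function Get-SmbCompressionState {
    # Returns 'Disabled' when the workaround is in place, otherwise 'Enabled'.
    # A missing value means the default (compression enabled).
    $current = (Get-ItemProperty -Path $SmbServerParams -Name $CompressionValue `
                -ErrorAction SilentlyContinue).$CompressionValue
    if ($current -eq 1) { 'Disabled' } else { 'Enabled' }
}

function Disable-SmbCompression {
    # Apply the workaround: DWORD DisableCompression = 1. No reboot is needed;
    # the server refuses compressed SMB requests from then on.
    Set-ItemProperty -Path $SmbServerParams -Name $CompressionValue `
        -Type DWord -Value 1 -Force
}

function Enable-SmbCompression {
    # Roll the workaround back once the March 2022 update has been installed.
    Set-ItemProperty -Path $SmbServerParams -Name $CompressionValue `
        -Type DWord -Value 0 -Force
}

"Before: SMB compression $(Get-SmbCompressionState)"
Disable-SmbCompression
"After:  SMB compression $(Get-SmbCompressionState)"
```

This only hardens the server side of the connection; SMB clients are still exposed until the update itself is installed, so treat the registry change as a stopgap, not a replacement for patching.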

Other vendors

Other vendors have published security related updates as well:

  • Cisco released security updates
  • Google released Android security updates
  • Samsung released a Security Maintenance Release package that includes patches from Google and Samsung.
  • HP released a security update to deal with 16 disclosed UEFI firmware vulnerabilities.

Stay safe, everyone!

The post Update now! Microsoft patches three zero-day vulnerabilities on Patch Tuesday appeared first on Malwarebytes Labs.

Twitter makes the leap to Tor

Tor is getting another visibility boost for people who may not otherwise come into contact with it. The reason: an attempt to navigate increasing amounts of censorship.

What is Tor?

The Tor network is something designed to keep communications anonymous. A variety of tools exist to make use of it, including messaging, web browsers, and other clients. Most people new to this realm would likely have their first experience via the standalone Tor browser. This works like any other browser download, with a lot of the same functionality. The big difference is that when you load it up, it connects to the Tor network. From the Tor browser manual:

Tor is a network of virtual tunnels that allows you to improve your privacy and security on the Internet. Tor works by sending your traffic through three random servers (also known as relays) in the Tor network. The last relay in the circuit (the “exit relay”) then sends the traffic out onto the public Internet.

Additional security tools and precautions abound in the browser to reduce the risk of fingerprinting, unwanted tracking, and more. The default search engine is DuckDuckGo. All data vanishes when the browser is closed (think Incognito mode), and three levels of security increasingly strip out page aspects such as JavaScript and media which could present problems.

That’s not all. Many sites have a .onion version available to make it even harder to perform surveillance on the user. When an onion version of a page you’re on exists, an “Onion available” notification is displayed next to the URL bar. That is highly relevant in this instance.

Peeling the onion

Onion pages are considered to have more advantages than regular sites where anonymity and privacy are concerned. Going back to the Tor manual:

  • Onion services’ location and IP address are hidden, making it difficult for adversaries to censor them or identify their operators.
  • All traffic between Tor users and onion services is end-to-end encrypted, so you do not need to worry about connecting over HTTPS.
  • The address of an onion service is automatically generated, so the operators do not need to purchase a domain name; the .onion URL also helps Tor ensure that it is connecting to the right location and that the connection is not being tampered with.

The second bullet is particularly useful for those perhaps increasingly rare occasions of dealing with a non-HTTPS site. They do still exist! The third bullet is handy for service operators, and the first is good for everybody involved.

Why is the potentially obscure world of onion addresses (to regular web users at least) getting an airing in the media?

Social media makes the leap (again)

Twitter has launched an onion version of its service, available immediately. It now joins Facebook, who went live with its own onion service in 2014. While some may flag this as a response to events in Ukraine, it seems this has been in the works for some time. Indeed, one of the people behind it says they’ve been toying with the idea for several years.

Elsewhere, major news services have had onion pages for a few years now:

They’re also actively promoting relevant language-specific pages:

So, then, it really depends what you’re looking for via Tor. If your personal circumstances currently require access to blocked services to communicate with friends and family, or you simply need a variety of news sources in a hurry, then you may well want to consider downloading the Tor browser, because there’s a good chance what you need is already available.

Just keep in mind that, as with all things, risks do exist, and factor in additional security precautions as appropriate. Navigating directly to the Onion pages from official links likely presents minimal risk, but forewarned is most definitely forearmed.

The post Twitter makes the leap to Tor appeared first on Malwarebytes Labs.

Google takes on Docs notification spammers

Cloud-based document suites have always been a hot target for scammers. When it’s easy to dip in and out for collaboration purposes, or just share things generally, then it’s likely that bad people will want in on the action.

In 2019, Google calendar users were wading through endless spam invites/event notifications when spammers worked out how to game the system. It was fixable, with the caveat that the fix was a multi-stage process. Quite likely a bit too much work for people who just want to access their calendars without spam, and who can blame them?

Anyway, these things come around time and time again. When a new feature appears, so too do the spam vultures. Time to cast our minds back to the end of 2020.

Of comments and exploits

The pandemic has helped nudge additional features into collaboration tools to make remote work more straightforward. One such Google Docs revamp is the “tag tool”, which fetches a list of recommended people. This works much like typing a username on Twitter, where a set of suggestions is prefilled after the “@”.

So far, so good.

Around October 2020, spam messages via Google Docs came to light. Specifically: the comments feature. It’s worth noting this behaviour wasn’t just restricted to Docs; other apps like Slides were affected too.

Spammers figured out they were able to send messages via tagging to “nearly any email address” (as per this article). Inserting a tag would generate and send mail to the tagged individual’s mailbox, with the mail appearing to have come from Google. While we can question whether that alone is enough to add the sheen of legitimacy required, at the baseline it sails past spam filters and related precautions.

The messages included everything from “inappropriate PDFs” and fake financial transaction links to more general bogus notifications and supposed financial compensation.

Filtering out the rogues

As with the workaround for calendar spam, the process to block the mails required setting up custom filters, although I suspect a lot of regular Google users didn’t bother with figuring out the mechanics of such a procedure.

As mentioned, one really big problem with this spam technique was the absence of additional sender information. Good news: Google has now addressed this. Notifications will now also show the commenter’s email address, in order to allow recipients to be sure about who it came from.

The change is scheduled to take place over a 15-day period, and as this rollout started on March 3rd, you may well already have the new functionality. According to the Times of India, this will also be a default option. No digging around for obscure options or menus, which is always appreciated.

If you’ve been weathering the storm of spam missives via Google apps over the last few weeks or even longer, then help is now officially on the way. Let’s hope we can all get back to being productive without the risk of bogus messages as soon as possible.

The post Google takes on Docs notification spammers appeared first on Malwarebytes Labs.