IT News

In another cyberattack on a healthcare system, threat-actors have tried to throw a wrench into the ongoing COVID-19 vaccine roll-out in the region of Lazio, Italy. The large and densely populated region is the country’s second most populous and includes the country’s capital, Rome.

On Sunday the Facebook page of the region informed the public that hackers had disabled the systems of the regional health care agency.

Only 10 hours later the region communicated through the same channel that standing vaccination appointments could proceed as planned. But it was not yet possible to make new appointments. Later it turned out that besides the vaccination appointment system, more of the region’s systems had suffered from the attack.

The attack

Details of the attack are sparse, most likely because the investigation is still ongoing. The Facebook page mentions a “virus” but this could be the result of a common misconception where many people call every malware a virus. But there is no mention anywhere about a ransom either, which you would expect if this was yet another ransomware attack on healthcare or other critical infrastructure. What we do know is that it was labelled as a “powerful” attack that disabled all the region’s systems, including the information site Salute Lazio portal, which was still unreachable at the time of writing.

Unofficial sources claim to know that the attackers managed to get hold of the credentials for an administrator’s account and released a “cryptolocker” which would suggest that this was a ransomware attack, or possibly a “wiper” attack, where attackers use ransomware to scramble a target’s computer, but with no intention of asking for a ransom or providing a way to unscramble them. The investigation will be  done by the Italian Postal and Communications Police Service which is the police department responsible for cybercrime.

Attackers

The region’s officials have called the attackers both criminals and terrorists. The question which of the two qualifications is the most accurate is closely correlated with the nature of the attack. There have been a lot of protests in Italy against the introduction of the so-called Green Pass, which shows people have been vaccinated, tested negative or recovered from COVID-19. Based on the Green Pass, which comes into effect on 6 August, holders will have access to places where non-holders will be barred.

While some see the Green Pass as a way to increase vaccination rates and persuade the undecided, some see it as a step too far. Looking at the number of vaccination requests the persuasion technique seems to work. Which might have triggered this attack on the Lazio region’s systems. But it might just turn out to be the next ransomware or wiper attack (although this scenario would be very surprising).

Recovery

Even though most IT systems were offline, some have been restored, including emergency networks, time-dependent networks, and hospital systems. The local government has reiterated that the vaccination drives would continue in spite of the attack. The vaccination appointment system for the Lazio region has been transferred to the Italian national vaccination to keep the momentum going.

Critical infrastructure

The disruption of Lazio’s vaccine appointment system is just one of a number of notable and disturbing attacks against critical infrastructure in 2021. To learn more about the threat cybercriminals pose to critical infrastructure, Lock and Code podcast host David Ruiz spoke to Lesley Carhart, principal threat hunter with Dragos and a globally-respected expert on the subject.

You can hear their conversation below, or find it on your preferred platform, including Apple Podcasts, Spotify, and Google Podcasts.

The post COVID-19 vaccine appointment system attacked in Italy appeared first on Malwarebytes Labs.

It’s been an interesting journey for security messaging where browsers are concerned. Back in the day, many of the websites you’d visit on a daily basis weren’t secure. By secure, I mean that they didn’t use HTTPS. There was no padlock, which meant that the traffic between you and the website wasn’t encrypted, and so it was vulnerable to being snooped on or changed.

Sites you bought goods from tended to use HTTPS so your credit card number couldn’t be intercepted as it traversed the Internet. But random blogs? Forums? Information portals? Not so much. People would often say that it wasn’t really dangerous if blogs or information sites weren’t using HTTPS. No personal data was being sent or received, no purchases were being made. What’s the big deal?

And yes, that sort of makes sense up to a point. However, as the Mozilla blog highlights, anyone on the network can potentially read or modify a website’s data before it reaches you. This is a bad thing whether or not you’re shopping or simply looking at humorous memes. It means that bad actors can insert ads into the pages you see, add malware to your downloads or redirect you to fake versions of the sites you want to visit.

Why was it so difficult to make sites HTTPS?

Cost factored into this. HTTPS certificates and setup were pricey, many thought HTTPS impacted performance, and the benefits of using it were often unclear.

In theory it was possible to get yourself a free HTTPS service as far back as 8 to 10 years ago, but in practice it’d often only be free for a year or the service might not be very good. On top of this, HTTPS was a pain to set up and non-technical site owners stood little chance of doing it themselves.

As an example: Until relatively recently, if you used a Google Blogspot blog with a custom domain (a domain hosted elsewhere) you couldn’t use HTTPs.

Worse, Google decided to ding search rankings for sites not running HTTPS and also mark them as “not secure”. Imagine having your blog on Google’s Blogspot, and Google both not offering HTTPS and penalising you for not using HTTPS!

In short, many were the obstacles for getting HTTPS up and running. If you managed to dodge the cost bullet back in the day, there was still the complexity bullet waiting in the wings. Considering many folks run different services with different orgs based on price, functionality, and location, firing up HTTPS on your site was not an easy task. For every person dismissing concerns with “that’s easy”, you could find a dozen more who follow all the steps and end up with something not working regardless.

What changed?

Google’s decision to penalise the search rankings of non-HTTPS sites was just one of a raft of carrots and sticks that emerged in the second half of the last decade which pushed HTTPS adoption from the niche to the mainstream.

The trend started about ten years ago with Firesheep, a browser plugin that shamed the big social media sites for not using HTTPS, before being accelerated enormously by Edward Snowden revealing the vast scale of Internet surveillance.

The response came in many forms including changes to search engines, free HTTPS services, better web hosting, new web protocols, and, as we’ll see later, web browsers.

A fanfare and a big parade for the good stuff

There is a tendency in security to focus on good security practices as unusual and point-from-across-the-street jaw dropping, and bad security practices as commonplace and not-very-pointworthy.

There’s a few problems with this. We’ll return to the ubiquitous padlock as an example.

If you go back a few years, when padlocks on sites became the Latest Big Deal(), it was an instant banner moment for “this is definitely a good thing”. You couldn’t move in some circles for endless promotion of the padlock, our new hero.

And hey, the padlock most definitely is good! However, it doesn’t mean it’s not also used for evil deeds.

A common talking point is “Look for the padlock. If it’s there, it means the site is safe”.

Well, no. It means it’s secure in as much as the data can’t be peeked at by random observers. The data can still be received as intended by an evil site owner. What do you think this means?

It means, lots of phishers and scammers started setting up HTTPs websites.

As a result of the “Padlock = safe” messaging at the time, some would-be victims probably didn’t land on a fake bank site and think “Oh my, this looks dubious. Time to leave. Nice try, phishers”. They likely assumed “The design is slightly off, but it’s got a padlock and everyone told me a padlock means that it’s safe. Phew.”

This problem became even worse once free HTTPS became popular and affordable, if not completely free for most folks. All of a sudden, we had lots of security resources and training saying “padlock means it’s the real deal” while lots of fake sites started sporting padlocks.

This is a small example of how hyping up a secure feature which becomes available to all, can go wrong without the consideration that bad people will use them too.

Back to browsers.

A fanfare and big parade for the bad stuff

Chrome is following the trend of rolling back on “this is secure” notifications, which as we’ve seen may not be 100% helpful, in favour of just saying “This one here is not secure. Avoid it”. This mirrors (deliberately) the change the web has undergone HTTPS being unusual to being the norm.

Sure, people trained to look for padlocks are suddenly not able to view them. On the other hand, padlock sites are so common now that seeing the padlock isn’t that useful anymore.

From now on, it’s business as usual until Chrome says BAD SITE.

This isn’t a recent plan, by any means. If nothing else, Chrome tends to give lots of advance warning of changes coming up so people can adjust for them as needed. It first mentioned this move way back in 2018, when it said “Users should expect that the web is safe by default”. To be more specific, they decided to change what displayed in your URL bar as follows:

[Padlock icon] | [Secure],

They stated their aim to remove the word “secure” so you’d only see

[Padlock icon],

Which would eventually lead to their final intended state of

[Website]

…with no padlock, or the word “Secure” next to it. Do you remember when Chrome used to say “Secure” next to the padlock indicator? I don’t! It hasn’t hurt my browsing in any way. I strongly suspect the padlock icon being removed won’t harm it either. Why continually highlight the norm, if the norm is functioning as expected?

It seems more sensible to hang a big sign saying “This is bad” on the bad stuff and call it a day. It’ll be interesting to see which browsers follow suit, assuming there’s some out there which haven’t already taken this step. If you’re a Chrome user, don’t be alarmed when our little padlock pal takes its last steps into the distance.

The post Chrome casts away the padlock—is it good riddance or farewell? appeared first on Malwarebytes Labs.

By releasing an information sheet that provides guidance on securing wireless devices while in public (pdf)—for National Security System, Department of Defense, and Defense Industrial Base teleworkers—the NSA has provided useful information on malicious techniques used by cyber actors, and ways to protect against them.

And anyone that does not belong to that group of teleworkers can still take advantage of the knowledge it has shared!

While the NSA’s advice and best practices aren’t a guarantee of protection, they will hep to reduce the risks you face while you’re out and about. The most obvious advice in the information sheet is not to use public Wi-Fi hotspots when more secure options are available. Use a corporate or personal Wi-Fi hotspot with strong authentication and encryption whenever possible, use HTTPS and a VPN when it isn’t.

Wi-Fi and encryption

Even if a public Wi-Fi network requires a password, it might not encrypt traffic going over it. And even if the Wi-Fi network does encrypt the data, malicious actors can decrypt the captured data if they know the pre-shared key. In either case, the network traffic (including login credentials) is easily captured using a couple of methods:

Masquerading

Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated to evade defenses and/or observation. For example, in this context it means that a cyber-criminal might broadcast an SSID (the name of a wireless network) that looks legitimate just to trick you into using their Wi-Fi hotspot.

As we have discussed before, anyone can spoof a well-known SSID and your device will happily connect to it again if it’s connected to an open SSID with the same name before. Once you are connected to this malicious hotspot masquerading as one you’ve used before, its operator can redirect you to malicious websites, inject malware or ads, and spy on your network traffic.

Network sniffing

Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. Adversaries can join a network and “sniff” the traffic passing over the wireless network, capturing information about the environment and the traffic of other Wi-Fi users, including authentication material passed over the network.

Please encrypt your traffic

You can’t stop masquerading or network sniffing, but you can make the useless to an attacker by adding a layer of encryption to your traffic with a VPN. The NSA strongly advises using a personal or corporate-provided virtual private network (VPN) to encrypt the traffic.

Other interfaces

The NSA rightly warns that in addition to Wi-Fi, cyber actors may also compromise other common wireless technologies, such as Bluetooth and Near Field Communications (NFC). The risk isn’t merely theoretical since these malicious techniques are publicly known and in use.

NFC

NFC is the technology behind contactless payments and other close device-to-device data transfers. As with any network protocol, there may be NFC vulnerabilities that can be exploited although due to NFC range limitations, opportunities to exploit vulnerabilities are limited.

Bluetooth

Bluetooth technology transmits data wirelessly over short distances. Keeping a device’s Bluetooth feature enabled in public can be risky. Malicious actors can scan for active Bluetooth signals, potentially giving them access to information about a targeted device.

The NSA highlights a few specific Bluetooth related attack techniques:

• Bluejacking, sending unsolicited messages (often unsolicited anatomical pictures sent to women) over Bluetooth to Bluetooth-enabled devices such as mobile phones, PDAs or laptop computers.
• Bluesnarfing, the unauthorized access of information from a wireless device through a Bluetooth connection, often between phones, desktops, laptops, and PDAs.
• Bluebugging manipulates a target phone into compromising its security, this to create a backdoor attack before returning control of the phone to its owner.
• Blueborne, a Bluetooth vulnerability that can allow malicious actors complete control over a user’s Bluetooth device.

Do’s and don’ts

The information sheet goes on to provide some do’s and don’ts. Most of them are very generic and you will probably have read them many times before. We are sure we have listed them ourselves time and again.

That doesn’t mean they’re bad advice though, and it suggests that some people aren’t paying close enough attention, so here goes:

Mobile devices

• Keep software and applications updated with the latest patches.
• Use anti-virus/anti-malware software.
• Use multi-factor authentication (MFA) whenever possible.
• Reboot regularly, especially for mobile phones after using untrusted Wi-Fi. (Rebooting a device will remove non-persistent threats from memory.)
• Do not leave devices unattended in public settings.
• Do not use personal information—like your name—in the names of the devices.

Wi-Fi

• Disable Wi-Fi when you aren’t using it.
• Disable Wi-Fi network auto-connect.
• Ensure your device is connecting to the correct network.
• Log out of the public Wi-Fi network and “Forget” the access point when you’re finished.
• Use HTTPS where you can.
• Only browse to, or use, necessary websites and accounts.
• Do not connect to open Wi-Fi hotspots.
• Do not enter sensitive data or conversations.
• Do not click unexpected links, attachments, or pop-ups.
• Do not set public Wi-Fi networks to be trusted networks.
• Do not browse the Internet using the administrator’s account of the device.

Bluetooth

• Disable the Bluetooth feature when it is not being used.
• Ensure the device is not left in discovery mode when Bluetooth is activated and discovery is not needed.
• Monitor Bluetooth connections by periodically checking what devices are currently connected to the device.
• Do not use Bluetooth to communicate passwords or sensitive data.
• Do not accept non-initiated pairing attempts.
• Use an allow-list or deny-list of applications that can use the device’s Bluetooth.

NFC

• Disable NFC feature when not needed (if possible).
• Do not bring devices near other unknown electronic devices. (This can trigger automatic communication.)
• Do not use NFC to communicate passwords or sensitive data.

More advanced advice for laptops

• Configure Web-Proxy Autodiscovery Protocol (WPAD) to use only corporate proxy servers.
• Enable firewalls to restrict inbound and outbound connections by application.
• Disable Link-Local Multicast Name Resolution (LLMNR) if applicable. LLMNR is a deprecated and vulnerable protocol for quick resolution of names that are on the same subnet.
• Disable Netbios Name Service.
• Turn off the device file and printer sharing on public networks.
• Use virtual machines (VMs) for an additional layer of security.

While it may seem trivial for the NSA to provide guidance in this field, since most security professionals have given up hope that we’ll ever learn, it just may be that when it comes from a source like the NSA people might actually start paying attention. So, while most of the advice will look familiar, hearing it for the umpteenth time might actually persuade someone to follow it.

Stay safe, everyone!

The post NSA issues advice for securing wireless devices appeared first on Malwarebytes Labs.

Zoom has agreed to an $85m settlement regarding privacy, zoom-bombing, and data sharing. The class action privacy lawsuit filed in the US against the embattled company wasn’t particularly impressed with the following:

• Zoom-bombing running wild in video sessions. Zoom-bombing, the practice of joining sessions without permission and causing mayhem, exploded into life during 2020.
• Claiming to offer end-to-end encryption, when they were using something called transport encryption in places. They later had to clarify that they meant data was encrypted at Zoom endpoints. In theory, the company could access the data but said they don’t directly access it.
• Sharing data with social media companies even if you don’t have an account with them. Zoom used Facebook’s Software Development Kit for app features, which resulted in data being sent to Facebook. The part about data being sent even without an account wasn’t made clear, according to Motherboard. As a result of the linked investigation, Zoom decided to remove the Facebook SDK. They also apologised for the oversight, and shut down “unnecessary device data” collection.

Interestingly, one part of the settlement is a request for Facebook to delete US user data obtained via the SDK.

The numbers game

How badly have Zoom done off the back of this settlement? Well, it’s complicated. It essentially boils down to around $15 for people without subscriptions, or $25 for folks with pricier accounts. It’s worth noting these amounts are specifically for US-based Zoom users, with a few exceptions. If you’re using Zoom outside of the US, you almost certainly won’t be getting fractionally rich from this one. Sorry!

As for Zoom, your mileage will definitely vary as to whether or not you think these costs are sufficient. According to reports, they made around $1.3 billion in subscriptions from paying US customers. The plaintiff’s legal team says the $85m is “reasonable” considering other costs tied to legal action. They’re also seeking $21.3m in legal fees from Zoom.

A fitting punishment?

Is it reasonable, though? Or should the total be higher? According to The Register, the $85m amount is “around 6% of the total revenues collected based on allegedly unlawful activities”. In many ways, Zoom wandered into a metaphorical gunfight they couldn’t hope to put a lid on. Nobody could’ve predicted the pandemic, or the massive shift to working from home. Much less which remote communication tools would rise or fall as a result. It just so happened the fates aligned and picked Zoom. It’s arguable no company could have weathered such a dramatic spike in users and rapid-fire improvements. It’s also arguable many issues could’ve been avoided if Zoom had shown a little more foresight, instead of seemingly playing catchup a lot of the time. 

Trolls have been crashing private forums, chat sessions, web-chats and anything else they can get their hands on for years. Was it really a surprise the same would happen to Zoom sessions? Was a tipping point required before passwords and waiting rooms were enabled by default for all meetings? Biometrics, tracking, and monitoring people working at home is increasingly frowned upon. Did anyone really think features like Attention Tracking would be popular?

A hard lesson learned, but some may feel the lesson should have been much harder.

How do users get their money?

It’s still being worked out, and you’ll almost certainly need to see who qualifies and who doesn’t. The current plan is to apply for awards through a specific website. It’s likely there’ll be imitation pages and phishing mails aplenty once it goes live. It remains to be seen how many people will actually apply, and some aspects of the case aren’t fully hammered out yet so we’ll likely revisit this one come October.

The post Zoom and gloom? Video comms org agrees to settle for $85m appeared first on Malwarebytes Labs.

While you read these words, the chances are that somebody, somewhere, is trying to break in to your computer by guessing your password. If your computer is connected to the Internet it can be found, quickly, and if it can be found, somebody will try to break in.

And it isn’t like the movies. The criminal hacker trying to guess your password isn’t sat in a darkened room wondering which of your pets’ names to type on their keyboard. The hacker’s at lunch and they’ve left a computer program churning away, relentlessly trying every password it can think of. And computers can think of a lot of passwords.

Oh, and there are lots of hackers out there and they don’t take turns trying to break into your computer one at a time. They’re all trying to break in separately, all at the same time.

While there are lots of ways to break into a computer that’s connected to the Internet, one of the most popular targets is the Remote Desktop Protocol (RDP), a feature of Microsoft Windows that allows somebody to use it remotely. It’s a front door to your computer that can be opened from the Internet by anyone with the right password.

RDP explained

RDP is an immensely useful feature: Remote workers can use it to log in to computers physically located at their office buildings, and IT experts can use it to fix somebody’s computer from anywhere in the world. However, that ability to log in to a computer from anywhere in the world also makes RDP an immensely attractive target for criminal hackers looking to steal data or spread malware.

To log in to a computer using RDP, users simply type in the Internet address a computer running and enter their username and password. Then they can use it as if it was on the desk in front of them. It’s that simple.

Reading that you might think that you’re safe as long as nobody knows your computer’s address. Unfortunately, your computer’s address isn’t a secret, even if you’ve never told anyone what it is.

Internet addresses (IP addresses) are just sequences of numbers, so it’s easy to create computer programs that guess all the possible IP addresses in existence and then quickly visit them to see if they belong to Windows computers with RDP switched on, over and over again. And if that’s too much work, there are websites like Shodan that can do it for them.

Searches like this make it easy for hackers to find the computers they want to target, but they don’t help them break in. To do that they will need to guess a password successfully.

Brute force guessing explained

Hackers figure out RDP passwords using a technique called “brute force guessing,” which is as basic as it sounds. They simply use a computer program that will try a password and see if it works. If it doesn’t, it will try another, and another, and another, until it guesses a password correctly or decides it’s time to try its list of passwords on a different computer. The guesses aren’t random. Some passwords are far more popular than others, so criminals use lists of the most commonly used passwords, starting with the most popular.

Unfortunately, weak passwords are extremely common. In fact, they’re so common that there is an entire criminal industry dedicated to guessing RDP passwords. Often, the hackers that guess the passwords don’t actually use them. Instead, they sell them on the Dark Web to other criminals, at an average price of just $3 per account.

Imagine how many $3 passwords a hacker has to sell to make it pay its way and you’ll get a sense for how big this problem is.

There are numerous groups scanning the Internet and trying to guess RDP passwords. Some hang around, making tens of thousands of guesses at the same computer, while others will try just a few guesses before moving on to another target. At any one time your computer might have the attention of multiple groups, all employing slightly different tactics to guess your password. And they never get bored. Even if they appear to give up, they’ll return later, to see if anything has changed or to try something new.

Before the COVID-19 pandemic, RDP was already the go-to method for spreading ransomware, and it had been for several years. Because of that, I co-authored some research into RDP brute force attacks in 2019. Our research was simple: We connected some Windows computers to the Internet, turned on RDP, and waited to see what happened.

We didn’t have to wait long. Hackers started trying to guess our test computers’ passwords within 90 seconds of them being attached to the Internet. Over the course of a month our test computers were probed with password attempts all day, every day, 600 times an hour.

And that was before things got really serious, in 2020.

The pandemic triggered a huge surge in the number of people working from home. In turn, that triggered a surge in the number of people relying on RDP. Because guessing RDP credentials and selling them was already a viable underground business, the criminal infrastructure to take advantage of remote workers was already in place. The result was a colossal increase in the number of attacks on computers running RDP.

Stopping RDP brute force attacks

RDP brute force attacks represent a serious, on-going danger to Internet-connected Windows computers. However, there are a number of ways to protect yourself against them. As in all areas of computer security, defence in depth is the best approach, so aim to do as many things on this list as you reasonably can.

• Turn it off. The simplest way to protect yourself from RDP brute force attacks is to just turn off RDP permanently, if you don’t need it.
• Use a strong password. Brute force attacks exploit weak passwords so in theory a strong password is enough to keep attackers out. In practice, users often overestimate how strong their passwords are, and even technically strong passwords can be rendered useless if they are stolen or leaked. For those and other reasons it’s best to use at least one of the other methods in this list too.
• Use a VPN. RDP can be protected from brute force attacks by forcing users connect to it over a Virtual Private Network (VPN). This hides RDP from the Internet but exposes the VPN, leaving it vulnerable to attack, so it also needs to be properly secured. This is the approach taken by a lot of organizations, but is likely to be beyond the patience or technical ability of many home users.
• Use multi-factor authentication (MFA). MFA forces users to provide multiple forms of authentication in order to log in, such as a password and a one-time code from an app. MFA offers very strong protection because even if an attacker guesses a password, it isn’t enough to give them access. Like VPNs, MFA solutions can be complex and are often aimed at business users.
• Limit the number of guesses. The simplest way to lock out brute force attackers is to limit the number of password guesses they can make. If a legitimate user gets their password wrong, they normally only need a few extra guesses to get it right. There is no need to give somebody the luxury of making tens- or hundreds-of-thousands of guesses if you only need a handful. Locking out users who make too many wrong guesses, or limiting the number of guesses users can make has the effect of making weak passwords much, much stronger. (It’s how bank cards and smartphones get away with using simple four- or six-digit PINs to protect themselves.)

The post RDP brute force attacks explained appeared first on Malwarebytes Labs.

Having antivirus (AV) software on your computer is a staple. Modern antivirus offers layered protection—a cybersecurity approach that uses multiple techniques in one package to keep you safe if you download a malicious file from the Internet, find yourself worrying after clicking a link on a direct message from a non-contact on social media, or automatically open an email attachment before you can stop yourself.

An excellent AV saves you from unnecessary worry because it works. It stops bad things. And that’s why so many people want to turn it off.

Some of the reasons are obvious—while some, not so. We find out what these reasons are by listing the three likely culprits behind your AV mysteriously being off the next time you use your computer.

1. Hackers

Ransomware has been in the news this year, but it’s been a serious threat for several years now. What many users may not realize is that ransomware attacks from a few years ago were quite different from your “common-or-garden” ransomware we see now.

A few years ago, ransomware was typically sent out in mass email campaigns. The criminals behind it hoped to catch out as many unsuspecting users as possible and charged each victim a ransom of a few hundred dollars to remove the ransomware from their computer. It was hugely inconvenient but it was a problem that tended to affect individual users rather than entire organizations.

Ransomware today isn’t a nuisance, it’s a criminal business. These days it is delivered by hand, and it’s targeted at entire companies instead of individual computers. Cybercriminal gangs break in to an organization’s network and may stay there for months before finally wreaking havoc. Before the wreaking, the group performing the attack want to maximise the chances of their attack succeeding. They do that by turning themselves into users with the power to turn off the victim company’s antivirus software, if they can.

2. Malware

Malware (malicious software) is a possible second culprit as to why your AV is turned off for some reason.

No surprise here.

Malware and antivirus similarly dislike each other. Normally, the only way they can co-exist on your computer is if the former is in quarantine. Malware authors know this, which is why some of them have successfully kitted their malicious software to try to disable, if not completely uninstall, antivirus on any computers it infects. With AV out of the way, the malware is free to harm any systems it’s on, as it was programmed to.

We see this capability most often in Trojan malware, malicious software that pretends to be something important—like an update to a program you use—but does insidious things on your computer when run. LemonDuck, an advanced cryptominer, is an example of a Trojan programmed to try to uninstall antivirus.

Although the hackers who run ransomware will often try to disable antivirus manually (as we said in the first section), some ransomware also has the ability to disable antivirus programmed in to it, including MegaCortex, PYSA, Ragnar Locker, and REvil.

3. Insiders (friends and family)

We often write about insider threats on this site—individuals who, often unknowingly, put their employer at risk. Believe it or not, insider threats exist at home too (for lack of a better term, we will stick to calling them “insiders” here).

Who might these be, you ask? They could be your kids, other family members who live with you, or—perhaps in certain circumstances—an insider could be you.

Which begs the question: Why would any of them turn off your antivirus? Often because they are erroneously advised to.

“Back in the earlier days of gaming, it was common to see antivirus programs quarantine game files,” says Chris Boyd, Lead Malware Intelligence Analyst for Malwarebytes.

“PCs with limited system resources would find the strain of games running alongside security programs a bit too much to handle. As a result, ‘Turn off your antivirus’ became a common sight on gaming forums and in accepted wisdom generally.” And it wasn’t just gaming. “Turn off your AV” was often the first thing that you’d be asked to do if you phoned tech support or read the troubleshooting section of your manual, for any piece of software.

“These days, you should never have to turn off your security solutions in order to have a quick round of Fortnite or a long session of Elder Scrolls Online”, says Boyd.

Still, the bad advice persists.

Another reason people willingly disable AV is to stop antivirus alerts when they’re installing software on shared computers.

You might be smart enough to know that an antivirus warning is a bad sign, but if you’re not the only user of the computer, and the other users really want to install something, there’s a chance they’re simply going to see security pop-ups as a hinderance and shoot the messenger by turning off the AV.

So, while a mysteriously disabled antivirus can be the handy work of hackers and malware with bad intentions, the culprit is sometimes a lot closer to home, and the motive less nefarious.

However it happens, the result is the same: You are left unprotected. Your antivirus software isn’t going to do any good if it’s turned off, so keep it safe to keep yourself safe.

Stay safe!

The post The 3 biggest threats reaching for your antivirus software’s off switch appeared first on Malwarebytes Labs.

Last week on Malwarebytes Labs:

• OSX.XLoader hides little except its main purpose: What we learned in the installation process.
• The Clubhouse database “breach” is likely a non-breach. Here’s why.
• Kaseya Unitrends has unpatched vulnerabilities that could help attackers expand a breach.
• UDP Technology IP Camera firmware vulnerabilities allow for attacker to achieve root.
• The Olympics: a timeline of scams, hacks, and malware.
• BlackMatter, a new ransomware group, claims link to DarkSide, REvil.
• Crimea “manifesto” deploys VBA Rat using double attack vectors.
• Microsoft provides more mitigation instructions for the PetitPotam attack.
• Spear-phishing now targets employees outside the finance and executive teams, report says.
• LemonDuck no longer settles for breadcrumbs.

Other cybersecurity news:

• QR codes are here to stay. So is the tracking they allow. (Source: The New York Times)
• NSA issues guidance on securing wireless devices in public settings. (Source: nsa.gov)
• The greatest danger to national security has become the companies that claim to protect it. (Source: Edward Snowden)
• The Northern Ireland COVID Certification Service was temporarily interrupted due to privacy issue. (Source: UK Department of Health)
• BazaCall campaigns use phony call centers meaning to trick users into exfiltration and ransomware. (Source: Microsoft Security blog)
• Solarmarker malware campaign actors are focusing their energy on credential and residual information theft. (Source: ZDNet)
• We can’t believe people use browsers to manage their passwords, says maker of password management tools. (Source: The Register)
• Polish police officers have arrested Belarusian nationals over ATM black-box attacks. (Source: The Record)
• The FBI has revealed the top targeted vulnerabilities of the last two years. (Source: Bleeping Computer)
• Officials from Israeli government agencies have raided the offices of Pegasus software vendor NSO Group, (Source: The Record)

Stay safe, everyone!

The post A week in security (July 26 – August 1) appeared first on Malwarebytes Labs.

The 2021 attacks on two water treatment facilities in the US—combined with ransomware attacks on an oil and gas supplier and a meat and poultry distributor—could lead most people to believe that a critical infrastructure “big one” is coming.

But, as Lesley Carhart, principal threat hunter with Dragos, tells us, the chances of such an event are remarkably slim. In fact, critical infrastructure’s regular disaster planning often leads to practices that can detect, limit, or prevent any wide-reaching cyberattack.

“There’s this idea that there’s going to be this global, catastrophic event that’s going to affect everything and everyone, simultaneously, due to a cyberattack, and that’s just rather obtuse and absurd,” Carhart said.

Tune in to hear about critical infrastructure cybersecurity—how individual organizations plan for disasters, how those disasters incorporate cybersecurity events, and how the different sectors within critical infrastructure receive wildly different funding and resources—on the latest episode of Lock and Code, with host David Ruiz.

https://feed.podbean.com/lockandcode/feed.xml

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

The post Disaster planning with Lesley Carhart, and the slim chance of a critical infrastructure “big one”: Lock and Code S02E14 appeared first on Malwarebytes Labs.

LemonDuck has evolved from a Monero cryptominer into LemonCat, a Trojan that specializes in backdoor installation, credential and data theft, and malware delivery, according to the Microsoft 365 Defender Threat Intelligence Team, which explained their findings in a two-part story [1][2] on the Microsoft Security blog.

LemonDuck

Trojan.LemonDuck has always been an advanced cryptominer that is actively being updated with new exploits and obfuscation tricks. Among others, it aims to evade detection with its fileless miner. LemonDuck’s threat to enterprises is also the fact that it’s a cross-platform threat. It’s one of a few documented bot families that targets Linux systems as well as Windows devices. Trojan.LemonDuck uses several methods for the initial infection and to propagate across networks:

• Malspam: the email typically contains two files: a Word document exploiting CVE-2017-8570 and a zip archive with a malicious JavaScript.
• Server Message Block (SMB) vulnerabilities: Trojan.LemonDuck leverages EternalBlue and the SMBGhost flaw to compromise a host as well as propagate to other machines within a network.
• RDP brute-forcing: Trojan.LemonDuck’s RDP module scans for servers listening on port 3389 and tries to login as user ‘administrator’ from a list of passwords.
• SSH brute-forcing: the Linux equivalent of RDP attacks. Trojan.LemonDuck scans for machines that are listening on port 22 and performs a brute-force attack using a list of passwords combined with the ‘root’ user name.
• LNK vulnerability: leverages the vulnerability CVE-2017-8464 via USB removable drive that contain a malicious .LNK file.
• ProxyLogon: an exploit for Exchange servers that allows an unauthenticated attacker to execute arbitrary commands onto vulnerable servers.

LemonDuck does not just limit itself to new or popular vulnerabilities. It continues to use older vulnerabilities, which benefit the attackers at times when focus shifts to patching a popular vulnerability rather than investigating compromise. Notably, LemonDuck removes other attackers from a compromised device by getting rid of competing malware and preventing any new infections by patching the same vulnerabilities it used to gain access.

History

The earliest documentation of LemonDuck was from its cryptocurrency campaigns in May 2019. It was named after the variable “Lemon_Duck” it utilized in one of the PowerShell scripts that employed additional scripts kicked off by a scheduled task. The task was used to bring in the PCASTLE tool to achieve a couple of goals: abuse the EternalBlue SMB exploit, as well as use brute force or pass-the-hash to move laterally and begin the operation again. Many of these behaviors are still observed in LemonDuck campaigns today.

Evolution

In 2021, LemonDuck campaigns started using more diversified command and control (C2) infrastructure and tools. This update supported the marked increase in manual post-breach involvement, which was adapted depending on the perceived value of compromised devices to the attackers. Which does not mean it stopped using the old infrastructure based on bulletproof hosting providers, which are unlikely to take any part of the LemonDuck infrastructure offline even when they are reported for malicious actions. This allows LemonDuck to persist and continue to be a threat.

LemonCat

LemonCat was named as such after two domains with the word “cat” in them (sqlnetcat[.]com, netcatkit[.]com) that LemonDuck started using in January 2021. The infrastructure that includes those domains was used in attacks exploiting vulnerabilities in Microsoft Exchange Server. These attacks typically result in backdoor installation, credential and data theft, and malware delivery. It is often seen delivering the malware Ramnit.

Once inside a system with an Outlook mailbox, LemonDuck attempts to run a script that utilizes the credentials present on the device. The script instructs the mailbox to send copies of a phishing message with preset messages and attachments to all contacts. This bypasses many email security policies, for example those that forgo scanning internal mail or those that determine if an email is sent from a suspicious or unknown sender. After the emails are sent, the malware removes all traces of such activity, making it appear to the user as if nothing was sent. This method of self-spreading is attempted on any affected device that has a mailbox, regardless of whether it is an Exchange server.

Human and automated infiltration

Automated infections, like the ones from malspam, launch a PowerShell script that pulls additional scripts from the C&C server. One of the first steps the infection tries once it has gained persistence is to disable or remove a series of security products like Microsoft Defender for Endpoint, Eset, Kaspersky, Avast, Norton Security, and Malwarebytes. They also attempt to uninstall any product with “Security” and “AntiVirus” in the name.

From here the methods vary based on how attractive the target is. LemonDuck leverages a wide range of free and open-source penetration testing tools. LemonDuck uses a script at installation and then repeatedly thereafter to scan for ports and perform network reconnaissance. It then attempts to log onto adjacent devices to push the initial LemonDuck execution scripts. Another tool dropped and utilized within this lateral movement component is a bundled Mimikatz, within a mimi.dat file associated with both the “Cat” and “Duck” infrastructures. This tool’s function is to facilitate credential theft for additional actions. The most common name for the infection script is IF.Bin. In conjunction with credential theft, IF.Bin drops additional .BIN files to attempt common service exploits like CVE-2017-8464 to increase privilege.

At installation and repeatedly afterward, LemonDuck takes great lengths to remove all other botnets, miners, and competitor malware from the device. It does this via a script called KR.Bin. This script attempts to remove services, network connections, and other evidence from dozens of competitor malware via scheduled tasks. It also closes well-known mining ports and removes popular mining services to preserve system resources. The script even removes the mining service it intends to use and simply reinstalls it afterward with its own configuration.

Mitigation

Some specific and more general mitigation techniques:

• Disallow removable storage devices on sensitive endpoints or at least disable autorun.
• Make sure your systems are fully patched and protected against brute-force attacks aimed at popular services like SMB, SSH, RDP, SQL, and others.
• Turn on tamper protection so malware can’t disable or uninstall your anti-malware.
• Do not disable detection for potentially unwanted programs (PUPs) since some anti-malware classifies crypto-miners as potentially unwanted.
• Block connections to known malicious domains and IP addresses.
• Review your email scanning rules that are based on allowed sender addresses, since this malware can use trusted sender addresses.

Stay safe, everyone!

The post LemonDuck no longer settles for breadcrumbs appeared first on Malwarebytes Labs.

Social engineering attacks have been a longstanding concern for both individuals and organizations alike. The trend, as we know it, is that fraudsters conducting spear phishing attacks—specifically, business email compromise (BEC)—are likely to target employees either in the finance or executive teams of a company as they have authority over financial matters.

This has now changed.

According to Barracuda’s latest report entitled “Spear Phishing: Top Threats and Trends” [PDF], 77 percent of employees who are in roles considered as “low profile” are now favorite spear phishing targets. Some of these employees are members of IT, who receive an average of 40 phishing emails per year, and the sales department, who receive 1 in every 5 BEC phishing emails sent the company’s way.

“Due to the nature of their role, sales reps are used to getting external messages from senders they haven’t communicated with before. At the same time, they are all connected with payments and with other departments including finance,” says the report. “For hackers, these individuals could be a perfect entry point to get into an organization and launch other attacks.”

Although other employees are being targeted more in BEC attacks, this doesn’t mean that executives and those in finance are off the hook entirely. As you can see in the graph below, an average CEO receives 57 phishing emails on average per year.

Whether online criminals change who they target or not, one fact remains: They continue to look for the weakest link in your company, and all they need is that one click from an employee who falls for their schemes. This further highlights the importance of education and awareness efforts any company should be focusing and investing on.

Whether or not you’re part of an organization, it’s important to teach yourself to recognize the red flags of phishing attempts, both on your computer and mobile device. We got just what you need here:

Stay safe!

The post Spear-phishing now targets employees outside the finance and executive teams, report says appeared first on Malwarebytes Labs.