IT News

Two months after fully restoring its systems, CNA Financial, the leading US insurance company that was attacked by a group using Phoenix CryptoLocker ransomware, issued a legal notice of an information security incident to the Consumer Protection Bureau in New Hampshire.

You may recall that Phoenix CryptoLocker—or simply Phoenix—is a ransomware family that is believed to be linked to the criminal group Evil Corp. CNA’s network was compromised in March 2021. This notice has given every reader an insight into how the attack happened, what CNA did, and what they continue to do for those whose data was affected by this ransomware-attack-slash-data-breach.

Phoenix posed as a browser update

According to CNA, one of its employees was able to download and execute a fake browser update after visiting a legitimate website. The notice didn’t specify if this legitimate website is the official website of the browser this employee is using. The employee not having elevated privileges didn’t stop the threat actors from following through with the attack. Instead, they used “additional malicious activity” to get credentials they need to move forward. Attackers often use privilege escalation exploits to increase their access rights, or tools like Mimikatz that can extract passwords from a computer’s memory.

“With elevated privileges, the Threat Actor moved laterally within the environment to conduct reconnaissance and establish persistence onto certain systems within the environment. Between March 5 and March 20, 2021, the threat actor conducted reconnaissance within CNA’s IT environment using legitimate tools and legitimate credentials to avoid detection and to establish persistence,” the company revealed.

Using legitimate administration tools and accounts in this way to explore a network and spread malware is know as “living off the land”. It allows attackers to keep a low profile as they go about their business because their activity doesn’t look out of place and their tools often aren’t detected by security software by default.

At least 15,000 systems, including devices connected to CNA’s network via VPN, were instantly affected after the threat actors detonated the ransomware.

Data stolen but untouched

CNA Prior to executing Phoenix, the threat actors were able to steal important and sensitive information affecting 75,349 individuals. A significant number of them were names of current and former employees plus their dependents and their Social Security Numbers (SSNs). On the other hand, a small number of those affected had their birth dates, benefit enrolment, and medical information.

As to how these were stolen, the threat actors “copied, compressed and staged unstructured data obtained from file shares found on three CNA virtual servers; and used MEGAsync, a legitimate tool, to copy some of the unstructured data (“Exported Data”) from the CNA environment directly into the threat actor’s cloud-based account (the “Mega Account”) hosted by Mega NZ Limited (“Mega”).”

According to CNA’s notice, it was able to work with the FBI and the “Cloud-Storage Platform” (presumably this means Mega) to “take control of the account and quickly recover CNA’s data”. CNA believes that the data was held so that the attackers could threaten to leak it, a common tactic in modern ransomware attacks. The company reports that its forensic experts could find no evidence that the data was “viewed or otherwise shared”; therefore, it was never accessed by the threat actors themselves to either be sold, traded, or used for other nefarious purposes.

Recovering from ransomware

This information coming to light two months after the attack shows that recovering from ransomware is rarely quick and easy. Aside from the obvious technical problems that have to be overcome to get a business working again, the root causes must be discovered and addressed, and there may be legal and regulatory hurdles to overcome.

In a recent episode of our Lock and Code podcast, host David Ruiz spoke to Ski Kacoroski—a system administrator with the Northshore School District in Washington state—about the immediate reaction, the planned response, and the long road to recovery from a ransomware attack. You can listen to it below, or on Apple Podcasts, Spotify, and Google Podcasts.

This video cannot be displayed because your Functional Cookies are currently disabled.

To enable them, please visit our privacy policy and search for the Cookies section. Select “Click Here” to open the Privacy Preference Center and select “Functional Cookies” in the menu. You can switch the tab back to “Active” or disable by moving the tab to “Inactive.” Click “Save Settings.”

The post CNA legal filings lift the curtain on a Phoenix CryptoLocker ransomware attack appeared first on Malwarebytes Labs.

This blog post was authored by Hasherezade

In mid-July we responded to an incident that involved an attack on a Microsoft Exchange server. The threat actor used this entry point to get into a Domain Controller and then leveraged it as a springboard to deploy ransomware.

While examining the ransomware payload, we noticed it was a new variant which we had not heard of before. In this blog we will take a look at AvosLocker a solid, yet not too fancy new ransomware family that has already claimed several victims.

This type of ransomware attack is unfortunately all too common these days and has wreaked havoc across many industries. With the disappearance of the infamous REvil, it is possible new threat actors are actively looking to fill the void.

New ransomware, looking for partners

Avos is a relatively new ransomware, that was observed in late June and early July. Its authors started searching for affiliates through various underground forums. They announced a recruitment for “pentesters with Active Directory network experience” and “access brokers” which suggests that they want to cooperate with people who have remote access to hacked infrastructure.

In the other advert they describe the product they offer: a multi-threaded ransomware written in C++:

They offer not only the malware, but also help in managing the communication with the victim, and hosting of the data stolen during the operation. Soon, some victims of this ransomware started to emerge.

Behavioral Analysis

AvosLocker is ran manually by the attacker who remotely accessed the machine. For this reason, it is not trying to be stealthy during its run. In default mode, it works as a console application reporting details about its progress on screen.

A sample log from the run (shortened):

 drive: C:
 drive: D:
 Threads init
 Map: C:
 Searching files on: C:*
 file: C:autoexec.bat
 Map: D:
 Searching files on: D:*
 FindFirstFileA: INVALID_HANDLE_VALUE
 drive D: took 0.002000 seconds
 Start encryption on C:
 Encrypting C:autoexec.bat - ext bat - capped YES
 Searching files on: C:_pin*
 file: C:_pinpinadx-vsextension-3.17.98314-g0c048d619.bat
 Start encryption on C:
 Encrypting C:_pinpinadx-vsextension-3.17.98314-g0c048d619.bat - ext bat - capped YES
[...]
Searching files on: C:Documents and Settings*
 FindFirstFileA: INVALID_HANDLE_VALUE
 Searching files on: C:$Recycle.Bin*
 […]
 drive C: took 52.590000 seconds
 Done!!
 64.620000 seconds

Looking at the log, we can see that the ransomware first “maps” the accessible drives by listing all their files. After that it goes to the encryption. The files are selected for encryption depending on their extensions.

The files that have been encrypted by AvosLocker can be identified with .avos extension appended to the original filename. While the content is unreadable, at the end we find a Base64-encoded block added:

We can assume that this Base64-encoded data contains RSA-protected AES key that was used for encrypting this file. Each attacked directory has a ransom note dropped in it, named GET_YOUR_FILES_BACK.txt:

Interestingly, the ID is not generated during the deployment, but hardcoded in the sample (which we can see easily by viewing the sample strings). This may mean that the distributors generate a sample per victim.

The link given in the ransom note guides to the Onion website, requesting the ID, that was also in the note:

Upon the ID submission, the victim is presented with the individual panel:

In addition to the casual threats about increasing the price after the deadline has passed, this ransomware adds blackmail by doxing. The additional website titled “Press releases” is provided to prove that those aren’t just empty threats:

Visual analysis

Visualizing the content of the encrypted files shows their high entropy. No patterns from the original file content were preserved. Example:

Those properties suggest that a strong encryption algorithm was used, probably in a CBC mode (Cipher Block Chaining).

Also, the same plaintext files have been encrypted into different ciphertext output. This suggests that for each file a new key (or at least a new initialization vector) was generated.

Inside

This ransomware is dedicated to be deployed by the attacker manually on the hacked machines. This purpose is reflected in the design. In contrast to most malware, AvosLocker comes without any protective (crypter) layer. Yet, it’s not completely defenseless: all the strings, and some of the APIs, are obfuscated in order to evade static detection. Yet, during its execution, it yells out on the console the logs of the performed actions, so that the attacker could observe in the real time what the program is doing.

Execution flow

The execution starts in the main function:

First, the malware checks if it was provided with the optional commandline arguments. By supplying them, the attacker can enable/disable some of the features.

Then, the mutex name is decoded (“ievah8eVki3Ho4oo”), and its presence is checked. It is done in order to prevent the ransomware from being run more than once at the time. If the mutex already exists, the execution terminates.

This malware may come with a hardcoded RSA Public Key of the attacker. This key will be further used for encrypting individual AES keys, used for encrypting files. Yet, the presence of the Public Key is optional. In case if it wasn’t provided, the application will generate a new key pair.

After this preparation, the malware proceeds to encrypt files. Depending on the argument given, it may encrypt network resources. Then, unconditionally, it encrypts drives. The encryption operations are run in new threads.

After the encryption was done, it prints information for the attacker. Then, all the running threads are finalized. At the end the malware prints the summary about how long it took to encrypt available resources.

Arguments

By default it runs as a console application, yet the console can be hidden by supplying a specific commandline argument: ‘h’ (hide). There is also a commandline argument allowing to opt out encryption of network resources: ‘n’ (network).

String obfuscation

As mentioned before, Avos uses string obfuscation. All the strings are obfuscated by XOR with the given key, and deobfuscated just before use. Although the algorithm is simple, the way it implements it is especially tedious to counteract. Rather than having one, central deobfuscating function, each of such operations is done inline. Examples:

API obfuscation

As well as the strings, some of the APIs used by the malware are obfuscated. Functions are retrieved by their checksums, which is a common trick used by malware, in order to avoid hardcoding names of the functions which may rise suspicions. Which is lesser common though, is that the function resolving the API is also used as an inline.

This way of obfuscating API calls not only hides the used functions, but also adds volume to the code, making it more unreadable and difficult to follow.

Yet, it is easy to reveal the used function names with the help of tracing and tagging. Example – the above obfuscated function resolved to GetLogicalDrives:

Attacked targets

The ransomware encrypts all attached drives.

Additionally, unless the argument (‘n’) was given from the commandline, the ransomware proceeds to encrypt network shares. Available resources are being enumerated in a loop:

The accessible network shares are getting encrypted:

From each medium, the files are first added to the list. Then, the created list is processed by the encryption routine.

Files with the following extensions are being attacked:

ndoc docx xls xlsx ppt pptx pst ost msg eml vsd vsdx txt csv rtf wks wk1 pdf dwg onetoc2 snt jpeg jpg docb docm dot dotm dotx xlsm xlsb xlw xlt xlm xlc xltx xltm pptm pot pps ppsm ppsx ppam potx potm edb hwp 602 sxi sti sldx sldm sldm vdi vmdk vmx gpg aes ARC PAQ bz2 tbk bak tar tgz gz 7z rar zip backup iso vcd bmp png gif raw cgm tif tiff nef psd ai svg djvu m4u m3u mid wma flv 3g2 mkv 3gp mp4 mov avi asf mpeg vob mpg wmv fla swf wav mp3 sh class jar java rb asp php jsp brd sch dch dip pl vb vbs ps1 bat cmd js asm h pas cpp c cs suo sln ldf mdf ibd myi myd frm odb dbf db mdb accdb sql sqlitedb sqlite3 asc lay6 lay mml sxm otg odg uop std sxd otp odp wb2 slk dif stc sxc ots ods 3dm max 3ds uot stw sxw ott odt pem p12 csr crt key pfx der dat

How the encryption works

Avos uses two strong encryption algorithms. Symmetric: AES – to encrypt files, and asymmetric: RSA – to encrypt the generated AES keys. This is a very common combo which provides strong data protection. It is also often used by variety of ransomware.

The RSA Key

As mentioned before, the RSA Public key may be hardcoded in the Avos sample. In the analyzed case, the following Public Key was hardcoded:

In case of lack of thereof, a new keypair is generated. The Public Key is stored for the further use, and the private key is logged on the screen, as the information for the attacker.

The same Private Key is also dumped in each ransom note, instead of the ID:

This suggests that this mode was created only for testing purposes, and it not intended to be used on victims. Only the mode with the Public Key hardcoded is usable in real attack scenarios.

File encryption

Before the malware proceeds to encrypt particular file, it first retrieves a list of associated processes, that may be blocking the access:

The list is retrieved with the help of RmGetList:

If any processes has been found, they are being terminated. Then the malware proceeds with encryption.

For each file, an AES key generated by a previously deployed routine is retrieved and used to initialize AES context.

After that, the AES encryption is applied on the file content.

The file is encrypted in-place (without creating additional copy), in 64-byte long chunks. A chunk of a plaintext is read, encrypted, and written back to the original file.

As we observed during the behavioral analysis, the block with the RSA encrypted, base64-encoded AES key is written at the end.

AES key generation

The generation of random keys is deployed in the function enumerating the files of a particular directory, prior to the encryption. For each listed file a new key and Initialization Vector are generated, and stored for further use.

As default, the cryptographically strong random generator is used. However, if for some reason this strong generator fails, it falls back to the naive generator (based on the standard rand() function).

This may render a flaw in the full encryption scheme. However, the chance of the strong random generator failing is too small to consider worth the attention in real life scenarios.

The malware fetches a buffer of 512 random bytes per each file, and then generates out of this a 64-character long string for the key, and a 32-characters long string for the Initialization Vector.

This key and the initialization vector are further passed to a function initializing AES context. Although the created key is 64 bytes long, we must note that only 32 first characters are going to be used. Similarly, in the case of the Initialization Vector, only first 16 bytes matter. Both strings are treated as ASCII.

Preview of the file encrypted with the presented key/IV set:

Example – a ChyberChief recipe decrypting the aforementioned file, using the key and initialization vector dumped from the memory:

Valid implementation, unimpressive design

AvosLocker does not distinguish itself much from other ransomware (apart from being unusually noisy). All its features are average. Its encryption scheme seems implemented correctly, so recovering the data is not possible without obtaining the original Private Key for a particular sample. It also uses a well-established pair of algorithms: RSA and AES. Although it contains some inconsistencies in the implementation, they do not impact the main goals of this malware.

We didn’t find in the sample any routines responsible for uploading the stolen files. Yet, since the model of the delivery of this ransomware assumes manual access, it is possible that the data exfiltration is done manually by the attackers.

AvosLocker meets its objective by being a simple tool assisting in the manual attacks, and creating the expected damage.

Protection and recommendations

• Keep software up-to-date and turn on automatic updates whenever possible
• Enforce strong password policies and multi-factor authentication (MFA)
• Perform backups and periodically test restoring them
• Reduce attack surface by removing unused or unnecessary services
• Mitigate brute-force attacks (this is a feature in our Nebula product) 
• Enable tamper protection to prevent attackers from uninstalling your security software (this is a feature in our Nebula product)

AvosLocker is detected without specific signatures by Malwarebytes’ anti-ransomware technology:

Indicators of Compromise

43b7a60c0ef8b4af001f45a0c57410b7374b1d75a6811e0dfc86e4d60f503856

The post AvosLocker enters the ransomware scene, asks for partners appeared first on Malwarebytes Labs.

A very serious security flaw in immensely popular printer drivers has been disclosed and it could affect many millions of Windows systems. The printer driver was issued by HP, but it’s also in use by Samsung and Xerox. All the affected printers are laser printers.

The most surprising about this find is probably that the vulnerability apparently has existed since 2005 and was only found 16 years later.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. The vulnerability has been listed as CVE-2021-3438 and it is a potential buffer overflow in the software drivers that can be abused to achieve an escalation of privilege.

Vulnerabilities also often receive a severity rating on the CVSS scale. This vulnerability received an 8.8 out of 10 rating on the CVSS scale, which puts it in the high-severity range.

What is a buffer overflow?

A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches an address boundary and writes into an adjacent memory region. Buffer overflows can be used to overwrite useful data, cause network crashes, or replace memory with arbitrary code that the instruction pointer later executes.

In this case the buffer overflow can be used to get administrator permissions on the system as a normal user. So any attacker that wants to use this vulnerability will first need some kind of access to the system. But once they have access they can use the vulnerability to get permissions to install programs, view, change, or delete data, and encrypt files. The vulnerable driver is loaded when the systems boots, so the printer doesn’t even have to be connected to the system anymore for this vulnerability to work. Even worse, the user may not even be aware of the presence of the vulnerable driver.

Discovery

The vulnerability was discovered more or less by coincidence by researchers at SentinelLabs when they were configuring a brand new HP printer. In their post about the vulnerability they state:

“Many of these drivers come preloaded on devices or get silently dropped when installing some innocuous legitimate software bundle and their presence is entirely unknown to the users. These OEM drivers are often decades old and coded without concern for their potential impact on the overall integrity of those systems.”

After the discovery on Feb 18, 2021  the researchers engaged in an “open-ended process of vulnerability discovery.” Which means they spoke to vendors and manufacturers to makes sure the vulnerability had a patch before it could be exploited in the wild. So far as we know, this vulnerability has not been seen abused in the wild yet. But after disclosure and publication of the patches, which will no doubt be reverse engineered, this can happen anytime soon.

Mitigation

HP offers an update to patch the vulnerability. The immense list of affected products can be found at the HP site about the vulnerability. To obtain the update you can go to the HP Software site and search for your printer model, even if that is a Samsung model.

If there is an update for your printer you will see something similar to this after clicking on the Software, Drivers and Firmware button.

From there your can use the Download button to obtain the update and install it. If you are looking for the update because you have an affected Xerox laser printer you can visit the Xerox Support portal where it is available for download.

So far we have found three ssport.sys files that are vulnerable. If you are unsure whether you have such a file on your system check the ssport.sys file in your %windir%system32drivers directory. If it matches one of these SHA-256 hashes:

7cc9ba2df7b9ea6bb17ee342898edd7f54703b93b6ded6a819e83a7ee9f938b4

d3c763fb3f8ca7059a1d124e46014c9b578acef2fdc017f751642e2c66b7b8cc

789d98a3ad0c51e6d6ba6d907b4dbf96040ef244d71b8d53c95bb44ebc8f684b

it is a driver that pre-dates the date of the initial report, so it is very likely vulnerable and needs to be replaced.

Stay safe, everyone!

The post Millions of Windows machines affected by ancient printer vulnerability appeared first on Malwarebytes Labs.

Doxing (or doxxing) is in the news again, for an absolutely shocking story that ended with a man’s death caused by a swatting attack. If you don’t know what doxxing or swatting are, don’t worry. We’ll explain it all.

The doxing 101

Doxing someone is a technique going back to the 90s. Back then, everyone was typically very anonymous online and stripping that anonymity away was a powerful weapon.

I’d argue it really came to prominence in mainstream terms during the massive boom in social media. Bad people very quickly realised huge amounts of personal data was lurking on sites such as MySpace, just out of reach. Once obtained, chaos and mayhem were the inevitable end result. In that time period, roughly between 2007 to 2010, law enforcement was generally struggling to keep up. If you ended up in Internet trouble with trolls and / or doxers, you were essentially on your own.

Not a great position to be in.

The Swatting 101

Prank calls to emergency services have been around forever. The difference here is swatting calls come with the threat of injury or death. The technique involves calling emergency services and telling the operator someone is about to commit suicide, or a family is at risk from an intruder, or perhaps they’ve witnessed someone brandishing a weapon. Whatever it takes to get law enforcement to turn up expecting trouble.

The name swatting comes from the US-based Special Weapons and Tactics teams (SWAT) used to deal with violent and dangerous situations. Swatting became a go-to tactic in gaming circles. Aggrieved gamers would get busy doxing after fallouts over online matches, with inevitable consequences. As streaming is now a default for many gamers, more and more examples of swatting are caught on camera. Everyone from 12 year olds to people gaming in business premises are at risk.

The problem is so bad that law enforcement frequently create tactics to help mitigate the threat to innocent people. Real world pranking can range from mildly amusing to incredibly annoying, but the trouble is people can and do take it to extremes. Swatting is, as you’d guess, a “prank” at the absolute extreme end.

Jail time after man dies of swatting-induced heart attack

What happened here is an awful combination of threats, harassment, social engineering and swatting. A desire to obtain “rare” social media handles led individuals to pressure victims into handing them over. A lot of it sounds like the usual thing you’d expect from doxing: pizza delivered to the door, that kind of thing.

However, it quickly escalated into all manner of malicious tactics designed to steal away desirable usernames. Bomb threats, SIM swap attacks, and even fake dating meetings which involved unsuspecting dates walking into one victim’s home as if they were expected.

Eventually, one victim’s address was posted into a Discord chat. The inevitable swat attack took place, and they died of a heart attack after crawling under a fence at the behest of police officers.

60 months in prison is the end result for 18-year-old Tennessee man Shane Sonderman, one of the people involved in what the judge described as these “almost unspeakable” crimes, and the person who posted the victim’s address to Discord. Sonderman’s sentence is the maximum the law allows.

Steering clear of swatting

Protecting yourself from swatting isn’t exactly easy, and a lot depends on whether your local law enforcement regularly deploy with weaponry. There are certainly ways to minimise the threat in relation to personal information exposure. However, much of that is down to warding off social engineering attacks and good OPSEC. All the same, it’ll help in all situations including potential swat attempts so it’s win-win.

This story is a shocking reminder that far too many people out there are willing to casually endanger lives over nothing more than videogames, social media accounts, or even just plain old boredom. We need to do everything we can to ensure our risk from such attacks is as minimal as it can possibly be.

The post 5 years for swatter who caused a man’s death for a Twitter handle appeared first on Malwarebytes Labs.

On July 18, a group of 17 newspaper and media organizations—aided by Amnesty International’s Security Lab and the research group Citizen Lab—revealed that one of the world’s most advanced and viciously invasive spyware tools had been used to hack, or attempt to hack, into 37 mobile phones owned by human rights activists, journalists, political dissidents, and business executives.

The spyware, called Pegasus and developed by the Israeli company NSO Group, is reportedly instrumental to several governments’ oppressive surveillance campaigns against their own citizens and residents, and, while NSO Group has repeatedly denied allegations that it complicitly sells Pegasus to human right abusers, it is difficult to reconcile exactly how the zero-click spyware program—which non-consensually and invisibly steals emails, text messages, photos, videos, locations, passwords, and social media activity—is at the same time a tool that can, in its very use, respect the rights of those around the world to speak freely, associate safely, and live privately.

Pegasus is spyware, and spyware is not made to respect privacy. It erodes it.

What may be most upsetting about Sunday’s bombshell reporting is that the cybersecurity community has known about Pegasus for years. Antivirus vendors detect it. Digital forensics labs know how to catch it. And between 2016 and 2018, more than 1,000 IP addresses were found to be associated with it.

With tools like Pegasus that can be abused on a global scale, we take on too big a risk. When weaponized by authoritarian governments, surveillance chills free speech, scares away dissent, and robs an innocent public of a life lived unwatched, for no crime committed other than speaking truth to power, conducting public health research, or simply loving another person.

It enables abuses like the mobile phone hack of Hatice Cengiz, former fiancée of murdered Washington Post columnist Jamal Khoshoggi. After the world learned that her phone was hacked, she wrote:

“I am deeply shocked that I have been targeted while I was in such pain waiting to find out what had happened to Jamal. This was the worst time of my life and yet the killers were spying on me. They have no shame. They must be brought to justice.”

Pegasus in theory

According to NSO Group, its main spyware program is a beneficial tool for investigating and preventing terrorist attacks and maintaining the safety of the public. In answering questions from the group of 17 media organizations—which published their findings under the name “The Pegasus Project”—NSO Group said:

“Simply put, NSO Group is on a life-saving mission, and the company will faithfully execute this mission undeterred, despite any and all continued attempts to discredit it on false grounds.”

After The Pegasus Project published its initial findings on Sunday, NSO Group’s chief executive Shalev Hulio spoke with The Washington Post about concerns he had about how his company’s software has been used against journalists and human rights activists.

“The company cares about journalists and activists and civil society in general,” Hulio said. “We understand that in some circumstances our customers might misuse the system and, in some cases like we reported in [NSO’s] Transparency and Responsibility Report, we have shut down systems for customers who have misused the system.”

Hulio told The Washington Post that his company had terminated the contracts of two customers because of allegations of human rights abuses, but, according to the paper, he refused to disclose which accounts were closed.

NSO Group’s explanations are just one half of the story, though, because, in reporting out Sunday’s revelations, The Pegasus Project also asked potentially responsible governments why they used Pegasus to hack the mobile phones of dissidents and reporters. The governments in question either denied using Pegasus at all—like Rwanda’s foreign affairs minister said—or they claimed that any surveillance carried out by their governments was lawful—like Hungarian Prime Minister Viktor Orban’s office did.

Similarly, the government of India rebuffed any allegations that it wrongfully used Pegasus to conduct surveillance. Any interception of messages, the government said, is approved at several levels of the government in accordance with several laws.

“In India, there is a well established procedure through which lawful interception of electronic communication is carried out in order for the purpose of national security, particularly on the occurrence of any public emergency or in the interest of public safety, by agencies at the Centre and States,” the government said. “The requests for these lawful interception of electronic communication are made as per relevant rules under the provisions of section 5(2) of Indian Telegraph Act, 1885 and section 69 of the Information Technology (Amendment) Act, 2000”

The twin stories that NSO Group and its clients tell, then, is that Pegasus is a necessary tool to maintain safety, and that the use of Pegasus is legal within a country’s own surveillance regime.

NSO Group has also said that its tool is increasingly necessary in an era when end-to-end encryption is widely available to criminals.

“Terror organizations, drug cartels, human traffickers, pedophile rings and other criminal syndicates today exploit off-the-shelf encryption capabilities offered by mobile messaging and communications applications,” NSO Group told The Pegasus Project. “These technologies provide criminals and their networks a safe haven, allowing them to ‘go dark’ and avoid detection, communicating through impenetrable mobile messaging systems. Law enforcement and counterterrorism state agencies around the world have struggled to keep up.”

This trend can be true—end-to-end encryption is more widely available today than ever before, offered in several consumer apps on both Android and iOS devices—while also overblown. As Malwarebytes Labs has written before, the “going dark” problem is often overstated, and the solution to that problem, to make “safe backdoors,” is also technologically impossible.

Importantly, though, if Pegasus was actually a critical tool to stop crime, it could be proven. In practice, however, The Pegasus Project found that the targets of Pegasus are not “terror organizations, drug cartels, human traffickers, pedophile rings” or “other criminal syndicates,” but rather reporters, scientists, romantic partners, and potentially heads of state

Pegasus in practice

On Sunday and in the days following, The Pegasus Project revealed the broad cast of victims it believes have been targeted with Pegasus spyware.

In its reporting, The Pegasus Project relied on a list of 50,000 phone numbers obtained by the French journalism nonprofit Forbidden Stories. The reporters believe the 50,000 phone numbers are a list of phone numbers that have been targeted using Pegasus spyware. The list also includes timestamps for each phone number entry, which the reporters believe shows when a phone was potentially first targeted by a Pegasus operator.

In the investigation, the reporters contacted dozens of the individuals who the listed phone numbers belonged to, eventually obtaining 67 mobile devices that they believed had been targeted by the spyware.

The 67 devices were first analyzed by Amnesty International’s Security Lab, which looked for traces of Pegasus spyware and for malicious text messages that, if clicked, were known to exploit device zero-day vulnerabilities to install the Pegasus spyware and hack into phones. Amnesty International’s work was separately verified by Citizen Lab, a research institution at the University of Toronto that focuses on technology and human rights.

In the investigation, The Pegasus Project found signs of successful or attempted hacking by Pegasus spyware on 37 devices. The remaining 30 devices produced inconclusive results.

The list of phone numbers—which NSO Group denied is a list of Pegasus targets—included 14 politicians, including three presidents, 10 prime ministers (three current and seven former), and one king.

The three presidents are France’s Emmanuel Macron, Iraq’s Barham Salih, and South Africa’s Cyril Ramaphosa. None of the heads of state offered their mobile devices to The Pegasus Project, making it impossible to know if the devices had been hacked or had received malicious text messages that could result in a hack.

The possible use of Pegasus against presidents, prime ministers, and princesses is just that: Possible. But remember that The Pegasus Project found evidence of hacking or attempted hacking on 37 of the 67 mobile devices it tested.

From the facts reported so far, the use of Pegasus against those individuals bears no marking of anti-terrorist, pro-security, or counterintelligence work at all.

For instance, why was Pegasus used to hack into the phone of reporter Khadija Ismayilova, whose investigative work has revealed corruption within Azerbaijan’s ruling family?

Why was Pegasus silently implanted onto the iPhone 11 of Claude Magnin, Paris resident and  wife of the political activist Naama Asfari, who was jailed and allegedly tortured in Morocco?

Why was Pegasus used to hack into the phones of the wife and separate fiancée of Washington Post columnist and critic of the Saudi Arabian government Jamal Khoshoggi, who, according to the Biden Administration, was murdered and dismembered with approval from Saudi Arabia’s Crown Prince?

And why did a Pegasus operator send malicious texts to one scientist and two nonprofit directors who actively supported a banal soda tax in Mexico? Or why did a Pegasus operator similarly send text messages to Mexican journalist Raphael Cabrera that, if clicked, could have reportedly resulted in a Pegasus infection of his iPhone 6?

This is not security work. This is surveillance.

A dangerous industry

Pegasus is not new. The company behind it launched in 2010, and it reportedly gained its first overseas customer just one year later. For years, Citizen Lab has been tracking the spread of Pegasus, searching for government clients and tracking down mobile devices that were hacked by the spyware. Back in 2016, the group’s investigations helped spur MacOS updates to fix severe vulnerabilities that could have been exploited by Pegasus. In 2018, Citizen Lab also identified 45 countries that were potentially relying on Pegasus to conduct surveillance.

More recently, NSO Group’s activities spilled into American news when Facebook blamed the Israeli company for exploiting a vulnerability in WhatsApp in 2019. Facebook-owned WhatsApp later sued NSO Group for allegedly using this vulnerability to allow Pegasus users to hack 1,400 devices. The lawsuit is still proceeding, and it has gained the support of Microsoft, Google, Cisco, and VMWare.

We have known about these problems for years. We can no longer turn a blind eye to this type of abuse. Two years ago, a group of cybersecurity vendors, digital rights activists, and domestic violence support networks came together to launch the Coalition Against Stalkerware, recognizing the interdisciplinary need to protect users from the threat of intimate partner surveillance.

We hope the same energy can be captured today.

After learning about the findings from The Pegasus Project, former NSA defense contractor and surveillance whistleblower Edward Snowden warned that spyware is not a small problem. It is, he said, everywhere, and it needs to be stopped.

“When I look at this, what the Pegasus Project has revealed is a sector where the only product are infection vectors, right? They don’t—they’re not security products,” Snowden said. “They’re not providing any kind of protection, any kind of prophylactic.”

“They don’t make vaccines. The only thing they sell is the virus.”

The post Pegasus spyware has been here for years. We must stop ignoring it appeared first on Malwarebytes Labs.

Users with low privileges can access sensitive Registry database files on Windows 10 and Windows 11, leaving them vulnerable to a local elevation of privilege vulnerability known as SeriousSAM or HiveNightmare.

Doesn’t sound serious? Reassured that users must already have access to the system and be able to execute code on said system to use this vulnerability? Don’t be.

Using SeriousSAM, a user can access multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. The attacker would then have full control, which means they can install programs, view, change, or delete data, and create new accounts with full user rights. Which is exactly what an attacker wants.

My mama said

SAM stands for Security Accounts Manager and it is supposed to be a protected database that can only be accessed by users with Adminstrator privileges. This was designed as such because the database contains the hashed passwords for all users on a system.

Now, I’ve always been taught that anyone with physical access to your system, and enough knowledge, can take it over. One of the reasons why this is true is that the “holder” of the system can dump those sensitive Registry database files when Windows is not running.

When Windows is not running the registry is not “mounted” and the “access violation” protection is inactive, since to another operating system (OS) they are just files like any other. You can see the caveat there. You need to look at the files from an external OS to pull this off. (I will leave the “how to” do that to your imagination.)

While dumping a registry hive from an inactive Windows machine like that may sound daunting to some, and difficult for malware to pull off, SeriousSAM makes it much easier. SeriousSAM removes the need for that external OS, and for Windows to be off, making it a much more achievable trick. It allows users (or malicious programs inadvertently run by those users) to bypass the “access violation” protection on the computer they’re using, while it’s running.

Pass the hash

“But the passwords are hashed!”, I heard you thinking. In that case, meet pass-the-hash attacks.  Windows NT LAN Manager (NTLM) is a challenge-response authentication protocol used to authenticate a client to a resource on an Active Directory domain. When the client requests access to a service associated with the domain, the service sends a challenge to the client, requiring the client to perform a mathematical operation using its authentication token, and then return the result of this operation to the service. The service may validate the result or send it to the Domain Controller (DC) for validation. If the service or DC confirm that the client’s response is correct, the service allows access to the client. Sounds secure, right? Well, the fun part is that with the hash you have enough information to perform that “mathematical operation” required to gain access. The authentication process does not require the plaintext password. The hash is enough.

So, pass the hash is the name for a technique that allows an attacker to authenticate to a remote server or service by using the hash of a user’s password, instead of requiring the associated plaintext password as is normally the case.

Made easy

The vulnerability we have been referring to as SeriousSAM is listed as CVE-2021-36934 and while it is unclear exactly which versions of Windows are vulnerable, it looks as if some versions of Windows 10 and all versions of Windows 11 are affected, as long as System Protection, aka Shadow Volumes, is enabled. The Microsoft advisory says “…we can confirm that this issue affects Windows 10 version 1809 and newer operating systems”. The company is researching the issue and we will update this post once we know more.

The vulnerability got its other name, HiveNightmare, because it affects registry hives, and as a reference to the recently discovered PrintNightmare vulnerabilities in the Windows Print Spooler service. I think it’s a better name for this vulnerability because SAM is not the only sensitive Registry database that’s affected. Others  are all stored in the %windir%system32 config folder, as is SAM. They are SYSTEM, SECURITY, DEFAULT, and SOFTWARE. Which means there might be more options for hackers with limited access to raise privileges or achieve remote code execution waiting to be found.

The underlying problem is, in Microsoft’s own words “overly permissive Access Control Lists (ACLs) on multiple system files”. Those lax permissions are carried over into the Shadow copies where the files are unmounted and as unprotected as the files on the dormant computer my mother warned me about. So, any user can dump the database from the Shadow copy and as such create a readable database.

Shadow Volumes are enabled by default so that doesn’t bring the number of systems at risk down a lot. It is a useful option, but in this case it is also what enables this vulnerability.

Mitigation

While Microsoft is expected to come up with an out-of-band patch for this vulnerability, there are some things you can do to defeat the vulnerability. Whatever you do to address problem, note that fixing the cause does not necessarily fix broken permissions in shadow copies you have already taken.

You can find some useful commands for discovering if your systems have Shadow copies enabled, and whether they are vulnerable in the CERT advisory. The advisory notes that “simply having a system drive that is larger that 128GB in size and then performing a Windows Update or installing an MSI will ensure that a VSS shadow copy will be automatically created.”

Microsoft recommends restricting access to the problematic folder and deleting Volume Shadow Copy Service (VSS) shadow copies to mitigate this issue.

Restrict access to the contents of %windir%system32config

• Open Command Prompt or Windows PowerShell as an administrator.
• Run this command: icacls %windir%system32config*.* /inheritance:e

Delete Volume Shadow Copy Service (VSS) shadow copies

• Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%system32config.
• Create a new System Restore point (if desired).

Note: Deleting shadow copies could impact restore operations, including the ability to restore data with third-party backup applications.

The post HiveNightmare zero-day lets anyone be SYSTEM on Windows 10 and 11 appeared first on Malwarebytes Labs.

We’ve written at length about account compromise and identity theft, and how criminals will often hijack accounts belonging to dead people. In many ways, it’s the perfect crime for anyone indulging in social engineering.

The amount of abandoned accounts due to death can only ever go up, and nobody is really paying attention if someone accesses them illicitly. By the same token, crooks grabbing ID’s during a disaster (natural or otherwise) is a good fit for bad people. Governments and rescue organisations are busy looking for folks and sorting out the problem. The moment victim details are released and / or leaked, the possibility for fraud is there. It could be days, or weeks before someone realises what’s happening. By that point it could already be too late.

Digging into identity theft

Depending on the region, identity theft of the dead can take many forms. In the US, for example, there were concerns back in 2012 over public access to something called the “Death Master File”. There were also plenty of concerns about this problem on a broad scale. Millions of dead people each year having their identities stolen, and around 800,000 instances of credit applied for in their names?

You bet. If this happens close to the time of the person’s death, it can easily disrupt and complicate a situation which is bad enough to deal with as it is. In the aftermath of the Japanese Earthquake / Tsunami in 2011, identity assistance was in so much disarray generally that most ID scams we saw focused on pretending to be charities as opposed to victims.

It stands to reason they’re probably more likely to swipe data from smaller, more local disasters than those on a much larger scale. Bigger events tend to cause scammers to gravitate towards mass donation charity fakeouts in any case.

When scammers strike

The latest example of this particularly distasteful trend came to light a few days ago. Scammers simply monitored unfolding news of a partial 12 story building collapse in Surfside, Florida that has so far claimed 90 lives. As names of victims were released, the scammer tried to exploit their identities. Relatives of the deceased are being urged to check credit accounts in case something untoward has taken place.

At time of writing, no further details have been released. We can only hope law enforcement has some idea who is behind this one, and that more information will be forthcoming soon. So far, the only comment available is one which says they’re protecting the integrity of the case, and also preventing further victimization.

Speaking to WPLG Local 10, Surfside Mayor Charles Burkett channelled the town’s revulsion, warning “[the police department] are out there looking. I wouldn’t want to be that person right now.”

Preventing identity theft

This can be a contentious topic, especially when credit score agencies themselves are at risk from attacks of the most severe variety. There’s also considerable concern over various types of identity theft protection services. With those caveats out of the way:

• Here’s a run-down of how you can protect yourself from any breach which affects a credit score agency you happen to have shared your data with.
• We cover a lot of ground with regards warding off various types of tax identity theft.
• Did you know child identity theft is a thing? Because it absolutely is. We’ve covered this topic at length in not one, but two articles.

Away from our blog, there’s a couple of other articles you may wish to also check out. The Experian blog explains some of the different types of common identity theft. Mail, credit card, online shopping, biometric, and synthetic. There’s something for everyone. They also have another article which details some of the ways scammers can misuse your data. Finally, Equifax list some of the methods you can deploy to keep your social media identity secure.

It’s not like there’s a huge amount we can do to secure our accounts or identity once we’re gone, but we can certainly be proactive about it while still able to set the wheels in motion.

The post ID theft ghouls targeting Surfside victims is appalling, but no surprise appeared first on Malwarebytes Labs.

Whether you’ve read up on Greek mythology or you’re simply a big fan of Marvel comics, the name “Zeus” should be familiar to you. In the context of cybercrime though, ZeuS (aka the Zbot Trojan) is a once-prolific malware that could easily be described as one of a handful of information stealers ahead of its time. Collectively, this malware and its variants infected millions of systems and stole billions of dollars worldwide.

ZeuS was primarily created to be a financial or banking Trojan, otherwise known as crimeware. But, as you’ll see, the extent of its information stealing ability could easily go beyond covertly pilfering financial information, making it a real threat to individuals and organizations of all sizes.

First spotted in-the-wild in 2007, the earliest known version of the ZeuS Trojan was caught stealing sensitive information from systems owned by the United States Department of Transformation. It was believed that ZeuS originated in Eastern Europe. ZeuS affiliates focused their efforts away from corporations and large banks, going after small- to medium-sized organizations, including towns and churches, according to the Federal Bureau of Investigation (FBI).

ZeuS usually arrives via phishing campaigns, spam campaigns, and drive-by downloads. However, this is easy to change and anyone motivated to conduct financial fraud can easily change who they target and how they want their ZeuS to be delivered. Victims have been infected by ZeuS variants via instant messengers (IM), messaging features in social media platforms, and even a pay-per-install (PPI) service—a way to distribute ads to users that a ZeuS user employed for their campaigns.

Once a machine gets infected, ZeuS immediately steals information from web browsers and Windows’ protected storage (PStore), such as banking or financial information and stored account credentials, respectively. All stolen data are siphoned off via a command & control (C&C) server.

Furthermore, any system infected with ZeuS also becomes a bot in a botnet. A kind of illegal Cloud computing platform that can be rented out to other criminals. These bots were also used to remotely update the ZeuS variants residing in them.

To date, there are 545 versions of the ZeuS Trojan, according to a website called ZeuSMuseum.com.

How mighty is the ZeuS Trojan?

A ZeuS Trojan toolkit can be fashioned to do a number of things both for the fledgling and adept fraudster.

ZeuS lurks inside infected machines as it stealthily monitors the websites users visit. It recognizes when a user is on a banking website, for example, and then records keystrokes when the user logs into the site. Because of this, fraudsters can easily log back into that banking account using the recorded keystrokes.

Some variants of ZeuS also affect mobile devices that run Android, Symbian, and Blackberry. ZeuS is the first information stealing malware that steals Mobile Transaction Authentication Numbers (mTANs), a type of two-factor authentication (2FA) method that banks use when you want to perform transactions. An mTAN, also called SMS TAN code, is usually a 6-digit number that is unique per transaction and is sent via SMS.

ZeuS steals information in a number of ways, including: Stealing user keystrokes; collecting the text users enter into web forms; taking screenshots whenever the mouse is clicked; so-called man-in-the-browser (MiTB) attacks that add new elements to web forms asking for things like social security numbers or bank PINs.

As to what, exactly, ZeuS steals, here is non-exhaustive a list provided by the SecureWorks security researchers:

• Data submitted in HTTP forms
• Account credentials stored in the Windows Protected Storage
• Client-side X.509 public key infrastructure (PKI) certificates
• FTP and POP account credentials
• HTTP and Flash cookies

ZeuS is also capable of re-encrypting itself every time it infects a system, making each infection “unique” and therefore harder to detect.

Many researchers attribute ZeuS’s ability to stay under the radar for long periods of time as the main reason why it became the most sought-after info-stealer kit in the underground market during its time. It’s likely that ZeuS infected millions of computers, with many victims not realizing that their sensitive data had fallen into the hands of criminals and that their computer was part of a botnet.

The ZeuS developers also put a lot of effort into protecting their malware. According to SecureWorks, ZeuS 1.3.4.x, a privately sold version of the kit, is protected via a hardware-based licensing system. Also known as hardware-locked licensing, this system allows the kit to be installed on only one computer.

The “fall” of ZeuS Trojan

In 2011, the source code for ZeuS 2.0.8.9 was leaked. Some groups or individuals started offering the use of ZeuS botnets on a subscription basis. According to a case study on ZeuS from students at the University of Cambridge, this “maximises earnings by providing the same service to multiple users. For the user of the service, the benefits are in a reduction in the initial financial outlay, while outsourcing the logistical and maintenance requirements, and reducing the risk of failure to achieve results.”

Cybercriminals also began creating their own ZeuS-based information stealers, make ZeuS itself something of a footnote. Citadel, GameOver, Panda Banker, Terdot, Floki, and Sphinx are some of the known ZeuS variants to date.

Before the code leak, it was rumored that the ZeuS creator would be retiring and then selling his code to a competitor called SpyEye, an up-and-coming information stealer that made heads turn for being able to remove ZeuS infections. There had been reports of a code hand-over, yes, further confirming the merging of the two malware, but the ZeuS creator didn’t quit. According to a report from Brian Krebs, the creator merely stopped selling it publicly and started creating “a more robust and private version of Zeus” instead.

In 2013, the FBI charged and arrested Aleksander “Harderman” Panin, a 24-year-old Russian male believed to be the creator of the SpyEye Trojan. That same year, Hamza Bendelladj, a 24-year-old Algerian male, was arrested and charged for developing components of SpyEye, operating botnets infected with SpyEye, and of course, fraud charges.

Is ZeuS dead?

As long as criminals continue to use bits and pieces of its code to create their own malware, ZeuS can’t be considered dead, so much as fading away slowly. However, ZeuS’s purpose, data theft, is making a comeback.

Banking trojans haven’t gone away, but in recent years their activity has been eclipsed by an epidemic of ransomware. Recently though, major ransomware operators have taken to stealing victims’ data before encrypting it, so they can threaten to leak it.

The tactic has been so successful that some ransomware actors claim to be moving away from encrypting files, and focussing entirely on finding and exfiltrating sensitive data from organisations.

In fact, following a devastating attack on Ireland’s public health system, the Conti ransomware gang issued the Health Service Executive (HSE), a free decryption key to unlock all of their affected files, convinced that simply publishing and selling the data they had stolen was leverage enough.

How long I wonder, before information stealers are another thing Biden will be phoning Putin for?

The post The life and death of the ZeuS Trojan appeared first on Malwarebytes Labs.

Do you remember back when the latest urgent update was a vulnerability in Microsoft Exchange? How is that only four months ago? The trigger for the urgent advice in March was the fact that Microsoft detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. Microsoft attributed the attacks to a group they have dubbed Hafnium.

Hafnium at the time was a newly identified attack group that was also thought to be responsible for attacks on internet-facing servers, and which was known for exfiltrating data to file sharing sites. Its targets were mainly entities in the United States across a number of industry sectors. Despite the group’s use of leased servers in the US, Microsoft believed it was based in China.

The attack method used against the Exchange servers was called ProxyLogon. ProxyLogon quickly went from “limited and targeted attacks” to a full-size panic. Microsoft’s patches for the Exchange vulnerabilities were quickly reverse engineered. Before long attackers from everywhere in the world and every level of cybercrime were using the bugs to access vulnerable servers before establishing web shells to gain persistence and steal information.

Attribution

As most security researchers will tell you, attribution is hard, especially when it involves international espionage. Nonetheless, the US, UK, EU, and NATO have simultaneously voiced their concern about what they say is the People’s Republic of China’s (PRC) irresponsible and destabilizing behavior in cyberspace.

Australia, Japan, New Zealand and Canada have also joined the coalition that are exposing further details of the PRC’s pattern of malicious cyber activity and taking further action to counter it. One of the elements of the exposure is to confirm that Chinese state-backed actors were responsible for gaining access to computer networks around the world using ProxyLogon attacks against Microsoft Exchange servers.

The US Department of Justice also announced criminal charges against four hackers from the Chinese Ministry of State Security, the country’s unofficial espionage institution (the same organization that the UK named as the culprit behind the cyberattacks on Microsoft Exchange servers that took place earlier this year). The indictments against Ding Xiaoyang, Cheng Qingmin, Zhu Yunmin and Wu Shurong are believed to be a part of this broader set of actions the federal government took to expose cybercrimes the White House officials say are sponsored and encouraged by the Chinese government.

The allies are also attributing the Chinese Ministry of State Security as being behind activity known by cyber security experts as “APT40” and “APT31”. It is rare to see such a unified and orchestrated reprimand against one of the world’s leading economies, but so far that seems to be as far as it goes. We have not seen any sanctions to be announced.

Sanctions

The EU has urged China to adhere to the “norms of responsible state behaviour as endorsed by all UN member states”, and not allow its territory to be used for malicious cyber-activities, and “take all appropriate measures and reasonably available and feasible steps to detect, investigate and address the situation”.

The UK is calling on China to “reaffirm the commitment made to the UK in 2015 and as part of the G20 not to conduct or support cyber-enabled theft of intellectual property of trade secrets.”

When asked about the Microsoft hack, Joe Biden said one reason the US has not imposed sanctions against China over the cyberattacks is that the Chinese government, not unlike the Russian government, is not doing this themselves, but are protecting those who are doing it and maybe even accommodating them being able to do it.

In the past the EU imposed its first-ever sanctions in response to cyberattacks in July 2020, targeting Russian, Chinese and North Korean hackers involved in major incidents in previous years, namely the NotPetya ransomware outbreak, Cloud Hopper supply-chain hack, and WannaCry ransomware attack. In October 2020, it imposed sanctions on two Russian intelligence officers and a unit of the GRU military intelligence services over their involvement in hacking the German parliament in 2015.

From state-sponsored to free-for-all

As we have seen with ProxyLogon, the impact of this type of state-sponsored cybercrime aren’t limited to states. Techniques used by state actors have a way of getting picked up by cybercriminals that will grab every opportunity to make a few extra bitcoins.

Just look at EternalBlue and the other SMB vulnerabilities – developed as NSA hacking tools – that came out of The Shadow Brokers leak. These vulnerabilities were quickly picked up by threat actors like  Emotet and TrickBot. EternalBlue was also the driving power behind WannaCry.

Observed tactics and techniques

The NSA, CISA, and FBI also issued a joint advisory containing more than 50 tactics, techniques, and procedures (TTPs) that Chinese state-sponsored cyber actors have used in attacks targeting the US and allied networks.

The post US, EU, UK, NATO blame china for “reckless” Exchange attacks appeared first on Malwarebytes Labs.

Last week on Malwarebytes Labs:

• DNS-over-HTTPS takes another small step towards global domination
• Nope, that isn’t Elon Musk, and he isn’t offering a free Topmist Dust watch either
• Four in-the-wild exploits, 13 critical patches headline bumper Patch Tuesday
• Is crypto’s criminal rollercoaster approaching a terminal dip?
• Ransomware’s Russia problem
• SonicWall warns users of “imminent ransomware campaign”
• What is scareware?
• Does using a VPN slow down your Internet?
• US offers huge reward in fight against state-sponsored cybercriminals

Other cybersecurity news:

• Kaseya finally started moving on after the ransomware attack from REvil. (Source: Kaseya CSA Incident Response)
• Attackers use non-malicious documents to disable macro security warnings before executing the malicious macro. (Source: The Hackers News)
• MageCart criminal gang used odd concatenation technique to hide their malware. (Source: Sucuri Blog)
• Mint Mobile suffered a data breach. (Source: BleepingComputer)
• Guess, the fashion retailer, suffered a breach, too. (Source: SecurityMagazine)
• SpoofedScholars phishers targets professors and writers who are experts about the Middle East. (Source: TechRepublic)
• Meanwhile, REvil seem to have disappeared. (Source: Endgadget)
• At this point, we lost count at the number of times TrickBot has come back. (Source: Gizmodo)
• Twitter verifying bot accounts raised a lot of questions regarding their process. (Source: The Daily Dot)
• Adobe releases critical patches for Reader, Acrobat, and Illustrator. (Source: Security Week)

Stay safe!

The post A week in security (July 12 – July 18) appeared first on Malwarebytes Labs.