IT News


Steer clear of this “TestNTrace” SMS spam

Yesterday I received an SMS from “TestNTrace”, with the message resembling an official NHS communication:


The text reads as follows:

NHS: You’ve been in close contact with a person who has contracted the Omicron variant. Please order a test kit via: [URL redacted]

Well, that’s an alarming thing to wake up to. However, not everything is as it first seems.

Health and (security) safety concerns

The first red flag is that this isn’t an official NHS URL. Additionally, there’s no explanation as to how or why they know I’ve “been in close contact” with somebody. Nevertheless, people will take this message at face value.

Receiving this will be especially concerning for anyone with specific health risks related to COVID-19 exposure. There are also a few reasons why this kind of spam message may prove successful in the current climate.

Testing times for…tests

It’s becoming increasingly difficult to obtain PCR tests in the UK. The rules have changed, leading to frequent delays and issues. Previously you could obtain free tests as and when you needed them. Now, tests are no longer free. As per the official guidance page:

If you’re in Scotland or Northern Ireland, you might be eligible to get a free polymerase chain reaction (PCR) test to check if you have coronavirus (COVID-19).

In England or Wales you can no longer get free PCR tests to check if you have COVID-19.

There are some exemptions, but they’re few and far between.

What this means in practice is a glorious opportunity for scammers and fakers to make even more money off the back of the pandemic. Scams targeting people with coronavirus themes are bad enough at the best of times. When you can’t even get hold of a test, it’s particularly ghoulish.

Digging into the website

The landing page resembles a standard UKGOV NHS page related to the pandemic. The links also all lead to genuine NHS sites and information portals.

[Image: Ordering a test kit]

It reads as follows:

Order (COVID-19) Omicron PCR test kit

The UK has decided to deploy test kits in response to the risks of the Omicron variant. COVID-19 cases have soared by their highest number since the start of the pandemic as the Omicron variant continues to spread rapidly.

Due to rising cases among fully vaccinated patients, research has shown that it is still possible to catch and spread COVID-19 even if you are fully vaccinated.

Order your (COVID-19) Omicron PCR test kit below.

Information:

PCR tests are mandatory and failure to register could lead to movement restrictions and compulsory isolation.

Note: PCR test kits are free, you will only have to pay £0.99 for postage of the kit.

That’s a very long way of saying “please give us £0.99”. However, there’s a lot of clues in that block of text to suggest you shouldn’t give them a thing.

Of movement restrictions and compulsory isolation

“PCR tests are mandatory and failure to register could lead to movement restrictions and compulsory isolation” is quite the statement, designed to encourage people to throw money their way as fast as they can.

Confirmatory PCR tests are no longer required. You’re also no longer required by law in the UK to stay at home and isolate if infected. The Test and Trace contact service is now closed. I couldn’t even begin to tell you what the supposed movement restrictions are all about.

Clearly, we’re dealing with something here which isn’t exactly reflecting reality as it currently stands. If we proceed to the next page anyway, the site asks for a range of personal information.

Personal details, and payment for postage

The site asks for name, DOB, email, phone, and address.

[Image: A wealth of personal information]

The follow-up page asks for payment details.

[Image: Payment for postage]

Avoiding the PCR payment rush

If you need to obtain test kits, your best option is likely to be local pharmacies and supermarkets. Random texts and emails which lead to sites other than nhs.uk should be treated with caution, especially when tied to requests for payment.

Even if they claim the kits are free, they’ll likely ask for postage costs. All this, on top of how they magically know you’ve come into contact with somebody who has COVID-19 in the first place. While there may well be delays and low supplies in trusted stores, it’s still a much safer option than handing your payment details and personal information to random websites.

This is one text you can happily block and report. If you need a test at short notice, answering random SMS spam is definitely not the way to get one.

The post Steer clear of this “TestNTrace” SMS spam appeared first on Malwarebytes Labs.

NGINX zero-day vulnerability: Check if you’re affected

On April 9, hacking group BlueHornet tweeted about an experimental exploit for NGINX 1.18 and promised to warn companies affected by it. On April 10, BlueHornet claimed to have breached the China branch of UBS Securities using the NGINX vulnerability.


All we learned on Twitter was that a new zero-day vulnerability in the NGINX web server existed and had been publicly revealed. The vulnerability could allow remote code execution (RCE) on a vulnerable system.

But on April 11, NGINX responded with an article saying that after investigating the issue, it had found it only affects reference implementations, specifically the NGINX LDAP reference implementation, which uses LDAP to authenticate users of applications being proxied by NGINX.

NGINX

NGINX is an open-source HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server. When it was first released, NGINX was used mostly for serving static files, but since then, it has grown into a complete web server that deals with the entire spectrum of server tasks. NGINX has surpassed Apache in popularity due to its lightweight footprint and its ability to scale easily on minimal hardware. According to specialists, NGINX can run thousands of connections of static content simultaneously and is 2.5 times faster than Apache.

LDAP

Lightweight directory access protocol (LDAP) is a protocol that makes it possible for applications to query user information rapidly. Companies store usernames, passwords, email addresses, printer connections, and other static data within directories. LDAP is an open, vendor-neutral application protocol for accessing and maintaining that data. LDAP can also tackle authentication, so users can sign on just once and access many different files on the server.

The NGINX LDAP reference implementation uses LDAP to authenticate users of applications proxied by NGINX. The reference implementation was announced in June 2015. The solution leverages the ngx_http_auth_request_module (Auth Request) module in NGINX and NGINX Plus, which forwards authentication requests to an external service. In the reference implementation, that service is a daemon called ldap‑auth. It’s written in Python and communicates with an LDAP authentication server.

[Image: NGINX and LDAP, courtesy of NGINX]

The vulnerabilities

The primary way to configure the LDAP reference implementation is with a number of proxy_set_header directives. However, the configuration parameters can also be set on the command line that initializes the Python daemon. The vulnerabilities exist in the way unsanitized input can be used to change or set LDAP configuration parameters.

The NGINX blog specifies the circumstances that need to be fulfilled for the vulnerabilities to be exploited:

  • Command-line parameters are used to configure the Python daemon
  • There are unused, optional configuration parameters
  • LDAP authentication depends on specific group membership

Mitigation

NGINX provides mitigation recommendations for each of these conditions.

When configuration parameters are specified on the command line, an attacker can override some or all of them by passing specially crafted HTTP request headers. To protect against this, ensure that the corresponding configuration parameters have an empty value in the location = /auth-proxy block in the NGINX configuration.

Also ensure that any unused, optional parameters have an empty value in the location = /auth-proxy block in the NGINX configuration.

The Python daemon does not sanitize its inputs. Consequently, an attacker can use a specially crafted request header to bypass the group membership (memberOf) check and so force LDAP authentication to succeed even if the user being authenticated does not belong to the required groups. To mitigate against this, ensure that the backend daemon that presents the login form strips any special characters from the username field. In particular, it must remove the opening and closing parenthesis characters ( ) and the equal sign =, which all have special meaning for LDAP servers.

NGINX states that the backend daemon in the LDAP reference implementation will be updated to sanitize this type of input in due course.

And we have rounded up some additional advice.

Because LDAP extends to IoT devices, of which there are many more than IT devices, organizations running LDAP need to encrypt traffic using TLS certificates on IoT devices, keep the firmware up to date, and apply proper password management.

Make sure that you sanitize any input before it gets passed to the daemon.
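The two sanitization points above (strip the LDAP special characters from the username, and never let request input reach the daemon unchecked) as an added Python example. This is not NGINX’s code or the reference daemon’s: `strip_ldap_specials` applies the mitigation exactly as described, removing ( ) and =; `escape_ldap_filter_value` shows the more general RFC 4515 approach of escaping those characters instead of dropping them; and `build_filter` renders the search filter from a %-style template of the form `(cn=%(username)s)`, which is my understanding of how the reference daemon’s X-Ldap-Template works (an assumption; neither the header name nor the default template appears on this page). The last function is a structural check a reviewer can run over any rendered filter: a single-attribute filter must contain exactly one unescaped (, ) and =.

```python
import re

# Characters NGINX names as having special meaning to LDAP servers inside a
# search filter: parentheses and the equals sign.  Asterisk, backslash and NUL
# are filter metacharacters as well (RFC 4515), so they are treated the same.
LDAP_FILTER_SPECIALS = "()=*\\\x00"

def strip_ldap_specials(username: str) -> str:
    """Mitigation as NGINX describes it: remove every character that could
    change the structure of the filter the daemon builds from the username."""
    return "".join(ch for ch in username if ch not in LDAP_FILTER_SPECIALS)

def escape_ldap_filter_value(value: str) -> str:
    """General fix (RFC 4515): keep the characters but encode them as \\XX so
    the LDAP server reads them as literal bytes, never as filter syntax."""
    return "".join(
        "\\%02x" % ord(ch) if ch in LDAP_FILTER_SPECIALS else ch
        for ch in value
    )

def build_filter(template: str, username: str) -> str:
    """Render the search filter from a %-template with a 'username' key
    (assumed to mirror the reference daemon's template; e.g. "(cn=%(username)s)").
    The value is escaped first, so user input can only ever be a literal."""
    return template % {"username": escape_ldap_filter_value(username)}

def filter_is_single_assertion(ldap_filter: str) -> bool:
    """Structural check for a rendered filter: once \\XX escapes are discounted,
    a single attribute=value assertion has exactly one '(', ')' and '='."""
    unescaped = re.sub(r"\\[0-9a-fA-F]{2}", "", ldap_filter)
    return (unescaped.count("(") == 1
            and unescaped.count(")") == 1
            and unescaped.count("=") == 1)

if __name__ == "__main__":
    template = "(cn=%(username)s)"
    for name in ["alice", "ali(ce)=x"]:          # constructed sample usernames
        rendered = build_filter(template, name)
        print(repr(name), "->", rendered,
              "ok" if filter_is_single_assertion(rendered) else "REJECT")
```

Stripping is what NGINX recommends for the backend login form; escaping is what an LDAP client library normally does for you, and the structural check is cheap enough to run on every request as a last line of defence.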

Stay safe, everyone!

The post NGINX zero-day vulnerability: Check if you’re affected appeared first on Malwarebytes Labs.

April’s Patch Tuesday update includes fixes for two zero-day vulnerabilities

It’s that time of the month again. Time to check what needs to be updated and prioritize where necessary. The Microsoft updates include at least two zero-day vulnerabilities that deserve your attention.

Microsoft

Microsoft has released security updates and non-security updates for client and server versions of its Windows operating system and other company products, including Microsoft Office and Edge.

For those that have extended support for Windows 7, there are four critical remote code execution (RCE) vulnerabilities to worry about:

  • CVE-2022-24500 CVSS 8.8 out of 10, a Windows SMB Remote Code Execution vulnerability
  • CVE-2022-24541 CVSS 8.8, a Windows Server Service Remote Code Execution vulnerability
  • CVE-2022-26809 CVSS 9.8, a Remote Procedure Call Runtime Remote Code Execution vulnerability
  • CVE-2022-26919 CVSS 8.1, a Windows LDAP Remote Code Execution vulnerability

CVE-2022-26809 does have a CVSS of 9.8 for good reason. It affects almost every Windows OS and Microsoft has it listed as more likely to be exploited. To exploit this vulnerability, an attacker would need to send a specially crafted RPC call to an RPC host. This could result in remote code execution on the server side with the same permissions as the RPC service. TCP port 445 is used to initiate a connection with the affected component. And some quick Shodan scans showed that millions of systems have that port open.

Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available. The zero-day vulnerabilities fixed in this update cycle are:

  • CVE-2022-26904 CVSS 7.0, a Windows User Profile Service Elevation of Privilege (EoP) vulnerability. This one is marked with a high attack complexity, because successful exploitation of this vulnerability requires an attacker to win a race condition. But the vulnerability is public knowledge and there is an existing Metasploit module for it. Metasploit is an open-source penetration testing framework used by security engineers as a penetration testing system and as a development platform for creating security tools and exploits.
  • CVE-2022-24521 CVSS 7.8, a Windows Common Log File System Driver Elevation of Privilege vulnerability. This vulnerability has been used in the wild. Microsoft says that attack complexity is low. The vulnerability was reported to Microsoft by the National Security Agency (NSA) and Crowdstrike.

Other notable CVEs:

  • CVE-2022-24491 CVSS 9.8, a Windows Network File System Remote Code Execution vulnerability. This vulnerability is only exploitable for systems that have the NFS role enabled. An attacker could send a specially crafted NFS protocol network message to a vulnerable Windows machine, which could enable remote code execution.
  • CVE-2022-24997 CVSS 9.8, another Windows Network File System Remote Code Execution vulnerability. This vulnerability is only exploitable for systems that have the NFS role enabled. An attacker could send a specially crafted NFS protocol network message to a vulnerable Windows machine, which could enable remote code execution.

On these systems with the NFS role enabled, a remote attacker could execute their code with high privileges and without user interaction. This worries experts as these may turn out to be wormable bugs between NFS servers. For a temporary solution, more information on installing or uninstalling Roles or Role Services is available here.

A vulnerability is considered to be wormable if an attack can be launched that requires no human interaction to spread. The impact can be considerable if the number of vulnerable machines is high enough. In these cases web application firewalls (WAFs) would help to mitigate the risk.

In related news, Microsoft announced the release of Windows Autopatch, which is set for July 2022. This will hopefully lessen some of the burdens that come with patch management.

Edge and Chrome

The Microsoft updates included 26 Microsoft Edge vulnerabilities and Google released a stable channel update for Windows, Mac, and Linux that includes 11 security fixes. Eight out of those 11 were rated with a High severity, none were marked as Critical.

Other updates

While you’re at it, we also saw updates from vendors like:

Stay safe, everyone!

The post April’s Patch Tuesday update includes fixes for two zero-day vulnerabilities appeared first on Malwarebytes Labs.

SMS group spam promises free gifts in return for bill payment

We’re seeing lots of examples of peculiar SMS messages sent to random groups of people. Most of these messages promise free gifts and/or offers after having paid bills. Nobody has asked for these texts, and they’re not being sent by providers of any services. What’s going on?

The set up

Most of the messages we’ve seen, and indeed received ourselves, are identical to the below example:

Free Msg: your bill is paid for March. Thanks, here’s a little gift for you [URL removed]

[Image: Spam messaging]

Where do the links go?

A very good question. Clicking any of the links while on desktop typically results in a “site failed to load” error. Most likely, they’re checking the user agent of your browser to ensure you’re on mobile when hitting the link.

On mobile, you’re bounced through a secondary URL before landing on a 404 error on Facebook or Twitter. Despite a piece of this website daisy-chain being lost to the void, the texts are still coming and it’s probably child’s play to correct the broken landing pages to something functional. As a result, we can’t say for sure what the final destination is. 

A friend of mine mentioned they ended up on some sort of airpod/free mobile accessories offer site from a similar group message not so long ago, so that’s one possibility. What we can say is that you should definitely avoid clicking these links should you receive one. We simply don’t know where you’ll end up, and you can very easily end up out of pocket with one mis-click.

Tips to avoid this SMS group spam

  • A lot of people are sending “STOP” messages in response to these messages. Unfortunately this won’t work, and you’re not going to opt-out of anything in this scenario.
  • Blocking the sender number helps, but they’re coming from several numbers one after the other. If you’ve received one, sadly you should probably expect more. Remember to report every single one which comes your way.
  • It can be tricky generally to block messages when dropped into a random group. Depending on phone/app, you should be able to tap three dots (or similar) and report the spamming number from there. This may also result in blocking all numbers in the group by default, which means you won’t receive dozens of unsubscribe style messages all day long from 19 other people.

Remember: If in doubt, visit your provider’s website and see first-hand if they’re offering up freebies for payment. The likelihood is they’re not, but it’s still better than clicking any of the above to find out.

The post SMS group spam promises free gifts in return for bill payment appeared first on Malwarebytes Labs.

USPS “Your package could not be delivered” text is a smishing scam

A scam is doing the rounds which begins with a text from what claims to be the US Postal Service. The SMS reads as follows:

[U.S. Postal Service] We’re sorry to let you know that your package could not be delivered. To reschedule a delivery please visit [bit(dot)ly]

I’ve never received an SMS from the US Postal Service, but I have to imagine they don’t use bit.ly redirect links in text messages. The bit.ly link hides the actual URL being sent to people’s phones. You can view stats for a bit.ly link by placing “+” at the end of the URL. Detailed stats about the shortener’s creation date, number of clicks, and more are available through this method. On this occasion, data is hidden with the message “This link has been flagged as redirecting to malicious or spam content”.

Clicking through reveals the following warning:

  • The link may be listed on a website blocklisting service.
  • The link may have been reported to Bitly by a member of the public.
  • The link may contain malware (software designed to harm your computer), attempt to collect your personal information for nefarious purposes, or otherwise contain harmful and/or illegal content.
  • The link may be attempting to hide the final destination.
  • The link may lead to a forgery of another website or may infringe the rights of others.

Not a promising start for our missing package. Shall we take a look at the final destination?

Phishing for info

The actual landing page, located at us(dot)awaiting(dot)host, claims to be a USPS parcel tracking page. It says:

USPS Currently Awaiting Package
Undeliverable as Addressed (UAA) Problem with Address
USPS Allows you to Redeliver your package to your address in case of delivery failure or any other case.
You can also track the package at any time, from shipment to delivery.

It asks visitors to “verify address”, by filling in their name, address, city, state, ZIP code, phone number and email.

[Image: Fake data entry form]

Clicking Continue at this point would normally display a second page asking for payment information. At the time of writing, clicking continue triggers a .php URL and then redirects to the 3M science website. It’s likely the data entered has been submitted to the phisher, but why didn’t they ask for payment details too?

Forgetful phishers or long-haul social engineering?

Sometimes scammers simply forget to make sure their ruse sails smoothly from A to B. It may be that they’re only actually interested in grabbing name and address information for now via the website. The logical progression would be to follow up by phone, mail, or post.

It’s also possible they realise they’ve attracted some heat and are trying desperately to put the flames out. The site is flagged via the bit.ly link and produces warning pages in browsers such as Tor. The creators may figure it’s not worth the potential risk of keeping payment detail requests online anymore – if they were there in the first place, that is.

The right way to arrange a redelivery

This is “basic parcel delivery information” as opposed to security advice, but if you do use USPS, you’ll want to head over to its dedicated redelivery page. It explains in detail what USPS customers should expect when waiting on a parcel, and what to do next.

As for the security angle: Fake USPS delivery notification spam is a popular tactic for scammers, and USPS’s recent advisory on the topic includes instructions on how to report bogus SMS messages.

No matter the delivery service, always pay attention to the URL on the landing page and ensure it matches up with the official site you’re familiar with. It’s no fun having your data harvested, even if they miss out on your payment details. There’s no guarantee they won’t follow up on such a thing at a later date, so it’s well worth taking the time to get it right the first time around.

Just over half of all smishing attacks in the last few months of 2021 in the UK alone claimed to be from delivery firms. Even as the pandemic (sort of) recedes a little, this scam refuses to go away. Next time you receive a text about a package you have no memory of, it might be worth checking your most recent purchases before responding. If the parcel is real, it’ll still be there – unlike the fly-by-night scammers.

The post USPS “Your package could not be delivered” text is a smishing scam appeared first on Malwarebytes Labs.

Apps removed from Google Play for harvesting user data

Dozens of apps were removed from the Google Play Store after they were found to be harvesting the data of device owners. The code in question—a software development kit (SDK)—was used inside apps which were downloaded over 10 million times.

What happened?

A wide range of Android apps were found to have this particular SDK lurking. There’s no obvious connection between the apps besides the SDK, as they’re all from different sources and developers. A mobile powered speed camera radar. QR barcode scanners. Weather/clock widgets. Even a remote control PC mouse app. They all had this SDK running under the hood, doing things it shouldn’t have been. The only key point among them all is that they made use of something designed to help monetise their app.

It’s possible the app developers believed there was no issue with including the SDK in their apps. Indeed, there seems to be some confusion as to what, specifically, some developers thought the SDK was doing.

According to WSJ, one dev claimed they were told it was “collecting data on behalf of internet service providers”. These supposed ISPs were complemented by financial service/energy companies. Others claim to have signed non-disclosure agreements.

Google did not find these antics impressive, and swiftly removed many of the apps. The SDK is able to collect clipboard data, exact location, phone numbers, emails, and nearby devices. It can also scan other locations such as WhatsApp downloads.

Mapping out a person

You have to be very careful not only with visual clues to a person’s physical location, but with digital ones too: stripping GPS data from a photograph, or disabling geolocation on a social media portal, for example. This also extends to other areas, such as Bluetooth beacons in towns and department stores. Even Apple AirTags are now generating significant issues for people.
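Stripping GPS data from a photograph, mentioned above, in practice means removing the Exif block from the JPEG. The following is an added example and not code from the article or from any of the apps it discusses: a dependency-free JPEG segment walker that reports whether IFD0 of the Exif block carries a GPSInfo pointer, and a stripper that drops every APP1 Exif segment while copying the compressed image data through untouched. The sample input is a constructed minimal JPEG built in the block, not a real photo.

```python
import struct

# JPEG markers (big-endian 16-bit values)
SOI, EOI, SOS, APP1 = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFE1
EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_INFO = 0x8825  # IFD0 entry pointing at the GPS sub-IFD (Exif 2.x)

def iter_segments(jpeg: bytes):
    """Yield (marker, raw_bytes) for each metadata segment after SOI.
    The first SOS (or EOI) ends the walk: everything from there on is
    entropy-coded image data and is yielded as one final chunk."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = (jpeg[pos] << 8) | jpeg[pos + 1]
        if marker in (SOS, EOI):
            yield marker, jpeg[pos:]
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])  # counts its own 2 bytes
        yield marker, jpeg[pos:pos + 2 + length]
        pos += 2 + length
    raise ValueError("truncated JPEG: no scan data found")

def is_exif_segment(marker: int, segment: bytes) -> bool:
    return marker == APP1 and segment[4:10] == EXIF_HEADER

def exif_has_gps(jpeg: bytes) -> bool:
    """Walk IFD0 of the embedded TIFF structure and report whether a GPSInfo
    tag is present, i.e. whether the photo carries location data."""
    for marker, seg in iter_segments(jpeg):
        if not is_exif_segment(marker, seg):
            continue
        tiff = seg[10:]                                   # TIFF header follows "Exif\0\0"
        endian = ">" if tiff[:2] == b"MM" else "<"
        (ifd0,) = struct.unpack(endian + "I", tiff[4:8])  # offset of IFD0
        (count,) = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])
        for i in range(count):
            entry = ifd0 + 2 + 12 * i                     # 12-byte IFD entries
            (tag,) = struct.unpack(endian + "H", tiff[entry:entry + 2])
            if tag == TAG_GPS_INFO:
                return True
    return False

def strip_exif(jpeg: bytes) -> bytes:
    """Drop every APP1 Exif segment and copy everything else through unchanged.
    GPS coordinates live only inside Exif, so the location goes with it while
    the compressed image data stays byte-for-byte identical."""
    out = bytearray(jpeg[:2])
    for marker, seg in iter_segments(jpeg):
        if not is_exif_segment(marker, seg):
            out += seg
    return bytes(out)

def sample_jpeg_with_gps() -> bytes:
    """Constructed test input (not a real photo): SOI, an APP1 Exif segment
    whose IFD0 holds a single GPSInfo pointer to an empty GPS IFD, then a
    minimal SOS segment with three dummy scan bytes and EOI."""
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8)           # big-endian TIFF, IFD0 at offset 8
    tiff += struct.pack(">H", 1)                           # IFD0: one entry
    tiff += struct.pack(">HHII", TAG_GPS_INFO, 4, 1, 26)   # type LONG, count 1, GPS IFD at 26
    tiff += struct.pack(">I", 0)                           # no further IFD
    tiff += struct.pack(">HI", 0, 0)                       # GPS IFD at 26: zero entries, no next
    payload = EXIF_HEADER + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    scan = b"\xff\xda" + struct.pack(">H", 2) + b"\x12\x34\x56" + b"\xff\xd9"
    return b"\xff\xd8" + app1 + scan

if __name__ == "__main__":
    photo = sample_jpeg_with_gps()
    print("GPS before:", exif_has_gps(photo))
    print("GPS after: ", exif_has_gps(strip_exif(photo)))
```

Removing the whole Exif segment is deliberate: surgically deleting only the GPS IFD would leave camera serial numbers, timestamps and thumbnail data behind, and the thumbnail can itself carry a copy of the original metadata.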

Even without physical stalker threats, you still need to know what’s going on inside the phone in your pocket. As the researchers note, whoever is collecting this information could link an email and mobile to GPS location data. This is very bad news for journalists working on sensitive stories. It’s also very bad in places where forms of political activism are not appreciated. In fact, it’s bad for everybody. Consider that your “not a big deal” is someone else’s “well that’s a disaster” on their personal threat model scale.

Back into the fold

Google is allowing removed apps back on the store for a second chance, assuming the SDK element has been removed. The BBC reports that the majority of apps have already returned. There is the question of whether or not some developers were up to no good. Perhaps some were totally unaware, maybe some saw harmless looking promotions for more accurate data collection and a bump in cash. Sadly, they may not have considered what, exactly, the SDK would be doing in return.

Is my device safe from this SDK?

Google hasn’t revealed how many more apps on the Play Store included the SDK. It’s very likely that all traces are now gone.

The age old advice of “the best way to keep your Android safe is to only download apps on the Play Store” may sound contradictory. However, it’s still the case that this is entirely accurate.

You’re much better off using the store than a third party download location. Simply hoping that it isn’t a scam from top to bottom won’t save you from a rogue install. Depending on device model, you may even have to tick the “allow installs from unknown sources” option to even use third party stores in the first place.

This could very well make things even more insecure in terms of your mobile device.

Keep applying those OS updates as they come along. Pay attention to reviews of apps before you download them. Take a look at some of the requested permissions at install time. If your device is capable of installing a trusted security tool, consider installing one of those too. All of this will help keep your device safe. While there are never any guarantees, we’d be surprised if the Play Store gives the wheel back to this problematic and unwanted Android app addition. Looks like it’s back to business as usual for the Play Store – for now, at least.

The post Apps removed from Google Play for harvesting user data appeared first on Malwarebytes Labs.

How to password protect a folder

There are times when you would like a folder to be accessible by you alone. Financial information, personal documents, or work related files on your personal system sometimes need to be hidden from prying eyes. One of the ways to do this is to password protect the folder.

Windows

For the Windows section of this article we will answer a few frequently asked questions.

Can you put a password on a folder?

Well, Windows does not provide you with an option to simply password protect a folder, but it does provide you with some options that you can utilize to put a password on a folder.

In Windows you can encrypt a folder by following these instructions:

  • Right-click it.
  • Select Properties from the menu.
  • On the form that appears, click the General tab.
  • On that tab, click the Advanced button.
  • Select Encrypt content to secure data.
  • Click OK.

An important downside to this method is that your Windows username and password will be used to encrypt and password protect the folder, so people logging in on the same account as you can still see the content.

It is also important to note that when the process completes, you’ll be prompted to back up your encryption key if you’ve never used the feature before. Click the recommended option on the notification and follow the prompts to make a note of your encryption key. You’ll need this information if you ever lose access to your encrypted files, so it’s important you take the time to back it up.

How do I password protect a folder in Windows 10?

For Windows versions later than Windows 7 there is also an option to send files to a compressed folder (a zip file) which you can password protect. This Send to option is usually faster than encrypting the content. But you will have to keep in mind that the option creates a duplicate, so you will need to delete the original once you’re satisfied the compressed version is complete and accessible.

How do I hide a folder?

Hiding folders is not an ideal solution, but we want to point out that it is available in Windows. It works like this:

  • Right-click on the file or folder that you want to hide.
  • Select Properties.
  • Click the General tab.
  • Under the Attributes section, check Hidden.
  • Click Apply.

Why is it not ideal? Anyone that has access to the system can check the option to Show hidden files, folders, and drives in the folder options.

[Image: Folder options, showing the Show hidden files setting]

Many advanced Windows users already have this option enabled, and you may forget to change the setting after you have accessed your hidden folder.

MacOS

You can password protect folder contents using macOS and Disk Utility, a built-in utility on your Mac. This method will also encrypt the content.

  • Open Disk Utility on your Mac.
  • With Disk Utility open, select File from the menu bar.
  • Then choose New Image -> Image from Folder.
  • Select the folder you want to protect with a password.
  • Choose your encryption level: 128-bit or 256-bit AES encryption.
  • Enter and verify the password for your folder. (After you type the password into both the Password and Verify text boxes, make sure to uncheck Remember password in my keychain; otherwise anyone logged into your account will still be able to access the data.)
  • Give the folder a name if desired.
  • Under Image Format, select read/write from the menu.
  • Select Save.

This creates a disk image holding the contents of the folder in encrypted storage. So, you’ll need to delete the original folder after verifying the disk image is complete and accessible.

Another important thing to remember is that this method only creates a fairly small—and fixed—amount of free space on the disk image, so if you want to make changes you’ll be dealing with a limited capacity. If you want a disk image with unlimited capacity, you’d be better off creating a blank image, and choosing sparse bundle disk image as the image format. If you create a 200 MB sparse bundle disk image, you can copy a 1 GB file onto it and it’ll resize to fit. However, it will not decrease in size if you were to delete that 1 GB file.

Third party software

It is not our place to make recommendations about software you can use to achieve the goal of password protecting folders, but there are several third party software packages for both Windows and Macs that are very good at compressing files and folders and providing the resulting compressed files with a password. If they are any good you will not need to decompress the entire folder before you can look at an individual file.

Just be careful not to download any potentially unwanted programs (PUPs) or one that is bundled with PUPs or adware.

The post How to password protect a folder appeared first on Malwarebytes Labs.

Conti ransomware offshoot targets Russian organizations

Thanks to the Threat Intelligence team for their help with this article.

Conti, the infamous ransomware created by a group of Russian and Eastern European cybercriminals, has again made headlines after a hacking group used its leaked source code to create another variant of the ransomware and target Russian businesses.

The hacking group calls itself Network Battalion ’65 (@xxNB65), and it is highly motivated by Russia’s invasion of Ukraine.

NB65 has been breaching Russian entities and stealing and leaking their data online. Some of its targets include Continent Express (travel management company), Roscosmos (Russian space agency), Tensor (document management operator), Ufa Scientific Center of the Russian Academy of Science (part of a network of scientific research institutes), and VGTRK (state-owned TV and radio broadcaster). Expect the number of its victim organizations to increase, as the group says it won’t be stopping until the war stops.

NB65’s ransomware, composed of 66 percent of Conti’s code, behaves the same way as the original Conti variant but with slight yet noticeable changes. Last week, a sample was submitted to VirusTotal, allowing cybersecurity researchers to study it.

How it works

Once executed, this ransomware appends the .NB65 extension to encrypted files.

[Image: These are what files look like when encrypted with the NB65 ransomware, an offshoot of Conti ransomware.]

The ransomware creates the ransom note, R3ADM3.txt, a known IOC file of Conti. However, the note’s content has been changed to reflect NB65’s message to victim organizations: Blame Russian President Vladimir Putin for the cyberattack.

[Image: NB65 ransom note]
NB65 turned the tables on Russian organizations using the ransomware variant initially designed to avoid them.

By now it’s probably painfully apparent that your environment has been infected with ransomware. You can thank Conti for that.

We’ve modified the code in a way that will prevent you from decrypting it with their decryptors.

We’ve exfiltrated a significant amount of data including private emails, financial information, contacts, etc.

Now, if you wish to contact us in order to save your files from permanent encryption you can do so by emailing network_battalion_0065@{redacted}.

You have 3 days to establish contact. Failing to do so will result in that data remaining permanently encrypted.

While we have very little sympathy for the situation you find yourselves in right now, we will honor our agreement to restore your files across the affected environment once contact is established and payment is made. Until that time we will take no action. Be aware that we have compromised your entire network.

We’re watching you closely. Your President should not have committed war crimes. If you’re searching for someone to blame for your current situation look no further than Vladimir Putin.

NB65’s ransom note explains what the group did to prevent victims from decrypting their files using Conti decryptors. There is also a contact email for victims who want their files decrypted by the group. However, speaking to BleepingComputer, an NB65 representative said they don’t expect victims to reach out.

When BleepingComputer pressed for reasons for attacking Russian organizations, NB65 had this to say:

After Bucha we elected to target certain companies, that may be civilian owned, but still would have an impact on Russias[sic] ability to operate normally. The Russian popular support for Putin’s war crimes is overwhelming. From the very beginning we made it clear. We’re supporting Ukraine. We will honor our word. When Russia ceases all hostilities in Ukraine and ends this ridiculous war NB65 will stop attacking Russian internet facing assets and companies.

Until then, **** em.

We will not be hitting any targets outside of Russia. Groups like Conti and Sandworm, along with other Russian APTs have been hitting the west for years with ransomware, supply chain hits (Solarwinds or defense contractors)… We figured it was time for them to deal with that themselves.

Malwarebytes users are protected from this ransomware, and we detect NB65’s variant as Ransom.Conti.

The post Conti ransomware offshoot targets Russian organizations appeared first on Malwarebytes Labs.

Malwarebytes Evaluation of the MITRE ENGENUITY ATT&CK Round 4 Emulations 

The results of the MITRE Engenuity ATT&CK Evaluation of the Wizard Spider and Sandworm adversaries were officially released[1] last week. We are very proud of the Malwarebytes EDR results in the MITRE Engenuity test, which are the direct reflection of a relentless core EDR team and the learnings from participation in prior MITRE Engenuity testing rounds.

MITRE Engenuity provides the results in a structured format which allows for deeper understanding of the products being tested. Thanks to this level of reporting, we can see how well each product is prepared to detect, and ideally prevent, attacks by advanced adversaries.

The MITRE Engenuity data also allows anybody to determine the level of visibility and the level of analytics coverage of each EDR product tested. But it allows much more than that. Based on the data, anybody can also derive the level of configuration required for best detection, the signal-to-noise ratio, the level of investigation needed to understand and act on alerts, and many more things.

As a summary of our analysis of the data so far, we believe that the MITRE Engenuity results back up our claims that Malwarebytes EDR:

  1. Needs little or no configuration customization
  2. Provides best analytics coverage, useful alerts, and high signal-to-noise ratio
  3. Is effective at preventing advanced attacks

MITRE Engenuity ATT&CK Emulations 101

MITRE Engenuity replicates well-known attacks by reconstructing the various steps of an intrusion into an enterprise network, from the initial compromise to persistence and the exfiltration of sensitive data. In the MITRE Engenuity Round 4 evaluation, the attacks replicated were those of the cybercrime groups Wizard Spider and Sandworm. Each attack step includes several sub-steps that go in depth into how the attack is carried out. The higher the number of sub-steps identified by the security software, the greater the visibility of that attack step and thus the possibility for the product and a customer to identify and react to the attack.

Prior to the 4 days of intense testing, vendors are allowed to configure and deploy their products to their optimum settings. After the emulation is carried out by MITRE Engenuity on the victim machines, vendors need to show MITRE Engenuity how their product has performed against each sub-step of the attack. For each sub-step, vendors can showcase “No detection,” “Telemetry detection,” “General detection,” or higher quality detections such as MITRE Engenuity-mapped Tactic and Technique detections. MITRE Engenuity gathers details of every little step of the way during investigation and reporting of findings.

Overall raw visibility results

The MITRE Engenuity ATT&CK Evaluation of Wizard Spider and Sandworm involved 109 sub-steps altogether. The emulations which focus on the Windows platform account for most of the steps, i.e. 90 out of the 109 sub-steps are exclusive to Windows OS. The remaining 19 steps are carried out on the Linux platform. Vendors are evaluated based on the number of detections over the corresponding number of sub-steps for the platforms they participated in. For vendors who did not participate in the Linux emulation, the total number of sub-steps is 90. For vendors who participated in the Linux emulation, the total number of sub-steps is 109.

Malwarebytes did not participate in the Linux test because our EDR product for Linux was not yet available during the MITRE Engenuity evaluation in October 2021. However, Malwarebytes EDR for Linux is available in beta today with similar detection capabilities as the Malwarebytes EDR for Windows agent.

The following “overall raw visibility” ratios are based on the corresponding number of sub-steps for each vendor. When reviewing the results or calculating scores, pay attention to the total number of sub-steps (90 or 109) to ensure accurate scores.

[Figure 1: MITRE overall raw visibility, including config changes]

A very important note about Modifiers and “Configuration Changes”

During the evaluation vendors cannot change the configuration of the tested product, as this would affect the accuracy of the results. However, MITRE Engenuity does allow configuration changes to be made to the EDR product if the vendor can provide better, higher quality details for a specific sub-step, or after a miss of a specific sub-step. Sub-steps which are detected by the product after a configuration change are marked with a “Config Change” modifier. These change modifiers allow us to better understand the limitations of each product in dealing with attacks from advanced adversaries. These modifiers indicate which changes, tweaks, or manual detections the vendor added during the test in order to be able to detect a specific sub-step which was not detected to the vendor’s liking by the product the first time it was tested. Based on the MITRE Engenuity methodology[2]:

  • The vendor is allowed to perform changes to the product such as obtaining telemetry from alternative data sources, which may not yet be readily available to the typical enterprise customer. These modifiers are labeled as “Config Change (Data Source)”.
  • The vendor is allowed to create or provide a higher quality detection by modifying the detection logic and triggering new alerts. These modifiers are labeled as “Config Change (Detection Logic)”.
  • The vendor is allowed to change the UI of the product to provide better mapping to MITRE Engenuity Tactics and Techniques. These modifiers are labeled as “Config Change (UX)”.
  • The vendor and product may trigger an alert after a delayed period of time, typically because of a manual submission to a sandbox by the EDR operator, or from a Managed Detection and Response (MDR) team. These modifiers are labeled as “Delayed Detection”.

Vendors are allowed to make use of Configuration Changes and Delayed Detections after the first pass of testing with the original config.

At Malwarebytes we believe any EDR product should strive to be easy to use out-of-the-box and without requiring advanced configuration, especially given the high demand and low supply of specialized IR personnel.

[Figure 2: MITRE number of config changes and delayed detections per vendor]

Overall raw visibility results without configuration changes

We wanted to get an interpretation of the data which would represent what an out-of-box experience would be for a typical customer. Therefore, in the following data analysis we discard all detections from any vendor which are the result of a Configuration Change. Config Change detections are not representative of the typical experience that a customer would have with the EDR product. These detections derive from the vendor itself re-configuring the product to detect something that wasn’t detected during initial MITRE Engenuity testing.

For the following graph, higher quality detections such as Technique are downgraded to Telemetry detections if they are the result of a “Config Change (UX)” or “(Detection Logic)”. Telemetry-only detections are discarded if there is an associated “Config Change (Data Source)” modifier.

Our parser[3] is available to replicate this analysis of discarding Configuration Changes and Delayed Detections. If we discard Configuration Changes and Delayed Detections during the test, then the “overall raw visibility” results change more than slightly:

[Figure 3: MITRE overall raw visibility without config changes]

The MITRE Engenuity Analytics Coverage—a focus on detection quality

The above approach, which looks only at “overall raw visibility”, is the quickest, but probably also the least accurate, way to interpret the data. Looking only at “overall raw visibility” does not take into account aspects which are critical to understanding the quality of the EDR product being evaluated.

MITRE Engenuity provides a much more interesting and useful datapoint to determine EDR detection quality, which is “Analytics Coverage”. As defined by MITRE Engenuity, Analytics Coverage is “the ratio of sub-steps with detections enriched with analytics knowledge (e.g. at least one General, Tactic, or Technique detection category)”.

An Analytics Coverage index highlights which detections are higher quality detections that make it easier for the user or practitioner to act upon and to initiate response and remediation actions. By contrast, too many detections deriving from “Telemetry” events or delayed detections which were manually added later by the vendor are indicative of EDR solutions which require large, specialized teams to operate. We believe a quality EDR product should be quick to identify and highlight the root problem of each incident in an easy-to-understand manner which facilitates response and remediation. If we focus on the Analytics Coverage indicator of quality alerts for each vendor, the results vary considerably:
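As an added illustration (this is not the Malwarebytes parser referenced above, nor MITRE Engenuity code), the following Python recomputes both metrics used in this and the preceding section from constructed sub-step records: detections carrying a Delayed Detection or Config Change (Data Source) modifier are discarded, Config Change (UX) and (Detection Logic) hits are downgraded to Telemetry, raw visibility counts sub-steps with anything left, and Analytics Coverage counts sub-steps with at least one General, Tactic or Technique detection. The step ids, the Detection/effective_categories/score names and the choice to apply the Data Source discard to every category (the post states it for Telemetry-only detections) are assumptions.

```python
from dataclasses import dataclass

# Categories that count toward MITRE Engenuity's "Analytics Coverage".
ANALYTICS = {"General", "Tactic", "Technique"}
# Modifiers after which the post downgrades a higher-quality hit to Telemetry.
DOWNGRADE = {"Config Change (UX)", "Config Change (Detection Logic)"}

@dataclass(frozen=True)
class Detection:
    category: str                        # "None", "Telemetry", "General", "Tactic", "Technique"
    modifiers: frozenset = frozenset()   # e.g. {"Config Change (UX)", "Delayed Detection"}

def effective_categories(detections, out_of_box=True):
    """Categories left for one sub-step after the post's adjustments; out_of_box=False
    keeps the vendor-reported view including Config Change and Delayed results."""
    kept = []
    for d in detections:
        if d.category == "None":
            continue
        if not out_of_box:
            kept.append(d.category)
        elif "Delayed Detection" in d.modifiers:
            continue                          # treated as a miss
        elif "Config Change (Data Source)" in d.modifiers:
            continue                          # assumption: data source not available out of the box
        elif d.modifiers & DOWNGRADE:
            kept.append("Telemetry")          # logic/UX was added only after the miss
        else:
            kept.append(d.category)
    return kept

def score(substeps, total_substeps, out_of_box=True):
    """Raw visibility and Analytics Coverage as ratios over total_substeps
    (90 for Windows-only participants, 109 for those who also ran Linux)."""
    visible = analytics = 0
    for detections in substeps.values():
        cats = effective_categories(detections, out_of_box)
        visible += bool(cats)
        analytics += any(c in ANALYTICS for c in cats)
    return {"visibility": visible / total_substeps,
            "analytics_coverage": analytics / total_substeps}

# Constructed 8-sub-step slice (not real evaluation data); step ids are made up.
def CC(name): return frozenset({name})
SAMPLE = {
    "1.A.1": [Detection("Technique")],
    "1.A.2": [Detection("Telemetry")],
    "2.B.1": [Detection("Technique", CC("Config Change (UX)"))],
    "2.B.2": [Detection("Telemetry", CC("Config Change (Data Source)"))],
    "3.C.1": [Detection("General", CC("Delayed Detection"))],
    "3.C.2": [Detection("None")],
    "4.D.1": [Detection("Tactic"), Detection("Telemetry")],
    "4.D.2": [Detection("Technique", CC("Config Change (Detection Logic)")), Detection("Telemetry")],
}
```

On the constructed slice the out-of-box view gives 5/8 visibility and 2/8 Analytics Coverage, while the vendor-reported view gives 7/8 and 5/8, which is the kind of gap the figures in this post are showing.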

[Figure 4: MITRE analytics coverage, Windows]

MITRE Engenuity results for Windows

The MITRE Engenuity test involved 109 steps altogether, of which 90 were executed in the Windows OS platform. In this section we will analyze the results of each vendor against the Windows attacks only.

We plot both the “Overall Raw Visibility” and “Analytics Coverage” datapoints from the above paragraphs into a quadrant to see where each EDR product’s capabilities fall within these two dimensions.

Just like before, we discard detections which come from a Configuration Change or Delayed Detection due to these being considered “misses” by us at the time of the test, and not representative of the customer experience without a specialized and dedicated SOC.

[Figure 5: MITRE visibility vs. analytics coverage quadrant graph]

Protection

While all EDR products should be able to DETECT, not every EDR product has the ability to PREVENT advanced attack tactics.

Prevention and real-time blocking of advanced attack tactics is a delicate matter which involves balancing effective real-time protection through advanced exploit mitigations, AI/ML, behavior monitoring, sandboxing, and heuristics on one side, and minimizing conflicts and the need for highly specialized configurations and tuning on the other side.

We are very glad and humbled to be amongst good company in this challenging test.

[Figure 6: MITRE protection efficacy]

Summary

Malwarebytes is one of the very few companies in the MITRE Engenuity Round 4 Evaluation that did not need to make any Config Changes to trigger quality detections, and at the same time achieved some of the top scores in visibility and analytics. This points to Malwarebytes as one of the top EDR leaders.

We believe that the MITRE Engenuity Round 4 results are a true representation of the Malwarebytes EDR strengths as a better out-of-the-box solution:

  1. Little or no need to customize highly specialized configurations
  2. High quality alerts and signal-to-noise ratio
  3. Effective not just at detecting, but also preventing advanced attacks

MITRE Engenuity does not offer its own interpretation or ranking of the test results. But if we were to apply our own interpretation of the results to a ranking methodology and framework similar to those used by testing organizations AV-Comparatives, MRG-Effitas, etc., it could look something like this:

Leaders:
  • Cybereason
  • SentinelOne
  • Palo Alto Networks
  • Malwarebytes

Contenders:
  • Microsoft
  • Trend Micro
  • CrowdStrike
  • Fortinet
  • Cynet
  • Cylance**
  • VMware Carbon Black**

Challengers:
  • Check Point Software
  • Symantec
  • FireEye
  • McAfee
  • ReaQta
  • Cisco
  • AhnLab
  • CyCraft
  • Sophos

Leaders ranking criteria*: 90%+ analytics coverage out-of-the-box (without config changes); 90%+ Protection scores
Contenders ranking criteria: 80%+ analytics coverage out-of-the-box (without config changes); 80%+ Protection scores
Challengers ranking criteria: 40%+ analytics coverage out-of-the-box (without config changes); 40%+ Protection scores

* The ranking criteria could be stricter if instead of looking at e.g. “90%+ analytics coverage” we set the criteria of “90%+ Technique coverage”, as suggested[4] by Josh Zelonis. We fully agree with Josh’s point of view that the market needs to evolve to using Technique detections as the most important metric.

** Vendors that achieve the CHALLENGERS criteria but who also achieve 80%+ protection rates get bumped to CONTENDERS since we believe that effective prevention is more cost-effective than detection.

*** Vendors shown are listed in descending order of Analytics Coverage. Not all vendors who participated in the MITRE Engenuity Round 4 evaluations are included in the ranking above. Those that didn’t participate in the Protection test and/or who achieved low analytics coverage or protection scores may not fit the ranking criteria and thresholds as defined above.

This post was authored by Bogdan Demidov, Marco Giuliani, and Pedro Bustamante.

The post Malwarebytes Evaluation of the MITRE ENGENUITY ATT&CK Round 4 Emulations appeared first on Malwarebytes Labs.

A week in security (April 4 – 10)

Last week on Malwarebytes Labs:

Stay safe!

The post A week in security (April 4 – 10) appeared first on Malwarebytes Labs.