IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

Threat profile: Ranzy Locker ransomware

Ranzy Locker ransomware emerged in late 2020, when the variant began to target victims in the United States. According to a flash alert issued by the FBI, unknown cyber criminals using Ranzy Locker ransomware had compromised more than 30 US businesses as of July 2021, including victims in the construction, academic, government, IT, and transportation sectors. Ranzy Locker is a successor of ThunderX and AKO ransomware.

Ransomware-as-a-Service 

The group behind Ranzy Locker is not very different in its business approach from other “big game” ransomware gangs. The ransomware is made available using the Ransomware-as-a-Service (RaaS) model, which allows the developers to profit from cybercriminal affiliates who deploy it against victims. It also runs a leak site where data stolen from victims who refuse to pay a ransom is published.

RDP again, and Exchange

The business model is no surprise, and neither are the attack methods Ranzy Locker affiliates use to gain initial access. According to the same FBI alert, a majority of victims reported that the threat actors conducted brute force attacks against Remote Desktop Protocol (RDP) credentials to gain access to the victims’ networks. More recent targets reported that the actors leveraged known Microsoft Exchange Server vulnerabilities and phishing to compromise their networks.

Older, and now less frequent, attack methods included malicious spam and use of the RIG exploit kit, which was previously used to spread Princess ransomware.

Recognizing Ranzy Locker 

So, how can you tell whether you have been hit by Ranzy Locker rather than one of the many other ransomware variants out there? For starters, you can tell from the header of the ransom note, which is named readme.txt:

---=== Ranzy Locker 1.1 ===---

Attention! Your network has been locked.
Your computers and server are locked now.
All encrypted files have extension: .ranzy

---- How to restore my files? ----

All files on each host in your network encrypted with strongest encryption algorithms
Backups are deleted or formatted, do not worry, we can help you restore your files

Files can be decrypted only with private key - this key stored on our servers
You have only one way for return your files back - contact us and receive universal decryption program

Do not worry about guarantees - you can decrypt any 3 files FOR FREE as guarantee

Some variants also use file extensions for the encrypted files that show Ranzy Locker was at work. Those extensions are .RNZ, .ranzy, and .RANZYLOCKED, but there are also some that are less helpful and add a random 6 character string. 
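The indicators above (the readme.txt header and the .RNZ, .ranzy and .RANZYLOCKED extensions) can be checked programmatically during triage. The following Python helper is an added example, not code from the post or from the FBI alert; the sample file names, the note text and the small allow-list of legitimate six-character extensions are constructed for illustration.

```python
"""Triage helper: recognise Ranzy Locker artefacts from file names and the ransom note.

Added example (not the post's or any vendor's code).  Paths are handled as
Windows paths because that is where the ransomware runs, but forward slashes
from a mounted share work too.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Extensions the post lists for encrypted files; compared case-insensitively
# because the variants differ in case (.RNZ, .ranzy, .RANZYLOCKED).
KNOWN_EXTENSIONS = {".rnz", ".ranzy", ".ranzylocked"}

# The ransom note is dropped as readme.txt; its first line names the family.
NOTE_NAME = "readme.txt"
NOTE_HEADER = re.compile(r"^---=== Ranzy Locker [0-9.]+ ===---\s*$", re.MULTILINE)

# Some variants append a random 6-character string instead of a fixed extension.
RANDOM_EXT = re.compile(r"^\.[A-Za-z0-9]{6}$")

# Constructed allow-list of ordinary 6-character extensions so they are not
# mistaken for a random one; extend it for the environment being examined.
BENIGN_SIX_CHAR = {".sqlite", ".config", ".backup", ".pickle", ".gradle"}


def classify_name(path: str) -> str:
    """'known' for a listed Ranzy extension, 'random6' for an unlisted 6-char one, else 'other'."""
    suffix = PureWindowsPath(path).suffix
    lowered = suffix.lower()
    if lowered in KNOWN_EXTENSIONS:
        return "known"
    if RANDOM_EXT.match(suffix) and lowered not in BENIGN_SIX_CHAR:
        return "random6"
    return "other"


def is_ranzy_note(text: str) -> bool:
    """True when the text carries the ransom-note header quoted in the post."""
    return NOTE_HEADER.search(text) is not None


def triage(paths, readme_contents) -> dict:
    """Summarise Ranzy Locker indicators for a host or share.

    paths: file paths observed.
    readme_contents: mapping path -> text for any file named readme.txt.
    """
    classes = Counter(classify_name(p) for p in paths)
    note_hits = sorted(
        p for p, text in readme_contents.items()
        if PureWindowsPath(p).name.lower() == NOTE_NAME and is_ranzy_note(text)
    )
    random_suffixes = Counter(
        PureWindowsPath(p).suffix for p in paths if classify_name(p) == "random6"
    )
    dominant, dominant_count = (random_suffixes.most_common(1) or [(None, 0)])[0]

    if note_hits or classes["known"]:
        verdict = "ranzy-locker"          # family-specific indicator present
    elif paths and dominant_count >= max(3, len(paths) // 2):
        verdict = "possible-ransomware"   # one unknown 6-char extension dominates, no note
    else:
        verdict = "no-indicators"
    return {
        "verdict": verdict,
        "counts": dict(classes),
        "notes": note_hits,
        "dominant_random_extension": dominant,
    }


# Constructed sample: a small share after an incident, plus the note's first lines.
SAMPLE_PATHS = [
    r"F:\Finance\Q3-report.xlsx.ranzy",
    r"F:\Finance\budget.docx.RNZ",
    r"F:\HR\contracts.pdf.RANZYLOCKED",
    r"F:\HR\readme.txt",
    r"F:\Tools\setup.exe",                # .exe is skipped by the encryptor
    r"C:\Windows\System32\kernel32.dll",  # Windows paths are excluded
]
SAMPLE_NOTES = {
    r"F:\HR\readme.txt": "---=== Ranzy Locker 1.1 ===---\n\nAttention! Your network has been locked.\n",
}

if __name__ == "__main__":
    print(triage(SAMPLE_PATHS, SAMPLE_NOTES))
```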

Behavior 

A typical series of actions performed by Ranzy Locker ransomware is: 

  • Find and delete shadow volume copies and other recent backups, and disable the Windows recovery environment. 
  • Run the encryption process, but skip files with the .exe, .dll, .sys, .ini, .lnk, .key and .rdp extensions, and exclude paths containing strings such as AppData, boot, PerfLogs, PerfBoot, Intel, Microsoft, Windows and Tor Browser.
  • Look for connected machines on the network.
  • Drop the ransom note on the desktop of the affected system. 

From what we have noticed, the double-extortion tactic—encrypting and exfiltrating data—is only used on some victims, probably depending on the size of the company and the type of data that was stolen. 

Mitigation 

Based on the behavior of Ranzy Locker, the FBI recommends the following mitigation strategies: 

  • Store regular backups of your data off-site and offline, where attackers can’t reach them.
  • Implement network segmentation, so that an attacker can’t reach all the machines on your network from one compromised foothold.
  • Install and regularly update anti-malware software on all hosts and enable real-time detection. 
  • Install security updates for software, operating systems, and firmware as soon as they are released.
  • Review domain controllers, servers, workstations, and Active Directory for new or unrecognized user accounts.  
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind. Do not give all users administrative privileges.
  • Disable unused remote access ports and monitor remote access logs for any unusual activity.  
  • Consider adding an email banner to emails received from outside your organization.  
  • Disable hyperlinks in received emails.
  • Use two-factor authentication when logging into accounts or services.

We would like to add Brute Force Protection to that list. 

IOCs 

Besides the characteristics mentioned in this post, the FBI points to a sample YARA rule for Ranzy Locker, which can be found here.

 Stay safe, everyone! 

The post Threat profile: Ranzy Locker ransomware appeared first on Malwarebytes Labs.

Update now! Apple patches bugs in iOS and iPadOS

On two consecutive days Apple has released a few important patches. iOS 14.8.1 comes just a month after releasing iOS 14.8 for those who didn’t want to update their iPhones to iOS 15. This update also came as a sort of surprise as it was not beta-tested beforehand.

Earlier this year Apple announced that users would have a choice between updating to iOS 15 as soon as it’s released, or staying on iOS 14 but still receiving important security updates.

Now the differences are starting to show. As you can see in the table below, some patches are specific to 14.8.1 and some are specific to 15.1, while many are shared between them. In total 24 CVEs were covered.

Version         15.1              14.8.1
Release date    25-Oct-21         26-Oct-21
CVEs            CVE-2021-30907    CVE-2021-30907
                CVE-2021-30917    CVE-2021-30917
                CVE-2021-30903    CVE-2021-30903
                CVE-2021-30905    ————
                CVE-2021-30919    CVE-2021-30919
                CVE-2021-30881    ————
                CVE-2021-30900    CVE-2021-30900
                CVE-2021-30914    ————
                CVE-2021-30906    ————
                CVE-2021-30894    ————
                CVE-2021-30886    ————
                CVE-2021-30909    CVE-2021-30909
                CVE-2021-30916    CVE-2021-30916
                CVE-2021-30910    ————
                CVE-2021-30911    ————
                CVE-2021-30875    ————
                CVE-2021-30915    ————
                CVE-2021-30902    CVE-2021-30902
                CVE-2021-30887    ————
                CVE-2021-30888    CVE-2021-30888
                CVE-2021-30889    ————
                CVE-2021-30890    ————
                ————              CVE-2021-30883
                ————              CVE-2021-30918

The ones that stood out

Apple is, for understandable reasons, always a bit secretive about what was fixed, but from what we were able to figure out, these are the most worrying ones by type of vulnerability.

Elevation of privileges

CVE-2021-30906: A vulnerability in the iCloud component of watchOS may allow a local attacker to elevate their privileges. Exploitation requires authentication.

CVE-2021-30907: A vulnerability in the Audio component of watchOS may allow a malicious application to elevate privileges. The attack must be carried out locally and requires authentication.

Arbitrary code execution

CVE-2021-30881: A vulnerability in the FileProvider component of watchOS means that unpacking a maliciously crafted archive may lead to arbitrary code execution. The attack can be initiated remotely and needs no authentication, but it does require user interaction by the victim.

CVE-2021-30883: A vulnerability in the IOMobileFrameBuffer component of Apple tvOS may allow an application to execute arbitrary code with kernel privileges. This issue may have been actively exploited, as previously discussed here.

CVE-2021-30886: A vulnerability in the kernel component of Apple tvOS (Digital Media Player) may allow an application to execute arbitrary code with kernel privileges. The attack must be carried out locally and requires authentication.

CVE-2021-30889: A vulnerability in the WebKit component of Apple tvOS means that processing maliciously crafted web content may lead to arbitrary code execution. The attack can be launched remotely and needs no authentication, but it does require user interaction by the victim.

CVE-2021-30894: A vulnerability in the Image Processing component of the Smartphone OS may allow an application to execute arbitrary code with kernel privileges. The attack must be carried out locally and requires authentication.

CVE-2021-30900: A vulnerability in the GPU Drivers component of the Smartphone OS may allow a malicious application to execute arbitrary code with kernel privileges. The attack must be carried out locally and requires authentication.

CVE-2021-30902: A vulnerability in the Voice Control component of the Smartphone OS may allow a local attacker to cause unexpected application termination or arbitrary code execution. Exploitation requires authentication.

CVE-2021-30903: A vulnerability in the Continuity Camera component of the Smartphone OS may allow a local attacker to cause unexpected application termination or arbitrary code execution. Exploitation requires authentication.

CVE-2021-30909: A vulnerability in the kernel component of Apple macOS up to 12.0 may allow an application to execute arbitrary code with kernel privileges. The attack must be carried out locally and requires authentication.

CVE-2021-30914: A vulnerability in the GPU Drivers component of the Smartphone OS may allow an application to execute arbitrary code with kernel privileges. The attack must be carried out locally and requires authentication.

CVE-2021-30916: A vulnerability in the kernel component of the Smartphone OS may allow a malicious application to execute arbitrary code with kernel privileges. The attack must be carried out locally and requires authentication.

CVE-2021-30917: A vulnerability in the ColorSync component of watchOS means that processing a maliciously crafted image may lead to arbitrary code execution. The attack can be launched remotely and needs no authentication, but it does require user interaction by the victim.

CVE-2021-30919: A vulnerability in the CoreGraphics component of the Smartphone OS means that processing a maliciously crafted PDF may lead to arbitrary code execution. The attack can be launched remotely and needs no authentication, but it does require user interaction by the victim.

Mitigation

Apple advises users to update to iOS 15.1 and iPadOS 15.1, or to iOS 14.8.1 and iPadOS 14.8.1, which can be done through the automatic update function or iTunes.

Stay safe, everyone!

The post Update now! Apple patches bugs in iOS and iPadOS appeared first on Malwarebytes Labs.

Watch out for the Steam skin “free knife” scam

Have you ever had someone run up to you in the street and insist you take their free knife? I hope not, because that’s a good way to wind up in a 60-minute police procedural drama. In video game land, however, anything goes. A certain type of scam is showing signs of activity at the moment and it’s likely to claim some victims before the week is out.

It involves, wait for it: someone digitally running up to you and insisting you take their free knife.

Free knife? What do you mean?

Many games on Steam make use of skins. These are fancy overlays of in-game items. You may not impress someone with your boring old default knife, or gun, or item of clothing. A rare graphical enhancement which makes said item look incredibly distinctive, however? Now you’re talking.

Skins are most commonly traded in-game. Sometimes they’re sold for virtual or real cash, although depending on the game, using real money may be against the terms of service. A few games have their trading systems deeply embedded into game platforms. For example, Steam has its own marketplace for transactions.

Are skins used in scams?

Oh boy, are they ever. One of the oldest scams around is skin phishing. The phisher will create a fake marketplace, or an imitation of a real game-themed lounge, or even just a fake user’s trading inventory page. Account compromise, and/or malware usually follows.

What does this particular scam involve?

It’s a tactic designed to scam people in the fastest way imaginable. What the scammer does can charitably be described as “minimal”. In short, they’ll send a message to potential victims on Steam or on services such as Discord. There are variations in messaging, but the essence remains the same.

“Yo, I don’t know you unfortunately, but this is for you, I do not need that knife [link]”

“I haven’t met you unfortunately (or not lol), but take it, I dont don’t need that skin [link]”

“G’day – I don’t need this bayonet just take it [link]”

Note the similarities in the first and second messages. It’s hard to say if the messages are manually typed out or automated, but we seem to be peeking at the typical indicators of a deliberate decision to try this tactic out.

Once the account is phished, the victim will have to go through Steam support to try and recover it. Accounts can have an awful lot of money tied to them. There may be thousands of dollars worth of titles bound to it. It may have hundreds of dollars in the user’s Steam wallet. There could be a ton of rare items, gifts, and other content sitting in the user’s Inventory page. Pretty much anything in there is at risk once the scammer gets their claws into the account, and account recovery can be rather stressful at the best of times.

How can I keep my Steam account secure?

Steam has a comprehensive list of security tips for its users. They include everything from phishing tips and general safety advice to account verification and two-factor authentication.

As for the free knives, bayonets, and anything else? Leave the mysterious strangers and their too-good-to-be-true murder objects to the crime dramas and keep that police cordon up around your Steam account.

The post Watch out for the Steam skin “free knife” scam appeared first on Malwarebytes Labs.

How social media mistakes can impact cybersecurity

We talked to members of our Malware Removal Support team and asked them what kind of problems they get asked to solve for our customers.

To understand why they get to handle these questions, it is also necessary to know that the Malwarebytes software is unable to resolve the problems users are facing. Many of these problems can be categorized under the header of trusting the wrong people.

Privacy concerns

You know how it freaks people out when Facebook shows them advertisements for things they have only just thought about buying? Many wonder how Facebook knows this.

They say, “I haven’t searched for the item yet, but here they are showing me this advertisement.”

It gets even worse when people have had a private conversation about it, and they think the advertisers or the platform has been eavesdropping on them.

Most of the time that is not true. So, how do the platforms know what ads to serve you?

  • Algorithms are smarter than most people think. Have you heard the story about the family that got coupons for baby clothes and cribs even before their daughter told them she was expecting? We humans are way more predictable than we’d like to think.
  • Users of social media and Facebook in particular tend to forget how many people can see the “public” part of their profile and posts.
  • Websites share information about your scrolling behavior through cookies, FLoC, and other trackers.

Some people get so convinced they have spyware on their system that they contact our support team to help them get rid of it. All we can do is inform the public and point those looking for help in the right direction.

More Facebook concerns

Besides people not securing their Facebook settings and making everything public, they also make more blatant mistakes like posting their email addresses, clicking on links to surveys in Facebook, clicking on unsolicited links in Messenger, and answering posts that phish for information that makes it easier to guess your passwords.

[Image: a Facebook post phishing for personal information]
Every Facebook user will have seen posts like this. Don’t give information like that away.

This comment by one MRS agent during our discussion says a lot:

“I had 2 friends on Facebook today get their profiles taken over because they clicked links they shouldn’t have clicked.”

In cases where these mishaps go wrong, all our Support team can do is tell people they have to contact Facebook as unfortunately we can’t help them.

Other password shenanigans

Another privacy-related concern we often get asked about is the sextortion emails that try to intimidate the recipient by telling them the attacker has their password. But that password usually originates from some security breach, and the sender has simply found it in a data dump somewhere. A quick way to check is a visit to the Have I Been Pwned? website.

If you do get an email like this, you should change the password anywhere you use it. And please use Multi-Factor Authentication wherever possible.

Social media and scams

Social media is a perfect way for scammers to reach a lot of people, and we often see them using this to round up victims. There are many kinds of Bitcoin scams to be found on YouTube, Twitter, and other platforms. And along with Tech Support scams, Ponzi schemes, misinformation, and many phishing attempts, you can find every kind of scammer on social media without having to look very hard.

A few more tips

To round this off we assembled a few other mistakes our team sees a lot. So steering clear of these can save you a lot of trouble.

  • Letting browsers save their passwords. Use a password manager or password book for them, especially if you are sharing your system with others.
  • Never backing up their system. We understand it can be cumbersome, but imagine the misery when you lose access, be it because of ransomware or a hard drive failure.
  • Using cracks and keygens. The oldest trick in the book to spread malware is to tell visitors that it is a crack or keygen for a popular game or other software.
  • Using torrent software. The same as for cracks and keygens applies here—unless you can verify what you are receiving, don’t download anything from anyone.

Stay safe, everyone!

The post How social media mistakes can impact cybersecurity appeared first on Malwarebytes Labs.

Patch now to bypass Firefox add-ons that abuse the proxy API to deny updates

In a Firefox security announcement, Mozilla said 455,000 users have downloaded Firefox add-ons that interfere with how they connect to the internet.

The interference in itself was not the deciding factor, however. The add-ons abused the proxy API to prevent users who had installed them from downloading updates, accessing updated blocklists, and updating remotely configured content.

What is the proxy API?

The proxy API can be used by add-on developers as an event listener to intercept web requests, and return an object that describes whether and how to proxy them. Add-ons that use the proxy API need the “proxy” permission. And where they want to intercept requests, they also need “host” permission for the URLs of intercepted requests.

Google Chrome provides an extension API also called “proxy” which is functionally similar to this API, in that extensions can use it to implement a proxying policy. However, the design of the Chrome API is completely different to this API. They are incompatible, which means using both is NOT recommended as it may result in connectivity issues.

Abuse cases

Mozilla says the add-ons were advertised to users as being able to bypass paywall restrictions on websites. It is unknown whether the blocking of updates was intentional and whether the add-ons were performing other malicious actions.

Mozilla has blocked the malicious add-ons so they cannot be installed by anyone else. Starting with Firefox 91.1, Firefox includes changes to fall back to a direct connection when an important request (such as one for updates) fails via a proxy configuration. This way, users cannot be denied important updates.

Mitigation

Mozilla stopped accepting add-on submissions that use the proxy API until fixes were available for all users.

One of those fixes is a system add-on named “Proxy Failover” (ID: proxy-failover@mozilla.com) with additional mitigations, which Mozilla has shipped to both current and older Firefox versions. This system add-on implements failover rules for system requests over malfunctioning proxies. In other words, if a proxied system request fails, the proxy configuration in use will be disabled.

As usual, make sure your browser is up to date. The latest version of the Firefox Standard Release for Desktop is at 93.0.

[Image: the latest Firefox version shown in the About dialog]

In case you are not running the latest version and have not disabled updates, you might want to check whether you are affected by this issue. First, try updating Firefox manually: in the menu, click Settings, scroll down on the General tab to Firefox Updates, and click the Check for updates button. Recent versions of Firefox come with an updated blocklist that automatically disables the malicious add-ons, so you should be able to get an update.

If that does not work, check the Add-ons section and search for one of the following entries:

  • Name: Bypass ID: {7c3a8b88-4dc9-4487-b7f9-736b5f38b957}
  • Name: Bypass XM ID: {d61552ef-e2a6-4fb5-bf67-8990f0014957}

Please make sure the ID matches exactly as there might be other, unrelated add-ons using those or similar names. If none of those IDs are shown in the list, you are not affected.

If you do find one of these entries, you can remove the add-on under the Add-ons and themes section of the menu by clicking on the three horizontal dots and selecting Remove from the dropdown menu.

[Image: how to remove an add-on]

Using the proxy API going forward

Developers who wish to use the proxy API for legitimate reasons are asked to include a strict_min_version key in their manifest.json files targeting “91.1” or above. This makes sure that users will not suffer blocked updates, and it will expedite the review of your add-on.

Stay safe, everyone!
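The manifest requirement above can be checked before submission or during review. The Python below is an added example, not Mozilla tooling; the two sample manifests are constructed, and strict_min_version is read from browser_specific_settings.gecko or the older applications.gecko key.

```python
"""Review check for Firefox add-ons that request the proxy API.

Added example, not Mozilla tooling.  It reads a manifest.json, reports whether
the add-on asks for the "proxy" permission and which host permissions it holds,
and fails the review when a proxy-using add-on does not declare
strict_min_version 91.1 or later (the version from which Firefox falls back to
a direct connection for important requests that fail through a proxy).
"""
import json
import re

REQUIRED_MIN_VERSION = (91, 1)


def parse_version(version: str) -> tuple:
    """Turn '91.1' or '93.0a1' into a tuple that compares numerically."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if m is None:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def strict_min_version(manifest: dict):
    """Read gecko.strict_min_version from either key Firefox accepts."""
    for key in ("browser_specific_settings", "applications"):
        gecko = manifest.get(key, {}).get("gecko", {})
        if "strict_min_version" in gecko:
            return gecko["strict_min_version"]
    return None


def review_manifest(manifest_text: str) -> dict:
    """Return the review result for one manifest.json document."""
    manifest = json.loads(manifest_text)
    permissions = manifest.get("permissions", [])
    uses_proxy = "proxy" in permissions
    # In manifest v2, host permissions are match patterns mixed into "permissions".
    host_permissions = sorted(p for p in permissions if "://" in p or p == "<all_urls>")
    declared = strict_min_version(manifest)
    findings = []
    if uses_proxy:
        if declared is None:
            findings.append("proxy permission requested without strict_min_version")
        elif parse_version(declared) < REQUIRED_MIN_VERSION:
            findings.append(f"strict_min_version {declared} is below the required 91.1")
    return {
        "uses_proxy": uses_proxy,
        "host_permissions": host_permissions,
        "strict_min_version": declared,
        "ok": not findings,
        "findings": findings,
    }


# Constructed sample manifests: the first is what a reviewer should reject,
# the second declares the minimum version the post says Mozilla asks for.
WEAK_MANIFEST = """{
  "manifest_version": 2,
  "name": "Example Proxy Helper",
  "version": "1.0",
  "permissions": ["proxy", "<all_urls>"],
  "background": {"scripts": ["background.js"]}
}"""

FIXED_MANIFEST = """{
  "manifest_version": 2,
  "name": "Example Proxy Helper",
  "version": "1.1",
  "permissions": ["proxy", "<all_urls>"],
  "background": {"scripts": ["background.js"]},
  "browser_specific_settings": {"gecko": {"strict_min_version": "91.1"}}
}"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_MANIFEST), ("fixed", FIXED_MANIFEST)):
        print(label, review_manifest(text))
```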

The post Patch now to bypass Firefox add-ons that abuse the proxy API to deny updates appeared first on Malwarebytes Labs.

A week in security (Oct 18 – Oct 24)

Last week on Malwarebytes Labs

  • Multiple vulnerabilities in popular WordPress plugin WP Fastest Cache.
  • “Killware”: Is it just as bad as it sounds?
  • REvil ransomware disappears after Tor services hijacked.
  • Protect yourself from BlackMatter ransomware: Advice issued.
  • q-logger skimmer keeps Magecart attacks going.
  • How to delete your Snapchat account.
  • High school student rickrolls entire school district, and gets praised.
  • Chrome targeted by Magnitude exploit kit.
  • Update now! Chrome fixes more security issues.
  • A bug is about to confuse a lot of computers by turning back time 20 years.
  • We dig into the Game Players Code.
  • Ransomware: Why do backups fail when you need them most?

Other cybersecurity news

  • Sinclair Broadcast Group says it suffered a ransomware attack and has had data stolen. (Source: NPR)
  • After games boom in pandemic, gangs are using phishing and malware to cheat fans. (Source: The Guardian)
  • A vulnerability in the trial version of WinRAR has significant consequences for the management of third-party software. (Source: PT Security)
  • Slack contains an XSLeak vulnerability that de-anonymizes users. (Source: The Daily Swig)
  • Gummy Browsers, a new fingerprint capturing and browser spoofing attack lets attackers spoof tracking profiles. (Source: Bleeping Computer)
  • Elaborate CryptoEats food delivery scam steals $500,000 in minutes. (Source: Vice)
  • Phishing campaign targets YouTube creators with cookie theft malware. (Source: Google Threat Analysis Group)
  • Dutch forensic lab decrypts Tesla’s driving safety data and finds a wealth of information. (Source: The Record)
  • Australia announces critical infrastructure reforms to protect the essential infrastructure in the event of a major cyber-attack. (Source: homeaffairs.gov.au)
  • Popular NPM library hijacked to install password-stealers and miners. (Source: BleepingComputer)

Stay safe, everyone!

The post A week in security (Oct 18 – Oct 24) appeared first on Malwarebytes Labs.

Beyond the VPN: Ultimate online privacy, with The Tor Project’s Isabella Bagueros: Lock and Code S02E20

“What does online privacy mean to you?”

This beguilingly simple question can produce dozens of overlapping and distinct answers, all depending on who you ask. A VPN service might tell you that online privacy means obscuring your IP address and hiding your Internet activity from your Internet Service Provider. A privacy-forward web browser, like Mozilla, or Brave, might tell you that online privacy means being protected from third-party tracking and surreptitious data collection. And an anti-surveillance activist or lawyer at an organization like the American Civil Liberties Union or Electronic Frontier Foundation might tell you that online privacy means shutting down sweeping surveillance laws in the United States like Section 702 and Section 215.

While Lock and Code has spoken to several guests about online privacy in the past, we wanted to revisit the topic because of its intersection with VPNs, the increasingly popular tools that consumers are using to protect some of their privacy online. We understand the value of a good VPN—our company makes one after all—but we also cannot deny that there is an entire world of online privacy that exists beyond the VPN.

Today, on the Lock and Code podcast with host David Ruiz, we speak to The Tor Project Executive Director Isabella Bagueros about what other types of online tracking users are vulnerable to, even if they’re using a VPN, how else users can stay private online without becoming overwhelmed, and why users should be careful about trusting any one, single VPN.

“One of the issues with VPNs, nowadays, is that they are controlled. It is a private network indeed, because it is controlled and centralized under an organization or company. They literally control all the servers, all the infrastructure that they are providing you, and I think that is one of the things that you want to avoid. You want to avoid having a single point of failure, or a single point of trust.”

Isabella Bagueros, The Tor Project executive director

Tune in to hear all this and more on this week’s Lock and Code podcast, by Malwarebytes labs.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

The post Beyond the VPN: Ultimate online privacy, with The Tor Project’s Isabella Bagueros: Lock and Code S02E20 appeared first on Malwarebytes Labs.

A bug is about to confuse a lot of computers by turning back time 20 years

For those of you that remember the fuss about the Y2K bug, this story may sound familiar.

The Cybersecurity & Infrastructure Security Agency (CISA) has issued a warning to Critical Infrastructure (CI) owners and operators, and other users who get the time from GPS, about a GPS Daemon (GPSD) bug in GPSD versions 3.20 through 3.22.

Y2K

If you don’t remember the Y2K bug, let me remind you quickly. Before the year 2000, lots of computer programs kept track of the year by remembering the last two digits instead of all four. Programs coded this way would work correctly until the first day of the new millennium, when they would assume they’d been transported back in time 100 years to 1900.

Some computer programs don’t care what time it is, but others do, and there were genuine fears that getting the date wrong by 100 years might cause the lights to go out, or planes to fall from the sky.

In the end, those big problems didn’t materialize, because everyone received a warning or two, or twenty, way in advance, and there was enough time to take action and fix the broken code.

What’s the bug now?

Alongside telling you where in space you are, the Global Positioning System (GPS) can also tell you where in time you are. To do this, it keeps a count of the number of weeks since January 5, 1980. The main civil GPS signal broadcasts the GPS week number using a 10-bit code with a maximum value of 1,023 weeks. This means every 19.7 years, the GPS week number in the code rolls over to zero.

GPSD is a GPS service daemon for Linux, OpenBSD, Mac OS X, and Windows. It collects data from GPS receivers and makes that data accessible to computers, which can query it on TCP port 2947. It can be found on Android phones, drones, robot submarines, driverless cars, manned military equipment, and all manner of other embedded systems.

Unfortunately, in an echo of the Y2K bug, a flaw in some versions of GPSD could cause time to roll back after October 23, 2021. The buggy versions of the code reportedly subtract 1024 from the week number on October 24, 2021. This would mean Network Time Protocol (NTP) servers using the broken GPSD versions would think it’s March 2002 instead of October 2021.
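The week arithmetic above is easy to check. The Python below is an added example, not GPSD code: it derives the full and 10-bit week numbers for a date, resolves the 10-bit field correctly against a trusted reference date (the decoding that survives a rollover), and models the 1024-week subtraction the post describes, reproducing the jump from 24 October 2021 to March 2002.

```python
"""Worked example of the 10-bit GPS week-number rollover and the GPSD bug.

Added example (not GPSD code).  Dates are accepted as datetime.date objects
or ISO strings so the functions can be called directly from a REPL.
"""
from datetime import date, timedelta

# Week 0 began at midnight UTC at the start of Sunday 6 January 1980
# (the night of 5/6 January 1980).
GPS_EPOCH = date(1980, 1, 6)
WEEK_FIELD_BITS = 10
ROLLOVER_WEEKS = 1 << WEEK_FIELD_BITS   # 1024 weeks, roughly 19.6 years

# The post states that affected GPSD builds subtract 1024 weeks from this date on.
BUG_TRIGGER_DATE = date(2021, 10, 24)


def _as_date(d) -> date:
    """Accept a date or an ISO-8601 string such as '2021-10-24'."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def gps_week(d) -> int:
    """Full (unwrapped) GPS week number that contains calendar date d."""
    return (_as_date(d) - GPS_EPOCH).days // 7


def broadcast_week_field(d) -> int:
    """The 10-bit value actually carried in the legacy civil signal."""
    return gps_week(d) % ROLLOVER_WEEKS


def resolve_week(field: int, reference) -> int:
    """Unwrap a 10-bit week field using a trustworthy lower bound.

    A receiver knows it cannot be running before its firmware was built (or
    before some other trusted reference date), so it takes the first full week
    number >= that reference whose low 10 bits equal the field.  This is the
    rollover-safe decoding; the affected GPSD versions did not behave this way.
    """
    if not 0 <= field < ROLLOVER_WEEKS:
        raise ValueError("week field must fit in 10 bits")
    floor_week = gps_week(reference)
    era_start = floor_week - (floor_week % ROLLOVER_WEEKS)
    candidate = era_start + field
    if candidate < floor_week:        # the field already belongs to the next era
        candidate += ROLLOVER_WEEKS
    return candidate


def week_start_date(week: int) -> date:
    """Calendar date (a Sunday) on which a full GPS week number begins."""
    return GPS_EPOCH + timedelta(weeks=week)


def buggy_gpsd_date(d) -> date:
    """Date a GPSD build with the bug would report for the real date d."""
    d = _as_date(d)
    if d < BUG_TRIGGER_DATE:
        return d
    return d - timedelta(weeks=ROLLOVER_WEEKS)


if __name__ == "__main__":
    today = date(2021, 10, 24)
    print("full GPS week:", gps_week(today))                              # 2181
    print("10-bit field :", broadcast_week_field(today))                  # 133
    print("resolved with a 2015 reference:", resolve_week(133, "2015-01-01"))  # 2181
    print("what the buggy GPSD reports:", buggy_gpsd_date(today))         # 2002-03-10
```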

How bad is it?

For computer systems that have no other time reference, being thrown back in time can cause several security issues. From the perspective of incident handling and incident response, well-synchronized time across systems facilitates log analysis, forensic activities and correlation of events. Losing track of what happened when can lead to missed incidents.

Even worse is getting shut out. NTP servers using the bugged GPSD version would get thrown back almost 20 years. The Network Time Protocol (NTP) is in many cases responsible for ensuring that time is kept accurately, and various businesses and organizations rely on these systems. Authentication mechanisms such as Time-based One-Time Password (TOTP) and Kerberos also rely heavily on time. Should there be a severe mismatch in time, users would not be able to authenticate and gain access to systems.

The same would happen in cases where authentication relies on cookies. Websites and services relying on expiring cookies do not respond favorably to cookies from two decades in the future.

And speaking from experience, the last GPS week number reset to zero occurred on April 6, 2019. Many GPS-enabled devices that were not properly designed to account for the rollover event exhibited problems on that date. Other equipment became faulty several months before or after that date, requiring software or firmware patches to restore their function.

Mitigation

Since the affected versions of GPSD are versions 3.20 through 3.22 users should upgrade to version 3.23.1. Going back to older versions such as 3.19 and 3.20 is not recommended since they are unsupported and had bugs. For organizations that are using GPS appliances or rely on GPSD, it is recommended to check if GPSD is being utilized anywhere in the infrastructure and check its corresponding version. It is likely that an upgrade to GPSD will be required if no recent upgrades were performed.

It is also good for system administrators to make a mental note of the date October 24, 2021. If systems that had been authenticating normally start to have authentication issues after the weekend, it could be due to a mismatched date and time.

If you would like to be spared this rollback problem entirely, the GPS modernization program is adding new civilian signals (L2C and L5) whose navigation message carries a 13-bit week number, which rolls over only every 8192 weeks, roughly 157 years.

Personal note

Should your system go back to 2002, can you instruct it to tell me to invest in Bitcoin, please?

The post A bug is about to confuse a lot of computers by turning back time 20 years appeared first on Malwarebytes Labs.

We dig into the Game Players Code

Gaming security is getting a lot of attention at the moment. Rightly so; it’s a huge target for scammers and malware authors. Malicious ads, fake games, survey scams, phishing attacks…whatever you can think of, it’s in use. Some target kids and steal their accounts, selling them on. Others go after parents, who have their payment details tied to various platforms and consoles. Whatever the scammer is into, rich pickings can be theirs for the taking.

As we’ve shown previously, you don’t even have to be on a gaming platform to be at risk from shenanigans. You can run into something bad and gaming-related purely from hanging out somewhere else. These attacks, these tactics, are pervasive.

Some organisations are trying to turn the tide, however.

Step up to the plate, Game Players Code

Banks are noticing just how much time is spent dealing with gaming theft issues. No doubt their support calls tell a grim tale of cancelled cards and reverse charges. Tip: some gaming platforms will actually ban/cancel a gaming account by default should you ever reverse a dubious charge. Never do this if you can help it.

Lloyds Bank, in response to the never-ending glut of financial gaming fraud, has come up with something called “Shield against scams”. This is designed to give younger gamers a helping hand to avoid video game fakery. They’ve also got some well known gamer influencers on board, which can only help get the message in front of gamers. Shall we take a look at each tip and see what else we can add to the discussion?

Chat screening and anonymity

SCREEN any chats from strangers, as well as unexpected gifts and special edition or time-limited offers. Never transfer money to someone you haven’t met in person.

HIDE personal information from others at all times, concealing your personal details where possible to avoid them being leaked.

This is a good start. Concealing player information is also helpful. Gaming forums, databases, and websites are often targeted by compromise and data theft. When the hammer falls, it’s probably best to have as few visible bits of personal information as possible. Always check the privacy specifics of whatever platform you’re using.

Some enable settings like real ID (your actual real name) by default, making it visible to whoever has the correct level of permissions. This could be a friend you’ve added, or random players looking at your profile. Other platforms won’t display real names or locations without you physically typing them into your profile. Consoles are a particular concern here because they have so many different settings across multiple menus. Many of them will have a privacy component to them, but you’ll have to dig around and make those connections yourself. It could be a slow process, so set some time aside for that.

Chat, whether in game or via a client, is an inroad to bad messages. You may even run into bogus messages in chat/VoIP land. The “I accidentally reported you” scam is hitting saturation point at the moment. Last but not least, beware of Real Money Trading if you play massively multiplayer online games.

Be cautious with payments

INVESTIGATE any gaming-related purchases before handing over money, such as checking whether the website is blacklisted on https://sitechecker.pro/blacklist-checker/ and only making card payments that offer greater consumer protections.

Another decent tip. Much of the gaming fraud we see at the moment is related to in-game purchases or DLC. Most commonly weapons, skins, outfits and the like. Some gaming platforms like Steam allow gamers to trade items. Fake trade phishes have been around for years and are very popular.

Evaluating the download risk

EVALUATE whether gaming-related downloads are being made from established trusted sources and whether they are safe by checking for malware via https://www.virustotal.com/

Generally speaking, all gaming downloads should be coming from the source (the platform you’re using) directly. Want to play Diablo 3? You’ll be using the Battle.net client on PC. Steam games? You’ll use the big download button inside the Steam client. Uplay? Origin? Epic store? The same rule applies. On a games console, it’s even more locked in. You can’t exactly go wandering off to a rogue download on a PS4.

As far as these files go, in theory you shouldn’t need to scan them (indeed, it isn’t possible to scan them if they’re on a games console). Sometimes things can go wrong with files from an official source, but this is pretty rare. Apply your own better judgment on this one.

Should you stray outside your walled client garden, that’s the time to be suspicious. Messages about free games, dubious offers/adverts, or random uploads to YouTube promising free cracked copies of the latest titles should be given a wide berth. You can certainly use VirusTotal for a quick check, but you should also read up on what it does. We would always recommend using your dedicated security tools in addition to any web-based scan.

Locking down

LOCK your gaming network by using password managers, two-factor authentication within platforms and anti-virus software.

Good tips. There are many gaming platforms. Some of them have titles exclusive to them, or deals which are better than anywhere else. Even if you decide to stick with Steam, certain games will insist on you also using their creator’s gaming platform. So you could fire up a Far Cry game on Steam, but you may need to launch the Uplay client…via Steam…and the game launches from there.

This may have changed, it’s been a few years since I tried it myself. But this is not an uncommon thing to happen.

Before you know it, you don’t just need a secure email tied to your gaming platform. You need logins for Steam, Uplay, Epic, Blizzard, multiple logins for MMORPG launchers, passwords in consoles, passwords everywhere. A password manager is exactly the kind of solution to this headache.

Two-factor authentication was rather uncommon in most gaming circles years ago, but it’s pretty much the default now. You can have it on your PC gaming clients, your consoles, your email. There’s Google Authenticator, or dedicated apps depending on the game publisher. Whatever your gaming network of choice, this is almost certainly something you can make use of.

Card safety concerns

DELINK your bank details from gaming and online browser accounts. Having two-factor authentication set up on bank transactions and using prepaid cards will also help to keep your money protected.

Payment information on accounts is a risk, but having payment information on any account can be a risk. The question is what can you put in place to lessen this, and how much damage can someone do if they get that information?

Many gaming clients allow you to store details, or delete them as appropriate. For example, you can tell Steam whether or not to remember payment info. You can also load up an account with funds via the Steam wallet, or put certain amounts of money onto the account with gift cards. Yes, someone can still steal an account and if it has £100 sitting on it, that’s bad. Some may argue that’s actually worse than stored card details.

If payment info is stored in Steam, you still have to enter the verification code on the back of the card for any transaction as this isn’t retained. While an account with details stored on it will still be valuable to someone out there, most people can’t simply start spending. They don’t have the code. However, an account with £100 or £300 sitting on it is an instant spend-festival.

As a result, a good tip is to only load up the account with smaller amounts of cash. It’s still bad if it gets stolen, but not £300 bad.

In conclusion…

Any attempt to make gaming realms more secure is a good thing. While you may have to add a bit more context to the tips as they stand, the basics are in place and that’s what we need to encourage young gamers with. Any positive change in habits, whether from the kids or the parents helping behind the scenes, can only be beneficial for everyone.

The post We dig into the Game Players Code appeared first on Malwarebytes Labs.

Ransomware: Why do backups fail when you need them most?

It’s widely known, and endlessly repeated, that the last, best line of defence against the potentially devastating effects of a ransomware attack is your backups.

So why do we keep hearing things like this:

We’re also feeling relatively confident, we have a very good backup system … and then we find out at about four or five hours after the [ransomware] attack that our backup system is completely gone.

Ski Kacoroski, System administrator, Northshore School District

The quote above comes from a recent Malwarebytes podcast episode, “Racing against a real life ransomware attack”, in which host David Ruiz interviewed sysadmin Ski Kacoroski about a ransomware attack on the Northshore School District in Washington State.

Kacoroski’s alarming discovery—that the backups he was relying on to restore the school district’s damaged systems were unusable—is not unusual in the aftermath of a ransomware attack. The glib and depressingly common response from some in the IT community is to assume that those involved were idiots, and to blame them for their misfortune, observing with hindsight that they should have known they needed to spend more on this, run that, patch this, check that, etc.

A more realistic, more useful, perspective assumes that system administrators and security folk like Kacoroski are competent, intelligent people who are doing their best to meet multiple requirements in complex environments with limited resources. Starting there, the obvious conclusion from experiences like Kacoroski’s is that backups are hard to get right.

Why do backups fail?

Following the interview with Kacoroski, we set out to find out why getting backups right is so difficult. To help us we approached backup expert Matt Crape, a technical account manager at VMWare, and put exactly that question to him in a follow-up podcast episode, Why backups aren’t a “silver bullet” against ransomware.

This is what we learned from Crape:

Backups are difficult

Crape observed that people often imagine backups are easy, because their only experience of performing backups is doing them at home, where it is easy: You just plug a USB hard drive into your laptop every night and press a button.

But add a few hundred computers and you’re living in a different world.

Step one, says Crape, is figuring out what you’re trying to achieve. To do that you have to work though a series of important but difficult questions, including:

Are you backing up just your data, or your data and your applications? Are you archiving medical information or personally identifiable information that comes with regulatory requirements dictating where, how, and for how long you can store it? How many copies of the data and applications will you make, and where will you keep them? How long will you store each type of data? Do you need versioning? How often are you going to back everything up? Are you going to run the same schedule for all your data, no matter how important it is or how often it changes, or are you going to run different schedules for different things? And how will the scheduling, and the amount of data travelling over the network at different times, affect performance?

A backup archived to tape or the Cloud is only half the story too. It can only be considered a success if you can restore a working system from it, and there are a few things that can derail that.

SQL databases typically have to be stopped, or backed up through their own consistent-snapshot mechanism, before you can take a backup that will usefully restore, for example. Many applications also depend on the existence of other services (such as DNS, email or authentication), so you’ll need to understand and record those relationships, and have a plan for restoring systems in the right order if you want it all to come back to life.
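Once those relationships are recorded, the restore order can be derived rather than guessed. The following is an added example (not from the original post): a constructed dependency inventory for the kinds of services the text names, and a topological sort (Kahn’s algorithm) that brings each service up only after everything it depends on, and that reports a circular dependency instead of silently emitting a bad order. The service names and their dependencies are illustrative.

```python
"""Derive a safe restore order from recorded service dependencies (added example)."""
from __future__ import annotations

from collections import deque


def restore_order(depends_on: dict[str, set[str]]) -> list[str]:
    """Topologically sort services; raise ValueError if the dependencies contain a cycle."""
    # Every referenced service gets a node, even if nothing was recorded for it.
    nodes = set(depends_on) | {d for deps in depends_on.values() for d in deps}
    remaining = {n: set(depends_on.get(n, ())) for n in nodes}
    ready = deque(sorted(n for n, deps in remaining.items() if not deps))
    order: list[str] = []
    while ready:
        svc = ready.popleft()
        order.append(svc)
        for other, deps in remaining.items():
            if svc in deps:
                deps.discard(svc)
                if not deps:  # all prerequisites restored; safe to bring up next
                    ready.append(other)
    if len(order) != len(nodes):
        stuck = sorted(n for n, deps in remaining.items() if deps)
        raise ValueError(f"dependency cycle involving: {', '.join(stuck)}")
    return order


# Constructed sample inventory: service -> services that must be up before it.
SAMPLE = {
    "dns": set(),
    "domain-controller": {"dns"},
    "sql-server": {"dns", "domain-controller"},   # database logins use Kerberos
    "mail": {"dns", "domain-controller"},
    "student-records-app": {"sql-server", "domain-controller", "mail"},
}

if __name__ == "__main__":
    for step, svc in enumerate(restore_order(SAMPLE), start=1):
        print(f"{step}. restore {svc}")
```

Keep the inventory in the same place as the backup catalogue, and re-run this whenever a new system is added; an application that silently picked up a dependency on a new authentication service is exactly the thing that fails to come back after an incident.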

You also need a process for reviewing those decisions regularly. Businesses evolve and change, and your backups have to keep up.

And finally, having done all that, you’ll need to do something far more difficult—convince someone it’s all worth paying for.

Backups are expensive

According to Crape “That money conversation was always the hardest part”. The problem with backups, he says, is that 99% of the time you don’t need them, so they can seem like money down the drain.

Ransomware changes the calculation considerably. Aside from their day-to-day uses, organisations have historically seen backups as a way to cope with natural disasters and other severe but infrequent events. It is easy to understand why they might put off dealing with that problem until tomorrow in favour of more immediate concerns.

But a ransomware attack isn’t a lightning strike or a once-in-a-hundred-years flood. According to IDC, “more than one third of organizations worldwide have experienced a ransomware attack or breach that blocked access to systems or data in the previous 12 months”. Other organisations might give you slightly different figures, but there’s no doubt that ransomware attacks are frighteningly common.

Crape suggests that the best way to make the argument for properly staffed and funded backups is to make the conversation about the cost of losing key systems: “How much downtime can we afford for this specific server? What’s the cost of that vs the cost of storing backups for three years?”

Backups are targets

“Had the Empire had better physical security for their backup archives, the Star Wars franchise would be markedly different”.

Matt Crape, Technical Account Manager, VMWare

Backups contain all the information that makes a company tick, which makes them targets for both theft and sabotage. For a modern fable on the menace of insider threats and the importance of physical security for backups, just watch Rogue One: A Star Wars Story, says Crape. “The Death Star blew up because of a backup.”

Ransomware gangs understand that your backups could deprive them of a multimillion dollar payday and will seek them out and delete them if they can. It’s also not unusual for criminal hackers to spend days, weeks, or even months inside the networks of organisations they’ve breached. They use that time to perform reconnaissance and elevate their privileges, so they can reach all parts of the network, including its backups (even cloud backups, if the credentials that reach them are stored on the network). If they can find them, they will destroy them before running their ransomware.

When it is finally run, many kinds of ransomware will also look for and disable or delete shadow copies—a form of local backups—on the machines they infect, cutting off the possibility of restoring those machines with a quick rollback.
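That shadow-copy deletion is one of the few noisy steps in an otherwise quiet intrusion, so it is worth alerting on. The following is an added example (not from the original post): a small detector run over constructed sample log lines. The command patterns are the well-known ones used to delete Volume Shadow Copies and disable Windows recovery; the log line format (timestamp, host, user, command line) is an assumption for the example, so adapt `parse_line` to whatever your EDR or Sysmon pipeline actually emits.

```python
"""Flag shadow-copy and recovery tampering in process command-line logs (added example)."""
from __future__ import annotations

import re
from typing import NamedTuple, Optional

# Each pattern is matched case-insensitively against the full command line.
PATTERNS = {
    "vssadmin-delete":  re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "vssadmin-resize":  re.compile(r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage", re.I),
    "wmic-shadowcopy":  re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    "wbadmin-catalog":  re.compile(r"wbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)", re.I),
    "bcdedit-recovery": re.compile(
        r"bcdedit(?:\.exe)?\s+.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "powershell-vss":   re.compile(r"Win32_ShadowCopy.*(?:\.Delete\(|Remove-WmiObject|Remove-CimInstance)", re.I),
}


class Hit(NamedTuple):
    timestamp: str
    host: str
    user: str
    rule: str
    command: str


def parse_line(line: str) -> Optional[tuple[str, str, str, str]]:
    """Assumed format: '<timestamp> <host> <user> <command line ...>', whitespace separated."""
    parts = line.strip().split(None, 3)
    return (parts[0], parts[1], parts[2], parts[3]) if len(parts) == 4 else None


def scan(lines) -> list[Hit]:
    """Return one Hit per (line, rule) match; benign shadow-copy *listing* does not match."""
    hits: list[Hit] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, user, cmd = parsed
        for rule, pattern in PATTERNS.items():
            if pattern.search(cmd):
                hits.append(Hit(ts, host, user, rule, cmd))
    return hits


# Constructed sample: a benign listing, a backup agent, then a typical pre-encryption sequence.
SAMPLE_LOG = """\
2021-10-22T01:12:03Z fs01 SYSTEM vssadmin list shadows /for=C:
2021-10-22T02:40:11Z fs01 CORP\\svc-backup C:\\Program Files\\Backup\\agent.exe --job nightly
2021-10-22T02:41:09Z fs01 CORP\\jdoe cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
2021-10-22T02:41:10Z fs01 CORP\\jdoe wmic.exe shadowcopy delete
2021-10-22T02:41:12Z fs01 CORP\\jdoe bcdedit.exe /set {default} recoveryenabled No
2021-10-22T02:41:15Z fs01 CORP\\jdoe wbadmin delete catalog -quiet
"""

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG.splitlines()):
        print(f"{h.timestamp} {h.host} {h.user} [{h.rule}] {h.command}")
```

Several of these commands have legitimate administrative uses, so tune on user and parent process rather than suppressing the rule; a file server deleting all its shadow copies at 02:41 under an ordinary user account is the signal that the encryption stage is minutes away.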

If your ransomware recovery plan relies on backups, you will need copies of your data that are offline and off-site, where they are permanently beyond the reach of an attacker who may be resident in your network for months.

Everyone assumes they’re working

According to Crape, another reason that backups let us down when we need them most is that people simply assume they are running correctly. “It’s not uncommon to hear about folks who just don’t check the status, ever”, he told Ruiz. “They’ll check it the first couple of days and then it gets old so they stop paying attention to it, or they turn off notifications because it’s just been running fine. You go to do a restore and you find out, oh, this thing hasn’t run in six months.”

It’s not enough to monitor that the application ran without failing, says Crape. A backup job can run without failing, but that doesn’t mean it did anything; and just because the job ran properly, that doesn’t mean the tape isn’t blank; and having something on tape doesn’t mean you have something that will usefully restore.

If you want to know if your backups are working, you have to test them. And that means doing a full restore into another environment.
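Here is what that test looks like when automated at the smallest scale. The following is an added example (not code from the original post): it writes a tar.gz archive with a SHA-256 manifest, then checks the archive the way the text recommends, by refusing to trust job status and instead restoring into a scratch directory and hashing what came back. It also catches the two silent failures described above: an archive that is stale because the job stopped running, and one that exists but is empty or will not restore. The sample data, archive layout and manifest format are constructed here for illustration.

```python
"""Verify a backup by restoring it and comparing checksums, not by job status (added example)."""
from __future__ import annotations

import hashlib
import io
import json
import tarfile
import tempfile
import time
from pathlib import Path

MANIFEST = "MANIFEST.json"  # relative path -> sha256, stored inside the archive


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, archive: Path) -> dict[str, str]:
    """Archive `source` under 'data/' and record a checksum for every file."""
    manifest = {str(p.relative_to(source)): sha256_of(p)
                for p in sorted(source.rglob("*")) if p.is_file()}
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname="data")
        blob = json.dumps(manifest, indent=1).encode()
        info = tarfile.TarInfo(MANIFEST)
        info.size, info.mtime = len(blob), int(time.time())
        tar.addfile(info, io.BytesIO(blob))
    return manifest


def verify_backup(archive: Path, max_age_days: float = 1.0) -> list[str]:
    """Return the problems found; an empty list means a real restore succeeded."""
    problems: list[str] = []
    if not archive.exists():
        return ["archive is missing"]
    age_days = (time.time() - archive.stat().st_mtime) / 86400
    if age_days > max_age_days:          # the job may simply have stopped running
        problems.append(f"archive is {age_days:.1f} days old")
    if archive.stat().st_size == 0:      # the job "ran" but wrote nothing
        return problems + ["archive is empty"]
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                members = tar.getmembers()
                for m in members:        # refuse path traversal before extracting anything
                    if m.name.startswith("/") or ".." in Path(m.name).parts:
                        return problems + [f"unsafe member path: {m.name}"]
                tar.extractall(scratch, members=members)
        except (tarfile.TarError, EOFError, OSError) as exc:
            return problems + [f"archive does not restore: {exc}"]
        manifest_path = Path(scratch, MANIFEST)
        if not manifest_path.is_file():
            return problems + ["no manifest in archive"]
        manifest = json.loads(manifest_path.read_text())
        if not manifest:
            problems.append("manifest lists no files")
        root = Path(scratch, "data")
        for rel, expected in manifest.items():
            restored = root / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_of(restored) != expected:
                problems.append(f"checksum mismatch after restore: {rel}")
    return problems


def demo() -> tuple[list[str], list[str], list[str]]:
    """Back up a constructed directory; verify a good, an empty and a truncated archive."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "src")
        (src / "notes").mkdir(parents=True)
        (src / "grades.csv").write_text("id,grade\n1,A\n2,B\n")
        (src / "notes" / "readme.txt").write_text("restore me\n")
        good = Path(tmp, "good.tar.gz")
        create_backup(src, good)
        empty = Path(tmp, "empty.tar.gz")
        empty.touch()                    # "succeeded" job that wrote zero bytes
        truncated = Path(tmp, "truncated.tar.gz")
        truncated.write_bytes(good.read_bytes()[: good.stat().st_size // 2])
        return verify_backup(good), verify_backup(empty), verify_backup(truncated)


if __name__ == "__main__":
    for name, problems in zip(("good", "empty", "truncated"), demo()):
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

The scratch restore is the part that matters: a manifest that matches the archive proves nothing if the archive cannot be read back, which is why the check extracts first and only then compares hashes. Run it from a host that is not the backup server, against a copy pulled from the off-site location, so that the test exercises the same path a real recovery would.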

Listen to the podcast

To learn more about why backups fail and how you can use them to effectively combat ransomware, listen to the full podcast below, or in your favourite podcast player from Apple, Spotify, or Google.


The post Ransomware: Why do backups fail when you need them most? appeared first on Malwarebytes Labs.