IT News

You may have seen the Dark Web referenced in popular TV shows and have gotten the wrong idea, or if you already knew about it, you may have snorted in derision. The Dark Web is also sometimes called the Deep Web, when in fact the Dark Web is only a part of the Deep Web.

Terminology

• Surface Web is what we would call the regular World Wide Web that is indexed and where websites are easy to find.
• The Deep Web is the unindexed part of the Web. Actually, anything that a search engine can’t find.
• The Dark Web is intentionally hidden, anonymous, and widely known for illicit activities.

Maybe it’s a good idea to clear up some of the misconceptions about the Dark Web for those that are not in the know. That should tell you a lot about what it really is.

The Dark Web is a separate part of the World Wide Web

Well, it’s not as much separate, but sites on the Deep Web are harder to find as the Deep Web is an unindexed part of the internet. Actually, the indexed part of the Web, which is the part that can be found by robots, is only a small fraction of the entire web. It is hard to tell how big the Dark Web is, since, again, it is unindexed. Estimates say that only 5% of the Web is easily accessible and searchable to the general public. Many other sites can only be visited if you have a direct URL.

Only criminals use the Dark Web

Even though most of the traffic on the Dark Web is used up by criminal activities, such as—

• Drug trafficking
• Selling weapons to countries where they are forbidden or selling types of weapons that are prohibited
• Child (and other illegal) porn
• Malware (as a Service), think of this as programmers selling their malware for a fee or part of the profit
• Sites where victims can pay the ransom for some ransomware they have been hit with
• Buying and selling stolen data
• Fraud related services
• Fake ID’s
• Leak sites where ransomware gangs publish exfiltrated data if the victim refuses to pay

—there are also groups of users that need the Dark Web for reasons that are only considered illegal in a few places, such as:

• Journalists working in “difficult” countries
• People resisting a totalistic regime
• Whistleblowers
• Places where crimes can be reported anonymously
• Bitcoin services
• Forums on various subjects that do not wish to be public

As you can see there are some grey areas, depending on where you stand in a certain situation.

You need a special browser to access the Dark Web

There are several methods of restricting access to many of the resources on the Dark Web, but you can certainly expect you will have to login when you arrive at the site that you want to access. But in most cases, you will also need to be using some kind of service like a VPN, proxy, or an anonymized network.

For sites with an Onion (hence the symbol) domain, you will need a Tor browser to access them. This browser protects your privacy and anonymity by encrypting your traffic to and from the websites you are visiting, and by using a proxy. But if you are a Firefox user, you may see a big resemblance with the Tor Browser, so the browser is not that special. It’s the way how it connects that is different. You can also use Tor on the surface Web. People often do this for privacy reasons.

Surfing the Dark Web is dangerous

If you take the necessary precautions, surfing the Dark Web will not get you hurt, robbed, and mugged. But, like on the surface Web, you have to be vigilant and be protected. Keep in mind, for example, that torrents often bypass your proxy settings and might, therefore, expose your real location. And, needles to say, when you’re actively dealing with criminals, you can actually expect to get deceived and even robbed. So, stay away from those guys.

But as we recently learned, even the bad guys are not always safe on the Dark Web. People do get careless after a while and in these cases, it got the bad guys busted. Keep that in mind if you make it a habit to visit the darker corners of the Web. Curiosity killed many a cat.

The post What is the Dark Web? The Dark Web explained appeared first on Malwarebytes Labs.

The September 2021 Patch Tuesday could be remembered as the final patching attempt in the PrintNightmare… nightmare. The ease with which the vulnerabilities shrugged off the August patches doesn’t look to get a rerun. So far we haven’t seen any indications that this patch is so easy to circumvent.

The total count of fixes for this Patch Tuesday tallies up to 86, including 26 for Microsoft Edge alone. Only a few of these vulnerabilities are listed as zero-days and two of them are “old friends”. There is a third, less-likely-to-be-exploited one, and then we get to introduce a whole new set of vulnerabilities nicknamed OMIGOD, for reasons that will become obvious.

Azure was the subject of five CVE’s, one of them listed as critical. The four that affect the Open Management Infrastructure (OMI) were found by researchers, grouped together and received the nickname OMIGOD.

PrintNightmare

PrintNightmare is the name of a set of vulnerabilities that allow a standard user on a Windows network to execute arbitrary code on an affected machine (including domain controllers) as SYSTEM, allowing them to elevate their privileges as far as domain admin. Users trigger the flaw by simply feeding a malicious printer driver to a vulnerable machine, and could use their new-found superpowers to install programs; view, change, or delete data; or create new accounts with full user rights.

The problem was made worse by significant confusion about whether PrintNightmare was a known, patched problem or an entirely new problem, and by repeated, at best partially-successful, attempts to patch it.

This month, Microsoft patched the remaining Print Spooler vulnerabilities under CVE-2021-36958. Fingers crossed.

MSHTML

This zero-day vulnerability that felt like a ghost from the past (it involved ActiveX, remember that?) was only found last week, but has attracted significant attention. It was listed as CVE-2021-40444, a Remote Code Execution (RCE) vulnerability in Microsoft MSHTML.

Threat actors were sharing PoCs, tutorials and exploits on hacking forums, so that every script kiddy and wannabe hacker was able to follow step-by-step instructions in order to launch their own attacks. Microsoft published mitigation instructions that disabled the installation of new ActiveX controls, but this turned out to be easy to work around for attackers.

Given the short window of opportunity, there was some doubt about whether a fix would be included in this Patch Tuesday, but it looks like Microsoft managed to pull it off.

DNS elevation of privilege vulnerability

This vulnerability was listed as CVE-2021-36968 and affects systems running Windows Server 2008 R2 SP1, SP2 and Windows 7 SP1. It exists due to an application that does not properly impose security restrictions in Windows DNS. The vulnerability is listed as a zero-day because it has been publicly disclosed, not because it is actively being exploited.

Microsoft says that exploitation is “less likely”, perhaps because it requires initial authentication and can only be exploited locally. If these conditions are met this bug can be used to accomplish elevation of privilege (EoP).

OMIGOD

OMIGOD is the name for a set of four vulnerabilities in the Open Management Infrastructure (OMI) that you will find embedded in many popular Azure services. The CVEs are:

• CVE-2021-38647 OMI RCE Vulnerability with a CVSS score of 9.8 out of 10.
• CVE-2021-38648 Open Management Infrastructure Elevation of Privilege Vulnerability
• CVE-2021-38645 Open Management Infrastructure Elevation of Privilege Vulnerability
• CVE-2021-38649 Open Management Infrastructure Elevation of Privilege Vulnerability

The researchers that discovered the vulnerabilities consider OMIGOD to be a result of the supply-chain risks that come with using open-source code:

Wiz’s research team recently discovered a series of alarming vulnerabilities that highlight the supply chain risk of open source code, particularly for customers of cloud computing services.

OMI runs as root (the highest privilege level) and is activated within Azure when users enable certain services, like distributed logging, or other management tools and services. It’s likely that many users aren’t even aware they have it running.

The RCE vulnerability (CVE-2021-38647) can be exploited in situations where the OMI ports are accessible to the Internet to allow for remote management. In this configuration, any user can communicate with it using a UNIX socket or via an HTTP API, and any user can abuse it to remotely execute code or escalate privileges.

A coding mistake means that any incoming request to the service without an authorization header has its privileges default to uid=0, gid=0, which is root.

OMIGOD, right?

The researchers report that the flaw can only be used to remotely takeover a target when OMI exposes the HTTPS management port externally. This is the default configuration when installed standalone and in Azure Configuration Management or System Center Operations Manager (SCOM). Other Azure services (such as Log Analytics) do not expose this port, so in those cases the scope is limited to local privilege escalation.

They advise all Azure customers to connect to their Azure VMs and run the commands below in their terminal to ensure OMI is updated to the latest version:

• For Debian systems (e.g., Ubuntu): dpkg -l omi
• For Redhat based system (e.g., Fedora, CentOS, RHEL): rpm -qa omi

If OMI isn’t installed, the commands won’t return any results, and your machine isn’t vulnerable. Version 1.6.8.1 is the patched version. All earlier versions need to be patched.

The post Patch now! PrintNightmare over, MSHTML fixed, a new horror appears … OMIGOD appeared first on Malwarebytes Labs.

Secure Sockets Layer (SSL) certificates are what cause your browser to display a padlock icon, indicating that your connection to a websites is secure. Although the padlock may soon be hidden from view, certificates aren’t going anywhere.

Let’s start with some definitions and explain some of the terminology.

On a strictly technical level, SSL was actually superseded by Transport Layer Security (TLS) many years ago, but the name has stuck around. So, in this article we’ll use SSL to refer to the entire SSL/TLS family of protocols.

SSL is a security technology for establishing an encrypted link between a server and a client, such as a website and a browser, or a pair of email servers. An SSL certificate is a digital certificate that authenticates a website’s identity and enables an encrypted connection.

What is the purpose of SSL certificates?

SSL certificates serve two important purposes:

• Authentication. It authenticates the identity of the computer you are talking to.
• Privacy. It ensures that a connection between two computers is encrypted.

On the web, SSL makes a connection to a website more trustworthy: You are talking to the website identified in the certificate, and nobody is listening in or tampering with the communication between you. This is particularly important when you are exchanging private information like credit card details or passwords.

It does not make the website more trustworthy though, only the communication between it and you. Not every website that has an SSL certificate can be trusted. Evil websites, like phishing sites, can have SSL certificates and you can establish safe, trustworthy connections to evil sites using SSL!

Despite lots of (now outdated) advice, SSL certificates and padlocks should not be used as an indicator that a website is “safe”. Equally, if a website does not have a certificate, that does not mean it cannot be trusted.

How do SSL certificates work?

SSL encryption is possible because of the public-private key pairing that SSL certificates facilitate. A website visitor’s browser gets the public key necessary to open an encrypted connection from a server’s SSL certificate. The public key is not secret and anyone can see it, so it doesn’t matter if it’s intercepted. Anyone with the public key can use it to encrypt a message, but only the corresponding private key on the server can decrypt it.

Depending on the type of certificate it also provides a visitor with information about the holder of the certificate:

• The domain name the certificate is valid for
• Information about the holder of the certificate
• Which certificate authority issued the certificate
• Issue and expiration date of the certificate
• The public key needed for the encryption

SSL certificates are generally divided into three types:

• Domain Validated (DV) Certificates. DV certificates assert a link between a certificate and a domain. Projects like Let’s Encrypt, which provides free certificates and automates the process of creating and installing them, rely on domain validation.
• Organization Validated (OV) Certificates. OV certificates assert a link between a certificate and an organization. The body issuing the certificate must validate the legal and physical existence of the organization.
• Extended Validated (EV) Certificates. EV certificates assert a link between a certificate and an organization using a more thorough vetting process than OV certificates.

Where do you get SSL certificates?

SSL certificates are issued by a Certificate Authority (CA). Most browsers will accept certificates issued by hundreds of different CAs.

If you are looking for a certificate for your website, one option is to contact your hosting provider. They will usually be able to point you in the right direction, and will probably be able to provide one. Mention what type of certificate you are looking for since that is important information to start on your quest. Alternatively, you can automate the process of certificate creation and installation using services like Let’s Encrypt.

Is an SSL certificate necessary for a website?

The majority of the web is now encrypted, making sites without SSL the exception. SSL protects private data in transit, such as credit card details. Even when it isn’t protecting sensitive data, it stops attacks that might send you to fake websites, and prevents criminals injecting adds or malware into your traffic.

If that isn’t enough for you, there are other reasons to use SSL too.

Aside from securing your traffic, having an SSL certificate also helps your website’s search engine rankings. The current Google algorithm rewards sites with SSL by giving them higher rankings (or, better put, it punishes sites that do not use SSL).

SSL also makes a site look more professional and secure. Depending on the visitor’s browser, sites without an SSL certificate may trigger a warning that the site is not secure.

An increasing number of browser features require SSL to work. Features like getting a user’s location, accessing their microphone, or storing data locally on their device, all require that your website supports HTTPS, which relies on SSL. Which makes sense, because you are providing sensitive information to such sites. It poses a security risk if those features could be tampered with by a person-in-the-middle, or other network interference or impersonation.

The post What are SSL certificates? appeared first on Malwarebytes Labs.

Google announced on Monday that it will be issuing patches for 11 high severity vulnerabilities found in Chrome, including two that are currently being exploited in the wild. The patch, which is part of the Stable Channel Update for Chrome 93 (93.0.4577.82), will be released for Windows, Mac, and Linux (if it hasn’t already). Chrome users are expected to see the roll out in the coming days and weeks.

Readers should note that other popular browsers such as Brave and Edge are also Chromium-based and therefore likely to be vulnerable to these flaws too. Keep an eye out for updates.

You can check what version of Chrome you are running by opening About Google Chrome from the main menu.

The vulnerabilities

The fixes address high severity vulnerabilities reported to Google by independent researchers from as early as August of this year. That said, the company has included names of the researchers who found the flaws in their announcement.

The two vulnerabilities that are being actively exploited—namely, CVE-2021-30632 and CVE-2021-30633—were  submitted anonymously. The former is an “Out of bounds write” flaw in the V8 JavaScript engine and the latter is a “Use after free” bug in the Indexed DB API.

Because threat actors are currently exploiting the two aforementioned vulnerabilities, Google provides little to no information on how the attacks against these weaknesses are being carried out, or other precautionary measures users should be looking out for. Per Google:

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

V8, the thorn in Chrome’s side?

Nobody will be surprised to see that one of the in-the-wild exploits affects Chrome’s V8 engine.

At the heart of every modern web browser sits a JavaScript interpreter, a component that does much of the heavy lifting for interactive web apps. In Chrome, that interpreter is V8. These components need to accommodate frequent updates and adhere to a bewildering array of web standards, while also being both fast and secure.

Chrome’s V8 JavaScript engine has been a significant source of security problems. So significant in fact, that in August Microsoft—whose Edge browser is based on Chrome—announced an experimental project called Super Duper Secure Mode that aims to tackle the rash of V8 problems by simply turning an important part of it off.

A little under half of the CVEs issued for V8 relate to its Just-in-Time (JIT) compiler, and more than half of all ‘in-the-wild’ Chrome exploits abuse JIT bugs. Just-in-time compilation is an important performance feature and turning it off is a direct trade of speed for security. How much? According our quick-and-dirty testing, turning off the JIT compiler makes JavaScript execution twice as slow in Edge.

11 zero-days and counting

To date, the Google Chrome team has patched 11 zero-day vulnerabilities in 2021. Previous patches are from the following vulnerabilities, some of which we have covered here in the Malwarebytes Labs blog:

• CVE-2021-21148
• CVE-2021-21166
• CVE-2021-21193
• CVE-2021-21206
• CVE-2021-21220
• CVE-2021-21224
• CVE-2021-30551
• CVE-2021-30554
• CVE-2021-30563

With so much bad PR, you might expect Chrome’s market share to suffer; yet, it remains by far the most popular browser. Users—and the Google Chrome brand—seem unaffected.

Make sure you update your Chrome or Chromium-based browser once you see the patch available, or better still, make sure your browser is set to update itself.

Stay safe!

The post Update now! Google Chrome fixes two in-the-wild zero-days appeared first on Malwarebytes Labs.

NBC News has collected and analyzed a trove of children’s personal information it discovered on the Dark Web. Even though this information may not be as useful to cybercriminals as credit card details or login credentials, the information is still out there, where we don’t want it.

So what is it, and how did it get there?

Ransomware

Modern ransomware gangs don’t just encrypt data, they frequently steal it too. If their ransom demands aren’t met, they leak the stolen data via their Dark Web sites. These data leaks have lead to information about (amongst others) businesses, police officers, hospital patients, and school children ending up on the Dark Web.

And schools and school districts have been very popular targets for ransomware attacks. In 2021, ransomware gangs published data from more than 1,200 American K-12 schools, according to a tally provided to NBC News by a ransomware analyst.

Ransomware threat actors are always looking for low-hanging fruit. And schools have always been easy targets for ransomware, because of their limited budgets, especially for security. All of which was made worse by the demand for distance learning created by the Coronavirus pandemic.

What information is out there?

Some schools may not be able to tell you how much, and what, information they have about your child if you ask them. But the evidence says it’s even worse than you might expect; it isn’t just the information you may have handed over to the school when you filled out the application. Over time, information like medical conditions or your family’s financial status may get added. Some information, like social security numbers or birthdays, will be a constant in the child’s life, and that information in the wrong hands can set up a child for identity theft throughout their life, and at any time in their life.

The NBC article provides a few examples that may raise your eyebrows.

A few months after a ransomware attack on Toledo Public Schools in Ohio, which lead to students’ names and social security numbers being published online, a parent discovered that someone had started trying to take out a credit card and a car loan in his elementary school-aged son’s name.

Following an attack on Weslaco Independent School District, data relating to approximately 16,000 students was leaked, including: Their names, dates of birth, race, social security numbers, gender, immigration status, whether they were homeless or economically disadvantaged, and if they’d been flagged as potentially dyslexic.

Can the information be removed?

The chances of permanently removing information from a ransomware leak site are slim to none. By the time the victim of a ransomware attack pays the ransom, their data has already been stolen, so they have nothing more than the word of criminals that it will be destroyed or kept safe. There is little incentive for ransomware gangs not to trade the data of payers and non-payers alike on some Dark Web forum. And when data has been shown on a leak site, anyone could have grabbed a copy.

What is the Dark Web?

Maybe it’s a good idea to clear up some of the misconceptions about the Dark Web. There are two “dark” regions on the World Wide Web: The Deep Web, and the Dark Web.

The Deep Web is an unindexed part of the web, which includes anything behind a login screen, for example. The indexed part of the web—the part that can be found by search engines—is likely to be a small fraction of the entire web, which makes the Deep Web enormous.

The Dark Web is a part of the web that can only be accessed via Tor. The Dark Web is designed to hide the location (strictly, the IP address) of everyone and everything on it. And if you can’t trace the real IP address of a user or a website, you can’t find them, arrest them, or shut them down. Which is why the Dark Web is where you’ll find ransomware leak sites.

Unlike the Deep Web, the Dark Web is extremely small, but it is very popular with criminals, for obvious reasons. Alongside ransomware leak sites, the Dark Web also hosts forums where cybercriminals can buy and exchange information, and marketplaces that sell anything and everything that’s illegal.

What can you do?

School cybersecurity is increasingly important, and parent-pressure makes a difference. Ask your school about its approach to cybersecurity, and what information about your child it keeps. Should you or your children’s information become part of a data breach you may want to read some more about identity theft, and credit monitoring.

The post Parts of the Dark Web “awash” with school children’s personal data appeared first on Malwarebytes Labs.

Spyware developed by the company NSO Group is back in the news today after Apple released an emergency fix for iPhones, iPads, Macs, and Apple Watches. The update fixes a vulnerability silently exploited by software called Pegasus, which is often used in high-level surveillance campaigns by governments.

Zero-day

Pegasus spyware is typically installed on victims’ phones using a software exploit that requires little or no user interaction—perhaps no more than a click. The exploits change over time, as they are discovered and patched by Apple.

This most recent exploit is a “zero-day, zero-click” flaw in Apple’s iMessage app that requires no user interaction at all. Known as “FORCEDENTRY”, it was discovered by CitizenLab after a forensic examination of a phone belonging to a Saudi activist.

The exploit has apparently been in use since at least February 2021, and reportedly works on Apple iOS, MacOS, and WatchOS devices.

What should you do next?

Put simply, if you run any of these devices, you must update immediately to iOS 14.8.

As per the description:

Impact: Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: An integer overflow was addressed with improved input validation.

CVE-2021-30860: The Citizen Lab

If you want specifics on what exactly is affected, Apple has said the following:

“All iPhones with iOS versions prior to 14.8, All Mac computers with operating system versions prior to OSX Big Sur 11.6, Security Update 2021-005 Catalina, and all Apple Watches prior to watchOS 7.6.2.”

Pegasus spyware

The NSO Group says that its spyware is used against criminals and terrorists, but journalists and human rights activists are known to have been targeted by Pegasus attacks, along with political dissidents and business executives at the highest levels. The software can be used to collect all manner of personal data from devices, intercept calls and messages, and much more. If your work is particularly sensitive, it isn’t something you want anywhere near your phone.

Is the sky falling?

Absolutely not. It’s very good practice to keep all of your devices updated. It’s something we should be doing by default. Sometimes you may have to do some updating manually to ensure crucial systems don’t break inside whatever daisy-chain of a network you have in operation. Businesses can typically work around this if needed.

For the most part, you can typically set updates to automatic and deal with them as they come through.

As far as Pegasus goes though, the vast majority of people will never, ever run into a piece of spyware like it. Pegasus campaigns are expensive, and so are the exploits they use. Campaign owners simply do not care about most people enough to waste valuable resources on them. They do care about defined, specific, known targets in advance, however. This isn’t something which tends to get spammed out to hundreds of thousands of Gmail accounts, or dropped into Discord chat. If you are a high value target—perhaps if you work at a center for human rights—you might need to ponder the implications of something like Pegasus.

As Apple itself explains, these attacks cost “millions” to develop, have short lifespans, and “are not a threat to the overwhelming majority of our users”.

All the same, you should apply the fix as soon as possible. While you’re almost certainly not at risk from Pegasus, there’s a lot of other bad things out there which do target regular folks and businesses. The danger for most people is that somebody else manages to reverse-engineer this exploit into something that’s used more widely.

Grab the update, and go about your business safe in the knowledge that being hit by Pegasus is now even more unlikely than it was previously.

The post Apple releases emergency update: Patch, but don’t panic appeared first on Malwarebytes Labs.

Last week on Malwarebytes Labs

• Apple delays plans to search devices for child abuse imagery.
• ProtonMail hands user’s IP address and device info to police, showing the limits of private email.
• Patch now! Netgear fixes serious smart switch vulnerabilities.
• Tor vs VPN—What is the difference?
• Windows MSHTML zero-day actively exploited, mitigations required.
• Sextortion on the rise, warns FBI.
• 500,000 Fortinet VPN credentials exposed: Turn off, patch, reset passwords.
• Gamers beware: The risks of Real Money Trading (RMT) explained.
• Facebook puts on Ray-Bans, struts into the privacy minefield of smart glasses.
• That’s the way the cookie banner crumbles?

Other cybersecurity news

• The capricious relationship between technology and democracy, an analysys of public policy discussions in the UK and US. (Source: Wiley Online Library)
• How can we use technology to weed out online disinformation? (Source: TheStar)
• Germany wants smartphones to get seven years of updates. (Source: Fossbytes)
• Ragnar Locker gang warns victims not to call the FBI. (Source: ThreatPost)
• Apple pays hackers six figures to find bugs in its software and then it sits on their findings. (Source: Washington Post)
• The OpenSSL Software Foundation released a completely refreshed version of its software. (Source: DarkReading)
• Google published the Android Security Bulletin for September 2021 with patches for a total of 40 vulnerabilities, including seven that are rated critical. (Source: SecurityWeek)
• CISA Warns of actively exploited Zoho ManageEngine ADSelfService vulnerability. (Source: The Hacker News)
• Microsoft has fixed a vulnerability in Azure Container Instances called Azurescape. (Source: Bleeping Computer)
• LAPD documents reveal use of social media monitoring tools. (Source: Brennan Center)

Stay safe, everyone!

The post A week in security (Sept 6 – Sept 12) appeared first on Malwarebytes Labs.

A recent spate of ransomware attacks in the US and abroad have derailed major corporations, spurring a fuel shortage on the US East Coast, shuttering grocery stores in Sweden, and sending students home from grade schools. The solution, so many cybersecurity experts say, is to implement backups, which are additional copies of vital data, databases, and networks so that, even if a ransomware attack takes root, an organization can recover quickly with a second set of safe, unencrypted data.

But if backups are so useful, why aren’t they visibly working?

In June, the meat supplier JBS was hit by ransomware and despite the company having backups in place, it still paid the attackers $11 million for a decryption key. And Northshore School District in Washington State, which suffered a ransomware attack years ago, also had backups in place, but those backups were improperly configured, providing little value to the district during its cyber emergency.

Today, on the Malwarebytes podcast Lock and Code, host David Ruiz speaks with Matt Crape, technical account manager for VMware, about why backups are so hard to get right, and what the most basic missteps are when companies roll out a backup plan.

“At the end of the day, though, unfortunately, a lot of folks likely won’t realize how important backups are until they need them, and you’re usually not in a very good situation at that point.”

Matt Crape

Tune in to learn about backup complexity, common backup pitfalls, and why backups are not just a “set-it-and-forget-it” solution to today’s thorniest cybersecurity problem.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

The post Backups are not a simple ransomware defense, with Matt Crape: Lock and Code S02E17 appeared first on Malwarebytes Labs.

This blog post was authored by Jérôme Segura

During the past couple of years online shopping has continued to increase at a rapid pace. In a recent survey done by Qubit, 70.7% of shoppers said they increased their online shopping frequency compared to before COVID-19.

Criminals gravitate towards opportunities, and these trends have made digital skimming attacks such as Magecart all the more profitable.

To protect our customers, we need to constantly look out for novel attacks. Having said that, we sometimes need to check for past ones too. In fact, many threat actors will reuse certain patterns or resources which allows us to make connections with previous incidents.

One Magecart group that has left a substantial amount of bread crumbs from their skimming activity has been documented under various names (Group 8, CoffeMokko, Keeper, FBseo). It is believed to be one of the older threat actors in the digital skimming space.

In this blog post, we publish a number of connections within their infrastructure usage that we’ve been able to uncover by cross-referencing several data sources.

Reconnecting with Magecart Group 8

In a recent article, RiskIQ researchers unravelled a large part of the infrastructure used by Magecart Group 8 and how they migrated to different hosts in particular Flowspec and OVH over time.

We had been looking at Group 8 also, but starting from a different angle. Back in June we were checking skimmer code that looked somewhat different than anything we could categorize. We didn’t think much of it until in July Eric Brandel tweeted about a skimmer he called ‘checkcheck’ that was using some interesting new features and was essentially the same thing we had found.

After some additional research we noticed that some parts of the code were unique but not new. In particular the exfiltration of credit card data was using a string swapping function identical to the one used by the ‘CoffeMokko‘ family described by Group-IB. In their blog, they mention some overlap with the original Group 1 (RiskIQ) that was eventually merged into what is now Group 8.

From there, we were reacquainted with a threat group that we had not seen in a while but that had been busy. There were a number of domain names that were new to us. We rapidly got down a rabbit hole and lost track of the big picture. However, the blog from RiskIQ helped to put some perspective on one part of the infrastructure that we referred to as Flowspec – OVH.

Most of the domains and IP addresses have already been covered by RiskIQ. However we were to create some mapping that showed some interesting historical connections between well-known past campaigns. In Part 1, we will explore those links.

We had also uncovered another large part of infrastructure while reporting our findings on ‘checkcheck’ to Eric Brandel. Then in August, Denis tweeted about some of those domains which interestingly are old but somehow managed to stay low for a long time. We will review those in Part 2.

Part 1: Flowspec and OVH

The RiskIQ article describes this part of the infrastructure in great details. We will review some connecting points that allowed us to rediscover older campaigns. Flowspec is a known bulletproof hosting service that has been used beyond just skimmers, but also for phishing, ransomware and other malware.

[1] The domain safeprocessor[.]com was hosted at 176.121.14[.]103 (Flowspec) and 178.33.231[.]184 (OVH). It was listed in the indicators of compromise (IOCs) from Gemini Advisory’s “Keeper” Magecart Group Infects 570 Sites blog post. On the same OVH IP is the domain foodandcot[.]com listed in the IOCs section for Group-IB’s Meet the JS-Sniffers 4: CoffeMokko Family.

[2] scriptopia[.]net was also on 176.121.14[.]103 (Flowspec) and 178.33.71[.]232 (OVH). The domain was spotted by Dmitry Bestuzhev on the website for a Chilean wine. Other domains on that IP were also caught by Rommel.

[3] mirasvit[.]net shares the same registrant as scriptopia[.]net. It was hosted at 194.87.144[.]10 and 176.121.14[.]143 (Flowspec). That IP address came across Denis’ radar in a tweet and was largely covered by RiskIQ.

[4] shourve[.]com shares the same registrant as the other skimmer domains hosted at 178.33.71[.]232. It was hosted at 5.135.247[.]142. On that same IP is adaptivestyles[.]com which shared the same registrant as scriptopia[.]net, and fileskeeper[.]org from which Gemini Advisory derived the name of their blog post.

[5] stairany[.]com hosted at 5.135.247[.]141 (OVH) appeared in a report by CSIS Group. Another domain on that IP address is clipboardplugin[.]com which was mentioned by Félix Aimé along with a screenshot of a carding website.

[6] csjquery[.]com shares the same registrant as stairany[.]com and is hosted at 169.239.129[.]35 (ZAPPIE-HOST). On that IP are hundreds of carding sites.

[7] zoplm[.]com hosted at 37.59.47[.]208 (OVH) and 51.83.209[.]11 (OVH) shares the same registrant as cigarpaqe[.]com and fleldsupply[.]com mentioned in our blog using Homoglyph domains.

[8] 176.121.14[.]189 (Flowspec) was covered by RiskIQ for its number of skimmer domains that later moved to Velia.net hosting.

Part 2: ICME and Crex Fex Pex

This bit of infrastructure was interesting because it tied back to activity we saw from domains like jquery[.]su. This was actually the starting point of our investigation, which eventually led to Part 1: Flowspec and OVH and back to Group 8.

Crex Fex Pex (Крекс-фекс-пекс) refers to a Russian play with a character that looks like Pinocchio. However in our case it is a bulletproof hoster that has seen significant skimmer activity.

[1] gstaticx[.]com was hosted at 217.8.117[.]166 (Crex Fex Pex) and 185.246.130[.]169 (ICME). We can see a recent compromise here, and the skimmer (which uses that character swapping function) in particular here.

[2] googletagnamager[.]com hosted at 217.8.117[.]141 (Crex Fex Pex) shared the same registrant as gstaticx[.]com. Interestingly, one version of this skimmer from googletagnamager[.]com/ki/x19.js loaded JavaScript from jquery[.]su.

We can find a similar path structure at jquery[.]su/ki/x2.js which also references the same min-1.12.4.js script. A version of this script can be seen here (capture).

[3] The domain jquery[.]su was registered by alexander.colmakov2017@yandex[.]ru. The same email address was used to register serversoftwarebase[.]com which is connected to brute force attacks against various CMS. In that blog post, we mention googletagmanager[.]eu hosted at 185.68.93[.]22 which is associated with a campaign against MySQL/Adminer.

[4] googletagmanages[.]com has the same registrant as googletagnamager[.]com. contrary to the other domains we’ve seen so far, this one is on Amazon. Reviewing the IP addresses which hosted it (AS14618-Amazon), we find hundreds of typosquat domains for skimming (see IOCs section for list). It seems though that most were not used, perhaps just kept for a rainy day.

Digital skimming artifacts

While checking this infrastructure we came across a number of artifacts related to web skimming activity including webshells, panels, and other tools. With such a sprawling network, it’s not hard to imagine that the criminals themselves may have a tough time keeping track of everything they have.

Tracking digital skimmers is a time consuming effort where one might easily get lost in the noise. Criminals are constantly setting up new servers and moving things around. In addition, with the help of bulletproof services, they make it difficult to disrupt their infrastructure.

However we and many researchers regularly publish information that helps to identify and block new domains and IP addresses. We also work with law enforcement and have reported many of these artifacts, in particular the stolen customer data. Finally, we also notify merchants although too many are still unaware of this threat and lack the proper contact details.

Malwarebytes customers are protected against digital skimmers thanks to the web protection module available in our consumer and enterprise products.

Indicators of Compromise (IOCs)

Skimmer domains

Related IP addresses

Typosquat

The post The many tentacles of Magecart Group 8 appeared first on Malwarebytes Labs.

Any game with an online component can be at risk from a practice known as Real Money Trading (RMT), where in-game items, artefacts, characters and the like are sold for real money. It’s a big problem for developers, especially in competitive and / or massively multiplayer online role-playing game (MMORPG) circles. Some games even explicitly allow you to report it as a prohibited in-game activity.

One major developer recently took sustained action against this practice, so we thought we’d take the time to explain what is it, and why it’s such a big deal.

Real Money Trading

RMT generally falls into two distinct camps: Power-levelling, and in-game item or currency purchases. Messages related to RMT sites are spammed across in-game chat, and also directly to other players if the game allows it. Sometimes games restrict what new accounts can do, so scammers find that hijacked accounts with more permissions are useful for this activity.

Here’s some examples we’ve seen in Final Fantasy 14. Note that one doesn’t place a link into the chat directly. Instead, they tell gamers to search for a specific phrase. This will likely be an attempt to avoid tripping spam filters.

Power levelling

This is very common in MMORPG circles. It’s in the game’s interest to keep you playing as long as possible. This is especially true if the game comes with any kind of monthly / yearly subscription. Once the content is fully exhausted, people will naturally move on to other things. A few of the biggest titles have been around for a decade or more. They contain so many activities and pieces of gated content, you could essentially play them forever. Even so, some people want to rush as fast as they can to what they consider late-game “good stuff”.

RMT gives them an alternative to grinding out hundreds of hours levelling up. After all, why do it yourself when you can pay real money to somebody else and they’ll do it for you, right? It’s a bit like passing your friend the controller when you can’t get past a level in Super Mario, except you’re handing your friend a pile of money and also breaking a bunch of terms and conditions. So, not really like that at all.

Item, account, and currency buying and selling

Real money trading of in-game currency involves third-party services that act as a broker for selling your rare items to other players, for real money, outside the game. People will also do this to buy large chunks of in-game fictitious currency with real money via RMT websites. Once the payment goes through, the player will find the money in their gaming account via whatever method the RMT site operates by.

Inflation risk

This is a hotly-debated topic, but generally folks seem to think that RMT causes some inflation in gaming currencies over the short term, if not the long term. A lot of RMT activities involve the use of bots (computer programs that play in place of humans), cheats, and hacks. This gives rise to piles of illegitimately-generated money floating around the gaming environment.

The use of bots also often denies other players the ability to harvest materials found in the game world. If four bots spawn in at a resource location, harvest everything in sight in seconds and then vanish, it’s problem time. Legitimate players can’t generate real virtual currency, they’re denied materials they need to craft and/or progress in the game, and they can’t buy or sell on the in-game marketplace as a result.

When all the resources, and all of the money is going to RMT, that’s a recipe for killing off a title.

Security implications

Some of these RMT services are very slick. You could be assigned one specific player who’ll follow the exact steps / levelling requirements you give them. You can set up calendars so they’ll log out at specific times and let you play for a while before handing control back. A few will simply take your money and run, but that’s the price you (may) pay.

Make no mistake, sites offering RMT services know they’re not supposed to be doing it. They’ll even tell you as much before you sign up for anything.

Alongside the risk of being kicked off the game you like, using an RMT service is also comes with security risks too, if you have to share your login credentials with them. The second you share a password with somebody else, you lose control of it, and you lose control over decisions about who else it’s shared with and how it’s stored.

Some provide security reassurance and tips. They may promise not to leak your details, though they don’t say where or how they’re stored. Some will advise you to change your login once the service is complete, which is at least nice of them. A lot of MMORPG titles plagued by these services offer multi-factor authentication (MFA) or similar. One presumes that RMT services make arrangements for you to send them the short-lived MFA codes in real time and then login to the game platform.

This would make the whole arrangement quite an endeavour. Final Fantasy 14 will save your username, but not your password, in its launch client. You also have to punch in your OTP code—assuming you have it enabled—every single time you load the game up.

How much money do these sites make?

It varies. One site we saw offered multiple forms of powerlevelling / item harvesting in Final Fantasy 14. A high end set of armour was estimated to take 2 days to grind out, at a cost of $399.99. We saw an offer on certain types of weapon for a cool $699.99 over 7 days. The biggest time investment / cost we saw was for a whistle. We assume it’s to summon…something. How much?

A little over $2,600, covering a solid month of playing.

That’s one impressive whistle.

What can developers stop RMT?

It’s a tough one, and bad activities will always slip through the cracks.

1. Limit the abilities of low-level characters. Developers have to balance out restrictions carefully. If a “solution” hinders a new player more than an RMT operation, it’s not worth it. You can prevent spammers from being able to shout to those around them to prevent chat spam. However, this means low-level characters in need of assistance can no longer call for help on the map. They’ll probably just get frustrated and not come back to the game.

   A more reasonable suggestion is to keep shouts, but prevent new / low-level characters from whispering (sending direct messages) to other gamers. This will reduce the risk of hidden spam / phishing attacks. On the other hand, this could interfere with other essential systems such as trading. Not an easy problem to solve!

2. Dedicated teams shutting down RMT activities are a boon for game developers. If you want to see how seriously Square Enix takes this, check out their news update page. Wall to wall takedowns of RMT accounts. The last three updates alone report a total of 10,539 accounts terminated for RMT antics, with more taken down for advertising. This is an astonishing number, and you have to consider they may have missed a few.

What are the dangers to gamers from RMT activities?

1. Account bans. Nobody wants to lose access to accounts with hundreds or even thousands of dollars sunk into them. It’s pretty easy for the RMT groups to pick up some cheap accounts in games. Not so easy for regular people to start from scratch. If the game is tied to a gaming platform such as Steam, they may have to set up a second Steam account to get back into the action. This is a lot of hassle for one game.
2. Account lost. If you purchase an account from somebody else, it doesn’t actually belong to you, and that person can reclaim it at any time. If enough people start saying “that account is mine” after some pass-it-around activity, the vendor will just shrug and close it. Sorry everyone, the only winner here would be the developers.
3. Account compromise. We’ll go back to the incredibly popular Final Fantasy 14 as an example. Spam messages will typically claim important information has been posted to the forum. It could be a fake missive about updates, as per the linked discussion. Either way, scammers direct victims to fake FF14 portals. These sites also ask for MFA codes. There’s likely some automation involved to punch these short-lived digits into the real site along with the stolen password. Nobody is sitting at the other end waiting to do it in real time 24/7. (Or perhaps they are?)
4. Loss of money. Remember, you have no real idea who you’re paying, and hundreds of dollars going AWOL isn’t unusual.
5. Enabling crime. You could be. As Lineage 2 developers NCSOFT explain, “in-game currency for sale most often comes from stolen accounts and other internet fraud”.

Conclusion

If you see a tempting message drift by in a public chat, don’t reply. Report it. At best you’ll waste time and money on dubious websites offering services they freely admit aren’t allowed. At worst, your accounts may be shut down and you could wind up being phished, hacked, or talking to law enforcement about goods supplied with stolen credit cards.

It simply isn’t worth the risk.

The post Gamers beware: The risks of Real Money Trading (RMT) explained appeared first on Malwarebytes Labs.