IT News


How to stay secure from ransomware attacks this Labor Day weekend

Labor Day weekend is just around the corner and, believe it or not, cybercriminals are likely just as excited as you are! 

Ransomware gangs have nurtured a nasty habit of starting their attacks at the least convenient times: when computers are idle, when the employees who might notice a problem are out of the office, and when the IT or security staff who would have to deal with it are shorthanded. 

They like to attack at night and at weekends, and they love a holiday weekend. 

Indeed, while many people are looking forward to catching up with friends and family this Labor Day weekend, cybercrime gangs are likely huddling too, planning to attack somebody.

On the last big holiday weekend, Independence Day, attackers using REvil ransomware celebrated with an enormous supply-chain attack on Kaseya, one of the biggest providers of IT management software to managed service providers (MSPs) in the US. The threat actors exploited vulnerabilities in Kaseya VSA servers and abused the product's own update mechanism to push ransomware to more than 1,000 businesses. 

Why out-of-office attacks work

Ransomware works by encrypting huge numbers of files on as many of an organization's computers as possible. Performing this kind of strong encryption is resource intensive and can take a long time, so even if an organization doesn't spot the malware used in an attack, its monitoring tools might notice that something is amiss: sustained high CPU load, unusual disk activity, and large numbers of files being rewritten or renamed in a short time. The catch is that somebody has to be awake to see the alert. 

“You never think you’re gonna be hit by ransomware,” says Ski Kacoroski, a system administrator with the Northshore School District in Washington state. Speaking on Malwarebytes’ Lock & Code podcast, he told us about Northshore’s nighttime attack: “It was an early Saturday morning. I got a text from my manager saying ‘something is up’ … after a short while I realized that [a] server had been hit by ransomware. It took us several more hours before we realized exactly how much had been hit.” He added “We had some high CPU utilizations alert the night before when they started their attack, but most of us were already asleep by midnight.” 

Criminals taking advantage while employees are away for holidays, weekends, or simply because their shift is over, is a classic “when the cat’s away” opportunistic crime. 
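As an added example, not code from the original post or a Malwarebytes product, here is the kind of check that turns that "something is amiss" signal into an alert. It reads file-activity telemetry, counts writes and renames per process per minute, and raises the severity when a burst happens off-hours and leaves almost every file with the same new extension. The line format, host and user names, the process name enc.exe and the .locked suffix are constructed for the example, and the threshold of 50 operations a minute is an assumption to tune against your own file servers.

```python
"""Turning the "something is amiss" signal into an alert.

Added example; not code from the original post or a Malwarebytes product.
It assumes a file-activity feed (EDR or file server audit) that logs one
line per write/rename. The line format, hosts, users, the process name
"enc.exe" and the ".locked" suffix are all constructed for this example.
"""
from collections import Counter, defaultdict
from datetime import datetime

BURST_THRESHOLD = 50      # write/rename ops by one process on one host in one minute (assumed)
BUSINESS_HOURS = (7, 19)  # local hours when someone is probably watching (assumed)


def parse_line(line):
    """Parse one constructed 'timestamp key=value ...' telemetry line into a dict."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split(" "))
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def is_off_hours(ts):
    """Weekends and anything outside BUSINESS_HOURS count as off-hours."""
    return ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])


def detect_bursts(lines, threshold=BURST_THRESHOLD):
    """Bucket write/rename events by (host, process, minute) and flag bursts.

    A burst is raised to 'high' severity when it lands off-hours and leaves
    almost every touched file with the same new extension, which is what an
    encryption run looks like from the file system's point of view.
    """
    buckets = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_line(line)
        if ev["op"] not in ("write", "rename"):
            continue
        minute = ev["ts"].replace(second=0, microsecond=0)
        buckets[(ev["host"], ev["proc"], minute)].append(ev)

    alerts = []
    for (host, proc, minute), evs in sorted(buckets.items()):
        if len(evs) < threshold:
            continue
        exts = Counter(ev["path"].rsplit(".", 1)[-1].lower() for ev in evs)
        top_ext, top_n = exts.most_common(1)[0]
        share = top_n / len(evs)
        off_hours = is_off_hours(minute)
        alerts.append({
            "host": host,
            "process": proc,
            "minute": minute.isoformat(),
            "events": len(evs),
            "dominant_extension": top_ext,
            "extension_share": round(share, 2),
            "off_hours": off_hours,
            "severity": "high" if off_hours and share > 0.9 else "medium",
        })
    return alerts


def build_sample_log():
    """Constructed telemetry: a quiet Friday, then a Saturday 02:13 rename storm."""
    lines = [
        "2021-09-03T09:15:02 host=FS01 user=jdoe proc=WINWORD.EXE op=write path=share/q3/plan.docx",
        "2021-09-03T09:15:40 host=FS01 user=jdoe proc=EXCEL.EXE op=write path=share/q3/budget.xlsx",
        "2021-09-03T16:02:11 host=FS01 user=jdoe proc=WINWORD.EXE op=write path=share/q3/plan.docx",
    ]
    for i in range(120):
        lines.append(
            f"2021-09-04T02:13:{i % 60:02d} host=FS01 user=svc_backup proc=enc.exe "
            f"op=rename path=share/q3/file{i:03d}.docx.locked"
        )
    return lines


if __name__ == "__main__":
    for alert in detect_bursts(build_sample_log()):
        print(alert)
```

Run it as a script to print the single alert the sample produces. On a real feed you would stream lines from the EDR or audit log instead of calling build_sample_log(), and a 'high' alert on a Saturday at 02:13 is exactly the page that should wake someone up.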

Be prepared for holiday disruption

We reached out to Adam Kujawa, Malwarebytes’ resident cybersecurity evangelist, and asked what organizations can do to minimize the chance their holiday weekend will be disrupted.  

Do these before the holiday 

  • Run a deep scan on all endpoints, servers, and interconnected systems to ensure there are no threats lurking on those systems, waiting to attack! 
  • Once you know those systems are clean, force a password change a week or two out from the holiday, so any guessed or stolen credentials are rendered useless. 
  • Employ stricter access requirements for sensitive data, such as multi-factor authentication (MFA), manager authorization, and requiring a local network connection. Although this will make things more difficult for employees (for a short amount of time), it will also make it significantly more difficult for attackers to traverse networks and gain access to data they are not authorized to see. Once the holiday ends, you can revert these policies, since you'll have more eyes to watch out for threats. 
  • Provide guidance to employees on not posting about vacations and/or holiday plans on social media. 
  • Provide free—or free for a limited time—security software to employees to use on personal systems. 
  • Ensure all remotely accessible connections (e.g. VPNs, RDP connections) are secured with MFA. 

Do these during the holiday 

  • Ensure all non-essential systems and endpoints are shut down at the end of the day. 
  • Reduce risk by disabling or shutting down systems and/or processes which might be exploitable, if they aren’t needed. 
  • Ensure there is always someone watching the network during the holiday, and make sure they are equipped to handle a sudden attack situation. We suggest creating a cyberattack reaction and recovery plan that includes call sheets, procedures for communicating with law enforcement and collecting evidence, and a list of which systems can be isolated or shut down without seriously affecting the operations of the organization.

“The only mistake in life is a lesson not learned”

When we asked him why he came forward to tell his ransomware story when many others are reluctant to, Kacoroski told us: “The only mistake in life is a lesson not learned.” 

A lesson we can all learn from recent history is that cybercriminals are probably planning to ruin somebody’s Labor Day weekend. So don’t wait for an attack to happen to your organization before you decide you need to be ready. 

Prepare now, so you can enjoy an uninterrupted Labor Day weekend! 

The post How to stay secure from ransomware attacks this Labor Day weekend appeared first on Malwarebytes Labs.

US government and private sector agree to invest time, money in cybersecurity

In the wake of several high-profile ransomware attacks against critical infrastructure and major organizations in the last few months, President Biden met with private sector and education leaders to discuss a whole-of-nation effort needed to address cybersecurity threats and bolster the nation’s cybersecurity.

Several participants in President Biden’s meetings have recently announced commitments and initiatives:

  • The National Institute of Standards and Technology (NIST) will collaborate with industry and other partners to develop a new framework to improve the security and integrity of the technology supply chain.
  • The Biden Administration announced the formal expansion of the Industrial Control Systems Cybersecurity Initiative to a second major sector: natural gas pipelines.
  • Apple announced it will establish a new program to drive continuous security improvements throughout the technology supply chain.
  • Google announced it will invest $10 billion over the next five years to expand zero-trust programs, help secure the software supply chain, and enhance open-source security.
  • IBM announced it will train 150,000 people in cybersecurity skills over the next three years, and will partner with more than 20 Historically Black Colleges & Universities to establish Cybersecurity Leadership Centers to grow a more diverse cyber workforce.
  • Microsoft announced it will invest $20 billion over the next 5 years to accelerate efforts to integrate cyber security by design and deliver advanced security solutions. Microsoft also announced it will immediately make available $150 million in technical services to help federal, state, and local governments with upgrading security protection, and will expand partnerships with community colleges and non-profits for cybersecurity training.
  • Amazon announced it will make available to the public at no charge the security awareness training it offers its employees.

And those are just the big players; the White House published the full list of commitments.

The importance and relevance of each of these is discussed below.

Supply Chain

Supply chain attacks are an important attack vector for ransomware and led to some of the biggest and most costly incidents. While not new, these attacks are always interesting because they usually involve highly skilled attackers and claim a lot of victims. A prime example is Kaseya, whose VSA product is used by MSPs to manage their customers' systems.


You can listen to what went wrong, exactly, at Kaseya on our podcast Lock and Code, with guest Victor Gevers of the Dutch Institute for Vulnerability Disclosure, which found seven zero-day vulnerabilities in the product.

The Industrial Control Systems Cybersecurity Initiative

In April 2021, the Biden Administration launched an Industrial Control Systems Cybersecurity Initiative to strengthen the cybersecurity of critical infrastructure across the United States. The Electricity Subsector Action Plan was the first in a series of sector-by-sector efforts to safeguard the Nation’s critical infrastructure from cyber threats. Expanding to gas pipelines may have been prompted by the attack on Colonial Pipeline.

Security training

Organizations know that training employees on cybersecurity and privacy is not only expensive but time-consuming. Putting together a cybersecurity and privacy training program that is not only effective but sticks requires an incredible amount of time, effort, and thought: finding out employees' learning needs, planning, setting goals, and identifying where they want to go.

For organizations to offer that kind of training for free to people outside of their own organization is a big commitment, but it is also hard to make that training effective. The more you know about the environment a student will be working in, the more targeted and effective the training can be.

This type of training can be broken down into a few layers:

  • Awareness, which is not really training, but making people aware of what dangers are out there. A regular reader of our blog will have a high awareness level, or so we hope.
  • Actual training strives to produce relevant and needed security skills and competencies. But as we pointed out, that is hard to do without specific knowledge of the working environment. Knowing which programs the trainees will be using is essential for targeted and effective training.
  • Education integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge and strives to produce IT security specialists and professionals capable of vision and proactive response. That is a good thing, given the shortage of cybersecurity professionals, but it is not what I'm reading in the announcements.

We are glad about the initiatives and the amount of money and effort that is being put into them. Some will certainly be more effective than others, and we will certainly do our best to keep awareness levels high.

The post US government and private sector agree to invest time, money in cybersecurity appeared first on Malwarebytes Labs.

Latest iPhone exploit, FORCEDENTRY, used to launch Pegasus attack against Bahraini activists

Researchers from Citizen Lab, an academic research and development lab based at the University of Toronto in Canada, have recently discovered that an exploit affecting iMessage is being used to target Bahraini activists with the Pegasus spyware. Citizen Lab attributed the surveillance to the Bahraini government, via LULU, a Pegasus operator it links to Bahrain, and, in some cases, to a second Pegasus operator associated with a different government.

Dubbed FORCEDENTRY by Citizen Lab, this iMessage exploit is said to have been in use since February 2021. To get inside someone's iPhone using FORCEDENTRY, an attacker does not need any social engineering to make the target do something, which is usually to click a link or open an attachment. The attackers just deploy the exploit, and the target never has to click anything. This is what we mean when we refer to some attacks as "zero-click".

FORCEDENTRY is Megalodon

FORCEDENTRY and Megalodon—the name given to iMessage exploit activity witnessed by Amnesty International’s research arm Amnesty Tech in July 2021—are one and the same.

When FORCEDENTRY is fired at a device, it crashes IMTranscoderAgent, a service the device uses to transcode and preview images in iMessage. According to The Hacker News, this is FORCEDENTRY's way of getting around Apple's BlastDoor security feature, which was introduced in iOS 14 to sandbox the parsing of incoming messages after attacks such as the KISMET exploit. Once this agent crashes, the exploit can then download and render items, likely images, from the Pegasus server.

“We saw the FORCEDENTRY exploit successfully deployed against iOS versions 14.4 and 14.6 as a zero-day,” the researchers claim in the Citizen Lab report.

FORCEDENTRY has been observed targeting and deploying Pegasus against Bahraini activists, members, and writers belonging to Waad (a political society), Bahrain Center for Human Rights (a Bahraini NGO), and Al Wefaq (cited as “Bahrain’s largest opposition political society”).

KISMET: the other exploit

FORCEDENTRY is actually the second known exploit of an iMessage vulnerability to be used against journalists and activists. In December 2020, Citizen Lab reported KISMET, a then zero-day exploit used against iPhones running iOS 13.5.1, including the iPhone 11, the latest model at the time. The exploit did not appear to work against iOS 14, which means devices that had not been updated to iOS 14 remained vulnerable.

No real protection in sight?

As of this writing, researchers at Citizen Lab believe that the KISMET and FORCEDENTRY exploits might have been prevented by users disabling iMessage and FaceTime. However, disabling these two cannot fully protect users from every kind of spyware or zero-click attack, the researchers said. Disabling iMessage also has a cost: messages to other iPhone users then fall back to ordinary SMS, which is not end-to-end encrypted and can be intercepted far more easily. Whatever you decide, install iOS updates promptly, since that is how a fix for an exploit like this reaches the device.

There are also other text and video messaging apps iPhone users can use in place of iMessage and FaceTime should they choose to disable them. Some of these are open-source, such as Signal.

The post Latest iPhone exploit, FORCEDENTRY, used to launch Pegasus attack against Bahraini activists appeared first on Malwarebytes Labs.

Cold wallet, hot wallet, or empty wallet? What is the safest way to store cryptocurrency?

In August 2021, a thief stole about $600 million in cryptocurrencies from the Poly Network. They ended up giving it back, but not because they were forced to. Slightly more than one week later, the Japanese cryptocurrency exchange Liquid was hacked and lost $97 million worth of digital coins.

These examples of recent news about hacked cryptocurrency exchanges left many investors wondering whether it was still smart to invest in cryptocurrencies and how to keep them safe.

We can’t answer the first question for you. I wish I knew. But we can explain the terminology, the methods, and the risks. So you can decide which would be best for you.

Wallets

A wallet is basically the name for a method of storing virtual money. Strictly speaking, the coins themselves live on the blockchain; what a wallet stores is the private keys that let you spend them, so whoever holds the keys holds the money. Just as you can keep non-virtual money in a bank account or under your mattress, you can keep virtual currencies in hot and cold wallets. An empty wallet has the same meaning in both worlds, and the same value. So let's try to avoid getting our wallets robbed empty.

Bank robbers

A big difference between bank robbers and the hackers that go after cryptocurrency exchanges, besides the possible size of the loot, is what happens to the customers afterwards. When money is stolen from a bank, the bank is not going to tell its customers that a certain share of the stolen amount belonged to them (unless the robbers emptied some private lockers, but that is not the point). If your cryptocurrency is stored with an exchange and the hosted wallets get emptied, the exchange can tell exactly whose money was stolen, because every transaction is traceable; that traceability is part of the very nature of cryptocurrencies. So the feeling many people describe as having their money safely in the bank does not fully apply to crypto exchanges.

A hardware wallet

A hardware wallet is a place to safely store your private keys. The goal of a hardware wallet is to keep the private keys secret, since they are needed to authorize transactions, while still letting you sign transactions without the keys ever leaving the device. Fundamentally, if you write the private key down on a piece of paper and put it in your safe at home, you have the most basic offline wallet (usually called a paper wallet), and sometimes you will be advised to do just that.

Wallets often make use of a seed phrase. A seed phrase is a list of words that encodes the random seed from which all of the wallet's private keys are derived, so it holds all the information needed to recover the funds on-chain. Wallet software will typically generate a seed phrase and instruct the user to write it down on paper and keep it in a safe place. If you were to give out your seed phrase, for example as a result of a phishing attempt, the threat actor could rebuild your wallet on their own device and would have full access to your funds; no hardware wallet can protect you from that.
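To make concrete why a leaked phrase is a total loss, here is an added example (not code from the original post or from any wallet vendor) that follows BIP-39, the seed phrase standard most hardware and software wallets implement; the article itself names no standard, so that is an assumption. It shows the three things a seed phrase is: random entropy plus a short checksum, an index into a 2048-word list, and the input to a key-derivation function whose output is the whole wallet. The word list is not embedded, so the code works on word indices; the first four words of the real English list are abandon, ability, able and about.

```python
"""What a seed phrase encodes, and why handing it over hands over the wallet.

Added example; not code from the original post or from any wallet vendor.
It assumes the wallet follows BIP-39, the standard most hardware and software
wallets use (the article names no standard). The 2048-word English list is
not embedded, so phrases are handled as word indices; for reference, the
first four entries of the real list are abandon, ability, able, about.
"""
import hashlib
import unicodedata

WORD_BITS = 11                 # 2048 words -> 11 bits per word
WORDLIST_SIZE = 1 << WORD_BITS


def entropy_to_indices(entropy):
    """Append the SHA-256 checksum bits to the entropy and cut it into 11-bit word indices.

    16 bytes of entropy (128 bits) get 128/32 = 4 checksum bits, giving
    132 bits = 12 words; 32 bytes give 24 words.
    """
    if len(entropy) not in (16, 20, 24, 28, 32):
        raise ValueError("entropy must be 128..256 bits in 32-bit steps")
    checksum_bits = len(entropy) * 8 // 32
    first_hash_byte = hashlib.sha256(entropy).digest()[0]
    bits = (int.from_bytes(entropy, "big") << checksum_bits) | (first_hash_byte >> (8 - checksum_bits))
    total_bits = len(entropy) * 8 + checksum_bits
    return [(bits >> (total_bits - WORD_BITS * (i + 1))) & (WORDLIST_SIZE - 1)
            for i in range(total_bits // WORD_BITS)]


def indices_are_consistent(indices):
    """Recompute the checksum from the word indices; a mistyped word usually fails here."""
    n_words = len(indices)
    if n_words not in (12, 15, 18, 21, 24) or any(not 0 <= i < WORDLIST_SIZE for i in indices):
        return False
    total_bits = n_words * WORD_BITS
    checksum_bits = total_bits // 33
    bits = 0
    for i in indices:
        bits = (bits << WORD_BITS) | i
    entropy = (bits >> checksum_bits).to_bytes((total_bits - checksum_bits) // 8, "big")
    return entropy_to_indices(entropy) == indices


def mnemonic_to_seed(mnemonic, passphrase=""):
    """BIP-39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" + passphrase.

    Every private key in the wallet is derived from these 64 bytes, so anyone
    holding the phrase (and the optional passphrase) can rebuild the wallet.
    """
    words = unicodedata.normalize("NFKD", mnemonic)
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"), salt.encode("utf-8"), 2048, dklen=64)


if __name__ == "__main__":
    # All-zero entropy is the first published BIP-39 test vector: eleven times
    # word 0 ("abandon") followed by word 3 ("about"), the checksum word.
    print(entropy_to_indices(bytes(16)))                    # [0, 0, ..., 0, 3]
    phrase = " ".join(["abandon"] * 11 + ["about"])
    print(mnemonic_to_seed(phrase, "TREZOR").hex()[:16])    # c55257c360c07c72
```

The all-zero entropy used in the demo is the first published BIP-39 test vector, which is why its checksum word is "about" (index 3). Note what is missing from the derivation: nothing about the device. Whoever types those twelve words, plus the optional passphrase, into any wallet gets the same 64-byte seed and therefore the same keys, and that is the whole threat model behind seed-phrase phishing.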

What is a cold wallet?

A much more sophisticated method of keeping your money under the mattress is a cold wallet. A cold wallet is a wallet whose private keys are kept on something that is not connected to the internet, typically a dedicated hardware wallet. This can be compared to having your money in a vault at home which you only open when you need to spend some of the funds. When it comes to the danger of having your cryptocurrency stolen by hackers, a cold wallet ranks as one of the safest storage methods. But a cold wallet has a few drawbacks:

  • They cost money. Prices for common hardware wallets range from $50 to $200. Not a big price to pay if you own a large amount of cryptocurrency, but ridiculous to safeguard a few satoshi.
  • They are not available for every cryptocurrency. You can easily find hardware wallets for well-known cryptocurrencies like Bitcoin and Ethereum, but you will have more trouble finding a suitable one if you are investing in new or rare cryptocurrencies.
  • Lose your cold wallet or break it beyond repair and, unless you kept the seed phrase somewhere safe, it is all gone. Lose both and there is no one to call.

Or as the IT engineer who accidentally threw away the hard drive of an old computer containing 7,500 bitcoins back in 2013 said: “I’ll keep looking.”

Hot wallet

A hot wallet is any wallet whose keys sit on a device that is connected to the internet, such as a wallet app on your phone or, the extreme case, an account at an exchange. It might as well be called hot because it compares to walking around with a lot of cash in your pockets in the worst of neighborhoods. To hackers, a cryptocurrency exchange is like a huge pot of gold at the end of the rainbow, and looking at the events of the past years, the code behind these exchanges has been seriously lacking in the security department. Even if you can trust an exchange not to pull an inside job on you, can you trust the security measures they have taken to safeguard your savings?

The main job of an exchange is not to safely store your wallet, although many of them will certainly offer you that option. Their main job is to allow you to buy and sell cryptocurrencies. Most of the crypto brokers that work with these exchanges to ensure a continuous flow of supply and demand keep their own holdings in cold wallets, and will probably advise you to do the same. But again, we are talking about amounts that are worth an investment in security.

Feel free to add your advice in the comments, but keep them civilized.

Remember, if you want to hold onto your cryptocurrencies, keep them safe!

The post Cold wallet, hot wallet, or empty wallet? What is the safest way to store cryptocurrency? appeared first on Malwarebytes Labs.

Mice “taking over the world!”, one Windows machine at a time

Famously, Pinky and the Brain were a pair of animated mice that wanted to take over the world. Of course they never succeeded, but maybe they just set their sights too high. Because while mice may not be taking over the world yet, they are taking over computers.

In the last week, security researchers have reported not one, but two different mice (of the non-furry, non-animated variety) being used to seize control of Windows machines.

Which had us asking ourselves: How is it that something as simple as a mouse can cause security issues? Well, it’s all about ease of use. Things that are intended to make your life easier have a way of making life easier for those with mal-intent too. We’ll explain.

“Let’s take over the world!” Brain said to Pinky, and off they went…

Yesterday it was Razer

A few days ago, a security researcher discovered and disclosed a local privilege escalation (LPE) vulnerability that allows any user to walk up to an unlocked Windows machine and gain SYSTEM privileges, simply by plugging in a Razer mouse or keyboard and abusing the Razer Synapse installer that Windows then launches. SYSTEM privileges allow them to install and run anything on the device, putting them in total control.

It needs to be said that this scenario is only something you need to start worrying about after an attacker has already gained physical access to your computer, be it stolen or otherwise. (But it’s also worth saying that getting physical access to computers is the sort of thing that attackers like to do.)

The problem stems from the fact that when you plug a Razer device into a Windows 10 or Windows 11 computer, the operating system tries to be helpful by automatically downloading (through Windows Update) and installing the Razer Synapse software that allows you to alter the settings for that mouse. That installer runs with the privileges of the Windows process that started it, which is SYSTEM, and it shows an interactive setup wizard on the desktop.

It's called "Plug and Play", but you could call this a case of "Plug and Privilege Escalation".

Not just Razer as it turns out

Inspired by the story about Razer, another researcher conducted a test against a gaming keyboard from SteelSeries. It took him some trial and error, but the end result was the same: SYSTEM privileges for a process of your choice, allowing for a complete takeover.

The researcher also warned there are probably more out there. He concluded that vendors aren't enforcing proper access control in the installers that Windows fetches and runs for their devices, so we should expect to hear similar stories about multiple hardware products.

And he was soon proven right by yet another researcher, who used an Android phone (configured to present itself as a SteelSeries USB keyboard) to pull off the same attack. That detail matters: an attacker does not need the real peripheral, only something that reports the right USB vendor and product IDs.

The mice are not the problem

As you might have guessed, it's not the mice that are the problem, it's the Windows desktop application that ships with them. Windows launches the vendor's installer as SYSTEM as part of device setup, and the installer presents an interactive user interface without ever asking a system administrator for permission. Any dialog in that UI is a door into a SYSTEM process.

When the Razer software is installed, the setup wizard allows you to choose the folder where you want to install it. This ability to select an installation folder is where an attacker can cut in.

When you change the location of the folder, a 'Choose a Folder' dialog will appear. If you press Shift and right-click inside the dialog, the context menu offers 'Open PowerShell window here', which opens a PowerShell terminal in the folder shown in the dialog. Since the dialog belongs to a process running with SYSTEM privileges, the PowerShell process it spawns inherits those same privileges. In that elevated PowerShell prompt you can run any command, and you have effectively taken over the machine.

The SteelSeries installer proved a bit harder to abuse, but the researcher discovered that opening the 'Learn More' link in the license agreement launched the default browser with SYSTEM privileges, which let the user save the agreement to disk. The browser's save dialog is a standard file dialog, and from it the same trick produces a terminal with god-like powers.
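From the defender's side, the tell in both cases is the same: an interactive shell running as SYSTEM whose parent is a setup program rather than a service host. The following is an added example, not code from the original post or from Razer or SteelSeries, that runs that logic over constructed process-creation events using Sysmon Event ID 1 field names. The installer's name and path (RazerInstaller.exe under C:\Windows\Installer) are assumptions standing in for whatever the vendor package actually launches.

```python
"""Catching an interactive shell that inherited SYSTEM from a device installer.

Added example; not code from the original post, Razer or SteelSeries. The
events are constructed and use Sysmon Event ID 1 (ProcessCreate) field names;
"RazerInstaller.exe" is an assumed name standing in for whatever the
vendor package launches.
"""
import ntpath

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
# Parents that legitimately spawn SYSTEM shells: services, scheduled tasks, WMI.
EXPECTED_SYSTEM_PARENTS = {"services.exe", "svchost.exe", "wininit.exe", "wmiprvse.exe", "taskeng.exe"}


def base(image):
    """Lower-cased file name of an image path (works for 'C:\\x\\y.exe' and for 'System')."""
    return ntpath.basename(image).lower()


def ancestry(event, by_pid, limit=8):
    """Follow ParentProcessId links and return the image names, child first."""
    chain = [base(event["Image"])]
    current = event
    for _ in range(limit):
        current = by_pid.get(current["ParentProcessId"])
        if current is None:
            break
        chain.append(base(current["Image"]))
    return chain


def find_system_shells(events):
    """Flag shells running as SYSTEM that were not started the way SYSTEM shells normally are.

    Two signals: the shell lives in an interactive desktop session (session 0 is
    where services run; 1 and up are logged-on desktops), and its parent is not
    one of the service hosts that normally launch SYSTEM work.
    """
    by_pid = {e["ProcessId"]: e for e in events}
    alerts = []
    for ev in events:
        if base(ev["Image"]) not in SHELLS or ev["User"] != SYSTEM_USER:
            continue
        reasons = []
        if ev["TerminalSessionId"] != 0:
            reasons.append("interactive session")
        if base(ev["ParentImage"]) not in EXPECTED_SYSTEM_PARENTS:
            reasons.append("unexpected parent")
        if reasons:
            alerts.append({
                "ProcessId": ev["ProcessId"],
                "chain": " <- ".join(ancestry(ev, by_pid)),
                "reasons": reasons,
            })
    return alerts


def _ev(pid, ppid, image, parent, user, session):
    return {"ProcessId": pid, "ParentProcessId": ppid, "Image": image,
            "ParentImage": parent, "User": user, "TerminalSessionId": session}


SVCHOST = r"C:\Windows\System32\svchost.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
INSTALLER = r"C:\Windows\Installer\RazerInstaller.exe"   # assumed path and name
# Constructed sample: one real escalation, one scheduled task, one ordinary user shell.
SAMPLE_EVENTS = [
    _ev(700, 4, r"C:\Windows\System32\services.exe", "System", SYSTEM_USER, 0),
    _ev(900, 700, SVCHOST, r"C:\Windows\System32\services.exe", SYSTEM_USER, 0),
    _ev(5120, 900, INSTALLER, SVCHOST, SYSTEM_USER, 1),          # device setup launches the installer
    _ev(6200, 5120, PS, INSTALLER, SYSTEM_USER, 1),              # Shift+right-click -> PowerShell
    _ev(7000, 900, PS, SVCHOST, SYSTEM_USER, 0),                 # scheduled task, benign
    _ev(3300, 2900, r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe", "CORP\\jdoe", 1),
    _ev(7100, 3300, PS, r"C:\Windows\explorer.exe", "CORP\\jdoe", 1),  # user's own shell, benign
]

if __name__ == "__main__":
    for alert in find_system_shells(SAMPLE_EVENTS):
        print(alert)
```

The two signals are deliberately independent. A scheduled task that runs PowerShell as SYSTEM sits in session 0 under svchost.exe and is left alone; a SYSTEM shell in session 1 is unusual enough on a workstation to be worth a look even when its parent is something this list does not know about.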

Patches are in the works

Razer has awarded the researcher a bug bounty and is working on a patch. SteelSeries has announced it will disable the automatic start of the installation software when a new device is connected.

Which leaves two questions: What other mice are lurking, undiscovered, with ambitions unknown, and since this seems to be an issue with how installation works, shouldn’t Microsoft also be working on these problems?

To be continued.

The post Mice “taking over the world!”, one Windows machine at a time appeared first on Malwarebytes Labs.

The best browsers for privacy and security

Unfortunately there is only a weak correlation between the browsers most people consider the best and the browsers that are best for privacy and security. If you look at the market share of the most popular browsers, one browser steals the crown without a lot of competition: Google's Chrome. Safari is the only other one that passes the 10% line; the rest look like marginal players. Of course, there are billions of browser users in the world, so even the marginal players are used by significant numbers of people, but they fade when compared to Chrome.

I'm assuming here that people use the browser that they like best. In case you are not, you know you do have a choice, right? It's not even unheard of to use more than one browser on the same system. That even has some merits:

  • Troubleshooting: Is that site really unavailable or is it my browser?
  • Segregation: Use one for work and another for home use.
  • Privacy: Using multiple browsers can disrupt tracking (although there are better ways).
  • Security: Switch to a different browser if your favorite is waiting for a security patch.

In this post we will look at how your choice of browser can contribute to your online safety and privacy. And tell you about some browsers that actually do care about those elements. We will also touch upon some methods to make the browser you like safer and more private.

Why you should care

As I have said in the past, a browser is not just a looking glass. When you are browsing websites, the information stream goes two ways. Some of the information your browser gives to the websites you visit is necessary for the website to function properly. But sometimes the website owner just wants as much information as possible about their visitors: Where are my visitors located? What other websites have they visited recently? Which link did they click to get here? How long did they stay? Where did they go next? How many free articles have they read? And in many cases the information can and will be used for targeted advertising.

Better security and privacy in your favorite browser

In the past I have written about how to tighten security and increase privacy on your browser. Feel free to read the whole post but here is a summary.

The upside of being able to use browser extensions is that there are many good ones out there that can help you establish a more private browsing experience. Ad-blockers, anti-tracking tools, and security extensions add further protection.

You can also improve your privacy by using a Virtual Private Network (VPN). A VPN does not make you anonymous: it hides your real IP address from the websites you visit and hides your traffic from the local network, but it does so by routing everything through the VPN provider, who can see it instead, so choose one you trust. You have options here, since you can install a VPN client that routes all your Internet traffic, or a VPN browser extension that covers only your browser. Since a VPN can slow down the Internet connection, the choice will depend on which other programs that need the Internet connection you use, and on your personal preference.

Better browser choices

Besides using a VPN, you can also look at some alternative browsers that are already optimized for privacy and security. Here is our choice of best privacy browsers:

  • The Tor Browser protects your privacy by connecting you to the Internet through the Tor network, whose onion routing was originally developed at the US Naval Research Laboratory with DARPA funding. It hides your IP address like a VPN does, but it doesn't require you to trust a VPN provider, or share your real IP address with one. The Tor Browser (which is based on Firefox) also includes a number of privacy features, plug-ins and defaults designed to protect your privacy. It is available for Windows, macOS, Linux, and Android.
  • Freenet is a peer-to-peer platform for censorship-resistant communication and publishing that is available for Windows, macOS, and Linux.
  • Waterfox is a secure and private browser based on Firefox that allows you to use Firefox extensions. It is available for Windows, macOS, Linux, and Android.
  • Pale Moon is another Mozilla fork, but it doesn't work with all Firefox extensions. It is available for Windows and Linux.
  • Brave is a Chromium-based browser that blocks unwanted content by default and does not need much tinkering to keep you safe and private. Brave is available for Windows, macOS, Linux, iOS, and Android.

There are some things to consider here, because the best browser for privacy is not necessarily always the best browser for security. But they are closely knit together. And while it is easy to enhance your security outside of your browser, it is hard for another program to stop a browser from leaking information about you. And if you do manage to do so, it is likely to interfere with how well the browser works.

Granted, it may take you a while to get used to a new browser. One thing you can do to make it easier to adapt is to choose a browser that is based on, or very similar to, the one you are already using. For example, if you are using Firefox now, have a look at the Tor Browser, Waterfox, or Pale Moon, whereas Chrome users may find Brave more intuitive.

Your choice

So, what is the best browser for privacy and security? Choosing between browsers is hard enough and making that choice for someone else is even harder. But if you try the above and see which one you like best, you will have made a choice that improves your online safety and privacy. Good for you!

Stay safe, everyone!

The post The best browsers for privacy and security appeared first on Malwarebytes Labs.

Realtek-based routers, smart devices are being gobbled up by a voracious botnet

A few weeks ago we blogged about a vulnerability in home routers that was weaponized by the Mirai botnet just two days after disclosure. Mirai hoovers up vulnerable Internet of Things (IoT) devices and adds them to its network of zombie devices, which can then be used to launch huge Distributed Denial of Service (DDoS) attacks.

Last time it was a vulnerability in the Arcadyan firmware found in devices distributed by some of today’s biggest router vendors and internet service providers, such as ASUS, Orange, Vodafone, Telstra, Verizon, Deutsche Telekom, and British Telecom.

A similar situation is going on right now with routers and Wi-Fi amplifiers that are built on the Realtek RTL819xD chipset. Realtek chipsets are found in many embedded IoT devices. At least 65 vendors are affected. The vulnerabilities enable unauthenticated attackers to fully compromise the target device and execute arbitrary code with the highest level of privilege. Exactly what Mirai wants.

Vulnerabilities

The vulnerabilities were found and disclosed by IoT Inspector, a platform for automated security analysis of IoT firmware. In total they identified more than a dozen vulnerabilities, but one of them (CVE-2021-35395) has already been found to be actively exploited in the wild.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The description of CVE-2021-35395 contains a pretty dense explanation, but it boils down as follows.

There are two management web server implementations in the SDK that vendors expose, in many cases directly to the Internet. Both of them are vulnerable to multiple stack buffer overflows due to "unsafe" copying of request parameters into fixed-size buffers, and to two separate arbitrary command injection problems, again stemming from unsafe handling of parameters that end up in a shell command. These allow an unauthenticated attacker to run arbitrary commands on the vulnerable device.

For anyone unfamiliar with web programming, this means that the code behind these Internet-exposed management interfaces fails to perform the most basic input validation: it neither checks the length of what it copies nor restricts what it passes to the shell.

The description ends:

Some vendors use [the management interface] as-is, others add their own authentication implementation, some kept all the features from the server, some remove some of them, some inserted their own set of features. However, given that Realtek SDK implementation is full of insecure calls and that developers tends to re-use those examples in their custom code, any binary based on Realtek SDK web server will probably contain its own set of issues on top of the Realtek ones…

In other words, how vulnerable your device is may depend on whether, and how well, the vendor added their own authentication methods, but vendors may well have added more problems.
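Here is what the two bug classes in the CVE description look like next to the hardened form, as an added example in Python (the Realtek SDK is C, so this illustrates the logic rather than reproducing the SDK's code). The handler, the host parameter and the 64-byte limit are assumptions: the vulnerable version copies the parameter with no length check and glues it into a shell command line, and the hardened version bounds the length, allow-lists the characters and hands the value to the program as a separate argument so no shell ever parses it.

```python
"""The two bug classes behind CVE-2021-35395, side by side with the hardened version.

Added example; not Realtek SDK code (which is C, not Python). The handler
shape, the 'host' parameter and the 64-byte limit are assumptions chosen to
illustrate the pattern: a request parameter copied without a length check,
and a request parameter dropped into a shell command line.
"""
import re
import shlex

MAX_PARAM_LEN = 64                      # stands in for the fixed stack buffer in the C code
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,63}")


class BadRequest(ValueError):
    """Raised by the hardened handler for anything it will not pass on."""


def vulnerable_command(params):
    """The bug class: no length check, and the raw parameter is glued into a shell string."""
    return "ping -c 1 " + params.get("host", "")


def hardened_command(params):
    """Bound the length, allow-list the characters, and build an argv list instead of a shell string."""
    host = params.get("host", "")
    if len(host) > MAX_PARAM_LEN:
        raise BadRequest("parameter too long")
    if not HOSTNAME_RE.fullmatch(host):
        raise BadRequest("parameter contains disallowed characters")
    if host.startswith("-"):
        raise BadRequest("parameter would be parsed as an option")
    # Pass as argv (subprocess.run(argv) with shell=False); no shell ever sees the value.
    return ["ping", "-c", "1", host]


def rejects(params):
    """True if the hardened handler refuses the request."""
    try:
        hardened_command(params)
    except BadRequest:
        return True
    return False


def shell_commands(cmdline):
    """Tokenise like a POSIX shell and split on separators, to show what really runs."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for token in lexer:
        if token in (";", "&&", "||", "|", "&"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


if __name__ == "__main__":
    injected = {"host": "127.0.0.1; cat /etc/passwd"}
    print(shell_commands(vulnerable_command(injected)))     # two commands: ping, then cat
    print(rejects(injected), rejects({"host": "A" * 500}))  # True True
    print(hardened_command({"host": "router.lan"}))
```

shell_commands() exists only to make the injection visible: it tokenises the vulnerable command line the way /bin/sh would and shows that a single form field became two commands. In the hardened path the same field never reaches a shell at all, which is the fix the page is asking vendors for, and the length check is the Python stand-in for not calling strcpy into a stack buffer.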

Same botnet, same operator?

With all the similarities in the vulnerabilities and the speed with which they are being exploited after disclosure, it will not come as a total surprise that the botnet that is actively going after these vulnerable devices is Mirai. Mirai is the name of the malware behind one of the most active and well-known IoT botnets. After the source code of the original Mirai botnet was leaked, it was quickly replicated by other cybercriminals, so there are now several independent operators each running their own Mirai-based botnets.

Researchers at SAM Seamless Network were able to establish that the web server serving the Mirai botnet behind these attacks uses the same network subnet seen by Unit 42 in March of 2021, indicating that the same attacker was behind those incidents. Due to the similarity in scripts it was assumed that the same actor was behind the exploitation of the vulnerability listed under CVE-2021-20090 which is present in the Arcadyan firmware.

It also seems reasonable to assume that this is the actor responsible for the largest DDoS attack recorded to date, just last week.

Mitigation

Realtek has since patched the vulnerabilities, but it will take a while for manufacturers who use their chipset to make the patches available to their customers. And again many of the owners of vulnerable devices are home users. They may have no idea whether their device is vulnerable and even if they do, they will likely need guidance to apply a firmware upgrade.

Realtek chipsets are commonly used for sound and Wi-Fi by many vendors, such as ARRIS, ASUSTek, Belkin, Buffalo, D-Link, EnGenius, Huawei, LG, Logitec, NetGear, TRENDnet, and many more. I found a list of affected devices courtesy of Mainstream Technologies, but this is only a partial list. Alongside its list, Mainstream Technologies warns that: “If your device is over 10 years old, it definitely will not get a patch. If it is over 5 years it probably will not get a patch”.

So even if your device is not on that list, that doesn’t mean it’s not vulnerable. Any device that uses a Realtek RTL819D chipset is vulnerable, and the bots scanning the internet for vulnerable devices will definitely be able to find them.

Cases like these could end up being a deciding factor in the debate over whether vendors, governments or law enforcement should be allowed to patch vulnerable systems that do not belong to them or to the infrastructure they are responsible for.

Stay safe, everyone!

The post Realtek-based routers, smart devices are being gobbled up by a voracious botnet appeared first on Malwarebytes Labs.

Criminals exploited weak checks and old tech to pull off vast COVID benefit fraud

In life, when you encounter something momentous—a sudden job loss, a routine check-up that revealed an illness you can’t afford the medical bills for—you can be assured that the federal or state government has benefits you can apply for. And where there are benefits, you can also be assured that there will be individual scam artists and national (if not international) cybercrime gangs attempting to get those benefits by fraudulent means.

It was no different when the COVID pandemic hit.

And while there are domestic fraudsters in the US, the biggest agents of pandemic-related scams and fraud, according to law enforcement officials and private experts, are outside the country and read like a who’s who of cybercrime stereotypes: Nigerian scammers, Chinese hackers, and Russian mobsters.

The fraudulent filing of claims related to the COVID pandemic has been an on-and-off topic of discussion in news sites. And American nationals and legal residents in the US, in particular, who have lost their jobs due to the pandemic recession are the ones at the losing end of every fraud story out there.

According to the same law enforcement officials speaking to NBC News, the federal government “cannot say for sure how much of the more than $900 billion in pandemic-related unemployment relief has been stolen, but credible estimates range from $87 million to $400 billion—at least half of which went to foreign criminals”.

NBC News has pointed out that the amount being stolen via pandemic-related unemployment relief fraud dwarfs the annual budget the federal government allots to intelligence gathering or K-12 education. It even far outweighs the annual economic cost of ransomware attacks, which some put at around $20 billion USD.

“This is perhaps the single biggest organized fraud heist we’ve ever seen,” RSA’s Armen Najarian was quoted as saying. Najarian had tracked down a Nigerian ring that was able to plunder millions of US dollars from many US states.

Exploiting weak ID checks

Criminals have been taking advantage of the Pandemic Unemployment Assistance (PUA) program, using stolen identities to land individual payouts of up to $20,000 USD.

When you file for unemployment relief, you have to prove that you were employed before the pandemic affected your status. Some states have turned to ID.me, which supplied NBC with a rogues’ gallery of pictures showing fraudsters trying to pull the wool over the eyes of the verification process with an assortment of silicone masks, Barbie doll heads, and deepfake videos.

NBC reports that federal watchdogs have been flagging the weakness of some states’ verification methods for years—and the criminals know they can game the system.

In fact, the unemployment verification process in some states is so bad that prison and jail inmates were able to successfully apply for COVID-19 unemployment compensation.

Because of the rampant fraud of this nature, the Office of Inspector General (OIG) issued an alert to the US Department of Labor (DOL) that it should “take immediate action and increase its efforts to ensure SWAs,” or State Workers Agencies, “implement effective controls to mitigate fraud in these high risk areas.” The memo also identified potentially fraudulent benefits paid in the following four areas:

  1. Multi-State Claimants — totalling $3.5 billion in UI benefits paid;
  2. Social Security Numbers of Deceased Individuals — totalling $58.7 million in UI benefits paid;
  3. Federal Prisons — totalling $98.3 million in UI benefits paid; and
  4. Suspicious Email Accounts — totalling $2 billion in UI benefits paid.

Since many states have already opted out (or will be opting out) of some or all of the unemployment relief stimulus as early as July 2021, it is expected that fraudsters will be moving on to other opportunities to make a COVID buck.

Outdated technology

Criminals are also exploiting a lack of data sharing between states. Almost half of the states in the US have yet to join a national data exchange for checking Social Security Numbers (SSNs), which makes it possible to use one SSN to file a claim in multiple states. Also, some states have not been sharing fraud data even though it’s required by federal law. On top of that, the OIG also released a report in May 2021 revealing that 40 percent of states did not perform the required Benefit Payment Control (BPC) activities (database identity checks), and 88 percent did not do the recommended BPC cross-matches.

Regardless of how fraudsters get their hands on COVID government benefits, they are quick to move the money. Foreign organized criminals, for example, use mobile payment services—Cash App, in particular—to either move money or convert the stolen money to bitcoin before moving it overseas. Sometimes they also use money mules to move cash.

Reporting fraud

If you think you might be a victim of pandemic-related relief fraud you should report it to:

  • Your employer,
  • Your state unemployment benefits agency, and
  • the Federal Trade Commission (FTC) via IdentityTheft.gov.

The FTC will also help you with what to do next to recover from identity theft. You might also reach out to the Identity Theft Resource Center (ITRC), a not-for-profit organization that has helpful resources you can use to resolve ID theft and fraud problems.

It’s also a good idea to freeze your credit, which in turn makes it a lot more challenging for the fraudster to use your identity to open a new account.

Lastly, it’s a good idea to review your credit reports every now and then.

Stay safe!

The post Criminals exploited weak checks and old tech to pull off vast COVID benefit fraud appeared first on Malwarebytes Labs.

A week in security (August 16 – August 22)

Last week on Malwarebytes Labs:

Other cybersecurity news:

Stay safe, everyone!

The post A week in security (August 16 – August 22) appeared first on Malwarebytes Labs.

Patch now! Microsoft Exchange is being attacked via ProxyShell

Last Saturday the Cybersecurity and Infrastructure Security Agency issued an urgent warning that threat actors are actively exploiting three Microsoft Exchange vulnerabilities—CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. These vulnerabilities can be chained together to remotely execute arbitrary code on a vulnerable machine.

This set of Exchange vulnerabilities is often grouped under the name ProxyShell. Fixes were available in the May 2021 Security Updates issued by Microsoft. (To be more precise, the first two were patched in April and CVE-2021-31207 was patched in May.)

The attack chain

Simply explained, these three vulnerabilities can be chained together to allow a remote attacker to run code on the unpatched server. Attackers use them as follows:

  • Get in with CVE-2021-31207, a Microsoft Exchange Server security feature bypass vulnerability. The vulnerability allows a remote user to bypass the authentication process.
  • Take control with CVE-2021-34523, a Microsoft Exchange Server elevation of privilege (EoP) vulnerability. The vulnerability allows a user to raise their permissions.
  • Do bad things with CVE-2021-34473, a Microsoft Exchange Server remote code execution (RCE) vulnerability. The vulnerability allows an authenticated user to execute arbitrary code in the context of SYSTEM and write arbitrary files.

ProxyShell

The Record reports that ProxyShell has been used to take over some 2,000 Microsoft Exchange mail servers in just two days. This can only happen where organisations use the on-premise version of Exchange, and system administrators haven’t installed the April and May patches.

We know there are many reasons why patching is difficult, and often slow. The high number is surprising though, given that the noise level about Microsoft Exchange vulnerabilities has been high since March, although it may have been muffled by the other alarm cries about PrintNightmare, HiveNightmare, PetitPotam, and many others.

Ransomware

Several researchers have pointed to a ransomware group named LockFile that combines ProxyShell with PetitPotam. Kevin Beaumont has documented how his Exchange honeypot detected exploitation by ProxyShell to drop a webshell. Later, the threat actor revisited to initiate the staging of artefacts related to the LockFile ransomware. For those interested in how to identify whether their servers are vulnerable, and technical details about the stages in this attack, we highly recommend you read Kevin Beaumont’s post.

PetitPotam

Before we can explain how ProxyShell can lead to a full-blown network-wide ransomware infection, we ought to tell you more about PetitPotam. PetitPotam enables a threat actor to launch an NTLM relay attack on domain controllers.

PetitPotam uses the EfsRpcOpenFileRaw function of the Microsoft Encrypting File System Remote Protocol (MS-EFSRPC) API. MS-EFSRPC is used for maintenance and management operations on encrypted data that is stored remotely, and accessible over a network. The PetitPotam proof-of-concept (PoC) takes the form of a manipulator-in-the-middle (MitM) attack against Microsoft’s NTLM authentication system. The targeted computer is forced to initiate an authentication procedure and share its authentication details via NTLM.

Since the PetitPotam attack is not based on a vulnerability but uses a legitimate function in a way that was not intended, it will be hard to patch for this attack without “breaking stuff.” Further, stopping the Encrypting File System (EFS) service does not prevent the technique from being exploited. (For mitigation details, see our post about PetitPotam.)

LockFile

LockFile attacks have been recorded mostly in the US and Asia, focusing on organizations in financial services, manufacturing, engineering, legal, business services, travel, and tourism. Symantec pointed out in a blog post that the ransom note from LockFile ransomware is very similar to the one used by the LockBit ransomware group and that they reference the Conti gang in their email address. This may mean that members of those gangs have started a new operation, or just be another indication of how all these gangs are connected, and sharing resources and tactics.

Advice

CISA strongly urges organizations to identify vulnerable systems on their networks and immediately apply Microsoft’s Security Update from May 2021—which remediates all three ProxyShell vulnerabilities—to protect against these attacks.

We would also suggest that you have a look at the mitigation advice for PetitPotam and prioritize tackling both of these problems in your updating processes.

Stay safe, everyone!

The post Patch now! Microsoft Exchange is being attacked via ProxyShell appeared first on Malwarebytes Labs.