IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

Vulnerability in Windows 10 URI handler leads to remote code execution

Researchers at Positive Security have discovered a drive-by remote code-execution (RCE) bug in Windows 10. The vulnerability can be triggered by an argument injection in the Windows 10 default handler for ms-officecmd: URIs. It is likely that this vulnerability also exists in Windows 11.

What’s worrying is that the research team simply decided to find a code execution vulnerability in a default Windows 10 URI handler, and that they succeeded within two weeks. Given how many URI handlers are included in Windows you can bet that there are others to be found.

What is a URI handler?

A Uniform Resource Identifier (URI) is a unique sequence of characters that identifies a logical or physical resource used by web technologies. The well-known uniform resource locator (URL) and the uniform resource name (URN) are both examples of URIs. A URI handler is the program that gets launched to open a URI of a certain type. For example, the URI handler for ftp links can be different from the URI handler that deals with http links. This depends on your settings and often on which software and apps you have installed.
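To make the handler concept concrete, the following is an added example written for this page (it is not code from the article or from Positive Security): a Python script that reads a Windows registry export, lists every scheme registered with a "URL Protocol" value together with the command its handler is launched with, and flags handlers that pass the URI (%1) to the program without quotes. The .reg text inside the script is constructed, the executable paths in it are placeholders, and the unquoted-%1 check is a general hygiene check rather than the argument injection the article describes inside LocalBridge.exe.

```python
"""Inventory URI scheme handlers from a Windows registry export.

Added example; not code from the article or from Positive Security.
On Windows a URI scheme is registered as a key under HKEY_CLASSES_ROOT with
an empty "URL Protocol" value, and the program launched for it is the default
value of <scheme>\\shell\\open\\command.  A defender can export that hive
(reg export HKCR handlers.reg) and review the handlers offline, which is what
this script does.  The .reg text below is constructed and the executable
paths in it are placeholders.
"""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\ms-officecmd]
@="URL:ms-officecmd"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\ms-officecmd\shell\open\command]
@="\"C:\\PLACEHOLDER\\LocalBridge.exe\" \"%1\""

[HKEY_CLASSES_ROOT\exampleapp]
@="URL:exampleapp"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\exampleapp\shell\open\command]
@="C:\\PLACEHOLDER\\ExampleApp.exe --open %1"

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    """.reg string values escape backslashes and double quotes with a backslash."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Return {key_path: {value_name: data}}; the default value has name ''."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = '' if m.group(1) == '@' else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])      # REG_SZ string value
            keys[current][name] = data            # dword:/hex: values kept verbatim
    return keys


def uri_handlers(keys):
    """Map each registered URI scheme to the command its handler is launched with."""
    handlers = {}
    for path, values in keys.items():
        parts = path.split('\\')
        if len(parts) == 2 and parts[0] == 'HKEY_CLASSES_ROOT' and 'URL Protocol' in values:
            command_key = path + r'\shell\open\command'
            handlers[parts[1]] = keys.get(command_key, {}).get('')
    return handlers


def unquoted_placeholder(command):
    """True when %1 (the whole URI) is passed without surrounding quotes.

    General hygiene check, not the argument injection the article describes
    inside LocalBridge.exe: an unquoted %1 lets spaces and quotes in the URI
    change where one argument ends and the next begins.
    """
    return command is not None and '%1' in command and '"%1"' not in command


def audit(reg_text):
    """Return (scheme, command, needs_review) for every URI handler in the export."""
    handlers = uri_handlers(parse_reg(reg_text))
    return [(scheme, cmd, unquoted_placeholder(cmd)) for scheme, cmd in sorted(handlers.items())]


if __name__ == '__main__':
    for scheme, cmd, flagged in audit(SAMPLE_REG):
        print(f"{scheme:15} {'REVIEW' if flagged else 'ok':6} {cmd}")
```

On a real machine the export comes from reg export HKCR handlers.reg; per-user handlers also live under HKEY_CURRENT_USER\Software\Classes, which would need a second export pointed at the script. The script itself runs anywhere, so the review can happen off the endpoint.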

The problem handler

In this case the code execution is triggered by a malicious website which performs a Javascript redirect to a crafted ms-officecmd: URI (a scheme used by the Microsoft Office Universal Windows Platform (UWP) app to launch other Office desktop applications).

As an alternative to exploitation through malicious websites, crafted ms-officecmd: URIs could also be delivered via desktop applications performing unsafe URL handling. However, this exploit only works if the user has Microsoft Teams installed but it is not running.

ms-officecmd

While looking for viable candidates, the ms-officecmd: scheme immediately grabbed the attention of the research team due to its promising name. MS Office is a very complex suite of applications with many legacy features and a long history of exploitability. On top of that, the scheme ends in the abbreviation for ‘command’, which suggests even more complexity and potential for injection.

ms-officecmd in the registry

When the team started playing around with it, they noticed an executable called LocalBridge.exe which would briefly run, but would show no apparent external effect.

The research team decided to decompile LocalBridge.exe, which taught them how to create a valid JSON payload. It turned out they had to dig deeper: that meant analyzing AppBridge.dll next, since it contains the LaunchOfficeAppValidated method that the JSON payload is ultimately passed to.

As a different approach to dissecting the application that handles ms-officecmd: URIs, they tried inspecting an application which generates URIs that get handled by ms-officecmd:. They ended up at the Office UWP app. In this context it is good to know that the Office apps for phones using Windows 10 Mobile (Word, Excel, PowerPoint, OneNote) reached end of support on January 12, 2021. That means that since that date, app users no longer receive security updates, non-security hotfixes, free assisted support options or online technical content updates from Microsoft.

After some tinkering, the researchers managed to use the extracted JSON payload to open Office desktop applications via ms-officecmd: URIs. Specifically, the payload extracted from the Office UWP app could be used to open Outlook.

Phishing angle

The researchers found that when an http(s) URL was provided in the filename property, Outlook would render the respective webpage in an IE11 powered embedded web view. No indication of the webpage’s origin or even the fact that the displayed content stemmed from an external webpage was given. This behavior could be abused to mount very believable phishing attacks, especially since mailto: links are, depending on local configuration, expected to open the user’s email program.

Based on this information, the researchers crafted a PoC that does the following once a user can be tricked into clicking a link on a malicious website:

  • A malicious executable named outlook.exe is saved to the victim’s download folder by dynamically adding an iframe that points to the exe file.
  • The innocent looking mailto: link target is replaced with a malicious ms-officecmd: URI which references the downloaded executable in its filename property.
  • The user confirms the ‘Open LocalBridge?’ dialog, which is not an explicit security warning.
  • When Outlook is starting up, it displays a warning dialog about opening a potentially unsafe hyperlink. The user confirms opening the local ‘outlook.exe’ file since they are expecting Outlook to be opened.
  • The downloaded file is executed.

Patched or not?

The researchers have been going back and forth with Microsoft about this for months, having initially disclosed the weakness to Microsoft in March. Microsoft closed Positive Security’s initial report the very next day, based on what Positive Security called Microsoft’s “erroneous” belief that the exploit relies on social engineering, which would not meet the definition of a security vulnerability.

According to the researchers, the patch that was issued after five months seems to only affect Teams and Skype. The argument injection vulnerability described in this post is still present on fully patched Windows 10 and 11 systems. After the researchers brought this to Microsoft’s attention, they were told another patch addressing the argument injection was underway. Microsoft gave the researchers the go-ahead to post their write-up independently of its rollout.

Unfortunately, I was unable to confirm this. None of my Windows 10 machines have Edge Legacy installed and IE crashes on every exploit attempt, which is also annoying but not what I was waiting to see. When I tried it on the latest version of Edge, Malwarebytes Browser Guard blocked the download of the “outlook.exe.”

Anyway. This goes to show it pays to actually read the prompts and hover the links.

It always pays off to pay attention before clicking a link

Stay safe, everyone!

The post Vulnerability in Windows 10 URI handler leads to remote code execution appeared first on Malwarebytes Labs.

Was threat actor KAX17 de-anonymizing the Tor network?

A mysterious threat actor has run thousands of malicious servers in entry, middle, and exit positions of the Tor network. Tracked as KAX17, the threat actor at its peak ran more than 900 malicious servers in a Tor network that typically hovers around a daily total of up to 9,000-10,000 relays.

Tor nodes

The Tor network, as defined by the official website, is a group of volunteer-operated servers that improve the privacy and security of one’s data. Tor nodes are also referred to as routers or relays. They receive traffic on the Tor network and pass it along. A series of virtual tunnels are created between all nodes of the Tor network, and for each data transmission a random path of tunnels, known as the relay path, is chosen.

Some of these servers work as entry-guards, others as middle-relays, and yet others as exit-nodes from the Tor network. All Tor traffic passes through at least three relays before it reaches its destination.

Servers without contact information

Servers added to the Tor network typically must have contact information included in their setup, such as an email address, so Tor network administrators and law enforcement can contact server operators in the case of a misconfiguration or file an abuse report.

This policy, however, is not policed very strictly, mainly to ensure there’s always a sufficiently large number of nodes. But a security researcher and Tor node operator going by Nusenu told The Record this week that they observed a pattern in some of these Tor relays with no contact information, which they first noticed in 2019 and have traced back as far as 2017.

Grouping the servers by similarities, the researcher arrived at a threat actor they named KAX17. This threat actor has constantly added servers with no contact details to the Tor network in industrial quantities, operating servers in the realm of hundreds at any given point. These servers are typically located in data centers spread all over the world and are typically configured as entry and middle points primarily, although KAX17 also operates a small number of exit points.
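As an added illustration of the kind of grouping described above (example code written for this page, not Nusenu’s tooling or anything from the article), the Python script below takes relay records in the shape of Tor’s Onionoo details documents, keeps those with no contact line, groups them by autonomous system, Tor version string and first-seen date, and reports what share of Guard and Exit relays a group holds. The eight records are constructed: their fingerprints are placeholders and AS64496 and AS64497 are documentation-only AS numbers.

```python
"""Group Tor relays without contact information by traits they share.

Added example, not Nusenu's tooling and not code from the article.  The
records use the field names of Tor's Onionoo "details" documents (nickname,
fingerprint, contact, as, platform, first_seen, flags) but are constructed:
fingerprints are placeholders and AS64496/AS64497 are documentation-only AS
numbers.  Anonymous relays sharing an autonomous system, Tor version and
first-seen date are grouped, because batches of contact-less relays appearing
together is the pattern the article describes.  A flagged group is a
candidate for review, not proof of a single operator.
"""
from collections import defaultdict

RELAYS = [
    # four anonymous relays, same hoster, same software, added the same day
    {"fingerprint": "FP01", "nickname": "Unnamed", "as": "AS64496",
     "platform": "Tor 0.4.6.8 on Linux", "first_seen": "2021-10-03 08:00:00",
     "flags": ["Running", "Fast", "Guard"]},
    {"fingerprint": "FP02", "nickname": "Unnamed", "as": "AS64496",
     "platform": "Tor 0.4.6.8 on Linux", "first_seen": "2021-10-03 09:10:00",
     "flags": ["Running", "Fast", "Guard"]},
    {"fingerprint": "FP03", "nickname": "Unnamed", "as": "AS64496",
     "platform": "Tor 0.4.6.8 on Linux", "first_seen": "2021-10-03 09:15:00",
     "flags": ["Running", "Fast", "Guard"]},
    {"fingerprint": "FP04", "nickname": "Unnamed", "as": "AS64496",
     "platform": "Tor 0.4.6.8 on Linux", "first_seen": "2021-10-03 11:40:00",
     "flags": ["Running", "Fast", "Guard"]},
    # one anonymous relay on its own: not enough to form a group
    {"fingerprint": "FP05", "nickname": "lonely", "as": "AS64497",
     "platform": "Tor 0.4.5.10 on FreeBSD", "first_seen": "2019-05-20 00:00:00",
     "flags": ["Running", "Fast"]},
    # relays whose operators can be reached
    {"fingerprint": "FP06", "nickname": "goodrelay1", "as": "AS64497",
     "platform": "Tor 0.4.6.8 on Linux", "first_seen": "2021-10-03 08:30:00",
     "contact": "admin[at]example.org", "flags": ["Running", "Fast", "Guard"]},
    {"fingerprint": "FP07", "nickname": "goodrelay2", "as": "AS64497",
     "platform": "Tor 0.4.6.8 on Linux", "first_seen": "2020-01-15 00:00:00",
     "contact": "admin[at]example.org", "flags": ["Running", "Fast", "Guard"]},
    {"fingerprint": "FP08", "nickname": "goodexit", "as": "AS64497",
     "platform": "Tor 0.4.6.8 on Linux", "first_seen": "2020-01-15 00:00:00",
     "contact": "abuse[at]example.org", "flags": ["Running", "Fast", "Exit"]},
]


def anonymous_relays(relays):
    """Relays with no contact information at all."""
    return [r for r in relays if not r.get("contact", "").strip()]


def group_key(relay):
    """Traits that a batch of relays deployed by one operator tends to share."""
    return (relay.get("as", "?"), relay.get("platform", "?"), relay.get("first_seen", "")[:10])


def suspicious_groups(relays, min_size=3):
    """Groups of at least min_size anonymous relays sharing the same traits."""
    groups = defaultdict(list)
    for r in anonymous_relays(relays):
        groups[group_key(r)].append(r["fingerprint"])
    return {key: sorted(fps) for key, fps in groups.items() if len(fps) >= min_size}


def position_share(relays, fingerprints):
    """Share of Guard and Exit relays held by a fingerprint set.

    Counts relays rather than consensus weight, so it only approximates the
    path-selection probabilities the article quotes.
    """
    fps = set(fingerprints)
    shares = {}
    for flag in ("Guard", "Exit"):
        with_flag = [r for r in relays if flag in r.get("flags", [])]
        held = [r for r in with_flag if r["fingerprint"] in fps]
        shares[flag] = len(held) / len(with_flag) if with_flag else 0.0
    return shares


if __name__ == "__main__":
    for key, fps in suspicious_groups(RELAYS).items():
        print(key, fps, position_share(RELAYS, fps))
```

Against live data the records would come from the Onionoo details endpoint rather than the constructed list, and the grouping key would usually be widened (IP ranges, nickname patterns, declared family) before anything is reported to the Tor Project.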

The purpose

Given the number of servers run by KAX17, the calculated probability that a Tor user connected to the Tor network through one of KAX17’s entry servers was 16%; there was a 35% chance they would pass through one of its middle relays, and up to a 5% chance of exiting through one.

This would give the threat actor ample opportunity to perform a Sybil attack. A Sybil attack is a type of attack on a computer network service where an attacker subverts the service’s reputation system by creating a large number of pseudonymous identities and uses them to gain a disproportionately large influence. This could lead to the deanonymization of Tor users and/or onion services.
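The shares quoted above can be turned into a rough estimate of how often a client would be exposed. This is an added example, not a calculation from the article: the Python below uses the article’s 16%, 35% and 5% figures and assumes, for simplicity, that each position is an independent draw with that probability (real path selection is bandwidth-weighted and excludes relays from the same family). A Tor client keeps its entry guard for months, so the guard is drawn once and only the exit changes from circuit to circuit; seeing both ends of a circuit is what allows traffic correlation.

```python
"""How much Tor traffic a relay set of KAX17's size could correlate end to end.

Added example; the shares are the percentages the article quotes (16% entry,
35% middle, 5% exit) and the model is an assumption of this example: each
position is an independent draw with that probability, ignoring bandwidth
weights and relay-family exclusions.  Because a client keeps one entry guard
for months, the guard is drawn once and the exit once per circuit.
"""

GUARD_SHARE, MIDDLE_SHARE, EXIT_SHARE = 0.16, 0.35, 0.05


def one_circuit(guard=GUARD_SHARE, exit_=EXIT_SHARE):
    """Probability that a single circuit's guard and exit are both attacker relays."""
    return guard * exit_


def whole_circuit(guard=GUARD_SHARE, middle=MIDDLE_SHARE, exit_=EXIT_SHARE):
    """Probability that all three hops are attacker relays (two ends already suffice)."""
    return guard * middle * exit_


def at_least_one_of(n, guard=GUARD_SHARE, exit_=EXIT_SHARE):
    """Probability that a client with a fixed guard has at least one of n circuits
    observed at both ends: the guard must be malicious (one draw) and at least one
    of the n exits must be."""
    return guard * (1 - (1 - exit_) ** n)


def circuits_for(target, exit_=EXIT_SHARE):
    """Smallest number of circuits after which a client whose guard is already
    malicious has had at least one circuit exit through an attacker relay with
    probability >= target."""
    n = 0
    while 1 - (1 - exit_) ** n < target:
        n += 1
    return n


if __name__ == "__main__":
    print(f"one circuit, both ends: {one_circuit():.4f}")
    print(f"100 circuits, fixed guard: {at_least_one_of(100):.3f}")
    print(f"circuits until 50% given a bad guard: {circuits_for(0.5)}")
```

The last function is the reason the guard position matters most: under these assumptions, once a client has picked a malicious guard it takes only 14 circuits before the odds that at least one of them also exited through the attacker pass 50%, whereas a client with an honest guard is never fully observed no matter how many circuits it builds.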

Given the cost and effort put into this and the fact that actors performing attacks in non-exit positions are considered more advanced adversaries because these attacks require a higher sophistication level and are less trivial to pull off, it is highly likely this is the work of a high-level (state-sponsored?) threat actor. As for who is behind this group, neither Nusenu nor the Tor Project wanted to speculate.

A spokesperson for the Tor Project confirmed Nusenu’s latest findings and said it had also removed a batch of KAX17 malicious relays.

“Once we got contacted, we looked through all the relays in the network and identified several hundred relays that are very likely belonging to the same group and removed them on November 8.”

Exit nodes

Other malicious actors have been known to control a large percentage of the exit nodes. These exit nodes were used in man-in-the-middle attacks to remove encryption from web traffic where possible, known as SSL stripping, primarily targeting cryptocurrency-based traffic, especially users visiting Bitcoin and cryptocurrency tumbling services. For example, the attacker can redirect the user to cryptocurrency sites featuring the attacker’s Bitcoin wallet address in the hope that the user won’t notice the difference. If the user doesn’t pay attention, they’ll send their cryptocurrency to the attacker rather than to the website or service, and lose it in the process.

How to stay safe

Traffic that leaves the Tor network through an exit node using plain HTTP is unencrypted at that point, which gives a malicious exit node complete access to its content.

How you can prevent this:

  • The easiest way to stay safe from bad exit nodes is not to use them. If you stay within Tor hidden services (the Dark Web), you can keep all your communications encrypted. This works well when possible, but it isn’t always practical.
  • Use end-to-end encryption. More sites than ever are using HTTPS to secure your communications, rather than the old, insecure HTTP standard.
  • Use websites and services that don’t report on your activities as a matter of course. As an example, switching from Google search to DuckDuckGo reduces your trackable data footprint.
  • Do not use any personally identifiable information. Again, not always practical, but worth limiting it as much as you can.
  • Avoid sites and services that require you to log in. After all, sending your login credentials through a malicious Tor exit node would compromise the login.
  • Use a VPN. A Virtual Private Network (VPN) keeps you safe from malicious exit nodes by continuing to encrypt your data once it leaves the Tor Network.

Stay safe, everyone!

The post Was threat actor KAX17 de-anonymizing the Tor network? appeared first on Malwarebytes Labs.

A chink in the armor of China-based hacking group Nickel

Microsoft has taken control of 42 web domains that a hacking group was using to try to breach its targets.

On December 2, the Microsoft Digital Crimes Unit (DCU) filed pleadings with the US District Court for the Eastern District of Virginia seeking authority to take control of the sites that it discovered belonged to a China-based group it calls Nickel. The court order was unsealed December 6 following completion of service on the hosting providers, and traffic from the websites is now routed to computer servers controlled by Microsoft.

The disruption is unlikely to prevent Nickel from pursuing its hacking activities, but it has put a spanner in its works, effectively removing a key piece of the infrastructure the group has been relying on for its latest wave of attacks. Sadly, any setback to the Chinese hacking group or others will likely be temporary as the hackers will find and build new infrastructure to use in forthcoming attacks.

Nickel

Others in the security community who have researched this group of actors refer to the group by other names, including KE3CHANG, APT15, Vixen Panda, Royal APT, and Playful Dragon. Malwarebytes generally uses the APT15 designation for this group.

An overview of Chinese hacking groups and their aliases

The group’s activities have been traced back to 2010 when it performed a cyberespionage campaign directed at diplomatic organizations and missions in Europe.

Targets, methods, and techniques

Nickel’s techniques vary, but in the end the group’s activity has only one objective, namely to implant stealthy malware for getting into networks, stealing data, and spying on government agencies, think tanks, and human rights organizations.

For initial access, the DCU noticed Nickel using older, and patched, vulnerabilities in Microsoft products like Microsoft Exchange and SharePoint, but also compromised VPN suppliers or obtained stolen credentials. For lateral movement the DCU saw Nickel actors using Mimikatz, WDigest, NTDSDump, and other password dumping tools during attacks.

Then followed a drop of hard-to-detect malware that enabled intrusions, surveillance and data theft targeting organizations in Argentina, Barbados, Bosnia-Herzegovina, Brazil, Bulgaria, Chile, Colombia, Croatia, Czech Republic, Dominican Republic, Ecuador, El Salvador, France, Guatemala, Honduras, Hungary, Italy, Jamaica, Mali, Mexico, Montenegro, Panama, Peru, Portugal, Switzerland, Trinidad & Tobago, the UK, US, and Venezuela.

As a result, Nickel achieved long-term access to several targets, allowing the group to conduct activities such as regularly scheduled exfiltration of data. Microsoft Threat Intelligence Center (MSTIC) observed Nickel perform frequent and scheduled data collection and exfiltration from victim networks. The group’s activity included looking in directories of interest for new files added since the last time it collected data.

One method Nickel uses to hide malware is to drop it into existing installed software paths. The group did this to make the malware appear to be files used for an installed application. These are backdoors capable of collecting system information and have basic backdoor functionalities, including, but not limited to:

  • Launching a process
  • Uploading a file
  • Downloading a file
  • Executing a shellcode in memory
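One way to detect the hiding technique just described (malware dropped into an existing application’s install path) is a file baseline, shown here as an added example that is not MSTIC’s or Microsoft’s tooling: the Python script records the SHA-256 of every executable file under a directory tree and later reports files that were added, modified or removed. The demo() function builds a temporary directory tree, so the paths and file contents are constructed.

```python
"""Baseline executables under application install paths and flag newcomers.

Added example, not MSTIC's or Microsoft's tooling.  The article says Nickel
hides its backdoors by dropping them into existing software install paths so
they look like part of the application.  A simple control is to record the
SHA-256 of every executable file under those paths once and re-check later:
anything added or modified in a directory that should only change when the
vendor ships an update deserves a look.  demo() builds its tree in a
temporary folder, so every path and file below is constructed.
"""
import hashlib
import os
import tempfile

EXEC_EXT = {".exe", ".dll", ".sys", ".ocx", ".scr"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Return {relative_path: sha256} for executables under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in EXEC_EXT:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                result[rel] = sha256_file(full)
    return result


def diff(baseline, current):
    """Files that appeared, changed or disappeared since the baseline."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
    }


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline an install path, then plant and alter files."""
    with tempfile.TemporaryDirectory() as root:
        _write(os.path.join(root, "App", "app.exe"), b"original program")
        _write(os.path.join(root, "App", "readme.txt"), b"ignored, not executable")
        baseline = snapshot(root)
        _write(os.path.join(root, "App", "helper.dll"), b"file dropped later")   # planted
        _write(os.path.join(root, "App", "app.exe"), b"patched program")         # altered
        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline is taken right after installation or a vendor update and re-checked on a schedule; a stronger version would also verify the Authenticode signature of anything that turns up as added or modified, which this script leaves out.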

A long list of IOCs can be found at the end of this write-up about Nickel by MSTIC.

International cooperation

The Microsoft blog includes a call-to-action for industry, governments, civil society, and others to come together and establish a new consensus for what is and isn’t appropriate behavior in cyberspace. There are some promising developments in this area, like the United States and the European Union joining the Paris Call for Trust and Security in Cyberspace, the Oxford Process which has brought together some of the best legal minds to evaluate the application of international law to cyberspace, and the United Nations taking critical steps to advance dialogue across stakeholders. Nevertheless, every entity with the relevant expertise and resources needs to do whatever they can to help bolster trust in technology and protect the digital ecosystem.

Stay safe, everyone!

The post A chink in the armor of China-based hacking group Nickel appeared first on Malwarebytes Labs.

Is your web browser vulnerable to data theft? XS-Leak explained

In recent news, IT security researchers from Ruhr-Universität Bochum (RUB) and the Niederrhein University of Applied Sciences have disclosed 14 new cross-site leak (also known as XSLeak or XS-Leak) attacks that can affect modern browsers, such as Google Chrome, Microsoft Edge, Mozilla Firefox, and Apple’s Safari. Although the news and press release regarding this haven’t mentioned other browsers that are Chromium-based and Firefox-based, we can make a cautious assumption that these, too, could be vulnerable to the new XS-Leak attacks.

But what is XS-Leak? Why should internet users be worried about them? And how can they protect themselves from such web threats?

XS-Leak, explained

An XS-Leak is a type of attack that targets inherent side-channels of a web platform, allowing actors to bypass the ‘same-origin’ policy (SOP) in web browsers so they can steal user information in the background from trusted and legitimate websites. A side-channel can operate as an information leakage channel, as it “allows an attacker to infer information about a secret by observing nonfunctional characteristics of a program, such as execution time or memory consumed.” [1]

The “same-origin policy” is a critical security mechanism. Its purpose is to prevent information from being stolen from websites that users trust. It does this by restricting how documents and scripts from one origin (the URL location) can interact with resources on another origin. Without this policy, an attacker who successfully compromises a script could see everything in a user’s browser.

Browsers support various interactions between websites and web applications. XS-Leaks take advantage of a minute amount of data that is exposed every time this interaction happens between websites.

An example of an XS-Leak attack flow. In this scenario, the researchers explain, a victim accesses a malicious website (Origin 1), which then requests a resource from another origin using an inclusion method. The threat actor then uses XS-Leaks to determine the victim’s user state. (Source: XSinator)

XS-Leaks Wiki further explains: “The principle of an XS-Leak is to use such side-channels available on the web to reveal sensitive information about users, such as their data in other web applications, details about their local environment, or internal networks they are connected to.”

XS-Leaks have been around since at least the year 2000, and 34 of them have been identified and classified. XS-Leaks can be caused by different things, such as browser APIs, browser implementation details and bugs, and hardware bugs (like the vulnerabilities in modern processors that Meltdown and Spectre exploit).

What is the XSinator?

The XSinator is a “browser test suite” or online tool that anyone can use to automatically scan for XS-Leaks vulnerabilities in the user’s mobile and desktop browser. XSinator.com has been created as accompanying material for the researchers’ paper entitled, “XSinator.com: From a formal Model to the Automatic Evaluation of Cross-Site Leaks in Web Browsers” [PDF].

Overview of the XSinator website

How can I protect myself from XS-Leaks?

Mitigating the risks presented by XS-Leaks falls largely to web browser developers, and they continue to work on it: some browsers have already implemented a number of new defense mechanisms against these attacks.

IT security researchers from both universities have informed the web browser development teams of their findings, and those teams are currently fixing the issues. The researchers also made detailed technical defenses that browser developers can implement against XS-Leaks available in their paper.
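Browser-side fixes are the main defense, but a website can also refuse the cross-site loads that every XS-Leak starts with. The following is an added example (not from the article, the XSinator paper or any browser vendor) of the resource isolation policy documented on web.dev for the Fetch Metadata request headers, written in Python: it reads Sec-Fetch-Site, Sec-Fetch-Mode and Sec-Fetch-Dest, allows same-site requests and plain cross-site navigations, rejects other cross-site requests, and attaches the Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy and X-Frame-Options response headers that close further side channels. The requests at the bottom are constructed.

```python
"""Refuse cross-site resource loads using Fetch Metadata request headers.

Added example, not from the article, the XSinator paper or any browser vendor.
The article places XS-Leak mitigation with browser developers; a web
application can add a complementary, site-side control.  Every XS-Leak starts
with the attacker's page making the victim's browser load something from the
target site, and modern browsers label such requests with Sec-Fetch-Site,
Sec-Fetch-Mode and Sec-Fetch-Dest.  allow_request() is the resource isolation
policy documented on web.dev for those headers.  The requests are constructed.
"""

# Response headers that additionally cut off window-reference and
# cross-origin read side channels; Vary keeps shared caches from serving a
# response decided for one Fetch Metadata combination to another.
ISOLATION_HEADERS = {
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
    "X-Frame-Options": "DENY",
    "Vary": "Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest",
}


def allow_request(method, headers):
    """Resource isolation policy: True if the request may be served."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    site = h.get("sec-fetch-site")
    if site is None:
        return True                      # old browser: no metadata to decide on
    if site in ("same-origin", "same-site", "none"):
        return True                      # own site, or user typed/bookmarked it
    if (h.get("sec-fetch-mode") == "navigate" and method.upper() == "GET"
            and h.get("sec-fetch-dest") not in ("object", "embed")):
        return True                      # a plain cross-site link is still fine
    return False                         # cross-site fetch, img, script, ...


def handle(method, headers, body=b"page that depends on the user's login state"):
    """Minimal request handler returning (status, response headers, body)."""
    if allow_request(method, headers):
        return 200, ISOLATION_HEADERS, body
    return 403, ISOLATION_HEADERS, b"cross-site request refused"


# Constructed requests: an attacker's page probing the target site ...
CROSS_SITE_FETCH = {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Dest": "empty"}
CROSS_SITE_OBJECT = {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "object"}
CROSS_SITE_FRAME = {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "iframe"}
# ... versus a user following a link to it, and the site's own script.
CROSS_SITE_LINK = {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "document"}
SAME_ORIGIN_XHR = {"Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Dest": "empty"}

if __name__ == "__main__":
    for name, req in [("fetch", CROSS_SITE_FETCH), ("object", CROSS_SITE_OBJECT),
                      ("iframe", CROSS_SITE_FRAME), ("link", CROSS_SITE_LINK),
                      ("same-origin xhr", SAME_ORIGIN_XHR)]:
        print(f"{name:16} -> {handle('GET', req)[0]}")
```

Note that a cross-site iframe navigation passes the request policy, since it is a GET navigation that is neither an object nor an embed; it is the X-Frame-Options: DENY response header that stops the page from being framed, which is why the two controls are shipped together.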

The post Is your web browser vulnerable to data theft? XS-Leak explained appeared first on Malwarebytes Labs.

How to check for Windows updates and install them

Keeping Windows up to date is an important part of warding off malware, exploits, and other attacks. If you’re not running the latest version of your OS, it can give cybercriminals the leverage they need to compromise your system.

Unfortunately not all machines are running automatic updates by default, depending on your operating system. This used to primarily be a problem on older versions of Windows. With something like Windows 10, you can’t hold back the update tide forever. The best you can do is pause updates for up to 35 days, at which point the only way you can pause again is to install new updates.

Outside of the pause/repeat cycle, most folks would resort to registry edits for longer periods of going without an update. This isn’t recommended for most users. If you’re a regular home user, there are probably not many specific edge-case reasons why you’d want to have updates switched off.

How to check your Windows update status

Your updates should in theory be running in the background.

If you want to check whether they are, type “Windows update” into the search bar from the Start menu, and click into the Updates section. There, you’ll find a wide range of options and information.

At the very top, you’ll see if you’re up to date or not along with the time the computer last checked. From here, you can also manually check for updates.

If there are additional updates soon to be coming down the pipeline, you’ll also be able to see what they are, along with some details about the update. You can download and install manually before the updates are grabbed automatically.

If your system isn’t compatible with Windows 11, there’ll be a big box letting you know, along with the option to grab the Microsoft PC Health Check App. This will explain in more detail why you may not be able to meet system requirements for Windows 11.

Check your Windows update settings

Underneath the Windows 11 status box is a selection of fine tuning options related to Windows updates. These are:

Pause updates for 7 days. The length of pause required can be altered to your liking in the advanced options (to a maximum of 35 days).

Change active hours. This is for letting Microsoft know which time is best for updates, downloads, and so on. Many folks leave their PCs on overnight, so having all the update heavy lifting take place while asleep is ideal for them. Will you be out during the day? No problem, maybe daytime updates would fit your routine better.

View update history. This can be useful for troubleshooting or just keeping up to date with what’s been going on. Maybe a specific update went AWOL somehow. This is where you’d likely begin your search.

Advanced options. This is where you can alter the pause length for updates. You can also tell the device to receive updates for other Microsoft products when you update Windows. There are additional options for downloading over metered connections, restarting the device “as soon as possible” when a restart is required to install an update, and also various rules for on-screen notifications.

Is Windows update free?

Absolutely, and we recommend you make full use of its capabilities. Your devices will be that little bit more secure with regular automatic updates enabled.

The post How to check for Windows updates and install them appeared first on Malwarebytes Labs.

A week in security (Nov 29 – Dec 5)

Last week on Malwarebytes Labs:

Stay safe!

The post A week in security (Nov 29 – Dec 5) appeared first on Malwarebytes Labs.

NSO Group spyware found on iPhones of US State Department employees

iPhones of at least nine US State Department employees are said to have been hacked using the Pegasus spyware developed by the Israeli technology company, NSO Group. Pegasus is a proprietary and sophisticated spyware capable of the remote surveillance of smartphones.

The employees targeted by an unknown group using the spyware are either “based in Uganda or focused on matters concerning the East African country,” according to Reuters. The hack, which took place a few months back, is said to be the widest known hack of US officials through NSO technology.

Among those notified by Apple for being targeted by the NSO Group spyware is Norbert Mao, president of Uganda’s Democratic party. He tweeted:

The iPhones were infected using a graphics processing vulnerability that Apple only learned about and patched in September this year. The flaw is said to have been taken advantage of since at least February.

In an interview with CNN, University of Toronto’s Citizen Lab’s John Scott-Railton, who investigated Pegasus, urged the US Bureau of Diplomatic Security to do more to protect State Department devices. “NSO has been a plain-sight national security threat for years, and the fact that these breaches happened and Apple is required to do the notification, shows that the threat was not being taken seriously enough,” Scott-Railton told the news outfit.

NSO Group controversy

Last month, the US Commerce Department blacklisted NSO Group, accusing it of providing spyware to foreign governments who then used the tools “to maliciously target journalists, embassy workers, and activists.” The blacklisting makes doing business with NSO Group more difficult for US companies.

Weeks after, Apple filed a lawsuit against NSO Group for breaking into its iOS platform to target US citizens.

And then last week, 86 human rights groups and experts issued a joint letter to European states, asking them to sanction NSO Group based on credible reporting that the Pegasus spyware has aided governments in abusing human rights.

According to a senior official of the Biden administration, the government is cracking down on companies like NSO Group to protect its citizens stationed in foreign countries and “pursue new global discussion about spying limits”. Sen. Ron Wyden, who is a member of the Senate Intelligence Committee, is quoted as saying: “Companies that enable their customers to hack US government employees are a threat to America’s national security and should be treated as such.”

Denial

NSO Group released a statement on Thursday denying that its tools were used in this hacking incident, and said it was happy to cooperate with relevant government authorities.

“If our investigation shall show these actions indeed happened with NSO’s tools, such customer will be terminated permanently and legal actions will take place.”

The post NSO Group spyware found on iPhones of US State Department employees appeared first on Malwarebytes Labs.

Why Macs are the best, according to Mac expert Thomas Reed: Lock and Code S02E23

In the year 2021, the war for computer superiority has a clear winner, and it is the Macintosh, by Apple. The company’s Pro model laptops are finally, belatedly equipped with ports that have been standard in other computers for years. The company’s beleaguered “butterfly” keyboard has seemingly been erased from history. And the base model of the company’s powerhouse desktop tower could set you back a hefty $6,000.

What’s not to love?

Ribbing aside, according to our resident Mac expert at Malwarebytes, Thomas Reed, Apple has made several important decisions about device design in the past few decades to make them more secure, easier to use, and harder to tamper with. And that’s a boon to users because, as Malwarebytes discovered just a couple of years ago, the threats to Mac machines increased by 400 percent from the year prior. But threats to Apple devices extend beyond laptop and desktop threats—for years, small companies have been finding vulnerabilities in Apple’s iOS mobile operating system and selling them to the highest bidders.

So, what defenses do Apple users have to prevent the increasing number of threats from impacting them directly? As Reed explained in this week’s Lock and Code episode with host David Ruiz, there’s a lot. Apple keeps bad users out, prevents clueless users from messing things up, and it works somewhat diligently to catch malware when it’s first reported on.

But not everything is as good as it should be, Reed said. In particular, Apple’s ideology about product secrecy has bled into its approach to security updates, meaning that the company has failed to provide transparent, timely communication to its users when it matters most.

“I can understand the secrecy when it comes to new products and new designs. But when it comes to security, communication is really important and Apple could really learn something from Microsoft.”

Thomas Reed, director of Mac and Mobile at Malwarebytes

Tune in to the latest episode of Lock and Code to learn about Mac security successes and failures, and about Mac history and Reed’s first experience with a computer mouse, along with a story about, reportedly, the first-ever ransomware attack in history.


You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

The post Why Macs are the best, according to Mac expert Thomas Reed: Lock and Code S02E23 appeared first on Malwarebytes Labs.

Emotet’s back and it isn’t wasting any time

Emotet is one of the best known, and most dangerous, malware threats of the past several years.

On several occasions it appeared to take an early retirement, but it has always come back. In January of this year, a global police operation dismantled Emotet’s botnet. Law enforcement then used its control of this infrastructure to send a “self-destruct” update to Emotet executables. Infected organizations were given a few months’ grace to clean up the neutered malware before the remaining copies did as they’d been instructed and ate themselves in April.

However, that wasn’t the end of the story.

Last month we reported on how another notorious bit of malware, TrickBot, was helping Emotet come back from the dead. And then yesterday, several security researchers saw another huge spike in Emotet’s activity.

Blinking light

The presence of Emotet in the threat landscape has had the appearance of a blinking red light for years. Emotet started out in 2014 as an information-stealing banking Trojan that scoured sensitive financial information from infected systems (which is why Malwarebytes detects some components as Spyware.Emotet). Over the years, it evolved into a global-scale distribution infrastructure for other malware.

During this time we have seen Emotet disappear and show up again on several occasions. In September 2019, Emotet emerged from a four month hiatus with a new spam campaign, before going back into hiding early in 2020 and reappearing in July of the same year. Its use then declined, with occasional spikes, before it returned just in time for Christmas and was then dealt a massive blow by collective law enforcement action in January this year.

Recent spikes

On December 1, 2021, our Threat Intelligence team noted a huge spike in Emotet C2 activity.

C2 activity observed by Malwarebytes

Other researchers also noted spikes in the number of URLs being used to distribute the malware, and the number of malware samples.

From all the reports and alerts by researchers and analysts we can see a few interesting trends.

  • First of all, our own research shows the global distribution of Emotet has a clear focus on the US.
[Figure: Global coverage of the Emotet campaign]

Speculation

From this point on the content of this post is speculation, so feel free to skip it if you have developed your own theories. Or feel free to compare notes and leave your remarks in the comments.

Emotet is growing a lot faster than any newcomer to the scene could do. This seems to indicate that old relationships have been renewed, which usually means that the persons that tied these knots in the past are still working on the project and bringing “old friends” back in.

Given the global distribution and the different campaigns that are ongoing it’s likely there are several different affiliates at work. And looking at their methods we can tell that these are not some “fresh out of their mother’s basement script kiddies” either. They are using sophisticated methods and abusing vulnerabilities that haven’t been patched yet by quite a lot of organizations. For example, some Microsoft Exchange vulnerabilities will allow them to hijack existing email threads, which gives the spam messages a higher credibility.

I checked the hosting companies for the WordPress sites, expecting to find a lot of GoDaddy domains that might have been compromised while their credentials were for sale. But I found a lot of different hosting companies, which makes WordPress the common denominator. It’s likely therefore that the attackers are exploiting vulnerable versions of WordPress plugins like OptinMonster, WP Fastest Cache, and WooCommerce Dynamic Pricing and Discounts, all of which were recently patched. (Although there are probably others that we do not know about yet too.)

Hard fact

Emotet is back! For how long is hard to predict, but they don’t behave as if they have any plans to retire again soon.

Stay safe, everyone!

The post Emotet’s back and it isn’t wasting any time appeared first on Malwarebytes Labs.

Attacker unmasked by VPN flubs charged with Ubiquiti hack

A veritable barn-stormer of an insider threat story has recently come to light.

A former employee of Ubiquiti Networks, Nickolas Sharp, has been arrested and charged for allegedly hacking company servers, stealing gigabytes of information, and then rounding it all off with a splash of extortion. This took place in December of last year, but there’s no clear reason (yet) for why he did any of it.

The alleged perpetrator might have gotten away with it too, but for several disastrous choices which ultimately led to their downfall.

Covering his tracks

Sharp clearly put some thought into the attack. Many people would perhaps just blunder across the network, leaving large but unintentional “It was me” footprints all over the place. Not so here… he made use of his network access to alter logs and more, throwing a blanket over what was actually taking place. Cleverly, he used a VPN to hide his details while doing this.

He probably thought he’d gotten away with it. However, breaches do get discovered eventually. The clock was ticking. The question was: Had he done enough?

The answer was no, he hadn’t.

Finding himself on the incident response team investigating his own attack(!), he’s alleged to have threatened to release data stolen from his employer if a ransom demand for 50 bitcoin (roughly $2 million when this all took place) wasn’t paid. According to the US Department of Justice, he then released some of the files when the ransom wasn’t forthcoming. None of this is really conducive to keeping a low profile, and the wheels started to come off.

Anonymous—up to a point

If you’re up to no good and relying on anonymity to protect you, even the slightest connection to your real life can bring the whole scheme crashing down.

Sharp’s attempts to avoid detection apparently rested with his use of a VPN. This, in theory, would keep his real IP address hidden. Law enforcement had other ideas, working out a connection between the VPN account used to attack Ubiquiti and one used to create Sharp’s PayPal account.

The real kicker is that when his home internet briefly went down, so too did the VPN, and his real IP showed up as connecting to the previously mentioned workplace GitHub account.
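The investigative step described above, surfacing a single non-VPN source address among an account’s otherwise VPN-routed activity, is the kind of correlation an incident responder runs over access logs. The following is an added example, not code from Malwarebytes or from the Ubiquiti investigation: the log lines, the account names and the VPN address range are all constructed for illustration.

```python
"""Flag the access-log events for one account that arrived from outside a
known set of VPN exit ranges, while the rest of that account's activity came
through the VPN. Constructed example: log lines and CIDR are invented and
are not taken from the Ubiquiti case."""
import ipaddress
from collections import defaultdict

# Constructed placeholder for the VPN provider's exit ranges. In a real case
# these would come from the provider's published ranges or account records.
VPN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed access log in the form: "<timestamp> <account> <source_ip> <action>"
SAMPLE_LOG = """\
2020-12-10T02:14:03Z svc-deploy 203.0.113.17 clone repo=infra-configs
2020-12-10T02:21:40Z svc-deploy 203.0.113.17 clone repo=firmware
2020-12-10T02:22:55Z svc-deploy 198.51.100.42 clone repo=firmware
2020-12-10T02:23:10Z svc-deploy 203.0.113.17 clone repo=customer-db-dumps
2020-12-10T09:00:00Z alice 192.0.2.5 push repo=docs
"""


def is_vpn(ip):
    """True if the address falls inside any known VPN exit range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPN_RANGES)


def parse_log(text):
    """Split each log line into a dict; blank lines are ignored."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, action = line.split(maxsplit=3)
        events.append({"ts": ts, "account": account, "ip": ip, "action": action})
    return events


def source_ips_by_account(events):
    """Distinct source addresses seen per account, sorted for stable output."""
    ips = defaultdict(set)
    for e in events:
        ips[e["account"]].add(e["ip"])
    return {acct: sorted(addrs) for acct, addrs in ips.items()}


def find_vpn_leaks(events, account):
    """Return the events for `account` that came from a non-VPN address.

    Only accounts that otherwise used the VPN are considered: an account that
    never touched the VPN has nothing to 'leak'."""
    acct_events = [e for e in events if e["account"] == account]
    if not any(is_vpn(e["ip"]) for e in acct_events):
        return []
    return [e for e in acct_events if not is_vpn(e["ip"])]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for acct, addrs in source_ips_by_account(evts).items():
        print(f"{acct}: {addrs}")
    for leak in find_vpn_leaks(evts, "svc-deploy"):
        print(f"non-VPN source for svc-deploy at {leak['ts']}: {leak['ip']} ({leak['action']})")
```

The check is deliberately narrow: it only reports addresses outside the VPN ranges for accounts that were otherwise using the VPN, so an ordinary account connecting from an office or home address produces no noise. A responder would then pivot on the surfaced address in other logs (VPN provider records, payment or registration data, as the article describes) rather than treat the single hit as conclusive.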

From bad, to worse, to even worse than that

A visit from law enforcement might deter most people from further antics. If it were me, I’d cut my losses and keep a very low profile. However, this story was made for further antics. The Department of Justice claims the alleged perpetrator posed as a company whistleblower after the FBI had searched his home. This “whistleblower” routine took the form of stories potentially damaging to the Ubiquiti Networks organisation.

This is, frankly, an astonishing chain of events. Especially considering this hack had such a big impact on stock. It remains to be seen what, exactly, would drive someone to this sort of self-destructive cavalcade of disaster. For now, you’ll have to make do with the indictment (PDF).

When insiders attack

We’ve talked about the harms caused by insider threats many times on this blog. Problems can arise from disgruntled employees who’ve gone past the point of no return with scores to settle. Ex-employees who didn’t have their access to systems revoked can be a problem. Even the humble printer can become a battleground for keeping certain types of special paper out of easy reach. Even the FBI aren’t safe from such events.

It’s not possible to eliminate this issue completely, unfortunately. On the bright side, we can see that even in a case as severe as the Ubiquiti attack, the long arm of the law can catch up with criminals eventually—no matter how well prepared they think they are.

The post Attacker unmasked by VPN flubs charged with Ubiquiti hack appeared first on Malwarebytes Labs.