IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

Police seize DoubleVPN data, servers, and domain

A coordinated effort between global law enforcement agencies—led by the Dutch National Police—shut down a VPN service that was advertised on cybercrime forums. The VPN company promised users the ability to double- and triple-encrypt their web traffic to obscure their location and identity.

The service, called DoubleVPN, had its domain page seized on June 29. According to a splash page that has replaced DoubleVPN’s domain, in seizing the VPN’s infrastructure, law enforcement also seized “personal information, logs, and statistics kept by DoubleVPN about all of its customers.”

“Servers were seized across the world where DoubleVPN had hosted content, and the web domains were replaced with a law enforcement splash page,” Europol said in a press release issued Wednesday. The takedown effort received support from law enforcement and judicial authorities in The Netherlands, Germany, the United Kingdom, Canada, the United States, Sweden, Italy, Bulgaria, and Switzerland, along with coordination from Europol and Eurojust.

According to an archive of DoubleVPN’s domain before it was seized, the company offered “simple,” “double,” and “triple” encryption to customers. Like any VPN service, DoubleVPN told its users that their web activity would first be encrypted through a VPN tunnel before connecting them to the Internet. The additional layers of encryption advertised by the company—which came in costlier monthly subscription plans—came from additional connections to VPN servers that DoubleVPN controlled.

In its press release, Europol said DoubleVPN “was heavily advertised on both Russian and English-speaking underground cybercrime forums as a means to mask the location and identities of ransomware operators and phishing fraudsters.” A screen capture taken by the news outlet BleepingComputer appears to support this. In the image, a hacker forum user is answering a question about the “best, fully anonymous” VPN service and they offer two options. One of those options is DoubleVPN.


Hear the story of how a cyberstalker who hid his activity through a VPN was eventually caught

The takedown now marks at least the third time this year that law enforcement agencies across the world have come together to stop cybercrime.

In January, Europol was also involved in taking down the infrastructure of the Emotet botnet, and just two weeks ago, Ukrainian law enforcement officials—aided internationally—arrested several individuals allegedly involved in money laundering for the Clop ransomware gang.

The post Police seize DoubleVPN data, servers, and domain appeared first on Malwarebytes Labs.

Fired by algorithm: The future’s here and it’s a robot wearing a white collar

Black Mirror meets 1984. Imagine that your employer uses a bot to keep track of your “production level.” And when this bot finds that you are an under-performer it fires off a contract-termination mail. Does this sound like the world you live in? Unfortunately, for some people it is.

The case

Amazon.com has used algorithms for many years to manage the millions of third-party merchants on its online marketplace. In those years many sellers have been booted for selling counterfeit goods and jacking up prices. Which makes sense, when it’s justified. But who do you argue with if the deciding party is a bot?

Now, according to an investigation by Bloomberg, Amazon is dealing with its Flex drivers in the same way. Flex drivers are “gig” workers who handle packages that haven’t made it on to an Amazon van but need to be delivered the same day.

Tracking the workflow

So, being fired by a bot is not something we want to warn you about because it might happen in the future. It already happens. As we have reported before, many employers find it necessary to spy on their workforce, especially now that working from home (WFH) is under discussion. Should we continue to work from home now that it looks like offices are slowly opening up again in many countries? Can we find some middle ground now that we have found out that WFH works much better than we expected? By now many organizations have the tools and infrastructure in place to allow WFH where and when possible. Do workers even want to continue working from home? I imagine many will be happy to return to the office even if they won’t say it out loud. Does being monitored, be it at home or in the office, make any of this easier?

Doomsday scenario?

So, what does workflow tracking have to do with bots firing real people? Well, in Amazon’s case the algorithm received information about the times the drivers were active, how many deliveries they made in that time, and whether delivered packages fell victim to theft by so-called “porch pirates”. These numbers were crunched into a rating for each individual driver. One too many bad ratings and the driver could expect to get the mail that told them their services were no longer needed.

Bloomberg interviewed 15 Flex drivers, including four who say they were wrongly terminated, as well as former Amazon managers who say the largely automated system is insufficiently aware of the challenges drivers face every day.

Blame the method, not the bot

Some will argue that computers are heartless machines, and they are right. But what about the managers who leave these kinds of decisions to the machines? Are they hiding behind the decision the algorithm made because they are not brave enough to make those decisions themselves? Or is hiring and firing such a legal minefield that it’s easier to leave it to an algorithm?

It’s not even the blind trust in the algorithm that is infuriating. It’s the shrug when such a life-changing decision is left to a machine. And how would management be able to find out whether there are flaws in the algorithm without thorough investigations? According to Bloomberg, many Amazon Flex drivers did not take their dispute to arbitration because of a $200 fee and little expectation of success. In doing that they may also have denied the algorithm the kind of “false positive” data it would need in order to improve.

Artificial Intelligence and human decisions

In several business functions, such as marketing and distribution, artificial intelligence (AI) has been able to speed up processes and provide decision-makers with reliable insights. In my opinion that describes how this should work. The algorithm can produce all the numbers it wants, and a human decision-maker can assess whether there is a reason to talk to the employee who seems to be performing below par. Find out what is going on. What is the reason for the lack of results? Discuss how performance can be brought back to a satisfactory level. Have a conversation that empowers the employee. Research has shown that when employees feel empowered at work, this results in stronger job performance, job satisfaction, and commitment to the organization. That sounds a lot better than getting caught up in arbitration cases.

The underlying problem

Former Amazon managers who spoke to Bloomberg accuse their old employer of knowing that delegating work to algorithms would lead to mistakes and damaging headlines. Instead, they say, Amazon decided it was cheaper to trust the algorithms than pay people to investigate mistaken firings, so long as the drivers could be replaced easily.

Those that get fired by the bot and did take the trouble to challenge their poor ratings say they got automated responses. At least, they were unable to tell if they were communicating with real people. According to Bloomberg, a former employee at a driver support call center claims dozens of part-time seasonal workers with little training were overseeing issues for millions of drivers.

Algorithms

Amazon has automated its human-resources operation more than most companies. Maybe these are teething troubles, or maybe they overdid it. What’s certain is that, whether it’s at Amazon or elsewhere, the use of algorithms to make decisions that have a big impact on people’s lives is making headway. Before we go any further into turning Black Mirror from a work of fiction to a documentary series, it may be wise to think about how impactful we will allow these decisions to be, and whether there are any red lines we shouldn’t cross.

The post Fired by algorithm: The future’s here and it’s a robot wearing a white collar appeared first on Malwarebytes Labs.

Binance receives the ban hammer from UK’s FCA

Binance, the world’s largest and most popular cryptocurrency exchange network, has had a rough few days.

First, Japan’s financial regulator, the Financial Services Agency (FSA), issued its second warning to Binance on Friday, 25 June, for operating in the country without permission (The first warning was issued in 2018).

That same day, Binance withdrew its services from Ontario, Canada, after the Ontario Securities Commission (OSC) published a Notice of Hearing and Statement of Allegation against Bybit, another crypto trading platform, based in Singapore, and took it as a sign to bail. The OSC has accused Bybit of noncompliance with provincial regulations.

Then on Saturday, 26 June, the UK’s own financial regulator, the Financial Conduct Authority (FCA), ordered Binance to cease activities in the UK. The warning reads:

“Most firms advertising and selling investments in cryptoassets are not authorised by the FCA. This means that if you invest in certain cryptoassets you will not have access to the Financial Ombudsman Service or the Financial Services Compensation Scheme if things go wrong.

While we don’t regulate cryptoassets like Bitcoin or Ether, we do regulate certain cryptoasset derivatives (such as futures contracts, contracts for difference and options), as well as those cryptoassets we would consider ‘securities’. […] A firm must be authorised by us to advertise or sell these products in the UK.”

Binance Markets Limited, Binance’s unit in the UK, filed a registration with the FCA but withdrew its application in May due to not meeting anti-money laundering requirements.

According to the FCA’s Financial Services Register page for Binance Markets Limited, Binance must put up a public notice on its website and apps stating to its UK users that Binance Market is banned from offering its service. The FCA also ordered Binance to “not promote or accept any new applications for lending by retail customers through the operation of its Electronic Lending System, and must cease marketing any reference to EddieUK/Binance/BinanceUK being an FCA regulated platform for buying and trading cryptocurrencies.”

Binance troubles in the first half of 2021

In March, Bloomberg reported that the US Commodity Futures Trading Commission (CFTC) was investigating whether Binance, which isn’t registered with the agency, allowed US citizens to buy and sell derivatives—something that the CFTC regulates. As of that report, Binance had not been charged with any wrongdoing. That said, Changpeng Zhao, CEO of Binance, took to Twitter to air his thoughts.

The following month, the Federal Financial Supervisory Authority—or BaFin, Germany’s financial regulator—issued a warning to Binance for potentially violating securities laws by offering “stock tokens” without the correct documentation. This means that Binance allegedly failed to issue a prospectus.

A prospectus is an official document that tells investors what a particular investment is about so they can make an informed decision. It gives potential investors information on the security being offered, the company offering it, and the financial risks that accompany the investment.

Stock tokens that track the movement of shares in (at that time) MicroStrategy, Tesla, and Coinbase represent securities that require a prospectus. These tokens are bought and sold using Binance’s own cryptocurrency.

Magic words

As the FCA issued a warning to British consumers about Binance Markets Limited, the financial regulator also offered words of wisdom to anyone interested in investing in cryptocurrency assets: Do your research.

It’s very easy to get caught up in the hype, and the loudest voices could be enough to drown out any more sensible ones. Doing your research, reading up on the company you’re going to be investing in and on what you’re investing in, and reading stories of both successes and failures in such investments, puts you in a better position to avoid hasty decisions. Furthermore, make sure they are legally recognized to conduct business in your country, else no one will back you up if or when things go south—and sometimes they do pretty quickly.

“Check with Companies House to see if the firm is registered as a UK company and for directors’ names. To see if others have posted any concerns, search online for the firm’s name, directors’ names and the product you are considering,” the FCA urges the British public, “Always be wary if you are contacted out of the blue, pressured to invest quickly or promised returns that sound too good to be true.”

The post Binance receives the ban hammer from UK’s FCA appeared first on Malwarebytes Labs.

A week in security (June 21 – June 27)

Last week on Malwarebytes Labs:

Other cybersecurity news:

Stay safe, everyone!

The post A week in security (June 21 – June 27) appeared first on Malwarebytes Labs.

Is it game over for VR advergaming?

We’ve been warning about advergaming—the combination of virtual reality (VR) and ads—for years on the Labs Blog. I’ve given a few talks on the subject too, and on how ad networks will slowly work their way into enclosed spaces formerly reserved for your head. They still might, but thanks to a recent decision involving the Oculus VR game Blaston, that version of the future looks less certain than it once did.

VR gaming: The hardware differences

There are two main types of VR headset, one more expensive than the other. The cheaper option is any “empty shell” headset you care to mention. They could be made of plastic, or cardboard, and may require self assembly. There’s no hardware or software component at all, it’s just fancy goggles with a space for your mobile. All of the VR activity takes place on your goggle-mounted phone. Unless you have a recent model, you may struggle to run software successfully.

The more expensive option is the dedicated headset. These work with VR-ready PCs, and combine a lot of intricate hardware and software built into the device. There’s frequently additional coupling with platform-specific software installed on the PC. A final splash of integration may come from gaming platforms such as Steam.

The major players here are Oculus, HTC Vive, and Steam’s new Index headset. Now that we’ve covered the headsets, we’ll briefly dive into potential types of VR advertising.

VR adverts: The lay of the (virtual) land

VR ads are attractive to advertisers because they have the potential to crank the behavioural advertising we’re used to on the web—where advertisers watch what you do, build a profile, and show you personalised ads—up to eleven.

For the cheaper, mobile VR sets, Adobe made waves in 2017 with an ad platform optimised for mobile VR platforms. It also potentially had the ability to pop ads while in a movie theatre, which may or may not be your cup of heavily discounted tea. Nokia were particularly enchanted by mixed reality advertising. Indeed, adding digital elements to real world views has become very popular and mimics many common mobile features used daily. This familiarity probably helps put viewers of mixed reality ads somewhat at ease.

The really big potential for ads lies with the top end hardware though. In 2017, HTC made headway with “Innovative VR ads.” This was a pretty sophisticated setup, similar in look and feel at the sign-up process to other ad platforms, like Google Ads. Sales/payout reports, test/publish facilities, 2D and big screen video ads were just some of its features.

The most interesting part was the eye tracking functionality. Many VR games track eye movement to further aspects of gameplay. Here, it served to let publishers know if gamers or headset users looked at their ads. If nobody looked, no charges from the ad system would be forthcoming.

Deepening the ties between games and adverts

One potential danger from advergaming is that a deep level of ad tracking can impact a game’s level design. For example: developers make use of systems like heatmaps, particularly in multiplayer titles. A heat map shows where players go, and where they avoid. You can see which parts of your map are popular, and which are essentially dead zones. Developers will sometimes revamp maps based on this data.

Where it goes wrong is when developers become too immersed in the ad systems populating their games. Imagine a scenario where developers generate income from ads in their title. They may make money when people look at the ads, for example, the same way ad publishers are only billed if the ad network tracks players looking at the ads.

There’s an incentive for the developers to place the ads in ever more prominent…some may say intrusive…locations. This could harm the overall aesthetic of a title, or make level design worse in favour of jamming adverts everywhere. It also raises an interesting question. Is a game developer who places adverts like that gaming the advertising network’s system? That’s something for the devs, ad publishers, and ad network to figure out.

This was all back in 2017. How did the VR ad landscape evolve?

The changing face of VR ads

By the end of 2018, companies involved in the VR/AR ad space were talking about serving 1 billion ad impressions, and how the “novelty” factor had mostly fallen away. By the end of 2019, there was evidence that some organisations had found success with so-called “immersive” ad campaigns. This was especially the case where technology like 360 degree video was deployed. Even so, there hasn’t really been a buzz with regard to VR/AR ads in gaming spaces. Until now, that is.

Negative buzz is still a form of buzz, right?

A timeline of ad disaster

May, 2021

Back in May, Oculus announced a lot of additions for tools, apps, and videos. It also mentioned the introduction of an ad ecosystem, and tied it to notions of “discoverability” and helping developers. They did also link to an article explaining how to control the ads users see. However, leaving mention of ads till the very end is something which would annoy some people on the assumption it may be something a lot of folks don’t bother reading. What sort of reader numbers make it to the end of an arguably already niche post?

Not a major thing, but something which immediately leaps out.

June, 2021

This is the point where Oculus explained how ad testing is going to work. Specifically, adding in-headset ads to the popular VR title Blaston. There are ways to make ads properly integrated into a video game title. You wouldn’t have an advert for SPACE WARS 2067 in a World War 2 setting, or an advert for a brand new motorcar on the last billboard in a ruined apocalypse. I mean, you might, but it wouldn’t look very good.

Things like that leap out. By the same token, we can argue that ads seamlessly integrated into games to the point you don’t notice them are incredibly sneaky. You can see more of that fine line here.

I’m not familiar with Blaston myself, but the screenshots look very out of place. The blog talks about making sure the ad content is relevant to the VR user, but nobody seems to consider the relevance of the ad to its environment. Put simply: An ad for “Fast free delivery” of Jasper’s something or other, lit up in bright green against an otherwise grimy, purple landscape fairly screams “I don’t belong here”.

The post also goes into detail about restrictions on ads, which is welcome. For example, they don’t use information processed / stored locally. They don’t use movement data to target ads, unlike some other ad plans where tracking / movement is an important element. Random conversation content is also off the table, they don’t want it.

That’s good, then. However, they also promised “more to come”. Shall we see how this all panned out?

The crushing inevitability of what comes next

You can probably guess where this is going, so without further ado:

The major problem here is that Blaston is a paid-for title. Given Oculus headsets are a premium purchase as it is, gamers would likely feel incredibly annoyed at having ads placed in something they paid various amounts of money for. The game is also available on the Steam platform, where it can be played via Oculus, HTC Vive, or Valve Index. Unless I’ve missed it, there’s no mention of ads being introduced while playing with Vive or Index.

That’s an immediate product disparity liable to fan the flames of anger.

The devs appear to have realised this, and have suggested resuming the ad trial in one of their free titles at a later date. All the same, some damage has potentially been done to the game’s brand. I hadn’t heard of it prior to this, and now all I’ll probably think is “Oh, that game with the advert blowout.”

Game over?

Despite ads in VR games being pushed as “the next big thing” way back in 2017, it’s now 2021. There are a lot of ad impressions for VR/AR generally. Organisations are definitely making money from it.

Games, though? Those are going to be a very tough sell. This is, again, one small test of ad-placements to see how it all fits together…and look what happened! Game developers will be looking at the sudden blast of negative reviews for Blaston, and likely choosing to avoid ad integration for their paid titles at a bare minimum. For whatever financial boost it gives a software house, the solid chorus of condemnation is probably something they’ll want to avoid for a long time to come.

The post Is it game over for VR advergaming? appeared first on Malwarebytes Labs.

Lil’ skimmer, the Magecart impersonator

This blog post was authored by Jérôme Segura

A very common practice among criminals consists of mimicking legitimate infrastructure when registering new domain names. This is very true for Magecart threat actors who love to impersonate Google, jQuery and many other popular brands.

In this post we look at a skimmer recently disclosed by security researchers that has been around for over a year but managed to keep a low profile. In addition to naming several of their domains after Google, the threat actor is also naming their domains after the websites they have compromised.

Often, identifying additional infrastructure on the same network is a relatively simple exercise. But in this case it is more complex because the hosting servers carry a large number of domain names, many of which are also malicious but not skimming related. Hiding in the noise is another common trait of threat actors.

Keeping it simple

This skimmer was publicly mentioned by Eric Brandel in early June 2021 and unlike Magecart JavaScript code, this one is very straightforward. Jordan Herman had also previously spotted this skimmer and referred to it as Lil’ Skim. Based on an urlscan.io crawl, it appears the earliest instance is from at least March 2020, via googie[.]host.

A dense network hiding more skimmer domains

A quick review of the Autonomous System (AS198610 Beget) where those skimmer domains are found shows a significant number of malicious hosts tied to phishing kits, Windows payloads, and Android malware just to name a few. Two IP addresses in particular, 87.236.16[.]107 and 87.236.16[.]10, are host to additional skimmer domains belonging to Lil’ Skim.

Figure 1: VirusTotal Graph showing a number of Google-like domains

For example, tidio[.]fun is a play on tidio.com, a chat application for website owners wishing to interact with customers. We recognize the same Lil’ Skim code here as well:

Figure 2: tidio[.]fun hosts the same Lil’ Skim skimmer

Custom domains by compromised store

And then we discovered a number of skimmer domains that were named after compromised stores. This in itself is not a new practice and is often seen with phishing sites. The threat actor simply replaced the top level domain name with .site, .website or .pw to create hosts that load the skimmer code and receive stolen credit card data.

Figure 3: Legitimate website and copycat domain hosting a skimmer
Figure 4: Legitimate website and copycat domain hosting a skimmer

All the domains we found (cf. IOCs) were hosted on 87.236.16[.]107.
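Both naming tricks described above, brand typosquats such as googie[.]host and a store’s own name moved to a cheap TLD, can be caught by the same defensive check. The following script is an example written for this article, not Malwarebytes’ or the researchers’ code; the brand table, the hypothetical store examplestore.com and the candidate domains are constructed sample data.

```python
"""Flag Lil' Skim-style lookalike domains (example code, constructed data).

Pattern 1: a web-infrastructure brand misspelled (googie, c1oudflare) or
parked on the wrong TLD (tidio[.]fun, googletagmanager under .space).
Pattern 2: a store's own registrable name under .site / .website / .pw.
"""

# Brands the actor imitates, keyed to the TLD where the real service lives.
# Constructed list: extend it for the scripts your own shop actually loads.
BRANDS = {
    "google": "com",
    "googletagmanager": "com",
    "googleapis": "com",
    "jquery": "com",
    "cloudflare": "com",
    "tidio": "com",
    "facebook": "com",
}

# Domains a defender wants to watch for copycats (hypothetical store).
MY_STORES = {"examplestore.com"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as googie[.]host into googie.host."""
    return indicator.replace("[.]", ".").strip().lower()


def split_registrable(domain: str) -> tuple[str, str]:
    """Return (registrable label, tld) using the last two labels.

    Sufficient for the single-label TLDs in this campaign (.site, .website,
    .pw, .fun, .host); a public-suffix list is needed for co.uk-style suffixes.
    """
    labels = domain.rstrip(".").split(".")
    if len(labels) < 2:
        return domain, ""
    return labels[-2], labels[-1]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch one- or two-letter swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(indicator: str) -> list[str]:
    """Return the reasons a domain looks like skimmer infrastructure ([] if none)."""
    label, tld = split_registrable(refang(indicator))
    reasons = []

    # Pattern 2: the store's own name under a different TLD.
    for store in MY_STORES:
        s_label, s_tld = split_registrable(store)
        if label == s_label and tld != s_tld:
            reasons.append(f"copycat of {store} under .{tld}")

    # Pattern 1: the whole label, or a hyphen-separated token of it such as
    # 'googie' in 'googie-analytics', is a brand name misspelled or on the
    # wrong TLD.
    tokens = {label, *label.split("-")}
    for brand, legit_tld in BRANDS.items():
        # Two edits for long brand names, one for short ones, so that an
        # ordinary word like 'video' is not reported as a typo of 'tidio'.
        max_edits = 2 if len(brand) >= 8 else 1
        for token in tokens:
            dist = levenshtein(token, brand)
            if dist == 0 and tld != legit_tld:
                reasons.append(f"{brand} on unexpected TLD .{tld}")
            elif 0 < dist <= max_edits:
                reasons.append(f"typosquat of {brand} ({dist} edit(s) away: {token})")
    return reasons


if __name__ == "__main__":
    # Constructed candidates: the first two are named in the post, the rest
    # are invented to exercise both patterns and a clean case.
    for candidate in ["googie[.]host", "tidio[.]fun", "c1oudflare[.]site",
                      "examplestore[.]site", "examplestore.com", "google.com"]:
        print(candidate, "->", classify(candidate) or "no match")
```

Feed it newly registered domains or the script hosts seen in your checkout pages’ CSP reports; a hit on pattern 2 for your own store name is the signal the post describes.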

Conclusion

Lil’ Skim is a simple web skimmer that is fairly easy to identify and differs from other Magecart scripts. The threat actor is keen on impersonating internet companies, but also the victim sites it goes after.

We were able to track this actor across the same ASN, where they registered a number of different domains over a period of at least a year. There are likely more pieces of infrastructure to uncover here, but that might be a time-consuming process.

We have notified the stores that have been impacted by this campaign. Additionally, Malwarebytes customers are already protected via our web protection module across our different products including Malwarebytes Browser Guard.

Indicators of Compromise

The following IOCs are linked to urlscan.io crawls whenever possible.

Skimmer IPs

87[.]236[.]16[.]107
87[.]236[.]16[.]10

The post Lil’ skimmer, the Magecart impersonator appeared first on Malwarebytes Labs.

What is the WireGuard VPN protocol?

In layman’s terms, a VPN uses encryption to create a private online connection between a device and a VPN server. With a good VPN service, you can shield your data from curious eyes.

A VPN protocol is the set of rules that shapes how your data travels between your computer, mobile phone, tablet, or any other device, and a VPN server. The type of VPN protocol that you use can affect the speed, stability, ease of use, security, and privacy of your connection.

WireGuard is the newest player in the VPN protocol world and has many advantages over older protocols. Many experts are excited about WireGuard because it trims the fat to be faster and lighter than protocols like OpenVPN. For example, WireGuard has fewer than 4000 lines of code, while other protocols have hundreds of thousands of lines. However, like any cutting-edge technology, the protocol also has some areas to improve.

WireGuard vs OpenVPN and other protocols

Many popular VPN protocols preceded WireGuard. While some are obsolete, others remain popular today. One of the earlier ones, the Point-to-Point Tunneling Protocol (PPTP), was created in the mid-90s by Microsoft to enhance privacy on the now obsolete dial-up networks.

PPTP’s basic encryption is a bit of a double-edged sword. Although PPTP is fast because of its light security, it’s also vulnerable to breaches. Its successor, Layer 2 Tunnel Protocol (L2TP), is more secure once paired with IPsec (Internet Protocol Security). Unfortunately, L2TP/IPsec is slow and easy to block with network firewalls. 

You must also look at Secure Socket Tunneling Protocol (SSTP) to truly compare VPN protocols. Another protocol from Microsoft, SSTP, is more secure and more challenging to block than PPTP. Unfortunately, it’s challenging to run on platforms other than on Windows and offers limited access to developers.

OpenVPN is popular because it’s a well-rounded protocol—it’s open-source and features AES encryption with 256-bit keys. Experts say that even the most powerful supercomputer today would need millions of years to break 256-bit encryption.

Despite its many strengths, OpenVPN is far from perfect. The most common complaint about OpenVPN is that it’s slow. It’s not unusual for a video streaming through OpenVPN to turn into a slideshow. Some users also complain about connections dropping on OpenVPN. This is where WireGuard comes in. The protocol is stable, speedier, less complex, and easier to configure than OpenVPN.

How fast is WireGuard?

One study tested 114 VPN servers to see if WireGuard is faster than OpenVPN. Here are the highlights:

  • WireGuard was quickest in nearly 60% of the download tests.
  • WireGuard is almost 15% faster than OpenVPN on UDP.
  • WireGuard is 56% faster than OpenVPN on TCP.

It’s faster than OpenVPN, but is WireGuard safe?

WireGuard isn’t just quick, it’s also very secure. At Malwarebytes, we pair WireGuard with 256-bit AES encryption to safeguard connections.

One thing to note about WireGuard is that by default, the protocol assigns the same IP address every time a user connects. Using the same address each time gives users a predictable ID that’s shared with every service they use, including any advertisers watching on.

To counter this, some VPN service providers modify the VPN protocol so that it assigns a random IP address, which makes it harder for advertisers, websites, and others to track your activity from one session to the next.
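The fixed assignment described above comes from WireGuard’s cryptokey routing: the server binds each peer’s public key to one tunnel address. The minimal wg-quick server configuration below is an example added here, not taken from the post or from any provider; the keys are placeholders and the addresses are constructed.

```ini
# /etc/wireguard/wg0.conf on the VPN server (illustrative example; keys are
# placeholders, addresses are constructed)
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY_PLACEHOLDER>

# Cryptokey routing: each peer's public key is bound to exactly one tunnel
# address. A client that keeps using this key pair is therefore 10.8.0.2 in
# every session, which is the fixed assignment the paragraph describes; its
# own config must carry "Address = 10.8.0.2/32" to match.
[Peer]
PublicKey = <CLIENT_A_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.8.0.2/32

[Peer]
PublicKey = <CLIENT_B_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.8.0.3/32
```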

A number of popular VPN services have embraced WireGuard to offer customers fast and secure connections. If you’ve heard that VPNs slow down your connection significantly, if you’re looking for a VPN to use while gaming, or if you just generally want a fast VPN service, providers that use the new WireGuard protocol are worth looking into.

The post What is the WireGuard VPN protocol? appeared first on Malwarebytes Labs.

Brave takes aim at Google with privacy-first search engine

The privacy-forward web browser Brave launched its new search engine in beta on Wednesday, promising a more private experience that does not track user searches, build user profiles, or require the use of an external, pre-existing search index to deliver results.

Clear from the company’s early marketing, Brave intends to position its search tool as a foil to Google, telling audiences in a promotional video that using its new search tool alongside its browser provides “the first, independent, 100 percent private alternative to Google Search and Chrome.”

How Brave expects to compete against Google—which owns 92 percent of the global search engine market share—is less clear, as “search” today is not just the delivery of information, but also the integration of that information into a company’s product suite, like when a Google search for a restaurant’s location can auto-populate that restaurant’s address into Google Maps, or when a Google search for movie times considers a user’s location.

For Google, its search business is not just an Internet answer box. It is the oil that both fuels and smooths its online convenience machine.

To its credit, Brave is expanding its offering. The company launched both a news reader and a combination VPN and firewall tool last year, and since 2019, it has implemented a novel advertising model that lets users earn money for viewing “privacy-preserving” ads.

From a certain lens, then, Brave’s growing stable of products begins to resemble a response to Google’s massive data collection regime—a suite of tools that do not prioritize making life easier for the user but making life harder for those who invade user privacy. (The company has also pushed back against FLoC, Google’s new online tracking model released just months ago.)

Brave Search features

Brave Search, which was available to a limited number of users before Wednesday’s beta release, promises users a unique set of features that the company claims no other browser provides. Users will enjoy “fully private, anonymous search,” much like DuckDuckGo, which means that users will not have their searches collected, shared, or sold for advertising purposes, and users will not have profiles built on their search activity.

Users will also get the benefit of transparent search result rankings and a search engine that integrates directly into a web browser made by the same company. In fact, by next year, the company plans to make Brave Search the default search engine in its web browser.

Further, according to the company, Brave Search is one of the rare search engines today that is not built on another company’s search index, meaning that its results are not simply collected by Google and repackaged by Brave’s engine. Instead, Brave Search is powered by an independent scan of the Internet—an enormous task which was likely made possible by Brave’s purchase in March of Tailcat, a search engine developed by a team previously working for the privacy-focused web browser Cliqz. That Munich-based company once positioned its own product as an alternative to Google’s search, but it shuttered in May 2020 following disruptions due to coronavirus.

Brave Search also provides a surprising amount of information about its independent search index.

For instance, every single Brave Search query provides basic info about whether the engine relied on third parties—often Google and Bing—to complete the delivered search results. When Malwarebytes Labs searched “Malwarebytes,” Brave Search said that “all results” came from Brave alone. Brave Search also provides users with an “independence metric”—offered as a percentage—from a personal and global perspective. These metrics express the same measurement of whether Brave relied on third parties, but the personal metric is derived from someone’s aggregate, personal searches, whereas the global metric is derived “from all searches, across all people who use Brave Search,” the company said.


As to how Brave Search will make money? The company already hinted at two models—a paid option with no advertisements, and a free option supported by ads. In the Brave Search FAQ, the company wrote that both options could be on the table for users who want to choose.

It is still early days for Brave Search, and competing in the online search market is far from easy. Still, more options for users means more ways that users can take control of how they engage online. Whether enough users will peel away from Google is a different question, because Brave’s big bet isn’t about convenience—it’s about privacy.

The post Brave takes aim at Google with privacy-first search engine appeared first on Malwarebytes Labs.

Complicated Active Directory setups are undermining security

Security researchers and technical architects from SpecterOps have found that almost every Active Directory installation they have looked at over the last decade has had some kind of misconfiguration issue. And misconfigurations can lead to security issues, such as opportunities for privilege escalation.

The researchers have written a paper (pdf) about Active Directory Certificate Services (AD CS) to raise awareness for both attackers and defenders alike of the security issues surrounding this complex, widely deployed, and often misunderstood system. They will also present this material at BlackHat USA 2021.

Active Directory Certificate Service

Countless organizations around the world use Windows Server as the base for their IT infrastructure. Many of them also use Public Key Infrastructure (PKI) for their authentication needs. For example, PKI is used for certificate-based authentication, securing web servers (SSL), and digital signatures for documents.

Active Directory Certificate Services (AD CS) is the server role that lets you set up a PKI which provides the public keys, digital certificates, and digital signatures for your organization. All of these can be obtained in other ways, but the big advantage for large organizations is that AD CS can do this at scale. This is mainly because Active Directory Domain Services, which holds all the relevant information about each member of the domain, is linked to AD CS and lets it use that information.

Abusing AD CS

In their paper, the researchers lay out three areas where misconfigurations in AD CS can be abused for malicious purposes:

  • Credential theft that can survive password changes and can bypass smart card authentication.
  • Privilege escalation methods that allow attackers to act as any user in the domain, including their privileges.
  • Domain persistence attacks that allow attackers to log on as any Active Directory user, so they can use their privileges at any time.

As you can see, the researchers have focused on user authentication, and specifically on how certificate-based authentication is performed.

The paper provides a lot of detail and many scenarios for achieving one or more of the malicious purposes above, which can really help a cybercriminal infiltrate an organization’s network and provide the means for lateral movement once inside. It is beyond the scope of this post to go into those details, but I can recommend the paper (142 pages) to those interested in the gritty details.

Too complicated

The researchers are the first to admit that while there is nothing inherently insecure about AD CS, it is hard to configure in a secure way. Many misconfigurations can be explained by system administrators and IT staff enabling settings for valid reasons, but without a complete understanding of the security implications that come with changing that setting.

An example from the paper:

“There is a GPO (Group Policy Object) setting titled “Allow certificates with no extended key usage certificate attribute” whose documentation makes it sound like you need to flip this switch to allow certificate authentication with the All Purpose EKU (Extended Key Usage), Client Authentication EKU, or no EKU in modern environments. However, this is a client side setting only. An older description for this GPO states that it affects which smart card-based certificates will show up on a logon screen, which matches the behavior we’ve seen.”

Anyone who has ever worked with Windows GPOs will recognize how hard it sometimes is to work out what the effect of changing a setting will be, let alone how it will influence security in conjunction with other settings.

Offensive tools

The researchers have decided to hold off on presenting any tools that can be used for offensive purposes until their presentation at BlackHat.

“We believe that the issues described in the paper are severe and widespread enough to warrant a delay in the offensive tool release.”

This gives vulnerable organizations some time to fix their issues, and gives security providers time to implement protection based on the IOCs/YARA rules that the researchers have published for their tools Certify and ForgeCert.

Mitigation

In response to this paper, Microsoft has issued a blog post that details how recent Extended Protection for Authentication related updates can help safeguard authentication credentials on the Windows platform. This includes actions to change a default configuration that was flagged by the researchers as a serious security issue. Microsoft has indicated it has no plans to change this default configuration as part of an update, so system administrators and IT staff are advised to do this themselves.

If you are curious about the security of your own AD CS settings, the researchers have released a tool called PSPKIAudit that audits AD CS for vulnerable configurations. Their paper also contains instructions and guidelines for finding and fixing vulnerable AD CS configurations.
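To make the kind of check an audit performs concrete, here is an added example (not PSPKIAudit, and not SpecterOps or Microsoft code) that evaluates certificate templates for the combination of settings behind the privilege escalation class listed above: a template whose requester may choose the subject name, that yields logon-capable certificates, that needs no approval or additional signatures, and that a broad group of principals can enroll in. The flag bits and EKU OIDs are the documented values from the template attributes `msPKI-Certificate-Name-Flag`, `msPKI-Enrollment-Flag`, `msPKI-RA-Signature` and `pKIExtendedKeyUsage`; the `enroll` list and the set of "broad" principals are simplifying assumptions of this example (a real audit resolves the template's security descriptor), and the sample templates are constructed rather than taken from a real domain.

```python
"""Audit AD CS certificate templates for the risky setting combination that
lets a low-privileged requester obtain a certificate for another account.
Added example, not PSPKIAudit or SpecterOps code.  Each template is a dict
mirroring the LDAP attributes of objects found under
CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,...
The templates below are constructed samples, not taken from any real domain."""

# Flag bits as documented in [MS-CRTD]
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002         # in msPKI-Enrollment-Flag: manager approval

# EKU OIDs that make a certificate usable to log on as its subject
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}

# Principals whose enrollment right means "practically every account".  Assumption
# for this example: a real audit resolves the template's security descriptor.
BROAD_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


def allows_authentication(template):
    """True if the template yields logon-capable certificates.  An empty EKU
    list is the worst case: the certificate is then valid for any purpose."""
    ekus = set(template.get("pKIExtendedKeyUsage", []))
    return not ekus or bool(ekus & AUTH_EKUS)


def audit_template(template):
    """Return a list of findings for one template (empty means nothing flagged)."""
    findings = []
    supplies_subject = bool(template.get("msPKI-Certificate-Name-Flag", 0)
                            & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    manager_approval = bool(template.get("msPKI-Enrollment-Flag", 0)
                            & CT_FLAG_PEND_ALL_REQUESTS)
    signatures_required = template.get("msPKI-RA-Signature", 0) > 0
    broad_enrollment = bool(BROAD_PRINCIPALS & set(template.get("enroll", [])))

    if (supplies_subject and allows_authentication(template)
            and not manager_approval and not signatures_required and broad_enrollment):
        findings.append("requester supplies the subject name on a logon-capable "
                        "template with no approval step and broad enrollment rights")
    if not template.get("pKIExtendedKeyUsage") and broad_enrollment:
        findings.append("no EKU restriction (any-purpose certificate) with broad enrollment rights")
    return findings


def audit(templates):
    """Map template name -> findings for every template in the list."""
    return {t["cn"]: audit_template(t) for t in templates}


SAMPLE_TEMPLATES = [
    {   # user template in the usual shape: subject is built from AD, not supplied
        "cn": "User", "msPKI-Certificate-Name-Flag": 0x0, "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0, "enroll": ["Domain Users"],
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4", "1.3.6.1.4.1.311.10.3.4"],
    },
    {   # admins may supply a subject, but the certificate is only for server auth
        "cn": "WebServer", "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0, "enroll": ["Domain Admins"],
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
    },
    {   # the risky custom template: any domain user picks any subject, no approval
        "cn": "VPNUsers-Custom", "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0, "enroll": ["Domain Users"],
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
    },
    {   # the same template after the fix: certificate manager approval is required
        "cn": "VPNUsers-Fixed", "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS, "msPKI-RA-Signature": 0,
        "enroll": ["Domain Users"], "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
    },
    {   # no EKU at all and open to every authenticated principal
        "cn": "AnyPurpose-Custom", "msPKI-Certificate-Name-Flag": 0x0, "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0, "enroll": ["Authenticated Users"], "pKIExtendedKeyUsage": [],
    },
]


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_TEMPLATES).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

The `VPNUsers-Fixed` entry shows one of the remediations: requiring manager approval breaks the chain. Clearing the enrollee-supplies-subject flag or tightening the enrollment rights to the group that actually needs the template are the other two levers, and each of them alone is enough to clear the first finding.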

The post Complicated Active Directory setups are undermining security appeared first on Malwarebytes Labs.

MITRE introduces D3FEND framework

The US National Security Agency (NSA) has announced it will fund the development of a knowledge base of defensive countermeasures for the most common techniques used by malicious threat actors.

The project will be made available through MITRE and is called D3FEND, as it complements MITRE’s existing ATT&CK framework.

MITRE ATT&CK

The MITRE Corporation is a non-profit organization with the mission to “solve problems for a safer world”. It wants to bring security-focused communities together to develop more effective cybersecurity. Where most people may have heard of MITRE because it runs the CVE database of known vulnerabilities, another widely respected resource is its MITRE ATT&CK framework.

The MITRE ATT&CK framework is a knowledge base of offensive tactics and techniques based on real-world observations. It contains information about malicious groups and techniques, and it’s open and available to any person or organization for use at no charge. It’s used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

An ATT&CK example

The MITRE ATT&CK framework is divided into a number of groups that reflect different stages of an ongoing attack.

[Image: MITRE ATT&CK knowledge graph]

As an example, let’s look at the entry “Phishing for information” in the “Reconnaissance” stage.

[Image: the ATT&CK “Phishing for Information” entry]

Users will find a description of the attack vector and some real-world examples, with links to articles or blogs about them. If you look under “Spearphishing” > “Higaisa” you will find a link to our own blogpost about Higaisa, for example. Further down below the description of the attack vector you can find “Mitigations” and “Detection” techniques against the attack vector.

[Image: the Mitigations and Detection sections of the entry]

MITRE D3FEND

So, now MITRE has started to build a similar framework for network defense, with NSA funding. The goal is to help security architects quickly understand the specific capabilities of a wide variety of defensive technologies. This framework will be shared publicly so everyone can use it, and benefit from it in the same way they use the ATT&CK framework.

The main entry to the knowledge base can be found at d3fend.mitre.org.

[Image: MITRE D3FEND graph]

As you can tell from the layout, the defensive techniques have been grouped into a similar linear arrangement: Harden, Detect, Isolate, Deceive and Evict.

Let’s look at an example in the new knowledge base. I’ll grab one that we happen to know a lot about: “File Content Rules”, under “Detect” > “File Analysis”.

[Image: the D3FEND “File Content Rules” entry]

The entry for “File Content Rules” explains how this simple method of pattern matching works and what some of its use cases are. But lower down is the more interesting part: the ATT&CK and D3FEND knowledge bases are tied together by highlighting the ATT&CK techniques related to this D3FEND entry.

[Image: related ATT&CK techniques highlighted in the entry]
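The pattern-matching idea behind “File Content Rules” is simple enough to show in a few dozen lines. The following is an added example, not D3FEND or MITRE code: each rule is a set of byte patterns that must all be present in a file, and a scan reports which rules every file triggers. The rules and the sample files are constructed for the demonstration (the “documents” are plain byte strings, and the PE sample is just a DOS header prefix), and the rule names are hypothetical; D3FEND’s mapping of a detection technique to ATT&CK techniques is a separate layer that this example does not model.

```python
"""A minimal 'file content rules' engine: a rule fires when every one of its
byte patterns is found in the file.  Added example illustrating the D3FEND
technique discussed above; not D3FEND or MITRE code.  Rules, rule names and
sample files are constructed for this demonstration."""
import re

# Constructed rules: name -> (description, patterns that must ALL match)
RULES = {
    "pe_with_script_host": (
        "executable (DOS 'MZ' header) that embeds a script host reference",
        [rb"^MZ", rb"(?i)wscript\.shell"],
    ),
    "office_macro_autoopen": (
        "VBA macro that runs automatically when the document is opened",
        [rb"(?i)Sub\s+AutoOpen", rb"(?i)CreateObject\("],
    ),
}

# Constructed sample files (name -> raw content); not real malware
SAMPLE_FILES = {
    "report.txt": b"Quarterly figures attached. Regards, Finance",
    "invoice_macro.txt": (b'Attribute VB_Name = "ThisDocument"\r\n'
                          b"Sub AutoOpen()\r\n"
                          b'    Set o = CreateObject("WScript.Shell")\r\n'
                          b"End Sub\r\n"),
    "tool.exe": b"MZ\x90\x00" + b"\x00" * 60
                + b"This program cannot be run in DOS mode.\r\n" + b"WScript.Shell",
    "macro_no_trigger.txt": b'Sub Helper()\r\n Set o = CreateObject("Scripting.FileSystemObject")\r\nEnd Sub',
}


def compile_rules(rules):
    """Pre-compile every pattern once; DOTALL so '.' also spans newlines."""
    return {name: (desc, [re.compile(p, re.DOTALL) for p in patterns])
            for name, (desc, patterns) in rules.items()}


def scan_bytes(data, compiled):
    """Names of the rules whose patterns all occur somewhere in `data`."""
    return sorted(name for name, (_, patterns) in compiled.items()
                  if all(p.search(data) for p in patterns))


def scan_files(files, rules=RULES):
    """Map file name -> list of triggered rule names."""
    compiled = compile_rules(rules)
    return {name: scan_bytes(data, compiled) for name, data in files.items()}


if __name__ == "__main__":
    for name, hits in scan_files(SAMPLE_FILES).items():
        print(f"{name}: {', '.join(hits) if hits else 'clean'}")
```

Requiring all patterns of a rule to match is what keeps the false-positive rate down: `macro_no_trigger.txt` contains `CreateObject` but no auto-run entry point, so it is not reported, which is the same trade-off a real rule language such as YARA expresses with its condition section.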

Conclusion

I must say that one of the sentences in the NSA announcement, which tries to explain the mission of D3FEND, initially put me on the wrong track.

“D3FEND enables cybersecurity professionals to tailor defenses against specific cyber threats, thereby reducing a system’s potential attack surface.”

The “tailor defenses against specific cyber threats” immediately gave me the mental image of a game of whack-a-mole. But looking at what has been established so far I think the following sentence describes the project a lot better.

“Our goal is to make it easier for architects to better understand how countermeasures work, so that they can more effectively design, deploy, and ultimately better defend networked systems.”

That is how Peter Kaloroumakis, a principal cybersecurity engineer at MITRE who leads the work on D3FEND, explains it.

It’s about being able to assess whether you have covered all the bases that you feel are worth covering in your case. Many organizations have a specific threat model and need stronger defenses in one area and not so much in others. This gives them a tool to check whether they missed something or where improvements are possible.

Implementation

MITRE and the NSA have urged organizations to start incorporating the D3FEND framework into their security plans as soon as possible. The MITRE Corporation has also released a technical whitepaper (PDF) describing the basic principles and the design of this new framework.

The post MITRE introduces D3FEND framework appeared first on Malwarebytes Labs.