IT News


Prop 24 passes in California, will change data privacy law

First-day returns in California showed voters firmly approving a change to their state’s current data privacy law—which already guarantees privacy protections that many states do not—through the passage of Prop 24.

As of the morning of November 4, according to The Sacramento Bee, 56.1 percent of California voters said “Yes” to Prop 24. At that time, 65.3 percent of the state’s votes had been counted. Though far from a complete tally, the numbers proved advantageous enough for celebration for the “Yes on 24” campaign.

“With tonight’s historic passage of Prop 24, the California Privacy Rights Act, we are at the beginning of a journey that will profoundly shape the fabric of our society by redefining who is in control of our most personal information and putting consumers back in charge of their own data,” said Alastair Mactaggart, chair of Californians for Consumer Privacy and sponsor for Prop 24. “I’m looking forward to the work ahead and the next steps in implementing this law, including setting up a commission that is dedicated to protecting consumers online.”

Proposition 24 represented one of the rarer examples of a data privacy law that split advocates in two. The typical roster of data privacy supporters in the state—including Electronic Frontier Foundation, ACLU of Northern California, Consumer Watchdog, Common Sense Media, Color of Change, and Oakland Privacy—split into three separate camps: support, oppose, or neither.

The disagreement was well-founded. As we reported, while some groups praised Prop 24 because of its increased protections on data that could reveal race and ethnicity, other groups opposed the proposition because of new loopholes that could disproportionately harm minority communities.  

Adding a potential sense of voter whiplash to the ballot proposition was that its biggest supporter and primary funder Mactaggart actually served as one of the lead architects on the very law that the proposition was trying to amend. Two years ago, after announcing an intention to bring a ballot proposition to Californians to better secure their data privacy rights, Mactaggart instead worked directly with California lawmakers to get a bill drafted, passed, and signed by then-governor Jerry Brown.

That law, called the California Consumer Privacy Act, only went into effect in January of this year, and details on its enforcement and on how the public could assert their rights were released only this summer.

In the end, though, none of that drama appeared to matter much to California voters. With the passage of Prop 24, Californians can expect additional protections on what the proposition has defined as “sensitive personal information,” as well as the country’s first government agency established entirely to enforce a data privacy law.  

The post Prop 24 passes in California, will change data privacy law appeared first on Malwarebytes Labs.

QBot Trojan delivered via malspam campaign exploiting US election uncertainties

This blog post was authored by Jérôme Segura and Hossein Jazi.

The 2020 US elections have been the subject of intense scrutiny and emotions, while happening in the middle of a global pandemic. As election night ended and uncertainty regarding the results began to creep in, threat actors decided to jump in on it too.

Those tracking the threat landscape know very well that major world events do not go unnoticed by criminals. In this case, we began observing a new spam campaign delivering malicious attachments that exploit doubts about the election process.

The QBot banking Trojan operators return with yet another themed spam wave, using the same hijacked-email-thread technique to entice victims with malicious “election interference” attachments.

Hijacked email threads pushing bogus DocuSign documents

The malicious emails come as thread replies, similar to what Emotet does to add legitimacy and make detection harder. They contain zip attachments aptly named ElectionInterference_[8 to 9 digits].zip.

While the election results are still being evaluated and debated, victims are enticed to open up the document to read about alleged election interference:

Figure 1: Malicious email with ElectionInterference attachment

The extracted file is an Excel spreadsheet that has been crafted to look like a secure DocuSign file. Users are tricked into enabling macros in order to ‘decrypt’ the document.

Figure 2: Excel document containing malicious macro

This tried-and-tested trick downloads a malicious payload onto the victim’s machine. The URL for that payload is encoded in a cell of a sheet with the Cyrillic name “Лист3”.

Figure 3: Payload URL obfuscation

Once executed, the QBot Trojan will contact its command and control server and request instructions. In addition to stealing and exfiltrating data from its victims, QBot will also start grabbing emails that will later be used as part of the next malspam campaigns.

Figure 4: QBot process flow execution

World events are the best lure

At the core of the malware attacks we witness each day are typical social engineering schemes. Threat actors need to get victims to perform a certain set of actions in order to compromise them.

Spam campaigns routinely abuse email delivery notifications (FedEx, DHL, etc.) or bank alerts to disguise malicious payloads. But world events such as the COVID-19 pandemic or the US elections provide ideal material for crafting effective schemes that result in high infection ratios.

Malwarebytes users were already protected against this attack thanks to our Anti-Exploit technology. Additionally, we detect the payload as Backdoor.Qbot.

Figure 5: Malwarebytes blocking the macro from delivering its payload

Indicators of Compromise

Malicious Excel documents
QBot

china[.]asiaspain[.]com/tertgev/1247015.png

1edfe375fafa1f941dc4ee30702f4af31ba636e4b639bcbb90a1d793b5d4b06c
06be75b2f3207de93389e090afd899f392da2e0f1c6e02226db65c61f291b81b

QBot C2s

142.129.227[.]86
95.77.144[.]238
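As an added example (not code from the original post), the following Python script shows how a defender could triage this campaign offline: it matches attachment names against the ElectionInterference_<8 to 9 digits>.zip naming scheme, checks events against the hashes, payload host and C2 addresses listed above, and inspects an OOXML workbook for an embedded VBA project and the “Лист3” sheet without opening it in Excel. The event field names (attachment, sha256, dst_host), the sample events and the minimal workbook are constructed for the demonstration.

```python
"""Offline triage helpers for the QBot 'ElectionInterference' malspam described above.

Added example, not code from the original post. Indicators come from the post's
IoC section; the sample workbook and events below are constructed for the demo.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Indicators as published in the post (defanged with '[.]').
PAYLOAD_HOST = "china[.]asiaspain[.]com"
KNOWN_SHA256 = {
    "1edfe375fafa1f941dc4ee30702f4af31ba636e4b639bcbb90a1d793b5d4b06c",
    "06be75b2f3207de93389e090afd899f392da2e0f1c6e02226db65c61f291b81b",
}
QBOT_C2 = {"142.129.227[.]86", "95.77.144[.]238"}

# Attachment naming scheme from the post: ElectionInterference_<8 to 9 digits>.zip
LURE_NAME = re.compile(r"^ElectionInterference_\d{8,9}\.zip$", re.IGNORECASE)

# Default namespace of xl/workbook.xml inside an OOXML (.xlsx/.xlsm) package.
SML_NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"


def refang(indicator: str) -> str:
    """Convert the defanged '[.]' form used in the IoC list back to a real dot."""
    return indicator.replace("[.]", ".")


def is_lure_filename(name: str) -> bool:
    """True if an attachment name follows the campaign's naming scheme."""
    return LURE_NAME.match(name) is not None


def triage_workbook(data: bytes) -> dict:
    """Inspect OOXML workbook bytes without opening them in Excel.

    An OOXML file is a zip: xl/workbook.xml lists the sheets, and
    xl/vbaProject.bin is only present when a VBA macro project is embedded.
    """
    result = {"sheets": [], "has_macro": False, "has_list3_sheet": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        result["has_macro"] = "xl/vbaProject.bin" in names
        if "xl/workbook.xml" in names:
            root = ET.fromstring(zf.read("xl/workbook.xml"))
            result["sheets"] = [s.get("name", "") for s in root.iter(f"{SML_NS}sheet")]
    # The post reports the payload URL hidden in a cell of a sheet named "Лист3".
    result["has_list3_sheet"] = "Лист3" in result["sheets"]
    return result


def match_event(event: dict) -> list:
    """Return the reasons a mail-gateway/EDR event matches the campaign's indicators.

    Expected keys (assumed field names for this demo): attachment, sha256, dst_host.
    """
    reasons = []
    if is_lure_filename(event.get("attachment", "")):
        reasons.append("attachment name matches ElectionInterference_<digits>.zip")
    if event.get("sha256", "").lower() in KNOWN_SHA256:
        reasons.append("sha256 listed in QBot IoCs")
    dst = event.get("dst_host", "")
    if dst == refang(PAYLOAD_HOST):
        reasons.append("connection to payload host")
    if dst in {refang(ip) for ip in QBOT_C2}:
        reasons.append("connection to QBot C2")
    return reasons


def build_sample_xlsm() -> bytes:
    """Construct a minimal macro-enabled workbook mirroring the lure's layout (not real malware)."""
    workbook_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
        '<sheets><sheet name="DocuSign" sheetId="1"/>'
        '<sheet name="Лист3" sheetId="2"/></sheets></workbook>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", workbook_xml)
        zf.writestr("xl/vbaProject.bin", b"placeholder VBA project")  # constructed stand-in
    return buf.getvalue()


# Constructed sample events, in the shape a mail gateway or EDR might export.
SAMPLE_EVENTS = [
    {"attachment": "ElectionInterference_384717594.zip",
     "sha256": "1edfe375fafa1f941dc4ee30702f4af31ba636e4b639bcbb90a1d793b5d4b06c",
     "dst_host": "china.asiaspain.com"},
    {"attachment": "invoice.pdf", "sha256": "0" * 64, "dst_host": "95.77.144.238"},
    {"attachment": "report.docx", "sha256": "1" * 64, "dst_host": "example.com"},
]

if __name__ == "__main__":
    print(triage_workbook(build_sample_xlsm()))
    for ev in SAMPLE_EVENTS:
        print(ev["attachment"], "->", match_event(ev) or "clean")
```

A sheet named “Лист3” is simply Excel's default Russian-locale sheet name, so treat it as a weak signal that supports the macro and IoC hits rather than as proof on its own.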

MITRE ATT&CK techniques

Tactic | ID | Name | Details
Execution | T1059 | Command-Line Interface | Starts CMD.EXE for command execution
Execution | T1106 | Execution through API | Application launched itself
Execution | T1053 | Scheduled Task | Loads the Task Scheduler COM API
Persistence | T1050 | New Service | Executed as Windows Service
Persistence | T1060 | Registry Run Keys / Startup Folder | Changes the autorun value in the registry
Persistence | T1053 | Scheduled Task | Loads the Task Scheduler COM API
Privilege Escalation | T1050 | New Service | Executed as Windows Service
Privilege Escalation | T1055 | Process Injection | Application was injected by another process
Privilege Escalation | T1053 | Scheduled Task | Loads the Task Scheduler COM API
Defense Evasion | T1553 | Install Root Certificate | Changes settings of System certificates
Defense Evasion | T1055 | Process Injection | Application was injected by another process
Discovery | T1087 | Account Discovery | Starts NET.EXE to view/change users group
Discovery | T1135 | Network Share Discovery | Starts NET.EXE for network exploration
Discovery | T1069 | Permission Groups Discovery | Starts NET.EXE to view/change users group
Discovery | T1012 | Query Registry | Reads the machine GUID from the registry
Discovery | T1018 | Remote System Discovery | Starts NET.EXE for network exploration
Discovery | T1082 | System Information Discovery | Reads the machine GUID from the registry
Discovery | T1016 | System Network Configuration Discovery | Uses IPCONFIG.EXE to discover IP address

The post QBot Trojan delivered via malspam campaign exploiting US election uncertainties appeared first on Malwarebytes Labs.

Maze ransomware gang announces retirement

The threat actors behind Maze ransomware have announced their retirement. On November 1, they posted the retirement announcement on the website where they would normally name and shame their victims that were unwilling to pay the ransom.

Maze retirement announcement (image courtesy of Graham Cluley)

“The Project is closed.

Maze Team Project is announcing it is officially closed.

All the links to out project, using of our brand, our work methods should be considered to be a scam.

We never had partners or official successors. Our specialists do not works with any other software. Nobody and never will be able to host new partners at our news website. The Maze cartel was never exists and is not existing now. It can be found only inside the heads of the journalists who wrote about it. Attention to everyone who wants for its private information to be deleted from our news website. You can contact to Maze support chat. Support will be continued for a month after the press release.”

The Maze gang was known for introducing an extra way to create leverage against victims. Not only did the attackers lock organizations’ data up, they also stole the data and threatened to publish it if the ransom was not paid, giving victims another compelling reason to pay up, especially if the data was of a sensitive nature.

So it’s ironic that in the rest of the spelling error-ridden statement, the cybercriminals assume the posture of a group of people out to improve the world rather than line their own pockets, as if raising awareness of security flaws and the dangers of Bitcoin were the attackers’ real goal. If they set out to ease their conscience, we would have preferred them to publish their master decryption keys.

Did the Maze gang retire unexpectedly?

Not really. At Malwarebytes we saw detections drop over the last month after a steep peak in August.

Number of Maze detections since June 2019

We suspect this is because many of their affiliates have moved to a new family, Egregor, aka Ransom.Sekhmet. A week earlier, BleepingComputer reported that the Maze gang had stopped seeking out and encrypting new victims some time in September. The gang also cleaned up its data leak site and seemed to be busy extorting its final victims.

Will the Maze ransomware gang truly retire?

We will have to wait and see. History has shown that when a crime group decides to close its doors, it’s rarely because the criminals have seen the error of their ways; more often it’s because a new, more powerful threat is available that the threat actors would prefer to use.

So, with businesses now being targeted by the next ransomware family and no sign of hope for past victims, we see no reason to be particularly happy about this. We do, however, see plenty of reasons for businesses to look at their protection against brute force and other attacks on their RDP ports.

We will keep you posted of any new developments, as always.

Stay safe, everyone!

The post Maze ransomware gang announces retirement appeared first on Malwarebytes Labs.

Update your Chrome again as Google patches second zero-day in two weeks

Before you start to Google for election news, we’d like you to check whether your browser is at the latest and safest version. “Again?”, Chrome users may say. Yes, because Google has found another zero-day vulnerability, that is, a hole that is actively being exploited right now.

It’s the second Chrome zero-day found in the past two weeks. Last week we reported on CVE-2020-15999 and advised upgrading to at least version 86.0.4240.111. Today it is the turn of CVE-2020-16009, which is patched in Chrome version 86.0.4240.183 and later.

How do I install Chrome patches?

The easiest way is to allow Chrome to update automatically, which uses the same method as outlined below but does not require your attention. You can still end up lagging behind, however, if you never close the browser or if something goes wrong, such as an extension stopping the browser from updating. So it doesn’t hurt to check now and then, and now would be a good time, given the zero-day vulnerability. My preferred method, which also lets me keep track, is to have Chrome open the page chrome://settings/help, which you can also reach by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then it will tell you that all you have to do to complete the update is relaunch the browser.

relaunch to update Chrome

What is this Chrome patch for?

Google has not disclosed what the zero-day does or how it is used. This is their usual practice, as they want to give users a chance to update before giving threat actors the chance to design their own exploits. But by looking at the changelog, researchers concluded that it must have something to do with the way the Chrome browser handles JavaScript.

Chrome changelog for CVE-2020-16009

After the update, the security hole should be patched and your settings page should say:

Chrome is up to date
Version 86.0.4240.183

If so, you’re good to go for now.

Stay safe, everyone!

The post Update your Chrome again as Google patches second zero-day in two weeks appeared first on Malwarebytes Labs.

Hospital ransomware: Gangs are back to target healthcare

Healthcare is not in a good place right now.

With some countries and states deciding to go back into lockdown due to the continued rise of reported COVID-19 infections—and several garnering record-high numbers compared to when almost every country initially went into lockdown—it seems horrible timing that hospital ransomware is back in the news.

Early on in the coronavirus crisis, a promise was made by some ransomware gangs to leave hospitals alone. But cybercriminals behaving like criminals—whether we’re in the middle of a pandemic or not—isn’t something that we should be shocked about.

In the last few months, we’ve seen rising hospital ransomware attacks.

In late September, a chain of hospitals under Universal Health Services (UHS), one of the largest healthcare providers in the United States, was hit with what appeared to be Ryuk ransomware. According to their official statement, they successfully provided patient care despite not being able to access their IT applications, largely because of back-up processes and offline documentation methods they already had in place. Thankfully, no patient and/or employee data were compromised during the attack.

UHS hospitals and patients were, in a way, lucky. But this isn’t always the case.

Several weeks ago, we reported on Uniklinikum, a German hospital, being hit with a still-unknown strain of ransomware. And because the hospital stopped admitting new patients due to its systems behaving abnormally—a measure that many ransomware-hit hospitals have adopted—a woman in need of serious medical attention had to be driven to another hospital 20 miles further away. She died. This is considered the first case of death linked to a cyberattack.

“The stereotype of a cybercriminal is that of a bored teenager who is computer literate and socially maladjusted. This is far from the truth and every time there is a crisis we can see that cybercriminals are in reality ruthless and heartless individuals looking to inflict suffering on their victims in whatever way they can, and if a global crisis, such as COVID-19, plays to their advantage they will do so,” Brian Honan, head of BH Consulting, told ISMG in March of this year. “We should not relax any of our defenses but be more aware of criminals looking to leverage the crisis to spread misinformation, set up scams, launch phishing attacks and launch cyberattacks. Contrary to popular belief, there are no common, decent criminals in the online world.”

Last week, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the US Department of Health and Human Services (HHS) released a joint alert on ransomware activity targeting hospitals and other healthcare providers. The malware families they named that actively target such organizations are TrickBot, BazarLoader (aka BazarBackdoor), Ryuk, and Conti.

This alert also highlights the importance of having and maintaining an offline, encrypted backup of data; creating, maintaining, and exercising a threat incident response plan—even a basic one—so staff would know how to respond in the event of a ransomware attack; and knowing and following the Ransomware Response Checklist, which is included in this CISA guide page.

Healthcare organizations might think that it’s only sensible to pay the ransom as lives could be severely impacted by a ransomware attack. However, in many cases, this scenario can be avoided by being prepared, expecting to be hit, and knowing what to do when—not if—it comes.

The post Hospital ransomware: Gangs are back to target healthcare appeared first on Malwarebytes Labs.

A week in security (October 26 – November 1)

We had a very busy week at Malwarebytes Labs.

We offered advice on Google’s patch for an actively exploited zero-day bug that affects Chrome users, our podcast talked about finding consumer value in Cybersecurity Awareness Month with Jamie Court, we provided guidance about keeping ransomware cash away from your business, pointed out how scammers are spoofing bank phone numbers to rob victims, analyzed how a fake COVID-19 survey hides ransomware in a Canadian university attack, and discussed how a new Emotet delivery method was spotted during a downward detection trend.

Believe it or not, we also found time to explain what was going on with the HP printer issue on Mac, analyzed how California’s Prop 24 splits data privacy supporters and discussed Vastaamo, a data breach with unprecedented consequences.

Other cybersecurity news

  • Federal agencies are warning of an increased and imminent cybercrime threat to US hospitals and healthcare providers, especially with regard to ransomware attacks. (Source: NBC)
  • Despite their own claims, questions have been raised as to whether the SunCrypt gang are indeed the newest members of the Maze cartel. (Source: Security Boulevard)
  • The five biggest cybersecurity threats for the healthcare industry as seen by cloud-first security firm Wandera. (Source: TechRepublic)
  • CVE-2020-14882, a bug in Oracle WebLogic, is being actively exploited, and the exploitation is trivial. (Source: InfoSec Handlers Diary Blog)
  • Foreign cyber threats to the 2020 US presidential election are predominantly sophisticated disinformation campaigns. (Source: Digital Shadows)
  • Why has satellite hacking become the biggest global threat for countries like the US, China, Russia, and India? (Source: The Eurasia Times)
  • Facebook warned of perception hacks undermining trust in democracy. (Source: Axios)
  • Microsoft warned that threat actors are actively exploiting systems unpatched against the ZeroLogon privilege escalation vulnerability in the Netlogon Remote Protocol. (Source: BleepingComputer)
  • Email compromise attacks are on the increase as threat actors shift their focus from finance employees to group mailboxes. (Source: BetaNews)
  • Zoom has kicked off end-to-end encryption for its mobile and desktop apps. (Source: ZDNet)

Stay safe, everyone!

The post A week in security (October 26 – November 1) appeared first on Malwarebytes Labs.

California’s Prop 24 splits data privacy supporters

California’s data privacy house is divided.

On the Golden State’s November ballot this year is the question as to whether to amend California’s barely-two-year-old data privacy law, the California Consumer Privacy Act. Far from the first attempt to change the fledgling law, Proposition 24 sets itself apart because its primary backer is the same man who ushered in the state’s data privacy law two years ago.

California voters are therefore presented with a strange, legislative about-face: One of the lead architects for California’s privacy law thinks it is already time to change that law—perhaps dramatically so. The proposition seeks to create a new category of consumer data, a new data protection agency, and new carveouts for certain uses of data.

The law-making whiplash isn’t just affecting voters, either, as many privacy advocates disagree with the changes, and the parallel campaigns both supporting and opposing Proposition 24 have split typical bedfellows.

Standing in support of the proposition are the consumer rights advocacy group Consumer Watchdog (who we recently spoke with), family tech safety nonprofit Common Sense, civil rights organization NAACP, and multiple privacy scholars and notable politicians, including “surveillance capitalism” expert and Harvard Business School professor Shoshana Zuboff and former Democratic presidential hopeful Andrew Yang.

Standing in opposition are multiple consumer advocacy groups including Consumer Action (not to be confused with Consumer Watchdog) and Public Citizen, privacy and human rights nonprofit Center for Digital Democracy, racial justice organization Color of Change, and ACLU of Northern California.

This division has also produced potentially confusing, conflicting statements for Californians trying to understand which way to vote.

For example, on one side, the NAACP has voiced support for Prop 24 because it “allows consumers to stop companies from using online racial profiling to discriminate against them.” On the other side, however, ACLU of Northern California has asked voters to vote no on Prop 24, arguing that it “will disproportionately harm poor people and people of color.”

Who then is right?

As is usually the case in data privacy debacles, the devil is in the details. In fact, both groups have a point—they’re just focusing on different pieces of the proposition.

Today, let’s look at why this one ballot prop has divided a typically unified group of privacy advocates.

The origin of the California Consumer Privacy Act (CCPA)

More than two years ago, a real estate developer became a privacy advocate.

Alastair Mactaggart has told the story of his transformation many times, and it always begins with a Google engineer disclosing just how much information the company knows about its consumers. After learning about a legislative tool in California politics that allows voters to directly approve policy, Mactaggart began drafting a ballot proposition with a co-lead named Mary Ross.

That proposition never made it onto the state’s 2018 ballots, but it didn’t have to. By working directly with state lawmakers, Mactaggart and Ross managed to write up a bill eventually signed into law by then-governor Jerry Brown.

On June 28, 2018, the California Consumer Privacy Act, or CCPA, became law. With the governor’s signature, Californians could eventually expect new data privacy rights, including the rights to access and delete their data, port their data to another provider, and opt out of having their data sold.

The success of the law today, however, eludes easy definition. Simply put, not enough time has passed. CCPA did not come into effect until January 1, 2020, and businesses and consumers lacked details on compliance and on how to assert new data privacy rights. California’s Attorney General finally submitted those details, called “regulations,” this summer. 

If such little time has passed, then, why already try to change it?

According to Mactaggart, it’s because the law already needs major support, after facing no less than 18 legislative attempts to amend it in the past two years—several of which could have stripped the law of its teeth.

“I’m not a politician. I don’t want to be a politician. I just want to get a good law in place,” Mactaggart told CNN. “It was a little daunting to see how hard business tried to just destroy it this year.”

What is Prop 24?

To its supporters, Proposition 24 is a chance to strengthen a data privacy law that is already a prime target.

If passed by voters, Prop 24—also called the California Privacy Rights Act and which you can read in its full 52 pages here—would amend the CCPA to create a new category of “sensitive personal information,” create a new right of data “correction,” triple some of CCPA’s fines for violations regarding children’s data, amend the liability companies face for some data breaches, and create a new data protection agency to handle enforcement of the CCPA.

Prop 24’s new category of “sensitive personal information” would receive new data protections, too, as Californians could separately choose to protect this data from certain uses.

According to the bill, “sensitive personal information” would include precise geolocation data, information revealing racial or ethnic origin, religious or philosophical beliefs, or union membership, email and text message content, genetic data, and biometric information that is specifically collected and analyzed “for the purpose of uniquely identifying a customer.” The proposition would also include Social Security, driver’s license, state ID, or passport numbers into its definition of “sensitive personal information.”

Granting people the ability to stop companies from using sensitive information in ways that they do not approve of is a major boon to Californians, said Carmen Balber, executive director for Consumer Watchdog.

“Under Prop 24, a consumer can limit the use of their sensitive information to stop Uber from profiling them based on race, stop Spotify from utilizing their precise geo-location and prevent Facebook from using their sexual orientation, health status or religion in its algorithms,” Balber said.

Further, the creation of a data protection agency has won over several supporters, including entrepreneur and former presidential candidate Yang. In a recent piece for The San Francisco Chronicle, Yang wrote positively about the data protection agency which could serve as a “watchdog over big tech.”

But for several privacy rights advocates, Prop 24 also includes too many concessions—and too many lost opportunities—to earn their support.

Electronic Frontier Foundation, which neither supports nor opposes the proposition, said instead:

“Prop 24 does not do enough to advance the data privacy of California consumers. It is a mixed bag of partial steps backwards and forwards.”

Prop 24 opposition

Though Prop 24’s detractors have several, separate concerns, each organization cites the same problem with the proposition: It expands the CCPA’s current allowance for “pay-for-privacy” schemes.

Pay-for-privacy schemes rear up in data privacy bills every few months, and they always present the same risk. In fact, Malwarebytes Labs already wrote about a pay-for-privacy provision included in a data privacy bill introduced last year. In that bill, consumers could have been penalized for exercising their potential right to not be tracked online, after signing up for a universal “Do Not Track” website.

Prop 24, however, packages the pay-for-privacy risk a little differently. According to Prop 24, businesses could withhold discounts from customers exercising their privacy rights strictly when operating “loyalty club” programs. 

The carve-out may sound small, but, according to ACLU of Northern California, the expansion of any pay-for-privacy scheme would disproportionately harm at-risk communities first. The argument is similar to the organization’s concerns with any “data as property” proposals—struggling families who need the money the most would not be able to say no to any bargain that puts a dollar amount on their data privacy.

“The fact is that working families are already struggling to stay healthy, find a job, keep food on the table, and maintain their housing,” the organization wrote. “No one should be put in the position of choosing between the necessities of survival and their privacy.”

Separate from the pay-for-privacy risk, the No on Prop 24 Coalition—which includes ACLU of Northern California, Oakland Privacy, Indivisible SF, and the California League of Women Voters—published a list of complaints about the proposition.

The group said that Prop 24 would allow companies to collect Californians’ data as soon as they leave state borders, override an incoming law that grants more data transparency for employees, and, as a bit of a bombshell, includes a carveout for credit reporting agencies that, according to one news site, is lifted “almost verbatim” from a lobbyist’s demands.

Finally, the No on Prop 24 Coalition said that Prop 24 would re-shift the burden of data privacy back to the consumer, forcing Californians to opt out of data usage and sales with each and every individual website and app that they visit and use.

This is a known problem in data privacy, and it is in part why, just this year, US Senator Sherrod Brown of Ohio circulated a federal data privacy bill that no longer hinges on the idea of consent.

What next?

Californians will finish voting with the rest of the nation on November 3. According to recent polling released by the Yes on Prop 24 campaign, the proposition could smoothly sail into becoming law. According to that data, a whopping 77 percent of likely voters in California plan to vote yes.

That statistic is, admittedly, a shock, not because Malwarebytes Labs has a position on the ballot proposition, but because of an entirely separate, non-controversial opinion: 52 pages is a lot to ask voters to read through.

The post California’s Prop 24 splits data privacy supporters appeared first on Malwarebytes Labs.

Vastaamo psychotherapy data breach sees the most vulnerable victims extorted

“Hell is too nice a place for these people.” Never have we seen outrage about a cybercrime at such a level. The outrage is aimed at the cybercriminals behind the data breach that occurred at Finnish psychotherapy practice Vastaamo. Vastaamo, which has treated some 40,000 patients, is a subcontractor to several major public-sector hospital districts. Finland’s president Sauli Niinisto called the blackmailing “cruel and repulsive.” Prime Minister Sanna Marin said the hacking of such sensitive information was “shocking in many ways.”

What happened at Vastaamo?

For once it wasn’t a ransomware attack on a healthcare organization. Vastaamo was first breached in 2018, with a follow-up in March 2019, and on both occasions the attackers managed to steal tens of thousands of patient records. Due to the nature of the practice, the records contained extremely sensitive and confidential information about some of the most vulnerable people.

Sadly, it appears that security at Vastaamo was only tightened after the 2019 hack, by which time the data had already gone. Vastaamo learned of the extortion in late September 2020, when three Vastaamo employees received an extortion message.

What did the attackers do to monetize the Vastaamo breach?

Vastaamo has been told to pay roughly half a million US dollars in Bitcoin. But that’s not the worst bit. Recently, the attackers started sending extortion messages to the patients, asking them to pay around $240 to prevent their data from being published. And that is a first, as far as we know—not just demanding a ransom from the breached organization, but also from all those who were unlucky enough to have their data on record there.

The aftermath

Here’s what’s been going on since the attack:

  • Vastaamo’s CEO Ville Tapio was fired by the board because he was considered to be aware of the breaches and of shortcomings in the psychotherapy provider’s data security systems.
  • Vastaamo’s owner, who bought the practice a few months after the second breach but was not informed about it, began legal proceedings related to its purchase.
  • Finnish police are still investigating, hindered by the long interval between breach and extortion demands. They are not even sure whether the extortionists are the same people as the initial attackers.
  • Finland’s infosec community has set up a website with guidance for the victims on how to recover from the breach.
  • Many of the victims are considering legal action against Vastaamo. Unfortunately, Finnish procedural law does not allow for class-action lawsuits.
  • The extortionists have already published some 300 files via the Tor anonymity network.
  • Various Finnish organizations have rapidly mobilized ways to help the victims of the breach, including direct dial numbers for churches and therapy services.

It will probably take some time before it becomes clear what went down exactly, if ever. And the number of leaked patient files and the way the patients are being extorted makes this case one of a kind. Let’s hope it stays that way.

Healthcare and cybersecurity in general

We at Malwarebytes have warned about security issues in the healthcare industry many times before, pointing out some major causes of inadequate cyber defenses:

  • The Internet of Things (IoT): Due to their nature and method of use, you will find a lot of IoT devices in hospitals. They likely all run on different operating systems and require specific security settings in order to shield them from the outside world.
  • Legacy systems: Quite often, older equipment will not run properly on newer operating systems, which results in an outdated OS or even software that has reached the end-of-life point. End-of-life means the software will no longer receive patches or updates even when there are known issues.
  • Lack of adequate backups: Even when the underlying problem has been resolved, it can take far too long for an attacked target to get back to an operational state. Organizations need to at least have a backup plan and maybe even backup equipment and servers for the most vital functions so they can keep them running when disaster strikes.
  • Extra stressors: Additional pressures like COVID-19, fires, and other natural disasters eat into available time and push aside the need to perform updates, make backups, or think about anything cybersecurity related. These stressors and other reasons are often summed up as “we have more important things to do.”

What should Vastaamo victims do now?

Some of the guidance given to Vastaamo clients applies to other situations, but some is very specific to this one. For anyone whose data is exposed in a data breach, Malwarebytes published a quick checklist in 2018.

Vastaamo’s website has the following suggestions for victims:

  • Do not call 112 (Finland’s emergency number, the equivalent of 911), as the emergency center will not be able to help with this.
  • Record and preserve any emails, messages, and other evidence you receive.
  • Record all information about the sender at the time of receiving the message in the crime report.
  • Do not pay the ransom.
  • Do not distribute the mails, as they contain personal information.

Victim Support Finland, backed by the Ministry of Justice, has more guidance in English for those who suspect their data may have been compromised in the Vastaamo breaches.

Stay safe everyone!

The post Vastaamo psychotherapy data breach sees the most vulnerable victims extorted appeared first on Malwarebytes Labs.

HP printer issue on Mac: What happened?

Apple holds the keys to nearly all recent Mac software. This is a story of those keys, and how a Hewlett Packard (HP) error caused problems for a lot of people.

Code signing and certificates

First, it’s important to understand that when I say “keys,” what I really mean is “certificates.” These certificates are similar to the ones that are the basis for secure communication between a web server and your browser. With web traffic, these certificates are used to encrypt the data, but they support more than just encryption.

Certificates also allow for validation. For example, when you try to connect to your bank site, the site’s certificate will verify that the site really does belong to your bank. Not many people actually look at these certificates, of course, but doing so is a sure-fire way to avoid a phishing site.

Cryptographic certificate for Malwarebytes Labs

How does this relate to Apple and HP, you ask? Good question. For quite a few years now, Apple has supported what is called “code signing” on macOS. Code signing involves using a certificate to cryptographically sign a piece of software. This allows the system, and the user, to verify which developer created the software, and check that it hasn’t been modified since it was created.

In recent years, Apple has done more than just support code signing… it’s come as close as is reasonably possible to requiring code signing. As a developer, if you don’t sign your Mac software, your users will have trouble running it, and you (or your support staff) will get countless help inquiries. Your software will also probably just get deleted by many people.

This obviously applies to apps you download from the Internet or the App Store, but it also applies to more prosaic software, such as print drivers. HP makes printers, and thus makes print drivers, and of course those drivers are signed, as they should be.

The certificates used to sign software on macOS (and iOS, for that matter) are provided and managed by Apple. The certificates used by HP are no exception.

So, what happened?

Last Thursday evening (October 22), we started seeing an influx of support requests from people complaining about some new malware that we weren’t detecting. At least, that’s what they were saying. As we dug into the issue, however, we saw that there was a pattern in the screenshots we were seeing.

"ProductImprovementStudy.hptask" will damage your computer

The “malware” was being reported by the built-in anti-malware features in macOS, and there were a dozen or more different processes that macOS claimed “will damage your computer,” with a check box reading “Report malware to Apple to protect other users.” Sounds pretty scary, right?

However, we noticed that this “malware” was all (mostly*) related to HP printing drivers. The messages generally appeared when people were trying to print to their HP printers. Samples of the software that we obtained appeared to be legitimate, with no signs of malicious behavior.

Why did macOS think it was malicious?

Initially, there was a lot of finger pointing at a recent XProtect update. (XProtect is a basic form of anti-malware protection built into macOS, which aims to prevent malicious software from running.) The thought was that this was a false positive; in other words, XProtect was erroneously detecting legitimate files as malicious.

However, the timing of the last XProtect update didn’t line up with the very sudden and widespread emergence of the issue. With some digging, we found that the source of the issue was that the developer certificate used to sign these HP drivers had been revoked.

Revoking a certificate is usually done by Apple when a piece of malware is discovered to be signed using that certificate. It was initially assumed that Apple had erroneously revoked the certificate. However, it turned out, according to a statement from HP given to The Register, that HP itself had erroneously requested that the certificate be revoked.

We unintentionally revoked credentials on some older versions of Mac drivers. This caused a temporary disruption for those customers and we are working with Apple to restore the drivers. In the meantime, we recommend users experiencing this problem to uninstall the HP driver and use the native AirPrint driver to print to their printer.

Apple was able to reinstate the revoked certificate, which fixed the problem for some people, but not everyone. We’re still seeing new cases reported days later.
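To make the distinction the post draws concrete, here is an added Go example (written for this page, not Apple’s or HP’s code) that signs an artifact and then classifies verification results into three outcomes: valid, tampered, and valid-but-revoked. The key, the signer fingerprint and the revocation set are constructed stand-ins for a developer certificate and Apple’s revocation list.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
)

// The three states a code-signing check can end in; the last is the HP case: untouched bytes, distrusted signer.
const (
	VerdictOK       = "signature valid, signer trusted"
	VerdictTampered = "signature does not match contents"
	VerdictRevoked  = "signature valid, but signer certificate revoked"
)

// SignerID is the fingerprint a revocation list refers to: SHA-256 of the DER public key (a stand-in for a certificate).
func SignerID(pub *ecdsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for a well-formed P-256 key
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// Sign produces a detached ECDSA signature over the artifact's SHA-256 digest.
func Sign(key *ecdsa.PrivateKey, artifact []byte) ([]byte, error) {
	digest := sha256.Sum256(artifact)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// Verify checks the signature first, then the revocation set, so a revoked signer is reported as a trust problem, not as tampering.
func Verify(pub *ecdsa.PublicKey, artifact, sig []byte, revoked map[string]bool) string {
	digest := sha256.Sum256(artifact)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return VerdictTampered
	}
	if revoked[SignerID(pub)] {
		return VerdictRevoked
	}
	return VerdictOK
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	driver := []byte("constructed sample: pretend print driver bytes")
	sig, _ := Sign(key, driver)
	revoked := map[string]bool{}
	fmt.Println(Verify(&key.PublicKey, driver, sig, revoked))
	fmt.Println(Verify(&key.PublicKey, []byte("constructed sample: altered driver bytes"), sig, revoked))
	revoked[SignerID(&key.PublicKey)] = true // the vendor asks for its certificate to be revoked
	fmt.Println(Verify(&key.PublicKey, driver, sig, revoked))
}
```

The third verdict is the one users saw as “will damage your computer”: the driver bytes never changed, only the trust in the signer did.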

The impact of false positives

This isn’t the first time that certificates have been revoked in error. As an example, there was a case back in August where a developer named Charlie Monroe reported that his entire Apple developer account was deleted, and his code signing certificate was revoked. All his apps suffered the same issue as HP’s print drivers.

Downie cert revoked

With any security software, false positives are always a potential problem. Mistakes happen, and Apple isn’t always to blame in cases like this. However, when there’s a certificate issue with a piece of Mac software, it affects everyone, everywhere, who is using that software.

The fallout of these events can hit the developers hard. I don’t know how Charlie Monroe is doing, but I suspect that a significant number of people who were using his software probably deleted it, and may never trust his software again.

At companies like Malwarebytes, these events have the potential to result in hundreds or thousands of support tickets from customers asking why we didn’t detect this “malware,” or even why we’re blocking something legitimate (on the mistaken belief that this message is being shown by Malwarebytes). Some folks may never have contacted our support teams, and simply uninstalled our software, thinking they’d gotten infected while under our protection.

Perfect conditions for scams

One of the most unfortunate aspects of events like these is that they provide incredibly fertile ground for scams. There has been an explosion in scam videos and web pages claiming to help you “remove” this “malware.” These scams work by taking advantage of common things people are searching for that they think are malware.

For example, if you search for “will damage your computer” on Google right now, you will get a number of results offering to help you “remove will damage your computer” (yes, in exactly that nonsensical language). Within hours on Friday, some of these sites – and fake YouTube videos referring to those sites – were already taking advantage of this chaos.

fake malware removal scams

The goal of these sites is to trick you into thinking you’re infected, so that you will download the software they recommend to remove the “virus.” In reality, there often is no actual malware, and the site gets paid an affiliate fee for every referral to the software in question. Often, the software being recommended itself is a scam.

It’s very important to be skeptical in your use of Google (and other search engines). Don’t automatically believe that something is malware just because you Googled it and found sites calling it malware.

How to fix the Mac/HP printer issue

If you are among those who are still having the problem, here are some possible fixes that have worked for our customers:

1) Restart your computer, ensuring it’s on the network when it restarts.

2) Check for HP software updates via the Software Update pane in System Preferences.

3) Remove the HP printer from System Preferences -> Printers & Scanners, then try adding it again.

4) Check for newer HP software for your printer on the HP support site:

https://support.hp.com

5) If all else fails, contact HP via its support site for assistance.

*Addendum

Earlier, we said that the issue was mostly related to HP printer drivers. There was another issue with a couple of Amazon apps – Amazon Music and Amazon Workspaces – where users were seeing the same behavior. This led to a lot of speculation and finger pointing at Apple (in which yours truly regretfully participated), but this appears to have been an unrelated and coincidentally timed issue. Apple was not to blame, as was initially thought, and actually acted quite quickly to help HP rectify the error.

The post HP printer issue on Mac: What happened? appeared first on Malwarebytes Labs.

New Emotet delivery method spotted during downward detection trend

Emotet, one of cybersecurity’s most-feared malware threats, got a superficial facelift this week, hiding itself within a fake Microsoft Office request that asks users to update Microsoft Word so that they can take advantage of new features.

This revamped presentation could point to internal efforts by threat actors to increase Emotet’s hit rate—a possibility supported by Malwarebytes telemetry measured in the last few months.

Emotet spikes amid downward trend

Since August 1, Malwarebytes has detected repeated weekly spikes in Emotet detections, with an August peak of roughly 1,800 detections in just one day. Those frequent spikes mask the malware’s broader trend, though: a slow and steady decline, from an average of about 800 detections in early August to an average of about 600 detections by mid-October.

Emotet chart cleaned up
Recent detection activity for Emotet from early August to mid-October

Caught by Malwarebytes on October 19, Emotet’s new delivery method attempts to trick victims into thinking that they’ve received an update to Microsoft Word. The new template, shown below, includes the following text:

“Upgrade your edition of Microsoft Word

Upgrading your edition will add new features to Microsoft Word.

Please, click Enable Editing and then click Enable Content.”

If users follow these dangerous instructions, they will actually enable the malicious macros that are embedded into the “update request” itself, which will then be used as the primary vector to infect the machine with Emotet.
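A triage heuristic for documents built on this lure, added here as an example (not Malwarebytes’ detection logic): it opens a Word OOXML container, checks for a VBA project entry and counts the “Enable Editing” / “Enable Content” coaching phrases in the document text. The sample document is constructed in memory and contains no macro code.

```go
package main

import (
	"archive/zip"
	"bytes"
	"io"
	"strings"
)

// Instructions the fake "upgrade" template gives; both clicks are needed before a macro can run.
var LurePhrases = []string{"enable editing", "enable content"}

// TriageDocx inspects a Word OOXML container (.docm/.docx) supplied as bytes.
func TriageDocx(data []byte) (hasMacros bool, lureHits int, err error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return false, 0, err
	}
	// A VBA project is stored as its own entry; its mere presence is the first signal.
	if vba, err := zr.Open("word/vbaProject.bin"); err == nil {
		vba.Close()
		hasMacros = true
	}
	// The visible text lives in document.xml; count the coaching phrases it contains.
	doc, err := zr.Open("word/document.xml")
	if err != nil {
		return hasMacros, 0, err
	}
	body, err := io.ReadAll(doc)
	doc.Close()
	if err != nil {
		return hasMacros, 0, err
	}
	text := strings.ToLower(string(body))
	for _, p := range LurePhrases {
		if strings.Contains(text, p) {
			lureHits++
		}
	}
	return hasMacros, lureHits, nil
}

// BuildSample constructs an in-memory container mimicking the post's template (constructed data, not a real Emotet file).
func BuildSample(withMacro bool) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create("word/document.xml")
	io.WriteString(w, "<w:t>Upgrade your edition of Microsoft Word. Please, click Enable Editing and then click Enable Content.</w:t>")
	if withMacro {
		m, _ := zw.Create("word/vbaProject.bin")
		io.WriteString(m, "placeholder bytes, not a real VBA project")
	}
	zw.Close()
	return buf.Bytes()
}
```

A macro project together with lure hits is the combination worth alerting on; lure text alone, as in BuildSample(false), is a weaker signal.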

Microsoft Word emotet
Emotet’s latest delivery mechanism is a fraudulent Microsoft Word update request

Malwarebytes protects users from Emotet and its latest trick, as shown below.

Emotet Word blocked by Malwarebytes
Malwarebytes recognizes and protects users from Emotet

For those without cybersecurity protection, this new delivery method may appear frightening, and in a way, yes, it is. But when compared to Emotet’s stealthy developments in recent years, this latest switch-up is rather ordinary.

In 2018, the cybersecurity industry spotted Emotet being spread through enormous volumes of email spam, in which potential victims received malicious email attachments supposedly containing information about “outstanding payments” and other invoices. In 2019, we spotted a botnet coming back to life to push out Emotet, this time utilizing refined spearphishing techniques. Just weeks later, we found that threat actors were luring victims through the release of former NSA defense contractor Edward Snowden’s book. And this year, Bleeping Computer reported that threat actors had managed to train the Emotet botnet to steal legitimate email attachments and to then include those attachments amongst other, malicious attachments as a way to legitimize them.

Threat actors have gone to such great lengths to deliver Emotet because of its destructive capabilities. Though the malware began as a simple banking Trojan to steal sensitive and private information, today it is often used in tandem with, and to deliver, other banking Trojans like TrickBot that can steal financial information and banking logins. The attack chain doesn’t stop there, though, as threat actors also use Emotet and TrickBot to deliver the ransomware Ryuk.

Compounding the danger to an organization is Emotet’s ability to spread itself through a network. Once this malware has taken root inside a network, it has derailed countless consumers, businesses, and even entire cities. In fact, according to the US Cybersecurity and Infrastructure Security Agency, governments have paid up to $1 million to remediate an Emotet attack.

How to protect your business from Emotet

Our advice to protect against Emotet remains the same. Users should look out for phishing emails, spam emails, and anything that includes attachments—even emails that appear to come from known contacts or colleagues.

For users who do make that risky click, the best defense is a cybersecurity solution that you’ve already got running. Remember, the best defense to an Emotet infection is to make sure it never happens in the first place. That requires constant protection, not just after-the-fact response.

The post New Emotet delivery method spotted during downward detection trend appeared first on Malwarebytes Labs.