IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

Password manager hijacked to deliver malware in supply chain attack

In the latest example of a supply chain attack, cybercriminals delivered malware to customers of the business password manager Passwordstate by breaching its developer’s networks and then deploying a fraudulent update last week, said Passwordstate’s maker, Click Studios.

Though the number of infected computers is currently unknown, Click Studios said in an April 24 advisory that the victim count “appears to be very low.” That estimate may increase though, said Click Studios, as it continues to investigate. According to the company, its password manager is used by more than 29,000 customers across the industries of banking, retail, manufacturing, education, healthcare, government, aerospace, and more.

The attack lasted just 28 hours, Click Studios said, from April 20, 8:33 PM UTC to April 22, 0:30 AM UTC. Only the customers who initiated an update between those hours are at risk.

As to how the cybercriminals breached the company, Click Studios only said that “a bad actor using sophisticated techniques compromised the In-Place Upgrade functionality.” Click Studios said the “initial compromise was made to the upgrade director located on Click Studios website www.clickstudios.com.au,” which regularly points Passwordstate’s in-place upgrade function to approved software versions loaded onto Click Studios’ Content Distribution Network, or CDN. By compromising the in-place upgrade functionality, the cybercriminals were able to point users to their own CDN, which carried the malware.

The malware—currently referred to as Moserpass—stole system information and Passwordstate data and then delivered it back to the servers that were controlled by the cybercriminals responsible for the attack.  

That data included computer name, username, domain name, current process name, current process ID, and several fields from a customer’s Passwordstate account, including title, username, description, notes, URL, and password. Data for certain “generic field” entries was also delivered, but Click Studios said that users who chose to encrypt that data averted the malware’s data harvesting and delivery capabilities.

Click Studios also clarified in its April 24 advisory that, “although the encryption key and database connection string are used to process data via hooking into the Passwordstate Service process, there is no evidence of encryption keys or database connection strings being posted to the bad actor CDN.”

According to Bleeping Computer, the CDN servers used in the attack are no longer active.

The Passwordstate attack is the latest example of a re-emerging cyberthreat that saw great attention back in 2013 when the US retailer Target suffered an enormous data breach that compromised the payment information of 41 million customers. That attack, which resulted in an $18.5 million settlement, began with an attack on the company’s HVAC vendor. Four years later, cybercriminals again relied on a supply chain attack to breach Equifax, and just two years after that, the SolarWinds supply chain attack rattled the entire cybersecurity industry.

These attacks are difficult to catch, and for an attack like the one that targeted Passwordstate, they pose a significant threat to cybersecurity overall, as users and businesses could begin to question the legitimacy of regular software updates.

For Passwordstate’s customers who did install the fraudulent update, Click Studios advised to contact the company’s customer support, and, following specific instructions, to begin resetting all passwords saved in Passwordstate.

The post Password manager hijacked to deliver malware in supply chain attack appeared first on Malwarebytes Labs.

Zoom deepfaker fools politicians…twice

We recently said deepfakes “remain the weapon of choice for malign interference campaigns, troll farms, revenge porn, and occasionally humorous celebrity face-swaps”. Skepticism that these techniques would work on a grand scale such as an election, remains in place. In the realm of malign interference and smaller scale antics, however, deepfakes continue to forge new ground.

It’s one thing to pretend to be anonymous law enforcement operatives at the other end of a web call, with no deepfake involvement. It’s quite another to deepfake the aide of a jailed Russian opposition leader.

Zooming into deepfake territory

Multiple groups of MPs were recently tricked into thinking they were talking to Leonid Volkov, a Russian politician and chief of staff to Alexei Navalny’s 2018 presidential election campaign. Instead, Dutch and Estonian MPs at different meetings were presented with an entirely fictitious entity forged in the deepfake fires. From looking at the various reports on these incidents, we’re not entirely sure if fake Leonid responded to questions or stuck to a pre-written script. We also don’t know if the culprits faked his voice, or spliced real snippets to form sentences. Based on this report, it appears the Zoom call was conversational, but details are sparse. The aim of the game was most likely to have MPs say they want to support Russian opposition with lots of money. 

How did this happen?

It appears basic security practices were not followed. Nobody verified it was him beforehand. His email wasn’t pinged, nobody said “Hey there…” on social media. This is rather incredible, considering people doing an Ask Me Anything on Reddit will hold up a “Hi Reddit, it’s me” note as a bare minimum. With such a non-existent security procedure in place, disaster is sure to follow.

One wonders, given the absence of contact with the real Leonid, how fake Leonid had the Zoom sessions arranged in the first place. Can anyone arrange a call with a room of MPs if they claim to be somebody else? Do online meetings regularly take place with no effort to ensure everyone involved is legitimate? This all seems a little bit peculiar and faintly worrying.

Locking down deepfakes: in it for the long haul

Outside the realm of verification-free Zoom calls with parliamentarians, more moves are afoot to detect deepfakes. SONY has stepped into a battleground already populated by DIY tools and researchers trying to fight fakery online. Elsewhere, we have AI generated maps. While this sounds scary, it’s not something we should be panicking over just yet.

Deepfakes continue to become more embedded in public consciousness which can only help raise awareness of the subject. You want some Young Adult fiction about deepfakes? Sure you do! Actors helping to popularise the concept of fake video as something to be expected? Absolutely. Wherever you turn…there it is.

Low-level noise and quiet misdirection

For now, malign interference campaigns and small-scale shenanigans are the continued order of the day. It’s never been more important to take some steps to verify your web-based conversationalists. Whether an AI-generated deepfake or someone with a really convincing wig and fake voice, politicians need to enact some basic verification routines.

The real worry here is that if they fell for this, who knows what else slipped by them via email, social media, or even plain old phonecalls. We have to hope that whatever verification systems are in place for alternate methods of communication among politicians are significantly better than the above.

The post Zoom deepfaker fools politicians…twice appeared first on Malwarebytes Labs.

A week in security (April 19 – 25)

Last week on Malwarebytes Labs, we interviewed Youssef Sammouda, a 21-year-old bug bounty hunter who is focused on finding vulnerabilities on Facebook.

We looked into the CodeCov supply-chain attack, the vulnerabilities in Pulse Secure VPN that are being actively exploited by attackers, and the discovery of SUPERNOVA malware found on a SolarWinds Orion server.

We also featured technology, particularly facial recognition, used by the FBI to identify one of the Capitol rioters several months after it happened; we covered news about a FIN7 sysadmin being indicted for 10 years for “billions in damage”; and the calling out of EU’s proposed ban on the use of artificial intelligence, because it doesn’t deal with its potential for high abuse. Lastly, we have provided a comprehensive guide on how to pick the best VPN for you, whether you stream, play video games, or torrent.

Other cybersecurity news

Stay safe!

The post A week in security (April 19 – 25) appeared first on Malwarebytes Labs.

11-13 year old girls most likely to be targeted by online predators

The Internet Watch Foundation (IWF), a not-for-profit organization in England whose mission is “to eliminate child sexual abuse imagery online”, has recently released its analysis of online predator victimology and the nature of sexual abuse media that is currently prevalent online. The scope of the report covered the whole of 2020.

IWF annual report: what the numbers reveal

The IWF assessed nearly 300,000 reports in 2020, wherein a little more than half of these—153,383—were confirmed pages containing material depicting child sexual abuse. Compared to their 2019 numbers, there was a 16 percent increase of pages hosting such imagery or being used to share.

From these confirmed reports, the IWF were able to establish the following trends:

The majority of child victims are female. There has been an increase in the number of female child victims since 2019. In 2020, the IWF has noted that 93 percent of the child sexual abuse material (CSAM) they assessed involved at least one (1) female child. That’s a 15 percent increase compared to numbers in 2019.

06 2.1.0 SexBreakdown Pie x3
Females dominate the victimization type in online child abuse imagery. On the other hand, imagery involving males has significantly decreased since 2019, from 17 percent to 3 percent. (Source: IWF Annual Report 2020)

Online predators are after children ages 11-13. The IWF counted a total of 245,280 hashes—unique codes representing different pictures, videos or other CSAM—the majority of which involve females, where a child victim is 11-13 years of age. This is followed by children aged 7 to 10 years of age.

07 2.1.0 AgeByHashes Bar
These hash statistics show a clear trend: a great majority of predators are after imagery of children aged 7 to 13. (Source: IWF Annual Report 2020)

To learn more about the IWF Hash List, watch this YouTube video.

Tink Palmer, CEO of the Marie Collins Foundation, a charity group that helps child victims and their families to recover from sexual abuse involving technology, told the IWF why online predators gravitate within these age groups.

“In many cases it is pre-pubescent children who are being targeted. They are less accomplished in their social, emotional and psychological development. They listen to grown-ups without questioning them, whereas teenagers are more likely to push back against what an adult tells them.”

08 2.1.1 AgeAnaylsis Bar
Age breakdown of child sexual abuse graph, which further supports this trend against 11 – 13 year old girls. (Source: IWF Annual Report 2020)

Self-generated child sexual abuse content are on an uptick. 44 percent of images and videos analyzed by IWF in 2020 are classed as “self-generated” child sexual abuse content. This is a 77 percent increase from 2019 (wherein they received 38,400 reports) to 2020 (wherein they received 68,000 reports).

“Self-generated” content means that the child victims themselves created the media that online predators propagate within and beyond certain internet platforms. Such content is created with the use of either smartphones or webcams, predominantly by 11 to 13 year old girls within their home (usually, their bedroom) and created during periods of COVID-19 lockdowns.

Content concerning the use of webcams are often produced using an online service with a live streaming feature, such as Omegle.

47 2.1.2 Age11 13 Sex Bar
Statistics on self-generated abuse vs contact sexual abuse among female children who are aged 11 to 13 years old (Source: IWF Annual Report 2020)

Europe is found hosting almost all child sexual abuse URLs. The IWF has identified that 90% of the URLs it analyzed and confirmed to house CSAM were hosted in Europe, in which they also included Russia and Turkey. Among all countries in Europe, the Netherlands is the prime location for hosting CSAM, a constant that the IWF has seen through the years.

63 Top10Countries Map
Due to lower cost of web hosting, 77% of CSAM are physically hosted on servers in the Netherlands. (Source: IWF Annual Report 2020)

Shutting the door on child sexual abusers

The IWF report highlights a worrying trend on child victimology and gives us an idea that online predators not only groom their targets but also coerce and bully them to do their bidding. And child predators usually frequent platforms that a lot of teenage girls use.

Sadly, there is no single measure or piece of technology that can solve the problem of child exploitation. The best protection for children is effective parenting, and the IWF urges parents and guardians to be T.A.L.K. to their children. T.A.L.K. is a list of comprehensive and actionable steps parents and/or carers can take to help guide their children through a safer online journey as they grow up. T.A.L.K. stands for:

* Talk to your child about online sexual abuse. Start the conversation – and listen to their concerns.

* Agree ground rules about the way you use technology as a family.

* Learn about the platforms and apps your child loves. Take an interest in their online life.

* Know how to use tools, apps and settings that can help to keep your child safe online.

If images or videos of your child have been shared online, it’s important for parents not to blame the child. Instead, reassure them and offer support. Lastly, make a report to the police about these images or videos, IWF, Childline, or your local equivalent.

“Don’t be shy. You look so pretty in your picture, Evie. Just wanna see what you’ve got under there. Just for me.”

The post 11-13 year old girls most likely to be targeted by online predators appeared first on Malwarebytes Labs.

Breaking free from the VirusTotal silo: Lock and Code S02E07

This week on Lock and Code, we speak to Malwarebytes Chief Information Security Officer John Donovan about the flaws in using VirusTotal as the one source of truth when evaluating whether or not a cybersecurity tool actually works. It’s a practice that is surprisingly common.

Weeks ago, Malwarebytes Labs released the SMB Cybersecurity Trust & Confidence Report, which revealed that the majority of small- to medium-sized businesses that we surveyed were taking proactive measures to test whether their endpoint protection was catching all the right—or wrong—stuff. We found that of those who did evaluate their endpoint protection tools, a hefty 58 percent did so strictly by using VirusTotal.

Now, VirusTotal is a massive online resource that countless cybersecurity researchers likely rely on every day. But it shouldn’t be the only tool that security teams rely on, because VirusTotal has some gaps. In fact, all the evaluation methods that respondents told us about in our survey are far from perfect, and they might lead to uninformed conclusions.

If endpoint detection tools are supposed to stop an attack before it happens, what good is evaluating it with an incomplete tool? It puts too much at risk. And that isn’t even mentioning the potential privacy threats involved.

“If you get a file that says ‘This looks like there’s a virus in it,’ be careful with what you’re uploading,” Donovan said. “If you take something that is a confidential memo that flagged your antivirus, you may want to figure out how to look at that somewhere differently rather than putting that up in VirusTotal”

Tune in to learn about the smartest ways to test and implement endpoint protection into your small- to medium-sized business, and how to finally break free from the VirusTotal silo, on the latest episode of Lock and Code, with host David Ruiz.

This video cannot be displayed because your Functional Cookies are currently disabled.

To enable them, please visit our privacy policy and search for the Cookies section. Select “Click Here” to open the Privacy Preference Center and select “Functional Cookies” in the menu. You can switch the tab back to “Active” or disable by moving the tab to “Inactive.” Click “Save Settings.”

You can also find us on Apple PodcastsSpotify, and Google Podcasts, plus whatever preferred podcast platform you use.

The post Breaking free from the VirusTotal silo: Lock and Code S02E07 appeared first on Malwarebytes Labs.

Artificial Intelligence ban slammed for failing to address “vast abuse potential”

A written proposal to ban several uses of artificial intelligence (AI) and to place new oversight on other “high-risk” AI applications—published by the European Commission this week—met fierce opposition from several digital rights advocates in Europe.

Portrayed as a missed opportunity by privacy experts, the EU Commission’s proposal bans four broad applications of AI, but it includes several loopholes that could lead to abuse, and it fails to include a mechanism to add other AI applications to the ban list. It deems certain types of AI applications as “high-risk”—meaning their developers will need to abide by certain restrictions—but some of those same applications were specifically called out by many digital rights groups earlier this year as “incompatible with a democratic society.” It creates new government authorities, but the responsibilities of those authorities may overlap with separate authorities devoted to overall data protection.

Most upsetting to digital rights experts, it appears, is that the 107-page document (not including the necessary annexes) offers only glancing restrictions on biometric surveillance, like facial recognition software.

“The EU’s proposal falls far short of what is needed to mitigate the vast abuse potential of technologies like facial recognition systems,” said Rasha Abdul Rahim, Director of Amnesty Tech for Amnesty International. “Under the proposed ban, police will still be able to use non-live facial recognition software with CCTV cameras to track our every move, scraping images from social media accounts without people’s consent.”

AI bans

Released on April 21, the AI ban proposal is the product of years of work, dating back to 2018, when the European Commission and the European Union’s Member States agreed to draft AI policies and regulations. According to the European Commission, the plan is meant to not just place restrictions on certain AI uses, but to also allow for innovation and competition in AI development.

“The global leadership of Europe in adopting the latest technologies, seizing the benefits and promoting the development of human-centric, sustainable, secure, inclusive and trustworthy artificial intelligence (AI) depends on the ability of the European Union (EU) to accelerate, act and align AI policy priorities and investments,” the European Commission wrote in its Coordinated Plan on Artificial Intelligence.

The proposal includes a few core segments.

The proposal would ban, with some exceptions, four broad uses of AI. Two of those banned uses include the use of AI to distort a person’s behavior in a way that could cause harm to that person or another person; one of those two areas focuses on the use of AI to exploit a person or group’s “age, physical or mental disability.”

The proposal’s third ban targets the use of AI to create so-called social credit scores that could result in unjust treatment, a concern that lies somewhere between the haphazard systems implemented in some regions of China and the dystopic anthology series Black Mirror.

According to the proposal, the use of AI to evaluate or classify the “trustworthiness” of a person would not be allowed if those evaluations led to detrimental or unfavorable treatment in “social contexts which are unrelated to the contexts in which the data was originally generated or collected,” or treatment that is “unjustified or disproportionate to their social behavior or its gravity.”

The proposal’s final AI ban would be against “’real-time’ remote biometric identification systems in publicly accessible spaces for the purpose of law enforcement,” which means police could not use tools like facial recognition in real-time at public events, with some exceptions.

Those exceptions include the “targeted search” for “specific” potential victims of crime, including missing children, and the prevention of “specific, substantial, and imminent threat to the life or physical safety of natural persons, or of a terrorist attack.” Law enforcement could also use real-time facial recognition tools to detect, locate, identify, or prosecute a “perpetrator or suspect” of a crime of a certain severity.

According to Matthew Mahmoudi, a researcher and adviser for Amnesty Tech, these exceptions are too broad, as they could still allow for many abuses against certain communities. For instance, the exception that would allow for real-time facial recognition to be used “on people suspected of illegally entering or living in a EU member state… will undoubtedly be weaponised against migrants and refugees,” Mahmoudi said.

Aside from the proposal’s exceptions, it is the bans themselves that appear quite limited when compared to what is happening in the real world today.

As an example, the proposal does not ban post-fact facial recognition by law enforcement, in which officers could collect video imagery after a public event and run facial recognition software on that video from the comfort of their stations. Though the EU Commission’s proposal of course applies to Europe, this type of practice is already rampant within the United States, where police departments have lapped up the offerings of Clearview AI, the facial recognition company with an origin story that includes coordination with far-right extremists.

The problem is severe. As uncovered in a Buzzfeed investigation this year:

“According to reporting and data reviewed by BuzzFeed News, more than 7,000 individuals from nearly 2,000 public agencies nationwide have used Clearview AI to search through millions of Americans’ faces, looking for people, including Black Lives Matter protesters, Capitol insurrectionists, petty criminals, and their own friends and family members.”

Buzzfeed found similar police activity in Australia last year, and on the very same day that the EU Commission released its proposal, Malwarebytes Labs covered a story about the FBI using facial recognition to identify a rioter at the US Capitol on January 6.

This type of activity is thriving across the world. Digital rights experts believe now is the best chance the world has to stamp it out.

But what isn’t banned by the proposal isn’t necessarily unrestricted. In fact, the proposal simply creates new restrictions based on other types of activities it deems “high-risk.”

High-risk AI and oversight

The next segment of the proposal places restrictions on “high-risk” AI applications. These uses of AI would not be banned outright but would instead be subject to certain oversight and compliance, much of which would be performed by the AI’s developers.

According to the proposal, “high-risk” AI would fall into the following eight, broad categories:

  • Biometric identification and categorization of natural persons
  • Management and operation of critical infrastructure
  • Education and vocational training
  • Employment, workers management, and access to self-employment
  • Access to and enjoyment of essential private services and public services and benefits
  • Law enforcement
  • Migration, asylum, and border control management
  • Administration of justice and democratic processes

The proposal clarifies which types of AI applications would be considered high-risk in each of the given categories. For instance, not every single type of AI used in education and vocational training would be considered high-risk, but those that do qualify would be systems “intended to be used for the purpose of determining access or assigning natural persons to educational and vocational training institutions.” Similarly, AI systems used for employment recruiting—particularly those used to advertise open positions, screen applications, and evaluate candidates—would be classified as high-risk under the broader category of AI for employment, workers management, and access to self-employment.

Here, again, the proposal angered privacy experts.

In January of this year, 61 civil rights groups sent an open letter to the European Commission, asking that certain applications of AI be considered “red lines” that should not be crossed. The groups, which included Access Now, Electronic Privacy Information Center, and Privacy International, wrote to “call attention to specific (but non-exhaustive) examples of uses that are incompatible with a democratic society and must be prohibited or legally restricted in the AI legislation.”

Of the five areas called out as too dangerous to permit, at least three are considered as “high-risk” by the European Commission’s proposal, including the use of AI for migration management, for criminal justice, and for pre-predictive policing.

The problem, according to the group Access Now, is that the proposal’s current restrictions for high-risk AI would do little to actually protect people who are subject to those high-risk systems.

Per the proposal, developers of these high-risk AI systems would need to comply with several self-imposed rules. They would need to establish and implement a “risk management system” that identifies foreseeable risks. They would need to draft up and keep up to date their “technical documentation.” They would need to design their systems to implement automatic record-keeping, ensure transparency, and allow for human oversight.

According to the European Digital Rights (EDRi) association, these rules put too much burden on the developers of the tools themselves.

“The majority of requirements in the proposal naively rely on AI developers to implement technical solutions to complex social issues, which are likely self-assessed by the companies themselves,” the group wrote. “In this way, the proposal enables a profitable market of unjust AI to be used for surveillance and discrimination, and pins the blame on the technology developers, instead of the institutions or companies putting the systems to use.”

Finally, the proposal would place some oversight and regulation duties into the hands of the government, including the creation of an “EU database” that contains information about high-risk AI systems, the creation of a European Artificial intelligence Board, and the designation of a “national supervisory authority” for each EU Member State.

This, too, has brought pushback, as the regulatory bodies could overlap in responsibility with the European Data Protection Board and the Data Protection Authorities already designated by each EU Member State, per the changes implemented by the General Data Protection Regulation.

What next?

Though AI technology races ahead, the EU Commission’s proposal will likely take years to implement, as it still needs to be approved by the Council of the European Union and the European Parliament to become law.

Throughout that process, there are sure to be many changes, updates, and refinements. Hopefully, they’re for the better.

The post Artificial Intelligence ban slammed for failing to address “vast abuse potential” appeared first on Malwarebytes Labs.

SUPERNOVA malware discovered on SolarWinds Orion server

The Cybersecurity and Infrastructure Security Agency (CISA) has reported finding the SUPERNOVA web shell collecting credentials on a SolarWinds Orion server. These observations were made during an incident response to an Advanced Persistent Threat (APT) actor’s year-long compromise of an enterprise network. In its analysis, the organization warns that this threat actor behind the compromise “targeted multiple entities in the same period”.

NOT part of the SolarWinds attack

The SUPERNOVA web shell is placed by an attacker directly on a system that hosts SolarWinds Orion and is designed to appear as part of the SolarWinds Orion monitoring product. So, SUPERNOVA is placed by a lateral movement inside a network and not considered as a part of the SolarWinds supply chain attack. The threat actors are believed to be different from the ones behind the infamous supply chain attack.

Pulse Secure VPN

CISA found that the attacker(s) had access to the enterprise’s network for nearly a year, between March 2020 and February 2021. According to its investigation, the threat actor connected to the entity’s network via a Pulse Secure Virtual Private Network (VPN) appliance. CISA reports that it “does not know how the threat actor initially obtained these credentials” but, by coincidence, just two days ago we detailed multiple Pulse Secure vulnerabilities that are being actively exploited in the wild, and which could leverage such an attack.

The attacker(s) authenticated to the VPN appliance through several user accounts that did not have multi-factor authentication (MFA) enabled and were able to masquerade as legitimate teleworking employees.

From there they moved laterally to its SolarWinds Orion server to establish a backdoor that would allow them to persist, so they could connect even if their initial point of entry was closed.

Web shells

Web shells are usually small scripts that act as a backdoor or a first point of entry for an attacker. A minimal web shell can be as simple as this:

<?=`$_GET[1]`?>

A shell like this will site on a compromised server and simply execute whatever command an attacker sends it via a web URL. The SUPERNOVA web shell is more sophisticated, and written in .NET rather than PHP, but it is essentially no different.

It is initially installed by a PowerShell script and hides in a malicious version of the SolarWinds Orion Web Application module. It enables remote injection of C# source code into a web portal provided by the SolarWinds software suite. The injected code is compiled and directly executed in memory.

Harvesting credentials

The goal of the operation looks to have been to gather even more credentials. CISA reports that the threat actor was able to dump credentials from the SolarWinds appliance via two methods:

  • Cached credentials used by the SolarWinds appliance server and network monitoring.
  • By dumping Local Security Authority Subsystem Service (LSASS) memory.

The cached credentials are normally protected by encryption unless they are marked as exportable. So, either the threat actor was able to change or bypass that property, or the victim mistakenly marked the private key certificate as exportable.

The attacker put a renamed copy of procdump.exe on the SolarWinds Orion server to dump the LSASS memory. The credentials were then dumped into a text file and exfiltrated by an HTTP request.

CVE-2020-10148

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). CISA believes that a vulnerability listed as CVE-2020-10148 was used to bypass the authentication to the SolarWinds appliance.

The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected.

Bypassing the authentication would have enabled them to run commands with the same privileges the SolarWinds appliance was running, which was SYSTEM in this case.

Recommendations

Based on findings done during the ongoing investigation CISA recommends all organizations implement the following practices to strengthen the security posture of their organization’s systems:

  • Check for common executables executing with the hash of another process
  • Implement MFA, especially for privileged accounts.
  • Use separate administrative accounts on separate administration workstations.
  • Implement Local Administrator Password Solution (LAPS).
  • Implement the principle of least privilege on data access.
  • Secure Remote Desktop Protocol (RDP) and other remote access solutions using MFA and “jump boxes” for access.
  • Deploy and maintain endpoint defense tools on all endpoints.
  • Ensure all software is up to date.
  • Maintain up-to-date antivirus signatures and engines.
  • Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators’ group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Enable a personal firewall on organization workstations that is configured to deny unsolicited connection requests.
  • Disable unnecessary services on organization workstations and servers.

It also urges users of SolarWinds Orion versions 2019.4 through 2020.2.1 HF1 to to review Emergency Directive ED 21-01 and associated guidance for recommendations on operating the SolarWinds Orion platform. US federal agencies are required to comply with these directives.

Stay safe, everyone!

The post SUPERNOVA malware discovered on SolarWinds Orion server appeared first on Malwarebytes Labs.

How to choose the best VPN for you

If you’ve been shopping for a VPN service in 2021, you’ve probably noticed how many providers are available. Using a personal VPN has grown in popularity in recent years, and for good reason. You may no longer be asking, “Should I use one,” but rather, “Which one should I choose?”

The answer might be different for different people. There are many features and providers to consider. Here, we guide you through some of the decision factors so you can select the best VPN for your needs.

Is a free VPN the best choice?

One of the first questions VPN shoppers might ask is whether to use a free VPN service or pay for one. If you’re familiar with what a VPN is, you probably know that there are costs associated with being a provider. A VPN is like a middleman for your Internet traffic, and just like you probably pay an Internet Service Provider for your home Internet, a VPN provider somehow has to cover the costs of their service.

You might compare free vs paid VPNs to free vs paid Internet access. For home Internet access, an Internet Service Provider maintains the infrastructure to deliver Internet to homes, and charges customers for it. If you go to a café and use their free WiFi, the café pays for the WiFi and might build that cost into how much they charge you for a cup of coffee. So, how would a free VPN provider build their costs into a free service?

A common way free VPN services cover their costs is through advertising. That might be showing you ads when you use the service, or by taking your Internet activity data (as well as their other customers’ data) and selling that to advertisers as marketing data. Given that one of the main reasons to use a VPN is to increase your online privacy, it seems that using a free VPN that covers its costs by using your Internet activity for advertising might not accomplish that goal.

If you decide you want to use a paid VPN service for your online privacy but you’re not ready to commit to a long-term subscription right away, many providers offer a free trial before you have to make that commitment.

Choosing a VPN for gaming, streaming, or torrenting

One of the key decision factors in choosing a VPN is what you plan to use it for. In your research, you’ll likely explore reviews to help narrow down your selection, and one of the best ways to make your choice is to take advantage of free trials, so you can take the VPN for a test drive, so to speak. 

The best VPN for you might not be the best one for someone else. Online privacy is the main concern for most VPN users, but if you intend to use one while gaming, watching streaming services based in other countries, or for torrenting, you will have other considerations too and might choose a different provider in each case.

Best VPN for gaming

Many avid gamers have not wanted to use a VPN while gaming due to increased lag caused by encrypting traffic and routing it through a VPN server. However, many VPNs have gotten faster and more efficient, and “gaming VPN” is less of an oxymoron than it used to be. In addition to the online privacy benefits, gamers may also be keen to hide their IP addresses due to threats like doxing and swatting.

Alternatively, some users don’t want to use a VPN for gaming, but do want to use a VPN for everything else other than gaming. In that case, they will want to pay attention to how easily and transparently they can do this. Do they have to do one thing at a time and remember to turn the VPN on and off as they need it, or can they keep their VPN on all the time while allowing games to bypass it?

If you’re a gamer searching for the best VPN specifically for gaming, take advantage of free trials, and test out your selections while gaming to see how they impact speed and performance. 

Best VPN for streaming

Most VPN services enable you to select a server in the country of your choice, and this can enable you to watch some streaming services as if you were located in that country. However, some streaming services have cracked down on this practice, and so not every VPN will enable you to watch the content you want. Testing out a VPN with the streaming services you want to watch is a good way to determine what works now, but keep in mind that your access may change as streaming services adapt. Before using a VPN to access a streaming service, be sure to check that doing so does not violate their terms and conditions.

Best VPN for torrenting

Torrenting is a form of peer-to-peer (P2P) file sharing. Torrent downloads are quick because they are drawn from multiple nearby peers instead of from a single faraway location. To get access to the network users must become peers and allow a small portion of their computer’s resources to be used for hosting torrent data. While sharing files with other users isn’t illegal in and of itself, torrenting is often associated with pirating copyrighted material. However, there is perfectly legal content that people torrent, such as classic movies, TED Talks, and content in indie or niche genres that might not be readily available on large streaming services.

Often for torrenting, connection speed is most important factor in choosing a VPN so you can start watching content quickly. Unlike gaming, where download performance is most important, torrent users will also care about upload performance. This is another example in which taking advantage of free trials to test out VPN speeds while torrenting can help you to pick the best VPN for this purpose.

VPN features

Once you’ve thought about how you plan to use a VPN, the final step to select the best one for your needs is to compare features. This includes:

  • Ease of use: Is the interface easy to navigate and use?
  • Connection speed: You can test this if you do a free trial of the services you’re considering, and look at VPN speed comparison tests.
  • Server locations: In how many different countries are servers available?
  • Data limits: Does the service provide unlimited data, or is there a cap?
  • Simultaneous usage: How many devices can use your plan simultaneously?
  • Operating systems: Can you use the same VPN service on Windows, Mac, Android, and iOS?
  • VPN protocol: Do they use WireGuard, OpenVPN, or another protocol?
  • Encryption: Does the VPN use 256-bit AES encryption, the current best-in-class standard? 
  • Logging: Do they keep activity logs or have a no-log policy? What data gets logged?
  • Kill switch: Do they offer a kill switch, to close your browsers or apps if the VPN disconnects unexpectedly?
  • Split tunneling: Do you want to be able to do some online activities inside the encrypted VPN, and others (such as high-bandwidth activities) just on your regular Internet connection?
  • Support: Is support available 24/7? Is it available via chat, email, phone?

What’s the best VPN for your needs? Different people will have different answers. Considering the available features and reasons you want to use a VPN service will help you to answer that question.

The post How to choose the best VPN for you appeared first on Malwarebytes Labs.

Take action! Multiple Pulse Secure VPN vulnerabilities exploited in the wild

Pulse Secure has alerted customers to the existence of an exploitable chain of attack against its Pulse Connect Secure (PCS) appliances. PCS provides Virtual Private Network (VPN) facilities to businesses, which use them to prevent unauthorized access to their networks and services.

Cybersecurity sleuths Mandiant report that they are tracking “12 malware families associated with the exploitation of Pulse Secure VPN devices” operated by groups using a set of related techniques to bypass both single and multi-factor authentication. Most of the problems discovered by Pulse Secure and Mandiant involve three vulnerabilities that were patched in 2019 and 2020. But there is also a very serious new issue that it says impacts a very limited number of customers.

The old vulnerabilities

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The patched vulnerabilities are listed as:

  • CVE-2019-11510 an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability. We wrote about the apparent reluctance to patch for this vulnerability in 2019.
  • CVE-2020-8243 a vulnerability in the Pulse Connect Secure < 9.1R8.2 admin web interface could allow an authenticated attacker to upload a custom template to perform an arbitrary code execution.
  • CVE-2020-8260 a vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary code execution using uncontrolled gzip extraction.

The obvious advice here is to review the Pulse advisories for these vulnerabilities and follow the recommended guidance, which includes changing all passwords in the environments that are impacted.

The new vulnerability

The new vulnerability (CVE-2021-22893) is a Remote Code Execution (RCE) vulnerability with a CVSS score of 10—the maximum—and a Critical rating. According to the Pulse advisory:

[The vulnerability] includes an authentication by-pass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. This vulnerability has a critical CVSS score and poses a significant risk to your deployment.

There is no patch for it yet (it is expected to be patched in early May), so system administrators will need to mitigate for the problem for now, rather than simply fixing it. Please don’t wait for the patch.

Mitigation requires a workaround

According to Pulse Secure, until the patch is available CVE-2021-22893 can be mitigated by importing a workaround file. More details can be found in the company’s Security Advisory 44784. Reportedly, the workaround disables Pulse Collaboration, a feature that allows users to schedule and hold online meetings between both Connect Secure users and non-Connect Secure users. The workaround also disables the Windows File Share Browser that allows users to browse network file shares.

Targets

The Pulse Connect Secure vulnerabilities including CVE-2021-22893 have been used to target government, defense and financial organizations around the world, but mainly in the US. According to some articles the threat-actors are linked to China. The identified threat actors were found to be harvesting account credentials. Very likely in order to perform lateral movement within compromised organizations’ environments. They have also observed threat actors deploying modified Pulse Connect Secure files and scripts in order to maintain persistence. These modified scripts on the Pulse Secure system are reported to have allowed the malware to survive software updates and factory resets.

Threat analysis

FireEye’s Mandiant was involved in the research into these vulnerabilities. It has posted an elaborate analysis of the related malware, which they have dubbed SlowPulse. According to Mandiant, the malware and its variants are “applied as modifications to legitimate Pulse Secure files to bypass or log credentials in the authentication flows that exist within the legitimate Pulse Secure shared object libdsplibs.so”. In their blogpost they discuss 4 variants. Interested parties can also find technical details and detections there.

Networking devices

State sponsored cyber-attacks are often more about espionage than about monetary gain with the exception of sabotage against an enemy state. A big part of the espionage is getting hold of login credentials of those that have access to interesting secret information. Breaking into network devices in a way that can be used to extract login credential is an important strategy in this secret conflict. Keep in mind that attribution is always hard and tricky. You may end up reaching the conclusion they wanted you to reach. Given the targets and the methodology however, it makes sense in this case to look first at state sponsored threat actors.

The post Take action! Multiple Pulse Secure VPN vulnerabilities exploited in the wild appeared first on Malwarebytes Labs.

FBI face recognition trawl finds Capitol rioter via his girlfriend’s Instagram

Facial recognition tech is in the news again after the FBI discovered the identify of one of the Capitol rioters by using facial recognition software on his girlfriend’s Instagram posts. It may sound scary and invasive, but in truth, what’s happening isn’t particularly new. In this case, we have what’s fast becoming a fairly standard tale of tracking people down via online imagery. Sometimes there’s cause for concern even without the latest tech providing some sort of flashpoint.

What’s happened?

After the Capitol riots following the US election, those responsible were slowly arrested over a period of weeks of searching and identifying. The Verge story mentions that in this effort, law enforcement made use of “facial recognition tools” to track down people associated with the event. The tool apparently brought researchers to the Instagram feed of a suspect’s girlfriend. It was a short step from there to matching his clothes with images from the Capitol riot.

Everything unravelled for the suspect quickly. Facebook accounts revealed his name. This brought investigators (via his state driving licence records) to his identity, workplace, and home.

Recognising recognition

We’ve covered facial recognition on the blog many times. Most concerns tend to focus on the potential for abuse from repressive Governments and law enforcement overreach. It’s such a concern that tech giants regularly dip in, and then quickly dip out when public opinion turns.

I don’t think many people will complain if facial recognition is used to help identify the people at the Capitol riots. Organisations find new ways to secure their sites with facial recognition and biometrics on a daily basis. You may or may not object to your bank combining facial recognition with AI software. These are potentially useful applications of this technology. Even so, we need to know what we’re dealing with for this story.

When pop culture and cold hard reality collide

Facial recognition is very much one of those technologies made a cliche for all time by film and television. The camera zooms in from orbit, it picks up the target in seconds, the operator is able to tell where the suspect bought his suit by enhancing the fibers on his jacket and so on.

The reality here is, “some people used a program to play mix and match with publicly available photographs”. The end result is still impressive, but CSI: Cyber this is not.

Impressive, but not CSI: Cyber

How does this work, then? Well, the article mentions “open source facial recognition tools”. The affidavit doesn’t say which tool, because law enforcement doesn’t want to give perpetrators clues for avoiding the long arm of the law. You can see some of the more popular tools available here, if you’re interested in learning more or giving them a go.

Otherwise, there are many other ways to match images with the raft of materials floating around online. TinEye is a dedicated online tool for matching images, and Google / Bing / Yandex search all offer their own versions of this functionality. A little bit of sleuthing and familiarity with OSINT practices can go a long way.

A sliding scale of “that’s impressive”

One of the best examples of this happened just recently, with a lost hiker pinpointed via a photograph. To me, this is significantly more impressive than digging a fairly distinctive individual out from a never-ending pile of selfies and readily available data on popular image sharing websites. As a result, I’d say this one is interesting, but definitely nothing new. Crowdsourcing also has a history of going horribly wrong, and the infamous Reddit Boston Bombing debacle is as good a place to drop this warning as any.

We’ll definitely see more of these stories in the near future, but I wouldn’t necessarily start panicking about this branch of open sourcing just yet.

The post FBI face recognition trawl finds Capitol rioter via his girlfriend’s Instagram appeared first on Malwarebytes Labs.