IT News

The REvil ransomware (AKA Sodinokibi, which operates as a Ransomware as a Service) is adopting some outreach techniques after initial compromise, designed to shame victims into paying up.

Shaming victims into action

Malware authors and social engineers have relied on shame and the threat of exposure for years. Nothing encourages potential victims to pay up like a solid threat. This isn’t something to underestimate or dismiss. It can have very serious consequences, with at least one tragedy involving a suicide linked to common-or-garden ransomware threats. 

These threats are most closely linked to people at home, with sextortion being one of the biggest.

This is where victims are told someone has footage of them watching pornographic material, or engaging in sexual activity. If they don’t pay the Bitcoin ransom, scammers will release the footage to the world at large or even to just friends and family. This threat comes from old passwords taken from password dumps—which have probably long since changed—which could lend some believed credibility to the threat. The Ransomware authors have no footage whatsoever, but it’s a very effective tactic.

From consumer to corporate…

In recent developments, ransomware bought itself a business suit and a nice tie, and it started working its way into corporate. Here, the gimmick was compromising the network, locking up important files and/or servers and demanding cash to release them back to victims.

This quickly became a mess of arguments over paying the ransom, and the world of cyber insurance and whether it would actually insure against these types of attacks. It also led into the concept of ransomware authors ruining their own trust model with broken unlocks or missing decryption keys.

This time it’s personal

Whereas typical ransomware attacks involve encryption of all available files. More recently, attackers have added data exfiltration to their box of tricks, along with threats to leak the stolen data if victims are able to recover from the encryption with the attacker’s help.

A well-worn security notion is that we never know the full story in terms of numbers compromised by attack X or Y. This seems a reasonable assumption; lots of consumer and business victims of cybercrime do not want to publicize it. There may be liability issues they’re trying to keep hidden, or perhaps they don’t want the embarrassment of everyone knowing what happened.

This latest development twists the exfiltration knife a bit harder by using a splash of shame to encourage victims to pay up.

The scammers perform outreach to the media and the victim’s clients. The idea here is to keep heaping pressure on the victims until they relent and pay up. VoIP calls seem to be the method of choice for said outreach, which helps keep callers anonymized.

As noted by Bleeping Computer, similar tactics have been used in the past, but those calls focused on the victims. Threatening to expose a compromised machine or network via journalists or business affiliates is upping the stakes quite a bit.

As with ransomware attacks where there is no guarantee of being given a decryption key after payment, so too is there no guarantee the attackers will play nice afterwards. Regardless of tactics used, the end results are always the same: pay up, or else.

Putting scammers on the do-not-call list

Options may be limited depending on how prepared victims are at the start of a ransomware attack. It may well be that files are unrecoverable, or business operations cease while cleanup takes place.

It could be a huge payout is handed to the attackers, and no files are returned. They may get lucky, with all services restored and no mention outside the four walls of the business affected. It’s simply a lottery, though having said that, there’s a few ways you can even the odds. Stay safe out there, and hopefully you’ll never have to hear a ransomware fan at the other end of a telephone line.

The post REvil ransomware’s calling, and it’s not good news appeared first on Malwarebytes Labs.

Last week on Malwarebytes Labs, our podcast featured Eva Galperin who talked to us about defending online anonymity and speech.

We wrote about how Ryuk ransomware has developed a worm-like capability, how Exchange servers are attacked by Hafnium zero-days, 21 million free VPN users’ data was exposed, how China’s RedEcho was accused of targeting India’s power grids, whether Google’s Privacy Sandbox will take the bite out of tracking cookies, and how a Chrome fix patches an in-the-wild zero-day.

Other cybersecurity news

• Gab has been badly hacked, the stolen information includes what appears to be passwords and private communications. (Source: Wired)
• A bug in a shared SDK can let attackers join calls undetected across multiple apps. (Source: ZDNet)
• Business email compromise (BEC) scammers are utilizing a new type of attack targeting investors. (Source: BleepingComputer)
• Socially engineered attacks surfaced in maritime cybersecurity. (Source: Center for International Maritime Security)
• Researchers found three new malware strains used by the SolarWinds group. (Source: The Hacker News)
• Horticulture is an interesting sector for hackers since it is at the forefront of modern technologies. (Source: Horti Daily)
• A federal judge has approved a $650m settlement of a privacy lawsuit against Facebook for allegedly using photo face-tagging and other biometric data without the permission of its users. (Source: The Guardian)
• Google shared a PoC exploit for a critical Windows 10 Graphics RCE bug. (Source: Bleeping Computer)

Stay safe, everyone!

The post A week in security (March 1 – 7) appeared first on Malwarebytes Labs.

Happy Monday! And if you haven’t yet checked the significance of this day—March 8—before grabbing coffee, today is International Women’s Day (IWD).

Since March 19, 1911, the year the very first IWD was observed in several European countries, millions of people have been calling for women to be given more rights, which includes the right to work, vote, and hold public office. A few years later it was moved to March 8 and it has been celebrated on that day ever since.

The United Nations first celebrated IWD in 1975, and two years later proclaimed a United Nations Day for Women’s Rights and International Peace to be observed by member states.

Today, people around the world are celebrating the cultural, economic, political, and social achievements of women. And strong female influences help create equally strong women. Here at Malwarebytes, we didn’t have to look very far for examples. With piqued curiosity, we asked a selection of women who their heroes are. Here are their answers.

RBG

My hero is Ruth Bader Ginsburg. Her entire journey is so inspiring, she led the way for so many women as a role model. She spoke up when it wasn’t entirely ok for woman to speak up, she created a path for woman to become professionals in the corporate world, and became the second female on the Supreme Court.

Ruth fought for what was right, gender equality, women’s rights and was a big proponent of making sure that every woman has their voice heard. She pushed through many challenges, overcame so many obstacles and was the voice that was needed to help push gender equality forward. It isn’t often that someone is so brave and stands up for what is right in the face of so much adversity.

— Jamie Hudson, Vice President, Global Support & Services

Amanda Palmer

I’d like to talk about my female hero, the artist Amanda Palmer. Whereas I would’ve liked her in my 20s for her daring style and cool music, I admire her now for using her platform to further empower women, to really understand and celebrate their worth. Her book and Ted Talk “The Art of Asking” taught me about the importance of community and kindness, and how we should overcome this fear of asking each other for help, as we are stronger together.

I had the pleasure of meeting her last year, and was blown away by her kindness and love. The meeting left me with a sense of empowerment and determination to keep paying it forward, to keep lifting other women (and with that, myself) up.

— Tjitske dV, Community Relations Manager

Charlotte Klein (and others)

A few of my famous heroes are Tina Fey, Amy Poehler, and Joan Didion. They’ve each blazed pioneering trails in comedy, writing, and journalism, advancing the embrace of female leadership in these previously male-dominated industries. They’ve created iconic characters and captivating stories that have made a tremendous impact on society. Their wit, bravery, and pure talent are an inspiration.

And a real-life hero is the dearly-departed, legendary Charlotte Klein. She was the director of the nationally renowned Charlotte Klein Dance Centers where I studied for 10 years. She was tough as nails (hers were always perfectly manicured), expecting excellence from her students, but offering unrelenting support in return. She gave me the backbone, skills, self-confidence, and heart I needed to succeed in my goals—and they were (are) lofty ones!

— Wendy Zamora, former editor-in-chief, Malwarebytes Labs; current tech/security writer

The post International Women’s Day: Women in tech name their heroes appeared first on Malwarebytes Labs.

Third-party cookies have been the lynchpin of online advertising for many years. Plans to phase cookies out forever continue to run at a steady pace, with Google in the driving seat. In 2019, it announced its vision for a “Privacy Sandbox”. The building blocks for this were essentially:

1. Most aspects of the web need money to survive, and advertising that relies on cookies is the dominant revenue stream.
2. Blocking ads or cookies can prevent advertisers from generating revenue, threatening #1.
3. If you block easily controllable methods like cookies, advertisers may turn to other techniques, like fingerprinting, that are harder for users to control.

The Privacy Sandbox mission is to “Create a thriving web ecosystem that is respectful of users and private by default”. The intention is to create a set of rules that will work well for everybody. No third-party cookies, no incredibly specific individual marketing profiles, and data is kept on your device as much as possible. User data is anonymised and grouped into “cohorts”, and those cohorts with similar interests will then see targeted ads. In this way, users aren’t compromising privacy and advertisers can still deliver targeted ads, but will struggle to map out individual identities.

Broadening the scope of user privacy

This all sounds reasonable enough. A push for standards where user data sharing is greatly reduced, but ads can still function as intended is likely much better than what we have now. The wheels often come off on long-term plans like this, so it is to their credit it’s still very much happening.

You can see some aspects of web control already offered by Google in this blog from 2019:

• My Activity: Look at searches, websites visited, videos watched. It’s sort of like your browser history, but on a grand Google scale, with options to disable aspects of search or location.
• Ad Settings: Possibly the most relevant to this subject, as it shows how your ads are personalised. This is done via data you’ve added, Google’s best guesses, and data from advertisers partnered with Google. My standout highlight was the assumption I’m into extreme sports, flower arranging, and country music. I guess I’m obscuring my actual interests in a very privacy conscious fashion.

They also explain at length why you see specific ads, and also how to opt out.

Slow and steady wins the race?

Tackling third-party cookies isn’t a particularly new idea, and both Safari and Firefox have been bringing the hammer down, to various degrees of severity. But the companies behind those browsers don’t depend on ad revenue in the way that Google does. Which is why what Google is attempting is not a straightforward ban; it’s trying to find ways to replace the old system entirely. There are many, many arguments about this subject. Some advertisers claim organisations are doing this to keep users behind their own walled garden of advertising and tracking. Others say whatever you replace the old system with, will either be ignored or worked around.

This last point has some validity to it. While the major advertising players will probably work with the new methods, this leaves a gap in the market for shenanigans. Not everybody will play nice. Many smaller networks are entirely reliant on individual tracking. In some cases, they may not be able to adapt—or might not want to.

Tearing up the rulebook

CNAME cloaking, where analytics firms make third-party cookies look like first-party cookies to get around ad-blocking, has been in the news recently. We can expect a lot more of these tactics as the inevitable demise of third-party cookies draws closer.

Much is still unknown about the proposed replacements too. We don’t know exactly how people might extract themselves from specific cohorts should they feel the need to, for example. Or even if it will be possible. If I see targeted, extreme-sport-flower-arranging ads all over the place, what options are available to “fix” it?

These are good questions to ponder while Privacy Sandbox continues its 2 year plan to bring the curtain down on the ubiquitous third-party cookie. We look forward to seeing what comes next, and cast a cautious eye in the direction of ad networks everywhere.

The post Will Google’s Privacy Sandbox take the bite out of tracking cookies? appeared first on Malwarebytes Labs.

RedEcho, an advanced persistent threat (APT) group from China, has attempted to infiltrate the systems behind India’s power grids, according to a threat analysis report from Recorded Future [PDF].

It appears that what triggered this attempt to gain a foothold in India’s critical power generation and transmission infrastructure, was a tense standoff at Pangong Tso lake in May 2020. However, the report by Recorded Future, a cybersecurity company specializing in threat intelligence, claims that RedEcho were on the prowl way before this time.

Incidents at the border

China and India have been locked in a territorial dispute for decades, over an ill-defined, disputed border between Ladakh and Aksai Chin. This de-facto boundary called the Line of Actual Control (LAC) sits in the Himalayan region. Because of snowcaps, rivers, and lakes along the frontier, the LAC can shift, and soldiers from both sides often find themselves face to face with each other, increasing the risk of a confrontation.

The most recent conflict at the border transpired in June 2020, barely a full month after the May skirmish. This time, Chinese and Indian soldiers clashed in Galwan, with China accusing India of crossing onto the Chinese side. A total of 63 casualties—20 troops from India and 43 from China—were reported. Both countries insisted that no bullets were exchanged. Instead, they engaged using, literally, sticks and stones (“rocks and clubs”, according to the BBC).

Incidents in cyberspace

Although Recorded Future had observed a lot of intrusion activity towards Indian organizations in the digital space before the clash, it gained momentum after the Indian and Chinese troops faced off in May.

“In the lead-up to the May 2020 skirmishes, we observed a noticeable increase in the provisioning of PlugX malware C2 infrastructure, much of which was subsequently used in intrusion activity targeting Indian organizations,” the report said. “The PlugX activity included the targeting of multiple Indian government, public sector, and defense organizations from at least May 2020.”

RedEcho is the latest APT group to target India via its energy sector using ShadowPad, a modular backdoor that has been in use since 2017. The company also noted in its report that ShadowPad is shared among other state-backed threat actor groups who are affiliated with both the Chinese Ministry of State Security (MSS) and the People’s Liberation Army (PLA). Some of these groups include APT41 (aka Barium, among others), Icefog, KeyBoy (aka Pirate Panda), Tick, and Tonto Team.

RedEcho allegedly penetrated a total of 12 organizations, including four of India’s five Regional Load Despatch Centres (RLDCs) and two State Load Despatch Centres (SLDCs). These organizations are responsible for ensuring the optimum scheduling and dispatching of electricity based on supply and demand across regions in India. According to Recorded Future, “The targeting of Indian critical infrastructure offers limited economic espionage opportunities; however, we assess they pose significant concerns over potential pre-positioning of network access to support Chinese strategic objectives.”

This isn’t the first time India’s critical infrastructure has been in the crosshairs. In November 2020, APT41 had set their sights on India’s oil and gas sectors. Media reports suggested that the October 2020 power outage in Mumbai and neighboring areas, which crippled train transportation, closed the stock exchange, and hampered those working from home amidst the pandemic, was sabotage. Some called the outage a “warning shot” from China.

“Profoundly disturbed”

Subrahmanyam Jaishankar, India’s foreign minister, described the relationship between India and China as “profoundly disturbed”. RedEcho is just one threat actor group that has entered the scene, but we can expect that they won’t be the last. And things might only get worse because of rising geopolitical tensions, not just between China and India but also between other countries that are currently in dispute.

Remember the December 2016 power grid attack against Ukraine by Russian hackers?

And to accentuate the likely reality that more attacks against critical infrastructures will happen in the future, Dragos Inc, a cybersecurity firm specializing in industrial cybersecurity, released its “2020 Year in Review” report in late February 2021 determining that threats against industrial control systems (ICSs) and operational technology (OT) have increased threefold.

It’s worth mentioning that not all attacks on critical infrastructure are backed by nation states though. And while this is true, the outcome is still the endangerment of lives. Take, for example, the attempted poisoning of a Florida city’s drinking water last month, which was likely an act of vandalism, but could have had the impact of a terrorist attack.

The post China’s RedEcho accused of targeting India’s power grids appeared first on Malwarebytes Labs.

The Microsoft Browser Vulnerability Research team has found and reported a vulnerability in the audio component of Google Chrome. Google has fixed this high-severity vulnerability (CVE-2021-21166) in its Chrome browser and is warning Chrome users that an exploit exists in the wild for the vulnerability. It is not the first time that Chrome’s audio component was targeted by an exploit.

No details available

Further details about the vulnerability are restricted until a majority of Chrome users have updated to the patched version of the software. What we do know is that it concerns an object lifecycle issue in the audio component of the browser.

An object lifecycle is used in object oriented programming to describe the time between an object’s creation and its destruction. Outside of the lifecycle the object is no longer valid, which could lead to a vulnerability.

For example, if everything goes as planned with the lifecycle the correct amount of computer memory is allocated and reclaimed at the right times. If it doesn’t go well, and memory is mismanaged, that could lead to a flaw – or vulnerability – in the program.

More vulnerabilities patched in the update

As per usual Google patched several other vulnerabilities and bugs in the same update. Some of the other vulnerabilities were listed with high severity:

Google said that it fixed three heap-buffer overflow flaws in the TabStrip (CVE-2021-21159, CVE-2021-21161) and WebAudio (CVE-2021-21160) components. A high-severity use-after-free error (CVE-2021-21162) was found in WebRTC. Two other high-severity flaws include an insufficient data validation issue in Reader Mode (CVE-2021-21163) and an insufficient data validation issue in Chrome for iOS (CVE-2021-21164).

The CVE’s

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

• CVE-2021-21159, CVE-2021-21161: Heap buffer overflow in TabStrip. Heap is the name for a region of a process’ memory which is used to store dynamic variables. A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region. In software exploit code, two common areas that are targeted for overflows are the stack and the heap.
• CVE-2021-21160: Heap buffer overflow in WebAudio.
• CVE-2021-21162: Use after free in WebRTC. Use after free (UAF) is a vulnerability due to incorrect use of dynamic memory during a program’s operation. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program. WebRTC allows programmers to add real-time communication capabilities to their application.
• CVE-2021-21163: Insufficient data validation in Reader Mode. Insufficient data validation could allow an attacker to use especially crafted input to manipulate a program.
• CVE-2021-21164: Insufficient data validation in Chrome for iOS.

When more details about the vulnerabilities come to light it’s possible that more exploits for them will be found in the wild. It depends a lot on how easy they are to abuse, and how big the possible impact can be. But with one already being used in the wild, it is advisable to update now.

How to update

The easiest way to do it is to allow Chrome to update automatically, which basically uses the same method I outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong, such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time.

My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then it will tell you all you have to do to complete the update is Relaunch the browser.

Stay safe, everyone!

The post Update now! Chrome fix patches in-the-wild zero-day appeared first on Malwarebytes Labs.

Detailed credentials for more than 21 million mobile VPN app users were swiped and advertised for sale online last week, offered by a cyber thief who allegedly stole user data collected by the VPN apps themselves. The data includes email addresses, randomly generated password strings, payment information, and device IDs belonging to users of three VPN apps—SuperVPN, GeckoVPN, and ChatVPN.

The attacks, which have not been confirmed by the VPN developers, represent the most recent privacy broadsides against the VPN industry. Two similar blunders have been revealed to the public since 2019, including one massive data leak that exposed several VPN apps’ empty promises to collect “no logs” of their users’ activity. In that data leak, not only did the VPN providers fail to live up to their words, but they also hoovered up additional data, including users’ email addresses, clear text passwords, IP addresses, home addresses, phone models, and device IDs.

For the average consumer, then, the privacy pitfalls begin to paint an all-too-familiar portrait: Users continue to feel alone when managing their online privacy, even when they rely on tools meant to enhance that privacy.

Cybersecurity researcher Troy Hunt, who wrote about the recent data leak on Twitter, called the entire issue “a mess, and a timely reminder why trust in a VPN provider is so crucial.”

He continued: “This level of logging isn’t what anyone expects when using a service designed to *improve* privacy, not to mention the fact they then leaked all the data.”

The data leak of SuperVPN, GeckoVPN, and ChatVPN

In late February, a user on a popular hacking forum claimed that they’d stolen account information and credentials belonging to the users of three, separate VPNs apps available on the Google Play store for Android: SuperVPN, GeckoVPN, and ChatVPN.

The three apps vary wildly in popularity. According to Google Play’s count, ChatVPN has earned more than 50,000 installs, GeckoVPN has earned more than 10 million installs, and SuperVPN weighs in as one of the most popular free VPN apps for Android today, with more than 100 million installs to its name.

Despite SuperVPN’s popularity, it is also one of the most harshly reviewed VPN apps for Android devices. Last April, a writer for Tom’s Guide found critical vulnerabilities in the app that so worried him that the review’s headline directed current users to: “Delete it now.” And just one month later, a reviewer at TechRadarPro said that SuperVPN had a “worthless privacy policy” that was cobbled together from other companies’ privacy policies and which directly contradicted itself.

Not more than one year later, that privacy policy has again been thrown into the spotlight with a data leak that calls into question just what types of information the app was actually collecting.

According to the thief who pilfered the information from SuperVPN, GeckoVPN, and ChatVPN, the data for sale includes email addresses, usernames, full names, country names, randomly generated password strings, payment-related data, and a user’s “Premium” status and the corresponding expiration date. Following the forum post, the tech outlet CyberNews also discovered that the stolen data included device serial numbers, phone type and manufacturer information, device IDs, and device IMSI numbers.

According to CyberNews, the data was taken from “publicly available databases that were left vulnerable by the VPN providers due to developers leaving default database credentials in use.”

Past VPN errors

The unfortunate truth about the recent VPN app data leak is that this type of data mishap is nothing new.

In 2019, the popular VPN provider NordVPN confirmed to TechCrunch that it suffered a breach the year before. According to TechCrunch:

“NordVPN told TechCrunch that one of its data centers was accessed in March 2018. ‘One of the data centers in Finland we are renting our servers from was accessed with no authorization,’ said NordVPN spokesperson Laura Tyrell.

The attacker gained access to the server—which had been active for about a month—by exploiting an insecure remote management system left by the data center provider; NordVPN said it was unaware that such a system existed.”

Separate from the NordVPN breach, last July, seven VPN providers were found to have left 1.2 terabytes of private user data exposed online, according to a report published by the cybersecurity researchers at vpnMentor. According to the report, the exposed data belonged to as many as 20 million users. The data included email addresses, clear text passwords, IP addresses, home addresses, phone models, device IDs, and Internet activity logs.

The seven VPN providers investigated by vpnMentor were:

• UFO VPN
• Fast VPN
• Free VPN
• Super VPN
• Flash VPN
• Secure VPN
• Rabbit VPN

The researchers at vpnMentor also explained that there was good reason to believe that the seven apps were all made by the same developer. When analyzing the apps, vpnMentor discovered that all of them shared a common Elasticsearch server, were hosted on the same assets, shared the same, single payment recipient—Dreamfii HK Limited—and that at least three of the VPNs shared similar branding and layouts on their websites.

Finally, the report also highlighted the fact that all seven of the apps claimed to keep “no logs” of user activity. Despite this, vpnMentor said that it “found multiple instances of internet activity logs on [the apps’] shared server.”

The report continued: “We viewed detailed activity logs from each VPN, exposing users’ personal information and browsing activities while using the VPNs and unencrypted plain text passwords.”

So, not only did these apps fail to live up to their own words, but they also collected extra user data that most users did not anticipate. After all, most consumers might rightfully assume that a promise to refrain from collecting some potentially sensitive data would extend to a promise to refrain from collecting other types of data.

But, according to vpnMentor, that wasn’t the case, which is a clear breach of user trust.

Let’s put it another way:

Imagine choosing a video baby monitor that promised to never upload your audio recordings to the cloud, only to find that it wasn’t just sending those recordings to an unsecured server, but it was also snapping photos of your baby and sending those pictures along, too. 

Which VPN to trust?

The trust that you place into your VPN provider is paramount.

Remember, a VPN can help protect your traffic from being viewed by your Internet Service Provider, which could be a major telecom company, or it could be a university or a school. A VPN can also help protect you from government requests for your data. For instance, if you’re doing investigative work in another country with a far more restrictive government, a VPN could help obfuscate your Internet activity from that government, should it take interest in you.

The important thing to note here, though, is that a VPN is merely serving as a substitute for who sees your data. When you use a VPN, it isn’t your ISP or a restrictive government viewing your activity—it’s the VPN itself.

So, how do you find a trustworthy VPN provider who is actually going to protect your online activity? Here are a few guidelines:

• Read trusted, third-party reviews. Many of the issues in the above apps were spotted by good third-party reviewers. When picking a VPN provider, rely on the words of some trusted outlets, such as Tom’s Guide, TechRadar, and CNET.
• Ensure that a VPN provider has a customer support contact. Several of the VPN apps investigated by vpnMentor lacked any clear way to contact them. If you’re using a product, you deserve reliable, easy-to-reach customer support.
• Check the VPN’s privacy policy. As we learned above, a privacy policy is not a guarantee for actual privacy protection, but a company’s approach to a privacy policy can offer insight into the company’s thinking, and how much it cares more about its promises.  
• Be cautious of free VPNs. As we wrote about last week, free VPNs often come with significant trade-offs, including annoying ads and the surreptitious collection and sale of your data.
• Consider a VPN made by a company you already trust. More online privacy and cybersecurity companies are offering VPN tools to supplement their current product suite. If you already trust any of those companies—such as Mozilla, Ghostery, ProtonMail, or, yes, Malwarebytes—then there’s good reason to trust their VPN products, too.

It’s a complicated online world out there, but with the right information and the right, forward-looking research, you can stay safe.

The post 21 million free VPN users’ data exposed appeared first on Malwarebytes Labs.

Microsoft has detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. Microsoft attributes the attacks to a group they have dubbed Hafnium.

“HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.”

The Hafnium attack group

Besides a rare metal that chemically resembles zirconium, Hafnium is a newly identified attack group that is also thought to be responsible for other attacks on internet-facing servers, and typically exfiltrates data to file sharing sites. Despite their use of leased servers in the US, the group is believed to be based in China (as most security researchers will tell you, attribution is hard, especially when it involves international espionage).

Exchange Server

In many organizations, internal cooperation depends on groupware solutions that enable the central administration of emails, calendars, contacts, and tasks. Microsoft Exchange Server is software that offers this functionality for Windows-based server systems.

In this case the attacker was using one of the zero-day vulnerabilities to steal the full contents of several user mailboxes from such servers.

Not one, but four zero-days

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The CVE’s (with descriptions provided by Microsoft) used in these attacks were:

• CVE-2021-26855: Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.
• CVE-2021-26857: Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.
• CVE-2021-26858: Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.
• CVE-2021-27065: Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.

They all look the same. Boring you said? Read on!

The attack chain

While the CVE description is the same for the 4 CVE’s we can learn from the report by the security firm that discovered the attacks, Volexity, that CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that was used to steal mailbox content. The Remote Code Execution (RCE) vulnerability CVE-2021-26857 was used to run code under the System account. The other two zero-day flaws — CVE-2021-26858 and CVE-2021-27065 — would allow an attacker to write a file to any part of the server.

Together these 4 vulnerabilities form a powerful attack chain which only requires the attacker to find the server running Exchange, and the account from which they want to extract email. After exploiting these vulnerabilities to gain initial access, Hafnium operators deployed web shells on the compromised servers to gain persistence and make more changes. Web shells can allow attackers to steal data and perform additional malicious actions.

Urgent patching necessary

Even though the use of the vulnerabilities was described as “limited”, now that the information has been made public, we may see a quick rise in the number of attacks. Especially since the attack does not require a lot of information about the victim to start with.

Or as Microsoft’s vice president for customer security Tom Burt put it:

“Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems.”

Users of Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, and Microsoft Exchange Server 2019 are advised to apply the updates immediately to protect against these exploits, prioritizing the externally facing Exchange servers.

Microsoft also advises that the initial stage of the attack can be stopped by “restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access”, although the other parts of the attack chain can still be exploited, if other means of access are used.

Stay safe, everyone!

The post Patch now! Exchange servers attacked by Hafnium zero-days appeared first on Malwarebytes Labs.

The French government’s computer emergency readiness team, that’s part of the National Cybersecurity Agency of France, or ANSSI, has discovered a Ryuk variant that has worm-like capabilities during an incident response.

For those unacquainted with Ryuk, it is a type of ransomware that is used in targeted attacks against enterprises and organizations. It was first discovered in the wild in August 2018 and has been used in numerous cyberattacks since, including high profile incidents like the attack on the Tampa Bay Times and other newspapers in January 2020. According to the FBI, it is the number one ransomware in terms of completed ransom payments.

How has Ryuk changed?

The French team found a variant of Ryuk that could spread itself from system to system within a Windows domain. Once launched, it will spread itself on every reachable machine on which Windows Remote Procedure Call (RPC) access is possible. (Remote procedure calls are a mechanism for Windows processes to communicate with one another.)

Why is this remarkable?

This is notable for two separate reasons.

• Ryuk used to be dropped into networks and spread manually, by human operators, or deployed into networks by other malware.
• Historically, one of the major players when it came to dropping Ryuk has been Emotet. And as it happens, the Emotet botnet suffered a serious blow when, in a coordinated action, multiple law enforcement agencies seized control of the Emotet botnet. And if the plan behind this takedown works, the botnet will be rolled up from the inside.

Targeted ransomware attacks command high ransoms because they infect entire networks, grinding whole organizations to a halt. Until this discovery, Ryuk had always relied on something else to spread it through the networks it attacked.

Given the timing of the Emotet takedown (January 27, 2021) and the discovery of the worm-like capabilities (“early 2021”) it’s tempting to connect the two. However, it would have required a very quick turn-around for these new capabilities to have been developed in response to the loss of Emotet. On the other hand, I’m not a firm believer in coincidence, especially when there are compelling reasons to suspect otherwise.

Not an Emotet alternative

But the new-found worm capabilities of Ryuk are not an alternative to the initial infection of a network that was done through Emotet. The worm-like capabilities can be deployed once they are inside and not to get inside.

And even though Emotet was renowned for appearing in combination with Ryuk, it certainly wasn’t its exclusive dealer. It is still hard to tell what the impact of the Emotet takedown will be on the malware families that were often seen as its companions.

Ryuk’s technical capabilities

The team behind Ryuk has proven with earlier tricks that they are very adept in using networking protocols. In 2019 researchers found that Ryuk had been updated with the ability to scan address resolution protocol (ARP) tables on infected systems, to obtain a list of known systems and their IP and MAC addresses. For systems found within the private IP address range, the malware was then programmed to use the Windows Wake-on-LAN command, sending a packet to the device’s MAC address, instructing it to wake up, so it could remotely encrypt the drive. Wake-on-LAN is a technology that allows a network professional to remotely power on a computer or to wake it up from sleep mode.

The combination of ARP and RPC.

Summing up, this new variant can find systems in the “neighborhood” by reading the ARP tables, wake those systems up by sending a Wake-on-LAN command, and then use RPC to copy itself to identified network shares. This step is followed by the creation of a scheduled task on the remote machine.

In 2019, the NCSC reported that

“Ryuk ransomware itself does not contain the ability to move laterally within a network,”

meaning that attackers would first conduct network reconnaissance, identify systems for exploitation and then run tools and scripts to spread the crypto-locking malware. With the development of this new capability, this statement is now no longer true.

Mitigating network traversal

One of the mitigation processes that were proposed, and that didn’t involve any cyber-security software, was to disable the user account(s) that are in use to send the RPC calls, and to change the KRBTGT domain password. The KRBTGT is a local default account that acts as a service account for the Kerberos Distribution Center (KDC) service. Every Domain Controller in an Active Directory domain runs a KDC service. Disabling the user account(s), and especially changing the KRBTGT domain password, will have a serious effect on the network operations and require many systems to reboot. But these troubles don’t outweigh the ramifications of a full network falling victim to ransomware.

Keep your networks safe, everyone!

The post Ryuk ransomware develops worm-like capability appeared first on Malwarebytes Labs.

This week on Lock and Code, we discuss the top security headlines generated right here on Labs. In addition, we talk to Eva Galperin, director of cybersecurity for Electronic Frontier Foundation, about the importance of protecting online anonymity and speech.

In January, the New York Times exposed a public harassment campaign likely waged by one woman against the family of her former employer. Decades after being fired, the woman allegedly wrote dozens of fraudulent posts across the Internet, ruining the family’s reputation and often slipping past any repercussions.

Frequently, the websites that hosted this content refused to step in. And, in fact, depending on what anyone posts on major websites today, those types of refusals are entirely within a company’s right.

These stories frequently produce reactionary “solutions” to the Internet—from proposals to change one foundational law to requiring individuals to fully identify themselves for every online conversation. Those solutions, however, can often harm others, including government whistleblowers, human rights activists working against oppressive governments, and domestic abuse survivors.

Tune in to hear about the importance of online anonymity for domestic abuse survivors and why changing one key Internet law will not actually fix the problems we have today, on the latest episode of Lock and Code, with host David Ruiz.

You can also find us on the Apple iTunes store, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

We cover our own research on:

• The mystery of the Silver Sparrow Mac malware
• Clop targets execs, ransomware tactics get another new twist
• LazyScripter: From Empire to double RAT
• Scammers, profiteers, and shady sites? It must be tax season

Other cybersecurity news

• NCSC helps NurseryCam to secure itself (Source: The Register)
• Taking a peek behind the big-tech curtain (Source: Medium Blog)
• A tale of cloned attack tools (Source: Check Point Blog)
• Phishers imitate well-known shipping companies (Source: Tech Radar)
• Malware gangs forge alliances (Source: Threat Post)

Stay safe, everyone!

The post Defending online anonymity and speech with Eva Galperin: Lock and Code S02E03 appeared first on Malwarebytes Labs.