IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

LazyScripter: From Empire to double RAT

Malwarebytes’ Threat Intelligence analysts are continually researching and monitoring active malware campaigns and actor groups as the prevalence and sophistication of targeted attacks rapidly evolves. In this paper, we introduce a new APT group we have named LazyScripter, presenting in-depth analysis of the tactics, techniques, procedures, and infrastructure employed by this actor group.

Although the observed TTPs have commonality with known actor groups, there are many notable differences setting LazyScripter apart from these groups; these similarities and differences are discussed in the Attribution section of this paper.

APT groups are traditionally tracked according to specific targets and tools or methodologies they employ. Many actor groups use spam campaigns, attaching weaponized documents to phishing emails themed to target the industry or demographic of interest. In this case, we initially discovered a number of malicious emails specifically targeting individuals seeking employment, which prompted a deeper investigation.

Digging deeper we uncovered a targeted spam campaign dating back as far as 2018 using phishing lures with themes aimed not only at those seeking immigration to Canada for employment, but also at airlines.

In the following analysis, we walk through the timeline of observed TTPs from the initial phishing campaign to the state of the current and ongoing activities of the actor. We take a deep dive into each of the tools used, including the weaponized documents and the multiple variants of malware and exploitation techniques employed. Finally, we detail the infrastructure used and discuss the attribution comparisons with known actor groups such as APT28 and Muddy Water.

This in-depth and detailed analysis has revealed a developing campaign by what we believe to be a previously unidentified APT actor. Not only has this campaign been active for several years, but ongoing tracking shows this actor is still maintaining the infrastructure used and is actively updating toolsets. For this reason, we continue to track this new group LazyScripter as the threat evolves.

Download paper here.

The post LazyScripter: From Empire to double RAT appeared first on Malwarebytes Labs.

Clop targets execs, ransomware tactics get another new twist

Ransomware peddlers have come up with yet another devious twist on the recent trend for data exfiltration. After interviewing several victims of the Clop ransomware, ZDNet discovered that its operators appear to be systematically targeting the workstations of executives. After all, the top managers are more likely to have sensitive information on their machines.

If this tactic works, and it might, it’s likely that other ransomware families will follow suit, just as they’ve copied other successful tactics in the past.

What is Clop ransomware?

Clop was first seen in February 2019 as a new variant in the Cryptomix family, but it has followed its own path of development since then. In October 2020 it became the first ransomware to demand a ransom of over $20 million dollars. The victim, German tech firm Software AG, refused to pay. In response, Clop’s operators published confidential information they had gathered during the attack, on a dark web website.

6471dc0f 9ba1 41f3 bcc0 cc6ae2acc5d0
Clop’s Dark Web leak site

Copycat tactics

When we first came across file-encrypting ransomware, we were astounded and horrified at the same time. The simplicity of the idea—even though it took quite a bit of skill to perfect a sturdy encryption routine—was of a kind that you immediately recognize as one that will last.

Since then, ransomware has developed in ways we have seen before in other types of malware, but it has also introduced some completely new techniques. Clop’s targeting of executives is just the latest in list of innovations we’ve witnessed over the last couple of years.

Let us have a quick look at some of these innovations ranging from technical tricks to advanced social engineering.

Targeted attacks

Most of the successful ransomware families have moved away from spray-and-pray tactics to more targeted attacks. Rather than trying to encrypt lots of individual computers using malicious email campaigns, attackers break into corporate networks manually, and attempt to cripple entire organisations.

An attacker typically accesses a victim’s network using known vulnerabilities or by attempting to brute-force a password on an open RDP port. Once they have gained entry they will likely try to escalate their privileges, map the network, delete backups, and spread their ransomware to as many machines as they can.

Data exfiltration

One of the more recent additions to the ransomware arsenal is data exfiltration. During the process of infiltrating a victim’s network and encrypting its computers, some ransomware gangs also exfiltrate data from the machines they infect. They then threaten to publish the data on a website, or auction it off. This gives the criminals extra leverage against victims who won’t, or don’t need to, pay to decrypt their data.

This extra twist was introduced by Ransom.Maze but is also used by Egregor, and Ransom.Clop as well, as we mentioned above.

Hiding inside Virtual Machines

I warned you about technical innovations. This one stands out among them. As mentioned in our State of Malware 2021 Report, the RagnarLocker ransomware gang found a new way to encrypt files on an endpoint while evading anti-ransomware protection.

The ransomware’s operators download a virtual machine (VM) image, load it silently, and then launch the ransomware inside it, where endpoint protection software can’t see it. The ransomware accesses files on the host system through the guest machine’s “shared folders.”

Encrypting Virtual Hard Disks

Also mentioned in the State of Malware 2021 Report was the RegretLocker ransomware that found a way around encrypting virtual hard disks (VHD). These files are huge archives that hold the hard disk of a virtual machine. If an attacker wanted to encrypt the VHD, they would endure a painfully slow process (and every second counts when you’re trying not to get caught) because of how large these files are.

RegretLocker uses a trick to “mount” the virtual hard disks, so that they are as easily accessible as a physical hard disk. Once this is done, the ransomware can access files inside the VHD and encrypt them individually, steal them, or delete them. This is a faster method of encryption than trying to target the entire VHD file.

Thwarting security and detection

Ransomware is also getting better at avoiding detection and disabling existing security software. For example, the Clop ransomware stops 663 Windows processes (which is an amazing amount) and tries to disable or uninstall several security programs, before it starts its encryption routine.

Stopping these processes frees some files that it could not otherwise encrypt, because they would be locked. It also reduces the likelihood of triggering an alert, and it can hinder the production of new backups.

What next?

It remains to be seen if Clop’s new tactic will be copied by other ransomware families or how it might evolve.

It has been speculated that the tactic of threatening to leak exfiltrated data has lowered some victims’ expectations that paying the ransom will be the end of their trouble. Targeting executives’ data specifically may be a way to redress this, by increasing the pressure on victims.

Clop, or a copycat, may also try to use the information found on managers’ machines to spread to other organisations. Consider, for example, the method known as email conversation thread hijacking, which uses existing email conversations (and thus trust relationships) to spread to new victims. Or the information could be sold to threat actors that specialize in business email compromise (BEC).

For those interested, IOCs and other technical details about Clop can be found in the Ransom.Clop detection profile.

The post Clop targets execs, ransomware tactics get another new twist appeared first on Malwarebytes Labs.

The mystery of the Silver Sparrow Mac malware

Cyber security company Red Canary published findings last week about a new piece of Mac malware called Silver Sparrow. This malware is notable in being one of the first to include native code for Apple’s new M1 chips, but what is unknown about this malware is actually more interesting than what is known!

Installation

We know that the malware was installed via Apple installer packages (.pkg files) named update.pkg or updater.pkg. However, we do not know how these files were delivered to the user.

These .pkg files included JavaScript code, in such a way that the code would run at the very beginning, before the installation has really started. The user would then be asked if they want to allow a program to run “to determine if the software can be installed.”

Silver Sparrow's installer telling the user, "This package will run a program to determine if the software can be installed."

This means that, if you were to click Continue, but then think better of it and quit the installer, it would be too late. You’d already be infected.

Malware life cycle

The malicious JavaScript code installs a launch agent plist file for the current user, which is designed to launch a script named verx.sh once per hour. This script has several functions.

First, it will contact a command & control server formerly hosted on Amazon AWS. The data it gets back looked something like this at the time of analysis:

{
     "version": 2,
     "label": "verx",
     "args": "upbuchupsf",
     "dls": 4320,
     "run": true,
     "loc": "~/Library/._insu",
     "downloadUrl": ""
 }

Next, the malware will check for the file ~/Library/._insu. From Malwarebytes data, it appears that this is a zero-byte file, and the malware simply uses it as a marker to indicate that it should delete itself. In this case, the script does exactly that, then exits.

Finally, it will try to determine whether there is a newer version of the malware (which will always be the case if the final payload is not yet installed), and if so, it will download the payload from the URL provided in the downloadUrl parameter in the data from the command & control server.

However, as can be seen from the data, at the time of analysis, the download URL was blank. Although we know that the script will store the payload at /tmp/verx, we have yet to see any instances of this payload on any infected machines.

If the payload were actually downloaded, it would be launched with the args data as the arguments.

Separate from the files dropped by the JavaScript, the .pkg file also installs an app into the Applications folder. This app is named either “tasker” or “updater,” depending on the version of the .pkg file. Both of these apps appear to be very simplistic placeholder apps that don’t do anything interesting.

Silver Sparrows in the wild

Malwarebytes researchers collaborated with Red Canary researchers on their find, and have collected significant data about the infection at this point. At the time of this writing, we’ve seen 39,080 unique machines with components of Silver Sparrow detected by Malwarebytes.

Those detections are primarily clustered in the US, with more than 25,000 unique machines having Silver Sparrow detections. This, of course, is affected by Malwarebytes’ heavily US-based customer base, but the malware does appear to be quite widespread, with detections in 164 different countries.

Country Detections
United States 25,331
United Kingdom 2,785
Canada 2,389
France 2,218
Germany 920
Italy 636
Australia 509
Spain 368
India 306
Mexico 196
Silver Sparrow detections by country

The paths detected show a rather interesting pattern. The vast majority of “infections” are actually represented by the ._insu file, and machines that have that file present do not have any of the other components (as expected).

Path Detections
~/Library/._insu 38,869
/Applications/updater.app 1,627
/Applications/tasker.app 763
~/Library/Application Support/verx_updater 731
~/Library/LaunchAgents/init_verx.plist 707
/tmp/version.plist 649
/tmp/version.json 568
/tmp/agent.sh 86
Malwarebytes Silver Sparrow detections

Conclusions

At this time, we have yet to see the /tmp/verx payload. None of the infected machines have it installed. This means that, as Red Canary said, we have little information on what the intent of this malware is.

Yes, Malwarebytes protects your Mac from Silver Sparrow.

The args value in the data from the command and control server (upbuchupsf) looks similar to an affiliate code, often used by adware. However, we can’t make assumptions based on a single ten-character string, as such assumptions could very easily be wrong. After all, malware that is sold to, and used by, multiple people may very well include some kind of “customer code.”

The fact that the ._insu file has been seen in such high numbers is interesting. Since this file signals that the malware should delete itself (though we don’t know how the file gets created), that is a strong indicator that these are probably formerly infected machines.

Thus, it’s highly likely that this infection may have been present at some point in the recent past, but the operators sent out a silent “kill” command to cause the malware to delete itself. This could correspond to the first appearance of the newest malicious installer being uploaded to VirusTotal, which would be an indicator to the creator that the malware had been spotted, or it could have been prompted by some other event.

It’s unlikely that these machines were infected for a very long time, as the two command and control server domains were registered in August and December of 2020, per Red Canary findings.

Malwarebytes detects these files as OSX.SilverSparrow.

The post The mystery of the Silver Sparrow Mac malware appeared first on Malwarebytes Labs.

A week in security (February 15 – February 21)

Last week on Malwarebytes Labs, the spotlight fell on the State of Malware 2021 report, wherein we have seen cyberthreats evolve.

We also touched on ransomware, such as Egregor and a tactic known as Remote Desktop Protocol (RDP) brute forcing that has long been part of the ransomware operators’ toolkit; insider threats, such as what Yandex recently experienced with one of its own sysadmins; romance scams; and put social media under scrutiny—looking at you, Clubhouse and Omegle; some wins for the good guys; and course, Cyberpunk 2077.

Other cybersecurity news

  • Following the water supply hack in a Florida city, the US government warned critical infrastructure operators to upgrade their Windows 7 operating systems. (Source: Security Week)
  • Baby monitor vulnerabilities are in the spotlight once again after the cybersecurity team at SafetyDetectives, an independent review site, unearthed a flaw that allows miscreants to take over a camera’s video stream. (Source: SafetyDetectives)
  • Phishers used “financial bonus” as lure to deliver the Bazar Trojan. (Source: ZDNet)
  • Speaking of phishing scams, they’re also promising free COVID vaccines. Again. (Source: Infosecurity Magazine)
  • Intelligence officials from South Korea claimed that North Korea is behind the COVID vaccine cyberattack against Pfizer. (Source: Computer Weekly)
  • A flaw in Agora, a voice and video platform, was discovered that could allow attackers to spy on private calls. (Source: CyberScoop)
  • Palo Alto’s Unit42 uncovered a cryptojacking campaign that has been in operation for the last couple of years. (Source: Palo Alto Networks)
  • ScamClub, a malvertising group, was discovered using an iPhone browser bug to push ads. (Source: Confiant)
  • With the introduction of Apple’s M1 computer processors, new malware made for them is starting to emerge. (Source: Motherboard)

Stay safe, everyone!

The post A week in security (February 15 – February 21) appeared first on Malwarebytes Labs.

Omegle investigation raises new concerns for kids’ safety

Social media site Omegle is under fire after an investigation found boys using the platform to expose themselves on camera, and adults exposing themselves to minors.

Omegle users are paired with a random stranger who they can socialize with via text or video chat. An investigation by the British Broadcasting Corporation (BBC) found boys and adults exposing themselves on camera, after its founder, Lief K-Brooks, claimed that he had increased moderation efforts months ago.

Just like TikTok, Omegle’s popularity has exploded during the pandemic. According to data collected by Semrush, an online visibility management platform, Omegle has enjoyed a global growth of 65 million visits from January 2020 to January 2021—a staggering 91 percent growth. Users from the US, the UK, India, and Mexico have helped spark interest.

What contributed to Omegle finding fame is that TikTok users started sharing Omegle videos to their friends and followers. TikTok now has a very active #omegle hashtag, which has been viewed 9.4 billion times as of this writing.

MEL magazine’s Magdalene Taylor theorized that it’s the allure of talking to strangers—or being exposed what our parents warned us about: “stranger danger”—that is fuelling this growth. “People wanted to experience what the Internet was like when people were still afraid,” Taylor wrote.


Read: Stranger Danger and the Sociable Child


Investigators from the BBC, who had monitored Omegle for approximately 10 hours, were paired with dozens of other users who appeared to be under 18 years of age, even as young as seven or eight. But within one two hour period they were connected with 12 men performing sexual acts (“a common occurrence”, the BBC noted), eight naked males, and a handful of pornographic ads. In instances wherein BBC investigators were paired with people who appeared to be, or identified themselves as, underaged Omegle user performing sexual acts, the broadcaster says “These instances were not recorded, and we ended both chats swiftly before reporting them to the authorities.”

Keira, a 15-year-old Omegle user from the US told the BBC that “Men being gross is something me and my friends see a lot. It should be better monitored. It’s like the dark web but for everyone.”

Like most popular social media platforms, Omegle has a minimum age limit of 13, and its terms of use say that users under 18 should only use it with a parent or guardian’s permission. It’s home page also features a prominent warning: “Video is monitored. Keep it clean!”. It does not attempt to verify users’ age, however.

Omegle login controls
Omegle’s home page asks users to “Keep it clean”

The Internet Watch Foundation (IWF), an international charity based in the UK that aims to minimize available abuse content against children, expressed concern over what the investigators have unearthed but are not surprised as this follows a trend. According to Chris Hughes, hotline director for IWF, they have found self-abuse material that were recorded from Omegle and distributed by predators online. They also know that such acts happen in a household where parents are present as evidence of background conversations they can hear in the videos.

“I’m absolutely appalled. This sort of site has to take its responsibilities seriously,” says Julian Knight MP, the House of Commons Digital, Culture, Media, and Sport Select Committee chairman in an interview with the BBC. “What we need to do is to have a series of fines and even potentially business interruption if necessary, which would involve the blocking of websites which offer no protection at all to children.”

The saga exposes some familiar fault lines. Age verification is fine in theory but it is difficult to do. Even if it’s implemented effectively it can simply replace one set of potential harms with a different one.

The history of social media suggests that if Omegle tried to tackle the problem by increasing the number of human moderators, it’s unlikely it could ever hire enough to effectively police the platform effectively.

Until (and perhaps even if) these intractable problems find a solution, parents who want to protect their children will have to educate themselves, and their children, to the hazards they might face online.

The post Omegle investigation raises new concerns for kids’ safety appeared first on Malwarebytes Labs.

North Korean hackers charged with $1.3 billion of cyberheists

The US Department of Justice recently unsealed indictments detailing North Korea’s involvement in several global cyberattack campaigns against institutions in the financial and entertainment sectors, and money laundering schemes in certain US states.

The first unsealed indictment is for hacking activities done by three computer programmers from North Korea. Prosecutors name Jon Chang Hyok (전창혁; aka “Alex/Quan Jiang”), Kim Il (김일; aka “Julien Kim” and “Tony Walker”), and Park Jin Hyok (박진혁; aka “Pak Jin Hek”, “Pak Kwang Jin”, and “Jin Hyok Park”) as members of the Reconnaissance General Bureau (RGB), a military intelligence arm of the Democratic People’s Republic of Korea (DPRK) that is known for conducting clandestine operations on behalf of its country.

Park was already indicted back in Septmber 2018 for his involvement in multiple destructive cybercrime attacks, which includes the creation of WannaCry that made headlines in 2017, the Bangladesh Bank cyber heist in 2016, and the attack on Sony Pictures Entertainment (SPE) in 2015.

According to the Justice Department, the RGB is known by many names in the cybersecurity industry, such as the Lazarus Group and Advanced Persistent Threat 38 (APT38). Other crimes the three North Koreans are charged with include: attempting to hack banks’ networks and sending falsified SWIFT messages; the theft of millions of US dollars worth of cryptocurrency from cryptocurrency companies; conducting ATM cash-out (aka FASTcash) and spear phishing schemes; deploying multiple malicious cryptocurrency applications; and the creation and marketing of the Marine Chain Token, an attempt to gain funds and evade US sanctions. A charge was also unsealed against Ghaleb Alaumary, a Canadian-American described by the FBI as a “prolific money launderer”.

While Jon, Kim, and Park are based in North Korea, their government has stationed them in other countries like Russia and China, the report further claims.

North Korean actors have not only heavily targeted the financial sector but also several cybersecurity professionals. Jérôme Segura, director of threat intelligence at Malwarebytes details, “In one of the most recent campaigns, Lazarus APT has targeted vulnerability researchers and exploit developers to steal new exploits as well as any additional tools they may be able to use in the future. This campaign has been conducted to broaden their capabilities in using zero days in their future attacks.”

“The scope of the criminal conduct by the North Korean hackers was extensive and long-running, and the range of crimes they have committed is staggering,” the report quotes Acting US Attorney for the Central District of California Tracy L. Wilkinson. “The conduct detailed in the indictment are the acts of a criminal nation-state that has stopped at nothing to extract revenge and obtain money to prop up its regime.”

Alaumary is already in custody while Jon, Kim, and Park remain at large.

A copy of the indictment in PDF can be downloaded here.

The post North Korean hackers charged with $1.3 billion of cyberheists appeared first on Malwarebytes Labs.

Cybersecurity in Cyberpunk 2077: the good, the bad, and the cringeworthy

What game caused some players to experience seizures, allows you to have unauthorized sex with Keanu Reeves, features a lead character who can’t keep the contents of his pants contained, was pulled from the PlayStation Store weeks after release, and still managed to shatter sales and streaming records? 

Of course we’re talking about Cyberpunk 2077, the latest game from Polish developer CD Projekt Red.

In spite of countless, often embarrassing, bugs CDPR created an engrossing open world RPG that even the game’s detractors can’t stop hate-playing. Arguably, a big part of Cyberpunk’s appeal is its setting. Taking place in a fictional American metropolis known as Night City during the year 2077, this dystopian vision of the future attempts to cram every single sci-fi cyberpunk trope into one 30 hour game. Hacking, virtual reality, body modification, sentient computer AIs—it’s all in there.

For all its high tech wonder, some aspects of day to day life in Night City feel familiar. The Internet (or Net, as it’s called in the game) looks about the same as it does in real life, with players browsing websites on a monitor, a mouse, and keyboard. And it’s still possible to get a computer virus. In fact, falling victim to a computer virus is central to the game’s plot.

Since Cyberpunk features computers, hacking, viruses, and has the word “cyber” in the title, we obviously had to write about it.

So, the two members of the Malwarebytes Labs staff who actually played the game were asked to weigh in on cybersecurity in Cyberpunk 2077. And if we get to talk about video games for work, we’re all for it.

SPOILER ALERT: This discussion covers some major plot points.

Who are you?

Philip Christian: Hi! I was an avid gamer through college. Now I play a few major releases per year. I completed the main quest in Cyberpunk. All in, I’ve sunk about 70 hours into the game. I played on Google Stadia (don’t hate me). I work at Malwarebytes so I must know something about cybersecurity, but when it comes down to how threats operate on a technical level, I turn to the experts, like Chris.

Chris Boyd: I’m a Lead Malware Intelligence Analyst for Malwarebytes. I’ve played games dating back to the Atari 2600 days, have worked on a few titles you won’t have heard of many moons ago, and particularly enjoy modding the guts out of Bethesda titles. I’ve put roughly 200 hours into Cyberpunk, and spend a long time looking at hacking in games generally.

The most cringeworthy cybersecurity moment?

Philip: The hacking mini game was total baloney. When you try to hack a computer you’re shown this number matrix and you’re trying to select the correct numbers from the matrix. Not sure what this has to do with hacking unless hacking IRL has something to do with Sudoku.

If I’m being generous, it does bear a vague resemblance to brute force attacks, which are kinda big right now. With a brute force you’re just mashing in numbers, letters, and characters hoping you guess the correct login credentials, but you’re doing it really fast with an automated program entering the credentials for you.

Chris: Would have to agree, the hacking minigame is a horribly confusing pattern matching puzzle which is badly explained and not very realistic. This is common in games, and unless the game is entirely focused on hacking I think the right approach is to try and keep it simple. Sadly, that hasn’t worked here.

The most realistic cybersecurity moment?

Philip: There’s a mission in the game where you need to hack into someone’s password-protected computer. The mission entails looking at websites and figuring out the person’s password from what they’ve shared about themselves online. It’s really just a small part of a larger mission to find a missing teenager. This is a more realistic take on hacking than the numbers mini game. We all reveal way too much about ourselves via social media and cybercriminals use that info against us.

Chris: The cybersecurity realism in the game seems to come from incredibly meta real-world happenings related to the title. For example, the character Goro Takemura is a legendary personal bodyguard / security expert who trains literal cyber ninjas. The gag is he is also absolutely useless with technology, and often sends accidental selfies to the player character while trying to do something else.

Sure enough, a bug occurred in the game which could essentially break saves and prevent progress. The cause? Goro, the guy who can’t use his phone properly, would call the player character and the call would bug out.

“Videogame character who can’t use his phone breaks your game, with his phone” is meta enough. But then we have Elon Musk announcing a Tesla model will be able to play cyberpunk, at roughly the same time it’s announced his Neuralink, Musk’s neurotechnology company, may be trialling computer chips in brains by the end of the year.

Being able to play a game about the dangers of placing chips in your brain, in a car built by somebody who wants to put chips in people’s brains, is the kind of crossover I live for!

Best representation of hacking in the future?

Philip: My favorite NPC in the game is Delamain the AI taxi driver. He looks like a cross between Johnny Cab from Total Recall and Death from Bill and Ted’s Bogus Journey. Anyway, his system gets infected by a rogue AI and it’s up to you to help him clean it out and regain control of his fleet of computer controlled taxis. Cars today are computers on wheels and car hacking is already a thing.

Chris: More than the hacking mini game, the real hacking meat on the bone here concerns Biohacking and more technology-centric body modifications. Almost everyone in the game is walking round with some sort of Internet-connected body part at all times.

People can overload your ocular implants, fry chips in your body, shut down devices and leave you at a standstill, wipe your short-term memory, and more.

It’s only natural we’ll see an increasing number of technological solutions for medical issues, and the tech industry has a habit of connecting things to the Internet without much care for security. In some ways the future is already here, and has been for some time.

Pacemaker hacks already exist. “Looping”, a DIY method for hacking your own insulin pump, has brought about a surge in purchases for the device needed to do it. A killer-app remote control for insulin pumps? Yep, those exist too.

As we creep towards Transhumanism, we’re going to have to be very careful regarding our final destination. If we aren’t careful we’ll quickly arrive at a point where anybody could be running anything. How do you prepare for that? How do you secure it? It’s entirely possible that we won’t be able to.

Screen Shot 2021 02 05 at 12.13.24 PM
Johnny Silverhand is feeling frisky tonight.

Scariest representation of hacking in the future?

Philip: Someone put out a mod that swaps the Johnny Silverhand skin (modeled and voiced in-game by Keanu Reeves) with one of the sex workers (aka joytoys), allowing your character to have sex with an NPC that looks exactly like Keanu. It’s more weird than anything, but the incident got me thinking about deepfakes. This incident isn’t a deepfake in the strictest sense of the word, but it does give us a high profile example of a real person’s likeness being manipulated with technology. It’s something we’re just starting to see and we should expect to see more of it in the near future.

Chris: In games specifically, character swaps are nothing new. As good as Cyberpunk 2077 looks, even the highly detailed models such as Keanu’s are very much video gamey and not very realistic looking, once you get up close. It’s more an approximation of what the developers think he looks like, as opposed to even a fairly basic deepfake which can look very real indeed. Having said that, the developers were well within their rights to shut the mod down because the modder didn’t have Keanu’s permission. The issue of consent is paramount, whether the mod is ultra-realistic or some sort of PlayStation 2 callback.

I think games have a long way to catch up to deepfake levels of controversy, and this would be a subject to revisit if and when realistic models of real people work their way into VR titles.

What else caught your attention?

Philip: I liked how you could hack mundane items like soda vending machines, TVs, and security cameras as a way of distracting enemies. IRL it’s already possible to hack IoT (Internet of things) devices, control them remotely, and cause them to behave in weird ways. There’s examples of coffee machines being hacked, baby monitors, smart TVs—you name it. If it’s connected to the Internet, it’s susceptible to hacking so maybe think twice. Does your refrigerator really need to be connected to the Internet?

Chris: A major aspect of the game is trying to cheat death by any means necessary. Replacing vital organs and upgrading body parts, even when there’s no medical requirement for it, to make yourself run faster or punch harder. You can even scan people in the street with ocular implants tied to the city’s crime database (hello, facial recognition glasses).

The biggest push where that’s concerned involve’s the game’s main quest. Corporations offer immortality by copying your consciousness to a computer chip, and the ramifications thereof.

It’s amusing to me that we’re playing through this fairly common sci-fi/technology trope at the same time as Microsoft’s patent for dead relatives revived as AI chatbots was discovered.

Where this technology goes from here is anyone’s guess.

Is it safe to mod your game?

Philip: Going back to the Keanu Reeves sex mod thing. CDPR had the mod removed from the site where it was being hosted. Since it’s not available through legitimate channels I think people who are curious will try to obtain it through less safe backchannel methods. This is a perfect scenario for scammers and criminals. In fact, CDPR recently advised gamers not to install mods from unknown sources due to a vulnerability that might allow criminals to remotely execute code on the target system.

Chris: They’ve already updated the game to address issues from that vulnerability, which is great news. Having said that, there’s always a risk from modding any game where you download unknown code and files. Most major mod sites perform some sort of security check on files offered for download, but gamers should always run some tests of their own. You’re entrusting your whole system to random people offering you files.

Some of the mental safeguards we deploy to avoid sketchy downloads tend to come down when modding. “I’m on a trusted site, everything here is legit, what could possibly go wrong”. A little caution is always a good thing where modding is concerned, whether it’s your favorite game or your ocular implants.

The post Cybersecurity in Cyberpunk 2077: the good, the bad, and the cringeworthy appeared first on Malwarebytes Labs.

Romance scams: FTC reveals $304 million of heartache

In 2020, reported losses to the FTC for romance scams went up by 50% from 2019, totalling $304 million. And things weren’t exactly good before: Romance scams have cost people a fortune for 3 years running, according to the FTC. Their latest report suggests a steady rise in these kind of scams generally and ponders the impact of the pandemic. If nobody can go out, it stands to reason that dating in the virtual world would experience a surge of interest.

Love is most definitely in the air for people up to no good.

Some key findings

  • Scams often begin on social media but are unexpected. Potential victims aren’t necessarily on a site for dating in the first place.
  • The use of gift cards for sending money to scammers increased 70%.
  • Reports of money lost increased across every age group in 2020.

Many of the old tricks are still in play, because they’re tried and tested. Throw enough of them out there and a scammer snags a bite eventually. It only takes one or two direct hits to make a small fortune. Meanwhile, people face losing huge sums of money which is often not recoverable.

Sending all my love…and my money

The report mentions many reports of large losses involve scammers claiming to send a victim money. Once the victim receives it, the scammer invents a reason why they need it sent back, or forwarded to a third party. This is how people end up as money mules. As we often mention, this is a bad situation to be in. While the mule ends up in various degrees of legal trouble, the anonymous scammer pulling the strings gets away with it.

It’s unfair, and very cruel for people who would naturally assume they’d done nothing wrong.

We see a variety of romance con-tricks involving requests to move funds. One we examined recently adds a small spin to proceedings. The scam works as follows:

  • The scammer connects with a victim on a dating app, and supplies photos and audio recordings.
  • After some small talk, the scammer says they want to send the victim some money. The scammer “can’t use their account” from their location, but they’re happy to give login details so the victim can do it themselves.
  • The scammer sends a link to a fake banking website where the victim is likely to be asked to complete a transaction, to increase their trust in the scammer, or for their own personal or banking details.

Gift cards: a wealth of opportunity

As mentioned already, gift cards are an attractive proposition for people up to no good. They’re easy to obtain and can be bought in small amounts. Unlike a few years back, they’re not limited to a narrow selection of items or stores. This is good for fakers, because they’re less likely to make victims feel like they’re being sent on a wild goose chase. They can pretty much buy anything and it’ll be of value to the scammer, either through usage or selling on. If gift cards are ever mentioned on dating apps or on social media, you’ve every right to be suspicious.

Steering victims away from the theoretical safety of their online space is a common tactic, not specific to dating scams. (Gaming scams will often take victims away from their gaming console ecosystem to third party sites, for example.) Romance scammers often try to lure people away from the dating apps where they met. This is good for the scammer, problematic for the victim: The digital paper trail becomes muddied, certain protections and safety mechanisms may not apply or be usable, and so on.

A trick of the eye

Catfishing romance scams use fictional personas that often rely on stolen images. People will use photos of models from different parts of the world, or pretend to be U.S. Army soldiers, or even celebrities, to get the job done. All they care about is grabbing the cash, and it doesn’t matter how much the victim on the other side of the screen is impacted.

To combat this, people should make use of reverse image search to see where else the images appear. AI generated images are also common in this realm though, so reverse image search is useful but not foolproof.

On a similar note, refusing to do video calls could be suspicious. They may simply be shy, but one would probably expect video for dating is a reasonable expectation a year into the pandemic.

Tips for avoiding romance scams

Attempts to get you away from the platform where you met, requests for cash, or requests for a lot of personal information / logins should set alarm bells ringing. Asking for money for a visa / travel, or sudden medical aid, should too. Sending scans of passport pages is also a bit unusual. Anything which goes from 0 to 60 in the blink of an eye or seems too good to be true should definitely cause you to be very careful.

Be sure to check out our tips for dating safety and security before you next delve into the world of digital dating. The last thing anybody needs right now is financial fallout caused by a bogus romantic interlude. The more you can reduce the odds of that happening, the better everyone using dating platforms will be for it. Let’s consign these fakers to the digital rubbish bin, where they belong.

The post Romance scams: FTC reveals $304 million of heartache appeared first on Malwarebytes Labs.

Yandex sysadmin caught selling access to email accounts

Yandex, a European multinational technology firm best known for being the most-used search engine in Russia, has revealed it had a security breach, leading to the compromise of almost 5,000 Yandex email accounts.

The company says it spotted the breach after a routine check by its security team. They found that one of their system administrators with access to customer accounts was allowing third-parties to see some of these accounts “for personal gain”. Yandex made it clear in its official press release that no payment details were compromised.

With so much attention paid to eye-catching external threats like ransomware and BEC, it’s easy to forget that one of the biggest threats organisations face isn’t trying to force its way into their network, it was invited in.

Insider threats

Current and former employees, contractors, business partners, suppliers, third-party vendors, and service providers are all potential insiders. And they don’t have to be technologically savvy to pull off an “inside job”.

In fact, some insiders aren’t even intentionally malicious. The most common cause of incidents is employee negligence, such as the misuse of access privileges or a general inattention to keeping sensitive information private and secure, can cause employers a lot of headaches. This can be further compounded by a lack of effective cybersecurity and privacy training programs or an utter absence of an intentional culture of security.

Negligent and careless employees (or what others call “accidental insider threats”), more often than not, have zero intention to hurt their organizations; malicious employees, on the other hand, knowingly act against their employers for personal gain.

According to the 2020 Cost of Insider Threats: Global Report from the Ponemon Institute, the costliest insider threat is credential theft, which averages to nearly $875,000 USD to remediate. Not only that, incidents of credential theft have tripled in the last 5 years. With a booming demand for employees who are willing to share company secrets with criminals, it wouldn’t be a stretch to expect that cases involving this would be popping up more frequently. They pay well after all.

“Employees are always a prime target for adversaries, whether it is targeting them to leverage their machine or identity or recruiting them actively on a closed source forum,” said Brandon Hoffman, chief information security officer at Netenrich, an IT service management company, in an interview with Threatpost. “There has been several cases where we have seen a disgruntled employee posting messages on the dark web aiming to make a contact where they can ‘cash out’ their leverage as an employee.”

Organizational breaches have become a mainstay in news outlets, with many of them about outside parties forcing themselves inside private networks either by force (hacking) or social engineering (phishing). With the current pandemic and everyone working remotely, spotting insider threats has become more challenging than ever. This should make businesses more vigilant and determined in curbing insider threats before it happens. For those who don’t know where to start, here’s a good place: look at the zero trust model, and see how you can adapt it within your organization.

The post Yandex sysadmin caught selling access to email accounts appeared first on Malwarebytes Labs.

Clubhouse under scrutiny for sending data to Chinese servers

The audio-chat app Clubhouse is the latest rage in the social media landscape. What makes it so popular and, now it’s part of the social media landscape, can we trust it?

The Clubhouse app

Clubhouse was launched about a year ago and was initially only used by Silicon Valley’s rich and famous. It is different from other social media in that it focuses on the spoken word. Clubhouse members can enter virtual rooms to listen in or participate in live conversations. The conversations can only be joined when they are live and the people having the conversation determine who is allowed to listen and who can talk.

The Clubhouse app is freely available for download to every iPhone user, and an Android version is in the pipeline, but participation is kept exclusive by making it invitation only.

Every new user only gets a few (initially only two) invitations to give away. The developers claim it was done this way to allow for a controlled growth, so as not to overload the server infrastructure. Whether by design or coincidence, this also seems to work as a clever marketing scheme. Deep down, we all want to be part of the club of cool kids.

As a member you can select the subjects you are interested in and apply to be allowed in on conversations about those subjects. The conversations are not saved by the app, so the idea is that you “had to be there” to know what they talked about. But in the digital world thinking that some information is gone for good is very often an illusion. What’s to stop someone from recording a conversation they’re in?

Chinese servers

Recently Clubhouse went viral among Chinese-speaking audiences. But as soon as the Chinese government became aware of political discussions on the app, it was abruptly blocked by the country’s online censors, on Monday February 8, 2021. This line of events made some researchers wonder how private the conversations really were.

An investigation by the Stanford Internet Observatory found that some of the back-end infrastructure for the Clubhouse App was provided by Agora. Agora is a Shanghai-based start-up, with US headquarters in Silicon Valley, that sells a “real-time voice and video engagement” platform for other software companies to build upon. Exactly what Clubhouse needed to roll out their app.

The Stanford Internet Observatory

In their blog Clubhouse in China: Is the data safe? the Stanford Internet Observatory (SIO) team unravels the ties between Clubhouse and Agora and speculates not why the Chinese government banned the app, but rather why it took them so long.

According to the article “SIO has determined that a user’s unique Clubhouse ID number and chatroom ID are transmitted in plaintext, and Agora would likely have access to users’ raw audio … It is also likely possible to connect Clubhouse IDs with user profiles.”

In a series of tweets one of the team members, Alex Stamos, adds:

“We found Chinese servers being used even for conversations that only involved Americans.”

He goes on to say that neither Agora, nor another Chinese supplier, EnjoyVC, are listed as data sub-processors in the Clubhouse privacy policy.

Alex Stamos is adjunct professor at Stanford University’s Center for International Security and Cooperation. He is also the former chief security officer at Facebook, so he does know a thing or two about social media.

Clubhouse statement

Clubhouse’s reaction to the analysis done by the Stanford Internet Observatory was:

“Clubhouse is deeply committed to data protection and user privacy.

We designed the service to be a place where people around the world can come together to talk, listen and learn from each other. Given China’s track record on data privacy, we made the difficult decision when we launched Clubhouse on the App Store to make it available in every country around the world, with the exception of China. Some people in China found a workaround to download the app, which meant that—until the app was blocked by China earlier this week—the conversations they were a part of could be transmitted via Chinese servers.

With the help of researchers at the Stanford Internet Observatory, we have identified a few areas where we can further strengthen our data protection. For example, for a small percentage of our traffic, network pings containing the user ID are sent to servers around the globe—which can include servers in China—to determine the fastest route to the client. Over the next 72 hours, we are rolling out changes to add additional encryption and blocks to prevent Clubhouse clients from ever transmitting pings to Chinese servers. We also plan to engage an external data security firm to review and validate these changes.

We welcome collaboration with the security and privacy community as we continue to grow. We also have a bug bounty program that we operate in collaboration with HackerOne, and welcome any security disclosures to be sent directly to security@joinclubhouse.com.”

Countered by Alex Stamos with:

“We found that the use of Shanghai-based Agora is fundamental to the function of the app and building logical and technical controls between the US and PRC infrastructure will be extremely complicated.”

Meaning that not only is the Chinese infrastructure essential for Clubhouse at this point, but it will also prove to be hard to keep the US traffic away from it.

So, is it safe?

As TikTok discovered last year, popularity comes with scrutiny. The Stanford Internet Observatory report is interesting but it isn’t a poof of malice. It should help Clubhouse improve its privacy and security though, and Clubhouse will be under no illusion that people are watching it closely on both sides of the Great Firewall.

Our advice is to treat Clubhouse the same way you do with every social media app. Once you release information on social media it is out of your control and you should treat it as if it’s freely available. It is up to each user to decide much information they are willing to share about themselves. It is not always easy to balance the scales between privacy and social interaction. But it is better to be aware of the risks and not invest your trust in a social media app, just because it is cool to be a part of. Or just because they claim to value data protection and user privacy.

Stay safe, everyone!

The post Clubhouse under scrutiny for sending data to Chinese servers appeared first on Malwarebytes Labs.