IT News

Exploit kits continue to be used as a malware delivery platform. In 2020, we’ve observed a number of different malvertising campaigns leading to RIG, Fallout, Spelevo and Purple Fox, among others.

And, in September, we put out a blog post detailing a surge in malvertising via adult websites. One of those campaigns we dubbed ‘malsmoke’ had been active since the beginning of the year. What made it stand out was the fact it was going after top adult portals and had been continuing unabated for months.

Starting mid-October, the threat actors behind malsmoke appear to have phased out the exploit kit delivery chains in favor of a social engineering scheme instead. The new campaign is tricking visitors to adult websites with a fake Java update.

This change is significant because it drastically increases the target audience, no longer limiting it to Internet Explorer users running outdated software.

Top malvertiser for months

The malsmoke campaign derives its name from the most frequent payload it dropped via the Fallout exploit kit, namely Smoke Loader.

While we see a number of malvertising chains, the majority of them come from low quality traffic and shady ad networks. Malsmoke goes for high traffic adult portals, hoping to yield the maximum number of infections. For example, malsmoke has been present on xhamster[.]com, a site with 974 million monthly visits, on and off for months.

Despite this successful run, malsmoke fell off our radar and we recorded its last activity on October 18. A couple of days prior (October 16), our telemetry registered a new malvertising campaign that uses a decoy page filled with adult images purporting to be movies.

• Adult site: bravoporn[.]com/v/pop.php
• Ad network: tsyndicate[.]com
• BeMob Ad: d8z1u.bemobtrcks[.]com/
• Decoy adult site: pornguru[.]online/B87F22462FDB2928564CED

A couple of weeks later, this campaign added a new domain as part of its redirect chain, but we can see that they are related (including the. same identifier marker in the URL)

• Adult site: xhamster[.]com
• Ad network: tsyndicate[.]com
• Redirect: landingmonster[.]online
• Decoy adult site: pornislife[.]online/B87F22462FDB2928564CED

That portal is used as a lure to get people to play adult videos that do not actually exist. Instead, users will be asked to download a fake Java update that is malicious.

A closer look at the template used and network indicators revealed that this latest malvertising campaign actually belongs to the same malsmoke threat actors that had previously used exploit kits.

We notice the same adult movie page template, with one minor fix (the typo in the page title which could have been due to the Russian keyboard layout).

Additionally, the latest domain name pornislife[.]online was registered with the same email address mikami9722@hxqmail[.]com tied to a number of other web properties previously related to malsmoke gates.

The malsmoke operators ran successful exploit kit campaigns for several months but in October decided to switch them over to a new social engineering scheme. However, the malvertising chains remained similar as they kept abusing high traffic adult portals and the Traffic Stars ad network.

New social engineering trick

The new scheme works across all browsers, including the one with the largest market share, Google Chrome. Here’s how it works: when clicking to play an adult video clip, a new browser window pops up with what looks a grainy video (black bars are ours):

The movies plays for a few seconds with audible sound in the background until an overlay message is displayed telling users that the “Java Plug-in 8.0 was not found”.

The movie file is a 28 second MPEG-4 clip that has been rendered with a pixelated view on purpose. It is meant to let users believe they need to download a missing piece of software even though this will not help in any way at all.

The threat actors could have designed this fake plugin update in any shape or form. The choice of Java is a bit odd, though, considering it is not typically associated with video streaming. However, those who click and download the so-called update may not be aware of that, and that’s really all that matters.

This fake dialog is reminiscent of the missing ‘HoeflerText font’ campaign used in the EITest traffic redirection schemes. EITest was also known for using exploit kits to distribute malware and at some point switched to a similar social engineering trick to target more users, especially those running the Chrome browser.

Payload analysis

The threat actors essentially developed their own utility to download a remote payload that had the advantage of not being easily detected. If you recall, malsmoke previously relied on Smoke Loader to distribute its payloads, whereas now it has its very own loader, thanks a new evasive MSI installer.

The fake Java update (JavaPlug-in.msi) is a digitally signed Microsoft installer that contains a number of libraries and executables, most of which are legitimate.

On installation, lic_service.exe loads HelperDll.dll which is the most important module responsible for deploying the final payload.

HelperDll.dll uses the curl library that is present in the MSI archive to download an encrypted payload from moviehunters[.]site.

This is the ZLoader malware, which is then written to disk and ran as:

%AppData%Roamingmicrosoft_shared.tmp

ZLoader injects itself into a new msiexec.exe process to contact its command and control server using a Domain Generation Algorith (DGA). Once it identifies a domain that responds, it starts downloading different modules and optionally an update to ZLoader itself.

On the left of Figure 12, we can see the traffic generated by ZLoader implants injected into msiexec.exe. On the right, we can see those implants dumped from the same process. You can find more information on ZLoader and its implants in our paper The “Silent Night” Zloader/Zbot.

Evolving web threats

Malsmoke was one of the most noticeable distributors of malvertising and exploit kits striking on high profile websites.

While we thought the threat actor had gone silent, they simply changed tactics in order to further grow their operations. Instead of targeting a small fraction of visitors to adult sites that were still running Internet Explorer, they’ve now extended their reach to all browsers.

In the absence of high value software vulnerabilities and exploits, social engineering is an excellent option as it is cost effective and reliable. As far as web threats go, such schemes are here to stay for the foreseeable future.

Malwarebytes Browser Guard already protected users from this malvertising campaign. Additionally, we detect the MSI installer and ZLoader payloads via our Malwarebytes for Windows.

Indicators of Compromise

Redirector:

landingmonster[.]online

Decoy adult portal:

pornislife[.]online

MSI installer:

87bfbbc345b4f3a59cf90f46b47fc063adcd415614afe4af7afc950a0dfcacc2

First C2:

moviehunters[.]site

ZLoader:

4a30275f14f80c6e11d5a253d7d004eda98651010e0aa47f744cf4105d1676ab

ZLoader C2s:

iqowijsdakm[.]ru
wiewjdmkfjn[.]ru
dksaoidiakjd[.]su
iweuiqjdakjd[.]su
yuidskadjna[.]su
olksmadnbdj[.]su
odsakmdfnbs[.]com
odsakjmdnhsaj[.]com
odjdnhsaj[.]com
odoishsaj[.]com

The post Malsmoke operators abandon exploit kits in favor of social engineering scheme appeared first on Malwarebytes Labs.

Slightly over a week ago we advised you to update your Chrome browser. That warning came only a week or so after we advised you to update your Chrome browser. Things are getting a bit repetitive round here.

Today, we are compelled to repeat that statement as Google has issued patches for two new zero-day vulnerabilities. Someone tipped Google off about them, although the source(s) wish to remain anonymous. Again, the vulnerabilities being zero-days means they are already being used in real life attacks.

Zero-days are a valuable commodity for cybercriminals since there are (until yesterday) no patches for the vulnerability and every unpatched system is another potential victim. Which is exactly why we advise to update your Chrome as soon as possible.

What is the problem that’s being fixed?

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) list—a dictionary that provides definitions for publicly disclosed cybersecurity vulnerabilities and exposures. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

In this case, the two vulnerabilities were catalogued as:

CVE-2020-16013: Inappropriate implementation in V8. Sound familiar? V8 was also the subject of CVE-2020-16009 where researchers stated it must have something to do with the way the Chrome browser handles Javascript.

CVE-2020-16017: Use after free in site isolation. Site isolation is the feature that makes every website run in a separate process without interaction with each other. Each will be running in a sandbox which provides an additional line of defense. Use after free may indicate that after closing a site the memory location for it may not be freed up properly.

How do I install Chrome patches?

The easiest way to do it is to allow Chrome to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong, such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the zero-day vulnerabilities. My preferred method, which also allows me to keep track, is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then it will tell you all you have to do to complete the update is Relaunch the browser.

What version do I need?

After the update, your version number should be 86.0.4240.198 or later. You will now be protected against the vulnerabilities. Google states that the stable channel has been updated to 86.0.4240.198 for Windows, Mac, and Linux which will roll out over the coming days/weeks. Also keep an eye on your Chromium based browsers (Opera, Edge, and others) since they may require updates as well.

Stay safe, everyone!

The post Hat trick for Google as it patches two more zero-days in Chrome appeared first on Malwarebytes Labs.

Social distancing, the wearing of face masks, practicing hand hygiene, and disinfecting often-touched surfaces have become human necessities during the pandemic era. For schools, they’ve also had to adapt quickly to incorporate distance learning methods that let students continue their studies.

But being in crisis management mode didn’t give higher educational institutions much time to think carefully and plan around issues concerning cybersecurity and privacy, even though it was a struggle for them pre-pandemic. The thing is, cybersecurity and privacy isn’t just a job for the school’s IT department, students and staff have a responsibility to stay secure, too, especially with distance learning in full or partial effect.

So, what’s the TL;DR version?

Wondering how to stay secure while in your online classes, or doing homework? Try a multilayered approach.

What do we mean by this?

In privacy and security, a multilayered approach is about using multiple methods of security. It’s considered the best way of protecting yourself, whether you’re an entity that wants to protect everything important that belongs to you or you’re a person who wants to keep their data safe. A multilayered approach is paramount because a single failure in one layer wouldn’t automatically lead to the complete breakdown of security.

So, how can you create security layers to stay protected while attending classes online and/or doing homework? Before we break that down, remember that these steps not only protect you, your machine, and your data from potential cyberattacks, it also protects others as a consequence, such as your school network and everyone else who connects to it.

Protect your device

Whether you’re using your own computer or one provided by your school, it’s vital that you:

• Keep your device in a space where it can be physically safe and away from potential theft, or be accessed by other people in your home or flat.
• When you need to step away from your computer, ensure that you lock your screen. You can do this by setting up a password—or, in some cases, a picture password—and never share it with anyone, so that only you can access your own machine.
• Enable a firewall on your device.
• Download and install endpoint protection if your school hasn’t provided this, and confirm it’s running in real time.
• Ensure that all software installed on your device is up to date. And while you’re at it, uninstall software you don’t use as they could become security risks if you don’t update them.
• Turn off your device when not in use.
• Do non-school related browsing or other activities within a virtual environment. Using your personal computer for distance learning shouldn’t hinder you from using your computer like you normally do. But whether you keep school files on your computer or not, it’s best to get used to scrolling the internet within a virtual network in your personal time. This lessens the chances of you getting your computer infected if you encounter online threats.

Protect your Wi-Fi network

Whether you’re using your own internet or the Wi-Fi hotspot your school provided, it is vital that you:

• Check you are not using your router or hotspot’s default admin credentials. Using them only makes it easier for those with ill intent to hack into your device and network.
• And, while you’re there, ensure your router or hotspot is secured with a strong password—that’s at least 20 random characters long. These characters shouldn’t follow a pattern. If you don’t want to sweat this out, much less remember a complicated string without writing it down, a password manager can help you with these.
• Set up a reminder to yourself to change your router or hotspot password. This will help keep potential attacks against these devices at bay. A password manager can come in handy here, too.
• Turn on your router’s firewall.
• Enable the highest encryption option available for your Wi-Fi hotspot/router, which could be the WPA2 (Wi-Fi Protected Access 2) or WPA3 (Wi-Fi Protected Access 2) protocol.
• Change your default SSID (service set identifier), which is the network name broadcasted by your wireless router for your computer and/or device to see and connect to.
• Keep your router/hotspot firmware updated.
• Disable features that would allow any device that isn’t your own to connect to the school-provided hotspot. We’re referring to WPS (Wi-Fi Protected Setup) and UPnP (Universal Plug and Play) here.

Protect your school’s network

Infecting your school’s network—whether knowingly or unknowingly—is the last thing we want to happen. Both students and staff alike are expected to adhere to rules, which may look like the following, when connecting to a school network:

• Whatever computing device you use for distance learning, make sure you scan it first with endpoint protection software before connecting to your school’s network.
• Never download and run or share files that are of questionable origin. This includes email attachments.
• Remain informed about the types of online threats students like you might encounter. This includes phishing attempts, scams, and ransomware infections.

Protect your data

• Back up your data, especially if you’re using your own computer for studying.
• Use two-factor authentication on your school-related accounts.
• Use a virtual private network (VPN) when connecting to your school’s network.
• Avoid reusing passwords.
• Never share school-related account credentials with anyone.

Protect your virtual class sessions

A number of Zoombombing attacks have happened because students shared their Zoom details with third parties via a public, social space (think Discord, Reddit, Twitter, and even Instagram). And recordings of these Zoombombings have been floating around on YouTube and Twitch.

Please do not share your Zoom or other video communication software details to anyone. It might seem fun and that there’s “no harm done there really”—plus the class gets to be suspended for the day woo!—you’re not only hindering your other classmates from learning, you’re also getting yourself in trouble.

Understand that Zoombombing is a federal offense, and anyone found involved in such an act could be prosecuted and imprisoned. Nowadays, affected schools are encouraged to report any Zoombombing incidents to law enforcement, which may include the local or state police department and the FBI’s Joint Terrorism Task Force, to kickstart investigations. Here’s a great post containing tips on how to curb Zoombombing.

College cybersecurity is a student’s responsibility, too

Schools have the duty and responsibility to physically protect their students and staff from harm, especially during this ongoing pandemic. The same is true for ensuring that students have what they need to continue their studies in the best conceivable way they can. This includes protecting systems that house confidential information and financial data.

Yet some schools are unequipped to address every cybersecurity and privacy challenge they encounter, even before COVID-19 struck. In fact, they can only do so much. Students and staff must start recognizing their part in keeping their school network safe from cyberattacks.

Security is everyone’s responsibility. And there’s no better time than today to take this duty seriously.

The post Surviving college distance learning during the pandemic: a cybersecurity guide appeared first on Malwarebytes Labs.

Cybersecurity researchers discovered a new ransomware last month called RegretLocker that, despite a no-frills package, can do serious damage to virtual hard disks on Windows machines.

Through a clever trick, RegretLocker can bypass the often-long encryption times required when encrypting a machine’s virtual hard disks, and it can close any files currently opened by a user to then encrypt those files, too.

Chloé Messdaghi, vice president of strategy at Point3 Security, described RegretLocker as having “broken through the speed-of-execution barrier for encryption [of] virtual files.”

She continued: “[RegretLocker] actually seizes the virtual disk and is much faster in execution than previous ransomware attacking virtual files.”

Despite the ransomware’s state-of-the-art machinery, its appearance remains quite plain.

RegretLocker does not offer its victims a lengthy ransomware note—a common practice for many ransomware types today—and it asks victims to contact threat actors through an email address. That email address is hosted on CTemplar, which, according to Silicon Angle, is an anonymous email hosting service based in Iceland.

The short note that victims receive, titled “HOW TO RESTORE FILES.TXT” contains the following text:

“Hello, friend.

All your files were encrypted.

If you want to restore them, please email us : petro@ctemplar.com”

As of Tuesday, our threat intelligence team only knew of one in-the-wild reported sample, with no known or reported victims. However, this ransomware should still be watched because of its ability to quickly encrypt virtual hard disks, a potential breakthrough in ransomware capabilities.  

Often, ransomware avoids any attempts to encrypt virtual disks found on machines because those virtual disks can be enormous in size, and the time to encrypt those files would simply delay the ransomware’s purpose—to get into a machine and lock it up.

RegretLocker treats virtual disks differently, though. It utilizes the OpenVirtualDisk, AttachVirtualDisk, and GetVirtualDiskPhysicalPath functions to mount virtual disks as physical disks on Windows machines. Once the virtual disk has been mounted, RegretLocker encrypts the disk’s files individually, which speeds up the overall process.

RegretLocker’s virtual hard disk mounting capabilities potentially came from research that was recently published on GitHub by the security researcher smelly__vx. The researchers at MalwareHunterTeam also analyzed a sample of RegretLocket and found that it can run offline as well as online.

Further, RegretLocker can tamper with the Windows Restart Manager API to terminate active programs or Windows services that keep files open. According to IT Pro Portal, the same API is utilized by other ransomware types, including Sodinokibi, Ryuk, Conti, Medusa Locker, ThunderX, SamSam, and LockerGoga. Files encrypted with RegretLocker use the .mouse extension.

Malwarebytes users should know that we protect them from this new threat, as shown below.

The post RegretLocker, new ransomware, can encrypt Windows virtual hard disks appeared first on Malwarebytes Labs.

Mozilla has issued a critical patch for Firefox, Firefox ESR, and Thunderbird after a security issue was discovered at the Tianfu Cup 2020 International Cybersecurity Contest

The security issue has been assigned CVE-2020-26950 which has the “reserved” status. Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) list—a dictionary that provides definitions for publicly disclosed cybersecurity vulnerabilities and exposures. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

What is the problem that’s being fixed?

The description Mozilla published itself reveals that write side effects in MCallGetProperty opcode were not accounted for. In certain circumstances, the MCallGetProperty opcode can be emitted with unmet assumptions resulting in an exploitable use-after-free condition.

Use-after-free is a naming convention for vulnerabilities related to the incorrect use of dynamic memory during an operation by a program. It means that after freeing a memory location, a program does not clear the pointer to that memory, which could allow an attacker to abuse the error and launch a buffer overflow attack. In a “worst case” scenario this could allow for a remote code execution (RCE) attack, but whether that is true in this case is unknown at the moment.

Which versions are vulnerable?

Make sure you are on the latest versions of the following:

• Firefox should be updated to version 82.0.3 or later
• Firefox ESR (Extended Support Release) should be updated to version 78.4.1 or later
• Thunderbird should be updated to 78.4.2

Firefox Extended Support Release (ESR) is a version of the popular browser for large organizations that need to deploy and maintain Firefox at a large scale. It does not have all the latest functions, to limit the number of updates, but it does receive security and stability updates.

How do I check my version and update?

To find out which version you are using on a Windows machine, open the application menu and click on Help > About. On a Mac, look at the top menu and click Firefox > About Firefox. This will show which version you currently have and whether an update is available.

The screens and the way to access are largely the same for all the Mozilla programs, so we will only show the Firefox example.

After the update you should see a screen similar to this:

The next stable version of Firefox will be released on November 17, 2020.

Stay safe, everyone!

The post Mozilla patches critical security issues in Firefox and Thunderbird appeared first on Malwarebytes Labs.

This week on Lock and Code, we offer something special for listeners—a backstage pass to a cybersecurity training that we held for employees during Cybersecurity Awareness Month, which ended in October.

The topic? The future of cybersecurity for the Internet of Things.

Our guests, Chief Information Security Officer John Donovan and Security Evangelist and a Director for Malwarebytes Labs Adam Kujawa guide us through some of the future’s most pressing questions. Will we ever run antivirus software on IoT devices? What predictions can we make for how the cybersecurity industry will respond to the next, possible big IoT attack? And what can we do today to stay safe?

This episode was recorded live in front of our fellow Malwarebytes employees (over Zoom, of course, as is tradition during the coronavirus pandemic). The episode even includes a Q&A with our employees.

Tune in to get a glimpse into how Malwarebytes helped its own employees during Cybersecurity Awareness Month, on the latest episode of Lock and Code, with host David Ruiz.

You can also find us on the Apple iTunes store, Google Play Music, and Spotify, plus whatever preferred podcast platform you use.

We cover our own research on:

• Hospital ransomware, because scammers have gone back to targeting things they really shouldn’t be.
• Retirement announcements, though perhaps not in the way you might expect.
• Updating is good, and updating to protect against zero-days is even better.
• Trojans and US elections? Oh my.
• If you’re in California then data privacy laws are changing. Find out how.
• Everything you ever wanted to know about RegTech but were too scared to ask.
• In a big week for patching, Apple has a little updating of their own to do.

Other cybersecurity news

• Ransomware isn’t kid’s stuff: Toy maker Mattel discloses a ransomware attack (Source: ZDNet)
• It’s a trap: what happens when a tech support scammer manages to dial through to a law enforcement cybercrime squad? (Source: The Register)
• Getting bored with ad fraud: What are some of the ways you can nip this problem in the bud? (Source: Help net Security)
• Fake Elon and his Bitcoin: The age-old Twitter problem resurfaces once again (Source: International Business Times)
• Game makers compromised: Gaming giants Capcom reveal they’ve been the target of a cyberattack (Source: BBC)

Stay safe, everyone!

The post Lock and Code S1Ep19: Forecasting IoT cybersecurity with John Donovan and Adam Kujawa appeared first on Malwarebytes Labs.

Every organization in the financial industry needs to meet certain regulatory obligations, even if it’s just filing a tax return or submitting an annual report. In certain industries, such as financial services, they’ve added their own additional sets of rules that must be adhered to. For example, organizations who take and process credit card payments have an obligation to meet the Payment Card Industry Data Security Standard (PCI DSS).

To make keeping up with new regulations easier, financials are turning to RegTech. RegTech is the contraction of the words Regulatory Technology. In the financial word it is one of the hot topics. What is it and why is it so popular? Read on.

What is RegTech?

By definition, RegTech is an innovative technology that enables organizations to effortlessly adjust to the weight of always expanding needs for regulatory reporting. In essence, RegTech providers are an industry within the financial industry that provides other members of the financial world with the technology that helps them to stay current with ever-changing rules and regulations.

The wins for the users of RegTech consist mainly of these elements:

• Gain efficiency by streamlining and harmonizing processes within the organization.
• Reporting of compliance and issues is made easier by prefabricated, but often customized, modules.
• Risk can be identified and countered quicker by using smart technology.

To achieve these goals, RegTech uses 5 different types of technology:

• Monitoring processes to obtain a real-time objective about what is going on in the organization. This is essential for reporting and risk identification goals.
• Reporting is often a mandatory part of new regulations and, by constant monitoring, the required reports can be produced at the touch of a button.
• Data exchange is another part of many new regulations, specifically those that help startups on their way. Technology to enable and monitor the exchange of data helps to comply with these regulations while keeping an eye on data streams.
• Internal legal departments are supported with tools to make the implementation of new regulations more efficient and thus cheaper.
• Automation is introduced where possible to avoid human mistakes. The jungle of regulations can easily lead to human error. Monitoring and streamlining can help to avoid such errors. Reporting will have to record them if they should occur, nonetheless. And corrections can be applied where needed.

What makes RegTech so popular?

At one point, the financial industry was under a lot of stress due to new regulations. Depending on the country financials are working from and the regions they plan to do business with, the range of regulations they have to comply with can be challenging. RegTech helps financials to respond in a cost-efficient and versatile way, while maintaining a high standard of quality and security.

How does Regtech work?

This is a very hard question to answer as developments are happening at a fast pace. Every new regulation creates opportunities for the RegTech companies to work on new technology and offer it to banks, financial institutions and FinTech companies. On the other side, RegTech companies supply the supervisory agencies that lay down the rules and regulations with the technology to check compliance by the constituents. This branch is sometimes referred to as SupTech.

For example, by combining Artificial Intelligence (AI) and Big Data it is possible to predict suspicious behavior by monitoring transactions in real-time and scanning for irregularities. This technology will pick up the signals much sooner than any human possibly can, and helps to find patterns indicating money laundering and terrorist funding.

Security implications of RegTech

Many of the regulations are laid down with privacy and security in mind. A correct implementation of these regulations should not pose a problem in this field. On the contrary, if the regulators are accomplishing what they set out to do, these regulations should lift the privacy and security demands to a higher level.

Also, implementation of RegTech gives the in-house security teams at financial organizations the opportunity to focus on other issues as the technology takes over one part of their job. This doesn’t mean internal teams should let go of the process entirely, even though that might sound appealing as they often have a lot of other things on their plate, but it should ease the burden somewhat.

It’s not only necessary to measure the effectiveness of your organization’s security controls against the regulations, but also to check whether new and anticipated legislation does not interfere with your existing security standards. An obligation to offer information to your competitors should not reduce your defenses against a data breach. The Know Your Customer (KYC) documentation not only authenticates the customer’s credentials but also helps maintain a verified record of customers. Regulatory compliance mechanisms like the KYC registry store extremely sensitive personally identifiable information (PII) and elaborate customer data. So, it is important to devise systems that prevent unauthorized access, minimize cyber risks, and limit the possible consequences of a data breach.

Risk and compliance functions use different methods to keep up with regulatory challenges. They use software as a service (SaaS) in the cloud to identify risks, strategize risk tolerance, and facilitate regulatory requirements across various regions and financial services.

How does RegTech provide data security and privacy?

There are some key areas where RegTech contributes to keep our data safe:

• Fraud prevention. Information provided by criminals can be checked against existing KYC data. This helps to prevent identity theft and abuse of stolen data.
• Money laundering and terrorist funding are other areas that are monitored by using KYC data.
• Compliance with national regulations. On top of worldwide and business standards you will often find local standards are applied.
• Cloud security tools to keep data stored in the cloud at the same safety level as locally stored data.
• Authentication methods to ensure a high level of security. For example, multi-factor authentication (MFA) methods, cryptography, and encryption.

As more and more business collect PII, customers are concerned about their personal data security and their privacy. And as cybercriminals get more sophisticated, the need for more advanced and effective tools has risen. RegTech companies provide an important part of this new technology for the financial industry.

The post RegTech explained: a crucial toolset for the financial industry appeared first on Malwarebytes Labs.

Apple has patched three vulnerabilities in iOS (and iPadOS) that were actively being exploited in targeted attacks. Vulnerabilities that are being exploited in the wild without a patch being available are referred to as zero-days. The vulnerabilities were found and disclosed by Google’s Project Zero team, and patches were issued yesterday.

What has Apple patched in the update?

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) list. CVE is a dictionary that provides definitions for publicly disclosed cybersecurity vulnerabilities and exposures. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

The zero-days are listed under the ID numbers:

CVE-2020-27930: Affected by this issue is some unknown processing of the component FontParser. Manipulation with an unknown input could lead to a memory corruption vulnerability. This means a font could be created which leads to memory corruption, allowing for a remote code execution (RCE) attack .

CVE-2020-27932: A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of reports that an exploit for this issue exists in the wild. Using such a vulnerability could allow malware to bypass security restrictions on an affected system.

CVE-2020-27950: A malicious application may be able to disclose kernel memory. Apple is aware of reports that an exploit for this issue exists in the wild. Disclosed kernel memory may contain sensitive data like encryption keys and memory addresses used to defeat the address space layout randomization.

What is Project Zero?

Formed in 2014, Project Zero is a team of security researchers at Google who find and study zero-day vulnerabilities in hardware and software systems. Their mission is to make the discovery and exploitation of security vulnerabilities more difficult, and to significantly improve the safety and security of the Internet for everyone.

Update your iOS now

Since Apple has flagged that at least two of these vulnerabilities are being exploited in the wild and told us of the possible consequences, users should install the update as soon as possible.

Owners of an iPhone or iPad are advised to update to iOS 14.2 and iPadOS 14.2 or iOS 12.4.9. Apple patched the same vulnerabilities in the Supplementary Update for macOS Catalina 10.15.7. You can always find the latest Apple security updates at its security updates site.

Stay safe, everyone!

The post Update your iOS now! Apple patches three zero-day vulnerabilities appeared first on Malwarebytes Labs.

First-day returns in California showed voters firmly approving to change their state’s current data privacy law—which already guarantees certain privacy protections that many states do not—through the passage of Prop 24.

As of the morning of November 4, according to The Sacramento Bee, 56.1 percent of California voters said “Yes” to Prop 24. At that time, 65.3 percent of the state’s votes had been counted. Though far from a complete tally, the numbers proved advantageous enough for celebration for the “Yes on 24” campaign.

“With tonight’s historic passage of Prop 24, the California Privacy Rights Act, we are at the beginning of a journey that will profoundly shape the fabric of our society by redefining who is in control of our most personal information and putting consumers back in charge of their own data,” said Alastair Mactaggart, chair of Californians for Consumer Privacy and sponsor for Prop 24. “I’m looking forward to the work ahead and the next steps in implementing this law, including setting up a commission that is dedicated to protecting consumers online.”

Proposition 24 represented one of the rarer examples in data privacy law that split advocates in two. The typical roster of data privacy supporters in the state—including Electronic Frontier Foundation, ACLU of Northern California, Consumer Watchdog, Common Sense Media, Color of Change, and Oakland Privacy—divided themselves into three separate categories: Support, oppose, or neither.

The disagreement was well-founded. As we reported, while some groups praised Prop 24 because of its increased protections on data that could reveal race and ethnicity, other groups opposed the proposition because of new loopholes that could disproportionately harm minority communities.  

Adding a potential sense of voter whiplash to the ballot proposition was that its biggest supporter and primary funder Mactaggart actually served as one of the lead architects on the very law that the proposition was trying to amend. Two years ago, after announcing an intention to bring a ballot proposition to Californians to better secure their data privacy rights, Mactaggart instead worked directly with California lawmakers to get a bill drafted, passed, and signed by then-governor Jerry Brown.

That law, called the California Consumer Privacy Act, barely went into effect in January of this year, and details on its enforcement and on how the public could assert their rights were released only this summer.

In the end, though, none of that drama appeared to matter much to California voters. With the passage of Prop 24, Californians can expect additional protections on what the proposition has defined as “sensitive personal information,” as well as the country’s first government agency established entirely to enforce a data privacy law.  

The post Prop 24 passes in California, will change data privacy law appeared first on Malwarebytes Labs.

This blog post was authored by Jérôme Segura and Hossein Jazi.

The 2020 US elections have been the subject of intense scrutiny and emotions, while happening in the middle of a global pandemic. As election night ended and uncertainty regarding the results began to creep in, threat actors decided to jump in on it too.

Those tracking the threat landscape know very well that major world events do not go unnoticed by criminals. In this case, we began observing a new spam campaign delivering malicious attachments that exploit doubts about the election process.

The QBot banking Trojan operators return with yet another themed spam wave using the same hijacked email thread technique enticing victims with malicious election interference attachments.

Hijacked email threads pushing bogus DocuSign documents

The malicious emails come as thread replies, similar to what Emotet does to add legitimacy and make detection harder. They contain zip attachments aptly named ElectionInterference_[8 to 9 digits].zip.

While the election results are still being evaluated and debated, victims are enticed to open up the document to read about alleged election interference:

The extracted file is an Excel spreadsheet that has been crafted as if it were a secure DocuSign file. Users are tricked to allow macros in order to ‘decrypt’ the document.

This tried and tested trick will download a malicious payload onto the victim’s machine. The URL for that payload is encoded in a cell of a Cyrillic-named sheet “Лист3”.

Once executed, the QBot Trojan will contact its command and control server and request instructions. In addition to stealing and exfiltrating data from its victims, QBot will also start grabbing emails that will later be used as part of the next malspam campaigns.

World events are the best lure

At the core of the malware attacks we witness each day are typical social engineering schemes. Threat actors need to get victims to perform a certain set of actions in order to compromise them.

Spam campaigns routinely abuse email delivery notifications (Fedex, DHL, etc.) or bank alerts to disguise malicious payloads. But world events such as the Covid pandemic or the US elections provide ideal material to craft effective schemes resulting in high infection ratios.

Malwarebytes users were already protected against this attack thanks to our Anti-Exploit technology. Additionally, we detect the payload as Backdoor.Qbot.

Indicators of Compromise

Malicious Excel documents

b500a3c769e22535dfc0c0f2383b7b4fbb5eb52097f001814d8219ecbb3048a1
f2fb3e7d69bf1b8c0c20484e94b20be33723b4715e7cf94c5cbb120b800328da
0282a796dec675f556a0bf888eda0fe84f63558afc96321709a298d7a0a4f8e5
e800b0d95e02e6e46a05433a9531d7fb900a45af7999a262c3c147ac23cd4c10
7dec31d782ab776bcbb51bd64cbbd40039805ad94733d644a23d5cf16f85552c
0bec208127e4a021dccb499131ea91062386126b75d098947134a37e41c4b035
30de8dcd4e894549d6d16edb181dd1a7abec8f001c478cf73baf6075756dc8c2
a8329913c8bbccb86b207e5a851f7696b1e8a120929ca5c0a5709bd779babedf
ef8a17c3bb01d58bfea74a19f6cb8573cfb2d94d9e6159709ac15a7e0860dbce
7ddc225ad0ed91ce90b3bde296c5ce0b4649447fb3f02188e5303e22dc7cb5f0

QBot

china[.]asiaspain[.]com/tertgev/1247015.png

1edfe375fafa1f941dc4ee30702f4af31ba636e4b639bcbb90a1d793b5d4b06c
06be75b2f3207de93389e090afd899f392da2e0f1c6e02226db65c61f291b81b

QBot C2s

142.129.227[.]86
95.77.144[.]238

MITRE ATT&CK techniques

The post QBot Trojan delivered via malspam campaign exploiting US election uncertainties appeared first on Malwarebytes Labs.