IT News


Search hijackers change Chrome policy to remote administration

The latest type of installer in the saga of search hijacking changes a Chrome policy which tells users it can’t be removed because the browser is managed from the outside.

As you can imagine, that has freaked out quite a few Chrome users.

We have talked about the search hijacker’s business model in detail. Suffice to say, it is a billion-dollar industry and a lot of search hijackers want a piece of this action as even a small portion can amount to a hefty income.

A single search hijacker doesn’t generate large amounts of cash for threat actors the way ransomware or banking Trojans do. So, the publishers are always looking for ways to get installed on large numbers of systems and stay installed for as long as possible.

It also should not come as a surprise that ethics are no priority for many of them. As long as they can rake in their redirect fees, they couldn’t care less about your inconvenience of being stuck with a default search provider that you would not have picked yourself.

What have they done this time?

We were alerted by some of our customers who said they were unable to remove Chrome extensions because they ran into a restriction (shown in a screenshot in the original post).

Basically, this is telling the user that the browser may be managed outside of Chrome and the administrator has installed an extension. Even users that have Administrator accounts on the affected systems are unable to remove these extensions.

The extension in question is easily spotted in an overview of all the installed extensions as it is the one that has no “Remove” option.

There is no “Remove” button for the spotted search hijacker

We have found several of these search hijackers in the Chrome webstore but installing them from there does not lead to the “managed browser symptoms.” It takes a Windows installer to make the necessary registry changes, so users that installed it from the webstore should be able to remove it themselves in the normal way.

Installed from the webstore, the extensions have a “Remove” button

What all the hijackers that use the managed browser technique have in common is that they add the registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Chromium\ExtensionInstallForcelist
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist

under which the forced extensions are enumerated as registry values like this:

"1" (REG_SZ) = "lpfpbajbnhddlpljjnfndngbkkfkjfna;https://clients2.google.com/service/update2/crx"

The description in the Chromium documentation about the ExtensionInstallForcelist states:

Specifies a list of apps and extensions that are installed silently, without user interaction, and which cannot be uninstalled nor disabled by the user.
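As an added example (not code from the Malwarebytes post), the following PowerShell audits the policy keys above on an affected machine, lists every force-installed extension ID with its update URL, and stages removal of any entry not on an allowlist; the allowlist ID and the HKCU counterparts of the keys are this example's assumptions, not from the post.

```powershell
# Added example, not from the Malwarebytes post. Audits the ExtensionInstallForcelist
# policy values the post describes and stages removal of entries you did not put there.
# Run from an elevated PowerShell on the affected Windows machine.

# Extension IDs your organisation deliberately forces (placeholder value; replace it).
$AllowedIds = @('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa')

# The two HKLM keys named in the post, plus their HKCU counterparts (Chrome also
# reads per-user policy from HKCU; including them is this example's assumption).
$PolicyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Policies\Chromium\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Chromium\ExtensionInstallForcelist'
)

function Get-ForcedExtension {
    # Emits one object per force-install value: where it lives, the extension ID,
    # the update URL and whether the ID is on the allowlist.
    param([string[]]$Keys, [string[]]$Allowed)
    foreach ($key in $Keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            # Value data is "<32-char extension id>;<update url>"; the URL part is optional.
            $id, $url = ([string]$p.Value) -split ';', 2
            [pscustomobject]@{
                Key       = $key
                ValueName = $p.Name
                Id        = $id.Trim()
                UpdateUrl = $url
                Allowed   = ($Allowed -contains $id.Trim())
            }
        }
    }
}

$forced = @(Get-ForcedExtension -Keys $PolicyKeys -Allowed $AllowedIds)
if ($forced.Count -eq 0) { Write-Host 'No force-installed extensions found.' }
$forced | Format-Table -AutoSize

# Remediation: delete only the values that are not allowlisted. Drop -WhatIf once the
# listing looks right; after a Chrome restart the extension is no longer force-installed.
foreach ($entry in $forced | Where-Object { -not $_.Allowed }) {
    Remove-ItemProperty -Path $entry.Key -Name $entry.ValueName -WhatIf
}
```

If the listing is empty but Chrome still reports itself as managed, check the other policy locations Chrome honours (for example the Edge policy tree or Group Policy objects) before assuming the hijacker is gone.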

How do these hijackers land on victims’ systems?

We are not completely sure, but we did manage to round up some stand-alone installers from the Temp folder on affected Windows systems. It looks as if these installers were part of a bundler.

What victims will typically see is an installer notice (shown in the original post), and then nothing until they open Chrome and see a new tab, along with the “your browser is managed by a remote administrator” type of comment scattered throughout the Chrome menu and settings.

Search hijackers in general

Search hijackers come in different flavors. Basically, they can be divided into three main categories if you look at their methodology:

  • The hijacker redirects victims to the best paying search engine.
  • The hijacker redirects victims to their own site and shows additional sponsored ads.
  • The hijacker redirects victims to a popular search engine after inserting or replacing sponsored ads.

By far the most common vehicle is the browser extension, whether it is called an extension, an add-on, or a browser helper object. But you will see different approaches here as well:

  • The extension lets the hijacker take over as the default search engine.
  • The extension takes over as “newtab” and shows a search field in that tab.
  • The extension takes permission to read and change your data on websites. It uses these permissions to alter the outcome of the victim’s searches.

This family is of the kind that uses their own site as a redirect to the search engine they get paid by, and the extension takes over as default search engine. The default is the one that gets queried when the user searches from the address bar.

Removal

Malwarebytes recognizes these hijackers and removes them from affected systems. You can find a few removal guides on our forums:

Removal guide for Mazy Search

Removal guide for SearchSpace

And at the rate they are pushing out new ones, more will probably follow.

IOCs

Extension identifiers

fhmghdmcgkkdadabbnkmnejhoncccjio (Capita)

lpfpbajbnhddlpljjnfndngbkkfkjfna (search space)

fifailmmmlkdabfkkoejgffjdfgbieji (Mazy)

Domains

search-space.net

mazysearch.com

capita.space

defaultsearch.link

Stay safe everyone!

The post Search hijackers change Chrome policy to remote administration appeared first on Malwarebytes Labs.

MSPs, know what you’re really looking for in an RMM platform

MSPs naturally adapt and mature as innovative technologies and more effective processes are introduced into the industry. But with ransomware cyberattacks happening left and right, pushing them to evolve even further, MSPs are left with no choice but to go with the flow. Going for improved functionalities—although important—is simply no longer enough. MSPs must begin putting a lot of emphasis on improving their security for the continuous protection of their most valuable assets.

With ransomware threat actors exploiting weaknesses in remote monitoring and management (RMM) platforms to get into endpoints by the thousands, MSPs have found themselves wondering whether their platform is secure, robust, and agile enough with the changing threat landscape. To help them decide, let us look at the key points to consider when choosing an RMM that is right for them.

Helping MSPs look for “the one”

Indeed, there is no “one-size-fits-all” RMM platform. Every MSP has its own unique needs, and vendors must meet those needs so both can deliver high quality service and grow together as one.

Whether you’re an experienced MSP who is evaluating your current RMM or contemplating on switching to another vendor, or you’re a new MSP who is on the lookout for an RMM platform that best fits your unique business needs, we offer you a guide in finding “the one.”

Security

Ask: “Does this RMM vendor take security as seriously as we do?”

A security-conscious MSP looks for security built into an RMM vendor’s product. This should be a necessity, as their business is at stake, especially for an MSP that handles all of its clients’ data. It is only logical to look for a vendor that cares about the security of its clients’ assets the same way you, the MSP, care about the assets of your clients.

MSPs can start assessing security by checking whether the communication between entities is secure. For example, are endpoints communicating securely with the monitoring server? Is the monitoring server communicating securely with remote management devices and systems? Overall, does the RMM take a layered approach to secured communication between devices and apps, which in turn protects the entire support chain?

Another point to think about is whether the platform provides multiple security role assignments for various kinds of users. Certain users can only have read-only access, for example, while others are granted higher privileges based on their job functions.

We cannot stress enough the importance of MSPs securing themselves to keep their clients safe from online attacks like ransomware. Being consistent in this regard on every facet of the decision-making process will only put MSPs at a significant advantage.

Scalability

Ask: “Does this RMM adapt to new demands and scale well with changing trends?”

RMM platforms and solutions aren’t something new. In fact, some of them have been around for decades. With this in mind, MSPs should look at how much the RMM has changed since it first offered its service, what it has done so far to keep up with the ever-changing business landscape, and how it plans to evolve for the future.

Legacy RMMs were never created with the modern MSP, thousands upon thousands of endpoints to support, and the Internet of Things (IoT) in mind. There are far better designed RMMs today that are built to deliver robust, multi-tenant solutions for MSPs, meaning the ability to manage multiple disparate clients and/or to manage access to multiple applications for various clients from a single application or platform. RMMs that offer this are best positioned for the future. It is, therefore, paramount for MSPs to partner with a vendor that scales well with market demand and doesn’t hold them back when it comes to their own business growth.

Proactive, with the drive for change

Ask: “Does the RMM vendor provide proactive patching and show momentum in improving?”

Not only should MSPs look for an RMM that has a long-term product roadmap and regularly releases updates for it, but they should also look at how their current or potential vendor goes about actively (1) monitoring the threat landscape and (2) looking for flaws in its own software before the bad guys have time to discover them and create an exploit.

MSPs have realized that merely reacting to cyberattacks doesn’t work. And while it is admirable for an RMM vendor to be able to identify a security flaw and patch it as quickly as it can to mitigate infection, preventing something big from happening far outweighs mitigating what has already happened.

Apart from patching, a good RMM vendor must also show that it is continuously improving its own products by adding more helpful functionality, enhancing what’s most used, and doing away with whatever is not beneficial for MSPs.

Ease of use

Ask: “How easily can my employees use this platform?”

MSPs look for software that not only gets the job done but is also easy to operate. Aesthetics (a better-designed interface) combined with functionality come into play here. The UI must be easy to understand and navigate, and each bit of what is shown should give technicians a clear idea of what they want to know about their endpoints. Furthermore, it must allow MSPs to customize the tool to fit their business needs.

Of course, no matter how intuitive the platform claims to be, it’s still new software that no one in the company is familiar with. That said, a good RMM vendor must offer training so that MSP technicians fully understand the platform and use it well and proficiently. Know that the more complex the tool, the longer the training; the longer the training, the greater the cost; and the more complex the tool, the higher the risk that the trained technician will make mistakes.

Mobile-enabled

Ask: “Can the RMM platform be accessed via mobile devices?”

With everyone carrying at least one mobile device, going mobile is no longer just a want but, for many, a need. An RMM solution that MSP technicians can use outside of the office can be an extremely valuable feature, especially when a real-time alert kicks in. The MSP technician must be able to perform troubleshooting tasks using a small screen and over a cellular network. An MSP that can deliver quality service anytime and anywhere is something that current and potential clients vie for, and may become highly in demand in the future.

For MSPs, security is at the forefront in these uncertain times

Choosing a vital tool like an RMM platform is not an easy or quick process for MSPs to go through. It takes careful thinking and a lot of time and effort in evaluation. For new MSPs, this process is probably one of the most challenging, more so if all RMMs seemingly offer the same things. At the end of the day, however, finding the one RMM vendor you can grow your business and expand your portfolio with is totally worth it. Potential and current clients not only see MSPs as software and hardware experts, but are quickly coming to look to them as security advisers as well.

Having insight on the current trends and following these considerations, coupled with asking the right questions, is not only strategic. It is also the first step in laying down the cornerstone for future-proofing your business.

Good luck in your search!

The post MSPs, know what you’re really looking for in an RMM platform appeared first on Malwarebytes Labs.

Honda and Enel impacted by cyber attack suspected to be ransomware

Car manufacturer Honda has been hit by a cyber attack, according to a report published by the BBC, and later confirmed by the company in a tweet. Another similar attack, also disclosed on Twitter, hit Edesur S.A., one of the companies belonging to Enel Argentina which operates in the business of energy distribution in the City of Buenos Aires.

Based on samples posted online, these incidents may be tied to the EKANS/SNAKE ransomware family. In this blog post, we review what is known about this ransomware strain and what we have been able to analyze so far.

Targeted ransomware with a liking for ICS

First public mentions of EKANS ransomware date back to January 2020, with security researcher Vitali Kremez sharing information about a new targeted ransomware written in GOLANG.

The group appears to have a special interest for Industrial Control Systems (ICS), as detailed in this blog post by security firm Dragos.

Figure 1: EKANS ransom note

On June 8, a researcher shared samples of ransomware that supposedly was aimed at Honda and ENEL INT. When we started looking at the code, we found several artefacts that corroborate this possibility.

Figure 2: Mutex check

When the malware executes, it will try to resolve a hardcoded hostname (mds.honda.com). If, and only if, it resolves will the file encryption begin. The same logic, with a different specific hostname, also applies to the ransomware allegedly tied to Enel.

Figure 3: Function responsible for performing the DNS query

Target: Honda

  • Resolving internal domain: mds.honda.com
  • Ransom e-mail: CarrolBidell@tutanota[.]com

Target: Enel

  • Resolving internal domain: enelint.global
  • Ransom e-mail: CarrolBidell@tutanota[.]com

RDP as a possible attack vector

Both companies had some machines with Remote Desktop Protocol (RDP) access publicly exposed (reference here). RDP attacks are one of the main entry points when it comes to targeted ransomware operations.

  • RDP Exposed: /AGL632956.jpn.mds.honda.com
  • RDP Exposed: /IT000001429258.enelint.global

However, we cannot say conclusively that this is how threat actors may have gotten in. Ultimately, only a proper internal investigation will be able to determine exactly how the attackers were able to compromise the affected networks.

Detection

We tested the ransomware samples publicly available in our lab by creating a fake internal server that would respond to the DNS query made by the malware code with the same IP address it expected. We then ran the sample alleged to be tied to Honda against Malwarebytes Nebula, our cloud-based endpoint protection for businesses.

Figure 4: Malwarebytes Nebula dashboard showing detections

We detect this payload as ‘Ransom.Ekans’ when it attempts to execute. In order to test another of our protection layers, we also disabled (not recommended) the malware protection to let the behavior engine do its thing. Our anti-ransomware technology was able to quarantine the malicious file without the use of any signature.

Ransomware gangs have shown no mercy, even in this period of dealing with a pandemic. They continue to target big companies in order to extort large sums of money.

RDP has been called out as some of the lowest-hanging fruit preferred by attackers. However, we also recently learned about a new SMB vulnerability allowing remote code execution. It is important for defenders to properly map out all assets, patch them, and never allow them to be publicly exposed.

We will update this blog post if we come across new relevant information.

Indicators of Compromise (IOCs)

Honda related sample:

d4da69e424241c291c173c8b3756639c654432706e7def5025a649730868c4a1
mds.honda.com

Enel related sample:

edef8b955468236c6323e9019abb10c324c27b4f5667bc3f85f3a097b2e5159a
enelint.global

The post Honda and Enel impacted by cyber attack suspected to be ransomware appeared first on Malwarebytes Labs.

ParetoLogic facing complaint of alleged wrongdoing

A short while ago we reported on the FTC ruling against payment provider RevenueWire. Now, another Canadian company is under scrutiny, and the cases are very much related. Not only are these companies hailing from the same city, they also share some founders.

The company ParetoLogic is involved in a US class action lawsuit in which it is accused of having circulated programs that would charge customers to fix non-existent computer problems.

As we saw in our previous coverage, RevenueWire—acting under the name SafeCart—was charged under the accusation that they provided services as a payment provider for companies that were involved in tech support scams. RevenueWire denies the allegations, and issued a statement saying it settled to avoid protracted litigation and legal costs.

The case of ParetoLogic

In the case at hand, the plaintiff Archie Beaton sued Defendant SpeedyPC Software (“SpeedyPC”), a British Columbia company, alleging that it was engaged in fraudulent and deceptive marketing of SpeedyPC Pro (“Speedy PC Pro” or the “Software”), a computer software product that claimed to be able to diagnose and repair various PC errors.

In this context it is good to know that SpeedyPC Pro is the name of a program that the plaintiff purchased, and this program was produced, marketed, and sold by ParetoLogic.

The United States District Court for the Northern District of Illinois Eastern Division set out under the notice that “SpeedyPC Software appears to be the trade name of a company known as ParetoLogic, Inc. To avoid confusion, the Court will refer to the defendant only as SpeedyPC Software.”

ParetoLogic software

SpeedyPC was not the only software issued by ParetoLogic. Many similar programs were marketed in very much the same way. What they all had in common is that they fall in a category we refer to as “system optimizers.” This type of software combines some or all of the below functionalities:

  • Registry cleaner
  • Driver updater
  • Temp file cleaner
  • Disk optimizer (disk defragmenter)
  • System error reporter

Since all these functionalities are offered by free tools built into the Windows operating system, many system optimizers are considered Potentially Unwanted Programs (PUPs), especially if they exaggerate the seriousness of possible improvements that can be made on a user’s system.

A well-known example of a ParetoLogic product is PC Health Advisor (screenshot in the original post).

The ties with RevenueWire

What’s interesting in this case is that ParetoLogic Inc. was co-founded by the same partners behind another Victoria, Canada tech company, RevenueWire, that recently settled fraud charges with the U.S. Federal Trade Commission for US$6.7 million.

RevenueWire handled the sales and distribution of software and digital products for many developers and publishers worldwide. In fact, part of RevenueWire’s alleged scheme involved serving as a legitimate face for software companies that had already been denied by large, trusted payment processors, and according to at least one online forum, ParetoLogic may have fit that description, as it did not appear to accept PayPal.

The case against ParetoLogic

ParetoLogic has been fighting the plaintiffs’ right to start a class-action case in the US on several grounds since 2015 but was unsuccessful in this attempt to avoid going to court over the charges. Archie Beaton’s motion to certify a class for his complaint—which basically serves as a request to gather other folks facing similar, alleged wrongdoing into one lawsuit—against ParetoLogic was granted in October 2017 and was upheld at the U.S. Court of Appeals for the Seventh Circuit in Chicago in October 2018.

Grounds for the case

Beaton looked online for a fix for some computer problems he was experiencing and found a free trial of SpeedyPC Pro. As per usual with this type of software the program reported some problems with the system, but let the user know they needed the paid version to fix said problems.

From the Court of Appeals for the Seventh Circuit:

Using his personal business’s credit card, [Beaton] purchased SpeedyPC Pro and ran it on his laptop. It began by scanning his device, just as the free trial had done. The program then told Beaton to click on “Fix All.” Beaton dutifully did so. Yet nothing happened. Beaton ran the software a few more times, to no avail. Feeling ripped off, and suspecting that his experience was not unique, Beaton sued Speedy in 2013 on behalf of a class of consumers defined as “All individuals and entities in the United States who have purchased SpeedyPC Pro.” Despite Speedy’s lofty pledges, Beaton claimed, the software failed to perform as advertised. Instead, it indiscriminately and misleadingly warned all users that their devices were in critical condition, scared them into buying SpeedyPC Pro, and then ran a functionally worthless “fix.”

Decision of the court

Speedy identified 10 individual issues that allegedly defeated predominance. The district court was not persuaded. It found that some were best addressed on a class-wide basis, and they outweighed the remaining individualized inquiries.

“Finding no abuse of discretion in the district court’s decisions to certify the nationwide class and the Illinois subclass, we affirm the court’s certification orders,” the court wrote.

In layman’s terms, this means the plaintiff can represent other victims of ParetoLogic’s SpeedyPC and seek compensation for their damages.

Conclusion

This case has been on the table since 2014 and it can take a few more years before the courts decide on a final ruling about compensation. Meanwhile, ParetoLogic’s Victoria offices have been closed and its website has been taken offline. Provincial government records show it is still registered as an active corporation and its last annual report was filed in January.

The post ParetoLogic facing complaint of alleged wrongdoing appeared first on Malwarebytes Labs.

Lock and Code S1Ep8: Securely working from home (WFH) with John Donovan and Adam Kujawa

This week on Lock and Code, we discuss the top security headlines generated right here on Labs and around the Internet. In addition, we talk to John Donovan, head of security at Malwarebytes, and Adam Kujawa, director of Malwarebytes Labs, about securely working from home (WFH).

With shelter-in-place orders now in full effect to prevent the spread of coronavirus, countless businesses find themselves this year in mandatory work-from-home situations. On today’s episode, we go beyond just talking about threats. We have a dialogue.

First, what types of malware and attack methods are we seeing, and then, how has Malwarebytes responded? We want to give you an inside look, because even though we’re a cybersecurity company, staying cyber secure goes beyond malware detection. It reaches into educating your employees and implementing proper policies to protect your company.

Tune in for all this and more on the latest episode of Lock and Code, with host David Ruiz.

You can also find us on the Apple iTunes store, on Google Play Music, plus whatever preferred podcast platform you use.

We cover our own research on:

Plus other cybersecurity news:

  • Bug bounty hunter snags $100,000 award for zero-day bug in ‘Sign in with Apple’ system. (Source: TechSpot)
  • 100,000 company inboxes hit with voice message phishing. (Source: Bleeping Computer)
  • 80% of organizations suffered at least one cloud data breach in the past 18 months. (Source: Ciso Mag)
  • Mongolia arrests 800 Chinese citizens in cybercrime probe. (Source: Reuters)
  • Minnesota used contact tracing to track protestors, which created a trust problem for medical workers in the pandemic. (Sources: BGR and Cnet)

Stay safe, everyone!

The post Lock and Code S1Ep8: Securely working from home (WFH) with John Donovan and Adam Kujawa appeared first on Malwarebytes Labs.

New LNK attack tied to Higaisa APT discovered

This post was authored by Hossein Jazi and Jérôme Segura

On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.

The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.

We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:

  • “CV_Colliers.rar”
  • “Project link and New copyright policy.rar”

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.

The following shows the overall process flow when executing the malicious LNK file.

Figure 1: Process graph

LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:

Figure 2: Malicious LNK commands
  • Copy the content of the LNK file into “g4ZokyumB2DC4.tmp” in the %APPDATA% temp directory.
  • Copy the content of “certutil.exe” into “gosia.exe” (the wildcard “*ertu*.exe” is used instead of the full name to bypass security detection).
  • Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
  • Decode the content of “cSi1rouy4.tmp” using “gosia.exe -decode” (i.e. certutil.exe -decode) and write it to “o423DFDS4.tmp”.
  • Decompress the content of “o423DFDS4.tmp” into the temp directory, along with a decoy PDF document, using “expand.exe -F:*” (Figure 3).
  • Copy the “66DF33DFG.tmp” and “34fDKfSD38.js” files into the “C:\Users\Public\Downloads” directory.
  • Execute the JS file by calling Wscript.
  • Open the decoy document.
Figure 3: Content of the “o423DFDS4.tmp” cab file

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only differences are the names of the tmp files and the name given to the copy of certutil.exe, which in this new case is “gosia.exe”, while in the March campaign it was “mosia.exe”.

Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
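The chain above (cmd launched from the archiver, a renamed certutil decoding a .tmp, expand.exe unpacking the CAB, wscript running a .js from C:\Users\Public\Downloads) can be spotted from process-creation telemetry. The following is an added example, not code from the write-up: detection rules in PowerShell run over constructed Sysmon Event ID 1 style records, with made-up paths and a benign control row.

```powershell
# Added example, not from the Malwarebytes write-up. Detection logic for the
# LNK -> renamed certutil -> expand.exe -> wscript chain, run over constructed
# process-creation records. Field names (Image, OriginalFileName, CommandLine,
# ParentImage) follow Sysmon Event ID 1; the sample rows below are invented.

function Find-LnkChainIndicators {
    param([Parameter(Mandatory)][object[]]$ProcessEvents)

    foreach ($e in $ProcessEvents) {
        # Take the file name from a Windows path without relying on the host OS.
        $img    = (([string]$e.Image) -split '[\\/]')[-1].ToLower()
        $parent = (([string]$e.ParentImage) -split '[\\/]')[-1].ToLower()
        $cmd    = [string]$e.CommandLine

        # 1. certutil copied under another name: the PE's original file name still
        #    says CertUtil.exe, which is what "gosia.exe"/"mosia.exe" look like.
        if ($e.OriginalFileName -ieq 'CertUtil.exe' -and $img -ne 'certutil.exe') {
            [pscustomobject]@{ Rule = 'RenamedCertutil'; Image = $e.Image; CommandLine = $cmd }
        }
        # 2. A -decode of a .tmp file, whatever the binary is called.
        if ($cmd -match '(?i)\s-decode\s+\S+\.tmp\b') {
            [pscustomobject]@{ Rule = 'DecodeTmpFile'; Image = $e.Image; CommandLine = $cmd }
        }
        # 3. expand.exe unpacking a CAB with -F:* into a Temp path.
        if ($img -eq 'expand.exe' -and $cmd -match '(?i)-F:\*' -and $cmd -match '(?i)\\temp\\') {
            [pscustomobject]@{ Rule = 'ExpandCabToTemp'; Image = $e.Image; CommandLine = $cmd }
        }
        # 4. wscript running a .js out of C:\Users\Public\Downloads.
        if ($img -eq 'wscript.exe' -and $cmd -match '(?i)\\Users\\Public\\Downloads\\[^\s"]+\.js') {
            [pscustomobject]@{ Rule = 'WscriptPublicDownloads'; Image = $e.Image; CommandLine = $cmd }
        }
        # 5. cmd.exe spawned by an archiver, the way the LNK is launched from WinRAR.
        if ($img -eq 'cmd.exe' -and $parent -in @('winrar.exe', '7zfm.exe', '7zg.exe')) {
            [pscustomobject]@{ Rule = 'CmdFromArchiver'; Image = $e.Image; CommandLine = $cmd }
        }
    }
}

# Constructed sample events (hypothetical user and paths, modelled on the post).
$T = 'C:\Users\alice\AppData\Local\Temp'
$sample = @(
    [pscustomobject]@{ Image = "$T\gosia.exe"; OriginalFileName = 'CertUtil.exe'
                       ParentImage = 'C:\Windows\System32\cmd.exe'
                       CommandLine = "$T\gosia.exe -decode $T\cSi1rouy4.tmp $T\o423DFDS4.tmp" }
    [pscustomobject]@{ Image = 'C:\Windows\System32\expand.exe'; OriginalFileName = 'expand.exe'
                       ParentImage = 'C:\Windows\System32\cmd.exe'
                       CommandLine = "expand.exe $T\o423DFDS4.tmp -F:* $T" }
    [pscustomobject]@{ Image = 'C:\Windows\System32\wscript.exe'; OriginalFileName = 'wscript.exe'
                       ParentImage = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'wscript.exe C:\Users\Public\Downloads\34fDKfSD38.js' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\cmd.exe'; OriginalFileName = 'Cmd.Exe'
                       ParentImage = 'C:\Program Files\WinRAR\WinRAR.exe'
                       CommandLine = 'cmd.exe /c <commands embedded in the LNK>' }
    # Benign control row: the real certutil verifying a certificate; no rule should fire.
    [pscustomobject]@{ Image = 'C:\Windows\System32\certutil.exe'; OriginalFileName = 'CertUtil.exe'
                       ParentImage = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'certutil.exe -verify C:\Temp\cert.cer' }
)

# Expected: five findings (rules 1 and 2 both fire on the gosia.exe row), none for the control row.
Find-LnkChainIndicators -ProcessEvents $sample | Format-Table -AutoSize
```

To run the same rules on a live host, replace $sample with objects built from Get-WinEvent output for the Sysmon operational log; the rule bodies do not change.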

Figure 4: CV decoy document
Figure 5: IELTS test result decoy document

JS file

The JavaScript file performs the following commands:

  • Create “d3reEW.exe” in “C:\Users\Public\Downloads” and store the output of “cmd /c ipconfig” in it.
  • Execute the dropped “svchast.exe”.
  • Copy “svchast.exe” into the startup directory and rename it “officeupdate.exe”.
  • Add “officeupdate.exe” to the scheduled tasks.
  • Send a POST request to a hardcoded URL with “d3reEW.exe” as the data.
Figure 6: JS content
Figure 7: POST request

svchast.exe

Svchast.exe is a small loader that loads the content of the shellcode stored in “63DF3DFG.tmp”.

Figure 8: Main function of svchast.exe

In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.

Figure 9: Calling the final shellcode

The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.

Figure 10: Resolving the imports
Figure 11: Allocating memory for the new thread

Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.

Figure 12: CreateThread

At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.

Chaining techniques for evasion

While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.

We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.



MITRE ATT&CK techniques

| Tactic | ID | Name | Details |
|---|---|---|---|
| Execution | T1059 | Command-Line Interface | Starts CMD.EXE for command execution (WinRAR.exe, wscript.exe) |
| Execution | T1106 | Execution through API | Application (AcroRd32.exe) launched itself |
| Execution | T1053 | Scheduled Task | Loads the Task Scheduler DLL interface (Officeupdate.exe) |
| Execution | T1064 | Scripting | Executes scripts (34fDFkfSD38.js) |
| Execution | T1204 | User Execution | Manual execution by user (opening the LNK file) |
| Persistence | T1060 | Registry Run Keys / Startup Folder | Writes to a start menu file (Officeupdate.exe) |
| Persistence | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe) |
| Privilege Escalation | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe) |
| Defense Evasion | T1064 | Scripting | Executes scripts (34fDFkfSD38.js) |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | certutil to decode Base64 binaries, expand.exe to decompress a CAB file |
| Discovery | T1012 | Query Registry | Reads the machine GUID from the registry |
| Discovery | T1082 | System Information Discovery | Reads the machine GUID from the registry |
| Discovery | T1016 | System Network Configuration Discovery | Uses IPCONFIG.EXE to discover the IP address |

The post New LNK attack tied to Higaisa APT discovered appeared first on Malwarebytes Labs.

Sodinokibi ransomware gang auctions off stolen data

Is it legal to buy stolen data from criminals? In most countries the answer would be no. But will it lead to a penalty or a fine? That is a different question and I’m afraid some companies and organizations will be inclined to seriously consider the last question even when they know the answer to the first one. Maybe we can at least agree that it is not ethical or recommended.

Why are we asking you this?

As we reported earlier, some ransomware operators make a habit of exfiltrating data from the networks they break into. The stolen data serve as extra leverage to persuade the victims to pay: if they don't pay up, the stolen data will be published.

But now the Sodinokibi, aka REvil, ransomware operators have come up with yet another way to make money from the stolen data. They have launched a new auction site where a victim's stolen data are sold to the highest bidder. Such data could be of interest to several parties when the victim is high profile, or to a select few when the buyer is a direct competitor, so from the criminals' point of view a steep asking price makes sense.

The ransomware gang already ran a site called “Happy Blog” where they post samples of the stolen data and then threaten to release the actual files to the public. For the auction site they use this new format:

(Screenshot of the auction site.)

On the auction site you can find information about the organizations they have stolen data from and some information about what the data includes.

The auction procedure

On the site you can find these rules:

  • To bid on an auction, you must register for each auction separately.
  • After registration, you will need to make a deposit of 10% of the starting price. At the end of the auction the amount will be refunded (except for blockchain commission).
  • If you have not paid your bid on the winning auction, you will lose your deposit. This is to ensure that none of the bidders make fake bids.
  • All computational operations are performed in the cryptocurrency Monero (XMR).

By clicking “continue” you confirm that you agree to the terms above. You will be given a username/password and details of deposit payment.

In the description for each dataset, you find the starting price and the minimum deposit (10% of the starting price), but also a blitz price that allows you to buy the data without further bidding.

Only organizations and companies?

Apparently not. On their auction site the operators posted a hint that there might be more interesting data forthcoming.

“And we remember the Madonna and other people. Soon.”

As we have reported earlier, a law firm representing many megastars fell victim to the Sodinokibi gang as well. So, we anticipate that those stolen data may be in high demand and bring the criminals a pretty penny.

Buying stolen data

Buying these data is a bad idea for several reasons.

  • You are keeping the ransomware business model alive by paying the ransomware operators. It does not matter whether that payment is a ransom or a payment for stolen data.
  • It should not come as a surprise that dealing with criminals could pan out poorly. They may double-cross you or turn you into their next victim.
  • Buying stolen data is illegal and the seller will know that you have done something illegal, which opens a new avenue of extortion.
  • Data are easily copied, so who is going to guarantee that you will have exclusive access to the data you bought? A bunch of known criminals?
  • Are you sure you will get your deposit back if you are outbid?

These auctions may be yet another twist on the ransomware-as-a-service business model, even though the extra exposure involved in selling data may slightly raise the criminals' chances of getting caught. Many organizations have adapted to the fact that ransomware exists and have taken precautions, both by way of protection and by keeping backups that are easy to restore. Keep in mind that backups only answer the encryption half of the threat: once data have been exfiltrated, the threat of publication or sale is exactly what no backup can undo.

Information about Sodinokibi

(Chart) Malwarebytes detections for Sodinokibi are almost exclusively against our business customers

In case you are interested in some more background information about the Sodinokibi ransomware we highly recommend these Malwarebytes resources:

Threat Spotlight: Sodinokibi ransomware attempts to fill GandCrab void

Sodinokibi drops greatest hits collection, and crime is the secret ingredient

Detection profile for Ransom.Sodinokibi

Stay out of their greedy claws, everyone!

The post Sodinokibi ransomware gang auctions off stolen data appeared first on Malwarebytes Labs.

A brief history of video game saves and data modification

Games consoles and handhelds have always been an interesting battleground for hacking activities. The homebrew scene for using hardware in interesting ways has a long and varied history, especially where porting games to run on different platforms is concerned.

Tampering with games while playing them to gain a distinct advantage has always been frowned upon by the majority of players and developers, however. Nobody wants to play a game where they can be killed from the other side of the map, but that’s how things roll in PC gaming land. Aimbots, wallhacks, miners, autoclickers, you name it – it’s been done, and has been for many years.

In theory, a console’s architecture and limited functionality available to the owner should make it near impossible to directly alter the inner workings of said device. This has tended to hold up for all but the most advanced hardware hackers. This is why console hackers often took the path of least resistance and targeted data on the device which would be most open to tampering. That would be your save data.

Saving the day?

While everything else in a console is forever doomed to follow the same processes and routines repeatedly, from essential functions to the code running the game you’re playing, save data is the weak spot. It’s forever changing. It requires the device to allow it to be altered as it dynamically responds to thousands of your choices over the course of a session. The console saves a state, and reinserts it back into the game the next time you load up.

Even better for the hacking/modding communities, this data is often saved to a potentially vulnerable external device. When it isn’t, coders can usually come up with a way to craft tools which can extract the data from the device to a PC, where it can then be edited to their heart’s content before being put back.

While the console hardware of today is different from what’s gone before, and the security architecture is theoretically more advanced than what we had 10+ years ago, ultimately our gaming devices are still tied to most of the same functionality by necessity.

Take the Nintendo Switch, the hottest handheld around and current victim to save altering shenanigans. Players are altering data, dropping it into live game worlds, and benefiting from cheating. Nintendo will almost certainly be taking action, and bans could follow. Sounds exciting, right?

Before we get to that, let’s look at how saving on devices—and editing those saves—has evolved down the years.

Saving games through the years

Saving in games goes back almost as far as the dawn of gaming in the household itself, and Nintendo play a big part in its evolution over time. The first big smash games most people remember back at the dawn of gaming are Atari 2600 titles which didn’t need game saves. They were basic, strapped for memory, short, and often had no end as such…just the same levels looped but made faster, or more difficult.

As the tech evolved, games struggled to keep up and you ended up with would-be complicated titles hampered by no saves, or players given dozens of extra lives as a workaround which frankly felt a bit insulting towards our incredible gaming skills.

Atari 2600: Passwords enter the fray

Some early games dabbled in would-be save states by introducing basic codes you could punch into the title screen and pick up where you left off. The games at this point were still linear, so you could get away with this approach.

It’s faintly bizarre to look back now and realise that your “save game” equivalent at the time wasn’t your game saved at all; it was just a code, typed in at the title screen, that told the game to start a fresh run at a later level with your handful of items, rather than from the beginning.

There are actually quite a few Atari 2600 games with password/pick-up-where-you-left-off systems, an early indicator of the direction things were about to take.

N.E.S. – Batteries included

Things stepped up once Nintendo decided to dramatically bump the scope of what games were capable of. The Legend of Zelda is usually hailed as the first major title with a “proper” ability to save, via a small battery inside the cartridge that kept the save RAM powered while the console was off (which is why saves on those old cartridges vanish once the battery dies). Games could now be significantly bigger and better than ever before.

PlayStation 1: Memory cards on the table

Many of you reading this will have their first memory of console gaming knowledge firmly tethered to the original Playstation’s iconic memory cards. Even now, people debate what exactly “15 blocks of memory” means (good news, it’s been cleared up). The save functionality jammed inside of those NES cartridges was basically pulled out and turned into its own standalone device (see also: the Dreamcast VMU).

At this point, gamers finally had a way to take their save data away from the console, do what they want with it, then pop it back in. Unlike now, the games weren’t online. Things were mostly single player or local split screen. If you wanted to cheat, be it to gain extra lives, see all the levels, turn everyone into pumpkins, or anything else, you just fired up a cheat cartridge or used it to create your own cheats.

PlayStation 1: Regional difficulty

I primarily remember the console modding scene all about being able to play region locked discs, with many a furtive moment spent in vaguely dubious gaming stores asking if they’d chip your machine, wink wink. Some of you may remember a legendary (for the gaming scene) incident where a coverdisc giveaway involving a cheat code system went horribly wrong. I’ve still got the disc somewhere. No, you can’t have it.

Xbox 360 comes under fire

On the 360, all those years of learning how to edit files on consoles finally combined with online gameplay environments in many ways risky to the players.

Hex editing the data on PC with specially designed tools, rehashing it so the console thinks the data is the real deal, and then resigning it so you could use files tied to someone else’s profile resulted in all sorts of interesting antics. Changing the look of their gaming avatar on the console dashboard, unlocking lots of paid items from the marketplace after just one purchase, even joining gaming sessions with temporary names imitating well known game developers were all part of this boom in console modding activity.

Even worse were cases of modders removing their visible gaming name entirely, leading to situations where gamers couldn’t figure out how to report them for cheating, or even who they were. As always, the player data was the soft underbelly of the otherwise solid system.
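The edit-rehash-resign trick described above is worth seeing in miniature. The Python below is an added example, not the Xbox 360's actual container format or any console's code: it models a save file as a 32-byte integrity tag followed by a JSON payload, once with a plain SHA-256 hash and once with an HMAC under a key the editor does not have, and shows that a save editor's “edit, then rehash” step passes the first check and fails the second. The payload fields and the key are invented for the example.

```python
import hashlib
import hmac
import json
from typing import Optional

TAG_LEN = 32  # SHA-256 digest / HMAC-SHA256 tag length in bytes


def _encode(payload: dict) -> bytes:
    # Canonical JSON so the same save always produces the same bytes.
    return json.dumps(payload, sort_keys=True).encode()


def pack_hash_only(payload: dict) -> bytes:
    """Save container protected only by a hash that anyone can recompute."""
    body = _encode(payload)
    return hashlib.sha256(body).digest() + body


def verify_hash_only(blob: bytes) -> Optional[dict]:
    """Return the payload if the hash matches the body, else None."""
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    if hmac.compare_digest(hashlib.sha256(body).digest(), tag):
        return json.loads(body)
    return None


def pack_keyed(payload: dict, key: bytes) -> bytes:
    """Save container protected by an HMAC under a key the editor lacks."""
    body = _encode(payload)
    return hmac.new(key, body, hashlib.sha256).digest() + body


def verify_keyed(blob: bytes, key: bytes) -> Optional[dict]:
    """Return the payload if the HMAC verifies under `key`, else None."""
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    if hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        return json.loads(body)
    return None


def save_editor(blob: bytes, **changes) -> bytes:
    """What a save editor does: change fields, then 'rehash' the container so the
    tag matches the edited payload. It holds no key, so the best it can do is a
    plain SHA-256 over the new body."""
    payload = json.loads(blob[TAG_LEN:])
    payload.update(changes)
    body = _encode(payload)
    return hashlib.sha256(body).digest() + body


def demo() -> dict:
    """Run the tampering scenario against both container types."""
    original = {"player": "nibbles", "lives": 3, "gold": 120}   # invented save data
    verifier_key = b"example-key-held-by-the-verifier"           # invented key

    hashed = pack_hash_only(original)
    keyed = pack_keyed(original, verifier_key)

    # Same editor, same edit, against both containers.
    hashed_tampered = save_editor(hashed, gold=999999)
    keyed_tampered = save_editor(keyed, gold=999999)

    return {
        "hash_only_accepts_tampered": verify_hash_only(hashed_tampered),
        "keyed_accepts_original": verify_keyed(keyed, verifier_key),
        "keyed_accepts_tampered": verify_keyed(keyed_tampered, verifier_key),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The keyed container holds only for as long as the key stays out of the editor's hands. Once custom firmware can dump whatever key the device uses to verify its saves, “resigning” becomes possible again, which is the progression the rest of this post describes; for online games, moving the check (or the key) to a server the player cannot reach is what actually closes that door.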

How Nintendo changed up the game

Older Nintendo handhelds allowed you to copy saves to removable storage devices. Not so with the Switch. At launch, people quickly discovered that saves were not transferable from the handheld to external storage. All gamesave data resided on the handheld’s internal flash memory only.

Considering the many years of game tampering resulting in real-time shenanigans while people played, it probably made some sense to stop opening up portions of data to tampering. With it locked firmly into the device, that would likely help prevent hacks and cheating…right?

Oh, my sweet summer child

The SD card in the Switch is there for additional space should you download a lot of games. Buying physical titles as your primary source of gaming kicks means you may not need to bother with SD cards at all. It’s common for people to assume game saves end up on the SD along with downloaded game data, but that isn’t the case.

The game saves are kept tucked away on the device, and Nintendo are insistent you don’t go wandering off depositing your save files all over the place.

Anyone familiar with handheld modifications down the years will have some idea where this is heading…

Hacking the handheld Gibson

That’s right, it’s homebrew time. As the name suggests, homebrew is the stuff you come up with when the original hardware/software combination isn’t quite what you’re looking for. It’s the act and the art of popping closed systems, and making them dance to the beat you want. You might merely expand upon original functions, or modify them heavily, or even replace them entirely.

Just as Nintendo arguably drove forward the scope of game design and general tinkering by introducing battery saves to a mainstream audience, so too did they inadvertently push the word “homebrew” into the public eye after enterprising individuals (not affiliated with Nintendo) came up with the Homebrew Channel for the Wii. This let Wii users launch homebrew apps directly from the Wii system menu, and from there the word really took hold.

Taking a firm stance on firmware

Custom firmware is a specific form of homebrew and the magic key to a system’s innards: with it, real ultimate power is yours. Unless the flaw it relies on sits somewhere the manufacturer cannot patch (immutable boot code, for example), the entry point is usually closed in a later firmware or hardware revision, and you end up with a sort of permanent digital great divide between devices that can run it and devices that can’t.

At that point, all devices made prior to the fix become the end goal and they probably start fetching a pretty penny on ebay and elsewhere. The newer, later models which no longer respond to tampering? Sorry gang, you’re just not that cool anymore. There’s usually multiple ways to seize control of any device, and this is no different. Being able to boot up the device in recovery mode allows for the execution of unsigned code.

There’s a lot more to it than this; everything from selecting the specific exploit to preparing the SD card the right way so everything goes without a hitch can be a painstaking process. People usually make a backup of the device first, because bricking it is an easy mistake for an inexperienced homebrew enthusiast. Nintendo modders are also very particular about disabling any feature that could let Nintendo trace the hack back to their device and ban it from Nintendo services.

Once all of that is done, the device owner is finally ready to start playing with their chosen custom firmware. There may well be additional steps at this point depending on the ultimate objective, but let’s just wind forward to the part where people are messing with their saves.

Animal Crossing takes a trip to Modding Island

As you’ve seen, data moving is not something Nintendo is keen on here. Merely transferring your saves from an old device to a new one legitimately is a little bit more complicated than “copy and move.” Here, we’re weirdly back in the same editing land we found ourselves in during the Xbox 360 days.

Dragging and dropping specific files into the folders related to the custom firmware is how people were doing it back in March. These techniques tend to evolve quickly over time allowing for greater customisation, and indeed from all accounts this latest hack relies on specific save editing tools. But what are they doing?

It’s full of stars

Put simply, it’s all about star fragments. These are rare crafting components in the game and focusing on them seems to have replaced creating lots of bells as the number one Animal Crossing cheat of choice.

Using save editors, star fragment trees (which don’t exist in the game normally) are popping up on islands belonging to players. You don’t even need to have put them there yourself to begin with, as you can dig them up from other islands, trade them, or have them planted for you by friends. As with all things not originating from the source, there are some big clanging caveats to go with them. 

Nintendo almost certainly have an idea who is using them or introducing them into the gamespace. That could end up with action being taken against the players. It’s also been reported that the items are one use only, so after that they’re of no use whatsoever. Players have also claimed the items can break parts of the player’s island, resulting in so-called “dead tiles”—which can’t be used anymore—and corrupted saves.

It’s tricky enough making legitimate modded files work in games which support modding activity, especially as updates to the base game often result in the mod needing to be altered and updated, too.

Here, we have these bizarre items dumped into a game where QA support for modding doesn’t exist, so if updates for the base game at a later date make these things break your game completely, I doubt Nintendo will do anything about it. It’s a huge clanging Buyer Beware, is what it is.

Risky business

Even without the peril of Nintendo detecting your device due to a mistake on your part and banning it at a later date, you could easily brick the handheld while setting things up, corrupt your saves, or fall foul of fake firmware downloads. Not everything in modding land is benign, and we’d advise people to consider carefully whether the benefits here outweigh the risks.

The post A brief history of video game saves and data modification appeared first on Malwarebytes Labs.

Teaching from home might become part of every teachers’ job description

“Hey Joe, I wanted to remind you that starting next Monday you will be expected to teach from home. The lesson material is in your inbox along with the list of pupils that are expected to follow them. We are sure it will take some adjustments, but we trust that by working together we can make the best of the current situation.  If you have any questions, feel free to let us know.”

Basically, that is the scenario many teachers across the globe have found themselves in—or are about to find themselves in—because of the broad shelter-in-place orders now in effect to limit the spread of coronavirus. And we still don’t know how long this could all last. In fact, teaching from home might become a part of the new normal when the new school year starts after the summer.

We have covered some of the perils that come with working from home but teaching from home poses some extra hurdles. Not only are you entertaining a demanding audience, you are working with sensitive data about children. As indicated, we have already handed our readers some general tips for working from home (WFH), but collaborating with co-workers and teaching children are two different beasts altogether. Let us go over some pointers that are specific for teaching from home.

Get your house prepped for video calls

You probably already know that there are some children in your class that notice everything, especially if it is outside of the scope of the lesson. To limit the number of distractions you can:

  • Take a good look at the background. Is there anything that could possibly get more attention than the subject at hand? In some of the software packages you can choose a virtual background if you would rather not display your real surroundings.
  • Make sure everyone in your household knows when not to disturb you. Ideally you’ll be in a separate room with a warning sign at the door when you are working, so the people in your household know when not to burst in.

Optimize your lessons

Teaching from home is a different craft than teaching in front of the class, but you probably already knew that. Some things you can use to your advantage when working from home:

  • Stream what you can. You can broadcast or upload a prepared lesson or part thereof. After viewing you can discuss it with the students. It relieves the stress of “performing live” and it’s easier on your internet connection since it uses less bandwidth than a conference call.
  • Don’t go overboard with the prepared lessons. Your students learn more when they are part of a discussion or otherwise engaged in the subject matter.
  • Virtual classes, virtual breaks. It is easy to forget that your students need a break now and then, just as they would in the real-life classroom, but letting them move away from the computer will cause disruptions that last longer than you intended. Show a funny video or discuss a lighthearted theme as a virtual break.

Adjust your teaching to the circumstances

Decide on the most important learning goals as you may not achieve all the goals you would have reached by teaching in person and strive to at least meet those minimum requirements. Everything extra should be considered a bonus.

Looking after individual students who are falling behind is harder when you are teaching from home. Direct human contact is an important factor in how well we pick up whether a student is struggling. And it’s hard to be patient rather than simply telling them the answer when we have at least 20 other students who need our help as well. Encourage those who are struggling and give them the time to come up with their own answers.

Teaching from home: technology

It is not very likely that you will have the luxury of choosing your own tools and software. Chances are you will have to make do with what you get.

Familiarize yourself with the technology before you jump in at the deep end. Utilizing the teaching tools could become a nightmare if you have to figure out how everything works on the fly.

Once you are familiar with the software and hardware it is a lot easier to take advantage of the things the technology has to offer.

Teaching from home: privacy and compliance

It is hard to give general guidelines when it comes to aligning with all the different privacy and compliance guidelines. In some countries it would be against privacy regulations if students can hear their classmates in a video conference call, even if they are asking a question about the lessons. Make sure you are aware of your local rules and regulations, so you don’t get caught off-guard.

Handle data and access with care

The key here is to avoid unauthorized views of confidential information. Here are a few ways to shore up physical security while WFH:

  • If you need to leave your home for supplies or other reasons, make sure your work devices are inaccessible.
  • Should you be living with a roommate or young children, be sure to lock your computer even when you step away for just a bit. Don’t tempt others in your household by leaving information accessible. This is true even for the workplace, so it is imperative for WFH.
  • If you can’t carve out a separate workspace in your home, be sure to collect your devices at the end of your workday and store them someplace out of sight.
  • Logging in to the computer should at least require a strong password. That keeps a housemate or an opportunistic thief out of a running session, but on its own it does not protect the data: a drive pulled from a stolen laptop can be read on another machine.
  • That is what full-disk encryption is for. Check whether it is enabled on your work machine (BitLocker on Windows, FileVault on macOS). Not sure? Ask your IT department whether you have it, and whether they think it’s necessary.
  • If you connect your work computer to your home network, mark that network as “public” (or otherwise turn off network discovery and file sharing for it) so the machine is neither visible to, nor sharing files with, the other devices in your house.
  • Secure your home Wi-Fi with a strong password and do the same for access to the settings on your home router. Be sure to change the default password it came with!

Teaching from home: security

Whether you are going to use your own laptop or one provided by your school, make sure to keep the data safe. It is important to realize that you will likely be storing sensitive information about your students on a system that is connected to your home network and maybe even on your personal device.

And last but not least, familiarize yourself with the security settings of the software you are going to use. We have an extensive guide for Zoom that can also serve as a set of directions for other similar software packages. You definitely don’t want your classes to be interrupted by Zoombombers.

Stay safe, everyone!

The post Teaching from home might become part of every teachers’ job description appeared first on Malwarebytes Labs.

A week in security (May 25 – 31)

Last week on Malwarebytes Labs, we published our most recent episode of our podcast Lock and Code, providing an in-depth discussion on web browser privacy, looked at the membership bump for the Coalition against Stalkerware, and dug into EDR solutions. We also looked at twists added to the threat scene by Maze Ransomware.

Other cybersecurity news

  • Warnings abound that unemployment claim scams are on the rise as a result of the COVID-19 pandemic. (Source: WKZO) 
  • Zoom bombing brings serious consequences: The FBI are investigating zoom bombers deploying illegal imagery and videos on unsuspecting victims. (Source: The Hill)
  • Fake news, free speech: There are claims that some Governments are using the pandemic, and information related to it, as a way to potentially crack down on free speech. (Source: Foreign Policy)
  • Prepping for 5G conspiracy theories: A look at how the DHS is getting itself ready for the inevitable wave of tall tales hitting the US. (Source: Wired)
  • Student discovers security / doorbell camera flaws: A computer science student contacted many big industry players to explain where things may be going wrong. (Source: Help Net Security)
  • Ransomware attacks continue: There may be a pandemic, but that hasn’t stopped some individuals from causing mayhem anyway. (Source: WRBL)

Stay safe, everyone!

The post A week in security (May 25 – 31) appeared first on Malwarebytes Labs.