IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

Teaching from home might become part of every teachers’ job description

“Hey Joe, I wanted to remind you that starting next Monday you will be expected to teach from home. The lesson material is in your inbox along with the list of pupils that are expected to follow them. We are sure it will take some adjustments, but we trust that by working together we can make the best of the current situation. If you have any questions, feel free to let us know.”

Basically, that is the scenario many teachers across the globe have found themselves in—or are about to find themselves in—because of the broad shelter-in-place orders now in effect to limit the spread of coronavirus. And we still don’t know how long this could all last. In fact, teaching from home might become a part of the new normal when the new school year starts after the summer.

We have covered some of the perils that come with working from home, but teaching from home poses some extra hurdles. Not only are you entertaining a demanding audience, you are working with sensitive data about children. As indicated, we have already handed our readers some general tips for working from home (WFH), but collaborating with co-workers and teaching children are two different beasts altogether. Let us go over some pointers that are specific to teaching from home.

Get your house prepped for video calls

You probably already know that there are some children in your class that notice everything, especially if it is outside of the scope of the lesson. To limit the number of distractions you can:

  • Take a good look at the background. Is there anything that could possibly get more attention than the subject at hand? In some of the software packages you can choose a virtual background if you would rather not display your real surroundings.
  • Make sure everyone in your household knows when not to disturb you. Ideally you’ll be in a separate room with a warning sign at the door when you are working, so the people in your household know when not to burst in.

Optimize your lessons

Teaching from home is a different craft than teaching in front of the class, but you probably already knew that. Some things you can use to your advantage when working from home:

  • Stream what you can. You can broadcast or upload a prepared lesson or part thereof. After viewing you can discuss it with the students. It relieves the stress of “performing live” and it’s easier on your internet connection since it uses less bandwidth than a conference call.
  • Don’t go overboard with the prepared lessons. Your students learn more when they are part of a discussion or otherwise engaged in the subject matter.
  • Virtual classes, virtual breaks. It is easy to forget that your students need a break now and then just as they would in the real-life classroom, but allowing them to move away from the computer will cause disruptions that are longer than you intended. Show a funny video or discuss a lighthearted theme as a virtual break.

Adjust your teaching to the circumstances

Decide on the most important learning goals as you may not achieve all the goals you would have reached by teaching in person and strive to at least meet those minimum requirements. Everything extra should be considered a bonus.

Looking after individual students that are falling behind is harder when you are teaching from home. Direct human contact is an important factor in how well we are able to pick up whether a student is struggling. And it’s hard to be patient rather than telling them the answer when we have at least 20 other students that need our help as well. Encourage those that are struggling and give them the time to come up with their own answers.

Teaching from home: technology

It is not very likely that you will have the luxury of choosing your own tools and software. Chances are you will have to make do with what you get.

Familiarize yourself with the technology before you jump in at the deep end. Utilizing the teaching tools could become a nightmare if you have to figure out how everything works on the fly.

Once you are familiar with the software and hardware it is a lot easier to take advantage of the things the technology has to offer.

Teaching from home: privacy and compliance

It is hard to give general guidelines when it comes to aligning with all the different privacy and compliance guidelines. In some countries it would be against privacy regulations if students can hear their classmates in a video conference call, even if they are asking a question about the lessons. Make sure you are aware of your local rules and regulations, so you don’t get caught off-guard.

Handle data and access with care

The key here is to avoid unauthorized views of confidential information. Here are a few ways to shore up physical security while WFH:

  • If you need to leave your home for supplies or other reasons, make sure your work devices are inaccessible.
  • Should you be living with a roommate or young children, be sure to lock your computer even when you step away for just a bit. Don’t tempt others in your household by leaving information accessible. This is true even for the workplace, so it is imperative for WFH.
  • If you can’t carve out a separate workspace in your home, be sure to collect your devices at the end of your workday and store them someplace out of sight.
  • Access to the computer should at least require a strong login password (or a PIN backed by a hardware chip). That stops casual access by someone in the household, but a login password alone does not protect the data if the laptop is stolen: the drive can be removed, or the machine booted from a USB stick, and the files read directly. That is what the next point is for.
  • Full-disk encryption is what protects information on a stolen or lost computer, because the data on the drive is unreadable without the key. Check whether disk encryption is active on your work machine (BitLocker on Windows, FileVault on macOS). Not sure? Ask your IT department whether it is enabled and, if not, whether they can enable it.
  • If you connect your work computer to your home network, make sure it is not visible to other devices on that network. On Windows, mark the home network as “Public” so that network discovery and file and printer sharing are switched off. (Older Windows versions had a HomeGroup feature; it was removed from Windows 10 in 2018, but if your machine still has it, make sure file sharing is off there too.)
  • Secure your home Wi-Fi with a strong password and do the same for access to the settings on your home router. Be sure to change the default password it came with!

Teaching from home: security

Whether you are going to use your own laptop or one provided by your school, make sure to keep the data safe. It is important to realize that you will likely be storing sensitive information about your students on a system that is connected to your home network and maybe even on your personal device.

And last but not least, familiarize yourself with the security settings of the software you are going to use. We have an extensive guide for Zoom that can also serve as a set of directions for other similar software packages. You definitely don’t want your classes to be interrupted by Zoombombers.

Stay safe, everyone!

The post Teaching from home might become part of every teachers’ job description appeared first on Malwarebytes Labs.

A week in security (May 25 – 31)

Last week on Malwarebytes Labs, we published the most recent episode of our podcast Lock and Code, providing an in-depth discussion on web browser privacy, looked at the membership bump for the Coalition against Stalkerware, and dug into EDR solutions. We also looked at twists added to the threat scene by Maze ransomware.

Other cybersecurity news

  • Warnings abound that unemployment claim scams are on the rise as a result of the COVID-19 pandemic. (Source: WKZO) 
  • Zoom bombing brings serious consequences: The FBI are investigating zoom bombers deploying illegal imagery and videos on unsuspecting victims. (Source: The Hill)
  • Fake news, free speech: There are claims that some Governments are using the pandemic, and information related to it, as a way to potentially crack down on free speech. (Source: Foreign Policy)
  • Prepping for 5G conspiracy theories: A look at how the DHS is getting itself ready for the inevitable wave of tall tales hitting the US. (Source: Wired)
  • Student discovers security / doorbell camera flaws: A computer science student contacted many big industry players to explain where things may be going wrong. (Source: Help Net Security)
  • Ransomware attacks continue: There may be a pandemic, but that hasn’t stopped some individuals from causing mayhem anyway. (Source: WRBL)

Stay safe, everyone!

The post A week in security (May 25 – 31) appeared first on Malwarebytes Labs.

Coronavirus campaigns lead to surge in malware threats, Labs report finds

In the first three months of 2020, as the world clamped down to limit coronavirus, cyber threats ramped up.

Our latest special edition of our quarterly CTNT report focuses on the recent increase in malware threats that all have one big thing in common: using coronavirus as a lure. Our report, “Cybercrime tactics and techniques: Attack on home base,” analyzes the trojans, info stealers, and botnets that threat actors delivered to more and more homes from January to March of this year.

Our report looks at more than attack volume, though. It also captures the actual models that threat actors used to try to trick unsuspecting victims. From an email purporting to come from UNICEF, to another claiming to contain information about proper face mask usage, to a much-discussed fraudulent map posing as a legitimate global coronavirus case tracker from Johns Hopkins University: it’s all here in our latest report.

Malwarebytes researchers have been following these attack methods for months.

We found a scam email that preyed on individuals’ desire to offer support during the pandemic. We investigated activity from a reported Pakistani state-sponsored threat actor spreading a remote access Trojan through a coronavirus-themed spearphishing campaign. We discovered countless impersonating emails and snake-oil pitches hiding a variety of keyloggers, ransomware, and data stealers.

In today’s report, we now have the data to show what malware threats, specifically, increased in the first three months of 2020.

Key takeaways: Attack on home base

  • Cybercriminals quickly transitioned to delivering years-old malware with brand new campaigns that preyed on the confusion, fear, and uncertainty surrounding the global coronavirus pandemic.
  • Malwarebytes discovered that the backdoor malware NetWiredRC, which laid low for roughly five months in 2019, dramatically increased its activity at the start of 2020, with a detection increase of at least 200 percent by March compared to last December.
  • The time period between January and February was, for several of the malware types analyzed, a precursor to even greater, increased detection activity between February and March.
  • Malwarebytes recorded increased detections of nearly 110 percent between February and March for the malware AveMaria, a dangerous remote access trojan that can provide remote desktop access and remote webcam control, with the additional ability to steal passwords.
  • Malwarebytes recorded increased detections of more than 160 percent between February and March for the malware DanaBot, an invasive trojan and information stealer that can swipe online banking account credentials.
  • Phishing campaigns appear to be the most popular attack method, but cybercriminals have also gotten creative with fraudulent websites that hide malware.
  • A 26 percent increase in credit card skimming activity in March puts home shoppers at greater risk.

To learn more about the attack methods and malware types targeting individuals today, and to find recommendations on how to protect your—and your remote employees’—home base, read the full report:

Cybercrime tactics and techniques: Attack on home base

The post Coronavirus campaigns lead to surge in malware threats, Labs report finds appeared first on Malwarebytes Labs.

Maze: the ransomware that introduced an extra twist

An extra way to create leverage against victims of ransomware has been introduced by the developers of the Maze ransomware. If the victim is not convinced that she should pay the criminals because her files are encrypted, there could be an extra method of extortion. Over time, more organizations have found ways to keep safe copies of their important files or use some kind of rollback technology to restore their systems to the state they were in before the attack.

To have some leverage over these organizations, the ransomware attackers steal data from the infiltrated system while they deploy their ransomware. They then threaten to publish the data if the victim decides not to pay. Depending on the kind of data, this can be a rather compelling reason to give in.

Maze introduces leaked data

In the last quarter of 2019, Maze’s developers introduced this new extortion method. And, as if ransomware alone wasn’t bad enough, since the introduction of this methodology, many other ransomware peddlers have started to adopt it. The most well-known ransomware families besides Maze that use data exfiltration as a side-dish for ransomware are Clop, Sodinokibi, and DoppelPaymer.

The dubious honor of being noted as the first victim went to Allied Universal, a California-based security services firm. Allied Universal saw 700MB of stolen data being dumped after they refused to meet the ransom demand set by Maze. Nowadays, most of the ransomware gangs involved in this double featured attack have dedicated websites where they threaten to publish the data stolen from victims that are reluctant to pay up.

Maze website: the site where the Maze operators publish the exfiltrated data of their “clients”.

Characteristics of Maze ransomware

Maze ransomware was developed as a variant of ChaCha ransomware and was first identified by Malwarebytes Director of Threat Intelligence Jérôme Segura in May 2019. Since December 2019 the gang has been very active, claiming many high-profile victims in almost every vertical: finance, technology, telecommunications, healthcare, government, construction, hospitality, media and communications, utilities and energy, pharma and life sciences, education, insurance, wholesale, and legal.

The main forms of distribution for Maze are:

  • malspam campaigns utilizing weaponized attachments, mostly Word and Excel files
  • RDP brute force attacks

Initially, Maze was distributed through websites using exploit kits such as Fallout EK and Spelevo EK, which have been seen exploiting Flash Player vulnerabilities. The Maze operators have also used exploits against Pulse Secure VPN appliances, as well as the Windows VBScript Engine remote code execution vulnerability, to get into a network.

No matter which method was used to gain a foothold in the network, the next step for the Maze operators is to obtain elevated privileges, move laterally, and deploy file encryption across all drives. Before encrypting the data, however, the operators exfiltrate the files they come across. These files are then used as extra leverage, under threat of public exposure.

Maze uses two algorithms to encrypt the files, ChaCha20 and RSA: the symmetric cipher does the bulk encryption and RSA protects the keys, so they cannot be recovered from the encrypted files. After encryption the program appends a string of 4-7 random characters to each encrypted file. When the malware has finished encrypting all the targeted files, it changes the desktop wallpaper to this image:

Maze ransom desktop wallpaper

In addition, a voice message is played to the user of the affected system, alerting them of the encryption.

IOCs for Maze ransomware

Maze creates a file called DECRYPT-FILES.txt in each folder that contains encrypted files. It skips some folders, among which are:

  • %windir%
  • %programdata%
  • Program Files
  • %appdata%local

It also skips all files of the following types:

  • dll
  • exe
  • lnk
  • sys

This ransom note called DECRYPT-FILES.txt contains instructions for the victim:

Maze ransom note: the note explaining the attack and how to contact the criminals about getting files decrypted.

They then promise that:

After the payment the data will be removed from our disks and decryptor will be given to you, so you can restore all your files.

SHA-256 hashes:

19aaa6c900a5642941d4ebc309433e783befa4cccd1a5af8c86f6e257bf0a72e
6878f7bd90434ac5a76ac2208a5198ce1a60ae20e8505fc110bd8e42b3657d13
9ad15385f04a6d8dd58b4390e32d876070e339eee6b8da586852d7467514d1b1
b950db9229db2f37a7eb5368308de3aafcea0fd217c614daedb7f334292d801e
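The indicators above can be turned into a quick triage scan. The following Python script is an added example written for this page, not Malwarebytes code: it walks a directory tree, flags every DECRYPT-FILES.txt ransom note, hashes files against the four SHA-256 values listed above, and lists files whose names carry a short random extension appended after the original one (an assumption about how the “4-7 random characters” show up; the pattern is this example’s own, not something the post states). File types Maze skips (dll, exe, lnk, sys) are excluded from the extension heuristic. The directory tree it scans in demo() is constructed inline and contains no real malware.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# The four Maze sample hashes listed in the post.
MAZE_SHA256 = {
    "19aaa6c900a5642941d4ebc309433e783befa4cccd1a5af8c86f6e257bf0a72e",
    "6878f7bd90434ac5a76ac2208a5198ce1a60ae20e8505fc110bd8e42b3657d13",
    "9ad15385f04a6d8dd58b4390e32d876070e339eee6b8da586852d7467514d1b1",
    "b950db9229db2f37a7eb5368308de3aafcea0fd217c614daedb7f334292d801e",
}
RANSOM_NOTE = "DECRYPT-FILES.txt"
# Types Maze leaves alone, so they never get the appended extension.
SKIPPED_EXT = {".dll", ".exe", ".lnk", ".sys"}
# Assumption (not from the post): the 4-7 random characters appear as an
# extra extension after the original one, e.g. report.docx.Ab3x9.
APPENDED_EXT = re.compile(r"^[A-Za-z0-9]{4,7}$")


def sha256_of(path):
    """Stream a file through SHA-256 so large files are not loaded at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_encrypted(path):
    """True when a file has an original extension followed by a short random
    one, and the original type is not one Maze skips."""
    suffixes = Path(path).suffixes
    if len(suffixes) < 2:
        return False
    original, appended = suffixes[-2].lower(), suffixes[-1][1:]
    if original in SKIPPED_EXT:
        return False
    return bool(APPENDED_EXT.match(appended))


def scan_tree(root, ioc_hashes=MAZE_SHA256):
    """Walk root and collect ransom notes, IOC hash matches and suspect files."""
    findings = {"ransom_notes": [], "ioc_matches": [], "suspect_files": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name == RANSOM_NOTE:
                findings["ransom_notes"].append(str(p))
                continue
            if looks_encrypted(p):
                findings["suspect_files"].append(str(p))
            # Hash every other file too: a dropped binary may sit anywhere.
            if sha256_of(p) in ioc_hashes:
                findings["ioc_matches"].append(str(p))
    return findings


def demo():
    """Scan a constructed tree (no real malware); returns (findings, root)."""
    root = Path(tempfile.mkdtemp(prefix="maze-demo-"))
    (root / "docs").mkdir()
    (root / "docs" / RANSOM_NOTE).write_text("constructed ransom note")
    (root / "docs" / "report.docx.Ab3x9").write_bytes(b"\x00" * 32)  # suspect
    (root / "docs" / "tool.exe.Qwerty").write_bytes(b"MZ")          # exe: skipped type
    (root / "notes.txt").write_text("untouched file")
    sample = root / "sample.bin"
    sample.write_bytes(b"constructed stand-in for a dropped binary")
    # Add the stand-in's hash so the hash-match path is exercised offline.
    return scan_tree(root, MAZE_SHA256 | {sha256_of(sample)}), root


if __name__ == "__main__":
    for kind, paths in demo()[0].items():
        print(kind, paths)
```

The extension heuristic is deliberately loose and will flag some legitimate names that contain several dots (backup.2020.docx, for instance), so treat it as a triage signal to be confirmed by a ransom note or a hash match. A hash match, in turn, only catches these exact samples; the note and the appended extension are the more durable indicators.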

Protection

Malwarebytes protects users with a combination of different layers including one that stops the attack very early on and is completely signature-less.


Besides using Malwarebytes, we also recommend that you:

  • Deny access from public IP addresses to sensitive ports, starting with RDP (TCP 3389); RDP brute forcing is one of Maze’s documented ways in.
  • Allow access to such ports only from IP addresses under your control, such as your office egress range or VPN.
  • Along with RDP, block SMB (TCP 445) from the internet. In general, block every port you are not using.
  • Apply the latest Microsoft updates and keep the operating system and antivirus fully updated.
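The first three recommendations amount to one rule: RDP (3389) and SMB (445) must not be reachable from sources you do not control. Below is an added Python example, not code from Malwarebytes, that audits a list of inbound firewall or cloud security-group rules for exactly that. The rule shape (one dictionary per rule with direction, action, protocol, port and source), the sample rules and the allowed source ranges are all constructed for the example; adapt the loader to whatever your firewall or cloud provider exports.

```python
import ipaddress

# Ports the post says must not be reachable from the public internet.
SENSITIVE_PORTS = {3389: "RDP", 445: "SMB"}

# Source ranges under the organisation's control (assumed values; TEST-NET-3
# stands in for an office egress range, 10/8 for the internal/VPN network).
ALLOWED_SOURCES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("10.0.0.0/8"),
]

# Constructed export of inbound rules; the shape is this example's own,
# not any vendor's format.
SAMPLE_RULES = [
    {"name": "rdp-from-anywhere", "direction": "inbound", "action": "allow",
     "protocol": "tcp", "port": 3389, "source": "0.0.0.0/0"},
    {"name": "rdp-from-office", "direction": "inbound", "action": "allow",
     "protocol": "tcp", "port": 3389, "source": "203.0.113.0/24"},
    {"name": "legacy-low-ports", "direction": "inbound", "action": "allow",
     "protocol": "tcp", "port": "1-1024", "source": "198.51.100.7/32"},
    {"name": "https-public", "direction": "inbound", "action": "allow",
     "protocol": "tcp", "port": 443, "source": "0.0.0.0/0"},
    {"name": "deny-smb", "direction": "inbound", "action": "deny",
     "protocol": "tcp", "port": 445, "source": "0.0.0.0/0"},
]


def port_in_range(port, port_spec):
    """port_spec is an int, a 'lo-hi' string, or '*' for any port."""
    if port_spec == "*":
        return True
    if isinstance(port_spec, int):
        return port == port_spec
    lo, hi = (int(x) for x in str(port_spec).split("-"))
    return lo <= port <= hi


def source_is_controlled(cidr):
    """True only if the whole source range lies inside an allowed range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(a) for a in ALLOWED_SOURCES if a.version == net.version)


def audit_rules(rules):
    """Return (rule name, port, service, source) for each inbound allow rule
    that exposes a sensitive port to a source outside ALLOWED_SOURCES."""
    findings = []
    for rule in rules:
        if rule["direction"] != "inbound" or rule["action"] != "allow":
            continue
        if rule.get("protocol", "tcp") not in ("tcp", "*"):
            continue
        for port, service in SENSITIVE_PORTS.items():
            if port_in_range(port, rule["port"]) and not source_is_controlled(rule["source"]):
                findings.append((rule["name"], port, service, rule["source"]))
    return findings


if __name__ == "__main__":
    for name, port, service, source in audit_rules(SAMPLE_RULES):
        print(f"EXPOSED: rule {name!r} allows {service} ({port}/tcp) from {source}")
```

The audit is deliberately conservative: it flags every allow rule that exposes a sensitive port without modelling rule precedence, so an allow that happens to be shadowed by a higher-priority deny still shows up and has to be explained. Note also that the broad “1-1024” rule is caught even though nobody wrote “445” anywhere, which is how SMB usually ends up exposed. Keep the allowed-source list to ranges you actually own; “allow from the whole ISP block” is not control.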

Payments

While our advice, as always, is not to pay the criminals, since doing so keeps their business model alive, we do understand that missing crucial files can be a compelling reason to pay anyway. And with the twist of publishing exfiltrated data that the Maze operators introduced, there is an extra reason at hand. Throwing confidential data online has proven to be effective extra persuasion, as many organizations can’t afford to have it publicly available.

Stay safe, everyone!

The post Maze: the ransomware that introduced an extra twist appeared first on Malwarebytes Labs.

The best test for an EDR solution is one that works for you

Since its inception, the endpoint detection and response (EDR) market has evolved rapidly with new innovations to better address the cyber landscape and meet customers’ needs for an effective and simple solution that just works.

But finding something that just works means something quite different for every business, depending on their size, security expertise, and requirements.

Collectively, the EDR market has experienced three sizable waves of innovation:

Wave 1: event visibility

With the market introduction of EDR solutions, the first innovation wave focused on providing security teams with visibility into all events that happen in the organization.

The predominant use case of a “first wave” EDR product is for the end user to search among millions of events and hope to find the “needle in the haystack” event that was critical and actionable.

However, this type of detection and response approach failed to provide enough relevant context or actionable intelligence for it to be useful for organizations with a security team of any size or skill level. Instead, the first wave of EDR solutions were mainly adopted by organizations with extremely experienced incident response investigators and Security Operations Center (SOC) teams with level 3-trained analysts who could apply the EDR event visibility as an additional datapoint during an attack investigation.

Wave 2: event alerting

Most EDR products in the market today are second-innovation-wave offerings. To address the first wave’s “needle in the haystack” usability shortcomings, EDR products added alert capabilities alongside the vast sea of event visibility and context.

However, these EDR offerings are not fully automated and are known to cause alert fatigue, as the alerts are not correlated to an actionable remediation process. Practical use in incident response requires a SOC level 2 analyst to analyze and investigate each detection in depth, to determine whether it is critical or actionable, before closing the ticket.

What has the third wave introduced?

The EDR market is beginning to see some vendors—in a third wave of innovation—largely focus on democratizing security with usability and automation enhancements that make EDR an effective tool for organizations large and small and with security teams of any skill level.

There have been several market drivers creating the need for this third wave. First, with advances in attacker tools, cyber criminals have expanded their attack targets from enterprise-sized organizations to equally include small- and medium-sized businesses. In fact, small business victims now account for 43% of all corporate data breaches according to Verizon’s 2019 Data Breach Investigation Report. In parallel, the market has continued to see a widening and unsustainable gap in the available cyber security staff, which (ISC)2 is now estimating at a global workforce shortage of 4.07 million.

With the number and severity of attacks increasing, combined with the pervasive lack of available or highly skilled cybersecurity staff, demand has increased for EDR solutions that can address these issues. Third-wave-EDR products strive to meet that need with the inclusion of:

  • Actionability

The third wave of EDR products finds us at the height of automation’s promise, raising only actionable alerts to the end user. The premise is that the visibility and context of the first and second EDR waves are important but shouldn’t get in the way of actionability. Without actionability, an EDR product becomes unusable by organizations that don’t have large or advanced security teams to investigate these tens of thousands of daily events.

  • Automation

This latest wave of EDR products has achieved the Herculean task of fully automating EDR—from detection through to remediation—to support small-to-medium organizations without a large security team, enabling them to benefit from the same advanced EDR technology that has been in use by organizations with trained security personnel.

  • Comprehensive security

Third wave EDR products provide a tightly integrated set of capabilities to effectively manage the attack chain—from proactive protection to detection of a suspicious activity and automated incident response. These capabilities create an ecosystem that informs, learns, and adapts from itself, so, in essence, the whole security stack is greater than the sum of the parts.

Third-party testing

With these waves of EDR innovations, how do third-party test labs play a role in the selection process?

To aid companies in their search, third-party evaluation and testing resources have been available to help prospective buyers narrow the field in vendor selection. The unique paradox with these resources is that the testing methodologies are designed with a specific and narrowly defined scope to “even the playing field,” which, in turn, typically renders the testing one step behind the latest, cutting-edge EDR innovation. This makes sense, of course, because test centers cannot adapt their standardized methodologies until after they have seen and understood the latest EDR advances.

Given that the EDR market has moved into its third wave, testing labs will also need to adapt their evaluation and testing criteria to incorporate these innovations.

For example:

  • Actionability vs. alert fatigue

Tests will need to discern between actionability and alert fatigue. The third wave of EDR products are focused on providing a customer-centric approach that makes security accessible and easy for organizations of all sizes, with security teams of all capabilities.

In terms of testing, that means avoiding alert fatigue by sharing only actionable detections found within suspicious activity—those that are most relevant to ultimately prevent an attack. These solutions provide additional drill-down search options to view detections if a security analyst wants to dig into them, and third-wave testing criteria should incorporate the concept of a “primary UI event notification” vs. a “secondary UI for searching additional detections.”

  • Testing the whole and not the separate parts for effectiveness

Tests will need to focus on the overall efficacy of the solution that evaluates the integrated EDR ecosystem of protection, detection, and remediation working together as they were designed for real world functionality, rather than creating artificial product deficits by shutting off part of the system, such as protection, in order to narrowly test detection capabilities.

How can companies navigate this reality?

Third-party tests are a good resource to understand how different solutions fare against a specific testing methodology. Yet, because the tests innovate a cycle behind the technology they’re intended to evaluate, ultimately, no standardized test is as good as doing a solid proof of concept in an organization’s live environment.

In the same way that companies turn to trusted colleagues and community resources—like Spiceworks and Reddit forums—when finding suggestions on good EDR solutions, third party tests provide a valuable, similar resource: to serve as a compass guide on the top group of EDR solutions to evaluate.

When evaluating EDR solutions, organizations should focus on selecting a vendor with a detection and remediation strategy that aligns with their objectives. Some criteria to consider when developing an EDR evaluation include:

  1. Identify the risks: where is all the sensitive data located and what are the routes to that data?
  2. Prioritize protection on the data that matters: sensitive organizational and customer data.
  3. Consider the level of available security expertise. Most organizations don’t have enough cyber security experts, so evaluations should look at the solution’s complexity level. Does it require additional integrations, have a complex UI, or need additional skillset to operate?
  4. Consider the vendor’s brand and reputation on peer-review sites, such as G2Crowd, Gartner Peer Insights, and Capterra.
  5. Choose the solution or solutions to evaluate that have the capabilities that align with the defined criteria.

In the end, once an organization has narrowed the field of EDR solutions to the group that they want to evaluate, nothing can replace the experience of conducting a live test to see how the product stands up in their unique environment, against their real-time attacks, and with their trusted team learning to navigate the solution to see how easy or difficult it is to manage.

EDR has grown at a blistering pace to do one thing—help you and your business detect, prevent, and remediate cyber threats. By better understanding the testing landscape today, you can better deliver on your EDR results tomorrow.

The post The best test for an EDR solution is one that works for you appeared first on Malwarebytes Labs.

Coalition Against Stalkerware bulks up global membership

Today, the Coalition Against Stalkerware brought aboard 11 new organizations to address the potentially dangerous capabilities of stalkerware, an invasive, digital threat that can rob individuals of their expectation of, and right to, privacy. These types of apps can provide domestic abusers with a new avenue of control over their survivors’ lives, granting wrongful, unfettered access to text messages, phone calls, emails, GPS location data, and online browsing behavior.

Founded last year, the Coalition Against Stalkerware brings together cybersecurity vendors, domestic violence organizations, and digital rights advocates.

Since its launch, Coalition members have published updated statistics on stalkerware-type apps, conducted vital research on their popularity, and informed journalists about why this subject matters. Further, the Coalition’s founding cybersecurity members—including Malwarebytes—have worked together to share intelligence to improve their products. This month, Malwarebytes also offered a remote training about mobile device security for the San Mateo-based nonprofit Community Overcoming Relationship Abuse.

Today, the Coalition grows larger and stronger. We welcome Anonyome Labs, AppEsteem Corporation, Bundesverband Frauenberatungsstellen und Frauennotrufe (bff), Centre Hubertine Auclert, Copperhead, Corrata, Commonwealth Peoples’ Association of Uganda, Cyber Peace Foundation, F-Secure, Illinois Stalking Advocacy Center, and AEquitas with its Stalking Prevention, Awareness, and Resource Center (SPARC).

With the new additions, the Coalition Against Stalkerware is now 21 partners strong, with participation in the United States, Canada, Ireland, India, Uganda, France, Germany, and Greece. We are also represented within a network of support groups spread across Switzerland, Bulgaria, Slovakia, Norway, Georgia, Moldova, Italy, Austria, Cyprus, and Bosnia.

This global support comes at a necessary time.

In late January, the world shifted. More and more governments implemented shelter-in-place orders to prevent the spread of coronavirus. These efforts are for the public’s safety—attempts to slow down an illness deadlier and more contagious than the flu. But for survivors of domestic abuse, harm comes not just from the outside world—sometimes it lives at the same address.

In China, the non-governmental organization Equality, which works to stop violence against women, reported increased call volume to its support hotline. In Spain, a similar uptick of 18 percent occurred. And in France, police reported a 30 percent surge in domestic violence across the nation.

These issues are worldwide. Support can be local.

The Coalition already depends on multidisciplinary expertise to better understand and address the threat of stalkerware. We lean on domestic abuse advocates to learn about why there is no one-size-fits-all solution to these problems, and why we, as cybersecurity vendors, should not presume that all domestic abuse survivors can comfortably access the malware-scanning tools we build. We lean on digital rights experts to inform us about how these types of potentially invasive apps intersect with the law, and potentially violate our rights. And we lean on one another in the cybersecurity industry to improve our products to detect stalkerware-type apps.

With today’s additions, we’re expanding our approach to multidisciplinary expertise. We are leaning on experts who support survivors in languages we sometimes don’t speak, and who, through decades of committed work, have built immeasurable trust within their communities beyond our current reach.

We work better when we work together.

The post Coalition Against Stalkerware bulks up global membership appeared first on Malwarebytes Labs.

Lock and Code S1Ep7: Sounding the trumpet on web browser privacy with Pieter Arntz

This week on Lock and Code, we discuss the top security headlines generated right here on Labs and around the Internet. In addition, we talk to Pieter Arntz, malware intelligence researcher at Malwarebytes, about web browser privacy—an often neglected subcategory of data privacy. Without the proper restrictions, browsers can allow web trackers to follow you around the Internet, resulting in that curious ad seeming to find you from website to website. But, according to Arntz, there are ways to fight back.

Tune in for all this and more on the latest episode of Lock and Code, with host David Ruiz.

You can also find us on the Apple iTunes store, on Google Play Music, plus whatever preferred podcast platform you use.

Stay safe, everyone!

The post Lock and Code S1Ep7: Sounding the trumpet on web browser privacy with Pieter Arntz appeared first on Malwarebytes Labs.

Going dark: encryption and law enforcement

UPDATE, 05/22/2020: With the advent of the EARN IT Act, the debate on government subversion of encryption has reignited. Given that the material conditions of the technology have not changed, and the arguments given in favor of the bill are not novel, we’ve decided to republish the following blog outlining our stance on the subject.

Originally published July 25, 2017

We’re hearing it a lot lately: encryption is an insurmountable roadblock between law enforcement and keeping us safe. They can’t gather intelligence on terrorists because they use encryption. They can’t convict criminals because they won’t hand over encryption keys. They can’t stop bad things from happening because bad guys won’t unlock their phones. Therefore—strictly to keep us safe—the tech industry must provide them with means to weaken, circumvent, or otherwise subvert encryption, all for the public good. No “backdoors”, mind you; they simply want a way for encryption to work for good people, but not bad. This is dangerous nonsense, for a lot of reasons.

1. It’s technically incorrect


Encryption sustains its value by providing an end to end protection of data, as well as what we call “data at rest.” Governments have asked for both means of observing data in transit, as well as retrieving data at rest on devices of interest. They also insist that they have no interest in weakening encryption as a whole, but just in retrieving the information they need for an investigation. From a technical perspective, this is contradictory gibberish. An encryption algorithm either encodes sensitive data or it doesn’t—the only method for allowing a third-party to gain access to plain-text data would be to either provide them with the private keys of the communicants in question or maintain an exploitable flaw in the algorithm that a third-party could take advantage of. Despite government protestations to the contrary, this makes intuitive sense: how could you possibly generate encryption secure against one party (hackers) but not another (government)? Algorithms cannot discern good intentions, so they must be secure against everyone.

2. They have a myriad of other options to get what they need


Let’s assume for a moment that a government entity has a reasonable suspicion that a crime has been committed, a reasonable certainty that a certain person did it, and a reasonable suspicion that evidence leading to a conviction lies on an encrypted device. Historically, government entities have not checked all these boxes before attempting to subvert decryption, but let’s give them the benefit of the doubt for the moment. Options available to various levels of law enforcement and/or intelligence include, but are not limited to:

  • Eavesdropping on unencrypted or misconfigured comms of a suspect’s contact
  • Collecting unencrypted metadata to characterize the encrypted data
  • Detaining the suspect indefinitely until they “voluntarily” decrypt the device
  • Geolocation to place the suspect in proximity to the crime
  • Link analysis to place the suspect in social contact with confirmed criminals
  • Grabbing unencrypted data at rest from compliant third party providers
  • Eavesdropping on other channels where the suspect describes the encrypted data
  • Wrench decryption

Given the panoply of tools available to the authorities, why would they need to start an investigation by breaking the one tool available to the average user that keeps their data safe from hackers?

3. They’re not really “going dark”


In 1993, a cryptographic device called the “clipper chip” was proposed by the government to encrypt data while holding private keys in a “key escrow” controlled by law enforcement. Rather than breaking the encryption, law enforcement would have simply had a decryption key available. For everyone. An academic analysis of why this was a stunningly bad idea can be found here.

Given that this program was shuttered in response to overwhelmingly negative public opinion, have law enforcement and intelligence agencies been unable to collect data for the past 24 years? Or have they turned to the other investigatory tools available to them as appropriate?

4. If we do give them a backdoor, what would they do with it?

1984-style heavy-handed tactics are unlikely at the present time, but a government breach that results in loss of control of the backdoor? Much more likely. The breach at OPM most likely endangered the information of up to a third of adult Americans, depending on who and how you count. (We don’t know for sure because the government didn’t say how they counted.) That breach involved data of sensitive, valuable government employees. Would they do any better with a backdoor that impacts technology used by pretty much everyone?

No, they wouldn’t.

Let’s take a look at how they secure their own networks, post OPM. Oh dear….

If the most powerful and richest government in the world cannot secure their own classified data, why should we trust them with ours? The former head of the FBI once called for an “adult conversation” on encryption. We agree. So here’s a modest counter-proposal:

  • Stop over-classifying cyberthreat intelligence. The security community cannot fix what it does not know. Threat intelligence over a year old is effectively worthless.
  • Send subject matter experts to participate in ISACs, not “liaisons.”
  • Collaborate in the ISACs in good faith: shared intelligence should have context and collaboration should extend beyond lists of IOCs.
  • Exchange analytic tradecraft: analysts in the government often use techniques that while obscure, are not classified. This will improve tradecraft on both sides.
  • Meet the DHS standard for securing your own machines, classified or otherwise. No one would trust someone with a key escrow if those keys are held in a leaky colander.

We think these are reasonable requests that can help keep people safe, without breaking the encryption the world relies on daily to do business, conduct private conversations, and on occasion, express thoughts without fear of reprisal. We hope you agree.

The post Going dark: encryption and law enforcement appeared first on Malwarebytes Labs.

Shining a light on “Silent Night” Zloader/Zbot

When it comes to banking Trojans, ZeuS is probably the most famous one ever released. Since its source code originally leaked in 2011, several new variants proliferated online. That includes a past fork called Terdot Zbot/Zloader, which we extensively covered in 2017.

But recently, we observed another bot, with a design reminiscent of ZeuS, that seems to be fairly new (a 1.0 version was compiled at the end of November 2019), and is actively developed.

We decided to investigate.

Since the specific name of this malware was unknown among researchers for a long time, it happened to be referenced by a generic term Zloader/Zbot (a common name used to refer to any malware related to the ZeuS family).

Our investigation led us to find that this is a new family built upon the ZeuS heritage, being sold under the name “Silent Night,” perhaps in reference to a biochemical weapon used in the 2002 movie xXx.

The initial sample is a downloader, fetching the core malicious module and injecting it into various running processes. We can also see several legitimate components involved, just like in Terdot’s case.

In our newly published paper, which we produced in collaboration with HYAS, we take a deep dive into the functionality of this malware and its Command-and-Control (C2) panel. We provide a way to cluster the samples based on the values in the bot’s config files, while also comparing “Silent Night” with some other Zbots that have been popular in recent years, including Terdot.

Download the full report (PDF)

The post Shining a light on “Silent Night” Zloader/Zbot appeared first on Malwarebytes Labs.

10 best practices for MSPs to secure their clients and themselves from ransomware

Lock-downs and social distancing may be on, but when it comes to addressing the need for IT support—whether by current or potential clients—it’s business as usual for MSPs.

And, boy, is it a struggle.

On the one hand, they keep an eye on their remote workers to ensure they’re still doing their job securely and safely in the comfort of their own homes. On the other hand, they must also address the ever-present threats of cybercrime. Although some threat actors were vocal about easing off on targeting hospitals and other organizations that are key to helping societies move forward again, sadly not all of them are like this.

Letting up and turning a blind eye to such groups is almost tantamount to not keeping security in mind when safeguarding your organization’s future. Ransomware, in particular, has impacted the business world—MSPs included—unlike any other malware type. For business-to-business (B2B) companies, not protecting themselves or their clients against it is simply not an option.

Why abide by best cybersecurity practices

The majority of what impacts MSPs in the event of a breach is not that different from what affects other B2B entities that keep data of their clients. MSPs are preferred targets because of the eventual cascade of successful infiltration they promise to threat actors. Traditionally, cybercrime groups target multiple companies, usually fashioning their campaigns based on intel they gleaned about them. For attackers, hitting one MSP is tantamount to hitting multiple companies at the same time with significantly lower effort and exponentially higher gain.

In the event of a ransomware attack, MSPs will have to face:

  • Potential loss of data. Attacks threaten not just the data that belongs to the MSP, but also those of their clients.
  • Cessation of services. An MSP suffering from a ransomware attack wouldn’t be able to provide service to their many business clients, who in turn also need support for their IT needs. The lack of support leaves them vulnerable to attacks.
  • Loss of time. Time is an asset that is best used in providing the best service an MSP can offer. So, the more time spent attempting to recover from a ransomware attack, the less MSPs earn.
  • High financial cost. Mitigating and remediating from a ransomware attack can be exorbitantly expensive. A lot of hardware may need replacing; third-party companies, fines and penalties, and lawsuits may need paying; and a good PR firm to help salvage the company’s reputation post-breach may need hiring.
  • A crisis of credibility. Customers decide whether they stay with their current MSP or move to a new, more secure one, post-breach. Losing clients can deal a heavy blow to any business. And it can get worse if the word is out about an MSP and it hasn’t done anything to address its problems.

To serve and protect: a call for MSPs, too

To best protect their clients, MSPs must first protect themselves. Here are 10 best practices we advise them to take.

Educate your employees. Education shouldn’t stop with their clients; it should start within their own backyard. Remember, what employees don’t know may get the company in trouble.

Undergo cybersecurity training for two reasons: [1] to further aid their clients, as more and more are expecting MSPs to provide this kind of service in addition to what they already offer, and [2] to have a general knowledge of basic computing hygiene, which, when practiced, will greatly help protect the MSP from online threats such as phishing.

Keeping your employees apprised of the latest threats will put MSPs on top of providing support to clients. Continuously simulating threats within their environment will also keep employee knowledge sharp and employees more adaptable when situations call for it.

Invest in solutions that will protect you at your weak points. Threat actors see MSPs as low-hanging fruit due to their sometimes poor security hygiene and outdated systems. Needless to say, MSPs must protect their assets like any other business.

To take this step, MSPs must first recognize what their assets are and find out where they lack protection. This means potentially hiring a third party to do an audit or conduct a penetration test. For example, if a security inspection reveals that the MSP is not using a firewall to protect their servers, they may be advised to place one at the perimeter of high-risk networks. Moreover, placing firewalls between endpoints within the network limits host-to-host communication.

A full security suite that actively scans for malware, blocks potentially dubious URLs, quarantines malicious threats, and protects their employees from emails with malicious attachments and potentially harmful media can help in nipping online threats that target MSPs in the bud.

Back up sensitive files and data regularly. While backing up files is expected to be a staple service from MSPs, it is unfortunately largely overlooked.

According to a 2017 report from The 2112 Group and Barracuda, only 29 percent of MSPs back up data.

It has become essential now more than ever for MSPs to prioritize creating a backup strategy in their repertoire if they want to better protect their clients and address complications posed by ransomware. We recommend an effective three-point plan to guide you further.

Patch, patch, and patch some more. Some MSPs may just be inexperienced at protecting their own systems and thus miss out on updating their operating system and other software.

According to a 2018 study by the Ponemon Institute, 57 percent of companies that suffered a breach in the previous year said the breach was possibly caused by poor patch management. Worse, 34 percent of these had already known of their software vulnerabilities before they were attacked. This suggests that even when a patch is available for software an MSP uses, they either don’t apply it or manage patching poorly.

As you may already know, it’s not difficult for anyone to go through an open door the same way that it doesn’t take a genius to find out and exploit a software flaw—there’s a tool for that, after all.

MSPs should create a great patch management strategy and stick to it. But if they think this is too much to handle, scope out a good third-party provider that could do the job just as well.

Restrict or limit accounts with clients. It’s tragic that many companies hit with ransomware—MSPs included—are confirmed to have been compromised through the use of stolen credentials, which are gained primarily via phishing. The point here is twofold: MSPs must know their limits when in a client network, and clients in turn must ensure that their MSP adheres to the password and permission management best practices the company already has in place.

There are several ways organizations can limit MSPs regarding what they’re authorized to do and how deep in the network they’re allowed to go. MSP accounts must be removed from enterprise (EA) or domain administrator (DA) groups. Give them only the bare minimum access to systems they service. Client organizations should also restrict MSP accounts using time, such as setting an expiration date and time for MSP accounts based on the end-of-contract date; temporarily disabling accounts until their work is needed; and restricting MSP service hours only within business hours if this is required.

Isolate networks with servers housing sensitive information. MSPs should know better than to connect all their servers, including those where they keep extremely sensitive data of their customers and logs, to one network that is also public facing. Not only will this put their data at risk of being affected in the event of breach, there is also the possibility that someone who doesn’t have ill intent may stumble across the data online—especially if the MSP hasn’t secured it properly.

In the event of a threat actor successfully infiltrating an MSP, network segmentation will serve as a barrier between them and the MSP’s critical servers. Done right, this will not only prevent a potential outbreak from spreading further within the network but also hinder the bad guys—and malicious insiders—from viewing or grabbing sensitive data.

Monitor network activity continuously. Knowing that they are now targets, MSPs must invest in resources that provide 24/7 network monitoring and logging. This way, anomalies and unusual behavior within the network—usually an indication of a possible attack—become a lot easier to spot and investigate. To benchmark what normal traffic looks like within an MSP’s environments, they may need the aid of third-party platforms to create a baseline and alert them to network activity found to be out of the ordinary.

Enable multi-factor authentication (MFA). Username and password combinations are no longer enough to secure the types of sensitive data that MSPs are expected to protect. A layered approach to putting data under lock and key is an essential need, and there are multiple methods of authentication that MSPs can choose from that they can couple with those credentials.

Disable or remove inactive accounts. You’d think it would only be practical to remove or disable accounts of former employees. Yet, it is easy to forget or procrastinate on spring cleaning accounts, especially when the MSP is already swamped with high priority tasks. Perhaps they have forgotten that this, although simple to do, is also a critical task.

Having a good account management system or process in place should have this sorted. After all, threat actors only need a tiny opening to exploit, and an MSP’s goal—like any other business’s, cybersecurity-wise—is to make itself a hard target by making it as difficult as possible for threat actors to infiltrate them.
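The account restrictions described above (removing MSP accounts from domain and enterprise admin groups, expiring them at contract end, disabling them until needed, confining them to business hours) and the spring-cleaning of inactive accounts can all be applied with the ActiveDirectory PowerShell module. The following is an added example written for this article, not a script from the Malwarebytes post or from any MSP tooling; the group name "MSP-Vendor", the contract end date and the 90-day inactivity window are assumed placeholders, and the `logonHours` bit layout is described in the comments so it can be verified against your own domain.

```powershell
# Added example (not from the original post): apply the MSP account restrictions
# discussed above with the ActiveDirectory module. Assumed/hypothetical values:
# the "MSP-Vendor" group, the contract end date and the 90-day inactivity window.
Import-Module ActiveDirectory

$ContractEnd = Get-Date '2020-12-31'                   # hypothetical end-of-contract date
$MspGroup    = 'MSP-Vendor'                            # hypothetical group holding all MSP accounts
$PrivGroups  = 'Domain Admins', 'Enterprise Admins'

# 1. Least privilege: pull every MSP account out of the DA/EA groups.
$MspAccounts = Get-ADGroupMember -Identity $MspGroup -Recursive |
    Where-Object objectClass -eq 'user'
foreach ($group in $PrivGroups) {
    $members   = Get-ADGroupMember -Identity $group | Where-Object objectClass -eq 'user'
    $offenders = $members | Where-Object { $_.SamAccountName -in $MspAccounts.SamAccountName }
    foreach ($acct in $offenders) {
        Write-Host "Removing $($acct.SamAccountName) from $group"
        Remove-ADGroupMember -Identity $group -Members $acct -Confirm:$false
    }
}

# 2. Time-box the accounts: expire them at contract end and keep them disabled
#    until the MSP has a ticket to work (re-enable per ticket with Enable-ADAccount).
foreach ($acct in $MspAccounts) {
    Set-ADAccountExpiration -Identity $acct -DateTime $ContractEnd
    Disable-ADAccount -Identity $acct
}

# 3. Service hours only: logonHours is 21 bytes, one bit per hour of the week,
#    byte 0 bit 0 = Sunday 00:00. Active Directory stores it in UTC, so shift
#    the window to match your local offset before applying it.
function New-LogonHoursMask {
    param([int]$StartHour, [int]$EndHour)   # EndHour is exclusive, e.g. 8..18 = 08:00-17:59
    $mask = New-Object byte[] 21
    foreach ($day in 1..5) {                 # Monday (1) through Friday (5)
        foreach ($hour in $StartHour..($EndHour - 1)) {
            $bit  = $day * 24 + $hour
            $byte = [int][math]::Floor($bit / 8)
            $mask[$byte] = $mask[$byte] -bor (1 -shl ($bit % 8))
        }
    }
    return $mask
}
$BusinessHours = New-LogonHoursMask -StartHour 8 -EndHour 18
foreach ($acct in $MspAccounts) {
    Set-ADUser -Identity $acct -Replace @{ logonHours = $BusinessHours }
}

# 4. Spring cleaning: list every enabled user account idle for 90+ days, which
#    catches former employees and forgotten vendor logins alike, then disable them.
$Stale = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays(90)) -UsersOnly |
    Where-Object { $_.Enabled }
$Stale | Select-Object SamAccountName, LastLogonDate | Format-Table -AutoSize
$Stale | Disable-ADAccount -WhatIf   # drop -WhatIf once the list has been reviewed
```

Run it from a workstation with RSAT installed under an account that can modify group membership, and leave the `-WhatIf` on the final step until the stale-account list has been reviewed, since service accounts that log on through non-interactive means can show up as inactive even when they are in daily use.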

Avoid shortcuts. While it’s tempting to cut corners or take unsecured shortcuts, especially in situations that seem to invite them, it’s important for MSPs to step back and realize that such measures may give them the benefit they expect, but the risks will also increase.

For example: a stressed and busy MSP employee uses an access utility instead of loading up a VPN to apply an update on a client’s server. Only this time, he forgets to close the opening he created with the utility. While the task he was assigned to do is done, he also left his client’s server vulnerable.

Great expectations

Clients are expecting a lot from MSPs, relying on them for everything and looking to them as the technology and service experts who understand their security needs and how to address them. Yet often, those expectations aren’t met.

MSPs, it’s time to gain competitive advantage in your space by ensuring that your company is as secure as it can be, so you can better give security advice, measures, and aid to the clients you serve. In the end, you can’t give security if you don’t have it yourself.

The post 10 best practices for MSPs to secure their clients and themselves from ransomware appeared first on Malwarebytes Labs.