IT News


End of line: supporting IoT in the home

Trouble is potentially brewing in Internet of Things (IoT) land, even if the consequences may still be a little way off. System updates and issues surrounding expiring certificates will pose problems for manufacturers and headaches for consumers.

System updates for fun and profit

One of the first mainstream collisions of putting updates out to pasture and angry device owners yelling “Why doesn’t this work anymore” was probably at the tail end of 2019 and involved streaming giant Netflix. If you have internet connected devices, then those devices will require updating. It may be a security issue, it could be a UI redesign, perhaps the code deep down in the guts between the backend and what you see in front of you has had a change cascading its way through how everything operates.

People realised this very quickly when Netflix started letting people know their TVs would no longer work quite how they had previously. This approach makes sense; there’s only so much you can do with older bits and pieces of hardware in the face of the ever-present march of the new. At some point, it simply won’t be able to cut the mustard, and then (best case scenario) you’re having to fall back on third-party apps instead of official solutions. That could end up being a security risk all by itself.

Not so smart device?

White goods like fridges, freezers, and more general kitchen equipment around the home, are usually pretty expensive. Devices with IoT tech in them, even more so. You’re paying a premium for functionality you may not use that often. It’s likely some folks buy IoT devices for the home without even knowing they possess said capability. It’d certainly go some way to explaining why so many of these things are found online, unsecured, with no password (or a fixed password easily Googled).

Into this hot mess step a number of expectations, primary among them how long you can expect the device to be supported. We’re not talking about apps allowing you to perform smaller tasks so much as core functionality. Namely: how long will manufacturers ensure our IoT device, all hooked up to the big wide web, keeps ticking over? Not only in terms of “does it work”, but also “is it still secure?”

As always, the devil is in the details (or at least some additional information).

Mapping out the end times

Planned obsolescence is something that’s been around in tech circles for years. The basic idea is to keep making money by building some form of limited shelf life into a device, in a way which makes you continually fork over cash above and beyond the original purchase…because you’re now onto the next one…and the one after that…and the latest model does a handful of new things, so you’d better buy that too…

You get the idea. Design cycles become shorter, new product releases are rushed out the door, potentially filled with bugs, leaving you to wonder if the new additions could’ve been included in the product you already own.

The addition of more new and intricate technology in white goods is arguably adding to the list of things which could break and/or go wrong over time. Reliance on the ever-shifting sands of the Internet also means things will simply go out of date a lot faster than if it were a plain old washing machine, tumble drier, or fridge.

It’s wise not to become too wrapped up in conspiracy theories on this subject; some caution is advised. By the same token, this is absolutely a thing that happens and major organisations have caught some heat for it.

Even so, we’re now at a point where IoT is firmly established in homes whether we like it or not. More of our devices are becoming internet connected; even if you purposely go out of your way to avoid it, chances are you’ll begrudgingly get stuck with it at some point. For most people in that situation, it tends to end up being a television set. However, the IoT sky is the limit and it could be pretty much anything, really.

Behold my impressive collection of legal documents

At this point, we’re at warranties and guarantees. These can differ greatly with regards to protection depending on where you live, but they are typically tied to laws relevant to your area. You’d think it’d be straightforward; in actual fact, it’s more along the lines of Cole Porter singing Anything Goes as he desperately tries to make sense of 600 pages of legalese.

More often than not, the extended warranty is what offers the most protection. It’s also the one which involves handing over more money, registering on the website, sending off a card, or just forgetting to do any of those previously mentioned then panicking when the toaster explodes.

With all that new IoT tech inside your washing machine, you may well be more likely to want extra protection in the event of things going wrong. One slight annoyance, Cole Porter yells from behind his impressive collection of legal documents: will that fancy extended 7-year warranty outlive the IoT tech in your fridge?

Going back to the above article, it’s all a bit worryingly vague. When asked how long support can be expected, answers range from “issued as required,” to “up to ten years,” and at least one vendor who said “a maximum of two years,” with the not massively reassuring caveat that support is not limited to two years.

Glad we’ve cleared that one up, then. Thanks, Cole.

As per the Which? report’s advice, you may have to start asking manufacturers exactly how long the IoT tech in a device will be supported versus how long your warranty runs for. Good luck.

Be certain with your certificates

SSL certificates help keep the web safe by firing up the old encryption cannon and ensuring everything you do is kept from prying eyes, be it regular browsing, online banking, gaming, or just streaming some TV shows. The problem is, lots of those certificates are due to expire in the next few years and all of those IoT devices in your home making use of them could be caught in the fallout.

Such a thing impacted users of Roku, who found an expiring certificate broke their service. More general warnings of certificate expiration peg the next big fallout sometime around the tail end of 2021. I, for one, am looking forward to the immense joy gleaned from being told by text that the SSL certificate on my fridge freezer has expired and I’ll have to fix it myself.

A televisual turning point

With all of the above becoming things for a harried shopper to consider, it’s worth remembering that the smart in some devices gives manufacturers additional valuable data on people buying their things. I hope you like adverts the moment you fire up your TV, or the big box in your front room watching pretty much everything you do related to it.

It’s in their interest to push digital into as many devices as possible, and manufacturers already claim that stripping out smart tech that older models never had would make said devices more expensive. Put simply: it isn’t going away anytime soon.

Warranties which may not warranty, certificates which might fail to certify, lifespans which don’t match the length of cover promised, and data harvested and fed into advertisements to try and upsell more smart tech. That’s the current lie of the land when you next go out to replace that 5-year-old fridge in need of patching up.

Should you figure it out, please let us know – I think we’d all appreciate the helping hand.

The post End of line: supporting IoT in the home appeared first on Malwarebytes Labs.

Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature

This blog post was authored by Hossein Jazi and Jérôme Segura

On June 10, we found a malicious Word document disguised as a resume that uses template injection to drop a .Net loader. This is the first part of a multi-stage attack that we believe is associated with an APT group. In the last stage, the threat actors used Cobalt Strike’s Malleable C2 feature to download the final payload and perform C2 communications.

This attack is particularly clever for its evasion techniques. For instance, we observed an intentional delay in executing the payload from the malicious Word macro. The goal is not to compromise the victim right away, but instead to wait until they restart their machine. Additionally, by hiding shellcode within an innocuous JavaScript and loading it without touching the disk, this APT group can further thwart detection from security products.

Lure with delayed code execution

The lure document was probably distributed through spear phishing emails as a resume from a person allegedly named “Anadia Waleed.” At first, we believed it was targeting India but it is possible that the intended victims could be more widespread.

Figure 1: Resume

The malicious document uses template injection to download a remote template from the following url:

https://yenile[.]asia/YOOMANHOWYOUDARE/indexb.dotm

Figure 2: Template injection

The domain used to host the remote template was registered on February 29, 2020 by someone from Hong Kong. Creation time for the document is 15 days after this domain registration.

The downloaded template, “indexa.dotm”, has an embedded macro with five functions:

  • Document_Open
  • VBA_and_Replace
  • Base64Decode
  • ChangeFontSize
  • FileFolderExist

The following shows the function graph of the embedded macro.

Figure 3: Macro functions graph

The main function is Document_open which is executed upon opening the file. This function drops three files into the victim’s machine:

  • Ecmd.exe: UserForm1 and UserForm2 contain two Base64-encoded payloads. Depending on the version of the .Net framework installed on the victim’s machine, the content of UserForm1 (for .Net v3.5) or UserForm2 (other versions) is decoded and stored in “C:\ProgramData”.
  • cf.ini: The content of the “cf.ini” file is extracted from UserForm3 and is AES encrypted, which later on is decrypted by ecmd.exe.
  • ecmd.exe.lnk: This is a shortcut file for “ecmd.exe” and is created after Base64 decoding the content of UserForm4. This file is dropped in the Startup directory as a trigger and persistence mechanism.

Ecmd.exe is not executed until after the machine reboots.

Figure 4: Document_Open
Figure 5: Custom Base64 decode function

ChangeFontSize and VBA_and_Replace functions are not malicious and probably have been copied from public resources [1, 2] to mislead static scanners.

Intermediary loader

Ecmd.exe is a .Net executable that pretends to be an ESET command line utility. The following images show the binary certificates, debugger and version information.

The executable has been signed with an invalid certificate to mimic ESET, and its version information shows that this is an “ESET command line interface” tool (Figure 6-8).

Figure 6: Certificate information
Figure 7: Version information
Figure 8: Debugger information

ecmd.exe is a small loader that decrypts and executes the AES-encrypted cf.ini file mentioned earlier. It checks the country of the victim’s machine by making an HTTP POST request to “http://ip-api.com/xml”. It then parses the XML response and extracts the country code.

Figure 9: Getcon function: makes an HTTP POST request to “ip-api.com”
Figure 10: ip-api.com output

If the country code is “RU” or “US” it exits; otherwise it starts decrypting the content of “cf.ini” using a hard-coded key and IV pair.

Figure 10: ecmd.exe main function

The decrypted content is copied to an allocated memory region and executed as a new thread using VirtualAlloc and CreateThread APIs.

Figure 11: runn function

ShellCode (cf.ini)

A Malleable C2 is a way for an attacker to blend in command and control traffic (beacons between victim and server) with the goal of avoiding detection. A custom profile can be created for each target.

The shellcode uses the Cobalt Strike Malleable C2 feature with a jQuery Malleable C2 profile to download the second payload from “time.updateeset[.]com”.

Figure 12: Malleable C2 request

This technique has been used by two other recent Chinese APTs—Mustang Panda and APT41.  

The shellcode first finds the address of ntdll.dll using the PEB and then calls LoadLibraryExA to load Wininet.dll. It then uses the InternetOpenA, InternetConnectA, HttpOpenRequestA, InternetSetOptionA and HttpSendRequestA APIs to download the second payload. The API calls are resolved within two loops and then executed using a jump to the address of the resolved API call.

Figure 13: Building API calls

The malicious payload is downloaded by InternetReadFile and is copied to an allocated memory region.

Figure 14: InternetReadFile

Considering that communication is over HTTPS, Wireshark is not helpful to spot the malicious payload. Fiddler was not able to give us the payload either:

Figure 15: Fiddler output

Using Burp Suite proxy we were able to successfully verify and capture the correct payload downloaded from time.updateeset[.]com/jquery-3.3.1.slim.min.js. As can be seen in Figure 16, the payload is included in the jQuery script returned in the HTTP response:

Figure 16: Payload appended to the end of the jQuery script
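The appended-payload pattern in Figure 16 is something a proxy or a response-inspection hook can check for directly, because a genuine minified script is plain text while a downloaded stage is not. As an added example (not the authors' code), this Python checker splits a response body at the first byte that breaks UTF-8 decoding and treats a long, high-entropy tail as suspicious; the jQuery-like text, the 512-byte stand-in for the stage, and the length and entropy thresholds are constructed assumptions.

```python
"""Flag a binary payload appended to an otherwise text-only JavaScript response.

Added example, not code from the Malwarebytes post. The sample bodies below are
constructed; only the jQuery version string echoes the file name in the post.
"""
import math
import random
from dataclasses import dataclass


@dataclass
class Verdict:
    suspicious: bool
    text_length: int     # bytes of valid UTF-8 text before the first non-text byte
    blob_length: int     # bytes from the first non-text byte to the end of the body
    blob_entropy: float  # Shannon entropy (bits per byte) of that trailing blob


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def split_text_prefix(body: bytes) -> tuple[bytes, bytes]:
    """Split the body at the first byte that breaks UTF-8 decoding.

    Decoding the whole body first keeps legitimate non-ASCII text (a copyright
    sign in a licence header, for instance) from being mistaken for a payload.
    """
    try:
        body.decode("utf-8")
        return body, b""
    except UnicodeDecodeError as err:
        return body[:err.start], body[err.start:]


def inspect_js_response(body: bytes, min_blob: int = 64,
                        entropy_threshold: float = 6.0) -> Verdict:
    """The trailing blob must be both long enough and high-entropy to count as suspicious."""
    text, blob = split_text_prefix(body)
    entropy = shannon_entropy(blob)
    return Verdict(
        suspicious=len(blob) >= min_blob and entropy >= entropy_threshold,
        text_length=len(text),
        blob_length=len(blob),
        blob_entropy=round(entropy, 2),
    )


# Constructed stand-ins: a few lines shaped like a minified jQuery header and tail,
# and a 512-byte pseudo-random blob standing in for the downloaded stage. The blob
# deliberately starts with 0xFF, a byte that can never begin a UTF-8 sequence.
LEGIT_JS = (
    b"/*! jQuery v3.3.1 -ajax,-ajax/jsonp | (c) JS Foundation | jquery.org/license */\n"
    b"!function(e,t){\"use strict\";\"object\"==typeof module?module.exports=t(e):t(e)}"
    b"(\"undefined\"!=typeof window?window:this,function(e){return e.jQuery=e.$={}});\n"
)
LEGIT_JS_UTF8 = b"/*! \xc2\xa9 JS Foundation | jquery.org/license */\n" + LEGIT_JS
_rng = random.Random(1337)
FAKE_STAGE = b"\xff" + bytes(_rng.getrandbits(8) for _ in range(511))
TAMPERED_JS = LEGIT_JS + FAKE_STAGE

if __name__ == "__main__":
    for name, body in (("clean", LEGIT_JS), ("clean-utf8", LEGIT_JS_UTF8),
                       ("tampered", TAMPERED_JS)):
        print(name, inspect_js_response(body))
```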

After copying the payload into a buffer in memory, the shellcode jumps to the start of the buffer and continues execution. This includes sending continuous beaconing requests to “time.updateeset[.]com/jquery-3.3.1.min.js” and waiting for the potential commands from the C2.  

Figure 17: C2 communications

Using Hollows Hunter, we were able to extract the final payload, Cobalt Strike, from ecmd’s memory space.

Attribution

A precise attribution of this attack is a work in progress but here we provide some insights into who might be behind this attack. Our analysis showed that the attackers excluded Russia and the US. The former could be a false flag, while the latter may be an effort to avoid the attention of US malware analysts.

As mentioned before, the domain hosting the remote template is registered in Hong Kong while the C2 domain “time.updateeset[.]com” was registered under the name of an Iranian company called Ehtesham Rayan on Feb 29, 2020. The company used to provide AV software and is seemingly closed now. However, these are not strong or reliable indicators for attribution.

Figure 11: updateeset.com whois registration information

In terms of TTPs used, Chinese APT groups such as Mustang Panda and APT41 are known to use jQuery and the Malleable C2 feature of Cobalt Strike. Specifically, the latest campaign of Mustang Panda has used the same Cobalt Strike feature with the same jQuery profile to download the final payload which is also Cobalt Strike. This is very similar to what we saw in this campaign, however the initial infection vector and first payload are different in our case.



The post Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature appeared first on Malwarebytes Labs.

VPNs: should you use them?

We are going to talk today about something you’ve likely heard of before: VPNs, or Virtual Private Networks. We at Malwarebytes have delved into these tools in greater depth, and we’ve literally discussed them on the digital airwaves.

But we want to answer a question we’ve been getting more and more. Folks aren’t as curious about what a VPN is anymore, as they are about whether they should use one.

The answer is: it depends. For that, we’re here to help.

How a VPN works

To understand how a VPN works and whether you should use one, it is best to first understand what happens when you’re browsing the Internet. Whenever you open up a web browser and go to a website, you’re connecting to that website and exchanging information with it. This is your Internet “traffic,” and it can reveal quite a bit of information about you, including what websites you visit, your IP address, and more.

A VPN acts like a “tunnel” for your Internet traffic. Your traffic goes into the tunnel, and emerges out of one of the exit nodes of the VPN service. The tunnel encrypts your data, making it undecipherable to your Internet Service Provider (ISP). At best, your ISP can see that some encrypted traffic is going to a VPN service, but not the contents of that traffic, and not where it comes out of.

The interesting thing to note here is that, with this basic functionality, a VPN can actually serve many different needs. As we wrote before:

Depending on who you ask, a VPN is any and all of these: [1] a tunnel that sits between your computing device and the Internet, [2] helps you stay anonymous online, preventing government surveillance, spying, and excessive data collection of big companies, [3] a tool that encrypts your connection and masks your true IP address with one belonging to your VPN provider, [4] a piece of software or app that lets you access private resources (like company files on your work intranet) or sites that are usually blocked in your country or region.

Without a VPN, your Internet Service Provider, or ISP, can see almost everything you interact with online. Who you connect to, what type of traffic, where you are geographically. No bueno.

Obscuring your traffic with a VPN

If you use a VPN, your ISP knows you’ve connected to a VPN, but it cannot inspect the content of your traffic, and does not know where it comes out at the other end.

Also, despite the recent surge in popularity for VPNs, these tools have been in use for businesses for a long time now. They are typically used to access resources remotely as if you were at the office.

In some cases we have even seen performance boosts by using a VPN, where artificial throttling is circumvented by the use of a VPN. Because you’re tunneling your connection, your ISP can’t peek at your traffic and throttle it, based on the kind of traffic. Believe it or not, this is a real issue, and some ISPs throttle users’ traffic when they see file sharing for example.

Consumer recommendations

There are several paths you can take when deciding to implement a VPN. Not only do these tools work on personal devices like laptops and mobile phones, but, in some cases, you can insert your own router into the mix.

In many cases, the router provided by your ISP is not a device that you fully control, and using it for your networking needs might open you to possible security issues.

These devices sometimes have administrative functions that aren’t accessible to subscribers. Some mid to higher range routers offered on the market today allow you to put the VPN on the router, effectively encapsulating all your traffic.

The hardware route

A possible solution would be to get such a router and install the VPN on it, rather than on your individual machines. This has the added bonus that it provides VPN protection to devices that don’t support VPNs, like handhelds, consoles, and smart devices.

In the past, we have seen ISP hardware breached by hard coded accounts on the modem/routers they offer to their subscribers.

Sadly, ISP customer support often balks at helping out if you insert your own equipment in the mix. (In fact, they might make you remove it from the equation before they’ll provide support.)

This solution is specific to each router, and a bit more advanced.

The software route

You can also use a VPN application provided by the VPN provider. This application will provide VPN tunneling to the computer it is installed on, and only that, so keep that in mind.

One of the strongest options to consider for your software solution is a “kill switch” functionality. This ensures that if anything happens to the VPN application, it doesn’t “fail open” or allow internet traffic through if the VPN is broken. Think about it. You’re installing this application for the explicit functionality that it can tunnel your traffic. If the app malfunctions, there might be privacy risks in the app still allowing you to connect to the Internet, but letting your traffic go un-tunneled.

More than anything, a kill switch prevents the chance that you’re operating with a false sense of security. What you say online, and the chance that it was you who said it, can draw attention in some countries with far stricter laws on free speech.

Another factor that makes a VPN really perform is when they have a lot of exit nodes. These exit nodes are locations that can be used to circumvent geolocation. The more that are available, and the greater the variety, the more versatile and useful the VPN service is.

Speed is also a factor for VPN exit nodes. There’s not much point in having a ton of exit nodes unless they’re fast. One of the drawbacks of using a VPN is that by adding all these “hops” between nodes, your traffic will take longer to route. If the nodes are reasonably fast, the end user shouldn’t notice significant slowdowns.

You should have a VPN provider that doesn’t discriminate the type of traffic that flows through their network. Some smaller VPNs don’t have the necessary infrastructure to handle large volumes of Peer-to-peer or bittorrent traffic, and either ban it outright or have actual data caps.

Final thoughts

Remember, when you’re thinking about adopting one of these tools, you’re transferring trust: When you use a VPN you transfer access to your traffic to a 3rd party, the VPN provider. All that visibility that users balk at relinquishing to their ISP has now been handed over to their VPN provider. Careful consideration should be given to the trustworthiness of said VPN provider.

There are documented cases where a VPN provider revealed that their users could be de-anonymized and that the VPN provider did in fact keep logs and was willing to turn them over.

Remember, VPNs should not be viewed as shadowy tools. They are, in all actuality, business and privacy tools. They let the researchers who fight malware find out what that malware actually does. They let employees connect to company resources away from the office—which is of the utmost importance today. And they allow you, the user, to reclaim a measure of privacy.

It is therefore important to choose carefully. Most VPNs offer a service where they promise not to log or inspect your traffic. In many cases, though, this claim is impossible to verify.

The best option for VPNs, then? Read reviews, scour forums, and look for the functionalities that are important, specifically, to you. You may find what you’re looking for just around the corner.

The post VPNs: should you use them? appeared first on Malwarebytes Labs.

A week in security (June 8 – 14)

Last week on Malwarebytes Labs, we looked into nasty search hijackers that worried a lot of Chrome users; a list of considerations for MSPs when looking for an RMM platform; the complaint faced by ParetoLogic, the company that issues SpeedyPC, a product that claims to find and remove various PC errors; and a ransomware attack that affected car manufacturers like Honda and Enel.

Other cybersecurity news

Stay safe, everyone!

The post A week in security (June 8 – 14) appeared first on Malwarebytes Labs.

Search hijackers change Chrome policy to remote administration

The latest type of installer in the saga of search hijacking changes a Chrome policy which tells users it can’t be removed because the browser is managed from the outside.

As you can imagine, that has freaked out quite a few Chrome users.

We have talked about the search hijacker’s business model in detail. Suffice to say, it is a billion-dollar industry and a lot of search hijackers want a piece of this action as even a small portion can amount to a hefty income.

One search hijacker doesn’t generate large amounts of cash for threat actors, like ransomware or banking Trojans. So, the publishers are always looking for ways to get installed on large numbers of systems and stay installed for as long as possible.

It also should not come as a surprise that ethics are no priority for many of them. As long as they can rake in their redirect fees, they couldn’t care less about your inconvenience of being stuck with a default search provider that you would not have picked yourself.

What have they done this time?

We were alerted by some of our customers who said they were unable to remove Chrome extensions as they ran into this restriction:


Basically, this is telling the user that the browser may be managed outside of Chrome and the administrator has installed an extension. Even users that have Administrator accounts on the affected systems are unable to remove these extensions.

The extension in question is easily spotted in an overview of all the installed extensions as it is the one that has no “Remove” option.

There is no “Remove” button for the spotted search hijacker

We have found several of these search hijackers in the Chrome webstore but installing them from there does not lead to the “managed browser symptoms.” It takes a Windows installer to make the necessary registry changes, so users that installed it from the webstore should be able to remove it themselves in the normal way.

Installed from the webstore the extensions have a “Remove” button

What all the hijackers that use the managed browser technique have in common is that they add the registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Chromium\ExtensionInstallForcelist
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist

under which the forced extensions are enumerated as registry values like this:

"1"="REG_SZ", "lpfpbajbnhddlpljjnfndngbkkfkjfna;https://clients2.google.com/service/update2/crx"

The description in the Chromium documentation about the ExtensionInstallForcelist states:

Specifies a list of apps and extensions that are installed silently, without user interaction, and which cannot be uninstalled nor disabled by the user.
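One way to check a machine for the forced-install technique described above is to export the two policy keys and audit what sits under them. As an added example (not code from the post), this Python script parses a `reg export`-style text, accepting both the plain `"1"="id;url"` form and the `"1"="REG_SZ", "id;url"` form shown above, and flags forced extension IDs that are not on an allowlist or that update from anywhere other than the Web Store URL quoted above; the export text, the allowlist and the two made-up extension IDs are constructed, while the SearchSpace ID comes from the post.

```python
"""Audit Chrome/Chromium ExtensionInstallForcelist entries from a registry export.

Added example, not code from the Malwarebytes post. It expects the export already
decoded to str (reg export writes UTF-16), and only looks at the two policy keys
the post names; values under any other key are ignored.
"""
import re
from dataclasses import dataclass, field

FORCELIST_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Chromium\ExtensionInstallForcelist",
)
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# A value line as written by reg export ("1"="id;url") or, as in the post, with the
# type spelled out ("1"="REG_SZ", "id;url"). Extension IDs are 32 letters from a to p.
VALUE_RE = re.compile(
    r'^"(?P<name>\d+)"=(?:"REG_SZ",\s*)?"(?P<id>[a-p]{32});(?P<url>[^"]+)"$')
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")


@dataclass
class Finding:
    key: str
    value_name: str
    extension_id: str
    update_url: str
    reasons: list = field(default_factory=list)


def parse_forcelist(reg_text: str) -> list:
    """Return (key, value_name, extension_id, update_url) for every forcelist entry."""
    entries, current_key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        if current_key in FORCELIST_KEYS:
            value_match = VALUE_RE.match(line)
            if value_match:
                entries.append((current_key, value_match.group("name"),
                                value_match.group("id"), value_match.group("url")))
    return entries


def audit_forcelist(reg_text: str, allowlist: dict) -> list:
    """Flag entries whose ID is not allowlisted or whose update URL is not the Web Store."""
    findings = []
    for key, name, ext_id, url in parse_forcelist(reg_text):
        reasons = []
        if ext_id not in allowlist:
            reasons.append("extension ID not in allowlist")
        if url != WEBSTORE_UPDATE_URL:
            reasons.append("update URL is not the Chrome Web Store")
        if reasons:
            findings.append(Finding(key, name, ext_id, url, reasons))
    return findings


# Constructed registry export. lpfpb... is the SearchSpace ID from the post; the
# other two IDs and the HomepageLocation value are made up. The HomepageLocation
# entry sits under a different key and must not be picked up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist]
"1"="lpfpbajbnhddlpljjnfndngbkkfkjfna;https://clients2.google.com/service/update2/crx"
"2"="aaaabbbbccccddddeeeeffffgggghhhh;https://clients2.google.com/service/update2/crx"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Chromium\ExtensionInstallForcelist]
"1"="REG_SZ", "lpfpbajbnhddlpljjnfndngbkkfkjfna;https://clients2.google.com/service/update2/crx"
"2"="ppppoooonnnnmmmmllllkkkkjjjjiiii;https://update.example.invalid/crx.xml"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"HomepageLocation"="https://intranet.example.invalid/"
'''

# Constructed allowlist: the one extension IT actually deploys on these machines.
ALLOWLIST = {"aaaabbbbccccddddeeeeffffgggghhhh": "corporate password manager (constructed)"}

if __name__ == "__main__":
    for f in audit_forcelist(SAMPLE_REG, ALLOWLIST):
        browser = f.key.rsplit("\\", 2)[-2]
        print(f"{browser} value {f.value_name}: {f.extension_id} -> {'; '.join(f.reasons)}")
```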

How do these hijackers land on victim’s systems?

We are not completely sure, but we did manage to round up some standalone installers from the Temp folder on affected Windows systems, and it looks as if these installers were part of a bundler.

What victims will typically see is an installer notice like this one:


and then nothing until they open Chrome and see this new tab:


and the “your browser is managed by a remote administrator” type of comment scattered throughout the Chrome menu and settings.


Search hijackers in general

Search hijackers come in different flavors. Basically, they can be divided into three main categories if you look at their methodology:

  • The hijacker redirects victims to the best paying search engine.
  • The hijacker redirects victims to their own site and shows additional sponsored ads.
  • The hijacker redirects victims to a popular search engine after inserting or replacing sponsored ads.

By far the most common vehicles are browser extensions, whether they are called extensions, add-ons, or browser helper objects. But you will see different approaches here as well:

  • The extension lets the hijacker take over as the default search engine.
  • The extension takes over as “newtab” and shows a search field in that tab.
  • The extension takes permission to read and change your data on websites. It uses these permissions to alter the outcome of the victim’s searches.

This family is of the kind that uses their own site as a redirect to the search engine they get paid by, and the extension takes over as default search engine. The default is the one that gets queried when the user searches from the address bar.

Removal

Malwarebytes recognizes these hijackers and removes them from affected systems. You can find a few removal guides on our forums:

Removal guide for Mazy Search

Removal guide for SearchSpace

And at the rate they are pushing out new ones, more will probably follow.

IOCs

Extension identifiers

fhmghdmcgkkdadabbnkmnejhoncccjio (Capita)

lpfpbajbnhddlpljjnfndngbkkfkjfna (search space)

fifailmmmlkdabfkkoejgffjdfgbieji (Mazy)

Domains

search-space.net

mazysearch.com

capita.space

defaultsearch.link

Stay safe everyone!

The post Search hijackers change Chrome policy to remote administration appeared first on Malwarebytes Labs.

MSPs, know what you’re really looking for in an RMM platform

MSPs naturally adapt and mature as innovative technologies and more effective processes are introduced into the industry. But with ransomware cyberattacks happening left and right, pushing them to evolve even further, MSPs are left with no choice but to go with the flow. Going for improved functionalities—although important—is simply no longer enough. MSPs must begin putting a lot of emphasis on improving their security for the continuous protection of their most valuable assets.

With ransomware threat actors exploiting weaknesses in remote monitoring and management (RMM) platforms to get into endpoints by the thousands, MSPs have found themselves wondering whether their platform is secure, robust, and agile enough with the changing threat landscape. To help them decide, let us look at the key points to consider when choosing an RMM that is right for them.

Helping MSPs look for “the one”

Indeed, there is no “one-size-fits-all” RMM platform. Every MSP has its own unique needs, and vendors must meet those needs so both can deliver high quality service and grow together as one.

Whether you’re an experienced MSP who is evaluating your current RMM or contemplating on switching to another vendor, or you’re a new MSP who is on the lookout for an RMM platform that best fits your unique business needs, we offer you a guide in finding “the one.”

Security

Ask: “Does this RMM vendor take security seriously as much as we do?”

A security-conscious MSP looks for security present in an RMM vendor’s product. This should be a necessity as their business is at stake, most especially if you’re an MSP that handles all your clients’ data. It is only logical to look for a vendor that cares about the security of their clients’ assets the same way you, the MSP, care about the assets of your clients, too.

MSPs can start assessing security by checking whether the communication between components is secure. For example, are endpoints communicating securely with the monitoring server? Is the monitoring server communicating securely with remote management devices and systems? Overall, does the RMM take a layered approach to securing communication between devices and apps, which in turn protects the entire support chain?

Another point to think about is whether the platform provides multiple security role assignments for various kinds of users. Certain users can only have read-only access, for example, while others are granted higher privileges based on their job functions.

We cannot stress enough the importance of MSPs securing themselves to keep their clients safe from online attacks like ransomware. Being consistent in this regard on every facet of the decision-making process will only put MSPs at a significant advantage.

Scalability

Ask: “Does this RMM adapt to new demands and scale really well with the changing trends?”

RMM platforms and solutions aren’t something new. In fact, some of them have been around for decades. With this in mind, MSPs should look at how much the RMM has changed since it first offered its service, what it has done so far to keep up with the ever-changing business landscape, and how it plans to evolve for the future.

Legacy RMMs were never created with the modern MSP, the thousands upon thousands of endpoints it supports, or the Internet of Things (IoT) in mind. There are far better designed RMMs today, built to deliver robust, multi-tenant solutions for MSPs (that is, the ability to manage multiple disparate clients, and access to multiple applications for various clients, from a single application or platform). RMMs that offer this are the ones best positioned for the future. It is therefore paramount for MSPs to partner with a vendor that scales well with market demand and doesn’t hold them back when it comes to their own business growth.

Proactive, with the drive for change

Ask: “Does the RMM vendor provide proactive patching and show momentum in improving?”

Not only should MSPs look for an RMM that has a long-term product roadmap and regularly releases updates for it, but they should also look at how their current or potential vendor goes about actively [1] monitoring the threat landscape and [2] looking for flaws in its own software before the bad guys even have time to learn about them and create an exploit.

MSPs have realized that reacting to cyberattacks doesn’t work. And while it is admirable for an RMM vendor to be able to determine a security flaw and patch it as quickly as they can to mitigate infection, preventing something big from happening far outweighs mitigating what has already happened.

Apart from patching, a good RMM vendor must also show that it is continuously improving its own products by adding helpful functionality, enhancing what is used most, and doing away with whatever is not beneficial for MSPs.

Ease of use

Ask: “How easily can my employees use this platform?”

MSPs look for software that not only gets the job done but is also easy to operate. Aesthetics (a better designed interface) combined with functionality come into play here. The UI must be easy to understand and navigate, and each element shown should give technicians a clear idea of what they want to know about their endpoints. Furthermore, it must allow MSPs to customize the tool to fit their business needs.

Of course, no matter how intuitive the platform claims to be, it is still new software that no one in the company is familiar with. That said, a good RMM vendor must offer training so that MSP technicians fully understand the platform and use it proficiently. Know that the more complex the tool, the longer the training; the longer the training, the greater the cost; and the more complex the tool, the higher the risk that even a trained technician will make mistakes.

Mobile-enabled

Ask: “Can the RMM platform be accessed via mobile devices?”

With everyone carrying at least one mobile device, going mobile is no longer just a want; for many, it is now a need. An RMM solution that MSP technicians can use outside of the office can be an extremely valuable feature, especially when a real-time alert kicks in. The MSP technician must be able to perform troubleshooting tasks on a small screen and over a cellular network. An MSP that can deliver quality service anytime and anywhere is something that current and potential clients look for, and it may become highly in demand in the future.

For MSPs, security is at the forefront in these uncertain times

Choosing a vital tool like an RMM platform is not an easy or quick process for MSPs to go through. It takes careful thinking and a lot of time and effort in evaluating. For new MSPs, this process is probably one of the most challenging, more so when all RMMs seemingly offer the same thing. At the end of the day, however, finding that one RMM vendor you can grow your business and expand your portfolio offerings with is totally worth it. Potential and current clients not only see MSPs as software and hardware experts, but they are quickly looking up to them as security advisers as well.

Having insight on the current trends and following these considerations, coupled with asking the right questions, is not only strategic. It is also the first step in laying down the cornerstone for future-proofing your business.

Good luck in your search!

The post MSPs, know what you’re really looking for in an RMM platform appeared first on Malwarebytes Labs.

Honda and Enel impacted by cyber attack suspected to be ransomware

Car manufacturer Honda has been hit by a cyber attack, according to a report published by the BBC, and later confirmed by the company in a tweet. Another similar attack, also disclosed on Twitter, hit Edesur S.A., one of the companies belonging to Enel Argentina, which operates in the business of energy distribution in the City of Buenos Aires.

Based on samples posted online, these incidents may be tied to the EKANS/SNAKE ransomware family. In this blog post, we review what is known about this ransomware strain and what we have been able to analyze so far.

Targeted ransomware with a liking for ICS

First public mentions of EKANS ransomware date back to January 2020, with security researcher Vitali Kremez sharing information about a new targeted ransomware written in Golang.

The group appears to have a special interest for Industrial Control Systems (ICS), as detailed in this blog post by security firm Dragos.

Figure 1: EKANS ransom note

On June 8, a researcher shared samples of ransomware that supposedly was aimed at Honda and ENEL INT. When we started looking at the code, we found several artefacts that corroborate this possibility.

Figure 2: Mutex check

When the malware executes, it tries to resolve a hardcoded hostname (mds.honda.com). If, and only if, the name resolves does file encryption begin. The same logic, with a different hostname, also applies to the ransomware allegedly tied to Enel.

Figure 3: Function responsible for performing DNS query

Target: Honda

  • Resolving internal domain: mds.honda.com
  • Ransom e-mail: CarrolBidell@tutanota[.]com

Target: Enel

  • Resolving internal domain: enelint.global
  • Ransom e-mail: CarrolBidell@tutanota[.]com

RDP as a possible attack vector

Both companies had some machines with Remote Desktop Protocol (RDP) access publicly exposed (reference here). RDP attacks are one of the main entry points when it comes to targeted ransomware operations.

  • RDP Exposed: /AGL632956.jpn.mds.honda.com
  • RDP Exposed: /IT000001429258.enelint.global

However, we cannot say conclusively that this is how threat actors may have gotten in. Ultimately, only a proper internal investigation will be able to determine exactly how the attackers were able to compromise the affected networks.

Detection

We tested the ransomware samples publicly available in our lab by creating a fake internal server that would respond to the DNS query made by the malware code with the same IP address it expected. We then ran the sample alleged to be tied to Honda against Malwarebytes Nebula, our cloud-based endpoint protection for businesses.

Figure 4: Malwarebytes Nebula dashboard showing detections

We detect this payload as ‘Ransom.Ekans’ when it attempts to execute. In order to test another of our protection layers, we also disabled (not recommended) the malware protection to let the behavior engine do its thing. Our anti-ransomware technology was able to quarantine the malicious file without the use of any signature.
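The lab setup described above, a fake internal resolver that answers the sample’s DNS query so that it proceeds past its hostname check, can be reproduced with a small Python responder. The following is an added example and not code from the Malwarebytes post: it answers A queries for the names in LAB_RECORDS with a fixed address and returns NXDOMAIN for everything else, so a detonation VM pointed at it sees the name the sample expects and nothing more. The hostname mds.honda.com is the one named in the post; the 10.0.0.5 answer, the listening interface and port 53 are assumptions for an isolated lab network.

```python
import socket
import socketserver
import struct

# Constructed lab mapping: the hostname the sample resolves before it encrypts
# (named in the post) and a placeholder address for the isolated lab network.
LAB_RECORDS = {
    "mds.honda.com": "10.0.0.5",
}


def parse_question(packet: bytes):
    """Return (transaction_id, qname, qtype, question_bytes) from a DNS query.

    Reads exactly one question in RFC 1035 wire format; compression pointers in
    the question name are rejected because a query should never contain them.
    """
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    tid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos = 12
    labels = []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    pos += 4
    return tid, ".".join(labels).lower(), qtype, packet[12:pos]


def build_response(packet: bytes, records=LAB_RECORDS, ttl: int = 60) -> bytes:
    """Answer an A query for a name in `records`; NXDOMAIN for anything else."""
    tid, qname, qtype, question = parse_question(packet)
    ip = records.get(qname)
    if qtype != 1 or ip is None:
        # Flags 0x8183: QR=1, RD=1, RA=1, RCODE=3 (NXDOMAIN); echo the question only
        return struct.pack("!HHHHHH", tid, 0x8183, 1, 0, 0, 0) + question
    # Flags 0x8180: QR=1, RD=1, RA=1, RCODE=0; one answer record follows the question
    header = struct.pack("!HHHHHH", tid, 0x8180, 1, 1, 0, 0)
    # Answer RR: pointer to the question name at offset 12, type A, class IN, TTL, RDLENGTH 4
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def build_query(name: str, tid: int = 0x1234) -> bytes:
    """Encode a plain A query; used here to exercise the responder without a network."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


class LabDNSHandler(socketserver.BaseRequestHandler):
    def handle(self):
        data, sock = self.request
        try:
            sock.sendto(build_response(data), self.client_address)
        except (ValueError, IndexError, struct.error):
            pass  # malformed packet: drop it rather than crash the lab resolver


if __name__ == "__main__":
    # Bind on the lab interface (assumed 0.0.0.0:53) and point the sandbox VM's DNS here.
    with socketserver.UDPServer(("0.0.0.0", 53), LabDNSHandler) as server:
        server.serve_forever()
```

Binding port 53 needs the appropriate privilege on the lab host, and the VM must have no other resolver reachable, otherwise the sample’s query never arrives here. Because every unknown name is answered NXDOMAIN rather than forwarded, the responder also doubles as a log of which other names the sample tries to resolve.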

Ransomware gangs have shown no mercy, even in this period of dealing with a pandemic. They continue to target big companies in order to extort large sums of money.

RDP has been called out as one of the lowest-hanging fruits preferred by attackers. However, we also recently learned about a new SMB vulnerability allowing remote execution. It is important for defenders to properly map out all assets, patch them, and never allow them to be publicly exposed.

We will update this blog post if we come across new relevant information.

Indicators of Compromise (IOCs)

Honda related sample:

d4da69e424241c291c173c8b3756639c654432706e7def5025a649730868c4a1
mds.honda.com

Enel related sample:

edef8b955468236c6323e9019abb10c324c27b4f5667bc3f85f3a097b2e5159a
enelint.global

The post Honda and Enel impacted by cyber attack suspected to be ransomware appeared first on Malwarebytes Labs.

ParetoLogic facing complaint of alleged wrongdoing

A short while ago we reported on the FTC ruling against payment provider RevenueWire. Now, another Canadian company is under scrutiny, and the cases are very much related. Not only are these companies hailing from the same city, they also share some founders.

The company ParetoLogic is involved in a US class action lawsuit in which it is accused of having circulated programs that would charge customers to fix non-existent computer problems.

As we saw in our previous coverage, RevenueWire—acting under the name SafeCart—was charged under the accusation that they provided services as a payment provider for companies that were involved in tech support scams. RevenueWire denies the allegations, and issued a statement saying it settled to avoid protracted litigation and legal costs.

The case of ParetoLogic

In the case at hand, the plaintiff Archie Beaton sued Defendant SpeedyPC Software (“SpeedyPC”), a British Columbia company, alleging that it was engaged in fraudulent and deceptive marketing of SpeedyPC Pro (“Speedy PC Pro” or the “Software”), a computer software product that claimed to be able to diagnose and repair various PC errors.

In this context it is good to know that SpeedyPC Pro is the name of a program that the plaintiff purchased, and this program was produced, marketed, and sold by ParetoLogic.

The United States District Court for the Northern District of Illinois Eastern Division set out under the notice that “SpeedyPC Software appears to be the trade name of a company known as ParetoLogic, Inc. To avoid confusion, the Court will refer to the defendant only as SpeedyPC Software.”

ParetoLogic software

SpeedyPC was not the only software issued by ParetoLogic. Many similar programs were marketed in very much the same way. What they all had in common is that they fall into a category we refer to as “system optimizers.” This type of software combines some or all of the below functionalities:

  • Registry cleaner
  • Driver updater
  • Temp file cleaner
  • Disk optimizer (disk defragmenter)
  • System error reporter

Since all these functionalities are offered by free tools built into the Windows operating system, many system optimizers are considered Potentially Unwanted Programs (PUPs), especially if they exaggerate the seriousness of possible improvements that can be made on a user’s system.

A well-known example of a ParetoLogic product is PC Health Advisor:

Figure: ParetoLogic PC Health Advisor

The ties with RevenueWire

What’s interesting in this case is that ParetoLogic Inc. was co-founded by the same partners behind another Victoria, Canada tech company, RevenueWire, that recently settled fraud charges with the U.S. Federal Trade Commission for US$6.7 million.

RevenueWire handled the sales and distribution of software and digital products for many developers and publishers worldwide. In fact, part of RevenueWire’s alleged scheme involved serving as a legitimate face for software companies that had already been denied by large, trusted payment processors, and according to at least one online forum, ParetoLogic may have fit that description, as it did not appear to accept PayPal.

The case against ParetoLogic

ParetoLogic has been fighting the plaintiffs’ right to start a class-action case in the US on several grounds since 2015 but was unsuccessful in this attempt to avoid going to court over the charges. Archie Beaton’s motion to certify a class for his complaint—which basically serves as a request to gather other folks facing similar, alleged wrongdoing into one lawsuit—against ParetoLogic was granted in October 2017 and was upheld at the U.S. Court of Appeals for the Seventh Circuit in Chicago in October 2018.

Grounds for the case

Beaton looked online for a fix for some computer problems he was experiencing and found a free trial of SpeedyPC Pro. As per usual with this type of software the program reported some problems with the system, but let the user know they needed the paid version to fix said problems.

From the Court of Appeals for the Seventh Circuit:

Using his personal business’s credit card, [Beaton] purchased SpeedyPC Pro and ran it on his laptop. It began by scanning his device, just as the free trial had done. The program then told Beaton to click on “Fix All.” Beaton dutifully did so. Yet nothing happened. Beaton ran the software a few more times, to no avail. Feeling ripped off, and suspecting that his experience was not unique, Beaton sued Speedy in 2013 on behalf of a class of consumers defined as “All individuals and entities in the United States who have purchased SpeedyPC Pro.” Despite Speedy’s lofty pledges, Beaton claimed, the software failed to perform as advertised. Instead, it indiscriminately and misleadingly warned all users that their devices were in critical condition, scared them into buying SpeedyPC Pro, and then ran a functionally worthless “fix.”

Decision of the court

Speedy identified 10 individual issues that allegedly defeated predominance. The district court was not persuaded. It found that some were best addressed on a class-wide basis, and they outweighed the remaining individualized inquiries.

“Finding no abuse of discretion in the district court’s decisions to certify the nationwide class and the Illinois subclass, we affirm the court’s certification orders,” the court wrote.

In layman’s terms, this means the plaintiff can represent other victims of ParetoLogic’s SpeedyPC and seek compensation for their damages.

Conclusion

This case has been on the table since 2014 and it can take a few more years before the courts decide on a final ruling about compensation. Meanwhile, ParetoLogic’s Victoria offices have been closed and its website has been taken offline. Provincial government records show it is still registered as an active corporation and its last annual report was filed in January.

The post ParetoLogic facing complaint of alleged wrongdoing appeared first on Malwarebytes Labs.

Lock and Code S1Ep8: Securely working from home (WFH) with John Donovan and Adam Kujawa

This week on Lock and Code, we discuss the top security headlines generated right here on Labs and around the Internet. In addition, we talk to John Donovan, head of security at Malwarebytes, and Adam Kujawa, director of Malwarebytes Labs, about securely working from home (WFH).

With shelter-in-place orders now in full effect to prevent the spread of coronavirus, countless businesses find themselves this year in mandatory work-from-home situations. On today’s episode, we go beyond just talking about threats. We have a dialogue.

First, what types of malware and attack methods are we seeing, and then, how has Malwarebytes responded. We want to give you an inside look, because even though we’re a cybersecurity company, staying cyber secure goes beyond malware detection. It reaches into educating your employees and implementing proper policies to protect your company.

Tune in for all this and more on the latest episode of Lock and Code, with host David Ruiz.

You can also find us on the Apple iTunes store, on Google Play Music, plus whatever preferred podcast platform you use.

We cover our own research on:

Plus other cybersecurity news:

  • Bug bounty hunter snags $100,000 award for zero-day bug in ‘Sign in with Apple’ system. (Source: TechSpot)
  • 100,000 company inboxes hit with voice message phishing. (Source: Bleeping Computer)
  • 80% of organizations suffered at least one cloud data breach in the past 18 months. (Source: CISO MAG)
  • Mongolia arrests 800 Chinese citizens in cybercrime probe. (Source: Reuters)
  • Minnesota used contact tracing to track protestors, which created a trust problem for medical workers in the pandemic. (Sources: BGR and CNET)

Stay safe, everyone!

The post Lock and Code S1Ep8: Securely working from home (WFH) with John Donovan and Adam Kujawa appeared first on Malwarebytes Labs.

New LNK attack tied to Higaisa APT discovered

This post was authored by Hossein Jazi and Jérôme Segura

On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.

The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.

We were able to identify two variants of this campaign that were possibly distributed between May 12th and 31st:

  • “CV_Colliers.rar”
  • “Project link and New copyright policy.rar”

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.

The following shows the overall process flow when executing the malicious LNK file.

Figure 1: Process graph

LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:

Figure 2: Malicious LNK commands

  • Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in the %APPDATA% temp directory.
  • Copy content of “certutil.exe” into “gosia.exe” (“*ertu*.exe” is used to bypass security detection).
  • Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
  • Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
  • Decompress content of “o423DFDS4.tmp” in the temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3).
  • Copy “66DF33DFG.tmp” and “34fDKfSD38.js” files into the “C:\Users\Public\Downloads” directory.
  • Execute the JS file by calling Wscript.
  • Open the decoy document.

Figure 3: Content of the “o423DFDS4.tmp” cab file

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa COVID-19 campaign. The only differences are the names of the tmp files and the name given to the copy of certutil.exe, which in this new case is “gosia.exe”, while in the March campaign it was “mosia.exe”.

Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations. Running each of them shows a different decoy document.

Figure 4: CV decoy document

Figure 5: IELTS test result decoy document
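The shortcut described above carries its commands in the COMMAND_LINE_ARGUMENTS string of the shell link and its payload as a base64 blob appended after the file’s regular structures, which is why the chain uses findstr.exe and certutil -decode to get at it. The following triage parser is an added example written for this post, not tooling from Malwarebytes or from the analysis: it walks the MS-SHLLINK header, StringData and ExtraData to recover the argument string, then looks for a base64 run in whatever bytes follow and checks whether the decoded blob starts with the cabinet signature that expand.exe would unpack. make_constructed_sample() builds a benign shortcut with a placeholder blob purely so the parser can be exercised offline; the argument text and payload are constructed, not taken from the campaign.

```python
import base64
import re
import struct

# Constants from the MS-SHLLINK specification (ShellLinkHeader and LinkFlags)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def parse_lnk(data: bytes) -> dict:
    """Parse header, StringData and ExtraData; return the strings plus the trailing bytes."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:           # IDListSize (2 bytes) followed by the item list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, name in STRING_FIELDS:              # each: CountCharacters + characters, no terminator
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            raw = data[pos:pos + (count * 2 if unicode else count)]
            pos += len(raw)
            fields[name] = raw.decode("utf-16-le" if unicode else "cp1252")
    # ExtraData: size-prefixed blocks closed by a terminal block whose BlockSize is < 4
    while pos + 4 <= len(data):
        size = struct.unpack_from("<I", data, pos)[0]
        if size < 4:
            pos += 4
            break
        if pos + size > len(data):
            break  # not a real block: whatever follows was appended to the file
        pos += size
    fields["trailing"] = data[pos:]
    return fields


def triage_lnk(data: bytes) -> dict:
    """Recover the command line and any appended base64 blob from a shortcut."""
    fields = parse_lnk(data)
    compact = re.sub(rb"[\r\n]", b"", fields["trailing"])  # certutil -decode accepts wrapped lines
    runs = BASE64_RUN.findall(compact)
    blob = b""
    if runs:
        longest = max(runs, key=len)
        blob = base64.b64decode(longest + b"=" * (-len(longest) % 4))
    return {
        "arguments": fields.get("arguments"),
        "blob_size": len(blob),
        "blob_is_cab": blob[:4] == b"MSCF",  # cabinet signature: what expand.exe would unpack
    }


def make_constructed_sample(arguments="/c echo triage-sample",
                            payload=b"constructed payload placeholder " * 4) -> bytes:
    """Build a minimal benign .lnk with an appended, line-wrapped base64 blob (test input only)."""
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", HAS_ARGUMENTS | IS_UNICODE)
    header += bytes(0x4C - len(header))          # attributes, timestamps, size, icon, hotkey, reserved
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    terminal_block = struct.pack("<I", 0)
    encoded = base64.b64encode(payload)
    wrapped = b"\r\n".join(encoded[i:i + 64] for i in range(0, len(encoded), 64))
    return header + string_data + terminal_block + b"\r\n" + wrapped + b"\r\n"


if __name__ == "__main__":
    print(triage_lnk(make_constructed_sample()))
```

Run triage_lnk() on the bytes of a suspect .lnk rather than double-clicking it; the arguments field is where a one-line command chain like the one above shows up, and a non-zero blob_size with blob_is_cab set reproduces the certutil-then-expand stage without executing anything.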

JS file

The JavaScript file performs the following commands:

  • Create “d3reEW.exe” in “C:\Users\Public\Downloads” and store “cmd /c ipconfig” in it.
  • Execute the dropped “svchast.exe”.
  • Copy “svchast.exe” into the startup directory and rename it as “officeupdate.exe”.
  • Add “officeupdate.exe” to scheduled tasks.
  • Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
Figure 6: JS content

Figure 7: POST request
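The command chains listed for the LNK file and for the JavaScript stage leave a recognisable trail in process-creation telemetry. The detection logic below is an added example written for this post, not a Malwarebytes rule: it scores Sysmon-style Event ID 1 records for a renamed certutil.exe (the OriginalFileName from the PE version resource still reads CertUtil.exe), a certutil -decode invocation, a wildcard copy matching *ertu*, expand.exe run with -F:*, a script host launched from C:\Users\Public, and cmd.exe spawned by an archiver. SAMPLE_EVENTS is constructed from the chain described above (the file names are those in the post; the user profile, system paths and the parent process are assumptions) and is not captured telemetry.

```python
import ntpath
import re

# Constructed Sysmon-style process-creation records (Event ID 1 fields) modelled on the
# command chain in the post. File names come from the post; the user profile, system
# paths and parent processes are assumed. This is not captured telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe", "original_file_name": "Cmd.Exe",
     "parent_image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "command_line": r"cmd.exe /c copy /y C:\Windows\System32\*ertu*.exe %TEMP%\gosia.exe"},
    {"image": r"C:\Users\victim\AppData\Local\Temp\gosia.exe", "original_file_name": "CertUtil.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"gosia.exe -decode cSi1rouy4.tmp o423DFDS4.tmp"},
    {"image": r"C:\Windows\System32\expand.exe", "original_file_name": "expand.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"expand.exe o423DFDS4.tmp -F:* %TEMP%"},
    {"image": r"C:\Windows\System32\wscript.exe", "original_file_name": "wscript.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"wscript.exe C:\Users\Public\Downloads\34fDKfSD38.js"},
    {"image": r"C:\Windows\System32\notepad.exe", "original_file_name": "NOTEPAD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"notepad.exe notes.txt"},
]

ARCHIVE_TOOLS = {"winrar.exe", "7zfm.exe", "7z.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
PUBLIC_DIR = re.compile(r"c:\\users\\public\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return ntpath.basename(path).lower()


def score_event(ev: dict) -> list:
    """Return the names of the rules one process-creation event matches."""
    image, parent = basename(ev["image"]), basename(ev["parent_image"])
    cmd = ev["command_line"].lower()
    original = ev.get("original_file_name", "").lower()
    hits = []
    if original == "certutil.exe" and image != "certutil.exe":
        hits.append("renamed_certutil")            # version info survives the copy to gosia.exe
    if original == "certutil.exe" and "-decode" in cmd:
        hits.append("certutil_decode")
    if "*ertu*" in cmd:
        hits.append("wildcard_certutil_copy")      # copy command that never spells certutil.exe
    if image == "expand.exe" and "-f:*" in cmd:
        hits.append("expand_cab_extract")
    if image in SCRIPT_HOSTS and PUBLIC_DIR.search(cmd):
        hits.append("script_host_from_public")
    if image == "cmd.exe" and parent in ARCHIVE_TOOLS:
        hits.append("cmd_spawned_by_archiver")     # shortcut launched from inside the RAR
    return hits


def hunt(events, min_hits: int = 1) -> list:
    """Return (image, matched rules) for every event reaching min_hits."""
    findings = []
    for ev in events:
        hits = score_event(ev)
        if len(hits) >= min_hits:
            findings.append((ev["image"], hits))
    return findings


if __name__ == "__main__":
    for image, hits in hunt(SAMPLE_EVENTS):
        print(image, "->", ", ".join(hits))
```

The renamed_certutil rule is the one that survives the “*ertu*.exe” trick, because it keys on the OriginalFileName field rather than on the image name or the command line; the other rules are cheap individually and are best used together (min_hits above 1, or correlation on the parent chain) to keep noise from legitimate expand.exe and wscript.exe use low.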

svchast.exe

Svchast.exe is a small loader that loads the content of the shellcode stored in “63DF3DFG.tmp”.

Figure 8: Main function of svchast.exe

In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.

Figure 9: Calling final shellcode

The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.

Figure 10: Resolving the imports

Figure 11: Allocate memory for new thread

Finally, it calls “CreateThread” to create a thread within its memory space that makes HTTPS requests to its C&C server.

Figure 12: CreateThread

At the time of analysis, the server was down, so we weren’t able to clearly identify the ultimate goal of this attack.

Chaining techniques for evasion

While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.

We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.


IOCs

CV_Colliers.rar
df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d

Project link and New copyright policy.rar
c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04

Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9

Tokbox icon – Odds and Ends – iOS – Zeplin.lnk
1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81

International English Language Testing System certificate.pdf.lnk
c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b

Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6

Conversations – iOS – Swipe Icons – Zeplin.lnk
c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5

C2 domains (ipconfig exfiltration)
sixindent[.]epizy[.]com
goodhk[.]azurewebsites[.]net
zeplin[.]atwebpages[.]com

C2s used by svchast.exe
45.76.6[.]149
www.comcleanner[.]info

MITRE ATT&CK techniques

Tactic               | ID    | Name                                    | Details
---------------------|-------|-----------------------------------------|------------------------------------------------------------------------
Execution            | T1059 | Command-Line Interface                  | Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution
Execution            | T1106 | Execution through API                   | Application (AcroRd32.exe) launched itself
Execution            | T1053 | Scheduled Task                          | Loads the Task Scheduler DLL interface (Officeupdate.exe)
Execution            | T1064 | Scripting                               | Executes scripts (34fDFkfSD38.js)
Execution            | T1204 | User Execution                          | Manual execution by user (opening LNK file)
Persistence          | T1060 | Registry Run Keys / Startup Folder      | Writes to a start menu file (Officeupdate.exe)
Persistence          | T1053 | Scheduled Task                          | Uses Task Scheduler to run other applications (Officeupdate.exe)
Privilege Escalation | T1053 | Scheduled Task                          | Uses Task Scheduler to run other applications (Officeupdate.exe)
Defense Evasion      | T1064 | Scripting                               | Executes scripts (34fDFkfSD38.js)
Defense Evasion      | T1140 | Deobfuscate/Decode Files or Information | certutil to decode Base64 binaries, expand.exe to decompress a CAB file
Discovery            | T1012 | Query Registry                          | Reads the machine GUID from the registry
Discovery            | T1082 | System Information Discovery            | Reads the machine GUID from the registry
Discovery            | T1016 | System Network Configuration Discovery  | Uses IPCONFIG.EXE to discover IP address

The post New LNK attack tied to Higaisa APT discovered appeared first on Malwarebytes Labs.