Malware Bytes

The story of ZeroLogon

Malware Bytes Security - Tue, 01/19/2021 - 1:37pm

This is the story of a vulnerability that was brought about by the incorrect use of an encryption technique. After it was discovered by researchers, the vulnerability was patched and that should have been the end of the story. Unfortunately the patch caused problems of its own, which made it very unpopular. Cybercriminals seized the opportunity to use the vulnerability for their own purposes. This is the story of ZeroLogon.

What is ZeroLogon?

The ZeroLogon vulnerability was discovered by researchers at Secura and is listed in the Common Vulnerabilities and Exposures (CVE) database under CVE-2020-1472:

“An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka ‘Netlogon Elevation of Privilege Vulnerability’.”

The vulnerability stems from a cryptographic flaw in Microsoft’s Active Directory Netlogon Remote Protocol (MS-NRPC), which allows users to log on to servers that are using NTLM (NT LAN Manager). Researchers explained that the issue lies in the incorrect use of AES-CFB8 encryption, which requires a randomly generated initialization vector for each authentication message. Sadly, Windows didn’t take this requirement into consideration. An attacker can use zeros for the initialization vector, allowing them to take over a domain controller in a matter of seconds.
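To make the flaw concrete, here is an added example (not from the post or from Secura’s research) that implements CFB8 mode and measures how often an all-zero IV combined with an all-zero plaintext yields an all-zero ciphertext. It substitutes a SHA-256 keyed function for AES’s forward direction, an assumption that keeps the example dependency-free; CFB mode only ever calls that forward direction, so the CFB8 behaviour shown is the same.

```python
import hashlib
import os

BLOCK_SIZE = 16  # AES block size in bytes; the CFB shift register is one block wide


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Keyed 16-byte block function standing in for AES's encryption direction.

    Assumption for this example: CFB mode only uses the cipher's forward direction,
    so any keyed pseudorandom function shows the same CFB8 behaviour. This is NOT
    AES; swap in a real AES primitive to reproduce the exact Netlogon case.
    """
    return hashlib.sha256(key + block).digest()[:BLOCK_SIZE]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8 mode: each plaintext byte is XORed with the first byte of
    E_k(shift register); the resulting ciphertext byte is then shifted in."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = block_encrypt(key, bytes(register))[0]
        c = p ^ keystream_byte
        out.append(c)
        del register[0]
        register.append(c)
    return bytes(out)


def cfb8_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Mirror of cfb8_encrypt: the ciphertext byte, not the plaintext, feeds back."""
    register = bytearray(iv)
    out = bytearray()
    for c in ciphertext:
        keystream_byte = block_encrypt(key, bytes(register))[0]
        out.append(c ^ keystream_byte)
        del register[0]
        register.append(c)
    return bytes(out)


def zero_iv_collapses(key: bytes, length: int = 8) -> bool:
    """True when an all-zero IV and an all-zero plaintext give an all-zero ciphertext."""
    return cfb8_encrypt(key, bytes(BLOCK_SIZE), bytes(length)) == bytes(length)


def first_keystream_byte_is_zero(key: bytes) -> bool:
    """The whole outcome hinges on one byte: if E_k(0^16)[0] == 0, the first
    ciphertext byte is 0, the register stays all-zero, and every later byte is 0."""
    return block_encrypt(key, bytes(BLOCK_SIZE))[0] == 0


def weak_key_fraction(n_keys: int) -> float:
    """Fraction of keys for which the zero-IV, zero-plaintext ciphertext is all zeros.
    The key is independent of the fixed IV, so this converges to 1/256 (about 0.0039)."""
    hits = sum(zero_iv_collapses(k.to_bytes(BLOCK_SIZE, "big")) for k in range(n_keys))
    return hits / n_keys


def encrypt_with_fresh_iv(key: bytes, plaintext: bytes) -> tuple:
    """Contrast case: with a random IV per message, the ciphertext of the same
    plaintext under the same key is no longer a fixed function of the key alone."""
    iv = os.urandom(BLOCK_SIZE)
    return iv, cfb8_encrypt(key, iv, plaintext)


if __name__ == "__main__":
    print("fraction of keys with all-zero output:", weak_key_fraction(4096))
```

The decisive point is that the all-zero outcome depends on a single keystream byte, so retrying against fresh keys succeeds about once in 256 attempts.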

How bad is this vulnerability?

Very bad, is the short answer. ZeroLogon has been successfully weaponized by malware authors, who use it for the lateral infection of corporate endpoints. The sophisticated Trickbot Trojan uses ZeroLogon, which means that it can spread across a vulnerable network easily. Ryuk ransomware has also been seen using the ZeroLogon vulnerability.

Is there a patch?

Yes, but there’s a “but”. The vulnerability was actually patched in August 2020, and it wasn’t until a researcher published a report about the vulnerability in September that we started to see it used in malicious activity.

In late October, Microsoft warned that threat actors were actively exploiting systems that were unpatched against ZeroLogon privilege escalation.

In November Microsoft also added detection rules to Microsoft Defender to “detect adversaries as they try to exploit this vulnerability against your domain controllers.”

The general advice is to use Secure RPC to prevent these attacks. Secure RPC is an authentication method that authenticates both the host and the user who is making a request for a service. Secure RPC uses the Diffie-Hellman authentication mechanism, which uses DES encryption rather than AES-CFB8.

Why isn’t everything patched against ZeroLogon by now?

The problem with the patch is that it is not enough to update the server side (Domain Controller), because clients also need to be updated for the protocol to work. And even though Microsoft took care to issue patches for Windows devices, it didn’t provide a solution for legacy operating systems that are no longer supported, or for third-party products. This means that enforcing Secure RPC may break operations for these incompatible systems.

So, what’s next?

Now, Microsoft has announced that it will enforce the use of Secure RPC.

“beginning with the February 9, 2021 Security Update release we will be enabling Domain Controller enforcement mode by default. This will block vulnerable connections from non-compliant devices. DC enforcement mode requires that all Windows and non-Windows devices use Secure RPC with Netlogon secure channel unless customers have explicitly allowed the account to be vulnerable by adding an exception for the non-compliant device.”

Having read that you might be thinking: “But you said it might break incompatible systems!” True, so Microsoft has made a list of actions that will result in a detailed update plan.

The update plan outlined by Microsoft includes the following actions:

  • UPDATE your Domain Controllers with an update released August 11, 2020 or later.
  • FIND which devices are making vulnerable connections by monitoring event logs.
  • ADDRESS non-compliant devices making vulnerable connections.
  • ENABLE enforcement mode to address CVE-2020-1472 in your environment.

This probably means there is still no happy ending to this story. Addressing the non-compliant devices will not be as easy as it sounds, and in many cases it will end with sysadmins making an exception for such a device. It is advisable, however, to at least try and follow the steps, because in the end it will pay off to remove (or at least limit) the vulnerable devices and machines on your network. The cybercriminals will not let go of this treasure so easily.

Stay safe, everyone!

The post The story of ZeroLogon appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Malwarebytes targeted by Nation State Actor implicated in SolarWinds breach. Evidence suggests abuse of privileged access to Microsoft Office 365 and Azure environments

Malware Bytes Security - Tue, 01/19/2021 - 12:14pm

A nation state attack leveraging software from SolarWinds has caused a ripple effect throughout the security industry, impacting multiple organizations. We first reported on the event in our December 14 blog and notified our business customers using SolarWinds asking them to take precautionary measures.

While Malwarebytes does not use SolarWinds, we, like many other companies, were recently targeted by the same threat actor. We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments. After an extensive investigation, we determined the attacker only gained access to a limited subset of internal company emails. We found no evidence of unauthorized access or compromise in any of our internal on-premises and production environments.

How did this impact Malwarebytes?

We received information from the Microsoft Security Response Center on December 15 about suspicious activity from a third-party application in our Microsoft Office 365 tenant consistent with the tactics, techniques and procedures (TTPs) of the same advanced threat actor involved in the SolarWinds attacks.

We immediately activated our incident response group and engaged Microsoft’s Detection and Response Team (DART). Together, we performed an extensive investigation of both our cloud and on-premises environments for any activity related to the API calls that triggered the initial alert. The investigation indicates the attackers exploited an Azure Active Directory weakness that allowed access to a limited subset of internal company emails. We do not use Azure cloud services in our production environments.

Considering the supply chain nature of the SolarWinds attack, and in an abundance of caution, we immediately performed a thorough investigation of all Malwarebytes source code, build and delivery processes, including reverse engineering our own software. Our internal systems showed no evidence of unauthorized access or compromise in any on-premises and production environments. Our software remains safe to use.

What we know: SolarWinds Attackers Also Target Administrative and Service Credentials

As the US Cybersecurity and Infrastructure Security Agency (CISA) stated, the adversary did not only rely on the SolarWinds supply-chain attack but indeed used additional means to compromise high-value targets by exploiting administrative or service credentials.

In 2019, a security researcher exposed a flaw with Azure Active Directory where one could escalate privileges by assigning credentials to applications. In September 2019, he found that the vulnerability still existed and essentially led to backdoor access to principals’ credentials into Microsoft Graph and Azure AD Graph.

Third-party applications can be abused if an attacker with sufficient administrative privilege gains access to a tenant. A newly released CISA report reveals how threat actors may have obtained initial access by password guessing or password spraying in addition to exploiting administrative or service credentials. In our particular instance, the threat actor added a self-signed certificate with credentials to the service principal account. From there, they can authenticate using the key and make API calls to request emails via MSGraph.

For many organizations, securing Azure tenants may be a challenging task, especially when dealing with third-party applications or resellers. CrowdStrike has released a tool to help companies identify and mitigate risks in Azure Active Directory.

Coming together as an industry

While we have learned a lot of information in a relatively short period of time, there is much more yet to be discovered about this long and active campaign that has impacted so many high-profile targets. It is imperative that security companies continue to share information that can help the greater industry in times like these, particularly with such new and complex attacks often associated with nation state actors.

We would like to thank the security community, particularly FireEye, CrowdStrike, and Microsoft for sharing so many details regarding this attack. In an already difficult year, security practitioners and incident responders responded to the call of duty and worked throughout the holiday season, including our own dedicated employees. The security industry is full of exceptional people who are tirelessly defending others, and today it is strikingly evident just how essential our work is moving forward.


What’s up with WhatsApp’s privacy policy?

Malware Bytes Security - Mon, 01/18/2021 - 7:18am

WhatsApp has been in the news recently after changes to its privacy policy caused a surge of interest in rival messaging app Signal. Initial reports may have worried a lot of folks, leading to inevitable clarifications and corrections. But what, you may ask, actually happened? Is there a problem? Are you at risk? Or should you keep using your apps as you were previously?

Setting the scene

WhatsApp users found themselves facing down an in-app notification this past week, letting them know of upcoming privacy policy changes. The message read:

By tapping Agree, you accept the new terms, which take effect on February 8, 2021. After this date, you’ll need to accept the new terms to continue using WhatsApp. You can also visit the Help Center if you would prefer to delete your account.

Generally, I’m somewhat suspicious whenever a trusted app starts popping messages, or anything else I wasn’t expecting. After the initial burst of “Is this genuine?”, follows the part where I try to dig out the parts that have changed and see how it compares to what went before.

What worked…

Giving users a bit of time to see the upcoming changes, and work out if they want to be part of it, is good and should be encouraged. Often, privacy policy and EULA changes spring from nowhere, giving little to no time at all to digest them. Regardless of how everything else about this notification panned out, WhatsApp should be applauded for giving everyone plenty of forewarning.

…and what didn’t

The key focus of concern around the update was how data would be shared going forward. Aspects which people objected to included some data remaining on a device even after deleting an account, lines about “respecting privacy” being removed from the privacy policy, and things like phone numbers being shared with Facebook.

This would naturally be a cause for concern for some people.

The messaging fixer-upper

This situation wasn’t ideal for WhatsApp, which had to clarify the mixed messages spreading online. They stressed that the upcoming update is related to messaging businesses on WhatsApp. Messages are still subject to the same privacy they were previously, and neither WhatsApp nor Facebook can read your messages or hear your calls.

Additionally, more clarifications had to be made that the changes don’t apply to EU/EEA/UK regions despite people in those areas being shown the privacy policy popup. This is not ideal and raises questions as to why the notification was sent to everybody if it didn’t apply to everybody. All that tends to happen in those situations is people get confused and start to worry. What happens after that, is lots of articles appear explaining what to do if you want to switch to other services.

Writers have described this potential migration away from WhatsApp as “self-inflicted”, and that seems to be an accurate summary. Simply by having to explain the differences between forms of messaging, data collection is thrown into sharp relief. That is to say, you may not have known prior to this how much, or how little, your favourite apps collect.

But now you do. The data collection genie is out of the bottle, and yet it may not matter too much.

Decisions, decisions

Ultimately, people will use what they feel most comfortable with. This misstep isn’t going to kill WhatsApp, and if you still want to use it, don’t worry. It won’t be going anywhere. As with all things, informed choices are the best choices. We regularly remind people that it’s time for a security password spring clean whenever a major breach takes place.

On a similar note, this may be a good time to brush up on all those T&Cs tied to your favourite apps. Dig into what they do, which pieces of data they collect and use. At the absolute minimum, ensure your messages are as secure as can be and that only you and the recipients can read them (look for “end-to-end encryption”). Some people are fine with data collection, for others it’s a deal breaker.

Ultimately, the decision is down to you.


A week in security (January 11 – January 17)

Malware Bytes Security - Mon, 01/18/2021 - 6:30am

Last week on Malwarebytes Labs, we looked at IoT problems, Microsoft’s Patch Tuesday, and how cybercriminals want access to your cloud services. We also explored how VPNs can protect your privacy, and asked if MSPs have picked the right PSA.

Other cybersecurity news

Stay safe, everyone!


MSPs, have you picked the right PSA for you yet?

Malware Bytes Security - Fri, 01/15/2021 - 1:54pm

Not long ago, we helped MSPs pick the right remote monitoring and management (RMM) platform for them, and make it an essential part of their service toolkit. As you may recall, an RMM is a tool that helps MSPs do the work. And what better way to track the work—and other elements associated with it—than to have professional service automation (PSA) software do it for you?

“Do we really need a PSA?”

A PSA is, essentially, an all-in-one tool that helps MSPs manage an array of tasks, such as project management, collaboration, invoicing, ticketing, resource planning, and reporting and data analysis (to name a few), for every client project, throughout its lifecycle. It keeps all data and processes about a project available and linked in one place, so MSPs can see the big picture and waste no time making decisions or adjustments as needed. Some liken PSA software to Enterprise Resource Planning (ERP) software for MSPs.

Many MSPs are realizing that they have little time and patience to waste on tedious and time-consuming tasks when they could be doing more productive things. Whether you’re an organization that is just breaking into the MSP world or one with years of experience, “Do we really need a PSA?” should no longer be the question you ask.

A PSA is not just a nice-to-have anymore. It has become an integral and critical platform that MSPs must have to scale effectively and profitably. What you should be asking instead is “Which PSA is right for my business?”

Benefits of using a PSA

Gone are the days when PSAs were akin to helpdesk software. They have evolved beyond merely managing support tickets and tasks. The modern-day PSA’s kit can offer (but is not limited to) the following benefits:

  • Significantly reduced time spent searching for documentation
  • Reduced time spent on doing repetitive tasks
  • Improved service level agreements (SLAs)
  • Accurate tracking and recording of onsite services from start to finish
  • Automatic generation of billing statements
  • Efficient management of customer engagement
  • Automatic patching and system updating
  • Increased customer satisfaction
  • A uniform consolidation of data used to make mission critical decisions

Know that each PSA in the market right now offers different solutions and bundles, and that MSPs could be impacted by them differently as well.

Of course, not every benefit above is one that every MSP would want.

Not all MSPs, for example, want a suite that automatically applies patches to the system, because they would rather do some rigorous testing themselves first, before deployment. Picking the right PSA eventually boils down to what your organization needs, what you want to automate and/or improve on, and what best fits into your business practices and processes.

PSA considerations for the smart MSP

Before MSPs can take a deep dive into implementing a PSA suite, they must realize that this is no easy feat. It is a time-consuming, disruptive, and sometimes expensive task to undertake. But patience and perseverance have their rewards. Here are three simple questions MSPs should ask when deciding which PSA to pick.

“How well does it integrate with our other tools?”

While a PSA houses all of an MSP’s data under one virtual roof and boasts an assortment of other tools for their employees to use, it’s not the only system the business uses. An MSP could have its own bespoke customer relationship management (CRM) tool or use other systems from third parties, too, such as an accounting, data backup and recovery, RMM, and, of course, endpoint security software. Make sure that the PSA of your choice can achieve deep integrations with the tools you rely on.

“Is it scalable?”

Every organization’s goal is to grow its customer base, making it especially important for MSPs to have a PSA that can scale with its growth. Pick a PSA that has been designed and built with scalability in mind, so it can cope with these “growing pains”.

On an additional note, you will want to know how the cost of the PSA will change as your business grows. Make sure that it’ll still be within a reasonable budget and sustainable in the long run.

“Will it help us achieve accountability and efficiency?”

One of the main reasons for using a PSA is to bridge those gaps that are inherently found in disparate systems used by different departments in an organization. A good PSA should be able to eradicate siloed data by tracking, recording, and reporting everything. This way, employees are expected to perform tasks efficiently and in a timely manner, clients are provisioned with the best resources to get issues resolved quickly, and bills are issued accurately.

“Can it provide data that’ll help us make informed decisions?”

A PSA can also help MSPs handle unforeseen hurdles, such as customer security issues, or delays in project deliveries. Your choice of PSA should be capable of not only collecting and keeping data from different departments but also processing, analyzing, and presenting it to your users in a way that shows trends, reveals problem points, and forecasts needs, so that you can make improvements, create plans months ahead, and effectively respond to security threats.

All we need is time

Of all the different assets MSPs must manage efficiently in order to be profitable and remain competitive, the most important is time. And what better way to manage time than to automate important but mundane daily tasks, so employees can make better use of their time and provide a higher level of security to customers? That said, the choice of investing or not investing in a PSA is no longer up for debate for MSPs. The benefits of having one as part of your toolkit far outweigh the costs and initial challenges that naturally come with change. At the end of the day, you’ll be glad you went for one.


How a VPN can protect your online privacy

Malware Bytes Security - Fri, 01/15/2021 - 10:08am

Have you ever experienced the feeling of relief that comes when you do something silly, but you’re glad you did it where people don’t know you? Or maybe you wished you were somewhere like that, but alas…

That is what a Virtual Private Network (VPN) can do for you: it can put you in a place where you are unknown.

To determine if and when you need a VPN, you must define what your goal is. If your main goal is to improve your privacy online, then a VPN is one of the possible solutions. Privacy is a right that is yours to value and defend. If you don’t fall into the categories of people who say “I have nothing to hide” or “they already know everything about me” then you may care enough about your privacy to use a VPN.

For the latest Malwarebytes Labs reader survey we asked “Do you use a VPN?” 2,330 responded and an impressive 36 percent said they now used a VPN. For perspective, ten years ago, only 1.5 percent of Americans used VPNs.

So, how does a VPN work?

In short and easy terms, a VPN acts as a middle-man between a user and the Internet. When the user wants to visit a site, they send information to the VPN over an encrypted connection, the VPN visits the site, and then it sends the data to the user over the same encrypted connection. These connections are not limited to web browsing, even though that is the first one that usually comes to mind.

In this post we will focus on the consumer using a VPN to browse the web. But it is good to know that many organizations use a VPN to allow secure, remote access to company resources. For example, an employee working from home can log in on a VPN to get access to systems, files or email.

Hide your IP address

Your IP address is the address your home network uses on the Internet. It is usually assigned to you by your Internet Service Provider (ISP). The first thing a website you visit will receive is your IP address, because it’s the return address for the information that you requested. If you are using a VPN the website will receive the IP address of the VPN server instead. The VPN will reroute the information so that it reaches your screen, without the website ever seeing your IP address.

Not everyone is willing to share their IP address because it can be used to determine their approximate location, and to identify their ISP (who can, in turn, identify who the IP is assigned to).

Hide your traffic from your ISP

Speaking of which, people who distrust their ISP and don’t want them to know which sites they’re visiting route their traffic through a VPN. The encrypted tunnel between the user and the VPN stops anyone, including their ISP, from seeing their traffic. And this isn’t a theoretical or unlikely problem: in the USA, ISPs can sell information about their users’ browsing habits to the highest bidder.

If you use a VPN to hide your traffic from your ISP it’s important to keep in mind that you are now putting your trust in the hands of that VPN provider instead. In theory, the VPN provider can now track your online behavior.

Pretend to be in another country

Another reason we often hear for using a VPN is when you want to pretend you are in another country. Certainly, a VPN is the easiest solution to accomplish that. Some websites or services are only available in certain territories (geofenced), so pretending to be somewhere you aren’t can give you access to resources that would otherwise be hidden from you.

Imagine being a foreign correspondent in a country where news media from abroad are blocked or redacted. Or you are having a vacation in a country where Facebook is forbidden, and you want to check up on your family and friends. That is where using a VPN comes in very handy. Keep in mind however that in many such countries the use of a VPN is forbidden as well and using one could get you into trouble.

Disadvantages of using a VPN

So far, we have discussed the advantages and reasons for choosing a VPN. Why does there always have to be a downside? In this case, it’s a typical you win some, you lose some scenario.

  • It can make browsing slower. Even though Internet traffic can theoretically move at the speed of light, taking a detour takes time. Using a VPN can have a performance impact that varies from hardly noticeable to considerable. This is another point to research when you are deciding which one to use.
  • Some websites will block known VPN servers. Usually this is for reasons that would be grounds for not wanting to visit those sites anyway, but it can be annoying to disable your VPN for a specific site.
  • Some sites don’t work correctly. Some sites are designed without considering that a visitor might be using a VPN. This can sometimes result in a partial loss of the information being sent back and forth so you may have to fill out a form twice or you may have to temporarily disable the VPN to complete the data transaction.
  • Overconfidence can come back to bite you. Just because you are hiding behind a VPN, that doesn’t mean it’s impossible to find out who you are. And if your actions might put you in danger where you are using the VPN, some extra measures may be needed.

Choosing a VPN

To achieve the goal of enhancing privacy it is most important to choose a VPN that you can trust. A VPN provider that logs your activities and either sells them to advertisers or surrenders them to the authorities may not have the same goals as you do.

Another important feature for a VPN is that it encrypts the traffic between your computer and the VPN server, so that nobody can tap into the connection to find out what you are doing. That encryption stops at the VPN server, so anyone with access to that server can see or modify the traffic. Again, putting too much trust in such a feature can prove to be misguided.

To go back to our comparison, even if they can’t conclusively prove that it was you, sometimes a strong suspicion can be just as damaging for your reputation.

Stay safe, everyone!


Cybercriminals want your cloud services accounts, CISA warns

Malware Bytes Security - Thu, 01/14/2021 - 3:29pm

On January 13 the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about several recent successful cyberattacks on various organizations’ cloud services.

What methods did the attackers use?

In the initial phase, the victims were targeted by phishing emails trying to capture the credentials of a cloud service account. Once the attackers had stolen a set of valid credentials, they logged into the compromised account and used it to send phishing emails to other accounts within the organization. Those phishing emails used links to what appeared to be existing files on the organization’s file hosting service.

In some cases, threat actors modified victims’ email rules. On one user’s account an existing rule was set up to forward mail to their personal account. The threat actors updated the rule to forward all email to their own accounts. In other cases, the attackers created new rules that forwarded mails containing certain keywords to their own accounts.
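Added example, not from the post or from CISA: a small detector for the rule changes just described (and for the advice to sanitize forwarding rules later in the post), run over constructed, simplified audit records modelled on Exchange Online’s New-InboxRule and Set-InboxRule events. The internal domain, addresses, client IPs and exact field layout are assumptions made for the example.

```python
import json
import re

# Assumption for this example: the organisation's own mail domains.
INTERNAL_DOMAINS = {"example-corp.com"}

# Inbox-rule parameters that send a copy of a message elsewhere or redirect it.
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed, simplified audit records (one JSON object per line) in the spirit
# of Exchange Online's inbox-rule events. Not real data.
SAMPLE_AUDIT_LINES = [
    '{"CreationTime": "2021-01-05T09:12:44", "Operation": "New-InboxRule", '
    '"UserId": "alice@example-corp.com", "ClientIP": "203.0.113.7", "Parameters": ['
    '{"Name": "Name", "Value": "Invoices"}, '
    '{"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"}, '
    '{"Name": "ForwardTo", "Value": "collector@mail-drop.example"}, '
    '{"Name": "DeleteMessage", "Value": "True"}]}',
    # An existing rule that forwarded to a personal mailbox is edited to add the attacker.
    '{"CreationTime": "2021-01-05T09:20:10", "Operation": "Set-InboxRule", '
    '"UserId": "bob@example-corp.com", "ClientIP": "203.0.113.7", "Parameters": ['
    '{"Name": "Identity", "Value": "Copy to personal"}, '
    '{"Name": "ForwardTo", "Value": "bob.home@personal-mail.example;ops@mail-drop.example"}]}',
    # Benign: moves newsletters to a folder.
    '{"CreationTime": "2021-01-05T10:01:33", "Operation": "New-InboxRule", '
    '"UserId": "carol@example-corp.com", "ClientIP": "198.51.100.20", "Parameters": ['
    '{"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Reading"}]}',
    # Benign: redirect stays inside the organisation.
    '{"CreationTime": "2021-01-05T10:05:00", "Operation": "New-InboxRule", '
    '"UserId": "dave@example-corp.com", "ClientIP": "198.51.100.21", "Parameters": ['
    '{"Name": "Name", "Value": "Helpdesk"}, {"Name": "RedirectTo", "Value": "helpdesk@example-corp.com"}]}',
]


def params(record: dict) -> dict:
    """Flatten the Parameters list into a plain name -> value dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def external_recipients(value: str) -> list:
    """Addresses in a forwarding parameter whose domain is not one of ours."""
    return [a for a in EMAIL_RE.findall(value)
            if a.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS]


def find_external_forwarding(lines) -> list:
    """Flag any created or modified inbox rule that sends mail outside the organisation."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = params(rec)
        targets = []
        for name in FORWARDING_PARAMS:
            if name in p:
                targets.extend(external_recipients(p[name]))
        if not targets:
            continue
        findings.append({
            "time": rec["CreationTime"],
            "user": rec["UserId"],
            "operation": rec["Operation"],
            "rule": p.get("Name") or p.get("Identity"),
            "external_targets": sorted(set(targets)),
            "keywords": p.get("SubjectContainsWords"),   # keyword-triggered forwarding
            "deletes_original": p.get("DeleteMessage") == "True",  # hides the copy from the owner
            "client_ip": rec.get("ClientIP"),
        })
    return findings


def shared_source_ips(findings) -> set:
    """Client IPs that set up forwarding for more than one mailbox: a sign of one
    operator working through several compromised accounts."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f["client_ip"], set()).add(f["user"])
    return {ip for ip, users in by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    hits = find_external_forwarding(SAMPLE_AUDIT_LINES)
    for h in hits:
        print(h)
    print("shared source IPs:", shared_source_ips(hits))
```

Forwarding to a user’s own personal mailbox is flagged too; that is intentional, since such rules are exactly the ones the report describes being hijacked.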

As an alternative to the phishing attempts, attackers also used brute force attacks on some accounts.

Perhaps most eye-catching of all though, in some cases multi-factor authentication (MFA) logins were defeated by re-using browser cookies. These attacks are called “pass-the-cookie” attacks and rely on the fact that web applications use cookies to authenticate logged-in users.

Once a user has passed an MFA procedure, a cookie is created and stored in a user’s browser. Browsers use the cookie to authenticate each subsequent request, to spare visitors from having to log in over and over again in the same session. If an attacker can capture an authentication cookie from a logged-in user they can bypass the login process completely, including MFA checks.

Who is behind these attacks on cloud services?

Even though the attacks that CISA noticed had some overlap in the tactics they used, it is unlikely that they were all done by the same group. While some were clear attempts at a business email compromise (BEC) attack, there could be other groups active that are after different targets.


Educate users on cybersecurity in general and point out the extra risks that are involved in working from home (WFH). For these specific attacks, extra training to recognize phishing certainly wouldn’t hurt.

Use a VPN to access an organization’s resources, such as its file hosting service. The temptation to leave these resources openly accessible for remote employees is understandable, but dangerous.

Sanitize email forwarding rules or at least let the original receiver of the mail be notified when a forwarding rule has been applied. If there are rules against forwarding mails outside of the environment (and maybe there should be) it should not be too hard to block them.

Use MFA to access all sensitive resources. (It’s important to note that although the CISA report mentions a successful attack where MFA was bypassed, it also mentions unsuccessful attacks that were defeated by MFA.)

Ensure resources are only accessible to people authorized to use them, and enable logging so you can review who has used their access.

Set the lifespan of authentication cookies to a sensible time: short enough that stale cookies are of little use to an attacker, but not so short that legitimate users are constantly logged out.

Verify that all cloud-based virtual machine instances with a public IP do not have open Remote Desktop Protocol (RDP) ports. Place any system with an open RDP port behind a firewall and require users to use a VPN to access it through the firewall.
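Added example (not from the post or the CISA report) of the cookie-lifetime advice above: a signed session cookie with both an absolute and an idle lifetime, showing how long a cookie captured right after login stays replayable. The secret, the two lifetimes and the user names are assumptions made for the example; a real deployment would add server-side revocation on top.

```python
import base64
import hashlib
import hmac
import json

# Assumptions for this example: a constructed server secret and two lifetimes.
SERVER_KEY = b"constructed-demo-secret-replace-in-real-deployments"
ABSOLUTE_LIFETIME = 8 * 3600  # cookie dies 8 h after the MFA login, however active
IDLE_TIMEOUT = 30 * 60        # ...and after 30 min without a request


def _b64(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw)


def _sign(payload_b64: bytes) -> bytes:
    return hmac.new(SERVER_KEY, payload_b64, hashlib.sha256).digest()


def _pack(claims: dict) -> str:
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    return (payload + b"." + _b64(_sign(payload))).decode()


def issue_cookie(user: str, now: int, mfa_completed: bool) -> str:
    """Called once the full login has run. 'iat' never changes afterwards;
    'last' is what the idle timeout looks at."""
    return _pack({"sub": user, "iat": now, "last": now, "mfa": mfa_completed})


def validate_cookie(cookie: str, now: int):
    """Return (claims, 'ok') or (None, reason). Every reason is a stale or forged
    cookie that a replaying attacker would otherwise ride in on."""
    try:
        payload, sig_b64 = cookie.encode().split(b".", 1)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:
        return None, "malformed"
    if not hmac.compare_digest(sig, _sign(payload)):
        return None, "bad signature"
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not claims.get("mfa"):
        return None, "mfa not completed"
    if now - claims["iat"] > ABSOLUTE_LIFETIME:
        return None, "absolute lifetime exceeded"
    if now - claims["last"] > IDLE_TIMEOUT:
        return None, "idle timeout"
    return claims, "ok"


def refresh_cookie(cookie: str, now: int):
    """Sliding renewal on each request: extends 'last' but keeps 'iat', so the
    absolute lifetime still caps how long a captured cookie is usable."""
    claims, reason = validate_cookie(cookie, now)
    if claims is None:
        return None, reason
    claims["last"] = now
    return _pack(claims), "ok"


def set_cookie_header(cookie: str) -> str:
    """Browser-side attributes: Max-Age bounds the cookie's life in the browser,
    HttpOnly keeps page scripts away from it, Secure and SameSite limit where it travels."""
    return (f"Set-Cookie: session={cookie}; Max-Age={ABSOLUTE_LIFETIME}; "
            "Path=/; Secure; HttpOnly; SameSite=Strict")


def simulate_replay(captured_at: int, replay_at: int) -> str:
    """Outcome of replaying a cookie captured right after login at captured_at."""
    cookie = issue_cookie("alice@example-corp.com", captured_at, True)
    _, reason = validate_cookie(cookie, replay_at)
    return reason


if __name__ == "__main__":
    t0 = 1_610_000_000
    print(simulate_replay(t0, t0 + 600))                # ok
    print(simulate_replay(t0, t0 + IDLE_TIMEOUT + 1))   # idle timeout
```

Within the idle window a replayed cookie still works, which is the pass-the-cookie risk the report describes; the lifetimes only bound how long that window stays open.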


The CISA report also links to a downloadable copy of IOCs for those that are interested.


Microsoft issues 83 patches, one for actively exploited vulnerability

Malware Bytes Security - Wed, 01/13/2021 - 2:40pm

Every second Tuesday of the month it’s ‘Patch Tuesday’. On Patch Tuesday Microsoft habitually issues a lot of patches for bugs and vulnerabilities in its software.

It’s always important to patch, but the update that was released on January 12 is one to pay attention to. That’s because it contains a patch for a vulnerability in Windows Defender that is already being exploited in the wild.

The vulnerability in Windows Defender

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) list—a dictionary that provides definitions for publicly disclosed cybersecurity vulnerabilities and exposures. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

The vulnerability in Windows Defender was registered as CVE-2021-1647—a Remote Code Execution (RCE) vulnerability—and was found in the Malware Protection Engine component (mpengine.dll). According to Microsoft:

“While this issue is labeled as an elevation of privilege, it can also be exploited to disclose information. The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory.”

I don’t see an update for this vulnerability

If you are missing this fix in your list, it’s possible that this bug has already been patched by Microsoft on end-user systems, as the company continuously updates Defender outside of the normal monthly patch cycle. But you may want to check whether you are using a patched version.

What version of Windows Defender am I using?

The first patched version is 1.1.17700.4. If you want to make sure that you have a patched version of Windows Defender, here is how you can check this on a Windows 10 computer:

  • From the Windows Start Menu, search for Windows Security and click on the result that has the App text and the “white on blue” shield.
  • When Windows Security opens, click on the gear box icon with the Settings text at the bottom left of the Window.
  • When the Settings screen opens, click on the About link.
  • The Windows Security About page will now be open and will show the Antimalware Client Version (Microsoft Defender version), the Engine version (Scanning Engine), the Antivirus version (Virus definitions), and the Antispyware version (Spyware definitions).
  • The engine version is the one that matters here. It needs to be at 1.1.17700.4 or newer.
Finding the Windows Defender version

The rest of the Microsoft updates

The total package contained over 80 patches. Ten of them were classified as critical, which means that they could possibly be used in the future by cybercriminals to attack unpatched systems. And even the ones that are not rated as critical could put you at risk at some point. It’s always important to apply all the patches as soon as you possibly can, especially when it concerns your operating system. So, please do go install these patches as soon as possible.

Stay safe, everyone!

The post Microsoft issues 83 patches, one for actively exploited vulnerability appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Ubiquiti breach, and other IoT security problems

Malware Bytes Security - Tue, 01/12/2021 - 1:01pm

Networking equipment manufacturer Ubiquiti sent out an email to warn users about a possible data breach. The email stated there had been unauthorized access to its IT systems that are hosted with a third-party cloud provider.

Ubiquiti Networks sells networking devices and IoT devices. It did not specify which products were affected but pointed at, which is its customer web portal. The servers in this domain store user profile information for, the web portal that Ubiquiti makes available to customers who bought one of its products. From there, users can manage devices from a remote location and access a help and support portal.

According to Ubiquiti, the intruder accessed servers that stored data on users, such as names, email addresses, and salted and hashed passwords, although the company says there’s no evidence of the attacker accessing the specific databases that contained user information.

Ubiquiti advised users to change their password and enable 2FA for their Ubiquiti account. The manufacturer also warned customers who stored their physical address and phone number in their account that these may also have been accessed.

What happened exactly?

Unfortunately, there is very little other information about this breach. How many Ubiquiti users are impacted and how the data breach occurred is unknown at this time.

Image courtesy of a Ubiquiti customer

Ubiquiti’s advice

The advice provided by Ubiquiti as shown in a copy of the email is sensible:

  • Change the password.
  • Enable 2FA.
  • Don’t forget to change passwords on sites where you have used the same credentials.

Other IoT shenanigans

In other IoT news this week, a security flaw in a chastity belt for men made it possible for hackers to remotely lock all the devices in use simultaneously. The internet-linked sheath has no manual override, so owners might have been faced with the fear of having to use a grinder or bolt cutter to free themselves from its metal clamp. Luckily a workaround was provided by the Chinese developer.

Also, a group of Dutch safety experts has demonstrated that a traffic light system for bikes, connected to a smartphone app, can be hacked, potentially causing an accident. The smart system, part of which is still in the testing phase, has so far been installed by only ten local councils, but future plans include regulating all the traffic at some 1,200 crossroads via the internet to improve traffic flow.

IoT insecurity

These are all examples of IoT insecurity that reached us this week alone, and clearly there is still a lot of work to be done to improve IoT security in general.

The examples show that there are a lot of angles that attackers can look at when they want to breach devices or interfere with their operations. The Ubiquiti attack was carried out through the online customer portal. The chastity belts were operated by compromising the server that provided remote control. The Dutch white hats were able to send false information to the traffic lights by reverse engineering and altering the signal sent by the app.

Advice for IoT users

Firstly, users should ask themselves if they need the device they are buying to be an IoT device. Is the remote functionality a mere “gadget” or is it something you expect to use regularly?

Secondly, look at the manufacturer’s track record when it comes to data privacy and the nature of the data you are providing it with. If it looks dodgy, it may well be.

Stay safe, everyone!

The post Ubiquiti breach, and other IoT security problems appeared first on Malwarebytes Labs.

Categories: Malware Bytes

A week in security (January 4 – January 10)

Malware Bytes Security - Mon, 01/11/2021 - 11:01am

Last week on Malwarebytes Labs, we released survey results about VPN usage and found that 36 percent of our respondents use it. We also talked about Adobe Flash Player reaching its end of life—meaning, Adobe won’t be supporting the updating and patching of its Flash Player software; covered the ransomware attack against Funke Media Group, one of Germany’s largest publishers; and reported on a new Bitcoin sextortion scam making rounds since the eve of 2021. Lastly, we profiled the latest campaign of APT37, a North Korean threat actor, wherein they used a self-decoding VBA Office file to inject RokRat, a cloud-based RAT, onto Notepad.

Other cybersecurity news:

Stay safe, everyone!

The post A week in security (January 4 – January 10) appeared first on Malwarebytes Labs.

Categories: Malware Bytes

“I have full control of your device”: Sextortion scam rears its ugly head in time for 2021

Malware Bytes Security - Thu, 01/07/2021 - 11:38am

Malwarebytes recently received a report about a fresh spate of Bitcoin sextortion scam campaigns doing the rounds.

Bitcoin sextortion scams tend to email you to say they’ve videoed you on your webcam performing sexual acts in private, and ask you to pay them an amount in Bitcoin to keep the video (which doesn’t exist) private. This type of blackmail has become quite popular since the middle of 2018.

Sextortion scammers frequently use spoofed or made up email addresses to contact their targets. Previous campaigns have targeted those with compromised account passwords scraped from third-party breaches, minors, and other vulnerable groups. In this case, our experts believe that these emails have been targeting .org email addresses, and senior leadership almost exclusively.

From: {spoofed sender name}

Subject: I have full control of your device

Message body:


Did you notice that I sent you an email from your address? Yes, that means I have full control of your device. I am aware you watch adults [sic] content with underage teens frequently. My spyware recorded a video of you masturbating. I also got access to your address book. I am happy to share these interesting videos with your address list and social media contacts. To prevent this from happening, you need to send me 1000 (USD) in bitcoins.

Bitcoin wallet part 1: 1C1FfgyNsJGJZfuR2ePXxTraa

Bitcoin wallet part 2: CqE6WLWSM

Combine part 1 and part 2 with no space between them to get the full bitcoin wallet.

Quick tip! You can procure bitcoins from Paxful. Use Google to find it. Once I receive the compensation (Yes, consider it a compensation), I will immediately delete the videos, and you will never hear from me again. You have three days to send the amount. I will receive a notification once this email is opened, and the countdown will begin.

What we may perceive as a dime-a-dozen, cookie-cutter blackmail email may be something new to someone, especially those who aren’t aware of such a charade. Make no mistake: email scams that contain little to no actual threat towards recipients have worked repeatedly like a charm.

This is why it’s important to keep up with what’s happening in cybersecurity, how online threats affect aspects of our lives, and how we can better protect ourselves, our data, and the people around us from those who scare, threaten, and bluff their way into our wallets. Treat all emails like this with a healthy amount of skepticism and you should be able to really see the email as it truly is: a fake.


Malwarebytes has extensively written about Bitcoin sextortion scams through the years. And what we advised then is still relevant to these new sextortion scams.

Change your passwords—or, better yet, consider using a password manager to help you create and store more complicated passwords for you.

Always use multi-factor authentication (MFA) to add an extra step of security. Most companies with an online presence have this, so make full use of it.

Do not pay the scammer.

If you received a sextortion email at work, let your IT department know. If you’re in the United States, feel free to report this to the FBI’s IC3.

Our Director of Mac and Mobile, Thomas Reed, has drafted a post aimed at Mac users who have received such scammy emails and need guidance on what these are and what they need to do.

Stay safe, as always, and remain vigilant.

Bitcoin addresses related to this scam (as of this writing):

  • 1Nd3JST1daeyzmPovkRoemjysA6JfXjVRg
  • 17qBCU7Y5yrS9eimxvydRYw3XNF9meuSCY
  • 1C1FfgyNsJGJZfuR2ePXxTraaCqE6WLWSM

The post “I have full control of your device”: Sextortion scam rears its ugly head in time for 2021 appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Funke Media Group suffers nationwide ransomware attack in Germany

Malware Bytes Security - Thu, 01/07/2021 - 6:05am

On December 22, Germany’s third largest publisher fell victim to a cyberattack that affected systems in offices all around the country. The Funke Media Group publishes dozens of newspapers, like Berliner Morgenpost, Hamburger Abendblatt, and Bergedorfer Zeitung, as well as magazines, several local radio stations, and online news portals. It reaches over 3 million readers on a daily basis.

The impact of the ransomware attack

The attack hindered work at the newspaper editorial offices and halted some of its major printing houses. As a result, subscribers received only emergency issues of a few pages. Because of this impact on the printed editions of the newspapers, the publishing house has decided to temporarily remove the paywall that is normally active on its news site, so everyone has full access to all of its articles. Unlike the newspapers, the publishing of the magazines that belong to the Funke Media Group is not expected to be delayed.

The press release by Funke states that several of its main systems in offices around Germany had been encrypted. This would indicate a ransomware attack. In a later press release, Funke stated that over 6000 laptops and thousands of other systems (endpoints and servers) were affected, and that its IT staff worked with the help of cybersecurity professionals throughout the holidays to get as many systems as possible up and running again. The attack is under investigation by police.

Getting the damage undone

The IT specialists have organized wipe and rebuild lines in the style of a digital car wash. These are functional in three of the publisher’s main locations where all the laptops are checked, cleaned, re-installed, and then returned to users. On January 4, some 1200 endpoints had undergone this procedure.

As we’ve pointed out many times before, the damage that’s done by ransomware is far greater than the amount of the ransom. It takes huge efforts to get a large-scale operation up and running again, especially in this case where the victim is a wide-spread and highly computerized organization like a major publisher.

Leaked data

Many of the major current ransomware families threaten to publish stolen data in order to put greater pressure on the victim to pay the ransom. With over three million subscribers, and maybe even some interesting information unearthed by journalists, the data obtained could be very costly.

Since it’s unknown which type of ransomware was used in this attack, it is not yet possible to tell whether any data were exfiltrated during the attack, and whether any such data will be published if the Funke Media Group refuses to pay the ransom. Of course, we will keep you posted about any developments.

Stay safe, everyone!

The post Funke Media Group suffers nationwide ransomware attack in Germany appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat

Malware Bytes Security - Wed, 01/06/2021 - 10:14am

This post was authored by Hossein Jazi

On December 7, 2020, we identified a malicious document uploaded to VirusTotal that purported to be a meeting request, likely used to target the government of South Korea. The meeting date mentioned in the document was 23 Jan 2020, which aligns with the document compilation time of 27 Jan 2020, indicating that this attack took place almost a year ago.

The file contains an embedded macro that uses a VBA self-decoding technique to decode itself within the memory space of Microsoft Office without writing to disk. It then injects a variant of RokRat into Notepad.

Based on the injected payload, we believe that this sample is associated with APT37. This North Korean group is also known as ScarCruft, Reaper and Group123 and has been active since at least 2012, primarily targeting victims in South Korea.

In the past, this APT has relied on Hangul Office documents (hwp files) to target victims, as it’s software that’s commonly used in South Korea. However, in this blog we describe an interesting alternative method, delivered via self-decoding VBA Office files. To the best of our knowledge, this is a first for this APT group.

Document analysis

The actor’s macro uses the VBA self-decoding concept, first introduced in 2016: a malicious macro is encoded within another macro, which decodes and executes it dynamically.

Figure 1: Malicious document

We can consider this technique an unpacker stub, which is executed upon opening the document. This unpacker stub unpacks the malicious macro and writes it into the memory of Microsoft Office without being written to disk. This can easily bypass several security mechanisms.

Figure 2: Self decoding technique

Figure 3 shows the macro used by this document. This macro starts by calling the “ljojijbjs” function, and based on the results will take different paths for execution.

Figure 3: Encoded macro

Microsoft disables dynamic execution of macros by default, so a threat actor who needs to execute one dynamically, as is the case here, has to bypass the VB object model (VBOM) protection by modifying its registry value.

To decide whether the VBOM needs to be bypassed, the macro first tests whether the VBOM can be accessed. The “ljojijbjs” function does this by checking read access to VBProject.VBComponent. If that triggers an exception, the VBOM still needs to be bypassed (the If clause). If there is no exception, the VBOM has already been bypassed and the macro can extract its payload macro dynamically (the Else clause).

Figure 4: Check VB object model accessibility

“fngjksnhokdnfd” is called with one parameter to bypass VBOM. This function sets the VBOM registry key to one.

Figure 5: Modifying VBOM registry key

After bypassing the VBOM, it calls another function that creates a mutex on the victim’s machine via the CreateMutexA API call and names it “mutexname”. The actor could use this to make sure a victim is infected only once, but in this document we didn’t observe any evidence of the mutex being checked.

Figure 6: Mutex creation

Finally, in order to perform the self-decoding process, it needs to open itself by creating a new Application object and load the current document in it in invisible mode.

Figure 7: Self open

If the VBOM is already bypassed, the function Init is called and generates the malicious macro content in obfuscated form.

Figure 8: Obfuscated macro

In the next step, this obfuscated macro is passed to “eviwbejfkaksd” to be de-obfuscated and then executed in memory.

Figure 9: De-obfuscator

To de-obfuscate the macro, two string arrays have been defined:

  • StringOriginal which contains an array of characters before de-obfuscation
  • StringEncoded which contains an array of characters after de-obfuscation

A loop performs the de-obfuscation. For each character of the obfuscated macro it looks up that character’s index in StringEncoded, takes the character at the same index in StringOriginal, and appends it to the new macro. For example, the encoded string “gm* bf” decodes to “Option”.

Figure 10: De-obfuscation loop
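The index-substitution loop described above, re-implemented in Python as an analyst’s decoding aid. This is added example code, not the actor’s macro and not Malwarebytes’ tooling; the two tables are constructed for illustration (the real StringOriginal/StringEncoded arrays are not reproduced here) and are only built so that the pair quoted in the report, “gm* bf” to “Option”, holds. How the real macro treats a character missing from StringEncoded is not stated in the report; this example reports it as an error, which is the usual sign of a mis-copied table.

```python
"""Analyst re-implementation of a VBA index-substitution de-obfuscation loop.

Added example, not the actor's macro. Both tables below are CONSTRUCTED;
they only need to satisfy the one pair given in the report: "gm* bf" -> "Option".
"""

# Constructed plaintext alphabet (plays the macro's StringOriginal role).
STRING_ORIGINAL = "Option ExlcSubMa()\n"
# Constructed obfuscated alphabet (plays the StringEncoded role). Position i
# here corresponds to position i in STRING_ORIGINAL.
STRING_ENCODED = "gm* bfQ7z!k#R2v~[]|"

# Constructed sample of an obfuscated macro fragment, encoded with the tables above.
SAMPLE_OBFUSCATED = "gm* bfQ7zm! k *|#R2Qv~ f[]"


def check_tables(original: str, encoded: str) -> None:
    """Sanity-check a table pair copied out of a macro before trusting a decode.

    A usable substitution table is a bijection: same length on both sides and
    no repeated character in either. Anything else usually means the arrays
    were transcribed incorrectly from the document.
    """
    if len(original) != len(encoded):
        raise ValueError("table length mismatch: %d vs %d" % (len(original), len(encoded)))
    for name, table in (("StringOriginal", original), ("StringEncoded", encoded)):
        if len(set(table)) != len(table):
            raise ValueError("%s contains duplicate characters" % name)


def decode_macro(obfuscated: str, original: str = STRING_ORIGINAL,
                 encoded: str = STRING_ENCODED) -> str:
    """Replay the de-obfuscation loop: index in encoded table -> same index in original."""
    check_tables(original, encoded)
    # Precompute the per-character lookup instead of re-scanning the table in the loop.
    lookup = {ch: original[idx] for idx, ch in enumerate(encoded)}
    out = []
    for pos, ch in enumerate(obfuscated):
        if ch not in lookup:
            # Assumption of this example: unknown characters are an error, not skipped.
            raise ValueError("character %r at offset %d is not in StringEncoded" % (ch, pos))
        out.append(lookup[ch])
    return "".join(out)


def encode_macro(plain: str, original: str = STRING_ORIGINAL,
                 encoded: str = STRING_ENCODED) -> str:
    """Inverse direction: swap the tables so the same loop maps plain -> obfuscated.

    Handy for cross-checking that a recovered table pair round-trips.
    """
    return decode_macro(plain, original=encoded, encoded=original)


def mapping_from_known_pair(cipher: str, plain: str) -> dict:
    """Derive the partial substitution implied by one known cipher/plain pair.

    Starting from a pair such as "gm* bf" / "Option" lets an analyst validate
    a table pair extracted from the document: every character must map
    consistently, or the scheme is not a plain index substitution.
    """
    if len(cipher) != len(plain):
        raise ValueError("known pair lengths differ")
    mapping = {}
    for c, p in zip(cipher, plain):
        if mapping.setdefault(c, p) != p:
            raise ValueError("conflicting mapping for %r" % c)
    return mapping


if __name__ == "__main__":
    print(mapping_from_known_pair("gm* bf", "Option"))
    print(decode_macro(SAMPLE_OBFUSCATED))
```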

Following this process gives us the final macro that will be executed in the memory space of Microsoft Office. In order to execute this decoded macro, it creates a module and writes into it before calling its main function to execute the macro.

The main function defines a shellcode in hex format, and a target process which is Notepad.exe. Then, based on the OS version, it creates a Notepad.exe process and allocates memory within its address space using VirtualAlloc. It then writes the shellcode into the allocated memory using WriteProcessMemory. At the end it calls CreateRemoteThread to execute the shellcode within the address space of Notepad.exe.

Figure 11: De-obfuscated macro

Shellcode analysis (RokRat)

The shellcode injected into Notepad.exe is a variant of a cloud-based RAT known as RokRat which has been used by this group since 2017. This sample compilation date is 29 Oct 2019. This RAT is known to steal data from a victim’s machine and send them to cloud services (Pcloud, Dropbox, Box, Yandex).

Figure 12: Encoded cloud services

Similar to its previous variants, it uses several anti-analysis techniques to make sure it is not running in an analysis environment. Here are some of the checks:

  • Checking the DLLs related to iDefense SysAnalyzer, Microsoft Debugging DLL and Sandboxies
  • Calling IsDebuggerPresent and GetTickCount to identify a debugger
  • Checking VMWare related file

Figure 13: Anti-analysis techniques

This RAT has the following capabilities:

  • Capture ScreenShots
Figure 14: Capture screenshots
  • Gather system info (Username, Computer name, BIOS)
Figure 15: Gather BIOS data
  • Data exfiltration to cloud services
Figure 16: Data exfiltration
  • Stealing credentials
  • File and directory management

For more detailed analysis of this RAT you can refer to the reports from NCC Group and Cisco Talos.


The primary initial infection vector used by APT37 is spear phishing, in which the actor sends an email to a target that is weaponized with a malicious document. The case we analyzed is one of the few where they did not use Hwp files (Hangul Office) as their phish documents and instead used Microsoft Office documents weaponized with a self decode macro. That technique is a clever choice that can bypass several static detection mechanisms and hide the main intent of a malicious document.

The final payload used by this threat actor is a known custom RAT (RokRat) that the group has used in previous campaigns. In the past, RokRat has been injected into cmd.exe, whereas here they chose Notepad.exe.

Indicators of Compromise



The post Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Adobe Flash Player reaches end-of-life

Malware Bytes Security - Wed, 01/06/2021 - 5:44am

“What now? My farm is no longer working. Can you have a look, honey?”

Like millions of other people my wife likes to play online browser games. You know, the ones that don’t require a fast connection because your virtual life is not in constant danger, and an occasional harvest is enough to make progress in the game.

So, when her browser refused to open her virtual farm, and there were many, many other users like her, this caused some turmoil in the community. Especially when some of the developers acted as if it came as a surprise and took their time to decide what to do next.

Some developers took their games to another platform

Facebook and some other social platforms used to host a ton of these games and what most had in common is that they were using Adobe Flash Player for their animations. Flash let web designers and animators deliver animated content that could be downloaded relatively quickly.

But as of last month, the major browsers have stopped supporting Adobe Flash Player, after Adobe itself ended support on 31 December 2020. Adobe had announced years earlier that it would stop updating and distributing Flash Player.

What caused this end of life?

Adobe Flash Player has seen more than its fair share of exploits and vulnerabilities. Arguably, it’s because the software was so popular that it made for an attractive target, but since it was based on a 1996 release it may have become impossible to keep on patching it. Developers are changing to HTML5, and other options, to produce new content.

Advice for Flash users

Home users should uninstall Adobe Flash Player as it will no longer receive any security updates. The general feeling among security professionals is that it will not take long before unpatched vulnerabilities will be exploited in the wild. In some cases, simply having Adobe Flash Player installed is all it takes to compromise your system. So, if there are no legitimate use-cases left, don’t run the risk of having it installed. Adobe has instructions for removing Flash on Windows and Mac computers on its website.

It could be a different scenario for business users, as some companies may still be using Adobe Flash Player for internal use. As it stands, it will become increasingly difficult to maintain this situation since Adobe will prevent Flash Player from displaying content from 12 January 2021.

If your site is reliant on the plugin for developing or playing content, it’s high time to consider a revamp of your website content. Adobe has some options for its customers who were taken by surprise.

Expected cybercrime abuse

We’ve seen fake Flash Player updates for years, which are in reality bundlers that sometimes include the actual latest version of Flash but might just as easily include older versions or no version of Flash at all. We suspect these will continue to show up. They might even become more popular as people have no way of finding legitimate versions and updates.

Fake Flash Player update notice

You may also see malicious campaigns promoting alternatives for playing Flash content, which could in reality install any kind of malware or potentially unwanted program.

And there may be some exploit kits that will take it upon themselves to incorporate all the latest vulnerabilities in their setup to victimize those that still have Adobe Flash Player installed.


End-of-life (EOL) is an expression commonly used by software vendors to indicate that a product or version of a product has reached the end of its usefulness in the eyes of the vendor. Many companies, including Microsoft, announce the EOL dates for their products far in advance. Adobe announced this EOL in 2017, so most developers should have been aware. Many will be sad to see it go and some will be glad to show it the door. Our advice will be the same as always.

Stay safe, everyone!

The post Adobe Flash Player reaches end-of-life appeared first on Malwarebytes Labs.

Categories: Malware Bytes

VPN usage is increasing, says survey

Malware Bytes Security - Tue, 01/05/2021 - 11:29am

I won’t reveal my mom’s exact age, but she’s in her late 60s. Other than her phone, my mom doesn’t own or use a computer—but she knows what Zoom is. Not since “Kleenex” has a brand become so pervasive that people use the brand name as a generic term for the product. For my mom, any kind of video call is now a “Zoom.” A FaceTime call, for example, is Zoom. I’ve stopped trying to correct her.

As the world returns to work and school from the unhappiest holiday season of our lifetimes, the majority of us continue to do so remotely. Whether you’re using Zoom, Google Hangouts, or Microsoft Teams, technologies like these will continue to play a central role in the way we get things done for the foreseeable future. As we spend more and more time online, it stands to reason that we will all be exposed to a greater number of online threats (and we are, by the way).

So, what about VPNs?

Here’s why VPNs matter more than ever. A VPN, shorthand for a virtual private network, is a handy tool that allows users to send and receive data as if they were on the same network, for example, someone working from home or taking classes from home as so many of us are at the moment.

For the latest Malwarebytes Labs reader survey we asked “Do you use a VPN?” 2,330 responded and an impressive 36 percent said they now used a VPN. For perspective, ten years ago, only 1.5 percent of Americans used VPNs.

Of those who do not use a VPN, 58 percent said they at least knew what one was. That’s a long way from being the next Zoom, but VPN awareness is starting to change thanks to COVID.

Google Trends shows that searches for “VPN” and “virtual private networks” hit an all time high in March of 2020, just as stay-at-home orders were issued for the majority of the world.

With interest in VPNs rising, what’s preventing some people from actually using one?

Survey says…

Taking a deeper dive into the survey results, most of the people who said they didn’t use a VPN cited cost as the main reason for not using one:

“Peace of mind is important; but, on a limited income, it is difficult to pay out additional funds—especially during this pandemic.”

Some said they didn’t think they needed a VPN, while others still said they didn’t like how VPNs they had tried in the past slowed down their Internet speeds. This may be a legacy thing, as newer technology—like the WireGuard VPN protocol used by Malwarebytes Privacy—tends to deliver speeds faster than traditional VPNs.

Of those who used a VPN, half said they used it all the time. The top five activities for using a VPN were: making purchases online, online banking, sending email or chatting, protecting personal information from hackers, and stopping businesses or advertisers from tracking online activity.

When asked why they used a VPN, the majority of users liked the additional layer of security:

“I value my security and privacy. Having a VPN is essential for doing anything online.”

One respondent provided a useful analogy, likening VPNs to the fence around your house:

“Good fences make for good neighbors.”

As we head into 2021, will my mom casually drop “VPN” into a sentence before year’s end? That remains to be seen, but the results of our latest Malwarebytes Labs reader survey suggest VPNs might get their moment in the sun very soon.

The post VPN usage is increasing, says survey appeared first on Malwarebytes Labs.

Categories: Malware Bytes

A week in security (December 28 – January 3)

Malware Bytes Security - Mon, 01/04/2021 - 10:52am

First off we would like to wish all our readers a happy and secure 2021!

Last week on Malwarebytes Labs we presented an overview of developments in the SearchDimension hijackers, we looked at the most enticing cyberattacks of 2020, and we also looked back at the strangest cybersecurity events of 2020.

Other cybersecurity news:
  • Google patched a bug in its feedback tool that could be exploited by an attacker to potentially steal screenshots of sensitive Google Docs documents. (Source: The Hacker News)
  • Section 230: The social media law that is clogging up stimulus talks. (Source: CNet)
  • Apple has lost its copyright battle against iOS virtualization startup Corellium. (Source: TechSpot)
  • Microsoft confirmed that the suspected Russian hackers behind the SolarWinds security breach also viewed some of the company’s source code. (Source: CNN)
  • Over 100,000 Zyxel firewalls, VPN gateways, and access point controllers contain a hardcoded admin-level backdoor account that can grant attackers root access to connected devices. (Source: ZDNet)
  • A data breach broker is selling allegedly stolen user records for 26 companies on a hacker forum. (Source: BleepingComputer)
  • Hackers have livestreamed police raids on innocent households after hijacking their victims’ smart home devices and making a hoax call to the authorities. (Source: BBC News)
  • The US Department of Homeland Security (DHS) has published a guide to the risks that businesses run if they use tech created in China. (Source: The Register)

Stay safe, everyone!

The post A week in security (December 28 – January 3) appeared first on Malwarebytes Labs.

Categories: Malware Bytes

The strangest cybersecurity events of 2020: a look back

Malware Bytes Security - Thu, 12/31/2020 - 11:00am

This year is finally coming to an end, and it only took us about eight consecutive months of March to get here. There is a ton to talk about, and that’s without even discussing the literal global pandemic.

You see, 2020’s news stories were the pressure-cooker product of mania, chaos, and the downright absurd. “Murder hornets” made the journey to the US. Mystery seeds from China arrived in US mailboxes. The Pentagon officially released three videos of “unidentified aerial phenomena”—which many interpreted as three videos of alien spacecraft.

Also, a star vanished. Yes. Brighter than our sun, nestled into the same distant galaxy that cradles the constellation of Aquarius, and glinting a pale, cornflower blue onto its neighbors, the massive star simply disappeared one day. No supernova. No stellar collapse. No black hole.

Honestly? Bravo, star.

So, in a year unbridled in strangeness, it only fits that the cybersecurity events we witnessed produced equally head-scratching responses. The following cybersecurity events of 2020 that we’ve collected for you are not the most destructive or the most shocking, or the most attractive, like we covered earlier this week. They are, instead, the mysteries, the embarrassments, and the face-palms.

They are the events that made us collectively say: “Wait… seriously?”

A digital vaccine for a physical illness

We hate to start our jovial list with coronavirus news, but this one was too incredible to pass up.

In late March, we found threat actors trying to convince unsuspecting victims to install an alleged digital antivirus tool to protect themselves from the physical coronavirus. In the scheme, scam artists built a malicious website that advertised “Corona Antivirus -World’s best protection.”

The website also claimed:

“Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running.”


What threat actors were hiding behind the website was an attempt to install the BlackNET Remote Access Trojan, which can deploy DDoS attacks, take screenshots, execute scripts, implement a keylogger, and steal Firefox cookies, passwords, and Bitcoin wallets.

TikTok: an on-again, off-again relationship

Back in December of 2019, the US Army banned its members from downloading the massively popular video sharing app TikTok on government-issued devices. At the time, Army spokesperson Lieutenant Colonel Robin Ochoa described the app to the outlet as “a cyberthreat.”

Fast forward several months to the start of summer, when TikTok then received the worst kind of attention that any up-and-coming app can receive: that from a devoted Reddit user. The Reddit user claimed to have “reverse-engineered the app,” and said that TikTok was nothing more than “a data collection service that is thinly-veiled as a social network.” The app allegedly collected tons of data about users’ phones, the other apps they’ve installed, their network, and some GPS info.

The negative attention piled onto TikTok until, in August, President Donald Trump said he would ban the app from the US market.

With deadlines pressing, TikTok entered a flurry of sales talks, meeting with Microsoft, Oracle, and even Wal-Mart. A deal was initially struck with Oracle and Wal-Mart, with sign-off from the President granted partly in September. But the deal at the time still needed approval from a committee here in the US called the Committee on Foreign Investment in the United States, or CFIUS.

The way TikTok tells the story, that committee ghosted the company for months. As the company told the outlet The Verge:

“In the nearly two months since the President gave his preliminary approval to our proposal to satisfy those concerns, we have offered detailed solutions to finalize that agreement – but have received no substantive feedback on our extensive data privacy and security framework.”

So, did the administration claim a national security threat and then just… forget about it?

Data leakers suffer leaked data

In January, the FBI seized the domain of WeLeakData, a website which claimed to have more than 12 billion records containing personal information pilfered from more than 10,000 data breaches. The website offered a “subscription” service, letting users buy access to the database for months at a time.

It was a pretty nefarious service and after the FBI seized the domain, the saga actually continued in May.

You see, an older database of WeLeakData itself actually leaked online, including information belonging to countless users who bought WeLeakData’s subscription services. Now, the tables had turned—login names, email addresses, hashed passwords, IP addresses, and even private messages between users were being sold and purchased online.

Shade ransomware operators turn to the light

In April, a group that claimed to have developed the Troldesh ransomware—also known as the Shade ransomware—publicly published all of its remaining decryption keys for anyone still suffering from an earlier attack.

Posting on GitHub, the group said:

“We are the team which created a trojan-encryptor mostly known as Shade, Troldesh or Encoder.858. In fact, we stopped its distribution in the end of 2019. Now we made a decision to put the last point in this story and to publish all the decryption keys we have (over 750 thousands at all). We are also publishing our decryption soft; we also hope that, having the keys, antivirus companies will issue their own more user-friendly decryption tools. All other data related to our activity (including the source codes of the trojan) was irrevocably destroyed. We apologize to all the victims of the trojan and hope that the keys we published will help them to recover their data.”

The decryption keys were real, and were even used by Kaspersky to help develop a decryption tool, which, in time, would be used by the No More Ransom initiative which helps victims of ransomware retrieve encrypted data without having to pay a ransom.

So, what changed these threat actors into threat solvers? A sudden clarity of the conscience? Or was it that Troldesh wasn’t really paying out anymore, so it wasn’t worth the trouble of keeping it running?

We don’t know, but we’re happy either way.

One password to ruin them all

Earlier this month, Florida police raided the home of former government data scientist Rebekah Jones who, after being fired in May, had continued to post statistics about the state’s COVID-19 cases and deaths. The police said they investigated Jones because she had allegedly gained unauthorized access into the state’s emergency-responder system to send a wide alert to government employees.

But, according to Jones, that’s not true. Jones told CNN that she did not access the state’s emergency-responder system, and that she did not author the widely sent message.

When The Tampa Bay Times followed up with the Florida police to ask what measures they had implemented to safeguard the system, the police were tight-lipped.

According to Ars Technica, that stonewalling might be because the actual truth was far too embarrassing: Every single employee who logs into the system uses the same username and password, both of which are available to the public online.

Source: Ars Technica

Where’s the face-palm emoji?

Of printers and problems

This Fall, we started getting reports about a new type of malware that we were allegedly not detecting, which was instead being reported by the built-in anti-malware features on macOS.

When we investigated further, though, we found that most of these “malware” reports were related to Hewlett-Packard (HP) printing drivers, and that many of the messages that users received generally popped up whenever those users had tried to print something on their HP printers. Curious, no?

The problem, we found, lay within certificates. What’s that? Allow us to explain.

Certificates help keep the Internet running. They are a way to verify that the server you connect to is really owned and operated by the business you’re trying to communicate with, like, say, your online bank. But for years now, Apple has increasingly pushed software developers into using certificates to cryptographically sign and verify their own software. Without developer signoff, software users will have a ton of trouble using that software on Apple devices.

Back to the HP printer problem. It turns out that an HP certificate that was used to sign HP drivers had been revoked. By whom, you ask?

By HP! Seriously. As the company told The Register:

“We unintentionally revoked credentials on some older versions of Mac drivers. This caused a temporary disruption for those customers and we are working with Apple to restore the drivers.”

Unfortunately, we’re still getting reports of these problems today, and threat actors are jumping on the opportunities, setting up malicious websites that promise to fix the problem.

Dead eye

This is more of a digital surveillance story than a straight cybersecurity tale, but it deserved a place on our list as an honorable mention. This year, Motherboard revealed that a secretive company had been selling stealthy surveillance products to cops.

The products? Cameras hidden within vacuum cleaners, baby car seats, and gravestones.

Source: Motherboard


To a new year

We’re almost in 2021, but a new day doesn’t magically bring new, improved cybersecurity across the globe. Instead, read the news, install antivirus, and protect yourself online. It’s the most clear-headed advice out there.

The post The strangest cybersecurity events of 2020: a look back appeared first on Malwarebytes Labs.

Categories: Malware Bytes

The most enticing cyberattacks of 2020

Malware Bytes Security - Wed, 12/30/2020 - 11:00am

In 2020, we experienced a major shift. Much of the world pitched in to limit the spread of the coronavirus, with people changing their daily routines to include a mixture of working from home, standing in socially-distanced lines, and awaiting local rules about what they could and could not do with members of different households.

It was a stressful and confusing time, and during it, cybercriminals adapted—sometimes a little too well.  

Today, we’re going to talk about some of the most nefarious and shameful tricks we saw online in 2020. What we’re sharing is not a list of the most destructive attacks or the most serious—as that list would certainly be topped by the recent SolarWinds attack. Instead, this is a list of the cyberattacks and cyberattack techniques that surprised us, whether because of their near-imperceptibility, or because of their severe harshness.

These are the most enticing—or the most impossible-to-ignore—cyberattack lures and cyberattack capabilities of 2020.

Coronavirus, coronavirus, coronavirus

Beginning in February, Malwarebytes and many other cybersecurity researchers had already recorded a significant uptick in coronavirus lures being used to trick people into opening malicious emails and visiting dangerous websites.

First up, we found cybercriminals who impersonated the World Health Organization to distribute a fake coronavirus e-book. That attack vector must have worked, because in the same month, cybercriminals again impersonated the World Health Organization to spread the invasive keylogger Agent Tesla.

Other, similar efforts included impersonations of a nondescript “Department of Health” with pleas for donations, and reportedly Pakistani state-sponsored threat actors spreading a Remote Administration Tool through a coronavirus-themed spearphishing campaign. In fact, even the operators of the most-wanted cyberthreats Emotet and TrickBot switched up their lure language to focus on coronavirus.

One of the many impersonations found online immediately following the pandemic

We see this story during every major crisis: A panicked and confused public look for answers anywhere, including their inboxes. By taking advantage of this fear, threat actors are able to swindle countless victims who only wanted some guidance and clarity in their lives.

Tupperware credit card skimmer just one of many similar attacks

In the earliest days of responding to the coronavirus pandemic, local and state governments across the world began shutting down non-essential storefronts in an effort to limit the spread of COVID-19. While grocery stores and pharmacies remained open, other retail stores were sometimes forced to shift to an entirely online business model, since foot traffic became non-existent. This meant more stores selling more items online, and more people making their purchases on the Internet.

But where online shopping increased, so did attempts to steal online credit card data.

In March, Malwarebytes uncovered an active cyberattack against the food storage product-maker Tupperware. In the attack, threat actors managed to compromise Tupperware’s primary website by inserting a malicious code within an image file that would trigger a fraudulent payment form during the checkout process.

To unsuspecting users, the cyberheist was nearly undetectable. Upon trying to check out from Tupperware’s online store, victims would first be shown a fraudulent but convincing payment form that asked for their credit card number, expiration date, and three-digit security code.

The rogue payment form that greeted victims of the attack on Tupperware

After victims confirmed their credit card details, they then received a warning notice that the website had timed out, and that they had to enter their credit card details a second time. Though this second payment form was actually legitimate, it was too late—the cyberthieves already had what they wanted.

The Tupperware attack was just one of many similar attacks in 2020. In fact, in March alone, we recorded a 26 percent increase in credit card skimming attacks compared to the month earlier. And February itself wasn’t a quiet month, as we also found threat actors hiding a credit card skimmer within a fake content delivery network.
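As an added example (not code from the original post or from Malwarebytes), a small Python check aimed at the trick described above: an image file that carries script after the end of the real image data. It walks the PNG chunk list up to the IEND chunk and reports any trailing bytes that contain script-like markers. The sample PNG, the appended trailer and the marker list are constructed here for the example.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Constructed heuristic: strings that have no business sitting behind an image.
SUSPICIOUS_MARKERS = (b"<script", b"document.", b"eval(", b"atob(",
                      b"XMLHttpRequest", b"fetch(")


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(trailer: bytes = b"") -> bytes:
    """Constructed 1x1 RGB PNG with optional bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")            # filter byte + 1 pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
            + _chunk(b"IEND", b"") + trailer)


def png_trailing_data(blob: bytes) -> bytes:
    """Return every byte that follows the IEND chunk (b'' for a clean file)."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 8 + length + 4
        if end > len(blob):
            raise ValueError("truncated chunk")
        expected = struct.unpack(">I", blob[end - 4:end])[0]
        if expected != (zlib.crc32(blob[pos + 4:end - 4]) & 0xFFFFFFFF):
            raise ValueError(f"bad CRC in chunk {ctype!r}")
        pos = end
        if ctype == b"IEND":
            return blob[pos:]
    raise ValueError("no IEND chunk")


def scan_png(blob: bytes) -> dict:
    """Flag a PNG only when trailing data exists AND it looks like script.

    Some tools append harmless metadata after IEND, so the byte count is
    reported separately from the verdict."""
    trailer = png_trailing_data(blob)
    hits = [m.decode() for m in SUSPICIOUS_MARKERS if m in trailer]
    return {"trailing_bytes": len(trailer), "markers": hits,
            "suspicious": bool(trailer) and bool(hits)}


if __name__ == "__main__":
    # Constructed sample: harmless script placeholder appended to a clean image.
    clean = build_png()
    stuffed = build_png(b"<script>document.title='x';</script>")
    print("clean image :", scan_png(clean))
    print("image+script:", scan_png(stuffed))
```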

Emotet blends into the crowd (of email attachments)

In 2020, one of the most devastating cyberthreats seriously improved its camouflage.

For more than two years, a dangerous malware called Emotet has proved to be one of the biggest threats facing businesses across the world. That’s because Emotet, which began as a banking Trojan, has evolved into a sophisticated threat that often serves as a first step into broader and longer-lasting cyber damage.

For most businesses today, an Emotet attack is no longer just an Emotet attack. Instead, a successful Emotet attack can go undetected for days or even weeks. In the meantime, threat actors can use Emotet to download a separate banking Trojan called Trickbot, and after that a ransomware called Ryuk.

Making matters worse is that, over the years, Emotet has become increasingly hard to spot on first read. The banking Trojan is primarily spread through malspam, which are malicious emails that contain dangerous attachments like macro-enabled documents or other dangerous links. While similar malspam efforts are easy to detect, like the one-off billing invoice from a never-seen email address, Emotet is different.

In roughly one year, Emotet found a way to not only insert itself into active email threads, but to also copy and re-send legitimate email attachments so as to hide its own malicious payload amongst a set of documents that an email user may already recognize.

In tandem with implementing these new techniques, Emotet also came roaring back in the summer. Months later, it also received a superficial facelift, lurking within a fake Microsoft Office update request.

We don’t know when we’ll finally be rid of Emotet, but we know that day can’t come soon enough.

Ransomware grows fond of extortion  

In November of last year, a security staffing firm based in Pennsylvania faced an impossible deadline. They had just been hit with a ransomware attack, and, in one of the first documented cases at the time, they were given an option: pay the ransom, or your confidential files get leaked online for everyone to see.

This was the work of the so-called “Maze Crew,” operators behind the Maze ransomware.

In Pennsylvania, the clock was ticking, and the Maze Crew began to signal that it wasn’t playing around. Using an email address connected to Maze ransomware attacks, someone from the Maze Crew emailed a reporter at Bleeping Computer and basically bragged about their attack. In their email, they wrote:

“I am writing to you because we have breached Allied Universal security firm (, downloaded data and executed Maze ransomware in their network.

They were asked to pay ransom in order to get decryptor and be safe from data leakage, we have also told them that we would write to you about this situation if they dont pay us, because it is a shame for the security firm to get breached and ransomwared.

We gave them time to think until this day, but it seems they abandoned payment process.”

The security firm refused to pay Maze Crew’s ransom, and, true to its word, Maze Crew released 700 MB of data and stolen files from the attack.

Interestingly, the operators behind Maze ransomware claimed in November that they were retiring. Whether or not they’re to be believed, the damage they’ve done is everlasting. Following the extortion stint they pulled last year, other threat actors followed suit. In fact, according to one report in August, 30 percent of all ransomware attacks now involve extortion threats. In 22 percent of attacks, threat actors actually take the first step in fulfilling those threats, having exfiltrated data from their targets.

If only threat actors didn’t look to other threat actors for inspiration.

Release the Kraken

In October, our threat intelligence team published its findings on a cyberthreat that is as elusive and as slippery as its name: Kraken.

The attack first came through a malicious document—likely spread through spearphishing campaigns—that promised information about obtaining workers’ compensation. Opening the document and enabling its content triggers a connection to “yourrighttocompensation[.]com”, which downloads a separate image. Inside it, a malicious macro starts a chain of events that loads and executes a payload from memory.

The payload is a .Net DLL that injects an embedded shellcode into the Windows Error Reporting service, WerFault.exe. But before the attack can actually trigger, the DLL performs a few sly tricks to avoid detection. First, it checks for the presence of a debugger by measuring the time it takes to complete a certain set of instructions. Then, it checks for the presence of VMware or VirtualBox. It then checks for a processor feature, and the shellcode also checks for a debugger. After one final debugging check, it creates its final shellcode in a new thread.

After all that work, the final shellcode makes an HTTP request to download a malicious payload.

There is a bit of good news here, though. On further investigation, we found that this sneaky threat was not tied to any active APT group, but instead was the work of red team activities testing security.


Imposter syndrome

In April, our team discovered that a group of threat actors had built a malicious website meant to serve as a gate to the Fallout exploit kit, which can distribute the Raccoon information stealer.

The method itself is nothing new, and threat actors build malicious websites all the time for just these types of attacks. What did surprise us, though, is the organization that the threat actors tried to impersonate: It was us, Malwarebytes.

The malicious domain, at malwarebytes-free[.]com, presented users with much of the same information on our own homepage, as that information was simply swiped and reposted.

Scammers created a convincing copy of our site because they copied everything we wrote

The domain was registered on March 29 via REGISTRAR OF DOMAIN NAMES REG.RU LLC and was, at the time, hosted in Russia at 173.192.139[.]27. When we looked closer, we found a short piece of JavaScript on the copycat site that checked a user’s web browser. If the user was visiting the site on Internet Explorer, they would be led to a malicious URL which belonged to the Fallout exploit kit.

If these cyberthieves were trying to flatter us, it didn’t work.

A very long year

In 2020, not only did the coronavirus prove to be one of the most long-running lures to trick people into having their machines infected, but the capabilities of malware increased dramatically.

It isn’t all doom and gloom this year, though. Malwarebytes has done an enormous amount of work to keep you safe, and we’re constantly tracking what goes bump in the night to make sure you’re safe throughout the day.

Also, we shouldn’t get ahead of ourselves and judge all cyberthreats this year by the most alluring ones. In fact, tomorrow, we’re going to take a look at the strangest cyber events of 2020, and, spoiler alert, sometimes threat actors mess up hard.  

The post The most enticing cyberattacks of 2020 appeared first on Malwarebytes Labs.

Categories: Malware Bytes

SearchDimension search hijackers: An overview of developments

Malware Bytes Security - Tue, 12/29/2020 - 11:05am
Background information on SearchDimension

SearchDimension is the name of a family of browser hijackers that makes money from ad clicks and search engine revenues. The family was named after the domain that popped up in 2017, and they still sometimes use the letter combo SD in the names of their browser extensions.

Recent developments in the SearchDimension family

Over the last year we have seen this family evolve and expand into the world of PUPs and adware. Below are some of the latest additions to their arsenal.

  • Web push notifications: together with Adware.Adposhel, SearchDimension was among the first families to make full use of the potential provided by web push notifications for advertising.
  • Your browser is managed: the SearchDimension developers created an installer that not only installed their search hijacking extension but also made the “Remove” button disappear on the extension listing, telling frustrated users their browser was not their own to manage.
  • One of their most recent additions is a Chromium-based browser that replaces your default browser when you install it. This new default browser then behaves the same as a normal Chrome browser with one of the search hijacker extensions installed.
  • Another new trick comes with extensions that read your browser history to grab the search term the user looked for. The extension then closes the original search tab and opens a new tab with their own search engine looking for that search term. Basically this comes down to lying about the permissions so users will not notice the extension as a search hijacker.
How can you recognize SearchDimension hijackers?

There are many subfamilies and different versions within those families, but there are some tell-tale signs of the SearchDimension family. First and foremost, they use a few website templates that are very typical. These are the six most common ones.

Depending on the referring websites, you may be asked to accept notifications from the search hijacker’s domain. Every domain I have seen from them recently has this option but the referring URL does not always trigger this behavior. So, anyone directly visiting such a domain will not see the notifications prompt.

Then there is one page that comes up very often after you have installed one of the extensions. It looks like this:

The name of the extension and the “sponsors” will vary but the blue and white fields with the circular logo are very typical for the “Thank you for installing … “ page.

The wording in the entry in the list of installed Chrome extensions also comes from a rather limited set, and will usually have one of these formats:

  • Search by {extension name}. The best way to search. This one is by far the most common.
  • This extension configures your Default Search in Chrome browser to provide these features. Which features remain unsaid.
  • {extension name} is an extension that replaces your default search to Yahoo to provide more features. This one seems very specific for the PUP.Optional.SearchDimension subfamily.

Another weak spot in the development process for new variants seems to be the icon. Although they have come up with a lot of them, there is one that is repeated a lot.

The “A” in a blue field is often used for variants that have a short life span. These variants are often only around for a few days before they get removed from the Webstore.

Some variants, including the WebNavigator browsers, add a table of graphics representing Search Recommendations to the search results. This will look like this:

Different subfamilies of SearchDimension

One could divide this family up into subfamilies, based on their behavior, and at Malwarebytes we detect these subfamilies under different names. Below you will find a short description of the methods these subfamilies use and whether there is a Malwarebytes’ detection name for that subfamily.

  • The web push notifications are a part of all the subfamilies. If the user has accepted web push notifications, Malwarebytes will detect them as PUP.Optional.PushNotifications.Generic.
  • The subfamily that only uses the trick to close and open a new search tab will be detected by Malwarebytes as PUP.Optional.SearchEngineHijack.Generic.
  • The variants that change the default search engine and the ones that show “Search Recommendations” will be detected by Malwarebytes as Adware.SearchEngineHijack.Generic.
  • The subfamily that consists of Chromium-based browsers that replace your default browser is detected by Malwarebytes as PUP.Optional.WebNavigator.

Unfortunately, as some of these subfamilies use more than one method of browser hijacking, it is hard to be consistent. So detection names do not always completely follow this pattern, as it depends on which behavior(s) our engine detects. The big advantage of the generic detections by our engine, however, is that it picks up new variants on their first appearance.
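As an added example that is not from the original post or from Malwarebytes, a Python triage script for Chrome extension manifests built around the tell-tale signs above: the manifest keys involved (chrome_settings_overrides.search_provider, the history and tabs permissions) and the three listing-description templates, mapped onto the subfamily split described in this section. The sample manifests, the regexes and the label names are constructed for the example; the detection names are Malwarebytes’, as quoted on the page.

```python
import json
import re

# The three listing-description templates quoted above, as constructed regexes.
DESCRIPTION_TEMPLATES = [
    re.compile(r"^Search by .+\. The best way to search\.?$"),
    re.compile(r"configures your Default Search in Chrome browser"),
    re.compile(r"replaces your default search to Yahoo"),
]

# Constructed mapping of observed behaviour to the detection names in the text.
DETECTION_NAME = {
    "default-search-change": "Adware.SearchEngineHijack.Generic",
    "tab-close-and-reopen": "PUP.Optional.SearchEngineHijack.Generic",
    "none": None,
}


def analyze_manifest(manifest_json: str) -> dict:
    """Triage one manifest.json: indicators, behaviour label, detection name."""
    m = json.loads(manifest_json)
    perms = set(m.get("permissions", []))
    search = m.get("chrome_settings_overrides", {}).get("search_provider")
    description = m.get("description", "")

    indicators = []
    if search:
        indicators.append("declares chrome_settings_overrides.search_provider -> "
                          + search.get("search_url", "?"))
    if "history" in perms:
        indicators.append("requests 'history' (can read the user's search terms)")
    if "tabs" in perms:
        indicators.append("requests 'tabs' (can close the search tab and open its own)")
    template_hit = any(t.search(description) for t in DESCRIPTION_TEMPLATES)
    if template_hit:
        indicators.append("description matches a SearchDimension listing template")

    # Behaviour label following the subfamily split in the text: changing the
    # default search engine, or the close-and-reopen trick driven by history+tabs.
    if search:
        label = "default-search-change"
    elif {"history", "tabs"} <= perms:
        label = "tab-close-and-reopen"
    else:
        label = "none"

    # A lone 'tabs' or 'history' permission is common in benign extensions, so
    # only the combined pattern, a search override or a template hit counts.
    return {
        "label": label,
        "detection": DETECTION_NAME[label],
        "indicators": indicators,
        "suspicious": label != "none" or template_hit,
    }


# Constructed sample manifests (not real extensions).
HIJACKER_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "SD Quick Search",
    "description": "Search by SD Quick Search. The best way to search.",
    "permissions": ["history", "tabs"],
    "chrome_settings_overrides": {"search_provider": {
        "name": "SD Quick Search", "keyword": "sd", "encoding": "UTF-8",
        "search_url": "https://search.example.invalid/?q={searchTerms}",
        "is_default": True}},
})
TAB_TRICK_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Weather Now",
    "description": "Shows the local weather.",
    "permissions": ["history", "tabs"],
})
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Tab Counter",
    "description": "Counts your open tabs.",
    "permissions": ["tabs"],
})

if __name__ == "__main__":
    for name, mf in [("hijacker", HIJACKER_MANIFEST),
                     ("tab trick", TAB_TRICK_MANIFEST),
                     ("benign", BENIGN_MANIFEST)]:
        print(name, "->", analyze_manifest(mf))
```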

Advice on search hijackers and other adware

Changing your default search provider or installing adware should only be done with user consent, which is something these search hijackers often forget. They try to get installed by making promises they do not intend to keep and “forget to mention” what they are actually up to. We have seen search hijackers promising to be ad blockers, privacy protectors, and even ones that promise to provide antivirus protection. At best, they replaced existing advertisements with their own.

Installing a browser extension just to change your default search provider is something I would advise against. It’s easy enough to change the default search engine in the browser settings, and if the one of your choice is not listed there, I would recommend you only install an extension with a proven track record and one that really adds some value.

It’s an error to think that these search hijackers only bother Windows users. Most of the prevalent search hijackers aim at Chrome/Chromium browsers and sometimes Firefox. As a consequence, most of them can also be installed on macOS systems.

Recommended reading

For those interested in this subject, I have gathered some related links.

Removal methods:

How to remove adware from your PC

Browser push notifications: a feature asking to be abused

Adware the series, part 1


Mac adware is more sophisticated and dangerous than traditional Mac malware

Three million users installed 28 malicious Chrome or Edge extensions

Stay safe, everyone!

The post SearchDimension search hijackers: An overview of developments appeared first on Malwarebytes Labs.

Categories: Malware Bytes

A week in security (December 21 - December 27)

Malware Bytes Security - Mon, 12/28/2020 - 12:04pm

Last week on Malwarebytes Labs we warned our readers about not-so-festive social media scams and reported how Emotet returned just in time for Christmas. We also tried out some free online games your kids are playing and described what happened, and our VideoBytes episode talked about which penetration testing tools malware gangs love to use and why they are better than what you can get on the black market.

Other cybersecurity news:
  • Cybercriminals issued a fake mobile version of Cyberpunk 2077 that’s actually ransomware. (Source: TechSpot)
  • The Trump administration is pushing to make major adjustments to the Pentagon organizations charged with cybersecurity and intelligence. (Source: CNN)
  • An international takedown of a virtual private network (VPN), dubbed Operation Nova, ended an organization engaged in bulletproof hosting. (Source: US DoJ)
  • Europol and the European Commission are launching a new decryption platform to help law enforcement agencies decrypt data that have been obtained as part of a criminal investigation. (Source: GovInfoSecurity)
  • Hacker publishes stolen email and mailing addresses of 270,000 Ledger cryptocurrency wallet users. (Source: Hot for Security)
  • The group behind the SolarWinds hack also tried to compromise security firm CrowdStrike. (Source: engadget)
  • China used stolen data to track CIA operatives in Africa and Europe since around 2013. (Source: Fox Business)
  • Apple, Google, Microsoft, and Mozilla unite to ban Kazakhstan‘s citizen-tracking certificate. (Source: TechSpot)
  • A large scale phishing scam is underway that pretends to be a security notice from Chase stating that fraudulent activity has been detected and caused the recipient’s account to be blocked. (Source: BleepingComputer)
  • SolarWinds releases known attack timeline, new data suggests hackers may have done a dummy run last year. (Source: The Register)

Stay safe, everyone!

The post A week in security (December 21 - December 27) appeared first on Malwarebytes Labs.

Categories: Malware Bytes