Malware Bytes

A week in security (May 10 – 16)

Malware Bytes Security - 6 hours 22 min ago

Last week on Malwarebytes Labs, we watched and reported on the Colonial Pipeline ransomware attack as developments of its story unfolded. This attack triggered the White House to refine a planned Executive Order on cybersecurity. We also profiled DarkSide, the ransomware responsible for the Colonial Pipeline attack, and the criminal gang behind it.

Speaking of ransomware, we spoke with Jake Bernstein, a cybersecurity and privacy attorney and our guest in the latest Lock and Code podcast episode, to talk about the legal ramifications ransomware-turned-data-breach victims may face when they have been successfully attacked.

We also highlighted “wormable” Windows vulnerabilities in last week’s Patch Tuesday updates; touched on FragAttack, a term used to describe newly found Wi-Fi vulnerabilities that affect basically all Wi-Fi devices; addressed the question “Why MITRE ATT&CK matters”; warned about Avaddon, a new ransomware campaign; raged about WhatsApp call and message features breaking unless you share data with Facebook; applauded game developers who included cybersecurity as part of the whole gaming experience; and went “ooh!” at a novel way someone can exfiltrate data out of air-gapped networks using iPhones and AirTags.

Our expert threat hunters also noted the increase in iPhone spam attacks and observed Magecart Group 12 continuing to go strong and using a PHP-based skimmer as a new tool.

Lastly, we talked about Wi-Fi and honeypots.

Other cybersecurity news
  • The group behind the Colonial Pipeline attack claimed to be behind the Toshiba attack and data breach. (Source: Kyodo)
  • DarkSide also netted Brenntag, a chemical distribution company, and got paid for it—to the tune of $4.4M USD. (Source: BleepingComputer)
  • Imposter Amazon robocalls are reaching 150 million consumers per month, according to YouMail. (Source: PR Newswire)
  • Threat actors take advantage of routine site maintenance to get people to download malformed copies of MSI Afterburner from a fake website. (Source: MSI News)
  • According to a report from Immersive Labs, 81 percent of software developers have knowingly released applications that are vulnerable. (Source: Immersive Labs)
  • Panda, a new information stealer, could nab account credentials of NordVPN, Telegram, Discord, and Steam users. It also goes after cryptocurrency wallets. (Source: The Coin Radar)
  • A report on TeaBot, a new Android malware targeting European banks, was released. (Source: Cleafy)
  • Users are at risk as they continue to use Windows 7, which has already reached its end of life. (Source: Security Brief)

Stay safe!

The post A week in security (May 10 – 16) appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Gamers level up with rewards for better security

Malware Bytes Security - Fri, 05/14/2021 - 1:11pm

There was a time when stolen gaming accounts were almost treated as a fact of life. Console hacks weren’t taken particularly seriously. Security research in this area was occasionally derided as unimportant or trivial. Gaming accounts had an essence of innate disposability to them, even if this wasn’t the case (how disposable is a gamertag used to access hundreds of dollars’ worth of gaming content?).

These days, gaming security is taken very seriously indeed. The gradual roll-out of Two-factor Authentication (2FA) across both gaming platforms and titles themselves is a wonderful thing, but one worries about buy-in. When sign-up rates for something as common as Google accounts are struggling to hit double figures, it’s definitely a concern.

Customer support: compromised accounts all the way down

There’s also the impact on publisher bottom lines. More stolen accounts means more time tying up customer support lines. If the victims of the stolen accounts have invested lots of money into a title, there’s the possibility of bad press should it get that far. Forgotten passwords will tie up support’s time, for sure. But the moment someone calls through with one single account compromise, the customer service rep has no idea what they’re walking into.

It could be a fairly straightforward phish. Alternatively, someone may have imitated a game developer on a Twitch stream. Did the attacker bypass text-based 2FA by social engineering the mobile provider? Perhaps the victim fell for bogus loot crates via a YouTube video. Fake game developers sending private messages? You bet.

The possibilities are endless, and also potentially endlessly time consuming.

The digital expansion of gaming

Games haven’t been a one-purchase-and-done procedure for a long time. Downloadable content, expansions, and the concept of “Games as a Service” mean content can flow forevermore. This is particularly true in the realm of Massively Multiplayer titles. It’s not uncommon for the most popular games to keep on trucking for a decade or longer. These titles offer a variety of payment options.

Some games are a one-off payment with paid-for expansions down the line. Others might have a free-to-play option, with subscription accounts for more features and content access. A few mix all of these approaches, and there’s really no set standard.

When roleplaying sets the stage for security

MMORPGs are one online realm where security has been a big part of the overall package for years. Developers had the foresight to realise account protection would become increasingly important over time. World of Warcraft developers Blizzard released their first authenticator way back in 2009. People are often surprised when they find out how long WoW has had authentication in place. Yes, this may well be something of an outlier. They’ve also run into occasional issues with people trying to bypass the system.

Even so, this is probably one of the ways mainstream gamers run into this kind of authentication for the very first time. When the biggest organisations in a space use this tech, it hopefully encourages other companies to consider doing the same thing. In 2018, they were offering backpack upgrades for anybody using authentication and their SMS Protect service.

An increasingly valuable treasure chest

What I’m fascinated by is MMORPGs with frequently expensive in-game items bought with real money. Those in-game stores often offer premium items, and it can quickly turn into an expensive hobby. Some items are cosmetic, some give in-game benefits which can occasionally turn into “pay to win” accusations.

However you stack it up, accounts with lots of purchases are incredibly valuable targets. Going back to what I said earlier, the last thing Big Game Company Inc needs is a ton of bad press where they weren’t seen to be helping “premium” gamers. They also don’t want support channels flooded with stolen account calls.

In 2012, Steam encouraged users to enable Steam Guard in return for a badge during a community event. In 2015, they took this one step further and offered sale discounts.

A few months prior to this, MMORPG developers were already gamifying 2FA and offering rewards for enabling it. ArenaNet, developers of Guild Wars 2, were handing out a cool looking dragon for enabling 2FA. Here’s another game from 2015, Wakfu, which seems to have given small stat bonuses for using their 2FA system.

The security problems facing game developers

I’m not sure if 2015 was some sort of specific flashpoint for “everybody start using this, please” but clearly the groundwork was being laid. Due to a lot of videogame reporting being lost to the ages via link rot, I’m also uncertain if games using 2FA years prior to this offered up incentives for using it. I would assume quite a few of the older titles would say the incentive was simply “not losing your account”. Perhaps this is one reason why uptake is low. After all, people are complaining about the hassle of having to use it despite freebies on the Wakfu forums.

With this in mind, what we have is:

  • Users reluctant to use the tech
  • Depending on game, a potentially very young audience who may not want the hassle of setting up 2FA
  • Accounts in use for long periods of time, with significant years of purchases behind them

This is clearly not ideal. As a result, gamifying the overall approach and offering up perks and items is the way to go.

Some current examples of security bonuses

Black Desert Online

A few months ago, the incredibly popular MMORPG Black Desert Online ran a “security campaign” event. If players set up an OTP (one-time password) process for their logins, they were rewarded with a 7-day value pack. These value packs are incredibly useful for BDO players. They grant significant boosts for loot collection, buffs, inventory, storage, weight limit, marketplace sales, and much more.

If you’re even a semi-serious BDO player, these are prized items and you’ve likely bought quite a few, or grinded out events to get some for free. The alternative is paying for a variety of different Value Packs in the game’s Pearl Store via real money transactions. Although the event is now over, I’d be surprised if it doesn’t get another outing.

Star Wars: The Old Republic

This Bioware / EA juggernaut has been around for a few years and shows no signs of slowing down. It’s essentially free to play, but with various restrictions applied unless you purchase a subscription. It also contains an in-game store which offers up cosmetics, items, large scary animals which you can ride around on, the works.

I’ve played quite a few MMORPGs where large store purchases are involved, yet there often seems to be a lack of additional security to help keep accounts secure in some titles. That’s not the case here, as we’ll see.

The basic rule with premium stores is, everything is pretty expensive. There may be essential items like storage capacity or crafting bags hidden behind paywalls. You might be able to buy a house for cheap, but then you have to spend a lot more money to fill it with items or even unlock different rooms.

Developers really want you to feel that premium, exclusive angle on every purchase you make. As a result, anything given away for free in many games is often not very good. You’ll almost never get any of those premium items for free unless it’s during a special event.

Items are usually purchased with special forms of in-game currency. That is usually bought via a gaming platform for real money. In Star Wars: The Old Republic, this currency is called Cartel Coins. Developers don’t give premium store funds away for free, because that wouldn’t make any sense.

And yet.

One of the big pulls for setting up 2FA with the game’s dedicated authenticator app, is indeed free premium currency. As a bonus for setting up the app, gamers are rewarded with 100 Cartel Coins a month. That’s 1,200 coins every year the app is ticking over, which is certainly enough to buy an item or two a month, or one of the bigger discounted bundles when the player breaks the 1,000 barrier.

I’m not sure if this giveaway approach is something which coincided with the release of the app, or an additional perk which came later. As far as encouraging players to make use of additional security features, I’d give this effort 10/10.

Final Fantasy Online

Square Enix are big on One Time Passwords. They use various options like physical security tokens or software authentication to get the lockdown job done. Their in-game reward is free teleportation. Many MMORPGs charge nominal amounts to fast travel, which adds up very quickly. This is a fantastic way to get buy-in from an MMORPG audience.

Gaming platform account bonuses

It’s not just individual games handing out the freebies. Gaming platforms like the Epic Store are getting in on the act too. In 2018, if you added 2FA to your Epic Games account, you received a free skin.

If you enable Two-Factor Authentication for your Epic Games account, you'll unlock the Boogie Down skin! #Fortnite

— Fortnite News (@FortniteBR) August 23, 2018

This may not sound like much but trust me, kids love free gaming skins.

As of 2019, the offer had broadened out considerably. In addition to a skin, players also received armory slots, backpack slots, and a free legendary troll stash Llama because hey, why not.

Interestingly, the 2FA reward program isn’t just limited to platform logins and Fortnite. If you want to keep claiming the endless selection of free titles offered on the Epic Store, you now need 2FA up and running. No additional security? No free games.

This is smart in a realm where Steam arguably still rules the roost as the most established PC gaming platform. By carving out chunks of the Epic Store’s most impressive platform offerings and placing them behind good security practices, the pull factor is no doubt strong. There has to be a good chunk of Epic users now sporting much better protected accounts, and that’s a win-win.

Closing thoughts

While some gamers will quibble about the value of giveaways on some titles, ultimately the devs are doing them a favour. When the worst case scenario is “You don’t lose your account to compromise”, that sounds like a pretty good deal to me. Receiving some free goodies to feed back into your gameplay loop is the icing on the cake. An easy win for everybody apart from account thieves is surely the best Game Over screen we can hope for.

The post Gamers level up with rewards for better security appeared first on Malwarebytes Labs.

Categories: Malware Bytes

iPhone calendar spam attacks on the rise

Malware Bytes Security - Fri, 05/14/2021 - 12:36pm

Recently, we have seen an increasing number of reports from iPhone users about their calendars filling up with junk events. These events are most often either pornographic in nature, or claim that the device has been infected or hacked, and in all cases they contain malicious links. This phenomenon is known as “calendar spam.”

Calendar spam became a big problem for Apple’s iCloud calendars back in 2016. At that time, Apple put some protections in place on iCloud to prevent these issues. Whatever they did was working, up until recently. Let’s take a look at how the scammers have changed their tactics.

Fake captcha page example

Users will encounter a scam web page like the following one (though this is just an example). These pages are reached via a number of techniques, including malvertising, compromised WordPress sites, and Search Engine Optimization (SEO) tricks. In this case, the page displays a fake captcha that users are expected to tap in order to prove they’re not a bot.

For this particular page, tapping the “I’m not a robot” box (or, really, anywhere else on the page) results in a prompt attempting to trick the user into subscribing to a calendar.

Normally, this prompt would ask the user if they want to subscribe to a particular calendar by name. In this case, the scammers have given the calendar a name containing whitespace and the “Tap OK to Continue” / “Tap Cancel to Close Browser” message. Clicking Cancel will return you to the page, and if you do this a couple times, you’ll trigger a redirect. (More on that shortly.)

Clicking OK results in the spam calendar, and all its events, being added to the user’s Calendar app. These events all have alerts that cause notifications to appear in the Notification Center. Tapping a notification will take you into Calendar, which will display the content of the event. In all cases, the content is a scam message trying to get you to open a link.

At this time, the links go to a 404 page, but we believe they would have linked out to apps in Apple’s App Store.

Redirects to “security” apps

Whether you do or don’t subscribe to the calendar, the page will go back to the fake captcha. Tapping the captcha a second time, and clicking either OK or Cancel, will result in your browser being redirected to a scam page claiming your iPhone is infected or that hackers are watching you.

These pages will redirect to a variety of App Store apps. Mostly, these are junk VPNs or supposed security apps. They mostly have high ratings, and have been around for 4+ years, but the total number of ratings given is low. This could be an indication that the ratings have been reset periodically.

Worse, many of these apps have high-price, short-duration subscriptions. In most cases, prices are around $8.99 or $9.99 per week.

Removing the subscribed calendar(s)

If you have been impacted, your iPhone has fortunately not actually been hacked or infected (regardless of what the messages claim), and there is a simple solution. You can just delete the subscribed calendars.

First, open your Calendar app, and then tap the Calendars button at the bottom center of the screen, shown below.

This will result in seeing a view like the following, showing all the calendars loaded on your iPhone. Note the odd item with a green tick and no title, under the heading “SUBSCRIBED”.

The calendar name appears blank here, but that may not be true in every case. You’ll want to remove all subscribed calendars, except those that you are certain are legitimate. To do this, tap the button showing the letter i in a circle next to the subscribed calendar. (If you have more than one, you’ll have to repeat for each one.)

On the next screen, tap the Delete Calendar button at the bottom of the screen. (On some devices, you may have to scroll down to see it.)

How to prevent the issue

First and foremost, if you find yourself seeing a strange message in Safari on your iPhone, don’t believe it, and don’t do what it tells you to do. Don’t click any buttons consenting to whatever the site is asking, such as OK, Allow, Install, etc. If you can close the tab or navigate to another page in the browser, do so. If an alert is preventing that, click Cancel if that’s an option.

If there is an alert preventing you from taking action until you tap a button, and you don’t know what to do, just restart your iPhone.

You can also use the Web Protection feature in Malwarebytes Security for iOS. This should prevent you from visiting malicious pages in Safari. Of course, as with all things, nothing is infallible, so if you find that a malicious site has slipped past, please copy the address of the page from Safari’s address bar and submit it via a support ticket to Malwarebytes support. A screenshot would help as well.

Unfortunately, since users are essentially consenting to this scam via existing Apple-provided mechanisms for obtaining consent, there may not be much that Apple can do to stop this particular wave of calendar spam. However, we’ve notified Apple anyway, and hope it can at a minimum take action against the apps promoted by these scams.

What about other platforms?

Although we’re seeing a lot of this on iOS right now, the scam affects other platforms as well. On macOS, for example, it will attempt to add a calendar, though the process is far less convincing.

The same is also true on Windows.

You may also be offered a browser extension by some variants of this scam, depending on your browser. (Google Chrome is a common target.)

Regardless of the platform, if you see something odd like this in the browser, do not allow it, and close the page.

The post iPhone calendar spam attacks on the rise appeared first on Malwarebytes Labs.

Categories: Malware Bytes

WhatsApp calls and messages will break unless you share data with Facebook

Malware Bytes Security - Fri, 05/14/2021 - 4:26am

WhatsApp told users last week that there was no need for alarm regarding an upcoming privacy policy deadline, as users who refuse to accept the privacy policy will not have their accounts deleted—they will just have their apps rendered useless, eventually incapable of receiving calls and messages.

The planned removal of core features represents a stunning reversal for a company that long ago prioritized data privacy, transforming WhatsApp’s offering into an unworkable contradiction: Private messaging only for those who surrender a separate piece of their privacy.

At issue is WhatsApp’s 2021 privacy policy, which users first learned about in January. According to notifications sent at that time, WhatsApp began asking users to agree to share some of their data with WhatsApp’s parent company—Facebook—by a February 8 deadline.

That data does not include the content of any WhatsApp user’s messages or calls, as the company’s end-to-end encryption remains intact, and WhatsApp has repeatedly promised that its message security will not be compromised. However, the data does include interactions that users have with certain businesses over WhatsApp. And, per the new privacy policy, the entities at Facebook that will have access to that data include Facebook itself, Facebook Payments, Facebook Technologies, Onavo, and CrowdTangle.

We want to address some rumors and be 100% clear we continue to protect your private messages with end-to-end encryption.

— WhatsApp (@WhatsApp) January 12, 2021

The January notifications released a user avalanche, with many people ditching the service to install a separate, private messaging app called Signal. According to a report from TechCrunch, in just five days in January, the rival private messenger was downloaded more than 7.5 million times—growing its overall userbase at the end of 2020 by more than one third. Similar meteoric growth was enjoyed by another private messaging app, Telegram.

But to hear WhatsApp tell the story, users got the wrong impression about the 2021 privacy policy update. The company tried to explain to some news outlets that the changes were not as dramatic as many had interpreted because the changes were not even new.

They had been in place since 2016.

According to reporting from Wired, in August of 2016, WhatsApp quietly updated its data sharing practices with Facebook:

“Under the new user agreement, WhatsApp will share the phone numbers of people using the service with Facebook, along with analytics such as what devices and operating systems are being used,” Wired wrote at the time. “Previously, no information passed between the two, a stance more in line with WhatsApp’s original sales pitch as a privacy oasis.”

Those changes came with an opportunity for then-existing WhatsApp users to opt out of the impact of that data sharing, but every new WhatsApp user who installed the app after those 2016 changes received no such option. Some of their data, according to Wired, was automatically sent to Facebook per WhatsApp’s new rules.

Technically, then, WhatsApp was right: Users misunderstood the January 2021 privacy policy notifications. There were no dramatic shifts to how WhatsApp would share data with Facebook, just minor changes to how WhatsApp will handle and share business-related interactions.

But those explanations did not sit right with users, security researchers, or digital rights activists.

As Matthew Green, cryptographer and professor at Johns Hopkins University, told Wired:

“WhatsApp is great for protecting the privacy of your message content. But it feels like the privacy of everything else you do is up for grabs.”

Gennie Gebhart, the acting director of activism at Electronic Frontier Foundation, also criticized WhatsApp’s unclear messaging in January.

“WhatsApp’s obfuscation and misdirection around what its various policies allow has put its users in a losing battle to understand what, exactly, is happening to their data,” Gebhart wrote.

The public blowback caused WhatsApp to postpone its initial February 8 deadline to May 15, and in the weeks in between, many users feared that the company would simply delete their accounts if they refused to accept the updated privacy policy.

But last week, WhatsApp clarified that “no one will have their accounts deleted or lose functionality of WhatsApp” on May 15 because of their choices to refuse to accept the new privacy policy.

Unfortunately, the alternative is nearly as harsh.

For WhatsApp users who decline to have their data shared with Facebook, WhatsApp will steadily remove core features, beginning with the option to view chat lists, and ending with the inability to even receive calls or messages on WhatsApp.

WhatsApp said that it has warned users about its new data policy agreement for weeks now. For users who do not agree to the privacy policy changes by May 15, WhatsApp said that “after a period of several weeks” the notification they’ve received will become persistent. At that point, WhatsApp said it will dole out consequences.

The company said:

“At that time, you’ll encounter limited functionality on WhatsApp until you accept the updates. This will not happen to all users at the same time.

You won’t be able to access your chat list, but you can still answer incoming phone and video calls. If you have notifications enabled, you can tap on them to read or respond to a message or call back a missed phone or video call.

After a few weeks of limited functionality, you won’t be able to receive incoming calls or notifications and WhatsApp will stop sending messages and calls to your phone.”

What message are users supposed to take from these limitations other than the fact that WhatsApp simply does not want users who refuse to share their data with Facebook? A private messaging app that cannot receive messages is useless, and it is ludicrous that the reason it is useless is because the company has chosen to make it that way.

This is an anti-privacy choice. It is also an anti-user choice, as users are being punished for their refusal to share data. And, finally, it is a sad but expected turn for WhatsApp, a former privacy darling launched by two co-founders—Jan Koum and Brian Acton—who both seemingly regret selling their company to Facebook for billions of dollars.

That sale in 2014 startled many users, as the two companies—one, a steadily-growing advertising giant, the other led by a man whose motto was reportedly “no ads, no games, no gimmicks”—were diametrically opposed. At the time, Koum tried to calm those fears, saying that “if partnering with Facebook meant that we had to change our values, we wouldn’t have done it.”

Four years later, Koum left. His co-founder, Acton, had left the year prior.

In an exclusive interview with Forbes, Acton explained his departure. Much of it was due to conflicting ideas on privacy.

“At the end of the day, I sold my company. I sold my users’ privacy to a larger benefit. I made a choice and a compromise,” Acton said. “And I live with that every day.”

In 2018, Acton donated $50 million to a familiar cause with a different name: the development of Signal.

The post WhatsApp calls and messages will break unless you share data with Facebook appeared first on Malwarebytes Labs.

Categories: Malware Bytes

What is a honeypot? How they are used in cybersecurity

Malware Bytes Security - Fri, 05/14/2021 - 3:38am

Cybersecurity experts strive to enhance the security and privacy of computer systems. Quietly observing threat actors in action can help them understand what they have to defend against. A honeypot is one such tool that enables security professionals to catch bad actors in the act and gather data on their techniques. Ultimately, this information allows them to learn and improve security measures against future attacks.

Definition of a honeypot

What does “honeypot” mean in cybersecurity? In layman’s terms, a honeypot is a computer system intended as bait for cyberattacks. The system’s defenses may be weakened to encourage intruders. While cybercriminals infiltrate the system or hungrily mine its data, behind the smokescreen, security professionals can study the intruder’s tools, tactics and procedures. You might think of it as laying a trap for someone you know is coming with bad intentions and then watching their behavior so you can better prepare for future attacks.

Types of honeypots

In the world of cybersecurity, a honeypot appears to be a legitimate computer system, while the data is usually fake. For example, a media distribution company may host a bogus version of a film on a computer with intentional security flaws to protect the legitimate version of the new release from online pirates.

There are several different types of honeypots. Each has its own set of strengths. The kind of security mechanism an organization uses will depend on their goals and the intensity of threats they face.

Low-interaction honeypots

A low-interaction honeypot offers hackers emulated services with a narrow level of functionality on a server. The objective of this trap is usually to learn an attacker’s location and nothing more. Low-interaction honeypots are low-risk, low-reward systems.

High-interaction honeypots

Unlike the low-interaction variety, a high-interaction honeypot offers a hacker plenty to do on a system with few restrictions. This high-interaction ploy aims to study a threat actor for as long as possible and gather actionable intelligence.
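To make the low-interaction idea concrete, here is an added example (not code from the original post or from Malwarebytes) of a minimal low-interaction honeypot in Python. It emulates one fake service with a single constructed banner, never executes anything a client sends, and turns each connection into a structured log record (source address, size, first token, short preview), which is the kind of low-risk, low-reward data the section describes. The banner text, the `summarize_attempt` record layout and the `run_demo` loopback client are all assumptions made for this illustration.

```python
import socket
import threading
import time

# Constructed banner for the emulated service; nothing behind it is real.
BANNER = b"220 mail.example.test ESMTP ready\r\n"
REJECT = b"500 Command not recognized\r\n"


def summarize_attempt(peer_ip, peer_port, data, ts=None):
    """Turn one connection into a log record. Client input is only summarized,
    never interpreted or executed, which keeps the honeypot low-interaction."""
    text = data.decode("utf-8", errors="replace").strip()
    tokens = text.split()
    return {
        "ts": ts if ts is not None else time.time(),
        "src_ip": peer_ip,
        "src_port": peer_port,
        "bytes": len(data),
        "first_token": tokens[0].upper() if tokens else "",
        "preview": text[:80],
    }


class LowInteractionHoneypot:
    """Listens on one TCP port, sends a banner, reads one line, records it."""

    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))   # port 0 = let the OS pick a free port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.records = []
        self._lock = threading.Lock()

    def serve_one(self, timeout=5.0):
        self.sock.settimeout(timeout)
        conn, (ip, port) = self.sock.accept()
        with conn:
            conn.settimeout(2.0)
            conn.sendall(BANNER)
            try:
                data = conn.recv(1024)
            except socket.timeout:
                data = b""
            conn.sendall(REJECT)       # every command is refused; nothing is emulated further
        rec = summarize_attempt(ip, port, data)
        with self._lock:
            self.records.append(rec)
        return rec

    def close(self):
        self.sock.close()


def run_demo():
    """Start the honeypot, play a constructed probe against it over loopback,
    and return the records it logged."""
    hp = LowInteractionHoneypot()
    server = threading.Thread(target=hp.serve_one)
    server.start()
    client = socket.create_connection(("127.0.0.1", hp.port))
    client.recv(1024)                              # banner
    client.sendall(b"HELO scanner.example\r\n")    # constructed probe
    client.recv(1024)                              # rejection
    client.close()
    server.join()
    hp.close()
    return hp.records


if __name__ == "__main__":
    for record in run_demo():
        print(record)
```

In practice the records would be shipped to a SIEM rather than kept in memory, and the listener would be isolated on its own host or network segment so that, as the disadvantages below note, a compromised decoy cannot be used as a stepping stone.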

Email traps

Technology companies use email traps to compile extensive deny lists of notorious spam agents. An email trap is a fake email address that attracts mail from automated address harvesters. The mail is analyzed to gather data about spammers, block their IP addresses, redirect their emails, and help users avoid a spam trap.

Decoy database

A SQL injection is a code injection technique used to attack databases. Network security experts create decoy databases to study flaws and identify exploits in data-driven applications in order to defend against such malicious code.

Spider honeypot

A spider honeypot is a type of honeypot network that consists of links and web pages that only automated crawlers can access. IT security professionals use spider honeypots to trap and study web crawlers in order to learn how to neutralize malicious bots and ad-network crawlers.

Malware honeypot

A malware honeypot is a decoy that encourages malware attacks. Cybersecurity professionals can use the data from such honeypots to develop antivirus software for Windows and Mac. They also study the malware attack patterns to enhance malware detection technology and thwart malspam such as GuLoader.

Pros and cons of honeypot use

Although there are many benefits of honeypots, they can also backfire if they fail to cage their prey. For example, a skilled hacker can use a decoy computer to their advantage. Here are some pros and cons of honeypots:

Benefits of using honeypots
  • They can be used to understand the tools, techniques and procedures of attackers.
  • An organization can use honeypots to ascertain the skill levels of potential online attackers.
  • Honeypotting can help determine the number and location of threat actors.
  • It allows organizations to distract hackers from authentic targets.
Dangers and disadvantages of using honeypots
  • A clever hacker may be able to use a decoy computer to attack other systems in a network.
  • A cybercriminal may use a honeypot to supply bad intelligence.
  • Its use can result in myopic vision if it’s the only source of intelligence.
  • A spoofed honeypot can result in false positives, leading IT professionals on frustrating wild goose chases.

While there are pros and cons, careful and strategic use of a honeypot to gather intelligence can help a company enhance its security response measures and stop hackers from breaching its defenses, leaving it less vulnerable to cyberattacks and exploits.

The post What is a honeypot? How they are used in cybersecurity appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Newly observed PHP-based skimmer shows ongoing Magecart Group 12 activity

Malware Bytes Security - Thu, 05/13/2021 - 2:18pm

This blog post was authored by Jérôme Segura

Web skimming continues to be a real and impactful threat to online merchants and shoppers. The threat actors in this space range greatly in sophistication, from amateurs all the way to nation-state groups like Lazarus.

In terms of security, many e-commerce shops remain vulnerable because they have not upgraded their content management system (CMS) in years. The campaign we are looking at today involves a number of Magento 1 websites that have been compromised by a very active skimmer group.

We believe that Magecart Group 12, identified as being behind the Magento 1 hacking spree last fall, continues to distribute new malware that was observed by security researchers recently. These web shells known as Smilodon or Megalodon are used to dynamically load JavaScript skimming code via server-side requests into online stores. This technique is interesting as most client-side security tools will not be able to detect or block the skimmer.

Web shell hidden as favicon

While performing a crawl of Magento 1 websites, we detected a new piece of malware disguised as a favicon. The file, named Magento.png, attempts to pass itself off as ‘image/png’ but does not have the proper PNG format for a valid image file.

The way it is injected in compromised sites is by editing the shortcut icon tags with a path to the fake PNG file. Unlike previous incidents where a fake favicon image was used to hide malicious JavaScript code, this turned out to be a PHP web shell.

Web shells are a very popular type of malware encountered on websites; they allow an attacker to maintain remote access and administration. They are typically uploaded onto a web server after exploitation of a vulnerability (e.g. SQL injection).

To better understand what it does, we can decode the reversed, Base64-encoded blob. We see that it is meant to retrieve data from an external host at zolo[.]pw.
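The two observations above, a shortcut-icon reference whose target is not a real PNG and a payload hidden behind reversed Base64, are both mechanical to check. The following is an added example written for this post (it is not Malwarebytes' code and not the actual web shell): it pulls every icon link out of a page, verifies the PNG signature of each referenced file, and tries to undo the strrev()+Base64 obfuscation of any long Base64-looking run. The HTML, the fake favicon and the hidden string are all constructed here; the `fetch` callable is a stand-in for however you retrieve files from a store you are auditing.

```python
"""Added example (not the post's or Magento's code): audit favicon links
for files that claim to be PNG but are not, and decode reversed Base64.
All sample data below is constructed for the demonstration."""
import base64
import binascii
import re
from typing import Callable, Dict, List, Optional

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"          # 8-byte signature every PNG starts with
ICON_LINK_RE = re.compile(
    r'<link\b[^>]*\brel=["\']?[^"\'>]*icon[^"\'>]*["\']?[^>]*\bhref=["\']([^"\']+)["\']',
    re.IGNORECASE,
)
B64_RUN_RE = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")   # long Base64-looking runs

# --- constructed sample data -------------------------------------------------
_HIDDEN = base64.b64encode(b"exfil host: zolo[.]pw")[::-1]   # reversed Base64
FAKE_FAVICON = (b"<?php /* constructed sample, not the real web shell */ "
                b"$c = base64_decode(strrev('" + _HIDDEN + b"')); ?>")
REAL_FAVICON = PNG_MAGIC + b"\x00\x00\x00\rIHDR"           # genuine PNG header
SAMPLE_HTML = """<html><head>
<link rel="shortcut icon" type="image/png" href="/media/Magento.png">
<link rel="icon" href="/favicon.png">
</head></html>"""
SAMPLE_FILES = {"/media/Magento.png": FAKE_FAVICON, "/favicon.png": REAL_FAVICON}


def icon_hrefs(html: str) -> List[str]:
    """Return the href of every <link rel="...icon..."> tag in the page."""
    return ICON_LINK_RE.findall(html)


def is_png(data: bytes) -> bool:
    """The Content-Type header can lie; the file signature cannot."""
    return data.startswith(PNG_MAGIC)


def decode_reversed_base64(blob: bytes) -> Optional[bytes]:
    """Undo strrev() + base64: reverse, then strict-decode. None if not Base64."""
    try:
        return base64.b64decode(blob[::-1], validate=True)
    except (binascii.Error, ValueError):
        return None


def reversed_base64_strings(data: bytes) -> List[bytes]:
    """Every Base64-looking run that decodes (once reversed) to printable ASCII."""
    found = []
    for m in B64_RUN_RE.finditer(data):
        decoded = decode_reversed_base64(m.group(0))
        if decoded and all(32 <= b < 127 for b in decoded):
            found.append(decoded)
    return found


def scan_icons(html: str, fetch: Callable[[str], Optional[bytes]]) -> List[Dict]:
    """Flag icon files whose bytes are not PNG, with any decoded hidden strings."""
    findings = []
    for href in icon_hrefs(html):
        data = fetch(href) or b""
        if is_png(data):
            continue
        findings.append({
            "href": href,
            "reason": "not a PNG (signature mismatch)",
            "php_tag": b"<?php" in data,
            "decoded": reversed_base64_strings(data),
        })
    return findings


if __name__ == "__main__":
    for finding in scan_icons(SAMPLE_HTML, SAMPLE_FILES.get):
        print(finding)
```

On a real store, pair the signature check with a comparison against the deployed codebase: a favicon that changes content while its path stays the same is exactly the pattern described above.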

Further looking into the m1_2021_force directory reveals additional code very specific to credit card skimming.

The data exfiltration part matches what researcher Denis @unmaskparasites had found back in March on WordPress sites (Smilodon malware) which also steals user credentials:

A similar PHP file (Mage.php) was reported by SanSec as well:

That same path/filename was previously mentioned by SanSec during the Magento 1 EOL hacking spree:

This hints that we are possibly looking at the same threat actors then and now, which we can confirm by looking at the infrastructure being used.

Magecart Group 12 again

Because we found the favicon webshells on Magento 1.x websites we thought there might be a tie with the hacking that took place last year when exploits for the Magento 1 branch (no longer maintained) were found. RiskIQ documented these compromises and linked them with Magecart Group 12 at the time.

The newest domain name we found (zolo[.]pw) happens to be hosted on the same IP address (217.12.204[.]185) as recaptcha-in[.]pw and google-statik[.]pw, domains previously associated with Magecart Group 12.

There is a lot of publicly documented material on the activities of Group 12, also known for their ‘ant and cockroach’ skimmer, their decoy CloudFlare library or their abuse of favicon files.

Dynamically loaded skimmer

There are a number of ways to load skimming code, but the most common one is by calling an external JavaScript resource. When a customer visits an online store, their browser makes a request to a domain hosting the skimmer. Although criminals constantly expand their infrastructure, it is relatively easy to block these skimmers using a domain/IP database approach.

In comparison, the skimmer we showed in this blog dynamically injects code into the merchant site. The request to the malicious domain hosting the skimming code is not made client-side but server-side. As such, a database blocking approach would not work here unless all compromised stores were blacklisted, which is a catch-22 situation. A more effective approach, though more complex and prone to false positives, is to inspect the DOM in real time and detect when malicious code has been loaded.

We continue to track this campaign and other activities from Magecart Group 12. Online merchants need to ensure their stores are up to date and hardened, not only to pass PCI standards but also to maintain the trust shoppers place in them. If you are shopping online it’s always good to exercise some vigilance and equip yourself with security tools such as our Malwarebytes web protection and Browser Guard.


Indicators of Compromise
The post Newly observed PHP-based skimmer shows ongoing Magecart Group 12 activity appeared first on Malwarebytes Labs.


What does WiFi stand for?

Malware Bytes Security - Thu, 05/13/2021 - 2:10pm

We use WiFi to connect to the Internet, but what is it, and what does it stand for? How does it have such a catchy name, and why do we sometimes have a weak Internet connection with a strong WiFi signal and vice versa? Read on to answer these questions and more.

What does WiFi mean?

Many people assume that WiFi is short for “wireless fidelity” because the term “hi-fi” stands for “high fidelity.” Some members of the WiFi Alliance, the wireless industry organization that promotes wireless technologies and owns the trademark, may even have encouraged this misconception.

The reality is that WiFi is a made-up marketing term that doesn’t really stand for anything. The Alliance tasked marketing company Interbrand with creating a palatable term that they could trademark because “Institute of Electrical and Electronics Engineers (IEEE) wireless communication standard 802.11 technology” doesn’t quite roll off the tongue.

How does WiFi work?

In a nutshell, WiFi is a wireless network that allows wireless-capable devices like computers, tablets, smartphones, modems, microwaves, fridges, and routers to connect with each other through radio frequency signals. Any suitably equipped device can connect to a WiFi network, regardless of whether it, or the network it’s connecting to, has an Internet connection.

What is the difference between WiFi and Internet? Can you have WiFi without Internet?

Your computer can communicate with your router through a WiFi signal (or a cable) even if your router isn’t online. That’s why you can have a strong WiFi signal with a weak or nonexistent Internet connection. Similarly, your Internet router can have a healthy Internet connection which feels like it’s slow to you, because of a less than ideal WiFi signal between you and your router.

How did WiFi become an official standard?

Until 1997, the world couldn’t quite agree on a common and compatible WiFi standard. Then, a group of industry experts formed a committee to decide. Think of them like the council from Lord of the Rings but tech-savvy and with less pointy ears.

Not only did the committee agree on a wireless communication standard, but they formed an alliance called the Wireless Ethernet Compatibility Alliance (WECA). In 2002, WECA was rebranded to WiFi Alliance, which features hundreds of renowned member companies today. Pointy ears still aren’t a requirement for joining.

What is a WiFi hotspot?

A WiFi hotspot is any physical location where a device can connect to the Internet through a Wireless Local Area Network (WLAN). Nowadays, you can easily create a WiFi hotspot with a modern smart device. For example, most smartphones can produce a WiFi hotspot, which effectively turns them into an Internet-connected WiFi router. Any wireless-capable device in range can use it to connect to the Internet (using the phone’s connection to the cellular network) in the same way as they would use an Internet router at home.

When is it safe to use WiFi?

A WiFi connection’s safety depends on its security settings and the source of the WiFi connection. In public, using shared WiFi carries risks (more on that below). If you have to use public WiFi hotspots, it’s wise to also use a VPN to keep your activity private while you use that connection. A VPN wraps your network traffic (including web browsing, email, and other things) in a protective tunnel and makes up for any weaknesses in the hotspot’s encryption.

For home WiFi, here are some tips that can help you improve your network security settings:

  • Update your router’s firmware to the latest version to patch any vulnerabilities.
  • Use a modern router if you can because an old router can be a security risk.
  • Change the default SSID to a different WiFi network name. A hacker can sometimes determine the make and model of your router from the SSID and use the information to exploit known weaknesses and breach your network.
  • Use the latest version of the WiFi Protected Access (WPA) protocol to enhance security. It’s advisable to avoid the Wired Equivalent Privacy (WEP) algorithm because it’s outdated and easier to crack.
  • Enable your router’s and operating system’s respective firewalls to raise a network barrier that monitors traffic.
  • Set a long password for your router and your WiFi network. Always change default passwords.

How can I enhance my WiFi signal?

The strength of your WiFi signal depends on the distance between your router and your device, what’s between them, and other radio interference. Of course, it’s not always possible to keep your device near your router. That’s why it’s a good idea to keep your router in a central location in your home, away from impediments.

You can also purchase a range extender to improve your WiFi signal across your home or buy a more technologically advanced router.

Is it unsafe to use public WiFi connections?

Public WiFi connections are undoubtedly convenient. When you’re on the move, you can connect to the Internet at the airport, shopping mall, café, or restaurant through a public WiFi connection. However, many public networks are unsecured, to make it easy for people to connect. It is also impossible to tell who is operating the hotspot and whether they are benign, malicious or careless.

Because they are a bottleneck to lots of traffic, WiFi hotspots create an ideal place for committing identity theft, financial fraud, and other cybercrimes. Here are some common public WiFi attacks you should watch out for:

  • Person-in-the-middle attack: Hackers intercept communications on a public WiFi network and modify them to steal sensitive data like credit card data, emails, messages, pictures, and videos, or to inject malicious code. This attack has also been known as a Man-in-the-Middle or MitM attack.
  • Fraudulent Hotspot: A hacker may create a compromised WiFi network with a plausible name (perhaps the same name as an existing hotspot that’s very popular) to trick users into connecting to the fake network. The hacker can use it to conduct a person-in-the-middle attack, or deploy malicious code like the new AgentTesla variant into the devices connected to the fraudulent hotspot.

How to reduce public WiFi security risks

Although the encryption that is widely used in web browsing and email delivery will help protect you from attacks, it isn’t perfect and isn’t used everywhere. It can be hard to see when it isn’t used, where it’s weak, or where it might be vulnerable to downgrade attacks, particularly in mobile apps, all of which can be exploited by attackers.

You can also use a Virtual Private Network (VPN) to secure your traffic when using public WiFi connections. By wrapping your imperfectly-encrypted traffic in a single, impenetrable tunnel, the best VPN services will keep your data safe from rogue WiFi hotspots and attempts to intercept your communications. You can also read up on VPN protocols to learn about how they secure your connection.

A top VPN service also protects your privacy by cloaking your IP address. Privacy threats can sometimes come from unlikely sources. For example, a Dutch city was recently fined for trailing its citizens with a WiFi tracking system.

Turn WiFi off on your devices when you don’t need it. It’ll make your battery last longer and it stops your device from being used as a tracking beacon.

The post What does WiFi stand for? appeared first on Malwarebytes Labs.


Using iPhones and AirTags to sneak data out of air-gapped networks

Malware Bytes Security - Thu, 05/13/2021 - 1:19pm

Someone has found an extraordinary way to exfiltrate data by piggybacking it on unsuspecting iPhones.

Say what?

A researcher has found out that it is possible to upload arbitrary data from non-internet-connected devices by sending Bluetooth Low Energy (BLE) broadcasts to nearby Apple devices that will happily upload the data for you. To demonstrate their point, they released an ESP32 firmware that turns the micro-controller into an (upload only) modem. They also created a macOS application to retrieve, decode and display the uploaded data.

How AirTags are involved

The investigation was triggered by the release of AirTags. AirTags are marketed by Apple as a super-easy way to keep track of your stuff. Basically, you attach an AirTag to your valuables and you can find out where they are using Apple’s Find My app. Unlike a GPS tracker, which requires cell service and can drain batteries quickly, AirTags rely on the popularity of Apple products. The iPhones, iPads, and Macs used by hundreds of millions of people around the world are nodes in a distributed “Find My” network, joined by BLE signals.

Research theory and practice

Building on previous work by TU Darmstadt, the researcher was curious whether Find My’s Offline Finding network could be (ab)used to upload arbitrary data to the Internet from devices that are not connected to Wi-Fi or mobile internet. The data would be broadcast via BLE and hopefully picked up by nearby Apple devices on the Find My network. Then, if those devices were later connected to the Internet, they could forward the data to Apple servers, from where it could be retrieved. In theory, such a technique could be used to avoid the cost and power consumption of mobile Internet access. More interesting from our point of view, it could also be used to exfiltrate data!

Sometimes theoretical ideas like this get shot down by practical issues, like the bandwidth restrictions in the AirTag system, for example. But as it turned out, some security and privacy decisions in the design of the Offline Finding mechanism enabled the goal quite efficiently, and, according to the researcher, make it almost impossible to protect against.

Security through obscurity

The Apple Find My Offline Finding system is designed so that:

  • There are no secrets on the AirTag.
  • There is no access for Apple to the user’s location.
  • Tracking protection against nearby adversaries is achieved by rolling public keys.

The consequence of this for the research lies in the fact that Apple does not know which public keys belong to your AirTag, and therefore which location reports were intended for you. This means that any device with an Apple ID can get location reports from any AirTag. The security solely lies in the encryption of those location reports: The location can only be decrypted with the correct private key, which is on the owner’s device.


Since there is no way for Apple to check what kind of device is sending out the signal, for the sending side the researcher chose the ESP32, as it is a very common and low-cost microcontroller. Using firmware based on the TU Darmstadt research, the device broadcasts a hardcoded default message in a loop and listens for new data to broadcast, switching over as soon as a new message is received.

Designing a protocol

To make the sender and receiver understand each other took some tinkering. If you are interested in the more technical aspects, I advise you to read the researcher’s post. But the end goal, setting arbitrary bits in the shared key-value store and querying them, was reached. Once both the sender and receiver agree on an encoding scheme, it is possible to transfer arbitrary data.

To send properly authenticated retrieval requests, the researcher used an Apple Mail plugin, a trick that was also described in the German research.

Bridging the air gap

Because devices on the Find My network will cache received broadcasts until they have an Internet connection, this technique can be used to upload data from areas without mobile or Wi-Fi coverage, as long as iPhone owners pass by from time to time. The easiest to imagine use case would be uploading data from remote IoT devices without a broadband modem, SIM card, data plan or Wi-Fi connectivity, but it could also be used in sneakier ways.

In the world of high-security networks, where exotic techniques like blinking server lights and drone cameras are noteworthy techniques for bridging air gaps, visitors’ Apple devices might also be a feasible method for exfiltrating data.

Air-gapped systems were considered the holy grail of security a decade ago. An air-gapped network is one that is physically isolated and not connected to any other network. The idea was that the only way data can be transferred into or out of such a network is by physically inserting some sort of removable media, such as a USB drive or removable disk, or by connecting a transient device like a laptop. Since then, a lot of research has gone into methods to exfiltrate data from air-gapped networks. It seems this researcher has found another one.


As mentioned earlier, it would be hard for Apple to defend against this kind of misuse if they wanted to. Apple designed the system on the principle of data economy. They cannot read unencrypted locations and do not know which public keys belong to your AirTag, or even which public key a certain encrypted location report belongs to (as they only receive the public key’s SHA256 hash).

However, the researcher points out that hardening of the system might be possible in the following two areas:

  • Authentication of the BLE advertisement.
  • Rate limiting of the location report retrieval.

The authentication could be used to exclude anything other than an AirTag from sending data to finder devices. The rate limiting could enforce the limit of 16 AirTags per Apple ID and make abusing the system to send large amounts of data a lot harder.
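The design property described under “Security through obscurity” (the server indexes location reports only by the SHA-256 of a public key and cannot tell who advertised it) and the “Designing a protocol” idea of treating that store as a shared key-value map are easiest to see in a small model. The following is an added example written for this post, not the researcher's firmware or macOS tool and not Apple's service: a toy in-memory store, a sender/receiver pair that agrees on one stand-in key per (message, bit position, bit value), and the second hardening the researcher proposes, a per-account retrieval budget. The shared secret, message id and budget size are assumptions of the model; the "keys" are hashes standing in for real curve points and the "reports" are opaque placeholders, so nothing here talks to any real network.

```python
"""Added example (not the researcher's or Apple's code): a toy model of a
hash-indexed report store, a bit-per-key encoding on top of it, and a
per-account retrieval budget as one of the proposed hardening measures."""
import hashlib
from collections import defaultdict
from typing import Dict, List, Optional


class FindMyServer:
    """Toy model of the Offline Finding store. Reports are keyed only by the
    SHA-256 of the advertised public key, so the server learns neither which
    device advertised it nor what the report is for."""

    def __init__(self, retrieval_limit: Optional[int] = None):
        self.reports: Dict[str, List[bytes]] = defaultdict(list)
        self.retrieval_limit = retrieval_limit   # hardening: lookups per account
        self.used: Dict[str, int] = defaultdict(int)

    def upload(self, pubkey_hash: str, encrypted_report: bytes) -> None:
        """Called by any finder device that heard a BLE advertisement."""
        self.reports[pubkey_hash].append(encrypted_report)

    def fetch(self, account: str, pubkey_hashes: List[str]) -> Dict[str, List[bytes]]:
        """Authenticated retrieval by any Apple ID, debited against its budget."""
        if self.retrieval_limit is not None:
            if self.used[account] + len(pubkey_hashes) > self.retrieval_limit:
                raise PermissionError("retrieval budget exceeded")
            self.used[account] += len(pubkey_hashes)
        return {h: self.reports[h] for h in pubkey_hashes if h in self.reports}


def bit_key(shared_secret: str, msg_id: str, index: int, bit: int) -> bytes:
    """Encoding scheme agreed between sender and receiver: one stand-in
    'public key' per (message, bit position, bit value). Assumption: a hash
    replaces the real curve point carried in the advertisement."""
    return hashlib.sha256(f"{shared_secret}|{msg_id}|{index}|{bit}".encode()).digest()


def key_hash(pubkey: bytes) -> str:
    """What the server actually sees: SHA-256 of the public key."""
    return hashlib.sha256(pubkey).hexdigest()


def bits_of(data: bytes) -> List[int]:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bytes_of(bits: List[int]) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def broadcast_message(server: FindMyServer, shared_secret: str, msg_id: str, data: bytes) -> None:
    """Sender side: one advertisement per bit. In the model the finder that
    hears it uploads an opaque report straight away."""
    for index, bit in enumerate(bits_of(data)):
        h = key_hash(bit_key(shared_secret, msg_id, index, bit))
        server.upload(h, b"<encrypted location report>")


def receive_message(server: FindMyServer, account: str, shared_secret: str,
                    msg_id: str, nbits: int) -> bytes:
    """Receiver side: for each bit, query both candidate hashes and see which
    one has a report. Every bit costs two lookups, which is what a retrieval
    budget constrains."""
    bits = []
    for index in range(nbits):
        candidates = {b: key_hash(bit_key(shared_secret, msg_id, index, b)) for b in (0, 1)}
        found = server.fetch(account, list(candidates.values()))
        bits.append(1 if candidates[1] in found else 0)
    return bytes_of(bits)


def budget_blocks_transfer(limit: int, data: bytes) -> bool:
    """True if a server with `limit` lookups per account stops the receiver
    before it has decoded all of `data`."""
    server = FindMyServer(retrieval_limit=limit)
    broadcast_message(server, "secret", "m1", data)
    try:
        receive_message(server, "reader", "secret", "m1", 8 * len(data))
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    open_server = FindMyServer()
    broadcast_message(open_server, "secret", "m1", b"ok")
    print(receive_message(open_server, "reader", "secret", "m1", 16))   # b'ok'
    print(budget_blocks_transfer(16, b"ok"))                            # True
```

The model makes the researcher's point concrete: `FindMyServer.upload` has no way to tell an ESP32 from an AirTag, so authentication of the advertisement is the only control on the sending side, while the budget in `fetch` caps how many bits one Apple ID can read per window on the retrieval side.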

This technique looks more like interesting research than a pressing, real-world problem and it remains to be seen how seriously Apple treats this threat. In the meantime, the company is well aware that data exfiltration isn’t the only nefarious activity that AirTags can be repurposed for.

The post Using iPhones and AirTags to sneak data out of air-gapped networks appeared first on Malwarebytes Labs.


Why MITRE ATT&CK matters—Choosing alert quality over quantity

Malware Bytes Security - Thu, 05/13/2021 - 10:25am

Round 3 Carbanak/FIN7 results evaluation

Last month, the researchers at MITRE Engenuity released the results of their most recent ATT&CK Evaluation, offering businesses an opportunity to make informed choices about their own security needs. This year, by modeling the ATT&CK testing after attack methods deployed by the hacker groups Carbanak and FIN7, MITRE Engenuity’s newest evaluation sheds light on how some of the most trusted cybersecurity solutions on the market fare when pitted against some of the most prolific and advanced attacker tactics and techniques to date.

These are the kinds of results that can make any business consider reevaluating its cybersecurity strategy, but before leaping to conclusions, companies should consider whether the results they’re reading are meaningful for their own situations.

For instance, the results are particularly interesting when you put them into the context of real-world environments and experience. As such, it’s critical that organizations without the in-house expertise of a SOC use solutions that are intuitive and effective: The barrage of security alerts can overwhelm, many IT and security teams aren’t going to be able to easily identify the ones that matter, and the more time they spend in the data weeds, the less time they have to dedicate to growing the business. These organizations also may not be set up to tackle the complex configuration updates some products require to deliver quality results.

Thus, while the ATT&CK Evaluation results do reveal Endpoint Detection and Response (EDR) product scope—revealing how much these products detect in an environment—it is important to also evaluate both the quality (not just the quantity) of that data and how easily the results can be replicated and acted on by your team.

In their article “Winning MITRE ATT&CK, Losing Sight of Customers”, Forrester analysts Jeff Pollard and Allie Mellen explore this exact challenge, noting that “‘domination’ of the results does not prove the tool will be effective given your infrastructure, your team, or your business goals,” and that the ATT&CK Evaluation is “focused on the TOOL.”

“It’s NOT focused on the experience,” Pollard and Mellen said. “There are lots of great products poorly deployed, not deployed at all, misconfigured, or lacking the right visibility to be maximally effective.” To put this year’s ATT&CK Evaluation into context for our readers, we are going to listen to the experts—including Pollard and Mellen—and we are going to apply the framework created last year by former Forrester analyst Josh Zelonis to evaluate the Round 2 APT29 results (Zelonis has updated his framework for Round 3 in his GitHub repository).

Because of this, the graph we’re going to show you may not look like the graphs you’ve seen across the Internet. We understand that. But we think it is just as important to present you actionable information delivered out of the box as it is to present you true information. And, fairly, this applies to all the cybersecurity providers included in this year’s ATT&CK Evaluation. 

With that in mind, we will also explain further below how we arrived at the following results:

Eliminating configuration changes

First, Zelonis’s framework discards mid-test configuration changes that improved detection capabilities.

During the test, vendors may choose to change a standard setting to better detect the attacker technique being tested. These revised configurations are likely not the default settings for customers because they’d result in too many alerts. It’s better not to have a detection rule in place you know will be noisy, generate false positives, and leave you scratching your head about what really matters in all that signal. Similarly, making these same configuration changes in-house is an unreasonable expectation of many customers. The vendors themselves had a team of experts on hand to review the results, determine the changes to make, and respond.

To map the test results to the needs and knowledge of many customers, we will discard any steps that were detected with a significant configuration change that affects the product’s detection capabilities. Now, we can better compare out-of-the-box product configuration and alert investigation experiences.

Determining alert quality

Alert quality is also critical when you want to quickly determine what you need to investigate and respond to. We suggest you use the following to help interpret the ATT&CK Evaluations results:

Security analytics

In this test detections can be any of the three types of alerts—General, Tactic, and Technique—and there is a hierarchy to these detection types.

The highest quality alerts are Techniques. They are where the real detail comes into play—where you know what you are dealing with, the specific steps taken, and what to investigate swiftly. For example, compare the following two alerts:

  1. “A PowerShell script executed”
  2. “T1041 – Exfiltration Over Command and Control Channel”

The latter provides precise, actionable details about what occurred—the theft of data—and how.

The more Techniques in the vendor’s results, the better the analytics capabilities of their EDR product and the swifter the investigation. Thus, we determine the quality of the alerts triggered by an EDR product by dividing the total number of Technique Alerts by the total number of Detections. 

We strongly believe that small IT and security teams should prioritize alert quality over quantity when evaluating an EDR product, while enterprises and MSPs will also benefit from enriching their SOC data with greater context.

Quality rate

EDR vendors should strive for quality alerts out of the box, but they also have to trigger enough quality alerts for IT and security teams to have that all-important level of detail about every action that attackers have taken. To complete this perspective of the data, then, we define Quality Rate by dividing the total number of Technique alerts by the total number of steps during the test. Was there a quality alert for each step?
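The three adjustments described above (discarding detections that needed a mid-test configuration change, alert quality as Technique alerts over total detections, and quality rate as Technique alerts over total steps) reduce to a few lines once the results are in a table. The following is an added example, not Zelonis's scripts and not MITRE Engenuity's data: the rows are constructed to have the shape of an evaluation results table (one row per sub-step with the observed detection type and a flag for configuration changes), and the numbers they produce are only there to show the formulas at work.

```python
"""Added example (not MITRE Engenuity's data or Zelonis's code): apply the
out-of-the-box filter and the two quality formulas to a constructed table."""
from collections import Counter
from typing import Dict, List

# Constructed sample rows: sub-step id, best detection type observed, and
# whether that detection only appeared after a configuration change.
SAMPLE_STEPS: List[Dict] = [
    {"step": "1.A.1", "detection": "Technique", "config_change": False},
    {"step": "1.A.2", "detection": "Tactic",    "config_change": False},
    {"step": "1.A.3", "detection": "General",   "config_change": False},
    {"step": "2.B.1", "detection": "Technique", "config_change": True},
    {"step": "2.B.2", "detection": "None",      "config_change": False},
    {"step": "3.C.1", "detection": "Technique", "config_change": False},
]


def out_of_the_box(steps: List[Dict]) -> List[Dict]:
    """Discard any detection that required a mid-test configuration change:
    for a customer running defaults it is as if nothing fired."""
    return [dict(s, detection="None") if s["config_change"] else s for s in steps]


def score(steps: List[Dict]) -> Dict[str, float]:
    """Alert quality = Technique alerts / all detections.
    Quality rate   = Technique alerts / all steps (was each step covered?)."""
    counts = Counter(s["detection"] for s in steps)
    detections = sum(n for kind, n in counts.items() if kind != "None")
    technique = counts["Technique"]
    return {
        "steps": len(steps),
        "detections": detections,
        "technique_alerts": technique,
        "alert_quality": technique / detections if detections else 0.0,
        "quality_rate": technique / len(steps) if steps else 0.0,
    }


if __name__ == "__main__":
    print("as reported :", score(SAMPLE_STEPS))
    print("out of box  :", score(out_of_the_box(SAMPLE_STEPS)))
```

With these constructed rows the vendor drops from 5 detections (3 Technique) to 4 detections (2 Technique) once the configuration-change row is discarded, so alert quality moves from 0.6 to 0.5 and quality rate from 0.5 to 0.33: the same kind of shift the article's graph is meant to make visible.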

Getting the complete picture

One last consideration is worthwhile. EDR is an essential endpoint security strategy today, but endpoint protection—the prevention side of the story—also plays a critical role, and even more so for those who aren’t looking to hire or invest in an incident response team. Just as reducing the noise helps you zero in on alerts that matter, reducing the attack surface—assessing vulnerabilities and securing weak points in your defenses—helps you limit the threats that get through so you can more easily respond to them.

In the Round 3 evaluation, MITRE Engenuity also assessed protection capabilities. Let’s combine the protection and detection results to get the complete picture:

When viewed in context, Malwarebytes blocked eight out of 10 attacks on the earlier stages of the attack chain. Malwarebytes is not an EDR-only solution. It is a complete, integrated EP + EDR solution that provides multi-layered defense-in-depth for all types of modern cyberattacks, while remaining easy to use out of the box by organizations of all sizes.

We share this information to inform. Companies deserve to know exactly what they are buying when they purchase a cybersecurity solution, and they deserve to know how those solutions are tested—that includes the conditions, the circumstances, and the real-world applications of those tests.

At Malwarebytes we must be realistic about those real-world applications. For many businesses, cybersecurity is a set-it-and-forget-it product, and in-house SOCs and internal teams that can routinely adjust alert settings are luxuries. That’s just a fact, and it does not matter whether the cybersecurity industry likes or doesn’t like that fact—what matters is whether cybersecurity vendors are willing to honestly support their customers’ needs.

The post Why MITRE ATT&CK matters—Choosing alert quality over quantity appeared first on Malwarebytes Labs.


FragAttack: New Wi-Fi vulnerabilities that affect… basically everything

Malware Bytes Security - Wed, 05/12/2021 - 1:31pm

A new set of vulnerabilities with an aggressive name and their own website almost always bodes ill. The name FragAttack is a contraction of fragmentation and aggregation attacks, which immediately indicates the main area where the vulnerabilities were found.

The vulnerabilities are mostly in how Wi-Fi and connected devices handle data packets, and more particularly in how they handle fragments and frames of data packets. As far as the researcher is aware, every Wi-Fi product is affected by at least one vulnerability.

The research

The researcher that uncovered the Wi-Fi vulnerabilities, some of which have existed since 1997, is Mathy Vanhoef. The vulnerabilities he discovered affect all modern Wi-Fi security protocols, including the latest WPA3 specification. You may remember Vanhoef as one of the researchers behind the KrackAttacks weaknesses in the WPA2 protocol. As Vanhoef puts it:

“it stays important to analyze even the most well-known security. Additionally, it shows that it’s essential to regularly test Wi-Fi products for security vulnerabilities, which can for instance be done when certifying them.”

Packet fragmentation

In each network, there is a maximum size to the chunks of data that can be transmitted on a network layer, called the MTU (Maximum Transmission Unit). Packets can often be larger than this maximum size, so to fit inside the MTU limit each packet can be divided into smaller pieces of data, called fragments. These fragments are later re-assembled to reconstruct the original message.

Wi-Fi networks can use this packet fragmentation to improve throughput. By fragmenting data packets and sending more, but shorter frames, each transmission will have a lower probability of collision with another packet. So, if the content of a message is too large to fit inside a single packet, the content is spread across several fragments, each with its own header.

Just like packets, frames are small parts of a message in the network. A frame helps to identify data and determine the way it should be decoded and interpreted. The main difference between a packet and a frame is the association with the OSI layers. While a packet is the unit of data used in the network layer, a frame is the unit of data used on the layer below it, the OSI model’s data link layer. A frame contains more information about the transmitted message than a packet.

The vulnerabilities

The researcher found several implementation flaws that can be abused to easily inject frames into a protected Wi-Fi network. These vulnerabilities can be grouped as follows:

Device-specific flaws
  • Some Wi-Fi devices accept any unencrypted frame even when connected to a protected Wi-Fi network.
  • Certain devices accept plaintext aggregated frames that look like handshake messages.
  • Worse than those, some devices accept broadcast fragments even when sent unencrypted.
Design flaws in the Wi-Fi features that handle frames
  • The frame aggregation feature of Wi-Fi uses an “is aggregated” flag that is not authenticated and can be modified by an adversary.
  • Another design flaw is in the frame fragmentation feature of Wi-Fi. Receivers are not required to check whether every fragment that belongs to the same frame is encrypted with the same key and will reassemble fragments that were decrypted using different keys.
  • The third design flaw is also in Wi-Fi’s frame fragmentation feature. When a client disconnects from the network, the Wi-Fi device is not required to remove non-reassembled fragments from memory.

There are also a few other implementation vulnerabilities that can be used to escalate the flaws mentioned above.
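The fragmentation mechanism explained under “Packet fragmentation” and the second and third design flaws listed above (reassembling fragments decrypted under different keys, and not clearing partial frames on disconnect) can be shown side by side in a small receiver model. The following is an added example, not code from the researcher or from any Wi-Fi driver: a naive reassembler that groups fragments by sequence number only, and a hardened one that refuses mixed keys and non-consecutive packet numbers and flushes its cache when the client disconnects. The `Fragment` fields are a simplification of the real 802.11 header, and the three scenarios are constructed; the first design flaw (the unauthenticated “is aggregated” flag) is not modelled here.

```python
"""Added example (not the researcher's or any driver's code): a fragment
reassembler with the two FragAttacks fragmentation flaws beside a version
that checks what the standard did not require."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Fragment:
    """Simplified view of one decrypted 802.11 fragment (constructed model)."""
    seq: int          # sequence number shared by all fragments of one frame
    frag: int         # fragment index: 0, 1, 2, ...
    last: bool        # True when the "more fragments" flag is clear
    key_id: int       # which session key this fragment was decrypted under
    pn: int           # packet number (CCMP/GCMP nonce counter)
    payload: bytes


class NaiveReassembler:
    """Groups by sequence number only. Accepts fragments decrypted under
    different keys (mixed key attack) and keeps half-built frames across a
    reconnect (fragment cache attack)."""

    def __init__(self) -> None:
        self.cache: Dict[int, List[Fragment]] = {}

    def on_disconnect(self) -> None:
        pass                                   # flaw: partial frames survive

    def receive(self, f: Fragment) -> Optional[bytes]:
        parts = self.cache.setdefault(f.seq, [])
        parts.append(f)
        if not f.last:
            return None
        del self.cache[f.seq]
        return b"".join(p.payload for p in sorted(parts, key=lambda p: p.frag))


class HardenedReassembler(NaiveReassembler):
    """Same reassembly, plus the checks that close both design flaws."""

    def on_disconnect(self) -> None:
        self.cache.clear()                     # drop partial frames on (re)connect

    def receive(self, f: Fragment) -> Optional[bytes]:
        parts = self.cache.get(f.seq)
        if parts:
            prev = parts[-1]
            same_key = f.key_id == prev.key_id
            consecutive = f.pn == prev.pn + 1 and f.frag == prev.frag + 1
            if not (same_key and consecutive):
                del self.cache[f.seq]          # discard the whole frame
                return None
        elif f.frag != 0:
            return None                        # a frame must start at fragment 0
        return super().receive(f)


# --- constructed scenarios ---------------------------------------------------
def normal_scenario(r: NaiveReassembler) -> Optional[bytes]:
    """Two well-formed fragments of one frame under one key."""
    r.receive(Fragment(seq=3, frag=0, last=False, key_id=1, pn=10, payload=b"hel"))
    return r.receive(Fragment(seq=3, frag=1, last=True, key_id=1, pn=11, payload=b"lo"))


def mixed_key_scenario(r: NaiveReassembler) -> Optional[bytes]:
    """Fragment 0 decrypted under key 1, fragment 1 under key 2 (CVE-2020-24587)."""
    r.receive(Fragment(seq=7, frag=0, last=False, key_id=1, pn=100, payload=b"GET /"))
    return r.receive(Fragment(seq=7, frag=1, last=True, key_id=2, pn=101, payload=b"evil"))


def cache_scenario(r: NaiveReassembler) -> Optional[bytes]:
    """Fragment 0 arrives, the client reconnects, then a 'matching' last
    fragment arrives (CVE-2020-24586)."""
    r.receive(Fragment(seq=9, frag=0, last=False, key_id=1, pn=200, payload=b"stale"))
    r.on_disconnect()
    return r.receive(Fragment(seq=9, frag=1, last=True, key_id=1, pn=201, payload=b"+new"))


if __name__ == "__main__":
    for name, scenario in [("normal", normal_scenario), ("mixed key", mixed_key_scenario),
                           ("cache", cache_scenario)]:
        print(f"{name:10} naive={scenario(NaiveReassembler())!r} "
              f"hardened={scenario(HardenedReassembler())!r}")
```

The hardened version also rejects a frame that does not begin at fragment 0 and non-consecutive packet numbers, which is the check the Galaxy S3 entry (CVE-2020-26146) in the list below lacked; the vulnerable version is kept here only so the difference is visible on the same input.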


Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Although each affected codebase normally receives a unique CVE, the agreement between affected vendors was that, in this specific case, using the same CVE across different codebases would make communication easier.

The design flaws were assigned the following CVEs:

  • CVE-2020-24588: Aggregation attack (accepting non-SPP A-MSDU frames).
  • CVE-2020-24587: Mixed key attack (reassembling fragments encrypted under different keys).
  • CVE-2020-24586: Fragment cache attack (not clearing fragments from memory when (re)connecting to a network).

Implementation vulnerabilities that allow the trivial injection of plaintext frames in a protected Wi-Fi network were assigned these CVEs:

  • CVE-2020-26145: Samsung Galaxy S3 accepting plaintext broadcast fragments as full frames (in an encrypted network).
  • CVE-2020-26144: Samsung Galaxy S3 accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network).
  • CVE-2020-26140: Alfa Windows 10 driver for AWUS036H accepting plaintext data frames in a protected network.
  • CVE-2020-26143: Alfa Windows 10 driver 1030.36.604 for AWUS036ACH accepting fragmented plaintext data frames in a protected network.

Other implementation flaws are assigned the following CVEs:

  • CVE-2020-26139: NetBSD forwarding EAPOL frames even though the sender is not yet authenticated.
  • CVE-2020-26146: Samsung Galaxy S3 reassembling encrypted fragments with non-consecutive packet numbers.
  • CVE-2020-26147: Linux kernel 5.8.9 reassembling mixed encrypted/plaintext fragments.
  • CVE-2020-26142: OpenBSD 6.6 kernel processing fragmented frames as full frames.
  • CVE-2020-26141: ALFA Windows 10 driver for AWUS036H not verifying the TKIP MIC of fragmented frames.
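
To make the three design flaws and the reassembly-related implementation flaws concrete from the receiver's side, here is an added Python model written for this article; it is not the researcher's test tool or code from any driver. With strict=False it behaves like the lenient receivers the CVE list describes; with strict=True it enforces the checks that close those CVEs: every fragment of a frame decrypted under the same key, consecutive packet numbers, no plaintext in a protected network, and a fragment cache flushed on (re)connect. The Fragment fields, the scenario functions and the sample payloads are constructed assumptions for the model, not 802.11 structures taken from the page.

```python
"""Receiver-side fragment reassembly model with the checks the FragAttacks CVEs call for.

Constructed educational model (assumption), not the researcher's tool or real driver code.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Fragment:
    """One received 802.11 fragment after decryption (constructed model)."""
    seq: int               # sequence number shared by every fragment of one frame
    frag: int              # fragment number, 0-based
    more_frags: bool       # the More Fragments flag from the frame control field
    key_id: Optional[int]  # key the fragment was decrypted with; None means plaintext
    pn: Optional[int]      # packet number (replay counter); None for plaintext
    payload: bytes


class Reassembler:
    """strict=False mirrors a lenient receiver; strict=True enforces the checks."""

    def __init__(self, strict: bool) -> None:
        self.strict = strict
        self._cache: Dict[int, List[Fragment]] = {}   # seq -> fragments seen so far
        self.rejections: List[str] = []

    def on_connect(self) -> None:
        """Called when the client (re)connects to the network."""
        # CVE-2020-24586: a strict receiver drops non-reassembled fragments here,
        # so nothing left over from an earlier association can be completed later.
        if self.strict:
            self._cache.clear()

    def receive(self, f: Fragment) -> Optional[bytes]:
        """Returns the reassembled frame once it is complete, otherwise None."""
        pending = self._cache.setdefault(f.seq, [])
        if self.strict:
            reason = self._reject_reason(pending, f)
            if reason is not None:
                self.rejections.append(reason)
                self._cache.pop(f.seq, None)   # discard the whole partial frame
                return None
        pending.append(f)
        if f.more_frags:
            return None
        self._cache.pop(f.seq, None)
        return b"".join(p.payload for p in pending)

    @staticmethod
    def _reject_reason(pending: List[Fragment], f: Fragment) -> Optional[str]:
        if f.key_id is None or f.pn is None:
            # CVE-2020-26145 / CVE-2020-26147: no plaintext (fragments) in a protected network
            return "plaintext fragment in a protected network"
        if f.frag != len(pending):
            # fragments must arrive in order starting at 0; this also catches a
            # continuation fragment that has no first fragment in the cache
            return "unexpected fragment number"
        if pending:
            prev = pending[-1]
            if prev.key_id != f.key_id:
                # CVE-2020-24587: all fragments must be decrypted under the same key
                return "fragments decrypted under different keys"
            if f.pn != prev.pn + 1:
                # CVE-2020-26146: packet numbers of fragments must be consecutive
                return "non-consecutive packet numbers"
        return None


def legit_frame(strict: bool) -> Optional[bytes]:
    """Two fragments, same key, consecutive PNs: accepted by both receivers."""
    r = Reassembler(strict)
    r.receive(Fragment(7, 0, True, 1, 100, b"GET /index"))
    return r.receive(Fragment(7, 1, False, 1, 101, b".html"))


def mixed_key_frame(strict: bool) -> Optional[bytes]:
    """Second fragment decrypted under a different key (CVE-2020-24587)."""
    r = Reassembler(strict)
    r.receive(Fragment(8, 0, True, 1, 200, b"first-half"))
    return r.receive(Fragment(8, 1, False, 2, 201, b"second-half"))


def cached_fragment_frame(strict: bool) -> Optional[bytes]:
    """Fragment left in the cache across a reconnect (CVE-2020-24586)."""
    r = Reassembler(strict)
    r.receive(Fragment(9, 0, True, 1, 300, b"stale"))
    r.on_connect()   # client reconnects; only the strict receiver clears its cache
    return r.receive(Fragment(9, 1, False, 1, 301, b"-tail"))


def plaintext_frame(strict: bool) -> Optional[bytes]:
    """Unencrypted frame presented inside a protected network (CVE-2020-26145)."""
    r = Reassembler(strict)
    return r.receive(Fragment(10, 0, False, None, None, b"plain"))


if __name__ == "__main__":
    for name, fn in [("legit", legit_frame), ("mixed key", mixed_key_frame),
                     ("cached fragment", cached_fragment_frame), ("plaintext", plaintext_frame)]:
        print(f"{name:16} lenient={fn(False)!r:28} strict={fn(True)!r}")
```

The lenient receiver completes all four frames; the strict one completes only the legitimate frame and records why it dropped the others, which is the behaviour a patched driver or kernel has to implement for the three design-flaw CVEs above.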

Vulnerable devices

On the dedicated site the researcher states that

“experiments indicate that every Wi-Fi product is affected by at least one vulnerability and that most products are affected by several vulnerabilities.”

The statement is based on testing more than 75 devices, which showed they were all vulnerable to one or more of the discovered attacks.

To mitigate attacks where your router’s NAT/firewall is bypassed and devices are attacked directly, you must ensure that all your devices are updated. Unfortunately, not all products receive regular updates.

Using a VPN can prevent attacks where an adversary is trying to exfiltrate data. It will not prevent an adversary from bypassing your router’s NAT/firewall to directly attack devices.

The impact of attacks can also be reduced by manually configuring a trusted DNS server on your devices, so that their DNS lookups cannot be poisoned.

Graveness of the vulnerabilities

We have been here before. When the KRACK vulnerabilities were revealed a few years ago some people treated it as if it was the end of Wi-Fi. You’ll have noticed it wasn’t. That doesn’t mean it was nothing, either, but a little perspective goes a long way.

The CVEs registered for the FragAttacks have been given a medium severity rating, with CVSS scores between 4.8 and 6.5. This indicates that anything resembling remote control is probably too difficult to achieve to be attractive. The data-stealing options, however, are more imminent and could well be used in specific attacks.

Proof is in the pudding

If you are interested, you can find a demo and a link to a testing tool on the dedicated website. You can also find some FAQs and a pre-recorded presentation made for USENIX Security about these vulnerabilities.

Stay safe, everyone!

The post FragAttack: New Wi-Fi vulnerabilities that affect… basically everything appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Threat spotlight: DarkSide, the ransomware used in the Colonial Pipeline attack

Malware Bytes Security - Wed, 05/12/2021 - 10:15am

Late last week, the business network systems of Colonial Pipeline, the biggest supplier of fuels on the East Coast of the United States, were compromised due to a ransomware attack, forcing the company to temporarily shut down its operations while investigations are underway.

Monday morning, Pacific time, the FBI confirmed that the ransomware culprit is DarkSide, a fairly new strain that started making a name roughly in mid- to late-2020. In this post, we take a look at the malware and the criminal gang, who many believe are based in Eastern Europe, behind the Colonial Pipeline attack.

Threat profile: DarkSide ransomware

DarkSide was first observed in the wild in August 2020 and used by the APT group Carbon Spider, also known as Carbanak and FIN7 among others, for their Big Game Hunting (BGH) campaigns. According to Crowdstrike’s adversary profile on this group, it originated in the Russian Federation and/or Ukraine. Since being active in 2013, Carbon Spider has targeted institutions in the Middle East, Europe, and eventually, the United States.

DarkSide ransomware is sold to affiliates using the Ransomware-as-a-Service (RaaS) distribution model, so attacks are carried out by affiliates.

There are currently two known versions of DarkSide: DarkSide v1.0 and DarkSide v2.1. The latter is less weighty in terms of file size (53 KB versus 59.5 KB) and has a shorter decryption time.

Screenshot of DarkSide 2.0 debut forum post back in March 2021 (Source: Twitter user 3xp0rt, who is associated with Kela, an Israeli cyber intelligence outfit)

v2.1 has a new “call on us” feature, which allows ransomware affiliates to conduct a Voice Over IP (VoIP) session with victim organizations, their partners, and even journalists. It is believed that they added this feature to exert extra pressure against their victims.

DarkSide also has a Linux version that is capable of targeting VMWare ESXi vulnerabilities, making virtual machines (VMs) susceptible to hijacking and encryption of virtual drives.

Like other Big Game Hunting ransomware families, DarkSide is human-operated. This means that the ransomware is executed by an actual person behind the screen after they have successfully infiltrated a target network. This makes it possible for threat actors to move laterally, scouring the entire network and persistently backdooring several systems until they gain administrative access. They use these administrator credentials to deploy DarkSide.

DarkSide operators are not shy about asking $2M USD from their victims. Sometimes, they even double the price.

They also use their time in the network to harvest data and upload it to their servers before they encrypt the victim’s copy.

Once deployed, DarkSide begins to:

  • Encrypt all files using a combination of Salsa20 and RSA-1024
  • Empty the Recycle Bins
  • Uninstall services
  • Delete shadow copies
  • Terminate processes
  • Encrypt local disks
  • Encrypt network shares
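
The “delete shadow copies” step in this list, and the PowerShell technique the article notes DarkSide shares with REvil, is one of the more dependable places to catch a human-operated ransomware deployment shortly before encryption starts. The following Python is an added example written for this article, not Malwarebytes detection logic or code from the post: it scans constructed process-creation log lines for commonly documented shadow-copy deletion commands (vssadmin, wmic, wbadmin, and WMI Win32_ShadowCopy deletion from PowerShell) and also decodes PowerShell -EncodedCommand arguments so that a base64-wrapped variant is caught. The log format, hostnames and usernames are assumptions, and the sample PowerShell string is a constructed illustration rather than the particular string the article refers to.

```python
"""Detect shadow-copy deletion in process-creation logs, including PowerShell -EncodedCommand.

Added example; the log format and sample lines are constructed, and the command
patterns are commonly documented deletion methods (assumption), not the article's string.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Rule name -> pattern over the command line (or its decoded -EncodedCommand payload).
SHADOW_COPY_DELETION = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I | re.S)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I | re.S)),
    ("powershell_wmi_shadowcopy_delete",   # listing Win32_ShadowCopy alone is not flagged
     re.compile(r"win32_shadowcopy.*?(?:\.delete\(|remove-wmiobject|remove-ciminstance)",
                re.I | re.S)),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I | re.S)),
]

# PowerShell accepts -e / -ec / -enc / -EncodedCommand followed by base64 of UTF-16LE text.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    user: str
    rule: str
    from_encoded: bool   # True when the match was only visible after decoding


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if there is none / it is malformed."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le", errors="replace")
    except ValueError:   # binascii.Error is a ValueError subclass
        return None


def scan(lines: List[str]) -> List[Alert]:
    """Constructed log format: ts|host|user|image|commandline (the command line may contain '|')."""
    alerts: List[Alert] = []
    for line in lines:
        parts = line.split("|", 4)
        if len(parts) != 5:
            continue   # malformed record; a real pipeline would count these
        ts, host, user, _image, cmd = parts
        decoded = decode_encoded_command(cmd)
        for name, pat in SHADOW_COPY_DELETION:
            if pat.search(cmd):
                alerts.append(Alert(ts, host, user, name, False))
                break
            if decoded is not None and pat.search(decoded):
                alerts.append(Alert(ts, host, user, name, True))
                break
    return alerts


# --- constructed sample telemetry (not real logs) ---
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS_DELETE_CMD = "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
ENCODED_PS_DELETE = base64.b64encode(PS_DELETE_CMD.encode("utf-16le")).decode("ascii")


def _rec(ts: str, host: str, user: str, image: str, cmd: str) -> str:
    return "|".join([ts, host, user, image, cmd])


SAMPLE_LOG = [
    _rec("2021-05-07T22:01:12Z", "WKS-07", r"CORP\jdoe", r"C:\Windows\System32\notepad.exe",
         "notepad.exe report.txt"),
    _rec("2021-05-07T22:03:40Z", "FS-01", r"CORP\svc_backup", r"C:\Windows\System32\vssadmin.exe",
         "vssadmin delete shadows /all /quiet"),
    _rec("2021-05-07T22:03:41Z", "FS-01", r"CORP\svc_backup", PS_EXE,
         'powershell.exe -c "' + PS_DELETE_CMD + '"'),
    _rec("2021-05-07T22:03:42Z", "FS-01", r"CORP\svc_backup", PS_EXE,
         "powershell.exe -NoProfile -EncodedCommand " + ENCODED_PS_DELETE),
    _rec("2021-05-07T22:10:05Z", "WKS-03", r"CORP\itops", PS_EXE,
         'powershell.exe -c "Get-WmiObject Win32_Shadowcopy | Select-Object ID,InstallDate"'),
]


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.ts} {a.host} {a.user} {a.rule} encoded={a.from_encoded}")
```

Three of the five constructed records alert, all from the same host within seconds, which is the shape an analyst should treat as a pre-encryption stage rather than routine backup housekeeping; the benign Win32_ShadowCopy listing on WKS-03 stays quiet because the rule requires a deletion verb.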

After all the data have been exfiltrated, the threat actors post it on their leak site, DarkSide Leaks, along with other pertinent information about the attack, such as the name of the company, the date it was breached, how much data was stolen, sample screenshots of the stolen data, and the types of stolen data.

It is observed that DarkSide and REvil ransomware, also known as Sodinokibi, share some similarities:

  • Their ransom notes seem to have come from the same template.
  • Both ransomware families use Windows PowerShell to delete shadow volume copies on compromised systems, and both use the same particular string of PowerShell code to perform this action.

DarkSide ensures that victims feel their personalized touch by customizing the ransom note and file extension for their victims. For example, a checksum of the victim’s MAC address is used as the extension name of encrypted files when, normally, ransomware would just use their own pre-defined extension. (HelloKitty ransomware uses .kitty, for example.)

A portion of a DarkSide ransom note is reproduced below. Ransom notes include the type of files, a link to the victim organization’s personal leak page, and instructions on what victims can do.

----------- [ Welcome to DarkSide 2.0] -----------> What happend? --------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use Strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. Data leak --------------------------------------------- First of all we have uploaded more than full dump data. These files include: - finance - private information - partners documents

The DarkSide leaks website has a “Press Center” section where journalists can register. It has a section where “recovery companies”—victimized organizations that had no choice but to give in to DarkSide’s ransom demand—can register to receive decryptors, get additional “discounts”, and have a ready line to the threat actor’s support service. All of which demonstrates how organized DarkSide operators can be.

Malwarebytes’ signature-less protection detects all known variants of DarkSide.

Adversary profile: DarkSide operators

Lesley Carhart, DFIR at Dragos, has noted that DarkSide operators have been increasing their double-extortion attacks while somehow attracting little attention.

I don’t think people appreciate how effectively Darkside has been ramping up operations mostly under the radar for the last year. This was a very big “oops”. They were doing a really good job of decimating businesses, including infrastructure – and everyone has been really quiet.

— Lesley Carhart (@hacks4pancakes) May 10, 2021

The threat actors behind DarkSide ransomware are doing all this to gain money. However, its original creators declared that criminal groups who want to partner with them via their RaaS scheme should avoid targeting companies in certain sectors. These are:

  • Healthcare
  • Education
  • Nonprofit
  • Government

DarkSide may seem like your common-or-garden ransomware gang who only cares about making money off of the backs of organizations, including hospitals, but they would like you to think otherwise. One of the things that separates the DarkSide gang from the other “heartless” gangs is their declared intent to “make the world a better place”.

In 2020, the gang did just that by donating a portion of the money they extorted from victims to charity, not realizing that charities, knowing that the money is fraudulent, would never accept it. Worse, charities that accept fraudulent money without knowing it can get into a lot of trouble with the law: they can be charged with crimes related to money laundering, something the DarkSide gang perhaps didn’t see coming when thinking about the children.

In common with many other ransomware gangs, it’s also their mandate not to target states under the Commonwealth of Independent States (CIS), including Georgia and Ukraine.

While they reach for this dubious moral high ground, let us not forget that DarkSide threat actors have not only threatened victim organizations to leak all their files but also weaponize them by sharing them to their competitors, the media, and government regulators.

After the Colonial Pipeline attack made headlines and got the attention of no less than the FBI and the US government, DarkSide released a statement about it:

We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our [sic] motives.

Our goal is to make money, and not creating problems for society.

From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.

Many suspect that DarkSide operators are already in a mad rush to patch things up, having bitten off more than they can chew.

The straw that broke the camel’s back?

The DarkSide attack on the Colonial Pipeline may turn out to be the straw that broke the camel’s back. Last week, the White House held emergency meetings to take a look at an already drafted Executive Order on cybersecurity—possibly to strengthen it following this latest attack—that is expected to be released soon. Prior to that, the US Justice Department has already announced a 120-day review of its approach to combating cyberthreats, and been urged by the Ransomware Task Force’s strategic plan for tackling ransomware to treat ransomware as a national security threat.

Yesterday, the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) issued a joint cybersecurity advisory (CSA) against DarkSide ransomware. It contains detailed mitigation steps that businesses should follow to reduce the risk of successful ransomware attacks overall. These include simple steps, such as:

Organizations of all sectors should take heed of these best practices, because even before the publication of this article, DarkSide appears to have netted another victim.

The post Threat spotlight: DarkSide, the ransomware used in the Colonial Pipeline attack appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Get patching! Wormable Windows flaw headlines Patch Tuesday

Malware Bytes Security - Wed, 05/12/2021 - 8:46am

It looks like patching a wormable Remote Code Execution (RCE) bug in the HTTP stack of Windows 10 and Windows Server is likely to be top of most sysadmins’ to-do lists after reading May’s Patch Tuesday updates. The monthly bug bonanza also features three other critical items among its 55 patches.

Although the wormable RCE (CVE-2021-31166) is not known to have been exploited in the wild, Microsoft warns that the attack complexity is low, and that “An attacker can expect repeatable success against the vulnerable component” with no need for authentication or user interaction. It has given the vulnerability a CVSS score of 9.8 out of 10.

The attack on the vulnerable component could be triggered by no more than a specially crafted packet. Since that packet is processed by http.sys, which runs in the kernel, the malicious code runs with commensurate privileges.

Worms that turned

A wormable flaw is one that can be used to create a network worm, a bit of malware that replicates itself across a network. Network worms invade a vulnerable system and then use it to launch further attacks on other vulnerable systems. Because each infected computer can infect many others, network worms have the potential to replicate exponentially and spread with alarming speed. (In fact, even if a worm has no malicious payload, the volume of activity it generates can be enough to cause significant problems by itself.)

Where vulnerable systems are accessible from the Internet, network worms can spread around the world in a matter of minutes or hours. In 2003, the infamous SQL Slammer worm infected all 75,000 of its global, Internet-accessible victims within ten minutes of the attack starting. More recently, the WannaCry ransomware worm spread around the globe (and into and through numerous computer networks along the way) and infected hundreds of thousands of targets in a single morning.

Although worm-ability poses a significant risk, it isn’t by itself a guarantee of criminal success. Sometimes turning a vulnerability into an exploit is simply too difficult, or the results too unreliable, to create a viable attack. Readers may remember the furore that surrounded the May 2019 Patch Tuesday, which featured a fix for a wormable RDP vulnerability known as CVE-2019-0708, later dubbed BlueKeep. The widely expected, globe-trotting RDP worm never materialised. Despite the appearance of proof-of-concept code, no widespread attacks ever occurred. Perhaps criminals simply found no need for an RDP worm that was bound to attract a lot of unwanted attention while they were having sustained success simply milking so many weak RDP passwords.

Those responsible for Windows systems should assume that criminals have read the same information they have and are poring over the fixes in an attempt to reverse engineer them. Act accordingly: you are in a race, patch as soon as you can.

Critical issues

The other critical patches made available this May include CVE-2021-26419, a scripting engine flaw that can be triggered by having an Internet Explorer user (yes, somehow that dinosaur among Internet users is still not extinct) visit a malicious website. Or, perhaps more likely, the flaw can be triggered from Microsoft Office documents. According to Microsoft, an attacker “could also embed an ActiveX control marked ‘safe for initialization’ in an application or Microsoft Office document”. Who could have guessed that in 2021 we’d still be finding ways to attack people with documents?

CVE-2021-28476 is an RCE vulnerability in the Hyper-V component of numerous Windows versions, with a CVSS score of 9.9. The flaw allows guest machines to meddle with their hosts, a strict security no-no. Microsoft reports that the most likely result of this meddling is denial of service but the flaw has the potential to trigger “device specific side effects that could compromise the Hyper-V host’s security.”

The last of the four critical vulnerabilities from this month’s lode is CVE-2021-31194, an OLE Automation RCE about which the company has little to say. Taciturn it may be, but it does tell us the bug has a CVSS of 8.8 and it’s rated critical, both signals you should patch it anyway.

Overall, this month’s Patch Tuesday is small compared to recent months, which we hope will be a relief to any sysadmins kept busy by the recent Exchange vulnerabilities.

Take your rest while it’s (relatively) quiet. You know it won’t last.

The post Get patching! Wormable Windows flaw headlines Patch Tuesday appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Colonial Pipeline attack expected to trigger imminent hardening of cybersecurity rules for federal agencies

Malware Bytes Security - Tue, 05/11/2021 - 5:22pm

The ransomware attack on Colonial Pipeline last week caused the White House to hold emergency meetings to possibly strengthen a planned Executive Order on cybersecurity that could be released in the coming days or weeks, the New York Times reported.

The Executive Order—currently a draft—could place new restrictions on businesses that develop software and sell it to the federal government, such as the requirements to use multi-factor authentication and to access federal databases only when completely necessary. Such a strategy seemed like an appropriate response several months ago, when cybercriminals believed to be working with the Russian government infiltrated nine federal agencies by first hacking into the IT management company SolarWinds.

But the recent attack on Colonial Pipeline reveals that new rules meant only for federal contractors could still leave broad swaths of the American public at risk. Complicating the issue is that, while President Joe Biden has taken a harder stance against Russian cyberaggression than the past administration, the attack on Colonial Pipeline has no confirmed connection to the Russian government.

“I’m going to be meeting with President Putin, and so far there is no evidence based on, from our intelligence people, that Russia is involved, although there’s evidence that the actors’ ransomware is in Russia,” Biden said this week.

According to multiple reports of the planned Executive Order, companies that sell their products to the government could have to implement several new cybersecurity measures.

Such companies would have to use multi-factor authentication and they would have to encrypt data that belongs to federal government clients. The government would also begin using a “zero-trust” model with these contractors, meaning that such contractors would only gain access to federal systems on a “need-to-know” basis. Further, contractors would also have to notify government customers of any cyberbreach, bringing new transparency to the government about ongoing and increasingly frequent cybercrimes.

In speaking with Reuters, a spokeswoman for the National Security Council explained the importance of such a requirement, noting that the SolarWinds attack showed that “the federal government needs to be able to investigate and remediate threats to the services it provides the American people early and quickly.”

She continued: “Simply put, you can’t fix what you don’t know about.”

According to The New York Times, companies that violate these rules would have their products banned from being sold to the federal government. For many companies that count the federal government as their largest client, such a ban could serve as a revenue death knell.

Finally, the Executive Order could create a “cybersecurity incident review board” to investigate major cyberattacks in the US, and the Order could ask victims of cyberattacks to work with the FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency when responding to attacks.

The post Colonial Pipeline attack expected to trigger imminent hardening of cybersecurity rules for federal agencies appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Avaddon ransomware campaign prompts warnings from FBI, ACSC

Malware Bytes Security - Tue, 05/11/2021 - 1:11pm

Both the Australian Cyber Security Centre (ACSC) and the US Federal Bureau of Investigation (FBI) have issued warnings about an ongoing cybercrime campaign that is using Avaddon ransomware.

The FBI states that it has received notifications of unidentified cyber actors using Avaddon ransomware against US and foreign private sector companies, manufacturing organizations, and healthcare agencies.

In a separate advisory (pdf), the ACSC says it is also aware of an ongoing ransomware campaign using the Avaddon Ransomware malware. This campaign is actively targeting Australian organizations in a variety of sectors.

Avaddon ransomware

Ransom.Avaddon is sold to criminal affiliates as a Ransomware-as-a-Service (RaaS) strain. It has been around since 2019, and in June 2020 it gained real traction thanks to a malspam campaign. Later it started promoting higher rates for its affiliates using adverts on networks and RDP. Avaddon encrypts files in offline mode using AES-256 and RSA-2048; once encrypted, files get the .avdn extension.

Free decryptor

In February 2021 a researcher found a flaw in the Avaddon encryption routine that allowed them to create a free decryptor. One day later the ransomware developer posted a message that the flaw was fixed. So, the decryptor only works for older infections.

FBI description of Avaddon

Avaddon is used in targeted, “big game” ransomware attacks using familiar tactics. According to the FBI, Avaddon ransomware actors have compromised victims through remote access login credentials—such as Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN). After Avaddon actors gain access to a victim’s network, they map the network and identify backups for deletion and/or encryption. The malware escalates privileges, contains anti-analysis protection code, enables persistence on a victim system, and verifies the victim is not located in the Commonwealth of Independent States (CIS). Finally, a copy of the victim’s data is exfiltrated before the victim’s systems are encrypted.

Not afraid of law enforcement

Like many other ransomware operators hailing from the CIS they act as if they have nothing to fear from law enforcement. And as long as they do not attack organizations in their home country that is unfortunately probably true. Some Russian gangs have even been getting aggressive against law enforcement in the US. Statistics of how many police departments have been hit by ransomware attacks are hard to come by, as is information on whether departments ever pay a ransom. Homeland Security Secretary Alejandro Mayorkas has called ransomware a threat to national security and said the issue is a top priority of the White House. That sentiment was echoed in a recent report by the Ransomware Task Force.

Ransomware as a Service (RaaS)

Avaddon is offered as a Ransomware-as-a-Service (RaaS), a system that sees affiliates do the dirty work and use the ransomware however they like, provided they return a percentage of their profits to the Avaddon developers. The ACSC notes that Avaddon also has an active presence on underground dark web cybercrime forums, where it advertises the malware to potential affiliates. Avaddon threat actors also use a data leak site to identify victims who fail or refuse to pay ransom demands.

Typically, with RaaS you will see affiliates run different distribution vectors and look over each other’s shoulder to see what is working best. Probably because of this model we have seen Ransom.Avaddon spread by a botnet, in malspam campaigns, by exploit kits (RIG-EK), and recently by brute forcing RDP and VPN credentials.

Additional threats

Like many other ransomware operators Avaddon has also increased pressure on its victims by threatening to publicize exfiltrated data on the dark web, and by performing DDoS attacks. The extortion/data leak process typically follows these steps:

  • Leak warning: After initially gaining access to a victim network, Avaddon actors leave a ransom note on the victim’s network and post a “leak warning” to the Avaddon dark web leak website. The warning consists of screenshots from files and proof of access to the victim’s network.
  • 5 percent leak: If the victim does not quickly pay the ransom within 3 to 5 days, Avaddon actors increase the pressure on victims by leaking a portion of the stolen files. The Avaddon actors leak this data by uploading a small .zip file to Avaddon’s dark web leak website.
  • Full leak: If the ransom is not paid after the 5 percent leak, Avaddon actors post all their exfiltrated data in large .zip files in the “Full dumps” section of the Avaddon dark web leak website.

Detection and protection

Malwarebytes detects Ransom.Avaddon and protects users by means of real-time protection, using both detection rules and patented anti-ransomware technology.

Stay safe, everyone!

The post Avaddon ransomware campaign prompts warnings from FBI, ACSC appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Alleviating ransomware’s legal headaches with Jake Bernstein: Lock and Code S02E08

Malware Bytes Security - Mon, 05/10/2021 - 10:15am

This week on Lock and Code, we speak to cybersecurity and privacy attorney Jake Bernstein about ransomware attacks that don’t just derail a company’s reputation and productivity, but also throw them into potential legal peril.

In 2020, the cybersecurity community noticed a worrying trend from ransomware operators. No longer satisfied with just demanding a ransom payment to unlock their victims’ encrypted files, some ransomware gangs employed a new device to squeeze their targets: after initially breaching a business, they would pilfer sensitive data and then threaten to publish it online.

These are the so-called “double extortion” attacks, in which ransomware operators can hit the same target two times over—we’ve not only locked your files, which will cost money to decrypt, we’ve also stolen your data, which will cost money to keep private. But this threat doesn’t stop there. For companies hit with these attacks, not only do they often rebuild their databases, not only can they lose days or even weeks of work, not only are their reputations pummeled if their sensitive data is published online, but, depending on how much data is leaked, and what kind, they could also get into legal trouble.

“This is a big deal, and it is a legal issue,” Bernstein said. “It is not just an IT problem.”

Tune in to learn about these ransomware attacks, what state laws get triggered, how new privacy laws affect legal compliance, and why Bernstein does not expect any federal legislation to standardize this process, on the latest episode of Lock and Code, with host David Ruiz.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

The post Alleviating ransomware’s legal headaches with Jake Bernstein: Lock and Code S02E08 appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Ransomware attack shuts down Colonial Pipeline fuel supply

Malware Bytes Security - Mon, 05/10/2021 - 9:43am

Ransomware caused major trouble last week, as the famous Colonial Pipeline fell victim to a devastating cyber-attack.

Presenting: the Colonial Pipeline

The pipeline exists to supply gasoline and other products across the southern and eastern United States. We’re talking from Texas all the way up to New Jersey. The pipeline is the largest of its kind in the US, reportedly transporting almost half of the fuel consumed by the east coast.

This is an incredible volume of supply and demand, and anything going wrong could be disastrous. There’s enough to worry about with more general accidents, without the threat of people maliciously breaking into systems.

That’s where we are now.

What happened?

Ransomware brought everything to a standstill on Friday. According to those performing analysis on the attack, the culprits are likely a group known as DarkSide. This is a group that rose to mainstream prominence in 2020, via dubious donations to charities. Going for that whole Robin Hood angle, they stole from corporations and handed the cash to causes they felt were deserving.

Well, they tried to.

When help turns out to be a hindrance

As it happens, charities don’t want a bunch of stolen money circulating in their bank accounts. Charity trustees can get into all kinds of trouble. Not just charities; any organisation could end up in a baffling sequence of money laundering shenanigans if not careful.

There were also suspicions that the “Good Samaritan” act was a way to cover for the fact that they’re still criminals, stealing money. The group behind these attacks seemed to have got the message. The Robin Hood charity drive went away, and we wondered what the criminal group’s follow up would be.

If the investigators are correct, this is several orders of magnitude more serious than anything people could have imagined.

Lockdown and emergency powers

This is science fiction. Except it isn't. "The main fuel supply line to the U.S. East Coast has shut down indefinitely after the pipeline's operator suffered what is believed to be the largest successful cyberattack on oil infrastructure in the country's history."

— Harry Litman (@harrylitman) May 9, 2021

The US government declared an emergency and brought in emergency powers to ensure people are still supplied with fuel. Those emergency powers allow for more flexibility for drivers to transport petroleum products to various locations. From the text:

FMCSA is issuing a temporary hours of service exemption that applies to those transporting gasoline, diesel, jet fuel and other refined petroleum products to Alabama, Arkansas, District of Columbia, Delaware, Florida, Georgia, Kentucky, Louisiana, Maryland, Mississippi, New Jersey, New York, North Carolina, Pennsylvania, South Carolina, Tennessee, Texas and Virginia.

The digital to physical impact of the Colonial Pipeline attack

The real-world consequences of this attack are clear, and spread in several directions. There are the immediate risks of transporting fuel across 5,500 miles, and of people having no supplies. We also have potential danger on the roads, as road use increases and drivers have to cope with potentially longer driving hours. Fuel prices? Those appear to have risen, though it seems the supply would need to be down for a few days for it to cause a significant impact.

Finally, there’s the issue of the shutdown itself. How many systems are compromised? What’s the damage? Can they guarantee all traces of infection are gone?

If it does turn out to be DarkSide, then this surely destroys their whole Robin Hood angle. And, if a recent message relayed via DarkTracer is to be believed (the message has not been verified by Malwarebytes), then the group is making no pretence this time: “Our goal is to make money.”

DarkSide ransomware gang, which shut down the largest oil pipeline in the U.S., posted a notice that their only goal was money.

— DarkTracer : DarkWeb Criminal Intelligence (@darktracer_int) May 10, 2021

If this attacker is DarkSide, it clearly doesn’t help those in need to eliminate their fuel reserves.

They’re coming for your Crypto-coins…maybe

2021 is already shaping up to be a mast year for ransomware. Ransomware gangs now have years of experience and tool making to draw on, cash in the bank, and a cryptocurrency boom to profit from. It is hard to imagine the status quo holding and it seems inevitable governments will respond strongly.

Prior to the attack, the US Justice Department had already announced a 120-day review of its approach to combating cyberthreats, which will include an analysis of how cryptocurrencies enable cybercrime. This echoes concerns raised in a recent strategic plan for tackling ransomware, produced by the Ransomware Task Force. Among many recommendations, the task force called for ransomware to be treated as a national security threat, and for greater regulation of the cryptocurrency sector. A collision course seems inevitable at some point, and it’s already a significant talking point for experts in this field.

That’s for the future, though. For now, we’re left with supply lines reeling. A few megabytes of code, perhaps a stray email with a dubious attachment, or maybe even just a server vulnerability that someone didn’t manage to patch in time.

Small issues, massive consequences.

The post Ransomware attack shuts down Colonial Pipeline fuel supply appeared first on Malwarebytes Labs.

Categories: Malware Bytes

A week in security (May 3 – 9)

Malware Bytes Security - Mon, 05/10/2021 - 6:49am

Last week on Malwarebytes Labs, we discussed how Spectre attacks have come back from the dead; why Facebook banned Instagram ads by Signal; we highlighted the differences between the most popular VPN protocols; pointed out that Google is about to start automatically enrolling users in two-step verification, and how millions are put at risk by old, out of date routers.

Other cybersecurity news:
  • Cisco HyperFlex web interface has a critical flaw. (Source: The Register)
  • NSA advised to strengthen the security of operational technology (OT). (Source: Tripwire)
  • Tesla automobiles vulnerable to compromise over WiFi. (Source: Kunnamon)
  • Fix for critical Qualcomm chip flaw is making its way to Android devices. (Source: ArsTechnica)
  • Multiple critical vulnerabilities in Exim Mail Server dubbed 21Nails. (Source: Qualys)
  • Domain hijacking via logic error; Gandi and Route 53 vulnerability. (Source: Cyberis)
  • Tour de Peloton: Exposed user data. (Source: PenTestPartners)
  • Apple fixes 2 iOS zero-day vulnerabilities actively used in the wild. (Source: BleepingComputer)
  • Google and Mozilla will bake HTML sanitization into their browsers. (Source: The Daily Swig)
  • tsuNAME, a vulnerability that can be used to DDoS DNS. (Source:

Stay safe, everyone!

The post A week in security (May 3 – 9) appeared first on Malwarebytes Labs.

Millions put at risk by old, out of date routers

Malware Bytes Security - Fri, 05/07/2021 - 1:53pm

Since the first stay-at-home measures were imposed by governments to keep everyone safe from the worsening COVID-19 pandemic, we at Malwarebytes have been making sure that you, dear reader, are as cyber-secure as possible in your home network, while you try to work and while your children attend online classes.

There has been much discussion of antivirus protection, patching your software, and using VPNs. But what if the security flaws aren’t in your phones or laptops, but the router your ISP gave you?

Which?, a consumer watchdog in the UK, recently released its findings about routers issued by UK Internet Service Providers (ISPs). Based on its assessment, it reckons that at least two million Britons are at risk from routers that haven’t been updated since 2016. This alone seems to go against the Secure by Design proposal, draft legislation that would give the Department for Digital, Culture, Media and Sport (DCMS) the power to order tech makers (phone, tablet, IoT) to be transparent, from launch, about when they’ll stop providing security updates for their new devices.

Granted, Secure by Design hasn’t been made law yet, so the ISPs aren’t breaking any regulations. However, it seems preposterous to think that companies would have to wait to be mandated before they start caring about their customers’ security and privacy.

Router flaws found by Which?

Which? has looked into routers provided by EE, Sky, TalkTalk, Virgin Media, and Vodafone. Based on 13 router models it tested, the watchdog found that two-thirds—9 routers out of the 13—had flaws that, if the Secure by Design law were in effect, would easily mark these providers as non-compliant. Below are the old router vulnerabilities Which? found:

* Weak default passwords. These passwords can be easily guessed by hackers, are common across devices and could grant someone access. This can be done from outside of the home network, so a hacker could access a router from anywhere in the world.

* Local network vulnerabilities. While the risk here is lower as a hacker would have to be in the vicinity of the router, vulnerabilities such as this could allow a cybercriminal to completely control your device, see what you’re browsing or direct you to malicious websites.

* Lack of updates. Firmware updates aren’t only important for performance, they’re also needed to fix security issues when they arise. Most of the routers we looked at hadn’t had a security update since 2018 at the latest, with no guarantee of a new one in the near future.

The consumer body is concerned that many UK internet users are using old router models with no guarantee of an upgrade, thus making them “low hanging fruits” for criminal hackers to target. With its findings, Which? encourages customers of UK ISPs mentioned in the report to contact their provider and ask about potentially getting a router upgrade.

Although one of the companies that Which? contacted is using old routers, it said that it continues to monitor for threats and provides updates if needed. Despite this claim, Which? did find an unpatched vulnerability on one of the routers it tested. This suggests that, even where ISPs are doing what they can to patch flaws, they are likely to miss a few holes.

Virgin Media, one of the ISPs, didn’t accept the testing results from Which?, telling the BBC that “nine in 10 of its customers are using the latest Hub 3 or Hub 4 routers.” However, Which? noted that Virgin only counted paying households, whereas its own estimate counted each member of the household.

A wake up call to ISPs

Which? is a proponent of ISP transparency with regard to routers receiving firmware and security updates, a requirement of the Secure by Design proposal. The consumer body also calls for the government to ban the use of default passwords, and to stop ISPs allowing users to set weak passwords on their routers.

This is a good move. Although convenient, setting a weak password isn’t going to strengthen anyone’s security. On top of that, ISPs allowing users to always take the convenient and insecure route misses a good opportunity to educate their customers on good computer—and password creation and management—practices.

“Given our increased reliance on our internet connections during the pandemic, it is worrying that so many people are still using out-of-date routers that could be exploited by criminals.” says Kate Bevan, computer editor for Which?, in a press release. “Proposed new government laws to tackle devices with poor security can’t come soon enough – and must be backed by strong enforcement.”

Lastly, Which? calls for UK ISPs to “be ready to respond when security researchers warn them about possible issues – and should make it easy for researchers to contact them.”

Is your router secure?

Many households rely heavily on their routers, for working from home, studying, or simply keeping in touch with friends and families during these tough times. Sure, you may have been using it for years and you haven’t been hacked yet (to the best of your knowledge), but you shouldn’t take comfort in this for long. Now is as good a time as any to focus on securing your router.

Using routers that can’t be patched if a serious vulnerability appears increases your risk of being exposed to attacks, and increases the risks for everyone else too. Routers are computers like any other and (as the Mirai botnet showed) they can be compromised and added to a botnet like any other.

So, the best way to stay safe is to make sure you’re using your ISP’s latest router.

Whatever router you’re using, be sure to change the default password if it had one. These are known to criminals and there are vast lists of default passwords circulating on the Internet for anyone to read. For more steps to take, Which? has a section on what to do if you’re affected by the routers mentioned in its lab tests.

The post Millions put at risk by old, out of date routers appeared first on Malwarebytes Labs.

Google to start automatically enrolling users in two-step verification “soon”

Malware Bytes Security - Fri, 05/07/2021 - 9:34am

If you use a Google account, it may soon be mandatory to sign up to Google’s two-step verification program. As recently as 2017, only a tiny proportion of Gmail users made use of its two-step options. Maybe the uptake is still slow, and Google has decided enough is enough. With so much valuable data stuffed inside Google accounts, it’s beyond time to ensure they’re locked down properly.

It’s enrolment time

With this need for security in mind, Google has announced the roll-out of automatic two-step verification. If your account is “appropriately configured”, you’ll be ushered into a land of extra security measures. There doesn’t seem to be any additional information about what “appropriately configured” means yet. The Google blog cites the security check-up page, but that simply lists:

  • Devices which are signed in
  • Recent security activity from the last 28 days
  • 2-step verification, in terms of sign-in prompt style, authenticator apps, phone numbers, and backup codes
  • Gmail settings (specifically, emails which you’ve blocked)

How this translates into “Hello, we’re going to enrol you into our two-step verification program”, I’m not entirely sure. Perhaps they’ll add more specific requirements which need to be met to enable the enrolment process at a later date. If the requirement is a minimum level of setting up various security options, then only the most security conscious might be asked to enable it in the first place. This would surely mean those in most need of security fine-tuning, won’t get it.

The password problem

Questions about how this will work aside, Google continues plugging away at the eternally relevant password problem. Its password import feature allows people to save passwords from another manager as a CSV file and import them into Chrome. If you’re hopping from one password manager to another, and have a lot of yourself tied into Google services, this may be ideal.

We’re all impacted by weak security. Compromised logins have a knock-on effect for everybody. When your email is broken into, it allows attackers potential access into every account tied to it. A few password resets later, and one account used for spam is now multiple accounts spamming, sending infections, social engineering, the works. This is how people quickly build up small armies of compromise and go about their shenanigans on a daily basis.

It doesn’t have to be a major campaign. The operators don’t have to be criminal masterminds. A couple of random people with a little bit of tech know-how can quickly figure out how to monetise a few dozen stolen accounts. That’s how you eventually do end up with major campaigns, with more work for law enforcement and security researchers to figure out who the new kids on the block are.

Step up, and lock down

By keeping your accounts secure, you’re not just helping yourself. You’re helping everybody, and preventing them losing their savings or non-compromised PC to attackers leveraging your bad password practices. This is a good thing to keep in mind as we wave goodbye to this year’s World Password Day. It’s never too late to start brushing up on your passwords. Get yourself familiar with a couple of password managers and pick the right one for you.

Lock down your master password. Set up restrictions on who can log in, and how. Make it so that only people in your specific geographical region can log in. Make yourself some backup codes, print them off, and put them somewhere safe in case you lose master password access. Just a few of these steps will go a long way towards keeping both yourself and others much more secure than you were previously. There can’t be any better way to close out the week playing host to World Password Day than that.
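For readers who want to see what the “authenticator apps” and “backup codes” mentioned above actually do, here is an added Python example. It is not Google’s code and not part of the original post: it shows the TOTP computation an authenticator app performs (RFC 6238 on top of RFC 4226), a server-side verifier that tolerates a little clock drift but refuses a replayed code, and single-use backup codes that are stored only as keyed hashes. The only fixed input is the published RFC 6238 test secret; the pepper and the generated backup codes are made up at run time.

```python
"""Added example: what an authenticator app computes (TOTP, RFC 6238, built on
HOTP, RFC 4226) and how single-use backup codes can be issued and redeemed.
Illustrative code, not Google's implementation; the only fixed data is the
RFC 6238 test secret, everything else is generated at run time."""
import hashlib
import hmac
import secrets
import struct
from typing import List, Optional, Set, Tuple

# Shared secret from RFC 6238 Appendix B: a published test vector, never a real key.
RFC6238_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC(secret, 8-byte big-endian counter), dynamic truncation, last `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238: the HOTP counter is the number of `step`-second periods since the Unix epoch."""
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret: bytes, code: str, at: int, last_used_step: Optional[int] = None,
                window: int = 1, step: int = 30, digits: int = 6) -> Optional[int]:
    """Server-side check. Accepts the code for the current period or up to `window`
    periods either side (clock drift), compares in constant time, and refuses any
    period at or before the last one accepted, so a sniffed code cannot be replayed.
    Returns the accepted period number, or None."""
    now_step = at // step
    for delta in range(-window, window + 1):
        candidate = now_step + delta
        if last_used_step is not None and candidate <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


# Backup codes: 32-symbol alphabet without the easily confused 0/O and 1/I.
BACKUP_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def _normalize(code: str) -> str:
    return code.replace("-", "").replace(" ", "").upper()


def _code_digest(code: str, pepper: bytes) -> str:
    # Keyed hash: a leaked table of digests is useless without the server-side pepper,
    # which matters because a 10-symbol code carries only 50 bits of entropy.
    return hmac.new(pepper, _normalize(code).encode(), hashlib.sha256).hexdigest()


def issue_backup_codes(pepper: bytes, count: int = 10, length: int = 10) -> Tuple[List[str], Set[str]]:
    """Return (codes to show the user once, digests to store). Only the digests are kept."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(BACKUP_ALPHABET) for _ in range(length))
        codes.append(raw[:length // 2] + "-" + raw[length // 2:])
    return codes, {_code_digest(c, pepper) for c in codes}


def redeem_backup_code(code: str, stored: Set[str], pepper: bytes) -> bool:
    """Each backup code works exactly once: a successful match is removed from the store."""
    digest = _code_digest(code, pepper)
    if digest in stored:
        stored.remove(digest)
        return True
    return False


if __name__ == "__main__":
    print("TOTP at T=59:", totp(RFC6238_TEST_SECRET, 59))  # 287082, the RFC 6238 vector in 6-digit form
    pepper = secrets.token_bytes(32)
    codes, store = issue_backup_codes(pepper)
    print("first backup code:", codes[0],
          "redeemed:", redeem_backup_code(codes[0], store, pepper),
          "again:", redeem_backup_code(codes[0], store, pepper))
```

The verifier is where the security lives: the `window` handles a phone whose clock is half a minute off, while `last_used_step` is what stops an attacker who shoulder-surfs or phishes a code from using it a few seconds after you do. For backup codes the point to notice is that the server never stores the code itself, only an HMAC of it under a pepper that lives outside the user database.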

The post Google to start automatically enrolling users in two-step verification “soon” appeared first on Malwarebytes Labs.

VPN protocols explained and compared

Malware Bytes Security - Fri, 05/07/2021 - 7:11am

A Virtual Private Network (VPN) creates a safe “tunnel” between you and a computer you trust (normally your VPN provider) to protect your traffic from spying and manipulation. Any VPN worth its money encrypts the information that passes through it, so in this article we will ignore those that don’t use encryption. Among VPNs that offer encryption there is a large choice of available protocols. Every one of those protocols has some advantages and disadvantages. These are the important factors to look at when you are about to choose one:

  • Speed
  • Strength of the encryption
  • Stability
  • Ease of use
  • Security/privacy

In this article we’ll look at the different VPN tunneling protocols and how they perform.

What does the VPN protocol do?

Basically, the VPN protocol is the set of rules that decides how your data is wrapped up, authenticated, encrypted and routed through the tunnel. All these protocols have different rule sets based on what they care about most. For example, some VPN protocols prioritize data throughput while others focus on masking or encrypting data packets for privacy and security.

How many VPN protocols are there?

This list is not exhaustive, but it covers the most commonly used VPN protocols:

  • OpenVPN
  • L2TP/IPsec
  • SSTP
  • IKEv2
  • PPTP
  • WireGuard

Why does a fast VPN protocol matter?

Even though speed should not be the deciding factor, a slow VPN will discourage users and will therefore quickly be abandoned. You don’t pay top dollar for a fast internet connection just for the VPN to slow it down. Or, when you have a slow connection, you don’t want your VPN to make it even worse. But speed is often a trade-off with other characteristics like the encryption strength and security. And the speed also depends on factors outside of the protocol, like the distance to the VPN server, and obviously the basic speed of your internet connection. Using a VPN will never make it faster.

Security and privacy

This will be the deciding factor for many users when they are about to make a choice for a VPN. It needs to be said that the vendor is at least as important here as the protocol. After all, what good is a secure protocol if it turns out the vendor is willing to hand over your data at the first request? So, if you hear people ask what is better than OpenVPN, for example, the answer is that it depends on what you are looking for exactly. Many protocols are capable of comparable speeds and levels of secure encryption.

Ease of use

A point that we have made often in the past is that security and privacy software that is hard to set up or difficult to manage often misses the target. Misconfigured software doesn’t do what it potentially can do for the user, so it’s basically a waste of time and money. To be honest, we have seen cases where the user would have been safer using a free VPN or none at all.

What VPN protocol should I use?

This is a question that everyone has to answer for themselves. We can tell you about some protocols that are often recommended and why. But you will have to make up your own mind.


OpenVPN is an excellent open-source protocol, but many users struggle to set it up properly. If you have installer software or expert help, then this is not your problem. You will find that OpenVPN is the default protocol used by many paid VPN providers. It is a secure protocol but not super-fast (not super-slow either).
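Because “setting it up properly” is where OpenVPN deployments most often go wrong, here is an added example, written for this article rather than taken from the OpenVPN project: a small Python linter that flags the settings most often left weak in a client configuration. It checks for a 64-bit block cipher such as the long-time default BF-CBC (SWEET32), for compression (VORACLE), for a missing tls-auth/tls-crypt key, for an unset TLS version floor, and for a client that does not verify the server certificate’s role. It runs over two constructed configurations, a weak one and its hardened counterpart; the hostname vpn.example.invalid and the file names are placeholders.

```python
"""Added example for this article: a small linter for OpenVPN 2.x client configs that
flags settings known to weaken a tunnel. Illustrative code, not an OpenVPN project
tool. Both sample configs are constructed; vpn.example.invalid and the file names
are placeholders."""
import re
from typing import Dict, List, Tuple

# Constructed: what many 2.3-era tutorials produced. BF-CBC was OpenVPN's long-time
# default cipher and comp-lzo a common "speed" tweak.
WEAK_CONFIG = """\
client
dev tun
remote vpn.example.invalid 1194
cipher BF-CBC
auth SHA1
comp-lzo
ca ca.crt
"""

# Constructed: the same client, hardened.
HARDENED_CONFIG = """\
client
dev tun
remote vpn.example.invalid 1194
remote-cert-tls server
tls-version-min 1.2
tls-crypt tc.key
data-ciphers AES-256-GCM:CHACHA20-POLY1305
cipher AES-256-GCM
auth SHA256
ca ca.crt
"""

# 64-bit block ciphers: SWEET32 becomes practical after tens of gigabytes under one key.
SIXTY_FOUR_BIT_BLOCK = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC", "IDEA-CBC"}


def parse(config: str) -> Dict[str, List[str]]:
    """Map each directive (lower-cased) to its arguments. Comment lines (# or ;) are
    skipped; inline <tag>...</tag> blocks are recorded as present without parsing the
    PEM inside. A directive given twice keeps its last value."""
    directives: Dict[str, List[str]] = {}
    in_block = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if in_block:
            if line == f"</{in_block}>":
                in_block = None
            continue
        opened = re.fullmatch(r"<([\w-]+)>", line)
        if opened:
            in_block = opened.group(1)
            directives[in_block.lower()] = ["<inline>"]
            continue
        name, *args = line.split()
        directives[name.lower()] = args
    return directives


def lint(config: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; an empty list means nothing was flagged."""
    cfg = parse(config)
    findings: List[Tuple[str, str]] = []

    cipher = (cfg.get("cipher") or [""])[0].upper()
    if cipher == "NONE":
        findings.append(("high", "cipher none: the data channel is not encrypted"))
    elif cipher in SIXTY_FOUR_BIT_BLOCK:
        findings.append(("high", f"cipher {cipher}: 64-bit block cipher, vulnerable to SWEET32; use AES-256-GCM or CHACHA20-POLY1305"))

    auth = (cfg.get("auth") or [""])[0].upper()
    if auth in {"NONE", "MD5"}:
        findings.append(("high", f"auth {auth}: packets unauthenticated or hashed with MD5; use SHA256"))

    lzo = cfg.get("comp-lzo")  # a bare comp-lzo means adaptive, i.e. compression is on
    compress = (cfg.get("compress") or [""])[0].lower()
    if (lzo is not None and (not lzo or lzo[0].lower() in {"yes", "adaptive"})) or compress in {"lzo", "lz4", "lz4-v2"}:
        findings.append(("medium", "compression enabled: compressing plaintext before encryption enables the VORACLE attack; remove comp-lzo/compress"))

    if not any(k in cfg for k in ("tls-auth", "tls-crypt", "tls-crypt-v2")):
        findings.append(("medium", "no tls-auth/tls-crypt: the control channel accepts unauthenticated packets from anyone who can reach the port; add tls-crypt"))

    tls_min = (cfg.get("tls-version-min") or ["unset"])[0]
    if tls_min not in ("1.2", "1.3"):
        findings.append(("medium", f"tls-version-min {tls_min}: obsolete TLS versions are still negotiable; set tls-version-min 1.2"))

    is_client = "client" in cfg or ("remote" in cfg and "server" not in cfg)
    if is_client and not any(k in cfg for k in ("remote-cert-tls", "verify-x509-name")):
        findings.append(("medium", "client does not check the server certificate's role or name: any certificate from the same CA, such as another client's, could impersonate the server; add remote-cert-tls server"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = lint(text)
        print(f"{label}: {len(results)} finding(s)")
        for severity, message in results:
            print(f"  [{severity}] {message}")
```

Run it as a script to see the findings for both configurations; pointing `lint()` at a real .ovpn file is the obvious next step. The checks are deliberately conservative: `auth SHA1` is not flagged, because HMAC-SHA1 is not broken, and with an AEAD data cipher the `auth` directive only matters for the control channel anyway.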


L2TP/IPsec is actually a combination. Layer 2 Tunneling Protocol (L2TP) creates the tunnel but provides no encryption of its own, so it is paired with Internet Protocol Security (IPsec), which encrypts and authenticates the traffic. In security it is on par with OpenVPN; in speed it is usually a little slower, because the data is encapsulated twice. It is easier to set up, unless you have to get past a firewall: IPsec needs UDP ports 500 and 4500 and the ESP protocol to be allowed through, and these are often blocked where TCP port 443 is not. Some security concerns have been raised about IPsec because of the NSA’s suspected involvement in its design.


SSTP is short for Secure Socket Tunneling Protocol, which was developed by Microsoft. It carries PPP traffic inside a TLS connection on TCP port 443, so it gets through most firewalls. Although the protocol works on Linux, it is primarily thought of as a Windows-only technology. It is easy to set up on Windows machines, as you might expect, is not supported natively on macOS (only through third-party clients), and is harder to deploy on Linux. Speed and security are about the same as for OpenVPN and L2TP/IPsec.


IKEv2 (Internet Key Exchange version 2) was standardized by the IETF with major contributions from Microsoft and Cisco, and is used together with IPsec, which carries the encrypted traffic. It is very well suited for mobile devices on 3G or 4G LTE because its MOBIKE extension lets a tunnel survive a change of IP address, so it reconnects quickly whenever the connection drops out or the device switches between Wi-Fi and mobile data. The protocol is very fast and secure. It is built into Windows, macOS and iOS, and is available on Linux and Android through clients such as strongSwan, so it is usually easy to set up.


PPTP is short for Point-to-Point Tunneling Protocol. It was originally developed by Microsoft and its partners for dial-up networks. PPTP is fast and easy to set up, but this is mostly because its encryption is weak: its MS-CHAPv2 authentication can be broken by brute force and the MPPE (RC4) session keys derived from it recovered, so an eavesdropper who captures the traffic can decrypt the tunnel. It is no longer suitable for anyone who cares about privacy.


WireGuard is relatively new compared to the other protocols, but it has quickly become widely adopted because of its high security standard: it uses a small, fixed set of modern primitives (Curve25519 key exchange, ChaCha20-Poly1305 encryption, BLAKE2s hashing) and amounts to only a few thousand lines of code, which is far easier to audit than the alternatives. That does not come at the expense of speed, because WireGuard ditched a lot of the extras other protocols are burdened with. It has been part of the Linux kernel since version 5.6 (2020), and there are implementations for Windows, macOS, iOS, Android and the BSDs, which makes it suitable for many platforms and applications.

Choose wisely!

We can only hope you read this article because you set out to make an informed decision (and we hope we have helped you with that). It is important to consider what matters to you in a VPN and also take into account that VPN software is more than just the protocol. The reason why you need a VPN and whether you trust the VPN provider should be equally important. Aside from a few outdated protocols, speed should no longer be an issue. Internet speeds are usually so much higher than what we actually need, a modern VPN should not interfere in a way that is noticeable.

The post VPN protocols explained and compared appeared first on Malwarebytes Labs.
