Malware Bytes

Biotech health care innovations meet security challenges

Malware Bytes Security - Tue, 02/25/2020 - 12:54pm

The level and speed of innovations taking place in the biotech industry are baffling. On the one hand, it makes us hopeful we can quickly reduce the number of illnesses and their consequences through technological advancement—saving thousands of lives. On the other, concerns about the application of Internet-connected technology leave us wondering: at what cost?

Where does the mix of technology and medicine lead us? Advancements in genetic therapy have reshaped cancer treatment as we know it. Yet, other applications, such as automating medicine intake by measuring biometrics, may introduce whole other problem sets the medical and security world haven’t solved for.

Knowing that every human body is unique and may react in another way to the same procedure, it seems prudent to draw the line at a certain amount of automation. But how do we determine where to draw the line? Is it smart to leave that decision to the big pharmaceuticals? Let’s have a look at the developments in biotech that require bigger picture thinking from the security and privacy perspectives.

Developments in the health care industry

Some of the most promising health care developments in late stages of refining or even already in use are techniques where sensors are attached to or inserted into the patient’s body. The sensors are designed to transmit data about certain bodily conditions back to healthcare personnel.

One such technology is inserted directly into patients’ medication via chip. These “smart pills” send biometric data from within the blood stream. When the patient ingests the pill, the chip will be detected by a patch on her stomach the moment it is digested. If the patch doesn’t receive the appropriate signal, it alerts the patient’s doctor.

A big step forward for the future of smart pills will be the automation and timely administering of medicine; something currently in development. These smart pills are being designed to make patients life’s easier by embedding a tracking system in the pill that trigger the release of the drug in a timely manner, so you can’t forget.

Smart pills could also be programmed to release the medication when certain circumstances are met. A system similar to this already exists for diabetes. Insulin pumps for type 1 diabetics are in use that release insulin when a low blood sugar is detected, basically by mimicking the way the pancreas would behave for healthy people.

Diagnostic biotech

Existing bio-sensors are internal measurement devices that broadcast body metrics like blood pressure, pulse, oxygen saturation, blood sugar, etc. These bio-sensors and sensors measuring the presence of other substances in the blood can be used to finetune the administration of drugs. But what if anybody else can receive these transmissions?

The feasibility of multiplex biosensors for bloodstream infection diagnosis has been under investigation for a few years and is another development that could lead to transmissions concerning our health from inside our body to a “smart” device.

Pharmaceutical companies have already released digital smart pills containing computer chips. The first digital cancer pill, which was released in early 2019, contains a chip and capsules filled with capecitabine, a cancer chemotherapy that patients need to take several times a day.

Other biotech innovations

The human genome has been almost fully mapped and we are rapidly finetuning the ability to read the map. But what does this prospect bode for the future of the information that can be extracted from the DNA samples we provided for various different reasons?  Will donating blood or participating in a DNA test now result in a privacy nightmare later on? Will the risk we take now grow on us as science finds out more about the information stored in our DNA.

Genetically detectable diseases

With greater understanding of our genetics comes greater capacity for their manipulation. And gene editing currently stands as one of the most exciting, and worrying, areas within the biotech industry.

Another worrying advancement is the use of artificial intelligence (AI) to make the development of new drugs faster and cheaper. AI particularly can be used to reduce the amount of trial and error needed to design a drug candidate once a promising disease target had been identified. It can also be used to investigate and find unexpected use cases for drugs that fail in clinical trials. Promising changes, for sure. But what might AI miss that the human mind would catch? And how much would morality come into play if machines are conducting all of the testing?

Remote control of artificial limbs and animals

The advancement of modern prosthetics has gone hand in hand with the upcharge in rapid developments in the biotech health care sector.

In a combination of robotics and neuro-engineering scientists are working on a new robotic hand that could be a life-changing device for amputees. The goal is to read and transmit intended finger movement read from the muscular activity on the amputee’s stump for individual finger control of the prosthetic hand.

In the military field sharks and other animals have been given brain implants that makes them remotely controllable. These sharks could for example be used to find enemy submarines.

Communication protocols in biotech

The smart pill, produced and patented by Proteus and called Abilify MyCite, sends a simple pulse from the pill to the patch as soon as the pill gets absorbed by stomach acid. No problem there, but then the patch sends data like the time the pill was taken and the dosage to a smartphone app over Bluetooth. The data is stored in the cloud where the patient’s doctor and up to four other people chosen by the patient, can access the information. The patient can revoke their access at any time.

In 2017 the FDA stated it was planning to hire more staff with “deep understanding” of software development in relation to medical devices, and engage with entrepreneurs on new guidelines, because it expected to get more approval requests for digital pills. This was after the approval of Abilify MyCite, which is a typical symptom of legislation running after technical innovations without ever truly catching up.

In 2018 hackers demonstrated they could install malware on an implanted pacemaker after they had discovered bugs Medtronic‘s software delivery network, a platform that doesn’t communicate directly with pacemakers, but rather brings updates to supporting equipment like home monitors and pacemaker programmers, which health care professionals use to tune implanted pacemakers.

Bluetooth and medical devices

Bluetooth is ideal for the short-range, continuous wireless connection, that we use for streaming audio and data. The most commonly used Bluetooth protocols in medical equipment are Bluetooth Low Energy (BLE) and Bluetooth Classic

BLE is a Bluetooth protocol that was launched in 2010, it was designed to achieve goals of low power consumption and latency while accommodating the widest possible interoperable range of devices. The downside is that it can behave differently depending on smartphone platforms. This is because the device advertises on a schedule for smartphone response. When the smartphone responds, a handshake (bonding) is made, facilitating a confirmed transfer of the data packet to the smartphone before closing the connection. This saves energy, but it’s also responsible for unpredictable data transfer speed.

BLE also does not require paring between the sender and receiver and it can send authenticated unencrypted data. We understand the benefits of saving energy:

  • Devices can stay longer in the body without having to be replaced
  • Batteries can be smaller, so easier to insert and less obtrusive

But depending on the nature and particularly the sensitivity of the transmitted data, other considerations might come into play. Unfortunately BLE devices have also been found to be impacted by SweynTooth vulnerabilities.

Recommendations

Developers of medical devices who intend to use Bluetooth as the technology to connect devices with each other and with Wi-Fi should consider carefully which Bluetooth protocol is right for their system. To do this, it is important to have a clear understanding of the needs for the system and the available options.

Medical devices should be easily updatable for those circumstances where new vulnerabilities are found and patches or other important updates need to be applied.

Maybe the healthcare industry should even consider designing a new protocol similar to Bluetooth. Combining the Low Energy properties with some extra security measures might pay off in the long run.

Cloud solutions that are used to store sensitive personal and medical data deserve to be held against a high security standard.

We recommend only giving up your DNA samples to trusted organizations and only for reasons of utmost importance like your health.

Machines are not without fault or as smart as we might think. Blind trust in machines when it comes to healthcare can end in a catastrophy. There is an area where personal attention does a lot more good than the fully automated application of medicine can ever do.

Stay safe, and stay healthy!

The post Biotech health care innovations meet security challenges appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Introducing Lock and Code: a Malwarebytes Labs podcast

Malware Bytes Security - Tue, 02/25/2020 - 12:27pm

Intrepid Labs readers might be happy to know that we’re stepping into territory long-requested and desired: we’re launching a podcast.

Malwarebytes researchers and reporters are on the front lines of cybercrime, delivering both fast-breaking news and thoughtful features on our blog to raise awareness and help users stay safe and private online. We want to take what we do here and bring it to a new medium so that even more folks can incorporate cybersecurity lessons into their daily lives.

As our real world and online world continue to blend, staying secure and aware are ever more critical in defending against attacks from criminals and encroachment on privacy from big tech. And that’s why, every two weeks, we’ll be breaking down the top headlines into easily digestible soundbytes and inviting marquee experts, both in-house and outside, to dive deep into some of the more complex issues.

Take a listen to the trailer for our podcast—Lock and Code—for a taste of things to come:

Lock and Code, a Malwarebytes podcast

Tune in next Monday, March 2, for the first episode of Lock and Code, where host David Ruiz will break down news from the RSA floor, plus talk with the annual conference’s Director of Content and Curation Britta Glade on this year’s theme: the human element.

The post Introducing Lock and Code: a Malwarebytes Labs podcast appeared first on Malwarebytes Labs.

Categories: Malware Bytes

A week in security (February 17 – 23)

Malware Bytes Security - Mon, 02/24/2020 - 11:32am

Last week on Malwarebytes Labs, we highlighted the benefits and concerns of identity-as-a-service (IDaaS), an identity management scheme deployed from the cloud; reported on scammers and squatters taking advantage of Rudy Giuliani’s Twitter typos; and gave a high-level overview of RobbinHood, the latest ransomware baddie to specifically target organizations.

Other cybersecurity news

Stay safe, everyone!

The post A week in security (February 17 – 23) appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Why managed service providers (MSP) are critical for business continuity

Malware Bytes Security - Mon, 02/24/2020 - 11:00am

With the threat landscape becoming more hostile to businesses, small- and medium-sized businesses (SMBs) are often finding it difficult to cope. Hence, they turn to managed service providers (MSPs) for help, not only to keep their businesses going—the concept known as business continuity—but also to offer salve to known pain points that encompass all industries.

Short-staffed

One of the recognized pain points for SMBs is the apparent lack of skilled security professionals who can implement processes and procedures that snap back businesses to their original state of operations after experiencing a disruptive or business-ending event. With the cybersecurity industry experiencing a stunning zero percent unemployment rate with millions of opened positions, SMBs often have a hard time finding, or affording, “the right candidates.” Unfortunately, this staffing challenge is foreseen to continue through 2021. This could spell bad news for SMBs.

This doesn’t mean that there is no talent out there, however. Positions aren’t filled because many employers are underpaying for skilled specialistsMore remain open because employers and recruiters are looking inside a small bubble of candidates instead of exploring candidates with similar training and many of the appropriate “soft” skills, whose importance should not be overlooked in running IT and security teams. In addition, many current employees suffer from burnout, quitting their jobs after feeling overworked and underappreciated.

Conventional hiring trends, such as requiring experience and certifications at entry-level positions, plus a near-unreachable wish list of skills candidates must possess are other potential causes contributing to the shortage.

If an organization lacks the manpower to address their need to be resilient in the face of a threat landscape that is becoming more hostile toward business growth and evolution, a fully vetted MSP that offers tools and services that address an organization’s unique needs should step in to lighten the load.

Short budgets

SMBs are not known to set aside budget for security—another pain point. Unlike enterprises, we know that SMBs normally lack the resources they need to defend against cyberattacks. Whether that’s hiring the appropriate number of skilled staff, paying them a competitive salary, investing in security infrastructure, or purchasing enterprise-grade antivirus, network, and firewall protection, tight budgets typically mean corners must be cut.

Cybercriminals know this, and they are keen to pluck the low-hanging fruit. Therefore, it’s not a surprise to see an uptick of threat actors, particularly those behind ransomware campaigns, targeting SMBs—another reason why SMBs might consider using MSPs as an affordable alternative to full-blown security software suites to combat sophisticated malware attacks on-demand.

No training

Some businesses may be lucky enough to have the manpower, but still lack the foresight to provide staff with the knowledge and training in cybersecurity they will need and use throughout their entire tenure. While it is understandable to a degree, it’s also disconcerting to know that some organizations in industries severely targeted by malware attack campaigns, such as hospitals, schools, and government bodies, have little to no knowledge of what a phish looks like. And while it’s concerning that companies with IT security teams may not be as prepared as we expect them to be, even more worrying is the faith organizations put into their cybersecurity readiness, when it may not be as good as they thought.

Staff unskilled in cybersecurity cannot provide organizations the help they need to prevent security incidents. Time may be the key factor in deciding whether an organization should get some outside help or not. While they recognize the need to address the lack of training in their workforce, MSPs can help take charge and get things moving with little overhead.

Compliance, compliance

Cybersecurity standards are in place for a reason. Companies of all sizes need to know what it takes to build up their cybersecurity efforts, which in turn, makes a positive dent in their business resilience plans. MSPs may just be the answer they’re looking for.

MSPs are subject to well-known compliance regimes. This means that they don’t just follow one standard but many, and they likely overlap one another. For example, an organization based in New York who deals with clients in EU countries are subject to both the GDPR and regulations under the New York Department of Financial Services (DFS).

Helping take charge

SMBs have been feeling the pressure for years to respond to serious cybersecurity challenges their businesses face on a regular basis. They also know that such problems take time to address—they cannot be solved overnight. In the meantime, well-vetted MSPs can step in and help. Their fully qualified and trained staff can bridge the skills gap until a larger society shift happens (if it does); their resources, processes, and procedures make organizations they service compliant to known standards; and their overall service makes it easier for organizations to implement and manage in the long run.

The post Why managed service providers (MSP) are critical for business continuity appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Threat spotlight: RobbinHood ransomware takes the driver’s seat

Malware Bytes Security - Thu, 02/20/2020 - 1:09pm

Despite their name, the RobbinHood cybercriminal gang is not stealing from the rich to give to the poor. Instead, these ransomware developers are more like big game hunters—attacking enterprise organizations and critical infrastructure and keeping all the spoils for themselves.

In 2019, the RobbinHood ransomware creators successfully attacked and received ransom payouts from the cities of Baltimore, Maryland, and Greenville, North Carolina. Not ones for humility, they now mention those successes in revised ransom notes, pointing out to victims that it’s useless to try recovering their files in any other way than paying the ransom.

And the ransom isn’t exactly cheap. RobbinHood ransom demands can range from 3 Bitcoins for a single computer up to 13 Bitcoins for a complete network, which translates to tens of thousands of dollars.

“It’s impossible to recover your files without private key and our unlocking software. You can google: Baltimore City, Greenville city and RobbinHood ransomware.” How RobbinHood ransomware works

Like many other ransomware families, RobbinHood, which Malwarebytes detects as Ransom.RobbinHood, has been observed gaining access to organizations’ networks through brute force of Remote Desktop Protocols (RDP) or by using other Trojans that provide access to the attackers.

Once the attacker has gained sufficient access to the system, they introduce a vulnerable kernel driver from Gigabyte. This driver is signed by the motherboard manufacturer and will be accepted by Windows because of the digital signature. But the driver has a long-standing vulnerability listed as CVE-2018-19320, which allows a local attacker to take complete control of the affected system.

The attacker uses this vulnerability to stop 181 specific services, disabling many protective programs, backup software, and deleting files that would normally be locked. System services often keep critical files in use, so they can’t be deleted or modified. Being able to stop these services from the kernel driver level makes taking full control of a system much easier.

Before the actual encryption begins, RobbinHood also disconnects all network shares, deletes all shadow copies, clears event logs, and disables Windows automatic repair.

For the encryption process itself, it fetches a public key from the file pub.key in the Windows temp folder. While encrypting files, an AES key is created for each separate file. The ransomware will then encrypt the AES key and the original filename with the public RSA encryption key and append it to the encrypted file. Each encrypted file will then be renamed using the format:

Encrypted_[randomstring].enc_robbinhood

During encryption, these folders are skipped:

  • ProgramData
  • Windows
  • bootmgr
  • Boot
  • $WINDOWS.~BT
  • Windows.old
  • Temp
  • tmp
  • Program Files
  • Program Files (x86)
  • AppData
  • $Recycle.bin
  • System Volume Information

Four different ransom notes are dropped in every folder that contains encrypted files. Most of the notes contain information similar to the one below:

What happened to your files?
All your files are encrypted with RSA-4096, Read more on https://en.wikipedia.org/wiki/RSA_(cryptosystem)
RSA is an algorithm used by modern computers to encrypt and decrypt the data. RSA is an asymmetric cryptographic algorithm. Asymmetric means that there are two different keys. This is also called public key cryptography, because one of the keys can be given to anyone:
1 -We encrypted your files with our “Public key”
2 -You can decrypt, the encrypted files with specific “Private key” and your private key is in our hands ( It’s not possible to recover your files without our private key )
Is it possible to get back your data?
Yes, We have a decrypter with all your private keys. We have two options to get all your data back.
Follow the instructions to get all your data back:
OPTION 1
Step 1: You must send us 3 Bitcoin(s) for each affected system
Step 2: Inform us in panel with hostname(s) of the system you want, wait for confirmation and get your
OPTION 2
Step 1: You must send us 13 Bitcoin(s) for all affected system
Step 2: Inform us in panel, wait for confirmation and get all your decrypters
Our Bitcoin address is: xxx BE CAREFUL, THE COST OF YOUR PAYMENT INCREASES $10,000 EACH DAY AFTER THE FOURTH DAY
Access to the panel ( Contact us )The panel address: hxxp://xbt4titax4pzza6w[.]onion/ Alternative addresses
hxxps://xbt4titax4pzza6w.onion[.]pet/
hxxps://xbt4titax4pzza6w.onion[.]to/
Access to the panel using Tor Browser
If non of our links are accessible you can try tor browser to get in touch with us:
Step 1: Download Tor Browser from here: https://www.torproject.org/download/download.html.en
Step 2: Run Tor Browser and wait to connect
Step 3: Visit our website at: panel address
If you’re having a problem with using Tor Browser, Ask Google: how to use tor browser
Wants to make sure we have your decrypter?
To make sure we have your decrypter you can upload at most 3 files (maximum size allowance is 10 MB in total) and get your data back as a demo.
Where to buy Bitcoin?
The easiest way is LocalBitcoins, but you can find more websites to buy bitcoin using Google Search: buy bitcoin online  Decrypting may not be enough

As a warning to those who might consider paying the ransom, as Baltimore and Greenville did: Simply decrypting the files may not be enough to bring systems back online. The introduction of the vulnerable kernel driver and changing the behavior of the kernel may cause other problems on affected systems, which may result in deprecated performance or BSODs.

Reportedly, the recovery from the ransomware attack cost the city of Baltimore over US$10 million, which dwarfs the paid ransom of 13 Bitcoin (roughly US$80,000).

How to prevent RobbinHood ransomware

As with all ransomware families, the best method of protection is preventing the infection from happening in the first place. Since RobbinHood targets organizations, IT and security teams should take the following common precautions to secure against its attack:

Recommended reading: How to protect your RDP access from ransomware attacks

How Malwarebytes protects against ransomware

Malwarebytes can protect systems against RobbinHood ransomware in several ways.

The Malwarebytes Anti-Malware technology detects malicious files, browser modifications, and system modifications on Windows PCs using a combination of signature-based and signatureless technologies. This layer of protection detects the RobbinHood binary itself. Detections can happen in real time as the binary is run or the infection can be rooted out from an already-compromised machine by conducting a full system scan.

Anti-Ransomware is a signatureless technology in charge of monitoring system activity of processes against a certain subset of data in specific locations on the endpoint. Using patented technology, Anti-Ransomware assesses changes in those data files. If an internal scoring threshold is crossed by a monitored process, it triggers a detection from the Anti-Ransomware component.

Malwarebytes Anti-Ransomware recognizes and stops ransomware behavior.

For those already infected, Ransomware Rollback can help recover encrypted files within 72 hours of the attack. Rollback creates a local cache on the endpoint to store changes to files on the system. It can use this cache to help revert changes caused by a threat. The Rollback feature is dependent on activity monitoring available in Malwarebytes Endpoint Detection and Response.

IOCs

Files (SHA256 hashes):

  • 791c32a95f401f7464214960e49e716656f6fd6fff135ac2a6ba607236d3346e
  • 99c3cc348f8ee4e87bce45b1dd185d31830c370ac43fd3e39ac50340f029ef79
  • e9188ace227b00cbf1f6fba3ceb32af8e4d456c3a0815300a224a9d9e00778a8
  • 47d892da6a49b02a2904bdc0d03ecef66c076481d19ab19251d86d11be494765

Ransom notes:

  • _Decrypt_Files.html
  •  _Decryption_ReadMe.html
  • _Help_Help_Help.html
  • _Help_Important.html

Extension of encrypted files:

.enc_robbinhood

Stay safe everyone!

The post Threat spotlight: RobbinHood ransomware takes the driver’s seat appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Rudy Giuliani’s Twitter mishaps invite typosquatters and scammers

Malware Bytes Security - Wed, 02/19/2020 - 12:21pm

Former cybersecurity czar Rudy Giuliani has been targeted by typosquatters on Twitter, thanks to copious misspellings and other keyboarding errors made in a number of his public tweets. In a tweet sent out on Sunday, Giuliani meant to send his 650,000-plus followers to his new website, RudyGiulianics.com. Instead, a space added after “Rudy” sent users on a redirection quest that ultimately landed on a web page laced with adware.

Typosquatting has long been used as a way to capitalize on mistakes made by those with clumsy fingers. A mistyped URL, which would normally lead users to a 404 error page, is instead redirected to a completely unrelated site—often one designed for ill intent. For example, let’s say you enter yotube.com into your browser’s address bar instead of youtube.com. Rather than seeing the normal YouTube portal, you will instead be redirected via a few ad networks and most likely end up to a scam page, thanks to the handy work of enterprising typosquatters.

Typosquatting can be a profitable business, as threat actors will register domains lexically close to big brand names or popular websites for heavy traffic gains. The end goal isn’t always to monetize via malvertising redirections—it could be phishing, data theft, or even hacktivism.

In Giuliani’s case, a public political figure has been identified by cybercriminals for his tendency toward typo-laden tweets. In fact, Giuliani’s Twitter account contains numerous tweets with misspellings around his personal website that sometimes lead to trolling attempts or redirect to malvertising schemes. We examine a few of these instances.

Typo leads to political trolling

Here’s a tweet sent from Giuliani’s account using an iPad. Whoever composed that tweet forgot to add a space between the word “Watch” and “rudygiulianics.com”.

As a result, the website becomes Watchrudygiulianics.com which was registered a day after the tweet:

Domain Name: watchrudygiulianics.com Registrar: GoDaddy.com, LLC Creation Date: 2020-02-16T05:23:50Z

Visiting the site immediately redirects users to https://www.drugrehab.com/treatment/, a site for help with substance abuse.

In another example, we see a much more subtle typo for Giuliani’s website, where a single ‘i’ is missing in RUDYGIULIANCS.com (the correct site is rudygiulianics.com).

The domain rudygiuliancs.com was also registered recently (but before the tweet came out, so it either was preemptive registration for a forthcoming typo or perhaps the typo had been made already).

Domain Name: rudygiuliancs.com Registrar: Wild West Domains, LLC Creation Date: 2020-02-07T16:30:38Z

This time, visiting this link redirects visitors to a Wikipedia page for the Trump-Ukraine scandal:

Malvertising and other traffic schemes

As mentioned earlier, typosquatters will typically watch popular domain names and register new ones that are likely going to be a result of a typo. Because Giuliani has over 650,000 followers on Twitter and is a well-known political figure regularly in the headlines, scammers know he’s a good source of potential web traffic purely from typosquatting.

In Sunday’s example, a typo led to a malvertising scheme. This time, a space was inserted between “Rudy” and “Giulianics.com”.

This typo resulted in a link to Giulianics.com, a domain registered at the end of January.

Domain Name: giulianics.com Registrar: GoDaddy.com, LLC Creation Date: 2020-01-31T20:29:50Z

As seen in the image above, a series of redirects will happen once you visit that domain. This is typical for malvertising chains that fingerprint your browser and other settings in order to deliver the appropriate payload.

In this instance, visiting from the United States via Google Chrome, we were served a browser extension called Private Browsing:

Although we did not examine the extension in detail, several comments from the Google Play Store say the extension was forced while browsing the web.

Among other capabilities, it can read your browser history, the data you enter on sites, and can change your default search engine. As a rule of thumb, it is generally recommended to refrain from installing too many browser extensions, especially when they are promoted via unwanted redirects.

In late January, there was a report that visiting Giuliani’s website distributed malware. We weren’t able to confirm it at that time, but in light of the current typo situation, we believe it’s more likely that one of the tweets containing the wrong link led to a malvertising chain, and possibly to a browser locker.

Monitoring popular accounts for mistakes

Many attacks we see in the wild are opportunistic, praying on the latest news or events likely to draw attention. There’s also always been great interest in popular social media accounts, but typically by hacking them directly. In this case, opportunistic actors are waiting for the next typo to happen in order to push out their own message or to monetize on it via malicious redirects.

This serves as a reminder that even well-known or verified social media accounts can send users in unintended directions leading to scams or malware. In a sense, any kind of communication can be abused for an attacker’s own gain by recognizing a pattern of predictable mistakes and immediately acting upon them.

For those wanting protection against such redirections and other malicious website activity, Malwarebytes offers a free browser extension that takes an aggressive stance on blocking malvertising and other dubious schemes.

The post Rudy Giuliani’s Twitter mishaps invite typosquatters and scammers appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Harnessing the power of identity management (IDaaS) in the cloud

Malware Bytes Security - Tue, 02/18/2020 - 12:25pm

Sometimes, consumers have it easy.

Take, for example, when they accidentally lock themselves out of their personal email. Their solution? Reset the password. With one click, they’re able to change their old, complicated password with a new, more memorable one.

Self-service password reset is awesome like this. For users on a business network, it’s not so simple. That is, unless they’re using identity-as-a-service (IDaaS).

What is IDaaS?

IDaaS—pronounced “ay-das”—stands for identity-as-a-service. Essentially, it is identity and access management (IAM)—pronounced “I-am”—deployed from the cloud.

Organizations use IAM technology to make sure their employees, customers, contractors, and partners are who they say they are. Once confirmed via certain methods of authentication, the IDaaS system provides access rights to resources and systems based on permissions granted. And because it’s deployed through the cloud, business entities can request access securely wherever they are and whatever device they’re using.

Giving its own users self-service access to portals is just one of the ways an IDaaS system can provide support for businesses. In fact, the need to better engage with customers while securing their data and conforming to established standards has become the main driving force behind the move to IDaaS.

IDaaS vs. traditional IAM

While traditional, on-premise identity management systems offer levels of self-serve access for employees at the office, their benefits are limited in comparison to cloud-based options. This is because IAMs are:

  • Expensive to create and maintain. It costs more if the organization supports global users due to complexity of infrastructure. IAMs can also be unsustainable overall as the business grows. Both cost and infrastructure complexity increases, making IAMs more difficult to support.
  • Inefficiently managed, security-wise. IAMs that must be placed on legacy systems, for example, put organizations at risk because patching these systems is a challenge, leaving the door open for vulnerabilities at access points.
  • Time-consuming. Upgrading IAM hardware is time-consuming. Sometimes, the upgrade doesn’t happen if it means long downtimes and lost productivity. Also, IT teams are faced with significant time-consuming (and patience-testing) tasks, from password resetting to user provisioning.
  • Not future-proofed. Although some traditional IAMs can provide limited cloud support, they’re essentially designed to handle on-premise resources. Since IAMs inherently lack support for modern-day tech (mobile devices, IoT) and business disruptors (Big Data, digital transformation), they don’t address what current users need and want.
Benefits of IDaaS

Businesses can benefit from IDaaS in so many ways. For the sake of brevity, keep in mind these three main drivers for adapting IDaaS: new capabilities, speed of implementation, and innovation. Not only would these make them more attractive to potential customers, but also helps to retain current ones.

New capabilities, such as single sign-on (SSO), gives business customers the ease and convenience of accessing multiple resources using only a single login instance. Logging in once creates a token, which the IDaaS system then shares with other applications on behalf of the customer, so they would not need to keep logging in.

SSO also removes the burden of remembering multiple login credentials from users, which usually drives them to create memorable but also easily breakable passwords. Needless to say, SSO—and other protocols like Security Assertion Markup Language (SAML), OAuth (pronounced “oh-auth”), and OpenID Connect (OIDC)—will greatly enhance an organization’s security.

Since IDaaS is cloud-based, implementing it in your organization is a lot quicker. For one thing, hardware provisioning is already with the IDaaS provider. What usually takes a couple of years to realize will only take several months—sometimes even a few weeks.

Organizations that are still unsure of whether they want to fully embrace IDaaS but are curious to try it out can temporarily use the solution as a subset of their applications. Should they change their minds, they can pull back just as easily as they pushed on.

And finally, IDaaS removes the barriers that inhibits organizations from moving forward on innovation. Understaffed IT teams, the mounting costs surrounding IT infrastructure that only gets more complicated over time, and insufficient support for modern technologies are just a few of problems that hold modern businesses back from innovating in their own workforce processes, product offerings, and marketing and sales techniques.

Business leaders need to get themselves “unstuck” from these problems by outsourcing their needs to a trusted provider. Not only will doing so be lighter on their pockets, but they can also customize IDaaS’s inherent capabilities to fit their business needs and improve their customer engagement. It’s a win-win for all.

Note, however, that a pure IDaaS implementation may not be for every organization. Some organizations are simply not ready for it. In fact, the majority of enterprises today use hybrid environments—a combination of on-premise and cloud-based applications. This is because some organizations believe that there are some resources best kept on-premise. And when it comes to IDaaS adoption, utilizing the best of both worlds is increasingly becoming the norm.

My organization is small. Is IDaaS still necessary?

Absolutely. Small- and medium-sized businesses experience many of the same IAM issues enterprise organizations face. Every employee maintains a set of credentials they use to access several business applications to do their jobs. An SSO feature in IDaaS will significantly cut back on the number of login instances they have to face when switching from one app to another.

It’s a good question to ask if your business needs IDaaS. But perhaps the better—or bigger—question is whether your business is compliant enough to established security and privacy standards. Thankfully, having IDaaS will help with that issue as well. The caveat is that organizations, regardless of size, must evaluate potential IDaaS providers based on their maturity and their capability to offer a great solution. No two IDaaS offerings are the same.

Mike Wessler and Sean Brown, authors of the e-book “Cloud Identity for Dummies”, propose some questions to consider when deciding:

  • Are they a new company on a shoe-string budget catering to lower-end clients with cost as the primary driver?
  • Are they relatively new in either the cloud or IAM field where they gained those capabilities via recent acquisitions and are simply rebranding someone else’s products and services?
  • Do they have legitimate experience and expertise in cloud and IAM services where offering IDaaS is a logical progression?
What are the possible security problems?

Despite the good that IDaaS could bring to your organization, it is no cure-all. In fact, some security researchers have already noted concerns on some of its key capabilities. Using our previous example, which is the SSO, it is argued that this has become a “single point of failure” should the authentication server fails. Or it can also act as a “single breach point,” waiting to be compromised.

The cybersecurity sector has a dizzyingly long laundry list of use cases where organizations are breached due to compromised credentials. Australia’s Early Warning Network, which was compromised a year ago, was caused by the misuse of stolen credentials. And there are many ways credentials can be leaked or stolen. Organizations can thwart this by requiring the use of multi-factor authentication (MFA).

The bottom line is this: IDaaS or no, businesses still have to adopt and practice safe computing habits to minimize their attack surface.

If you’d like a more in-depth reading on IDaaS, please visit the following:

Stay safe!

The post Harnessing the power of identity management (IDaaS) in the cloud appeared first on Malwarebytes Labs.

Categories: Malware Bytes

A week in security (February 10 – 16)

Malware Bytes Security - Tue, 02/18/2020 - 11:40am

Last week on Malwarebytes Labs, we explained how to battle online coronavirus scams with facts, discussed the persistent re-infection techniques of Android/Trojan.xHelper and how to remove it, provided cyber tips for safe online dating, and showed how Hollywood teaches us misleading cybersecurity lessons.

We also released the 2020 State of Malware Report describing the threat landscape of the year in detail, including top threats for Mac, Windows, Android, and the web, as well as the state of data privacy in commerce and legislation.

Other cybersecurity news
  • Medical transportation vendor, GridWorks experienced a burglary that resulted in a laptop stolen, which contained the personal identifiable information (PII) of 654,362 members. (Source: Security Boulevard)
  • Four members of China’s military were charged on with hacking into Equifax and stealing trade secrets and the personal data of about 145 million Americans in 2017. (Source: The New York Times)
  • Critical vulnerabilities addressed in the Accusoft ImageGear library could be exploited by remote attackers to execute code on a victim machine. (Source: Security Week)
  • Dell has copped to a flaw in the pre-installed program SupportAssist that allows local hackers to load malicious files with admin privileges. (Source: TheRegister)
  • The owner of the Helix Bitcoin Mixer was charged with laundering over $310 million in Bitcoin cryptocurrency while operating the dark web mixer between 2014 and 2017. (Source: BleepingComputer)
  • Emotet has found a new attack vector: using already infected devices to identify new potential victims that are connected to nearby Wi-Fi networks. (Source: The Hacker News)
  • A digitally signed Gigabyte driver has been discovered to be in use by Ransom.RobbinHood to fully encrypt the files on a computer. (Source: Guru 3D)
  • Chief Information Security Officers (CISOs, or CSOs) across the industry are reporting high levels of stress resulting in an average tenure of only 26 months. (Source: ZDNet)
  • The Czech data protection authority announced an investigation into antivirus company Avast for harvesting the browsing history of over 100 million users. (Source: Vice.com)
  • Hackers are demanding nude photos to unlock files in a new ransomware scheme targeting women. (Source: FastCompany)

Stay safe, everyone!

The post A week in security (February 10 – 16) appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Misleading cybersecurity lessons from pop culture: how Hollywood teaches to hack

Malware Bytes Security - Fri, 02/14/2020 - 12:32pm

In pop culture, cybercrimes are often portrayed as mysterious and unrealistic. Hackers are enigmatic and have extraordinary tech abilities. They can discover top secrets in a short time and type at breakneck speed to hack into a database.

In real life, though, hacking is not that straightforward. Hackers may have technical capabilities and high intelligence, but they are otherwise normal human beings. It takes a lot of time and research to come up with foolproof strategies to break into an organization’s secret files.

In the last few decades, hacking and cybersecurity have become important topics of discussion, and pop culture has capitalized on this wave of interest. Many movies and TV shows now find ways to weave cybercrime into their storylines. At times, the depiction is realistic and informative; most of the time, it’s plain misleading and ludicrous.

In this article, we take a look at some pop culture hacking scenes from TV and movies and the cybersecurity lessons, if any, we can learn from them.

Hackers are not always basement-dwelling nerds

Predominantly, male hackers are depicted in Hollywood movies to be either reclusive conspiracy theorists or super-smart, ex-intelligence officers. Picture Dennis Nedry from Jurassic Park or Martin Bishop in Sneakers. Their female counterparts—few and far between—tend toward the harsh, ass-kicking, boyish types, like Kate Libby in Hackers or Trinity in The Matrix.

The reality is, while we may be able to create criminal profiles for threat actors or even define skill sets and personality types that are attracted to hacking, there is no single stereotype that carries.

Hackers could be bubbly, social, feminine, sporty, narcissistic—the life of the party. They could also be relatively quiet, introverts, artists, compassionate, or deeply sensitive. Simply put, pop culture has a habit of stereotyping what it doesn’t understand, and hacking is still a widely misunderstood pastime/profession.

But there is one truth that unites all hacker types: Hacking requires strategic, conceptual thinking, so intelligence is required, as is practice. The best actual hackers spend years honing their craft, testing and testing code, working with mentors and peers, sometimes going to school or, yes, the military, for skills training.

However, cybercrime isn’t dominated by super-skilled hackers. Most criminals have softer code-writing skills, purchasing malware-as-a-service kits on the dark web or using social engineering techniques to scam users out of money. Meanwhile, there are hackers who use their skills for good, called white hats, often working as security researchers or in IT for businesses, schools, healthcare organizations, or the government.

Pop culture would benefit from seeing these more diverse representations of hackers, cybercriminals, and security professionals on TV and in the movies.

Hacking takes research and patience

Movies and TV shows are meant to be exciting and dramatic. As with most careers that aren’t well understood by those outside the industry—think theoretical physicist or brain surgeon—these professional portrayals are made out to be much more action-packed in pop culture than they are in the real world.

Real hackers and cybersecurity experts have to rely on patience and persistence gained through training and experience to strike gold—much more so than a magical solution that can resolve a plot point in five minutes or less.

3..2…1…”I’m in!”

Research is one of the most important parts of hacking or engineering or reverse-engineering, along with making mistakes. Real-world cybersecurity experts understand that failures are just as important as successes. Why?

Part of cybersecurity involves testing currently-active systems to find flaws and improve what needs improving. That can often take months or years of hard work, and not just a few minutes of elaborate schemes and computer wizardry. And even when criminals building the most sophisticated software discover that their cover is blown, they go back to the drawing table to advance on how best to come up with a better plan of infiltrating the host computer.

You can’t save a system by smashing buttons

When NCIS’ Abby is hacked, a million pop-ups fill her screen—Hollywood’s favorite “You’ve been hacked!” move. Thankfully, her friend heroically steps in, furiously typing on the keyboard until the problem is solved. Of course, that’s not quite how the scene would play out in real life.

When a computer is hacked, you cannot save it by pressing buttons aimlessly. You must, at minimum, unplug/shut down the computer and restart or install a USB drive or CD system. And you should also run a scan with an anti-malware program that can clean up infected devices. If you’re part of a business network, the process is more complicated: Alerting your company’s IT team is the best course of action if you suspect an infection. Button mashing will only make your fingers sore.

Hacking is not always flashy

Hollywood loves to make eye candy out of a hacking scene, often displaying colorful, polished graphic interfaces (GUIs) or 3D-immersive virtual reality experiences—neither of which have much to do with actual hacking. This infamous hacking scene in Swordfish, for example, shows Stanley completing some sort of digital Rubik’s Cube to “assemble crypto algorithm.” Whatever that means.

And there’s also this classic from Jurassic Park, where Ariana gains control of the automatic doors by “hacking” into the Unix security system in a matter of seconds.

Setting aside that saying, “It’s a Unix system, I know this” is like saying, “It’s a Windows system, I know this,” knowing Unix (or Windows) wouldn’t automatically bestow on someone the power to override security protocols—especially on custom GUIs reminiscent of a Minecraft beta.

Pop culture loves to spoon feed its audiences cheesy 3D visuals of viruses and authentication attempts. But these flashy visual interfaces, especially in 3D, are not accurate at all. What do your file systems look like on your home or work computer? How many of them are in 3D? How many times do you see a giant “ACCESS DENIED” painted across your whole screen when you enter an incorrect password or when your operating system can’t find a file?

A more accurate interface would be to show command line (code) displayed on a console or terminal, simply because it would be the most efficient way for hackers to obtain data quickly.

However, as much as pop culture has misrepresented hacking to the general public, it has also taught us varying real-life lessons about cybersecurity. Here are a few examples:

Do not download and install untrusted applications

In Ex Machina, we learned that the CEO of Blue Book, Nathan Bateman, fast-tracked the emotional growth of Ava by taking data from smartphone cameras across the world. This scenario is currently playing out in real life, as there are applications that can be downloaded from third-party platforms and even from Google Play and Apple App Store that can spy on users and steal their personal information.

This teaches us to be careful when downloading applications online. Verify each app’s capabilities and permission requests before installing them on your devices. If a music app is asking for access to your GPS location, for example, ask yourself why such information would be necessary for this app to function. If it seems like an unnecessary amount of access, it’s better to forget downloading.

Small distractions could be a diversion

Sometimes cybersecurity lessons can be learned from movie scenes that don’t involve computers at all. For example, in Star Wars: The Last Jedi, Poe creates a diversion, distracting the general and the First Order armada before bombing the Dreadnought. In fact, military strategy is often well intertwined with that of cyberwarfare.

Small distractions were used to a great effect in the 2015 distributed denial of services (DDoS) attacks on ProtonMail, for example. A small ransom note was dropped as a precursor to a 15-minute test DDoS attack, which diverted ProtonMail’s IT team to customer service assistance. The threat actors then followed up with the true mission, jamming up ProtonMail servers with a 50 Gigabit-per-second wave of junk data that took down the datacenter housing servers while simultaneously attacking several ISPs upstream, causing serious damage that took the company offline for days.

The lesson you can take away from this is that a small disruption of services could just be the blip on the radar meant to pull attention away from the storm. Make sure you stay on alert, especially if you notice this at work, where cybercriminals are focusing more of their efforts for larger returns on their investments.

Always use two-step verification

Always use two-factor authentication (2FA) to protect your online accounts—that cannot be overemphasized. In Mr. Robot, 2FAs were used to guard access to the company’s data and keep hackers out. Many IoT devices, password managers, and other applications have recognized the power of 2FA, or multi-factor authentication, in shielding user and proprietary data from hackers who are able to exploit bad password habits.

Hollywood tends to misrepresent what hacking and cybersecurity are to the general public. But it has also taught us valuable lessons about how to protect ourselves, our devices, and our information on the Internet. We hope that, as cybersecurity awareness increases, the misrepresentations are reduced to the barest minimum. That way, TV and movies can do to cybersecurity what they do best: educate, inform, and entertain the public about its importance to our daily lives.

The post Misleading cybersecurity lessons from pop culture: how Hollywood teaches to hack appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Cyber tips for safe online dating: How to avoid privacy gaffs, exploits, and scams

Malware Bytes Security - Thu, 02/13/2020 - 11:36am

Research and reporting on this article were conducted by Labs writers Chris Boyd and David Ruiz.

Dating apps have been mainstream for a long time now, with nearly every possible dating scene covered—casual, long-term, gay, poly, of the Jewish faith, interested only in farmers—whatever you’re looking for. Sadly, wherever you find people trying to go about their business, you’ll also find others quite happy to intrude and cause problems.

Multiple pieces of research regularly highlight potential privacy flaws or security issues with dating apps galore. All this before we even get to the human aspect of the problem—no wonder online dating is exhausting.

Breaking into online dating circles

Dating apps are an unfortunate juicy target for cybercriminals, who will use any vulnerability—from software to psychological—to achieve their goal. Because it’s important to remember: Dating apps store more than just basic personally identifiable information (PII). They include sensitive data and images people might not be comfortable sharing elsewhere, which gives cybercriminals added leverage for blackmail, sextortion, and other forms of online abuse.

To start, the dating apps and sites themselves may not be safe from prying hackers looking to slurp user details. There’s the infamous 2015 compromise of cheating site Ashley Madison, or last year’s badly-timed announcement from dating app Coffee Meets Bagel, who informed users about a data compromise on Valentine’s Day.

How about location-based dating apps, like Tinder? In 2019, location-based dating app Jack’d allowed users to upload private photos and videos, but didn’t secure them on the backend, leaving users’ private images exposed to the public Internet. Now combine that with the ability to pinpoint a user’s exact location or track them on social media, and the end result is rather frightening.

Finally, online dating can wreak havoc in the workplace, too. If your organization supports a bring your own device (BYOD) policy, security vulnerabilities in dating apps could cause additional risk to your own reputation, as well as the company’s networks and infrastructure. (Though to be fair, you could argue “additional risk” is part and parcel of any BYOD policy.) A 2017 study by Kaspersky found that mobile dating apps were susceptible to man-in-the-middle attacks, putting any data or communications with the enterprise conducted via mobile device in danger.

Hints and tips for safe online dating

There are too many dating apps and websites out there to be able to give granular advice on privacy settings and security precautions for each and every one. However, a lot of security advice in this area is about common sense precaution, just as you would while dating in the real world. Many of these tips have been around forever; some require a little cybersecurity education, and a few rely on newer forms of technology to ensure things go smoothly.

Time to go hunting

Deploy some Google-Fu: One of the very first things you should do is a search related to your prospective date. There may well be multiple alarm bell–ringing search results for a troublesome dating site member all under the same username, for example. Or you could stumble upon multiple profiles begging for money on different sites, all using the same profile pic as your supposed date.

Checking photos and profile pics is a good idea in general. Use Google image search, Tineye, and other similar services to see if it’s been swiped from Shutterstock or elsewhere. It’s possible lazy scammers may start using deepfake images, which will be even harder to figure out, unless you read our blog and see some of the ways you can spot a fake.

Stay in on your night out

Don’t go outside the theoretical safety boundary of the app you’re using. This is one of the most common scam signs for any form of online shenanigans. Mysterious free video game platform gifts sent in your general direction? Surprise! You must receive the gift via dubious email link instead of the gaming platform you happen to be using. Making a purchase from a website you just discovered? Suddenly, you need to make a wire transfer instead of paying online—and so on.

Many dating apps restrict how much profile information you can reveal—that’s a good thing. However, that layer of privacy protection won’t work as well as it should if you’re convinced by a scammer to pass along lots of PII through other means. If the person on the other end of the communique is particularly insistent on this, that’s a definite red flag—for malware and for dating.

Hooking up with social media

A well-worn point, but it bears repeating: Sharing dating profiles with social media platforms may well open your data up to further scrutiny, thievery, and general tomfoolery. Your dating profile may be nicely locked down, but that approach again loses value if tied to public profiles containing a plethora of information on you, your friends, and your family. This just isn’t a risk worth taking.

Sharing is not always caring

Keeping your own dating data disconnected from social media platforms is just one step in protecting your sensitive information. Another step is awareness. When using dating apps, you should spend some time looking at their privacy policies and settings, as well as looking up news stories on them online, so that you know where your data is going, who is sending it around, and why.

For example, last month, the Norwegian Consumer Council revealed how the Android apps for Grindr, Tinder, and OkCupid sent sensitive personal information—including sexual preferences and GPS locations—to advertising companies, potentially breaching user trust.

The nonprofit’s report shone light on the digital advertising industry’s efforts to collect user information and channel it through a complex machine to find out who users are, where they live, what they like, who they support in elections, and even who they love. By analyzing 10 popular apps, the report’s researchers found at least 135 third parties that received user information.

Users’ GPS coordinates were shared with third parties by the dating apps Grindr and OkCupid. GPS “position” data was shared with third parties by the dating app Tinder, which also shared users’ expressed interest in gender. OkCupid also sent user information about “sexuality, drug use, political views, and much more,” the report said.

As to who received the information? The answers are less familiar. While Google and Facebook showed up in the report—both receiving Advertiser IDs—the majority of user data recipients were lesser-known companies, including AppLovin, AdColony, BuckSense, MoPub, and Braze.

There’s no cure-all to this type of data sharing, but you should know that privacy advocates in California are on it, having already asked the state’s Attorney General to investigate whether the data-sharing practices violate the California Consumer Privacy Act, which just came into effect at the start of this year.

General OPSEC tips

Operational security, or OPSEC for short, is pretty important as far as online dating is concerned. Some of the basic cybersecurity hygiene steps that we encourage our users to perform in their day-to-day business can help thwart unwanted digital access or steer you clear of physically dangerous situations. Here are a few examples:

Passwords, passwords, passwords

We all know password reuse is bad—across dating sites, apps, or any accounts—but depending on personal circumstances, it may also be bad to recycle usernames. If you don’t want people you’d rather avoid in the future tracking you down on social media, remember to use random names unrelated to your more general online activities.

While we’re on the subject, there are several other best practices for password security that we recommend, such as creating long passphrases that are unrelated to your name, birthday, or pets. If you can’t remember 85,000 different passwords, consider storing them in a password manager and using a single master password to control them all. If that seems like putting too much power in the hands of one password, we recommend using two- or multi-factor authentication.

The point is: Don’t reuse passwords on dating sites. There may be a plethora of intimate messages sent on these platforms, more so than on most other services you use. It makes sense to lock things down as much as possible.

Stranger danger

Meeting a date in person for the first time? Tell other people where you’re going on your date beforehand. It’s a basic, but invaluable safety step—especially if you have no way of vetting your date outside of the dating app constraints. Let your insider know the name/profile name/and anything else relevant to your date that might help them track you later, if necessary.

Also, try to obscure your literal latitude and longitude or home address from a virtual stranger before you get to know and trust them. Dating apps have taken those spammy “hot singles in your area” ads to their logical end point. Hot singles in your area really would be beneficial where dating is concerned, so why shouldn’t apps allow you to search on factors related to distance? However, on the flip side, this does rather tip your hand where revealing your general location is concerned.

So while your date will have some sort of idea as to where you’re based, you’ll want to have your first meeting(s) somewhere other than “the bar at the end of my street.” A little travel goes a long way to blocking some crucial details. Oh, and consider using public transport or your own vehicle to get to and from the date.

Ring, ring

If possible, don’t hand over your main phone number—especially when such a thing may be tied to SMS 2FA, which can lead to social engineering attacks on your mobile provider. If your mobile is your only phone, consider using a disposable phone specifically for dating that isn’t tied to anything important.

If that’s out of the question, you could try one of the many popular online services which provide their own number/voicemail.

Play it safe

After reading all of this, you may think that between potential security vulnerabilities, privacy exposures, and contending with awful scammers that it’s not worth the hassle to bother with online dating. That’s not our intention.

As long as you follow some of the advice listed above and keep in mind that dating apps can be compromised just like any other software, you should have a safe online dating experience. Just remember that anything you communicate online has the potential to drift offline—after all, that’s the whole goal of online dating in the first place.

Good luck, and stay safe out there!

The post Cyber tips for safe online dating: How to avoid privacy gaffs, exploits, and scams appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Android Trojan xHelper uses persistent re-infection tactics: here’s how to remove

Malware Bytes Security - Wed, 02/12/2020 - 1:15pm

We first stumbled upon the nasty Android Trojan xHelper, a stealthy malware dropper, in May 2019. By mid-summer 2019, xHelper was topping our detection charts—so we wrote an article about it. After the blog, we thought the case was closed on xHelper. Then a tech savvy user reached out to us in early January 2020 on the Malwarebytes support forum:

“I have a phone that is infected with the xhelper virus. This tenacious pain just keeps coming back.”

“I’m fairly technically inclined so I’m comfortable with common prompt or anything else I may need to do to make this thing go away so the phone is actually usable!”

forum user misspaperwait, Amelia

Indeed, she was infected with xHelper. Furthermore, Malwarebytes for Android had already successfully removed two variants of xHelper and a Trojan agent from her mobile device. The problem was, it kept coming back within an hour of removal. xHelper was re-infecting over and over again.

Photo provided by Amelia

If it wasn’t for the expertise and persistence of forum patron Amelia, we couldn’t have figured this out. She has graciously has allowed us to share her journey. 

All the fails

Before we share the culprit behind this xHelper re-infection, I’d like to highlight the tactics we used to investigate the situation, including the many dead ends we hit prior to figuring out the end game. By showing the roadblocks we encountered, we demonstrate the thought process and complexity behind removing malware so that others may use it as a guide. 

Clean slate

First off, Amelia was clever enough to do a factory reset before reaching out to us. Unfortunately, it didn’t resolve the issue, though it did give us a clean slate to work with. No other apps (besides those that came with the phones) were installed besides Malwarebytes for Android, thus, we could rule out an infection by prior installs (or so we thought).

We also ruled out any of the malware having device admin rights, which would have prevented our ability to uninstall malicious apps. In addition, we cleared all history and cache on Amelia’s browsers, in case of a browser-based threat, such as a drive-by download, causing the re-infection.

The usual suspect: pre-installed malware

Since we had a clean mobile device and it was still getting re-infected, our first assumption was that pre-installed malware was the issue. This assumption was fueled by the fact that the mobile device was from a lesser-known manufacturer, which is often the case with pre-installed malware.  So Amelia tested this theory by going through the steps to run Android Debug Bridge (adb) commands to her mobile device. 

With adb command line installed and the mobile device plugged into a PC, we used the workaround of uninstalling system apps for current user. This method renders system apps useless even though they still technically reside on the device. 

Starting with the most obvious to the least, we systematically uninstalled suspicious system apps, including the mobile device’s system updater and an audio app with hits on VirusTotal, a potential indicator of maliciousness.  Amelia was even able to grab various apps we didn’t have in our Mobile Intelligence System to rule everything out. After all this, xHelper’s persistence would not end.

Photo provided by Amelia of xHelper running on mobile device Triggered: Google PLAY

We then noticed something strange: The source of installation for the malware stated it was coming from Google PLAY. This was unusual because none of the malicious apps downloading on Amelia’s phone were on Google PLAY. Since we were running out of ideas, we disabled Google PLAY. As a result, the re-infections stopped!

We have seen important pre-installed system apps infected with malware in the past. But Google PLAY itself!? After further analysis, we determined that, no, Google PLAY was not infected with malware. However, something within Google PLAY was triggering the re-infection—perhaps something that was sitting in storage. Furthermore, that something could also be using Google PLAY as a smokescreen, falsifying it as the source of malware installation when in reality, it was coming from someplace else.

In the hopes that our theory held true, we asked Amelia to look for suspicious files and/or directories on her mobile device using a searchable file explorer, namely, anything that started with com.mufc., the malicious package names of xHelper. And then…eureka!

Photos provided by Amelia The culprit

Hidden within a directory named com.mufc.umbtts was yet another Android application package (APK). The APK in question was a Trojan dropper we promptly named Android/Trojan.Dropper.xHelper.VRW. It is responsible for dropping one variant of xHelper, which subsequently drops more malware within seconds.

Here’s the confusing part: Nowhere on the device does it appear that Trojan.Dropper.xHelper.VRW is installed. It is our belief that it installed, ran, and uninstalled again within seconds to evade detection—all by something triggered from Google PLAY.  The “how” behind this is still unknown.

It’s important to realize that unlike apps, directories and files remain on the Android mobile device even after a factory reset. Therefore, until the directories and files are removed, the device will keep getting infected.

How to remove xHelper re-infections

If you are experiencing re-infections of xHelper, here’s how to remove it:

  • We strongly recommend installing Malwarebytes for Android (free).
  • Install a file manager from Google PLAY that has the capability to search files and directories.
    • Amelia used File Manager by ASTRO.
  • Disable Google PLAY temporarily to stop re-infection.
    • Go to Settings > Apps > Google Play Store
    • Press Disable button
  • Run a scan in Malwarebytes for Android to remove xHelper and other malware.
    • Manually uninstalling can be difficult, but the names to look for in Apps info are fireway, xhelper, and Settings (only if two settings apps are displayed).
  • Open the file manager and search for anything in storage starting with com.mufc.
  • If found, make a note of the last modified date.
    • Pro tip: Sort by date in file manager
    • In File Manager by ASTRO, you can sort by date under View Settings
  • Delete anything starting with com.mufc. and anything with same date (except core directories like Download):
  • Re-enable Google PLAY
    • Go to Settings > Apps > Google Play Store
    • Press Enable button
  • If the infection still persists, reach out to us via Malwarebytes Support.
Mobile malware hits a new level

This is by far the nastiest infection I have encountered as a mobile malware researcher. Usually a factory reset, which is the last option, resolves even the worst infection. I cannot recall a time that an infection persisted after a factory reset unless the device came with pre-installed malware. This fact inadvertently sent me down the wrong path. Luckily, I had Amelia’s help, who was as persistent as xHelper itself in finding an answer and guiding us to our conclusion.

This, however, marks a new era in mobile malware. The ability to re-infect using a hidden directory containing an APK that can evade detection is both scary and frustrating. We will continue analyzing this malware behind the scenes. In the meantime, we hope this at least ends the chapter of this particular variant of xHelper. 

Stay safe out there!

The post Android Trojan xHelper uses persistent re-infection tactics: here’s how to remove appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Malwarebytes Labs releases 2020 State of Malware Report

Malware Bytes Security - Tue, 02/11/2020 - 3:01am

Malwarebytes Labs today released the results of our annual study on the state of malware—the 2020 State of Malware Report—and as usual, it’s a doozy.

From an increase in enterprise-focused threats to the diversification of sophisticated hacking and stealth techniques, the 2019 threat landscape was shaped by a cybercrime industry that aimed to show it’s all grown up and coming after organizations with increasing vengeance.

The 2020 State of Malware Report features data sets collected from product telemetry, honey pots, intelligence, and other research conducted by Malwarebytes threat analysts and reporters to investigate the top threats delivered by cybercriminals to both consumers and businesses in 2019.

Our analysis includes a look at threats to Mac and Windows PCs, Android and iOS, as well as browser-based attacks. In addition, we examined consumer and business detections on threats to specific regions and industries across the globe. Finally, we took a look at the state of data privacy in 2019, including state and federal legislation, as well as the privacy failures of some big tech companies in juxtaposition against the forward-thinking policies of others.

Here’s a sample of what we found:

  • Mac threats increased exponentially in comparison to those against Windows PCs. While overall volume of Mac threats increased year-over-year by more than 400 percent, that number is somewhat impacted by a larger Malwarebytes for Mac userbase in 2019. However, when calculated in threats per endpoint, Macs still outpaced Windows by nearly 2:1.
  • The volume of global threats against business endpoints has increased by 13 percent year-over-year, with aggressive adware, Trojans, and HackTools leading the pack.
  • Organizations were once again hammered with Emotet and TrickBot, two Trojan-turned-botnets that surfaced in the top five threats for nearly every region of the globe, and in the top detections for the services, retail, and education industries. TrickBot detections in particular increased more than 50 percent over the previous year.
  • Net new ransomware activity is at an all-time high against businesses, with families such as Ryuk and Sodinokibi increasing by as much as 543 and 820 percent, respectively.

To learn more about the top threats of the year for Mac, Windows, Android, and the web, as well as the state of data privacy in commerce and legislation, check out the full 2020 State of Malware Report here.

The post Malwarebytes Labs releases 2020 State of Malware Report appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Battling online coronavirus scams with facts

Malware Bytes Security - Mon, 02/10/2020 - 11:56am

Panic and confusion about the recent coronavirus outbreak spurred threat actors to launch several malware campaigns across the world, relying on a tried-and-true method to infect people’s machines: fear.

Cybercriminals targeted users in Japan with an Emotet campaign that included malicious Word documents that allegedly contained information about coronavirus prevention. Malware embedded into PDFs, MP4s, and Docx files circulated online, bearing titles that alluded to protection tips. Phishing emails that allegedly came from the US Centers for Disease Control and Prevention (CDC) were spotted, too. Malwarebytes also found a novel scam purporting to direct users to a donation page to help support government and medical research.

All of these threats rely on the same dangerous intersection of misinformation and panic—a classic and grotesque cybercrime tactic. A great defense to these is, quite simply, the truth.

At Malwarebytes, we understand that safeguarding you from cyberthreats goes beyond technological protection. It also means giving you the information you need to make smart, safe decisions. Because of this, we’re presenting verified resources and data about coronavirus that will hopefully steer users away from online threats. If you see a sketchy-looking email mentioning the virus (like the one we found below), don’t open it. Instead, come here. If you want to immediately see what these online scams look like, scroll below.

What is coronavirus?

According to the World Health Organization, the current coronavirus that has infected thousands of people across the world is a single variant of a broader family of viruses, also called “coronavirus.” This particular strain of coronavirus was first identified in the city of Wuhan in central China’s Hubei province. It has the title “2019-nCoV.” Though 2019-nCoV is from the same family of coronaviruses as SARS—which spread to 26 countries between 2002 and 2003—it is not the same virus.

As of February 7, coronavirus has spread to at least 25 countries, including Australia, Vietnam, the United States, the Philippines, Nepal, Sweden, the United Kingdom, India, and more. Mexico has no reported cases—the only country in North America to avoid the virus, it appears. Countries in South America, including Brazil, Colombia, Venezuela, and Chile, have not reported any confirmed cases of the virus, either. While the majority of infections are reported in China, with 31,211 confirmed cases, the highest count of any other country is Singapore, with 30 cases.

Full, daily reports on the virus’ spread can be found at the World Health Organization’s resource page here: Novel Coronavirus (2019-nCoV) situation reports. The situation reports also provide information about every country with confirmed coronavirus cases, and this Al Jazeera article compiles that information up to February 6.

According to a February 6 report in The Wall Street Journal that cites scientists and medical academics in China, the recent coronavirus likely started in bats.

According to the US Center for Disease Control, coronavirus symptoms include fever, cough, and shortness of breath.

How can I protect myself from coronavirus?

Because coronavirus spreads from human-to-human contact, the best protection methods involve good hygiene. According to the WHO, individuals should:

  • Wash your hands frequently with soap and water or use an alcohol-based hand rub if your hands are not visibly dirty.     
  • Maintain social distancing—maintain at least 1 meter (3 feet) distance between yourself and other people, particularly those who are coughing, sneezing and have a fever.
  • Avoid touching eyes, nose, and mouth.
  • If you have fever, cough, and difficulty breathing, seek medical care early. Tell your health care provider if you have travelled in an area in China where 2019-nCoV has been reported, or if you have been in close contact with someone with who has travelled from China and has respiratory symptoms.
  • If you have mild respiratory symptoms and no travel history to or within China, carefully practice basic respiratory and hand hygiene and stay home until you are recovered, if possible. 

The WHO also actively dispelled some current myths about coronavirus. For instance, individuals cannot catch the virus from dogs and cats that are their pets, and vaccines against pneumonia do not protect against coronavirus.

For more information on coronavirus myths, please visit the WHO Myth Busters page here, along with the WHO Q&A page.

What else should I know about coronavirus?

Coronavirus is a serious threat, but it is not the world-ending plague that many fear. As of February 7, the virus has resulted in 637 total deaths. A February 6 notice by the Chinese media service CGTN reported more recoveries, at 1,542.

Individuals should not fear receiving packages from China, the WHO said, as the virus cannot survive long durations on physical objects like packages and letters. Similarly, individuals should not dip into unmeasured fear of all things Chinese. These fears have turned New York’s Chinatown district into a “ghost town,” said one local business owner, and have fueled multiple xenophobic and racist assumptions across the world.

The WHO says it is okay to receive packages delivered from China.

Coronavirus has also received a strong global response. Air travel has been severely limited, Olympic qualifying games were relocated, workers built a hospital in about 10 days, fast food restaurants temporarily closed their locations, and China closed off entire populations—which has come with its own tragic tales of quarantine camps, isolation, and fear.

The spread of the virus is scary, yes, but people are working day and night to prevent greater exposure.

What should I know about coronavirus scams?

Coronavirus online scams are largely similar to one another. By preying on misinformation and fear, cybercriminals hope to trick unwitting individuals into opening files and documents that promise information about the virus.

However, Malwarebytes recently found an email scam that preys on people’s desire to help during a moment like this.

The scam email—titled “URGENT: Coronavirus, Can we count on your support today?”—purportedly comes from the nondescript “Department of Health.” Inside, the email asks users to donate to coronavirus prevention causes.

“We need your support , Would you consider donating 100 HKD to help us achieve our mission?” the email says near its end, before offering a disguised link that opens an application, not a website. The link itself begins with neither HTTPS or HTTP, but “HXXP.”

A screenshot of an emailed coronavirus scam that preys on users’ good will.

Routine scams that allegedly include information about prevention and protection also come through emails, like this phishing scam spotted by Sophos.

A screenshot of the emailed coronavirus scam that Sophos discovered.

The malicious email informs its recipient to open an attached document that includes information about “safety measures regarding the spreading of coronavirus,” which then directs users to a page that asks for their email address and password.

These scams are becoming a dime a dozen, and we don’t expect them to dwindle any time soon. In fact, threat actors in China were spotted sending malware around through email and through the Chinese social media platform WeChat. Though the exact types of malware were not reported, the Computer Virus Emergency Response Center said the malware itself could be used to steal data or remotely control victims’ devices.

Coronavirus information and data resources

If you’re afraid about the spread of coronavirus, we understand. But please, do not click any links in any sketchy emails, and do not donate to any causes you have not already vetted outside of your email client.

If you want to know up-to-the-date information about the virus, again, please visit the following resources:

Stay safe, everyone.

The post Battling online coronavirus scams with facts appeared first on Malwarebytes Labs.

Categories: Malware Bytes

A week in security (February 3 – 9)

Malware Bytes Security - Mon, 02/10/2020 - 11:46am

Last week on Malwarebytes Labs, we looked at Washington state’s latest efforts in providing better data privacy rights for their residents, and we dove into some of the many questions regarding fintech: What is it? How secure is it? And what are some of the problems in the space?

We also detailed a new adware family that our researchers had been tracking since late last year and pushed out a piece on performance art’s impact on Google Maps and other crowdsourced apps.

Other cybersecurity news

Stay safe, everyone!

The post A week in security (February 3 – 9) appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Google Maps: online interventions with offline ramifications

Malware Bytes Security - Fri, 02/07/2020 - 2:24pm

The places where online life directly intersection with that lived offline will be forever fascinating, illustrated perfectly through a recent performance piece involving Google Maps, a cart, and an awful lot of mobile phones.

Simon Weckert, an artist based in Berlin, Germany, showed how a little ingenuity could work magic on the ubiquitous Google Maps system. Turns out Google hadn’t accounted for what happens when 99 phones go for a relaxing walk down the streets of Berlin. The system was fooled into believing the world’s most aggressive traffic jam was taking place. Let’s see how it happened.

How does Google Maps help with traffic?

Back in the day, Google Maps dived into the world of traffic sensors to get a feel for how commutes and directions were impacted by traffic patterns.

In 2009, they made use of crowdsourcing, and phones with GPS enabled sent anonymous data allowing Google to figure out how vehicles were moving and where any traffic jams happened to be. The more people taking part, the greater the accuracy and benefits for all.

Things kept on moving, and in 2020 it’s a combination of sensors, user data, and satellite technology to keep things keeping on. You’d think a trolley of phones would be no match for this elaborate weave of crowdsourced mobile pocket power and additional data sources.

You would think.

Maps versus trolley

Imagine our surprise when one large jumble of phones trundled its way toward disruption heaven, proudly announcing 99 cars were not going anywhere anytime soon. Whatever failsafes Maps had in place, it simply couldn’t figure out shenanigans were afoot.

https://youtu.be/k5eL_al_m7Q

Streets formerly flagged as green (all clear) would suddenly show as red (traffic jam ahoy), with the knock-on effect of rerouting cars to other roads which may well have been free of cars but would now feel the impact of people trying to avoid the trolley hotspot. I think my favourite part of this story was when the trolley rumbled right past the Maps office. Chaos, then, but artistically done. Not the first time though…

Mapping out an artistic tribute

Art being used to make a point about technology, Google, and even Maps itself is not uncommon. Last year, an artist made use of their Google account to upload weird and wonderful pieces of 360 degree digital art using Google Business View. Sure, you could use it to give potential customers an in-depth look at your eatery before venturing inside—or you could generate chaotic mashups and loosen up the clinical aesthetic of vanilla Google Maps instead. The choice, as they say, is yours (unless someone says “no” and removes it all).

What could cause user generated content to be removed from Maps? Funny you should ask.

When does art become vandalism?

Maps may make use of crowdsourcing to great effect, but crowdsourcing alone is one consistent method to ensure chaos in the end. A few years ago, enthusiastic cartographers had the ability to make edits to Maps using the Map Maker tool. If you had a nice tip or a cool landmark you felt warranted closer inspection, you could add it manually to the map. This was one way to help out in regions where mapping hadn’t taken place, because even Google couldn’t be everywhere at once.

Other users would check and verify before edits went live. If you eventually gained enough kudos from the rest and your edits were constant and legitimate, you eventually bypassed the need for others to make sure you weren’t doing anything problematic.

Step forward, someone doing something problematic. 

Slowly but surely, people started to play pranks on the system and post a variety of spam and other nonsense. It’s possible Map Maker may have carried on if the dubious edits had been small, unnoticed, and otherwise unlikely to end up front page news.

On the other hand, this could happen and Map Maker could be thrown from the highest of cliff edges, never to return. Some features of Map Maker have made their way into regular Maps, but sadly this was lights out for the genuinely useful tool. If I could draw a 300-foot “RIP Map Maker” onto the side of a digitised mountain in the Himalayas, I would, but this written tribute of ours will have to suffice.

Getting down to business

Maps locations for businesses have also been exposed to shenanigans over the years, and not all of it confined to Maps exclusively. Whether it’s restaurant owners going out of business because of wrongly-listed opening hours, or Google+ (remember that?) listings directing hotel chain visitors to third-party websites generating commission, the conflict is nonstop and the repercussions can be enormous for those hit hard. If you’re not online much or familiar with the technology involved, then you have almost no chance of setting things straight.

Trouble in other realms

It isn’t just Google Maps beset by these antics. Other major platforms run into similar issues, and if the platform doesn’t provide the mapping tech directly, then the pranksters/malicious actors will simply go after the third-party suppliers instead. Mapbox found themselves facing a terrible edit, which worked its way into Snapchat, the Weather Channel, and others.

For as long as the ability to make use of the wisdom of the crowds (or, in many cases, the lack of wisdom) exists, these disruptions will continue to happen. A surprising amount of services we take for granted can’t really function well without an element of trust granted to the user base, so this isn’t exactly the easiest to police.

Sure, some of the shenanigans are lighthearted and may occasionally be quite funny. Some of these methods for gaming the system could also be profoundly troublesome and cause maximum discomfort with a little bit of effort.

On this occasion, at least, we can be content that the end result is “cool art project makes us think about online/offline interaction” and not “someone’s drawn a rude picture on the side of the Empire State Building.”

We make no guarantees about next time.

The post Google Maps: online interventions with offline ramifications appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Adware.Adposhel takes over your web push notifications administration

Malware Bytes Security - Thu, 02/06/2020 - 1:10pm

Since late last year our researchers have been monitoring a new method concerning web push notifications being deployed by an adware family detected by Malwarebytes as Adware.Adposhel.

What does Adware.Adposhel change?

The adware uses Chrome policies to ensure that notification prompts will be shown and add some of their own domains to the list of sites that are allowed to push web notifications. So far not very new. The recent twist however is that it enforces these settings as an administrator. This is done so the regular Chrome user will not be able to change the settings in the Notifications menu.

It seems they have now decided to fully deploy this tactic as we are seeing complaints about it emerging on computer forums and Reddit.

Victims will complain about being unable to remove domains from the list of domains that are allowed to show web push notifications and being unable to change the setting that controls whether websites can ask you to allow notifications.

Disabling that setting would stop a user from seeing prompts like these:

If I were to click Allow on that prompt this domain would be added to my allow list of URLs, but with the understanding that I would be able to remove it manually in the Notifications menu.

Adware.Adposhel uses the NotificationsAllowedForUrls policy to block users from removing their entries from the Allow list.

Where you would normally see the three dots (ellipsis) menu icon representing the settings menu.

For the entries submitted to a policy by Adware.Adposhel you will see the icon that tells you the setting is enforced by an administrator. And the accompanying text if you hover over the icon.

How do I undo the changes made by Adware.Adposhel?

This does not mean that you can change that setting just because you are the administrator of the system you are working on by the way. But if you are the system administrator you can fix the notifications changes made by the Adposhel installer by applying a simple registry fix:

Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome] "DefaultNotificationsSetting"=dword:00000001 [-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\NotificationsAllowedForUrls]

This is safe to do unless there were legitimate URLs in the list of URLs that are allowed to show notifications by policy, which I doubt. But we always advise to create a backup of the registry before making any changes.

 Backing up Registry with ERUNT

Modifying the registry may create unforeseen results, so we always recommend creating a backup prior to doing that!

Please download ERUNT and save the file to the desktop.

  • Install ERUNT by following the prompts, but say No to the portion that asks you to add ERUNT to the startup folder.
  • Right-click on the   icon and select   Run as Administrator to start the tool.
  • Leave the default location (C:\WINDOWS\ERDNT) as a place for your backup.
  • Make sure that System registry and Current user registry are ticked.
  • The third option Other open users registries is optional.
  • Press OK to backup and then press YES to create the folder.

This tool won’t generate any report.
You may uninstall it after we’re done with the cleaning.

Protection and detection

Malwarebytes detects the installers as Adware.Adposhel.

The URLs enforced by this Adpohel induced Chrome policy are detected as Adware.ForcedNotifications.ChrPRST.

IOCs

Domains:

aclassigned.info chainthorn.com cityskyscraper.com concreasun.info dimlitroom.com durington.info efishedo.info enclosely.info insupposity.info nineteducer.info oncreasun.info parliery.info qareaste.info stilysee.info suggedin.info

Stay safe everyone!

The post Adware.Adposhel takes over your web push notifications administration appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Fintech security: the challenges and fails of a new era

Malware Bytes Security - Wed, 02/05/2020 - 2:24pm

“I have no idea how this app from my bank works, and I don’t trust what I don’t understand.” Josh is not an old curmudgeon or luddite. He’s 42 with a decent understanding of technology. Nevertheless, the changes in fintech have come too fast for him. It’s not that he doesn’t trust his bank. He doesn’t trust himself to use and manage the banking app securely.

The world we live in has gone through some noticeable changes in the last decade. This is certainly true for the banking industry, which has grasped onto the concept of fintech as nearly interchangeable with finance. However, fintech—or computer programs and other technology used to support banking and other financial services—is the fastest-growing sector in venture capital. It may encompass anything from cryptocurrency to mobile payment apps.

The groundwork was laid for the rise of fintech through a series of major incidents over the last 10 years. These include:

  • The banking crisis and subsequent Great Recession of 2007–2009. If you had told someone 15 years ago that a number of big-name banks would not survive the decade, they would have laughed at you. Yet, the list is long.
  • New currencies introduced into the playing field, especially crypto. Bitcoin started in 2009, and hundreds of other cryptocurrencies have since followed suit.
  • Negative interest rates. Cash deposits incur a charge for storage at a bank rather than gaining interest. Some banks have to pay money to store their surplus in funds at national banks because of the negative interest rates. Some banks even charge their customers with this negative interest.
  • New players have entered the field that are different from the establishment. Some are related to the development of cryptocurrencies, but others simply look at financial business in a new and unique way.
  • Customers are increasingly expecting their payments to reach their destination account on the same day. This also helps the bank itself, as it reduces the amount they need to store against a negative interest.
What is fintech?

The hardware and software used in the financial world is generally referred to as fintech. But the expression is also used to describe the startups in the financial world. In this article it will be used to describe the technology as many of the settled financial institutions feel they need to adapt to the same new technology that the startups offer their customers. Because of this we can find these new features in banking and other financial applications both in the apps of accomplished firms along with those of the new financials.

Fintech security

While it may come as less than a surprise that Fintech startups are struggling with security, sometimes the established names surprise us with how easily they fall prey to data breaches, malware attacks, or compromised apps.

One of the reasons why some of the fintech startups are so successful lies in their ability to offer alternatives to conventional financial solutions through cryptocurrencies, online loans, and P2P. Along comes a variety of challenges and one of these challenges piques our interest: cybersecurity. To name one aspect, the huge growth in the number and size of online platforms makes this industry very vulnerable to security breaches.

Some of the problems

The introduction of new features sometimes looks as if they were done in a rush and without keeping in mind how secure they are and how clever crooks could abuse them. For example, a mobile banking app that allowed users to add an extra phone to control their account by simply scanning a QR code ended up cleaning out a few bank accounts. Clever imposters tricked people into adding their phone leaving the imposter in full control of the account.

Payment requests leading to fake websites are a quickly rising threat as banks are rolling out this feature. As always with newer technology, fraudsters benefit from the victim’s unawareness of how things work exactly. Someone pretending to buy from you on an online market can send you a payment request for the amount you are expecting. All you have to do is click “Accept” and enter your pin. And then find out that you paid them instead of the other way around.

Fake bank websites in general have been a problem for many years and this will probably remain a problem for some time to come. Most of the times these fake sites are designed to harvest login and payment credentials from the visiting victims. And they are very hard to distinguish from the real bank websites as the threat-actors simply copy all the content and layout from the original sites. And urging customers to look for the green padlock is hardly useful advice anymore.

Payment providers and online shops are plagued by web skimmers. As we have reported frequently especially there are several Magecart groups who are very active at this front. Payments are intercepted and payment card information stolen using compromised e-commerce sites.

And then there is virtual money, or since most money nowadays is virtual to some level, let’s talk about cryptocurrencies in particular. While the introduction of cryptocurrencies was intended to open up a whole new world of payment options, it also opened a virtual cesspit of options to be defrauded. The absence of a central authority gave way to types of fraud and robbery that were unheard of in the old school banking world. Huge steals from marketplaces, bank-owners running with the funds entrusted to them, stolen hot wallet credentials, and let’s not forget drive-by-mining. We covered many of these crimes in our blog about Bankrobbers 2.0.

Financials of all kinds have suffered data breaches in all sorts and sizes. From huge ones like Equifax and Capital One to equally painful ones, for those involved, like the one at P&N bank where sensitive account information was spilled.

Ransomware operators are particularly fond of financials as they usually can afford to pay large sums and they are invested in getting operations back up and running in a hurry. Travelex took the high road and refused to pay the ransom demand made after being hit with Ransom.Sodinokibi.

Privacy concerns

With governments asking for full disclosure of savings both offshore and internal, and on the other hand enforcing privacy laws, financial institutions are expected to balance these demands while keeping their customers on board.

With GDPR in Europe leading the way, financials should be ready or get ready to comply with GDPR or similar laws that apply to them and their customer base.

Countermeasures

The financial industry is considered to be vital infrastructure and for good reason. When we lose trust in our financial institutions, it turns our society upside down. When the paper is no longer worth the number printed on it, or you cannot withdraw money from your account, that rattles the bases of our economy.

Fintech needs to adapt a more security focused approach to developing new features, especially in their mobile apps. It also wouldn’t hurt to provide customers with elaborate instructions on how to safely use the new app or new features of the app.

As a financial startup you want to grow fast. But growing fast comes with its own problems. Making sure your security measures can scale along with your growth is a must. Unless you want to find yourself restricted in your growth or notice your security to start cracking at the seams.

However frustrating it may turn out to be, financials need to think about better identity management and control. Is it enough when someone is logged into an account to allow that entity to fully control the account? Or de we need to add another factor for special actions like raising the maximum amount, allowing withdrawals abroad, or even for transactions that are larger than normal.

Fintech startups can’t expect to get away with security mistakes that other startups might. Being in the financial sector brings with it different responsibilities and expectations.

As I’ve written before: It is key that our financial institutions protect our dollars and our data so that we can keep investing our money and our trust in them.

Stay safe, everyone!

The post Fintech security: the challenges and fails of a new era appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Washington Privacy Act welcomed by corporate and nonprofit actors

Malware Bytes Security - Tue, 02/04/2020 - 11:35am

The steady parade of US data privacy legislation continued last month in Washington with the introduction of an improved bill that would grant state residents the rights to access, control, delete, and port their data, as well as opting out of data sales.

The bill, called the Washington Privacy Act, also improves upon its earlier 2019 version, providing stronger safeguards on the use of facial recognition technology. According to some analysts, when compared to its coastal neighbor’s data privacy law—the California Consumer Privacy Act, which went into effect this year—the Washington Privacy Act excels.

Future of Privacy Forum CEO Jules Polonetsky called the bill “the most comprehensive state privacy legislation proposed to date.”

“It includes provisions on data minimization, purpose limitations, privacy risk assessments, anti-discrimination requirements, and limits on automated profiling that other state laws do not,” Polonetsky said.

Introduced on January 20 by state Senator Reuven Carlyle, the Washington Privacy Act would create new responsibilities for companies that handle consumer data, including the implementation of data protection processes and the development and posting of privacy policies.

Already, the bill has gained warm reception from corporate and nonprofit actors. Washington-based tech giant Microsoft said it was encouraged, and Consumer Reports welcomed the thrust of the bill, while urging for even more improvements.

“This new draft is definitely a step in the right direction toward protecting Washington residents’ personal data,” said Consumer Reports Director of Consumer Privacy and Technology Policy Justin Brookman. “We do hope to see further improvements to get rid of inadvertent loopholes that remain in the text.”

What the Washington Privacy Act would do

Like the many US data privacy bills introduced in the past 18 months, the Washington Privacy Act approaches the problem of lacking data privacy with two prongs—better rights for consumers, tighter restrictions for companies.

On the consumer side, the Washington Privacy Act would grant several new rights to Washington residents, including the rights to access, correct, delete, and port their data. Further, consumers would receive the right to “opt out” of having their personal data used in multiple, potentially invasive ways. Consumers could say no to having their data sold and to having their data used for “targeted advertising”—the somewhat inescapable practice that results in advertisements for a pair of shoes, a fetching sweater, or an 4K TV following users around from device to device. 

Consumers could exercise their rights with simple requests to the companies that handle their data. According to the bill, these requests would require a response within 45 days. If a company cannot meet that deadline, it can file for an extension, but it is required to notify the consumer about the extension and about why it could not meet the deadline.

Further, unfulfilled requests are not a dead end for consumers—companies must also offer an appeals process to the consumers whose requests they deny or do not fulfil. Requests must also be responded to free of charge, up to two times a year per consumer.

Perhaps one of the most welcome provisions in the bill is its anti-discrimination rules. Companies cannot, the bill says, treat consumers differently because of their choices to exert their data privacy rights. On the surface, that makes dangerous ideas like “pay-for-privacy” schemes much harder to enact.

Concerning new business regulations, the Washington Privacy Act separates the types of companies it applies to into two categories: “controllers” and “processors.” The two terms, borrowed from the European Union’s General Data Protection Regulation (GDPR), have simple meanings. “Controllers” are the types of entities that actually make the decisions about how consumer data is collected, shared, or used. So, a small business with just one employee who decides to sell data to third parties? That’s a controller. A big company that decides to collect data to send targeted ads? That’s a controller, too.

Processors, on the other hand, are akin to contractors and subcontractors that perform services for controllers. So, a payment processor that simply processes e-commerce transactions and nothing more? That’s a processor.

The Washington Privacy Act’s new rules focus predominantly on “controllers”—the Facebooks, Amazons, Twitters, Googles, Airbnbs, and Oracles of the world.

Controllers would have to post privacy policies that are “reasonably accessible, clear, and meaningful,” and would include the following information:

  • The categories of personal data processed by the controller
  • The purposes for which the categories of personal data are processed
  • How and where consumers may exercise their rights
  • The categories of third parties, if any, with whom the controller shares personal data

If controllers sell personal data to third parties, or process it for targeted advertising, the bill requires those controllers to clearly disclose that activity, along with instructions about how consumers can opt out of those activities.

Separately, controllers would need to perform “data protection assessments,” in which the company looks at, documents, and considers the risks of any personal data processing that involves targeted advertising, sale, and “profiling.”

The regulation of “profiling” is new to data privacy bills. It’s admirable.

According to the bill, “profiling” is any form of automated processing of personal data to “evaluate, analyze, or predict personal aspects concerning an identified or identifiable person’s economic situation, health, personal preference, interests, reliability, behavior, location, or movements.”

In today’s increasingly invasive online advertising economy, profiling is omnipresent. Companies collect data and create “profiles” of consumers that, yes, may not include an exact name, but still include what are considered vital predictors about that consumer’s lifestyle and behavior. 

These new regulations make the Washington Privacy Act stand out amongst its contemporaries, said Stacey Gray, senior counsel with Future of Privacy Forum.

“The big picture of the bill is that includes the same individual rights as the California Consumer Privacy Act—of access, sale, et cetera—and then more,” Gray said. “The right to correct your data, to opt out of targeted advertising, and out of profiling—that is further on the individual rights side.”

Gray added that the bill’s business obligations also go further than those in the CCPA, naming the data risk assessments previously discussed.

The Washington Privacy Act includes several more business obligations, all of which add up to meaningful data protections for consumers. For instance, companies would need to commit to data minimization principles, only collecting consumers’ personal data that is necessary for expressed purposes. Companies would also need to obtain affirmative, opt-in consent from consumers before processing any “sensitive data,” which is any data that could reveal race, ethnicity, religion, mental or physical health conditions or diagnoses, sexual orientations, or citizenship and immigration statuses.

But perhaps most intriguing in the Washington Privacy Act is its regulation of facial recognition technology.

Facial recognition provisions

In 2019, Washington state lawmakers crafted a bill aimed at improving the data privacy protections of consumers. They called it… the Washington Privacy Act. That original bill, which has now been substituted the 2020 version, included provisions on the commercial use of facial recognition.

On its face, the new rules looked good: Companies that used facial recognition tech for commercial purposes would have to obtain consent from consumers “prior to deploying facial recognition services.”

Unfortunately, the original bill’s very next sentence made that consent almost meaningless.

According to that bill, consumer “consent” could be obtained not by actually asking the consumer about whether they agreed to having their facial data recorded, but instead, by posting a sign on a company’s premises.

As the bill stated:

“The placement of conspicuous notice in physical premises or online that clearly conveys that facial recognition services are being used constitute a consumer’s consent to the use of such facial recognition services when that consumer enters those premises or proceeds to use the online services that have such notice, provided that there is a means by which the consumer may exercise choice as to facial recognition services.”

The length of the explainer is as broad as the exception it allows.

This loophole upset several privacy rights advocates who, in February 2019, sent a letter to key Washington lawmakers.

“[W]hile the bill purportedly requires consumer consent to the use of facial recognition technology, it actually allows companies to substitute notification for seeking consent—leaving consumers without a real opportunity to exercise choice or control,” the letter said. It was signed by Consumer Reports, Common Sense, Electronic Frontier Foundation, and Privacy Rights Clearinghouse.

The 2020 bill closes this loophole, instead requiring affirmative, opt-in consent for commercial facial recognition use, along with mandatory notifications—such as signs—in spaces that use facial recognition technology. The new bill also requires processors to open up their data-processing tools to outside investigation and testing, in an effort to root out what the bill calls “unfair performance differences across distinct subpopulations,” such as minorities, disabled individuals, and the elderly.

Moving the Washington Privacy Act forward

Despite the 2019 Washington Privacy Act gaining swift approval in the Senate two months after its January introduction, the bill ultimately failed to reach the House. Multiple factors led to the bill’s failure, including the bill’s definitions for certain terms, its approach to enforcement, and its treatment of facial recognition.

Some of those same obstacles could come up for the 2020 bill, Gray said.

“If this bill does not pass this year, that’s where we might see a source of conflict—is either with the facial recognition provisions, or with enforcement,” Gray said. For enforcement to take hold, Gray said the Attorney General’s office—tasked with regulation—will need increased funding and staffing. Further, there will likely be opposition to the bill’s lack of “private right of action,” which means that consumers will not be able to individually file lawsuits against companies that they allege violated the law. This issue has been a sticking point for data privacy legislation for years.

Still, Gray said, the bill shows improvement from its 2019 version, which could help push it forward.

“All things aside,” Gray said, “we’re more optimistic than last year about it passing.”

The post Washington Privacy Act welcomed by corporate and nonprofit actors appeared first on Malwarebytes Labs.

Categories: Malware Bytes

A week in security (January 27 – February 2)

Malware Bytes Security - Mon, 02/03/2020 - 2:00pm

Last week on Malwarebytes Labs, we looked at the strengths and weaknesses of the Zero Trust model, gave you the low-down on spear phishing, and took a delve into the world of securing the managed service provider (MSP).

Other cybersecurity news

Stay safe, everyone!

The post A week in security (January 27 – February 2) appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Securing the MSP: their own worst enemy

Malware Bytes Security - Thu, 01/30/2020 - 11:00am

We’ve previously discussed threats to managed service providers (MSPs), covering their status as a valuable secondary target to both an assortment of APT groups as well as financially motivated threat groups. The problem with covering new and novel attack vectors, however, is that behind each new vector is typically a system left unpatched, asset management undone, a security officer not hired (typically justified with factually dubious claims of a “skills shortage”) or a board who sees investment in infrastructure—and yes, security is infrastructure—as a cost center rather than a long-term investment in sustainable profits.

In short, malware can be significantly less dangerous to a business than that business’ own operational workflow.

Points of entry

Data on breach root causes is hard to come by, typically because security vendors tend to benefit by not providing industry vertical specific risk analysis. But the data that is available occasionally hints at corporate data breaches starting with some common unforced errors.

The 2019 Verizon DBIR claims that only 28 percent of observed data breaches involve the use of malware for the initial intrusion. While malware plays a significant role in the subsequent exploitation, the numbers suggest the majority of public breaches are not driven by zero-day exploits or outlandishly complex intrusion paths. So if you’re trying to secure an MSP, what are the most common entry points for attackers?

Under the broad heading of “hacking,” the most prominent observed tactics for point-of-entry include phishing, use of stolen credentials, and other social engineering techniques. Subsequent actions to further access include common use of backdoors or compromised web applications. Let’s break these down a little further.

Phishing is a reliable way of gaining a foothold to compromise a system. How would an employee clicking on a phish constitute an unforced error? Frequently, enterprises of all sorts incentivize their workers to click on absolutely everything, while simultaneously limiting their actual reading of messages. The consequences for poorly-designed corporate communications can be huge, as was seen when an MSP lost control of admin credentials via phishing attack that was subsequently used to launch ransomware.

Stolen credentials are a tremendously common attack vector that has been seen in several high profile MSP data breaches. “Stolen” is a bit of a misnomer though, and they would be better considered as “mishandled.”

Setting aside credentials gained via social engineering or phishing, companies can frequently lose track of credentials by keeping old or unnecessary accounts active, failing to monitor public exposure of accounts, failing to force resets after secondary breaches that may impact employees, failing to enforce modern password policies—basically failing to pay attention.

Should any single account with exposed credentials be over-privileged, a significant breach is almost guaranteed. And the consequences for MSPs with sloppy credential handling can be quite severe (1, 2).

Last in the lineup for unnecessary security failures is patch management. Like any other company trying to manage fixed infrastructure costs, MSPs rely heavily on third-party software and services. So when a business-critical support app is discovered to have multiple severe vulnerabilities, it introduces a wide-open channel for further exploitation. On occasion, the vulnerabilities used are brand new. Typically, they are not, and companies that fail to patch or mitigate vulnerable software get predictably exploited.

Mishandled mitigation

These attack entry points have a couple factors in common. First, they are not tremendously technically sophisticated. Even with regards to limited APT examples, the actors relied on compromised credentials and phishing first before deploying the big guns for lateral propagation. Second, mitigating these common entry points are actions that impacted MSPs should have been doing anyway.

Credential management that includes limited external monitoring, timely access control, and periodic privilege review doesn’t simply protect against catastrophic breaches—it protects against a host of attacks at all points of the technical sophistication spectrum.

Anti-phishing system design cues not only defend against employees leaking critical data, they also make for more efficient corporate communications, keep employees safe, and ideally reduce their overall email load.

Appropriate logging with timely human review cuts down time to breach discovery, but also assists in detailed risk analysis that can make for lean and effective security budgets into the future. The relationship between all of these security behaviors and observed MSP data breaches suggests that more attention to industry best practices could have gone a long way toward eliminating or sharply diminishing breach risk.

Finally, a patch management schedule that tracks third party software and services, fixing vulnerabilities in a timely manner is a great way to close some of the largest entry points into an MSP. Subordinating patches to non critical business needs, not having a test network to deploy patches, or simply not patching at all is a large signpost to attackers signifying an easy target.

MSP security: not a luxury

An MSP might be tempted to consider security as an expensive indulgence—something to be considered as a nice-to-have after uptime and availability of resources. Done well, it is neither expensive, nor a luxury.

Adherence to security norms that have been well defined for years can go a long way toward preventing big breaches, and can do so without expensive vendor contracts, pricy consultants, or best-in-class equipment. A managed service provider who chooses to ignore or delay those norms does so at its peril.

The post Securing the MSP: their own worst enemy appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Pages