Malware Bytes

China’s RedEcho accused of targeting India’s power grids

Malware Bytes Security - Fri, 03/05/2021 - 1:28pm

RedEcho, an advanced persistent threat (APT) group from China, has attempted to infiltrate the systems behind India’s power grids, according to a threat analysis report from Recorded Future [PDF].

It appears that what triggered this attempt to gain a foothold in India’s critical power generation and transmission infrastructure was a tense standoff at Pangong Tso lake in May 2020. However, the report by Recorded Future, a cybersecurity company specializing in threat intelligence, claims that RedEcho were on the prowl well before that time.

Incidents at the border

China and India have been locked in a territorial dispute for decades over an ill-defined, disputed border between Ladakh and Aksai Chin. This de facto boundary, called the Line of Actual Control (LAC), sits in the Himalayan region. Because of snowcaps, rivers, and lakes along the frontier, the LAC can shift, and soldiers from both sides often find themselves face to face with each other, increasing the risk of a confrontation.

The most recent conflict at the border transpired in June 2020, barely a full month after the May skirmish. This time, Chinese and Indian soldiers clashed in Galwan, with China accusing India of crossing onto the Chinese side. A total of 63 casualties—20 troops from India and 43 from China—were reported. Both countries insisted that no bullets were exchanged. Instead, they engaged using, literally, sticks and stones (“rocks and clubs”, according to the BBC).

Incidents in cyberspace

Although Recorded Future had observed a lot of intrusion activity towards Indian organizations in the digital space before the clash, it gained momentum after the Indian and Chinese troops faced off in May.

“In the lead-up to the May 2020 skirmishes, we observed a noticeable increase in the provisioning of PlugX malware C2 infrastructure, much of which was subsequently used in intrusion activity targeting Indian organizations,” the report said. “The PlugX activity included the targeting of multiple Indian government, public sector, and defense organizations from at least May 2020.”

RedEcho is the latest APT group to target India via its energy sector using ShadowPad, a modular backdoor that has been in use since 2017. The company also noted in its report that ShadowPad is shared among other state-backed threat actor groups that are affiliated with both the Chinese Ministry of State Security (MSS) and the People’s Liberation Army (PLA). Some of these groups include APT41 (aka Barium, among others), Icefog, KeyBoy (aka Pirate Panda), Tick, and Tonto Team.

RedEcho allegedly penetrated a total of 12 organizations, including four of India’s five Regional Load Despatch Centres (RLDCs) and two State Load Despatch Centres (SLDCs). These organizations are responsible for ensuring the optimum scheduling and dispatching of electricity based on supply and demand across regions in India. According to Recorded Future, “The targeting of Indian critical infrastructure offers limited economic espionage opportunities; however, we assess they pose significant concerns over potential pre-positioning of network access to support Chinese strategic objectives.”

This isn’t the first time India’s critical infrastructure has been in the crosshairs. In November 2020, APT41 had set their sights on India’s oil and gas sectors. Media reports suggested that the October 2020 power outage in Mumbai and neighboring areas, which crippled train transportation, closed the stock exchange, and hampered those working from home amidst the pandemic, was sabotage. Some called the outage a “warning shot” from China.

“Profoundly disturbed”

Subrahmanyam Jaishankar, India’s foreign minister, described the relationship between India and China as “profoundly disturbed”. RedEcho is just one threat actor group that has entered the scene, but we can expect that they won’t be the last. And things might only get worse because of rising geopolitical tensions, not just between China and India but also between other countries that are currently in dispute.

Remember the December 2016 power grid attack against Ukraine by Russian hackers?

And to accentuate the likely reality that more attacks against critical infrastructure will happen in the future, Dragos Inc, a cybersecurity firm specializing in industrial cybersecurity, released its “2020 Year in Review” report in late February 2021, which found that threats against industrial control systems (ICSs) and operational technology (OT) have increased threefold.

It’s worth mentioning that not all attacks on critical infrastructure are backed by nation states. Even so, the outcome is still the endangerment of lives. Take, for example, the attempted poisoning of a Florida city’s drinking water last month, which was likely an act of vandalism but could have had the impact of a terrorist attack.

The post China’s RedEcho accused of targeting India’s power grids appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Update now! Chrome fix patches in-the-wild zero-day

Malware Bytes Security - Thu, 03/04/2021 - 8:24am

The Microsoft Browser Vulnerability Research team has found and reported a vulnerability in the audio component of Google Chrome. Google has fixed this high-severity vulnerability (CVE-2021-21166) in its Chrome browser and is warning Chrome users that an exploit exists in the wild for the vulnerability. It is not the first time that Chrome’s audio component was targeted by an exploit.

No details available

Further details about the vulnerability are restricted until a majority of Chrome users have updated to the patched version of the software. What we do know is that it concerns an object lifecycle issue in the audio component of the browser.

An object lifecycle is used in object-oriented programming to describe the time between an object’s creation and its destruction. Outside of that lifecycle the object is no longer valid, and code that still touches it can introduce a vulnerability.

For example, if everything goes as planned with the lifecycle the correct amount of computer memory is allocated and reclaimed at the right times. If it doesn’t go well, and memory is mismanaged, that could lead to a flaw – or vulnerability – in the program.

More vulnerabilities patched in the update

As usual, Google patched several other vulnerabilities and bugs in the same update. Some of the other vulnerabilities were listed with high severity:

Google said that it fixed three heap-buffer overflow flaws in the TabStrip (CVE-2021-21159, CVE-2021-21161) and WebAudio (CVE-2021-21160) components. A high-severity use-after-free error (CVE-2021-21162) was found in WebRTC. Two other high-severity flaws include an insufficient data validation issue in Reader Mode (CVE-2021-21163) and an insufficient data validation issue in Chrome for iOS (CVE-2021-21164).

The CVEs

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

  • CVE-2021-21159, CVE-2021-21161: Heap buffer overflow in TabStrip. The heap is the name for a region of a process’ memory which is used to store dynamic variables. A buffer overflow is a type of software vulnerability that exists when a write to an area of memory within an application runs past that area’s boundary and into an adjacent memory region. In software exploit code, two common areas that are targeted for overflows are the stack and the heap.
  • CVE-2021-21160: Heap buffer overflow in WebAudio.
  • CVE-2021-21162: Use after free in WebRTC. Use after free (UAF) is a vulnerability due to incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program. WebRTC allows programmers to add real-time communication capabilities to their application.
  • CVE-2021-21163: Insufficient data validation in Reader Mode. Insufficient data validation could allow an attacker to use especially crafted input to manipulate a program.
  • CVE-2021-21164: Insufficient data validation in Chrome for iOS.
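The two bug classes described above, a heap buffer overflow and a use-after-free, are both object-lifecycle mistakes of the kind the “No details available” section alludes to. The following C program is an added example, not code from the Malwarebytes post or from Chrome: it shows each defect next to its hardened form. The `sample_buf` type, the function names and the four-byte “audio frame” are constructed for illustration; the defective `append_unchecked` and `release_dangling` are kept only as the pattern to recognise and are never called.

```c
/* Added example (not from the Malwarebytes post or from Chrome): the two
 * memory-lifecycle bug classes named in the advisory, heap buffer overflow
 * and use-after-free, each shown as a defect beside its hardened form.
 * sample_buf and the frame bytes are constructed for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* A heap-allocated buffer that carries its own capacity, so every write
 * can be checked against the allocation it belongs to. */
typedef struct {
    uint8_t *data;
    size_t   cap;
    size_t   len;
} sample_buf;

sample_buf *sample_buf_new(size_t cap) {
    sample_buf *b = malloc(sizeof *b);
    if (!b) return NULL;
    b->data = calloc(cap, 1);
    if (!b->data) { free(b); return NULL; }
    b->cap = cap;
    b->len = 0;
    return b;
}

/* Defective form: trusts the caller's length and writes past the end of
 * the allocation whenever n exceeds the free space. This is the heap
 * buffer overflow pattern; it is shown for comparison and never called. */
void append_unchecked(sample_buf *b, const uint8_t *src, size_t n) {
    memcpy(b->data + b->len, src, n);   /* no comparison against b->cap */
    b->len += n;
}

/* Hardened form: refuses any write that would cross the buffer's end.
 * Returns 1 on success, 0 when the write was rejected. */
int append_checked(sample_buf *b, const uint8_t *src, size_t n) {
    if (!b || !src) return 0;
    if (n > b->cap - b->len) return 0;  /* would overflow: reject */
    memcpy(b->data + b->len, src, n);
    b->len += n;
    return 1;
}

/* Defective form: releases the buffer but leaves the caller's pointer
 * intact. Any later access through it is a use-after-free; shown for
 * comparison and never called. */
void release_dangling(sample_buf **pb) {
    free((*pb)->data);
    free(*pb);
    /* *pb still points at memory the allocator has reclaimed */
}

/* Hardened form: release and immediately clear the caller's pointer, so
 * a later access is a NULL that the accessor below rejects rather than
 * a silent read of reclaimed memory. */
void release_and_clear(sample_buf **pb) {
    if (!pb || !*pb) return;
    free((*pb)->data);
    free(*pb);
    *pb = NULL;
}

/* All reads go through an accessor that rejects a NULL (released) buffer
 * and an out-of-range index, turning a lifecycle mistake into a
 * detectable error instead of undefined behaviour. */
int sample_at(const sample_buf *b, size_t i, uint8_t *out) {
    if (!b || i >= b->len) return 0;
    *out = b->data[i];
    return 1;
}

/* Exercises the hardened path end to end and returns the number of
 * checks that held, so a test can assert on the result. */
int demo(void) {
    int passed = 0;
    const uint8_t frame[4] = {0x10, 0x20, 0x30, 0x40};  /* constructed */
    uint8_t v;
    sample_buf *b = sample_buf_new(6);
    if (!b) return -1;
    if (append_checked(b, frame, 4))  passed++;   /* 4 of 6 bytes: fits      */
    if (!append_checked(b, frame, 4)) passed++;   /* 4 more: overflow, rejected */
    if (append_checked(b, frame, 2))  passed++;   /* exactly fills the buffer */
    if (sample_at(b, 5, &v) && v == 0x20) passed++; /* last byte is frame[1]  */
    release_and_clear(&b);
    if (b == NULL) passed++;                      /* pointer was cleared     */
    if (!sample_at(b, 0, &v)) passed++;           /* access after release rejected */
    return passed;  /* 6 when every check holds */
}

int main(void) {
    printf("checks passed: %d\n", demo());
    return 0;
}
```

The design point is that the fix for both classes is the same discipline: the capacity and the validity of the object travel with the object, and every access is checked against them. In a browser component the equivalent is the bounds-checked container and the owning smart pointer; in plain C it is the capacity field, the `release_and_clear` idiom and an accessor that refuses a cleared pointer.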

When more details about the vulnerabilities come to light it’s possible that more exploits for them will be found in the wild. It depends a lot on how easy they are to abuse, and how big the possible impact can be. But with one already being used in the wild, it is advisable to update now.

How to update

The easiest way to do it is to allow Chrome to update automatically, which basically uses the same method I outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong, such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time.

My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then it will tell you all you have to do to complete the update is Relaunch the browser.

After the update your version should be at or later

Stay safe, everyone!

The post Update now! Chrome fix patches in-the-wild zero-day appeared first on Malwarebytes Labs.


21 million free VPN users’ data exposed

Malware Bytes Security - Wed, 03/03/2021 - 1:39pm

Detailed credentials for more than 21 million mobile VPN app users were swiped and advertised for sale online last week, offered by a cyber thief who allegedly stole user data collected by the VPN apps themselves. The data includes email addresses, randomly generated password strings, payment information, and device IDs belonging to users of three VPN apps—SuperVPN, GeckoVPN, and ChatVPN.

The attacks, which have not been confirmed by the VPN developers, represent the most recent privacy broadsides against the VPN industry. Two similar blunders have been revealed to the public since 2019, including one massive data leak that exposed several VPN apps’ empty promises to collect “no logs” of their users’ activity. In that data leak, not only did the VPN providers fail to live up to their words, but they also hoovered up additional data, including users’ email addresses, clear text passwords, IP addresses, home addresses, phone models, and device IDs.

For the average consumer, then, the privacy pitfalls begin to paint an all-too-familiar portrait: Users continue to feel alone when managing their online privacy, even when they rely on tools meant to enhance that privacy.

Cybersecurity researcher Troy Hunt, who wrote about the recent data leak on Twitter, called the entire issue “a mess, and a timely reminder why trust in a VPN provider is so crucial.”

He continued: “This level of logging isn’t what anyone expects when using a service designed to *improve* privacy, not to mention the fact they then leaked all the data.”

So this is a mess, and a timely reminder of why trust in a VPN provider is so crucial. This level of logging isn't what anyone expects when using a service designed to *improve* privacy, not to mention the fact they then leaked all the data.

— Troy Hunt (@troyhunt) February 28, 2021

The data leak of SuperVPN, GeckoVPN, and ChatVPN

In late February, a user on a popular hacking forum claimed that they’d stolen account information and credentials belonging to the users of three, separate VPNs apps available on the Google Play store for Android: SuperVPN, GeckoVPN, and ChatVPN.

The three apps vary wildly in popularity. According to Google Play’s count, ChatVPN has earned more than 50,000 installs, GeckoVPN has earned more than 10 million installs, and SuperVPN weighs in as one of the most popular free VPN apps for Android today, with more than 100 million installs to its name.

Despite SuperVPN’s popularity, it is also one of the most harshly reviewed VPN apps for Android devices. Last April, a writer for Tom’s Guide found critical vulnerabilities in the app that so worried him that the review’s headline directed current users to: “Delete it now.” And just one month later, a reviewer at TechRadarPro said that SuperVPN had a “worthless privacy policy” that was cobbled together from other companies’ privacy policies and which directly contradicted itself.

Not more than one year later, that privacy policy has again been thrown into the spotlight with a data leak that calls into question just what types of information the app was actually collecting.

According to the thief who pilfered the information from SuperVPN, GeckoVPN, and ChatVPN, the data for sale includes email addresses, usernames, full names, country names, randomly generated password strings, payment-related data, and a user’s “Premium” status and the corresponding expiration date. Following the forum post, the tech outlet CyberNews also discovered that the stolen data included device serial numbers, phone type and manufacturer information, device IDs, and device IMSI numbers.

According to CyberNews, the data was taken from “publicly available databases that were left vulnerable by the VPN providers due to developers leaving default database credentials in use.”

Past VPN errors

The unfortunate truth about the recent VPN app data leak is that this type of data mishap is nothing new.

In 2019, the popular VPN provider NordVPN confirmed to TechCrunch that it suffered a breach the year before. According to TechCrunch:

“NordVPN told TechCrunch that one of its data centers was accessed in March 2018. ‘One of the data centers in Finland we are renting our servers from was accessed with no authorization,’ said NordVPN spokesperson Laura Tyrell.

The attacker gained access to the server—which had been active for about a month—by exploiting an insecure remote management system left by the data center provider; NordVPN said it was unaware that such a system existed.”

Separate from the NordVPN breach, last July, seven VPN providers were found to have left 1.2 terabytes of private user data exposed online, according to a report published by the cybersecurity researchers at vpnMentor. According to the report, the exposed data belonged to as many as 20 million users. The data included email addresses, clear text passwords, IP addresses, home addresses, phone models, device IDs, and Internet activity logs.

The seven VPN providers investigated by vpnMentor were:

  • Fast VPN
  • Free VPN
  • Super VPN
  • Flash VPN
  • Secure VPN
  • Rabbit VPN

The researchers at vpnMentor also explained that there was good reason to believe that the seven apps were all made by the same developer. When analyzing the apps, vpnMentor discovered that all of them shared a common Elasticsearch server, were hosted on the same assets, shared the same, single payment recipient—Dreamfii HK Limited—and that at least three of the VPNs shared similar branding and layouts on their websites.

Finally, the report also highlighted the fact that all seven of the apps claimed to keep “no logs” of user activity. Despite this, vpnMentor said that it “found multiple instances of internet activity logs on [the apps’] shared server.”

The report continued: “We viewed detailed activity logs from each VPN, exposing users’ personal information and browsing activities while using the VPNs and unencrypted plain text passwords.”

So, not only did these apps fail to live up to their own words, but they also collected extra user data that most users did not anticipate. After all, most consumers might rightfully assume that a promise to refrain from collecting some potentially sensitive data would extend to a promise to refrain from collecting other types of data.

But, according to vpnMentor, that wasn’t the case, which is a clear breach of user trust.

Let’s put it another way:

Imagine choosing a video baby monitor that promised to never upload your audio recordings to the cloud, only to find that it wasn’t just sending those recordings to an unsecured server, but it was also snapping photos of your baby and sending those pictures along, too. 

Which VPN to trust?

The trust that you place into your VPN provider is paramount.

Remember, a VPN can help protect your traffic from being viewed by your Internet Service Provider, which could be a major telecom company, or it could be a university or a school. A VPN can also help protect you from government requests for your data. For instance, if you’re doing investigative work in another country with a far more restrictive government, a VPN could help obfuscate your Internet activity from that government, should it take interest in you.

The important thing to note here, though, is that a VPN is merely serving as a substitute for who sees your data. When you use a VPN, it isn’t your ISP or a restrictive government viewing your activity—it’s the VPN itself.

So, how do you find a trustworthy VPN provider who is actually going to protect your online activity? Here are a few guidelines:

  • Read trusted, third-party reviews. Many of the issues in the above apps were spotted by good third-party reviewers. When picking a VPN provider, rely on the words of some trusted outlets, such as Tom’s Guide, TechRadar, and CNET.
  • Ensure that a VPN provider has a customer support contact. Several of the VPN apps investigated by vpnMentor lacked any clear way to contact them. If you’re using a product, you deserve reliable, easy-to-reach customer support.
  • Check the VPN’s privacy policy. As we learned above, a privacy policy is not a guarantee of actual privacy protection, but a company’s approach to its privacy policy can offer insight into the company’s thinking, and how much it cares about keeping its promises.
  • Be cautious of free VPNs. As we wrote about last week, free VPNs often come with significant trade-offs, including annoying ads and the surreptitious collection and sale of your data.
  • Consider a VPN made by a company you already trust. More online privacy and cybersecurity companies are offering VPN tools to supplement their current product suite. If you already trust any of those companies—such as Mozilla, Ghostery, ProtonMail, or, yes, Malwarebytes—then there’s good reason to trust their VPN products, too.

It’s a complicated online world out there, but with the right information and the right, forward-looking research, you can stay safe.

The post 21 million free VPN users’ data exposed appeared first on Malwarebytes Labs.


Patch now! Exchange servers attacked by Hafnium zero-days

Malware Bytes Security - Wed, 03/03/2021 - 7:34am

Microsoft has detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. Microsoft attributes the attacks to a group they have dubbed Hafnium.

“HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.”

The Hafnium attack group

Besides a rare metal that chemically resembles zirconium, Hafnium is a newly identified attack group that is also thought to be responsible for other attacks on internet-facing servers, and typically exfiltrates data to file sharing sites. Despite their use of leased servers in the US, the group is believed to be based in China (as most security researchers will tell you, attribution is hard, especially when it involves international espionage).

Exchange Server

In many organizations, internal cooperation depends on groupware solutions that enable the central administration of emails, calendars, contacts, and tasks. Microsoft Exchange Server is software that offers this functionality for Windows-based server systems.

In this case the attacker was using one of the zero-day vulnerabilities to steal the full contents of several user mailboxes from such servers.

Not one, but four zero-days

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The CVEs (with descriptions provided by Microsoft) used in these attacks were:

  • CVE-2021-26855: Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.
  • CVE-2021-26857: Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.
  • CVE-2021-26858: Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.
  • CVE-2021-27065: Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.

They all look the same. Boring you said? Read on!

The attack chain

While the CVE description is the same for all four CVEs, the report by Volexity, the security firm that discovered the attacks, tells us that CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that was used to steal mailbox content. The Remote Code Execution (RCE) vulnerability CVE-2021-26857 was used to run code under the System account. The other two zero-day flaws — CVE-2021-26858 and CVE-2021-27065 — would allow an attacker to write a file to any part of the server.

Together these 4 vulnerabilities form a powerful attack chain which only requires the attacker to find the server running Exchange, and the account from which they want to extract email. After exploiting these vulnerabilities to gain initial access, Hafnium operators deployed web shells on the compromised servers to gain persistence and make more changes. Web shells can allow attackers to steal data and perform additional malicious actions.

Urgent patching necessary

Even though the use of the vulnerabilities was described as “limited”, now that the information has been made public we may see a quick rise in the number of attacks, especially since the attack does not require a lot of information about the victim to start with.

Or as Microsoft’s vice president for customer security Tom Burt put it:

“Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems.”

Users of Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, and Microsoft Exchange Server 2019 are advised to apply the updates immediately to protect against these exploits, prioritizing the externally facing Exchange servers.

Microsoft also advises that the initial stage of the attack can be stopped by “restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access”, although the other parts of the attack chain can still be exploited, if other means of access are used.

Stay safe, everyone!

The post Patch now! Exchange servers attacked by Hafnium zero-days appeared first on Malwarebytes Labs.


Ryuk ransomware develops worm-like capability

Malware Bytes Security - Tue, 03/02/2021 - 3:07pm

The French government’s computer emergency readiness team, which is part of the National Cybersecurity Agency of France (ANSSI), discovered a Ryuk variant with worm-like capabilities during an incident response.

For those unacquainted with Ryuk, it is a type of ransomware that is used in targeted attacks against enterprises and organizations. It was first discovered in the wild in August 2018 and has been used in numerous cyberattacks since, including high profile incidents like the attack on the Tampa Bay Times and other newspapers in January 2020. According to the FBI, it is the number one ransomware in terms of completed ransom payments.

How has Ryuk changed?

The French team found a variant of Ryuk that could spread itself from system to system within a Windows domain. Once launched, it will spread itself on every reachable machine on which Windows Remote Procedure Call (RPC) access is possible. (Remote procedure calls are a mechanism for Windows processes to communicate with one another.)

Why is this remarkable?

This is notable for two separate reasons.

  • Ryuk used to be dropped into networks and spread manually, by human operators, or deployed into networks by other malware.
  • Historically, one of the major players when it came to dropping Ryuk has been Emotet. And as it happens, the Emotet botnet suffered a serious blow when, in a coordinated action, multiple law enforcement agencies seized control of the Emotet botnet. And if the plan behind this takedown works, the botnet will be rolled up from the inside.

Targeted ransomware attacks command high ransoms because they infect entire networks, grinding whole organizations to a halt. Until this discovery, Ryuk had always relied on something else to spread it through the networks it attacked.

Given the timing of the Emotet takedown (January 27, 2021) and the discovery of the worm-like capabilities (“early 2021”) it’s tempting to connect the two. However, it would have required a very quick turn-around for these new capabilities to have been developed in response to the loss of Emotet. On the other hand, I’m not a firm believer in coincidence, especially when there are compelling reasons to suspect otherwise.

Not an Emotet alternative

But the new-found worm capabilities of Ryuk are not an alternative to the initial infection of a network that Emotet used to provide. The worm-like capabilities are used once the attackers are already inside a network, not to get inside it.

And even though Emotet was renowned for appearing in combination with Ryuk, it certainly wasn’t its exclusive dealer. It is still hard to tell what the impact of the Emotet takedown will be on the malware families that were often seen as its companions.

Ryuk’s technical capabilities

The team behind Ryuk has proven with earlier tricks that they are very adept in using networking protocols. In 2019 researchers found that Ryuk had been updated with the ability to scan address resolution protocol (ARP) tables on infected systems, to obtain a list of known systems and their IP and MAC addresses. For systems found within the private IP address range, the malware was then programmed to use the Windows Wake-on-LAN command, sending a packet to the device’s MAC address, instructing it to wake up, so it could remotely encrypt the drive. Wake-on-LAN is a technology that allows a network professional to remotely power on a computer or to wake it up from sleep mode.

The combination of ARP and RPC.

Summing up, this new variant can find systems in the “neighborhood” by reading the ARP tables, wake those systems up by sending a Wake-on-LAN command, and then use RPC to copy itself to identified network shares. This step is followed by the creation of a scheduled task on the remote machine.

In 2019, the NCSC reported that

“Ryuk ransomware itself does not contain the ability to move laterally within a network,”

meaning that attackers would first conduct network reconnaissance, identify systems for exploitation and then run tools and scripts to spread the crypto-locking malware. With the development of this new capability, this statement is now no longer true.

Mitigating network traversal

One of the mitigation processes that were proposed, and that didn’t involve any cyber-security software, was to disable the user account(s) that are in use to send the RPC calls, and to change the KRBTGT domain password. KRBTGT is a local default account that acts as the service account for the Kerberos Key Distribution Center (KDC) service. Every Domain Controller in an Active Directory domain runs a KDC service. Disabling the user account(s), and especially changing the KRBTGT domain password, will have a serious effect on network operations and require many systems to reboot. But those troubles don’t outweigh the ramifications of a full network falling victim to ransomware.

Keep your networks safe, everyone!

The post Ryuk ransomware develops worm-like capability appeared first on Malwarebytes Labs.


Defending online anonymity and speech with Eva Galperin: Lock and Code S02E03

Malware Bytes Security - Mon, 03/01/2021 - 9:00am

This week on Lock and Code, we discuss the top security headlines generated right here on Labs. In addition, we talk to Eva Galperin, director of cybersecurity for Electronic Frontier Foundation, about the importance of protecting online anonymity and speech.

In January, the New York Times exposed a public harassment campaign likely waged by one woman against the family of her former employer. Decades after being fired, the woman allegedly wrote dozens of fraudulent posts across the Internet, ruining the family’s reputation and often slipping past any repercussions.

Frequently, the websites that hosted this content refused to step in. And, in fact, depending on what anyone posts on major websites today, those types of refusals are entirely within a company’s right.

These stories frequently produce reactionary “solutions” to the Internet—from proposals to change one foundational law to requiring individuals to fully identify themselves for every online conversation. Those solutions, however, can often harm others, including government whistleblowers, human rights activists working against oppressive governments, and domestic abuse survivors.

Tune in to hear about the importance of online anonymity for domestic abuse survivors and why changing one key Internet law will not actually fix the problems we have today, on the latest episode of Lock and Code, with host David Ruiz.

You can also find us on the Apple iTunes store, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

We cover our own research on: Other cybersecurity news

Stay safe, everyone!

The post Defending online anonymity and speech with Eva Galperin: Lock and Code S02E03 appeared first on Malwarebytes Labs.


To pay, or not to pay? That is the VPN question

Malware Bytes Security - Sat, 02/27/2021 - 9:00am

VPNs have been a subject of deliberation for a long time.

Is it even important to use one? I think the pandemic has made it clear that, yes, using a VPN is useful, even necessary, most especially for those working remotely.

But should you pay for it? Or would you rather settle for free?

We’re going to take a look at free VPNs and paid VPNs in general. Mind you, we don’t recommend any brands. Instead, we want to help you make an informed choice about which one to use. Let’s face it, although the security- and privacy-conscious lean heavily toward paid VPN services, free VPN services—if we’re going to be honest—also have their place.

But what exactly is free?

We think there are three kinds of “free” in the context of VPNs:

  • The “free-for-a-while” VPN. These are the VPN products that are free trial versions of paid products. Key features can be used by anyone who is interested in giving the VPN a test run, but only for a while.
  • The honest free VPN. Like “free-for-a-while”, these VPN products are often designed to entice you into paying for a VPN, but they are not time limited and are distributed to the public for free. Genuinely free. Their marketing makes it clear what potential users will get, and what they will not get by not paying. This may include bandwidth throttling, sporadic disconnections—you get the idea.
  • The mystery free VPN. This is perhaps the trickiest of the free ones. It’s tricky because some of the information that users would like to know about a VPN (most importantly, why it’s free) is not there—they are not “visibility friendly”. Just because a VPN provider doesn’t make it clear what the trade-offs of using its products are, that doesn’t mean that there aren’t any. As a result, users are hindered from making an informed choice, leaving them trying out a product blind.

Why use a free VPN?

There are several reasons why someone might use a free VPN. And the most obvious one is to save money. Why pay for something when you can get it for free?

Someone may also reason that, although they have heard that some free VPNs can be bad, this one must be fine because it was recommended by a friend, a neighbor, or a tech-savvy colleague who knows what they’re talking about.

At times, internet users use free VPNs because they may have no choice. Some institutions, such as universities and non-profit organizations, provide free VPNs for members to use.

The most important thing to remember when choosing a VPN is that it effectively becomes your Internet Service Provider (ISP). You are hiding your traffic from everyone else by pushing it through the VPN. So you had better trust your VPN provider a lot.

Are free VPNs safe?

So, the key questions to ask about a free VPN are: Why is it free, and how is it paid for? And, if somebody else is paying for your VPN, what are they getting in return?

A widespread problem one may encounter with genuinely free VPNs is resource constraint. This may be deliberate, in the hope you’ll upgrade to a paid service, or just a side effect of using an under-funded service.

The problem with mystery free VPNs is the possibility of your internet activity being monetised, either by recording it for sale, or by tampering with it (by injecting ads, for example). When we took a look at free mobile VPNs last year, we concluded that many of them have problems and they are generally not safe to use.

Speaking of data recording and storage, there’s a population of internet users who have accepted the fact that one way or another, their activity and data are being recorded. This becomes another reason for them to use free VPNs, in the belief that even paid providers cannot guarantee that they won’t keep records about how their users use their service. For many, this is perhaps the make-or-break factor when weighing the odds. Why pay for privacy when it’s not genuinely offered by the VPN providers, free or paid?

If you understand who’s paying for your free VPN and why, we think it’s alright to use a free VPN service. It’s perhaps most suitable for occasional and light VPN users. They may consider the many limitations normally offered by free VPNs as not problems at all. In fact, they may willingly accept these limitations.

A light VPN user typically would like to protect their data when occasionally using public hotspots, such as in a restaurant, hotel lobby, public park, mall, or coffee shop. They would also like to temporarily visit a website that is normally geo-blocked when accessed in the user’s current location.

Keep in mind that even if you trust your VPN, you should keep your cybersecurity senses about you. A VPN over public Wi-Fi protects your traffic from snooping and manipulation, but it doesn’t protect you from all possible online threats; nothing does. So, it’s still important to practice good internet safety habits while on the go with your mobile device.

Why pay for your VPN?

To get our money’s worth, we need to know where our money goes.

In the case of VPNs, the really good ones boast of speed, unfettered connections, unlimited data, multiple server connection options, a high level of privacy—factors that a great majority of free VPN service providers can’t compete with.

When it comes to price, free will always come out on top, of course. But contrary to what many people think or expect from commercial VPNs, the majority of which are based on a monthly subscription scheme, the must-haves they offer are actually quite affordable. Depending on the kind of package that is on offer, you can expect to dish out as little as $1.99 USD/month (£1.40/month). The most expensive package we’ve seen so far amounts to $12.99 USD/month (£9.17/month), and it’s still not bad value.

Incidentally, several VPN providers accept cryptocurrency as payment for their services although this is not yet a fully accepted form of payment. This is handy for anyone who’d like to take their privacy journey a bit further.

To date, accepted cryptocurrencies are Bitcoin, Ethereum, and Ripple.

As you may already know, a paid premium VPN does more than just hide your true location and enable you to watch Netflix from countries where it’s normally unavailable. Here’s a high-level breakdown of what they offer, so you can judge whether they are, indeed, worth $13 a month:

  • Truly protected data. These are big words. Some of us are used to hearing but not believing them most of the time. Premium VPN service providers do have the technology and know-how to truly protect user data. All the top tier ones can make your session data disappear whenever you disconnect from the web. And that’s a good thing. What’s more, they keep no logs of user activity, provide AES 256-bit end-to-end encryption, support many tunneling protocols, and use other protection features that won’t leak your data even if you get temporarily disconnected from your VPN server.
  • Truly unlimited bandwidth and speed. More big words, but again, these are possible for paid premium VPNs to offer. They have servers optimized for not just bandwidth and speed but also security, privacy, peer-to-peer (P2P) file sharing, media streaming, and video gaming.
  • More server locations to choose from. The more servers a provider offers in different locations, the more chance you have of unblocking region-restricted content at a speed you are happy with. Some VPN providers also let paid users manually pick their own servers to connect to, whereas sometimes, in their free trial versions, this convenient feature is not included.
  • Added security features. The age of VPNs only caring about privacy is gone, and the age of VPNs also providing security has come. Some paid-for VPNs stop you from accessing blocklisted sites and stop invasive and annoying ads or malvertising.
  • Support availability. This is already a given, but it’s still worth mentioning. Many paid providers offer 24/7 support for their clients in need of technical assistance.

We’ve weighed the odds. Now what?

Running a VPN is an expensive business and we think that “you get what you pay for” is—for the most part—true. But truth be told, there are exceptions to this. At the end of the day, it all boils down to how you want to use a VPN and how you want your VPN to work for you.

If you’re looking for free, we recommend you choose a brand that has a freemium model that lets you access a basic service for free in the hope you’ll upgrade—the “free-for-a-while” and honest free options. It’s better to go this route than risk inviting the very thing that threatens your privacy and security.

The post To pay, or not to pay? That is the VPN question appeared first on Malwarebytes Labs.

Categories: Malware Bytes

TikTok pays $92 million to end data theft lawsuit

Malware Bytes Security - Fri, 02/26/2021 - 1:47pm

TikTok, the now widely popular social media platform that allows users to create, share, and discover short video clips, has been enjoying explosive growth since it appeared in 2017. Since then, it hasn’t stopped growing—more so during the current pandemic.

While we can no longer categorize TikTok as a kids’ app, most concerns about the app have been around the privacy of children. You can read more details about its track record in this field in our article Are TikTok’s new settings enough to keep kids safe?

Last year the app escaped a total ban in the US after rumors that it was sharing the data of US citizens with the Chinese government.

Now TikTok has agreed to pay $92 million to settle dozens of lawsuits alleging that it harvested personal data from users, including information using facial recognition technology, without consent, and shared the data with third parties.

What was TikTok accused of?

In fact, there were dozens of lawsuits alleging that the popular video-sharing app used personal data from users improperly. The suits were merged into one multi-district action in the Northern District of Illinois that cited violations of privacy laws in Illinois and California.

One lawsuit accused the social media platform of deploying a complex artificial intelligence (AI) system to scan for facial features in users’ videos, combined with algorithms to identify a user’s age, gender and ethnicity.

Another point brought forward claims that TikTok doesn’t adequately disclose how user data is shared with entities outside the US. Since the owner of the app is the Chinese company ByteDance, this behavior has already prompted some organizations—including Wells Fargo and some branches of the US military—to ask their employees not to use the app on devices that also contain data about them.

According to lawyers representing TikTok users, the app “clandestinely vacuumed up” vast quantities of private and personally identifiable data that could be used to identify and surveil users without permission. Even information from draft videos that were never shared publicly was mined by TikTok for data, the lawyers for the users alleged. TikTok also shared information about users, without their consent, with Facebook, Google and other companies, the suit claims.

Code obfuscation

One of the arguments brought forward to prove their case was that investigators hired by the plaintiffs’ lawyers found that TikTok went to great lengths to obfuscate its data collection and sharing practices. It is worth noting here that obfuscation is not only done to hide illegal practices. Sometimes obfuscation is simply done to keep out the competition.

Did TikTok admit anything?

No. A spokesperson said:

Rather than go through lengthy litigation, we’d like to focus our efforts on building a safe and joyful experience for the TikTok community.

So, they would rather spend their time elsewhere, rather than in court. Understandable, but $92 million is a hefty sum. And maybe, just maybe, they would like to keep their lawyers available for possible future actions against the company. Former President Donald Trump threatened to ban TikTok unless ByteDance sold the app to a US-based owner. The Biden administration has pulled back from that take on TikTok, instead launching a broader review of Americans’ use of Chinese technology.

TikTok has always denied the allegations of sharing data, arguing other competing social networks have similar data collection practices, and insisting the company does not ship American user data to foreign servers.

So, this is settled now?

Well, not completely. This part of the battle has taken the best part of a year. And a federal judge still needs to sign off on the $92 million agreement. If it is approved, the settlement money will be divided up among US-based TikTok users (it’s roughly one dollar per American TikTok user).

The proposed TikTok settlement follows a similar deal struck last year in which Facebook paid $650 million to resolve legal claims over collecting and storing the biometric data of millions of users.

Besides the monetary settlement, TikTok will no longer record users’ biometric information, including facial characteristics, nor track their locations using GPS data. TikTok also committed to stop sending US users’ data overseas, and the app said it would no longer collect data on draft videos before the content is published.

Biometric data

TikTok’s use of facial biometric data is interesting, but unexceptional. All across the world, governments and corporations are developing facial recognition technology. Facebook uses it, Apple Photos uses it, police forces all over the world use it.

There are many concerns, however. Lack of oversight, ethics, failures and false positives, and bias against marginalized groups are all pressing concerns. As a result, a backlash has started and bans or moratoriums on facial recognition are now being implemented or considered in many jurisdictions.

With increased scrutiny on the use of facial recognition, and on the use of Chinese technology, the use of biometrics and other personal data by social media with ties to foreign entities, especially China, is likely to attract a lot of attention from now on. Just ask Clubhouse.

The post TikTok pays $92 million to end data theft lawsuit appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Scammers, profiteers, and shady sites? It must be tax season

Malware Bytes Security - Thu, 02/25/2021 - 11:46am

US tax season is upon us, a time of the year when a special kind of vermin comes crawling out of the woodwork: tax scammers! Not that their goals are any different from any other scammers. They want your hard-earned dollars in their pockets.

Most of the tax-related attacks follow a few tried and true methods: A phishing email or scam call from someone purporting to be from the IRS, or an accountant offering to help you get a big refund. With all the financial and personal data to be had, it’s a time to keep a close eye on who you give your details to.

Below is a real example you can use as a guide to the things you need to consider if you decide to use an online tax filing service.

Online tax services

This blogpost was triggered by a web push notification I got from a search hijacker from the SearchDimension family I was investigating. Many search hijackers in this family also use notifications, which qualifies them as adware.

It’s not that I recognized the form displayed in the notifications, but I knew the notification would likely be aimed at US users of the extension I was investigating since I had set my VPN to New York.

Anyway, the thought of someone providing their financial status and personal data to a website that was advertised in this manner gave me the creeps.

The website

The full URL behind the “Click Here” field was:

The items after the question mark are Google Analytics campaign tracking parameters that help a website understand where its traffic is coming from. In this case the site appears to be using them so it can attribute traffic to different affiliates (presumably so the site knows how much to pay them).

A click on that link in the notification brought me to this site:

Note that I went from free to a 30% discount in just one click. A bad start! Some digging revealed that the domain originally belonged to a record shop called “Vinyl Junkie.” The internet archive has a first snapshot dating back to October of 2000. In 2005 the domain had switched to an outfit selling software to organize and store files. The first snapshot promoting an online tax filing service shows up in 2010.

Phishing sites tend not to hang around that long, so while the domain’s history is certainly interesting, it is not in itself a bad sign.


Another interesting piece of information can be found in the page about their affiliate program.

There is no indication that e-file is using search hijackers itself. In this case it seems as if an affiliate is, and e-file may not know that it has an affiliate doing that. But offering the most aggressive payouts (“double what many of our competitors pay!”), even when the customer does not spend any money, is exactly what attracts the most obnoxious advertisers on the web.

We asked Dr. Fou of FouAnalytics to have a look at the affiliate program details and the notification I clicked on, and this is what he told us:

Anyone running or using affiliate programs to drive more leads and sales should carefully review who is sending the links, leads, and sales. This is clearly an example of scammers taking advantage of an affiliate program and using shady techniques to get paid. They are trading off of your good name, and consumers will think you scammed them. This is just like malvertising that happens on mainstream publishers’ sites; the consumers think the publisher compromised their device because they didn’t realize the malicious code came in through an ad served into the page.


One way to find out more information about a company or site is to look for reviews from other users. When we did this for and found many complaints that might indicate that their services are not always as free as they claim.

Other reviews speak of missed opportunities for a refund and a lack of service. Bad reviews aren’t proof of wrongdoing though, and you may say: “OK, what did you expect from a free service?” If a service is offered for free, but it still promises to pay its affiliates high rates, that money is coming from somewhere.

Speaking for myself, I am not sure a free service is how I would try to save money in tax season.

ID theft

We are not accusing e-file of being up to no good, but one of its affiliates is. And they are not the only ones trying to make a quick buck from you in tax season. Chief among them are ID thieves.

Scammers like tax season because people don’t like tax, many are baffled by it, lots of people will be in a hurry or looking for ways to make it easier, and in the end they will have to hand over a lot of personal information.

For those who have no idea what information you do (and don’t) need to provide when you file your taxes, here is a pretty extensive list. Remember that a social security number, birth date, and bank account number are all the information a cyber-criminal needs to perform identity theft. And the consequences of that theft can be devastating. Identity theft is not to be taken lightly. It can take years to recover from and be very costly. A good resource for information about it is the ITRC.

So, it is wise to do some research before you trust any website with your personal details (and not just those that help with your tax).

And even if a service is legitimate, you should consider how secure your data will be if you entrust it to them. If the data gets exposed in a breach, the result for you is practically the same as if it had been sold anyway.

You can find more general tips to stay safe in tax season in our blogpost Coughing in the face of scammers: security tips for the 2020 tax season.

Stay safe, everyone!

The post Scammers, profiteers, and shady sites? It must be tax season appeared first on Malwarebytes Labs.

Categories: Malware Bytes

LazyScripter: From Empire to double RAT

Malware Bytes Security - Wed, 02/24/2021 - 11:06am

Malwarebytes’ Threat Intelligence analysts are continually researching and monitoring active malware campaigns and actor groups as the prevalence and sophistication of targeted attacks rapidly evolves. In this paper, we introduce a new APT group we have named LazyScripter, presenting in-depth analysis of the tactics, techniques, procedures, and infrastructure employed by this actor group.

Although the observed TTPs have commonality with known actor groups, there are many notable differences setting LazyScripter apart from these groups; these similarities and differences are discussed in the Attribution section of this paper.

APT groups are traditionally tracked according to specific targets and tools or methodologies they employ. Many actor groups use spam campaigns, attaching weaponized documents to phishing emails themed to target the industry or demographic of interest. In this case, we initially discovered a number of malicious emails specifically targeting individuals seeking employment, which prompted a deeper investigation.

Digging deeper we uncovered a targeted spam campaign dating back as far as 2018 using phishing lures with themes aimed not only at those seeking immigration to Canada for employment, but also at airlines.

In the following analysis, we walk through the timeline of observed TTPs from the initial phishing campaign to the state of the current and ongoing activities of the actor. We take a deep dive into each of the tools used, including the weaponized documents and the multiple variants of malware and exploitation techniques employed. Finally, we detail the infrastructure used and discuss the attribution comparisons with known actor groups such as APT28 and Muddy Water.

This in-depth and detailed analysis has revealed a developing campaign by what we believe to be a previously unidentified APT actor. Not only has this campaign been active for several years, but ongoing tracking shows this actor is still maintaining the infrastructure used and is actively updating toolsets. For this reason, we continue to track this new group LazyScripter as the threat evolves.

Download paper here.

The post LazyScripter: From Empire to double RAT appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Clop targets execs, ransomware tactics get another new twist

Malware Bytes Security - Tue, 02/23/2021 - 10:17am

Ransomware peddlers have come up with yet another devious twist on the recent trend for data exfiltration. After interviewing several victims of the Clop ransomware, ZDNet discovered that its operators appear to be systematically targeting the workstations of executives. After all, the top managers are more likely to have sensitive information on their machines.

If this tactic works, and it might, it’s likely that other ransomware families will follow suit, just as they’ve copied other successful tactics in the past.

What is Clop ransomware?

Clop was first seen in February 2019 as a new variant in the Cryptomix family, but it has followed its own path of development since then. In October 2020 it became the first ransomware to demand a ransom of over $20 million dollars. The victim, German tech firm Software AG, refused to pay. In response, Clop’s operators published confidential information they had gathered during the attack, on a dark web website.

Clop’s Dark Web leak site

Copycat tactics

When we first came across file-encrypting ransomware, we were astounded and horrified at the same time. The simplicity of the idea—even though it took quite a bit of skill to perfect a sturdy encryption routine—was of a kind that you immediately recognize as one that will last.

Since then, ransomware has developed in ways we have seen before in other types of malware, but it has also introduced some completely new techniques. Clop’s targeting of executives is just the latest in a list of innovations we’ve witnessed over the last couple of years.

Let us have a quick look at some of these innovations ranging from technical tricks to advanced social engineering.

Targeted attacks

Most of the successful ransomware families have moved away from spray-and-pray tactics to more targeted attacks. Rather than trying to encrypt lots of individual computers using malicious email campaigns, attackers break into corporate networks manually, and attempt to cripple entire organisations.

An attacker typically accesses a victim’s network using known vulnerabilities or by attempting to brute-force a password on an open RDP port. Once they have gained entry they will likely try to escalate their privileges, map the network, delete backups, and spread their ransomware to as many machines as they can.

Data exfiltration

One of the more recent additions to the ransomware arsenal is data exfiltration. During the process of infiltrating a victim’s network and encrypting its computers, some ransomware gangs also exfiltrate data from the machines they infect. They then threaten to publish the data on a website, or auction it off. This gives the criminals extra leverage against victims who won’t, or don’t need to, pay to decrypt their data.

This extra twist was introduced by Ransom.Maze but is also used by Egregor, and Ransom.Clop as well, as we mentioned above.

Hiding inside Virtual Machines

I warned you about technical innovations. This one stands out among them. As mentioned in our State of Malware 2021 Report, the RagnarLocker ransomware gang found a new way to encrypt files on an endpoint while evading anti-ransomware protection.

The ransomware’s operators download a virtual machine (VM) image, load it silently, and then launch the ransomware inside it, where endpoint protection software can’t see it. The ransomware accesses files on the host system through the guest machine’s “shared folders.”

Encrypting Virtual Hard Disks

Also mentioned in the State of Malware 2021 Report was the RegretLocker ransomware that found a way around encrypting virtual hard disks (VHD). These files are huge archives that hold the hard disk of a virtual machine. If an attacker wanted to encrypt the VHD, they would endure a painfully slow process (and every second counts when you’re trying not to get caught) because of how large these files are.

RegretLocker uses a trick to “mount” the virtual hard disks, so that they are as easily accessible as a physical hard disk. Once this is done, the ransomware can access files inside the VHD and encrypt them individually, steal them, or delete them. This is a faster method of encryption than trying to target the entire VHD file.

Thwarting security and detection

Ransomware is also getting better at avoiding detection and disabling existing security software. For example, the Clop ransomware stops 663 Windows processes (which is an amazing amount) and tries to disable or uninstall several security programs, before it starts its encryption routine.

Stopping these processes frees some files that it could not otherwise encrypt, because they would be locked. It also reduces the likelihood of triggering an alert, and it can hinder the production of new backups.
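A detection-side view of the mass process termination described above, added here as an example (not Malwarebytes code): a sliding window flags any process that stops many distinct other processes within a short time. The log lines and process names are constructed for the demo; a real deployment would map EDR process-termination telemetry onto the same (timestamp, actor, target) tuples.

```python
"""Flag bursts of process terminations by one actor, the pre-encryption
pattern described for Clop (hundreds of processes stopped in seconds).

Added example, not Malwarebytes code. SAMPLE_LOG is a constructed
"timestamp actor -> target" feed; feed real termination events in the
same tuple shape to find_kill_bursts()."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample telemetry: one process-termination event per line.
SAMPLE_LOG = """\
2021-02-23T10:00:01 explorer.exe -> notepad.exe
2021-02-23T10:05:00 svc_update.exe -> sqlservr.exe
2021-02-23T10:05:00 svc_update.exe -> MSExchangeIS.exe
2021-02-23T10:05:01 svc_update.exe -> vssvc.exe
2021-02-23T10:05:01 svc_update.exe -> outlook.exe
2021-02-23T10:05:02 svc_update.exe -> excel.exe
2021-02-23T10:05:02 svc_update.exe -> backup_agent.exe
2021-02-23T10:05:03 svc_update.exe -> av_service.exe
2021-02-23T10:05:03 svc_update.exe -> winword.exe
2021-02-23T10:30:00 explorer.exe -> chrome.exe
"""


def parse_events(text):
    """Yield (timestamp, actor, target) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, _, target = line.split()
        yield datetime.fromisoformat(ts), actor, target


def find_kill_bursts(events, window=timedelta(seconds=60), threshold=5):
    """Return {actor: peak number of distinct targets it terminated inside
    any `window`} for every actor that reached `threshold`.

    One deque per actor holds the events still inside the window. Distinct
    targets are counted because legitimate software rarely stops many
    unrelated processes at once, while Clop stops hundreds."""
    recent = defaultdict(deque)
    peaks = {}
    for ts, actor, target in sorted(events):
        q = recent[actor]
        q.append((ts, target))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop events that fell out of the window
        distinct = len({t for _, t in q})
        if distinct >= threshold:
            peaks[actor] = max(peaks.get(actor, 0), distinct)
    return peaks


if __name__ == "__main__":
    # Expected: {'svc_update.exe': 8}; explorer.exe never exceeds one per window.
    print(find_kill_bursts(parse_events(SAMPLE_LOG)))
```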

What next?

It remains to be seen if Clop’s new tactic will be copied by other ransomware families or how it might evolve.

It has been speculated that the tactic of threatening to leak exfiltrated data has lowered some victims’ expectations that paying the ransom will be the end of their trouble. Targeting executives’ data specifically may be a way to redress this, by increasing the pressure on victims.

Clop, or a copycat, may also try to use the information found on managers’ machines to spread to other organisations. Consider, for example, the method known as email conversation thread hijacking, which uses existing email conversations (and thus trust relationships) to spread to new victims. Or the information could be sold to threat actors that specialize in business email compromise (BEC).

For those interested, IOCs and other technical details about Clop can be found in the Ransom.Clop detection profile.

The post Clop targets execs, ransomware tactics get another new twist appeared first on Malwarebytes Labs.

Categories: Malware Bytes

The mystery of the Silver Sparrow Mac malware

Malware Bytes Security - Tue, 02/23/2021 - 7:15am

Cyber security company Red Canary published findings last week about a new piece of Mac malware called Silver Sparrow. This malware is notable in being one of the first to include native code for Apple’s new M1 chips, but what is unknown about this malware is actually more interesting than what is known!


We know that the malware was installed via Apple installer packages (.pkg files) named update.pkg or updater.pkg. However, we do not know how these files were delivered to the user.

These .pkg files included JavaScript code, in such a way that the code would run at the very beginning, before the installation has really started. The user would then be asked if they want to allow a program to run “to determine if the software can be installed.”

This means that, if you were to click Continue, but then think better of it and quit the installer, it would be too late. You’d already be infected.

Malware life cycle

The malicious JavaScript code installs a launch agent plist file for the current user, which is designed to launch a script named once per hour. This script has several functions.

First, it will contact a command & control server formerly hosted on Amazon AWS. The data it gets back looked something like this at the time of analysis:

{ "version": 2, "label": "verx", "args": "upbuchupsf", "dls": 4320, "run": true, "loc": "~/Library/._insu", "downloadUrl": "" }

Next, the malware will check for the file ~/Library/._insu. From Malwarebytes data, it appears that this is a zero-byte file, and the malware simply uses it as a marker to indicate that it should delete itself. In this case, the script does exactly that, then exits.

Finally, it will try to determine whether there is a newer version of the malware (which will always be the case if the final payload is not yet installed), and if so, it will download the payload from the URL provided in the downloadUrl parameter in the data from the command & control server.

However, as can be seen from the data, at the time of analysis, the download URL was blank. Although we know that the script will store the payload at /tmp/verx, we have yet to see any instances of this payload on any infected machines.

If the payload were actually downloaded, it would be launched with the args data as the arguments.

Separate from the files dropped by the JavaScript, the .pkg file also installs an app into the Applications folder. This app is named either “tasker” or “updater,” depending on the version of the .pkg file. Both of these apps appear to be very simplistic placeholder apps that don’t do anything interesting.

Silver Sparrows in the wild

Malwarebytes researchers collaborated with Red Canary researchers on their find, and have collected significant data about the infection at this point. At the time of this writing, we’ve seen 39,080 unique machines with components of Silver Sparrow detected by Malwarebytes.

Those detections are primarily clustered in the US, with more than 25,000 unique machines having Silver Sparrow detections. This, of course, is affected by Malwarebytes’ heavily US-based customer base, but the malware does appear to be quite widespread, with detections in 164 different countries.

Country           Detections
United States         25,331
United Kingdom         2,785
Canada                 2,389
France                 2,218
Germany                  920
Italy                    636
Australia                509
Spain                    368
India                    306
Mexico                   196

Silver Sparrow detections by country

The paths detected show a rather interesting pattern. The vast majority of “infections” are actually represented by the ._insu file, and machines that have that file present do not have any of the other components (as expected).

Path                                          Detections
~/Library/._insu                                  38,869
/Applications/updater.app                          1,627
/Applications/tasker.app                             763
~/Library/Application Support/verx_updater           731
~/Library/LaunchAgents/init_verx.plist               707
/tmp/version.plist                                   649
/tmp/version.json                                    568
/tmp/agent.sh                                         86

Malwarebytes Silver Sparrow detections

Conclusions

At this time, we have yet to see the /tmp/verx payload. None of the infected machines have it installed. This means that, as Red Canary said, we have little information on what the intent of this malware is.

The args value in the data from the command and control server (upbuchupsf) looks similar to an affiliate code, often used by adware. However, we can’t make assumptions based on a single ten-character string, as such assumptions could very easily be wrong. After all, malware that is sold to, and used by, multiple people may very well include some kind of “customer code.”

The fact that the ._insu file has been seen in such high numbers is interesting. Since this file signals that the malware should delete itself (though we don’t know how the file gets created), that is a strong indicator that these are probably formerly infected machines.

Thus, it’s highly likely that this infection may have been present at some point in the recent past, but the operators sent out a silent “kill” command to cause the malware to delete itself. This could correspond to the first appearance of the newest malicious installer being uploaded to VirusTotal, which would be an indicator to the creator that the malware had been spotted, or it could have been prompted by some other event.

It’s unlikely that these machines were infected for a very long time, as the two command and control server domains were registered in August and December of 2020, per Red Canary findings.
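As an added triage example (not code from the article, Malwarebytes or Red Canary), the script below applies the reasoning above to a single macOS host: the ._insu marker with no other component is treated as a formerly infected machine, any other component as a live installation. The indicator paths are those from the detection table; the state labels and the inclusion of the never-observed /tmp/verx payload path are assumptions made for this example.

```python
"""Silver Sparrow host triage, applying the article's reasoning to one macOS host.

Added example; not code from the article, Malwarebytes or Red Canary.
Indicator paths are the ones in the article's detection table. The state
labels and the inclusion of the never-observed /tmp/verx payload path are
assumptions made for this example.
"""
import os
from collections import Counter
from typing import Callable, Dict, Iterable, List

# Marker that tells the malware to delete itself (per the article).
KILL_MARKER = "~/Library/._insu"

# Components of a live installation, plus the payload path nobody has seen yet.
COMPONENTS = (
    "/Applications/updater.app",
    "/Applications/tasker.app",
    "~/Library/Application Support/verx_updater",
    "~/Library/LaunchAgents/init_verx.plist",
    "/tmp/version.plist",
    "/tmp/version.json",
    "/tmp/agent.sh",
    "/tmp/verx",  # assumed: unobserved payload, included so a scan would flag it
)


def classify(present: Iterable[str]) -> str:
    """Map the indicator paths found on a host to a triage state.

    Paths are compared as written above (with the literal "~").
    The article's pattern: ._insu alone means the malware was told to remove
    itself, so the host was probably infected in the recent past; any live
    component means an installation that has not been killed.
    """
    found = set(present)
    has_marker = KILL_MARKER in found
    live = found & set(COMPONENTS)
    if not has_marker and not live:
        return "clean"
    if has_marker and not live:
        return "formerly_infected"
    if live and not has_marker:
        return "active"
    # Marker and components together contradicts the article's observation;
    # treat it as active and worth a closer look.
    return "active_with_kill_marker"


def scan_host(exists: Callable[[str], bool] = os.path.exists) -> Dict[str, object]:
    """Check the local filesystem for every indicator and classify the host.

    `exists` is injectable so the logic can be exercised without touching disk.
    """
    present: List[str] = []
    for path in (KILL_MARKER,) + COMPONENTS:
        if exists(os.path.expanduser(path)):
            present.append(path)
    return {"present": present, "state": classify(present)}


def summarize(fleet: Dict[str, Iterable[str]]) -> Counter:
    """Count triage states across many hosts, e.g. from EDR telemetry.

    `fleet` maps a host name to the indicator paths reported for it.
    """
    return Counter(classify(paths) for paths in fleet.values())


if __name__ == "__main__":
    # Constructed sample telemetry mirroring the article's finding that the
    # marker file dominates and rarely co-occurs with other components.
    sample = {
        "mac-01": ["~/Library/._insu"],
        "mac-02": ["~/Library/._insu"],
        "mac-03": ["/Applications/updater.app", "/tmp/version.json"],
        "mac-04": [],
    }
    print(summarize(sample))
    print(scan_host())
```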

Malwarebytes detects these files as OSX.SilverSparrow.

The post The mystery of the Silver Sparrow Mac malware appeared first on Malwarebytes Labs.

Categories: Malware Bytes

A week in security (February 15 – February 21)

Malware Bytes Security - Mon, 02/22/2021 - 6:37am

Last week on Malwarebytes Labs, the spotlight fell on the State of Malware 2021 report, wherein we have seen cyberthreats evolve.

We also touched on ransomware, such as Egregor, and a tactic known as Remote Desktop Protocol (RDP) brute forcing that has long been part of the ransomware operators’ toolkit; insider threats, such as what Yandex recently experienced with one of its own sysadmins; romance scams; social media under scrutiny (looking at you, Clubhouse and Omegle); some wins for the good guys; and, of course, Cyberpunk 2077.

Other cybersecurity news
  • Following the water supply hack in a Florida city, the US government warned critical infrastructure operators to upgrade their Windows 7 operating systems. (Source: Security Week)
  • Baby monitor vulnerabilities are in the spotlight once again after the cybersecurity team at SafetyDetectives, an independent review site, unearthed a flaw that allows miscreants to take over a camera’s video stream. (Source: SafetyDetectives)
  • Phishers used “financial bonus” as lure to deliver the Bazar Trojan. (Source: ZDNet)
  • Speaking of phishing scams, they’re also promising free COVID vaccines. Again. (Source: Infosecurity Magazine)
  • Intelligence officials from South Korea claimed that North Korea is behind the COVID vaccine cyberattack against Pfizer. (Source: Computer Weekly)
  • A flaw in Agora, a voice and video platform, was discovered that could allow attackers to spy on private calls. (Source: CyberScoop)
  • Palo Alto’s Unit42 uncovered a cryptojacking campaign that has been in operation for the last couple of years. (Source: Palo Alto Networks)
  • ScamClub, a malvertising group, was discovered using an iPhone browser bug to push ads. (Source: Confiant)
  • With the introduction of Apple’s M1 computer processors, new malware made for them is starting to emerge. (Source: Motherboard)

Stay safe, everyone!

The post A week in security (February 15 – February 21) appeared first on Malwarebytes Labs.

Omegle investigation raises new concerns for kids’ safety

Malware Bytes Security - Sat, 02/20/2021 - 9:46am

Social media site Omegle is under fire after an investigation found boys using the platform to expose themselves on camera, and adults exposing themselves to minors.

Omegle users are paired with a random stranger who they can socialize with via text or video chat. An investigation by the British Broadcasting Corporation (BBC) found boys and adults exposing themselves on camera, even after its founder, Leif K-Brooks, claimed that he had increased moderation efforts months ago.

Just like TikTok, Omegle’s popularity has exploded during the pandemic. According to data collected by Semrush, an online visibility management platform, Omegle has enjoyed a global growth of 65 million visits from January 2020 to January 2021—a staggering 91 percent growth. Users from the US, the UK, India, and Mexico have helped spark interest.

What contributed to Omegle finding fame is that TikTok users started sharing Omegle videos to their friends and followers. TikTok now has a very active #omegle hashtag, which has been viewed 9.4 billion times as of this writing.

MEL magazine’s Magdalene Taylor theorized that it’s the allure of talking to strangers, of being exposed to what our parents warned us about (“stranger danger”), that is fuelling this growth. “People wanted to experience what the Internet was like when people were still afraid,” Taylor wrote.

Read: Stranger Danger and the Sociable Child

Investigators from the BBC, who monitored Omegle for approximately 10 hours, were paired with dozens of other users who appeared to be under 18 years of age, some as young as seven or eight. Within one two-hour period they were connected with 12 men performing sexual acts (“a common occurrence”, the BBC noted), eight naked males, and a handful of pornographic ads. In instances where BBC investigators were paired with people who appeared to be, or identified themselves as, underage Omegle users performing sexual acts, the broadcaster says “These instances were not recorded, and we ended both chats swiftly before reporting them to the authorities.”

Keira, a 15-year-old Omegle user from the US told the BBC that “Men being gross is something me and my friends see a lot. It should be better monitored. It’s like the dark web but for everyone.”

Like most popular social media platforms, Omegle has a minimum age limit of 13, and its terms of use say that users under 18 should only use it with a parent or guardian’s permission. Its home page also features a prominent warning: “Video is monitored. Keep it clean!”. It does not attempt to verify users’ age, however.

Omegle’s home page asks users to “Keep it clean”

The Internet Watch Foundation (IWF), an international charity based in the UK that works to minimize the availability of child abuse content online, expressed concern over what the investigators unearthed but was not surprised, as it follows a trend. According to Chris Hughes, hotline director for the IWF, the charity has found self-generated abuse material that was recorded from Omegle and distributed online by predators. It also knows that such acts happen in households where parents are present, as evidenced by the background conversations audible in the videos.

“I’m absolutely appalled. This sort of site has to take its responsibilities seriously,” says Julian Knight MP, the House of Commons Digital, Culture, Media, and Sport Select Committee chairman in an interview with the BBC. “What we need to do is to have a series of fines and even potentially business interruption if necessary, which would involve the blocking of websites which offer no protection at all to children.”

The saga exposes some familiar fault lines. Age verification is fine in theory but it is difficult to do. Even if it’s implemented effectively it can simply replace one set of potential harms with a different one.

The history of social media suggests that if Omegle tried to tackle the problem by increasing the number of human moderators, it’s unlikely it could ever hire enough to police the platform effectively.

Until (and perhaps even if) these intractable problems find a solution, parents who want to protect their children will have to educate themselves, and their children, about the hazards they might face online.

The post Omegle investigation raises new concerns for kids’ safety appeared first on Malwarebytes Labs.

North Korean hackers charged with $1.3 billion of cyberheists

Malware Bytes Security - Fri, 02/19/2021 - 2:17pm

The US Department of Justice recently unsealed indictments detailing North Korea’s involvement in several global cyberattack campaigns against institutions in the financial and entertainment sectors, and money laundering schemes in certain US states.

The first unsealed indictment is for hacking activities done by three computer programmers from North Korea. Prosecutors name Jon Chang Hyok (전창혁; aka “Alex/Quan Jiang”), Kim Il (김일; aka “Julien Kim” and “Tony Walker”), and Park Jin Hyok (박진혁; aka “Pak Jin Hek”, “Pak Kwang Jin”, and “Jin Hyok Park”) as members of the Reconnaissance General Bureau (RGB), a military intelligence arm of the Democratic People’s Republic of Korea (DPRK) that is known for conducting clandestine operations on behalf of its country.

Park was already indicted back in September 2018 for his involvement in multiple destructive cybercrime attacks, which include the creation of WannaCry, which made headlines in 2017, the Bangladesh Bank cyber heist in 2016, and the attack on Sony Pictures Entertainment (SPE) in 2015.

According to the Justice Department, the RGB is known by many names in the cybersecurity industry, such as the Lazarus Group and Advanced Persistent Threat 38 (APT38). Other crimes the three North Koreans are charged with include: attempting to hack banks’ networks and sending falsified SWIFT messages; the theft of millions of US dollars worth of cryptocurrency from cryptocurrency companies; conducting ATM cash-out (aka FASTcash) and spear phishing schemes; deploying multiple malicious cryptocurrency applications; and the creation and marketing of the Marine Chain Token, an attempt to gain funds and evade US sanctions. A charge was also unsealed against Ghaleb Alaumary, a Canadian-American described by the FBI as a “prolific money launderer”.

While Jon, Kim, and Park are based in North Korea, their government has stationed them in other countries like Russia and China, the report further claims.

North Korean actors have not only heavily targeted the financial sector but also several cybersecurity professionals. Jérôme Segura, director of threat intelligence at Malwarebytes details, “In one of the most recent campaigns, Lazarus APT has targeted vulnerability researchers and exploit developers to steal new exploits as well as any additional tools they may be able to use in the future. This campaign has been conducted to broaden their capabilities in using zero days in their future attacks.”

“The scope of the criminal conduct by the North Korean hackers was extensive and long-running, and the range of crimes they have committed is staggering,” the report quotes Acting US Attorney for the Central District of California Tracy L. Wilkinson. “The conduct detailed in the indictment are the acts of a criminal nation-state that has stopped at nothing to extract revenge and obtain money to prop up its regime.”

Alaumary is already in custody while Jon, Kim, and Park remain at large.

A copy of the indictment in PDF can be downloaded here.

The post North Korean hackers charged with $1.3 billion of cyberheists appeared first on Malwarebytes Labs.

Cybersecurity in Cyberpunk 2077: the good, the bad, and the cringeworthy

Malware Bytes Security - Fri, 02/19/2021 - 5:39am

What game caused some players to experience seizures, allows you to have unauthorized sex with Keanu Reeves, features a lead character who can’t keep the contents of his pants contained, was pulled from the PlayStation Store weeks after release, and still managed to shatter sales and streaming records? 

Of course we’re talking about Cyberpunk 2077, the latest game from Polish developer CD Projekt Red.

In spite of countless, often embarrassing, bugs CDPR created an engrossing open world RPG that even the game’s detractors can’t stop hate-playing. Arguably, a big part of Cyberpunk’s appeal is its setting. Taking place in a fictional American metropolis known as Night City during the year 2077, this dystopian vision of the future attempts to cram every single sci-fi cyberpunk trope into one 30 hour game. Hacking, virtual reality, body modification, sentient computer AIs—it’s all in there.

For all its high tech wonder, some aspects of day to day life in Night City feel familiar. The Internet (or Net, as it’s called in the game) looks about the same as it does in real life, with players browsing websites on a monitor, a mouse, and keyboard. And it’s still possible to get a computer virus. In fact, falling victim to a computer virus is central to the game’s plot.

Since Cyberpunk features computers, hacking, viruses, and has the word “cyber” in the title, we obviously had to write about it.

So, the two members of the Malwarebytes Labs staff who actually played the game were asked to weigh in on cybersecurity in Cyberpunk 2077. And if we get to talk about video games for work, we’re all for it.

SPOILER ALERT: This discussion covers some major plot points.

Who are you?

Philip Christian: Hi! I was an avid gamer through college. Now I play a few major releases per year. I completed the main quest in Cyberpunk. All in, I’ve sunk about 70 hours into the game. I played on Google Stadia (don’t hate me). I work at Malwarebytes so I must know something about cybersecurity, but when it comes down to how threats operate on a technical level, I turn to the experts, like Chris.

Chris Boyd: I’m a Lead Malware Intelligence Analyst for Malwarebytes. I’ve played games dating back to the Atari 2600 days, have worked on a few titles you won’t have heard of many moons ago, and particularly enjoy modding the guts out of Bethesda titles. I’ve put roughly 200 hours into Cyberpunk, and spend a long time looking at hacking in games generally.

The most cringeworthy cybersecurity moment?

Philip: The hacking mini game was total baloney. When you try to hack a computer you’re shown this number matrix and you’re trying to select the correct numbers from the matrix. Not sure what this has to do with hacking unless hacking IRL has something to do with Sudoku.

If I’m being generous, it does bear a vague resemblance to brute force attacks, which are kinda big right now. With a brute force you’re just mashing in numbers, letters, and characters hoping you guess the correct login credentials, but you’re doing it really fast with an automated program entering the credentials for you.

Chris: Would have to agree, the hacking minigame is a horribly confusing pattern matching puzzle which is badly explained and not very realistic. This is common in games, and unless the game is entirely focused on hacking I think the right approach is to try and keep it simple. Sadly, that hasn’t worked here.

The most realistic cybersecurity moment?

Philip: There’s a mission in the game where you need to hack into someone’s password-protected computer. The mission entails looking at websites and figuring out the person’s password from what they’ve shared about themselves online. It’s really just a small part of a larger mission to find a missing teenager. This is a more realistic take on hacking than the numbers mini game. We all reveal way too much about ourselves via social media and cybercriminals use that info against us.

Chris: The cybersecurity realism in the game seems to come from incredibly meta real-world happenings related to the title. For example, the character Goro Takemura is a legendary personal bodyguard / security expert who trains literal cyber ninjas. The gag is he is also absolutely useless with technology, and often sends accidental selfies to the player character while trying to do something else.

Sure enough, a bug occurred in the game which could essentially break saves and prevent progress. The cause? Goro, the guy who can’t use his phone properly, would call the player character and the call would bug out.

“Videogame character who can’t use his phone breaks your game, with his phone” is meta enough. But then we have Elon Musk announcing a Tesla model will be able to play cyberpunk, at roughly the same time it’s announced his Neuralink, Musk’s neurotechnology company, may be trialling computer chips in brains by the end of the year.

Being able to play a game about the dangers of placing chips in your brain, in a car built by somebody who wants to put chips in people’s brains, is the kind of crossover I live for!

It can play Cyberpunk

— Elon Musk (@elonmusk) January 28, 2021

Best representation of hacking in the future?

Philip: My favorite NPC in the game is Delamain the AI taxi driver. He looks like a cross between Johnny Cab from Total Recall and Death from Bill and Ted’s Bogus Journey. Anyway, his system gets infected by a rogue AI and it’s up to you to help him clean it out and regain control of his fleet of computer controlled taxis. Cars today are computers on wheels and car hacking is already a thing.

Chris: More than the hacking mini game, the real hacking meat on the bone here concerns Biohacking and more technology-centric body modifications. Almost everyone in the game is walking round with some sort of Internet-connected body part at all times.

People can overload your ocular implants, fry chips in your body, shut down devices and leave you at a standstill, wipe your short-term memory, and more.

It’s only natural we’ll see an increasing number of technological solutions for medical issues, and the tech industry has a habit of connecting things to the Internet without much care for security. In some ways the future is already here, and has been for some time.

Pacemaker hacks already exist. “Looping”, a DIY method for hacking your own insulin pump, has brought about a surge in purchases for the device needed to do it. A killer-app remote control for insulin pumps? Yep, those exist too.

As we creep towards Transhumanism, we’re going to have to be very careful regarding our final destination. If we aren’t careful we’ll quickly arrive at a point where anybody could be running anything. How do you prepare for that? How do you secure it? It’s entirely possible that we won’t be able to.

Johnny Silverhand is feeling frisky tonight.

Scariest representation of hacking in the future?

Philip: Someone put out a mod that swaps the Johnny Silverhand skin (modeled and voiced in-game by Keanu Reeves) with one of the sex workers (aka joytoys), allowing your character to have sex with an NPC that looks exactly like Keanu. It’s more weird than anything, but the incident got me thinking about deepfakes. This incident isn’t a deepfake in the strictest sense of the word, but it does give us a high profile example of a real person’s likeness being manipulated with technology. It’s something we’re just starting to see and we should expect to see more of it in the near future.

Chris: In games specifically, character swaps are nothing new. As good as Cyberpunk 2077 looks, even the highly detailed models such as Keanu’s are very much video gamey and not very realistic looking, once you get up close. It’s more an approximation of what the developers think he looks like, as opposed to even a fairly basic deepfake which can look very real indeed. Having said that, the developers were well within their rights to shut the mod down because the modder didn’t have Keanu’s permission. The issue of consent is paramount, whether the mod is ultra-realistic or some sort of PlayStation 2 callback.

I think games have a long way to catch up to deepfake levels of controversy, and this would be a subject to revisit if and when realistic models of real people work their way into VR titles.

What else caught your attention?

Philip: I liked how you could hack mundane items like soda vending machines, TVs, and security cameras as a way of distracting enemies. IRL it’s already possible to hack IoT (Internet of things) devices, control them remotely, and cause them to behave in weird ways. There’s examples of coffee machines being hacked, baby monitors, smart TVs—you name it. If it’s connected to the Internet, it’s susceptible to hacking so maybe think twice. Does your refrigerator really need to be connected to the Internet?

Chris: A major aspect of the game is trying to cheat death by any means necessary. Replacing vital organs and upgrading body parts, even when there’s no medical requirement for it, to make yourself run faster or punch harder. You can even scan people in the street with ocular implants tied to the city’s crime database (hello, facial recognition glasses).

The biggest push where that’s concerned involves the game’s main quest. Corporations offer immortality by copying your consciousness to a computer chip, and the ramifications thereof.

It’s amusing to me that we’re playing through this fairly common sci-fi/technology trope at the same time as Microsoft’s patent for dead relatives revived as AI chatbots was discovered.

Where this technology goes from here is anyone’s guess.

Is it safe to mod your game?

Philip: Going back to the Keanu Reeves sex mod thing. CDPR had the mod removed from the site where it was being hosted. Since it’s not available through legitimate channels I think people who are curious will try to obtain it through less safe backchannel methods. This is a perfect scenario for scammers and criminals. In fact, CDPR recently advised gamers not to install mods from unknown sources due to a vulnerability that might allow criminals to remotely execute code on the target system.

Chris: They’ve already updated the game to address issues from that vulnerability, which is great news. Having said that, there’s always a risk from modding any game where you download unknown code and files. Most major mod sites perform some sort of security check on files offered for download, but gamers should always run some tests of their own. You’re entrusting your whole system to random people offering you files.

Some of the mental safeguards we deploy to avoid sketchy downloads tend to come down when modding. “I’m on a trusted site, everything here is legit, what could possibly go wrong”. A little caution is always a good thing where modding is concerned, whether it’s your favorite game or your ocular implants.

The post Cybersecurity in Cyberpunk 2077: the good, the bad, and the cringeworthy appeared first on Malwarebytes Labs.

Romance scams: FTC reveals $304 million of heartache

Malware Bytes Security - Thu, 02/18/2021 - 1:26pm

In 2020, reported losses to the FTC for romance scams went up by 50% from 2019, totalling $304 million. And things weren’t exactly good before: romance scams have cost people a fortune for 3 years running, according to the FTC. Their latest report suggests a steady rise in these kinds of scams generally and ponders the impact of the pandemic. If nobody can go out, it stands to reason that dating in the virtual world would experience a surge of interest.

Love is most definitely in the air for people up to no good.

Some key findings
  • Scams often begin on social media but are unexpected. Potential victims aren’t necessarily on a site for dating in the first place.
  • The use of gift cards for sending money to scammers increased 70%.
  • Reports of money lost increased across every age group in 2020.

Many of the old tricks are still in play, because they’re tried and tested. Throw enough of them out there and a scammer snags a bite eventually. It only takes one or two direct hits to make a small fortune. Meanwhile, people face losing huge sums of money which is often not recoverable.

Sending all my love…and my money

The report notes that many reports of large losses involve scammers claiming to send a victim money. Once the victim receives it, the scammer invents a reason why they need it sent back, or forwarded to a third party. This is how people end up as money mules. As we often mention, this is a bad situation to be in. While the mule ends up in various degrees of legal trouble, the anonymous scammer pulling the strings gets away with it.

It’s unfair, and very cruel for people who would naturally assume they’d done nothing wrong.

We see a variety of romance con-tricks involving requests to move funds. One we examined recently adds a small spin to proceedings. The scam works as follows:

  • The scammer connects with a victim on a dating app, and supplies photos and audio recordings.
  • After some small talk, the scammer says they want to send the victim some money. The scammer “can’t use their account” from their location, but they’re happy to give login details so the victim can do it themselves.
  • The scammer sends a link to a fake banking website where the victim is likely to be asked to complete a transaction, to increase their trust in the scammer, or for their own personal or banking details.

Gift cards: a wealth of opportunity

As mentioned already, gift cards are an attractive proposition for people up to no good. They’re easy to obtain and can be bought in small amounts. Unlike a few years back, they’re not limited to a narrow selection of items or stores. This is good for fakers, because they’re less likely to make victims feel like they’re being sent on a wild goose chase. They can pretty much buy anything and it’ll be of value to the scammer, either through usage or selling on. If gift cards are ever mentioned on dating apps or on social media, you’ve every right to be suspicious.

Steering victims away from the theoretical safety of their online space is a common tactic, not specific to dating scams. (Gaming scams will often take victims away from their gaming console ecosystem to third party sites, for example.) Romance scammers often try to lure people away from the dating apps where they met. This is good for the scammer, problematic for the victim: The digital paper trail becomes muddied, certain protections and safety mechanisms may not apply or be usable, and so on.

A trick of the eye

Catfishing romance scams use fictional personas that often rely on stolen images. People will use photos of models from different parts of the world, or pretend to be U.S. Army soldiers, or even celebrities, to get the job done. All they care about is grabbing the cash, and it doesn’t matter how much the victim on the other side of the screen is impacted.

To combat this, people should make use of reverse image search to see where else the images appear. AI generated images are also common in this realm though, so reverse image search is useful but not foolproof.

On a similar note, refusing to do video calls could be suspicious. The other person may simply be shy, but video is a reasonable expectation for dating a year into the pandemic.

Tips for avoiding romance scams

Attempts to get you away from the platform where you met, requests for cash, or requests for a lot of personal information / logins should set alarm bells ringing. Asking for money for a visa / travel, or sudden medical aid, should too. Sending scans of passport pages is also a bit unusual. Anything which goes from 0 to 60 in the blink of an eye or seems too good to be true should definitely cause you to be very careful.

Be sure to check out our tips for dating safety and security before you next delve into the world of digital dating. The last thing anybody needs right now is financial fallout caused by a bogus romantic interlude. The more you can reduce the odds of that happening, the better everyone using dating platforms will be for it. Let’s consign these fakers to the digital rubbish bin, where they belong.

The post Romance scams: FTC reveals $304 million of heartache appeared first on Malwarebytes Labs.

Clubhouse under scrutiny for sending data to Chinese servers

Malware Bytes Security - Wed, 02/17/2021 - 11:26am

The audio-chat app Clubhouse is the latest rage in the social media landscape. What makes it so popular, and now that it is part of that landscape, can we trust it?

The Clubhouse app

Clubhouse was launched about a year ago and was initially only used by Silicon Valley’s rich and famous. It is different from other social media in that it focuses on the spoken word. Clubhouse members can enter virtual rooms to listen in or participate in live conversations. The conversations can only be joined when they are live and the people having the conversation determine who is allowed to listen and who can talk.

The Clubhouse app is freely available for download to every iPhone user, and an Android version is in the pipeline, but participation is kept exclusive by making it invitation only.

Every new user only gets a few (initially only two) invitations to give away. The developers claim it was done this way to allow for a controlled growth, so as not to overload the server infrastructure. Whether by design or coincidence, this also seems to work as a clever marketing scheme. Deep down, we all want to be part of the club of cool kids.

As a member you can select the subjects you are interested in and apply to be allowed in on conversations about those subjects. The conversations are not saved by the app, so the idea is that you “had to be there” to know what they talked about. But in the digital world thinking that some information is gone for good is very often an illusion. What’s to stop someone from recording a conversation they’re in?

Chinese servers

Recently Clubhouse went viral among Chinese-speaking audiences. But as soon as the Chinese government became aware of political discussions on the app, it was abruptly blocked by the country’s online censors, on Monday February 8, 2021. This chain of events made some researchers wonder how private the conversations really were.

An investigation by the Stanford Internet Observatory found that some of the back-end infrastructure for the Clubhouse App was provided by Agora. Agora is a Shanghai-based start-up, with US headquarters in Silicon Valley, that sells a “real-time voice and video engagement” platform for other software companies to build upon. Exactly what Clubhouse needed to roll out their app.

The Stanford Internet Observatory

In their blog Clubhouse in China: Is the data safe? the Stanford Internet Observatory (SIO) team unravels the ties between Clubhouse and Agora and speculates not why the Chinese government banned the app, but rather why it took them so long.

According to the article “SIO has determined that a user’s unique Clubhouse ID number and chatroom ID are transmitted in plaintext, and Agora would likely have access to users’ raw audio … It is also likely possible to connect Clubhouse IDs with user profiles.”

In a series of tweets one of the team members, Alex Stamos, adds:

“We found Chinese servers being used even for conversations that only involved Americans.”

He goes on to say that neither Agora nor another Chinese supplier, EnjoyVC, is listed as a data sub-processor in the Clubhouse privacy policy.

Alex Stamos is adjunct professor at Stanford University’s Center for International Security and Cooperation. He is also the former chief security officer at Facebook, so he does know a thing or two about social media.

Clubhouse statement

Clubhouse’s reaction to the analysis done by the Stanford Internet Observatory was:

“Clubhouse is deeply committed to data protection and user privacy.

We designed the service to be a place where people around the world can come together to talk, listen and learn from each other. Given China’s track record on data privacy, we made the difficult decision when we launched Clubhouse on the App Store to make it available in every country around the world, with the exception of China. Some people in China found a workaround to download the app, which meant that—until the app was blocked by China earlier this week—the conversations they were a part of could be transmitted via Chinese servers.

With the help of researchers at the Stanford Internet Observatory, we have identified a few areas where we can further strengthen our data protection. For example, for a small percentage of our traffic, network pings containing the user ID are sent to servers around the globe—which can include servers in China—to determine the fastest route to the client. Over the next 72 hours, we are rolling out changes to add additional encryption and blocks to prevent Clubhouse clients from ever transmitting pings to Chinese servers. We also plan to engage an external data security firm to review and validate these changes.

We welcome collaboration with the security and privacy community as we continue to grow. We also have a bug bounty program that we operate in collaboration with HackerOne, and welcome any security disclosures to be sent directly to”

Countered by Alex Stamos with:

“We found that the use of Shanghai-based Agora is fundamental to the function of the app and building logical and technical controls between the US and PRC infrastructure will be extremely complicated.”

Meaning that not only is the Chinese infrastructure essential for Clubhouse at this point, but it will also prove to be hard to keep the US traffic away from it.

So, is it safe?

As TikTok discovered last year, popularity comes with scrutiny. The Stanford Internet Observatory report is interesting, but it isn’t proof of malice. It should help Clubhouse improve its privacy and security though, and Clubhouse will be under no illusion that people are watching it closely on both sides of the Great Firewall.

Our advice is to treat Clubhouse the same way you treat every other social media app. Once you release information on social media it is out of your control, and you should treat it as if it’s freely available. It is up to each user to decide how much information they are willing to share about themselves. It is not always easy to balance the scales between privacy and social interaction. But it is better to be aware of the risks and not invest your trust in a social media app just because it is cool to be a part of, or just because it claims to value data protection and user privacy.

Stay safe, everyone!

The post Clubhouse under scrutiny for sending data to Chinese servers appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Yandex sysadmin caught selling access to email accounts

Malware Bytes Security - Wed, 02/17/2021 - 9:32am

Yandex, a European multinational technology firm best known for being the most-used search engine in Russia, has revealed it had a security breach, leading to the compromise of almost 5,000 Yandex email accounts.

The company says it spotted the breach after a routine check by its security team. They found that one of their system administrators with access to customer accounts was allowing third-parties to see some of these accounts “for personal gain”. Yandex made it clear in its official press release that no payment details were compromised.

With so much attention paid to eye-catching external threats like ransomware and BEC, it’s easy to forget that one of the biggest threats organisations face isn’t something trying to force its way into their network: it was invited in.

Insider threats

Current and former employees, contractors, business partners, suppliers, third-party vendors, and service providers are all potential insiders. And they don’t have to be technologically savvy to pull off an “inside job”.

In fact, some insiders aren’t even intentionally malicious. The most common cause of incidents is employee negligence, such as the misuse of access privileges or a general inattention to keeping sensitive information private and secure, and it can cause employers a lot of headaches. This is further compounded by a lack of effective cybersecurity and privacy training programs, or by the outright absence of an intentional culture of security.

Negligent and careless employees (or what others call “accidental insider threats”), more often than not, have zero intention to hurt their organizations; malicious employees, on the other hand, knowingly act against their employers for personal gain.

According to the 2020 Cost of Insider Threats: Global Report from the Ponemon Institute, the costliest insider threat is credential theft, which averages nearly $875,000 USD to remediate. Not only that, incidents of credential theft have tripled in the last 5 years. With a booming demand for employees who are willing to share company secrets with criminals, it wouldn’t be a stretch to expect such cases to pop up more frequently. They pay well, after all.

“Employees are always a prime target for adversaries, whether it is targeting them to leverage their machine or identity or recruiting them actively on a closed source forum,” said Brandon Hoffman, chief information security officer at Netenrich, an IT service management company, in an interview with Threatpost. “There have been several cases where we have seen a disgruntled employee posting messages on the dark web aiming to make a contact where they can ‘cash out’ their leverage as an employee.”

Organizational breaches have become a mainstay in news outlets, with many of them about outside parties forcing themselves inside private networks either by force (hacking) or by social engineering (phishing). With the current pandemic and everyone working remotely, spotting insider threats has become more challenging than ever. This should make businesses more vigilant and determined in curbing insider threats before they happen. For those who don’t know where to start, here’s a good place: look at the zero trust model, and see how you can adapt it within your organization.
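The Yandex case was caught by a routine check of what a privileged administrator was doing with customer accounts. The script below is an added example of what such a check can look like in practice; it is not Yandex’s tooling, and the access-log format, the admin names, the customer account IDs and the ticket references are all constructed for the example. It looks for two things a reviewer would want flagged: an administrator opening far more distinct customer accounts in a day than their own history suggests, and any customer-account access that is not tied to a support ticket.

```python
"""
Privileged-access audit over a constructed admin access log.

Each line: <date> <admin> <customer_account> <ticket-or-dash>
(constructed format for this example, not a real product's log schema).
"""
from collections import defaultdict
from statistics import median

# Constructed sample: sysadmin1 and sysadmin2 each touch two accounts a day
# with a ticket reference, until sysadmin1 opens six accounts on 2021-02-11,
# four of them with no ticket at all.
SAMPLE_ACCESS_LOG = """\
2021-02-08 sysadmin1 cust-1001 TCK-201
2021-02-08 sysadmin1 cust-1002 TCK-202
2021-02-09 sysadmin1 cust-1003 TCK-203
2021-02-09 sysadmin1 cust-1004 TCK-204
2021-02-10 sysadmin1 cust-1005 TCK-205
2021-02-10 sysadmin1 cust-1006 TCK-206
2021-02-08 sysadmin2 cust-2001 TCK-301
2021-02-08 sysadmin2 cust-2002 TCK-302
2021-02-09 sysadmin2 cust-2003 TCK-303
2021-02-09 sysadmin2 cust-2004 TCK-304
2021-02-10 sysadmin2 cust-2005 TCK-305
2021-02-10 sysadmin2 cust-2006 TCK-306
2021-02-11 sysadmin2 cust-2007 TCK-307
2021-02-11 sysadmin2 cust-2008 TCK-308
2021-02-11 sysadmin1 cust-1007 TCK-207
2021-02-11 sysadmin1 cust-1008 TCK-208
2021-02-11 sysadmin1 cust-1101 -
2021-02-11 sysadmin1 cust-1102 -
2021-02-11 sysadmin1 cust-1103 -
2021-02-11 sysadmin1 cust-1104 -
"""


def parse_access_log(text):
    """Turn the constructed log text into a list of access records."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        date, admin, target, ticket = line.split()
        records.append({"date": date, "admin": admin, "target": target,
                        "ticket": None if ticket == "-" else ticket})
    return records


def audit_privileged_access(records, ratio=3.0, min_targets=5):
    """Return audit alerts for the given access records.

    volume_spike: an admin's distinct customer accounts for a day reach
                  max(min_targets, ratio * median of that admin's earlier days).
    no_ticket:    accesses with no support-ticket reference, grouped per admin/day.
    """
    per_admin_day = defaultdict(lambda: defaultdict(set))
    unticketed = defaultdict(lambda: defaultdict(list))
    for r in records:
        per_admin_day[r["admin"]][r["date"]].add(r["target"])
        if r["ticket"] is None:
            unticketed[r["admin"]][r["date"]].append(r["target"])

    alerts = []
    for admin, days in per_admin_day.items():
        history = []  # distinct-account counts for this admin's earlier days
        for day in sorted(days):
            count = len(days[day])
            if history:
                baseline = median(history)
                if count >= max(min_targets, ratio * baseline):
                    alerts.append({"kind": "volume_spike", "admin": admin,
                                   "date": day, "distinct_targets": count,
                                   "baseline": baseline})
            history.append(count)

    for admin, days in unticketed.items():
        for day in sorted(days):
            alerts.append({"kind": "no_ticket", "admin": admin, "date": day,
                           "targets": sorted(days[day])})
    return alerts


if __name__ == "__main__":
    for alert in audit_privileged_access(parse_access_log(SAMPLE_ACCESS_LOG)):
        print(alert)
```

The baseline is each administrator’s own history rather than a global number, because a support lead legitimately opens more accounts than a database administrator; the ticket check is the zero-trust piece, since it ties every privileged read to a recorded reason rather than to the fact that the account holder is trusted staff.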

The post Yandex sysadmin caught selling access to email accounts appeared first on Malwarebytes Labs.

Categories: Malware Bytes

RDP, the ransomware problem that won’t go away

Malware Bytes Security - Tue, 02/16/2021 - 2:22pm

The year 2020 will certainly be remembered as one of the most difficult and tragic years humankind has faced in modern times. The global pandemic changed the way we live and work in ways unimaginable, perhaps forever.

It also altered the cybersecurity landscape dramatically. The FBI reported a 300 percent increase in cybercrime in the first quarter of that year, and the rate and cost of ransomware attacks escalated at an unprecedented rate. Almost thirty attacks were reported in December 2020 alone, including the infamous $34 million demand levied against electronics giant Foxconn.

One of the primary reasons these attacks are growing rapidly is due to a shift from secure office locations to less secure remote work environments. Prior to the global pandemic, less than 4 percent of the population worked from home. The genie is out of the bottle now though, and there’s no going back. It’s no surprise then, that a recent Gallup poll found that 82 percent of business leaders plan to maintain a larger work-from-home (WFH) posture well after the pandemic.

While many organizations can benefit from a wider selection of job candidates and reduced maintenance and facility costs, for security professionals, work-from-home environments expand the attack surface they have to protect, and increase the risks for phishing, malware, and ransomware.

The target for today’s organized and sophisticated cybercriminals, like the ones operating Maze or Ryuk, isn’t a single computer, but an organization’s entire network. A majority of all ransomware attacks gain access to a victim’s network through a “backdoor” approach that exploits weaknesses in Remote Desktop Protocol (RDP) software, or the way it is deployed.

The threat of RDP brute forcing has been widely reported, and brute force protection for RDP has been a “must have” for several years, and yet these attacks continue to succeed. The truth is that simply telling people to harden RDP isn’t working fast enough. Brute force protection needs to be more than just another item in an overworked system administrator’s ever growing task list. Instead, we need to see RDP brute forcing for what it is, an endpoint detection and response (EDR) problem, and handle it there.

Less well publicized are the vulnerabilities that continue to turn up in popular RDP software. In 2020, security researchers found twenty-five vulnerabilities in some of the most popular RDP clients used by businesses. These include:

  • FreeRDP, which is the most popular open-source RDP client on GitHub
  • Microsoft’s built-in RDP client, with the executable file mstsc.exe
  • rdesktop, another open-source RDP client and the default RDP client in Kali distributions of Linux

Many security professionals may not be aware of these “reverse RDP” vulnerabilities, which run in the unexpected direction: the machine at risk is the one running the RDP client, not the remote host the user has connected to. The grunt work of inventory taking and patching remains as vital as ever.
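Treating RDP brute forcing as a detection and response problem means the endpoint, not a checklist, has to notice it. The script below is an added example of the core logic, not Malwarebytes code or any product’s detection rule: it slides a time window over failed RemoteInteractive logons per source address, raises an alert once a source exceeds a threshold, and raises a second, more urgent alert if that same source then logs on successfully while its failures are still inside the window. The log lines are constructed for the example in a simplified whitespace format that borrows only the Windows event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10 (RDP); it is not the real EVTX schema, and the threshold and window values are assumptions to tune per environment.

```python
"""
Windowed brute-force detector for RDP logons over constructed log lines.

Each line: <iso-timestamp> <event_id> <logon_type> <account> <source_ip>
(constructed format; only the event IDs and logon type follow Windows).
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 sprays six accounts in ten seconds and then
# gets in as "backup"; 198.51.100.4 is a user mistyping a password twice;
# 192.0.2.9 fails five times but half an hour apart, plus one non-RDP failure.
SAMPLE_LOG = """\
2021-02-16T14:00:01 4625 10 administrator 203.0.113.7
2021-02-16T14:00:03 4625 10 admin 203.0.113.7
2021-02-16T14:00:05 4625 10 test 203.0.113.7
2021-02-16T14:00:07 4625 10 backup 203.0.113.7
2021-02-16T14:00:09 4625 10 guest 203.0.113.7
2021-02-16T14:00:11 4625 10 scanner 203.0.113.7
2021-02-16T14:00:14 4624 10 backup 203.0.113.7
2021-02-16T14:05:00 4625 10 alice 198.51.100.4
2021-02-16T14:05:20 4625 10 alice 198.51.100.4
2021-02-16T14:05:40 4624 10 alice 198.51.100.4
2021-02-16T12:00:00 4625 10 bob 192.0.2.9
2021-02-16T12:30:00 4625 10 bob 192.0.2.9
2021-02-16T13:00:00 4625 10 bob 192.0.2.9
2021-02-16T13:30:00 4625 10 bob 192.0.2.9
2021-02-16T14:00:00 4625 10 bob 192.0.2.9
2021-02-16T14:20:00 4625 3 svc 192.0.2.9
"""

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
RDP_LOGON_TYPE = 10


@dataclass
class Event:
    ts: datetime
    event_id: int
    logon_type: int
    account: str
    source_ip: str


def parse_log(text):
    """Parse the constructed log text into Event objects (any order)."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, eid, ltype, account, ip = line.split()
        events.append(Event(datetime.fromisoformat(ts), int(eid), int(ltype), account, ip))
    return events


def detect_rdp_brute_force(events, threshold=5, window=timedelta(seconds=60)):
    """Return alerts for sources exceeding `threshold` RDP failures in `window`.

    A source is alerted once as "brute_force"; a later successful RDP logon
    from that source, while failures are still inside the window, produces a
    "success_after_brute_force" alert that should be triaged first.
    """
    recent = defaultdict(deque)  # source_ip -> deque of (ts, account) failures
    flagged = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.logon_type != RDP_LOGON_TYPE:
            continue
        q = recent[ev.source_ip]
        while q and ev.ts - q[0][0] > window:  # expire failures outside the window
            q.popleft()
        if ev.event_id == FAILED_LOGON:
            q.append((ev.ts, ev.account))
            if len(q) >= threshold and ev.source_ip not in flagged:
                flagged.add(ev.source_ip)
                alerts.append({"kind": "brute_force", "source_ip": ev.source_ip,
                               "failures": len(q),
                               "accounts": sorted({a for _, a in q}),
                               "first": q[0][0], "last": ev.ts})
        elif ev.event_id == SUCCESS_LOGON and ev.source_ip in flagged and q:
            alerts.append({"kind": "success_after_brute_force",
                           "source_ip": ev.source_ip, "account": ev.account,
                           "at": ev.ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_brute_force(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample, 203.0.113.7 is alerted on its fifth failure and again when the “backup” logon succeeds, while neither the two-failure user nor the slow, spread-out failures from 192.0.2.9 trip the rule. The distinct-account list in the alert is what separates password spraying from a user who has forgotten one password, and the response action (blocking the source at the endpoint, which this example leaves to the EDR) is the part that turns the detection into protection.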

The post RDP, the ransomware problem that won’t go away appeared first on Malwarebytes Labs.

Categories: Malware Bytes