Threat spotlight: DarkSide, the ransomware used in the Colonial Pipeline attack

Late last week, the business network systems of Colonial Pipeline, the biggest supplier of fuels on the East Coast of the United States, were compromised due to a ransomware attack, forcing the company to temporarily shut down its operations while investigations are underway.

Monday morning, Pacific time, the FBI confirmed that the ransomware culprit is DarkSide, a fairly new strain that started making a name for itself roughly in mid- to late 2020. In this post, we take a look at the malware and at the criminal gang behind the Colonial Pipeline attack, which many believe is based in Eastern Europe.

Threat profile: DarkSide ransomware

DarkSide was first observed in the wild in August 2020 and used by the APT group Carbon Spider, also known as Carbanak and FIN7 among other names, for their Big Game Hunting (BGH) campaigns. According to Crowdstrike’s adversary profile on this group, it originated in the Russian Federation and/or Ukraine. Since becoming active in 2013, Carbon Spider has targeted institutions in the Middle East, Europe, and eventually, the United States.

DarkSide ransomware is sold to affiliates using the Ransomware-as-a-Service (RaaS) distribution model, so attacks are carried out by affiliates.

There are currently two known versions of DarkSide: DarkSide v1.0 and DarkSide v2.1. The latter is less weighty in terms of file size (53 KB versus 59.5 KB) and has a shorter decryption time.

Screenshot of DarkSide 2.0 debut forum post back in March 2021 (Source: Twitter user 3xp0rt, who is associated with Kela, an Israeli cyber intelligence outfit)

v2.1 has a new “call on us” feature, which allows ransomware affiliates to conduct a Voice Over IP (VoIP) session with victim organizations, their partners, and even journalists. It is believed that they added this feature to exert extra pressure against their victims.

DarkSide also has a Linux version that is capable of targeting VMWare ESXi vulnerabilities, making virtual machines (VMs) susceptible to hijacking and encryption of virtual drives.

Like other Big Game Hunting ransomware families, DarkSide is human-operated. This means that the ransomware is executed by an actual person behind the screen after they have successfully infiltrated a target network. This makes it possible for threat actors to move laterally, scouring the entire network and persistently backdooring several systems until they gain administrative access. They then use these administrator credentials to deploy DarkSide.

DarkSide operators are not shy about asking $2M USD from their victims. Sometimes, they even double the price.

They also use their time in the network to harvest data and upload it to their servers, before they encrypt the victim’s copy.

Once deployed, DarkSide begins to:

  • Encrypt all files using a combination of Salsa20 and RSA-1024
  • Empty the Recycle Bins
  • Uninstall services
  • Delete shadow copies
  • Terminate processes
  • Encrypt local disks
  • Encrypt network shares

After all the data have been exfiltrated, the threat actors post it on their leak site, DarkSide Leaks, along with other pertinent information about the attack, such as the name of the company, the date it was breached, how much data was stolen, sample screenshots of the stolen data, and the types of stolen data.

It is observed that DarkSide and REvil ransomware, also known as Sodinokibi, share some similarities:

  • Their ransom notes seem to have come from the same template.
  • Both ransomware families use Windows PowerShell to delete shadow volume copies on compromised systems, and both use the same particular string of PowerShell code to perform this action.
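As an added example (not part of the original article, nor code from the CISA advisory it cites), the following Python sketch shows how a defender might flag the shadow-copy deletion step described above in PowerShell Script Block Logging (Event ID 4104) records. The sample events are constructed, and the patterns are a generic heuristic for WMI/CIM, vssadmin and wmic shadow-copy deletion, not the specific string the article mentions.

```python
"""Flag shadow-copy deletion in PowerShell script block log text.

Illustrative detection logic. The records below are constructed to resemble
the ScriptBlockText field of Windows PowerShell Event ID 4104 entries; they
are not taken from any real incident.
"""
import re

# Constructed sample records (not real telemetry). One host enumerates
# shadow copies without deleting them, which must NOT raise an alert.
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "CORP\\svc_backup",
     "script": "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"},
    {"host": "FS01", "user": "CORP\\svc_backup",
     "script": "Get-CimInstance Win32_ShadowCopy | Remove-CimInstance"},
    {"host": "WS07", "user": "CORP\\jdoe",
     "script": "Get-ChildItem C:\\Users -Recurse | Measure-Object"},
    {"host": "WS07", "user": "CORP\\jdoe",
     "script": "vssadmin delete shadows /all /quiet"},
    {"host": "WS07", "user": "CORP\\jdoe",
     "script": "Get-WmiObject Win32_Shadowcopy | Select-Object ID, InstallDate"},
    {"host": "DC01", "user": "CORP\\admin",
     "script": "Get-Service | Where-Object Status -eq Running"},
]

# Patterns are applied to normalised (lower-cased, de-obfuscated) text.
SHADOW_CLASS = re.compile(r"win32_shadowcopy")
DESTRUCTIVE = re.compile(r"\.delete\s*\(|remove-wmiobject|remove-ciminstance")
VSSADMIN = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows")
WMIC = re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete")


def normalize(script: str) -> str:
    """Defeat two cheap evasions: mixed case and backtick-splitting of
    cmdlet names (PowerShell reads Get-Wmi`Object as Get-WmiObject)."""
    script = script.replace("`", "").lower()
    return re.sub(r"\s+", " ", script).strip()


def classify(script: str):
    """Return a rule name if the script block deletes shadow copies, else None."""
    text = normalize(script)
    if VSSADMIN.search(text):
        return "vssadmin_delete_shadows"
    if WMIC.search(text):
        return "wmic_shadowcopy_delete"
    # Enumerating Win32_ShadowCopy is routine admin work; alert only when a
    # destructive verb appears in the same script block.
    if SHADOW_CLASS.search(text) and DESTRUCTIVE.search(text):
        return "wmi_shadowcopy_delete"
    return None


def scan(events):
    """Run classify() over a list of event records and collect findings."""
    findings = []
    for ev in events:
        rule = classify(ev["script"])
        if rule is not None:
            findings.append({"host": ev["host"], "user": ev["user"],
                             "rule": rule, "script": ev["script"]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['host']} {f['user']} {f['rule']}: {f['script']}")
```

Backup software legitimately deletes shadow copies too, so in practice this rule is a trigger for correlation (who ran it, from where, alongside what else) rather than a standalone verdict.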

DarkSide ensures that victims feel their personalized touch by customizing the ransom note and file extension for their victims. For example, a checksum of the victim’s MAC address is used as the extension name of encrypted files when, normally, ransomware would just use their own pre-defined extension. (HelloKitty ransomware uses .kitty, for example.)

A portion of a DarkSide ransom note is reproduced below. Ransom notes include the type of files, a link to the victim organization’s personal leak page, and instructions on what victims can do.

----------- [ Welcome to DarkSide 2.0] ----------->

What happend?
Your computers and servers are encrypted, backups are deleted. We use Strong encryption algorithms, so you cannot decrypt your data.
But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network.
Follow our instructions below and you will recover all your data.

Data leak
First of all we have uploaded more than full dump data.

These files include:
- finance
- private information
- partners documents

The DarkSide leaks website has a “Press Center” section where journalists can register. It has a section where “recovery companies”—victimized organizations that had no choice but to give in to DarkSide’s ransom demand—can register to receive decryptors, get additional “discounts”, and have a ready line to the threat actor’s support service. All of which demonstrates how organized DarkSide operators can be.

Malwarebytes’ signature-less protection detects all known variants of DarkSide.

Adversary profile: DarkSide operators

Leslie Carhart, DFIR at Dragos, has taken note that DarkSide operators have been increasing their double-extortion attacks yet somehow successfully getting little attention.

The threat actors behind DarkSide ransomware are doing all this to gain money. However, its original creators declared that criminal groups who want to partner with them via their RaaS scheme should avoid targeting companies in certain sectors. These are:

  • Healthcare
  • Education
  • Nonprofit
  • Government

DarkSide may seem like your common-or-garden ransomware gang who only cares about making money off of the backs of organizations, including hospitals, but they would like you to think otherwise. One of the things that separates the DarkSide gang from the other “heartless” gangs is their declared intent to “make the world a better place”.

In 2020, the gang did just that by donating a portion of the money they extorted from victims to charity—not realizing that charities, knowing that the money is fraudulent, would never accept it. Not only that, charities who do accept fraudulent money without them knowing can get into a lot of trouble from the law. They can be charged with crimes related to money laundering—something perhaps the DarkSide gang didn’t see coming when thinking about the children.

In common with many other ransomware gangs, it’s also their mandate not to target states under the Commonwealth of Independent States (CIS), including Georgia and Ukraine.

While they reach for this dubious moral high ground, let us not forget that DarkSide threat actors have threatened not only to leak all of a victim organization’s files but also to weaponize them by sharing them with the victim’s competitors, the media, and government regulators.

After the Colonial Pipeline attack made headlines and got the attention of no less than the FBI and the US government, DarkSide released a statement about it:

We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our [sic] motives.

Our goal is to make money, and not creating problems for society.

From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.

Many suspect that DarkSide operators are already in a mad rush to patch things up, having bitten off more than they can chew.

The straw that broke the camel’s back?

The DarkSide attack on the Colonial Pipeline may turn out to be the straw that broke the camel’s back. Last week, the White House held emergency meetings to take a look at an already drafted Executive Order on cybersecurity—possibly to strengthen it following this latest attack—that is expected to be released soon. Prior to that, the US Justice Department had already announced a 120-day review of its approach to combating cyberthreats, and had been urged by the Ransomware Task Force’s strategic plan for tackling ransomware to treat ransomware as a national security threat.

Yesterday, the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) issued a joint cybersecurity advisory (CSA) on DarkSide ransomware. It contains detailed mitigation steps that businesses should follow to reduce the risk of successful ransomware attacks overall. These include simple steps, such as:

Organizations of all sectors should take heed of these best practices, because, even before the publication of this article, DarkSide appears to have netted another victim.

The post Threat spotlight: DarkSide, the ransomware used in the Colonial Pipeline attack appeared first on Malwarebytes Labs.

Get patching! Wormable Windows flaw headlines Patch Tuesday

It looks like patching a wormable Remote Code Execution (RCE) bug in the HTTP stack of Windows 10 and Windows Server is likely to be top of most sysadmins’ to-do lists after reading May’s Patch Tuesday updates. The monthly bug bonanza also features three other critical items among its 55 patches.

Although the wormable RCE (CVE-2021-31166) is not known to have been exploited in the wild, Microsoft warns that the attack complexity is low, and that “An attacker can expect repeatable success against the vulnerable component” with no need for authentication or user interaction. It has given the vulnerability a CVSS score of 9.8 out of 10.

The attack on the vulnerable component could be triggered by no more than a specially crafted packet. Since that packet is processed by http.sys, which runs in the kernel, the malicious code runs with commensurate privileges.

Worms that turned

A wormable flaw is one that can be used to create a network worm, a bit of malware that replicates itself across a network. Network worms invade a vulnerable system and then use it to launch further attacks on other vulnerable systems. Because each infected computer can infect many others, network worms have the potential to replicate exponentially and spread with alarming speed. (In fact, even if a worm has no malicious payload, the volume of activity it generates can be enough to cause significant problems by itself.)

Where vulnerable systems are accessible from the Internet, network worms can spread around the world in a matter of minutes or hours. In 2003, the infamous SQL Slammer worm infected all 75,000 of its global, Internet-accessible victims within ten minutes of the attack starting. More recently, the WannaCry ransomware worm spread around the globe (and into and through numerous computer networks along the way) and infected hundreds of thousands of targets in a single morning.

Although worm-ability poses a significant risk, it isn’t by itself a guarantee of criminal success. Sometimes turning a vulnerability into an exploit is simply too difficult, or the results too unreliable to create a viable attack. Readers may remember the furore that surrounded the May 2019 Patch Tuesday, which featured a fix for a wormable RDP vulnerability, known as CVE-2019-0708 and later dubbed BlueKeep. The widely-expected, globe-trotting RDP worm never materialised. Despite the appearance of proof-of-concept code, no widespread attacks ever occurred. Perhaps criminals simply found no need for an RDP worm that was bound to attract a lot of unwanted attention while they were having sustained success simply milking so many weak RDP passwords.

Those responsible for Windows systems should assume that criminals have read the same information they have and are poring over the fixes in an attempt to reverse engineer them. Act accordingly: you are in a race, patch as soon as you can.

Critical issues

The other critical patches made available this May include CVE-2021-26419, a scripting engine flaw that can be triggered by having an Internet Explorer user (yes, somehow that dinosaur among Internet users is still not extinct) visit a malicious website. Or, perhaps more likely, the flaw can be triggered from Microsoft Office documents. According to Microsoft, an attacker “could also embed an ActiveX control marked ‘safe for initialization’ in an application or Microsoft Office document”. Who could have guessed that in 2021 we’d still be finding ways to attack people with documents.

CVE-2021-28476 is an RCE vulnerability in the Hyper-V component of numerous Windows versions, with a CVSS score of 9.9. The flaw allows guest machines to meddle with their hosts, a strict security no-no. Microsoft reports that the most likely result of this meddling is denial of service but the flaw has the potential to trigger “device specific side effects that could compromise the Hyper-V host’s security.”

The last of the four critical vulnerabilities from this month’s lode is CVE-2021-31194, an OLE Automation RCE about which the company has little to say. Taciturn it may be, but it does tell us the bug has a CVSS of 8.8 and it’s rated critical, both signals you should patch it anyway.

Overall, this month’s Patch Tuesday is small compared to recent months, which we hope will be a relief to any sysadmins kept busy by recent Exchange vulnerabilities.

Take your rest while it’s (relatively) quiet. You know it won’t last.

The post Get patching! Wormable Windows flaw headlines Patch Tuesday appeared first on Malwarebytes Labs.

Colonial Pipeline attack expected to trigger imminent hardening of cybersecurity rules for federal agencies

The ransomware attack on Colonial Pipeline last week caused the White House to hold emergency meetings to possibly strengthen a planned Executive Order on cybersecurity that could be released in the coming days or weeks, the New York Times reported.

The Executive Order—currently a draft—could place new restrictions on businesses that develop software and sell it to the federal government, such as the requirements to use multi-factor authentication and to access federal databases only when completely necessary. Such a strategy seemed like an appropriate response several months ago, when cybercriminals believed to be working with the Russian government infiltrated nine federal agencies by first hacking into the IT management company SolarWinds.

But the recent attack on Colonial Pipeline reveals that new rules meant only for federal contractors could still leave broad swaths of the American public at risk. Complicating the issue is that, while President Joe Biden has taken a harder stance against Russian cyberaggression than the past administration, the attack on Colonial Pipeline has no confirmed connection to the Russian government.

“I’m going to be meeting with President Putin, and so far there is no evidence based on, from our intelligence people, that Russia is involved, although there’s evidence that the actors’ ransomware is in Russia,” Biden said this week.

According to multiple reports of the planned Executive Order, companies that sell their products to the government could have to implement several new cybersecurity measures.

Such companies would have to use multi-factor authentication and they would have to encrypt data that belongs to federal government clients. The government would also begin using a “zero-trust” model with these contractors, meaning that such contractors would only gain access to federal systems on a “need-to-know” basis. Further, contractors would also have to notify government customers of any cyberbreach, bringing new transparency to the government about ongoing and increasingly frequent cybercrimes.

In speaking with Reuters, a spokeswoman for the National Security Council explained the importance of such a requirement, noting that the SolarWinds attack showed that “the federal government needs to be able to investigate and remediate threats to the services it provides the American people early and quickly.”

She continued: “Simply put, you can’t fix what you don’t know about.”

According to The New York Times, companies that violate these rules would have their products banned from being sold to the federal government. For many companies that count the federal government as their largest client, such a ban could serve as a revenue death knell.

Finally, the Executive Order could create a “cybersecurity incident review board” to investigate major cyberattacks in the US, and the Order could ask victims of cyberattacks to work with the FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency when responding to attacks.

The post Colonial Pipeline attack expected to trigger imminent hardening of cybersecurity rules for federal agencies appeared first on Malwarebytes Labs.

Avaddon ransomware campaign prompts warnings from FBI, ACSC

Both the Australian Cyber Security Centre (ACSC) and the US Federal Bureau of Investigation (FBI) have issued warnings about an ongoing cybercrime campaign that is using Avaddon ransomware.

The FBI states that it has received notifications of unidentified cyber actors using Avaddon ransomware against US and foreign private sector companies, manufacturing organizations, and healthcare agencies.

In a separate advisory (pdf), the ACSC says it is also aware of an ongoing ransomware campaign using the Avaddon Ransomware malware. This campaign is actively targeting Australian organizations in a variety of sectors.

Avaddon ransomware

Ransom.Avaddon is sold to criminal affiliates as a Ransomware-as-a-Service (RaaS) strain. It has been around since 2019, and in June 2020 it gained real traction due to a malspam campaign. Later it started promoting higher rates for its affiliates using adverts on networks and RDP. Avaddon ransomware encrypts files in offline mode using AES-256 and RSA-2048. Encrypted files receive the .avdn extension.

Free decryptor

In February 2021 a researcher found a flaw in the Avaddon encryption routine that allowed them to create a free decryptor. One day later the ransomware developer posted a message that the flaw was fixed. So, the decryptor only works for older infections.

FBI description of Avaddon

Avaddon is used in targeted, “big game” ransomware attacks using familiar tactics. According to the FBI, Avaddon ransomware actors have compromised victims through remote access login credentials—such as Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN). After Avaddon actors gain access to a victim’s network, they map the network and identify backups for deletion and/or encryption. The malware escalates privileges, contains anti-analysis protection code, enables persistence on a victim system, and verifies the victim is not located in the Commonwealth of Independent States (CIS). Finally, a copy of the victim’s data is exfiltrated before the victim’s systems are encrypted.

Not afraid of law enforcement

Like many other ransomware operators hailing from the CIS they act as if they have nothing to fear from law enforcement. And as long as they do not attack organizations in their home country that is unfortunately probably true. Some Russian gangs have even been getting aggressive against law enforcement in the US. Statistics of how many police departments have been hit by ransomware attacks are hard to come by, as is information on whether departments ever pay a ransom. Homeland Security Secretary Alejandro Mayorkas has called ransomware a threat to national security and said the issue is a top priority of the White House. That sentiment was echoed in a recent report by the Ransomware Task Force.

Ransomware as a Service (RaaS)

Avaddon is offered as a Ransomware-as-a-Service (RaaS), a system that sees affiliates do the dirty work and use the ransomware however they like, provided they return a percentage of their profits to the Avaddon developers. The ACSC notes that Avaddon also has an active presence on underground dark web cybercrime forums, where it advertises the malware to potential affiliates. Avaddon threat actors also use a data leak site to identify victims who fail or refuse to pay ransom demands.

Typically, with RaaS you will see affiliates run different distribution vectors and look over each other’s shoulder to see what is working best. Probably because of this model we have seen Ransom.Avaddon spread by a botnet, in malspam campaigns, by exploit kits (RIG-EK), and recently by brute forcing RDP and VPN credentials.

Additional threats

Like many other ransomware operators Avaddon has also increased pressure on its victims by threatening to publicize exfiltrated data on the dark web, and by performing DDoS attacks. The extortion/data leak process typically follows these steps:

  • Leak warning: After initially gaining access to a victim network, Avaddon actors leave a ransom note on the victim’s network and post a “leak warning” to the Avaddon dark web leak website. The warning consists of screenshots from files and proof of access to the victim’s network.
  • 5 percent leak: If the victim does not quickly pay the ransom within 3 to 5 days, Avaddon actors increase the pressure on victims by leaking a portion of the stolen files. The Avaddon actors leak this data by uploading a small .zip file to Avaddon’s dark web leak website.
  • Full leak: If the ransom is not paid after the 5 percent leak, Avaddon actors post all their exfiltrated data in large .zip files in the “Full dumps” section of the Avaddon dark web leak website.

Detection and protection

Malwarebytes detects Ransom.Avaddon and protects users by means of real-time protection, using both detection rules and patented anti-ransomware technology.

Malwarebytes stops Avaddon ransomware

Stay safe, everyone!

The post Avaddon ransomware campaign prompts warnings from FBI, ACSC appeared first on Malwarebytes Labs.

Alleviating ransomware’s legal headaches with Jake Bernstein: Lock and Code S02E08

This week on Lock and Code, we speak to cybersecurity and privacy attorney Jake Bernstein about ransomware attacks that don’t just derail a company’s reputation and productivity, but also throw them into potential legal peril.

In 2020, the cybersecurity community noticed a worrying trend from ransomware operators. No longer satisfied with just demanding a ransom payment to unlock their victims’ encrypted files, some ransomware gangs employed a new device to squeeze their targets: after initially breaching a business, they would pilfer sensitive data and then threaten to publish it online.

These are the so-called “double extortion” attacks, in which ransomware operators can hit the same target two times over—we’ve not only locked your files, which will cost money to decrypt, we’ve also stolen your data, which will cost money to keep private. But this threat doesn’t stop there. For companies hit with these attacks, not only do they often rebuild their databases, not only can they lose days or even weeks of work, not only are their reputations pummeled if their sensitive data is published online, but, depending on how much data is leaked, and what kind, they could also get into legal trouble.

“This is a big deal, and it is a legal issue,” Bernstein said. “It is not just an IT problem.”

Tune in to learn about these ransomware attacks, what state laws get triggered, how new privacy laws affect legal compliance, and why Bernstein does not expect any federal legislation to standardize this process, on the latest episode of Lock and Code, with host David Ruiz.


You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

The post Alleviating ransomware’s legal headaches with Jake Bernstein: Lock and Code S02E08 appeared first on Malwarebytes Labs.

Ransomware attack shuts down Colonial Pipeline fuel supply

Ransomware caused major trouble last week, as the famous Colonial Pipeline fell victim to a devastating cyber-attack.

Presenting: the Colonial Pipeline

The pipeline exists to supply gasoline and other products across the southern and eastern United States. We’re talking from Texas all the way up to New Jersey. The pipeline is the largest of its kind in the US, reportedly transporting almost half of the fuel consumed by the east coast.

This is an incredible volume of supply and demand, and anything going wrong could be disastrous. There’s enough to worry about with more general accidents, without the threat of people maliciously breaking into systems.

That’s where we are now.

What happened?

Ransomware brought everything to a standstill on Friday. According to those performing analysis on the attack, the culprits are likely a group known as DarkSide. This is a group that rose to mainstream prominence in 2020, via dubious donations to charities. Going for that whole Robin Hood angle, they stole from corporations and handed the cash to causes they felt were deserving.

Well, they tried to.

When help turns out to be a hindrance

As it happens, charities don’t want a bunch of stolen money circulating in their bank accounts. Charity trustees can get into all kinds of trouble. Not just charities; any organisation could end up in a baffling sequence of money laundering shenanigans if not careful.

There were also suspicions that the “Good Samaritan” act was a way to cover for the fact that they’re still criminals, stealing money. The group behind these attacks seemed to have got the message. The Robin Hood charity drive went away, and we wondered what the criminal group’s follow up would be.

If the investigators are correct, this is several orders of magnitude more serious than anything people could have imagined.

Lockdown and emergency powers

The US government declared an emergency and brought in emergency powers to ensure people are still supplied with fuel. Those emergency powers allow for more flexibility for drivers to transport petroleum products to various locations. From the text:

FMCSA is issuing a temporary hours of service exemption that applies to those transporting gasoline, diesel, jet fuel and other refined petroleum products to Alabama, Arkansas, District of Columbia, Delaware, Florida, Georgia, Kentucky, Louisiana, Maryland, Mississippi, New Jersey, New York, North Carolina, Pennsylvania, South Carolina, Tennessee, Texas and Virginia.

The digital to physical impact of the Colonial Pipeline attack

The real-world consequences of this attack are clear, and spread in several directions. There are the immediate risks of transporting fuel across 5,500 miles, and of people having no supplies. We also have potential danger on the roads, as road use increases and drivers have to cope with potentially longer driving hours. Fuel prices? Those appear to have risen, though it seems the supply would need to be down for a few days for it to cause significant impact.

Finally, there’s the issue of the shutdown itself. How many systems are compromised? What’s the damage? Can they guarantee all traces of infection are gone?

If it does turn out to be DarkSide, then this surely destroys their whole Robin Hood angle. And, if a recent message via DarkTracer is to be believed (the message has not been verified by Malwarebytes) then the group is making no pretence this time: “Our goal is to make money.”

If this attacker is DarkSide, it clearly doesn’t help those in need to eliminate their fuel reserves.

They’re coming for your Crypto-coins…maybe

2021 is already shaping up to be a mast year for ransomware. Ransomware gangs now have years of experience and tool making to draw on, cash in the bank, and a cryptocurrency boom to profit from. It is hard to imagine the status quo holding and it seems inevitable governments will respond strongly.

Prior to the attack, the US Justice Department had already announced a 120-day review of its approach to combating cyberthreats, which will include an analysis of how cryptocurrencies enable cybercrime. This echoes concerns raised in a recent strategic plan for tackling ransomware, conducted by the Ransomware Task Force. Among many recommendations, the task force called for ransomware to be treated as a national security threat, and for greater regulation of the cryptocurrency sector. A collision course seems inevitable at some point, and it’s already a significant talking point for experts in this field.

That’s for the future, though. For now, we’re left with supply lines left reeling. A few megabytes of code, perhaps a stray email with a dubious attachment, or maybe even just a server vulnerability that someone didn’t manage to patch in time.

Small issues, massive consequences.

The post Ransomware attack shuts down Colonial Pipeline fuel supply appeared first on Malwarebytes Labs.

A week in security (May 3 – 9)

Last week on Malwarebytes Labs, we discussed how Spectre attacks have come back from the dead; why Facebook banned Instagram ads by Signal; we highlighted the differences between the most popular VPN protocols; pointed out that Google is about to start automatically enrolling users in two-step verification; and how millions are put at risk by old, out of date routers.

Other cybersecurity news:

  • Cisco HyperFlex web interface has a critical flaw. (Source: The Register)
  • NSA advised to strengthen the security of operational technology (OT). (Source: Tripwire)
  • Tesla automobiles vulnerable to compromise over WiFi. (Source: Kunnamon)
  • Fix for critical Qualcomm chip flaw is making its way to Android devices. (Source: ArsTechnica)
  • Multiple critical vulnerabilities in Exim Mail Server dubbed 21Nails. (Source: Qualys)
  • Domain hijacking via logic error; Gandi and Route 53 vulnerability. (Source: Cyberis)
  • Tour de Peloton: Exposed user data. (Source: PenTestPartners)
  • Apple fixes 2 iOS zero-day vulnerabilities actively used in the wild. (Source: BleepingComputer)
  • Google and Mozilla will bake HTML sanitization into their browsers. (Source: The Daily Swig)
  • tsuNAME, a vulnerability that can be used to DDoS DNS. (Source:

Stay safe, everyone!

The post A week in security (May 3 – 9) appeared first on Malwarebytes Labs.

Millions put at risk by old, out of date routers

Since the first stay-at-home measures were imposed by governments to keep everyone safe from the worsening COVID-19 pandemic, we at Malwarebytes have been making sure that you, dear reader, are as cyber-secure as possible in your home network, while you try to work and while your children attend online classes.

There has been much discussion of antivirus protection, patching your software, and using VPNs. But what if the security flaws aren’t in your phones or laptops, but the router your ISP gave you?

Which?, a consumer watchdog in the UK, recently released its findings about routers issued by UK Internet Service Providers (ISPs). Based on its assessment, it reckons that at least two million Britons are at risk from routers that haven’t been updated since 2016. This alone seems to go against the Secure by Design proposal, an already-drafted law that gives power to the Department of Culture, Media, and Sports (DCMS) to order tech makers (phone, tablet, IoT) to be transparent about when they’ll stop providing security updates to their new devices from launch.

Granted, the Secure by Design hasn’t been made law yet, so the ISPs aren’t breaking any regulations. However, it seems preposterous to think that companies would have to wait to be mandated before they start caring about their customers’ security and privacy.

Router flaws found by Which?

Which? has looked into routers provided by EE, Sky, TalkTalk, Virgin Media, and Vodafone. Based on 13 router models it tested, the watchdog found that two-thirds—9 routers out of the 13—had flaws that, if the Secure by Design law were in effect, would easily mark these providers as non-compliant. Below are the old router vulnerabilities Which? found:

* Weak default passwords. These passwords can be easily guessed by hackers, are common across devices and could grant someone access. This can be done from outside of the home network, so a hacker could access a router from anywhere in the world.

* Local network vulnerabilities. While the risk here is lower as a hacker would have to be in the vicinity of the router, vulnerabilities such as this could allow a cybercriminal to completely control your device, see what you’re browsing or direct you to malicious websites.

* Lack of updates. Firmware updates aren’t only important for performance, they’re also needed to fix security issues when they arise. Most of the routers we looked at hadn’t had a security update since 2018 at the latest, with no guarantee of a new one in the near future.

The consumer body is concerned that many UK internet users are using old router models with no guarantee of an upgrade, thus making them “low hanging fruits” for criminal hackers to target. With its findings, Which? encourages customers of UK ISPs mentioned in the report to contact their provider and ask about potentially getting a router upgrade.

Although one of the companies that Which? contacted is using old routers, they said that they continue to monitor for threats and provide updates if needed. Despite this claim, Which? did find an unpatched vulnerability on one of the routers it tested. This could suggest that, although ISPs are doing what they can to patch flaws, it’s likely that they’d miss a few holes.

Virgin Media, one of the ISPs, didn’t accept the testing results from Which?, telling the BBC that “nine in 10 of its customers are using the latest Hub 3 or Hub 4 routers.” However, Which? noted that Virgin only considered the number of paying households, whereas the testing counted each member of the household.

A wake-up call to ISPs

Which? is a proponent of ISP transparency with regard to routers receiving firmware and security updates, a requirement of the Secure by Design proposal. The company also calls for the government to ban the use of default passwords, or ISPs allowing users to set weak passwords on their routers.

This is a good move. Although convenient, setting a weak password isn’t going to strengthen anyone’s security. On top of that, ISPs that always let users take the convenient and insecure route miss a good opportunity to educate their customers on good computer practices, and on good password creation and management in particular.

“Given our increased reliance on our internet connections during the pandemic, it is worrying that so many people are still using out-of-date routers that could be exploited by criminals,” says Kate Bevan, computer editor for Which?, in a press release. “Proposed new government laws to tackle devices with poor security can’t come soon enough – and must be backed by strong enforcement.”

Lastly, Which? calls for UK ISPs to “be ready to respond when security researchers warn them about possible issues – and should make it easy for researchers to contact them.”

Is your router secure?

Many households rely heavily on their routers, for working from home, studying, or simply keeping in touch with friends and families during these tough times. Sure, you may have been using it for years and you haven’t been hacked yet—“to the best of your knowledge”—but you shouldn’t take comfort in this for long. Now is as good a time as any to focus on securing your router.

Using routers that can’t be patched if a serious vulnerability appears increases your risk of being exposed to attacks, and increases the risks for everyone else too. Routers are computers like any other and (as the Mirai botnet showed) they can be compromised and added to a botnet like any other.

So, the best way to stay safe is to make sure you’re using your ISP’s latest router.

Whatever router you’re using, be sure to change the default password if it had one. These are known to criminals and there are vast lists of default passwords circulating on the Internet for anyone to read. For more steps to take, Which? has a section on what to do if you’re affected by the routers mentioned in its lab tests.

The post Millions put at risk by old, out of date routers appeared first on Malwarebytes Labs.

Google to start automatically enrolling users in two-step verification “soon”

If you use a Google account, it may soon be mandatory to sign up to Google’s two-step verification program. As recently as 2017, only a tiny number of Gmail users made use of its two-step options. Maybe the uptake is still slow, and Google has decided enough is enough. With so much valuable data stuffed inside Google accounts, it’s beyond time to ensure they’re locked down properly.

It’s enrolment time

With this need for security in mind, Google has announced the roll-out of automatic two-step verification. If your account is “appropriately configured”, you’ll be ushered into a land of extra security measures. There doesn’t seem to be any additional information about what “appropriately configured” means yet. The Google blog cites the security check-up page, but that simply lists:

  • Devices which are signed in
  • Recent security activity from the last 28 days
  • 2-step verification, in terms of sign-in prompt style, authenticator apps, phone numbers, and backup codes
  • Gmail settings (specifically, emails which you’ve blocked)

How this translates into “Hello, we’re going to enrol you into our two-step verification program”, I’m not entirely sure. Perhaps they’ll add more specific requirements which need to be met to enable the enrolment process at a later date. If the requirement is a minimum level of setting up various security options, then only the most security conscious might be asked to enable it in the first place. This would surely mean those in most need of security fine-tuning won’t get it.

The password problem

Questions about how this will work aside, Google keeps plugging away at the eternally relevant password problem. Their password import feature allows people to save passwords as a CSV file, then port it into Chrome. If you’re hopping from one password manager to another, and have a lot of your online life tied into Google services, this may be ideal.

We’re all impacted by weak security. Compromised logins have a knock-on effect for everybody. When your email is broken into, it allows attackers potential access into every account tied to it. A few password resets later, and one account used for spam is now multiple accounts spamming, sending infections, social engineering, the works. This is how people quickly build up small armies of compromise and go about their shenanigans on a daily basis.

It doesn’t have to be a major campaign. The operators don’t have to be criminal masterminds. A couple of random people with a little bit of tech know-how can quickly figure out how to monetise a few dozen stolen accounts. That’s how you eventually do end up with major campaigns, with more work for law enforcement and security researchers to figure out who the new kids on the block are.

Step up, and lock down

By keeping your accounts secure, you’re not just helping yourself. You’re helping everybody, and preventing them from losing their savings or non-compromised PC to attackers leveraging your bad password practices. This is a good thing to keep in mind as we wave goodbye to this year’s World Password Day. It’s never too late to start brushing up on your passwords. Get yourself familiar with a couple of password managers and pick the right one for you.

Lock down your master password. Set up restrictions on who can log in, and how. Make it so that only people in your specific geographical region can log in. Make yourself some backup codes, print them off, put them somewhere safe in case you lose master password access. Just a few of these steps will go a long way towards keeping both yourself and others much more secure than you were previously. There can’t be any better way to close out the week playing host to World Password Day than that.
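As an added illustration (not Google’s code or anything from the post), here is what the two methods the check-up page lists, authenticator-app codes and backup codes, look like on the verifying side: an RFC 6238 TOTP check with a small clock-drift window, and backup codes that the server keeps only as hashes and accepts exactly once, which is why the printed copy is the only copy you will ever get.

```python
# Added illustration, not Google's implementation: server-side view of
# authenticator-app codes (TOTP) and single-use backup codes.
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side to absorb clock drift.
    compare_digest keeps the comparison constant-time."""
    return any(
        hmac.compare_digest(totp(secret, at + drift * 30), code)
        for drift in range(-window, window + 1)
    )


class BackupCodes:
    """Printed backup codes: the server stores only hashes, and each code works once.
    The plaintext is handed to the user a single time, hence 'print them off and
    put them somewhere safe'."""

    def __init__(self, count: int = 10) -> None:
        self.shown_once = [f"{secrets.randbelow(10 ** 8):08d}" for _ in range(count)]
        self._unused = {self._digest(c) for c in self.shown_once}

    @staticmethod
    def _digest(code: str) -> str:
        return hashlib.sha256(code.encode()).hexdigest()

    def redeem(self, code: str) -> bool:
        """Consume a code; a second use of the same code is refused."""
        digest = self._digest(code)
        if digest not in self._unused:
            return False
        self._unused.remove(digest)
        return True

    def remaining(self) -> int:
        return len(self._unused)
```

The TOTP routine reproduces the RFC 6238 test vectors (secret `12345678901234567890`, time 59 gives 287082), so the same secret enrolled in any authenticator app will agree with it.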

The post Google to start automatically enrolling users in two-step verification “soon” appeared first on Malwarebytes Labs.

VPN protocols explained and compared

A Virtual Private Network (VPN) creates a safe “tunnel” between you and a computer you trust (normally your VPN provider) to protect your traffic from spying and manipulation. Any VPN worth its money encrypts the information that passes through it, so in this article we will ignore those that don’t use encryption. Among VPNs that offer encryption there is a large choice of available protocols. Every one of those protocols has some advantages and disadvantages. These are the important factors to look at when you are about to choose one:

  • Speed
  • Strength of the encryption
  • Stability
  • Ease of use
  • Security/privacy

In this article we’ll look at the different VPN tunneling protocols and how they perform.

What does the VPN protocol do?

Basically, the VPN protocol, or rather the set of rules it uses, decides exactly how your data is routed through a connection. All these protocols have different rule sets based on what they care about most. For example, some VPN protocols prioritize data throughput speed while others focus on masking or encrypting data packets for privacy and security.

How many VPN protocols are there?

This list is not complete, but it covers the most commonly used VPN protocols:

  • OpenVPN
  • L2TP/IPSec
  • SSTP
  • IKEv2
  • PPTP
  • WireGuard

Why does a fast VPN protocol matter?

Even though speed should not be the deciding factor, a slow VPN will discourage users and will therefore quickly be abandoned. You don’t pay top dollar for a fast internet connection just for the VPN to slow it down. Or, when you have a slow connection, you don’t want your VPN to make it even worse. But speed is often a trade-off with other characteristics like the encryption strength and security. And the speed also depends on factors outside of the protocol, like the distance to the VPN server, and obviously the basic speed of your internet connection. Using a VPN will never make it faster.

Security and privacy

This will be the deciding factor for many users when they are about to make a choice for a VPN. It needs to be said that the vendor is at least as important here as the protocol. After all, what good is a secure protocol if it turns out the vendor is willing to hand over your data at the first request? So, if you hear people ask what is better than OpenVPN, for example, the answer is that it depends on what you are looking for exactly. Many protocols are capable of comparable speeds and levels of secure encryption.

Ease of use

A point that we have made often in the past is that security and privacy software that is hard to set up or difficult to manage often misses the target. Misconfigured software doesn’t do what it potentially can do for the user, so it’s basically a waste of time and money. To be honest, we have seen cases where the user would have been safer using a free VPN or none at all.

What VPN protocol should I use?

This is a question that everyone has to answer for themselves. We can tell you about some protocols that are often recommended and why. But you will have to make up your own mind.

OpenVPN is an excellent open-source protocol, but many users struggle to set it up properly. If you have installer software or expert help, then this is not your problem. You will find that OpenVPN is the default protocol used by many paid VPN providers. It is a secure protocol but not super-fast (not super-slow either).

L2TP/IPSec is actually a combination. Layer 2 Tunnel Protocol (L2TP) is the protocol that is paired with Internet Protocol Security (IPsec). In speed and security, it is on par with OpenVPN. It is easier to set up unless you have to bypass a firewall. Some security concerns have been raised because the NSA helped develop IPSec.

SSTP is short for Secure Socket Tunneling Protocol, which was developed by Microsoft. Although the protocol works on Linux, it is primarily thought of as a Windows-only technology. It is easy to set up on Windows machines, as you might expect. It is impossible to use on Macs and hard to deploy on Linux. Speed and security are about the same as for OpenVPN and L2TP/IPSec.

IKEv2 was developed in a joint effort by Microsoft and Cisco. It is very well suited for mobile devices on 3G or 4G LTE because it’s good at reconnecting whenever the connection drops out. The protocol is very fast and secure. It is also easy to set up on the few devices that are compatible.

PPTP is short for Point-to-Point Tunneling Protocol. This protocol was originally developed by Microsoft for dial-up networks. PPTP is fast and easy, but this is mostly due to a low encryption standard, and it comes with some known vulnerabilities, so it is no longer suitable for users that are privacy-focused.

WireGuard is relatively new compared to the other protocols, but it’s quickly become widely adopted because of its high security standard. This does not take away from the speed, because WireGuard ditched a lot of unnecessary extras that other protocols are burdened with, and it runs in the Linux kernel, which also makes it suitable for many platforms and applications.

Choose wisely!

We can only hope you read this article because you set out to make an informed decision (and we hope we have helped you with that). It is important to consider what matters to you in a VPN and also take into account that VPN software is more than just the protocol. The reason why you need a VPN and whether you trust the VPN provider should be equally important. Aside from a few outdated protocols, speed should no longer be an issue. Internet speeds are usually so much higher than what we actually need, a modern VPN should not interfere in a way that is noticeable.

The post VPN protocols explained and compared appeared first on Malwarebytes Labs.