Cloud-based malware in on the rise. In this post, we’ll cover four ways you can help secure your business against cloud-based malware.
The post Cloud-based malware is on the rise. How can you secure your business? appeared first on Malwarebytes Labs.

There’s a lot of reasons to think the cloud is more secure than on-prem servers, from better data durability to more consistent patch management — but even so, there are many threats to cloud security businesses should address. Cloud-based malware is one of them.

Indeed, while cloud environments are generally more resilient to cyberthreats than on-prem infrastructure, malware delivered over the cloud increased by 68% in early 2021 — opening the door for a variety of different cyber attacks.  

But you might be asking yourself: Doesn’t my cloud provider take care of all of that cloud-based malware? Yes and no.

Your cloud provider will protect your cloud infrastructure in some areas, but under the shared responsibility model, your business is responsible for handling many security threats, incidents, responses, and more. That means, in the case of a cloud-based malware attack, you need to have a game plan ready.

In this post, we’ll cover four ways you can help secure your business against cloud-based malware.

**What ways can malware enter the cloud?**

One of the main known ways the malware can enter the cloud is through a malware injection attack. In a malware injection attack, a hacker attempts to inject malicious service, code, or even virtual machines into the cloud system.

The two most common malware injection attacks are SQL injection attacks, which target vulnerable SQL servers in the cloud infrastructure, and cross-site scripting attacks, which execute malicious scripts on victim web browsers.  Both attacks can be used to steal data or eavesdrop in the cloud.

Malware can also get into the cloud through file-upload.

Most cloud storage providers today feature file-syncing, which is when files on your local devices are automatically uploaded to the cloud as they’re modified. So, if you download a malicious file on your local device, there’s a route from there to your business’ cloud — where it can access, infect, and encrypt company data.

In fact, malware delivered through cloud storage apps such as Microsoft OneDrive, Google Drive, and Box accounted for 69% of cloud malware downloads in 2021. 

**Four best practices to prevent cloud-based malware****1\. Fix the holes in your cloud security**

As we covered in our post on cloud data breaches, there are multiple weak points that hackers use to infiltrate cloud environments — and once they find a way into your cloud, they can drop cloud-based malware such as cryptominers and ransomware.

Fixing the holes in your cloud security should be considered one of your first lines of defense against cloud-based malware. Here are three best practices:

*   **Have strong** **identity and access management (IAM)** **policies**: IAM misconfigurations cause 65% of detected cloud data breaches.

*   **Properly configure your public APIs**: Researchers have found that two-thirds of cloud data breaches were caused by misconfigured APIs.

*   **Set up your cloud storage** **correctly**: This is relevant if your cloud storage is provided as Infrastructure-as-a service (like Google Cloud Storage or Microsoft Azure Cloud Storage). By not correctly setting up your cloud storage, you risk becoming one of many companies who suffer a cloud data breach due to a misconfiguration.

**2\. Protect your endpoints to detect and remediate malware before it can enter the cloud**

Let’s say you’re the average small to mid-sized company with up to 750 total endpoints (including all company servers, employee computers, and mobile devices). Let’s also say that a good chunk of these endpoints are connected to the cloud in some way — via Microsoft OneDrive, for example.

At any time, any one of these hundreds of endpoints can become infected with malware. And if you can’t detect and remediate the malware as soon as an endpoint gets infected, there’s a chance it can sync to OneDrive — where it can infect more files.

This is why endpoint detection and response is a great “second line of defense” against cloud-based malware.

Three features of endpoint detection and response that can can help track and get rid of malware include:

*   **Suspicious activity monitoring:** EDR constantly monitors endpoints, creating a “haystack of data“ that can be analyzed to pinpoint any Indicators of Compromises (IoCs).

*   **Attack isolation**: EDR prevents lateral movement of an attack by allowing isolation of a network segment, of a single device, or of a process on the device.  

*   **Incident response**: EDR can map system changes associated with the malware, thoroughly remove the infection, and return the endpoints to a healthy state.

**3\. Use a second-opinion cloud storage scanner to detect cloud-based malware**

Even if you have fixed all the holes in your cloud security and use a top-notch EDR product, the reality is that malware can still make it through to the cloud — and that’s why regular cloud storage scanning is so important.

No matter what cloud storage service you use you likely store _a lot_ of data: a mid-sized company can easily have over 40TB of data stored in the form of millions of files. 

Needless to say, it can be difficult to monitor and control all the activity in and out of cloud storage repositories, making it easy for malware to hide in the noise as it makes its way to the cloud. That’s where cloud storage scanning comes in.

Cloud storage scanning is exactly what it sounds like: it’s a way to scan for malware in cloud storage apps like Box, Google Drive, and OneDrive. And while most cloud storage apps have malware-scanning capabilities, it’s important to have a second-opinion scanner as well.

A second-opinion cloud storage scanner is a great second line of defense for cloud storage because it’s very possible that your main scanner will fail to detect a cloud-based malware infection that your second-opinion one catches.

**4\. Have a data backup strategy in place**

The worst case scenario: You’ve properly configured your cloud, secured all your endpoints, and regularly scan your cloud storage — yet cloud-based malware still manages to slip past your defenses and encrypt all your files. 

You should have a data backup strategy in place for exactly this kind of ransomware scenario. 

When it comes to ransomware attacks in the cloud — which can cause businesses to lose critical or sensitive data — a data backup strategy is your best chance at recovering the lost files.

There are several important things to consider when implementing a data backup strategy, according to Cybersecurity and Infrastructure Security Agency (CISA) recommendations. In particular, CISA recommends using the **3-2-1 strategy.** 

The **3-2-1 strategy** means that, for every file, keep:

*   **One on a workstation**, stored locally for editing or on a local server, for ease of access.
*   **One stored on a cloud backup** solution.
*   **One stored on a long-term storage** such as a drive array, replicated offsite, or even an old school tape drive.

**Prevent cloud-based malware from getting a hold on your organization**

Cloud-based malware is one of many threats to cloud security that businesses should address, and since cloud providers operate under a shared responsibility model, you need to have a game plan ready in the case of a cloud-based malware attack. In this article, we outlined how malware can enter the cloud and four things you can do to better secure your business against it. 

Interested in reading about real-life examples of cloud-based malware? Read the case study of how a business used Malwarebytes to help eliminate cloud-based threats.

Cloud-based malware is on the rise. How can you secure your business?

Google has patched a vulnerability in Chrome which was being exploited in the wild. Make sure you're using the latest version.
The post Update now! Chrome patches ANOTHER zero-day vulnerability appeared first on Malwarebytes Labs.

Google has released version 103.0.5060.114 for Chrome, now available in the Stable Desktop channel worldwide. The main goal of this new version is to patch CVE-2022-2294.

CVE-2022-2294  is a high severity heap-based buffer overflow weakness in the Web Real-Time Communications (WebRTC) component which is being exploited in the wild. This is the fourth Chrome zero-day to be patched in 2022.

**Heap buffer overflow**

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region. In software exploit code, two common areas that are targeted for overflows are the stack and the heap.

The heap is an area of memory made available use by the program. The program can request blocks of memory for its use within the heap. In order to allocate a block of some size, the program makes an explicit request by calling the heap allocation operation.

**The vulnerability**

WebRTC on Chrome is the first true in-browser solution to real-time communications (RTC). It supports video, voice, and generic data to be sent between peers, allowing developers to build powerful voice- and video-communication solutions. The technology is available on all modern browsers as well as on native clients for all major platforms.

A WebRTC application will usually go through a common application flow. Access the media devices, open peer connections, discover peers, and start streaming. Since Google does not disclose details about the vulnerability until everyone has had ample opportunity to install the fix it is unclear in what stage the vulnerability exists.

**How to protect yourself**

If you’re a Chrome user on Windows or Mac, you should update as soon as possible.

The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong, such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerability. My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking **Settings > About Chrome**.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

After the update the version should be 103.0.5060.114 or later.

Since WebRTC is a Chromium component, users of other Chromium based browsers may see a similar update.

Stay safe, everyone!

Update now! Chrome patches ANOTHER zero-day vulnerability

Bug bounty platform HackerOne has disclosed that it was the victim of a rogue insider.
The post HackerOne insider fired for trying to claim other people’s bounties appeared first on Malwarebytes Labs.

The vulnerability disclosure platform HackerOne has revealed that one of their staff members had improperly accessed security reports for personal gain.

The—now former—staff member approached HackerOne customers with vulnerabilities that belonged to users of the platform.

**HackerOne**

HackerOne acts as a mediator between white hat hackers that find software vulnerabilities, and software vendors who want to know about weaknesses in their products. The vendors let HackerOne take care of the first steps after a vulnerability is discovered in their software. The hackers submit detailed reports to be evaluated and triaged by HackerOne.

Generally you will see the platform referred to as a bug bounty program, because part of the business entails paying rewards to the white hat hackers that find new vulnerabilities.

**Disclosure**

Responsible disclosure is one of the pillars of trust that platforms like HackerOne are built upon. The vendors trust that the found vulnerabilities will remain secret until they have had a chance to fix or patch them. That is, after all, how the platform contributes to a safer internet. And the bug bounty hunters rely on the platform to negotiate a fair reward for their efforts.

Having someone in your staff that steals ideas from one side and tries to monetize them on the other side breaks that trust on both sides.

**What happened?**

On June 22, 2022, a customer asked HackerOne to investigate a suspicious vulnerability disclosure made outside of the HackerOne platform. The vulnerability was suspiciously similar to one that was already under investigation. And the hacker, operating under the handle “rzlr” used intimidating language.

Bug collision, where two bug bounty hunters find the same vulnerability around the same time, happens on occasion, but the customer was able to convince HackerOne that this was not a coincidence.

According to HackerOne, it quickly became clear that this must have been an inside job, and a day after the customer’s inquiry HackerOne had a suspect on its radar. They terminated the suspect’s system access and remotely locked their laptop.

The company says it then managed to associate a HackerOne sockpuppet account to the suspected employee by following the money trail. The employee’s contract was terminated a week after the investigation started.

Vendors using HackerOne who have been contacted by someone using the handle “rzlr”, and who aren’t already coordinating with HackerOne, are urged to contact the company (for details on how, see HackerOne’s report of the incident).

It is believed that none of the vulnerabilities affected have been put to use in exploits, and that the insider’s actions have not affected any judgments or bounty amounts.

Customers who had any reports accessed by the threat actor have been contacted by HackerOne specifying what was accessed and when.

**Lessons learned**

HackerOne has been admirably transparent about the incident.

> Since the founding of HackerOne, we have kept a steadfast commitment to disclosing security incidents because we believe that sharing security information far and wide is essential to building a safer internet.

It says it has identified several areas it intends to improve. It believes that better logging could improve its ability to respond to similar incidents in the future, and it is going to add additional employees dedicated to insider threats that will bolster detection, alerting, and response for business operations that require human access to disclosure data.

Perhaps least surprisingly it says it will also look to improve its hiring screening. Insider threats are one of the most insidious in cybersecurity. Especially in the business model of a negotiator where mutual trust at two sides of the business is of the essence.

HackerOne insider fired for trying to claim other people’s bounties

This week on Lock and Code, we discuss the various laws that can be violated when good-faith hacking reveals security flaws. 
The post When good-faith hacking gets people arrested, with Harley Geiger: Lock and Code S03E14 appeared first on Malwarebytes Labs.

When Lock and Code host David Ruiz talks to hackers—especially good-faith hackers who want to dutifully report any vulnerabilities they uncover in their day-to-day work—he often hears about one specific law in hushed tones of fear: the Computer Fraud and Abuse Act.

The Computer Fraud and Abuse Act, or CFAA, is a decades-old hacking law in the United States whose reputation in the hacker community is dim. To hear hackers tell it, the CFAA is responsible not only for equipping law enforcement to imprison good-faith hackers, but it also for many of the legal threats that hackers face from big companies that want to squash their research.

The fears are not entirely unfounded.

In 2017, a security researcher named Kevin Finisterre discovered that he could access sensitive information about the Chinese drone manufacturer DJI by utilizing data that the company had inadvertently left public on GitHub. Conducting research within rules set forth by DJI’s recently announced bug bounty program, Finisterre took his findings directly to the drone maker. But, after informing DJI about the issues he found, he was faced not with a bug bounty reward, but with a lawsuit threat alleging that he violated the CFAA.

Though DJI dropped its interest, as Harley Geiger, senior director for public policy at Rapid7, explained on today’s episode of Lock and Code, even the threat itself can destabilize a security researcher.

> “\[It\] is really indicative of how questions of authorization can be unclear and how CFAA threats can be thrown about when researchers don’t play ball, and the pressure that a large company like that can bring to bear on an independent researcher.”
> 
> Harley Geiger

Today, on the Lock and Code podcast, we speak with Geiger about other hacking laws can be violated when conducting security researcher, how hackers can document their good-faith intentions, and the Department of Justice’s recent decision to not prosecute hackers who are only hacking for the benefits of security.

This video cannot be displayed because your _Functional Cookies_ are currently disabled.

To enable them, please visit our _privacy policy_ and search for the Cookies section. Select _“Click Here”_ to open the Privacy Preference Center and select _“Functional Cookies”_ in the menu. You can switch the tab back to _“Active”_ or disable by moving the tab to _“Inactive.”_ Click _“Save Settings.”_

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

When good-faith hacking gets people arrested, with Harley Geiger: Lock and Code S03E14

Avaya, a communications company for SMBs, was left in the dark for years as insiders stole and sold its license keys.
The post Insider Threat: Employees indicted for stealing $88 million of license keys appeared first on Malwarebytes Labs.

Two insiders and an accomplice were indicted on Tuesday for multiple counts of fraud. According to documents unsealed by the Wester District of Oaklahoma, a grand jury charged Raymond Bradley Pearce (aka Brad Pearce), a former employee of Avaya; Dusti O. Pearce, his wife; and Jason M. Hines (aka Joe Brown, aka Chad Johnson, aka Justin Albaum), a former Avaya authorized reseller, with conspiracy to commit wire fraud and 13 counts of wire fraud. The court also charged the Pearces with one count of conspiracy to commit money laundering, and money laundering.

Avaya is a business-to-business (B2B) communications company catering to small- and medium-sized businesses. It sold a product called IP Office, a kind of telephone system, that depended on software licenses to fully use its features, such as voicemail or more telephones.

These licenses were generated within Avaya and sold via authorized distributors and resellers. Avaya required each software license to be linked to a physical flash memory card with a unique serial number. This card had to be plugged into a computer to activate the license.

Avaya introduced Avaya Cloud Office in 2020 and replaced IP Office. However, many businesses worldwide continue to use the latter through license renewals.

Per the indictment, Brad Pearce, a former Avaya customer service employee, abused his administrator privileges to create software license keys and sell them to Jason Hines, a de-authorized reseller, and other customers. They then sold the keys to other resellers and end-users globally.

Pearce also hijacked accounts of former Avaya employees to generate more license keys and draw suspicion away from him. He also used his privileges to conceal evidence that such accounts were generating keys, leaving Avaya in the dark for years.

Dani Pearce allegedly took the accountant and financial manager role in their illegal business operation.

Hines, who operated Direct Business Services International (DBSI), presumably sold the licenses at a much lower price than Avaya’s standard wholesale price. This caused an estimated $88 million in financial damage to Avaya.

All money the Pearces received went to multiple PayPal accounts, bounced to different bank accounts, and then routed to investment accounts. The document further revealed the couple invested in valuable items and large quantities of gold bullion.

According to the fourth installment of the annual insider threats report released by Proofpoint and the Ponemon Institute, insider threat incidents have increased in frequency and cost. Of the more than 6,000 incidents they looked into, 26 percent of them are criminal insiders, the category Pearce and Hines might belong to.

The report, if anything, paints a harrowing picture of the increased risk of insider threats. And non-enterprise organizations aren’t immune to it. More than ever, it is essential for companies of all sizes to take action to reduce this risk.

**Combatting insider threats**

Every organization should acquaint itself with the differet types of insider threats they might have to deal with. Controlling insider threats includes (but is not limited to):

*   Identifying risks that may be unique to your industry.
*   Assigning access rights according to the principle of least privilege.
*   Propper logging and auditing of user activity.

Lastly, organizations should also refer to the common sense guide to mitigating insider threats. A thorough but non-exhaustive list of insider threat references on the same site.

Stay safe!

Insider Threat: Employees indicted for stealing $88 million of license keys

To celebrate Independence Day we're drawing attention to five technologies that could improve life, liberty and the pursuit of happiness on the Internet. 
The post 5 pro-freedom technologies that could change the Internet appeared first on Malwarebytes Labs.

In the digital era, freedom is inextricably linked to privacy. After a good start, the Internet-enabled, technological revolution we are living through has hit some bumps in the road. We have already lost a lot of control over who and what has access to our data, and there are further threats to our freedom on the horizon.

It doesn’t have to be that way though, and it is not inevitable that the trend will continue. To celebrate Independence Day we want to draw your attention to five technologies that could improve life, liberty and the pursuit of happiness on the Internet.

The technologies are listed in a rough order of simplest, soonest, and most likely to happen, to most complex, furthest out, and least likely to happen.

**DNS encryption**

DNS encryption plugs a gap that makes it easy to track the websites you visit.

The domain name system (DNS) is a distributed address book that lists domain names and their corresponding IP addresses. When you visit a website, your browser sends a request to a DNS resolver, which responds with the IP address of the domain you’re visiting. The request is sent in plain text, which is the computer networking equivalent of yelling the names of all the websites you’re visiting out loud.

Anyone, or anything, on the same local network as you can see your DNS lookups, as can your ISP, which will happily sell your browsing history to the highest bidder. And any machine-in-the-middle (MitM) attackers between you and the DNS resolver—such as rogue Wi-Fi access points—can also silently change your plain text DNS requests and use them to direct you to malicious websites.

DNS encryption restores your privacy by making it impossible for anything other than the DNS resolver to read and respond to your queries. You still have to trust the resolver you send your requests to, but the eavesdroppers are out in the cold.

DNS encryption is new, and still relatively rare, but it is supported natively by modern versions of Windows, macOS, Android, and iOS, as well as a number of different DNS clients, proxies and applications, including the DNS Filtering module for the Malwarebytes Nebula platform. It’s ascendancy seems assured.

**Passwordless authentication**

Passwordless authentication could usher in a world where we no longer rely on passwords, and that could be an enormous, unabashed win for security and peace of mind. The trouble is, that has been true for a _very long time indeed_, and it hasn’t happened yet.

There is reason to hope that things are finally about change though.

Passwords are a great idea in theory that fail horribly in practice. Humans are poorly equipped to create and remember them, and demonstrably poor at building systems that handle them securely. And yet almost every Internet account requires one. The inevitable result is an epidemic of poor passwords and an entire criminal industry preying on them with relentless automated attacks.

For a long time, the successor to the password was widely presumed to be some form of biometric authentication—such as face or fingerprint recognition—but nobody could agree which one. With multiple novel, competing, costly, and incompatible alternatives, passwords remained the clear winner.

The solution to that gridlock was FIDO2.

FIDO2 is a specification that uses public key encryption for authentication. This allows users to log in to websites without sharing a secret that needs to be secured like a password. There is nothing for a programmer to secure, nothing for an attacker to guess, and nothing that can be stolen in a data breach.

The sensitive encrpytion work all happens on a device owned by the user, which can be a specialist hardware key, a phone, a laptop, or any other compatible device. FIDO2 doesn’t specify what the device is, or how it should be secured, only that a user must make a “gesture” to approve the authentication. This leaves device manufacturers free to use whatever “gesture” works best for them: PIN numbers, swipe patterns, and any and all forms of biometrics. The end result is a technology that allows you to log in to a website securely using Windows Hello, Apple’s Touch ID, and any number of other methods that exist now or could be created in the future.

Passwordless authentication is possible today but still extremely rare. However, it took a big step forward in May this year when Google, Microsoft, and Apple made simultaneous, coordinated pledges to increase their adoption of the FIDO2 standard.

**Onion networking**

Onion networking, the technology behind Tor and the “dark web”, has been around for twenty years, so it might seem an odd candidate for an emerging technology that could change everything—but what if that’s just because we’ve been thinking about it the wrong way?

Tor is a network of servers that allows software clients (like web browsers) and services (like websites) to communicate securely and anonymously. Although the software is extremely good at what it does, today it services a narrow niche of users who put privacy and security above all, and it has become strongly associated with ransomware, illegal drug markets, and other forms of unsavoury criminal activity.

According to security evangelist Alec Muffett, we are overlooking a very important aspect of this technology though. Muffett was previously a security engineer at Facebook, where he was responsible for putting the social network on Tor. Speaking to David Ruiz on a recent Malwarebytes Lock and Code podcast, he explained how he sees Tor as “a brand new networking stack for the Internet” that can “guarantee integrity, and privacy, and unblockability of communication.”

Every Tor address is also the cryptographic public key of the service you want to talk to. For example, the Facebook address is:

www.facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg7kx5tfyd.onion

Having the public key act as the address provides cryptographic assurance that you are talking to the service you want to talk to, bypassing several layers of the OSI model, and cutting out fundamental Internet vulnerabilities, such as BGP hijacking.

We should stop thinking about Tor as just an anonymity tool, says Muffet. It should be attractive to anyone who cares about the integrity of their brand and what it has to say:

> If you are in the position of providing a forum, a messenger service, or news to a mass public … where your brand name is a really important part of your value proposition, then onion networking is for you, because you can make sure that no one can mess with your traffic.
> 
> Alec Muffet speaking to Lock and Code.

Although mainstream organizations like The New York Times, Pro Publica, Facebook, and Twitter have already embraced Tor, having a .onion site is still very much the exception. In all likelihood, it will take something quite dramatic to change that, but that doesn’t mean it can’t happen.

In 2013, Edward Snowden’s revelations about pervasive Internet surveillance triggered a huge gobal effort to make encrypted web traffic the norm, rather than the exception.

A similar stimulus today could tip onion networking from its niche into the mainstream.

**Cryptocurrencies**

People may be surprised to see cryptocurrencies appearing in our list. If cryptotrading sites are naming stadia and buying superbowl ads then cryptocurrencies are already mainstream and hardly a technology for the future, surely.

Its presence near the bottom of our list tells you that isn’t how we see it.

Cryptocurrencies face a number of cyclone-force headwinds, starting with the current, across-the-board, price crash. The market cap of the biggest currencies, Bitcoin and Ether, is shrinking fast, and some cryptocurrencies have already disappeared completely; the free flow of venture capital money is likely to dry up; there are issues with scalability, scams, rug pulls, thefts from exchanges, and environmental damage; and the pseudo-anonymity blockchains provide is challenged by our ever-improving capacity to identify patterns in payments.

More importantly, from the perspective of _life, liberty, and the pursuit of happiness_, almost nobody is using these currencies as actual currencies—nobody is paid in Bitcoin, and nobody is using Ether to buy groceries. Remember, Bitcoin was supposed to be a peer-to-peer electronic cash system not a vehicle for speculative trading.

So why is it on our list at all?

For all the reasons to dislike them or write them off, cryptocurrencies are hard to ignore. At its core, the original cryptocurrency, Bitcoin, was supposed to be a trustless, borderless payment system that was built on top of the Internet.

> What is needed is an electronic payment system based on cryptographic proof instead of trust, allowing any two willing parties to transact directly with each other without the need for a trusted third party.
> 
> “Satoshi Nakamoto”, from Bitcoin: A Peer-to-Peer Electronic Cash System

It was a vision of what freedom might look like in the digital age.

That desire for freedom propelled Bitcoin it in its early days, and the attractiveness of a private, peer-to-peer currency is undimmed, even if nobody has managed to actually build one that works yet.

The current crash will pass and the strongest ideas and technology will survive. We suspect that Satoshi’s original vision will be one of them, even if Bitcoin isn’t.

**Homomorphic encryption**

The cornerstone of digital privacy, security, and freedom is encryption, and the last item in our list is one of its holy grails: Encryption that never needs to be undone.

Encryption protects your data if your phone is stolen, and it makes your emails, credit card details, and WhatsApp messages tamper proof as they whizz around the Internet. And it’s what underpins all of the other things in our list.

And all of the examples above have something in common: They are either examples of encryption that’s used to protect data at rest, or data that’s in transit. Moving or storing data only gets you so far though, sooner or later it has to be used. It can’t be used unless it’s decrypted, and you need to trust whatever system has access to that decrypted data.

Homomorphic encryption algorithms allow mathematical operations to be performed on encrypted data, so that it doesn’t need to be decrypted at all, ever, even when it’s being used.

The result of performing a mathematical operation on the encrypted data is the same as if the data was decrypted, subject to a mathematical operation, and the answer encrypted.

This incredible act of needle threading needs to ensure that you can’t learn anything about the data from the ciphertext (the encrypted version of the data), and that you can’t learn anything at all about it by observing the mathematical operations performed on it.

If you had access to homomorphic encryption you wouldn’t have to trust anyone you share your data with, whether they are the vendors in your organization’s supply chain, or your favorite, data-hungry social network.

Almost unbelievably, homomorphic encryption algorithms already exist. The reason you don’t have access to their almost magical properties though is that they are prohibitively slow. It currently takes days for them to perform actions that we expect to take seconds.

Although slow, these algorithms are already millions of times quicker than they were just a few years ago. And while that rate of improvement will surely decelerate, the processing power of computers is still doubling every few years.

At some point in the not-too-distant future, when these two trends meet, it could change how we think about trust and freedom in the digital age completely.

5 pro-freedom technologies that could change the Internet

We take a look at a site claiming to offer "free" visa access to the UK via WhatsApp. All is not quite as it seems.
The post “Free UK visa” offers on WhatsApp are fakes appeared first on Malwarebytes Labs.

A student friend recently shared a WhatsApp message, unsure if it was scam. The message claims to offer an easy to route to free visas, housing, accommodation, and medicine access.

Here’s how we know it was a scam, and where it lead.

It read as follows:

> **UK GOVERNMENT JOB RECRUITMENT 2022**: This is open to all Individuals who wants to work in UK, Here is a great chance for you all to work conveniently in the UK. UK needs over 132,000 workers in 2022. Over 186,000 Jobs are Open for applying. THE PROGRAM COVERS: Travel expense. Housing. Accommodation. Medical facilities. Applicant must be 16 years or above. Can speak basic English. BENEFIT OF THE PROGRAM: Instant work permit. Visa application assistance. All nationalities can apply. Open to all individuals and students who want to work and study. Apply here \[url removed\]

As you might suspect, there’s multiple red flags in the above claims for anyone considering signing up.

**The bogus visa claim checklist**

The site gives the impression of being operated by UK Visas and Immigration, and repeats some of the errors and red flags from the WhatsApp message.

“We are hiring”

It said:

We are urgently looking for foreigners to apply for the thousands of jobs already available in the United Kingdom. This application is free and upon approval you will be given a work permit, visa, plane tickets and accommodation in the UK for free.

With even the most cursory of glances, the claims on this website simply don’t add up. Let’s dissect some of them:

1.  UKVI applications all begin here, on a gov.uk address. This scam site is not hosted on a gov.uk address.
2.  The Home Office does _not_ cover the cost of flights or accomodation for visa applicants coming to the UK.
3.  There is no free access to medical services in the UK. Visa holders pay an annual immigration health surcharge to access NHS services. This is paid upfront at visa application time.
4.  The minimum age requirement for a skilled work visa is 18, not “16 years or above”.
5.  In most cases, applicants need to be able to demonstrate English ability through one of several available qualifications, not just “can speak basic English”.
6.  You won’t get an “Instant work permit” without paying an additional fee to make use of same day / next day processing.

**It’s website quiz time**

The site posed two questions, including marital and employment status. It then asks for first and last name, email address, and phone number. No matter what I entered, or even if I left all the form elements blank, I always got the following message:

> After checking your applications, You have been approved to work in the United Kingdom 2022

I most certainly had not. It continued:

> –Your UK VISA FORM will be available immediately after you click the “Invite Friends/Group” button below to share this information with 15 friends or 5 groups on WhatsApp so That They Can Also be Aware of the PROGRAM.

Unlike other sites along the same lines, this one didn’t check if I really was sending the link to people on WhatsApp, so I faked it. Did I get my visa after “sharing” the scam?

No, I did not.

**A distinct lack of visa forms**

The clue is definitely in the title. Instead of the promised form, I was greeted by the following message:

No visas yet

> To facilitate the downloading of your UK VISA FORM you must complete this final step of Nationality Verification!
> 
> 1.Click the Continent you are from and complete the given tasks, verification is by phone number or downloading, registering e.t.c.
> 
> (Remember, this step is very important, add your phone number to verify)
> 
> Do not skip any step..

I think my favourite part about all of this is that they used the logo for VISA, the financial multinational corporation. At this point, why not?

**Of redirects and surveys**

Whether I choose “Africa” or “Other Continent”, I was directed to several sites selling drones and watches or asking for mobile numbers, alongside yet more quizzes. The visa forms? Not so much.

This is not what a visa form looks like

While digging around for more information on the site involved in this, I came across this article from the last day or so. Clearly, this site is doing the rounds in WhatsApp circles. There’s also some additional UK visa-related scams listed there too, one of which was bouncing around a few months ago. All in all, this is yet another “if it’s too good to be true” escapade and should be avoided.

“Free UK visa” offers on WhatsApp are fakes

A new bill proposes the strongest Federal data privacy protections yet for reproductive and sexual health data.
The post My Body, My Data Act would lock down reproductive and sexual health data appeared first on Malwarebytes Labs.

A new bill entered into both the House of Representatives and the Senate proposes the strongest Federal data privacy protections yet for an increasingly scrutinized form of data in the United States—reproductive and sexual health data.

The “My Body, My Data Act of 2022” was announced in early June in response to a leaked draft of a Supreme Court opinion that reported to show the Court’s intentions to overturn a seminal decision from 1973 that guaranteed a Constitutional right to have a choice to an abortion. Congresswoman Sara Jacobs (D-CA), sponsor of the bill in the House of Representatives, said in a press release that she was focused on protecting reproductive health data in light of the new,  judicial threat.

“Since the Supreme Court leak, I’ve heard from so many people who are panicked about their personal reproductive health data falling into the wrong hands,” Jacobs said. “The My Body, My Data Act will protect that information, protect our privacy, and reaffirm our rights to make our own decisions about our bodies.”

The bill, which has 46 cosponsors in the House and 11 cosponsors in the Senate, would stop companies from collecting, using, retaining, and disclosing “personal reproductive or sexual health information” unless a company first receives express consent from a user or if a company is using such information to specifically deliver a service that a user has requested. The bill’s definition of “personal reproductive or sexual health information” is broad, including any information that could reveal a person’s attempts to “research or obtain” reproductive health services, any reproductive or sexual health conditions, such as pregnancy, menstruation, and whether a person is sexually active, and any information about procedures that a person has undergone related to reproductive or sexual health.

If passed, the bill would also extend new rights to consumers to access and delete personal reproductive or sexual health information from the companies that collect it.

Since the bill’s announcement last month, it has only gained more attention.

On June 24, the Supreme Court decided in the case _Dobbs v. Jackson Women’s Health Organization_ that the right to an abortion, which was guaranteed under a right to privacy as decided in 1973, was not “deeply rooted in this Nation’s history or tradition.” Voting 6 – 3, the Court overturned _Roe v. Wade_.

With the Court’s decision, immediate fear arose that reproductive health data could be requested by law enforcement only to be used as evidence to prosecute individuals seeking abortions—or even those who miscarried. The Digital Defense Fund responded to the Court’s decision by updating its resources on how individuals can keep their reproductive health decisions both private and secure. The group’s resources include a section on keeping reproductive health data out of the hands of “Big Tech.”

Further, several period-tracking apps independently announced efforts to anonymize user data so that even if law enforcement requested data about certain users, those companies could not respond in a meaningful way. Users have reportedly flocked to period-tracking apps that are making these promises, but as TechCrunch recently uncovered, one such company that announced new, pro-user plans last week—Stardust—was still sharing users’ phone numbers with third parties.

> “TechCrunch ran a network traffic analysis of Stardust’s iPhone app on Monday to understand what data was flowing in and out of the app. The network traffic showed that if a user logs into the app using their phone number (rather than through a login service provided by Apple or Google), Stardust will periodically share the user’s phone number with a third-party analytics service called Mixpanel.”

TechCrunch also reported that Stardust’s efforts to bring “end-to-end encryption” were potentially faulty, as the company’s founder described a data transfer process that may only provide encryption for data in transit and for data that is stored on Amazon’s web servers.  

The period-tracking app morass is familiar, then: Once again, users in America of any number of services are left to independently manage their interactions with companies that could be sharing their data with an immeasurable number of third parties which, to most consumers, are entirely unknown.

The My Body, My Data Act could change that, requiring new restrictions not on how data is technologically stored, but on whether such data is ever collected in the first place.

The bill also includes what is called a “private right of action,” meaning that consumers who have had their privacy rights violated under the law could be able to sue individual companies for those violations. The inclusion of a private right of action is exceedingly rare in nearly any data privacy law that has been introduced in both statewide legislation and before the Federal government.

The bill is currently supported by Planned Parenthood, NARAL, National Abortion Federation, URGE, National Partnership for Women & Families, and Feminist Majority.

My Body, My Data Act would lock down reproductive and sexual health data

The most important and interesting computer security stories from the last week.
The post A week in security (June 27 – July 3) appeared first on Malwarebytes Labs.

*   Partner Success Story
*   Marek Drummond
    
    Managing Director at Optimus Systems
    
    "Thanks to the Malwarebytes MSP program, we have this high-quality product in our stack. It’s a great addition, and I have confidence that customers’ systems are protected."
    
*   See full story

A week in security (June 27 – July 3)

LockBit remained the most active threat in June, and “the costliest strain of ransomware ever documented” went dark while others surged.
The post Ransomware review: June 2022 appeared first on Malwarebytes Labs.

Malwarebytes Threat Intelligence builds a monthly picture of ransomware activity by monitoring the information published by ransomware gangs on their Dark Web leak sites. This information represents victims who were successfully attacked but opted not to pay a ransom.

In June, LockBit was the most active ransomware, just as it has been all year. The month was also notable for the disappearance of Conti, and the large number of attacks by groups alleged to have links with the disbanded group.

The service industry remained the hardest hit industry sector, and the USA the most attacked country. The number of attacks in the USA continued to dwarf other countries, with more known victims than Canada and all the European countries in our list combined.

Known ransomware attacks by group, June 2022

Known ransomware attacks by country, June 2022

Known ransomware attacks by industry sector, June 2022

**LockBit**

Without fanfare, LockBit has become the dominant force in ransomware this year. Although there were fewer victims on its leak site in June than in May, it was still far ahead of its competition.

While Conti—“the costliest strain of ransomware ever documented,” according to the FBI—has spent 2022 making noisy pronouncements and digging itself out of a hole of its own making with a hair-brained scheme to fake its own death, LockBit has been all business.

Like all the ransomware in our review, LockBit is offered in the form of ransomware-as-a-service (RaaS). Attacks are carried out by affiliates (“pen testers”) who pay the LockBit organization 20 percent of the ransoms they receive in return for using its software and services.

And while some ransomware gangs seem to want to tell the world what they think, and how great they are, LockBit seems to care more about what its users think. Its affiliate page begins with a statement that seems designed to contrast it with its nosiy Russian rival:

> We are located in the Netherlands, completely apolitical and only interested in money.

Thereafter the page is peppered with people-pleasing language designed to signal the gang’s trustworthiness and willingness to listen. Affiliates are asked “if you do not find one of your favorite features, please inform us,” and told that “it is very important for us to know about all our strengths and weaknesses.” It says “we have never cheated anyone and always fulfill our agreements. Decrypter work, stolen data is deleted”

It is this combination of attractiveness to affiliates and an ability to avoid costly mistakes that seems to be behind its success this year.

This risk averse approach is nothing new. Out of an abundance of self interest, ransomware has always conspicuously avoided attacking targets in Russia and the Commonwealth of Indpednent States, for example. Attracting the attention of the three-letter agencies in Russia and the USA is simply bad for business.

Unusually, LockBit hit the headlines in June with some obvious publicity seeking. The gang launched LockBit 3.0, along with a new dark web site, and a bug bounty program promising rewards of up to $1 million for finding bugs in its website and software, submitting brilliant ideas, or successfully doxing the head of the gang’s affiliate program.

The LockBit 3.0 bug bounty page

> We invite all security researchers, ethical and unethical hackers on the planet to participate in our bug bounty program. The amount of remuneration varies from $1000 to $1 million.

Whether the group seriously intends to pay out these sums remains to be seen. If all it wanted from the announcement was to drum up some publicity, it has already succeeded. However, if it does intend to use bug bounties it improve its software and sharpen its approach then it could deprive law enforcement and security researchers of valuable tools and information.

**Conti**

As expected, the last public vestige of the Conti ransomware gang, its leak site, disappeared in June, after a few weeks of inactivity. As we reported in last month’s ransomware review, detailed research by Advintel in May suggested that the gang’s alignment with the Russian state in February had caused victims’ lawyers to warn against paying it ransoms, for fear of breaking sanctions.

When the group’s revenue dried up its leaders allegedly hatched a plot to retire the brand by dispersing its members into other ransomware gangs like BlackBasta, BlackByte, KaraKurt, Hive and ALPHV, and then faking its own death.

Malwarebytes Threat Intelligence was able to independently confirm that Conti sent an internal announcement about its retirement to affiliates at the end of May, and that its internal chat servers stopped working around the same time.

The leak site disappeared on June 22, 2022, and remains down.

The Conti leak site on June 22, 2022

The Conti shutdown has overlapped with the overnight arrival of BlackBasta in April and a big increase in activity (and the appearance of a new leak site) by KaraKurt in June. It may be a coincidence, but we note that last month the combined activity of BlackBasta, BlackByte, and KaraKurt reached Conti-like levels.

Known attacks involving Conti compared to known attacks involving alleged Conti “brands” BlackBasta, BlackByte, and KaraKurt

The resurgent KaraKurt extortion group has a new leak site

**Trends**

Most software, even malware, trends towards “feature completeness”—a point where adding new features adds little, if anything, to its usefulness. Ransomware has been more-or-less feature complete for a number of years, and most RaaS offerings have very similar capabilities.

Similarly, the way that ransomware is packaged and sold, and the ways that different affiliates break into networks and deploy ransomware vary little from one ransomware group to another, and evolve slowly.

The most active area of innovation in the last few years appears to be how gangs operate as a business, and in how they put pressure on victims to pay a ransom.

In June we saw some things we haven’t seen before: The LockBit gang offering bug bounties, and a leak site by the ALPHV group aimed at the staff and customers of a victim.

At least one ransomware gang has tried targeting executives at the top of companies in an effort to ramp up the pressure, but ALPHV’s targeting of employees and customers with a dedicated website is new. The site allowed guests and employees to explore the personal data ALPHV had stolen from them in the attack and, very unusually, the leak site was _not_ on the dark web.

A leak site dedicated to one victim, a hotelier, allowed guests and employees to explore the data about them that had been stolen

By putting the site on the regular web the gang made the infrmation much more accessible to non-technical users, but without the protection of Tor it only lasted a few days before being taken down. The gang would certainly have known this would happen, but presumably it only had to last long enough to gather the attention it needed in order to impact negotiations.

The experimental ALPHV leak site appeared on the regular world wide web and was even indexed by Google

Such innovation is nothing new—ransomware gangs experiment with new ideas all the time. The experiments that don’t work are forgotten and those that do are quickly copied by other gangs.

In this case the experiment appears to have been unsuccessful. The victim has since appeared on the main ALPHV dark web leak site, which normally indicates they have resisted the pressure to pay a ransom.

**Malwarebytes protection**

Malwarebytes can protect systems against all ransomware variants in several ways.

The Malwarebytes Anti-Malware technology detects malicious files, browser modifications, and system modifications on Windows PCs using a combination of signature-based and signatureless technologies.

For those already infected, Ransomware Rollback can help recover encrypted files within 72 hours of the attack. Rollback creates a local cache on the endpoint to store changes to files on the system. It can use this cache to help revert changes caused by a threat. The rollback feature is dependent on activity monitoring available in Malwarebytes Endpoint Detection and Response.

Source

Malwarebytes