We take a look at a scam barbeque quiz that asks "winners" to send a lot of WhatsApp messages to qualify.
The post WhatsApp spam offers up “B&Q Father’s Day Contest 2022” appeared first on Malwarebytes Labs.

Father’s Day in the UK (June 19) is almost upon us, and scammers are taking advantage of it—and the fractional possibility of some nice weather—using a barbeque-themed lure.

**A mysterious WhatsApp message**

The barbeque bait arrives out of the blue, from a somebody who has your number, as a random message bringing word of a supposed “B&Q Father’s Day Contest” with what looks like a very nice barbeque set up for grabs. What could go wrong? (B&Q is a British multinational DIY / home improvement company and exactly the kind of place someone in the UK might buy a nice barbeque set from.)

The message is plausible, and the only clue that something is amiss, other than it being unsolicited, is the Russian .ru domain name.

Would you spot the .ru domain?

Regular readers would know to steer clear of this missive, perhaps even ask the sender via other means if they _meant_ to send the message. The problem with this one is that they probably _did_ intend to send it (you’ll see why later).

**If your name’s not down, you’re not coming in**

The linked site really does _not_ like you visiting from anything other than a mobile browser. Try to access from a desktop, and you’ll be told “Access Denied”. Firing up VPNs or Tor Browser, designed to help keep your online activities anonymous, seem to have a similar end result. All they want you to do is click the original link from your mobile.

As it happens, there _is_ a reason for this. It wouldn’t be cost-effective for promotions to allow non-mobile visitors onto a mobile themed offering. This is because said mobile offerings want to take advantage of something your desktop won’t have. It could be a feature specific to Android or iPhone, or perhaps they have a certain app in their sights.

Click the link on your mobile from the correct geographic region and you’ll make it to the landing page. If not, you’ll probably be turned away.

**The Father’s Day Contest landing page**

Visitors are greeted by what appears to be a B&Q-themed page.

The “B&Q Father’s Day Contest”

The site says

> Welcome to the B&Q Father’s Day Contest!
> 
> Take the quiz, find the hidden prize and win the new Weber gas barbeque

The Weber is a fancy bit of kit, retailing for around $1,200. Small wonder that people would be happy to take the quiz. The quiz itself is a collection of 4 questions including:

*   Do you know of B&Q?
*   How old are you?
*   How would you rate B&Q?

With these out of the way, it’s competition time.

**Best out of 3?**

Visitors are presented with 9 gift boxes, and have 3 chances to select the correct one.

Oops!

Sadly I failed on my first box opening, but hit the barbeque-shaped jackpot on my second attempt. Do I get my barbeque set? Not yet:

“Tap continue and claim your gift”

First, the scammers tell you to “share with 5 groups / 20 friends on WhatsApp” to claim your gift, with the offer only being valid for 500 seconds. This is why you get the message from a friend, and this is how it spreads.

Try as I might, the site wouldn’t let me progress past this stage. If you refresh the page, the number of gifts resets to the original amount of 250 and then stops at a low number. Just enough to make you think there’s a few left. Does anybody _really_ think they’re giving away around $300,000 of barbeque equipment every few minutes?

There’s also multiple Facebook-style comments at the bottom of the page, complete with inactive Like and Reply options underneath each one of the other supposed winners.

Based on how these things usually go, you probably have to hand over personal information to an advertiser. There’s no FAQ, EULA, competition rules, or privacy policy on the landing page; merely a copyright notice at the bottom listed as “Advertorial”.

As tempting an offer as this sounds, we’d advise anyone looking for a gift this Father’s Day to keep shopping around.

WhatsApp spam offers up “B&Q Father’s Day Contest 2022”

Here are four big threats to cloud storage security that SMBs should be ready to address to help prevent cloud data breaches.
The post Cloud data breaches: 4 biggest threats to cloud storage security appeared first on Malwarebytes Labs.

Just about anywhere you look, organizations are using the cloud in some form—and they’re not all large enterprises.

Small and medium businesses (SMBs) are also reaping the many benefits that the cloud offers over on-premise software, especially the lowered IT costs, increased scalability, and large storage capacity that come along with it. No doubt, with a cloud provider like AWS or Azure taking the wheel of some (or all) of your infrastructure, you have less to worry about.

But cloud services are delivered online, which can make it easier for threat actors to get a hold of sensitive data—and SMBs are wary of their cloud storage security as a result.

In this post, we’ll break down the four big threats to cloud storage security that SMBs should be ready to address.

**1\. File-based malware**

Most cloud storage providers today feature file-syncing, which is when files on your local devices are automatically uploaded to the cloud as they’re modified.

File-syncing is great for businesses since it allows for a “central hub” of files for teams across different devices to access and work on. But it’s great for file-based malware for the same reason.

Cloud storage providers like OneDrive or DropBox are mounted to a local folder on your computer, and files stored in the cloud are synchronized with it. As far as your device is concerned, those cloud folders are just like any other folder. So, if you download a malicious file on your local device, there’s a route from there to your business’ cloud—where it can access, infect, and encrypt company data.

This kind of ransomware attack is also known as “Ransomcloud”. Check out our “File-sharing and cloud storage sites: How safe are they?” article for tips to keep you safe.

**2.   Weak IAM policies**

Each user in a cloud environment has their own roles and permissions governing the access they get to certain parts of the cloud, and because cloud workloads are accessed online, all hackers need are your credentials to get the “keys to the kingdom”.

This is why strong identity and access management (IAM) policies are so essential to cloud security.

Identity and access management is a means of controlling the permissions and access for users of cloud resources. You can think of IAM less as a single piece of software and more of a framework of processes, policies, and technology.

According to Palo Alto Networks, most known cloud data breaches start with misconfigured IAM policies or leaked credentials.

Specifically, researchers found that IAM misconfigurations cause 65% of detected cloud data breaches, with the runners up being weak password usage (53%) and allowing password reuse (44%).

**3.   Insecure APIs**

Many businesses use Application Programming Interfaces (APIs) to connect applications and data to the cloud. At a high level, APIs allow different applications to communicate with each other over a network.

Since APIs provide a means of querying, accessing, and modifying important data, cloud threat actors are constantly searching for vulnerabilities in them. And lo and behold: In a 2021 analysis of its impacted clients, IBM’s X-Force IR team found that two-thirds of cloud data breaches were caused by misconfigured APIs.

**4.   Misconfiguration**

In VMware’s 2021 State of Cloud Security report, 1 in 6 companies surveyed experienced a cloud data breach due to a misconfiguration in the past year. Researchers elsewhere found that, of all cloud services, cloud storage has one of the highest misconfiguration rates.

Given this, it’s not surprising that there have been many cloud storage data breaches in recent years.

Just last year, misconfigured Amazon S3 buckets exposed more than 1,000 GB of data and over 1.6 million files from dozens of municipalities in the US. Microsoft Azure hasn’t fared much better: In 2021, misconfigured Azure storage accounts exposed millions of files containing sensitive information.

**Cloud storage security remains a top concern for SMBs**

While there’s no denying that the pros of the cloud generally outweigh the cons, businesses still have many cloud threats to address. The good thing is that we don’t need to reinvent the wheel to lessen our chances of a cloud data breach.

For example, anything as simple as employee phishing education can help prevent file-based malware. Similarly, good “password hygiene” and multi-factor authentication can improve weak IAM policies. Lastly, conducting regular vulnerability assessments and patching can help you find and address weak points before threat actors do.

To learn more about privacy and security best practices, read our tips to protect your data, security, and privacy from a hands-on expert.

Cloud data breaches: 4 biggest threats to cloud storage security

A review of what's changed in malware in 2022, and what hasn't, based on Adam Kujawa's talk at RSAC 2022.
The post ASyncRat surpasses Dridex, TrickBot and Emotet to become dominant email threat appeared first on Malwarebytes Labs.

Earlier this year Malwarebytes released its 2022 Threat Review, a review of the most important threats and cybersecurity trends of 2021, and what they could mean for 2022. Among other things it covers the year’s alarming rebound in malware detections, and a significant shift in the balance of email threats.

We are now halfway through 2022 and Malwarebytes’ Security Evangelist Adam Kujawa has been updating attendees at this year’s RSA Conference on what the report contains, and what’s happened since it was published.

This is what he had to say about how the trends in detections and email threats have changed in the months since the Threat Review data was compiled.

**The “Covid bounce”**

The 2022 Threat Review detailed the remarkable rebound in detection numbers for malware, adware and Potentially Unwanted Programs (PUPs) in 2021.

Detections of all three went down during 2020, as pandemic restrictions created a huge increase in the number of people working from home. As cybercriminals adapted and restrictions eased, detection numbers surged again in 2021, on Windows business machines and home computers, and on Macs.

Windows malware detections 2019-2021, showing the “Covid bounce”

Kujawa has now updated the chart to include the first five months of 2022, and it shows that the trend of the last year has broadly continued into this one. Business detections are currently on course to be slightly ahead of 2021’s numbers, and consumer detections slightly behind, perhaps reflecting a reduction in working from home and an increase in office work.

Windows malware detections from January 2019 to May 2022

Looking in detail at what’s been detected this year further strengthens the idea that 2021’s patterns are extending into 2022. After a radical shake up in 2020, the types of malware being detected have settled down somewhat, with only small changes in the ten most commonly detected threats in the first half of 2022.

Top 10 Windows malware detection categories 2021

Top 10 Windows malware detection categories from January 2022 to May 2022

**Dramatic change in email detections**

Last year saw a significant evolution in email threat detections, and that change has accelerated dramatically in the first half of 2022.

At the end of the last decade, the email threat landscape was dominated by vast numbers of Emotet, TrickBot, and Dridex detections—complex and sophisticated threats with multiple tools designed to attack corporate networks. All three were banking trojans that were later used to deploy ransomware.

In each year from 2018-2020, these malware families accounted for between 75 percent and 90 percent of all email detections.

Email threat detections 2018-2020

That picture changed in 2021. The pandemic restrictions introduced in 2020 had seen an enormous rise in working from home, necessitating a switch in tactics by threat actors. The dominant trio of Emotet, TrickBot, and Dridex were less widely used, perhaps because they were a poor fit for home networks.

Between them, they made up just 42 percent of detections in 2021, and the space they vacated was filled by six other malware families operating at a similar scale.

One of the newcomers was AsyncRat, a Remote Access Trojan (RAT) that hadn’t featured at all in previous years but made up 13 percent of detections in 2021.

Email threat detections 2021

In the first half of 2022 AsyncRat accounted for a massive 62 percent of malicious email detections, with Dridex the next most prevalent at 12 percent, Trickbot at six, and Emotet at just two.

Email threat detections in the first half of 2022

It appears that the “changing of the guard” first identified in the 2022 Threat Review is now complete.

ASyncRat surpasses Dridex, TrickBot and Emotet to become dominant email threat

We take a look at a large-scale Facebook phishing operation, reputedly generating millions in ill-gotten gains.
The post Facebook users targeted in massive phishing campaign appeared first on Malwarebytes Labs.

Facebook is once again the launchpad for a large-scale phishing campaign, according to researchers at PIXM. The campaign, which first shows signs of life back in September 2021, has generated millions of page views and ad referral revenue “estimated to be millions of USD at this scale of operation”.

**Credential harvesting on a grand scale**

Researchers claim the threat actors stole one million credentials in four months to help achieve the above potential level of revenue. Aspects of the phish campaign are fairly typical of what you can expect to see from a Facebook phish, and the tactics used to spread bogus links are not particularly original. What matters most of all is that it _works_. When basic phishing tactics pull in so many accounts and clicks, there’s no need to overcomplicate things.

One of the scam pages from 2021 attracted no fewer than 2.7 million users, with the number rising to about 8.5 million in 2022. This is a huge ramp-up of already significant numbers, and also perhaps a little surprising that the site avoided being taken down for abuse.

This is one phishing campaign that isn’t messing around.

**How the phish worked**

Unfortunately specifics are absent in a few areas, but it works as follows.

A Facebook user receives a notification in Messenger. This is, at its most basic, a rogue link. There’s no information around whether a message accompanies it, and if so, what it says. However, something as simple as the below messages are routinely used in Facebook scams:

*   Seen this?
*   Is this you in the photo?
*   Guess who died?
*   Check this out!

The link is shortened to help bypass any Facebook spam filters. The shortening services used are commonplace, popular and entirely legitimate. This makes it trickier for Facebook to figure out if the link is potentially good or bad.

The link takes potential victims to a variety of sites but a phishing page will be the primary destination. Once phished, the victim is sent elsewhere. It could be a promotion, a survey scam, or pretty much anything else that’s ad-centric. There’s also the mention of potential malvertising pages, on top of the threat of being phished. All these links have ad trackers and other ad-related forms of revenue generation buzzing away in the background.

**Current state of play**

According to PIXM, the campaign is still alive and kicking. Many of the sites involved have been taken down, and one website listed in the landing page code has been “seized” in relation to an investigation. What that investigation is, and who is doing it, isn’t clear.

What is clear, is that without dedicated resources and probable law enforcement involvement, something like this will never fully go away. It’s simply too easy to keep creating spam domains, signing up as an affiliate, and generating endless shortened URLs. The (potentially exaggerated) claims of $150 for every thousand visits from the US alone from the threat actor is all the incentive they need to keep doing it. As researchers note, this figure would result in a theoretical revenue of $59M from the end of 2021 to now.

**Tips to avoid Facebook phishing**

*   Be wary of messages which don’t follow the natural flow of a conversation. Messages sent at unusual hours or out of the blue with a link should be treated with caution.
*   If you’re presented with a “Login to view content” box, take a deep breath before going any further. If you’re already logged in, there should be no reason why you’d be asked to login again. Check the URL. Are you on Facebook.com, or an unrelated website?
*   If you’re able to, ask the sender about their message away from Facebook. Their Facebook account may have be compromised, but you probably don’t have to worry about sending them a text.
*   Enable 2-factor authentication (2FA). If you hand over your password to a phishing page, the phisher can’t do much with it while you’re protected with 2FA. Keep in mind that some phishing sites will also try to steal your 2FA codes.
*   Add login alerts to your Facebook account. If someone does compromise your login credentials and access your account, you’ll be notified by Facebook as soon as this happens.

Facebook users targeted in massive phishing campaign

BlackBasta, a newish ransomware group that is somehow linked to Conti, has a new Linux variant of its malware that targets VMware ESXi virtual machines.
The post BlackBasta is the latest ransomware to target ESXi virtual machines on Linux appeared first on Malwarebytes Labs.

BlackBasta, an alleged subdivision of the ransomware group Conti, just began supporting the encryption of VMware’s ESXi virtual machines (VM) installed on enterprise Linux servers. Because more and more organizations have begun using VMs for cost-effectiveness and easier management of devices, this change in tactic makes sense.

An ESXi VM is a bare-metal hypervisor software. Software can be characterized as “bare metal” if installed directly onto the physical machine, between the hardware and the operating system.

Siddharth Sharma and Nischay Hegde, threat researchers from Uptycs, were the first to spot and reveal BlackBasta’s tactical change in a report.

**On Linux: BlackBasta 101**

BlackBasta first appeared in April 2022 after the group ramped up their attacks against dozens of organizations. Although the brand seems relatively new, the way the group quickly accumulates victims, as well as their negotiation tactics, betray a level of experience not seen in fledgling and inexperienced online criminal gangs. This is probably why many cybersecurity communities associate them with known ransomware actors, particularly Conti.

Like other ransomware variants targeting Linux systems, BlackBasta encrypts the /vmfs/volumes folder. This is where virtual machines on ESXi servers are stored. Encrypting the files here will render VMs unusable.

If it cannot find this folder, however, the ransomware exits.

BlackBasta ransomware uses ChaCha20, a cryptographic algorithm known for its speed, to encrypt files. This is run in parallel with multithreading to make encryption faster, further avoid detection, and increase ransomware throughput.

Once files are encrypted, the extension .basta is appended at the end of all affected files. BlackBasta also drops the ransom note, readme.txt, which contains a unique ID and a URL to a chat support channel accessible only using Tor.

Contents of the readme.txt ransom note dropped in every subfolder in volumes. (Source: Uptycs)

A section of the ransom note reads:

    Your data are stolen and encrypted
    The data will be published on TOR website if you do not pay the ransom
    You can contact us and decrypt one file for free on this TOR site
    (you should download and install TOR browser first https://torproject.org)
    {URL redacted}

**Protect your Linux ESXi VM against ransomware attacks**

Vincent Bariteau, Threat Intelligence Support Analyst at Malwarebytes, recommends organizations follow these best practices to protect their Linux servers against ransomware attacks if they’re using ESXi VM:

*   Harden the SSH (Secure Shell) access to allow only a specific user to use it.
*   Disable SSH if it’s not needed, or only make it available from a specific network/IP address via a firewall configuration.
*   Ensure that you are following VMWare’s general security recommendations for ESXi.

Organizations also have the option of using a free, open-sourced tool called Lynis, which is an auditing tool.

BlackBasta is the latest ransomware to target ESXi virtual machines on Linux

After dragging their feet for months Owl Labs has released a patch for vulnerabilities that were publicly disclosed a week ago. The company denies the seriousness of the vulnerabilities.
The post Update now! Patch against vulnerabilities in Meeting Owl Pro and Whiteboard Owl devices appeared first on Malwarebytes Labs.

After a decent amount of pressure, Owl Labs has finally released updates for vulnerabilities in Meeting Owl, and Whiteboard Owl cameras. The vulnerabilities were reported to Owl Labs in January,

One of the vulnerabilities, CVE-2022-31460 has been added to the Known exploited vulnerabilities catalog by the Cybersecurity & Infrastructure Security Agency (CISA) and needs to be updated by June 22, 2022.

**Owl Labs**

Owl Labs makes 360-degree video conferencing equipment for classrooms and boardrooms. It produces several pieces of hardware, including the Meeting Owl Pro, a speaker fitted with cameras, microphones and an owl-like face, and a whiteboard camera for hybrid meetings.

**The research**

Researchers at modzero examined the Meeting Owl and found serious defects in the built-in security mechanisms.

And these vulnerabilities were not minor. By exploiting the vulnerabilities an attacker could find registered devices, their data, and owners from around the world. Attackers could also access confidential screenshots of whiteboards or use the Owl to get access to the owner’s network.

The researchers found the existence of at least four different ways to bypass the PIN protection (passcode), which protects the Owl from unauthorized use.

**The vulnerabilities**

The Common Vulnerabilities and Exposures (CVE) database is a list of publicly disclosed computer security flaws. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Below you will find the CVEs assigned to the vulnerabilities:

*   CVE-2022-31460: Owl Labs Meeting Owl 5.2.0.15 allows attackers to activate Tethering Mode with hard-coded credentials. The tethering mode turns the Owl into an access point (AP) by creating a new Wi-Fi network while staying connected to the existing Wi-Fi. This basically allows any authorized user to turn the Owl into a rogue access point. A rogue access point by definition constitutes a wireless access point installed on a secure network without explicit authorization from a local network administrator. Hard-coded credentials is where embedded authentication data, like user IDs and passwords, are included the source code of the device.

**Passcode bypasses**

*   CVE-2022-31463: Owl Labs Meeting Owl 5.2.0.15 does not require a password for Bluetooth commands, because only client-side authentication is used. To extend the range of devices and provide remote control by default Owl Labs uses the Bluetooth functionality. The vulnerability makes it possible for an attacker in proximity to control the devices to the extent that they can disable any set passcode.
*   CVE-2022-31462: Owl Labs Meeting Owl 5.2.0.15 allows attackers to control the device via a backdoor password which can be found in Bluetooth broadcast data. A hardcoded backdoor passcode exists which depends on the serial number of the device. This hardcoded passcode is the SHA-1 hash representation of the devices’ software serial number. The hash is broadcasted as the name of the Owl over Bluetooth Low Energy (BLE). So an attacker in close proximity can simply get hold of the hardcoded backdoor passcode. Also, it is possible to generate all existing serial numbers by a script.
*   CVE-2022-31461: Owl Labs Meeting Owl 5.2.0.15 allows attackers to deactivate the passcode protection mechanism via a certain message from the companion app. An attacker would have to be close enough to the Owl to communicate over BLE to exploit this vulnerability.
*   CVE-2022-31459: Owl Labs Meeting Owl 5.2.0.15 allows attackers to retrieve the SHA1 hash of the passcode over BLE. It is possible to brute-force the passcode from the hash in seconds since it consist only of digits. An attacker with knowledge of the BLE endpoint can use this knowledge to control any Meeting Owl in their proximity.

**What is Bluetooth Low Energy (BLE)?**

BLE is a Bluetooth protocol which launched in 2010, especially designed to achieve low power consumption and latency, while at the same time accommodating the widest possible interoperable range of devices. The BLE protocol also does not require paring between the sender and receiver and it can send authenticated unencrypted data.

For those interested, a full disclosure report by modzero is available online.

**Slow pokes**

Another worrying factor in the report is the timeline of disclosure which gives the impression of an uninterested attitude and unwillingness to fix on the part of Owl Labs. Given the seriousness of the vulnerabilities and the nature of Owl Labs’ clients one might have wished it was treated with more urgency.

The researchers shifted the time of disclosure several times until they were finally fed up with the unresponsiveness of Owl Labs. And only after the vulnerabilities had been disclosed Owl Labs came up with patches for the vulnerabilities. On June 6, 2022, Owl Labs stated that all high-security issues had been addressed, and said it was in the process of implementing a few additional updates. Earlier Owl Labs said that the likelihood that its customers were affected by these issues is low.

**Mitigation**

Meeting Owl Pro and Whiteboard Owl will automatically send over the air software updates to Owls that are connected to Wi-Fi and plugged into power over night.

To determine what version of software is on your Owl, follow these steps.

If your Owl’s software is out of date, please follow these instructions for how to update your Owl’s software.

We are pretty sure this owl will have a tail and will keep you updated about any developments here.

Update now! Patch against vulnerabilities in Meeting Owl Pro and Whiteboard Owl devices

Apple aims to fix the password problem forever with a single-tap sign in approach known as the passkey. Will it work?
The post Apple’s passkeys attempt to solve the password problem appeared first on Malwarebytes Labs.

The recent Apple Worldwide Developers Conference (WWDC) revealed another teasing of what has been referred to as “the end of passwords forever”.

Passkeys are a “new biometric sign-in standard”. Biometrics in security circles are used for things like identity cards, building access, and so on. This typically involves scans of your fingerprints, or face. Either of these may be physically used on a device or through a readable card scanned into a system.

Every so often, they’re hailed as a possible replacement to the passwords you’re likely using on websites and systems right this very second. One of their biggest benefits is that they’re totally unique to you. The _downside_ of this is that they’re…totally unique to you. A big argument against biometrics for security purposes is that once they’re stolen, your biometrics are out there forever. You can’t exactly change them, but then not having to change them is a key selling point in the first place.

With this caveat out of the way: Passkeys aren’t about tying your biometrics to an ID card. You’re not going to do anything you aren’t _already_ doing with biometrics via your Apple devices. If you’re already happy with using biometrics for everyday activities on your iPhone, this probably won’t be a concern.

Let’s take a look at what Apple is doing with its passkeys.

**Pass the passkey**

Some of Apple’s primary concerns about the kind of passwords we use currently:

*   Difficult to use correctly
*   Easily phished/reusable
*   The trade-off between security versus convenience

The new system uses Keychain, Touch ID, and passkeys to help you log in with a minimum of fuss.

Using a passkey involves signing in to a service you normally use, and then selecting the “Create passkey” option. The passkey is saved to your iCloud Keychain, and is then available to sign in on all of your devices. A few taps has given you “a unique, cryptographically strong key pair” for your account. All you need is to be running macOS Ventura and iOS 16.

It’s designed to work across as many platforms as possible. It also allows you to login on other people’s machine via your phone and a QR code. Want to share a passkey with people you trust? Airdrop can do that for you. Apple wants this working across, and with, as many of their services and features as possible.

**Breaking up the password flow**

Eventually, the idea is to exist as a replacement for passwords. The passkey option being added into the username field as an additional popup option seems to be the goal. No password entering, no username entering: just the passkey.

Of course, not everyone is going to be using this feature. Not all sites and services will make the leap. Traditional passwords can’t exactly just vanish any time soon, so this is realistically an addition to password flows for the time being.

**How secure is the passkey?**

When you sign in with a password, it is (hopefully) hashed and salted. These are encryption processes which make it more difficult for people to compromise your details should a data breach occur. The obfuscated output is sent to, and stored on, the server. When you visit the service at a later date and produce the same hashed salted value, it grants you access.

With Apple’s new creation, instead of a single typeable string the passkey is a pair of related keys generated by your devices. They’re unique for every account. One key is stored on the server and is public. The other, private key, is stored on your device and the server is never actually told what it is. From the Apple support document:

> “_On Apple devices with Touch ID or Face ID available, they can be used to authorize use of the passkey, which then authenticates the user to the app or website. No shared secret is transmitted, and the server does not need to protect the public key. This makes passkeys very strong, easy to use credentials that are highly phishing-resistant. And platform vendors have worked together within the FIDO Alliance to make sure that passkey implementations are compatible cross-platform and can work on as many devices as possible._“

On top of all this, Apple IDs using iCloud Keychain require two-factor authentication. There’s also protection against rogue devices accessing a Keychain via syncing identities and their “circle of trust“.

**All hail the single-tap sign in?**

Anything promising to combine good security with actual convenience is always a strong sales pitch. Google and Microsoft are also eager to solve the password problem forever. Support for the FIDO standard of passwordless sign-ins is definitely the direction passwords are headed in.

What remains to be seen is the buy-in rate from sites, services, and apps. Apple spends quite a bit of time explaining to developers how easy it is to integrate passkeys into their sites. We just have to hope that, as with all the passwordless proposals, developers will listen.

Apple’s passkeys attempt to solve the password problem

We catch up with some old acquaintances that just aren't ready to hang up the towel just yet.
The post MakeMoney malvertising campaign adds fake update template appeared first on Malwarebytes Labs.

Malware authors and distributors are following the ebbs and flow of the threat landscape. One campaign we have tracked for a numbers of years recently introduced a new scheme to possibly completely move away from drive-by downloads via exploit kit.

In this quick blog post, we will look at this new attack chain and link it with previous activity from what we believe are the same threat actors.

**FakeUpdates (SocGholish) lookalike**

Our researcher Fillip Mouliatis identified a malvertising campaign leading to a fake Firefox update. The template is strongly inspired from similar schemes and in particular the one distributed by the FakeUpdates (SocGholish) threat actors.

However distribution and implementation are very different. Unlike FakeUpdates which uses compromised websites to push their template, this one is driven via malvertising. Please note the IP addresses involved in the redirection infrastructure as we will come back to them in a moment.

The template itself is much more simplified and appears to be in development with a fake Firefox update that contains a couple of scripts that pull down an encrypted payload. The initial executable consists of a loader which retrieves a piece of Adware detected as BrowserAssistant. This payload was seen before and interestingly through a similar malvertising campaign involving the RIG exploit kit.

**MakeMoney connection**

The malvertising infrastructure is essentially the same one that was used in numerous drive-by campaigns with exploit kits since late 2019. For some reason the threat actors are reusing the same servers in Russia and naming their malvertising gates after different ad networks.

Security researcher @na0\_sec saw the “MakeMoney gate”, named after the domain makemoneywithus\[.\]work (**188.225.75.54**), redirect the Fallout exploit kit in October 2020, although it mostly used RIG EK for several years. Probably the earliest instance of this threat group was seen in December 2019 via the gate gettime\[.\]xyz (**185.220.35.26)**.

Looking at this infrastructure shows that the group reused a few servers quite predictably during these years between AS59504 vpsville and AS9123 TimeWeb. For example, gettime\[.\]xyz was hosted on the same server (185.220.35.26) as makemoneyeazzywith\[.\]me. Staying with the MakeMoney theme, we see makemoneywith\[.\]us on 188.225.75\[.\]54. That server was likely hosting a Keitaro TDS given such hostnames as keitarotrafficdelivery\[.\]xyz.

There is also activity on **185.220.33.3**, **185.230.140.210** and **188.225.75.54** hosting a number of impersonation hostnames such as magicpropeller\[.\]xyz (PropellerAds), magicpopcash\[.\]xyz (PopCash).

We find it interesting that the same threat actors remained faithful to RIG EK for so long during a period where exploit kits were going out of business. They also seemed to poke fun at the same ad networks they were abusing, unless the choice for names associated with their gates was motivated by sorting out their upstream traffic.

We don’t believe we have seen the last of this threat group. Having said that, their latest social engineering scheme could use some improvements to remove some blatant typos while their server-side infrastructure could be tidied up.

**Indicators of Compromise**

**IP addresses (malvertising domains, gates)**

185.220.35.26  
188.225.75.54  
185.220.33.3  
185.230.140.210

**IP addresses (fake template)**

188.227.107.121  
188.227.107.92

**Domains (malvertising domains, gates)**

adcashtds2\[.\]xyz  
adcashtdssystem\[.\]site  
adsinside\[.\]xyz  
adsterramagic\[.\]me  
adstexx\[.\]xyz  
allmagnew\[.\]xyz  
alltomag\[.\]xyz  
an-era\[.\]shop  
ankgomag\[.\]xyz  
anklexit\[.\]online  
ankltrafficexit\[.\]xyz  
ankmagicgo\[.\]xyz  
blackexit\[.\]xyz  
ccgmaining\[.\]life  
ccgmaining\[.\]live  
ccgmaining\[.\]work  
clickadusweep\[.\]vip  
clickadusweeps\[.\]vip  
clickadutds\[.\]xyz  
clicksdeliveryserver\[.\]space  
clicktds2\[.\]xyz  
cryptomoneyinside\[.\]xyz  
cryptomoneyinsider\[.\]biz  
cryptomoneyinsider\[.\]link  
cryptomoneyinsider\[.\]site  
cryptomoneyinsider\[.\]work  
cryptomoneyinsiders\[.\]com  
cryptomoneyinsiders\[.\]site  
cryptomoneyinsiders\[.\]work  
cryptomoneytds\[.\]xyz  
cryptopaycard\[.\]shop  
cryptosuite\[.\]pro  
cryptosuitetds\[.\]com  
cryptotraffic\[.\]vip  
cryptotraffictds\[.\]online  
cryptotraffictdss\[.\]xyz  
cryptozerotds\[.\]xyz  
daiichisankyo-hc\[.\]live  
earncryptomoney\[.\]info  
exitmagall\[.\]xyz  
extradeliverytraffic\[.\]com  
extramoneymaker\[.\]vip  
familylabs\[.\]xyz  
fujimi\[.\]fun

gettime\[.\]xyz  
hilldeliveryexit\[.\]xyz  
hillex\[.\]xyz  
hilllandings\[.\]xyz  
hillmag\[.\]xyz  
hillmagnew\[.\]xyz  
hilltopmagic\[.\]xyz  
hilltoptds\[.\]xyz  
hilltoptdsserver\[.\]xyz  
hilltoptdsservers\[.\]fun  
hilltoptrafficdelivery\[.\]com  
hilltoptrafficdelivery\[.\]xyz  
jillstuart-floranotisjillstu\[.\]art  
k-to-kd\[.\]me  
keitarotrafficdelivery\[.\]com  
keitarotrafficdelivery\[.\]xyz  
lahsahal\[.\]site  
magcheckall\[.\]me  
magicadss\[.\]xyz  
magicadsterra\[.\]xyz  
magicclickadu\[.\]xyz  
magickhill\[.\]xyz  
magickpeoplenew\[.\]xyz  
magicpopcash\[.\]xyz  
magicpropeller\[.\]xyz  
magicself\[.\]xyz  
magiczero\[.\]xyz  
makemoneyeazzywith\[.\]me  
makemoneynowwith\[.\]me  
makemoneywith\[.\]us  
makemoneywithus\[.\]work  
mizuno\[.\]casa  
money365\[.\]xyz  
myallexit\[.\]xyz  
myjobsy\[.\]com  
nawa-store\[.\]com  
newallfrommag\[.\]xyz  
newzamenaadc\[.\]xyz  
newzamenaclick\[.\]xyz  
newzamenaself\[.\]xyz  
newzamenazero\[.\]xyz  
nippon-mask\[.\]site  
northfarmstock\[.\]xyz  
offers\[.\]myjobsy\[.\]com

offersstudioex\[.\]live  
openphoto\[.\]xyz  
partners\[.\]usemoney\[.\]xyz  
prelandingpages\[.\]xyz  
promodigital\[.\]me  
propellermagic\[.\]xyz  
sberbank\[.\]hourscareer\[.\]com  
sberjob\[.\]hourscareer\[.\]com  
selfadtracker1\[.\]online  
selfadtrackerexit\[.\]xyz  
selftraffictds\[.\]xyz  
selfyourads\[.\]xyz  
shop\[.\]mizuno\[.\]casa  
supersports\[.\]fun  
surprise\[.\]yousweeps\[.\]vip  
tracker\[.\]usemoney\[.\]xyz  
traffic\[.\]selfadtracker1\[.\]online  
traffic\[.\]usemoney\[.\]xyz  
trafficdeliveryclick\[.\]xyz  
trafficdeliveryoffers\[.\]com  
trafficdeliverysystem\[.\]world  
traffictrackerself\[.\]xyz  
tryphoto\[.\]xyz  
trytime\[.\]xyz  
usehouse\[.\]xyz  
usemoney\[.\]life  
usemoney\[.\]xyz  
ymalljp\[.\]com  
yousweeps\[.\]vip  
zamenaad\[.\]xyz  
zamenaclick\[.\]xyz  
zamenahil\[.\]xyz  
zamenazer\[.\]xyz  
zapasnoiadc\[.\]xyz  
zapasnoiclick\[.\]xyz  
zapasnoiself\[.\]xyz  
zapasnoizero\[.\]xyz  
zermag\[.\]xyz  
zernewmagcheck\[.\]xyz  
zerocryptocard\[.\]shop  
zeroexit\[.\]xyz  
zerok2exit\[.\]xyz  
zeroparktraffic\[.\]xyz  
zeroparktrakeroutside\[.\]shop  
zerotdspark\[.\]space  
zerotracker\[.\]shop

**References**

https://twitter.com/MBThreatIntel/status/1483235125827571715  
https://twitter.com/MBThreatIntel/status/1361824286499950601  
https://twitter.com/malware\_traffic/status/1412128664721014785  
https://twitter.com/malware\_traffic/status/1357513424566124548  
https://twitter.com/FaLconIntel/status/1351739449932083200  
https://twitter.com/tkanalyst/status/1226125887256416256  
https://twitter.com/david\_jursa/status/1346562997305696262  
https://twitter.com/nao\_sec/status/1334289601125445633  
https://twitter.com/FaLconIntel/status/1298661757943087105  
https://twitter.com/nao\_sec/status/1294871134001799168  
https://twitter.com/david\_jursa/status/1232996830520193024  
https://twitter.com/david\_jursa/status/1229354505583628288  
https://twitter.com/nao\_sec/status/1211975197219151876

MakeMoney malvertising campaign adds fake update template

The creation of a foul-mouthed chat bot called GPT-4chan re-triggered the discussion about how we want to use and regulate AI and ML.
The post Awful 4chan chat bot spouts racial slurs and antisemitic abuse appeared first on Malwarebytes Labs.

> _“A robot may not injure a human being or, through inaction, allow a human being to come to harm”_

Science fiction readers, and many others, will recognize Asimov’s first law of robotics. After reading about a bot called GPT-4chan I was wondering whether we should include:

> _“A bot may not insult a human being or, through interaction, allow a human being to be discriminated”_

GPT-4chan was based on an AI instance trained using 3.3 million threads from 4chan’s infamously toxic Politically Incorrect /pol/ board. Once trained, the creator released the chat bot back onto 4chan. And, no surprise here, the AI behaved just as vile as the posts it was trained on, spouting racial slurs and engaging with antisemitic threads.

While many outside the industry may have found the experiment interesting, serious AI researchers commented that this did not qualify as a serious experiment, but as an unethical one.

**Déjà vu**

Reading the above may cause some people to think they have seen this before. What you may remember reading about is a Microsoft Twitter AI chat bot that went rogue in less than 24 hours. The more someone chats with Tay (the name of the chat bot), said Microsoft, the smarter it gets, learning to engage people through casual and playful conversation.

However, quickly Twitter users proved that artificial intelligence (AI) and machine learning (ML) adhere to the “garbage in, garbage out” law in computer science. Twitter users managed to turn Tay into a racist and misogynist in less than a day.

**GPT-3**

The name GPT-4chan was partly based on the Generative Pre-trained Transformer 3 (GPT-3) language model that uses deep learning to produce human-like text. In January 2022, OpenAI introduced a new version of GPT-3, which should do away with some of the most toxic issues that plagued its predecessor.

Large language models like GPT-3 use vast bodies of text for training. Often these texts originate from the internet. In these texts they encounter the best and worst of what people put down in words. As such, the training material includes toxic language as well as falsehoods. Filtering out offensive language from the training set can make models perform less well, especially in cases where the training data is already sparse. In its new InstructGPT model, OpenAI tries to align language models with user intent on a wide range of tasks by fine-tuning with human feedback.

**Accidental bias**

Despite the obvious potential, recent events have exposed how automated systems can both intentionally and unintentionally lead to bias. For example, women see fewer advertisements about entering into science and technology professions than men do. Not because companies are preferentially targeting men, but as a result derived from the economics of ad sales.

Simply put, when an advertiser pays for digital ads, including postings for jobs in science, technology, engineering and mathematics,  it is more expensive to get female views than male ones. So the algorithm targets men to enhance the number of eyeballs per spent dollar.

Another well-known example is an algorithm that selected new candidates for a job based on the current population of employees. By doing this, the algorithm amplified the outdated model that says some jobs are predominantly done by men, or women.

As AI becomes a mandatory strategic tool across multiple industries, companies using AI as part of their strategies need to accept their roles and responsibilities in reducing the risk and impact of bias inherent in their products and services.

**Regulation**

As you may have guessed, my call for regulation was not a novel idea. In 2020, Google CEO Sundar Pichai stated he felt that AI needed regulation in order to prevent the potential negative consequences of tools including deepfakes and facial recognition. In his mind, this was not a conversation to save for tomorrow while the building and implementing of AI tools is happening today. But by nature, laws and regulations are mostly created as a response to abuse, rather than as a visionary approach of what could go wrong.

**An ongoing discussion**

The responses to the GPT-4chan experiment are another step in an ongoing discussion to determine whether AI and ML are here to save the world or whether they will destroy what’s left of it. This discussion seems pointless. The focus should not be on the product, but on the way in which we use it. As with every new development, we obtain a new tool, which we can wield for good, for evil, or just for profit.

As we pointed out in our 2019 Labs report “When artificial intelligence goes awry: separating science fiction from fact”,

> _“There’s a crucial period in artificial intelligence’s development—in fact, in any technology’s development—where those bringing this infant tech into the world have a choice to develop it responsibly or simply accelerate at all costs.”_

To some, one of the biggest issues of artificial intelligence and machine learning is the impact on the climate. The big issue is that many high-profile ML advances just require a staggering amount of computation.

On that note, at best the GPT-4chan experiment was a waste of energy producing the kind of garbage that humanity, unfortunately, does not need help with.

Don’t be like GPT-4chan!

Awful 4chan chat bot spouts racial slurs and antisemitic abuse

In this post, we’ll give you an overview of five Linux malware families your SMB should be protecting itself against — and how they work.
The post 5 Linux malware families SMBs should protect themselves against appeared first on Malwarebytes Labs.

There’s no shortage of reasons why an SMB might use Linux to run their business: There are plenty of distros to choose from, it’s (generally) free, and perhaps above all — it’s secure.

The common wisdom goes that Linux malware is rare, and for the most part this is true. Thanks to its built-in security defenses, strict user privilege model, and transparent source code, Linux enjoys far fewer malware infections than other operating systems.

But unfortunately, there’s more to Linux security than just leaning back in your chair and sipping piña coladas. There are dozens of Linux malware families out there today threatening SMBs with anything from ransomware to DDoS attacks.

In this post, we’ll give you an overview of five Linux malware families your SMB should be protecting itself against — and how they work.

**1.   Cloud Snooper**

In early 2020, researchers found something weird going on with Linux servers hosted by Amazon Web Services (AWS). Specifically, they noticed some servers were receiving some anomalous inbound traffic.

In a perfect world, the firewalls of our servers would only allow web traffic in from trusted ports. With the Cloud Snooper malware, however, untrusted web traffic sneaks past firewalls and enters right into Linux servers — a big no-no.

**How it works**

The hackers pull this off with a rootkit, a set of malware tools that gives someone the highest privileges in a system. Attackers use the rootkit to then install a backdoor trojan which can steal sensitive data from the servers.

At a high level, Cloud Snooper gets past firewall rules by sending innocent-looking requests to the web server which actually contain hidden instructions for the backdoor trojan. From there, the attackers can do anything from log computer activity, steal data, or delete files.

It’s still unclear how the malware is installed in the first place, though the researchers think attackers break into servers using SSH.

**2.   QNAPCrypt**

If you wake up one morning and find that all of your files are encrypted along with a ransom note demanding a Bitcoin payment — you just may have been hit with QNAPCrypt.

QNAPCrypt is ransomware that specifically targets Linux-based NAS (Network Attached Storage) servers. It gets its name from QNAP, a popular vendor for selling NAS servers.

**How it works**

QNAPCrypt exploits a vulnerability in QNAP NAS running HBS 3 (Hybrid Backup Sync) to allow remote attackers to log in to a device. Once launched, the ransomware iterates through a list of files and encrypts them with an encryption algorithm, with the .**encrypt** extension being appended to affected files.

According to recent posts in a BleepingComputer forum, ransom payments are about .024BTC (~$720 USD as of June 2022).

**3.   Cheerscrypt**

Does your SMB use VMware ESXi servers? If so, you better watch out for Cheerscrypt, another Linux-based ransomware.

**How it works**

Upon execution, Cheerscrypt hijacks the ESXCLI tool — which allows for remote management of ESXi hosts — and uses it to terminate all VM processes. From there, hackers can encrypt all of your VMware-related files and rename them to the .**Cheers** extension.

The ransom note, named “How to Restore Your Files.txt”, threatens to expose company data if the ransom is not paid.

**4.   HiddenWasp**

HiddenWasp is a new strain of Linux malware that remotely controls infected systems with an initial deployment script, a trojan, and a rootkit.

**How it works**

After HiddenWasp installs all of the malware components to your computer, the deployment script begins to execute the trojan and add the rootkit. The rootkit is added then to a given process, where it hides the existence of the trojan. The trojan, in turn, helps the rootkit remain operational.

From there, attackers can execute files, spy on computer usage, change system configurations, and so on — all while being unseen.

**5.   Mirai**

From manufacturing to healthcare, tons of industries today are using the Internet-of-Things (IoT) to help streamline their operations — and at the heart of every IoT device is Linux. Mirai, a botnet responsible for the “takedown of the Internet” in 2016, takes advantage of this by hijacking IoT hardware to launch DDoS attacks.

**How it works**

Mirai is a self-replicating worm that scans for and infects vulnerable IoT devices that use default or weak usernames and passwords. Once infected, these compromised IoT devices can be told what to do via a central set of command and control (C&C) servers, specifically to launch DDoS attacks.

While Mirai itself may not be around anymore, its source code lives on in several other botnets variants including Hajime, SYLVEON, and SORA.

**Stop Linux malware from getting a hold on your organization**

It may be true that Linux is more secure than most other operating systems, but make no mistake — Linux malware exists, and can have devastating effects on SMBs.

While we have given a brief overview of five Linux malware families, there are dozens more out there, each with their own unique payload. From ransomware and rootkits to trojans and botnets, there’s a slew of threats SMBs using Linux need to protect themselves against.

With Malwarebytes EDR for Linux, you can simplify protection, detection, and response capabilities across your entire organization. Even brand-new, unidentified Linux malware can typically be eliminated before it can impact your data center servers.

Additionally, applying in-depth insights from our proprietary Linking Engine remediation technology, Malwarebytes thoroughly and permanently removes both the infection and any malware artifacts, delivering lethal “one-and-done” remediation.

Learn more about Malwarebytes EDR.

Read the data sheet.