While we have heard less about web skimming attacks, attacks are still going on, but more quietly than before.
The post Client-side Magecart attacks still around, but more covert appeared first on Malwarebytes Labs.

_This blog post was authored by Jérôme Segura_

We have seen and heard less buzz about ‘Magecart’ during the past several months. While some companies continue to rehash the same breaches of yesteryear, we have been wondering if some changes took place in the threat landscape.

One thing we know is that if the Magecart threat actors decided to switch their operations exclusively server-side then the majority of companies, including ours, would lose visibility overnight. This is why we often look up to researchers that work the website cleanups. If something happens, these guys would likely notice it.

We followed the trail on two recent reports that proved to be worthwhile. It allowed us to make a connection to a previous campaign and identify new pieces of a pretty wide infrastructure.

For now we can say that Magecart client-side attacks are still around and that we could easily be missing them if we rely on automated crawlers and sandboxes, at least if we don’t make them more robust.

**Newly reported domains linked with ‘anti-VM’ skimmer**

On June 12, @rootprivilege tweeted about a hacked stored injected with the host js.staticounter\[.\]net that looked highly suspicious. When originally captured, the JavaScript appeared to be clean but it was confirmed to be malicious by @AffableKraut who posted a screenshot of the skimmer code.

A few days before @rootprivilege posted about this skimmer, @Sansec tweeted about another new skimmer domain at scanalytic\[.\]org. Comparing the two which are both on the same ASN (AS29182), we concluded that they are related.

We were able to connect these 2 domains with a previous campaign from November 2021 which was the first instance to our knowledge of a skimmer checking for the use of virtual machines. However, both of them are now devoid of VM detection code. It’s unclear why the threat actors removed it, unless perhaps it caused more issues than benefits.

There are other differences with the newest skimmer sample from @rootsecdev such as different naming schemes for important input fields. As you can see, in the former case these are explicitly referenced (i.e. CcNumber) while in the later iteration the names are generic web terms, making them less obvious.

**Additional infrastructure**

Using the urlscan.io service, we were able to discover additional infrastructure related to this ongoing campaign. We started our search with any recent submissions that made contact with an IP address belonging to AS29182.

The table below shows hostnames, their IP address and the date they were first seen on urlscan.io. Most of those were previously unknown to us until we recently started this investigation. You can click on the hyperlinks to load the corresponding sandbox pages, but note that a majority of them do not contain the actual skimmer code. This is most likely because the malicious infrastructure detected that urlscan.io’s sandbox was not using genuine residential IP addresses.

**Hostname**

**IP address**

**First seen**

app\[.\]nomalert\[.\]org

185.253.32.64

Nov 30, 2021

cdn\[.\]base-code\[.\]org

185.253.32.59

Jan 30, 2022

web\[.\]dwin-co\[.\]jp

185.253.32.44

Feb 3, 2022

dwin1\[.\]org

185.253.33.40

Feb 22, 2022

trustedport\[.\]org

185.253.32.50

March 4, 2022

h\[.\]lookmind\[.\]net

185.253.32.42

March 17, 2022

web\[.\]speedstester\[.\]com

185.253.33.191

March 25, 2022

search\[.\]global-search\[.\]net

185.253.33.188

April 13, 2022

static\[.\]clarlity\[.\]com

185.253.33.179

April 20, 2022

static\[.\]newrelc\[.\]net

185.63.190.207

April 22, 2022

static\[.\]druapps\[.\]org

185.63.190.183

May 26, 2022

js\[.\]imagero\[.\]org

185.63.190.144

May 27, 2022

common\[.\]quatserve\[.\]com

185.63.190.118

May 30, 2022

static\[.\]lookmetric\[.\]com

185.63.190.163

June 3, 2022

cdn\[.\]boxsearch\[.\]org

185.63.190.205

June 11, 2022

**Validating skimmer activity**

For the domains that are still responding, we can use information collected by urlscan.io and replay the attack using a genuine residential IP address and mimicking a real shopper’s experience. The image below shows the difference between a crawler session via VPN and one done manually with real network settings.

This allows us to confirm beyond doubt that the domains are indeed malicious, although their ASN should already be enough to proactively block them.

**Connection with previous skimmer activity**

Based on one hash, we can connect these skimmers to past activity going back to at least May 2020. One of the hostnames from our previous blog on the anti-vm skimmer, con\[.\]digital-speed\[.\]net, was loading this resource as well.

We can see 3 different themes used by the threat actor to hide their skimmer, named after JavaScript libraries:

*   hal-data\[.\]org/gre/code.js (Angular JS)
*   hal-data\[.\]org/data/ (Logger)
*   js.g-livestatic\[.\]com/theme/main.js (Modernizr)

**Less skimmer activity or simply more covert?**

There are likely many more skimmer domains on the infrastructure we detailed above, and it is a good idea to keep a close eye on it. Having said that, we have generally seen less skimming attacks during the past several months. Perhaps we have been too focused on the Magento CMS, or our crawlers and sandboxes are being detected because of various checks including at the network level.

As Ben Martin over at Sucuri showed, WordPress with the WooCommerce plugin is outpacing Magento in terms of attacks. In addition, we (as several other companies) can only observe client-side attacks and as such we are oblivious to what happens server-side. Only a handful of researchers who do website cleanups have the visibility into PHP-based skimmers.

While stealing credit cards is still a good business, there are other types of data considerably more worth it. Crypto wallets and similar digital assets are extremely valuable and there is no doubt that clever schemes to rob those are in place beyond phishing for them. For an example of a client-side attack via JavaScript draining crypto assets, check out this blog from Eliya Stein over at Confiant.

Malwarebytes customers are protected against this campaign.

**Indicators of Compromise**

**Skimmer domains**

abtasty\[.\]net  
accdn\[.\]lpsnmedia\[.\]org  
amplify\[.\]outbrains\[.\]net  
apis\[.\]murdoog\[.\]org  
app\[.\]iofrontcloud\[.\]com  
app\[.\]nomalert\[.\]org  
app\[.\]purechat\[.\]org  
app\[.\]rolfinder\[.\]com  
cdn\[.\]accutics\[.\]org  
cdn\[.\]alexametrics\[.\]net  
cdn\[.\]alligaturetrack\[.\]com  
cdn\[.\]base-code\[.\]org  
cdn\[.\]boxsearch\[.\]org  
cdn\[.\]cookieslaw\[.\]org  
cdn\[.\]getambassador\[.\]net  
cdn\[.\]hs-analytics\[.\]org  
cdn\[.\]jsdelivr\[.\]biz  
cdn\[.\]nosto\[.\]org  
cdn\[.\]pinnaclecart\[.\]io  
cdn\[.\]speedcurve\[.\]org  
cdn\[.\]tomafood\[.\]org  
clickcease\[.\]biz  
common\[.\]quatserve\[.\]com  
con\[.\]digital-speed\[.\]net  
content\[.\]digital-metric\[.\]org

css\[.\]tevidon\[.\]com  
demo-metrics\[.\]net  
dev\[.\]crisconnect\[.\]net  
dwin1\[.\]org  
epos\[.\]bayforall\[.\]biz  
feedaty\[.\]org  
graph\[.\]cloud-chart\[.\]net  
h\[.\]lookmind\[.\]net  
hal-data\[.\]org  
img\[.\]etakeawaymax\[.\]biz  
js\[.\]artesfut\[.\]com  
js\[.\]g-livestatic\[.\]com  
js\[.\]imagero\[.\]org  
js\[.\]librarysetr\[.\]com  
libsconnect\[.\]net  
listrakbi\[.\]io  
lp\[.\]celebrosnlp\[.\]org  
m\[.\]brands-watch\[.\]com  
m\[.\]sleeknote\[.\]org  
marklibs\[.\]com  
nypi\[.\]dc-storm\[.\]org  
opendwin\[.\]com  
pepperjams\[.\]org  
px\[.\]owneriq\[.\]org

r\[.\]klarnacdn\[.\]org  
rawgit\[.\]net  
rolfinder\[.\]com  
s1\[.\]listrakbi\[.\]org  
sdk\[.\]moonflare\[.\]org  
search\[.\]global-search\[.\]net  
shopvisible\[.\]org  
sjsmartcontent\[.\]org  
snapengage\[.\]io  
st\[.\]adsrvr\[.\]biz  
stage\[.\]sleefnote\[.\]com  
stat-analytics\[.\]org  
static\[.\]clarlity\[.\]com  
static\[.\]druapps\[.\]org  
static\[.\]lookmetric\[.\]com  
static\[.\]mantisadnetwork\[.\]org  
static\[.\]newrelc\[.\]net  
static\[.\]opendwin\[.\]com  
t\[.\]trackedlink\[.\]org  
troadster\[.\]com  
trustedport\[.\]org  
web\[.\]dwin-co\[.\]jp  
web\[.\]livechatsinc\[.\]net  
web\[.\]speedstester\[.\]com  
web\[.\]webflows\[.\]net

  
**Skimmer IPs**

185.253.32.174  
185.253.32.42  
185.253.32.44  
185.253.32.50  
185.253.32.59  
185.253.32.64  
185.253.33.179  
185.253.33.188  
185.253.33.191  
185.253.33.40  
185.63.188.59  
185.63.188.70  
185.63.188.71  
185.63.188.79  
185.63.188.85  
185.63.190.118

185.63.190.144  
185.63.190.163  
185.63.190.183  
185.63.190.205  
185.63.190.207  
185.63.190.212  
194.87.217.195  
194.87.217.197  
194.87.217.91  
212.109.222.225  
77.246.157.133  
80.78.249.78  
82.146.50.89  
82.146.50.132  
82.202.160.10  
82.202.160.119

82.202.160.123  
82.202.160.137  
82.202.160.29  
82.202.160.54  
82.202.160.8  
82.202.160.9  
82.202.161.77  
89.108.109.14  
89.108.109.167  
89.108.109.169  
89.108.116.123  
89.108.116.48  
89.108.123.168  
89.108.123.169  
89.108.123.28  
89.108.126.50  
89.108.127.16

Client-side Magecart attacks still around, but more covert

Vacationing has never been more welcome. But as you plan your itinerary, make sure your devices are secure and your data stays private.
The post Internet Safety Month: 7 tips for staying safe online while on vacation appeared first on Malwarebytes Labs.

Going on vacation has never been more talked about and anticipated. I mean—for many of us, it’s been a while.

But before you get lost in dreamy thoughts of sun, sea, and sand, you might want to set aside some time to plan on how to keep your devices, and your data, safe while you are relaxing

**Your devices need some prepping, too**

Before anything else, know which devices you’ll bring and which ones you’ll leave at home. Then make backups of the files in them.

This is also the perfect time to look deeper into what’s on your devices, especially if you haven’t done any spring cleaning due to busyness. So update those apps that need updating and uninstall those that waste space; scan your devices with a trusty malware scanner, and change any duplicate passwords. Then follow these tips:

**7 security and privacy tips that fit in your pocket**

**Ensure your devices have the “Find My Device” feature enabled.** This feature isn’t just limited to Apple products, and can really help if you lose your device. You can remotely wipe a device if you lose it or even put a message on the screen with contact details in case it is found.

**Be mindful of seasonal scams.** Such scams may arrive via email, SMS, or social media. If a service offers rates that are too good to be true, asks for an upfront fee, or demands payments to be wired, avoid it.

**Use 2FA.** Make sure you lock your accounts behind two-factor authentication (2FA). This additional security measure makes them harder to compromise should someone get hold of your login details.

**Turn off Bluetooth connectivity.** Many people forget Bluetooth is there. As a rule of thumb, remove it if you don’t use it. But if you can’t, disable it when it’s not in use.

**Leave your device in the hotel’s safe.** Hotel safes are there to keep anything of value safe. This includes your devices. When you’re not using a device, keep it in the safe—and remember the pin code!

**Refrain from posting on social media about your vacation.** This is good practice _before_ you leave as well. You don’t want people knowing that your home will be empty, so save posting about your getaway until you are back home.

**Feel free to use a VPN.** Hotel and airport Wi-Fi is safer now than years ago, thanks to HTTPS everywhere. But if you still can’t shake the feeling of being “exposed,” use a VPN you trust. Malwarebytes has one.

Internet Safety Month: 7 tips for staying safe online while on vacation

Matthew Gatrel has been found guilty of three counts of computer-related crime. His partner in crime, Juan "Severon" Martinez, pleaded guilty before the trial.
The post DDoS-for-hire service provider jailed appeared first on Malwarebytes Labs.

Matthew Gatrel, a 33-year-old man from St. Charles, Illinois, has been sentenced to two years in prison for running websites that provide powerful distributed denial-of-service (DDoS) attacks against internet users and websites. This sentencing resulted in the seizure of his websites, making the internet a little safer from DDoS attacks.

Gatrel was the administrator and owner of DownThem.org and AmpNode.com, two DDoS-for-hire websites with thousands of clients which launched attacks against more than 200,000 targets. He was convicted of three charges, including conspiracy to commit unauthorized impairment of a protected computer, conspiracy to commit wire fraud, and unauthorized impairment of a protected computer.

“Gatrel ran a criminal enterprise designed around launching hundreds of thousands of cyberattacks on behalf of hundreds of customers,” prosecutors wrote in a sentencing memorandum. More from that memorandum:

> “He also provided infrastructure and resources for other cybercriminals to run their own businesses launching these same kinds of attacks. These attacks victimized wide swaths of American society and compromised computers around the world.”

Prosecutors said that DownThem.org was a subscription-based service that allowed paying customers to launch DDoS attacks at targets of their choice.

AmpNode.com was a “bulletproof” server hosting service provider “with an emphasis on ‘spoofing’ servers that could be pre-configured with DDoS attack scripts and lists of vulnerable ‘attack amplifiers’ used to launch simultaneous cyberattacks on victims”.

Gatrel’s services helped launch attacks against targets worldwide, including homes, schools, universities, financial institutions, and local government websites. Many clients of AmpNode also operated DDoS-for-hire services.

This website seizure splash screen appears when you visit DownThem.

Prosecutors also said that Gatrel offered expert advice and guidance to clients of both services, ranging from different methods to “down” different types of computers to bypassing DDoS protection services. To get potential clients to buy in, he used DownThem to launch a DDoS attack against these clients’ intended victims and provide proof that their internet connection had been severed.

Juan “Severon” Martinez from Pasadena, California, Gatrel’s co-defendant and criminal partner, pleaded guilty to the unauthorized impairment of a protected computer. He was sentenced to five years’ probation.

DDoS-for-hire service provider jailed

The FBI has issued a warning about cryptocurrency scams on LinkedIn. We see what the scammers are up to and how you can avoid them.
The post LinkedIn scams are a “significant threat”, warns FBI appeared first on Malwarebytes Labs.

Digital currency fraud is a growing issue on social media, and LinkedIn is no different. In fact, according to according to Sean Ragan, the FBI’s special agent in charge of the San Francisco and Sacramento, California, field offices, cryptocurrency scams are big business on LinkedIn.

> “It’s a significant threat. This type of fraudulent activity is significant, and there are many potential victims, and there are many past and current victims.”

**How cryptocurrency scams work on LinkedIn**

Aspects of LinkedIn cryptocurrency scams share similar traits with fraud attempts on other platforms:

*   Someone messages you out of the blue. They begin with small talk, and eventually work their way up to cryptocurrency conversation. They claim that, yes, they can help you make big money from certain investments.
*   LinkedIn is generally seen as a trusted platform, reinforced by people’s perception as the go-to place for business related dealings. This is one advantage it has over less formal sites.
*   Victims are directed to genuine cryptocurrency investment portals. Though no further details are provided in the article, this can go one of two ways. Either the victim invests with their own cash, or the scammer sends them some funds to get started.
*   Weeks or months down the line, the scammer has the victim transfer funds to a site controlled by the scammer. At this point, funds are drained and the cash disappears along with the con-artist.

**Scammers take the well-worn path to riches**

The FBI notes that this type of fraud is on the rise, and draws a parallel with romance scams. In both cases, the end result is the same: loss of funds. However, this style of cryptocurrency fraud has its origins elsewhere and the connection to romance fraud is quite relevant.

This style of attack is called the “pig butcher” scam. It involves a so-called “fattening up” of the pig (target) with messages of affection. Eventually, the same jump-off into cryptocurrency investment takes place. The money, as always, vanishes. One of the key features of this attack is the pretence of accidental communication. Golf is popular, as are messages about luggage and airports.

The tactics used on LinkedIn almost certainly match up in various ways. If they can just get you to the investment site and have you deposit some funds: they’ve got you.

**Linkedin take fraudsters to task**

The team at LinkedIn point out that 96% of detected fake accounts and 99.1% of spam and scams are caught and removed by automated defences. That’s somewhere in the region of 70 million scam messages removed between July to December in 2021. For comparison, LinkedIn removed around 60 million between January and June of 2019. It also hit a peak of removals between July to December of 2020, with a massive 91 million scams given a time out.

Additionally, 11.9 million fake accounts were stopped at registration between July and December of 2021. Around 4.4 million were restricted proactively, and 127k further accounts were restricted once members reported them.

**How to spot a scam on LinkedIn**

With regard to cryptocurrency scams themselves, LinkedIn offers the following advice. Be wary of:

*   **People asking for money who you don’t know in person**. This may include sending cash directly, cryptocurrency, gift cards, prizes, and other winnings.
*   **Job postings which sound too good to be true**. Mystery shoppers, personal assistants, company impersonators are all potential red flags. Steer clear of anything which demands money from you up front.
*   **Romantic gestures on a business-centric platform**. This is especially dubious if tied to a brand new account with few or no connections. Keep in mind that established accounts can also be compromised, and used for any of the scam attempts listed above.

Should you experience LinkedIn content you’re not sure about, don’t worry. You can report it directly to LinkedIn to investigate. Stay safe out there!

LinkedIn scams are a “significant threat”, warns FBI

The most important and interesting computer security stories from the last week.
The post A week in security (June 13 – June 19) appeared first on Malwarebytes Labs.

**RELATED ARTICLES**

June 13, 2022 - We take a look at the latest batch of vulnerabilities in Chrome requiring an update.

May 30, 2022 - Posts from the last week on Malwarebytes Labs describing all the latest news, exploits, scams, and more.

May 26, 2022 - ChromeLoader is working its way into Chrome browsers via ISO images claiming to offer cracked games. What are the dangers?

May 25, 2022 - Google has issued an update for the Chrome browser to patch 32 security issues . One of the vulnerabilities is rated as critical, so install that update as soon as you can.

May 17, 2022 - A little-used feature of web addresses is being used to obfuscate malicious phishing URLs.

A week in security (June 13 – June 19)

This week on Lock and Code, we speak with Kim Lewandowski about what steps we can take to secure the software supply chain. 
The post Securing the software supply chain, with Kim Lewandowski: Lock and Code S03E13 appeared first on Malwarebytes Labs.

At the start of the global coronavirus pandemic, nearly everyone was forced to learn about the “supply chain.” Immediate stockpiling by an alarmed (and from a smaller share, opportunistic) public led to an almost overnight disappearance of hand sanitizer, bottled water, toilet paper, and face masks.

In time, those items returned to stores. But then a big ship got stuck in the Suez, and once again, we learned even more about the vulnerability of supply chains. They can handle little stress. They can be derailed with one major accident. They spread farther than we know.

While the calamity in the canal involved many lessons, there was another story in late 2020 that required careful study in cyberspace—an attack on the digital supply chain.

That year, attackers breached a network management tool called Orion, which is developed by the Texas-based company SolarWinds. Months before the attack was caught, the attackers swapped malicious code into a legitimately produced security update from SolarWinds. This malicious code gave the attackers a backdoor into every Orion customer who both downloaded and deployed the update and who had their servers connected online. Though the initial number of customers who downloaded the update was about 18,000 companies, the number of customers infected with the attackers’ malware was far lower, somewhere around 100 companies and about a dozen government agencies.

This attack, which did involve a breach of a company, had a broader focus—the many, many clients of that one company. This was an attack on the software supply chain, and since that major event, similar attacks have happened again and again.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Kim Lewandowski, founder and head of product at Chainguard, about the software supply chain, its vulnerabilities, and how we can fix it.

> “Our software supply chains are as brittle and sort of filled with weaknesses, similar to a physical supply chain. When you think about every step of the path from when a developer starts writing software all the way to where it’s pushed to production, or where end user is using it, there’s different attack vectors across that entire path.”
> 
> Kim Lewandowski, founder, head of product, Chainguard Inc.

Tune in to hear about why the software supply chain is so difficult to secure, what is at stake if we continue to ignore the problem, and what steps we can take today—and tomorrow—to ensure that future software builds are secure and trustworthy.

This video cannot be displayed because your _Functional Cookies_ are currently disabled.

To enable them, please visit our _privacy policy_ and search for the Cookies section. Select _“Click Here”_ to open the Privacy Preference Center and select _“Functional Cookies”_ in the menu. You can switch the tab back to _“Active”_ or disable by moving the tab to _“Inactive.”_ Click _“Save Settings.”_

You can find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

****Show notes, resources, and credits**_:_**

Kubernetes diagram:

https://user-images.githubusercontent.com/622577/170547400-ef9e2ef8-e35b-46df-adee-057cbce847d1.svg

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

Securing the software supply chain, with Kim Lewandowski: Lock and Code S03E13

ALPHV, also known as BlackCat, created a leak site on the regular web, betting it can squeeze money out of victims faster than a dark web site.
The post ALPHV squeezes victim with dedicated leak site for employees and customers appeared first on Malwarebytes Labs.

Eyebrows were raised this week when the ALPHV ransomware group created a leak site dedicated to just one of its victims. The site was aimed at the employees and guests of a hotelier that had been attacked, and allowed them to see if their personal details had been leaked. The new tactic seems to be designed to create further pressure on the victim to pay the ransom.

The ransomware-as-a-service (RaaS) group ALPHV, also known as BlackCat and Noberus, is currently one of the most active. In our recent May ransomware review, only BlackBasta and the prolific LockBit accounted for more known attacks in the last month.

ALPHV ransomware is used by affiliates who conduct individual attacks, beaching organizations using stolen credentials or, more recently by exploiting weaknesses in unpatched Microsoft Exchange servers. During the attacks data is stolen and encrypted, and the victim is asked to pay a ransom for both a decryption tool, and to prevent the stolen data being leaked.

Although affiliates perform the attacks, the ransom negotiations and data leaks are typically coordinated from a single ALPHV website, hosted on the dark web.

But in this case neither of those two things were true.

Instead of hosting the stolen data on a site that deals with all the gang’s victims, the victim had a website dedicated to them. Bolder still, the site wasn’t on the dark web where it’s impossible to locate and difficult to take down, but hard for many people to reach. Instead it was on the regular world wide web, where we (and law enforcement) could easily discover things like where it was located and what company was hosting it. It was even indexed by Google.

The ransomware leak site was indexed by Google

The aim seems to have been to make it as easy as possible for employees and guests to find their data, so that they would put pressure on the hotelier to pay up.

A message on the site makes it clear that this is about ramping up pressure:

Inaction endangers both your employees and your guests ... We strongly advise you to be proactive in your negotiations; you do not have much time. 

The 112GB of stolen data included personally identifiable information (PII) belonging to 1,500 employees and guests. The gang is reported to have created “data packs” for each employee, containing files related to their hotel employment.

Employees and guests could check if their data was part of the leak

Ransomware groups use the dark web for their leak sitesm, rather than the regular web, because it makes it almost impossible for them to be taken down, or for their operators to be traced.

So, wouldn’t this make the site easy to take down, and leave the operators vulnerable?

Because this is unlike anything ALPHV has done before, it’s possible that this is being done by an affiliate, and it may turn out to be a mistake. However, it’s likely the accounts for the site’s name and hosting were created using stolen data. Equally, it may be that this was simply an experiment and that ALPHV were using the media to spread word of the site and weren’t expecting it to be around for very long.

Sure enough, the site disappeared from the web yesterday.

ALPHV squeezes victim with dedicated leak site for employees and customers

Hertzbleed is a new side-channel attack that can recover sensitive information from a targeted system by applying CPU timing.
The post Hertzbleed exposes computers’ secret whispers appeared first on Malwarebytes Labs.

Hertzbleed is the name for a vulnerability that can be used to obtain cryptographic keys and other secret data from Intel and AMD CPUs, remotely. It works by monitoring changes in power consumption, which can be deduced by the careful timing of known workloads, thanks to a processor power saving feature called dynamic voltage and frequency scaling (DVFS).

**A remote DVFS side channel**

DVFS describes the adjustment of power and speed settings on a computer’s various processors, controller chips, and peripheral devices. By throttling the speed of the chips, DVFS can prolong battery life and reduce cooling costs.

When CPUs process data, transistors are switched on and off depending on the data being processed. Switching transistors uses energy. Consequently, running the same workload with different data may change the CPU’s power consumption.

Those differences trigger changes in the frequency set by DVFS. Which means the same program will run at a different frequency if the input is different—even if it is just slightly different. Those frequency changes can be deduced by monitoring the time it takes for a server to respond to specific, carefully made queries.

This allows an attacker with a stopwatch and enough datapoints to perform a “side-channel” attack and infer the data the CPU was processing. (A side-channel attack is an attack based on information that can be observed because of the way a computer protocol or algorithm is implemented.)

**Vulnerability or feature?**

DVFS is a useful feature of modern processors. But like some other useful features of modern processors, it turns out to have a security downside. In this case, the downside has been assigned two CVEs:

*   CVE-2022-23823: A potential vulnerability in some AMD processors using frequency scaling may allow an authenticated attacker to execute a timing attack to potentially enable information disclosure.
*   CVE-2022-24436: Observable behavioral in power management throttling for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via network access.

Hertzbleed affects all Intel and several AMD processors. Other processor vendors which also implement frequency scaling in their products may be affected.

**Should I worry?**

As with many threats, the risk you are running very much depends on your threat model. If you are working with highly confidential data, and there is reason to believe that advanced threat actors might be after that data, then you may have a reason to worry about it. For anyone else, it’s something to be aware of, but not necessarily something you need to act upon.

It is a known fact that threat actors can extract secret cryptographic data from a chip by measuring the power it consumes while processing cryptographic keys and other secret data. But the means for exploiting power-analysis attacks against microprocessors has always been limited because the threat actors had few viable ways to remotely measure power consumption while processing the secret material.

Hertzbleed reduces the requirements. Making power side-channel attacks into timing attacks that can be done remotely. But it will still take many hours and some level of proximity to recover a full cryptographic key. For example, the proof-of-concept attack took 36 to 89 hours to recover a full secret key from a system on the same network.

Most cybercriminals aren’t going to bother with Hertzbleed and will continue to rely on phishing, Word macros, skimmers, and other well worn tricks, but that doesn’t mean that advanced, well-resourced threat actors won’t.

According to Intel, who held the research results under embargo but decided not to deploy any patches:

> “While this issue is interesting from a research perspective, we do not believe this attack to be practical outside of a lab environment.”

**Mitigation**

There are ways to disable the features that make Hertzbleed possible, but it will come at a price: Your system will be considerably slower. You would have to disable what Intel calls “Turbo Boost”, and AMD calls “Turbo Core” or “Precision Boost”. For more information, you can read the official security advisories by Intel and AMD.

The preferable way to mitigate is to deal with the vulnerability in the code of programs that handle cryptographic ciphers and other confidential data. Hertzbleed shows that current industry guidelines for how to write constant-time code (such as Intel’s) are insufficient to guarantee constant-time execution on modern processors. So improvements in that field will be necessary.

Stay safe, everyone!

Hertzbleed exposes computers’ secret whispers

Interpol's annual First Light project has gone global for the second time. We take a look at the results, findings, and trends.
The post Interpol’s First Light operation smashes crime on a global scale appeared first on Malwarebytes Labs.

A large-scale Interpol operation has resulted in arrested and ill-gotten gains seizures galore. Operation First Light took place between March and May of this year. It involved 76 countries taking social engineers and telecommunications fraudsters to task, with multiple wins for those involved.

**Taking the fight to the scammers**

The operations focused on several popular scams in play from criminals the world over, including telephone scams, romance, email deception (Business Email Compromise, which targets business), and related aspects of financial crime.

All around the world, law enforcement collected huge hauls of ill-gotten gains and electronic devices. Cash and forged official documents were seized in Hong Kong. Multiple national call centres suspected of telecommunications fraud were also raided. The haul in Portugal included dozens of laptops, mobile devices of all varieties, and stacks of counterfeit official documents. These results are just the tip of the iceberg.

**When an operation gets results**

First Light occurs annually and has been in operation since 2014. This year, it was funded by China’s Ministry of Public Security. Originally the project focused on Southeast Asia, and this is the second time the operation has gone global. Here’s some of the preliminary findings by Interpol, with numbers subject to change as more details are confirmed:

*   1,770 locations raided worldwide
*   Some 3,000 suspects identified
*   Around 2,000 operators, fraudsters and money launderers arrested
*   Roughly 4,000 bank accounts frozen
*   Some USD 50 million worth of illicit funds intercepted

At this stage, there are only a few examples of arrests and backgrounds to specific crimes available. Some notable examples have been given, however:

> Based on intelligence exchanged in the framework of the operation, the Singapore Police Force rescued a teenage scam victim who had been tricked into pretending to be kidnapped, sending videos of himself with fake wounds to his parents and seeking a EUR 1.5 million ransom.
> 
> A Chinese national wanted in connection with a Ponzi scheme estimated to have defrauded nearly 24,000 victims out of EUR 34 million was arrested in Papua New Guinea and returned to China via Singapore.

Interpol also mentions 8 suspects arrested in Singapore for “Ponzi-like” job scams. In the example given, victims were lured with the promise of high-paying online marketing jobs. Small initial earnings led to situations where they had to recruit more members to earn commissions.

**Trends and concerns**

Some of the most pressing observations from the forces working this operation are as follows:

*   the way money mule herders are laundering money through the personal bank accounts of victims;
*   how social media platforms are driving human trafﬁcking, entrapping people into forced labour, sexual slavery, or captivity in casinos or on fishing vessels;
*   an increase in vishing fraud with criminals pretending to be bank officials to trick victims into sharing online log-in details;
*   a growth in cybercriminals posing as INTERPOL officials to obtain money from victims believing themselves to be under investigation.

Impersonation of law enforcement and other official entities is a mainstay of email fraud and extortion scams. It’s also popular where scams involving visas are concerned. There can’t be many people who have yet to experience a fake banking SMS at this point. Social media has also been a problem where trafficking and forced labour are concerned for some time now.

Money muling and bogus jobs are big business, and makes regular appearances on Malwarebytes Labs. Much of this ties into fake job opportunities. It can also occur as the result of email and social media outreach. If you’re really unlucky, you could be sucked into bogus NFT art projects which eventually offer up some malware. You may even be caught out by fake postings on legitimate job hunting portals.

For scammers, the sky’s the limit. It is, however, nice to see globally coordinated law enforcement operations making some sort of dent in proceedings. It’s up to us to pay attention to upcoming criminal trends, and do what we can to avoid falling for them.

Interpol’s First Light operation smashes crime on a global scale

TheTruthSpy is an app programmed to siphon out photos, locations and more from smartphones.
The post Photos of kids taken from spyware-ridden phones found exposed on the internet appeared first on Malwarebytes Labs.

A stalkerware\-type app that boasts “the best free phone spying software on the market,” has exposed the data it snooped on from the phones it was installed in. The data exposed by TheTruthSpy included GPS locations and photos on victims’ phones, and images of children and babies.

This news, first reported by Motherboard, is the latest in a lengthening list of spyware brands breached due to their poor cybersecurity hygiene. And TheTruthSpy is hardly the first of its kind to put kids’ data at risk.

The images exposed by TheTruthSpy were available to anyone who visited a particular URL on TheTruthSpy’s website. The photos included those of a young boy looking at the camera, a baby’s soiled diaper, a pet cat, and photos of the inside of someone’s home.

TheTruthSpy can be downloaded from the Google Play and Apple App stores. According to its website, it has 15+ features, including monitoring multiple communication apps, recording ambient voice, siphoning of photos, keylogging, and managing spying activities via a control panel. Any data retrieved from the target’s device is then uploaded to TheTruthSpy’s server, where clients can log in and view all collected data.

TheTruthSpy is maintained by 1Byte, a Vietnam-based company that handles multiple stalkerware-type apps. According to a Techcrunch exposé back in February, 1Byte was found exposing data from apps it manages due to a vulnerability in the app. It appears TheTruthSpy is suffering from the same flaw.

**Stalkerware**

Stalkerware is malicious in that it surreptitiously runs in the background while spying on people, usually without their knowledge.

Unlike other malware, it is also publicly available. Anyone with the means and intent can buy and use TheTruthSpy—all they need to do is download and install it onto target phones.

**Not its first rodeo**

This is the second time TheTruthSpy has had its data exposed. In 2018, a hacker going by the initials L.M. revealed to Motherboard his exploits in successfully infiltrating the stalkerware-type app’s servers to steal client data, and then later on losing it after it updated its servers.

“They take care about how to spy, and not take care about how they secure the attackers’ and victims’ privacy,” L.M. said at that time, criticizing TheTruthSpy for being untrue to its clients.

Source

Malwarebytes