Adaptive Health Integrations (AHI) has been breached. Sensitive information was accessed, but it took months to make the incident public.
The post US healthcare billing services group hacked, affecting at least half a million individuals appeared first on Malwarebytes Labs.

According to the US Department of Health and Human Services, Adaptive Health Integrations (AHI), a healthcare software and billing services firm in North Dakota, suffered a data breach that affected more than half a million individuals. According to the firm, the breach occurred in mid-October last year, but it only started notifying people last month.

The notification letter, a copy of which was posted on the Montana Attorney General’s website, states that the firm was made aware of the attack recently and immediately took action.

> “Upon learning of the issue, we contained the threat by disabling unauthorized access to our network and commenced a prompt and thorough investigation with assistance from external cybersecurity professionals. Through an extensive investigation and an internal review, which concluded on February 23, 2022, we determined that certain potentially accessed data contained personal information such as names, dates of birth, contact information, and Social Security numbers.”

The firm was quick to add that not all individuals were affected by the breach, and not all information about affected individuals was accessed.

The letter advises those affected on what they should do next. In it, individuals are encouraged to enrol in free, 12-month complimentary identity monitor services provided by a third party. Doing so opens up additional services to help clients, such as fraud consultation and identity theft restoration.

HIPAA Journal noted that the letter has no information about Adaptive Health Integrations or why it keeps people’s protected health information (PHI). Recipients of the letter also questioned its legitimacy because it used paper with a photocopied company logo, making it look dubious and unprofessional. After checking the website (screenshot below), some letter recipients thought it was a scam.

A couple of law firms, namely Murphy Law Firm in Oklahoma and Migliaccio & Rathod LLP in Washington, are conducting their own investigation on behalf of individuals affected by the breach. Both firms made their announcements days apart.

US healthcare billing services group hacked, affecting at least half a million individuals

We take a look at the popular tactics used in Airdrop phishing to steal access to cryptocurrency users' digital finances.
The post Airdrop phishing: what is it, and how is my cryptocurrency at risk? appeared first on Malwarebytes Labs.

Airdrop phishing is a really popular tactic at the moment. It emerged alongside the explosion of Web3/NFT/cryptocurrency popularity, and ensures scammers get a slice of the money pie. You may well have heard the term in passing, and wondered what an Airdrop is. Is your iPhone about to be Airdrop phished?

It doesn’t really help that the term tied up into lots of new forms of tech you might never have experienced directly. It’s one of those odd scams, doing weird things, to accounts you have no idea about.

Fret no more, because we’re going to walk you through an actual Airdrop phish example. No apes were harmed in the making of this documentary.

**What is an Airdrop?**

Confusingly, the term has multiple uses jostling for attention. The older, more familiar term is the one related to Apple devices. An Apple Airdrop is where Bluetooth is used to send files to other people. If you’re not an Apple user, it’s likely you’ve only ever seen Airdrop in relation to trolling. If you’re out and about, you may walk into an unintended crossfire of memes, and in the worst case scenario, it might be objectionable unsolicited images.

In terms of security concerns specifically, research has shown how it could potentially aid spear phishing in the right circumstances. Crucially, none of these things are related to the Airdrops we’re talking about _today_.

**What type of Airdrop are we talking about?**

The Airdrops of the moment are promotional tactics aimed at cryptocurrency/Web3 people. Airdrops typically reward early adopters of certain currencies or communities. This type of reward can also be given out as no strings attached freebies to anyone who wants in on the action, and they’re great ways to keep people emotionally invested in their Web3 activities. There’s a lot of real world examples listed here.

In terms of how you _receive_ the Airdrop, there are a few different ways. Those early adopters may find the free Airdrop distributed to their address automatically, assuming they have some level of investment in the service giving it away. A big red flag is when a supposed Airdrop asks for funds (for a freebie?), or even worse, your login/recovery phrase.

Nobody should _ever_ be asking for that.

Airdrops are very popular, and this is where phishing attacks come in.

**Common Airdrop phishing tactics**

Airdrop phish pages try to ensnare as many cryptocurrency users as possible. No matter how obscure your digital currency of choice is, or how unusual your wallet is, there’s a scam just waiting for you.

Our bogus site below is quite slick looking, complete with ticker at the top. “Claim reward bonus/Airdrop”, they implore.

_An Airdrop phish_

Hitting the button takes you to the select a wallet page. There is, quite simply, a ridiculous amount of wallets and services listed. MetaMask, Solflare, Binance, Digitex, Argent, the works. If you use any form of cryptocurrency wallet or service, there’s a good chance it’s on the list somewhere.

_Wallets galore_

Clicking any of the wallets results in you being informed that an error has occurred. Connecting manually is what you’re now asked to do. From here, you’re asked to send them your phrase, private key, or keystore.

Hitting connect pauses the site for a second, then dumps you onto a 404 Page not found containing “sent” in the URL. At this point, it’s probably a good idea to hope the 404 is genuine and nothing has been sent to the scammers.

Some sites target users of one wallet only. Here’s one targeting MetaMask users, asking for their recovery phrase:

_“Type your secret phrase…”_

As MetaMask’s official support says:

> To get support, open MetaMask and navigate to “Support” or “Get Help” within the dropdown menu. Do not trust anyone who has sent you a direct message. UNDER NO CIRCUMSTANCES should you ever give your Secret Recovery Phrase to anyone or input it into any site!
> 
> — MetaMask Support (@MetaMaskSupport) April 29, 2022

****The ape themed Airdrop phish****

Apes are, of course, the hottest draw in town where Airdrop phishing is concerned. Just recently, close to $3m worth of Ape NFTs were stolen via an Instagram compromise. Anything ape related is a giant dollar sign in the sky for fraudsters, and the variety of fake pages out there reflects this.

_All my apes soon to be gone_

This particular site asked visitors to claim up to 10 Bull & Ape NFTs, then asked for a variety of password/recovery phrases. The supposed T&C page leads to a 404, and the cookies and privacy policy pages go to pages from an unrelated wallet app. Does this _really_ sound like something you want to hand over your recovery phrase to?

**The “Connect your wallet” Airdrop phish**

This is where a scam site checks to see if you have a wallet installed, and if not, tells you to install one and then connect it to the site.

Here’s an account with 60k followers, claiming to be the Moonbirds project offering up an NFT airdrop:

_A fake Twitter account offering up bogus airdrops_

When people started calling out the tweet, they locked people’s ability to reply under the guise of “safety” so nobody else could highlight the scam.

_“We are worried about your safety…”_

This is the genuine Moonbirds account. Note the verified status, which the imposter lacks:

Below, you can see my already installed MetaMask extension opening in the top right corner when I click the “Connect Wallet” button on the fake Airdrop page.

_Connecting an extension to a scam site_

Connecting your wallet to Decentralised Applications (Dapps) is common. What you need to be careful of is connecting to rogue sites. If you start granting permissions, or signing transactions, you may find your wallet draining of funds. It’s up to you to ensure that you don’t simply say “yes” to everything a site asks you. From the MetaMask FAQ:

> _Be careful about which Dapps you connect to, and what permissions you give them._ 
> 
> _Certain types of transaction require granting a Dapp permission to access your funds–infinite amounts of your funds._
> 
> _In fact, there have been cases of Dapps being created specifically with the intent to defraud users and steal all of their funds once they’ve granted this kind of access._

**Where Airdrops are concerned: safety first, every single time**

Nobody needs the stress of losing all their digital currency because of phishing, no matter which form it arrives in. Whether it’s websites asking for recovery phrases or Dapp style sites connecting wallets, be very careful what you do with your wallet. You almost certainly won’t get a second chance if things go wrong.

Airdrop phishing: what is it, and how is my cryptocurrency at risk?

The US, EU member states, and other non-EU countries commit to this new internet declaration and encourage others to join.
The post Over 50 countries sign the “Declaration for the Future of the Internet” appeared first on Malwarebytes Labs.

Governments of the US, EU member states, and 32 other countries have announced the launch of the “Declaration for the Future of the Internet,” a “political commitment” among endorsers “to advance a positive vision for the internet and digital technologies.”

“We are united by a belief in the potential of digital technologies to promote connectivity, democracy, peace, the rule of law, sustainable development, and the enjoyment of human rights and fundamental freedoms,” the declaration began. “As we increasingly work, communicate, connect, engage, learn, and enjoy leisure time using digital technologies, our reliance on an open, free, global, interoperable, reliable, and secure Internet will continue to grow. Yet we are also aware of the risks inherent in that reliance and the challenges we face.”

The White House and the European Commission summarized the three-page proposition and invited other countries to sign. To date, the countries that endorse the declaration are Albania, Andorra, Argentina, Australia, Austria, Belgium, Bulgaria, Cabo Verde, Canada, Colombia, Costa Rica, Croatia, Cyprus, Czech Republic, Denmark, Dominican Republic, Estonia, the European Commission, Finland, France, Georgia, Germany, Greece, Hungary, Iceland, Ireland, Israel, Italy, Jamaica, Japan, Kenya, Kosovo, Latvia, Lithuania, Luxembourg, Maldives, Malta, Marshall Islands, Micronesia, Moldova, Montenegro, Netherlands, New Zealand, Niger, North Macedonia, Palau, Peru, Poland, Portugal, Romania, Senegal, Serbia, Slovakia, Slovenia, Spain, Sweden, Taiwan, Trinidad and Tobago, the United Kingdom, Ukraine, and Uruguay.

The declaration is a “political commitment” among endorsers to “advance a positive vision for the Internet and digital technologies.” It is a reaffirmation for endorsers that they’re committed to respecting and preserving human rights online across digital ecosystems and committing to “a single global internet” that fosters the following principles:

*   Protect human rights and fundamental freedoms of all people; 
*   Promote a global Internet that advances the free flow of information; 
*   Advance inclusive and affordable connectivity so that all people can benefit from the digital economy; 
*   Promote trust in the global digital ecosystem, including through protection of privacy; and 
*   Protect and strengthen the multi-stakeholder approach to governance that keeps the Internet running for the benefit of all.

A single, global internet rejects the idea of restricted internet access—a “splinternet”—that regimes like Russia, China, and North Korea (all of whom did not sign the declaration) have implemented in their own countries. Splinternets are heavily regulated, and governments can pick and choose what they want their citizens to see and not see.

While every country is working towards the common goal of building a better internet and online experience for everyone, now and in the future, the Declaration allows member countries to be autonomous in creating their own laws and policies to uphold the above principles.

“We believe that the principles for the future of the Internet are universal in nature and as  
such we invite those who share this vision to affirm these principles and join us in the implementation of this vision,” the declaration concludes.

Over 50 countries sign the “Declaration for the Future of the Internet”

Get your cyberprotection on the right footing by steering clear of these three cultural pitfalls.
The post Watch out for these 3 small business cybersecurity mistakes appeared first on Malwarebytes Labs.

May 2 marks the start of National Small Business Week, a week that recognizes “the critical contributions of America’s entrepreneurs and small business owners”, and promises to “celebrate the resiliency and tenacity of America’s entrepreneurs.”

That sounds good to us: Small business are a vital economic engine, accounting for more than 99% of all businesses in the USA, and employing about half the US workforce. And, like any engine, they need preventative maintenance and careful running to keep them ticking over smoothly—which increasingly means ensuring they have good cybersecurity discipline.

That sounds like something we can help with, so if you want your small business purring and safe from cyberthreats, watch out for these three warning signs.

**1\. Thinking you are not a target**

Perhaps the most egregious cyber-error a small business can commit is believing it is too small to have to bother with cybersecurity, because it thinks it’s too small to be a target.

Life would be a lot easier if there were a minimum size limit on the businesses that cybercriminals care about, but sadly, there is not. Sure, there are some nation-state actors and big game ransomware gangs that might give you a swerve. But for every attacker trying to land a whale, there’s a countless multitude trying to catch minnows in drift nets.

The threat to small businesses is so serious that in 2021 it was discussed by the Senate Judiciary committee. Ranking member Senate Chuck Grassley described the problem in these terms:

> “Earlier this year, FBI Director Chris Wray compared the challenges of fighting ransomware to those we faced after 9/11. Estimates on the amount of ransoms paid in 2020 run into the hundreds of millions of dollars. Ransomware has targeted schools, local governments, and, during this pandemic, even hospitals and healthcare providers…An estimated three out of every four victims of ransomware is a small business.”
> 
> Senator Chuck Grassley

Believing you can add security later means avoiding the basics now. And that leads to critical mistakes like using old, unsupported versions of Windows and macOS; not updating third-party apps; giving everyone admin access to everything; turning on RDP when you don’t need it (and failing to secure it when you do); leaving unused, unnecessary, and unsafe ports open at the firewall; saving passwords in plain text; not enforcing minimum password complexity standards; not using multi-factor authentication (MFA); and using unpatched, on-premises versions of Exchange.

It is never too soon to do these things—the longer you leave it, the more expensive and difficult they become. Be in no doubt: Cybercriminals _will_ try to use your Exchange server to spread ransomware, they will try to brute force your RDP, they will try to inject skimmers into your website, they will try to exploit your browsers, they will try to fool you into downloading malware, they will try to phish your logins, and they will send you more malicious attachments than you’ve had hot dinners (and your employees will click them).

**2\. Waiting for bad things to happen**

Our second red flag to watch out for is a lack of proactivity in your security.

Last year I interviewed a number of small business IT people. For all of them, security was important, but it was typically one of many responsibilities being handled by a small staff. Most of their time was spent firefighting one IT problem or another, and so, outside of a weekly check, their endpoint protection montioring went largely unattended unless it too was (figuratively) ablaze.

According to Taylor Triggs, one of our Malware Removal Specialists, that seven day gap between checks is big enough for an attacker to drive their coach and horses through.

Ransomware attacks typically start with some kind of network breach. This is often followed by activity that escalates an attacker’s privileges, lateral movement through a network, and finally encryption of the victim’s data. Each step generates behavior or artefacts that can tip off sharp-eyed threat hunters to the presence of an attacker, before the ransomware gets to work.

Right now, Triggs says, the most common problem he’s seeing in small and medium-sized businesses is a combination of unpatched Exchange servers and those unattended alerts:

> “Many of the ransomware cases we have seen recently have started with Exchange servers still vulnerable to Hafnium. Customers with EDR had alerts showing that a Hafnium breach was the initial compromise before encryption occurred but they ignored the alerts.”

“Waiting for things to happen” is often a symptom of not hiring qualified IT staff, having too few IT staff, or not having the appropriate security skills and awareness among IT staff.

**3\. Assuming everything will be OK**

Any breach that goes unnoticed or is left unattended can lead to ransomware, and the target of modern ransomware operators is not a computer, it is your entire organization. That makes ransomware an existential threat. You might not get hit by an earthquake every day, but that doesn’t excuse you from planning for one if you’re at risk, and ransomware is an earthquake that can hit any small business.

Failing to plan is planning to fail, as they say, and the symptoms of failing to plan are:

*   Not having having an incident response plan
*   Not making backups
*   Not testing that your backups work
*   Not keeping backups beyond the reach of attackers

If the worst happens, you will wish you had planned your response in advance. You will wish you knew how to identify and isolate an attack; you will wish you had decided what data and assets you care about most, which you want to restore first, what that will take, and who will do it; and you will probably wish you had rehersed it all. You can read more about how to prepare for a ransomware attack by downloading our Ransomware Emergency Kit.

If you simply assume it won’t happen to you, or that you’ll be OK if it does, you may be left with no option but to pay an extortionate ransom for a criminal’s decryption tool, and you really want to avoid that. The tools frequently fail, and your willingness to pay will lead to repeat attacks.

If you want to know how it feels to be attacked by ransomware without actually having to go through it yourself, listen to our podcast interview with Ski Kacoroski below. Ski is a sysadmin who was brave enough to speak openly about his race against a real-life ransomware attack and his candid interview is a warning against the complacency of assuming everything will work out.

This video cannot be displayed because your _Functional Cookies_ are currently disabled.

To enable them, please visit our _privacy policy_ and search for the Cookies section. Select _“Click Here”_ to open the Privacy Preference Center and select _“Functional Cookies”_ in the menu. You can switch the tab back to _“Active”_ or disable by moving the tab to _“Inactive.”_ Click _“Save Settings.”_

Watch out for these 3 small business cybersecurity mistakes

The most important and interesting stories in security from the last seven days
The post A week in security (April 25 – May 1) appeared first on Malwarebytes Labs.

*   Partner Success Story
*   Marek Drummond
    
    Managing Director at Optimus Systems
    
    "Thanks to the Malwarebytes MSP program, we have this high-quality product in our stack. It’s a great addition, and I have confidence that customers’ systems are protected."
    
*   See full story

A week in security (April 25 – May 1)

Google has released an update for the Chrome browser that includes 30 security fixes. Edge and other Chromium-based browsers also need updating.
The post Update now! Critical patches for Chrome and Edge appeared first on Malwarebytes Labs.

Google has released an update for its Chrome browser that includes 30 security fixes. The latest version of the stable channel is now Chrome 101.0.4951.41 for Windows, Mac and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.

Microsoft advises Edge users—which is essentially a Microsoft-badged version of Chrome—to update as well, since it shares many of these vulnerabilities.

Seven of the vulnerabilities are rated as “high.” Five of those vulnerabilities are “Use after free” flaws, which, thanks to a memory relocation issue, can allow hackers to pass arbitrary code to a program. Which is another way of saying that attackers can do unauthorized things on your computer just by getting you to go to a malicious web page coded to exploit these problems.

**Use after free**

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The use after free vulnerabilities that are listed with a high severity are:

*   **CVE-2022-1477**, a use-after-free vulnerability in the Vulkan graphics API.
*   **CVE-2022-1478**, a use-after-free vulnerability in the SwiftShader 3D renderer.
*   **CVE-2022-1479**, a use-after-free vulnerability in ANGLE a “graphics engine abstraction layer.”
*   **CVE-2022-1480**, is a use-after-free vulnerability in Device API. A remote attacker can reportedly create a specially crafted web page, trick the victim into visiting it, trigger the use-after-free error and execute arbitrary code on the target system.
*   **CVE-2022-1481**, is a use-after-free vulnerability in Sharing. This vulnerability can be reportedly be exploited by a remote non-authenticated attacker via the Internet, by luring the victim to a specially crafted web page.

**Other high severity vulnerabilities**

There are two other vulnerabilities listed as high severity issues:

*   **CVE-2022-1482**, is described as an “Inappropriate implementation in WebGL” in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and compromise their system.
*   **CVE-2022-1483**, is a heap buffer overflow in WebGPU, a web API that exposes modern computer graphics capabilities for the Web. Heap is the name for a region of a process’ memory which is used to store dynamic variables. A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region. In software exploit code, the two common areas that are targeted for overflows are the stack and the heap.

**How to update**

If you’re a Chrome user on Windows, Mac, or Linux, you should update to version 101.0.4951.41 as soon as possible.

The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up blocking automatic updates if you never close the browser, or if something goes wrong, such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerabilities listed.

My preferred method is to have Chrome open the page **chrome://settings/help** which you can also find by clicking **Settings > About Chrome**.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

So you don’t have to track the version number, when Chrome is up to date it displays the message “Chrome is up to date”

After the updates Chrome should be at version 101.0.4951.41 and Edge should be at version 101.0.1210.32.

Stay safe, everyone!

Update now! Critical patches for Chrome and Edge

Microsoft claims Ukraine has been hit with hundreds of cyberattacks from well-known state-backed Russian hacking groups.
The post Russia continues digital onslaught against Ukrainian systems appeared first on Malwarebytes Labs.

According to Microsoft, at least six Kremlin-backed hacking groups have been attacking Ukraine in the digital space in an onslaught that began before the invasion in late February. The company counted more than 237 cyberattack operations against Ukrainian systems and critical infrastructure.

These attacks involve destructive malware that “threaten civilian welfare”, accompanied by intelligence gathering and reconnaissance.

APT28 (aka FancyBear), DEV-0586, Energetic Bear (aka Dragonfly), Gamaredon, Nobelium, Sandworm, and Turla are the nation-state actors carrying out the attacks.

“Russia’s use of cyberattacks appears to be strongly correlated and sometimes directly timed with its kinetic military operations targeting services and institutions crucial for civilians,” Microsoft said. The company gave several examples to illustrate this correlation: “While Russian forces besieged the city of Mariupol, Ukrainians began receiving an email from a Russian actor masquerading as a Mariupol resident, falsely accusing Ukraine’s government of ‘abandoning’ Ukrainian citizens.”

Russia was seen using various techniques in its attack to gain initial access. This includes phishing campaigns, vulnerability exploitation, and compromising upstream IT services. The country is also not shy about using wiper malware—destructive malware CISA (the Cybersecurity and Infrastructure Security Agency) and the FBI (Federal Bureau of Investigation) highlighted in an updated alert initially released in late February.

HermeticWiper, IsaacWiper, HermeticWizard, and CaddyWiper were deployed to Ukrainian networks in January 2022.

Microsoft believes that Russian cyberattacks will continue to escalate. Nation-state threat actors may also expand their destructive attacks outside Ukraine to retaliate against countries helping Ukraine or continuing to inflict punitive measures against Russia.

“We’ve observed Russian-aligned actors active in Ukraine show interest in or conduct operations against organizations in the Baltics and Turkey—all NATO member states actively providing political, humanitarian or military support to Ukraine.”

You can read more about Russian cyberattack activities against Ukraine in Microsoft’s Special Report: Ukraine.

Russia continues digital onslaught against Ukrainian systems

International cybersecurity authorities have published an overview of the most routinely exploited vulnerabilities of 2021.
The post The top 5 most routinely exploited vulnerabilities of 2021 appeared first on Malwarebytes Labs.

A joint Cybersecurity Advisory, coauthored by cybersecurity authorities of the United States (CISA, NSA, and FBI), Australia (ACSC), Canada (CCCS), New Zealand (NZ NCSC), and the United Kingdom (NCSC-UK) has detailed the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as well as other CVEs frequently exploited.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs that made it into the top 10.

**1\. Log4Shell**

CVE-2021-44228, commonly referred to as Log4Shell or Logjam. This was a software flaw in the Apache Log4j logging utility. A logger is a piece of software that logs every event that happens in a computer system. The records it produces are useful for IT and security folks to trace errors or check any abnormal behavior within a system.

When Log4Shell emerged in December 2021, what caught many by surprise was the enormous number of applications and web services, including those offered by Twitter, Apple, Google, Amazon, Steam, and Microsoft, among others, that were relying on Log4j, many of which inherited the vulnerability.

This made for an exceptionally broad attack surface. Combine that with an incredibly easy to use exploit and there should be no surprise that this vulnerability made it to the top of the list.

The Cybersecurity and Infrastructure Security Agency (CISA) has launched an open source scanner to find applications that are vulnerable to the Log4j vulnerabilities listed as CVE-2021-44228 and CVE-2021-45046. The CISA Log4j scanner is based on other open source tools and supports scanning lists of URLs, several fuzzing options, DNS callback, and payloads to circumvent web-application firewalls.

**2\. CVE-2021-40539**

CVE-2021-40539 is a REST API authentication bypass vulnerability in ManageEngine’s single sign-on (SSO) solution with resultant remote code execution (RCE) that exists in Zoho ManageEngine ADSelfService Plus version 6113 and prior. When word of this vulnerability came out it was already clear that it was being exploited in the wild. Zoho remarked that it was noticing indications of this vulnerability being exploited. Other researchers chimed in saying the attacks had thus far been highly targeted and limited, and possibly the work of a single threat actor. It was clear from the start that APT threat-actors were likely among those exploiting the vulnerability.

The vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request. This allows attackers to carry out subsequent attacks resulting in RCE.

For those that have never heard of this software, it’s a self-service password management and single sign-on (SSO) solution for Active Directory (AD) and cloud apps. Which means that any attacker that is able to exploit this vulnerability immediately has access to some of the most critical parts of a corporate network. A patch for this vulnerability was made available on September 7, 2021. Users were advised to update to ADSelfService Plus build 6114. The FBI, CISA, and CGCYBER also strongly urged organizations to make sure that ADSelfService Plus was not directly accessible from the Internet.

The ManageEngine site has specific instructions on how to identify and update vulnerable installations.

**3\. ProxyShell**

Third on the list are 3 vulnerabilities that we commonly grouped together and referred to as ProxyShell. CVE-2021-34523, CVE-2021-34473, and CVE-2021-31207.

The danger lies in the fact that these three vulnerabilities can be chained together to allow a remote attacker to run code on an unpatched Microsoft Exchange server. Attackers use them as follows:

*   **Get in** with CVE-2021-31207, a Microsoft Exchange Server security feature bypass vulnerability. The vulnerability allows a remote user to bypass the authentication process.
*   **Take control** with CVE-2021-34523, a Microsoft Exchange Server elevation of privilege (EoP) vulnerability. The vulnerability allows a user to raise their permissions.
*   **Do bad things** with CVE-2021-34473, a Microsoft Exchange Server remote code execution (RCE) vulnerability. The vulnerability allows an authenticated user to execute arbitrary code in the context of SYSTEM and write arbitrary files.

The vulnerabilities were found in Microsoft Exchange Server, which has a large userbase and which is usually set up as an Internet-facing instance. Plus, many publications have provided proof-of-concept (PoC) methodologies which anyone can copy and use.

Microsoft’s Security Update from May 2021 remediates all three ProxyShell vulnerabilities.

**4\. ProxyLogon**

After the ProxyShell entries we go straight to four vulnerabilities that are grouped under a similar name—ProxyLogon—for similar reasons. CVE-2021-26855, CVE-2021-26857, CVE-2021-2685, and CVE-2021-27065 all share the same description—”This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.”

While the CVE description is the same for the 4 CVE’s we have learned that CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that was used to steal mailbox content. The RCE vulnerability CVE-2021-26857 was used to run code under the System account. The other two zero-day flaws—CVE-2021-26858 and CVE-2021-27065—would allow an attacker to write a file to any part of the server.

Together these four vulnerabilities form an attack chain that only requires the attacker to find the server running Exchange, and the account from which they want to extract email. After exploiting these vulnerabilities to gain initial access, threat actors deployed web shells on the compromised servers to gain persistence and make more changes. Web shells can allow attackers to steal data and perform additional malicious actions.

ProxyLogon started out as a limited and targeted attack method attributed to a group called Hafnium. Unfortunately it went from limited and targeted attacks to a full-size panic in no time. Attackers started using the Exchange bugs to access vulnerable servers before establishing web shells to gain persistence and steal information.

Microsoft has released a one-click mitigation tool for Exchange Server deployments. The Microsoft Exchange On-Premises Mitigation Tool will help customers who do not have dedicated security or IT teams to apply these security updates. Details, a download link, user instructions, and more information can be found in the Microsoft Security Response Center.

**5\. CVE-2021-26084**

CVE-2021-26084 is an Object-Graph Navigation Language (OGNL) injection vulnerability that exists in some versions of Confluence Server and Data Center that can allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. This was a zero-day vulnerability that was only patched after it was found to be actively exploited in the wild. An attacker could exploit the vulnerability by simply sending a specially crafted HTTP request containing a malicious parameter to a vulnerable install.

Shortly after the vulnerability was disclosed and a patch came out, researchers noticed massive scanning activity for vulnerable instances and crypto-miners started to use the vulnerability to run their code on unpatched servers.

On the Confluence Support website you can find a list of affected versions, instructions to upgrade, and a workaround for those that are unable to upgrade.

**Lessons learned**

What does this list tell us to look out for in 2022?

Well, first off, if you haven’t patched one of the above we would urgently advise you to do so. And it wouldn’t hurt to continue working down the list provided by CISA.

Second, you may have noticed a pattern in what made these vulnerabilities so popular to exploit:

*   **A large attack surface**. Popular and widely used software makes for a larger number of potential victims. The money is in the numbers.
*   **Internet-facing instances**. Remember, your Internet-connected software shares the Internet with every basement-dwelling criminal hacker in the world.
*   **Easy exploitability**. When vulnerabilities are easy to exploit, and PoCs are publicly available and easy to deploy, the number of potential threat actors goes up.

So, if you notice or hear about a vulnerability that meets these “requirements” move it to the top of your “to-patch” list.

Stay safe, everyone!

The top 5 most routinely exploited vulnerabilities of 2021

Scammers are targeting high-value verified accounts using sneaky Messages from other verified accounts, and realistic phishing sites.
The post Beware Twitter Messages claiming “Your blue badge Twitter account has been reviewed as spam” appeared first on Malwarebytes Labs.

Twitter verification is a two-edged sword. According to Twitter, it’s supposed to let people know “that an account of public interest is authentic.” That’s great, so long as the account is authentic, but what if, one day, it suddenly isn’t?

An attacker that can wrestle a verified account from its owner can cloak themselves in the real owner’s authenticity. And they can use that authenticity to pull off what NBC News reporter Kevin Collier described as “the best DM phishing attempt I think I’ve ever seen.” The attack, seen by Collier and attempted against author Miles Klee, used a compromised blue tick account to try to scam Klee out of his own verified account.

According to the compromised account’s bio, he is…

Support Team Officer Patrick Lyons. You will be informed of an important development regarding your account via this channel.

The account sends the intended victim a Direct Message that reads:

Hello, dear Twitter user!

Your blue badge Twitter account has been reviewed as spam by our Twitter team.

We understand how valuable the blue badge is to you.

Please appeal using the form below, otherwise your blue badge may be deleted.

{redacted URL}

Thanks
Twitter Team

**The phishing site**

The URL uses a realistic-looking domain (registered in November 2021), that displays a realistic login screen that uses the appropriate Twitter fonts and styling.

The fake Twitter login screen

Entering a user name and clicking the “Log in” button takes the user to a realistic-looking fake password reset page.

The fake password reset page.

This page asks users to reset their passwords, by entering both old and new. Entering your old password gives your password straight to the scammers, who already have your username. And whether you enter a valid password or not, you see the same message:

You entered your old password incorrectly, please check and try again. If you do not know your password, you can renew your password from your Twitter account.

At this point, your password is in the hands of the scammers, but the site does not ask for a second authentication factor. The “burner” account we tested the site with had two-factor authentication (2FA) enabled and it looks as if that is enough to blunt this attack.

**Don’t risk giving scammers your authority**

Messages sent from verified accounts appear more authentic, which is why they are such a prize for scammers. Right now, hijacked verified profiles are enormously popular for hawking NFT scams, for example. Verified account owners can give their security a huge boost, just by enabling 2FA.

Better yet, Twitter could give every verified account a huge security boost by making 2FA mandatory.

Remain vigilant, and stay safe!

Beware Twitter Messages claiming “Your blue badge Twitter account has been reviewed as spam”

Scammers are asking people to download a remote access app onto their phones so they can steal their savings.
The post Beware scammers disguised as fraud busters appeared first on Malwarebytes Labs.

Fraudsters like confusing and disorienting people. Successful ones avoid obvious lines of approach and try things you wouldn’t expect. A recent story highlights this, with a particularly devious method of parting someone from their money.

The Daily Record reports scammers running off with an $11,000 haul from a lady in Scotland. They did this by subverting expectations and drawing attention to a theft that never happened.

**Distraction and subterfuge**

Impersonation fraud is a huge problem. It weaves into several forms of cybercrime, such as phishing, fake customer support agents, fake deliveries, and even bogus charity donations.

One of the most interesting choices fraudsters make is to run a scam that specifically draws the victim’s attention to fraudulent activity, real or otherwise. It sounds counter-productive, but it’s the last thing people would expect.

Someone calling and claiming to be your bank will raise multiple red flags, even before asking for banking details. Getting a call from someone saying they blocked a potential thief from stealing your savings? That will set many people at ease, which fraudsters are hoping for.

**Borrowing from the tech support scam playbook**

A scam such as this usually follows a pattern. The attacker:

1.  Calls, claiming to have spotted an attempted fraud or stopped an unauthorized transaction.
2.  Asks if you can help with inquiries related to the non-existent attack.
3.  Requests banking information.

The attack against the Scots lady splits off from this pattern somewhat, incorporating tactics more commonly seen in tech support scams. Instead of asking for banking information, the attacker says they can help prevent future fraud attempts and advises the target to download Any Desk, a legitimate app that acts as a remote access tool to someone’s phone.

The end result is that the attacker used their access to steal a significant chunk of the victim’s life savings. Inspector Laura Hamill, a member of the Paisley community policing team, told the Daily Record that the victim “…was left understandably distressed after having a large sum of cash stolen from her account through the use of an app which she was convinced to download to her device.”

**How to deal with fraud support**

Banks tend to have strict rules about how their fraud team calls operate. Here are some things you can look out for when deciding if a call is genuine or not.

*   If fraud is detected, banks will try outreach after putting a hold on your card. There may be automated calls, texts, or voicemails. These usually ask you to call a dedicated number on the bank’s website.
*   Regardless of the outreach method, the bank never asks you for full passwords, PINS, security codes, passwords, or anything displayed on authenticator devices.
*   Banks don’t send fraud warnings via email. If you receive one, with or without a clickable link, don’t reply. Call your bank.
*   Your bank may have its own banking app for online mobile banking. They will never ask you to download remote access tools.
*   If you doubt the correct bank contact numbers, your bank should at least have a helpline number printed on the back of your card.

Source

Malwarebytes