Smart Tips for Staying Safer Online

Read Time:4 Minute, 24 Second

The recent WannaCry ransomware attack that infected more than 250,000 computers worldwide was a good reminder to everyone about staying vigilant when it comes to internet safety.

After all, many of us stay connected most of the time, whether it’s on our laptops or mobile devices, giving cybercriminals a wide range of opportunities to go after our personal and financial information, as well as our privacy.

The good news is that safeguarding your internet security, and preventing an attack like WannaCry, can be as simple as keeping your software up-to-date, and taking other preventative measures. The key is knowing which threats to look out for, and when you are taking potential risks.

Let’s start by talking about our mobile devices. Although many of us have been taught to look out for viruses and other threats on our computers, we don’t always realize that our mobile devices are just as vulnerable as our desktops.

The truth is dangerous links and downloads can be easily accessed using mobile browsers and email. And, our devices can open us up to new threats like malicious apps or text messages, designed to steal your information.

And if you think you’re protected from many online threats because you are an Apple user, think again. McAfee Labs found in its latest Quarterly Threat Report that malware exploiting the Mac operating system has grown exponentially.

Another instance where we often don’t realize we’re at risk is when we use technology while travelling or away from home. Connecting to public Wi-Fi networks can be dangerous because many of these networks do not take the necessary steps to protect your data from being accessed by cybercrooks. It’s just as risky to use public or shared computers since the bad guys will sometimes infect them with malware or spyware designed to steal your information.

Our heavy use of social media is another area where we face new threats. Although these sites are made for sharing, we tend to share too much of our private information, opening us up to identity theft, or even harassment. That’s why we need to safely guard information such as our home address, employer, phone number, and email. It’s also wise to change your social media privacy settings to “friends only.” When we open our networks up to people who we don’t know in real life, we also open the door to potential scammers.

These scammers love to distribute phishing attacks on social media and via email and text. Their goal is to trick you into revealing personal or financial information. Take, for instance, the recent “Google Docs” attack, in which scammers sent out fake emails that appeared to come from a trusted source, asking recipients to click on a link to open a Google document, with the hopes of gaining access to their email login and contact information.

Account login information is highly valuable to scammers, since it can potentially allow them to login into or guess your banking passwords, and other crucial financial or identity information. This is a good reason to opt for the highest security settings on all your accounts, such as multi-factor authentication. This security measure asks you to provide an additional piece of information other than your password to verify your identity, such as entering a unique code that is sent to your mobile phone.

There are a lot of threats that we all need to be aware of, but by taking basic precautions and staying vigilant about what you share online you will be much better protected from cybercrime.

Tips to keep you safe:

Keep on top of the latest threats so you know what to look out for.
Make sure you use comprehensive security software that protects both your computers and mobile devices, and keep the software up-to-date.
Turn on automatic updates on all your devices so your operating systems always have the latest security fixes.
Create unique, complex passwords using a combination of upper and lower case letters, numbers and symbols for all your critical accounts.
Turn on multi-factor authentication when available.
Never click on attachments or links sent by someone you don’t know. These often lead to malware or phishing scams.
Be careful when downloading mobile apps. Only download apps from an official app store, and read other users’ reviews first to make sure the app is safe.
Backup all your data on a regular basis, in case you need to wipe your device clean, or as a safeguard in response to ransomware. This way you can restore all of your information.
Be careful when posting on social networks. Never share key identity information, and select the highest security settings.
When away from home, avoid using public Wi-Fi and stick to websites that start with “HTTPS” instead of just “HTTP”, since they use extra security to protect your information. If you must use an unsecured network, protect your data by installing a personal VPN, which links you to a secure network over the internet.

Looking for more mobile security tips and trends? Be sure to follow @McAfee Home on Twitter, and like us on Facebook.

The post Smart Tips for Staying Safer Online appeared first on McAfee Blog.

Read More

What is Spyware?

Read Time:2 Minute, 36 Second

No one likes the feeling that someone is looking over their shoulder when they work, shop or surf online. But this is just what crooks and scammers do without our knowledge using “spyware.”

Spyware is a piece of software that can covertly gather information on you. It can track the websites you visit and even record what you type on your keyboard, including passwords and credit card numbers.

So, now the bad guys don’t have to steal your wallet to get access to your personal and financial information. All they need to do is trick you into installing spyware on your computer or device. Or they could install it themselves on public or shared computers using a USB drive, or similar device.

One of the more common forms of spyware found on shared computers is called a “keylogger.” It can record everything you type and send it back to the cybercrook. That’s why you should avoid using shared computers in hotels or public libraries, since they can be easily compromised.
Most spyware masquerades as legitimate software, such as free games or mobile apps. In fact, researchers believe that over three years, 1 million Google Play users downloaded a single piece of spyware alone. It appeared to be an official “System Update” application, but actually monitored the users’ location information and text messages without their knowledge.

Spyware can also easily spread online in the form of dangerous links in emails, and on social media or torrent sites, which offer free access to online content. That’s why you need to be careful where you click.

Another common form of spyware is called “adware.” Adware is used to display advertisements on your computer, or redirect your search inquiries to an advertiser’s website. Although this isn’t as harmful as spyware designed to steal your information, it is still invasive and annoying.

Since spyware is so prevalent and potentially harmful, putting both your private information and privacy at risk, it’s important that you take steps to protect yourself.
Here are some tips to keep you safe:

Only visit trusted websites and be suspicious of sites offering “free” content or applications.
Be careful when downloading any software or mobile apps from the web. Read other users’ reviews first to make sure the product is safe. Also, read any licensing or service agreements carefully to see if the provider is accessing more information than it needs to.
Never leave your computer or devices unattended in public, since a cybercrook could potentially install spyware when you’re not looking.
Avoid clicking on online ads, since they could lead to adware.
Look out for anti-spyware scams. There are many phony “anti-spyware” tools online that offer free scans. They falsely detect multiple spyware programs on your computer to get you to buy their product.
Make sure you use comprehensive security software that includes spyware protection, and keep it up-to-date.

Looking for more mobile security tips and trends? Be sure to follow @McAfee Home on Twitter, and like us on Facebook.

 

The post What is Spyware? appeared first on McAfee Blog.

Read More

Microsoft help files repurposed to contain Vidar malware in new campaign

Read Time:29 Second

A new email campaign designed to spread the Vidar spyware package uses a novel technique involving Microsoft Compiled HTML help files, according to a blog post released today by Trustwave.

The help files, which use the suffix “CHM,” are packaged in an ISO along with the Vidar payload in what appears to be a Word document. If the attacker successfully hoodwinks the target into extracting the phony document, executing either file triggers the malicious package and compromises the system, Trustwave researcher Diana Lopera wrote in the post.

To read this article in full, please click here

Read More

USN-5321-3: Firefox regressions

Read Time:36 Second

USN-5321-1 fixed vulnerabilities in Firefox. The update introduced
several minor regressions. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, spoof the browser
UI, bypass security restrictions, obtain sensitive information, or execute
arbitrary code. (CVE-2022-0843, CVE-2022-26381, CVE-2022-26382,
CVE-2022-26383, CVE-2022-26384, CVE-2022-26385)

A TOCTOU bug was discovered when verifying addon signatures during
install. A local attacker could potentially exploit this to trick a
user into installing an addon with an invalid signature.
(CVE-2022-26387)

Read More

ContiLeaks: Chats Reveal Over 30 Vulnerabilities Used by Conti Ransomware – How Tenable Can Help

Read Time:8 Minute, 38 Second

Private messages between Conti members uncover invaluable information about how the infamous ransomware group hijacks victims’ systems.

Leaked internal chats between Conti ransomware group members offer a unique glimpse into its inner workings and provide valuable insights, including details on over 30 vulnerabilities used by the group and its affiliates, as well as specifics about its processes after infiltrating a network, like how it targets Active Directory.

In this blog post, we’ll offer background into Conti – one of the more prolific ransomware groups in operation today – dig into the leaked information, and offer concrete advice on how to protect your organization against Conti’s attacks.

Background

The ContiLeaks began on February 27 – the work of an alleged member of the Conti ransomware group. This individual leaked a series of internal chats between members of the group to the general public. This isn’t the first time confidential information about the group has been leaked. In August 2021, an affiliate of Conti published a playbook of training materials given to affiliates, which provided our first insight into the ransomware group’s operation.

These leaks have allowed researchers to analyze more of the tactics, techniques, and procedures developing indicators of compromise associated with the group. Researchers at Breach Quest published an article on March 9 analyzing the ContiLeaks, which included a list of vulnerabilities the group appears to have been using to target organizations.

What is Conti?

First discovered in 2020 by researchers at Carbon Black, Conti is a ransomware group that operates a ransomware-as-a-service model to deploy the Conti ransomware.

Ransomware-as-a-Service (RaaS) is offered by ransomware groups and gives affiliates — cybercriminals looking to partner with RaaS groups — access to ransomware that is ready to be deployed, as well as a playbook to help guide their attacks. RaaS groups take a small cut of paid ransoms, providing the bulk of the profits to affiliates.

Conti has risen to prominence over the last two years, earning a reported $180 million in profits from its attacks, according to Chainalysis. It’s also gained notoriety for attacks against the healthcare sector, including at least 16 U.S. health and emergency networks. Most notable was Conti’s attack on the Ireland Health Service Executive (HSE) in May 2021 in which the group demanded a $20 million ransom, which the HSE refused to pay.

Conti’s focus on the healthcare sector isn’t surprising. In our 2021 Threat Landscape Retrospective report, we found that 24.7% of healthcare data breaches were the result of ransomware attacks, and ransomware itself was responsible for 38% of all breaches publicly disclosed last year.

Which vulnerabilities are Conti and its affiliates using?

Ransomware groups like Conti use a variety of tactics to breach the networks of prospective targets. These include phishing, malware and brute force attacks against Remote Desktop Protocol.

Conti has also been linked to EXOTIC LILY, an initial access broker (IAB) group. IABs are focused on obtaining malicious access to organizations for the purpose of selling that access to ransomware groups and affiliates. However, exploiting pre-and-post authentication vulnerabilities also play an important role in ransomware attacks.

As part of the leaked affiliate playbook, we’ve seen reports that Conti and its affiliates have been using the PrintNightmare and Zerologon vulnerabilities against targets. However, the ContiLeaks revealed an additional 29 vulnerabilities used by the group.

Additionally, there are reports that Conti and its affiliates have targeted vulnerabilities in the Fortinet FortiOS found in Fortinet’s SSL VPN devices to gain initial access to target environments.

The following is a breakdown of the types of vulnerabilities used by Conti and its affiliates:

Initial access vulnerabilities

CVE
Description
CVSS Score
VPR

CVE-2018-13379
Fortinet FortiOS Path Traversal/Arbitrary File Read Vulnerability
9.8
9.8

CVE-2018-13374
Fortinet FortiOS Improper Access Control Vulnerability
8.8
8.4

CVE-2020-0796
Windows SMBv3 Client/Server Remote Code Execution Vulnerability (“SMBGhost”)
10
10.0

CVE-2020-0609
Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability
9.8
8.4

CVE-2020-0688
Microsoft Exchange Validation Key Remote Code Execution Vulnerability
8.8
9.9

CVE-2021-21972
VMware vSphere Client Remote Code Execution Vulnerability
9.8
9.5

CVE-2021-21985
VMware vSphere Client Remote Code Execution Vulnerability
9.8
9.4

CVE-2021-22005
VMware vCenter Server Remote Code Execution Vulnerability
9.8
9.6

CVE-2021-26855
Microsoft Exchange Server Remote Code Execution Vulnerability (“ProxyLogon”)
9.8
9.9

*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on March 24 and reflects VPR at that time.

Elevation of privilege vulnerabilities

CVE
Description
CVSS Score
VPR

CVE-2015-2546
Win32k Memory Corruption Elevation of Privilege Vulnerability
6.9
9.6

CVE-2016-3309
Windows Win32k Elevation of Privilege Vulnerability
7.8
9.7

CVE-2017-0101
Windows Elevation of Privilege Vulnerability
7.8
9.7

CVE-2018-8120
Windows Win32k Elevation of Privilege Vulnerability
7
9.8

CVE-2019-0543
Microsoft Windows Elevation of Privilege Vulnerability
7.8
9.0

CVE-2019-0841
Windows Elevation of Privilege Vulnerability
7.8
9.8

CVE-2019-1064
Windows Elevation of Privilege Vulnerability
7.8
9.2

CVE-2019-1069
Windows Task Scheduler Elevation of Privilege Vulnerability
7.8
9.0

CVE-2019-1129
Windows Elevation of Privilege Vulnerability
7.8
8.9

CVE-2019-1130
Windows Elevation of Privilege Vulnerability
7.8
6.7

CVE-2019-1215
Windows Elevation of Privilege Vulnerability
7.8
9.5

CVE-2019-1253
Windows Elevation of Privilege Vulnerability
7.8
9.7

CVE-2019-1315
Windows Error Reporting Manager Elevation of Privilege Vulnerability
7.8
9.0

CVE-2019-1322
Microsoft Windows Elevation of Privilege Vulnerability
7.8
9.0

CVE-2019-1385
Windows AppX Deployment Extensions Elevation of Privilege Vulnerability
7.8
5.9

CVE-2019-1388
Windows Certificate Dialog Elevation of Privilege Vulnerability
7.8
8.4

CVE-2019-1405
Windows UPnP Service Elevation of Privilege Vulnerability
7.8
9.7

CVE-2019-1458
Win32k Elevation of Privilege Vulnerability
7.8
9.7

CVE-2020-0638
Update Notification Manager Elevation of Privilege Vulnerability
7.8
5.9

CVE-2020-0787
Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability
7.8
9.7

CVE-2020-1472
Windows Netlogon Elevation of Privilege Vulnerability (“Zerologon”)
10
10.0

CVE-2021-1675
Windows Print Spooler Remote Code Execution Vulnerability
8.8
9.8

CVE-2021-1732
Windows Win32k Elevation of Privilege Vulnerability
7.8
9.8

CVE-2021-34527
Windows Print Spooler Remote Code Execution Vulnerability (“PrintNightmare”)
8.8
9.8

We’re also aware that Conti and its affiliates have used CVE-2021-44228, also known as Log4Shell, as part of attacks beginning in late 2021.

Leveraging elevation of privilege vulnerabilities

When looking at the impact of the various vulnerabilities disclosed specifically within the ContiLeaks communications, an interesting pattern emerges: nearly three quarters of the vulnerabilities on the list are elevation of privilege flaws, which signifies that the group is largely using vulnerabilities that support post-exploitation activities.

Given that the group and its affiliates can find different entry points into an organization outside of vulnerabilities, but need to elevate privileges in order to wreak havoc, it is not surprising that most of their vulnerability toolkit is focused on elevation of privileges.

Conti and Active Directory

Through the ContiLeaks, we learned that Conti follows a set of processes once inside a network. To target Active Directory (AD), the group will seek out domain administrator privileges, as is common amongst ransomware. For ransomware groups, AD is a valuable tool to help achieve their intended goal of encrypting systems across an organization’s network.

Conti and its affiliates will try to leverage Zerologon to obtain domain admin privileges, or they will seek out “potentially interesting people” within an organization’s AD according to BreachQuest.

The group and its affiliates target AD through a variety of means including:

ADFind
BloodHound
Steal or Forge Kerberos Tickets (“Kerberoasting”)
OS Credential Dumping: NTDS

Solution

The majority of vulnerabilities used by the Conti ransomware group and its affiliates have been patched over the last few years. The oldest flaw on this list was patched six years ago in 2015.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities can be found here.

To enable our customers to identify all of the known vulnerabilities leveraged by the Conti ransomware group and its affiliates, we will be releasing scan templates soon, while dashboards for Tenable.io, Tenable.sc and Nessus Professional are available now.

ContiLeaks Scan Template

ContiLeaks Dashboard for Tenable.io

ContiLeaks Dashboard for Tenable.sc

ContiLeaks Report from Tenable.sc

For more information on the dashboards and reports, please refer to the following articles:

ContiLeaks Tenable.io Dashboard
ContiLeaks SC Dashboard
ContiLeaks SC Report Template

Indicators of Exposure view in Tenable.ad

For Tenable.ad customers, we have detection and prevention solutions in the form of Indicators of Exposure (IoE) and Indicators of Attack (IoA). IoEs are a preemptive way to find and address gaps within your AD infrastructure to eliminate attack paths for ransomware groups and other cybercriminals, while IoAs detect attacks in real time.

Example IOA alert for password spraying

The following is a list of IoEs and IoAs derived from the findings within the ContiLeaks:

Tactics
MITRE ATT&CK
Solutions
Type

Discovery (e.g. BloodHound)
T1087.001, T1087.002, T1106, T1069.001, T1069.002
Enumeration of local administratorsMassive computers reconnaissance
IoA

Privilege Escalation (Golden Ticket)
T1558.001
GoldenTicket
IoA

Privilege Escalation (Zerologon)
T1068
Unsecured configuration of Netlogon protocol
IoE

Credential Access (Bruteforce, Password Spraying)
T1110.001, T1110.002, T1110.003, T1110.004
Password GuessingPassword Spraying
IoA

Credential Access (Collection and decryption of GPP Passwords)
T1552.006
Reversible passwords in GPO
IoE

Credential Access (ntds.dit)
T1003.003
NTDS Extraction
IoA

Credential Access (Encrypted Passwords)
T1003.003
Reversible passwords
IoE

Credential Access (Kerberoasting)
T1558.003
Kerberoasting
IoA

Credential Access (Mimikatz)
T1003.001
OS Credential Dumping: LSASS Memory
IoA

Get more information

Conti ransomware gang chats leaked by pro-Ukraine member
The Conti Leaks | Insight into a Ransomware Unicorn

Join Tenable’s Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Read More