Who is the Network Access Broker ‘Wazawaka?’

Read Time:7 Minute, 40 Second

In a great many ransomware attacks, the criminals who pillage the victim’s network are not the same crooks who gained the initial access to the victim organization. More commonly, the infected PC or stolen VPN credentials the gang used to break in were purchased from a cybercriminal middleman known as an initial access broker. This post examines some of the clues left behind by “Wazawaka,” the hacker handle chosen by a major access broker in the Russian-speaking cybercrime scene.

Wazawaka has been a highly active member of multiple cybercrime forums over the past decade, but his favorite is the Russian-language community Exploit. Wazawaka spent his early days on Exploit and other forums selling distributed denial-of-service (DDoS) attacks that could knock websites offline for about USD $80 a day. But in more recent years, Wazawaka has focused on peddling access to organizations and to databases stolen from hacked companies.

“Come, rob, and get dough!,” reads a thread started by Wazawaka on Exploit in March 2020, in which he sold access to a Chinese company with more than $10 billion in annual revenues. “Show them who is boss.”

According to their posts on Exploit, Wazawaka has worked with at least two different ransomware affiliate programs, including LockBit. Wazawaka said LockBit had paid him roughly $500,000 in commissions for the six months leading up to September 2020.

Wazawaka also said he’d teamed up with DarkSide, the ransomware affiliate group responsible for the six-day outage at Colonial Pipeline last year that caused nationwide fuel shortages and price spikes. The U.S. Department of State has since offered a $5 million reward for information leading to the arrest and conviction of any DarkSide affiliates.

Wazawaka seems to have adopted the uniquely communitarian view that when organizations being held for ransom decline to cooperate or pay up, any data stolen from the victim should be published on the Russian cybercrime forums for all to plunder — not privately sold to the highest bidder. In thread after thread on the crime forum XSS, Wazawaka’s alias “Uhodiransomwar” can be seen posting download links to databases from companies that have refused to negotiate after five days.

“The only and the main principle of ransomware is: the information that you steal should never be sold,” Uhodiransomwar wrote in August 2020. “The community needs to receive it absolutely free of charge if the ransom isn’t paid by the side that this information is stolen from.”

Wazawaka hasn’t always been so friendly to other cybercrooks. Over the past ten years, his contact information has been used to register numerous phishing domains intended to siphon credentials from people trying to transact on various dark web marketplaces. In 2018, Wazawaka registered a slew of domains spoofing the real domain for the Hydra dark web market. In 2014, Wazawaka confided to another crime forum member via private message that he made good money stealing accounts from drug dealers on these marketplaces.

“I used to steal their QIWI accounts with up to $500k in them,” Wazawaka recalled. “A dealer would never go to the cops and tell them he was selling stuff online and someone stole his money.”

WHO IS WAZAWAKA?

Wazawaka used multiple email addresses and nicknames on several Russian crime forums, but data collected by cybersecurity firm Constella Intelligence show that Wazawaka’s alter egos always used one of three fairly unique passwords: 2k3x8x57, 2k3X8X57, and 00virtual.

Those three passwords were used by one or all of Wazawaka’s email addresses on the crime forums over the years, including wazawaka@yandex.ru, mixseo@mail.ru, mixseo@yandex.ru, mixfb@yandex.ru.

That last email address was used almost a decade ago to register a Vkontakte (Russian version of Facebook) account under the name Mikhail “Mix” Matveev. The phone number tied to that Vkontakte account — 7617467845 — was assigned by the Russian telephony provider MegaFon to a resident in Khakassia, situated in the southwestern part of Eastern Siberia.

DomainTools.com [an advertiser on this site] reports mixfb@yandex.ru was used to register three domains between 2008 and 2010: ddosis.ru, best-stalker.com, and cs-arena.org. That last domain was originally registered in 2009 to a Mikhail P. Matveyev, in Abakan, Khakassia.

Mikhail Matveev is not the most unusual name in Russia, but other clues help narrow things down quite a bit. For example, early in his postings to Exploit, Wazawaka can be seen telling members that he can be contacted via the ICQ instant message account 902228.

An Internet search for Wazawaka’s ICQ number brings up a 2009 account for a Wazawaka on a now defunct discussion forum about Kopyovo-a, a town of roughly 4,400 souls in the Russian republic of Khakassia:

MIKHAIL’S MIX

Also around 2009, someone using the nickname Wazawaka and the 902228 ICQ address started posting to Russian social media networks trying to convince locals to frequent the website “fureha.ru,” which was billed as another website catering to residents of Khakassia.

According to the Russian domain watcher 1stat.ru, fureha.ru was registered in January 2009 to the email address mix@devilart.net and the phone number +79617467845, which is the same number tied to the Mikhail “Mix” Matveev Vkontakte account.

DomainTools.com says the mix@devilart.net address was used to register two domains: one called badamania[.]ru, and a defunct porn site called tvporka[.]ru. The phone number tied to that porn site registration back in 2010 was 79235810401, also issued by MegaFon in Khakassia.

A search in Skype for that number shows that it was associated more than a decade ago with the username “matveevatanya1.” It was registered to a now 29-year-old Tatayana Matveeva Deryabina, whose Vkontakte profile says she currently resides in Krasnoyarsk, the largest city that is closest to Abakan and Abaza.

It seems likely that Tatayana is a relative of Mikhail Matveev, perhaps even his sister. Neither responded to requests for comment. In 2009, a Mikhail Matveev from Abaza, Khakassia registered the username Wazawaka on weblancer.net, a freelance job exchange for Russian IT professionals. The Weblancer account says Wazawaka is currently 33 years old.

In March 2019, Wazawaka explained a lengthy absence on Exploit by saying he’d fathered a child. “I will answer everyone in a week or two,” the crime actor wrote. “Became a dad — went on vacation for a couple of weeks.”

One of the many email addresses Wazawaka used was devdelphi@yandex.ru, which is tied to a more recent but since-deleted Vkontakte account for a Mikhail Matveev and used the password 2k3X8X57. As per usual, I put together a mind map showing the connections referenced in this story:

A rough mind map of the connections mentioned in this story.

Analysts with cyber intelligence firm Flashpoint say Wazawaka’s postings on various Russian crime forums show he is proficient in many specializations, including botnet operations, keylogger malware, spam botnets, credential harvesting, Google Analytics manipulation, selling databases for spam operations, and launching DDoS attacks.

Flashpoint says it is likely Wazawaka/Mix/M1x has shared cybercriminal identities and accounts with multiple other forum members, most of whom appear to have been partners in his DDoS-for-hire business a decade ago. For example, Flashpoint points to an Antichat forum thread from 2009 where members said M1x worked on his DDoS service with a hacker by the nickname “Vedd,” who was reputedly also a resident of Abakan.

STAY  TRUE, & MOTHER RUSSIA WILL HELP YOU

All of this is academic, of course, provided Mr. Wazawaka chooses to a) never leave Russia and b) avoid cybercrime activities that target Russian citizens. In a January 2021 thread on Exploit regarding the arrest of an affiliate for the NetWalker ransomware program and its subsequent demise, Wazawaka seems already resigned those limitations.

“Don’t shit where you live, travel local, and don’t go abroad,” Wazawaka said of his own personal mantra.

Which might explain why Wazawaka is so lackadaisical about hiding and protecting his cybercriminal identities: Incredibly, Wazawaka’s alter ego on the forum XSS — Uhodiransomware — still uses the same password on the forum that he used for his Vkontakte account 10 years ago. Lucky for him, XSS also demands a one-time code from his mobile authentication app.

The second step of logging into Wazawaka’s account on XSS (Uhodiransomwar).

Wazawaka said NetWalker’s closure was the result of its administrator (a.k.a. “Bugatti”) getting greedy, and then he proceeds to preach about the need to periodically re-brand one’s cybercriminal identity.

“I’ve had some business with Bugatti,” Wazawaka said. “The guy got too rich and began recruiting Americans as affiliate partners. What happened now is the result. That’s okay, though. I wish Bugatti to do some rebranding and start from the beginning As for the servers that were seized, they should’ve hosted their admin panels in Russia to avoid getting their servers seized by INTERPOL, the FBI, or whatever.”

“Mother Russia will help you,” Wazawaka concluded. “Love your country, and you will always get away with everything.”

If you liked this post, you may also enjoy Who Is the Network Access Broker “Babam”?

Read More

The Dark Web: A Definitive Guide

Read Time:13 Minute, 20 Second

The internet has opened up wonderful new possibilities in our world, making life easier on many levels. You can pay your bills, schedule your next family vacation, and order groceries with the click of a button. While the internet offers many positive benefits, it also has some negatives. Although not entirely used for illicit purposes, the dark web is one part of the internet that can be used by criminals for illegal purposes, like selling stolen personal information.

But just what is the dark web? Basically, it’s a part of the internet that isn’t indexed by search engines. As an average internet user, you won’t come across the dark web since you need a special browser to access it. It’s certainly not something you need to stress about in your day-to-day browsing, and you shouldn’t let it scare you off the internet. Unless you actively seek it out, you’ll likely never have any contact with the dark web in your lifetime.

A better understanding of what the dark web is and the possible threats it contains can help you protect yourself, though. This guide provides the essential information you need, explaining the different levels of the web and revealing how you can stay safe. With this knowledge, you can continue to browse online with confidence. Find out more below.

What is the dark web?

The “dark web” refers to websites that aren’t indexed by search engines like Google and Bing. This might seem strange since most people want their websites to be found through specific searches. Practices like search engine optimization (SEO) are specifically implemented to help websites perform well and rank higher in search engine results.

So, why would someone not want their website to be picked up by a search engine? The primary purpose is to preserve privacy and anonymity. The individuals and organizations on the dark web often engage in illegal activities and want to keep their identities hidden — something that is difficult to do with an indexed website.

It’s important to note that the dark web should not be confused with the deep web, which is a part of the internet individuals access regularly. Although the terms are sometimes used interchangeably, they actually refer to different things. Deep web content — which isn’t picked up by search engines, either — includes pages that typically require additional credentials to access. Your online banking accounts and email accounts, for instance, are examples of deep web content.

Different levels of the web

The internet is home to billions of websites — an estimated 1.7 billion to be exact, although that number changes every day as new sites are made and others are deleted. Your daily internet activity likely falls within the publicly available and readily accessible portion of the internet (otherwise known as the surface web). However, there are additional “levels” of the internet beyond that top level. Read on to learn more.

Surface web

The internet you use to search for more information is referred to as the surface web or open web. This is the readily visible part of the internet anyone can access with an internet connection and a normal web browser like Safari, Mozilla Firefox, or Google Chrome. Other terms for the surface web include the visible web, lightnet, or indexed web.

Examples of content you’ll find on the surface web include:

Open media websites and news sites like those affiliated with blogs, newspapers, magazines, and other publications. An example would be the home page of a newspaper like The New York Times or a media company like BuzzFeed.
Business websites for everything from major corporations to smaller local businesses. An example could be the website for a huge corporation like Bank of America or one for a smaller business like a local bakery.
Mainstream social media platforms like Facebook, Instagram, LinkedIn, and Twitter. Although you likely use these tools via an app, they all have dedicated websites.
E-commerce sites used for buying goods and services, like Amazon, Walmart, Target, apparel retailers, and beyond. Any company that sells products online can be considered an e-commerce site.

Basically, the sites you use daily — from your favorite news site to a local restaurant — are part of the surface web. What makes these websites part of the surface web is that they can be located via search queries and have recognizable endings like .com, .edu, .gov, or .org. You are able to find websites on the surface web because they are marked as “indexable,” meaning search engines can index and rank them. The sites are readily available on the search engine results pages (SERPs).

Interestingly, the surface web only makes up around 4% of the total internet, meaning the internet is a lot more than what you see on the surface. Think of it as an ocean — there’s the top layer of water you can see and then there’s the vast world beneath. The remainder of the internet is what’s below the surface.

Deep web

The deep web refers to any page on the internet that isn’t indexed by search engines as described above. The deep web is the first level beneath the “surface” of the visible web — and it’s significantly larger than the surface web, accounting for an estimated 96% to 99% of the entire internet.

It’s important to note that just because this type of content isn’t on the surface doesn’t mean it’s nefarious or has ill intent. A lot of the time, this content isn’t indexed because it includes pages that are meant to be hidden to protect consumer privacy, such as those that require login credentials.

Here are some examples of content on the deep web:

Fee-based content like news articles that are behind a paywall or membership-only content requiring login credentials are considered part of the deep web. For example, if you pay to access members-only content in a content creator’s fan club, you are using fee-based content.
Databases containing protected files that aren’t connected to other areas of the internet. These could be public or private files, like those from government entities or private educational institutions.
Intranets for educational institutions, corporate enterprises, and governments are used for exchanging and organizing internal information. Some of it is sensitive and not meant for public dissemination. Intranets usually require a login and are part of the deep web.
Secure storage platforms like Dropbox or Google Drive also require you to log in to upload and download files and photos. There are also proprietary data storage solutions used by companies that frequently handle sensitive data, such as law firms, financial institutions, and health care providers. An example might be a patient portal via a hospital or doctor’s office, where you can access your personal medical records.

Essentially, any webpage that requires a login is part of the deep web. That said, deep web content doesn’t necessarily have to fall into any of these categories. Any page that is non-indexable is technically also considered part of the deep web. It doesn’t have to require a login or contain sensitive data. Website creators and managers can mark pages as non-indexable if desired.

It’s worth noting that sometimes a single organization’s website will include elements of both the surface web and the deep web. Take a college or university website, for example. Most schools have a comprehensive website providing information about the school’s history, campus location, student body, available programs of study, extracurricular activities, and more.

However, many schools also have an intranet — sometimes linked from the main university page — that’s accessible only for students or staff. This is where students might sign up for classes and access their school email, for example. Since this is sensitive information and requires a unique login, it doesn’t need to be made publicly available via search engines.

In fact, it’s better in the interest of privacy that these pages aren’t readily visible. It helps to protect the user’s data. From this example, you can see that the “deep web” doesn’t have to be scary, illicit, or illegal. It serves a legitimate and useful purpose. You shouldn’t be afraid of the deep web. It’s further important to distinguish the deep web from the dark web — as the next section explains.

Dark web

As mentioned, the deep web and the dark web sometimes get confused. However, they are distinct. Technically, the dark web is a niche or subsection within the deep web. It consists of websites that aren’t indexable and can’t be readily found online via web search engines. However, the dark web is a carefully concealed portion of the deep web that people go out of their way to keep hidden.

What makes the dark web distinct from the broader deep web is the fact that dark web content can only be accessed via a special browser. The Tor network is often used to access the dark web.

Additionally, the dark web has a unique registry operator and uses security tools like encryption and firewalls, further making it inaccessible via traditional web browsers. Plus, the dark web relies on randomized network infrastructure, creating virtual traffic tunnels. All of these technical details serve to promote anonymity and protect dark web users’ privacy.

Is it illegal to browse the dark web?

The short answer is no, it’s not illegal to browse the dark web. In fact, there are instances where individuals can use it for good. Whistleblowers, for instance, can find the anonymity available through the dark web valuable when working with the FBI or another law enforcement organization.

That said, while it’s not illegal to browse the dark web, it’s also not completely void of criminal activity. Putting yourself in close proximity with illegal activities is rarely a good idea and could heighten your risk of being targeted by a criminal yourself. It’s often best to leave that part of the deep web alone.

There are also many technological threats on the dark web. Malicious software, also known as malware, is a critical concern and can affect unsuspecting users. Even simply browsing the dark web out of curiosity can expose you to such threats, like phishing malware or keyloggers. While an endpoint security program can identify such threats if they end up on your computer, it’s ideal to avoid them altogether.

Further, if you try to buy something on the dark web — even if it’s not illegal — there’s a chance you’ll be scammed. Dark web criminals use a variety of tricks to con people. For example, they may hold money in escrow but then shut down the e-commerce website and take off with the money. Due to the anonymous nature of the dark web, it’s very difficult for law enforcement to find such perpetrators.

How do criminals use the dark web?

Given its anonymous nature, the dark web clearly has an obvious appeal for cybercriminals. But just what do they use it for? The most obvious type of internet activity is the buying and selling of black market goods and services, from illegal drugs to illegal content. Cybercriminals may also run scams when selling such items, for example by taking a person’s money and not delivering the required product.

There are dark websites dedicated to the purchase and sale of illegal products or services (usually using untraceable cryptocurrencies like bitcoin) including:

Financial information like cloned credit cards with PIN, credit card details, online bank account logins, and more. People can then use these details to make legitimate purchases, negatively impacting your financial status and ruining your credit score in the process.
Account details for hacked accounts like email accounts, eBay accounts, social media accounts, streaming services, and more. For example, a person may buy a reputable eBay seller’s login details and then use their real account to make fake sales, pocketing the money and ruining the seller’s reputation in the process.
Personal data that can be used to steal someone’s identity, such as their name, address, Social Security number, and more. Identity theft is a serious problem that can negatively impact everything from your credit score to your private medical data.
Illegal services like people claiming to be able to fix credit scores for a fee. Many of these “services” are scams. They may also be law enforcement masquerading as criminals in an attempt to catch people who are up to no good.
Illegal goods like unregistered firearms and drugs. Law enforcement is increasingly cracking down on cybercriminals and the dark web.

Browsers like Tor, an open-source and free software, allow people to access dark websites where these goods are available, like a digital marketplace. These websites may look similar to any other surface or deep website you’d encounter. However, they differ in their domain suffix, ending in “.onion” instead of more obvious options like “.com” (Tor is actually short for The Onion Router, which is also where the term “onion routing” comes from — referring to anonymous communication on the dark web).

Onion sites often use scrambled names that make their URLs difficult to remember, minimizing the odds of being reported to authorities. It’s possible to search the dark web using specialized dark web search engines like Grams or link lists like The Hidden Wiki. However, these sources tend to be slow and unreliable, just like the dark web itself.

Some of this information can be extremely valuable on darknet forums. For example, while a Social Security number might go for $2, email credentials could sell for as much as $120,000. Hackers can make a lot of money and do so with less worry that they might get caught. Thanks to the Tor browser’s layers of encryption and IP scrambling, it’s difficult to track people down on this part of the web.

How to protect yourself online

Again, although the dark web isn’t inherently bad, you should still be proactive in preventing your personal information from falling into the wrong hands. Here are a few ways you can help keep you and your family safe online:

Protect your devices with passwords and antivirus software: One of the first lines of defense is to protect your devices. With passwords, ensure they’re unique and strong across accounts and keep them in one place, like a password manager. It’s also important to have antivirus software installed on your browsing devices to protect them from malware and other threats (you can even take this a step further by using a virtual private network or VPN).
Think before oversharing on social: Social media keeps us connected with our family and friends, but before you click “share,” make sure you’re not revealing any personal information like your home address or something else that could be compromising.
Sign up for a monitoring service: Whether it’s reviewing your credit report or an identity protection plan with 24/7 monitoring, additional trusted eyes on your accounts will help them stay protected.

Get a personalized protection plan today

The dark web might sound scary. The fact is, an everyday internet user like yourself likely won’t have any contact with this level of the internet. That said, it’s still important to take as many precautions as you can to keep your family and your technology safe.

McAfee provides everyday internet users with the tools they need to surf safely and confidently. Our award-winning antivirus software protects against threats like phishing, malware, and ransomware, and we also offer identity protection plans that come with a personalized Protection Score to check the health of your online information. Start browsing with confidence by using McAfee.

The post The Dark Web: A Definitive Guide appeared first on McAfee Blogs.

Read More

What to Do If Your Identity Has Been Stolen

Read Time:9 Minute, 4 Second

We live online these days, sharing everything from vacation pictures to what we eat for breakfast on the internet. The internet is also useful for daily activities, like buying groceries or paying bills.

While it’s convenient to connect with people and complete tasks online, cybercriminals are eager to use the internet to steal financial or personal data for their personal gain — otherwise known as identity theft. This is a criminal act and can affect your credit score in a negative way and cost money to fix. It can also affect employment opportunities since some employers conduct a credit check on top of drug testing and a criminal history check. Identity theft victims may even experience an impact to their mental health as they work to resolve their case.

The good news is that being able to recognize the signs of identity theft means you can act quickly to intervene and minimize any effects in case it happens to you. You can also protect yourself by using preventive measures and engaging in smart online behavior. This article provides essential information about identity theft, giving you the tools you need to become an empowered internet user and live your best life online.

5 steps to take if your identity has been stolen

The internet is a great place to be, but identity thieves hope to catch you off-guard and seek access to your personal information for their benefit. This could include private details like your birth date, bank account information, Social Security number, home address, and more. With data like this, an individual can adopt your identity (or even create a fake identity using pieces of your personal profile) and apply for loans, credit cards, debit cards, and more.

You don’t have to be kept in the dark, though. There are several signs that your identity has been stolen, from a change in your credit score to receiving unfamiliar bills and debt collectors calling about unfamiliar new accounts. If you suspect that you’ve been affected by identity fraud, you can act fast to minimize what happens. Here’s what to do.

File a police report

Start by contacting law enforcement to file a report. Your local police department can issue a formal report, which you may need to get your bank or other financial institution to reverse fraudulent charges. An official report assures the bank that you have been affected by identity fraud and it’s not a scam.

Before going to the police, gather all the relevant information about what happened. This could include the dates and times of fraudulent activity and any account numbers affected. Bringing copies of your bank statements can be useful. Also, make note of any suspicious activity that could be related. For example, was your debit card recently lost or your email hacked? The police will want to know.

Notify the company where the fraud occurred

You should also notify any businesses linked to your identity theft case. Depending on the type of identity theft, this could include banks, credit card companies, medical offices, health insurers, e-commerce stores, and more. For example, if someone used your credit card to make purchases on Amazon, alert the retailer.

Medical identity theft is another good example. In this case, a fraudster may assume your identity to gain access to health care services, such as medical checkups, prescription drugs, or pricey medical devices like wheelchairs. If someone uses your health insurance to get prescription drugs from a pharmacy, for instance, make sure to alert the pharmacy and your insurer.

File a report with the Federal Trade Commission

The Federal Trade Commission (FTC) is a government body that protects consumer interests. You can report identity theft via their portal, IdentityTheft.gov. They’ll then use the details you provide to create a free recovery plan you can use to address the effects of identity theft, like contacting the major credit bureaus or alerting the Internal Revenue Service (IRS) fraud department. You can report your case online or by calling 1-877-438-4338.

Ask credit reporting agencies to issue a fraud alert

A common consequence of identity theft is a dip in the victim’s credit score. For example, a cybercriminal may take out new lines of credit in the victim’s name, accrue credit card debt, and then not pay the balance. For this reason, contacting the credit monitoring bureaus is one of the most important steps to take in identity theft cases.

There are three main agencies: TransUnion, Equifax, and Experian. You can get a free credit report from each agency every 12 months via AnnualCreditReport.com. Check the report and note all fraudulent activity or false information and flag it with the relevant bureau’s fraud department. You should also initiate a fraud alert with each agency.

A fraud alert requires any creditors to verify your identity before opening a new line of credit. This adds an extra layer of security. An initial fraud alert lasts for 90 days. Once this expires, you can prolong your protection via an extended fraud alert, which will remain valid for seven years. You can notify one of the big three bureaus to set it up. They are then required to notify the other two bureaus.

A credit freeze is another smart move, which you can do through each of the three major credit bureaus. You can either call them or start the process online. This prevents people from accessing your credit report. Lenders, creditors, retailers, landlords, and others may want to see your credit as proof of financial stability. For example, if someone tries to open a phone contract under your name, the retailer may check the credit report. If there is a credit freeze in place, they won’t be able to view it and won’t issue the contract. If you need to allow someone access to your credit report, you can temporarily lift the freeze.

Change passwords to all of your accounts

Identity theft is often linked with leaked or hacked passwords. Even if you aren’t sure whether your passwords have been compromised, it’s best to play it safe. Change passwords to any affected accounts. Make sure to use strong passwords with a mix of numbers, letters, and symbols. Further, if there’s a chance to activate two-factor authentication on your accounts, this can provide added protection going forward.

Is it possible to prevent identity theft?

Ideally, you’ll never become the victim of identity theft, but things can happen. Cybercriminals work hard, but you can stay one step ahead by taking a few preventative measures. These include:

Learn how to recognize common scams. ID theft comes in many forms, from email phishing scams to social media snooping, device hacking, and data breaches. Learn the signs of a scam. For example, phishing emails are often poorly written and frequently follow certain formats, like claiming that an account of yours has been suspended.
Activate fraud alerts. Most financial institutions provide alerts about suspected fraudulent transactions, sending you a notification via phone call, text, or email if they notice suspicious activity on your account. The bank may also freeze an account automatically until any potentially unauthorized charges are clarified and confirmed by the account owner.
Protect your devices with strong passwords. Your devices, including your phone, tablet, and laptop, should all be password-protected. In case one of your tech tools is stolen, it will be harder for fraudsters to gain access to your personal data. Set strong passwords with a mix of letters, numbers, and symbols. Make sure they don’t include information a person could figure out easily, like your home address or birthday.
Use different passwords for different accounts. Any online accounts you use, from your banking app to your email, should be password-protected. Follow the same rules for setting strong passwords, but don’t duplicate passwords. If a hacker cracks the code for one account, they can easily guess their way into your other accounts. A password manager can help you stay on top of your passwords by encrypting them and storing them safely for easy tracking. McAfee Identity Protection includes a password manager that can secure your account credentials across devices.
Protect your documents. Protect hard copies of sensitive documents, like your Social Security card and birth certificate, by keeping them locked away. Also, dispose of documents with personal data by shredding them. This ensures that dumpster divers can’t access your information. Documents to shred might include invoices, bank statements, medical records, canceled checks, and junk mail with your name, phone number, and address.
Don’t overshare on social media. Social media is a great way to connect with friends and family, but it can also be a goldmine for identity thieves. Avoid sharing details like your kids’ or pets’ names, which are often used in passwords. Sensitive information, like a home address or birthday, can also be used to build a fake identity. You may want to set your social media accounts to private in addition to limiting what you share.
Review your credit report. You have the right to one free copy of your credit report every 12 months, which you can request via AnnualCreditReport.com. This provides you with a report from each of the three major credit bureaus. Review the report, verifying personal information, account details, and public records (like bankruptcies or liens) to ensure there isn’t anything suspicious.
Follow the news. When major corporations are targeted by hackers, they’re required to alert affected consumers. These breaches are also often reported in the media. To take a more proactive approach, though, check out the McAfee blog, which reports on breaches. If a business you use has been affected, change your passwords.

You can further protect yourself with antivirus software like McAfee’s Total Protection plan. This can help protect your devices against spyware and viruses. You can also enhance your network security with a firewall and virtual private network (VPN). A firewall controls traffic on your internet network based on predefined security parameters, while a VPN hides your IP address and other personal data.

Sign up for a protection plan today

Don’t let concerns about identity fraud keep you from enjoying all the conveniences and perks the internet offers. McAfee’s identity theft protection services can help you stay connected while keeping you safe. Tailor your package to your household’s needs to get the safeguards you want, like ID theft coverage, VPN, and 24/7 monitoring. Our Total Protection plan also comes with $1 million in identity theft coverage to cover qualifying losses and hands-on support to help you reclaim your identity.

With McAfee by your side, you can stay online confidently.

The post What to Do If Your Identity Has Been Stolen appeared first on McAfee Blogs.

Read More

Multiple Vulnerabilities in Adobe Products could allow for Arbitrary Code Execution.

Read Time:44 Second

Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for Arbitrary Code Execution.

Acrobat and Reader is a family of application software and Web services mainly used to create, view, and edit PDF documents.
Illustrator is a vector graphics editor and design program.
Bridge is a digital asset management application.
Adobe InCopy is a professional word processor.
InDesign is an industry-leading layout and page design software for print and digital media.

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Read More

A Vulnerability in Citrix Workspace App for Linux Could Allow for Local Privilege Escalation

Read Time:18 Second

A vulnerability has been discovered in Citrix Workspace App for Linux, a virtual desktop application. Successful exploitation of this vulnerability could allow for local privilege escalation. A privilege escalation enables the attacker to obtain root privileges within the system which will enable them to install programs; view, change, or delete data; or create new accounts with full user rights.

Read More

‘Wormable’ Flaw Leads January 2022 Patch Tuesday

Read Time:3 Minute, 55 Second

Microsoft today released updates to plug nearly 120 security holes in Windows and supported software. Six of the vulnerabilities were publicly detailed already, potentially giving attackers a head start in figuring out how to exploit them in unpatched systems. More concerning, Microsoft warns that one of the flaws fixed this month is “wormable,” meaning no human interaction would be required for an attack to spread from one vulnerable Windows box to another.

Nine of the vulnerabilities fixed in this month’s Patch Tuesday received Microsoft’s “critical” rating, meaning malware or miscreants can exploit them to gain remote access to vulnerable Windows systems through no help from the user.

By all accounts, the most severe flaw addressed today is CVE-2022-21907, a critical, remote code execution flaw in the “HTTP Protocol Stack.” Microsoft says the flaw affects Windows 10 and Windows 11, as well as Server 2019 and Server 2022.

“While this is definitely more server-centric, remember that Windows clients can also run http.sys, so all affected versions are affected by this bug,” said Dustin Childs from Trend Micro’s Zero Day Initiative. “Test and deploy this patch quickly.”

Quickly indeed. In May 2021, Microsoft patched a similarly critical and wormable vulnerability in the HTTP Protocol Stack; less than a week later, computer code made to exploit the flaw was posted online.

Microsoft also fixed three more remote code execution flaws in Exchange Server, a technology that hundreds of thousands of organizations worldwide use to manage their email. Exchange flaws are a major target of malicious hackers. Almost a year ago, hundreds of thousands of Exchange servers worldwide were compromised by malware after attackers started mass-exploiting four zero-day flaws in Exchange.

Microsoft says the limiting factor with these three newly found Exchange flaws is that an attacker would need to be tied to the target’s network somehow to exploit them. But Satnam Narang at Tenable notes Microsoft has labeled all three Exchange flaws as “exploitation more likely.”

“One of the flaws, CVE-2022-21846, was disclosed to Microsoft by the National Security Agency,” Narang said. “Despite the rating, Microsoft notes the attack vector is adjacent, meaning exploitation will require more legwork for an attacker, unlike the ProxyLogon and ProxyShell vulnerabilities which were remotely exploitable.”

Security firm Rapid7 points out that roughly a quarter of the security updates this month address vulnerabilities in Microsoft’s Edge browser via Chromium.

“None of these have yet been seen exploited in the wild, though six were publicly disclosed prior to today,” Rapid7’s Greg Wiseman said. “This includes two Remote Code Execution vulnerabilities affecting open source libraries that are bundled with more recent versions of Windows: CVE-2021-22947, which affects the curl library, and CVE-2021-36976 which affects libarchive.”

Wiseman said slightly less scary than the HTTP Protocol Stack vulnerability is CVE-2022-21840, which affects all supported versions of Office, as well as Sharepoint Server.

“Exploitation would require social engineering to entice a victim to open an attachment or visit a malicious website,” he said. “Thankfully the Windows preview pane is not a vector for this attack.”

Other patches include fixes for .NET Framework, Microsoft Dynamics, Windows Hyper-V, Windows Defender, and the Windows Remote Desktop Protocol (RDP). As usual, the SANS Internet Storm Center has a per-patch breakdown by severity and impact.

Standard disclaimer: Before you update Windows, please make sure you have backed up your system and/or important files. It’s not uncommon for a Windows update package to hose one’s system or prevent it from booting properly, and some updates have been known to erase or corrupt files.

So do yourself a favor and backup before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

If you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a decent chance other readers have experienced the same and may chime in here with useful tips.

Update, Jan. 12, 9:02 a.m.: Apparently some of the updates Microsoft released yesterday — KB5009557 (2019) and KB5009555 (2022) — are causing something to fail on domain controllers, which then keep rebooting every few minutes. That’s according to this growing thread on Reddit (hat tip to @campuscodi).

Read More

Critical Patches Issued for Microsoft Products, January 11, 2022

Read Time:24 Second

Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Read More

Multiple Vulnerabilities in Mozilla Firefox and Thunderbird Could Allow for Arbitrary Code Execution

Read Time:38 Second

Multiple vulnerabilities have been discovered in Mozilla Firefox, Firefox Extended Support Release (ESR), and Thunderbird, the most severe of which could allow for arbitrary code execution.

Mozilla Firefox is a web browser used to access the Internet.
Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations.
Mozilla Thunderbird is an email client.

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Read More

Multiple Vulnerabilities in WordPress Could Allow for SQL Injection

Read Time:29 Second

Multiple vulnerabilities have been discovered in WordPress, the most severe of which could allow for SQL injection. WordPress is an open source content management system (CMS) which assist in the creation and hosting of web applications. Successful exploitation of the most severe of these vulnerabilities could allow for SQL injection. Depending on the privileges associated with the service, an attacker could then read, extract, or write to the backend database. Services which are configured to have fewer rights on the system and the backend database could be less impacted than those who operate with administrative rights.

Read More

News, Advisories and much more

Exit mobile version