September 21, 2020

A real-life Maze ransomware attack – “If at first you don’t succeed…”

By Paul Ducklin

You’ve probably heard terms like “spray-and-pray” and “fire-and-forget” applied to cybercriminality, especially if your involvement in cybersecurity goes back to the early days of spamming and scamming.

Those phrases recognize that sending unsolicited email is annoyingly cheap and easy for cybercrooks, who generally don’t bother running servers of their own – they often just rent email bandwidth from other crooks.

And those crooks, in turn, don’t bother running servers of their own – they just use bots, or zombie malware, implanted on the computers of unsuspecting users to send email for them.

Six years ago, when home networks were generally a lot slower than they are today, SophosLabs researchers measured a real-life bot sending more than 5 million emails a week from a single consumer ADSL connection, distributing 11 different malware campaigns as well as links to nearly 4000 different fake domains that redirected via 58 different hacked servers to peddle phoney pharmaceutical products. Best, or worst, of all – because outbound emails are mostly uploaded network packets – the bot barely affected the usability of the connection, making it unlikely that the legitimate user of the ADSL account would notice from traffic alone.

The theory was simple: the cost of failure was so low that the crooks could pretty much dial-a-yield by setting their spamming rates as high as needed to suit the campaign they were running.

So the “spray-and-pray” equation was simple: to get 100 people interested with a click-rate of one in a million, the crooks had to send 100 million emails.

And with a zombie network capable of sending more than 5 million emails per computer per week, you could spam out those 100 million emails in the course of a single hour with a 3000-strong botnet.

(Some notorious zombie networks have given their botmasters remote control over hundreds of thousands or millions of devices at the same time.)

What has all this got to do with contemporary targeted ransomware like Maze?


Zerologon – hacking Windows servers with a bunch of zeros

By Paul Ducklin

The big, bad bug of the week is called Zerologon.

As you can probably tell from the name, it involves Windows – everyone else talks about logging in, but on Windows you’ve always very definitely logged on – and it is an authentication bypass, because it lets an attacker log on to a domain controller’s Netlogon service by sending nothing but zeros, and then reset the domain controller’s own computer account password to an empty one.

You’ll also see it referred to as CVE-2020-1472, and the good news is that it was patched in Microsoft’s August 2020 update.

In other words, if you practice proper patching, you don’t need to panic. (Yes, that’s an undisguised hint: if you haven’t patched your Windows servers yet from back in August 2020, please go and do so now, for everyone’s sake, not just your own.)

Nevertheless, Zerologon is a fascinating story that reminds us all of two very important lessons, namely that:

  1. Cryptography is hard to get right.
  2. Cryptographic blunders can take years to spot.

The gory details of the bug weren’t disclosed by Microsoft back in August 2020, but researchers at Dutch cybersecurity company Secura dug into the affected Windows component, Netlogon, and figured out a bunch of serious cryptographic holes in the unpatched version, and how to exploit them.

In this article, we aren’t going to construct an attack or show you how to create network packets to exploit the flaw, but we are going to look at the cryptographic problems that lay unnoticed in the Microsoft Netlogon Remote Protocol for many years.

After all, those who cannot remember history are condemned to repeat it.
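As an added illustration of the cryptographic problem (this is not code from the original article, nor Secura’s or Microsoft’s code): the core flaw Secura documented was that Netlogon computed its 8-byte credentials with AES-128 in CFB8 mode using a fixed, all-zero IV. The Go program below reimplements CFB8 on top of the standard library’s AES and shows why that matters. If the first keystream byte, AES(key, 0^16)[0], happens to be zero, which is the case for roughly 1 key in 256, then the shift register never leaves the all-zero state and an all-zero challenge encrypts to an all-zero credential, so an attacker who controls the challenge simply retries until the server accepts it. The function names (aesCFB8, credential, findZeroCredentialKey, rateWithIV) are my own and model only that one cryptographic step, not the full Netlogon exchange; no network packets are built and nothing talks to a server.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// aesCFB8 encrypts plaintext with AES in CFB8 mode, the mode MS-NRPC uses for
// Netlogon credentials. The 16-byte shift register starts out as the IV. For
// each plaintext byte we encrypt the register, XOR the first keystream byte
// into the plaintext byte, and shift the ciphertext byte into the register.
func aesCFB8(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	reg := make([]byte, block.BlockSize())
	copy(reg, iv)
	ks := make([]byte, block.BlockSize())
	out := make([]byte, len(plaintext))
	for i, p := range plaintext {
		block.Encrypt(ks, reg)
		out[i] = p ^ ks[0]
		copy(reg, reg[1:])
		reg[len(reg)-1] = out[i]
	}
	return out, nil
}

// zeroIV is the fixed all-zero IV the Netlogon credential computation used.
var zeroIV = make([]byte, 16)

// credential models the flawed step (an assumption of this example, not the
// whole protocol): the 8-byte challenge is encrypted under the session key
// with the fixed all-zero IV.
func credential(sessionKey, challenge []byte) []byte {
	out, err := aesCFB8(sessionKey, zeroIV, challenge)
	if err != nil {
		panic(err)
	}
	return out
}

func allZero(b []byte) bool {
	return bytes.Equal(b, make([]byte, len(b)))
}

// findZeroCredentialKey walks deterministic session keys (a counter in the
// last 8 bytes) until one turns the all-zero challenge into an all-zero
// credential, returning that key and how many tries it took. About 1 key in
// 256 qualifies: the only requirement is that AES(key, 0^16)[0] == 0, and
// once that first byte is zero the register stays all zeros forever.
func findZeroCredentialKey(maxTries int) ([]byte, int) {
	challenge := make([]byte, 8)
	for i := 1; i <= maxTries; i++ {
		key := make([]byte, 16)
		binary.BigEndian.PutUint64(key[8:], uint64(i))
		if allZero(credential(key, challenge)) {
			return key, i
		}
	}
	return nil, 0
}

// rateWithIV counts, over n random session keys, how often the all-zero
// 8-byte challenge encrypts to an all-zero credential under the given IV.
// With the zero IV the count lands near n/256; with any other IV the chance
// per key is about 2^-64, so the count is effectively always zero.
func rateWithIV(n int, iv []byte) int {
	hits := 0
	challenge := make([]byte, 8)
	key := make([]byte, 16)
	for i := 0; i < n; i++ {
		if _, err := rand.Read(key); err != nil {
			panic(err)
		}
		out, _ := aesCFB8(key, iv, challenge)
		if allZero(out) {
			hits++
		}
	}
	return hits
}

func main() {
	key, tries := findZeroCredentialKey(100000)
	fmt.Printf("session key %x yields an all-zero credential after %d tries\n", key, tries)
	n := 20000
	fmt.Printf("zero IV:   %d of %d random keys hit (expect about %d)\n", rateWithIV(n, zeroIV), n, n/256)
	randomIV := make([]byte, 16)
	if _, err := rand.Read(randomIV); err != nil {
		panic(err)
	}
	fmt.Printf("random IV: %d of %d random keys hit\n", rateWithIV(n, randomIV), n)
}
```

Run it with `go run` and it prints the first counter-derived key that zeroes the credential, a zero-IV hit rate close to n/256, and no hits at all for a random IV. The comparison is the lesson: CFB8 itself is fine, but a fixed IV combined with an attacker-chosen plaintext collapses a 64-bit credential into a 1-in-256 guess.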


Serious Security: Hacking Windows passwords via your wallpaper

By Paul Ducklin

Our cybersecurity antennae always start vibrating when we see warnings about attacks that involve a new type of file.

We’re sure you have the same sort of reaction.

After all, if a file type that you’ve treated for years as mostly harmless suddenly turns out to be possibly very dangerous, you’re faced with a double dilemma:

  • How long will it take to unlearn an ingrained habit of trusting those files?
  • How long will the crooks take to start abusing this new-found knowledge?

We’re all aware of the risks posed by unknown EXE files, for example, because EXE is the extension for native Windows programs – even the operating system itself is implemented as a collection of EXEs.

Most of us also know to be wary of DLLs, which are actually just a special type of EXE file with a different extension to denote that they’re usually used in combination with other programs, rather than loaded on their own.

We’ve learned to be wary of DOCs and DOCMs and all the other Office filetypes, too, because many of them can include embedded programs called macros.

We’re also aware of a range of risky script files such as JS (for JavaScript), VBS (Visual Basic Script), PS1 (PowerShell) and many others that are plain old text files to the untrained eye, but are run as a series of commands when Windows hands them to the relevant script host.


Fake web alerts – how to spot and stop them

By Sean Gallagher

Internet scammers are always looking for a better way to separate unwitting device users from their money. And as with all other endeavors, they’ve learned that it pays to advertise.

At SophosLabs we recently researched a collection of scams that exploit web advertising networks to pop up fake system alerts on both computers and mobile devices. The goal: to frighten people into paying for a solution—to a problem they don’t even have.

It’s not exactly a new trick. “Scareware” pop-ups have been used for years to prompt people into downloading fake virus protection and other malicious software, including ransomware.

But the latest variations find other ways to cash in on fake alerts: using them as the entry point to technical support scams or prompting their victims to purchase fraudulent apps or “fleeceware” off a mobile app store.

Browser developers have done a lot to limit the damage that can be done by malicious pop-up sites, including recent fixes by Mozilla that attempt to limit the ability of malicious web pages to slow down and lock up the Firefox web browser.

But even if the scammers don’t lock up your web browser, they can make it appear that something has gone terribly wrong—and that you need to do something immediately about it.



Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.

Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC. We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, and commercial and residential networks, whether hardwired or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation