Oddbean new post about | logout

Notes by 657d6ebf | export

 ya wanna know whats cool? Cisco and CISA telling you "the Chinese are backdooring your old Cisco routers. They use a magic packet to trigger the backdoor, but fuck it, we're not going to tell you what the trigger packet is." 
 #CyberSecurityAwarenessMonth 

Information stealers have lead to some pretty significant breaches in recent years.

In most cases, once you realize you've been had, its already too late.

Avoiding information stealers is, as always, sticky business. Most of the time they are delivered through Malicious search engine ads, SEO poisoning, phishing e-mails, download links via social media, youtube, etc.

The best advice I can offer is always download software from the official source. An ISO image sent to you in an e-mail isn't an official source. 

If friends send you links to sketchy looking sites, reach out them to make sure they actually sent you that message/attachment.

A lot of information stealers bank on you saving your credentials and session cookies to your browser indefinitely, and are designed to steal not only your passwords, but your session cookies as well. Even if I don't have your password, even if you have two-factor authentication turned on, If I have an active, valid session token, for all intents and purposes I can become you and access everything on your account.

It might be slightly inconvenient, but consider setting your browser to delete your cookies and browser history when the browser windows are closed.

to that effect: shut down your PC when you're not using it. Its not the 90s or early 2000s anymore. Just about every modern PC has an SSD, and will boot in like 10 seconds. 

Use a password manager that is not the integrated one that comes with the browser. I use KeePassXC, since its free and runs on all of the major desktop operating systems, but some others swear by bitwarden. 

If its a company-issued laptop, keep it stowed when not in use, and ensure it is shut down, not on standby/hibernate. You might be tek saavy, but your kid wants 200 vbucks, and the comment on a youtube video told them to download a vbucks generator (totally_legit_not_an_infostealer.exe) to get 200 vbucks for free.

If you suddenly observe a burst of traffic to discord or telegram and you or others in your household don't use either of those services, you need to find out why. There are a lot of infostealers that use both services to upload stolen data.

good luck 
 Other good advice I've seen offered: Use Adblockers

There are a lot of people out there who are trying to guilt you into accepting ads in order to deliver you content. That its their business model, and how you get things for free.

But then you tell them how its their ad delivery networks that are delivering malware and fake updates then they just shrug. The fact is, if you end up the victim of an infostealer, or ransomware, or whatever, that they won't care, help you, or say sorry. Use adblocking software.

uBlock origin is considered the most trustworthy adblocking software on the planet, and it works for firefox, and chrome-based browsers (yes, that includes microsoft edge): https://ublockorigin.com/

You might want to access the Filter Lists settings and enable some of the other filters as well -- such as annoyances, malware protection, and multi-purpose categories. I generally enable everything except the international options. 
 Ayy, Proofpoint published the blog on ZenRAT.

https://www.proofpoint.com/us/blog/threat-insight/zenrat-malware-brings-more-chaos-calm

Big thanks to @8e8df11a for her steadfast guidance, our reverse engineers for putting in the work to tell us more about this RAT's capabilities, and everyone else responsible for getting this work published.

I can't forget to say thanks to @1261d7a8 as well for his collaboration on this endeavor. 
 @2232cabb FYI, I do Snort/Suricata rules at Emerging Threats. I can promise you that I'll be submitting DNS rules for the domain. they'll be present in today's rule releases for Snort 2.9, Suricata4, and Suricata5+

Just want you to know I saw it, and I'm doing what I can.