The Privacy Sandbox for Android is a set of technologies Google introduced in February this year, aiming to limit the tracking of users while still providing advertisers with viable performance-measurement options.

Since then, Google has debated various design proposals with app developers and marketers, refining the system and readying its components for tentative deployment.

"Beginning early next year, we plan to roll out the initial Privacy Sandbox Beta to Android 13 mobile devices so that developers can take the next steps in testing these new solutions," mentions today's press release.

"We'll start with a small percentage of devices and increase over time."

"Note that Developer Previews will continue to be released, and this is where we'll first deliver the latest features for early feedback before being released on production devices."

App developers are invited to enroll to access the system's APIs and work on their integrations from early on while simultaneously helping Google in the next testing phase.

The Privacy Sandbox SDK Runtime testing will be more limited, so this will continue to be in closed beta.

Those interested in participating and prepared to dedicate significant resources to testing can declare it here.

Privacy Sandbox for Android

Privacy Sandbox for Android replaces cross-app identifiers and covert tracking with API systems like "Attribution Reporting", "Topics", and "FLEDGE."

The Topics API works as a classifier model that infers user interests from app usage and informs advertisers accordingly.

The user interests are computed weekly from on-device information, and the top 5 topics are selected from a list of thousands.

FLEDGE is another Privacy Sandbox subsystem encompassing the Ad Selection and Custom Audience APIs.

Ad Selection provides advertisers information about which ads performed well on a given device, allowing them to render the right one, while the latter offers publishers the option to designate target audiences based on interests.

Flow chart of Custom Audience and Ad Selection (Google)

 

All these APIs combined replace advertising IDs that have been used on Android for many years and can also be used for tracking users.

The SDK Runtime will isolate third-party advertising code, so the apps will no longer include it in their code. They will not have access to user interest indicators and other marketing-related data.

DuckDuckGo has criticized Privacy Sandbox as a pretentious system that merely introduces new names for what is essentially indirect user tracking.

Additionally, Brave has stated that Privacy System achieves modest privacy improvements at the expense of user choice while also imposing Google centralization.

Despite these voices, Google is moving forward with its plan to introduce the new system across all its products, including Chrome and Android.

At the same time, the tech giant promises to continue taking concerns and feedback into account, to address problems with targeted intervention.

The attackers (self-dubbed Team Montesano) are sending emails with “Your website, databases and emails has been hacked” subjects.

The emails appear to be non-targeted, with ransom demand recipients from all verticals, including personal bloggers, government agencies, and large corporations.

The scam is so widespread that our own reporter Ax Sharma and Have I Been Breached created Troy Hunt have also received these extortion attempts.

The spam messages warn that the hackers will leak stolen data, damage their reputation, and get the site blacklisted for spam if the targets don’t make a payment of $2,500.

Website reputation extortion email (Ax Sharma)

 

The full extortion message can be read below:

From extortion emails seen by BleepingComputer, the threat actors are currently using two bitcoin addresses.

• 3Fyjqj5WutzSVJ8DnKrLgZFEAxVz6Pddn7
• 3PmYSqtG5x5bGNrsYUy5DGtu93qNtsaPRH

nfortunately, the bitcoin transactions to the wallet 3Fyjqj5WutzSVJ8DnKrLgZFEAxVz6Pddn7 indicate that someone may have paid the extortion demand already.

Even though these emails can be scary to those website owners who receive them, it is important to remember that they are just scams.

They are being mass-emailed to many people and are just trying to scare people into making a payment. Instead, just mark them as spam and delete them.

Also, always search for the Bitcoin address embedded in the blackmail email you receive on the Bitcoin Abuse Database to find any reports of fraudsters actively using them.

Since the summer of 2018, when BleepingComputer started reporting on these scams, threat actors have been behind a wide assortment of email extortion scams.

The list includes scams that pretend to be bomb threats, hitman contracts, CIA investigations, threats of installing ransomware, as well ones containing threats to infect the targets' families with the SARS-CoV-2 virus.

Source

Whoosh is Russia's leading urban mobility service platform, operating in 40 cities with over 75,000 scooters.

On Friday, a threat actor began selling the stolen data on a hacking forum, which allegedly contains promotion codes that can be used to access the service for free, as well as partial user identification and payment card data.

The company confirmed the cyberattack via statements on Russian media earlier this month but claimed that its IT experts had managed to thwart it successfully.

In a new statement shared with RIA Novosti today, Whoosh admits that there is a data leak and informs its user base they are working with law enforcement authorities to take all measures to stop the distribution of the data.

"The leak did not affect sensitive user data, such as account access, transaction information, or travel details," stated a Whoosh spokesperson.

"Our security procedures also exclude the possibility of third parties gaining access to full payment data of users' bank cards."

What's for sale

On Friday, a user on the 'Breached' hacking forums posted a database containing details about 7.2 millionWhoosh customers, including email addresses, phone numbers, and first names.

Sale of Woosh data on Breached forums (BleepingComputer)

 

The database also contained partial payment card details for a subset of 1,900,000 users.

The seller also claimed that the stolen data included 3,000,000 promo codes, which people can use to rent Whoosh scooters without paying.

The seller says they are selling the data to only five buyers for $4,200 each, or .21490980 bitcoins, and according to the SatoshiDisk platform used for the transaction, no one has yet to purchase the database.

SatoshiDisk sale stats (BleepingComputer)

 

In a separate sale of the data on Telegram, the threat actor claims it was stolen during a November 2022 attack on Whoosh.

Russian database leaks

According to an August 2022 report from Roskomnadzor, Russia's internet watchdog, there were 40 confirmed Russian company data breaches since the beginning of the year.

In September 2022, Group-IB published a report claiming to have observed 140 database sales stolen from Russian companies this summer alone, with the total number of exposed records reaching 304 million.

The most notable leak, in terms of its impact this year, was that of the food delivery app Yandex Food, which led to multiple collateral data exposures.

Source

Under the new rules, Ofcom will require all telephone networks to identify and block spoofed calls where technically feasible. It said that phone companies should ensure numbers meet the UK’s 10- or 11-digit format, they should block calls from numbers that are on Ofcom’s Do Not Originate list, and calls from abroad that spoof UK caller IDs should also be blocked.

TalkTalk has implemented these new rules voluntarily, and it has seen a 65% decrease in the number of scam call complaints from customers. Other phone companies that aren’t in compliance will have six months to make the necessary changes, the rules will start to be enforced from May 2023. Unfortunately, Ofcom has not provided details about the fines it will slap on companies that fail to implement the new guidelines.

While the move should make things better for people, individuals can take action against spam calls right now from their phone. In iOS 13 or later, you can silence unknown callers, so you’re not interrupted, the Phone app for Android has similar protections.

UK phone companies will have to identify and block spoofed calls

The settlement shows that the U.S. attorneys general discovered while investigating a 2018 Associated Press article that the search giant misled Android users and tracked their locations since at least 2014 even when they thought location tracking was disabled.

While Android users were misled into thinking disabling the "Location History" in the device's settings would disable location tracking, another account setting—turned on by default and named "Web & App Activity"—enabled the company to collect, store and use the customers' personally identifiable location data.

Today's settlement also requires Google to introduce more user-friendly account controls and limits the company's use and storage of some types of location data.

Google will also have to be transparent with its users regarding its location data tracking and collection practices, having to show additional information when location-related account settings are toggled and display detailed info about what data it harvests and how it's used.

"The company's online reach enables it to target consumers without the consumer's knowledge or permission," Michigan Attorney General Dana Nessel said on Monday.

"However, the transparency requirements of this settlement will ensure that Google not only makes users aware of how their location data is being used, but also how to change their account settings if they wish to disable location-related account settings, delete the data collected and set data retention limits."

The Australian Competition and Consumer Commission (ACCC) also announced in August that it fined Google $60 million for also misleading and collecting location data belonging to Australian Android users for almost two years, between January 2017 and December 2018, using the same approach.

As the ACCC revealed, Google has taken remedial steps to address the issues that led to these fines by 20 December 2018, with users no longer being shown misleading information suggesting that pausing location history stops collecting data about their location.

In January 2022, France's National Commission on Informatics and Liberty (CNIL) also fined Google $170 million for infringing on the freedom of consent of internet users by making it difficult to reject website tracking cookies with the option being hidden behind multiple clicks.

The company was also fined $11.3 million for aggressive data collection in November 2021, €220 million for favoring its services to the disadvantage of competitors in June 2021, $1.7 billion for anti-competitive practices in online advertising in March 2019, and $2.72 billion for abusing its dominant market position to tweak search results in June 2017.

The most recent attacks were observed since at least March but the actor has been operating stealthily for more than a decade and it is believed to be a state-sponsored group working for China.

Its operations have been documented by multiple cybersecurity companies over the past six years [1, 2, 3].

Security researchers at Symantec say in a report today that Billbug, who they've been tracking since 2018, also targeted a certificate authority company, which would have allowed them to deploy signed malware to make it more difficult to detect or to decrypt HTTPS traffic.

New campaign, old tools

Symantec hasn’t determined how Billbug gains initial access to the target networks but they have seen evidence of this happening by exploiting public-facing apps with known vulnerabilities.

Like in previous campaigns attributed to Billbug, the actor combines tools that are already present on the target system, publicly available utilities, and custom malware. Among them are:

• AdFind
• Winmail
• WinRAR
• Ping
• Tracert
• Route
• NBTscan
• Certutil
• Port Scanner

These tools help hackers blend with innocuous daily activity, avoid suspicious log traces or raising alarms on security tools, and generally make attribution efforts harder.

A more rarely deployed open-source tool seen in recent Billbug operations is Stowaway, a Go-based multi-level proxy tool that helps pentesters bypass network access restrictions.

Symantec was able to pin the recent attacks to Billbug because the threat actor used two custom backdoors seen in some of their previous operations: Hannotog and Sagerunex.

Some functionalities of the Hannotog backdoor include changing firewall settings to enable all traffic, establish persistence on the compromised machine, upload encrypted data, run CMD commands, and download files to the device.

Hannotog changing firewall configuration (Symantec)

 

Sagerunex is dropped by Hannotog and injects itself in an “explorer.exe” process. It then writes logs on a local temp file encrypted using the AES algorithm (256-bit).

Sagerunex's encryption algorithm (Symantec)

 

The backdoor’s configuration and state are also stored locally and encrypted with RC4, with the keys for both being hardcoded into the malware.

Sagerunex connects to the command and command server via HTTPS to send a list of active proxies and files, and receives payloads and shell commands from the operators. Moreover, it can execute programs and DLLs using “runexe” and “rundll.”

Billbug continues to use the same custom backdoors with minimal changes over the past years.

Source

A Russian company offering data processing services for apps has deceived many international companies by presenting itself as a US entity.

The company is called Pushwoosh Inc., and its Russian origins were uncovered by Reuters.

A quick check of Pushwoosh's social media channels reveal a company claiming to be located in Washington, D.C. on Twitter, and Maryland on Facebook and LinkedIn. On the company's YouTube channel it boasts of 80,000 clients including Unilever, Deloitte, Coca-Cola, McDonald's, FIBA, Sport1, and SPAR.

US regulatory filings by the company don't mention Russia, this includes eight annual filings made in Delaware. It has also been confirmed that Pushwoosh's founder, Max Konev, is using the email address of a friend based in Maryland to handle business correspondance.

In reality, Pushwoosh is a Russian company with headquarters in Novosibirsk, Siberia. It employs around 40 people and revenue last year amounted to roughly $2.4 million. It's also registered to pay taxes to the Russian government, and is therefore subject to the same rules as other Russian companies—notably the sharing of user data with the Russian government upon request.

Most worrying of all is the company's association with US government agencies. A US Army app used as an informational portal at the National Training Center by troops contained Pushwoosh code, but was removed due to "security issues" earlier this year. The Centers for Disease Control and Prevention (CDC) admitted it thought Pushwoosh was a US company and has now removed the company's code from multiple public-facing apps. Others, including UEFA and Unilever, relied on third parties to create apps for them which ended up containing Pushwoosh code.

Legal experts talking to Reuters believe Pushwoosh could be violating FTC laws and this discovery may trigger sanctions. That would have a huge impact not only on the company, but the 8,000 apps its code is embedded in across Google Play and the iOS App Store.

Konev is claiming his company "has no connection with the Russian government of any kind" and that all data is stored in either the US or Germany. Currently there is no clear evidence the stored data is being shared with Russia, but that doesn't mean Pushwoosh couldn't be compelled to share by its government.

Source

How North Korea became a mastermind of crypto cybercrime

There will be no separate option to enable the Total Cookie Protection in Firefox for Android as it's going to be part of the Enhanced Tracking Protection setting. You'll just need to switch to the Custom or Strict setting from the Standard protection mode. The feature is designed to discourage tracking companies from using cookies to track your browsing preferences.

In 2015, the company rolled out an important anti-tracking measure called Tracking Protection, a feature that let people turn on protection by going into Private Browsing mode. Later in 2019, it added Enhanced Tracking Protection to actively protect users rather than expect them to protect themselves.

Proceeding in the same direction, the company has now enabled it for Android users. The feature mainly works by creating a separate ‘cookie jar’ for each website you visit. So, instead of allowing trackers to link up your behavior on multiple sites, they just get to see behavior on individual sites.

That way, no other websites can access the cookie jars that are not assigned to it and find out what information other websites’ cookie jars have about you. This lessens the burden of invasive ads and the amount of information companies collect about you. You get all the necessary protections against tracking without compromising your mobile browsing experience.

Source: Mozilla Support via Ghacks| Image: Mozilla Blog.

Mozilla enables Total Cookie Protection Firefox feature for Android by default

• Google agreed to a $391.5 million settlement with 40 states over location tracking, Oregon Attorney General Ellen Rosenblum announced Monday.

• The settlement was led by Rosenblum and Nebraska Attorney General Doug Peterson along with 38 other state attorneys general.

Google agreed to a $391.5 million settlement with 40 states over its use of location tracking, Oregon Attorney General Ellen Rosenblum announced Monday.

Even when users thought they’d turned off location tracking in their account settings, Google continued to collect information regarding their whereabouts, Oregon’s AG office said. The settlement requires Google to be more transparent with users and provide clearer location tracking disclosures beginning in 2023.

Rosenblum led the settlement along with Nebraska Attorney General Doug Peterson. It’s the largest consumer privacy settlement ever led by a group of attorneys general, according to the release.

“Consistent with improvements we’ve made in recent years, we have settled this investigation which was based on outdated product policies that we changed years ago,” said Google spokesperson José Castañeda in a statement.

A 2018 report from the Associated Press revealed the basis of the investigation.

“For years Google has prioritized profit over their users’ privacy,” Rosenblum said in the release. “They have been crafty and deceptive. Consumers thought they had turned off their location tracking features on Google, but the company continued to secretly record their movements and use that information for advertisers.”

Google settled a similar lawsuit with Arizona for $85 million last month, and the company faces additional location tracking lawsuits in Washington, D.C., Indiana, Texas and Washington state. The four AGs allege Google was using the location data for its ad business. The lawsuits ask the court to require Google to offload any algorithms created with the allegedly ill-gotten gains, alongside monetary profits.

Source

The big news is the arrest of a Russian LockBit member in Canada, who is said to be responsible for making ransom demands between €5 to €70 million.

Over the past few weeks, a threat actor has been trolling victims by distributing the Azov Ransomware and blaming its creation on cybersecurity researchers and journalists.

Unfortunately, this ransomware was later confirmed to be a data wiper that overwrites alternating '666' bytes of data with garbage, making it impossible to recover data.

Other reports have linked the Black Basta ransomware to FIN7 (Carbanak), warned that Venus ransomware is targeting healthcare, linked the Russian Sandworm hackers with Ukrainian ransomware attacks, and detailed how a threat actor is distributing LockBit through the Amdey botnet.

Finally, we learned more about ransomware attacks this week, with a REvil-linked gang claiming responsibility for Medibank, LockBit hitting the Continental automotive giant, and Black Basta behind Sobeys' business disruptions.

Contributors and those who provided new ransomware information and stories this week include @jorntvdw, @DanielGallagher, @Seifreed, @LawrenceAbrams, @struppigel, @malwareforme, @demonslay335, @Ionut_Ilascu, @fwosar, @FourOctets, @VK_Intel, @malwrhunterteam, @serghei, @PolarToffee, @BleepinComputer, @billtoulas, @LabsSentinel, @vinopaljiri, @_CPResearch_, @ahnlab. @jgreigj, @MsftSecIntel, and @pcrisk.

October 30th 2022

New Azov data wiper tries to frame researchers and BleepingComputer

A new and destructive 'Azov Ransomware' data wiper is being heavily distributed through pirated software, key generators, and adware bundles, trying to frame well-known security researchers by claiming they are behind the attack.

November 3rd 2022

Black Basta ransomware gang linked to the FIN7 hacking group

Security researchers at Sentinel Labs have uncovered evidence that links the Black Basta ransomware gang to the financially motivated hacking group FIN7, also known as "Carbanak."

LockBit ransomware claims attack on Continental automotive giant

The LockBit ransomware gang has claimed responsibility for a cyberattack against the German multinational automotive group Continental.

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .bozq and .bowd extensions.

New Anon ransomware

PCrisk found a new 'Anon_by Ransomware' that appends the .anon_by and drops a ransom note named anon_by.txt.

November 4th 2022

New inlock ransomware

PCrisk found a new ransomware that appends the .inlock extension and drops a ransom note named READ_IT.txt.

November 7th 2022

Azov Ransomware is a wiper, destroying data 666 bytes at a time

The Azov Ransomware continues to be heavily distributed worldwide, now proven to be a data wiper that intentionally destroys victims' data and infects other programs.

Ransomware gang threatens to release stolen Medibank data

A ransomware gang that some believe is a relaunch of REvil and others track as BlogXX has claimed responsibility for last month's ransomware attack against Australian health insurance provider Medibank Private Limited.

New Dharma Ransomware variant

PCrisk found a new Dharma ransomware variant that appends the .bDAT extension.

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .zate and .zatp extensions.

New Xorist variant

PCrisk found a new Xorist variant that appends the .CrySpheRe extension and drops a ransom note named КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt.

November 8th 2022

LockBit affiliate uses Amadey Bot malware to deploy ransomware

A LockBit 3.0 ransomware affiliate is using phishing emails that install the Amadey Bot to take control of a device and encrypt devices.

November 9th 2022

Medibank warns customers their data was leaked by ransomware gang

Australian health insurance giant Medibank has warned customers that the ransomware group behind last month's breach has started to leak data stolen from its systems.

November 10th 2022

Russian LockBit ransomware operator arrested in Canada

Europol has announced today the arrest of a Russian national linked to LockBit ransomware attacks targeting critical infrastructure organizations and high-profile companies worldwide.

Russian military hackers linked to ransomware attacks in Ukraine

A series of attacks targeting transportation and logistics organizations in Ukraine and Poland with Prestige ransomware since October have been linked to an elite Russian military cyberespionage group.

U.S. Health Dept warns of Venus ransomware targeting healthcare orgs

The U.S. Department of Health and Human Services (HHS) warned today that Venus ransomware attacks also target the country's healthcare organizations.

Popular UK motor racing circuit investigating a ransomware attack

One of the most popular motor racing circuits in the United Kingdom is investigating a ransomware attack after a gang added it to its list of victims this week.

November 11th 2022

Canadian food retail giant Sobeys hit by Black Basta ransomware

Grocery stores and pharmacies belonging to Canadian food retail giant Sobeys have been experiencing IT systems issues since last weekend.

That's it for this week! Hope everyone has a nice weekend!

The Week in Ransomware - November 11th 2022 - LockBit feeling the heat

Exploiting the vulnerability to bypass the lock screen on Android phones is a simple five-step process that wouldn't take more than a few minutes.

Google has fixed the security issue on the latest Android update released last week, but it has remained available for exploitation for at least six months.

Accidental finding

Schütz says he discovered the flaw by accident after his Pixel 6 ran out of battery, entered his PIN wrong three times, and recovered the locked SIM card using the PUK (Personal Unblocking Key) code.

To his surprise, after unlocking the SIM and selecting a new PIN, the device didn't ask for the lock screen password but only requested a fingerprint scan.

Android devices always request a lock screen password or pattern upon reboot for security reasons, so going straight to fingerprint unlock wasn't normal.

The researcher continued experimenting, and when he tried reproducing the flaw without rebooting the device and starting from an unlocked state, he figured it was possible to bypass the fingerprint prompt, too, going straight to the home screen.

The impact of this security vulnerability is quite broad, affecting all devices running Android versions 10, 11, 12, and 13 that haven't updated to November 2022 patch level.

Physical access to a device is a strong prerequisite. However, the flaw still carries severe implications for people with abusive spouses, those under law enforcement investigations, owners of stolen devices, etc.

The attacker can simply use their own SIM card on the target device, disable biometric authentication (if locked), enter the wrong PIN three times, provide the PUK number, and access the victim's device without restrictions.

Google's patching

The issue is caused by the keyguard being wrongfully dismissed after a SIM PUK unlock due to a conflict in the dismiss calls impacting the stack of security screens that run under the dialog.

When Schütz entered the correct PUK number, a “dismiss” function was called twice, once by a background component that monitors the SIM state, and once by the PUK component.

This caused not only the PUK security screen to be dismissed but also the next security screen in the stack, which is the keyguard, followed by whatever screen was next queued in the stack.

If there's no other security screen, the user would directly access the home screen.

Schütz reported the flaw to Google in June 2022, and although the tech giant acknowledged the reception and assigned a CVE ID of CVE-2022-20465, they didn’t release a fix until November 7, 2022.

Google’s solution is to include a new parameter for the security method used in every “dismiss” call so that the calls dismiss specific types of security screens and not just the next one in the stack.

In the end, although Schütz's report was a duplicate, Google made an exception and awarded the researcher $70,000 for his finding.

Users of Android 10, 11, 12, and 13 can patch this flaw by applying the November 7, 2022, security update.

Giving a short press conference without taking questions, AFP Commissioner Reece Kershaw said the force was “undertaking covert measures and working around the clock with our domestic agencies and our international networks, including INTERPOL,” as part of its investigation.

“This is important because we believe that those responsible for the breach are in Russia,” Kershaw said, explaining that the AFP’s “intelligence points to a group of loosely affiliated cyber criminals, who are likely responsible for past significant breaches in countries across the world.”

Australian Prime Minister Anthony Albanese, who has confirmed that he himself is a Medibank customer, said he had authorized the AFP to confirm where the cybercriminals were based.

“We know where they’re coming from, we know who is responsible, and we say that they should be held to account,” said Albanese, adding: “The nation where these attacks are coming from should also be held accountable for the disgusting attacks and the release of information — including very private and personal information.”

Medibank, which is one of Australia’s largest health insurance providers, stated last week that it would not be making a ransom payment after hackers gained access to the data of 9.7 million current and former customers, including 1.8 million international customers living abroad.

All of the data which the criminals accessed “could have been taken,” the company said. This includes sensitive healthcare claims data for around 480,000 individuals, including information about drug addiction treatments and abortions.

Specialist investigators under the name Operation Guardian are “scouring the internet and dark web to identify people who are accessing this personal information and trying to profit from it,” said the commissioner.

At the time of Medibank’s announcement regarding the ransom payment, Clare O’Neil, the Australian minister for home affairs and cybersecurity, welcomed the company’s decision to not pay as “consistent with Australian government advice” and warned that doing so would directly undermine the country’s security.

It is not clear which ransomware group attempted to extort Medibank, although the company has now been listed on the extortion site formerly operated by REvil. It is not known who the current operators are.

In January, Russian officials with the Federal Security Service conducted 25 raids on homes owned by 14 members suspected to be part of the REvil team across Moscow, St. Petersburg, Leningrad, and the Lipetsk regions. Eight people allegedly involved in the ransomware gang were later hit with charges by a court in Moscow.

However researchers observed the gang’s leak site appeared to become operational again in May. Digital Shadows Senior Cyber Threat Intelligence Analyst Chris Morgan tied the group’s return to a dispute between officials in Russia and the U.S., who officially closed off a channel of communication dedicated to cybersecurity issues following the Russian invasion of Ukraine.

On Friday, the AFP’s Kershaw said: “We believe we know which individuals are responsible but I will not be naming them. What I will say is that we will be holding talks with Russian law enforcement about these individuals.”

Kershaw stressed that Russia “benefits from the intelligence-sharing and data shared through INTERPOL, and with that comes responsibilities and accountability.”

He said that the AFP was leading the investigation under the name Operation Pallidus and explained the ransomware ecyosystem’s business model: “These cyber criminals are operating like a business with affiliates and associates, who are supporting the business,” said Kershaw, adding that “some affiliates may be in other countries.”

The commissioner declined to take questions, saying he wanted to provide as much information as he could “without putting at risk the criminal investigation.”

“I know Australians are angry, distressed and seeking answers about the highly-sensitive and deeply personal information that is being released,” he added.

“This is a crime that has the potential to impact on millions of Australians and damage a significant Australian business,” he said, describing the cyberattack as “an unacceptable attack on Australia… [deserving] a response that matches the malicious and far-reaching consequences that this crime is causing.”

He said he had a direct message to the criminals: “We know who you are, and moreover, the AFP has some significant runs on the scoreboard when it comes to bringing overseas offenders back to Australia to face the justice system.”

Source

According to a new AhnLab report, the threat actor targets companies using phishing emails with lures pretending to be job application offers or copyright infringement notices.

The LockBit 3.0 payload used in this attack is downloaded as an obfuscated PowerShell script or executable form, running on the host to encrypt files.

Amadey Bot activity

The Amadey Bot malware is an old strain capable of performing system reconnaissance, data exfiltration, and payload loading.

Korean researchers at AhnLab have noticed increased Amadey Bot activity in 2022 and reported finding a new version of the malware in July, dropped via SmokeLoader.

The latest version added antivirus detection and auto-avoidance capabilities, making intrusions and dropping payloads stealthier.

In the July campaign, Amadey dropped various information-stealing malware, such as RedLine, but the more recent campaign loads a LockBit 3.0 payload instead.

Infection chains

AhnLab researchers noticed two distinct distribution chains, one relying on a VBA macro inside a Word document and one disguising the malicious executable as a Word file.

In the first case, the user has to click on the "Enable Content" button to execute the macro, which creates an LNK file and stores it to "C:\Users\Public\skem.lnk". This file is a downloader for Amadey.

Malicious document initiating the infection chain (AhnLab)

 

The second case, seen in late October, uses email attachments with a file named "Resume.exe" (Amadey) that uses a Word document icon, tricking recipients into double-clicking.

Both distribution paths lead to Amadey infections that use the same command and control (C2) address, so it's safe to assume the operator is the same.

Amadey to LockBit 3.0

At first launch, the malware copies itself to the TEMP directory and creates a scheduled task to establish persistence between system reboots.

Next, Amadey connects to the C2, sends a host profiling report, and then waits for the reception of commands.

The three possible commands from the C2 server order the download and execution of LockBit, in PowerShell form ('cc.ps1' or 'dd.ps1'), or exe form ('LBB.exe').

Obfuscated PowerShell version of LockBit (AhnLab)

 

The payloads are again dropped in TEMP as one of the following three:

• %TEMP%\1000018041\dd.ps1
• %TEMP%\1000019041\cc.ps1
• %TEMP%\1000020001\LBB.exe

From there, LockBit encrypts the user's files and generates ransom notes demanding payment, threatening to publish stolen files on the group's extortion site.

Sample of the generated ransom notes (AhnLab)

 

In September 2022, AnhLab observed another two methods of LockBit 3.0 distribution, one using DOTM documents with malicious VBA macro and one dropping ZIP files containing the malware in NSIS format.

Earlier, in June 2022, LockBit 2.0 was seen distributed via fake copyright infringement emails dropping NSIS installers, so it all appears to be the evolution of the same campaign.

The attackers, linked to the REvil cybercrime gang, have leaked a wide range of information so far, including Medibank customers' private and health data and, according to WhatsApp screenshots, negotiation chats with the health insurer's security operations team and CEO David Koczar.

Medibank said that there's no evidence the cybercriminals have gained access to financial information (credit card and banking details), health claims data for extras services (like dental, physio, optical, and psychology), or primary identity documents (e.g., driver's licenses).

It also alerted its customers today that the threat actors have published online files "believed to have been stolen" from its network, adding that it expects the extortionists to continue releasing stolen data on their dark web leak website.

"This data includes personal data such as names, addresses, dates of birth, phone numbers, email addresses, Medicare numbers for ahm customers (not expiry dates), in some cases passport numbers for our international students (not expiry dates), and some health claims data," the company said.

"The files appear to be a sample of the data that we earlier determined was accessed by the criminal. We expect the criminal to continue to release files on the dark web."

Today's warning comes after Medibank said in a press release published on Monday, November 7, that it would not pay a ransom demand made by the attackers.

"Today, we've announced that no ransom payment will be made to the criminal responsible for this data theft," Medibank said.

"Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers' data and prevent it from being published."

Data of millions of customers likely stolen

On October 26, the health insurance provider revealed that the hackers accessed some of its customers' data, even though it initially said it had no evidence of customer info accessed or stolen by the attackers.

On Monday, before the cybercriminals started leaking data to back their claims and force Medibank into negotiating a deal, the company also disclosed that millions of customers had their information accessed by the hackers.

The data Medibank believes was exposed in last month's breach includes the following:

• Name, date of birth, address, phone number, and email address for approximately 9.7 million current and former customers and authorized representatives
• Medicare numbers (but not expiry dates) for ahm health insurance (ahm) customers
• Passport numbers (but not expiry dates) and visa details for international student customers 
• Health claims data for roughly 480,000 Medibank, ahm, and international customers
• Health provider details, including names, provider numbers, and addresses

However, according to Medibank "given the nature of this crime, unfortunately we now believe that all of the customer data accessed could have been taken by the criminal."

Customers warned to pay attention online

"We will continue to work around the clock to inform customers of what data we believe has been stolen and any of their data included in the files on the dark web and provide advice on what customers should do," the insurer said on Wednesday.

"Medibank is working with the Australian Government, including the Australian Cyber Security Centre and the Australian Federal Police. The Australian Federal Police is investigating this cybercrime."

As Medibank warned, customers should be vigilant online and take the following measures to block any attack attempts:

• Being alert for any phishing scams via phone, post, or email
• Verifying any communications received to ensure they are legitimate
• Not opening texts from unknown or suspicious numbers
• Changing passwords regularly with 'strong' passwords, not re-using passwords, and activating multi-factor authentications on any online accounts where available
• Medibank will never contact customers asking for passwords or sensitive information

Medibank is one of the largest private health insurers in Australia, providing private health insurance and services to more than 3.9 million people.

Source

The attacks were first spotted by Sucuri, who says that each compromised site contains approximately 20,000 files used as part of the search engine spam campaign, with most of the sites being WordPress.

The researchers believe the threat actors' goal is to generate enough indexed pages to increase the fake Q&A sites' authority and thus rank better in search engines.

Phony Q&A site promoted by this campaign (Sucuri)

 

The campaign likely primes these sites for future use as malware droppers or phishing sites, as even a short-term operation on the first page of Google Search, would result in many infections.

An alternative scenario, based on the existence of an 'ads.txt' file on the landing sites, is that their owners want to drive more traffic to conduct ad fraud.

Targeting WordPress sites

Sucuri reports that the hackers are modifying WordPress PHP files, such as 'wp-singup.php', 'wp-cron.php', 'wp-settings.php', 'wp-mail.php', and 'wp-blog-header.php', to inject the redirects to the fakes Q&A discussion forums.

In some cases, the attackers drop their own PHP files on the targeted site, using random or pseudo-legitimate file names like 'wp-logln.php'.

Malicious code in one of the infected files (Sucuri)

 

The infected or injected files contain malicious code that checks if the website visitors are logged in to WordPress, and if they're not, redirects them to the https://ois.is/images/logo-6.png URL.

However, browsers will not be sent an image from this URL but will instead have JavaScript loaded that redirects users to a Google search click URL that redirects users to the promoted Q&A site.

Code to generate the fake Google Search event (Sucuri)

 

Using a Google search click URL is likely to increase performance metrics on the URLs in the Google Index to make it appear as if the sites are popular, hoping to increase their ranking in the search results.

Furthermore, redirecting through Google search click URLs makes the traffic look more legitimate, possibly bypassing some security software.

The exclusion of logged-in users, as well as those standing at 'wp-login.php,' aims to avoid redirecting an administrator of the site, which would result in the raising of suspicion and the cleaning of the compromised site.

The PNG image file uses the 'window.location.href' function to generate the Google Search redirection result to one of the following targeted domains:

• en.w4ksa[.]com
• peace.yomeat[.]com
• qa.bb7r[.]com
• en.ajeel[.]store
• qa.istisharaat[.]com
• en.photolovegirl[.]com
• en.poxnel[.]com
• qa.tadalafilhot[.]com
• questions.rawafedpor[.]com
• qa.elbwaba[.]com
• questions.firstgooal[.]com
• qa.cr-halal[.]com
• qa.aly2um[.]com

The threat actors use multiple subdomains for the above, so the complete list of the landing domains is too long to include here (1,137 entries). Those interested in reviewing the complete list can find it here.

Most of these websites hide their servers behind Cloudflare, so Sucuri's analysts couldn't learn more about the campaign's operators.

As all of the sites use similar website-building templates, and all appear to have been generated by automated tools, it is likely they all belong to the same threat actors.

Sucuri couldn't identify how the threat actors breached the websites used for redirections. However, it likely happens by exploiting a vulnerable plugin or brute-forcing the WordPress admin password.

Hence, the recommendation is to upgrade all WordPress plugins and website CMS to the latest version and activate two-factor authentication (2FA) on admin accounts.

Source

The threat actors have been active since at least 2020, using custom versions of Cobalt Strike loaders to plant persistent backdoors on victims' systems.

According to a new Trend Micro report, Earth Longzhi has similar TTP (techniques, tactics, and procedures) as 'Earth Baku,' both considered subgroups of the state-backed hacking group tracked as APT41.

Earth Longzhi's older campaign

Trend Micro's report illustrates two campaigns conducted by Earth Longzhi, with the first occurring between May 2020 and February 2021.

During that time, the hackers attacked several infrastructure companies in Taiwan, a bank in China, and a government organization in Taiwan.

Timeline of first campaign (Trend Micro)

 

In this campaign, the hackers used the custom Cobalt Strike loader 'Symatic,' which features a sophisticated anti-detection system including the following functions:

• Remove API hooks from 'ntdll.dll,' get raw file content, and replace the in-memory ntdll image with a copy not monitored by security tools.
• Spawn a new process for process injection and masquerade the parent process to obfuscate the chain.
• Inject a decrypted payload into the newly created process.

For its primary operations, Earth Longzhi used an all-in-one hacking tool that combined various publicly available tools under a single package.

This tool can open a Socks5 proxy, perform password scans on MS SQL servers, disable Windows file protection, modify file timestamps, scan ports, launch new processes, perform RID spoofing, enumerate drives, and execute commands with 'SQLExecDirect.'

2022 campaign

The second campaign observed by Trend Micro lasted from August 2021 until June 2022, targeting insurance and urban development firms in the Philippines and aviation firms in Thailand and Taiwan.

Timeline of the second campaign (Trend Micro)

 

In these more recent attacks, Earth Longzhi deployed a new set of custom Cobalt Strike loaders that used different decryption algorithms and additional features for performance (multi-threading) and effectiveness (decoy documents).

Different loaders used in the recent campaign (Trend Micro)

 

The injection of the Cobalt Strike payload into a newly created process running in memory remains the same as in Symatic, never touching the disk to avoid risking detection.

One variant of the BigpipeLoader follows a very different payload loading chain, using DLL sideloading (WTSAPI32.dll) on a legitimate app (wusa.exe) to run the loader (chrome.inf) and inject Cobalt Strike on memory.

Latest loader variant used in Earth Longzhi attacks (Trend Micro)

 

After Cobalt Strike runs on the target, the hackers use a custom version of Mimikatz to steal credentials and use the 'PrintNighmare' and 'PrintSpoofer' exploits for privilege escalation.

To disable security products on the host, Earth Longzhi uses a tool named 'ProcBurner,' which abuses a vulnerable driver (RTCore64.sys) to modify the required kernel objects.

"ProcBurner is designed to terminate specific running processes," explains Trend Micro in the report.

"Simply put, it tries to change the protection of the target process by forcibly patching the access permission in the kernel space using the vulnerable RTCore64.sys."

ProcBurner functional diagram (Trend Micro)

 

Notably, the same MSI Afterburner driver is also used by BlackByte ransomware in Bring Your Own Vulnerable Drive (BYOVD) attacks that abuse it to bypass over a thousand security protections.

ProcBurner first detects the OS, as the kernel patching process changes depending on the version. The tool supports the following releases:

• Windows 7 SP1
• Windows Server 2008 R2 SP1
• Windows 8.1
• Windows Server 2012 R2
• Windows 10 1607, 1809, 20H2, 21H1
• Windows Server 2018 1809
• Windows 11 21H2, 22449, 22523, 22557
•  

A second protection-negating tool, ' AVBurner,' also abuses the vulnerable driver to unregister security products by removing their kernel callback routine.

Commodity + custom

APT groups increasingly rely on commodity malware and attack frameworks like Cobalt Strike to obscure their trace and make attribution difficult.

However, the sophisticated hackers still develop and use custom tools for stealthy payload loading and to bypass security software.

By following these tactics, Earth Longzhi has managed to stay undetected for at least 2.5 years now, and following this exposure by Trend Micro, they are likely to switch to new tactics.

Source

The two defendants, Jonathan and Diana Toebbe, however, tried selling restricted information (such as printouts, digital media files containing technical details, and operations manuals) to an undercover FBI agent.

While working as a Navy nuclear engineer, Jonathan Toebbe had access to naval nuclear propulsion information, including military-sensitive design elements, performance characteristics, and other restricted data for nuclear-powered warship reactors.

He served as a nuclear engineer assigned to the Naval Nuclear Propulsion Program of the Department of the Navy, which gave him access to restricted naval nuclear reactors data, given that he also held an active national security clearance through the U.S. Defense Department.

"Naval nuclear engineer Jonathan Toebbe was entrusted with our nation's critical secrets and, along with his wife Diana Toebbe, put the security of our country at risk for financial gain," said U.S. Attorney Cindy Chung on Wednesday.

"Their serious criminal conduct betrayed and endangered the Department of the Navy's loyal and selfless service members. The seriousness of the offense in this case cannot be overstated."

The Toebbes pleaded guilty in February 2022 after being arrested by the FBI and the Naval Criminal Investigative Service (NCIS) on October 9, 2021.

Undercover agents and encrypted emails

The attempted exchange of restricted nuclear warship data began with a package sent to a foreign government on April 1, 2020, containing "U.S. Navy documents, a letter containing instructions," and an SD card with contact instructions via an encrypted communication platform.

The FBI attaché in the unspecified country informed the FBI, which initiated contact with Jonathan Toebbe in December 2020 via encrypted ProtonMail email through an undercover agent posing as a representative of the undisclosed country, according to court documents.

In the following email exchanges between April and June 2021, the FBI convinced the defendant to deliver additional confidential U.S. Navy information to a "dead drop" location in Jefferson County, West Virginia, after agreeing to pay for it in Monero cryptocurrency.

"The samples will be encrypted using GnuPG symmetric encryption with a randomly generated passphrase," the defendant told the undercover agent via encrypted email. "I am very aware of the risks of blockchain analysis of BitCoin and other cryptocurrencies, and believe Monero gives both us excellent deniability."

Ironically, he also expressed concern in communications with the FBI that he might not be communicating with a foreign power agent before agreeing to deliver the encrypted documents at the dead drop location.

"I am sorry to be so stubborn and untrusting, but I can not agree to go to a location of your choosing. I must consider the possibility that I am communicating with an adversary who has intercepted my first message and is attempting to expose me," he said.

"Would not such an adversary wish me to go to a place of his choosing, knowing that an amateur will be unlikely to detect his surveillance? If you insist on my physically delivering the package, then it must be a place of my choosing."

Peanut butter sandwiches and chewing gum packages

On June 26, 2021, Jonathan Toebbe placed an SD card concealed in half a peanut butter sandwich at a pre-arranged dead drop location, with his spouse acting as a lookout.

"On Aug. 28, Jonathan Toebbe made another 'dead drop' of an S.D. card in eastern Virginia, this time concealing the card in a chewing gum package. After making a payment to Toebbe of $70,000 in cryptocurrency, the FBI received a decryption key for the card," a Department of Justice press release says.

They were both arrested after he delivered a third SD card at a pre-arranged "dead drop" at another location in West Virginia.

"If not for the remarkable efforts of FBI agents, the sensitive data stolen by Mr. Toebbe could have ended up in the hands of an adversary of the United States and put the safety of our military and our nation at risk," said U.S. Attorney William J. Ihlenfeld II.

"The Toebbes were willing to compromise the security of the nation by selling information related to naval nuclear propulsion systems, they are now being held accountable for their actions," FBI Special Agent in Charge Mike Nordwall added.

Source

This behavior deviates from most info-stealers, which attempt to steal data from various data sources, including browsers, cryptocurrency wallet apps, cloud gaming apps, the clipboard, etc.

The previously unknown malware was discovered by analysts at DCSO CyTec, who report that they first saw it in the wild in early November 2022, targeting Spanish-speaking users.

Polyglot file infection

StrelaStealer arrives on the victim's system via email attachments, currently ISO files with varying content.

In one example, the ISO contains an executable ('msinfo32.exe') that sideloads the bundled malware via DLL order hijacking.

In a more interesting case seen by the analysts, the ISO contains an LNK file ('Factura.lnk') and an HTML file ('x.html'). The x.html file is of particular interest because it is a polyglot file, which is a file that can be treated as different file formats depending on the application that opens it.

Diagram of the infection process - Source: DCSO CyTec

 

In this case, x.html is both an HTML file and a DLL program that can load the StrelaStealer malware or display a decoy document in the default web browser.

When the Fractura.lnk file is executed, it will execute x.html twice, first using rundll32.exe to run the embedded StrelaStealer DLL and another time as HTML to load the decoy document in the browser, as shown in the image below.

LNK file loading the DLL and decoy image from x.html - Source: BleepingComputer

 

Once the malware is loaded in memory, the default browser is opened to show the decoy to make the attack less suspicious.

StrelaStealer details

Upon execution, StrelaStealer searches the '%APPDATA%\Thunderbird\Profiles\' directory for 'logins.json' (account and password) and 'key4.db' (password database) and exfiltrates their contents to the C2 server.

For Outlook, StrelaStealer reads the Windows Registry to retrieve the software's key and then locates the 'IMAP User', 'IMAP Server', and 'IMAP Password' values.

The IMAP Password contains the user password in encrypted form, so the malware uses the Windows CryptUnprotectData function to decrypt it before it's exfiltrated to the C2 along with the server and user details.

Finally, StrelaStealer validates that the C2 received the data by checking for a specific response and quits when it receives it. Otherwise, it enters a 1-second sleep and retries this data-theft routine.

Since the malware is spread using Spanish-language lures and focuses on very specific software, it may be used in highly targeted attacks. However, DCSO CyTec couldn't determine more about its distribution.

The suspect was arrested in Ontario, Canada, last month following an investigation led by the French National Gendarmerie with the help of Europol's European Cybercrime Centre (EC3), the FBI, and the Canadian Royal Canadian Mounted Police (RCMP).

"One of the world's most prolific ransomware operators has been arrested on 26 October in Ontario, Canada," Europol said today.

"A 33-year old Russian national, the suspect is believed to have deployed the LockBit ransomware to carry out attacks against critical infrastructure and large industrial groups across the world."

Law enforcement agents also seized eight computers and 32 external hard drives, two firearms, and €400,000 worth of cryptocurrency from the suspect's home, 

Europol added that this LockBit operator "was one of Europol's high-value targets due to his involvement in numerous high-profile ransomware cases," and he is known for trying to extort victims with ransom demands between €5 to €70 million.

While Europol describes the suspect as an 'operator' of the LockBit ransomware, he is likely an affiliate rather than a manager of the cybercrime operation.

Furthermore, the public-facing LockBit representative known as 'LockBitSupp' was posting in hacker forums as recently as yesterday.

Charged for participation in LockBit ransomware attacks

The U.S. Department of Justice (DOJ) said in a press release published today that the 33-year-old suspect's name is Mikhail Vasiliev, a dual Russian and Canadian national from Bradford, Ontario, Canada. 

According to the criminal complaint, in an August 2022 search of his home, Canadian law enforcement also found screenshots of Tox exchanges with 'LockBitSupp,' instructions on how to deploy the LockBit's Linux/ESXi locker and the malware's source code, as well as "photographs of a computer screen showing usernames and passwords for various platforms belonging to employees of a LockBit victim in Canada, which suffered a confirmed LockBit attack in or about January 2022."

He is now awaiting extradition to the United States for his alleged participation in the LockBit global ransomware campaign.

Vasiliev was charged with conspiracy to transmit ransom demands and to intentionally damage protected computers. He faces a maximum of five years of incarceration if convicted.

"This arrest is the result of over two-and-a-half-years of investigation into the LockBit ransomware group, which has harmed victims in the United States and around the world," Deputy Attorney General Lisa O. Monaco said today.

"It is also a result of more than a decade of experience that FBI agents, Justice Department prosecutors, and our international partners have built dismantling cyber threats." 

Stream of ransomware operator arrests

This arrest follows a similar action in Ukraine in October 2021 when a joint international law enforcement operation involving the FBI, the French police, and the Ukrainian National Police led to the arrest of two of his accomplices.

While announcements from Europol and the Ukrainian police described the suspects as members of a top-tier ransomware gang, Europol told BleepingComputer at the time that they could not name the group for operational reasons.

"Both these individuals were part of the same group which focused not only on ransom attacks, but also laundered criminal funds," Europol said.

Both suspects were arrested in Kyiv, Ukraine, with one of them described as a 25-year-old male "hacker."

Last year, the Ukrainian police also arrested other suspects believed to be members of the Clop and Egregor ransomware operations.

Europol also announced in October 2021 that law enforcement agencies apprehended 12 suspects in Ukraine and Switzerland believed to be linked to LockerGoga, MegaCortex, and Dharma ransomware attacks that affected more than 1,800 victims in 71 countries.

Update November 10, 12:13 EST: Added more info from DOJ press release and criminal complaint.

Source

As the Moscow-based company informed on its Russian blog earlier this week, the shutdown of the VPN service will be staged, so that impact on customers remains minimal.

Purchases of the paid version of Kaspersky Secure Connection will remain available on both the official website and mobile app stores until December 2022.

Customers with active subscriptions will continue to enjoy the product's VPN service until the end of the paid period, which cannot go beyond the end of 2023 (one-year subscription).

Russian-based users of the free version of Kaspersky Secure Connection will not be able to continue using the product after November 15, 2022, so they will have to seek alternatives.

BleepingComputer emailed Kaspersky questions regarding its decision to stop offering VPN products in Russia, but a spokesperson has declined to provide more information.

A hostile environment for VPNs

There are few trustworthy legal VPN alternatives left for Russians to choose from.

The country's telecommunications watchdog, Roskomnadzor, announced VPN bans in June 2021 and then again in December 2021, prohibiting the use of NordVPN, Express VPN, ProtonVPN, VyprVPN, Opera VPN, PrivateTunnel, and others.

The reason for banning 15 VPNs in the country was because their vendors refused to connect their services to the FGIS database, which would apply government-imposed censorship in VPN connections, and would also make user traffic and identity

subject to state scrutiny.

Ever-increasing controls are strangling VPN usage in Russia. On Tuesday, the Ministry of Digital Transformation requested all state-owned companies to declare what VPN products they use, for what purposes, and in what locations.

In August, Roskomnadzor announced a plan to introduce an AI-based internet scanner by December 2022 to analyze every new information that appears online.

This system will further motivate Russians to use VPNs, so the pressure on VPN providers to stop offering tools that can hide the poster's identity may have risen.

The authors of IceXLoader, a malware loader first spotted in the wild this summer, have released version 3.3.3, enhancing the tool’s functionality and introducing a multi-stage delivery chain.

The discovery of the Nim-based malware came in June 2022 by Fortinet, when IceXLoader was in version 3.0, but the loader was missing key features and generally appeared like a work-in-progress.

Minerva Labs published a new post on Tuesday, warning that the latest version of IceXLoader marks a departure from the project’s beta development stage.

For a malware loader so aggressively promoted on the cybercrime underground, any development of this kind is significant and could lead to a sudden uptick in its deployment.

Current delivery chain

The infection begins with the arrival of a ZIP file via a phishing email containing the first-stage extractor.

The extractor creates a new hidden folder (.tmp) under “C:\Users\<username>\AppData\Local\Temp” and drops the next-stage executable, ‘STOREM~2.exe.’

Then, depending on the extract settings selected by the operator, the infected system may be rebooted, and a new registry key will be added to delete the temp folder when the computer restarts.

The dropped executable is a downloader that fetches a PNG file from a hardcoded URL and converts it into an obfuscated DLL file which is the IceXLoader payload.

After decrypting the payload, the dropper performs checks to ensure it’s not running inside an emulator and waits 35 seconds before executing the malware loader to evade sandboxes.

Finally, IceXLoader is injected into the STOREM~2.exe process using process hollowing.

New IceXLoader

Upon the first launch, IceXLoader version 3.3.3 copies itself into two directories named after the operator’s nickname and then collects the following information about the host and exfiltrates it to the C2:

• IP address
• UUID
• Username and machine name
• Windows OS version
• Installed security products
• Presence of .NET Framework v2.0 and/or v4.0
• Hardware information
• Timestamp

To ensure persistence between reboots, the malware loader also creates a new registry key at “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.”

For evasion, it uses a method of in-memory patching in AMSI.DLL, bypassing the Microsoft Windows Antimalware Scan Interface used by Windows Defender and other security products.

The commands supported by the loader are the following:

• Stop execution
• Collect system info and exfiltrate to C2
• Display dialog box with specified message
• Restart IceXLoader
• Send GET request to download a file and open it with “cmd/ C”
• Send GET request to download an executable to run it from memory
• Load and execute a .NET assembly
• Change C2 server beaconing interval
• Update IceXLoader
• Remove all copies from the disk and stop running

Minerva reports that the threat actors behind this campaign aren’t interested in securing the stolen data, as the SQLite database holding stolen information is accessible in the C2 address.

The exposed database contains records corresponding to thousands of victims, containing a mix of home PC and corporate PC infections.

The security researchers have informed the affected companies of the exposure, but the database is updated with new entries daily.

Source

Uyghurs, a regional Muslim minority of roughly 13 million people, have suffered extreme oppression from the central Chinese government due to their cultural deviation from typical eastern Chinese values.

The new spyware was originally discovered by MalwareHunterTeam and linked to Bahamut in VirusTotal detections.

After further analysis by Lookout, the malware was found to be new spyware using the same infrastructure seen in 2020 campaigns against Uyghurs by the state-backed hacking group APT15 (aka "Pitty Tiger).

Additionally, Lookout observed a second campaign using new variants of 'Moonshine,' a spyware discovered by CitizenLab in 2019 while deployed against Tibetan groups.

BadBazaar details

The BadBazaar spyware has used at least 111 different apps since 2018 to infect Uyghurs, promoting them on communication channels populated by the particular ethnic group.

The impersonated apps cover a wide range of categories, from dictionaries to religious practice companions and from battery optimizers to video players.

Lookout has found no evidence of these apps ever reaching Google Play, Android's official app store, so they are likely distributed via third-party stores or malicious websites.

Interestingly, there's a single case of an iOS app on the Apple App Store that communicates with the malicious C2, yet it doesn't feature spyware functionality, only sending the device UDID.

BadBazaar's data-collecting capabilities include the following:

• Precise location
• List of installed apps
• Call logs with geolocation data
• Contacts list
• SMS
• Complete device info
• WiFi info
• Phone call recording
• Take pictures
• Exfiltrate files or databases
• Access folders of high-interest (images, IM app logs, chat history, etc.)

Looking into the C2 infrastructure, which exposes some of the admin panels and the GPS coordinates of test devices due to errors, Lookout analysts found connections to the Chinese defense contractor Xi'an Tian He Defense Technology.

New Moonshine variants

Starting in July 2022, Lookout researchers noticed a new campaign using 50 apps that push new versions of the 'Moonshine' spyware to victims.

These apps are promoted on Uyghur-speaking Telegram channels, where rogue users suggest them as trustworthy software to other members.

The newer malware version is still modular, and its authors have added more modules to extend the tool's surveillance capabilities.

The data Moonshine steals from compromised devices include network activity, IP address, hardware info, and more.

The C2 commands supported by the malware are:

• Call recording
• Contact collection
• Retrieve files from a location specified by the C2
• Collect device location data
• Exfiltrate SMS messages
• Camera capture
• Microphone recording
• Establish SOCKS proxy
• Collect WeChat data

Lookout has found evidence that the authors of the new Moonshine version are Chinese, as both code comments and server-side API documentation are written in simplified Chinese.

This report indicates that surveillance of Chinese minorities continues unabated despite the outcry from international human rights protection organizations.

Sobeys is one of two national grocery retailers in Canada, with 134,000 employees servicing a network of 1,500 stores in all ten provinces under multiple retail banners, including Sobeys, Safeway, IGA, Foodland, FreshCo, Thrifty Foods, and Lawtons Drugs.

In a press release published Monday, Sobeys' parent company Empire revealed that while its grocery stores were still open, some services were impacted by this company-wide IT issue.

"The Company's grocery stores remain open to serve customers and are not experiencing significant disruptions at this time. However, some in-store services are functioning intermittently or with a delay," the retailer revealed.

"In addition, certain of the Company's pharmacies are experiencing technical difficulties in fulfilling prescriptions. The Company however remains committed to the continuity of care of all its pharmacy patients."

The company also added that it's working on resolving the issues affecting its IT systems to reduce store disruption.

In a separate statement published on Sobeys' official website with "important information" regarding the retailer's store services, Sobeys added that all stores remained open and were "not experiencing significant disruptions."

However, according to employee reports, all computers were locked out in affected Sobeys stores, with point-of-sale (POS) and payment processing systems still online and working since they're set up to work on a separate network.

Sobeys is yet to reply to requests for comment after BleepingComputer reached out earlier this week.

BleepingComputer reached out to Sobeys with a request for comment on Sunday but is yet to receive a reply.

IT issues caused by a Black Basta ransomware attack

While the company is yet to disclose any information linking this ongoing outage to a cyberattack, local media reported that Canadian provincial privacy watchdogs from Quebec and Alberta have confirmed receiving "confidentiality incident" notifications from the retailer.

As the Quebec watchdog told The Canadian Press, such alerts are only sent following incidents where personal information has been accessed in a breach.

Furthermore, based on ransom notes and negotiation chats BleepingComputer has seen, the attackers deployed Black Basta ransomware payloads to encrypt systems on Sobeys' network.

BleepingComputer was told by multiple sources that the attack occurred late Friday/early Saturday morning.

Photographs shared by Sobeys employees online also show in-store computers displaying a Black Basta ransom note.

Black Basta ransomware was first spotted in attacks in mid-April 2022, with the operation quickly ramping up its attacks against companies worldwide in the coming months.

Although the gang's ransom demands likely differ in size between victims, BleepingComputer knows of at least one incident where the victim received a demand of more than $2 million for a decryptor to avoid having stolen data leaked online.

By June 2022, Black Basta was already seen deploying payloads on systems previously compromised by Qbot (QuakBot) operators.

Even though details are scarce regarding this ransomware gang, this is likely not a new operation but a rebrand given their negotiating style and ability to quickly breach new victims.

Some researchers believe that Black Basta is linked to the Conti ransomware but BleepingComputer has not been able to confirm this.

Source

Once Mobile Network Protection is toggled, MDE will provide protection and alerts when rogue Wi-Fi-related threats and certificates (the primary attack vector for Wi-Fi networks) are detected.

Threats this feature can spot include rogue hardware like Hak5 Wi-Fi Pineapple devices used by both pen-testers and cybercriminals to capture data shared within networks.

Users will also be alerted to switch networks if MDE detects suspicious or unsecured networks and will receive push notifications when open Wi-Fi networks are discovered.

"As the world continues to make sense of the digital transformation, networks are becoming increasingly complex and provide a unique avenue for nefarious activity if left unattended," the company said in June when it announced the public preview.

"To combat this, Microsoft offers a mobile network protection feature in Defender for Endpoint that helps organizations identify, assess, and remediate endpoint weaknesses with the help of robust threat intelligence."

Even though Mobile Network Protection is enabled by default on enrolled mobile devices, Microsoft also provides detailed info on how to configure it on Android and iOS devices using the Microsoft Endpoint Manager Admin center.

Endpoint security platform covering all major OSs

Defender for Endpoint's capabilities have slowly been expanded to protect devices across all major platforms and to enable security teams to defend network endpoints using a unified security solution.

MDE on iOS was updated with zero-touch onboarding capability in February to help admins silently and automatically install Defender for Endpoint on all enrolled devices in an enterprise network.

Microsoft also announced that MDE threat and vulnerability management support for Android and iOS reached general availability one month later.

Vulnerability management lets admins decrease Android and iOS mobile endpoints' surface attack, thus increasing their organization's resilience against attack attempts targeting mobile devices.

"With this new cross-platform coverage, threat and vulnerability management capabilities now support all major device platforms across the organization - spanning workstations, servers, and mobile devices," Microsoft said.

Earlier this year, Redmond also revealed that MDE is now allowing admins to "contain" unmanaged Windows devices on their network if they were compromised and is better at blocking ransomware on Windows 11.

Source