What's new in macOS Ventura 13.0.1, iOS 16.1.1 and iPadOS 16.1.1

The Cupertino company has credited three security researchers of the Google Project Zero team for discovering the vulnerabilities. According to the release notes published on Apple's website, both issues are related to libxml2, which is a library that is used for parsing XML and HTML files. So these vulnerabilities affect other operating systems as well, including Linux distros.

The first issue, which has been identified as CVE-2022-40303, could allow a remote user attackers to terminate an app or execute arbitrary code. Apple says it fixed the issue by addressing an integer overflow through improved input validation.

The other issue, filed as CVE-2022-40304, could have a similar impact, i.e. an attack can cause an unexpected app termination or remote code execution. The vulnerability was mitigated by improving some checks. You can find the original reports by the security experts here: 1 and 2.

Usually, when such vulnerabilities have been exploited by threat actors, Apple mentions it in the security update documentation to educate users about potential risks. These two security issues, however, don't have that warning, which means that no known attacks have been reported. That doesn't mean you should skip the update,

macOS 13.0.1 is the first update that has rolled out since macOS Ventura was released a few weeks ago. The firmware build number is 22A400. If you haven't updated to the new operating system yet, you may want to read our previous articles to learn about the new features in macOS 13. For those who are still finding their way around the new System Settings, you can check for updates manually by going to the General > Software Update page.

The iOS 16.1.1 update is available for the iPhone 8 and later, while the iPadOS 16.1.1 update is available for all iPad Pro models, iPad Air 3rd generation and later, iPad 5th generation and later, and the iPad Mini 5th generation and later.

Apple is yet to patch the vulnerabilities for devices that are running on iOS 15, iPadOS 15, macOS Big Sur and Monterey. This is not unusual, the company releases security updates for legacy devices a few days after patching the current versions of the operating systems. You can keep an eye on Apple's security updates page to see if an update is available for your iPhone, iPad or Mac. You will also find the release notes for iOS 16.1.1, iPados 16.1.1, along with the change log for macOS 13.0.1 on the same page.

I noticed a minor bug in the Settings app's Software Update section, it showed that the macOS 13.0.1 update is about 606 MB in size. But, the actual download size that was reported by the updater was more than double of that, at around 1.46 GB. I haven't come across any other issues in macOS Ventura, and I've been using it since the first Dev build was released.

That said, Apple seems to have improved the installation process for the updates, it's noticeably faster now. My MacBook Air was ready to use in a few minutes after a restart to complete the process.  That's quite impressive, as it usually took 10-20 minutes even for minor updates to be installed on macOS Monterey.

Have you updated your device?

Apple releases macOS Ventura 13.0.1, iOS 16.1.1 and iPadOS 16.1.1 to patch two security issues

Chrome desktop installations should receive the update automatically over the coming days and weeks. Administrators may speed up the upgrade by updating the browser manually.

To do that, it is necessary to open chrome://settings/help in the browser's address bar (you may also reach the internal page via Menu > Help > About Google Chrome). Chrome displays the current version and runs a check for updates. The browser should pick up the update at this point and install it automatically.

Chrome is up to date if the following version is listed on the page (it depend on the operating system)

• Mac: 107.0.5304.110
• Linux: 107.0.5304.110
• Windows: 107.0.5304.106/.107

The new Chrome release fixes 10 different security issues in the browser. Google discloses externally reported vulnerabilities only to the public. For this particular update, six of the ten vulnerabilities are listed by Google. These are:

1. [$21000][1377816] High CVE-2022-3885: Use after free in V8. Reported by gzobqq@ on 2022-10-24
2. [$10000][1372999] High CVE-2022-3886: Use after free in Speech Recognition. Reported by anonymous on 2022-10-10
3. [$7000][1372695] High CVE-2022-3887: Use after free in Web Workers. Reported by anonymous on 2022-10-08
4. [$7000][1375059] High CVE-2022-3888: Use after free in WebCodecs. Reported by Peter Nemeth on 2022-10-16
5. [$TBD][1380063] High CVE-2022-3889: Type Confusion in V8. Reported by anonymous on 2022-11-01
6. [$TBD][1380083] High CVE-2022-3890: Heap buffer overflow in Crashpad. Reported by anonymous on 2022-11-01

All six security vulnerabilities have a severity rating of high, second only to vulnerabilities rated as critical. Google does not mention that any of the vulnerabilities are exploited in the wild at the time of releasing the update. Still, most administrators may want to update the browser as soon as possible to protect it from potential attacks.

Google released an update for the Android version of Chrome as well. The Android release includes the same security fixes as the desktop update according to Google. There has been no mention of an update for Chrome's Extended Stable channel.

Expect other Chromium-based browser developers to release updates for their browsers as well in the coming days.

Now You: do you run Google Chrome or another Chromium-based browser?

Google Chrome 107 Stable out with 10 security fixes

Frontpaged:   Google Chrome 107.0.5304.107

Among others, the latest November Patch Tuesday fixes a Spectre Variant 2 like AMD CPU vulnerability tracked under ID "CVE-2022-23824" which affects almost all AMD Ryzen, EPYC, and Athlon desktop, notebook and server processor SKUs. The latest Zen 4-based Ryzen 7000 chips however are not affected.

In an advisory published earlier today, AMD has described the new security flaw:

AMD is aware of a potential vulnerability affecting AMD CPUs where the OS relies on IBPB to flush the return address predictor. This may allow for CVE-2017-5715 (previously known as Spectre Variant 2) attacks based on RET predictions in cases where the OS relies on IBPB without the use of additional software mitigations, to flush the return address predictor.

CVE-2022-23824

IBPB may not prevent return branch predictions from being specified by pre-IBPB branch targets leading to a potential information disclosure.

Hence, users running an AMD system, barring the latest Ryzen 7000 chips, are advised to update their Windows PCs. You can either use Windows Update in Settings to automatically download the update or manually grab the standalone updates from the Microsoft Update Catalog website. Find the links in the articles below:

• Windows 11
• Windows 10
• Windows 8.1/7

Here are all the AMD CPU families affected:

Desktop

• AMD Athlon™ X4 processor
• AMD Ryzen™ Threadripper™ PRO processor
• 2nd Gen AMD Ryzen™ Threadripper™ processors
• 3rd Gen AMD Ryzen™ Threadripper™ processors
• 7th Generation AMD A-Series APUs
• AMD Ryzen™ 2000 Series Desktop processors
• AMD Ryzen™ 3000 Series Desktop processors
• AMD Ryzen™ 4000 Series Desktop processors with Radeon™ graphics

Mobile

• AMD Ryzen™ 2000 Series Mobile processor
• AMD Athlon™ 3000 Series Mobile processors with Radeon™ graphics
• AMD Ryzen™ 3000 Series Mobile processors or 2nd Gen AMD Ryzen™ Mobile processors with Radeon™ graphics
• AMD Ryzen™ 4000 Series Mobile processors with Radeon™ graphics
• AMD Ryzen™ 5000 Series Mobile processors with Radeon™ graphics

Chromebook

• AMD Athlon™ Mobile processors with Radeon™ graphics

Server

• 1st Gen AMD EPYC™ processors
• 2nd Gen AMD EPYC™ processors
• 3rd Gen AMD EPYC™ processors

Alongside the CPU vulnerability, AMD has also shared details about several security flaws affecting its graphics too. The company released graphics drivers and AGESA updates to fix the issue in its GPUs and integrated graphics, respectively.

In case of the Radeon RX 5000 and RX 6000 series GPUs, the issue is patched with the Radeon 22.5.2 driver. If you are already on a newer driver, you need not have to worry. For PRO series cards, you can grab the AMD Software: PRO Edition 22.Q2 or any newer driver. For AGESA firmware updates, you can head over to AMD's official website to find more details.

Latest Patch Tuesday mends Spectre V2 vulnerability affecting AMD Ryzen Windows PCs

Lenovo has published a security advisory about the vulnerabilities explaining how they work:

The following vulnerabilities were reported in Lenovo Notebook BIOS.

CVE-2022-3430: A potential vulnerability in the WMI Setup driver on some consumer Lenovo Notebook devices may allow an attacker with elevated privileges to modify secure boot setting by modifying an NVRAM variable.

CVE-2022-3431: A potential vulnerability in a driver used during manufacturing process on some consumer Lenovo Notebook devices that was mistakenly not deactivated may allow an attacker with elevated privileges to modify secure boot setting by modifying an NVRAM variable.

CVE-2022-3432: A potential vulnerability in a driver used during manufacturing process on the Ideapad Y700-14ISK that was mistakenly not deactivated may allow an attacker with elevated privileges to modify secure boot setting by modifying an NVRAM variable.

Lenovo has asked users of the affected models to update the firmware:

For CVE-2022-3430 and CVE-2022-3431, update system firmware to the version (or newer) indicated for your model in the product Impact section.

For CVE-2022-3432, the Ideapad Y700-14ISK has reached end of development support and no fixes will be released. Lenovo recommends customers adopt secure computing practices, including active system lifecycle management.

You can find the full list of affected models as well as the firmware which patch the vulnerabilities on Lenovo's official website here.

Source: ESET research (Twitter)

ESET found Lenovo Windows 11 and 10 laptops have Secure Boot vulnerability, BIOS update out

Despite being called "VPN by Google One," the service is slightly different from your regular virtual private network providers, such as NordVPN or Private Internet Access (PIA). One of the reasons people buy VPN services (or use free, which is sometimes worse than not using a VPN at all) is to use geo-locked content and access various websites from different countries. This feature is not available for Google One users, but the service still lets you hide your IP address and mask the traffic.

Another thing worth mentioning is that the VPN is not available for all Google One subscribers. Only those subscribed to the 2TB plan can access Google's virtual private network, which costs $10/mo and allows sharing it with five people.

You can download Google's VPN client from the official webpage. The company provides apps for Android, iOS, macOS, and Windows, but the latter lacks 32-bit and ARM support, which means no luck for those using machines with 32-bit Windows 10 or the latest Surface Pro 9 with the SQ3 processor (or similar Windows on ARM machines). Confusingly, users with Apple Silicon-based Macs can use the app without issues.

VPN by Google One is available in Austria, Australia, Belgium, Canada, Denmark, Finland, France, Germany, Iceland, Ireland, Italy, Japan, Mexico, Netherlands, Norway, South Korea, Spain, Switzerland, Taiwan, the United Kingdom, and the United States. You can learn more about the service on Google's official support website.

Google One VPN is now available on Windows and Mac

Stolen health records for millions of Australians have been publicly released on the dark web following a threat by hackers 24 hours earlier to do precisely that. Last month, the unknown hackers demanded a ransom from Medibank, a private insurance provider in Australia, which the company refused to pay.

The hackers, who claimed to have spent a month rummaging around Medibank’s systems, have posted what they’ve called “naughty” and “nice” lists of health records, with the “naughty” list including people who’ve sought treatment for things like addiction and eating disorders. And they claim they’ve only started releasing the stolen information.

Medibank while negotiating over the ransom. The emails, if they’re authentic, show the hackers refusing to name themselves except to say they’re with an “affiliate group.” Security researchers have dubbed the group BlogXX, which is a partial name of the onion address where the stolen data has been published. Oddly enough, the domain used to be run by the Russian-based REvil ransomware gang, though it’s not clear if some of the hackers are the same.

In one of the email exchanges published by the hackers, a representative from Medibank asks how they know the hackers will actually delete the data if they pay the ransom.

“We are doing business, even if it is not legal, and we are worried about our reputation. This is the key to payments,” the response from the hackers reads.

“We are interested in getting money, not destroying your company,” the hackers continue.

Whatever their intention, these hackers have now put out information that could be used to destroy the lives of regular people who may be struggling with any range of mental health and addiction issues. Medibank declined to comment on the authenticity of the images posted by the hackers in an email to Gizmodo on Wednesday morning.

To make things even more perplexing, Medibank didn’t have cyber insurance, despite being an insurance company. The company is on the hook to lose tens of millions of dollars, according to some estimates, and there are already lawsuits being prepared.

The thieves first published a threat in October to release sensitive data, including detailed health information, that would include notable people in Australia, including politicians, actors, and activists. The threat was in broken English, leading many people to assume the hackers are not from an English-speaking country. The hackers even spell the city of Sydney as “Sidney” in their email exchange with Medibank.

While Medibank has about 3.9 million current customers, the hacked data includes information on about 10 million victims because it also includes former customers, according to Australia’s ABC News. The data hasn’t made its way to the open web yet, with the only way to access the information being the so-called dark web.

“Like millions of other Australians, my family was caught up in the Medibank breach & today we’re learning our personal data is on the dark web. Our worst data breach nightmares are playing out in real time, as our existing laws & data protection systems are no match for hackers,” David Shoebridge, a Senator with the Australian Greens political party, tweeted on Wednesday.

Medibank has received criticism for its slow response to the hack, even initially announcing that while there may have been a breach, the insurance company didn’t believe hackers were able to steal sensitive information. That turned out to be horribly wrong.

The dark web site hosting stolen Medibank data with a message from the hackers (redactions made by Gizmodo)
Screenshot: BlogXX

Australia is a wealthy country with plenty of resources for things like cybersecurity, but folks down under have struggled with protecting sensitive data for years now, partially due to a brain drain in the tech sector that sees skilled workers head overseas for better pay. This year has been particularly bad for Australia, with other high-profile data thefts like the recent breach of telecom giant Optus.

“I just want to thank @medibank. So far I have not had a single piece of advice or information from them about the hacking of my family’s private health data. We’ve been paying their exhorbitant premiums for 20 years FFS. Worse than @Optus and that’s saying something,” one customer wrote on Twitter.

Australian Federal Police (AFP), the rough equivalent of the FBI in the U.S., held a press conference on Wednesday about what’s it’s dubbed Operation Guardian, encouraging anyone who may be contacted in the future with blackmail threats to come forward.

“To the customers impacted by this latest breach, please do not be embarrassed to contact police through ReportCyber if a person contacts you online, by phone or by SMS threatening to release your data unless payment is made,” AFP assistant commissioner for Cyber Command, Justine Gough, said in a statement published online.

“Blackmail is an offence and those who misuse stolen personal information for financial gain face a penalty of up to 10 years’ imprisonment.

Operation Guardian will be actively monitoring the clear, dark and deep web for the sale and distribution of Medibank Private and Optus data,” Gough continued.

Source

Last month, a threat actor began distributing malware called 'Azov Ransomware' through cracks and pirated software that pretended to encrypt victims' files.

However, instead of providing contact info to negotiate a ransom, the ransom note told victims to contact security researchers and journalists to frame them as the developers of the ransomware.

As there was no contact info, and the listed contacts had no way of helping victims, we assumed that the malware was a data wiper.

A diabolical data wiper

Last week, Checkpoint security researcher Jiří Vinopal analyzed the Azov Ransomware and confirmed to BleepingComputer that the malware was specially crafted to corrupt data.

The malware included a trigger time that would cause it to sit dormant on the victim's devices until October 27th, 2022, at 10:14:30 AM UTC, which would then trigger the corruption of all data on the device.

Vinopal says it would overwrite a file's contents and corrupt data in alternating 666-byte chunks of garbage data. The number 666 is commonly associated with the biblical 'Devil,' clearly showing the malicious intent of the threat actor.

"Each cycle exactly 666 bytes are being overwritten with random (uninitialized data) and the next 666 bytes are left original," Vinopal told BleepingComputer.

"This works in a loop, so wiped file structure would look like this: 666 bytes of garbage, 666 bytes original, 666bytes of garbage, 666 bytes original, etc…"

To make matters even worse, the data wiper will infect, or 'backdoor,' other 64-bit executables on the Windows device whose file path does not contain the following strings:

:\Windows
\ProgramData\
\cache2\entries
\Low\Content.IE5\
\User Data\Default\Cache\
Documents and Settings
\All Users

When backdooring an executable, the malware will inject code that will cause the data wiper to launch when a seemingly harmless executable is launched.

"Backdooring of the files works in a polymorphic way, which means the same shellcodes used to backdoor files are every time encoded differently," explained Vinopal.

"(ex. if the same file A would be backdoored 2 times to file B1 and B2, B1 and B2 shellcode parts are different so B1 and B2 are also different on the disk) - this is used probably to avoid static AV detection."

Today, the threat actor continues distributing the malware through the Smokeloader botnet, commonly found in fake pirated software and crack sites.

At the time of this writing, there are already pages of submissions of this malware to VirusTotal for today alone, showing how many victims have been affected by this malware over the past two weeks.

It is unclear why the threat actor is spending money to distribute a data wiper. However, theories range from it being done to cover up other malicious behavior or simply to 'troll' the cybersecurity community.

Regardless of the reason, victims who are infected with Azov Ransomware will have no way of recovering their files, and as other executables are infected, they should reinstall Windows to be safe.

Furthermore, as Smokeloader is being used to distribute the Azov data wiper, it is likely also installed with other malware, such as password-stealing malware. Therefore, it is essential to reset any passwords to email accounts, financial services, or other sensitive information.

Finally, while the ransomware is named after the Ukrainian 'Azov' military regiment, this malware is likely not affiliated with the country and is just using the name as a false flag.

Source

The 40-year-old Nigerian's real name is Ramon Olorunwa Abbas, and was ordered to pay restitution of $1,732,841 to two confirmed victims, a law firm in the U.S. and a businessperson in Qatar.

While not all scams succeeded in defrauding the targets, the U.S. Department of Justice says Abbas admitted to prosecutors that over 18 months, between 2019 and 2022, he conspired to launder over $300 million.

"Ramon Abbas, a.k.a. 'Hushpuppi,' targeted both American and international victims, becoming one of the most prolific money launderers in the world," stated Don Alway, the Assistant Director in Charge of the FBI's Los Angeles Field Office.

In some cases, the money launderer provided his services to North Korean hackers, who attempted to steal money from European banks.

The proceeds Abbas obtained from this activity helped him build a persona on Instagram showing off a lavish lifestyle, where he gained influencer status, further aiding social engineering attacks against targets.

Abbas was eventually arrested in Dubai, UAE, in June 2020 and pleaded guilty to money laundering charges in April 2021.

The DoJ announcement illustrated several examples of Abbas' attempted scams, summarized below:

• January 2019 – offered to launder $14.7 million stolen by North Korean hackers in a Maltese bank cyberheist, directing the amount through accounts in Romania and Bulgaria.
• May 2019 – laundered millions of pounds stolen from a professional football (soccer) club in the UK, using Mexican bank accounts.
• October 2019 – tricked a New York-based law firm into sending $922,857 to an account under the control of a co-conspirator.

Abbas was involved in other schemes, including fake multi-million loans targeting business people in Qatar. In one case, Abbas tricked a man into paying $330,000 supposedly needed for the approval of the loan.

Abbas' co-conspirator in many of the above schemes, Ghaled Alaumary, pleaded guilty to money laundering crimes in November 2020 and is currently serving a 140-month imprisonment sentence.

Alaumary was ordered to pay over $30,000,000 in restitution, indicating that he held a more central role in the schemes, being the primary recipient of the stolen funds.

Source

Attackers have been chaining the two security flaws to deploy Chinese Chopper web shells on compromised servers for persistence and data theft, as well as for lateral movement in their victims' networks since at least September 2022.

Microsoft confirmed they were actively abused in attacks on September 30, saying it was "aware of limited targeted attacks using the two vulnerabilities to get into users' systems."

"Microsoft is also monitoring these already deployed detections for malicious activity and will take necessary response actions to protect customers. We are working on an accelerated timeline to release a fix," the company added.

The company later released mitigation measures to allow defenders to block incoming ProxyNotShell attacks but had to update the guidance twice after researchers showed that attackers could still bypass them.

Admins warned to patch

Today, as part of the November 2022 Patch Tuesday, Microsoft finally released security updates to address the two vulnerabilities.

"Because we are aware of active exploits of related vulnerabilities (limited targeted attacks), our recommendation is to install these updates immediately to be protected against these attacks," the Exchange Team warned.

"These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities addressed in these SUs and do not need to take any action other than updating any Exchange servers in their environment."

Tracked as CVE-2022-41082 and CVE-2022-41040, the two security bugs affect Microsoft Exchange Server 2013, 2016, and 2019.

They enable attackers to escalate privileges to run PowerShell in the context of the system and gain arbitrary or remote code execution.

"The attacker for this vulnerability could target the server accounts in an arbitrary or remote code execution," Microsoft added in the CVE-2022-41082 advisory.

"As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server's account through a network call."

The ProxyNotShell security flaws can only be exploited remotely by authenticated threat actors, however, in low-complexity attacks that don't require user interaction. 

Workspace ONE Assist provides remote control, screen sharing, file system management, and remote command execution to help desk and IT staff remotely access and troubleshoot devices in real time from the Workspace ONE console.

The flaws are tracked as CVE-2022-31685 (authentication bypass), CVE-2022-31686 (broken authentication method), and CVE-2022-31687 (broken authentication control) and have received 9.8/10 CVSSv3 base scores.

Non-authenticated threat actors can exploit them in low-complexity attacks that don't require user interaction for privilege escalation.

"A malicious actor with network access to Workspace ONE Assist may be able to obtain administrative access without the need to authenticate to the application," VMware describes the three security bugs.

Fixed in Workspace ONE Assist 22.10

The company patched them today with the release of Workspace ONE Assist 22.10 (89993) for Windows customers.

VMware also patched a reflected cross-site scripting (XSS) vulnerability (CVE-2022-31688) that enables attackers to inject javascript code in the target user's window and a session fixation vulnerability (CVE-2022-31689) that allows authentication after obtaining a valid session token.

All vulnerabilities patched today have been found and reported to VMware by Jasper Westerman, Jan van der Put, Yanick de Pater, and Harm Blankers of REQON IT-Security.

In August, VMware warned admins to patch another critical authentication bypass security flaw in VMware Workspace ONE Access, Identity Manager, and vRealize Automation, enabling unauthenticated attackers to gain admin privileges.

One week later, the company revealed that proof-of-concept (PoC) exploit code was released online after the researcher who discovered and reported the vulnerability shared a PoC exploit.

In May, VMware patched an almost identical critical vulnerability, another authentication bypass (CVE-2022-22972) found by Bruno López of Innotec Security in Workspace ONE Access, VMware Identity Manager (vIDM), and vRealize Automation.

Source

Zhong pled guilty to money laundering crimes on Friday, November 4, for exploiting a "withdrawal processing flaw" that allowed him to withdraw many times more Bitcoin than he deposited on the dark web marketplace.

The DoJ announcement also provides more details about the seizure of 51,351.9 Bitcoin, valued at over $3.3 billion at the time of the action, that occurred in November 2021. 

James Zhong used to be a member of the notorious dark net marketplace 'Silk Road,' a now-defunct illicit goods market that operated between 2011 and 2013, having over 100,000 members.

As the defendant confessed, in September 2012, he stole 50,000 bitcoin from Silk Road by exploiting a flaw in the market's transaction system.

Zhong funded nine different accounts with an initial deposit of 200 to 2,000 bitcoin and then triggered 140 withdrawal transactions in rapid succession.

The hacker exploited a lag in the market's transaction system allowing someone to withdraw their own escrow multiple times.

This way, Zhong tricked the system into releasing 50,000 bitcoin, which he then moved to various wallets to obscure the money trace.

In 2017, after Bitcoin split into Bitcoin Cash and Bitcoin SV, Zhong received 50,000 Bitcoin cash. The Bitcoin Cash was converted into 3,500 Bitcoins, bringing Zhong's total to 53,500 Bitcoin linked to Silk Road.

"For almost ten years, the whereabouts of this massive chunk of missing Bitcoin had ballooned into an over $3.3 billion mystery," commented U.S. Attorney Damian Williams.

"Thanks to state-of-the-art cryptocurrency tracing and good old-fashioned police work, law enforcement located and recovered this impressive cache of crime proceeds."

Today's Department of Justice announcement explains that the seizure occurred on November 9, 2021, when law enforcement authorities holding a search warrant located the following on Zhong's residence:

• 50,491 Bitcoin hidden in an underground floor safe and on a single-board computer submerged under blankets in a popcorn tin inside a bathroom closet.
• 11.12 Bitcoin
• $661,900 in cash
• 25 Casascius coins (physical Bitcoin) valued at 174 Bitcoin
• Four 1-ounce silver bars
• Four 10-ounce silver bars
• Three 1-ounce gold bars
• One gold coin

In addition to the above, the cybercriminal also forfeited all property, including investments in real estate and additional digital assets not linked to the criminal proceedings.

In March 2022, Zhong voluntarily surrendered an additional 825.4 Bitcoins to the authorities, and in May 2022, he gave up another 35.5 Bitcoin.

Zhong is scheduled to hear his sentence on February 22, 2023, with the maximum potential penalty for wire fraud being 20 years in prison.

Source

Up until now, WhatsApp users could block others from seeing the "last seen" information. While that blocked anyone from knowing when a user was last online on the site, it did not prevent others from accessing the online status.

Users who set the last seen preference to nobody will notice that their online status preference is set to everybody, meaning that anyone may check that value.

The online status reveals if a user is online at the time. The feature has been introduced in the beta version of the client in September 2022, but is now also available in the latest stable version of WhatsApp.

Here is how you configure the last seen / online status privacy on WhatsApp:

1. Make sure you run the latest version of WhatsApp. On Android, you may need to check for app updates on Google Play to find out if an update is available.
2. Open the WhatsApp client and select Menu > Settings.
3. Go to Privacy  > Lat seen and online.

There you have the following options:

• Set the last seen status to "everyone", "my contacts", "my contacts except", or "nobody".
• Set the online status to "everyone" or "same as last seen".

You may want to switch the online status to same as last seen, as this prevents others from seeing when you are online. There are services available on the Internet that allow anyone to check the online status of any phone number. If you want to prevent this from happening, you need to set the online status preference to same as last seen, and select any value for that preference, except everyone.

Note: if you limit visibility for either of the preferences, you will also limit your visibility in this regard. If you switch the two settings to your contacts, you will continue to see the last seen and online status of your contacts, but you won't be able to do so for anyone not in the contacts.

WhatsApp should consider changing the defaults of the setting from everybody to another option to improve privacy for all users. For now, it is necessary to make the changes manually.

Now You: do you use WhatsApp? (via Caschy)

How to hide your WhatsApp Online status

Medibank is one of Australia's largest private health insurers, covering over 3.9 million people and having 4,000 employees.

While until now, the attack on Medibank hasn't yet been attributed to a specific ransomware group, the company did confirm that the malicious activity observed on its network matches ransomware activity.

The ransomware gang threatened today in a new entry added to its data leak website that it would leak data allegedly stolen from Medibank's systems within 24 hours.

The gang is yet to reveal how much data it exfiltrated out of Medibank's network and hasn't shared any proof to verify these claims.

A Medibank spokesperson was not available for comment when contacted by BleepingComputer earlier today to confirm the ransomware gang's claims.

An REvil relaunch?

The original REvil ransomware gang shut down in October 2021 after its Tor servers were hijacked, reportedly by law enforcement, followed by Russia arresting some of the gang's members.

However, in April 2022, the operation's original Tor websites mysteriously began redirecting visitors to new websites for what is called the 'BlogXX' operation. In private negotiations with victims, these threat actors call themselves Sodinokibi, a name previously used by the original REvil operation.

Furthermore, security researchers have confirmed that the new operation's encryptor was based on the source code of REvil's encryptor.

Due to the website redirects and code similarities, the new operation is considered by some to be a relaunch of the REvil operation, either by the developers or other members.

However, security researcher MalwareHunterTeam believes this group is BlogXX, a new operation linked to REvil.

Medibank refuses to pay the ransom

Although Medibank is yet to confirm what hacking group is behind this attack, the company said in a press release published today that it refused a ransom demand made by the attackers.

"Today, we've announced that no ransom payment will be made to the criminal responsible for this data theft," Medibank said.

"Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers' data and prevent it from being published."

The health insurer added that paying the attackers would also likely motivate them to go after customers affected by the data breach.

Furthermore, a ransom payment will encourage others to attack Australian organizations, putting more people at risk.

"There is a strong chance that paying puts more people in harm's way by making Australia a bigger target," the company added. "This decision is consistent with the position of the Australian Government."

Attackers accessed the data of millions of customers

Initially, the insurer said it had no evidence of any customer info being accessed or stolen. The company later revealed that the hackers accessed some of its customers' data.

Today, before the ransomware gang starts leaking the allegedly stolen data to back their claims and attempt to force Medibank's hand into negotiating a deal, the company revealed the attackers gained access to sensitive information belonging to millions of customers.

The complete rundown of data Medibank believes was exposed in the breach includes the following:

• Name, date of birth, address, phone number, and email address for approximately 9.7 million current and former customers and authorized representatives
• Medicare numbers (but not expiry dates) for ahm health insurance (ahm) customers
• Passport numbers (but not expiry dates) and visa details for international student customers 
• Health claims data for roughly 480,000 Medibank, ahm, and international customers
• Health provider details, including names, provider numbers, and addresses

Medibank added that it also believes the cybercriminals behind the October attack have not gained access to financial information (credit card and banking details), primary identity documents (e.g., driver's licenses), or health claims data for extras services (like dental, physio, optical and psychology).

"Given the nature of this crime, unfortunately we now believe that all of the customer data accessed could have been taken by the criminal," Medibank added.

"Customers should remain vigilant as the criminal may publish customer data online or attempt to contact customers directly."

H/T AlvieriD

Ransomware gang threatens to release stolen Medibank data

Highlighting findings of the firm's investigation to date, Medibank confirmed that name, date of birth, address, phone number, and email addresses for around 9.7 million current and former customers were accessed in the data theft.

Cyber security issues in Australia have seen a sharp rise in recent times, with a government report suggesting there is one attack every seven minutes.

"Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers' data and prevent it from being published," Medibank CEO David Koczkar said.

Koczkar added that paying a ransom could encourage the hacker to extort customers directly, hurting more people. The insurer reiterated that business operations remained normal during the time of the cyberattack, with customers continuing to access health services.

Medibank warned its customers must be vigilant as the criminal may leak the data online or attempt to contact customers directly.

Corporate Australia has seen a string of attacks in just the last couple of weeks, with Singapore Telecommunications' unit Optus disclosing a breach of up to 10 million customer accounts, and Woolworths revealing that data of millions of customers using its bargain shopping website had been compromised.

Medibank said it will commission an external review to learn from the cyberattack whilst expanding its Cyber Response Support Program.

(Reporting by Roushni Nair in Bengaluru; Editing by Daniel Wallis)

Source

GitHub Copilot, released in June 2022, is an AI-based programming aid that uses OpenAI Codex to generate real-time source code and function recommendations in Visual Studio.

The tool was trained with machine learning using billions of lines of code from public repositories and can transform natural language into code snippets across dozens of programming languages.

Clipping authors out

While Copilot can speed up the process of writing code and ease software development, its use of public open-source code has caused experts to worry that it violates licensing attributions and limitations.

Open-source licenses, like the GPL, Apache, and MIT licenses, require attribution of the author's name and defining particular copyrights.

However, Copilot is removing this component, and even when the snippets are longer than 150 characters and taken directly from the training set, no attribution is given.

Some programmers have gone as far as to call this open-source laundering, and the legal implications of this approach were demonstrated after the launch of the AI tool.

"It appears Microsoft is profiting from others' work by disregarding the conditions of the underlying open-source licenses and other legal requirements," comments Joseph Saveri, the law firm representing Butterick in the litigation.

To make matters worse, people have reported cases of Copilot leaking secrets published on public repositories by mistake and thus included in the training set, like API keys.

Apart from the license violations, Butterick also alleges that the development feature violates the following:

• GitHub's terms of service and privacy policies,
• DMCA 1202, which forbids the removal of copyright-management information,
• the California Consumer Privacy Act,
• and other laws giving rise to the related legal claims.

The complaint was submitted to the U.S. District Court of the Northern District of California, demanding the approval of statutory damages of $9,000,000,000.

"Each time Copilot provides an unlawful Output it violates Section 1202 three times (distributing the Licensed Materials without: (1) attribution, (2) copyright notice, and (3) License Terms)," reads the complaint.

"So, if each user receives just one Output that violates Section 1202 throughout their time using Copilot (up to fifteen months for the earliest adopters), then GitHub and OpenAI have violated the DMCA 3,600,000 times. At minimum statutory damages of $2500 per violation, that translates to $9,000,000,000."

Harming open-source

Butterick also touched on another subject in a blog post earlier in October, discussing the damage that Copilot could bring to open-source communities.

The programmer argued that the incentive for open-source contributions and collaboration is essentially removed by offering people code snippets and never telling them who created the code they are using.

"Microsoft is creating a new walled garden that will inhibit programmers from discovering traditional open-source communities," writes Butterick.

"Over time, this process will starve these communities. User attention and engagement will be shifted [...] away from the open-source projects themselves—away from their source repos, their issue trackers, their mailing lists, their discussion boards."

Butterick fears that given enough time, Copilot will cause open source communities to decline, and by extension, the quality of the code in the training data will diminish.

BleepingComputer has contacted both Microsoft and GitHub for a comment on the above, and we received the following statement from GitHub.

"We’ve been committed to innovating responsibly with Copilot from the start, and will continue to evolve the product to best serve developers across the globe." - GitHub.

Source

"This group abuses Google advertisements for the purpose of malvertising to distribute backdoored versions of Kavach multi-authentication (MFA) applications," Zscaler ThreatLabz researcher Sudeep Singh said in a Thursday analysis.

The cybersecurity company said the advanced persistent threat group has also conducted low-volume credential harvesting attacks in which rogue websites masquerading as official Indian government portals were set up to lure unwitting users into entering their passwords.

Transparent Tribe, also known by the monikers APT36, Operation C-Major, and Mythic Leopard, is a suspected Pakistan adversarial collective that has a history of striking Indian and Afghanistan entities.

The latest attack chain is not the first time the threat actor has set its sights on Kavach (meaning "armor" in Hindi), a mandatory app required by users with email addresses on the @gov.in and @nic.in domains to sign in to the email service as a second layer of authentication.

Earlier this March, Cisco Talos uncovered a hacking campaign that employed fake Windows installers for Kavach as a decoy to infect government personnel with CrimsonRAT and other artifacts.

One of their common tactics is the mimicking of legitimate government, military, and related organizations to activate the killchain. The latest campaign conducted by the threat actor is no exception.

"The threat actor registered multiple new domains hosting web pages masquerading as the official Kavach app download portal," Singh said. "They abused the Google Ads' paid search feature to push the malicious domains to the top of Google search results for users in India."

Since May 2022, Transparent Tribe is also said to have distributed backdoored versions of the Kavach app through attacker-controlled application stores that claim to offer free software downloads.

This website is also surfaced as a top result in Google searches, effectively acting as a gateway to redirect users looking for the app to the .NET-based fraudulent installer.

The group, beginning August 2022, has also been observed using a previously undocumented data exfiltration tool codenamed LimePad, which is designed to upload files of interest from the infected host to the attacker's server.

Zscaler said it also identified a domain registered by Transparent Tribe spoofing the login page of the Kavach app that was only displayed when accessed from an Indian IP address, or else redirected the visitor to the home page of India's National Informatics Centre (NIC).

The page, for its part, is equipped to capture the credentials entered by the victim and send them to a remote server for carrying out further attacks against government-related infrastructure.

The use of Google ads and LimePad points to the threat actor's continued attempts at evolving and refining its tactics and malware toolset.

"APT-36 continues to be one of the most prevalent advanced persistent threat groups focused on targeting users working in Indian governmental organizations," Singh said. "Applications used internally at the Indian government organizations are a popular choice of social engineering theme used by the APT-36 group."

Source

Using a $20 off-the-shelf drone, researchers at the University of Waterloo in Ontario have created what is effectively an airborne scanning device that can triangulate the location of every WiFi-connected device in your house. Yikes.

Researchers Ali Abedi and Deepak Vasisht, who recently presented their findings at the 28th Annual International Conference on Mobile Computing and Networking, call this contraption “Wi-Peep,” which is a deceptively cute name for a project with such horrifying implications. Wi-Peep engages in what researchers call a “location-revealing privacy attack” that can manipulate the data in WiFi networks and use it to “see through walls,” or, rather, approximate the location of devices via sneaky scanning.

How does the attack work?

Researchers say their device exploits security deficiencies in IEEE 802.11—a longstanding wireless protocol for local access networks that has a history of problems with data interception and eavesdropping. The program deploys what is known as a “time-of-flight” technique (ToF), which uses a data manipulation trick to measure the physical distance between a signal and an object.

This is all possible due to a security “loophole” in most WiFi networks which the researchers have dubbed “polite WiFi.” In essence, all smart devices are primed to automatically respond to “contact attempts” from other devices in their area, even if the network is secured via password protection. To manipulate this vulnerability, Wi-Peep emits a ToF signal that attempts to make contact with local devices and subsequently allows for the “surreptitious localization” of specific WiFi-powered devices within a particular building or area. The nature of the device can be assessed via information culled from its MAC address—the unique identifier given out to devices within a particular network. Obviously, this means stuff like your Smart TV, Amazon Echo, cell phone, laptop, or any other “smart” device would all be visible to the sneaky little spy.

Researchers imagine some pretty creepy scenarios involving Wi-Peep’s clandestine collection of data. Abedi and Vasisht worry that a hacker armed with this device could potentially “infer the location of home occupants, security cameras and even home intrusion sensors.”

Taking it one step further, they imagine an intruder:

 A burglar could use this information to locate valuable items like laptops and identify ideal opportunities when people are either not at home or away from a specific area (e.g., everyone is in the basement) by tracking their smartphones or smartwatches.

During his presentation, Abedi further hypothesized that the tool could be used to “track the movements of security guards inside a bank by following the location of their phones or smartwatches. Likewise, a thief could identify the location and type of smart devices in a home, including security cameras, laptops, and smart TVs, to find a good candidate for a break-in. In addition, the device’s operation via drone means that it can be used quickly and remotely without much chance of the user being detected.”

Abedi and Vasisht say they hope their research leads to the development of better protections for WiFi protocols, so that future iterations aren’t as vulnerable to attack as the current ones. “We hope that our work will inform the design of next-generation protocols,” the researchers write.

Source

The goal is to assess UK's vulnerability to cyber-attacks and to help the owners of Internet-connected systems understand their security posture.

"These activities cover any internet-accessible system that is hosted within the UK and vulnerabilities that are common or particularly important due to their high impact," the agency said.

"The NCSC uses the data we have collected to create an overview of the UK's exposure to vulnerabilities following their disclosure, and track their remediation over time."

NCSC's scans are performed using tools hosted in a dedicated cloud-hosted environment from scanner.scanning.service.ncsc.gov.uk and two IP addresses (18.171.7.246 and 35.177.10.231).

The agency says that all vulnerability probes are tested within its own environment to detect any issues before scanning the UK Internet.

"We're not trying to find vulnerabilities in the UK for some other, nefarious purpose," NCSC technical director Ian Levy explained.

"We're beginning with simple scans, and will slowly increase the complexity of the scans, explaining what we're doing (and why we're doing it)."

How to opt out of vulnerability probes

Data collected from these scans includes any data sent back when connecting to services and web servers, such as the full HTTP responses (including headers).

Requests are designed to harvest the minimum amount of info required to check if the scanned asset is affected by a vulnerability.

If any sensitive or personal data is inadvertently collected, the NCSC says it will "take steps to remove the data and prevent it from being captured again in the future."

British organizations can also opt out of having their servers scanned by the government by emailing a list of IP addresses they want to be excluded at scanning@ncsc.gov.uk.

In January, the cybersecurity agency also started releasing NMAP Scripting Engine scripts to help defenders scan for and remediate vulnerable systems on their networks.

The NCSC plans to release new Nmap scripts only for critical security vulnerabilities it believes to be at the top of threat actors' targeting lists.

Source

Robin Banks faced operational disruption in July 2022, when researchers at IronNet exposed the platform as a highly threatening phishing service targeting Citibank, Bank of America, Capital One, Wells Fargo, PNC, U.S. Bank, Santander, Lloyds Bank, and the Commonwealth Bank.

Cloudflare immediately blacklisted the platform’s frontend and backend, abruptly stopping ongoing phishing campaigns from cybercriminals paying a subscription for using the PhaaS platform.

A new report from IronNet warns of the return of Robin Banks and highlights the measures its operators have taken to better hide and protect the platform from researchers.

Among the new features are bypassing multi-factor authentication (MFA) and a redirector that helps avoid detection.

Robin Banks reloaded

To get their service back online, Robin Bank’s operators turned to DDoS-Guard, a Russian internet services provider with a long history of controversial business exchanges, some of its customers being Hamas, Parler, HKLeaks, and, more recently, Kiwi Farms.

To prevent outsiders from accessing the phishing panel, Robin Banks has now added two-factor authentication for customer accounts.

Additionally, all discussions between core administrators are now done through a private Telegram channel.

New redirector

One of the new features that IronNet’s analysts discovered in Robin Banks is the use of ‘Adspect,’ a third-party cloaker, bot filter, and ad tracker.

PhaaS platforms use tools like Adspect to direct valid targets to phishing sites while redirecting scanners and unwanted traffic to benign websites, thus evading detection.

Adspect functional diagram (adspect.ai)

 

IronNet comments that Adspect does not advertise itself as a phishing aid; however, its services are promoted on several dark web forums and on Telegram channels dedicated to phishing.

MFA bypassing

Robin Banks developers have also implemented the ‘Evilginx2’ reverse proxy for ‘adversary-in-the-middle’ (AiTM) attacks and steal cookies containing authentication tokens.

Evilginx2 is a reverse-proxy tool that establishes communication between the victim and the real service’s server, forwarding login requests and credentials and capturing the session cookie in transit.

This helps the phishing actors bypass the MFA mechanism because they can use the captured cookies to log into an account as if they were the owner.

Robin Banks sells this new MFA-bypassing feature separately, and advertises that it works with Google, Yahoo, and Outlook 'phislets'.

Promoting the new cookie-stealing feature (IronNet)

 

The fact that Robin Banks persists by relying exclusively on readily available tools and services proves that PhaaS platforms can be built by anyone determined enough.

The wide availability of these platforms opens the door to less technical cybercriminals, allowing them to launch powerful phishing attacks and bypass MFA to steal valuable accounts.

Source

"The media company in question is a firm that provides both video content and advertising to major news outlets. [It] serves many different companies in different markets across the United States," Sherrod DeGrippo, VP of threat research and detection at Proofpoint, told BleepingComputer.

The threat actor behind this supply-chain attack (tracked by Proofpoint as TA569) has injected malicious code into a benign JavaScript file that gets loaded by the news outlets' websites.

This malicious JavaScript file is used to install SocGholish, which will infect those who visit the compromised websites with malware payloads camouflaged as fake browser updates delivered as ZIP archives (e.g., Chromе.Uрdatе.zip,

Chrome.Updater.zip, Firefoх.Uрdatе.zip, Operа.Updаte.zip, Oper.Updte.zip) via fake update alerts.

"Proofpoint Threat Research has observed intermittent injections on a media company that serves many major news outlets. This media company serves content via Javascript to its partners," Proofpoint's Threat Insight team revealed today in a Twitter thread.

"By modifying the codebase of this otherwise benign JS, it is now used to deploy SocGholish."

Malicious JavaScript file obfuscated contents (BleepingComputer)

 

In total, the malware has been installed on sites belonging to more than 250 U.S. news outlets, some of them being major news organizations, according to security researchers at enterprise security firm Proofpoint.

While the total number of impacted news organizations is currently unknown, Proofpoint says it knows of affected media organizations (including national news outlets) from New York, Boston, Chicago, Miami, Washington, D.C., and more.

"TA569 has previously leveraged media assets to distribute SocGholish, and this malware can lead to follow-on infections, including potential ransomware," DeGrippo also told BleepingComputer.

"The situation needs to be closely monitored, as Proofpoint has observed TA569 reinfect the same assets just days after remediation."

Link to ransomware attacks

Proofpoint has previously observed SocGholish campaigns using fake updates and website redirects to infect users, including, in some cases, ransomware payloads.

The Evil Corp cybercrime gang also used SocGholish in a very similar campaign to infect the employees of more than 30 major U.S. private firms via fake software update alerts delivered via dozens of compromised U.S. newspaper websites.

The infected computers were later used as a stepping point into the employers' enterprise networks in attacks attempting to deploy the gang's WastedLocker ransomware.

Luckily, Symantec revealed in a report that it blocked Evil Corp's attempts to encrypt the breached networks in attacks targeting multiple private companies, including 30 U.S. corporations, eight of them Fortune 500 companies.

SocGholish has also recently been used to backdoor networks infected with the Raspberry Robin malware in what Microsoft described as Evil Corp pre-ransomware behavior.

Source

Laplas is different from other malware of the same kind, which are typically just add-ons of info-stealing malware. The new clipper is a feature-rich tool that gives hackers more granular control and better insight into the efficiency of their operations.

The tool is provided under a subscription model, the most expensive tier being $549 for a year's access to the web-based panel that allows operators to monitor and control their attacks.

Laplas promoted on Russian-speaking darknet forums - courtesy of KELA

 

In about a week, the number of Laplas Clipper samples spotted in the wild grew from less than 20 a day to 55 at the end of last month, security researchers at Cyble note in a report.

Currently, Laplas is distributed through the Smoke Loader and the Raccoon Stealer 2.0, showing that it has attracted the attention of the cybercrime community.

The Laplas approach

Standard clipboard stealers, also called clippers, monitor the Windows clipboard and activate when they detect a cryptocurrency wallet address that users typically copy as the destination for a payment.

When this happens, the clipper changes that address with one belonging to the cybercriminals, thus diverting the payment to the attacker.

To counter this risk, many crypto holders today check if the address in the clipboard is the intended one by comparing a few characters, which makes most clippers less effective.

The developers of Laplas came up with a new approach to deceive keen-eyed crypto users by using addresses that closely resemble the one the victim copied.

Basic wallet generation settings - source: BleepingComputer

 

It is unclear how the hackers obtain the similar addresses. In tests BleepingComputer made, we were able to generate an address similar to the original input as fast as five seconds.

However, this is significantly more than what it takes an average user to copy and paste, which could raise the suspicions.

One theory is that the hackers pre-generated a massive number of addresses in advance for Laplas to pick the ones that are similar to what the victim used.

Cyble notes that this process happens on the attacker's server so the exact mechanism remains unknown. Identifying an address that is similar to what the victim pasted in the clipboard is done using regular expressions.

Laplas replacing clipboard address with the hacker's address - source: Cyble

 

Cyble shared with BleepingComputer that their research showed that Laplas retrieved a Bitcoin address that matched the first and last few characters of the one pasted in the clipboard.

However, in the case of Ethereum the address fetched from the attacker's server looked nothing like the original it tried to spoof. 

The clipper supports wallet address generation for Bitcoin, Bitcoin Cash, Litecoin, Ethereum, Dogecoin, Monero, Algorand, Ravecoin, Ripple, Zcash, Dash, Ronin, Tron, Tezos, Solana, Cardano, Cosmos, Qtum, and Steam Trade URLs.

Wallet addresses supported by Laplas - source: BleepingComputer

 

According to the author’s promotional post on the dark web, the new addresses are generated in less than a second and are added to the web panel along with the balance they currently hold.

Generated wallets are stored in the database for three days, but operators can send the access keys to their Telegram accounts to assume control of the wallets later.

Users can also use Telegram to receive real-time notifications about any of the clipper’s actions in compromised hosts, like stealing a significant amount.

Defining Telegram to receive alerts - source: BleepingComputer

 

Keep safe

Users should avoid downloading executables from obscure websites or running attachments received over email.

It is recommended to spend an extra moment and validate the recipient's address before making a cryptocurrency transaction.

Storing wallet seeds in encrypted form should also make it more difficult for cybercriminals to obtain access to the cryptocurrency funds, even if they get the info.

When analyzing tools used by the ransomware gang in attacks, the researchers found signs that a developer for FIN7 has also authored the EDR (Endpoint Detection and Response) evasion tools used exclusively by Black Basta since June 2022.

Further evidence linking the two includes IP addresses and specific TTPs (tactics, techniques, and procedures) used by FIN7 in early 2022 and seen months later in actual Black Basta attacks.

Background

FIN7 is a Russian-speaking, financially motivated hacking group that has been active since at least 2015, deploying POS malware and launching targeted spear-phishing attacks against hundreds of firms.

In 2020, the group started exploring the ransomware space, and by October 2021, it was revealed that it had set up its own network intrusion operation.

A 2022 Mandiant report explained that FIN7 was working with various ransomware gangs, including Maze, Ryuk, Darkside, and BlackCat/ALPHV, apparently carrying out the initial compromise.

Black Basta is a ransomware operation launched in April 2022, showing signs of previous experience by immediately announcing multiple high-profile victims and convincing many analysts it was a Conti rebrand, or at least contained members from the now-shutdown operation.

The new ransomware operation has kept a closed profile, not promoting itself as a ransomware-as-a-service or recruiting affiliates, indicating it may be a private group.

FIN7 developer

Starting from June 2022 and onwards, Black Basta was observed deploying a custom EDR evasion tool used exclusively by its members.

By digging deeper into this tool, Sentinel Labs found an executable, "WindefCheck.exe," that displays a fake Windows Security GUI and tray icon that gives users the illusion that Windows Defender is working normally.

In the background, though, the malware disables Windows Defender, EDR, and antivirus tools, ensuring that nothing will jeopardize the data exfiltration and encryption process.

This tool is illustrated below, where the top image shows the fake Windows Security screen, with various security settings appearing to be enabled and protecting the device. 

However, the screen underneath shows the actual status of these security settings being disabled.

Tool showing fake Windows security screen, with real one underneath (Sentinel Labs)

 

The analysts retrieved more samples linked to that tool and found one packed with an unknown packer, which was identified as ‘SocksBot,’ a backdoor that FIN 7 has been using and developing since at least 2018.

Furthermore, the backdoor connects to a C2 IP address belonging to "pq.hosting," a bulletproof hosting provider FIN7 trusts and uses regularly.

“We assess it is likely the threat actor developing the impairment tool used by Black Basta is the same actor with access to the packer source code used in FIN7 operations, thus establishing for the first time a possible connection between the two groups,” explains the report by Sentinel Labs.

Additional evidence of a connection between FIN7 and Black Basta concerns FIN7’s early 2022 experimentation with Cobalt Strike and Meterpreter C2 frameworks in simulated malware-dropping attacks.

Cobalt Strike beacon and SocksBot sample packed with the same packer (Sentinel Labs)

 

The same activity using the exact custom tools, plugins, and delivery methods was observed many months later in actual attacks by Black Basta.

While these technical similarities point to Fin7 members being part of the Black Basta operation, it is still unclear whether they are just devs for the group, operators, or affiliates using their own tools during attacks.

For those interested in learning more about Black Basta's TTPs, researcher Max Malyutin also published a report on Monday detailing how QBot infections and AV evasion are linked to the ultimate deployment of the group's ransomware.

Source

Email services at the observatory are currently limited, and IT specialists are working toward restoring the affected systems.

The organization informed the public about the security incident on Twitter yesterday, saying that at this time, given the nature of the episode, it is impossible to estimate a date for a return to normal operations.

The observatory also clarified that the attack did not compromise the ALMA antennas or any scientific data, indicating that there are no signs of unauthorized data access or exfiltration.

BleepingComputer has contacted ALMA Observatory in an attempt to learn more about the security incident, and a spokesperson shared the following comment:

"We cannot further discuss the details as there is an ongoing investigation.

Our IT team was prepared to face the situation and had the proper infrastructure, although there is no flawless defense against hackers.

We are still working hard on the full recovery of services. Thanks for your understanding." - ALMA Observatory.

The ALMA observatory is comprised of 66 high-precision radio telescopes of 12 m diameter arranged in two arrays, located at an elevation of 5,000 m (16,400 ft) at the Chajnantor plateau.

The project cost $1.4 billion, making it the world’s most expensive ground telescope, and it was developed thanks to a multi-national effort involving the United States, Europe, Canada, Japan, South Korea, Taiwan, and Chile.

Since 2013 when ALMA entered normal operational status, it has aided pioneering comet and planetary formation studies, participated in the Event Horizon project to photograph a black hole for the first time in history, and detected the biomarker ‘phosphine’ in the atmosphere of Venus.

The observatory is used by scientists of the National Science Foundation, the European Southern Observatory, the National Astronomical Observatory of Japan, and other groups from around the world, so any halt in its operations impacts multiple science teams and ongoing projects.

For now, users are advised to keep an eye out for status updates on NRAO’s website or ALMA Observatory’s social media channels.

Observers can use this online portal to receive support from the organization.

Between 2018 and 2022, the hackers launched more than 35 successful attacks, about a third of them carried out in 2020.

Analysts at Group-IB, working with the CERT-CC department at Orange, have been tracking OPERA1ER since 2019 and noticed that the group changed its techniques, tactics, and procedures (TTPs) last year.

Concerned about losing the threat actor's tracks, the cybersecurity company waited for the group to resurface to publish an updated report. This year, Group-IB observed that the hackers were active once again.

Overview of OPERA1ER's activity (Group-IB)

 

OPERA1ER attack details

 

The hacker group is formed of French-speaking members believed to operate from Africa. Apart from targeting companies in Africa, the gang also hit organizations in Argentina, Paraguay, and Bangladesh.

OPERA1ER relies on open-source tools, commodity malware, and frameworks like Metasploit and Cobalt Strike to compromise company servers.

They obtain initial access through spear-phishing emails leveraging popular topics like invoices or postal delivery notifications.

The emails have attachments that deliver the first-stage malware, among them Netwire, bitrat, venomRAT, AgentTesla, Remcos, Neutrino, BlackNET, and Venom RAT. Group-IB also says that the hackers distributed password sniffers and dumpers.

According to the researchers, OPERA1ER can spend between three to twelve months inside the compromised networks, and sometimes they attack the same company twice.

The researchers say that after getting access to a victim network, the hackers may also use the infrastructure as a pivot point to other targets.

Group-IB says that the threat actor creates “high-quality” spear-phishing emails that are written in French. Most of the times, the messages impersonate either the government tax office or a hiring agent from the Central Bank of West African States (BCEAO).

One of the phishing emails used by the hackers - source: Group-IB

 

Using stolen credentials, OPERA1ER accesses email accounts and performs lateral phishing, studies internal documentation to understand money transfer procedures and protection mechanisms, and carefully plans the final, cashing out step.

Typically, the hackers targeted operator accounts that controlled large amounts of money and used stolen credentials to transfer the funds into Channel User accounts, eventually moving them into subscriber accounts under their control.

OPERA1ER's cashing out procedure (Group-IB)

 

In a report today, Group-IB explains that the gang withdraws the cash via a network of ATMs.

Usually, the cashing out event took place on a holiday or over the weekend to minimize the chances of the compromised organizations responding to the situation in time.

On victimized banks, OPERA1ER targeted the SWIFT messaging interface software that communicates all details for financial transaction, and siphoned key information about the anti-fraud systems they needed to bypass.

For the complete list of the indicators of compromise (IoCs) and technical details for attacks attributed to OPERA1ER, Group-IB’s has published a 75-page technical report.

Source

LockBit also allegedly stole some data from Continental's systems, and they are threatening to publish it on their data leak site if the company doesn't give in to their demands within the next 22 hours.

The gang has yet to make any details available regarding what data it exfiltrated from Continental's network or when the breach occurred.

Ransomware gangs commonly publish data on their leak sites as a tactic to scare their victims into negotiating a deal or into returning to the negotiation table.

Since LockBit says that it will publish "all available" data, this indicates that Continental is yet to negotiate with the ransomware operation or it has already refused to comply with the demands.

Continental entry on Lockbit's data leak site (BleepingComputer)

 

Breached in an August cyberattack

 

Continental's VP of Communications & Marketing, Kathryn Blackwell, didn't confirm LockBit's claims and would not share any details regarding the attack when BleepingComputer reached out but, instead, linked to a press release from August 24 regarding a cyberattack that led to a breach of Continental's systems.

"Please see the statement we have issued on this topic. Unfortunately, I cannot provide you with any further details," Blackwell told BleepingComputer.

According to the press release, the company detected a security breach in early August after attackers infiltrated parts of its IT systems.

"Immediately after the attack was discovered, Continental took all necessary defensive measures to restore the full integrity of its IT systems," Continental said.

"With the support of external cybersecurity experts, the company is conducting an investigation into the incident. The investigation is ongoing."

The automotive multinational is yet to share its findings. Blackwell also refused to link the August cyberattack to LockBit's claims and told BleepingComputer that she "cannot provide any further detail at this time."

Continental reported sales of €33.8 billion in 2021, and it employs more than 190,000 people across 58 countries and markets.

The LockBit ransomware gang

LockBit ransomware first surfaced in September 2019 as a ransomware-as-a-service (RaaS) operation. It relaunched as the LockBit 2.0 RaaS in June 2021 after ransomware groups were banned on cybercrime forums [1, 2].

In February, the FBI released a flash alert containing LockBit indicators of compromise and asking organizations breached by the gang to report any incidents urgently.

Several months later, in June, LockBit released 'LockBit 3.0' and introduced Zcash cryptocurrency payment options, new extortion tactics, as well as the first ransomware bug bounty program.

Earlier this year, LockBit also claimed ransomware attacks on the Italian Internal Revenue Service and digital security giant Entrust. In 2021, Fortune 500 company Accenture also confirmed it was breached after the gang asked for a $50 million ransom not to leak data stolen from its network.

However, LockBit's claims that they breached Mandiant were dismissed by the cybersecurity company and proved to be nothing more than an attempt to distance itself from the Evil Corp cybercrime gang following a Mandiant report linking the two.