Microsoft Internet Information Services (IIS) is a web server that allows hosting websites and web applications. It’s also used by other software such as Outlook on the Web (OWA) for Microsoft Exchange to host management apps and web interfaces.

Like any web server, when a remote user accesses a webpage, IIS will log the request to log files that contain the timestamp, source IP addresses, the requested URL, HTTP status codes, and more.

These logs are typically used for troubleshooting and analytics, but a new report by Symantec shows that a hacking group is utilizing the novel technique of using IIS logs to send commands to backdoor malware installed on the device.

Malware commonly receives commands through network connections to command and control servers. However, many organizations monitor network traffic to find malicious communication.

On the other hand, web server logs are used to store requests from any visitor worldwide and are rarely monitored by security software, making them an interesting location to store malicious commands while reducing the chances of being detected.

This is somewhat similar to the technique of hiding malware in Windows Event Logs, seen in May 2022, used by threat actors to evade detection.

Researchers at Symantec who discovered this new tactic say it’s the first time they observed it in the wild.

For a group of skillful cyberspies like Cranefly, previously spotted by Mandiant spending 18 months in compromised networks, evading detection is a crucial factor in their malicious campaigns.

New trojan for new tricks

Symantec discovered a new dropper used by Cranefly, named "Trojan.Geppei," which installs "Trojan.Danfuan," a previously unknown malware.

Geppei reads commands directly from the IIS logs, looking for specific strings (Wrde, Exco, Cllo) that are then parsed to extract commands and payloads.

"The strings Wrde, Exco, and Cllo don't normally appear in IIS log files," explains the report by Symantec.

"These appear to be used for malicious HTTP request parsing by Geppei; the presence of these strings prompts the dropper to carry out activity on a machine."

Depending on the string found in the IIS log, the malware will install additional malware ('Wrde' string), execute a command ('Exco' string), or drop a tool that disables IIS logging ('Cllo' string).

For example, if the HTTP request contains the "Wrde" string, Geppei drops a ReGeorg webshell or a previously undocumented Danfuan tool in a specified folder.

ReGeorg is a documented malware that Cranefly uses for reverse proxying, while Danfuan is a newly discovered malware that can receive C# code and compile it dynamically on the host's memory.

If the request contains the "Exco" string, the backdoor decrypts and launches an OS command on the server.

Finally, the "Cllo" string calls the clear() function that drops a hacking tool named "sckspy.exe," which disables event log logging on the Service Control Manager.

Cranefly uses this stealthy technique to maintain a foothold on compromised servers and silently gather intelligence.

This tactic also helps evade tracking by law enforcement and researchers, as the attackers can deliver commands through various means like proxy servers, VPNs, Tor, or online programming IDEs.

It is unknown how long the threat actors might have been abusing this method in their attacks or how many servers have been compromised. 

While many defenders are likely already monitoring IIS logs for signs of web shells, those routines may need to be tweaked to also search for the command strings used in this campaign.

Source

The platform had already gone offline in March 2022, with 16,000 registered users, 28,000 posts, and 72 high-volume sellers of prohibited goods, including weapons and drugs.

The suspect now faces criminal charges for operating an illicit trading platform, which incurs up to ten years of imprisonment.

Deutschland im Deep Web history

The original DiDW platform was launched in 2013 as a forum to discuss IT security and anonymization. At its peak in 2017, it reached 23,000 registered users and 6 million monthly hits.

However, the site was also used for selling illegal items such as weapons and drugs, using an escrow system for payments to protect members from fraudulent listings. This essentially made DiDW a darknet market under the guise of a forum.

BKA's announcement of the arrest mentions a characteristic example of a Munich shooter in 2016 who used the platform at the time to procure the murder weapon and ammunition.

In 2017, soon after that incident, the website was shut down by law enforcement, and its operator was arrested and sentenced to seven years in prison.

In 2018, two new versions of the platform appeared on the dark web, using the motto "No control, everything allowed," implying the new operators no longer cared about masking illegal activities on the site.

This second iteration of DiDW shut down on its own in 2019 without giving any reason, and only ten days later, a third version of the site appeared online as the official successor of the darknet market brand.

Eventually, after five years of investigation, the federal police managed to identify the alleged admin of the third version of DiDW, arresting him on October 25, 2022.

Identifying the operators of darknet platforms that have gone defunct for several years isn't uncommon, as cybercrime investigators work on these cases for extended periods.

On Tuesday, the U.S. Department of Justice arraigned a 34-year-old hacker suspected of operating the darknet market 'The Real Deal,' which shut down back in November 2016.

Aurubis is Europe's largest copper producer and the second largest in the world, with 6,900 employees worldwide, and produces one million tonnes of copper cathodes yearly.

In an announcement published on their website, Aurubis says they shut down various systems at their locations but that it has not impacted production.

"The production and environmental protection facilities at the smelter sites are running, and incoming and outgoing goods are also being maintained manually," comments Aurubis' announcement.

At this time, the company is still assessing the impact of the cyberattack, and is working closely with the authorities to speed up the process.

The priority now is to maintain the production volumes at normal levels and keep the raw material supply and the delivery of finished goods unruffled.

For this reason, some operations have turned to manual mode to keep the flow of incoming and outgoing goods adequate for as long as required until computer-assisted automation returns at the smelters.

Aurubis states that it's impossible to estimate how long it will take for all its systems to return to normal operations.

Until that happens, there's a plan to establish transitional solutions that will give the company and its customers an alternative communication channel. For now, the only way to reach Aurubis is via the phone.

While all the above carry the typical signs of a ransomware attack, Aurubis has not provided any details on its cyberattack.

However, Aurubis states that the attack "part of a larger attack on the metals and mining industry."

BleepingComputer has contacted the company to learn more about the incident, and we will update this post as soon as we receive a response.

The last time such a large metal producer was hit by ransomware was in March 2019, when LockerGoga forced aluminum giant Norsk Hydro to shut down its IT systems.

Source

Meet the Windows servers that have been fueling massive DDoSes for months

A scientist’s quest for an accessible, unhackable voting machine

ACL is an Australian healthcare company that operates 89 laboratories and performs six million tests annually, offering its services to 92 private and public hospitals across Australia.

While the firm says it’s not aware of any misuse of the stolen information, it is notifying all impacted clients individually of what data was exposed in the attack.

A data breach incident notification published today gives the following summary of leaked data:

• 128,608 Medicare numbers, along with full names.
• 28,286 credit card numbers, 12% of which include CVV code, and 55% expired.
• 17,539 individual medical and health records associated with pathology tests.

Australia’s Cyber Security Center (ACSC) and the Office of the Information Commissioner (OAIC) have already been notified about the incident earlier in the year, with ACSC initially warning MedLab that hackers posted their data to the dark web.

All impacted individuals will also be offered free-of-charge credit monitoring and identity theft protection services, while ACL will cover the costs of ID document replacements where needed.

Quantum ransomware

The ransomware gang that took responsibility for the attack on Medlab Pathology is Quantum, which uploaded all stolen files on its Tor site on June 14, 2022.

The threat actors leaked 86GB of data, including patient and employee details, financial reports, invoices, contracts, forms, subpoenas, and other private documents.

According to Quantum ransomware’s website, the data leak page for MedLab has been accessed 130,000 times.

Overly delayed disclosure

The disclosure of a cybersecurity incident nine months after it happened isn’t a rapid response, and ACL’s announcement includes a section that attempts to justify this delay.

When MedLab detected unauthorized access to its network in February 2022, the firm conducted a forensic investigation which they say didn’t reveal anything worrying.

In March 2022, ACSC contacted ACL after receiving intelligence that the incident they had suffered was a ransomware attack. In June 2022, the ACSC notified MedLab that the ransomware gang posted the stolen data to a data leak site.

So, according to the company, it took them roughly five months to even realize someone had exfiltrated files from their systems.

As for the four more months from that point until today’s disclosure, ACL says the data set was too complicated to quickly determine what customers were affected.

Sydney-based reporter Jeremy Kirk tweeted that sources examining the leaked data confirmed it was unstructured but not to the point of taking months to analyze.

Over the past two months, Australia has been hit with numerous data breaches and cyberattacks, including attacks on Optus, Medibank, MyDeal, and Vinomofo.

While hackers are likely not specifically targeting organizations in the country, the Australian government is proposing new data protection laws to provide greater insight into data breaches and to impose more significant fines on companies not adequately protecting data.

Source

Drinik has been circulating in India since 2016, operating as an SMS stealer, but in September 2021, it added banking trojan features that target 27 financial institutes by directing victims to phishing pages.

Analysts at Cyble have been following the malware and report that its developers have evolved it into a full Android banking trojan with screen recording, keylogging, abuse of Accessibility services, and the ability to perform overlay attacks.

Stealing credentials from real sites

The latest version of the malware comes in the form of an APK named 'iAssist,' which is supposedly India's Income Tax Department's official tax management tool.

Upon installation, it requests permissions to receive, read, and send SMS, read the user's call log, and read and write to external storage.

Next, it requests the user the allow the app to (ab)use the Accessibility Service. If granted, it disables Google Play Protect and uses it to perform navigation gestures, record the screen, and capture key presses.

Eventually, the app loads the actual Indian income tax site via WebView instead of phishing pages like past variants and instead steals user credentials by recording the screen and using a keylogger.

Loading the actual tax site and activating the screen recorder (Cyble)

 

Drinik will also check if the victim ended up on a URL that indicates a successful login to ensure that the exfiltrated details (user ID, PAN, AADHAR) are valid.

At this stage, the victim is served a fake dialogue box saying that the tax agency found they're eligible for a refund of Rs 57,100 ($700) due to previous tax miscalculations and are invited to tap the "Apply" button to receive it.

Code to display the fake refund message (Cyble)

 

This action takes the victims to a phishing page that is a clone of the real Income Tax Department site, where they are directed to enter financial information, including account number, credit card number, CVV, and card PIN.

Targeting banks

To target the eighteen banks, Drinik constantly monitors the Accessibility Service for events related to the targeted banking apps, such as their apps.

The keywords that activate Drinik's loggers (Cyble)

 

The targeted banks include SBI (State Bank of India), one of the largest banks in the world, serving 450,000,000 people via a massive network of 22,000 branches.

If there’s a match, the malware collects keylogging data that contain user credentials and siphons them to the C2 server.

During this attack, Drinik abuses the “CallScreeningService” to disallow incoming calls that may interrupt the login and, by extension, the data-stealing process.

Drinik evolving

While Drinik isn’t as sophisticated or advanced as other banking trojans, its authors appear determined to make it more powerful, constantly adding features that make it harder to detect.

Evolution of Drinik (Cyble)

 

Going after Indian taxpayers and banking customers means that Drinik has a massive targeting pool, so every new successful feature potentially translates to substantial financial gains for the malware’s operators.

To avoid this threat, always avoid APK downloads from outside the Play Store and enable biometric authentication, such as 2FA, for logging in to e-banking portals.

Caused by Windows security updates released during this month's Patch Tuesday, on October 11th, the issue has now also been fixed on Windows 11 22H2 systems.

On impacted Windows 11 devices, users see SEC_E_ILLEGAL_MESSAGE errors in applications when connections to servers experience issues.

"We address an issue that might affect some types of Secure Sockets Layer (SSL) and Transport Layer Security (TLS) connections. These connections might have handshake failures," Microsoft said.

"For developers, the affected connections are likely to receive one or more records followed by a partial record with a size of less than 5 bytes within a single input buffer."

Since KB5018496 is an optional preview update, it doesn't contain any security fixes and will not be installed automatically.

You can install it on your device by going into Settings > Windows Update, clicking 'Check for Updates,' and then selecting the optional preview to download and install.

Out-of-band updates for older Windows versions

Microsoft has also released out-of-band standalone packages and cumulative updates to address the issue on older Windows versions:

• Cumulative updates:
  • Windows 11, version 21H2: KB5020387
  • Windows Server 2022: KB5020436
  • Windows 10, version 20H2; Windows 10, version 21H1; Windows 10, version 22H1; Windows 10 Enterprise LTSC 2021: KB5020435
  • Windows 10 Enterprise LTSC 2019; Windows Server 2019: KB5020438
  • Windows 10 2016 LTSB; Windows Server 2016: KB5020439
  • Windows 10 2015 LTSB; KB5020440

• Standalone Updates:
  • Windows 8.1; Windows Server 2012 R2: KB5020447
  • Windows Server 2012: KB5020449
  • Windows 7 SP1; Windows Server 2008 R2 SP1: KB5020448

These updates can't be installed via Windows Update, Windows Update for Business, or Windows Server Update Services (WSUS).

To install them, you must download them from the Microsoft Update Catalog and import them into WSUS and Microsoft Endpoint Configuration Manager.

You can find the complete list of fixes and improvements included with the KB5018496 preview update in this support bulletin.

Source

This blocklist (stored in the DriverSiPolicy.p7b file) is designed to block threat actors from dropping legitimate but vulnerable drivers on targets' systems in Bring Your Own Vulnerable Driver (BYOVD) attacks on HVCI-enabled Windows machines or those running Windows in S Mode.

The flawed drivers are then exploited to escalate privileges in the Windows kernel and execute malicious code, disabling security solutions and taking control of the device.

This is a well-known and popular attack technique amongst threat actors of all skill levels, from ransomware gangs to state-sponsored hacking groups.

Although Microsoft has been advertising its driver blocklist as capable of hardening Windows systems against vulnerable third-party drivers, ANALYGENCE security analyst Will Dormann found that wasn't the case.

As Dormann discovered, unlike Windows 11 devices, even up-to-date Windows 10 and Windows Server systems were being provided with an outdated list of vulnerable drivers from December 2019, exposing customers who thought they were protected to BYOVD attacks.

Microsoft reluctantly acknowledged his findings and promised to address this issue and update its misleading online support docs.

Driver blocklist sync finally fixed

More than a month after Dormann revealed that the list of vulnerable drivers wasn't kept up to date on Windows 10 and some Windows Server systems, Microsoft has now finally addressed this issue.

"The vulnerable driver list is regularly updated, however we received feedback there has been a gap in synchronization across OS versions," a Microsoft spokesperson told BleepingComputer.

Unfortunately, this “gap” meant that the driver blocklist was not synced with any Windows 10 systems since 2019 even though Microsoft kept updating on their end, effectively breaking the feature.

"We have corrected this and it will be serviced in upcoming and future Windows Updates. The documentation page will be updated as new updates are released."

Redmond has addressed the driver blocklist sync issue with the October 2022 preview update, ensuring that the blocklist is the same across Windows 10 and 11.

Starting with the Windows 11 2022 update (version 22H2), the blocklist is also enabled by default on all devices. Still, customers can disable it using the Windows Security app (only in Insider builds) by turning off HVCI (memory integrity) or disabling Windows in S Mode.

"Blocking drivers can cause devices or software to malfunction. In rare cases, it leads to a stop error," Microsoft warned on Tuesday. "There is no guarantee that the blocklist will block every driver that has weaknesses."

Update October 26, 15:10 EDT: The article was revised to make it clear that only Insiders can disable the blocklist using the Windows Security app.

Source

In an announcement published today, the companies warned that an internal investigation into the attack has shown that the threat actors had far greater access to customer data than initially thought.

More specifically, Medibank has confirmed that the following data was compromised:

• All ahm customers' personal data and significant amounts of health claims data.
• All international student customers' personal data and significant amounts of health claims data.
• All Medibank customers' personal data and significant amounts of health claims data.

While data access and data exfiltration are separate things, Medibank found evidence that, in some cases, the threat actors managed to remove some of the accessed data, so customers should assume that all of this data was stolen.

"As previously advised, we have evidence that the criminal has removed some of this data, and it is now likely that the criminal has stolen further personal and health claims data," explains the announcement.

"As a result, we expect that the number of affected customers could grow substantially."

Last week, Medibank assured its 2.8 million customers that there was no evidence of any customer data having been accessed or exfiltrated and claimed the hackers didn't encrypt anything before they were stopped.

However, many ransomware gangs steal corporate data before attempting to encrypt devices, which appears to have happened during this attack.

A few days after the company played down the impact of the security incident, the ransomware gang made contact to extort the company, providing a sample of 100 stolen files out of an alleged 200GB of data stolen during the attack.

Medibank soon realized that the threat actors had exfiltrated client data, so the internal investigation took a more targeted approach, eventually revealing a full-scale data breach.

Based on this development, Medibank now upgrades its response and support to customers by providing the following:

• Financial support for customers who are in a uniquely vulnerable position as a result of this crime.
• Free identity monitoring services for customers who have had their primary ID compromised
• Reimbursement of fees for re-issue of identity documents that have been fully compromised in this crime.
• Specialist identity protection advice and resources from IDCARE.
• Medibank's mental health and wellbeing support line.

Australia responds to breaches

Meanwhile, following a series of high-profile and damaging data breaches that hit several Australian firms in the past couple of weeks, the government is working to introduce stricter data protection laws.

A proposal published by the Australian Government on Saturday for the new Privacy Legislation Amendment Bill 2022 aims to:

• Increase privacy breach penalties from $2.22 million AUD to $50 million AUD,
• or three times the value of any benefit obtained through the misuse of information, if greater,
• or 30% of a company's adjusted turnover in the relevant period, if greater.

The Bill will also give the Australian Information Commissioner greater powers to resolve privacy breaches and force companies to share all details about what was compromised with the agency.

It also establishes a data-sharing channel between the Commissioner and the Australian Communications and Media Authority.

Medibank now says hackers accessed all its customers’ personal data

This new system aims at relieving user anxiety and bolstering confidence that nobody can access or copy their personal data, even with physical access to the device.

"Our whole lives are on our phones, from credit card information to family photos," comments Samsung's VP and Head of Security, Seungwon Shin, in the announcement.

The new mode is available in Settings, under the "Battery and device care" menu. Once enabled, the mode is active after rebooting the device.

Doing so creates an auxiliary user account on the device, completely isolated from all applications the owner installed, the stored data, and the filesystem.

This makes photos, documents, and messages associated with the owner's account unavailable to the new user.

Samsung still recommends backing up valuable personal data to ensure make sure it can be recovered if the storage media or other component fails during servicing.

Maintenance Mode will allow service technicians to perform any action they need to carry out in the context of repair work, like testing device functions, running system apps, downloading software from the Galaxy Store, etc.

Once the device is returned to its owner and they enter their regular account password, the second account, data created, and apps installed during Maintenance Mode are automatically wiped.

Note that Maintenance Mode will not reach every Galaxy phone in the world immediately. Samsung is planning to roll out the new feature gradually.

The Korean tech giant has prioritized the Samsung Galaxy S21 and S22 series models running on One UI 5, so these will get the feature first.

The rollout will continue throughout 2023, expanding to more Galaxy models, but Samsung hasn't published a list of them yet.

Source

The operation relies on abusing the limited resources offered to free-tier cloud accounts to generate a tiny profit from each free account, which, when combined, becomes something more significant.

The threat actor behind the campaign, called 'Purpleurchin,' was observed performing over a million function calls daily, using CI/CD service providers such as GitHub (300 accounts), Heroku (2,000 accounts), and Buddy.works (900 accounts).

The use of those accounts is rotated and channeled through 130 Docker Hub images with mining containers, while obfuscation on all operational levels has kept Purpleurchin undetected until now.

Operation details

In a new report by Sysdig, researchers explain that the core of the operation is a linuxapp container ('linuxapp84744474447444744474') that acts as the command and control server (C2) and Stratum server, coordinating all active mining agents and directing them to the threat actor's mining pool.

A shell script ('userlinux8888') is used to automate the creation of GitHub accounts, create a repository, and replicate the workflow using GitHub actions. All GitHub actions are obfuscated using random strings for the names.

Purpleurchin uses OpenVPN and Namecheap VPN to register each account with a different IP address to evade GitHub's bot activity detection.

The GitHub actions launch over 30 instances of Docker images on each run, using pre-set arguments for the script to be executed, proxy IP and port to connect to, Stratum ID name, and max memory and CPU amounts to use.

Eventually, another script ("linuxwebapp88") will validate the configuration on the Stratum server, receive the Docker command contained in the GitHub repository, and start the miner container.

The campaign's operational diagram (Sysdig)

 

The miner uses a tiny part of the server's CPU power to stealthily mine a range of crypto coins such as Tidecoin, Onyx, Surgarchain, Sprint, Yenten, Arionum, MintMe, and Bitweb.

The mining process employs a custom Stratum mining protocol relay that hampers network scanners' ability to discover the outbound connections to mining pools.

This relay also obscures the threat actor's crypto wallet address, so Purpleurchin's profit remains an unanswered question for Sysdig's analysts.

Profit and damage

The cryptocurrency chosen by the threat actors to mine are marginally profitable, so Sysdig presumes the operation is either in an early experimental phase or attempting to take control of blockchains by creating a network control majority of 51%.

If the first scenario is true, the threat actor could soon switch to more profitable coins like Monero or Bitcoin.

In either case, the goal of Purpleurchin cannot be anything other than financial profit, but the ongoing freejacking operation might not be the direct channel to achieve that yet.

The damage for GitHub, however, is still significant and measurable, with Sysdig's analysts estimating it to be $15 per month per account. For Heroku and Buddy, the cost is between $7 and $10 per month per account.

Based on these calculations, it would cost the service provider over $100,000 for the threat actor to mine one Monero (XMR) via freejacking.

That's about ten times higher than the damage caused by normal cryptojacking operations, estimated to be roughly $11,000 per Monero.

While this isn't necessarily new information, since the group is known for using multiple ransomware strains in some attacks, Microsoft has also seen them use this tactic against organizations in the U.S. education sector between July and October 2022.

As Microsoft Security Threat Intelligence analysts shared in a report published today, Vice Society (tracked by Redmond as DEV-0832) has been swapping between BlackCat, QuantumLocker, Zeppelin, and a Vice Society-branded variant of Zeppelin ransomware.

Since September, they've shifted to a modified version of their payload dubbed RedAlert that adds the .locked file extension to encrypted documents, according to Microsoft’s analysts.

While Vice Society runs its own data leak site, it should be noted that the RedAlert and BlackCat operations have their own leak sites as well.

Vice Society leak site (BleepingComputer)

 

Besides the strains mentioned in the report, BleepingComputer is aware that the gang has also been deploying HelloKitty/Five Hands ransomware as part of their attacks.

Vice Society will also skip the ransomware deployment stage in some attacks, with the operators opting for stealing sensitive data from their victims' networks and extorting them under the threat of leaking the stolen files online.

"In several cases, Microsoft assesses that the group did not deploy ransomware and instead possibly performed extortion using only exfiltrated stolen data," the company said.

"The shift from a ransomware as a service (RaaS) offering (BlackCat) to a purchased wholly-owned malware offering (Zeppelin) and a custom Vice Society variant indicates DEV-0832 has active ties in the cybercriminal economy and has been testing ransomware payload efficacy or post-ransomware extortion opportunities."

Targets set on U.S. schools

Vice Society is a threat group active since at least early June 2021, known for deploying multiple ransomware strains on their victims' networks, such as Hello Kitty/Five Hands and Zeppelin ransomware.

They also exfiltrate data from compromised systems before encryption and use it for double extortion, threatening victims to leak it online if their ransom demands aren't met.

One of the group's most recent victims is Los Angeles Unified (LAUSD), the second-largest school district in the United States.

Another high-profile education sector victim is the Austrian Medical University of Innsbruck which had to reset all 3,400 students' and 2,200 employees' account passwords following severe IT service disruption.

In November, a group of U.S. Senators urged the Departments of Education and Homeland Security to strengthen cybersecurity protections at K-12 schools so that they can keep up with this ongoing wave of ransomware attacks.

Last month, the FBI and CISA also warned in a joint advisory that the Vice Society group disproportionately targets the U.S. education sector.

Source

According to PayPal, the new passkey technology will first be made available on iPhone, iPad, and Mac on PayPal.com before it’s expanded to other platforms. Commenting on today’s new, Doug Bland, SVP and GM, Head of Consumer, PayPal, said:

“Launching passkeys for PayPal is foundational to our commitment to offering our customers safe, secure and easy ways to access and manage their daily financial lives. We are excited to provide our customers a more seamless checkout experience that eliminates the risks of weak and reused credentials and removes the frustration of remembering a password. We are making it easier for customers to shop online.”

Once you log in to PayPal in the browser on a supported operating system, you’ll be given the option to “Create a passkey”. You can then use Apple Face ID or Touch ID to authenticate. Once the passkey is created it’ll be synced with your iCloud Keychain, and you’ll just need to authenticate to log in, rather than provide a password.

If you’re logging in on an unsupported device, you’ll be offered a QR code that you can scan with your iPhone, from there you can verify in the usual way to log in on the original device. PayPal says passkeys are now rolling out to customers in the United States and will be arriving in other countries in early 2023 and on other platforms as support for passkeys is added.

Source: PayPal

PayPal goes passwordless with support for passkeys

While observant Internet users may spot the fake site by looking at the domain name, many rely on visual elements of the site instead to judge its authentiticy.

The campaign uses at least over 200 typosquatting domains to impersonate 27 brands, including TikTok, Figma, PayPal, SnapChat, APK Pure, Google Wallet or Microsoft Visual Studio Code.

Originally detected by cyber-security firm Cyble, the company believed that the campaign was targeting Android primarily by creating fake sites to download Android APK files. Our colleagues over at Bleeping Computer discovered that the campaign extends beyond Android, as it targets brands in software, cryptocurrency and other niches as well.

Even popular open source programs, such as Notepad++, Thunderbird or Tor Browser, are among the impersonated brands. Some domain names look very similar to the original and most websites look like exact replicas of the original sites.

The campaign spreads different types of malware. Bleeping Computer found the info-stealing malware Vidar Stealer on a fake Notepad++ site, and the Agent Tesla keylogger and RAT on a site impersonating the Tor Project website.

The malicious sites are spread using various methods, including by email, by accidental typos from users, and other means, which may include via chat messages, social sites or by SMS.

Most sites should be blocked in modern web browsers by now. An attempt to open them in a browser should display a security warning. There is the chance, however, that new sites are created that are not yet blocked.

The main protection against these type of sites is to check the address of the site before interacting with it. It takes just a second or two to check the URL of the site and determine whether it is the real site or not. If users do not know the real domain, they may use search engines to find the right homepage. Sometimes, local data may also help in identifying the correct website.

It is also a good idea to avoid clicking on any links in emails and on social sites.

Source

Pendragon owns CarStore, Evans Halshaw, and Stratstone luxury car retailer, that sell brands cars for all budgets, from Jaguar, Porsche, Ferrari, Mercedes-Benz, BMW, Land Rover, or Aston Martin, to Renault, Ford, Hyundai, Nissan, Peugeot, Vauxhall, Citroen, DS, Dacia, and DAF.

Pendragon did not provide many details about the security incident and limited the information to saying that there is no impact on operations.

"We have identified suspicious activity on part of our IT systems and have confirmed we experienced an IT security incident," Pendragon says in the security announcement.

However, in an interview for The Times publication on Friday, the company chief marketing officer, Kim Costello, pointed to LockBit rasnsomware gang as the culprit and said that the attack happened about a month ago.

According to Costello, the company has been in contact with the hackers and received stolen files as proof of the breach but did not engage in negotiations.

The hackers asked for "tens of millions of dollars before a deadline" under the threat of publishing stolen data, Costello added. According to the U.K. publication, the LockBit asked for a $60 million ransom.

The company spokesperson said that Pendragon stands firm on its decision to not pay the hackers.

After discovering the attack, Pendragon reported the incident to law enforcement in the U.K. as well as to the country's data protection office.

Pendragon's spokesperson also clarified that the company's IT team reacted immediately to the attack. Results from the investigation showed that the hackers stole only 5% of the database.

BleepingComputer contacted the company for more info about the stolen data and the impact it would have if the hackers leak it but received no response at publishing time.

LockBit's attack on Pendragon comes around the time the U.K. car dealer received a takeover offer of £400 million from the Sweden-based Hedin Mobility Group.

AEOI says an unauthorized party from a specific foreign country, which is not named, stole emails from the hacked server, which consisted of daily correspondence and technical memos.

The agency says it immediately took the necessary preventive measures to mitigate the results of this incident and informed all concerned parties and officials to be prepared for potential exploitation attempts.

AEIO says that the purpose of the breach and the data leak was to attract public attention and smear the image of AEOI in the media.

"It is obvious that the purpose of such illegal efforts, which are carried out out of desperation, is to attract public attention, create media atmospheres, and psychological operations, and lack any other value," reads the machine-translated AEOI statement.

'Black Reward' leak

The hacker group responsible for the attack calls itself 'Black Reward' and has leaked some of the stolen data on their Telegram channel.

There, Black Reward posted a 27GB 14-part collection of RAR archives allegedly containing 85,000 email messages characterized as "perfect for researchers."

The hackers claim to have scrutinized the collection before publication, removing all marketing messages and spam emails and keeping only the valuable content.

The leaked data includes alleged passports and visas of Iranian and Russians working with the agency, power plant status and performance reports, contracts, and technical reports.

The threat actors' message ends with an oblation to Mehsa Amini, the young woman who died in the custody of Iran's "moral" police force.

The event pushed the country's people into a month-long uprising against the ruling theocratic regime, which responded with violent crackdowns and censorship.

The hackers' message is signed "For women, life, freedom," giving the email server breach and data leak action the character of hacktivism.

Source

Apple revealed in an advisory today that it's aware of reports saying the security flaw "may have been actively exploited."

The bug (CVE-2022-42827) is an out-of-bounds write issue reported to Apple by an anonymous researcher and caused by software writing data outside the boundaries of the current memory buffer.

This can result in data corruption, application crashes, or code execution because of undefined or unexpected results (also known as memory corruption) resulting from subsequent data written to the buffer.

As Apple explains, if successfully exploited in attacks, this zero-day could have been used by potential attackers to execute arbitrary code with kernel privileges.

The complete list of impacted devices includes iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later.

Apple addressed the zero-day vulnerability in iOS 16.1 and iPadOS 16 with improved bounds checking.

Patch your iPhones and iPads

While Apple has disclosed that it knows of active exploitation reports of this vulnerability in the wild, it has yet to release any information regarding these attacks.

This will likely allow Apple customers to patch their devices before more attackers develop additional exploits and start using them in attacks targeting vulnerable iPhones and iPads.

Even though this zero-day bug was most likely only used in highly-targeted attacks, installing today's security updates is strongly recommended to block any attack attempts.

This is the ninth zero-day fixed by Apple since the start of the year:

• In September, Apple addressed a flaw in the iOS Kernel (CVE-2022-32917).
• In August, it fixed two more zero-days in the iOS Kernel (CVE-2022-32894) and WebKit (CVE-2022-32893)
• In March, Apple patched two zero-day in the Intel Graphics Driver (CVE-2022-22674) and AppleAVD (CVE-2022-22675).
• In February, Apple released security updates to address another WebKit zero-day bug exploited to target iPhones, iPads, and Macs.
• In January, Apple patched another pair of zero-days allowing code execution with kernel privileges (CVE-2022-22587) and web browsing activity tracking (CVE-2022-22594). 

Source

Because all these extensions offer color customization options and arrive on the victim's machine with no malicious code to evade detection, the analysts named the campaign "Dormant Colors."

According to the Guardio report, by mid-October 2022, 30 variants of the browser extensions were available on both the Chrome and the Edge web stores, amassing over a million installs.

More than hijacking

The infection begins with advertisements or redirects when visiting web pages that offer a video or download.

However, when attempting to download the program or watch the video, you are redirected to another site stating you must install an extension to continue, as demonstrated below.

However, when these extensions are first installed, they will redirect users to various pages that side-load malicious scripts that instruct the extension on how to perform search hijacking and on what sites to insert affiliate links.

"The first one dynamically creates elements on the page while trying desperately to obfuscate the JavaScript API calls," explains the Guardio report.

"Both of those HTML elements (colorstylecsse and colorrgbstylesre) include content (InnerText) that for the first is a '#' separated list of strings and regexes and the last is a comma-separated list of 10k+ domains."

"To finish it up, it also assigns a new URL to the location object so you are redirected to the advertisement that finalizes this flow as it is was just another advertisement popup."

When performing search hijacking, the extension will redirect search queries to return results from sites affiliated with the extension's developer, thus generating income from ad impressions and the sale of search data.

Dormant Colors goes beyond this by also hijacking the victim’s browsing on an extensive list of 10,000 websites by automatically redirecting users to the same page but this time with affiliate links appended to the URL.

Once the affiliate tags are appended to the URL, any purchase made on the site will generate a commission for the developers.

Guardio has also shared a video demonstrating the affiliation hijacking component, shown below.

Potential for more

The researchers warn that using the same stealthy malicious code side-loading technique, the operators of Dormant Colors could achieve potentially nastier things than hijacking affiliations.

The researchers say it’s possible to redirect victims to phishing pages to steal credentials for Microsoft 365, Google Workspace, bank sites, or social media platforms.

Theoretical alternative attack (Guardia)

 

While there are no signs that the campaigns are performing this more malicious behavior, the researchers say it could be enabled simply by side-loading additional scripts.

The extensions and the websites listed in the report's IoCs section have been removed/taken offline, but the researchers warn that the operation is constantly renewed with new add-on names and domains.

The FBI and other agencies are warning of a rise in Daixin Team ransomware and data extortion attacks on healthcare providers.  

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services (HHS) has issued a joint warning about Daixin Team activity against the healthcare and public health sector since June 2022.  

The group has used ransomware to encrypt servers providing services for electronic health records, diagnostics, imaging, and intranet. They have also exfiltrated personal identifiable information and patient health information.

The agencies are warning health providers to secure VPN servers as this was how the group gained access to previous targets, including exploiting an unpatched flaw in the victim's VPN server. In another confirmed case, the actors used previously compromised credentials to access a legacy VPN server where multi-factor authentication (MFA) was not enabled. The actors are believed to have acquired the VPN credentials through a phishing email with a malicious attachment.

After accessing the VPN, the group used remote protocols SSH and RDP to move laterally, then sought privileged accounts through credential dumping and 'pass the hash', where attackers use stolen password hashes to move laterally.      

The actors have also used privileged accounts to access VMware vCenter Server and reset account passwords for ESXi servers in the environment. Then they use SSH to connect to accessible ESXi servers and deploy ransomware on those servers, according to the advisory.

The Daixin group also exfiltrated data from victim systems.

Among several mitigations, the advisory says organizations must prioritize patching VPN servers, remote-access software, virtual-machine software, and CISA's known-exploited vulnerabilities. It also recommends locking down RDP and turning off SSH, as well as Telnet, Winbox, and HTTP for wide-area networks, and securing them with strong passwords and encryption when enabled. Organizations should also require MFA for as many services as possible.

Because lives can depend on these systems, providers in the sector are routinely targeted by cyber criminals. The FBI's Internet Crime Complaint Center (IC3) data indicates the health sector accounts for 25% of ransomware complaints of victim reports across all 16 critical infrastructure sectors.

Also, in IC3's 2021 annual report, the HPH Sector accounted for 148 ransomware reports. It was the largest source of ransomware complaints within the 649 ransomware reports made that year across 14 critical infrastructure sectors.

source

Typosquatting is an old method of tricking people into visiting a fake website by registering a domain name similar to that used by genuine brands.

The domains used in this campaign are very close to the authentic ones, featuring a single letter position swap or an additional "s," making them easy for people to miss.

In terms of appearance, in most cases seen by BleepingComputer, the malicious websites are clones of the originals or at least convincing enough, so there's not much to give away the fraud.

Victims typically end up on these sites by mistyping the website name they want to visit in the browser's URL bar, which is not uncommon when typing on mobile.

However, users could also be led on these sites via phishing emails or SMS, direct messages, malicious social media and forum posts, and other ways.

A vast network of fake sites

Some of the malicious sites were discovered by cyber-intelligence firm Cyble, which published a report this week focusing on domains mimicking popular Android app stores like Google Play, APKCombo, and APKPure, as well as download portals for PayPal, VidMate, Snapchat, and TikTok.

Malicious site impersonating PayPal

 

Some of the domains used for this purpose are:

• payce-google[.]com – impersonates Google Wallet
• snanpckat-apk[.]com – impersonates Snapchat
• vidmates-app[.]com – impersonates VidMate
• paltpal-apk[.]com – impersonates PayPal
• m-apkpures[.]com – impersonates APKPure
• tlktok-apk[.]link – impersonates download portal for TikTok app

In all these cases, the malware delivered to users attempting to download the APKs is ERMAC, a banking trojan targeting banking accounts and cryptocurrency wallets from 467 apps.

Part of a much larger campaign

While Cyble's report focused on the campaign's Android malware, BleepingComputer found a much larger typosquatting campaign from the same operators, distributing Windows malware.

This campaign consists of over 90 websites created to impersonate over twenty-seven popular brands to distribute Windows malware, steal cryptocurrency recovery keys, and, as described above, push Android malware.

A notable example of one of these typosquat sites is for the very popular Notepad++ text editor. This fake site uses the domain "notepads-plus-plus[.]org", which is only a character away from the authentic at "notepad-plus-plus.org".

Fake Notepad++ site delivering Vidar Stealer

 

The files from this site install the Vidar Stealer information-stealing malware, which has had its size inflated to 700MB to evade analysis.

Another site discovered by BleepingComputer impersonates the Tor Project using the "tocproject.com" domain. In this case, the website drops the Agent Tesla keylogger and RAT.

Fake Tor site dropping Agent Tesla

 

By digging deeper into the long list of the domains, we've found several targeting popular software like:

• thundersbird[.]org – Impersonates the popular Thunderbird open-source email suite, dropping Vidar Stealer
• codevisualstudio[.]org – Impersonates Microsoft’s Visual Studio Code to drop Vidar
• braves-browsers[.]org – Impersonates the Brave web browser to drop Vidar

More fake sites dropping Windows malware

 

The variety in the malware families delivered to victims may indicate that the campaign operators experiment with various strains to see what works best.

Another portion of these sites target cryptocurrency wallets and seed phrases, a very profitable activity for threat actors.

For example, BleepingComputer found "ethersmine[.]com", which attempts to steal the visitor's Ethereum wallet seed phrase.

Site impersonating the Ethermine mining pool

 

Other sites in the campaign target cryptocurrency holders and digital asset investors impersonating popular crypto wallets, trading apps, and NFT sites.

Of course, the threat actors use multiple variants of each domain to cover as many mistypes as possible, so these domains are only a small sample of the entire network of domains used in the campaign.

Some browsers like Google Chrome and Microsoft Edge include typosquatting protection. However, in our tests, the browsers did not block any of the domains we tested.

To protect yourself from typosquatting domains, the best method to find a legitimate site is to search for a particular brand in a search engine.

However, you should avoid clicking on ads shown in search results, as there have been many cases where malicious ads are created to impersonate a real site.

Source

GitHub is one of the largest code hosting platforms, and researchers use it to publish PoC exploits to help the security community verify fixes for vulnerabilities or determine the impact and scope of a flaw.

According to the technical paper from the researchers at Leiden Institute of Advanced Computer Science, the possibility of getting infected with malware instead of obtaining a PoC could be as high as 10.3%, excluding proven fakes and prankware.

Data collection and analysis

The researchers analyzed a little over 47,300 repositories advertising an exploit for a vulnerability disclosed between 2017 and 2021 using the following three mechanisms:

• IP address analysis: comparing the PoC's publisher IP to public blocklists and VT and AbuseIPDB.
• Binary analysis: run VirusTotal checks on the provided executables and their hashes.
• Hexadecimal and Base64 analysis: decode obfuscated files before performing binary and IP checks.

Of the 150,734 unique IPs extracted, 2,864 matched blocklist entries, 1,522 were detected as malicious in antivirus scans on Virus Total, and 1,069 of them were present in the AbuseIPDB database.

The binary analysis examined a set of 6,160 executables and revealed a total of 2,164 malicious samples hosted in 1,398 repositories.

In total, 4,893 repositories out of the 47,313 tested were deemed malicious, with most of them concerning vulnerabilties from 2020.

The report contains a small set of repositories with fake PoCs that delivered malware. However, the researchers shared with BleepingComputer at least 60 other examples that are still live and in the process of being taken down by GitHub.

Malware in the PoC

By looking closer into some of those cases, the researchers found a plethora of different malware and harmful scripts, ranging from remote access trojans to Cobalt Strike.

One interesting case is that of a PoC for CVE-2019-0708, commonly known as "BlueKeep", which contains a base64-obfuscated Python script that fetches a VBScript from Pastebin.

The script is the Houdini RAT, an old JavaScript-based trojan that supports remote command execution via the Windows CMD.

In another case, the researchers spotted a fake PoC that was an info-stealer collecting system information, IP address, and user agent.

This was created before as a security experiment by another researcher, so finding it with the automated tool was a confirmation for the researchers that their approach worked.

One of the researchers, El Yadmani Soufian, who is also a security researcher at Darktrace, was kind enough to provide BleepingComputer with additional examples not included in the technical report, which are given below:

PowerShell PoC containing a binary encoded in base64 flagged as malicious in Virus Total.

Python PoC containing a one-liner that decodes a base64-encoded payload flagged as malicious on Virus Total.

Fake BlueKeep exploit containing an executable that is flagged by most antivirus engines as malicious, and identified as Cobalt Strike.

A script hiding inside fake PoC with inactive malicious components that could cause damage if its author wishes so.

How to stay safe

Blindly trusting a repository on GitHub from an unverified source would be a bad idea since the content is not moderated, so it falls on the users to review it before using it.

Software testers are advised to carefully scrutinize the PoCs they download and run as many checks as possible before executing them.

Soufian believes that all testers should follow these three steps:

1. Read carefully the code you are about to run on your or your customer's network.
2. If the code is too obfuscated and needs too much time to analyze manually, sandbox it in an environment (ex: an isolated Virtual Machine) and check your network for any suspicious traffic.
3. Use open-source intelligence tools like VirusTotal to analyze binaries.

The researchers have reported all the malicious repositories they discovered to GitHub, but it will take some time until all of them are reviewed and removed, so many still remain available to the public.

As Soufian explained, their study aims not just to serve as a one-time cleaning action on GitHub but to act as a trigger to develop an automated solution that could be used to flag malicious instructions in the uploaded code.

This is the first version of the team's research and they are working on improving their detector. Currently, the the detection tool misses code with stronger obfuscation.

Source

Clicker apps are a special category of adware that loads ads in invisible frames or in the background and clicks them to generate revenue for their operators.

The effect on the device may be a drop in performance, overheating, increased battery usage, and inflated mobile data charges.

All 16 apps have been removed from Google Play after McAfee reported them. However, they still amassed an install count of 20 million.

The nastiest of the bunch is DxClean, which was installed five million times before it being removed. It had a relatively positive overall user rating of 4.1 out of 5 stars.

DxClean posed as a system cleaner and optimizer, promising to detect causes of system slowdowns and stop advertisement annoyances while performing the exact opposite actions in the background.

Clicker app functions

After launch, the apps download their configuration from a remote location via an HTTP request and register an FCM (Firebase Cloud Messaging) listener to receive push messages.

These messages contain instructions for the clickers, such as which functions to call and what parameters to use.

“When an FCM message receives and meets some condition, the latent function starts working,” McAfee explains in the report.

“Mainly, it is visiting websites which are delivered by FCM message and browsing them successively in the background while mimicking user’s behavior,” the researchers add.

The auto-clicking function is handled by the ‘click.cas’ component, while the agent managing the hidden adware services is ‘com.liveposting’.

The two libraries supporting the clickers' operation - (McAfree)

 

McAfee analysts say that the liveposting SDK can operate on its own, too, possibly to create only ad impressions, but recent versions of the apps feature both libraries.

The victim never interacts with the opened websites and is unlikely to realize the underground processes that generate profit for the remote operators.

To stay below the user's radar, the malicious operation does not begin in the first hour after installing the app delays its start when the user is actively using the device.

Some ways to discover if apps of this kind are present on the device, users should check battery and internet usage. If the system stayed unused for a period, there is no justification for higher battery drainage and increased mobile data consumption.

For the complete list of the 16 clicker apps, check out the indicators of compromise section at the bottom of McAfee’s report.

Source

Last month, security researcher MalwareHunterTeam tweeted about a new extortion gang known as 'TommyLeaks.'

This hacking group claims to breach corporate networks, steal data, and demand a ransom not to leak data. Ransom demands seen by BleepingComputer range from $400,000 to $700,000.

TommyLeaks ransom note - Source: BleepingComputer

 

In October, MalwareHunterTeam discovered another new extortion gang named ‘SchoolBoys Ransomware Gang’ that claims to steal data and encrypt victims’ devices as part of their attacks.

SchoolBoys Ransomware Gang ransom note - Source: BleepingComputer

 

BleepingComputer later found a sample of the SchoolBoys ransomware encryptor [VirusTotal] and confirmed it was created using the leaked LockBit 3.0 builder.

SchoolBoys ransomware using LockBit's encryptor - Source: BleepingComputer

 

The threat actors steal data during their attacks but do not have a known public data leak site at this time.

While there was nothing linking the groups at the time, they both used the same Tor chat system for their negotiation sites.

TommyLeaks negotiation site - Source: BleepingComputer.com

Even more curious, this same chat system has only been used before by the Karakurt extortion group.

Two sides of the same coin

This week, BleepingComputer has confirmed that both TommyLeaks and the SchoolBoys Ransomware Gang are, in fact, the same extortion group.

In a SchoolBoys negotiation chat shared with BleepingComputer, the threat actors greet their victim as "TommyLeaks" in their attempts to coerce a ransom payment.

While it is unclear why they are utilizing two different names as part of their operation, they may be trying a similar approach to that taken by Conti and Karakurt.

Earlier this year, AdvIntel CEO Vitali Kremez told BleepingComputer that Karakurt was part of the Conti cybercrime syndicate.

When Conti's ransomware encryptor was blocked in attacks, the hackers extorted the victim using the already stolen data under the Karakurt name rather than the Conti brand.

To take it one step further, as the TommyLeaks/SchoolBoys group uses the chat system as Karakurt, we may be seeing a rebrand of the Conti offshoot into these newer brands.

While it is too soon to tell if this is what is occurring, the extortion group is one that enterprises need to keep an eye on as they are targeting entities of all sizes.

Source

A new Windows zero-day allows threat actors to use malicious stand-alone JavaScript files to bypass Mark-of-the-Web security warnings. Threat actors are already seen using the zero-day bug in ransomware attacks.

Windows includes a security feature called Mark-of-the-Web (MoTW) that flags a file as having been downloaded from the Internet and, therefore, should be treated with caution as it could be malicious.

The MoTW flag is added to a downloaded file or email attachment as a special Alternate Data Stream called 'Zone.Identifier,' which can be viewed using the 'dir /R' command and opened directly in Notepad, as shown below.

The Mark-of-the-Web alternate data stream - Source: BleepingComputer

 

This 'Zone.Identifier' alternate data stream includes what URL security zone the file is from (three equals the Internet), the referrer, and the URL to the file.

When a user attempts to open a file with the Mark-of-the-Web flag, Windows will display a warning that the file should be treated with caution.

"While files from the Internet can be useful, this file type can potentially harm your computer. If you do not trust the source, do not open this software," reads the warning from Windows.

Windows security warning when opening files with MoTW flags - Source: BleepingComputer

 

Microsoft Office also utilizes the MoTW flag to determine if the file should be opened in Protected View, causing macros to be disabled.

Windows MoTW bypass zero-day flaw

The HP threat intelligence team recently reported that threat actors are infecting devices with Magniber ransomware using JavaScript files.

To be clear, we are not talking about JavaScript files commonly used on almost all websites, but .JS files distributed by threat actors as attachments or downloads that can run outside of a web browser.

The JavaScript files seen distributed by the Magniber threat actors are digitally signed using an embedded base64 encoded signature block as described in this Microsoft support article.

JavaScript file used to install the Magniber Ransomware - Source: BleepingComputer

 

After being analyzed by Will Dormann, a senior vulnerability analyst at ANALYGENCE, he discovered that the attackers signed these files with a malformed key.

Malformed signature in malicious JavaScript file - Source: BleepingComputer

 

When signed in this manner, even though the JS file was downloaded from the Internet and received a MoTW flag, Microsoft would not display the security warning, and the script would automatically execute to install the Magniber ransomware.

Dormann further tested the use of this malformed signature in JavaScript files and was able to create proof-of-concept JavaScript files that would bypass the MoTW warning.

Both of these JavaScript (.JS) files were shared with BleepingComputer, and as you can see below, they both received a Mark-of-the-Web, as indicated by the red boxes, when downloaded from a website.

Mark-of-the-Web on Dormann's PoC exploits - Source: BleepingComputer

 

The difference between the two files is that one is signed using the same malformed key from the Magniber files, and the other contains no signature at all. 

Dormann's PoC Exploits - Source: BleepingComputer

 

When the unsigned file is opened in Windows 10, a MoTW security warning is properly displayed.

However, when double-clicking the 'calc-othersig.js,' which is signed with a malformed key, Windows does not display a security warning and simply executes the JavaSript code, as demonstrated below.

Demonstration of the Windows zero-day bypassing security warnings - Source: BleepingComputer

 

Using this technique, threat actors can bypass the normal security warnings shown when opening downloaded JS files and automatically execute the script.

BleepingComputer was able to reproduce the bug in Windows 10. However, for Windows 11, the bug would only trigger when running the JS file directly from an archive.

Dormann told BleepingComputer that he believes this bug was first introduced with the release of  Windows 10, as a fully patched Windows 8.1 device displays the MoTW security warning as expected.

"This issue is in the new-as-of-Win10 SmartScreen feature.  And disabling "Check apps and files" reverts Windows to the legacy behavior, where MotW prompts are unrelated to Authenticode signatures," Dormann told BleepingComputer.

"So that whole setting is unfortunately currently a tradeoff.  On one hand, it does scan for baddies that are downloaded."

"On the other, baddies that take advantage of this bug can get a LESS-SECURE behavior from Windows compared to when the feature is disabled."

The zero-day vulnerability is particularly concerning as we know threat actors are actively exploiting it in ransomware attacks.

Dormann shared the proof-of-concept with Microsoft, who said they could not reproduce the MoTW security warning bypass.

However, Microsoft told BleepingComputer that they are aware of the reported issue and are investigating it.

Update 10/22/22

After the publication of this article, Dormann told BleepingComputer that threat actors could modify any Authenticode-signed file, including executables (.EXE), to bypass the MoTW security warnings.

To do this, Dormann says that a signed executable can be modified using a hex editor to change some of the bytes in the signature portion of the file and thus corrupt the signature.

"Files that have a MotW are treated as if there were no MotW if the signature is corrupt. What real-world difference that makes depends on what type of file it is," explained Dormann.

Source