Hackers have been exploiting a now-patched vulnerability in VMware Workspace ONE Access in campaigns to install various ransomware and cryptocurrency miners, a researcher at security firm Fortinet said on Thursday.

CVE-2022-22954 is a remote code execution vulnerability in VMware Workspace ONE Access that carries a severity rating of 9.8 out of a possible 10. VMware disclosed and patched the vulnerability on April 6. Within 48 hours, hackers reverse-engineered the update and developed a working exploit that they then used to compromise servers that had yet to install the fix. VMware Workspace ONE access helps administrators configure a suite of apps employees need in their work environments.

In August, researchers at Fortiguard Labs saw a sudden spike in exploit attempts and a major shift in tactics. Whereas before the hackers installed payloads that harvested passwords and collected other data, the new surge brought something else—specifically, ransomware known as RAR1ransom, a cryptocurrency miner known as GuardMiner, and Mirai, software that corrals Linux devices into a massive botnet for use in distributed denial-of-service attacks.

“Although the critical vulnerability CVE-2022-22954 is already patched in April, there are still multiple malware campaigns trying to exploit it,” Fortiguard Labs researcher Cara Lin wrote. Attackers, she added, were using it to inject a payload and achieve remote code execution on servers running the product.

The Mirai sample Lin saw getting installed was downloaded from http[:]//107[.]189[.]8[.]21/pedalcheta/cutie[.]x86_64 and relied on a command and control server at “cnc[.]goodpackets[.]cc. Besides delivering junk traffic used in DDoSes, the sample also attempted to infect other devices by guessing the administrative password they used. After decoding strings in the code, Lin found the following list of credentials the malware used:

In what appears to be a separate campaign, attackers also exploited CVE-2022-22954 to download a payload from 67[.]205[.]145[.]142. The payload included seven files:

•     phpupdate.exe: Xmrig Monero mining software
•     config.json: Configuration file for mining pools
•     networkmanager.exe: Executable used to scan and spread infection
•     phpguard.exe: Executable used for guardian Xmrig miner to keep running
•     init.ps1: Script file itself to sustain persistence via creating scheduled task
•     clean.bat: Script file to remove other cryptominers on the compromised host
•     encrypt.exe: RAR1 ransomware

In the event RAR1ransom has never been installed before, the payload would first run the encrypt.exe executable file. The file drops the legitimate WinRAR data compression executable in a temporary Windows folder. The ransomware then uses WinRAR to compress user data into password-protected files.

The payload would then start the GuardMiner attack. GuardMiner is a cross-platform mining Trojan for the Monero currency. It has been active since 2020.

The attacks underscore the importance of installing security updates in a timely manner. Anyone who has yet to install VMware’s April 6 patch should do so at once.

Source

The FBI released an advisory warning that the Daixin ransomware gang is targeting U.S. Healthcare and Public Health (HPH) sector in multiple attacks.

This week, Medibank finally confirmed it was ransomware behind its recent cyberattack. We also saw an attack on the Stimme Mediengruppe media group that prevented the printing and distribution of German newspapers.

Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @PolarToffee, @Ionut_Ilascu, @FourOctets, @jorntvdw, @struppigel, @BleepinComputer, @demonslay335, @billtoulas, @Seifreed, @LawrenceAbrams, @serghei, @fwosar, @DanielGallagher, @VK_Intel, @malwareforme, @Fortinet, @BroadcomSW, @0verfl0w_, @linuxct, @Unit42_Intel, @Amermelsad, @MsftSecIntel, @CrowdStrike, @GroupIB_GIB, @BushidoToken, @JackRhysider, @Intel471Inc, @NCCGroupplc, and @pcrisk.

October 16th 2022

Venus Ransomware targets publicly exposed Remote Desktop services

Threat actors behind the relatively new Venus Ransomware are hacking into publicly-exposed Remote Desktop services to encrypt Windows devices.

October 17th 2022

Ransomware attack halts circulation of some German newspapers

German newspaper ‘Heilbronn Stimme’ published today’s 28-page issue in e-paper form after a Friday ransomware attack crippled its printing systems.

Australian insurance firm Medibank confirms ransomware attack

Health insurance provider Medibank has confirmed that a ransomware attack is responsible for last week's cyberattack and disruption of online services.

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .tury and .tuis extension.

New Escanor ransomware

PCrisk found the new ESCANOR Ransomware that appends the .ESCANOR and drops the HELP_DECRYPT_YOUR_FILES.txt ransom note.

October 18th 2022

Ransom Cartel linked to notorious REvil ransomware operation

Researchers have linked the relatively new Ransom Cartel ransomware operation with the notorious REvil gang based on code similarities in both operations' encryptors.

Defenders beware: A case for post-ransomware investigations

In this blog, we detail a recent ransomware incident in which the attacker used a collection of commodity tools and techniques, such as using living-off-the-land binaries, to launch their malicious code. Cobalt Strike was used for persistence on the network with NT AUTHORITY/SYSTEM (local SYSTEM) privileges to maintain access to the network after password resets of compromised accounts.

New RONALDIHNO ransomware variant

PCrisk found a new RONALDIHNO ransomware that appends the .r7 extension and drops a ransom note named READ_THIS.txt.

New CMLocker ransomware variant

PCrisk found a new CMlocker ransomware that appends the .CMLOCKER extension and drops a ransom note named HELP_DECRYPT_YOUR_FILES.txt.

Darknet Diaries - EP 126: REvil

REvil is the name of a ransomware service as well as a group of criminals inflicting ransomware onto the world. Hear how this ransomware shook the world.

October 19th 2022

DeadBolt ransomware: nothing but NASty

The Group-IB Incident Response Team investigated an incident related to a DeadBolt attack and analyzed a DeadBolt ransomware sample

New Dcrtr ransomware variants

PCrisk found new Dcrtr ransomware variants that append the .flash or .ash extensions to encrypted files.

October 20th 2022

OldGremlin hackers use Linux ransomware to attack Russian orgs

OldGremlin, one of the few ransomware groups attacking Russian corporate networks, has expanded its toolkit with file-encrypting malware for Linux machines.

Leading Ransomware Variants Q3 2022

Researchers at @Intel471Inc observed 455 #ransomware attacks in Q3 of 2022 with the most prevalent variants being #LockBit 3.0, #BlackBasta, #Hive, #ALPHV & #BlackCat. Our latest report analyzes the leading variants & the industries most impacted by them.

New Chaos ransomware variant

PCrisk found a new Chaos ransomware variant that appends the .eu extension and drops a ransom note named read_instruction.txt.

October 21st 2022

BlackByte ransomware uses new data theft tool for double-extortion

A BlackByte ransomware affiliate is using a new custom data stealing tool called 'ExByte' to steal data from compromised Windows devices quickly.

Hackers exploit critical VMware flaw to drop ransomware, miners

Security researchers observed malicious campaigns leveraging a critical vulnerability in VMware Workspace One Access to deliver various malware, including the RAR1Ransom tool that locks files in password-protected archives.

US govt warns of Daixin Team targeting health orgs with ransomware

CISA, the FBI, and the Department of Health and Human Services (HHS) warned that a cybercrime group known as Daixin Team is actively targeting the U.S. Healthcare and Public Health (HPH) sector in ransomware attacks.

Playing Hide-and-Seek with Ransomware, Part 2

In Part 1, we explained what Intel SGX enclaves are and how they benefit ransomware authors. In Part 2, we explore a hypothetical step-by-step implementation and outline the limitations of this method.

NCC Group Monthly Threat Pulse – September 2022

Claiming the fourth most active spot, just behind BlackCat was new entrant Sparta. With 12 victims reported in one day and 14 over the course of the month, the group has emerged onto the ransomware scene with an explosive start. Observations suggest it is currently solely targeting Spain-based entities, suggesting it is a Spanish-speaking organised crime group.

That's it for this week! Hope everyone has a nice weekend!

The Week in Ransomware - October 21st 2022 - Stop the Presses

Data exfiltration is believed to be one of the most important functions in double-extortion attacks, with BleepingComputer told that companies are more commonly paying ransom demands to prevent the leak of data than to receive a decryptor.

Due to this, ransomware operations, including ALPHV and LockBit, are constantly working on improving their data theft tools.

At the same time, other threat actors, like Karakurt, don't even bother to encrypt local copies, solely focusing on data exfiltration.

The Exbyte data exfiltration tool

Exbyte was discovered by security researchers at Symantec, who say that the threat actors use the Go-based exfiltration tool to upload stolen files directly to the Mega cloud storage service.

Upon execution, the tool performs anti-analysis checks to determine if it's running on a sandboxed environment and checks for debuggers and anti-virus processes.

The processes Exbyte checks are:

• MegaDumper 1.0 by CodeCracker / SnD
• Import reconstructor
• x64dbg
• x32dbg
• OLLYDBG
• WinDbg
• The Interactive Disassembler
• Immunity Debugger – [CPU]

Also, the malware checks for the presence of the following DLL files:

• avghooka.dll
• avghookx.dll
• sxin.dll
• sf2.dll
• sbiedll.dll
• snxhk.dll
• cmdvrt32.dll
• cmdvrt64.dll
• wpespy.dll
• vmcheck.dll
• pstorec.dll
• dir_watch.dll
• api_log.dll
• dbghelp.dll

The BlackByte ransomware binary also implements these same tests, but the exfiltration tool needs to run them independently since data exfiltration takes place before file encryption.

If the tests are clean, Exbyte enumerates all document files on the breached system and uploads them to a newly-created folder on Mega using hardcoded account credentials.

"Next, Exbyte enumerates all document files on the infected computer, such as .txt, .doc, and .pdf files, and saves the full path and file name to %APPDATA%\dummy," explains the report by Symantec.

"The files listed are then uploaded to a folder the malware creates on Mega.co.nz. Credentials for the Mega account used are hardcoded into Exbyte."

BlackByte is still going strong

BlackByte launched operations in the summer of 2021, and by February 2022, the gang had breached many private and public organizations, including critical infrastructure in the United States.

Symantec analysts report that recent BlackByte attacks rely on exploiting last year's ProxyShell and ProxyLogon flaw sets in Microsoft Exchange servers.

Moreover, the intruders use tools such as AdFind, AnyDesk, NetScan, and PowerView to move laterally.

Recent attacks employ version 2.0 of the ransomware, removing Kernel Notify Routines to bypass EDR protections, as Sophos analyzed in an October report.

Like other ransomware operations, BlackByte deletes volume shadow copies to prevent easy data restoration, modifies firewall settings to open up all remote connections, and eventually injects itself in a "scvhost.exe" instance for the encryption phase.

BlackByte's commands to configure firewall on host (Symantec)

 

According to an Intel 471 report published yesterday, in Q3 2022, BlackByte targeted primarily organizations in Africa, likely to avoid provoking Western law enforcement.

The company's IT team is currently investigating the incident with the help of external experts to discover the cause of this ongoing outage.

IT outages have been affecting stores in Austria, Germany, and France since at least October 17, according to a report from Günter Born.

"METRO/MAKRO is currently experiencing a partial IT infrastructure outage of several technical services," the wholesaler revealed in a note on its website. "METRO's IT team has immediately started a thorough investigation together with external experts to identify the cause of the interruption of services."

Even though its stores are still operating, METRO says that it was forced to set up offline payment systems and that online orders are delayed.

"While METRO stores are operating, and services are regularly available disruptions and delays may occur," the company said. "Online orders through the web app and online store are being processed but delays need to be expected, as well."

The company has notified the authorities regarding this security incident and will cooperate with any investigations linked to the attack.

METRO store notification regarding IT issues (Günter Born)

 

METRO is an international wholesale company for customers in the HoReCa (hotel, restaurants, and catering) industry, operating in over 30 countries and employing more than 95,000 people worldwide.

It operates 661 wholesale stores (as of September 30, 2022) under the METRO and MAKRO brands.

At the moment, the company shared no information on the nature of this cyberattack, but IT infrastructure outages are usually linked to ransomware attacks.

"We will continue intensive analysis and monitoring and provide updates as required. METRO sincerely apologizes for any inconvenience the incident is causing for any of its customers and business partners," the wholesaler added today.

When contacted by BleepingComputer earlier today, a METRO spokesperson said the company couldn't share additional info on the incident due to the ongoing investigation.

Source

The federal agencies also shared indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) in a joint advisory issued today to help security professionals detect and block attacks using this ransomware strain.

"The Daixin Team is a ransomware and data extortion group that has targeted the HPH Sector with ransomware and data extortion operations since at least June 2022," the advisory revealed.

Since June, Daixin Team attackers have been linked to multiple health sector ransomware incidents where they've encrypted systems used for many healthcare services, including electronic health records storage, diagnostics, imaging services, and intranet services.

They're also known for stealing patient health information (PHI) and personal identifiable information (PII) and using it for double extortion to pressure victims into paying ransoms under the threat of releasing the stolen information online.

The ransomware gang gains access to targets' networks by exploiting known vulnerabilities in the organizations' VPN servers or with the help of compromised VPN credentials belonging to accounts with multi-factor authentication (MFA) toggled off.

Once in, they use Remote Desktop Protocol (RDP) and Secure Shell (SSH) to move laterally through the victim's networks.

Daixin Team ransom note (CISA/FBI/HHS)

 

To deploy the ransomware payloads, they escalate privileges using various methods, such as credential dumping.

This privileged access is also used to "gain access to VMware vCenter Server and reset account passwords for ESXi servers in the environment" with the same goal of encrypting the systems using ransomware.

"According to third-party reporting, the Daixin Team's ransomware is based on leaked Babuk Locker source code," the federal agencies added. 

"This third-party reporting as well as FBI analysis show that the ransomware targets ESXi servers and encrypts files located in /vmfs/volumes/ with the following extensions: .vmdk, .vmem, .vswp, .vmsd, .vmx, and .vmsn. A ransom note is also written to /vmfs/volumes/." 

Before encrypting their victims' devices, they use Rclone or Ngrok to exfiltrate stolen data to dedicated virtual private servers (VPS).

U.S. health organizations are advised to take the following measures to defend against Daixin Team's attacks:

• Install updates for operating systems, software, and firmware as soon as they are released.
• Enable phishing-resistant MFA for as many services as possible.
• Train employees to recognize and report phishing attempts.

In August, CISA and the FBI also warned that attackers known for mainly targeting the healthcare and medical industries with Zeppelin ransomware might encrypt files multiple times, making file recovery more tedious.

Source

Google Play apps with >20M downloads depleted batteries and network bandwidth

There’s a side to Apple most iPhone owners don’t know. There's Apple the hardware company, the one that has spent the past several weeks showing off new phones, a more rugged Apple Watch and some confusing new iPads. Then there’s the other, quieter Apple, focused on something of a dirty word: advertising. And that part of Apple is getting bigger by the day.

Apple has sold ads inside Apple News and the App Store since 2016 but in recent months has shown a new determination to muscle into an industry dominated by Google, Meta, and Amazon. In June, Apple expanded the ways companies could pay to get in front of its customers’ eyeballs, allowing them to buy ads on the front page of the App Store. In August, Apple job postings suggested it was building a self-service platform for businesses to book ads to be served to customers through Apple products. This month, reports surfaced that Apple was courting potential buyers for ads on Apple TV+. What form those ads would take, such as pre-roll spots like those on YouTube or traditional TV commercials, is unclear.

Those moves all suggest Apple’s users will begin to see more ads inside its services and that the company will shift into more direct competition with ad-supported rivals such as Google and Meta. “Everybody’s been letting Google and then Facebook take all this money,” says Michael Cusumano, a professor at MIT Sloan School of Management. “For Apple to step in and say ‘I want a piece of this too’ kind of makes sense.”

With smartphone innovation barely budging and sales slowing, it also makes sense that Apple would chase alternative sources of revenue. The company’s expanding subscription business in news, video streaming, and fitness scratch the same growth-hungry corporate itch. Cusumano believes Apple may have been partly inspired by the success of Amazon’s ad business, which displays adverts for products alongside search results. It has grown more than tenfold since 2016, reaching $31 billion in revenue in 2021. Insider Intelligence, a market research firm, estimates that Apple brings in $4 billion a year from ads.

Apple’s ad adventure risks irking loyal customers. Pushing paid messages on people is a break from the company’s usual pact with consumers, who have been trained over decades to pay steep prices for Apple products that present a refined, if closed-off, experience. CEO Tim Cook has previously argued that ad-driven business models are inherently invasive of privacy, seemingly in reference to Google and Meta.

Apple’s recent interest in ads has also drawn antitrust scrutiny, due to a privacy feature added to iOS that has damaged digital ad revenues at its Big Tech rivals. Apple’s App Tracking Transparency, or ATT, introduced in April last year, requires people to opt in to sharing data that companies such as Meta use to track users online. One third-party estimate believes that Meta has lost $13 billion in ad revenue as a result of the changes. German regulators are investigating the feature as potentially anticompetitive, because Apple’s personalized ads, which can be targeted by age and gender, aren’t subject to the same rules.

Apple spokesperson Shane Bauer declined to answer WIRED’s questions on how the company’s business is changing, the role of advertising in that, or whether ATT was related to its ad plans. “A user’s data belongs to them, and they should get to decide whether to share their data and with whom,” Bauer says. ATT’s rules apply equally to all developers, including Apple, he says, and the company “never tracks users.”

That doesn’t mean Apple's existing ad revenue won't keep growing. “It definitely could become a significant part of their business,” says Peter Newman, director of forecasting at Insider Intelligence, who specializes in tracking Apple. “They want to make themselves significantly less dependent on pure hardware sales.”

Newman points to monthly subscription services such as Apple Music and Apple TV+ as places that would comfortably accommodate ads. The company’s video streaming service is notable, he says, because after Netflix’s launch of an ad-supported tier, Apple is now one of the only major video streaming services without an ad-supported version. (In April, Apple signed a deal that would serve ads on Major League Baseball coverage through the streaming service, though those ads were sold by MLB, not Apple).

How big Apple’s ad business could become is far from certain. Newman sees plenty of room for growth but can’t see the company rivaling the largest digital ad giants. “I can see Apple becoming something on the level of Microsoft, maybe a little larger, but significantly behind the likes of Google and Meta,” he says. That would mean ad revenue in the tens rather than hundreds of billions. Microsoft says its ad revenue is about $10 billion a year; Google, the world’s top digital ads platform, made nearly $210 billion last year, with Meta in second place with $115 billion.

Newman says that while Apple’s devices and services provide plenty of potential ad inventory, they don’t provide the scale or lucrative opportunities of Google’s search engine, Meta’s billions of social app users, or Amazon’s everything store. Though if persistent rumors Apple is building its own alternative to Google search prove true, the project could open lucrative new ad opportunities.

And the company’s privacy pledges could limit how far it can go with ad targeting. Investment bank Evercore ISI estimates Apple will have a $30 billion ad business by 2026. That’s about the size of iPad sales in 2021, or a bit under half the company’s services revenue.

Apple is hiring lots of people in pursuit of advertising riches. A job ad for an ad tech engineering manager cites the company’s “complex and ever-growing platform needs that help deliver highly optimized advertising content to consumers.” As of September, Apple had around 250 employees working on its ad platforms, according to an analysis of LinkedIn data by the Financial Times, with job listings suggesting plans to nearly double that number.

Apple seems sensitive to how being seen to meddle too much in digital ads could tarnish its brand or attract regulatory pressure. It paid for a study, published in April, by a Columbia Business School professor that threw cold water on the idea that ATT helped it compete with the internet’s ad giants.

But Reinhold Kesler, a researcher at the University of Zurich in Switzerland, has found that ATT has helped Apple. The feature led some app developers to shift business models from being free but with ads to paid models, sometimes including in-app payments. That was to the benefit of Apple, which takes a 30 percent cut of such payments, though it’s understood that some companies have negotiated better rates.

Cusumano of MIT says Apple’s greatest challenge may be balancing its previous reputation for privacy against the data grab that digital ad businesses create. “Apple is a carefully manicured walled garden, not this advertisement-intense ecosystem like Google,” he says. Preserving that distinction while also growing ad revenue could be tricky. “Apple users are very loyal and forgiving,” says Kesler. “But if they push this to match their forecasts, I’ll be wondering whether users can overlook it.”

Apple Is an Ad Company Now

(May require free registration to view)

Microsoft leaked 2.4TB of data belonging to sensitive customer. Critics are furious

The spyware is deployed in a mass-surveillance operation that has been underway since at least 2016. In addition, multiple cybersecurity firms have reported on Domestic Kitten, which they believe is an Iranian state-sponsored hacking group.

The newest FurBall malware version was sampled and analyzed by ESET researchers, who report it has many similarities with earlier versions, but now comes with obfuscation and C2 updates.

Also, this discovery confirms that 'Domestic Kitten' is still ongoing in its sixth year, which further backs the hypothesis that the operators are tied to the Iranian regime, enjoying immunity from law enforcement.

New FurBall details

The new version of FurBall is distributed via fake websites that are visually clones of real ones, where victims end up after direct messages, social media posts, emails, SMS, black SEO, and SEO poisoning.

In one case spotted by ESET, the malware is hosted on a fake website mimicking an English-to-Persian translation service popular in the country.

In the fake version, there’s a Google Play button that supposedly lets users download an Android version of the translator, but instead of landing on the app store, they are sent an APK file  named ‘sarayemaghale.apk.’.

Depending on what permissions are defined in the Android app's AndroidManifest.xml file, the spyware is capable of stealing the following information:

• Clipboard contents
• Device location
• SMS messages
• Contact list
• Call logs
• Record calls
• Content of notifications
• Installed and running apps
• Device info

However, ESET says that the sample it analyzed has limited functionality, only requesting access to contacts and storage media.

These permissions are still powerful if abused, and at the same time, won't raise suspicions to the targets, which is likely why the hacking group restricted FurBall's potential.

If needed, the malware can receive commands to execute directly from its command and control (C2) server, which is contacted via an HTTP request every 10 seconds.

In terms of the new obfuscation layer, ESET says it includes class names, strings, logs, and server URI paths, attempting to evade detection from anti-virus tools.

Previous versions of Furball didn’t feature any obfuscation at all. Hence, VirusTotal detects the malware on four AV engines, whereas previously, it was flagged by 28 products.

The gang has Russian-speaking members that have been operating since at least March 2020 using self-made malware, focusing on Russian companies in the logistics, industry, insurance, retail, real estate, software development, and banking sectors.

Also known as TinyScouts, due to the names of the functions in the malicious code they use, OldGremlin is characterized by a small number of campaigns per year with million-dollar ransom demands.

In 2022, OldGremlin launched just five campaigns but they also demanded the highest ransom in the two and a half years of activity, $16.9 million, say researchers at Group-IB, a Singapore-based cybersecurity company.

OldGremlin demanded $16.9 million after encrypting Russian company - source: Group-IB

 

OldGremlin’s ransomware for Linux

 

Group-IB researchers have been tracking OldGremlin and their tactics, techniques, and procedures (TTPS) since the first attacks attributed to the group in March 2020.

During an incident response engagement this year, Group-IB found that OldGremlin targeted a Linux machine with a Go variant of the TinyCrypt ransomware the gang uses to encrypt Windows machines.

The researchers say that the Linux variant works in the same way as the Windows counterpart, using the AES algorithm with the CBC block cipher mode to encrypt files with a 256-bit key, which is encrypted using the RSA-2048 asymmetric cryptosystem.

The malware executable is wrapped using Ultimate Packer (UPX) and appends the .crypt extension to the encrypted files, among them being .RAW, .ZST, .CSV, .IMG, .ISO, SQL, TAR, TGZ, .DAT, .GZ, .DUMP.

Campaigns this year

Breaching the target is done through carefully prepared phishing emails that impersonate well-known organizations - RBC media group, consultant groups, developers of management systems, lobby groups, Minsk Tractor Works, a dental clinic, financial entities, law firms, a company in the metals and mining industry.

In campaigns this year, OldGremlin also started with a malicious email but changed the malware delivery method. Instead of distributing the initial stage payload directly through a malicious document, the attacker switched to tricking the victim into downloading the document from a file-sharing service.

The first payload is TinyFluff, a NodeJS backdoor that provides remote access to the system and the possibility to download additional payloads.

OldGremlin stays on the victim network for more than a month (49 days on average), collecting information that allows the discovery of high-value systems for encryption.

The group relies on a self-developed toolkit that includes the following:

• a reconnaissance tool
• malicious LNK files
• multiple backdoors (TinyPosh, TinyNode, TinyFluff, TinyShell)
• tool to extract data from Credential Manager
• tool to bypass antivirus software
• tool to isolate a device from the network
• TinyCrypt ransomware

The toolkit strongly suggests that OldGremlin is a highly skilled actor carefully preparing attacks to leave its victims with no other choice but to pay the ransom.

Apart from the custom tools, the attacker also uses open-source and commercial frameworks like PowerSploit and Cobalt Strike.

OldGremlin attacks this year come after a period of relative stagnation in 2021 when the group carried out just one phishing campaign and demanded $4.2 million from the victim.

The total number of attacks that researchers attribute to OldGremlin has now reached 16, most of them dating from 2020.

Although most ransomware gangs avoid targets in Russia and the countries in the Commonwealth of Independent States (CIS) region, Russian companies are still targeted for file-encrypting attacks.

Several groups do not align with this rule, which is followed by the letter by Russian cybercriminals, Dharma, Crylock, and Thanos being some of the most active in 2021.

Source

The incident was caused by the improper use of Meta Pixel on AAH's websites, where patients log in and enter sensitive personal and medical information.

Meta Pixel is a JavaScript tracker that helps website operators understand how visitors interact with the site, helping them make targeted improvements.

However, the tracker also sends sensitive data to Meta (Facebook) and is then shared with a massive network of marketers who target patients with advertisements that match their conditions.

This privacy breach has taken the U.S. by storm, as Meta Pixel is used by many hospitals in the country, exposing millions of people to third parties and sparking class action lawsuits against the responsible organizations.

In August 2022, U.S. healthcare provider Novant Health disclosed its improper use of Meta Pixel in its implementation of the 'MyChart' portal, exposing 1.3 million patients.

The 'MyChart' patient portal is also used by AAH, along with another platform named 'LiveWell,' both of which had active Meta Pixel trackers.

AAH's data breach notification says that the following information may have been exposed via Meta Pixel:

• IP address
• Dates, times, and locations of scheduled appointments
• Proximity to an AAH location
• Medical provider information
• Type of appointment or procedure
• Communications between MyChart users, which may have included first and last names and medical record numbers
• Insurance information
• Proxy account information

AAH reported that the breach affected 3 million people to the U.S. Department of Health, which listed it on its breach report portal.

The healthcare provider has disabled the Pixel tracker on all systems and is implementing safeguards to prevent a similar exposure from happening again.

Patients are advised to use their web browsers' tracker-blocking features or use incognito mode when logging in on medical portals. Those with a Facebook or Google account should review their privacy settings.

AAH has also compiled a FAQ page to help patients find answers to common questions about the data breach.

Source

The Texas AG says that Google allegedly used products and services like Google Photos, Google Assistant, and Nest Hub Max to collect a vast array of biometric identifiers, including voiceprints and records of face geometry since 2015.

This would be a violation of the state's biometric privacy act (aka the Capture or Use of Biometric Identifier Act) which requires companies to get request the users' consent when collecting their biometric identifiers (i.e., "a retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry").

"For more than a decade, Texas has prohibited companies from capturing Texans' biometric data—including the unique characteristics of an individual's face and voice—without their informed, advance consent," the petition reads [PDF].

"In blatant defiance of that law, Google has, since at least 2015, collected biometric data from innumerable Texans and used their faces and their voices to serve Google's commercial ends."

Stream of lawsuits targeting Google's privacy violations and more

Paxton has filed other lawsuits against Google for invading Texans' privacy while using its products and services.

For instance, in January 2022, the Texas AG sued Google for violating the Texas Deceptive Trade Practices-Consumer Protection Act.

Less than a week later, Paxton filed another lawsuit over Google alleged deceptive tracking of its users' location without consent and the use of location data for targeted ads.

"Google’s indiscriminate collection of the personal information of Texans, including very sensitive information like biometric identifiers, will not be tolerated," Paxton added today. "I will continue to fight Big Tech to ensure the privacy and security of all Texans."

The Australian Competition and Consumer Commission (ACCC) fined Google $60 million in August for misleading Australian Android users regarding collecting and using their location data for almost two years, between January 2017 and December 2018.

In January, France's National Commission on Informatics and Liberty (CNIL) also fined Google $170 million for making it difficult to reject tracking cookies by hiding the option behind multiple clicks, an infringement of the freedom of consent of Internet users.

Previously, Google was fined $2.72 billion for abusing its dominant market position to tweak search results, $1.7 billion for anti-competitive practices in online advertising, €220 million for favoring its services to the disadvantage of competitors, and $11.3 million for aggressive data collection.

Source

A new version of the Ursnif malware (a.k.a. Gozi) emerged as a generic backdoor, stripped of its typical banking trojan functionality.

This change could indicate that the operators of the new version are focusing on distributing ransomware.

Codenamed “LDR4,” the new variant was spotted on June 23, 2022, by researchers at incident response company Mandiant, who believe that it's being distributed by the same actors that maintained the RM3 version of the malware over the past years.

New Ursnif campaign

The Ursnif LDR4 variant is delivered via fake job offer emails containing a link to a website that impersonates a legitimate company.

The tactic of posing as a job recruiters is not new for the Ursnif gang, who has has used this strategy before.

Visitors of the malicious site are requested to solve a CAPTCHA challenge to download an Excel document with macro code that fetches the malware payload from a remote resource.

The malicious Excel document used in the current campaign (Mandiant)

 

The LDR4 variant comes in DLL form (“loader.dll”) and is packed by portable executable crypters and signed with valid certificates. This helps it evade detection from security tools on the system.

Mandiant’s analysts dissecting LDR4 noticed that all banking features have been removed from the new Ursnif variant and its code has been cleaned and simplified.

Backdoor era

Upon execution, the new Ursnif collects system service data from the Windows registry and generate a user and a system ID.

Next, it connects to the command and control server using an RSA key available in the configuration file. Then it attempts to retrieve a list of commands to execute on the host.

POST request sent by Ursnif to the C2 server (Mandiant)

 

The commands supported by the LDR4 variant are the following:

• Load a DLL module into the current process
• Retrieve the state of the cmd.exe reverse shell
• Start the cmd.exe reverse shell
• Stop the cmd.exe reverse shell
• Restart the cmd.exe reverse shell
• Run an arbitrary command
• Terminate

The built-in command shell system that uses a remote IP address to establish a reverse shell isn’t new, but now it is embedded into the malware binary instead of using an additional module, as did the previous variants.

The plugin system has also been eliminated, as the command to load a DLL module into the current process can extend the malware’s capabilities as needed.

One example seen by Mandiant is the VNC (virtual network computing) module (“vnc64_1.dll”), which gives LDR4 the ability to perform “hands-on” attacks on compromised systems.

With the latest version, Ursnif LDR4 operators appear to have improved the code for a more specific task, that of an initial compromise tool that opens the door for other malware.

Mandiant notes that ransomware operations is likely the direction the developers are heading to, as researchers identified on an underground hacker community a threat actor looking for partners to distribute ransomware and the RM3 version of Ursnif.

Source

But nearly 300 million people were affected by 1,862 corporate data breaches last year in the U.S. alone, according to the nonprofit Identity Theft Resource Center. Past studies from the University of Maryland show that hackers launch attacks roughly every 39 seconds.

Knowing how to repel those online “threat actors” before they gain access to your information and financial accounts starts with knowing how hackers think. That’s why some companies turn to Kevin Mitnick for cybersecurity advice.

Mitnick is a former hacker who spent five years in federal prison after being convicted of wire fraud and other crimes in 1995. For the past two decades, he’s been a computer security consultant whose firm, Mitnick Security Consulting, advises clients from government agencies to Fortune 500 companies like Microsoft.

Personal cybersecurity often boils down to “a balance between security and convenience,” Mitnick says. Most people are aware of some of the basic steps they should take to keep their data safe, but as soon as they inconvenient to regularly follow, people get sloppier — leaving a potential window of opportunity open for hackers.

“The more security a consumer wants, the more inconvenient it will be,” Mitnick tells CNBC Make It.

From simpler tactics, like getting a better handle on your laundry list of account passwords, to more advanced options — including one that Mitnick says could improve your chances of evading hackers by 98% — the cybersecurity expert lays out several tips for the average person looking to beef up their online security and avoid getting hacked.

Where to start: Manage your passwords

“For consumers who aren’t technical wizards or information security consultants, the first thing where people make mistakes is in constructing their passwords,” Mitnick says.

If you feel like you have an endless list of passwords to remember, you’re definitely not alone. The average person has more than 100 different online accounts requiring passwords, according to online password manager NordPass.

The simpler your passwords are for you to remember, the easier they are for hackers to guess, especially if you’ve ever had information leaked online in a data breach and you regularly reuse passwords for multiple different accounts.

That’s why using a free password manager app — he suggests LastPass or 1Password — “is an absolute must,” Mitnick says. The app can securely store all of your passwords, or even generate new ones, and can only be accessed by a single master password.

Given that, you should pick a master key that’s particularly difficult to crack. “That password for your master password to unlock should be at least 25 characters or more,” Mitnick says.

Try using a simple, full sentence, like “Today, I Went To The Beach,” with each word capitalized and spaces in between before ending with a punctuation mark and possibly a number. “It’s easy to remember,” Mitnick says. And, even more importantly, he adds, “it’s going to be very difficult for an attacker to compromise through brute force.”

Password managers can also remind you to stop reusing passwords for multiple accounts, a lazy practice that Mitnick says can give hackers a leg up in accessing your information.

“What attackers do is they find credentials in data breaches,” he says. “And, then because people tend to reuse passwords, the threat actors will try that password, or variations of it, because usually you can identify people’s patterns in choosing passwords and guess them that way.”

More advanced options: Multi-factor authentication and physical keys

Several big tech companies are working toward a passwordless future. Those include Apple, which has expanded its Passkeys feature so you can use a fingerprint or facial recognition to access apps and accounts on many Apple devices.

You may also be familiar with multi-factor authentication, which most financial institutions or tech companies already use in some form. That’s when your bank sends a code over text or email to verify your identity when you’re logging in.

That authentication processes can still be compromised, Mitnick says. Malware could let hackers see your texts and emails, and simple phishing attacks could help a hacker gain your trust, leading you to directly send them your account information.

For two-factor authentication that is not “phishable,” Mitnick recommends using encryption software like FIDO2 or WebAuthn. They can be paired with a physical security key, like a Yubikey, which resembles a USB drive that plugs into your computer. The encryption is unique to you and your device, and can only be unlocked with a PIN and the physical key itself.

Mitnick calls physical security keys “the highest security level” when it comes to signing into your online accounts. The option is already supported by a variety of major tech platforms and services — including Google, Amazon, Microsoft, Twitter, and Facebook.

Even so, it’s not always foolproof: Those platforms still typically allow you to log in through alternative methods, like multi-factor authentication, if you don’t have your security key on you.

An even more advanced option that ‘raises the bar 98%’

If you’re extremely serious about keeping your financial information safe from hackers, and you’re willing to spend additional time and money to do so, Mitnick suggests buying a separate computer or tablet specifically for logging into your financial accounts or other sensitive accounts and data. He also recommends using a separate password manager just for that device.

You can use a relatively cheap device, too: Chromebooks start at around $250 and are currently safer from malware and other viruses than most devices, Mitnick says.

All of this sounds extremely “inconvenient,” Mitnick admits. But these extreme steps do increase your chances of evading hacking attempts.

“You’re raising the bar like 98%,” he says.

Your best tool: Awareness

Your best defense against getting hacked might be your own ability to recognize when a malicious actor is trying to get you to send them your account information.

“The number one way that bad actors compromise targets is through phishing attacks. And they’re very clever,” Mitnick says.

Mitnick’s firm regularly performs simulated phishing attacks for corporate clients to ensure that employees are familiar with the latest and most prevalent tactics. Some common phishing scams claim to be from a bank or tech service you subscribe to, and which falsely claim you need to take some sort of urgent action or else face dire consequences. You might be asked to follow a link or enter in your account information and passwords, accidentally handing them over to a hacker.

Be vigilant and only click on links, or enter your information, when you’re absolutely sure it’s safe to do so, Mitnick says.

“The rules should be you never download anything unless you’re expecting it or you ordered a piece of software, and ... never click a link and put your username and password in something that you didn’t initiate,” he says. “That’s a simple rule set that people should have.”

Source

Trade in Medibank shares has been halted on the Australian Securities Exchange since Wednesday when police were alerted that the company had been contacted by what it described as a “criminal” who wanted to negotiate over the stolen personal data of customers.

Medibank, which has 3.7 million customers, said on Thursday the criminal had provided a sample of 100 customer policies from a purported haul of 200 gigabytes of stolen data.

Details included customer names, addresses, birth dates, national health care identification numbers and phone numbers.

Cybersecurity Minister Clare O’Neil said most concerning was that records of medical diagnoses and procedures had also been stolen.

“Financial crime is a terrible thing. But ultimately, a credit card can be replaced,” O’Neil told reporters.

“The threat that is being made here to make the private, personal health information of Australians made available to the public is a dog act,” she added.

The thief had threatened to sell Medibank data to third parties and singled out records of 1,000 politicians, media personalities, actors, LGBTQ activists and drug addicts for exposure, Nine Network News reported.

Source

While VPNs can be used in your favor, your ISP, government, or even websites can build a wall by using a VPN block for various reasons. These reasons are likely to be government censorship, copyright, school and workplace restriction, and location restrictions. For example, internet providers in China perform Deep Packet Inspection for detecting and blocking VPN traffic.

VPN blocks are essentially tools that can detect VPN usage and deny access. It is a technique for blocking encrypted protocol tunneling. There are various methods for building a VPN block and even more for bypassing them.

Types Of VPN Block

Whether you want to use it across your corporate network or you are casually surfing on the Internet, a VPN block can either deny your access or help to restrict unwanted, unauthorized access. There are various reasons for VPN block usage.

Essentially, it is used as a prevention method for blocking access to certain restricted or banned endpoints across a network. And there are different types of constructing a VPN block to do so. The main methods of VPN blockage include IP blocks, Deep Packet Inspection (DPI), and Port blocking.

IP blocks restrict IP addresses that VPN providers use directly. So, certain VPNs are blocked straightforwardly. When an internet service provider or a website detects internet protocol addresses and identifies them as blocked ones, you cannot get access to restricted endpoints with a VPN whatsoever.

Another method of blocking a VPN is Deep Packet Inspection. DPI is a method of detailed packet filtering to examine the traffic of a network. While a regular packet inspection analyzes the headers of the data flow solely, a deep packet inspection analyzes the codes and details of data packets and determines what to do with them.

Additionally, DPI can detect applications, data usage behaviors, and even VPNs. So, the moment deep packet inspection detects certain codes and data of VPN usage, it blocks access or stops the activity.

Another method of VPN block is port blocking. As its name suggests, port blocking restricts certain ports from accessing to Internet. VPNs are using specific ports of UDP and TCP  when establishing an Internet connection. So basically, ports can be monitored for filtering out VPN connections.

Methods Of Bypassing VPN Blocking

Although VPNs are instruments to gain access to restricted areas on the Internet, internet service providers, the government, or even websites can block VPNs. While there are various methods to stop a VPN from accessing specific endpoints, numerous bypassing methods also exist.

Additionally, to guarantee VPN connections are undetected, the methods include getting a static IP address, using obfuscated VPN servers, port switching, changing VPN protocols, and simply changing servers.

1. Static IP Address

A static IP address is a unique address that identifies a device with a 32-bit number on the Internet. A static IP address is also known as dedicated IP or fixed IP address. This static IP helps users to ensure an encrypted and safe connection since it is for individual use.

Static IP addresses grant fixed addresses for individuals, so it doesn’t change according to the server. This helps you to pass IP address blocklists and ensure gaining connection as it attracts less attention.

2. Obfuscated VPN Servers

Obfuscated VPN servers use special encryption methods to conceal your identity and the data packets, making them seems like regular packet. So, it makes the user look like they are not using a VPN. These obfuscated servers are used for bypassing VPN blocks and firewalls especially. Note that not every VPN provider offers obfuscated servers, and each provider uses different methods to obfuscate the data.

3. Port Switching

Port switching is an alternative method for bypassing blocks. VPN providers use more than one port to establish an Internet connection. Sometimes internet providers or networks ban VPNs that use specific ports. When this is the case, it is possible to gain access by simply changing ports. But if your port switching is not in discretion, your ISP or the network can block each port you are using.

Sometimes applications offer port switching in their setting directly, but in case it doesn’t have an in-app option to do so, you have to manually switch ports that you are using the VPN on. Additionally, different VPN tunneling protocols each have default ports that they use. If you want to use other ports, again you need to switch them manually.

On top of these, you need to be aware of which tunneling protocols are compatible with the port you will be using. For example, L2TP (Layer 2 Tunneling Protocol) has a single port UDP reliance.

4. Changing VPN Protocols

One of the simpler methods includes switching VPN protocols in use. Sometimes firewalls of networks can block the use of certain VPN tunneling protocols. If that’s the case, the solution would include using different protocols for gaining access. You can do this by going to your VPN’s settings and changing your tunneling protocol there. So, using the latest and less-used VPN tunneling protocols like Wireguard can help you solve blocking issues.

For instance, L2TP (Layer 2 Tunneling Protocol) is a protocol that establishes secure tunneling for connections. Layer 2 tunneling protocol is often paired with IPsec to ensure data encryption and security. IPsec uses a 256-AES variant that makes data packets extremely difficult to read.

Wireguard is the latest VPN protocol developed. This tunneling protocol has tight encryption primitives and it offers secure tunneling for agile connections and roaming. It is widely used for helping users to bypass VPN blocks.

5. Changing Servers

Simply changing servers can do you wonders. VPN providers offer a ton of servers for establishing a connection. It is the easiest way to bypass a VPN block in the first place. If switching servers seem to not work, you can also switch your VPN provider and see if that works.

The parties that are blocking VPNs sometimes focus on specific more popular VPN options. So, switching VPNs and therefore servers might work in your favor as well. If not, you can resort to other methods to bypass restrictions and ensure encrypted connections.

Final Remarks

VPN blocks are tools preventing encrypted protocol tunneling that VPNs are using. While corporations use VPN blocks for productivity, governments and ISPs can use them for extreme measures or security reasons. After all, VPN blocks are used for various reasons, and there are numerous ways of bypassing them. Whatever the reason is, you need to understand its construction to bypass it.

Source : https://www.startupguys.net/what-is-a-vpn-block/

REvil reached its pinnacle of success in the first half of 2021, compromising thousands of companies in a Kaseya MSP supply-chain attack, demanding a $50 million payment from computer maker Acer, and extorting Apple using stolen blueprints of non-yet-released devices.

The REvil ransomware gang finally shut down in October 2021 following intense pressure from law enforcement. However, in January 2022, the Russian authorities announced arrests, money seizures, and charges against eight of the gang's members.

In December 2021, a new ransomware operation named ‘Ransom Cartel’ was launched that shared many code similarities to REvil’s malware.

A possible rebrand?

A new report from Palo Alto Network's Unit 42 sheds further light on the connection between the two cybercrime gangs, sharing similarities in techniques, tactics, and procedures (TTPs) and, most importantly, common ground in the code of their malware.

Because the source code of REvil's encrypting malware was never leaked on hacking forums, any new project using similar code is either a rebrand or a new operation launched by a core member of the original gang.

When analyzing encryptors for Ransom Cartel, the researchers found similarities in the structure of the configuration embedded in the malware, although the storage locations are different.

The samples analyzed by Unit 42 show that Ransom Cartel is missing some configuration values, meaning that the authors are either trying to make the malware leaner or that their basis is an earlier version of the REvil malware.

The encryption scheme is where the similarities become stronger, with Ransom Cartel's samples generating multiple pairs of public/private keys and session secrets, an REvil system that shined in the Kaseya attacks.

REvil's intricate secret generation mechanism also seen in Ransom Cartel malware (Unit 42)

 

"Both use Salsa20 and Curve25519 for file encryption, and there are very few differences in the layout of the encryption routine besides the structure of the internal type structs," explains the report by Unit 42 researchers Daniel Bunce and Amer Elsad.

An interesting finding is that the Ransom Cartel samples do not feature REvil's strong obfuscation, which might mean that the authors of the new malware don't possess REvil's original obfuscation engine.

Ransom Cartel operations

There are also similarities in the tactics, techniques, and procedures (TTPs) used by REvil and Ransom Cartel, such as double-extortion attacks, large ransom demands, and a data leak site to pressure victims into paying a ransom.

However, one technique used by Ransom Cartel, and not seen in REvil attacks, is using the Windows Data Protection API (DPAPI) to steal credentials.

For this method, Ransom Cartel uses a tool named "DonPAPI," which can search hosts for DPAPI blobs containing Wi-Fi keys, RDP passwords, and credentials saved in web browsers and then download and decrypt them locally on the machine.

These credentials are then used to compromise Linux ESXi servers and authenticate to their vCenter web interfaces.

Finally, the threat actors shut down VMs, terminate all related processes, and encrypt Vmware-related files (.log, .vmdk, .vmem, .vswp and .vmsn).

The existence of DonPAPI, a not commonly used tool, indicates that the operators of Ransom Cartel are experienced threat actors.

Another REvil-linked ransomware operation?

While there are strong connections between Ransom Cartel and REvil, they are not the only ransomware gang currently using REvil's code.

In April 2022, another ransomware operation we call 'BlogXX' was found, whose encryptors were almost identical to the REvil encryptors.

Researchers at the time told BleepingComputer that the BlogXX encryptor was not only compiled from REvil's source code but also included new changes.

"Yes, my assessment is that the threat actor has the source code. Not patched like "LV Ransomware" did," security researcher R3MRUM told BleepingComputer at the time.

AdvIntel CEO Vitali Kremez also told BleepingComputer that BlogXX's encryptors included a new 'accs' configuration option that contained account credentials for the targeted victim.

Furthermore, the new ransomware operation used identical ransom notes and called themselves 'Sodinokibi,' an alternate name for REvil, on their Tor payment sites.

BlogXX ransom note is identical to the one used by REvil - Source: BleepingComputer

 

However, unlike Ransom Cartel, BlogXX's history has an additional component that lends strong evidence that they are, in fact, the REvil rebrand.

After REvil’s shut down, the gang’s old Tor websites were revived, but this time redirected visitors to the BlogXX operation’s data leak site.

While these sites looked nothing like REvil's previous websites, the fact that the old Tor sites were redirecting to BlogXX's sites showed that the new operation had control of REvil's Tor private keys.

As only the original REvil operators would possess these Tor private keys, it showed a strong connection between the two gangs.

While irrefutable evidence that BlogXX or Ransom Cartel are rebrands of the REvil operation is yet to be found, it’s quite clear that at least some of the original members are behind these new ransomware operations.

Source

Based on its features, the malware is designed for cyberespionage, mainly engaging in data exfiltration from the compromised system.

When first detected, the PowerShell backdoor was not seen as malicious by any vendors on the VirusTotal scanning service.

However, its cover was blown due to operational mistakes by the hackers, allowing SafeBreach analysts to access and decrypt commands sent by the attackers to execute on infected devices.

From job application to PowerShell backdoor

The attack begins with the arrival of a phishing email with an attached malicious document named "Apply Form.docm." Based on the file contents and metadata, it is likely themed after a LinkedIn-based job application.

The document lure containing the macro (SafeBreach)

 

The document contains malicious macros that drop and execute an 'updater.vbs' script that creates a scheduled task to impersonate a routine Windows update. 

The VBS script then executes two PowerShell scripts, "Script.ps1" and "Temp.ps1," both of which are stored inside the malicious document in obfuscated form.

When SafeBreach first discovered the scripts, none of the antivirus vendors on VirusTotal detected the PowerShell scripts as malicious.

VirusTotal returning clean scans on both scripts (SafeBreach)

 

"Script.ps1" connects to the attacker's command and control servers (C2), sends a victim ID to the operators, and then awaits a command received in AES-256 CBC encrypted form.

Based on the ID count, SafeBreach analysts concluded that the threat actor's C2 had logged 69 IDs before them, which is likely the approximate number of breached computers.

The "Temp.ps1" script decodes the command in the response, executes it, and then encrypts and uploads the result via a POST request to the C2.

SafeBreach took advantage of the predictable victim IDing and created a script that could decrypt the commands sent to each of them.

The analysts found that two-thirds of the commands were to exfiltrate data, with the others used for user enumerations, file listings, removal of files and accounts, and RDP client enumerations.

Unknown stealthy threats

This PowerShell backdoor is a characteristic example of unknown stealthy threats used in attacks on government, corporate, and private user systems.

Defenders need not only to be informed about the known or emerging threats but also to account for unknown vectors that may be capable of bypassing security measures and AV scans.

While some AV engines can heuristically detect malicious behavior in the PowerShell scripts, threat actors constantly evolve their code to bypass these detections.

The best way to achieve this is by applying security updates as quickly as possible, limiting remote access to endpoints, following the least privilege principle, and monitoring network traffic regularly.

To a great extent, it provides the same capabilities as DDoS Network Protection (previously known as DDoS Protection Standard), which is designed to help large enterprises and organizations to defend significantly larger resource deployments.

Essential capabilities bundled with this new SKU include L3/L4 automatic attack detection and mitigation, metrics and alerts, mitigation flow logs and policies tuned to customer applications.

The new SKU comes with Azure Firewall Manager, Microsoft Sentinel, and Microsoft Defender for Cloud integration.

Unlike the enterprise offering, DDoS IP Protection does not have support for DDoS rapid response support, cost protection, and discounts on WAF.

"With the DDoS IP Protection SKU, customers now have the flexibility to enable DDoS protection on individual public IP addresses," Microsoft Senior Product Manager for Azure Networking Amir Dahan said.

"SMB customers who have a few public IP addresses to protect will benefit from this cost-effective DDoS protection option."

How DDoS IP Protection works (Microsoft)

 

As further highlighted by Dahan, the list of DDoS IP Protection key features includes:

• Massive mitigation capacity and scale: Defend your workloads against the largest and most sophisticated attacks with cloud-scale DDoS protection backed by Azure's global network.
• Adaptive tuning: Protect your apps and resources while minimizing false negatives with adaptive tuning tuned to your application's scale and actual traffic patterns.
• Attack analytics, metrics, and logging: Monitor DDoS attacks near real-time and respond quickly to attacks with visibility into the attack lifecycle, vectors, and mitigation.
• Integration with Azure Firewall Manager: Centrally manage your DDoS protection across your environment alongside other network security services.
• Integration with Microsoft Sentinel and Microsoft Defender for Cloud: Strengthen your security posture with rich attack analytics and telemetry integrated with Microsoft Sentinel and security alerts and recommendations provided by Microsoft Defender for Cloud.

DDoS IP Protection is available in preview in select regions, and customers can only enable it on Public IP Standard SKU after enrolling.

You can configure the SKU in the Azure Preview Portal as part of the Azure DDoS Protection configuration workflow.

Billing for IP Protection will be effective starting February 1st, 2023, and you can find more pricing info on the Azure DDoS Protection pricing page.

UEFI bootkits are planted in the system firmware and are invisible to security software running within the operating system because the malware loads in the initial stage of the booting sequence.

While cybercriminals who want a license for this Windows bootkit have to pay $5,000, the threat actor says rebuilds would only set them back $200. 

The seller says BlackLotus features integrated Secure Boot bypass, has built-in Ring0/Kernel protection against removal, and will start in recovery or safe mode.

BlackLotus claims to come with anti-virtual machine (anti-VM), anti-debug, and code obfuscation features to block malware analysis attempts. The seller also claims that security software cannot detect and kill the bootkit as it runs under the SYSTEM account within a legitimate process.

Even more, this tiny bootkit with a size of only 80 kb on disk after installation can disable built-in Windows security protection such as Hypervisor-Protected Code Integrity (HVCI) and Windows Defender and bypass User Account Control (UAC).

"The software itself and the Secure Boot bypass work vendor independent. A vulnerable signed bootloader is used to load the bootkit if Secure Boot is used," the threat actor explained when a potential "customer" asked if it would work with a particular firmware.

"Patching this vulnerability by adding it to the UEFI revocation list is currently impossible, as the vulnerability affects hundreds of bootloaders that are still used today."

APT-level malware now more widely available

Kaspersky lead security researcher Sergey Lozhkin also spotted BlackLotus being advertised on criminal forums and warned that this is a significant move since this type of capability has commonly been available only to state-sponsored hacking groups.

"These threats and technologies before were only accessible by guys who were developing advanced persistent threats, mostly governments. Now these kinds of tools are in the hands of criminals all over the forums," Kaspersky lead security researcher Sergey Lozhkin said last week.

Other security analysts tagged BlackLotus' wide availability for any cybercriminal with deep enough pockets as a leap toward wider availability of APT-level capabilities in off-the-shelf malware.

"I've reviewed its features and capabilities and right off the bat, these are the salient points that every blue team and red team alike should be full aware of," Eclypsium's Scott Scheferman also warned.

"Considering this tradecraft used to be relegated to APTs like the Russian GRU and APT 41 (China nexus), and considering prior criminal discoveries we've made (e.g. Trickbot's Trickboot module), this represents a bit of a 'leap' forward, in terms of ease of use, scalability, accessibility and most importantly, the potential for much more impact in the forms of persistence, evasion and/or destruction."

However, Scheferman said that until a sample is found, there is no way to determine if the feature-set is complete or if it is even production ready.

"It should be noted, too, that until we or someone obtains a sample of this malware and runs it on a close-to-production box in a lab, there is always the chance it isn't ready for show time yet, or certain aspects of its features aren't working right, or even the chance the entire thing is a scam," he added.

If confirmed, this would be a worrying trend seeing that BlackLotus can also be used to load unsigned drivers that could be used in Bring Your Own Driver (BYOVD) attacks.

In recent weeks, such attacks have been linked to a wide range of threat actors, including state-backed hacker groups, ransomware gangs, and unknown attackers.

Source

The threat actor has been using custom malware called Spyder Loader, which has been previously attributed to the group.

In May 2022, researchers at Cybereason discovered ‘Operation CuckooBees’, which had been underway since 2019 focusing on high-tech and manufacturing firms in North America, East Asia, and Western Europe.

Symantec’s report notes that there are signs that the newly discovered Hong Kong activity is part of the same operation, and Winnti's targets are government agencies in the special administrative region.

Spyder Loader

In Operation CuckooBees, Winnti used a new version of the Spyder Loader backdoor. Symantec’s report indicates that the hackers continue to evolve the malware, deploying several variants on the targets, all with the same functions.

Some of the similarities Symantec found when compared to the version analyzed by Cybereason include:

• using the CryptoPP C++ library
• abuse of rundll32.exe for the execution of the malware loader
• compiled as a 64-bit DLL modified copy of the SQLite3 DLL for managing SQLite databases, sqlite3.dll, with a malicious export (sqlite3_extension_init)
•  

Used in the initial infection stage, Spyder Loader loads AES-encrypted blobs that create the next-stage payload, “wlbsctrl.dll.”

Activity and goals

Symantec analysts also observed the deployment of the Mimikatz password extractor in the latest campaigns, allowing the threat actor to burrow deeper into the victim network.

Additionally, the researchers saw "a trojanized ZLib DLL that had multiple malicious exports, one of which appeared to be waiting for communication from a command-and-control server, while the other would load a payload from the provided file name in the command line.”

Although Symantec couldn’t retrieve the final payload, it appears that the goal in APT41’s latest campaign was to collect intelligence from key entities in Hong Kong.

Symantec expects Winnti to continue to evolve its malware toolkit and introduce new payloads, as well as add more layers of obfuscation where possible.

According to a new report by Kaspersky, the DiceyF APT group does not appear to be targeting financial gains from the casinos but instead conducting stealthy cyberespionage and intellectual property theft.

The DiceyF activity aligns with “Operation Earth Berberoka” reported by Trend Micro in March 2022, both pointing to the threat actors being of Chinese origin.

Targeting casinos

The attack framework used by the APT is named ‘GamePlayerFramework’, and is a C# rewrite of the C++ malware ‘PuppetLoader.’

The framework features payload downloaders, malware launchers, plugins, remote access modules, keyloggers, clipboard stealers, and more.

The most recent executables sampled by Kaspersky are 64-bit .NET files, but there are also 32-bit executables and DLLs in circulation.

The framework maintains two branches, namely “Tifa” and “Yuna,” which are developed separately and feature different levels of sophistication and complexity. “Yuna” is the more sophisticated of the two, also observed in the wild later.

The framework's loading process (Kaspersky)

 

After the framework is loaded on the target’s machine, it connects to the C2 server and sends XOR-encrypted heartbeat packets every 20 seconds, containing the victim’s username, user session status, size of collected logs, and current date and time.

The C2 can respond with a set of 15 commands that may order the framework to collect additional data, execute a command on “cmd.exe”, update the C2 configuration, and download a new plugin.

Any plugins downloaded from the C2 are loaded directly into the framework without touching the disk to minimize the likelihood of detection.

Their functions include stealing cookies from Chrome or Firefox, snatching clipboard contents, establishing virtual desktop sessions, snapping screenshots, performing port forwarding, and more.

Fake Mango app

Kaspersky has also discovered that DiceyF is using a GUI app that mimics a Mango Employee Data Synchronizer, which drops Yuna downloaders within the organization’s network.

The fake Mango app reaches employees of the casino firms as an installer of a security app, likely sent by the threat actors via phishing emails.

The fake app uses social engineering tactics like displaying the floor where the target organization’s IT department is housed to give the victim the illusion of legitimacy.

The fake GUI app used by DiceyF (Kaspersky)

 

The app connects to the same C2 infrastructure as the GamePlayerFramework, and exfiltrates OS, system, network data, and Mango messenger data.

“The code is under continuous incremental change, and its versioning reflects a semi-professional management of the codebase modifications,” explains Kaspersky.

“Over time, the group added Newtonsoft JSON library support, enhanced logging, and encryption for logging.”

Kaspersky comments that using a visible window doesn’t make it suitable only for tricking employees but also good against AVs, which generally treat GUI-based tools with less suspicion.

To make the tool even stealthier against security tools, the threat actors have signed it with a stolen valid digital certificate, the same one used for the framework too.

A stolen valid certificate that signs most DiceyF tools (Kaspersky)

 

In conclusion, DiceyF has demonstrated excellent technical capacity to adjust its tools to the oddities of each victim, transforming its codebase over time as the intrusion progresses.

While these attacks are not as sophisticated or effective as actual supply chain breaches, they can still be tough to detect and stop, especially when they target multiple employees in an organization.

He also pointed out that you can set new chats to disappear with the tap of a button so that your messages are impossible to pull up on your phone. Additionally, he said that WhatsApp has end-to-end encrypted backups. Mark mentioned that none of the aforementioned features are available to iMessage users, and therefore WhatsApp is more secure.

Mark’s post on Facebook was accompanied by a WhatsApp advertisement above Pennsylvania Station. The company announced back in August that it would be running a global ad campaign, starting in the UK, emphasizing the privacy-related features of its products to the public.

It’s too early to tell yet how the campaign will work out for Meta, but it will have its work cut out, as Meta hasn’t garnered the best reputation, especially while the company was still known as Facebook.

Zuckerberg claims WhatsApp is superior to iMessage in privacy and security

Currently, most TV shows and movies are final products once they have been released. There is no option to modify the content anymore. With Virtual Product Placement ads, this is a thing of the past, at least when it comes to streaming media.

Amazon presented its new Virtual Product Placement tool recently to advertisers. It allows advertisers to directly into streaming content after it has been filmed and product. Peacock's In-Scene advertisement is a similar product that advertisers may use to insert their products or messages into already produced content.

Product placement is a billion Dollar business. Sometimes, product placements are easily spotted by viewers, while at other times, it is more subtle. Up until now, the decision to advertise certain products in a movie or TV show had to be made during filming. The new technology allows advertisers to decide on placements after production.

Virtual Product Placement ads are not targeting individual viewers currently, but future iterations of the technology may allow just that. Streaming giants such as Amazon may use it to display targeted ads to each individual viewer. Amazon is in a prime position, as it already has lots of information about its customers thanks to its shopping site and other services.

There is also the chance that other changes are made to video streams without the viewer even knowing about them.

TechCrunch reports that Amazon is using the beta ad product already in some of its shows, including Bosch: Legacy, Bosch, Reacher, Leverage: Redemption and Tom Clancy's Jack Ryan. Prime Video and the ad-powered Frevee service use it.

It is not clear whether the new advertising product is used in all Prime markets or only in specific markets. Local legislation may prevent certain product placement types or require that companies display disclaimers.

Closing Words

Amazon's Virtual Product Placement ads technology is in beta currently. It remains to be seen how it evolves in the coming months and years, and whether it will launch in all markets or only select ones.

It will be interesting to see whether companies will use the advertising technology on their ad-free products, or if they will reserve these to ad-financed products only. Amazon seems intent to use it on Prime Video and Freevee.

Viewers have little options against this form of product placement, provided that the companies do not integrate an off-switch for these. Abstinence and the purchase of DVDs and Blu-Rays are the only working options in the worst case scenario.

Now You: do you use streaming services?

The future of streaming video is scary: Virtual Product Placement Ads incoming

On Saturday, the newspaper issued an “emergency” six-page edition while all planned obituaries were posted on the website. Phone and email communication remained offline during the weekend.

The regional publication has a circulation of about 75,000 copies, but due to printing issues has temporarily lifted the paywall from its website, which counts approximately 2 million visitors per month.

Editor-in-chief Uwe Ralf Heer said that the attack impacted the entire Stimme Mediengruppe media group, which includes the companies ‘Pressedruck’, ‘Echo’, and ‘RegioMail.’

Echo, which circulates 254,000 copies, was also affected by the cyberattack, and there were issues accessing its e-paper on the website. The online news portal Echo24.de, however, continues operations as normal.

Heer states that the attack was conducted by a well-known cybercriminal group that encrypted their systems on Friday night and left ransom notes behind. However, as of Saturday afternoon, no specific ransom demands have been made.

BleepingComputer has contacted Stimme Mediengruppe for more information about the attack, and we will update this post as soon as we know more.

Employees working from home

The newspaper’s editors were told to work from home on their personal computers, and new email addresses were assigned to them.

The media group is working with the police to find a way to resolve the technical issues as soon as possible, as well as to try to identify the perpetrators.

Cybersecurity experts from the state of Baden-Württemberg are also assisting in the remediation effort at the request of Interior Minister Thomas Strobl.

“We officially work together with the police, data protection, and external experts in order to be able to perform as quickly as possible with the usual quality,” reads the notice.

“However, we cannot currently foresee whether we will deliver a newspaper every day in the coming week.”

Until the printing systems return to normal operational status, Heilbronn Stimme will continue to print emergency editions via a third party in Karlsruhe.

Because the media group is also a distributor, the circulation of other popular newspapers like ‘Süddeutsche Zeitung’ and ‘Stuttgarter Zeitung’ in the district of Heilbronn (pop. 350,000) will also stop until further notice.

Source