The criminals only targeted cars that use keyless entry and start systems and stole them after exploiting their keyless technology to unlock the doors and start the engines without having to use the key fobs.

To do that, they used a fraudulent tool promoted online as an automotive diagnostic solution to replace the stolen cars' software and bypass the vehicles' keyless system to enter and steal them.

The cyberspace command of the French National Gendarmerie (FNG) also seized the domain for the fraudulent software used to hack the cars' keyless tech. Still, Europol's press release doesn't mention the URL of the website or the domain where it was hosted.

"As a result of a coordinated action carried out on 10 October in the three countries involved, 31 suspects were arrested. A total of 22 locations were searched, and over EUR 1 098 500 in criminal assets seized," Europol said.

"Among those arrested feature the software developers, its resellers and the car thieves who used this tool to steal vehicles."

While Europol didn't provide any details on how the attacks managed to hack the keyless vehicles, remote keyless entry (RKE) systems are vulnerable to various there are

The investigation was started by the French Gendarmerie's Cybercrime Centre (C3N), with the French authorities also opening a case at Eurojust in September 2022.

The European Union judicial cooperation agency facilitated the cross-border judicial coordination between the French, Latvian, and Spanish national authorities involved in the joint operation.

Europol has also supported the investigation since March 2022 by providing intelligence and analysis support to the countries targeted by this criminal ring.

BleepingComputer reached out to Europol requesting more information but did not receive a reply before this article was published.

Source

This flaw enables attackers to prevent Windows from applying (MotW) labels on files extracted from ZIP archives downloaded from the Internet.

Windows automatically adds MotW flags to all documents and executables downloaded from untrusted sources, including files extracted from downloaded ZIP archives, using a special 'Zone.Id' alternate data stream.

These MotW labels tell Windows, Microsoft Office, web browsers, and other apps that the file should be treated with suspicion and will cause warnings to be displayed to the user that opening the files could lead to dangerous behavior, such as malware being installed on the device. 

Will Dormann, a senior vulnerability analyst at ANALYGENCE, who first spotted ZIP archives not properly adding MoTW flags, reported the issue to Microsoft in July.

Although Microsoft opened and read the report more than two months ago, in August, the company hasn't yet released a security update to fix the flaw.

"Attackers therefore understandably prefer their malicious files not being marked with MOTW; this vulnerability allows them to create a ZIP archive such that extracted malicious files will not be marked," Kolsek said.

"An attacker could deliver Word or Excel files in a downloaded ZIP that would not have their macros blocked due to the absence of the MOTW (depending on Office macro security settings), or would escape the inspection by Smart App Control."

Free micropatches until Microsoft releases a fix

Since the zero-day was reported to Microsoft in July, it has been detected as exploited in attacks to deliver malicious files on victims' systems.

Until Microsoft releases official updates to address the flaw, 0patch has developed free patches for the following affected Windows versions:

1. Windows 10 v1803 and later
2. Windows 7 with or without ESU
3. Windows Server 2022
4. Windows Server 2019
5. Windows Server 2016
6. Windows Server 2012
7. Windows Server 2012 R2
8. Windows Server 2008 R2 with or without ESU

To install the micropatches on your Windows device, register a 0patch account and install its agent.

They will be applied automatically after launching the agent without requiring a system restart if there are no custom patching policies to block it.

You can see 0patch's Windows micropatches in action in the video below.

Source

Medibank Private Limited is one of Australia's largest private health insurance providers, covering over 3.7 million people and having 4,000 employees.

In a new statement by the company, CEO David Koczkar apologized for the temporary service outage, confirmed they suffered a ransomware attack, and informed customers that normal operations have resumed.

"Our ongoing investigation has found the unusual activity we detected in part of our IT network was consistent with a possible ransomware threat," details the statement.

While Koczkar states that the company suffered a ransomware attack, they claim that no systems were encrypted during the attack. Furthermore, while they continue to investigate the incident, no evidence has been uncovered that customer data has been stolen by the attackers.

The company first detected unusual activity on its network on Wednesday, October 12, and immediately shut down parts of its systems, including customer-facing services, to reduce the chances of data loss.

On Friday, Medibank sent out approximately 2.8 million emails and SMS to notify its customers about the security incident and provide an explanation for the outages.

The notices provided the first assurances about the safety of sensitive private data but underlined that the investigation was still ongoing.

Today's announcement hasn't changed anything on that front, so both customer data and IT system integrity appear unaffected by the cyberattack.

"As a further precaution, we've put in place additional security measures across our network, and we continue to work with external cybersecurity experts and the Australian Government's lead cyber agency, with our forensic investigation continuing," concludes Medibank's statement.

Australia's IT turmoil

Australia has had several high-profile cybersecurity incidents in the past couple of weeks, including:

• Hackers stole the data of 11 million customers of telecommunication provider Optus.
• The exposure of data belonging to employees of Telstra following a third-party breach.
• The leak of a Colombian government database exposing secret agent identities and operation details of the Australian Federal Police (AFP).

In response to these breaches, the Australian government is expected to introduce stricter data protection laws soon. The creation of a cyberattack prevention and response system is also being discussed.

You may recall that Linus Torvalds recently added support for Rust in the Linux kernel. One of the big reasons for adding Rust was to put an end to Linux code memory problems.

It can't come soon enough. Recently, five serious Linux Wi-Fi security holes were uncovered.

What did they all have in common? Go ahead, guess? Yes, each and every one was caused by a memory problem because of poorly written C code.

I'm shocked. Shocked, I tell you.

That was the bad news. The good news is they've all been patched.

The first hole was discovered by security researcher Soenke Huster from Germany's  Technical University of Darmstadt.

Huster e-mailed leading European Linux distributor SUSE with news that there was a nasty buffer overwrite in the Linux Kernel mac80211 Wi-Fi framework, which could be triggered remotely by misusing WLAN frames.

SUSE, in turn, delegated the issue to the kernel security crew, Huster, an Intel principal engineer, and the mac80211 main architect worked on fixing the problem. They also quickly found multiple other Wi-Fi security holes that could be exploited by an attacker over a Wi-Fi network connection.

Whoops.

So, how bad are these? Bad. As one commenter on the Linux Weekly News (LWN) site, the site for serious Linux users and developers, put it, "Basically, it's just anybody who uses Wi-Fi."

Most of these vulnerabilities were introduced into Linux in the first quarter of 2019. So, they were introduced into the Linux 5.1 and 5.2 kernels.

That, in turn, means that any Linux distro you're running today is vulnerable to attacks on these holes.

For example, Red Hat Enterprise Linux (RHEL) 8 and 9 could both be successfully attacked. Such an assault would be a nasty one.

The original bug, a buffer overflow flaw labeled CVE-2022-41674, would. Red Hat reports that this "flaw allow an attacker to crash the system or leak internal kernel information." With a Red Hat Common Vulnerability Scoring System (CVSS) score of 7.3, Red Hat considers it to be of "Moderate Impact."

I think, when you put all the holes together, it's much worse than that. The real nasty piece, as far as I'm concerned, is that these holes are triggered by "Beacon frames." Wi-Fi Access Points (AP) constantly transmit these, so any device scanning for a network will pick them up.

In other words, with a malicious AP, an attacker would automatically attack any Linux device in the area that was scanning for networks. A firewall wouldn't stop it. Neither would a VPN. There's no need to phish the user. Just turn on your laptop or what have you, and, ta-da, instant crash.  

The good news is the patches are in. They were pushed out to the stable kernels on October 13th. The newest, safe Linux kernel is the just-released 5.10.148. Linus Torvalds added them to the forthcoming Linux kernel 6.1. I expect all major Linux distros will have them in place for your working Linux systems by early this week.

Android and Internet of Things (IoT) Linux distros may have more trouble. Their developers often take their own sweet time with patching security problems. Ironically, many of these distros may be safe because they're using kernels, which are too old to be affected by this security hole. Specifically, phones running Android 12 or earlier are safe.

Brand new devices with Android 13, however, are another story. These include flagship phones such as the Google Pixel 4 and newer; Asus Zenfone 8; and the Samsung S22, S21, and S20. The good news is that all major companies are much better at updating their operating systems than second-tier smartphone vendors. With luck, no one will get to experience their phone crashing simply because some jerk is getting giggles from running a trouble-making Wi-Fi AP.

Source

Ducktail phishing campaigns were first revealed by researchers from WithSecure in July 2022, who linked the attacks to Vietnamese hackers.

Those campaigns relied on social engineering attacks through LinkedIn, pushing .NET Core malware masquerading as a PDF document supposedly containing details about a marketing project.

The malware targeted information stored in browsers, focusing on Facebook Business account data, and exfiltrated it to a private Telegram channel that acted as a C2 server. These stolen credentials are then used for financial fraud or to conduct malicious advertising.

Zscaler now reports spotting signs of new activity involving a refreshed Ducktail campaign that uses a PHP script to act as a Windows information-stealing malware.

A PHP information-stealing malware

Ducktail has now replaced the older NET Core information-stealing malware used in previous campaigns with one written in PHP.

Most of the fake lures for this campaign are related to games, subtitle files, adult videos, and cracked MS Office applications. These are hosted in ZIP format on legitimate file hosting services.

When executed, the installation takes place in the background while the victim sees fake 'Checking Application Compatibility' pop-ups in the frontend, waiting for a fake application sent by the scammers to install.

The malware will ultimately be extracted to the %LocalAppData%\Packages\PXT folder, which includes the PHP.exe local interpreter, various scripts used to steal information, and supporting tools, as shown below.

Ducktail's PHP information-stealing malware - Source: BleepingComputer

 

The PHP malware achieves persistence by adding scheduled tasks on the host to execute daily and at regular intervals. At the same time, a generated TMP file runs a parallel process to launch the stealer component.

New Ducktail attack flow (Zscaler)

 

The stealer's code is an obfuscated (Base64) PHP script, which is deciphered directly on memory without touching the disk, minimizing the chances of being detected.

The stealer's code (Zscaler)

 

The targeted data includes extensive Facebook account details, sensitive data stored in browsers, browser cookies, cryptocurrency wallet and account information, and basic system data.

The collected information isn't exfiltrated to Telegram anymore but instead stored in a JSON website that also hosts account tokens and data required to perform on-device fraud.

Expanding the targeting scope

In the previous campaign, Ducktail targeted employees of organizations working in the financial or marketing department of companies who would likely have permission to create and run advertising campaigns on the social media platform.

The goal was to take control of those accounts and direct payments to their bank accounts or run their own Facebook campaigns to promote Ducktail to more victims.

In the latest campaign, however, Zscaler noticed that the targeting scope has been broadened to include regular Facebook users and to siphon whatever valuable information they may have stored in their accounts.

Still, if the account type is determined to be a business account, the malware will attempt to fetch additional information about payment methods, cycles, amounts spent, owner details, verification status, owned pages, PayPal address, and more.

Targeting Facebook details (Zscaler)

 

Ducktail's evolution and attempt to evade subsequent monitoring by security researchers indicates that the threat actors aim to continue their profitable operations.

Users are advised to be watchful with instant messages on LinkedIn and treat file download requests with extra caution, especially cracked software, game mods, and cheats.

Venus Ransomware appears to have begun operating in the middle of August 2022 and has since encrypted victims worldwide. However, there was another ransomware using the same encrypted file extension since 2021, but it is unclear if they are related.

BleepingComputer first learned of the ransomware from MalwareHunterTeam, who was contacted by security analyst linuxct looking for information on it.

Linuxct told BleepingComputer that the threat actors gained access to a victim's corporate network through the Windows Remote Desktop protocol.

Another victim in the BleepingComputer forums also reported RDP being used for initial access to their network, even when using a non-standard port number for the service.

How Venus encrypts Windows devices

When executed, the Venus ransomware will attempt to terminate thirty-nine processes associated with database servers and Microsoft Office applications.

taskkill, msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, mydesktopqos.exe, agntsvc.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, sqlservr.exe, thebat64.exe, thunderbird.exe, winword.exe, wordpad.exe

The ransomware will also delete event logs, Shadow Copy Volumes, and disable Data Execution Prevention using the following command:

wbadmin delete catalog -quiet && vssadmin.exe delete shadows /all /quiet && bcdedit.exe /set {current} nx AlwaysOff && wmic SHADOWCOPY DELETE

When encrypting files, the ransomware will append the .venus extension, as shown below. For example, a file called test.jpg would be encrypted and renamed test.jpg. Venus.

Files encrypted by the Venus Ransomware - Source: BleepingComputer

 

In each encrypted file, the ransomware will add a 'goodgamer' filemarker and other information to the end of the file. It is unclear what this additional information is at this time.

The ransomware will create an HTA ransom note in the %Temp% folder that will automatically be displayed when the ransomware is finished encrypting the device.

As you can see below, this ransomware calls itself "Venus" and shares a TOX address and email address that can be used to contact the attacker to negotiate a ransom payment. At the end of the ransom note is a base64 encoded blob, which is likely the encrypted decryption key.

Venus Ransomware ransom note - Source: BleepingComputer

 

At this time, the Venus ransomware is fairly active, with new submissions uploaded to ID Ransomware daily.

As the ransomware appears to be targeting publicly-exposed Remote Desktop services, even those running on non-standard TCP ports, it is vital to put these services behind a firewall.

Ideally, no Remote Desktop Services should be publicly exposed on the Internet and only be accessible via a VPN.

The vulnerability tracked as CVE-2022-41352 is a remote code execution flaw that allows attackers to send an email with a malicious archive attachment that plants a web shell in the ZCS server while, at the same time, bypassing antivirus checks.

According to the cybersecurity company Kaspersky, various APT (advanced persistent threat) groups actively exploited the flaw soon after it was reported on the Zimbra forums.

Kaspersky told BleepingComputer that they detected at least 876 servers being compromised by sophisticated attackers leveraging the vulnerability before it was widely publicized and received a CVE identifier.

Under active exploitation

Last week, a Rapid7 report warned about the active exploitation of CVE-2022-41352 and urged admins to apply the available workarounds since a security update wasn’t available then.

On the same day, a proof of concept (PoC) was added to the Metasploit framework, enabling even low-skilled hackers to launch effective attacks against vulnerable servers.

Zimbra has since released a security fix with ZCS version 9.0.0 P27, replacing the vulnerable component (cpio) with Pax and removing the weak part that made exploitation possible.

However, the exploitation had picked up the pace by then, and numerous threat actors had already started launching opportunistic attacks.

Volexity reported yesterday that its analysts had identified approximately 1,600 ZCS servers that they believe were compromised by threat actors leveraging CVE-2022-41352 to plant webshells.

Used by advanced hacking groups

In private conversations with cybersecurity firm Kaspersky, BleepingComputer was told that an unknown APT leveraging the critical flaw had likely pieced together a working exploit based on the information posted to the Zimbra forums.

The first attacks started in September, targeting vulnerable Zimbra servers in India and some in Turkey. This initial wave of attacks was likely a testing wave against low-interest targets to evaluate the effectiveness of the attack.

However, Kaspersky assessed that the threat actors compromised 44 servers during this initial wave.

As soon as the vulnerability became public, the threat actors shifted gears and began to perform mass targeting, hoping to compromise as many servers worldwide as possible before admins patched the systems and shut the door to intruders.

This second wave had a greater impact, infecting 832 servers with malicious webshells, although these attacks were more random than the previous attacks.

ZCS admins who haven’t applied the available Zimbra security updates or the workarounds need to do so immediately, as exploitation activity is in high gear and will likely not stop for some time.

Source

According to Mullvad's information, Android uses connectivity checks outside of the VPN tunnel when devices connect to wireless networks. What makes this even worse is that this happens even if the security feature Block connections without VPN is enabled on the device.

The data connections that happen outside of the boundaries of the VPN connection are done by purpose. Mullvad gives the example of captive portals on networks, which require that users authenticate before connectivity becomes available. Most Android users may want these checks, Mullvad notes.

The leaking of information raises privacy concerns for some. Users may believe that their connection is protected against leaks when they use VPNs on Android.  The entity that controls the connectivity check server and any entity that is monitoring networking traffic may obtain the data. The metadata includes the source IP address and may be used to "derive further information", according to Mullvad; this would require a "sophisticated actor" according to the company.

Android does not include user facing options to disable traffic that is happening outside the VPN tunnel. Mullvad published a guide on disabling connectivity checks on Android. It requires development tools and is technical in nature.

The company reported the issue to Google, which responded with a "won't fix" status for the issue, stating that it is intended behavior.

"We have looked into the feature request you have reported and would like to inform you that this is working as intended. We do not think such an option would be understandable by most users, so we don't think there is a strong case for offering this."

Google's main arguments are that other traffic is also exempt from this, that some VPN's might use the connectivity information, and that little data is revealed during these checks. Mullvad argues that the leaking of data matters to some users, and that these users should get an option to block any leaky traffic if they want to.

Android users who need full protections against leaks have only one option: to modify the device using Mullvad's guide to block these connections from happening.

Now You: do you use VPN connections on your mobile devices?

Mullvad: Android may leak information when connected to a VPN

The most interesting news this week is about the Dutch Police and Responders.NU working some trickery on the DeadBolt Ransomware operation that caused them to fork over 155 decryption keys for victims.

Other interesting research includes fake adult sites pushing data wipers, TTPs on Black Basta, info on a new Prestige Ransomware targeting Ukraine and Poland, and Magniber ransomware being installed via JavaScript files.

We also learned some information about some attacks that were made public recently.

Healthcare org CommonSpirit admitted this week that they suffered a ransomware attack. However, ADATA denies they suffered a recent attack by RansomHouse and says the data is being recirculated from a 2021 breach by RagnarLocker.

Contributors and those who provided new ransomware information and stories this week include: @struppigel, @VK_Intel, @serghei, @BleepinComputer, @billtoulas, @LawrenceAbrams, @malwareforme, @demonslay335, @FourOctets, @jorntvdw, @PolarToffee, @Ionut_Ilascu, @Seifreed, @fwosar, @malwrhunterteam, @DanielGallagher, @AuCyble, @UID_, @linuxct, @MsftSecIntel, @ahnlab, @Amermelsad, @TrendMicro, and @pcrisk.

October 8th 2022

ADATA denies RansomHouse cyberattack, says leaked data from 2021 breach

Taiwanese chip maker ADATA denies claims of a RansomHouse cyberattack after the threat actors began posting stolen files on their data leak site.

Fake adult sites push data wipers disguised as ransomware

Malicious adult websites push fake ransomware which, in reality, acts as a wiper that quietly tries to delete almost all of the data on your device.

October 10th 2022

New VoidCrypt variant

PCrisk found a VoidCrypt variant that appends the .solo extension and drops a ransom note named unlock-info.txt.

New Dharma variant

PCrisk found a new Dharma variant that appends the .dkey extension to encrypted files.

October 11th 2022

Microsoft Exchange servers hacked to deploy LockBit ransomware

Microsoft is investigating reports of a new zero-day bug abused to hack Exchange servers which were later used to launch Lockbit ransomware attacks.

FinCEN fines Bittrex $29 million

“For years, Bittrex’s AML program and SAR reporting failures unnecessarily exposed the U.S. financial system to threat actors,” said FinCEN Acting Director Himamauli Das. “Bittrex’s failures created exposure to high-risk counterparties including sanctioned jurisdictions, darknet markets, and ransomware attackers. Virtual asset service providers are on notice that they must implement robust risk-based compliance programs and meet their BSA reporting requirements. FinCEN will not hesitate to act when it identifies willful violations of the BSA.”

October 12th 2022

CommonSpirit confirms ransomware attack

As previously shared, upon discovering the ransomware attack, we took immediate steps to protect our systems, contain the incident, begin an investigation, and ensure continuity of care. Our facilities are following existing protocols for system outages, which includes taking certain systems offline, such as electronic health records. In addition, we are taking steps to mitigate the disruption and maintain continuity of care. To further assist and support our team in the investigation and response process, we engaged leading cybersecurity specialists and notified law enforcement.

Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike

We analyzed a QAKBOT-related case leading to a Brute Ratel C4 and Cobalt Strike payload that can be attributed to the threat actors behind the Black Basta ransomware.

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .powz and .pohj extensions.

October 13th 2022

Magniber ransomware now infects Windows users via JavaScript files

A recent malicious campaign delivering Magniber ransomware has been targeting Windows home users with fake security updates.

New Dharma variant

PCrisk found a new Dharma variant that appends the .CYBER extension to encrypted files and drops a ransom note named CYBER.txt.

October 14th 2022

Microsoft: New Prestige ransomware targets orgs in Ukraine, Poland

Microsoft says new Prestige ransomware is being used to target transportation and logistics organizations in Ukraine and Poland in ongoing attacks.

Police tricks DeadBolt ransomware out of 155 decryption keys

The Dutch National Police, in collaboration with cybersecurity firm Responders.NU, obtained 155 decryption keys from the DeadBolt ransomware gang by faking ransom payments.

Ransom Cartel Ransomware: A Possible Connection With REvil

In this report, we will provide our analysis of Ransom Cartel ransomware, as well as our assessment of the possible connections between REvil and Ransom Cartel ransomware.

Why call police after a cyber attack? Because they're waiting for you

For example, after the RCMP seized cryptocurency held by Canadian Sebastien Vachon-Desjardins, an affiliate of the Netwalker ransomware gang, it tried returning the funds to Canadian victims. Some organizations refused to acknowledge being hit, she said.

That's it for this week! Hope everyone has a nice weekend!

The Week in Ransomware - October 14th 2022 - Bitcoin Trickery

For nearly a month Iranians have been fiercely and relentlessly protesting against their government. Sparked by the death of a 22-year-old woman in the custody of the country’s “morality police,” who arrested her for “inappropriate attire,” the demonstrations have been led by young women who refuse to accept restrictive laws such as hijab requirements. Authorities have been suppressing the protests with violence, as well as less tangible techniques. Amir Rashidi is director of digital rights and security at Miaan Group, an Austin, Tex.–based advocacy organization working to improve human rights in Iran. Rashidi, an Iranian who left the country in 2010, told Scientific American how its government has been using technology such as facial recognition and Internet shutdowns against its citizens.

[An edited transcript of the interview follows.]

How is Iran’s government using facial-recognition technology?

During the pandemic, we became aware that Iran is doing facial recognition. The Minister of Health announced that, in collaboration with the traffic police, they were using cameras in the street to take a picture of people who are not wearing masks properly and find them. Then [more than] two weeks [before] the protests, [an official] mentioned the use of facial recognition during the pandemic, and he [essentially] said, “We’re going to do the same with women, taking pictures of those who are not wearing proper hijab and then finding them.”

Iranian government officials are proud of having this kind of technology, always talking about it, and people are sensitive. If you look at a couple of videos of the protesters, they were attacking cameras. There is a fear that [facial recognition has been] implemented and is working. Not only are protesters more careful to not look at the camera and put the camera behind them, wearing masks and things like that; also the media are very careful to blur all the faces.

Can any techniques prevent facial recognition from working?

Looking at the experience of other countries, there are other techniques: shirts that you can wear with some specific graphic that can make [visual] “noise” on cameras or other methods. But none of them can be really promising right now in Iran because of the lack of information. Because we don’t know what kind of algorithm [the government is] using, we don’t know which solution we can use. One thing that we know is: there is a collaboration between the Iranian and Chinese governments regarding technology. Based on that, I can imagine that Iran is relying on China a lot for facial recognition. The model of Internet censorship in Iran is very much like Chinese models, so I wouldn’t be surprised if China provided that technology to Iran.

What is that model of Internet censorship?

What Iran is doing with the Internet is quite unique but, again, follows the same model as China. But I think what Iran is doing is way more advanced than what China or Russia are doing. The main goal is having a local network. Iranian government officials call it the National Information Network, or NIN. Usually in regular conversation, we refer to it as a “national Internet.” It is literally an intranet: a local network that is providing connection among different services inside the country, being independent from the rest of the world. So when [authorities] shut down the Internet, this local network is operating, but you don’t have access to the [global] Internet. The Russian government passed a law to create such a network [in 2019], but so far we are not seeing implementation.

This infrastructure also needs more tools and components to be functional. For example, [it requires] data centers. On the application layer, it needs messaging apps, e-mail services, search engines. China’s doing the same: it has Baidu, WeChat—these [services and] apps are under a lot of surveilling censorship. The Iranian government has its own YouTube, its own national search engine, e-mail service, messaging app, data centers, all of these things that make [online] infrastructure functional without being connected to the Internet. And finally, Iran is also passing a lot of laws to establish different bodies [that will] dictate how to use this infrastructure and these tools to achieve the main goal that it has, which is information control. It’s very much like the Chinese model in terms of localization, but because of that infrastructure and those policy-making bodies, it’s more advanced—and more successful in terms of censorship and information control. But I want to be careful [about making that claim] because I’m not an expert on China or Russia.

Are people using this national network when the government shuts down Internet access?

One of the things that the Iranian government is doing during the shutdown is taking advantage of violating people’s rights by encouraging them to use the local services. The Minister of [Information and Communications Technology] was on the TV, looking like he was proud and essentially saying, “We blocked WhatsApp because they violate our laws, so if you are concerned about your business, you have to move onto the national messaging app.” One national application is called Rubika…. We call these kinds of applications [such as Rubika and the Chinese program WeChat] “super apps” because you can do everything: purchase tickets, pay your bills, do live streaming, watch TV. They are [using the app to do] mass surveillance, and it’s not something that they want to hide! There is video of the head of Rubika explaining how its AI machine is so good that it can catch sensitive content on a chat between two people, and it can immediately remove [that content] from the platform. This is concerning, obviously. And I would say that’s the last line of defense against the national Internet: So far people are not using it because they’re concerned about privacy and security. But if the government is successful....

[Iran is also] encouraging people to use local services [through a unique] violation of net neutrality: separating local and international traffic. If you’re using local services, you have access to the faster network and cheaper traffic, almost half the price. If you want to use international traffic, it is slower and more expensive. With all of these things together, there is a chance that people, in particular during this economic crisis, feel, “Yeah, let’s move on to those local services.”

Are there techniques for getting around the Internet shutdowns?

In Iran, there is no promising solution. There are lots of conversations around using satellite Internet, but when the government doesn’t want people to have access to the satellite Internet, that’s not a reliable solution. Another solution is not Internet; it’s “data casting,” which is [used in] a project by NetFreedom Pioneers, an organization based in Los Angeles. [The organization is] sending data over normal satellite TV. A user in Iran can just connect the USB to their receiver, download the data and build a special application to unpack the data. And in that package, there are news and all of these circumvention tools that we are recommending to people. So there are some solutions. Unfortunately, they are not reliable to be distributed in a massive scale. But we need to dedicate and find more resources in terms of manpower, technologies, and money to study and see how we can find a solution that can actually be usable on a massive scale.

We have to study this national network and see how we can bypass it. There are a lot of studies going on by different Internet freedom communities, and we are collaborating with them. We found some solutions—but one of the issues is: everyone’s paying attention to the Internet shutdown when it’s happening. When it’s over, everyone’s now going back to the normal life. And that’s not the kind of mentality we need to have. The most important thing we have to do for the Internet shutdown is being ready before the Internet shuts down.

What else is important to know about this situation?

The international community see this as an issue only for Iran. But the problem is: there are a lot of governments all around the world who want to violate our rights, and they learn from each other. What I’d like to see is people paying attention to what is happening as a threat to freedom, to the right to access to the Internet, and deal with it in that way. Because if tomorrow China and Russia implement the same infrastructure [as Iran], the Internet is not going to be the Internet that we know today. It would be in the shape of a bunch of isolated islands. And the philosophy behind the Internet—which is connecting people to each other—would be destroyed.

Source

The intrusion on IT infrastructure impacted "some of its IT systems," the company said in a filing with the National Stock Exchange (NSE) of India.

It further said it has taken steps to retrieve and restore the affected machines, adding it put in place security guardrails for customer-facing portals to prevent unauthorized access.

The Mumbai-based electric utility company, part of the Tata Group conglomerate, did not disclose any further details about the nature of the attack, or when it took place.

That said, cybersecurity firm Recorded Future in April disclosed attacks mounted by China-linked adversaries targeting Indian power grid organizations.

The network intrusions are said to have been aimed at "at least seven Indian State Load Despatch Centres (SLDCs) responsible for carrying out real-time operations for grid control and electricity dispatch within these respective states."

The attacks were attributed to an emerging threat cluster Recorded Future is tracking under the name Threat Activity Group 38 (TAG-38).

The company further assessed that the targeting is intended to facilitate information gathering related to critical infrastructure assets or is likely a precursor for future activities.

China refuted the allegations that it was involved, stating "many of U.S. allies or countries with which it cooperates on cybersecurity are also victims of U.S. cyberattacks."

Source

Copyright Management Services Ltd, a UK-based company that helped front the BitTorrent piracy lawsuit factory known as Guardaley, is attempting to shut itself down, accounts overdue. After fronting controversial 'copyright troll' lawsuits all over Europe, CMS leaves behind an almost impenetrable matrix of companies, interlinked directors, and movie company partnerships.

Piracy Lawsuit Front Company Tries to Shut Down, Accounts Overdue

How a Microsoft blunder opened millions of PCs to potent malware attacks

On the contrary, the online detection and protection rates for the Microsoft product are among the best. In case you are wondering what the difference between protection and detection is, here's how AV-Comparatives defines the two:

The File Detection Test we performed in previous years was a detection-only test. That is to say, it only tested the ability of security programs to detect a malicious program file before execution.

This Malware Protection Test checks not only the detection rates, but also the protection capabilities, i.e. the ability to prevent a malicious program from actually making any changes to the system.

You can find the full comparison of the various anti-malware solutions for offline and online detection rates, as well as the protection rates in the image below:

As you may have noticed above, Defender not only has one of the worst offline detections, it also suffers from a lot of false positive alarms. This is something Defender has been struggling with for a while, as we have had several instances of it recently. This is despite Microsoft openly expressing it wanted to improve in this aspect.

Thankfully for Microsoft, it also got compromised in just 1 out of 10,019 malware sample cases. Meanwhile, Trend Micro did worst of all, as it has 259 compromises. The products have been classified in clusters (either 1, 2, 3, or 4) depending on their protection rates:

Here is the full test results showing the breakdown of each of the percentage categories - compromised, user-dependent, blocked, and false positives:

Lastly, we have the final rankings of all the products. The rankings are based on how the anti-malware solutions have done with respect to their statistical clusters assigned (image above) and the total false positives detected.

Defender managed to score the ADVANCED+ award last time, but this time has to settle for ADVANCED. AV-Comparatives has, however, acknowledged that the very high number of false positives has affected this.

Source: AV-Comparatives

AV-Comparatives finds Windows Defender suffering from poor offline detection, false alarms

The next Ford Mustang won’t be easy to tune; blame cybersecurity

Organizations use Office 365 Message Encryption to send or receive emails, both external and internal, to ensure confidentiality of the content from destination to source.

However, the feature encrypts the data using the Electronic Code Book (ECB) mode, which allows inferring the plaintext message under certain conditions.

ECB mode issue

The main problem with ECB is that repetitive areas in the plaintext data have the same encrypted result when the same key is used, thus creating a pattern.

The issue was highlighted after the massive Adobe data breach in 2013 when tens of millions of passwords were leaked and researchers discovered that the company used ECB mode to encrypt the data, making it possible to obtain plaintext passwords.

This weakness was highlighted again in 2020 when it was discovered that the widely used teleconference application Zoom used  the same 128-bit key to encrypt all audio and video using the AES algorithm with ECB mode.

Harry Sintonen of WithSecure underlines that with Office 365 Message Encryption the content of the encrypted messages isn’t directly decipherable, but structural information about those messages can be captured.

An attacker able to collect multiple encrypted messages can look for patterns that could lead to parts of the message to become gradually readable without the need of an encryption key.

The researcher explains that a large database of messages allows inferring the entire content or just parts of it by looking at the relative locations of the repeated sections.

To demonstrate that this can be achieved, Sintonen revealed the content of an image protected by Office 365 Message Encryption.

No solution yet

Threat actors can analyze stolen encrypted messages offline, since organizations have no way to prevent this for already sent messages. Sintonen notes that the use of rights management feature does not mitigate the issue.

The researcher reported this finding to Microsoft in January 2022. The tech giant acknowledged the problem and paid a bug bounty but did not release a fix.

After repeated subsequent queries about the status of the vulnerability, Microsoft told WithSecure that “the issue does not meet the bar for security servicing, nor is it considered a breach,” and hence there will be no patch for it.

BleepingComputer also reached out to Microsoft about this and a company spokesperson said that "rights management feature is intended as a tool to prevent accidental misuse and is not a security boundary."

The reason Microsoft still uses the ECB implementation is support for legacy applications. However, the company is working on adding an alternative encryption protocol to future product versions.

WithSecure recommends that until a more secure mode of operation becomes available, users and admins should stop using or trusting the Office 365 Message Encryption feature.

The suspects were arrested as part of 'Operation Jackal,' an international law enforcement operation between September 26 and 30, 2022, in South Africa.

Black Axe was founded in 1977 in Nigeria and is considered one of the world's most far-reaching and dangerous crime syndicates.

The crime syndicate first became involved with cybercrime in 2015, suspected of orchestrating numerous romance and "419 scams."

"Black Axe and similar groups are responsible for the majority of the world's cyber-enabled financial fraud as well as many other serious crimes, according to evidence analyzed by INTERPOL's Financial Crime and Anti-Corruption Centre (IFCACC) and national law enforcement," explains INTERPOL's statement on the operation.

These financial gains are reflected in the assets seized by law enforcement during the raids, including tens of thousands of USD in cash, expensive cars, luxury items, and 12,000 mobile SIM cards.

By analyzing the seized evidence, the police could freeze €1,200,000 in the suspects' bank accounts, identify and arrest another 75 individuals, and conduct 49 targeted property searches.

The arrests yielded 13 analytical reports, seven INTERPOL "purple notices" to detail the modus operandi of the criminals, and six INTERPOL "red notices" targeting internationally-wanted fugitives.

Interpol also highlights the success of its new anti-money laundering rapid response protocol mechanism (ARRP), which was deployed for the first time in 'Operation Jackal.'

"The ARRP is a game-changer in the fight against global financial crime, where speed and international cooperation are crucial to intercepting illicit funds before they disappear into the pockets of money mules abroad," said Rory Corcoran, Director of IFCACC.

"INTERPOL's Global Financial Crime Task Force has shown remarkable effectiveness in disrupting illicit financial flows, bringing together cyber and finance experts across sectors to track and cut off criminal money trails."

Last month, INTERPOL dismantled a sextortion ring operating from Singapore and Hong Kong, arresting 12 suspects for further investigation.

In June, the international police force seized $50 million and arrested thousands suspected of participating in business email compromise (BEC) scams.

In May, INTERPOL traced down three Nigerians in Lagos suspected of deploying remote access trojans (RATs) to steal account credentials and reroute financial transactions.

Source

RedEye is for both red and blue teams, providing an easy way to gauge data that leads to practical decisions.

Assessing attack campaigns

A joint project from CISA and DOE’s Pacific Northwest National Laboratory, RedEye can parse logs from attack frameworks (e.g. Cobalt Strike) to present complex data in a more digestible format.

The tool allows users to upload campaign data to view relevant information such as beacons and commands.

Historical records of each campaign logs loaded into RedEye can be viewed in a graphical representation that correlates servers and hosts involved.

Analysts can also explore key events in a selected campaign to discover payload activity and follow an attacker’s penetration path, such as lateral movement activity or the use of credentials to increase privileges on a machine.

RedEye tool - campaign playback

 

The features available in RedEye allow analysts to comment on the attacker’s activity for better collaboration and understanding of the attack path.

RedEye tool - comment and tags feature

 

Using the comments from analysts and the techniques used in the campaign, RedEye can also generate presentations that can be shared with stakeholders and clients.

All data collected from a campaign and the comments from analysts can be exported so clients can review

Blue teams can also use RedEye to understand easier the raw data received from an assessment, and view the attack path and the compromised hosts so they can take appropriate action.

RedEye tool - generate presentations

 

At the moment, RedEye can parse logs from the Cobalt Strike framework.

It has been tested to work on Linux (Ubuntu 18 and above, Kali Linux 2020.1 or newer), macOS (El Capitan and above), and Windows 7 or newer.

The tool is available on GitHub, in CISA’s repository.

CISA has also released a video, available below, going through the main features avaialble in RedEye:

RedEye is the latest in a set of tools that CISA released as open-source projects over the past few years.

Among them are Malcom - a network traffic analysis tool, ICS NPP - a tool for parsing Industrial Control Systems Network Protocols, Sparrow - a PowerShell script for detecting possible compromised accounts and apps in Azure and Microsoft 365 environments.

Source

The app, called ‘Yo WhatsApp’, was promoted through ads in other Android applications such as Snaptube, which allows users to download YouTube videos – promoting itself with features Meta’s own client does not such as the ability to customise the user experience or individual chat room blocking.

The fraudulent app was discovered by Kaspersky, who found that the app sent users’ WhatsApp access keys to the developer’s remote server.

This could allow attackers to see conversations and steal data that could be used for phishing or other cyberattacks. Moreover, the attackers could use this access to “add paid subscriptions without the user’s knowledge”.

A clone of that app, called “WhatsApp Plus”, also spread through the Vidmate app, with similar features and issues. Vidmate also lets users download YouTube, Instagram, Facebook, and TikTok videos.

Vidmate and Snaptube did not respond to The Independent’s request for comment before time of publication.

Kaspersky suggests that the distribution channels will be closed soon, and says it is likely the companies were unaware malware was being shared.

“Cybercriminals are increasingly using the power of legitimate software to distribute malicious apps. This means that users who choose popular apps and official installation sources, may still fall victim to them”, the Kaspersky researchers wrote.

“In particular, malware like Triada can steal an IM account, and for example, use it to send unsolicited messages, including malicious spam. The user’s money is also at risk, as the malware can easily set up paid subscriptions for the victim.”

Kaspersky has been investigating the Trida malware in WhatsApp clones over the past year and is especially difficult to detect for two reasons: firstly, the malware modifies a core process in the Android OS that is used as a template for every application, called Zygote. When the Trojan gets into Zygote, it becomes a part of every app that is launched on the device.

Secondly, the app substitutes the phone’s system functions, concealing its modules from the list of the running processes and installed apps – which stops its processes being detected and thereby stays unknown.

Source

A ransomware attack delivered by fake Windows 10 and antivirus software updates is targeting home users, using sneaky techniques to stay undetected before encrypting files and demanding a ransom payment of thousands of dollars.

The Magniber campaign, detailed by HP Wolf Security, is unusual for 2022 in the way it focuses on generating relatively small ransom payments from individual users, compared to what could be extorted by going after businesses and demanding large ransoms.

In many ways, it's a throwback to early ransomware campaigns that encrypted files on individual computers. However, Magniber is using innovative techniques that make it much more difficult to detect – especially for home users.

The attack chain begins when the user visits a website controlled by the attackers, designed to look like legitimate websites and services that victims are tricked into visiting in one of a number of ways.

"There are multiple ways the user can be directed to such a site. Either they register typo-squatted domains for common websites or infect websites with a malware that redirects the user to the final download site," Patrick Schläpfer, malware analyst at HP Wolf Security, told ZDNET.

"I also have a suspicion that the reason for the redirection could be a malicious browser extension, which is installed on the victim's device," he added.

The website suggests that the user needs to update their computer with an important software update – claiming that they're antivirus or Windows system needs it – and tricks users into downloading a JavaScript file that contains the ransomware payload.

Magniber being distributed via JavaScript files appears to be a new technique that has only emerged recently – previously it has been hidden inside MSI and EXE files.

By using a JavaScript file, the attack can use a technique called DotNetToJscript, allowing it to load a .NET executable in memory, meaning the ransomware does not need to be saved to disk. By doing this in memory, the attack bypasses detection and prevention tools – like antivirus software – that monitors files written to disk rather than memory.

It's this executable that runs the ransomware's code, which deletes shadow copies of files and disables Windows backup and recovery features before encrypting the victim's files. The ransomware also gains administrator privileges using an Account Control (UAC) bypass to run commands without alerting the user.  

By the time the user knows something is wrong, it's too late because their files have been encrypted and they've been presented with a ransom note telling them what's happened and providing them with a link to follow to negotiate a deal for a decryption key – and victims are told that if they attempt to restore their computer without paying a ransom, their files will be permanently wiped.

Researchers say the ransom demand can be up to $2,500. While that might not sound like a lot compared with the hundreds of thousands – or more – cyber criminals can make from infecting a large enterprise with ransomware, targeting home users via drive-by downloads is much less effort than spending weeks or months infecting a corporate network.

However, there are steps that individual users can take to help avoid falling victim to ransomware attacks.  

"Users can also reduce risk by making sure updates are only installed from trusted sources, checking URLs to ensure official vendor websites are used, and backing up data regularly to minimize the impact of a potential data breach," said Schläpfer.

The most useful way to back up data would be to store it offline, so if a cyber criminal does encrypt your device, they can't reach the back ups too – allowing you to restore the device without paying a criminal.

Source

On October 7, 2022 Toyota, the Japanese-based automotive manufacturer, revealed they had accidentally exposed a credential allowing access to customer data in a public GitHub repo for nearly 5 years. The code was made public from December 2017 through September 2022. While Toyota says they have invalidated the key, any exposure this long could mean multiple malicious actors had already acquired access.

This incident adds Toyota to the list of companies that have had similar exposures; a list that includes Samsung, Nvidia, and Twitch, just to name a few. While this breach at Toyota is currently understood as fairly limited, compared to the 6,695 secrets exposed in the Samsung case, the growing number of companies experiencing such issues is still a very disturbing trend.

Data exposures on public Git repositories are a particularly troubling topic. Code intended for tightly controlled private repos are very often pushed to public repos owned by employees or contractors, outside the security control of their GitHub organizations.

What Happened

Toyota Data Breach Graphic

T-Connect

In 2014, Toyota introduced a new telematics service called T-Connect to customers, offering interactive voice response and allowing drivers to connect to third-party apps. Toyota advertises it as their “connected services that provide safe, secure, comfortable, and convenient services through vehicle communication.”

T-Connect enables features like remote starting, in-car Wi-Fi, digital key access, full control over dashboard-provided metrics, as well as a direct line to the My Toyota service app. The servers that control these options contain unique customer identification numbers and customer emails.
A Subcontractor And A Public Repo

In December 2017, while working with an unnamed (so far) subcontractor, a portion of the source code for T-Connect was uploaded to a public GitHub repository. Inside the repo there was a hardcoded access key for the data server that manages customer info. Anyone who found that credential could access the server, gaining access for 296,019 customers.

It was not until September 15, 2022, that anyone noticed this repo was public and that customer data was potentially exposed. Toyota has since made the repo private and has invalidated and replaced any affected connection credentials.  

How Bad Is this Security Breach?

While customer identification numbers and emails have potentially been exposed, customer names, credit card data, and phone numbers were not stored in the exposed database, and are therefore not at risk.  Toyota has begun outreach to affected customers. As part of this outreach, the company has set up a special form on its site to let customers check to see if their data was part of the exposure.  

As of now, there is no sign that this breach would allow bad actors to do more than just harvest emails and the associated customer management numbers.  Toyota has not been able to confirm any abuse or attacks have occurred using harvested data.

How can people protect themselves

Toyota does warn customers that although there has not been any unauthorized use of their personal information detected, all affected users should be on the lookout for spam emails and phishing attacks.  

The notice from Toyota states: “If you receive a suspicious e-mail with an unknown sender or subject, there is a risk of virus infection or unauthorized access, so please do not open the file attached to the e-mail and delete the e-mail itself immediately.”

This incident serves as a good reminder that with all emails it is important to only follow links in emails from trusted sources. When in doubt about the validity of an email, you should inspect the header to make sure the email domain is legitimate and use the hover preview for any link to ensure the URL is not redirecting you to a potentially dangerous site.  

Attackers can use context along with stolen emails to create more convincing phishing campaigns. For example, knowing they are a Toyota customer can make them appear more trustworthy.

How can devs prevent this from happening again?

There are two security missteps at the heart of this latest incident at Toyota:

1.     Code intended to be private was pushed to a public repository.
2.     A credential for a DB server holding customer data was hardcoded into the repo.

Git is an awesome version control system, used by over 93% of developers, and is at the heart of modern CI/CD pipelines. One of the benefits of Git is that everyone has a complete copy of the project they are working on. That full copy access also means each developer can, in turn, push their copy to unauthorized places, such as public repositories. While it might not be possible to prevent a contractor from pushing code wherever they want, it is possible to detect when code or IP has been pushed somewhere it should not be. This is a serious issue affecting the software industry that we have previously reported on.  

GitGuardian has made available a free tool, HasMyCodeLeaked, to help companies identify potential source code leaks. Our free tool can perform an exact lookup of code "fingerprints" in GitHub's public history, helping you quickly identify repositories that contain private code or data.

Hardcoding secrets is a serious issue affecting the software industry today. In 2021, we discovered over 6 Million secrets in public GitHub repos alone. As security in DevOps ‘shifts left’ on the shoulders of developers pressed for time, it is critical that they leverage tools and services that prevent secrets from ending up as parts of their repos. A company’s secrets that get hardcoded can be exposed in a number of ways, including pushed to public repos, but also if the code is leaked by a disgruntled employee or stolen by a malicious actor. This is a real blind spot for companies that do not have secrets detection in place.

Source

The incident came to light after the company reported that it had detected some unusual activity on its network although it claims it has found no evidence of customer data access or data loss so far. However, Medibank has assured it is taking all necessary steps to cover for the impact the incident may have caused, and as a precautionary measure, the bank will remove access to some customer-facing systems to reduce the possibility of damage to systems or data loss.

Medibank's official Twitter handle said:

Yesterday the Medibank Group detected unusual activity on its network

In response to this event, Medibank took immediate steps to contain the incident, and engaged specialised cyber security firms.

At this stage there is no evidence that any sensitive data, including customer data, has been accessed.

As part of our response to this incident, Medibank will be isolating and removing access to some customer-facing systems to reduce the likelihood of damage to systems or data loss.

We are working around the clock to understand the full nature of the incident, and any additional impact this incident may have on our customers, our people, and our broader ecosystem

Meanwhile, an information page has been put up on the Medibank website to provide the latest updates about the incident and help numbers have been issued to provide the latest updates about the incident. Medibank and ahm (Australian Health Management) customers who would like to have more information about the incident can contact via phone (1300 573 942 for ahm customers and 13 23 31 for Medibank customers).

Health insurer Medibank becomes the latest victim of cyberattack

When Microsoft fixes a security vulnerability in one of its products, they disclose details in the Security Update Guide (SUG).

Typically, Microsoft discloses new vulnerabilities twice a month, the bulk being the monthly Patch Tuesday and when Microsoft fixes vulnerabilities in Microsoft Edge.

However, if a new vulnerability is publicly disclosed before Microsoft can fix it and Microsoft believes it is important for customers to be aware, they will add new entries to SUG when releasing out-of-band advisories.

For example, last month, Microsoft added two new Microsoft Exchange zero-day vulnerabilities tracked as CVE-2022-41040 and CVE-2022-41082 to the SUG.

While these bugs have not received any security updates yet, Microsoft did release mitigations that can help protect Internet-exposed servers, illustrating the need to stay aware of new security issues.

While email notifications for additions to the Security Update Guide, they require a user to create a Microsoft account to receive them and are not sent immediately.

Due to this, many customers have requested Microsoft add an RSS feed to the Security Update Guide so they can get immediate notifications when a new CVE is added.

"With regards to the RSS feed, we have received feedback from some of our customers that an RSS feed on the Security Update Guide (SUG) would be greatly appreciated," Microsoft said in today's announcement.

"A few customers have even asked for it to be the default form of communication. We heard your feedback, and you can now obtain SUG updates by pasting the URL of the RSS feed in any RSS reader."

The URL for the new RSS feed is now live at https://api.msrc.microsoft.com/update-guide/rss and is also shared in the SUG using an RSS icon, as shown below.

To use the new RSS feed feature, you need to install an RSS Feed reader, whether a desktop application, mobile app, or browser extension.

Once you subscribe to the feed, you will automatically receive notifications when Microsoft adds a new CVE to the Security Update Guide, helping keep you aware of the latest security risks.

Once you subscribe to the feed, you will begin to receive notifications when Microsoft adds a new CVE to the Security Update Guide, helping keep you aware of the latest security risks.

Microsoft adds new RSS feed for security update notifications

It was a multi-vector attack that lasted for about two minutes and consisted of UDP and TCP floods packets attempting to overwhelm the server and keep out hundreds of thousands of players, DDoS mitigation company Cloudflare says.

Two-minute attack against Minecraft server Wynncraft (Cloudflare)

 

The researchers say this was the largest bitrate attack they ever recorded and handled.

A DDoS attack this large occurred in 2017, in a campaign that lasted for six months from a nation-state actor, disclosed by Google in 2020.

Cloudflare’s 2022 Q3 DDoS report notes that multi-terabit DDoS attacks are now more frequent.

One of the largest DDoS attacks ever reported was in November 2021 and peaked at 3.47 terabits per second.

DDoS attack trends

In the third quarter of the year, Cloudflare mitigated more DDoS attacks compared to last year, with HTTP-based ones increasing by 111%. Layer 3 and 4 (L3/4) DDoS attacks also almost doubled year-over-year, their occurrence jumping by 97%.

The most notable region targeted by HTTP DDoS attacks was Taiwan, which saw an increase of 200% compared to the last quarter, while Japan was targeted 105% more quarter-over-quarter.

L3/4 DDoS attacks targeted mainly the gaming industry and their volume was inflated by a Mirai comeback that increased its activity by 405% compared to Q2 2022.

Another worrying DDoS trend seen in Q3 2022 is the abuse of the BitTorrent protocol, normally used for file sharing. This practice rose by over 1,200% QoQ.

Network-layer DDoS attack vector trends (Cloudflare)

 

“A malicious actor can spoof the victim’s IP address as a seeder IP address within [BitTorrent] Trackers and DHT (Distributed Hash Tables) systems,” details Cloudflare.

“Then clients would request the files from those IPs. Given a sufficient number of clients requesting the file, it can flood the victim with more traffic than it can handle.”

The countries most targeted HTTP DDoS attacks were the United States, China, and Cyprus, while network-layer attacks targeted mainly Singapore, the U.S., and China.

Size and duration

Cloudflare highlights a rise in the number of large-scaleDDoS attacks (over 100 Gbps) but underlines that these are still the outliers, accounting for only 0.1% of the total.

Network-layer DDoS attack sizes in Q3 2022 (Cloudflare)

 

The vast majority (97.3%) were attacks measuring under 500 Mbps, which Cloudflare characterizes as “cyber-vandalism”, attributing to the so-called “script-kiddies” that use readily available DDoS tools and direct attacks against small and poorly protected targets.

The duration of most (94%) attacks is brief, measuring below 20 minutes. However, there was a small rise of 8.6% and 3.2% in lengthy episodes lasting above an hour and three hours, respectively.

Source

Threat actors created in September websites that promoted fake antivirus and security updates for Windows 10. The downloaded malicious files (ZIP archives) contained JavaScript that initiated an intricate infection with the file-encrypting malware.

A report from HP's threat intelligence team notes that Magniber ransomware operators demanded payment of up to $2,500 for home users to receive a decryption tool and recover their files. The strain focuses explicitly on Windows 10 and Windows 11 builds.

In April 2022, Magniber was seen distributed as a Windows 10 update via a network of malicious websites. 

In January, the its operators used Chrome and Edge browser updates to push malicious Windows application package files (.APPX).

Magniber's new infection chain

In previous campaign, the threat actor used MSI and EXE files. For the recent on, it switched to JavaScript files that had the following names:

• SYSTEM.Critical.Upgrade.Win10.0.ba45bd8ee89b1.js
• SYSTEM.Security.Database.Upgrade.Win10.0.jse
• Antivirus_Upgrade_Cloud.29229c7696d2d84.jse
• ALERT.System.Software.Upgrade.392fdad9ebab262cc97f832c40e6ad2c.js

These files are obfuscated and use a variation of the "DotNetToJScript" technique to execute a .NET file in the system memory, lowering the risk of detection by antivirus products available on the host.

The .NET file decodes shellcode that uses its own wrapper to make stealthy syscalls, and injects it into a new process before terminating its own.

The shellcode deletes shadow copy files via WMI and disables backup and recovery features through "bcdedit" and "wbadmin." This increases the chances of getting paid as victims have one less option to recover their files.

To perform this action, Magniber uses a bypass for the User Account Control (UAC) feature in Windows.

It relies on a mechanism that involves creating of a new registry key that allows specifying a shell command. In a later step, the "fodhelper.exe" utility is executed to run a script for deleting the shadow copies.

VBScript that deletes shadow copies and disables restore functions (HP)

 

Finally, Magniber encrypts the files on the host and drops the ransom notes containing instructions for the victim to restore their files.

Magniber's new infection chain (HP)

 

HP's analysts noticed that while Magniber attempts to limit the encryption only to specific file types, the pseudohash it generates during the enumeration isn't perfect, which results in hash collisions and "collateral damage", i.e., encrypting non-targeted file types as well.

Home users can defend against a ransomware attack by making regular backups for their files and to keep them on an offline storage device. This allows recovery of the data onto a freshly installed operating system.

Before restoring the data, users should make sure tha their backups were not been infected.