YoWhatsApp is a fully working messenger app that uses the same permissions as the standard WhatsApp app and is promoted through advertisements on popular Android applications like Snaptube and Vidmate.

The app includes additional features over the regular WhatsApp, such as the ability to customize the interface or block access to chats, making it enticing for users to install. 

However, it has now been discovered that YoWhatsApp v2.22.11.75 snatches WhatsApp keys, enabling the threat actors to control users' accounts.

Malicious modded WhatsApp

The YoWhatsApp campaign was discovered by threat analysts at Kaspersky, who have been investigating cases of the Triada Trojan hiding inside modified WhatsApp builds since last year.

According to a report published today, the modded app sends users' WhatsApp access keys to the developer's remote server.

Kaspersky says that these keys can be used in open-source utilities to connect and perform actions as the user without the actual client.

While Kaspersky has not stated whether these stolen access keys have been abused, they can lead to account takeover, disclosure of sensitive communications with private contacts, and impersonation to close contacts.

Like the real WhatsApp Android app, the malicious app requests permissions, like accessing SMS, which is also granted to the Triada Trojan that's embedded in the app.

Kaspersky says the trojan can abuse these permissions to register the victims to premium subscriptions without them realizing it and generate income for the distributors.

Spreading campaign

The modded YoWhatsApp is promoted via ads in Snaptube, a very popular video downloader that has suffered from malvertising in the recent past.

Kaspersky has informed Snaptube about cybercriminals pushing malicious apps through its ad platform, so this distribution channel should be closed soon.

The malicious app offers additional features like a customizable interface, individual chat room blocks, and other stuff not available on the WhatsApp client but many people would like to have.

Kaspersky also found a YoWhatsApp clone named "WhatsApp Plus," featuring the same malicious functionality, spread via the VidMate app, presumably without its authors knowing about it.

WhatsApp Plus app is the same as YoWhatsApp (Kaspersky)

 

This month, Meta sued several Chinese companies doing business as HeyMods, Highlight Mobi, and HeyWhatsApp for developing "unofficial" WhatsApp apps that stole over one million WhatsApp accounts.

Staying safe on WhatsApp

Although not all unofficial WhatsApp mods are malicious, avoiding them altogether would be wise if you want to minimize the chances of installing malware on your device.

In this case, the apps that promote the malicious WhatsApp versions can only be downloaded in the form of APKs outside the Google Play Store, which is also a practice to avoid.

Triada can use these keys to send malicious spam as a stolen account, taking advantage of people trusting their small circle of friends and family.

Therefore, be careful of direct messages from contacts promoting software or asking you to click on unusual links. When receiving messages like this, be sure to reach out directly to your friends and family to confirm they actually sent the texts.

Source

"Passkeys are a significantly safer replacement for passwords and other phishable authentication factors. They cannot be reused, don't leak in server breaches, and protect users from phishing attacks," Google said today.

Passkey support for developers on Android and Chrome will enable key capabilities towards cross-platform passwordless logins, including:

• allowing users to create and use passkeys on Android devices (securely synced through the Google Password Manager)
• enabling developers to add passkey support on their websites with Chrome using the WebAuthn API, on Android and other platforms.

Passkeys are securely backed up and synced to the cloud to prevent lockouts if the device they were generated on is lost, and they can be used for signing into websites on an Android device or for signing into websites on another device using an Android phone.

Since they're built on industry standards, this works across different platforms and browsers, including Windows, macOS, iOS, and ChromeOS, with the same user experience.

Developers can try this today by enrolling in the Google Play Services beta and using Chrome Canary. The new capabilities features will roll out to stable channels later this year.

"Our next milestone in 2022 will be an API for native Android apps. Passkeys created through the web API will work seamlessly with apps that are affiliated with the same domain, and vice versa," Google added.

"The native API will give apps a unified way to let the user pick either a passkey, if they have one, or a saved password. This shared experience for both types of users aids the transition to passkeys."

Passwordless sign-in push

Today's announcement is part of a broader effort to speed up the adoption of passkeys. It follows a May announcement of plans to support them as a common passwordless sign-in standard developed by the FIDO Alliance and the World Wide Web Consortium (W3C).

Microsoft and Apple also pledged their support for passkeys in May, which means that once implemented, these new Web Authentication (WebAuthn) credentials (aka FIDO credentials) will allow the three tech giants' users to log in to their accounts without using passwords.

"To sign into a website on your computer, you'll just need your phone nearby and you'll simply be prompted to unlock it for access," Sampath Srinivas, Google PM Director for Secure Authentication, said at the time.

"Even if you lose your phone, your passkeys will securely sync to your new phone from cloud backup, allowing you to pick up right where your old device left off."

The new capabilities will likely become available across leading platforms, devices, websites, and apps operated by Google, Microsoft, and Apple over the coming year.

Moving away from signing into accounts using passwords will make the web more secure since they're currently the most common point of entry used by attackers when attempting to hijack online identities.

Google simplifies sign-ins with Chrome, Android passkey support

Microsoft added this policy as they say Windows does not currently apply Account Lockout policies to "local administrators," allowing threat actors to repeatedly brute force passwords for these accounts.

"However, Windows devices currently do not allow local administrators to be locked out." - Microsoft.

The announcement comes after David Weston, Microsoft's VP for Enterprise and OS Security, said in July that the same Windows group policy is now enabled by default on the latest Windows 11 builds.

As a result, Windows 11 systems where the policy is toggled on automatically lock user accounts (including Administrator accounts) for 10 minutes after 10 failed sign-in attempts within 10 minutes.

"Win11 builds now have a DEFAULT account lockout policy to mitigate RDP and other brute force password vectors," he tweeted on July 21st.

"This technique is very commonly used in Human Operated Ransomware and other attacks - this control will make brute forcing much harder which is awesome!"

Today, almost three months after Weston's announcement, Microsoft revealed that the same account lockout policy is now available on any Windows system where the October 2022 cumulative updates are installed.

"In an effort to prevent further brute force attacks/attempts, we are implementing account lockouts for Administrator accounts," Microsoft said today.

"Beginning with the October 11, 2022 or later Windows cumulative updates, a local policy will be available to enable local administrator account lockouts."

Admins who want to toggle on this additional defense against brute force attacks can find the "Allow Administrator account lockout" policy under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policies.

This group policy will be enabled by default on all new machines running Windows 11 22H2 or those where the October 2022 Windows cumulative updates were installed before the initial setup when the Security Account Manager (SAM) database that stores the users' passwords is first instantiated on the new machine.

Microsoft also announced today that it now requires local administrator accounts to use complex passwords that "must have at least three of the four basic character types (lower case, upper case, numbers, and symbols)."

This decision was taken as an extra defense against brute force attacks which are trivial to pull off using systems with modern CPUs and GPUs if the passwords are not long or complex enough.

Redmond is slowly shrinking the attack surface abused by ransomware operators to breach Windows systems, as shown by its recent decisions to also auto-block Office macros in downloaded documents and enforce multi-factor authentication (MFA) in Azure AD.

Update October 12, 10:24 EDT: Made it clearer that Microsoft says Windows didn’t apply lockout policies to “local administrators” before this change.

Source

Available in public preview at the moment, this new MDE feature will allow security admins to detect malware attempting to communicate with attacker-controlled servers at the network layer.

The C2 connections are detected by the Defender for Endpoint's Network Protection (NP) agent by mapping the outbound connection's IP address, port, hostname, and other values with data from Microsoft Cloud.

If the connection is evaluated as malicious by Microsoft's cloud-powered AI and scoring engines, MDE will automatically block the connection and roll back the malware binaries to a previous clean state.

After the malicious connection is detected, a "Network Protection blocked a potential C2 connection" alert will be added to the Microsoft 365 Defender portal, providing SecOps team members with details, including the severity level and the impacted assets, and the activity timespan.

More info, such as the attack flow and a full timeline, is available after opening the C2 connection alert, as shown in the screenshot below.

"SecOps teams need precise alerts that can accurately define areas of compromise and previous connections to known malicious IPs," MDE senior program manager Oludele Ogunrinde said.

"With the new capabilities in Microsoft Defender for Endpoint, SecOps teams can detect network C2 attacks earlier in the attack chain, minimize the spread by rapidly blocking any further attack propagation, and reduce the time it takes to mitigate by easily removing malicious binaries."

The prerequisites include Microsoft Defender Antivirus with active real-time protection and cloud-delivered protection, MDE in active mode, network protection in block mode, and engine version 1.1.17300.4 or later installed.

It works with both consumer (Windows 10 version 1709 or later) and server (Windows Server 1803, Windows Server 2019 or later) platforms.

The new capability will be gradually and automatically applied in environments where Network Protection (NP) is enabled if you've already signed up for the public preview.

Last month, Microsoft also said tamper protection would soon be turned on by default in Microsoft Defender for Endpoint for better defense against ransomware attacks.

According to ESET, POLONIUM uses a broad range of custom malware against engineering, IT, law, communications, marketing, and insurance firms in Israel. The group's campaigns are still active at the time of writing.

Microsoft's Threat Intelligence team first documented the group's malicious activities in June 2022, linking POLONIUM threat actors in Lebanon with ties to Iran's Ministry of Intelligence and Security (MOIS).

The POLONIUM toolset

ESET reports that POLONIUM is solely interested in cyberespionage and does not deploy data wipers, ransomware, or other file-damaging tools.

Since September 2021, the hackers have used at least seven variants of custom backdoors, including four new undocumented backdoors known as 'TechnoCreep', 'FlipCreep', 'MegaCreep',, and 'PapaCreep.'

Some backdoors abuse legitimate cloud services, such as OneDrive, Dropbox, and Mega, to act as command and control (C2) servers. Other backdoors utilize standard TCP connections to remote C2 servers or get commands to execute from files hosted on FTP servers.

While not all backdoors have the same features, their malicious activity includes the ability to log keystrokes, take screenshots of the desktop, take photos with the webcam, exfiltrate files from the host, install additional malware, and execute commands on the infected device.

The most recent backdoor, PapaCreep, spotted in September 2022, is the first one in C++, whereas the hackers wrote older versions either in PowerShell or C#.

PapaCreep is also modular, breaking its command execution, C2 communication, file upload, and file download functions into small components.

The advantage is that the components can run independently, persist via separate scheduled tasks in the breached system, and make the backdoor harder to detect.

Besides the ‘Creepy’ variants, POLONIUM also uses various open source tools, either custom or off-the-shelf, for reverse proxying, screenshot taking, keylogging, and webcam snapping, so there’s a level of redundancy in the operations.

An elusive hacking group

ESET couldn't discover POLONIUM's tactics used to initially compromise a network, but Microsoft previously reported that the group was using known VPN product flaws to breach networks.

The threat actor's private network infrastructure is hidden behind virtual private servers (VPS) and legitimate compromised websites, so mapping the group's activities remains murky.

POLONIUM is a sophisticated and highly targeted threat whose crosshairs are fixed at Israel right now, but this could change any moment if the priorities or interests change.

In at least one such incident from July 2022, the attackers used a previously deployed web shell on a compromised Exchange server to escalate privileges to Active Directory admin, steal roughly 1.3 TB of data, and encrypt network systems.

As described by South-Korean cybersecurity firm AhnLab, whose forensic analysis experts were hired to help with the investigation, it took the threat actors only a week to hijack the AD admin account from when the web shell was uploaded.

AhnLab says the Exchange servers were likely hacked using an "undisclosed zero-day vulnerability," given that the victim received technical support from Microsoft to deploy quarterly security patches after a previous compromise from December 2021.

"Among the vulnerabilities disclosed after May, there were no reports of vulnerabilities related to remote commands or file creation," AhnLab explained.

"Therefore, considering that WebShell was created on July 21, it is expected that the attacker used an undisclosed zero-day vulnerability."

New Microsoft Exchange zero-days?

While Microsoft is currently working on security patches to address two actively exploited Microsoft Exchange zero-days tracked as CVE-2022-41040 and CVE-2022-41082, AhnLab added that the one used to gain access to the Exchange server in July might be different since attack tactics don't overlap.

"There is a possibility that the vulnerabilities of Microsoft Exchange Server (CVE-2022-41040, CVE-2022-41082) disclosed by GTSC, a Vietnamese security company, on September 28 were used, but the attack method, the generated WebShell file name, and subsequent attacks after WebShell creation," AhnLab says.

"It is presumed that a different attacker used a different zero-day vulnerability."

Although differences in the delivery method can't be considered enough evidence the attackers used a new zero-day and security experts are also not convinced this is the case, at least one more security vendor knows of three other undisclosed Exchange flaws and provides "vaccines" to block exploitation attempts.

Discovered by Zero Day Initiative vulnerability researcher Piotr Bazydlo and reported to Microsoft three weeks ago, they are tracked by cybersecurity software firm Trend Micro tracks as ZDI-CAN-18881, ZDI-CAN-18882, and ZDI-CAN-18932 after its analysts validated the issues.

The company has also added detection signatures for these Exchange zero-days (tagged as critical severity by Trend Micro) to its IPS N-Platform, NX-Platform, or TPS products since October 4, 2022.

"This filter protects against exploitation of a zero-day vulnerability affecting Microsoft Exchange," Trend Micro says in a Digital Vaccine support document.

Microsoft hasn't disclosed any information regarding these three security flaws since they were reported and is yet to assign a CVE ID to track them.

Microsoft didn't reply to an email requesting more info when BleepingComputer reached out earlier today.

Source

The data being leaked outside VPN tunnels includes source IP addresses, DNS lookups, HTTPS traffic, and likely also NTP traffic.

This behavior is built into the Android operating system and is a design choice. However, Android users likely didn't know this until now due to the inaccurate description of the "VPN Lockdown" features in Android's documentation.

Mullvad discovered the issue during a security audit that hasn't been published yet, issuing a warning yesterday to raise awareness on the matter and apply additional pressure on Google.

VPNs on Android 

VPNs (virtual private networks) are protected network connections that encrypt internet traffic over public networks. When connected to a VPN, all your Internet connections will use the IP address of your VPN service rather than your public IP address.

This allows users to bypass censorship and throttling, and maintain privacy and anonymity while browsing the web, as the remote hosts will never see your actual IP address.

Android offers a setting under "Network & Internet" to block network connections unless you're using a VPN. This feature is designed to prevent accidental leaks of the user's actual IP address if the VPN connection is interrupted or drops suddenly.

Unfortunately, this feature is undercut by the need to accommodate special cases like identifying captive portals (like hotel WiFi) that must be checked before the user can log in or when using split-tunnel features.

This is why Android is configured to leak some data upon connecting to a new WiFi network, regardless of whether you enabled the "Block connections without VPN" setting.

Mullvad reported the issue to Google, requesting the addition of an option to disable connectivity checks. 

"This is a feature request for adding the option to disable connectivity checks while "Block connections without VPN" (from now on lockdown) is enabled for a VPN app," explains Mullvad in a feature request on Google's Issue Tracker.

"This option should be added as the current VPN lockdown behavior is to leaks connectivity check traffic (see this issue for incorrect documentation) which is not expected and might impact user privacy."

Unfortunately, a Google engineer responded that this is intended functionality for Android and that it would not be fixed for the following reasons:

• Many VPNs actually rely on the results of these connectivity checks to function, 
• The checks are neither the only nor the riskiest exemptions from VPN connections, 
• The privacy impact is minimal, if not insignificant, because the leaked information is already available from the L2 connection.

Mullvad countered these points and highlighted the significant benefits of adding the option, even if not all issues will be addressed, and the case remains open.

Potential implications

The traffic that is leaked outside the VPN connection contains metadata that could be used to derive sensitive de-anonymization information, such as WiFi access point locations.

“The connection check traffic can be observed and analyzed by the party controlling the connectivity check server and any entity observing the network traffic,” explains Mullvad in the blog post.

“Even if the content of the message does not reveal anything more than "some Android device connected", the metadata (which includes the source IP) can be used to derive further information, especially if combined with data such as WiFi access point locations.”

While this isn't easy for unsophisticated threat actors, people who use VPNs to protect themselves from persistent attackers would still find the risk significant.

Furthermore, Mullvad explains that even if the leaks are not fixed, Google should at least update the documentation to correctly indicate that 'Connectivity Checks' would not be protected by the "Block connections without VPN" feature.

Mullvad is still debating the significance of the data leak with Google, calling them to introduce the ability to disable connectivity checks and minimize liability points.

Notably, GrapheneOS, Android-based privacy and security-focused operating system that can run on a limited number of smartphone models, provides this option with the intended functionality.

Source

As reported by Bleeping Computer, the service offers a way for cybercriminals to target individuals in order to obtain access to their Microsoft 365 accounts.

Researchers from cybersecurity company Mandiant released a report on Caffeine after uncovering it recently. They discovered the service following an investigation into a phishing campaign derived from Caffeine, which saw threat actors focusing Caffeine’s efforts on one of the firm’s clients.

Unlike other platforms, anyone interested can access Caffeine without the requirement of invites or referrals. Another trait that is common among such services is receiving approval from an admin on a Telegram group or hacking forum. However, this screening process is also not needed by Caffeine.

Although the majority of PhaaS platforms target western regions, the phishing templates for Caffeine in particular revolve around both Russian and Chinese platforms.

After a threat actor has created their account, they gain access to the Caffeine Store, a central hub featuring tools for setting up phishing campaigns. Of course, the service isn’t offered for free. A subscription license is priced at $250 per month, while the more premium options cost $450 (three months) and $850 (six months).

Image source: Mandiant/Bleeping Computer

The aforementioned prices are around three to five times higher than an average PhaaS subscription. That said, it delivers both anti-detection and anti-analysis systems, in addition to customer support.

Once the phishing campaign has been set up, the phishing kit itself — a Microsoft 365 login page — is launched, after which a phishing template has to be selected. A Python or PHP-based email management utility are other convenient tools that are also offered to distribute phishing emails to targets.

Mandiant has detailed how to detect phishing emails from Caffeine, but the fact remains that when additional templates are added to Caffeine, it’ll become an even more attractive platform for setting up phishing campaigns. When factoring in the automated aspect of the service, newcomers to PhaaS can launch their cyber attacks with ease.

Scammers have previously attempted to send out fake Microsoft Office USB sticks to infect a target’s system with ransomware.

Source

A malicious group known as LAPSUS$ is actively recruiting employees, partners or vendors to provide legitimate access to companies’ networks through a VPN or a remote desktop application. The recruiting notices are distributed via social media platforms.

More than 45,000 followers subscribe to LAPSUS$’s Telegram channel, which shows the level of interest in the recruitment offers.

A New Modus Operandi For Cyberattackers

LAPSUS$ came to cybersecurity experts’ attention toward the end of 2021 when the group made an extortion demand on Brazil’s Ministry of Health. LAPSUS$ is known to use ransomware to encrypt an organization’s data and hold it for ransom. The group may further extort the victim by demanding money in exchange for not publicly exposing stolen data.

As a recent target of one of the group’s attacks, Microsoft researchers published what they learned about the group. They mentioned that “DEV-0537 advertised that they wanted to buy credentials for their targets to entice employees or contractors to take part in its operation” and that “for a fee, the willing accomplice must provide their credentials” to enable the takeover of a legitimate account.

The fact that LAPSUS$ is apparently successful in recruiting insiders for their nefarious activities should be concerning for CISOs everywhere. The attackers gain access to a real user’s credentials as well as the means to access victims’ systems through an official VPN or remote desktop interface. This gives the bad actors the appearance of legitimacy in corporate systems.

Why Insider Attacks Are Notoriously Hard To Detect

Insider threats have been on the rise for years, increasing by 47% between 2018 and 2020. In fact, over 20% of security incidents are attributed to insiders. Such attacks are often more costly because an insider is able to linger on a network longer without raising suspicions and the identity has preapproved access to private information.

In many ways, catching the malicious insider is more challenging than keeping the malicious outsider out. Companies traditionally have focused more on deploying security tools that are designed to detect threats at the perimeter, or what’s left of it.

What can stop the attack? An insider is already past a perimeter firewall or intrusion detection system. An identity management system sees the credentials as legitimate. A data loss prevention tool might stop data exfiltration but not encryption by ransomware. Unfortunately, these types of security tools do little to stop the person who has already gained legitimate access to the network and its resources.

An insider attack is largely defined by the abuse of privileges to perform some act that the person isn’t entitled to do. It’s a matter of misbehavior on a scale that is damaging to the organization. Thus, the way to catch a malicious insider is to watch for and analyze irregular behaviors. This can be done through personal observations as well as with technology.

Factors That Make Employees Go Rogue

People don’t show up for work one day and suddenly decide to sabotage or steal from their employer. The Cybersecurity and Infrastructure Security Agency (CISA) points out that employees who commit or participate in an insider attack typically show personal indicators that they are under some sort of stress factor, such as having large debts or having a grievance against their company, perhaps because of being overlooked for a promotion they were expecting.

That stressed or disgruntled worker may see the LAPSUS$ opportunity as the perfect way to get quick money or inflict payback on their employer without getting deeply involved.

Tools To Address Insider Threats

Companies deploy cybersecurity technologies based on their perceived risks. Insider threats using legitimate credentials and permissions must be taken into consideration. There are several tools and techniques to consider that can help.

Identity And Access Management

Identity and access management (IAM) is a framework of policies and technologies that manage user identities—and a user can be a person, a device or a service—and restrict access to only those systems and resources needed to perform a job. IAM won’t necessarily prevent an inside attacker from getting to some resources, but it can lock the bad actor out from restricted areas.

Privileged Access Management

Privileged access management (PAM) is a tool that monitors the actions of users with high privileges on the network, such as network administrators and other IT professionals. Attackers that use stolen (or purchased) credentials prefer using privileged accounts because of the access levels they have. PAM looks for abuse of these privileges if the account attempts to do something that’s not permitted.

User And Entity Behavior Analytics

A user and entity behavior analytics (UEBA) security tool gathers information on every user and entity/device of the network and funnels it into a large data lake. This includes every activity performed, such as logging in, opening a file, accessing a directory, copying information to an external drive, printing information, going into an application and so on. These types of activities, taken over a length of time, comprise a common baseline of what a specific user identity does on a daily basis.

All these data points are fed into a machine learning system to analyze the data for subtle differences, or anomalies. For example, a user identity might attempt to access an application or data that it has never accessed before. This different activity leads to further analysis to determine the level of risk it might pose. The UEBA system uses machine learning techniques such as clustering, outlier analysis and peer analysis to see if the suspicious activity truly stands out from normal benign activity. If so, an alert is raised to prompt attention to the matter and/or execute an automated response.

LAPSUS$ upped the ante on insider attacks. Now organizations need to rethink their approach to preventing, detecting and shutting them down.

Source

FCC tackles a thorny robocall problem—how to verify caller ID on old landlines

There is no indication that any airport operations were affected, and the type of cyberattack the hackers claimed to use doesn’t do any lasting damage. But it was a sign of how an increasingly effective pro-Russia group, Killnet, can cause mischief for U.S. websites. Last week, Killnet targeted the websites of several U.S. states, successfully knocking Colorado.gov offline for more than a day and briefly interrupting Kentucky.gov.

Killnet specializes in Distributed Denial of Service attacks, or DDoS attacks, which overwhelm a website with internet traffic. While DDoS attacks are generally considered little more than a nuisance, they can knock websites offline for hours or even days.

Killnet frequently posts lists of targeted websites on its Telegram channel, encouraging fellow Russia supporters with entry-level hacker skills to join it in trying to disrupt them. On Monday morning, it posted a list of websites for 49 airports and other air travel sites, most of them in the U.S., as its latest targets.

A spokesperson for Los Angeles International Airport said in an email: "Early this morning, the FlyLAX.com website was partially disrupted," but that it didn't affect flights.

"The service interruption was limited to portions of the public facing FlyLAX.com website only. No internal airport systems were compromised and there were no operational disruptions," the spokesperson said.

A spokesperson for the U.S. Cybersecurity and Infrastructure Agency, the federal government’s main cybersecurity agency, declined to comment. The U.S. Department of Transportation and Hartsfield-Jackson Atlanta International Airport didn’t immediately respond to requests for comment.

An NBC News survey of the 49 websites posted on the Killnet Telegram channel found that the websites for many airports did not load properly, including Atlanta International; Montgomery, Alabama; Los Angeles International; Long Beach, California; Delaware Coastal; Southwest Florida International; Central Illinois Regional; Indianapolis International; Des Moines International; Jackson Municipal in Mississippi; and St. Louis Lambert International.

Some of Killnet’s targets indicated a lack of understanding of U.S. airports. It listed the city of Chicago’s general air travel website, flychicago.com, which was inaccessible Monday, but not that of its major airports, like O’Hare International or Midway International. Similarly, it targeted Hawaii’s state website for air travel, which was also inaccessible, but not Honolulu International.

This article was originally published on NBCNews.com[.]

Source

Computer security researchers say they've developed an AI-driven system that can guess computer and smartphone passwords in seconds by examining the heat signatures that fingertips leave on keyboards and screens when entering data.

Called ThermoSecure, researchers at the University of Glasgow's School of Computing Science developed the system to show how the falling price of thermal-imaging cameras and increasing access to machine-learning and artificial intelligence (AI) algorithms are creating new opportunities for what they describe as thermal attacks.

By using a thermal-imaging camera to look at a computer keyboard, smartphone screen or ATM keypad, it's possible to take a picture that reveals the recent heat signature from fingers touching the device.

The brighter the area appears in the thermal image, the more recently it was touched – meaning that the image could be used to crack a password or pin code by analyzing where the keyboard or screen was touched, and when.

Earlier research by the University of Glasgow into thermal attacks has suggested that humans without expertise can guess passwords by looking at thermal images, and now – by adding artificial intelligence – passwords could be cracked even faster by specialist attackers.

Using ThermoSecure to analyse images using AI, 86% of passwords were revealed when thermal images were taken within 20 seconds, 76% could be guessed using images within 30 seconds, and 62% could be discovered after 60 seconds.

The longer the password, the more difficult it was to reveal, but it still proved possible in the majority of cases. ThermoSecure could crack two-thirds of passwords of up to 16 characters and, as passwords get shorter, the more success the system had – 12-character passwords were guessed up to 82% of the time and eight-character passwords were guessed up to 93% of the time.  

Passwords made up of six characters or less were successfully cracked 100% of the time – something that could make ATM PIN codes or shorter codes that are used to protect smartphones particularly vulnerable to attacks.

By using this clever technique, a malicious attacker observing potential victims could take a thermal photo of a keyboard, smartphone or ATM and use that to guess passwords. In some cases, they'd also need to physically access the device themselves – but it's also possible that the target could leave their computer unattended. 

There's also the possibility that an attacker could already know the username of their target's online account – or they could potentially use the thermal attack to uncover that, too.

The paper on ThermoSecure – authored by the University of Glasgow's Dr Mohamed Kham, Dr John Williamson and Norah Alotaibi – has been released in the hope that it shows the potential risk posed by thermal imaging attacks as the technology used to power them becomes cheaper and more widely available.

"Access to thermal-imaging cameras is more affordable than ever – they can be found for less than £200 – and machine learning is becoming increasingly accessible, too. That makes it very likely that people around the world are developing systems along similar lines to ThermoSecure in order to steal passwords," said Dr Mohamed Khamis, reader in computer science at the University of Glasgow, who led the development of ThermoSecure.

"It's important that computer security research keeps pace with these developments to find new ways to mitigate risk, and we will continue to develop our technology to try to stay one step ahead of attackers," he added.

But while the research demonstrates some advanced techniques that could be used to crack passwords, for users, protecting their accounts is possible by doing one relatively simple thing – using stronger passwords.

"Longer passphrases take longer to type, which also makes it more difficult to get an accurate reading on a thermal camera, particularly if the user is a touch typist," said Dr Khamis, who also suggested that biometric verification also adds protection.  

"Users can help make their devices and keyboards more secure by adopting alternative authentication methods, like fingerprint or facial recognition, which mitigate many of the risks of thermal attack."

Source

The hacker also agreed to return 10,000 BNB ($2.74 million) to victims of the exploit, according to a blog post by Transit Finance.

This is in addition to $18.9 million that was returned last week after security firms helped track the hacker's IP address.

The Transit Finance hack is one of several that has plagued DeFi, umbrella term for lending, trading and other financial activities carried out on a blockchain without traditional middlemen, in 2022.

Last month crypto market maker Wintermute had $160 million stolen out of its DeFi business, this came shortly after a $570,000 breach of Curve Finance in August.

Source

Alder Lake is the name of Intel's 12th generation Intel Core processors, released in November 2021. 

On Friday, a Twitter user named 'freak' posted links to what was said to be the source code for Intel Alder Lake's UEFI firmware, which they claim was released by 4chan.

The link led to a GitHub repository named 'ICE_TEA_BIOS' that was uploaded by a user named 'LCFCASD.' This repository contained what was described as the 'BIOS Code from project C970.'

The leak contains 5.97 GB of files, source code, private keys, change logs, and compilation tools, with the latest timestamp on the files being 9/30/22, likely when a hacker or insider copied the data.

BleepingComputer has been told that all the source code was developed by Insyde Software Corp, a UEFI system firmware development company.

The leaked source code also contains numerous references to Lenovo, including code for integrations with 'Lenovo String Service', 'Lenovo Secure Suite', and 'Lenovo Cloud Service.'

At this time, it is unclear whether the source code was stolen during a cyberattack or leaked by an insider.

However, Intel has confirmed to Tom's Hardware that the source code is authentic and is its "proprietary UEFI code."

"Our proprietary UEFI code appears to have been leaked by a third party. We do not believe this exposes any new security vulnerabilities as we do not rely on obfuscation of information as a security measure. This code is covered under our bug bounty program within the Project Circuit Breaker campaign, and we encourage any researchers who may identify potential vulnerabilities to bring them our attention through this program. We are reaching out to both customers and the security research community to keep them informed of this situation." - Intel spokesperson.

Security researchers concerned

While Intel has downplayed the security risks of the source code leak, security researchers warn that the contents could make it easier to find vulnerabilities in the code.

"The attacker/bug hunter can hugely benefit from the leaks even if leaked OEM implementation is only partially used in the production," explains hardware security firm Hardened Vault.

"The Insyde’s solution can help the security researchers, bug hunters (and the attackers) find the vulnerablity and understand the result of reverse engineering easily, which adds up to the long-term high risk to the users."

Positive Technologies hardware researcher Mark Ermolov also warned that the leak included a KeyManifest private encryption key, a private key used to secure Intel's Boot Guard platform.

While it is not clear if the leaked private key is used in production, if it is, hackers could potentially use it to modify the boot policy in Intel firmware and bypass hardware security.

BleepingComputer has contacted Intel, Insyde, and Lenovo with questions about the leak and whether the private keys were used in production.

We will update this article with any responses as we learn more.

Intel confirms leaked Alder Lake BIOS Source Code is authentic

While it is unclear how the threat actors promoted the websites, they all used host names that indicated they were offering nude photos, such as nude-girlss.mywire[.]org, sexyphotos.kozow[.]com, and sexy-photo[.]online.

According to threat intelligence firm Cyble, who first reported on the campaign, the websites would automatically prompt users to download an executable named SexyPhotos.JPG.exe that impersonates a JPG image.

Dating site dropping the malware (Cyble)

 

However, as Windows disables file extensions by default, a user would have seen a file named SexyPhotos.JPG in their Downloads folder and likely double-clicked on it, thinking it was an image.

Upon launch, the fake ransomware drops four executables (del.exe, open.exe, windll.exe, and windowss.exe) and one batch file (avtstart.bat) in the user's %temp% directory and runs them.

Files dropped by the malware (Cyble)

 

The batch file establishes persistence by copying all four executables to the Windows Startup folder.

Next, "windowss.exe" is executed to drop three additional files, including "windows.bat," which performs the renaming. The file types and folders targeted by the batch file are given in the table below.

The result is the renaming of all files to a generic name, like 'Lock_6.fille'. So, while the contents of these files haven't been modified or encrypted, the victims would have no way to figure out their original names.

The appearance of the files after the faux encryption (Cyble)

 

The ransom notes are dropped by "windll.exe" in various locations under the name "Readme.txt."

The note demands a payment of $300 in Bitcoin in three days, threatening to double it to $600 for an extended deadline of seven days, after which all files will be permanently deleted on the attacker's server.

Ransom notes dropped in various locations (Cyble)

 

In reality, this fake ransomware has not stolen any data, and as previously mentioned, it's unlikely that the malware author has developed a tool to recover the files.

“Even if a decryptor is provided, renaming files to their original file name is impossible as the malware is not storing them anywhere during the infection,” comments Cyble in the report.

A data wiper in disguise

However, the malware doesn't appear to be ransomware and was designed only to use the fake encryption as a decoy while deleting almost all of the files on your drives.

Cyble discovered that after performing the fake encryption, the malware attempts to execute “dell.exe,” but due to a naming error that results in dropping “del.exe” instead, this step doesn’t work in the sample seen by Cyble.

Error resulting from the wrong file name (Cyble)

 

If the threat actors fix this minor error, “dell.exe” will run to delete all system drives from [A:\ – Z:\] except for the C:\ drive.

The drive wiper's code (Cyble)

 

Finally, the malware executes "open.exe," which drops and runs "open.bat," which, in turn, connects to the URL "hxxps[:]//lllllllllll.loseyourip[.]com/downloads" and then opens the ransom note.

This fake ransomware is an excellent example of how carelessness can lead to data loss, even by buggy, unsophisticated malware.

A possible way to recover from this malware would be to restore your OS to a previous state since the fake ransomware doesn't delete shadow copies.

Of course, this could still result in data loss, depending on the date of the last restore point.

In general, regular backups of your most important data would be the best practice, as an OS re-installation should be the quickest way out of this trouble.

Carding is the trafficking and use of credit cards stolen through point-of-sale malware, magecart attacks on websites, or information-stealing malware.

BidenCash is a stolen cards marketplace launched in June 2022, leaking a few thousand cards as a promotional move.

Now, the market's operators decided to promote the site with a much more massive dump in the same fashion that the similar platform 'All World Cards' did in August 2021.

The threat actors announced the credit card dump yesterday on new URLs BidenCash launched late last month in response to DDoS (distributed denial of service) attacks, so it could be a way to promote the new shop domains.

Announcing the free dump event on the shop

 

To ensure larger reach, the crooks distribute the collection via a clearnet domain and on other hacking and carding forums.

 

The clearnet site from where anyone can download the card dump

 

The freely circulating file contains a mix of “fresh” cards expiring between 2023 and 2026 from around the world, but most entries appear to be from the United States.

Heatmap reflecting the global exposure, and focus in the U.S. (Cyble)

 

The dump of 1.2 million credit cards includes the following credit card and associated personal information:

• Card number
• Expiration date
• CVV number
• Holder’s name
• Bank name
• Card type, status, and class
• Holder’s address, state, and ZIP
• Email address
• SSN
• Phone number

Not all the above details are available for all 1.2 million records, but most entries seen by BleepingComputer contain over 70% of the data types.

The “special event” offer was first spotted Friday by Italian security researchers at D3Lab, who monitors carding sites on the dark web.

The analysts claim these cards mainly come from web skimmers, which are malicious scripts injected into checkout pages of hacked e-commerce sites that steal submitted credit card and customer information.

Authenticity of the dump

Dark web posts and offers of this size are usually scams, so the massive dump of cards could easily be fake data or recycled data from old dumps repackaged under a new name.

BleepingComputer has discussed the authenticity with analysts at D3Lab, who confirmed that the data is real with several Italian banks, so the leaked entries correspond to real cards and cardholders.

However, many of the entries were recycled from previous collections, like the one  'All World Cards' gave away for free last year.

From the data D3Labs has examined so far, about 30% appear to be fresh, so if this applies roughly to the entire dump, at least 350,000 cards would still be valid.

Of the Italian cards, roughly 50% have already been blocked due to the issuing banks having detected fraudulent activity, which means that the actually usable entries in the leaked collection may be as low as 10%.

Source

A remote employee of a U.S. business who was fired for refusing to leave his webcam on while he was working was awarded roughly 75,000 euros by a Dutch court for wrongful termination. The resident of Diessen, Noord-Brabant, was hired by the the Rijswijk branch of Chetu Inc., a software development company headquartered in Miramar, Florida.

The employee began working for Chetu in January 2019, and said he was earning over 70,000 euros per year in salary, commission, variable bonus, and holiday allowance. He worked for the American firm for over a year and a half, but on 23 August he was ordered to take part in a virtual training period called a "Corrective Action Program." He was told that during the period he would have to remain logged in for the entire workday with screen-sharing turned on and his webcam activated.

The telemarketing worker replied back two days later, “I don't feel comfortable being monitored for 9 hours a day by a camera. This is an invasion of my privacy and makes me feel really uncomfortable. that's the reason why my camera isn't on. You can already monitor all activities on my laptop and I am sharing my screen.” He was summarily fired on 26 August, for “refusal to work” and “insubordination.”

The plaintiff brought the case to the Zeeland-West Brabant court in Tilburg a few weeks later, saying “there was no urgent reason given to justify the immediate dismissal given.” He alleged that the termination was disproportionate, and that the demand to leave his webcam turned on was unreasonable, and contravened data privacy rules.

The court agreed that the termination was not legally valid. “The employer has not made it clear enough about the reasons for the dismissal. Moreover, there has been no evidence of a refusal to work, nor was there a reasonable instruction. Instruction to leave the camera on is contrary to the employee's right to respect for his private life,” the court said.

Chetu argued instead that the webcam was no different than if the worker had been present in the office being observed by management. The sub district court considered it unlikely that Chetu intended to store the webcam images, and said data privacy was not the relevant issue.

Instead, it cited Article 8 of the European Convention on Human Rights, and a European court ruling that made it clear that, “Strict conditions are attached to observing employees.” The demand to keep the camera activated was an unreasonable intrusion on the plaintiff’s privacy rights, the court ruled.

The court ordered Chetu Inc. to pay the man over 2,700 euros in unpaid salary, 8,375 euros for wrongful termination, 9,500 euros in worker transition assistance, and 50,000 euros in additional compensation. On top of that, the company has to pay the dismissed worker for 23 vacation days that were not taken, the 8 percent statutory holiday allowance, and possibly an additional penalty for failure to provide a payslip for August. Chetu also has to cover about 585 euros for court filing costs and the plaintiff’s legal fees. Chetu will also be responsible for interest fees for late payment.

In the ruling, issued at the end of September and published on Wednesday, the court also declared the non-compete and confidentiality clauses in the employment contract as being invalid. In civil cases in the Netherlands where the judgement is over 1,750 euros, an appeal can be filed by either side within three months of the court ruling.

Less than a week after the plaintiff was fired, the Rijswijk branch of Chetu Inc. was deregistered from the Chamber of Commerce and shut down on 2 September, records show. The branch was first registered in the Netherlands on 1 June 2013 with the capital declared at 10 million euros. Atal Bansal was listed as the director of the Dutch branch. He is the founder and CEO of the company in the U.S., according to Forbes.

Source

Earlier this week, CommonSpirit Health confirmed it experienced an "IT security issue" but it has yet to answer detailed questions about the incident, including how many of its 1,000 care sites that serve 20 million Americans may have been affected. The health system giant, which is the second largest nonprofit health system in America, has 140 hospitals in 21 states.

"It actually takes a while to fully know the scope because you're in the middle of trying to restore all your systems," said Allan Liska, an analyst with the cybersecurity firm Recorded Future. "You're trying to get patient care up and running. You're trying to get your nurses and your doctors back to the systems they need."

Healthcare organizations are an appealing target for cyber attackers—particularly those who use malware to lock up a victim organization's files and leverage the information for a payment. Ransomware has remained a persistent threat for the industry, which is among the 16 sectors the U.S. government classifies as critical infrastructure.

"Ransomware actors know that's going to cause a lot of disruption," Liska said.

The MercyOne Des Moines Medical Center campus is seen, Thursday, Oct. 6, 2022, in Des Moines, Iowa. Diverted ambulances. Cancer treatment delayed. Electronic health records offline. These are just some of ripple effects of an apparent cyberattack on the major nonprofit health system that disrupted operations throughout the U.S. Meanwhile, The Des Moines Register said the incident occurred Monday, Oct. 3, 2022, and forced the diversion of five ambulances from the emergency department of the city's Mercy One Medical Center to other medical facilities.

Credit: AP Photo/Charlie Neibergall

Health care systems in 2021 saw an unusually high amount of attacks, with 285 publicly reported worldwide, Liska added. So far, Liska's firm has tracked 155 this year with an average of 20 attacks happening a month. However, he estimated that only about 10% of ransomware attacks are publicized.

Cybersecurity experts said years of work have built health care leaders' trust in the FBI and other federal agencies focused on cyber crime.

An FBI spokesperson declined to comment on whether they were investigating the CommonSpirit Health cyberattack.

John Riggi, the American Hospital Association's national advisor for cybersecurity and risk, said he could not discuss CommonSpirit specifically. In general, though, he said it can take days, weeks or more to discover how an attacker gained access, determine what damage has been done and prevent further harm.

Riggi, who spent nearly 30 years with the FBI, called any significant cyber attack on a hospital "a potential risk to patient safety" and said the U.S. government takes that seriously. Their goal, he said, is to identify the attacker and make their identity and methodology public.

The MercyOne Des Moines Medical Center campus is seen, Thursday, Oct. 6, 2022, in Des Moines, Iowa. Diverted ambulances. Cancer treatment delayed. Electronic health records offline. These are just some of ripple effects of an apparent cyberattack on the major nonprofit health system that disrupted operations throughout the U.S. Meanwhile, The Des Moines Register said the incident occurred Monday, Oct. 3, 2022, and forced the diversion of five ambulances from the emergency department of the city's Mercy One Medical Center to other medical facilities.

Credit: AP Photo/Charlie Neibergall

"They don't want to show their hand, what they know about the bad guys," he said. "You're really processing a crime scene in real time."

But there are risks to victims of cyber attacks who fail to communicate their response plan and strategies for recovery, said Mike Hamilton, the chief information security officer with Critical Insights Cybersecurity in Washington state.

The reaction of patients, staff and affiliated health care operations to the chain's handling of the incident all could affect the company's future survival, he said.

"Here's how close we are to resolution, here's where we're diverting, here are the other hospitals we're partnering with," Hamilton said. "They need to be sure they're communicating ... because so many people are being impacted by this."

Source

A Florida court this week sentenced former Netwalker ransomware affiliate Sebastien Vachon-Desjardins to twenty years in prison and demanded he forfeits $21.5 million for an attack on a Tampa business and other companies worldwide.

We also had reports released this week that linked the Cheerscrypt ransomware to a Chinese hacking group and showed how the BlackByte ransomware operation uses 'Bring Your Own Vulnerable Driver' (BYOVD) attacks to terminate security software.

Motherboard also released a report based on FOIA requests, showing how US schools have responded to ransomware attacks on their networks.

Finally, the Vice Society began leaking data belonging to students, parents, and employees of the Los Angeles Unified school district, and Ferrari denies RansomEXX attacked them.

Contributors and those who provided new ransomware information and stories this week include: @DanielGallagher, @malwrhunterteam, @demonslay335, @malwareforme, @Seifreed, @billtoulas, @jorntvdw, @serghei, @fwosar, @FourOctets, @BleepinComputer, @struppigel, @Ionut_Ilascu, @VK_Intel, @LawrenceAbrams, @PolarToffee, @Avast, @Sophos, @sygnia_labs, @BrettCallow, @pcrisk, @jgreigj, @lorenzofb, and @elhackernet.

October 2nd 2022

Ransomware gang leaks data stolen from LAUSD school system

The Vice Society Ransomware gang published data and documents Sunday morning that were stolen from the Los Angeles Unified School District during a cyberattack earlier this month.

October 3rd 2022

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .adlg and .adww extensions.

How Ransomware Is Causing Chaos in American Schools

May 19, 2021 was supposed to be just another day at the end of the school year at Sierra College, a community college in Rocklin, California. Instead, hackers hit the school with ransomware, throwing it into chaos.

October 4th 2022

Ransomware hunters: the self-taught tech geniuses fighting cybercrime

Hackers are increasingly taking users’ data hostage and demanding huge sums for its release. They have targeted individuals, businesses, vital infrastructure and even hospitals. Authorities have been slow to respond – but there is help out there

Decrypted: MafiaWare666 Ransomware

MafiaWare666 is a ransomware strain written in C# which doesn’t contain any obfuscation or anti-analysis techniques. It encrypts files using the AES encryption. We discovered a vulnerability in the encryption schema that allows some of the variants to be decrypted without paying the ransom. New or previously unknown samples may encrypt files differently, so they may not be decryptable without further analysis.

Cheerscrypt ransomware linked to a Chinese hacking group

The Cheerscrypt ransomware has been linked to a Chinese hacking group named 'Emperor Dragonfly,' known to frequently switch between ransomware families to evade attribution.

Netwalker ransomware affiliate sentenced to 20 years in prison

Former Netwalker ransomware affiliate Sebastien Vachon-Desjardins has been sentenced to 20 years in prison and demanded to forfeit $21.5 million for his attacks on a Tampa company and other entities.

New RedKrypt Ransomware

PCrisk found a new RedKrypt Ransomware that appends the .p.redkrypt extension and drops a ransom note named RedKrypt-Notes-README.txt.

Ferrari denies data breach and ransomware attack following gang’s online claims

Luxury car maker Ferrari is denying that it was hit with a ransomware attack after a gang added the company to its list of victims this week.

Cyber attack on health provider Pinnacle a 'wake up call'

A top doctor is calling a cyber attack on a major primary health provider that has compromised the details of potentially thousands of patient details a “wake up call to the sector”.

October 5th 2022

BlackByte ransomware abuses legit driver to disable security products

The BlackByte ransomware gang is using a new technique that researchers are calling "Bring Your Own Driver," which enables bypassing protections by disabling more than 1,000 drivers used by various security solutions.

October 7th 2022

Ransomware cyberattack affects 13 hospitals and outpatient clinics in Catalonia

The Consorci Sanitari Integral (CSI) has suffered a ransomware computer attack (for the second time in two years) that affects all its healthcare centers in Barcelona and Baix Llobregat. Health activity and patient care are maintained in what does not require computer services , with consultations practically only for emergencies, since health workers do not have access to patient information or procedures through computers .

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .towz and .tohj extensions.

That's it for this week! Hope everyone has a nice weekend!

The Week in Ransomware - October 7th 2022 - A 20 year sentence

The RansomHouse gang added ADATA files to their data leak site on Tuesday, claiming they stole 1TB worth of documents in a 2022 cyberattack.The threat actors also leaked samples of allegedly stolen files, which appear to belong to the company.

However, in a statement to BleepingComputer, ADATA says it had not suffered a recent cyberattack and that the leaked files are from a May 2021 RagnarLocker ransomware attack when 1.5 TB of data was stolen.

"By several technical ways check, we are confident what Ransomhouse claimed are fake and those data has been stolen by Ragnar Locker in 2021," a spokesperson for ADATA told BleepingComputer.

"After the hit by Ragnar Locker in 2021, ADATA retained information security experts and implemented effective methods to set up strong protection.  Since then, no attack to ADATA was successful.  None of confidential information of ADATA was leaked."

Comparing the timestamps on the data shared by RansomHouse with the data leaked by Ragnar Locker in June 2021, both sets of stolen data have similar timestamps, with no file being newer than May 2021.

ADATA added that RansomHouse had not left any ransom notes on their servers to prove that an attack occurred.

However, RansomHouse continues to claim they breached ADATA recently in a data theft attack and that they had negotiated with the company on the stolen data.

Who is RansomHouse?

RansomHouse launched its extortion operation in 2021 when it leaked its first victim, Saskatchewan Liquor and Gaming Authority (SLGA).

The threat actors claim not to use any ransomware in their attacks, but the White Rabbit ransom notes clearly link encryption attacks to Ransom House.

White Rabbit ransom note mentioning Ransom House - Source: BleepingComputer

More recently, RansomHouse claimed an attack on eight municipalities in Italy.

During this attack, ransomware was used that appended the .mario extension to encrypted files and left a ransom note greeting victims with, "Buongiorno la mia bella Italia."

RansomHouse has targeted other high-profile companies, including AMD and Shoprite Holdings, Africa's largest supermarket chain.

Source

In AV-Comparatives testing, Microsoft's Defender for Endpoint did really well, scoring full marks in the test. A total of 15 test cases were conducted. In a blog post, the Redmond giant praised itself for the achievement, as it is clearly elated by the test results. It says:

In May 2022, Microsoft participated in an evaluation conducted by independent testing organization AV-Comparatives specifically on detecting and blocking the LSASS credential dumping technique. The test, which evaluated several endpoint protection platforms (EPP) and endpoint detection and response (EDR) vendors, is the first time AV-Comparatives focused on a single attack technique, and we’re happy to report that Defender for Endpoint passed all 15 test cases used to dump user OS credentials from the LSASS process, achieving 100% detection and prevention scores.

Notably, we also passed all test cases with only Defender for Endpoint’s default settings configured, that is, with LSASS ASR and Protective Process Light (PPL) turned off to validate our antivirus protection durability in itself. Such results demonstrate our continued commitment to provide organizations with industry-leading defense.

However, it was not all smooth sailing initially for Defender. AV-Comparatives found that out of the 15 test cases, Defender initially missed four of them (cases 01, 03, 09, and 10):

Microsoft made improvements after this and in the August retest, it had the 100% detection rate like the final results showed. Microsoft acknowledged this and has thanked AV-Comparatives for helping it improve its solution. Additionally, it is also itching to go for the next set of tests:

We’d like to thank AV-Comparatives for this thorough test, which led us to improve our protection and detection capabilities in Defender for Endpoint. These improvements have already been rolled out to benefit our customers, and we’re looking forward to the next similar test.

You can read Microsoft's blog post here.

Microsoft pats itself on the back as it thanks AV-Comparatives for helping improve Defender

The federal law enforcement agency warned that foreign actors are actively spreading election infrastructure disinformation to manipulate public opinion, discredit the electoral process, sow discord, and encourage a lack of trust in democratic processes and institutions.

As the FBI added, foreign actors might also target the public with attempts to incite violence before and after the midterms.

"Foreign actors may intensify efforts to influence outcomes of the 2022 midterm elections by circulating or amplifying reports of real or alleged malicious cyber activity on election infrastructure," the FBI said in a public service announcement jointly issued with CISA.

"Additionally, these foreign actors may create and knowingly disseminate false claims and narratives regarding voter suppression, voter or ballot fraud, and other false information intended to undermine confidence in the election processes and influence public opinion of the elections' legitimacy."

Disinformation campaigns could use various channels to spread and amplify false claims, including spoofed websites, fake social media personas, and dark web and publicly available media channels.

These platforms could be used to spread claims that election infrastructure has been compromised, using "hacked" or "leaked" U.S. voter registration data likely to cast doubt on the election's legitimacy.

"While some voter registration information is publicly available, the FBI and CISA have no information suggesting any cyber activity against U.S. election infrastructure has impacted the accuracy of voter registration information, prevented a registered voter from casting a ballot, or compromised the integrity of any ballots cast," the PSA says.

"These efforts by foreign actors aim to undermine voter confidence and to entice unwitting consumers of information and third-party individuals to like, discuss, share, and amplify the spread of false or misleading narratives." — FBI

Americans urged to use trusted sources only

The FBI and CISA urged voters to carefully evaluate their sources of information in the lead-up to and after the 2022 midterm elections and to only trust info from trusted sources, including reputable news outlets and election officials.

Two years ago, before the 2020 U.S. elections, the Director of the U.S. National Counterintelligence and Security Center (NCSC) shared info on election influence efforts linked to China, Russia, and Iran.

This was followed by two PSAs regarding spreading disinformation about the results of the 2020 U.S. elections and detailing how attempts to compromise election infrastructure could only slow down but not prevent voting efforts.

Influence operations remain the biggest threat to the election process, as shown by another advisory issued this week by the two federal agencies.

The FBI and CISA said cyber-attacks attempting to compromise election infrastructure are unlikely to affect election results and will not prevent or cause massive disruption of the voting process.

Source

Details are scant at the moment, but the attack appears to have started at 2:30 PM EST today, with the attacker's wallet receiving two transactions [1, 2], each consisting of 1,000,000 BNB.

Soon after the hacker began spreading some of the funds across a variety of liquidity pools, attempting to transfer the BNB into other assets.

Binance acknowledged the security incident at 6:19 PM EST and paused the BNB Smart Chain while they investigated the incident.

At 7:51 PM EST, the CEO of Binance tweeted that an exploit was used in the BSC Token Hub to transfer the BNB to the attacker and that they had asked all validators to suspend the Binance Smart Chain.

"An exploit on a cross-chain bridge, BSC Token Hub, resulted in extra BNB," tweeted Binance CEO Changpeng Zhao.

"We have asked all validators to temporarily suspend BSC. The issue is contained now. Your funds are safe. We apologize for the inconvenience and will provide further updates accordingly."

While the majority of the stolen funds remain on the BNB Smart Chain, and are now inaccessible to the hacker, Binance estimates that between $70M - $80M were taken off-chain.

Working with partners in the cryptocurrency community, $7 million of those off-chain assets have already been frozen.

Update 10/7/22: 

At approximately 2:30 AM EST Friday, Binance again resumed the BNB Smart Chain (BSC) and enabled deposits and withdrawals on Binance.

In a further update on Binance.com, the company apologized to the community for the attack and thanked partners and validators for their swift response.

While Binance says they will provide a postmortem with further details in the future, they confirmed that 2 million BNB was stolen using an exploit on the BSC Token Hub.

"There was an exploit affecting the native cross-chain bridge between BNB Beacon Chain (BEP2) and BNB Smart Chain (BEP20 or BSC), known as “BSC Token Hub”," reads an update posted to Binance's website.

A total of 2 million BNB was withdrawn. The exploit was through a sophisticated forging of the low level proof into one common library."

This is a developing story.

Source

The three federal agencies said in a joint advisory that Chinese-sponsored hackers are targeting U.S. and allied networks and tech companies to gain access to sensitive networks and steal intellectual property.

"NSA, CISA, and FBI continue to assess PRC state-sponsored cyber activities as being one of the largest and most dynamic threats to U.S. government and civilian networks," the advisory says.

"This joint CSA builds on previous NSA, CISA, and FBI reporting to inform federal and state, local, tribal and territorial (SLTT) government; critical infrastructure, including the Defense Industrial Base Sector; and private sector organizations about notable trends and persistent tactics, techniques, and procedures (TTPs)."

The advisory also bundles recommended mitigations for each of the security flaws most exploited by Chinese threat actors, as well as detection methods and vulnerable technologies to help defenders spot and block incoming attack attempts.

The following security vulnerabilities have been the top most exploited by Chinese-backed state hackers since 2020, according to the NSA, CISA, and the FBI.

Mitigation measures

NSA, CISA, and FBI also urged U.S. and allied governments, critical infrastructure, and private sector orgs to apply the following mitigation measures to defend against Chinese-sponsored cyber-attacks.

The three federal agencies advise organizations to apply security patches as soon as possible, use phishing-resistant multi-factor authentication (MFA) whenever possible, and replace end-of-life network infrastructure no longer receiving security patches.

They also recommend moving towards the Zero Trust security model and enabling robust logging on internet-exposed services to detect attack attempts as soon as possible.

Today's joint advisory follows two others that shared information on tactics, techniques, and procedures (TTPs) used by Chinese-backed threat groups (in 2021) and publicly known vulnerabilities they exploit in attacks (in 2020).

In June, they also revealed that Chinese state hackers had compromised major telecommunications companies and network service providers to steal credentials and harvest data.

On Tuesday, the U.S. Government also issued an alert about state-backed hackers stealing data from U.S. defense contractors using a custom CovalentStealer malware and the Impacket framework.

While CommonSpirit Health confirmed it experienced an "IT security issue" earlier this week, the company has remained mum when pressed for more details about the scope of the attack. The health system giant has 140 hospitals in 21 states. As of Thursday, it's still unknown how many of its 1,000 care sites that serve 20 million Americans were affected.

Despite the lingering questions, the incident underscores the growing concerns surrounding ransomware attacks on health care systems with patient care at stake.

In Tacoma, Washington, Mark Kellogg told KING-TV that his wife, Kathy, had been scheduled to get a cancerous tumor on her tongue removed on Monday, but the procedure was put off several days because of the cyberattack. Virginia Mason Franciscan Health's parent company is CommonSpirit Health.

"Everything we do today is all on a computer, and without it you're back to the stone age writing on a tablet," Kellogg said.

In Iowa, the Des Moines Register reported that the incident forced the diversion of five ambulances from the emergency department of the city's MercyOne Medical Center to other medical facilities.

The incident forced both MercyOne and VMFH to take certain IT systems offline—including patients' electronic health records—as a precaution.

Brett Callow, a threat analyst with cybersecurity provider Emsisoft, said the incident could be "the most significant attack on the health care sector to date" if all CommonSpirit hospitals and other facilities were affected.

Emsisoft has tracked at least 15 health care systems in the U.S. affected by ransomware this year, which manage more than 60 hospitals. Callow said data was stolen in 12 of the 15 instances, adding that those are almost surely undercounts as some ransomware attacks aren't widely reported.

Callow said one of the largest known attacks within health care came in September 2020 when a ransomware attack struck all 250 health care facilities owned by Universal Health Services.

CommonSpirit's incident could exceed that, depending on how many of its facilities were hit. That could mean the company faces large financial costs to get through the incident and recover.

Callow cited the loss of more than $100 million reported by Scripps Health tied to a 2021 ransomware attack that affected its five hospitals in California as an example.

Asked for more information on the incident and its effects on Thursday, a spokesperson for CommonSpirit said the health system could not provide more details.

The most worrying effect of any substantial attack on healthcare is on patients, Callow said.

"I've seen reports that at least one of the impacted hospitals had to divert ambulances to other facilities and that delay in getting people the care they need could obviously represent a risk to the lives of patients," he said. "Beyond that, these incidents can have a long-term impact on patient outcomes—delaying treatments, for example."

In 2020, the FBI and other federal agencies warned that they had credible information that cybercriminals could unleash a wave of data-scrambling extortion attempts against U.S. hospitals and health care providers.

That's because ransomware criminals are increasingly stealing data from their targets before encrypting networks, using it for extortion. They often sow the malware weeks before activating it, waiting for moments when they believe they can extract the highest payments.

Health care is classified by the U.S. government as one of 16 critical infrastructure sectors Health care providers are seen as ripe targets for hackers.

If patient data is accessed, health care providers are required by law to notify the Department of Health and Human Services.

Source