<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/109/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Your boss can monitor your activities without special software</title><link>https://nsaneforums.com/news/security-privacy-news/your-boss-can-monitor-your-activities-without-special-software-r8912/</link><description><![CDATA[<p>
	<span style="font-size:20px;">Apps like Microsoft Office, Zoom, Google Workspace and Slack may provide bosses information on workers’ digital activities. It’s not an accurate representation of productivity or performance, experts say.</span>
</p>

<p>
	 
</p>

<p>
	Your boss probably has enough data about your digital activities to get a snapshot of your workday — without using any special monitoring software.
</p>

<p>
	 
</p>

<p>
	Commonly used network-connected apps such as Zoom, Slack and Microsoft Office give managers the ability to find everything from the number of video meetings in which you’ve actively participated, to how much you chatted online with co-workers and the number of documents you saved to the cloud.
</p>

<p>
	 
</p>

<p>
	But are these snippets of a worker’s digital day an accurate representation of the amount of work employees accomplish?
</p>

<p>
	 
</p>

<p>
	“Activity does not equal productivity,” says Bart Willemsen, Gartner vice president and analyst focused on privacy and technology. “Productivity should equal outcomes.”
</p>

<p>
	 
</p>

<p>
	Workers should be aware that many online work apps offer data about their daily activities. But workplace and privacy experts say data from these work apps should be considered only one part of a larger picture of employee productivity. The issue gets messier if managers use data from apps meant to aid employees with stress, time management and well-being to determine an individual’s future at their workplace.
</p>

<p>
	 
</p>

<p>
	Hundreds of thousands of people adopted new ways of working during the pandemic, spending several days or all of the workweek at home. Gallup estimates that in June — the latest data that’s available — about 34 million people worked in hybrid environments, a mix of office and home. And about 36.5 million people in the United States worked remotely at least five days a week as of early August, according to the Census Bureau’s Household Pulse Survey.
</p>

<p>
	 
</p>

<p>
	As a result, employers have been seeking new ways to manage and ensure productivity, with a growing number of them turning to surveillance software. At the beginning of 2022, global demand for employee monitoring software increased 65 percent from 2019, according to internet security and digital rights firm Top10VPN.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	&lt; Watch the video at the <a href="https://www.washingtonpost.com/technology/2022/10/07/work-app-surveillance/" rel="external nofollow">source page</a>. &gt;
</p>

<p style="text-align:center;">
	 
</p>

<p>
	But popular work apps also offer data.
</p>

<p>
	 
</p>

<p>
	On Microsoft 365, an account administrator can pull data — though it may not be easy and would be tracked in compliance logs — on how many emails workers sent, how many files they saved on a shared drive and how many messages they sent as well as video meetings they participated in on the messaging and video tool Microsoft Teams. Google Workspace, Google’s suite of work tools, allows administrators, for security and audit purposes, to see how many emails a user sent and received, how many files they saved and accessed on Google Drive, and when a user started a video meeting, from where they joined meetings, and who was in a meeting. Select administrators on both services can also access the content of emails and calendar items.
</p>

<p>
	 
</p>

<p>
	On paid Slack accounts, managers can see how many days users have been active and how many messages they’ve sent over a set period of time. Zoom allows account administrators to see how many meetings users participated in, the length of the meetings, and whether users enabled their camera and microphone during them. And if employees have company-issued phones or use office badges or tech that requires them to sign in at the office, managers can track phone usage and office attendance.
</p>

<p>
	 
</p>

<p>
	To be sure, several software companies say their reports are not for employee evaluation and surveillance. Microsoft has stated that using technology to monitor employees is counterproductive and suggested that some managers may have “productivity paranoia.” In the help section of its website, Slack states that the analytics data it offers should be “used for understanding your whole team’s use of Slack, not evaluating an individual’s performance.”
</p>

<p>
	 
</p>

<p>
	Brian Elliott, Slack senior vice president and executive leader of the Slack-led consortium focused on the future of work, said using activity-based analytics to gauge productivity doesn’t account for people’s various communication styles. And incentivizing this kind of activity vs. actual outcomes may increase stress and erode worker trust.
</p>

<p>
	 
</p>

<p>
	“Measuring productivity based on surface-level activity like ‘messages sent’ gives us an extraordinarily limited view into a person’s contributions to their organization,” he said. “Not only is it arbitrary, it’s usually counterproductive.”
</p>

<p>
	 
</p>

<p>
	Trello, a project management tool owned by software company Atlassian, offers teams the chance to see who’s working on which project and each person’s workload. But that data aims to help teams collaborate more easily, track projects and step in when a colleague may be carrying a heavy load, said Gaurav Kataria, Trello’s head of product. The product does not offer individual reports.
</p>

<p>
	 
</p>

<p>
	“We didn’t build the product for that use case,” he said. “We are building for the users.”
</p>

<p>
	 
</p>

<p>
	Several workplace experts agree on one thing: The data doesn’t properly represent a worker’s productivity. Activities such as in-person mentoring, taking time to brainstorm, sketching out a plan or using offline software won’t appear in the data. And measuring quantity might discount the quality of one’s work or interactions.
</p>

<p>
	 
</p>

<p>
	Getting a snapshot of a worker’s digital day becomes even easier if workers are using the same suite of products for all digital activities. But even without it, employers can use third-party tools to compile data from various digital services, said Daniel Kahn Gillmor, senior staff technologist at the American Civil Liberties Union’s Speech, Privacy and Technology Project.
</p>

<p>
	 
</p>

<p>
	“There’s nothing preventing anyone from [collecting this data],” Gillmor said, referring to both the tech companies and account administrators. “The more your work is done via these online services, the more information the service providers have.”
</p>

<p>
	 
</p>

<p>
	Less obvious ways employers might monitor workers without surveillance software include checking local WiFi network logs and security cameras, Gillmor said. To track workers’ movement through the office, an employer may be able to use local networks’ access point logs to see who was connected to each point at any given time. Employers can also use software to automatically track employee office movement via security camera footage, Gillmor added.
</p>

<p>
	 
</p>

<p>
	Meanwhile, some apps may help employers understand worker sentiment, actions and behaviors to determine which workers might not be a “cultural fit,” or pose threats of whistleblowing or stealing files, said Wilneida Negrón, director of policy and research for worker advocacy organization Coworker.org.
</p>

<p>
	 
</p>

<p>
	Employers using Microsoft Viva, a tool that helps connect employees to insights, communications and other resources, can add a service called Insights, which sends a snapshot about a worker’s habits and potential for stress to the individual’s work email. That email can be accessed by a restricted set of account administrators. But the data can become problematic if employers secretly use it to discriminate or inform their decisions about employment, compensation or promotions, Negrón said.
</p>

<p>
	 
</p>

<p>
	Despite the surveillance, workers are not powerless, said Liz Shuler, president of the AFL-CIO.
</p>

<p>
	 
</p>

<p>
	“There’s power in collective action,” she said. “You can form a union, but you can also create pressure … it takes some form of coming together to rebalance the scale.”
</p>

<p>
	 
</p>

<p>
	If employers choose to quietly use that data to evaluate their workers, it will probably reduce company loyalty and lead to people working solely to meet metrics rather than effectively doing their jobs, Willemsen of Gartner said.
</p>

<p>
	 
</p>

<p>
	“My genuine fear is there’s a lot of experimenting going on and no transparency,” he said. “Say out loud and upfront what you’re monitoring and for what purpose. It’s the right thing to do.”
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.washingtonpost.com/technology/2022/10/07/work-app-surveillance/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">8912</guid><pubDate>Fri, 07 Oct 2022 15:26:27 +0000</pubDate></item><item><title>Google Chrome is by far the most vulnerable browser in 2022: Study</title><link>https://nsaneforums.com/news/security-privacy-news/google-chrome-is-by-far-the-most-vulnerable-browser-in-2022-study-r8911/</link><description><![CDATA[<p>
	New research from AtlasVPN has found that Google Chrome is the most vulnerability-ridden web browser in 2022. According to the report, Chrome has recorded 303 vulnerabilities this year. It is also the only web browser that has already recorded new security vulnerabilities in October 2022.
</p>

<p>
	 
</p>

<p>
	Following Google Chrome, at a distant second place (which is actually a good thing), is Mozilla Firefox, with 117 vulnerabilities, while Microsoft Edge comes third with 103. Safari and Opera come fourth and fifth with 26 and 0 (zero) vulnerabilities, respectively.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="1665125487_google_chrome_story.jpg" class="ipsImage" data-ratio="75.10" height="540" width="520" src="https://cdn.neow.in/news/images/uploaded/2022/10/1665125487_google_chrome_story.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	When it comes to all-time figures, Chrome also comes out on top with 3,159 vulnerabilities since it launched in September 2008. While Firefox, Safari, and Opera are all older than Chrome, they have significantly fewer lifetime vulnerabilities at 2,361, 1,139, and 344, respectively. Edge, which launched in 2015, has a total of 806 vulnerabilities.
</p>

<p>
	 
</p>

<p>
	To mitigate the risk of hackers exploiting browser vulnerabilities to attack your system, make sure to install browser updates as soon as they become available. Also, carefully vet browser extensions before installing them, as some of them may have vulnerabilities that cybercriminals can take advantage of. Finally, always be wary of phishing attacks as threat actors will often use platforms like email to distribute malware capable of exploiting various browser flaws.
</p>

<p>
	 
</p>

<p>
	Source: <span style="color:#2980b9;"><a href="https://atlasvpn.com/blog/google-chrome-is-the-most-vulnerability-ridden-browser-in-2022" rel="external nofollow">AtlasVPN</a></span>
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.neowin.net/news/google-chrome-is-by-far-the-most-vulnerable-browser-in-2022-study/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">8911</guid><pubDate>Fri, 07 Oct 2022 15:10:29 +0000</pubDate></item><item><title>VPN use soars in worldwide period of unrest and warfare</title><link>https://nsaneforums.com/news/security-privacy-news/vpn-use-soars-in-worldwide-period-of-unrest-and-warfare-r8893/</link><description><![CDATA[<p>
	<span style="font-size:24px;">2022 has been seeing a surge in demands around the globe</span>
</p>

<p>
	 
</p>

<p>
	The 2011 Arab Spring unrests were a pivotal moment in the history of protests. New use of social media and digital technologies allowed citizens to organize mass demonstrations, spreading the wave of dissent even across borders. At the same time, it was also the first time the internet went dark.
</p>

<p>
	 
</p>

<p>
	Now, 11 years later, internet shutdowns and social media blocks have become common practice among worldwide governments as a means to silence protesters and hide rights abuses.
</p>

<p>
	 
</p>

<p>
	However, citizens around the world have learned to fight back. And the answer always lies in digital technology. That's how security and circumvention software like the best VPN services have become the everyman's favorite weapon in times of conflict.
</p>

<p>
	 
</p>

<p>
	We recently saw how VPN demand rose among Iranians after authorities restricted Instagram and WhatsApp to clamp down on the ongoing rallies over the death of 22-year-old Mahsa Amini at the hands of Iranian morality police. VPN downloads soared <strong>more than 3,000%</strong>.
</p>

<p>
	 
</p>

<p>
	However, 2022 has been witnessing a surge in VPN downloads around the globe since January - perhaps as never before. Below we've got a breakdown of the most important events.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="49UvCA8Y9A8LqS9TUgboGQ-1200-80.jpeg.webp" class="ipsImage" data-ratio="75.10" height="540" width="540" src="https://cdn.mos.cms.futurecdn.net/49UvCA8Y9A8LqS9TUgboGQ-1200-80.jpeg.webp" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>(Image credit: Statista)</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	<span style="font-size:22px;"><strong>2022 at a glance</strong></span>
</p>

<p>
	 
</p>

<p>
	We've had some pretty busy months lately in terms of internet shutdowns, online censorship and cyberattacks. All this pushed people around the world to turn to secure VPN services to bypass internet restrictions and protect their digital privacy.
</p>

<p>
	 
</p>

<p>
	The year kicked off with over 460% more downloads in Myanmar, where the block of Facebook made the circumvention tool a necessity for Burmese citizens. What's more, this rise in demand occurred despite the country's digital dictatorship seeking to criminalize VPNs.
</p>

<p>
	 
</p>

<p>
	This was nothing in comparison with the leap registered in Kazakhstan, though. Following disruptions of mobile internet access amid anti-government protests, the rise in VPN demand skyrocketed <strong>around 3,400%</strong> on January 5.  
</p>

<p>
	 
</p>

<p>
	Another staggering increase came from <strong>Sri Lanka</strong> in April, with a peak of <strong>more than 17,000%</strong>. This prompted the government to lift social media bans as VPNs make it "completely useless."
</p>

<p>
	 
</p>

<p>
	Between February and March, the beginning of the conflict in Ukraine shook people's digital balance. Fierce online censorship, together with a rise in cybercrime, has brought VPN demand to a new high in the region.
</p>

<p>
	 
</p>

<p>
	<strong>Russia VPN </strong>downloads kept soaring, reaching a <strong>peak of nearly 2,700%</strong>. That's not surprising as the Kremlin boosted its internet restrictions even further, blocking many national and foreign news sites along the way.
</p>

<p>
	 
</p>

<p>
	<strong>In Ukraine the demand has seen more than a 600% </strong>increase since the war started. Many providers even offered free subscriptions to support journalists working in the country.  
</p>

<p>
	 
</p>

<p>
	<strong>In Indonesia there was a surge of 196% </strong>in July following new internet regulations that blocked many platforms, like PayPal and Twitter, for failing to comply with new rules.
</p>

<p>
	 
</p>

<p>
	The same month, VPN downloads soared in Cuba to bypass internet disruptions enforced to crack down on citizens filling the streets to protest against a staggering economic crisis. Over 34,000 more Psiphon downloads were recorded.
</p>

<p>
	 
</p>

<p>
	More recently, a military conflict erupted on the border between Azerbaijan and Armenia, causing a rise in demand for security software across the region. People in <strong>Azerbaijan have been downloading VPN services 750%</strong> more since the clashes started on September 14. In <strong>Armenia</strong>, <strong>VPN demand was 84% higher</strong> than in August.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="a50bdbac073879033be2b256b6dc058d-1200-80" class="ipsImage" data-ratio="70.28" height="404" width="720" src="https://cdn.mos.cms.futurecdn.net/a50bdbac073879033be2b256b6dc058d-1200-80.jpg.webp" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>(Image credit: Future)</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	<span style="font-size:22px;"><strong>How a VPN can help</strong></span>
</p>

<p>
	 
</p>

<p>
	Short for virtual private network, a VPN is security software that spoofs your IP address location while securing your data inside an encrypted VPN tunnel.
</p>

<p>
	 
</p>

<p>
	While VPNs are ineffective in case of a complete internet blackout, they are the perfect tool for accessing blocked social media platforms, apps and sites.
</p>

<p>
	 
</p>

<p>
	During times of conflict, cybercrime is also likely to rise. Authorities might boost their online surveillance to crack down on dissidents, too. Reliable VPN services are then vital for browsing the web anonymously and preventing nosy governments and malicious actors from accessing your data.
</p>

<p>
	 
</p>

<p>
	It's worth noting that authoritarian governments might block VPN usage. This is why it's important to opt for a service integrated with obfuscation technology to evade these blocks. Other features you should look out for include a strict no-logs policy, strong encryption protocols and additional security options like kill switch and split tunneling. 
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="ebGZgkd4qVX7mUuvz3WNkH-1200-80.jpg.webp" class="ipsImage" data-ratio="20.97" height="132" width="720" src="https://cdn.mos.cms.futurecdn.net/ebGZgkd4qVX7mUuvz3WNkH-1200-80.jpg.webp" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	<strong><a href="https://www.techradar.com/news/vpn-use-soars-in-worldwide-period-of-unrest-and-warfare" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">8893</guid><pubDate>Thu, 06 Oct 2022 19:57:59 +0000</pubDate></item><item><title>As ransomware attacks increase, new algorithm may help prevent power blackouts</title><link>https://nsaneforums.com/news/security-privacy-news/as-ransomware-attacks-increase-new-algorithm-may-help-prevent-power-blackouts-r8888/</link><description><![CDATA[<p>
	Millions of people could suddenly lose electricity if a ransomware attack just slightly tweaked energy flow onto the U.S. power grid.
</p>

<p>
	 
</p>

<p>
	No single power utility company has enough resources to protect the entire grid, but maybe all 3,000 of the grid's utilities could fill in the most crucial security gaps if there were a map showing where to prioritize their security investments.
</p>

<p>
	 
</p>

<p>
	Purdue University researchers have developed an algorithm to create that map. Using this tool, regulatory authorities or cyber insurance companies could establish a framework that guides the security investments of power utility companies to parts of the grid at greatest risk of causing a blackout if hacked.
</p>

<p>
	 
</p>

<p>
	Power grids are a type of critical infrastructure, which is any network—whether physical like water systems or virtual like health care record keeping—considered essential to a country's function and safety. The biggest ransomware attacks in history have happened in the past year, affecting most sectors of critical infrastructure in the U.S. such as grain distribution systems in the food and agriculture sector and the Colonial Pipeline, which carries fuel throughout the East Coast.
</p>

<p>
	 
</p>

<p>
	With this trend in mind, Purdue researchers evaluated the algorithm in the context of various types of critical infrastructure in addition to the power sector. The goal is that the algorithm would help secure any large and complex infrastructure system against cyberattacks.
</p>

<p>
	 
</p>

<p>
	"Multiple companies own different parts of infrastructure. When ransomware hits, it affects lots of different pieces of technology owned by different providers, so that's what makes ransomware a problem at the state, national and even global level," said Saurabh Bagchi, a professor in the Elmore Family School of Electrical and Computer Engineering and Center for Education and Research in Information Assurance and Security at Purdue. "When you are investing security money on large-scale infrastructures, bad investment decisions can mean your power grid goes out, or your telecommunications network goes out for a few days."
</p>

<p>
	 
</p>

<p>
	<span style="font-size:16px;"><strong>Protecting infrastructure from hacks by improving security investment decisions</strong></span>
</p>

<p>
	 
</p>

<p>
	The researchers tested the algorithm in simulations of previously reported hacks to four infrastructure systems: a smart grid, industrial control system, e-commerce platform and web-based telecommunications network. They found that use of this algorithm results in the optimal allocation of security investments for reducing the impact of a cyberattack.
</p>

<p>
	 
</p>

<p>
	The team's findings appear in a paper presented at this year's <span style="color:#2980b9;"><em>IEEE Symposium on Security and Privacy</em></span>, the premier conference in the area of computer security. The team comprises Purdue professors Shreyas Sundaram and Timothy Cason and former Ph.D. students Mustafa Abdallah and Daniel Woods.
</p>

<p>
	"No one has an infinite security budget. You must decide how much to invest in each of your assets so that you gain a bump in the security of the overall system," Bagchi said.
</p>

<p>
	 
</p>

<p>
	The power grid, for example, is so interconnected that the security decisions of one power utility company can greatly impact the operations of other electrical plants. If the computers controlling one area's generators don't have adequate security protection, then a hack to those computers would disrupt energy flow to another area's generators, forcing them to shut down.
</p>

<p>
	 
</p>

<p>
	Since not all of the grid's utilities have the same security budget, it can be hard to ensure that critical points of entry to the grid's controls get the most investment in security protection.
</p>

<p>
	 
</p>

<p>
	The algorithm that Purdue researchers developed would incentivize each security decision maker to allocate security investments in a way that limits the cumulative damage a ransomware attack could cause. An attack on a single generator, for instance, would have less impact than an attack on the controls for a network of generators. Power utility companies would be incentivized to invest more in security measures for the controls over a network of generators rather than for the protection of a single generator.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:16px;"><strong>Building an algorithm that considers the effects of human behavior</strong></span>
</p>

<p>
	 
</p>

<p>
	Bagchi's research shows how to increase cybersecurity in ways that address the interconnected nature of critical infrastructure but don't require an overhaul of the entire infrastructure system to be implemented.
</p>

<p>
	 
</p>

<p>
	As director of Purdue's Center for Resilient Infrastructures, Systems, and Processes, Bagchi has worked with the U.S. Department of Defense, Northrop Grumman Corp., Intel Corp., Adobe Inc., Google LLC and IBM Corp. on adopting solutions from his research. Bagchi's work has revealed the advantages of establishing an automatic response to attacks and has led to key innovations against ransomware threats, such as more effective ways to make decisions about backing up data.
</p>

<p>
	 
</p>

<p>
	There's a compelling reason why incentivizing good security decisions would work, Bagchi said. He and his team designed the algorithm based on findings from the field of behavioral economics, which studies how people make decisions with money.
</p>

<p>
	 
</p>

<p>
	"Before our work, not much computer security research had been done on how behaviors and biases affect the best defense mechanisms in a system.
</p>

<p>
	 
</p>

<p>
	"That's partly because humans are terrible at evaluating risk and an algorithm doesn't have any human biases," Bagchi said. "But for any system of reasonable complexity, decisions about security investments are almost always made with humans in the loop. For our algorithm, we explicitly consider the fact that different participants in an infrastructure system have different biases."
</p>

<p>
	 
</p>

<p>
	To develop the algorithm, Bagchi's team started by playing a game. They ran a series of experiments analyzing how groups of students chose to protect fake assets with fake investments. As in past studies in behavioral economics, they found that most study participants guessed poorly which assets were the most valuable and should be protected from security attacks. Most study participants also tended to spread out their investments instead of allocating them to one asset even when they were told which asset is the most vulnerable to an attack.
</p>

<p>
	 
</p>

<p>
	Using these findings, the researchers designed an algorithm that could work two ways: Either security decision makers pay a tax or fine when they make decisions that are less than optimal for the overall security of the system, or security decision makers receive a payment for investing in the most optimal manner.
</p>

<p>
	 
</p>

<p>
	"Right now, fines are levied as a reactive measure if there is a security incident. Fines or taxes don't have any relationship to the security investments or data of the different operators in critical infrastructure," Bagchi said.
</p>

<p>
	 
</p>

<p>
	In the researchers' simulations of real-world infrastructure systems, the algorithm successfully minimized the likelihood of losing assets to an attack that would decrease the overall security of the infrastructure system.
</p>

<p>
	 
</p>

<p>
	The research was published in the proceedings of the <span style="color:#2980b9;"><em>2022 IEEE Symposium on Security and Privacy (SP).</em></span>
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://techxplore.com/news/2022-10-ransomware-algorithm-power-blackouts.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">8888</guid><pubDate>Thu, 06 Oct 2022 14:17:12 +0000</pubDate></item><item><title>Australia updates law to protect data after Optus hack</title><link>https://nsaneforums.com/news/security-privacy-news/australia-updates-law-to-protect-data-after-optus-hack-r8887/</link><description><![CDATA[<p>
	The Australian government announced changes Thursday to its telecommunications law to protect vulnerable customers after personal details were stolen in a major cyberattack on the nation's second-largest wireless carrier.
</p>

<p>
	 
</p>

<p>
	The changes to Telecommunications Regulations allow Optus and other providers to better coordinate with financial institutions and governments to detect and mitigate the risk of cybersecurity incidents, fraud, scams and other malicious cyber activities, Treasurer Jim Chalmers and Communications Minister Michelle Rowland said in a joint statement.
</p>

<p>
	 
</p>

<p>
	"What this is all about is to try and reduce the impact of this data breach on Optus customers and to enable financial institutions to implement enhanced safeguards and monitoring," Rowland told reporters.
</p>

<p>
	 
</p>

<p>
	More than one in three Australians had personal data stolen when Optus lost the records of 9.8 million current and former customers including passport, driver's license and national health care identification numbers in a hack discovered on Sept. 21.
</p>

<p>
	 
</p>

<p>
	The hacker dumped the records of 10,000 of those customers on the dark web last week as part of an attempt to extort $1 million from Optus, a subsidiary of Singapore Telecommunications Ltd., also known as Singtel.
</p>

<p>
	 
</p>

<p>
	Optus ran full-page ads in Australian newspapers on Saturday under the headline: "We're deeply sorry."
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="australia-updates-law-1.jpg" class="ipsImage" data-ratio="73.47" height="477" width="720" src="https://scx1.b-cdn.net/csz/news/800a/2022/australia-updates-law-1.jpg" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Customers walk out of an Optus telecommunications retail store in the central business district of Sydney, Australia, Wednesday, Oct. 5, 2022. The government announced changes to telecommunications law on Thursday, Oct. 6, to protect customers of Australia's second-largest wireless carrier, Optus, whose personal details were stolen in a major cyberattack. Credit: AP Photo/Mark Baker</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	The ad included a link to an Optus website that details actions customers can take to avoid identity theft and fraud.
</p>

<p>
	 
</p>

<p>
	The government can change regulations without reference to the Parliament. But the government hopes to pass changes to the Privacy Act through the Parliament during its final four sitting weeks of 2022 in response to the Optus breach.
</p>

<p>
	 
</p>

<p>
	The changes would include increased penalties for companies with lax cybersecurity protections and curbs on the quantities and types of customer data that businesses can amass, as well as the duration for which personal information can be kept.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://techxplore.com/news/2022-10-australia-law-optus-hack.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">8887</guid><pubDate>Thu, 06 Oct 2022 14:12:58 +0000</pubDate></item><item><title>This sneaky fraud attack looks like an email forwarded by your boss</title><link>https://nsaneforums.com/news/security-privacy-news/this-sneaky-fraud-attack-looks-like-an-email-forwarded-by-your-boss-r8884/</link><description><![CDATA[<p>
	<span style="font-size:20px;"><strong>Business email compromise scammers are getting savvier with their lures - and new attack groups are emerging. </strong></span>
</p>

<p>
	 
</p>

<p>
	A business email compromise (BEC) campaign is using an email thread that pretends to have been forwarded by the boss in a bid to trick targets into handing over big sums of money.
</p>

<p>
	 
</p>

<p>
	Not only are BEC attacks one of the most lucrative forms of cybercrime – the FBI says they've cost victims a combined total of more than $43 billion in recent years – but they're also one of the simplest to carry out because all attackers really need is an internet connection, an email account and perhaps some background research into their targets.
</p>

<p>
	 
</p>

<p>
	Often, BEC emails seem to be from a colleague or a boss, claiming that a wire transfer must be made quickly and quietly, with scammers hoping that generating a sense of urgency will be enough to trick the unfortunate target into making a bogus payment.
</p>

<p>
	 
</p>

<p>
	But with a little more nuance, BEC attacks have the potential to be more effective and harder for victims to spot – and that could prove very costly for businesses.
</p>

<p>
	 
</p>

<p>
	One of these more advanced BEC campaigns is designed to trick victims into thinking they've been forwarded an ongoing thread by their boss, asking them to deal with an invoice and make a payment – which is sent to an account run by the scammer.
</p>

<p>
	 
</p>

<p>
	The campaign has been detailed by cybersecurity researchers at Abnormal Security, who describe it as "a sophisticated new business email compromise attack" that combines vendor impersonation with executive impersonation.
</p>

<p>
	 
</p>

<p>
	Attacks are even personalized, using email spoofing and a claim that they're from an actual executive of the company that the target victim works for.
</p>

<p>
	 
</p>

<p>
	And to make the attack look more convincing, it's designed to look like it's part of an ongoing thread, with the "boss" asking the victim to set up a financial transaction related to a business payment that is referenced in the forwarded email. But like the message from the "boss", the forwarded request for an invoice is also fake, made up by scammers as part of the lure.
</p>

<p>
	 
</p>

<p>
	By using an invoice request that looks like it's being paid to a real company, the attackers hope the target organisation has a genuine business relationship with that company, so the victim will follow the instructions and make the transfer without asking questions or alerting anyone else.
</p>

<p>
	 
</p>

<p>
	And because there's no malware or malicious code used in BEC attacks, they often bypass email protections.
</p>

<p>
	 
</p>

<p>
	"Like all BEC attacks, the reason traditional email defenses have a difficult time detecting them is because they don't contain any of the static indicators most defenses look out for, like malicious links or attachments. Most BEC attacks are nothing more than pure, text-based social engineering that traditional email defenses are not well-equipped to detect," Crane Hassold, director of threat intelligence at Abnormal Security, told ZDNET.
</p>

<p>
	 
</p>

<p>
	According to analysis of the attacks, the campaign has been active since July 2022 and is believed to be the work of a group that researchers refer to as Cobalt Terrapin, which appears to operate out of Turkey.
</p>

<p>
	 
</p>

<p>
	The nature of BEC campaigns makes them tricky to defend against, particularly as the attacks rely on social engineering instead of malware or other malicious activity that can be detected by antivirus software.
</p>

<p>
	 
</p>

<p>
	However, it's possible to take steps to help detect BEC email threats – and those measures start with educating staff on how to identify scam emails, for example by checking whether the email address is correct, or whether an unexpected message has arrived with an unusually urgent request.
</p>

<p>
	 
</p>

<p>
	Staff should also be advised to verify any suspect request through a different means of communication, such as instant messaging or a phone call.
</p>

<p>
	 
</p>

<p>
	Taking the time to verify a request might sound unintuitive in a fast-paced business environment, but it could save you from losing hundreds of thousands of dollars in a BEC attack.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.zdnet.com/article/this-sneaky-fraud-attack-looks-like-an-email-forwarded-by-your-boss/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">8884</guid><pubDate>Thu, 06 Oct 2022 13:58:43 +0000</pubDate></item><item><title>This sneaky ransomware attack tries to switch off your security software</title><link>https://nsaneforums.com/news/security-privacy-news/this-sneaky-ransomware-attack-tries-to-switch-off-your-security-software-r8883/</link><description><![CDATA[<p>
	<strong><span style="font-size:24px;">Cybersecurity researchers detail how one ransomware gang has started using a new technique to help power extortion attacks. </span></strong>
</p>

<p>
	 
</p>

<p>
	A major ransomware gang is using a new technique that allows attacks to bypass detection by security products by exploiting a vulnerability in more than 1,000 drivers used in antivirus software.
</p>

<p>
	 
</p>

<p>
	The technique has been detailed by cybersecurity researchers at Sophos, who've seen it being used in attacks by the BlackByte ransomware gang.
</p>

<p>
	 
</p>

<p>
	BlackByte is a relatively new ransomware operation, but a series of attacks going after critical infrastructure and other high-profile targets have led to the FBI issuing a warning about the group.
</p>

<p>
	 
</p>

<p>
	Now the BlackByte ransomware gang is apparently using CVE-2019-16098, a vulnerability in RTCore64.sys, a graphics utility driver for Windows systems. This driver is legitimately used for overclocking by providing extended control over the graphics card.
</p>

<p>
	 
</p>

<p>
	However, by exploiting the vulnerability, attackers who have gained access to an authenticated user account can read and write arbitrary memory, which could be exploited for privilege escalation, code execution or accessing information.
</p>

<p>
	 
</p>

<p>
	Researchers describe this as "Bring Your Own Driver". When abused, it allows attackers to bypass more than 1,000 drivers used by industry endpoint detection and response (EDR) products, i.e. antivirus software.
</p>

<p>
	 
</p>

<p>
	This tactic is achieved by exploiting the vulnerability to communicate directly with the targeted system's kernel and telling it to switch off routines used in antivirus software, as well as ETW (Event Tracing for Windows).
</p>

<p>
	 
</p>

<p>
	"If you think of computers as a fortress, for many EDR providers, ETW is the guard at the front gate. If the guard goes down, then that leaves the rest of the system extremely vulnerable. And, because ETW is used by so many different providers, BlackByte's pool of potential targets for deploying this EDR bypass is enormous," said Christopher Budd, senior manager for threat research at Sophos.
</p>

<p>
	 
</p>

<p>
	By abusing this vulnerability, BlackByte can gain the privileges required to quietly access systems, before triggering a ransomware attack and demanding a ransom payment for the decryption key. Like many other ransomware groups, BlackByte also steals data from victims and threatens to release it if their extortion demands aren't met.
</p>

<p>
	 
</p>

<p>
	In order to help protect against Bring Your Own Driver attacks, Sophos recommends that drivers are regularly updated, so any known vulnerabilities in them can be remedied. Researchers also recommend blocklisting drivers that are known to still be exploitable.
</p>

<p>
	 
</p>

<p>
	"It's critical for defenders to monitor new evasion and exploitation techniques and implement mitigations before these techniques become widely available on the cybercrime scene," said Budd.
</p>

<p>
	 
</p>

<p>
	Ransomware continues to be one of the biggest cybersecurity issues facing organisations today. Additional steps that organisations can take to help protect against ransomware and other malware attacks include applying security patches and updates in a timely fashion, as well as providing multi-factor authentication to users.
</p>

<p>
	 
</p>

<p>
	These can help prevent cyber criminals from being able to access the network in the first place.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.zdnet.com/article/this-sneaky-ransomware-attack-tries-to-switch-off-your-security-software/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">8883</guid><pubDate>Thu, 06 Oct 2022 13:54:41 +0000</pubDate></item><item><title>Hackers stole data from US defense org using Impacket, CovalentStealer</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-stole-data-from-us-defense-org-using-impacket-covalentstealer-r8862/</link><description><![CDATA[<p>
	<span style="font-size:14px;">The U.S. Government today released an alert about state-backed hackers using a custom CovalentStealer malware and the Impacket framework to steal sensitive data from a U.S. organization in the Defense Industrial Base (DIB) sector.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The compromise lasted for about ten months and it is likely that multiple advanced persistent threat (APT) groups compromised the organization, some of them gaining initial access through the victim’s Microsoft Exchange Server in January last year.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Entities in the Defense Industrial Base Sector provide products and services that enable support and deployment of military operations.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">They are engaged in the research, development, design, production, delivery, and maintenance of military weapons systems, including all necessary components and parts.</span>
</p>

<h3>
	<span style="font-size:14px;">ProxyLogon, RAT, and custom malware</span>
</h3>

<p>
	<span style="font-size:14px;">A joint report from the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) provides technical details collected during incident response activity that lasted between November 2021 and January 2022.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The hackers combined custom malware called CovalentStealer, the open-source Impacket collection of Python classes, the HyperBro remote access trojan (RAT), and well over a dozen ChinaChopper webshell samples.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">They also exploited the <a href="https://www.bleepingcomputer.com/news/security/microsoft-fixes-actively-exploited-exchange-zero-day-bugs-patch-now/" rel="external nofollow">ProxyLogon collection</a> of four vulnerabilities for Exchange Server around the time Microsoft released an emergency security update to fix them.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">At the time, Microsoft had detected the ProxyLogon exploit chain when the vulnerabilities were zero days (unknown to the vendor), in attacks attributed to a Chinese state-sponsored hacking group they call Hafnium.</span>
</p>

<ul>
	<li>
		<span style="font-size:14px;"><a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855" rel="external nofollow">CVE-2021-26855</a> is a server-side request forgery (SSRF) vulnerability in Exchange that allows sending arbitrary HTTP requests and authenticating as the Exchange server</span>
	</li>
	<li>
		<span style="font-size:14px;"><a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857" rel="external nofollow">CVE-2021-26857</a> is an insecure deserialization vulnerability in the Unified Messaging service. Hafnium used it to run code as SYSTEM on the Exchange server</span>
	</li>
	<li>
		<span style="font-size:14px;"><a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858" rel="external nofollow">CVE-2021-26858</a> is a post-authentication arbitrary file write vulnerability in Exchange. It could be exploited after compromising a legitimate admin’s credentials.</span>
	</li>
	<li>
		<span style="font-size:14px;"><a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065" rel="external nofollow">CVE-2021-27065</a> is a post-authentication arbitrary file write vulnerability in Exchange</span>
	</li>
</ul>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">While the initial access vector is unknown, the current advisory notes that the hackers gained access to the organization’s Exchange Server in mid-January 2021.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Within four hours, the threat actor started mailbox searches and used a compromised administrator account belonging to a former employee to access the Exchange Web Services (EWS) API, which is used for sending and receiving web service messages from client applications.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Less than a month later, in early February 2021, the attackers accessed the network again using the same admin credentials through a virtual private network (VPN) connection.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">After four days, the hackers engaged in reconnaissance activity using a command shell. They learned about the victim’s environment and manually archived (WinRAR) sensitive data, e.g. contract-related information stored on shared drives, preparing it for exfiltration.</span>
</p>

<p>
	 
</p>

<div>
	<p>
		<span style="font-size:14px;">“These files were split into approximately 3MB chunks located on the Microsoft Exchange server within the CU2\he\debug directory” - <a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-277a" rel="external nofollow">joint report</a> from CISA, FBI, and NSA</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">At the beginning of March, the hackers exploited the ProxyLogon vulnerabilities to install no less than 17 China Chopper webshells on the Exchange Server.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">China Chopper carries powerful capabilities in a very small package (just 4 kilobytes). It was initially used by Chinese threat actors but it became so popular that other groups adopted it.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Activity to establish persistence on the network and to move laterally started in April 2021 and was made possible by Impacket, which allows working with network protocols.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">CISA says that the attacker used Impacket with the compromised credentials to obtain a service account with higher privileges, which enabled remote access from multiple external IP addresses to the organization’s Exchange server through Outlook Web Access (OWA).</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Accessing the remote Exchange Server was done through services from two VPN and virtual private server providers, M247 and SurfShark, a common tactic to hide the interaction with the victim network.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Burrowed deeply in the victim network, the hackers relied on the custom-built CovalentStealer to upload additional sensitive files to a Microsoft OneDrive location between late July and mid-October 2022.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In a separate report, CISA provides <a href="https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-277a" rel="external nofollow">technical analysis for CovalentStealer</a> noting that the malware relies on code from two publicly available utilities, ClientUploader and the PowerShell script Export-MFT, to upload compressed files and to extract the Master File Table (MFT) of a local storage volume.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">CovalentStealer also contains resources for encrypting and decrypting the uploaded data and configuration files, and for securing communications.</span>
</p>

<p>
	 
</p>

<div>
	<span style="font-size:14px;"><img alt="CovalentStealer AES encryption routine" data-ratio="22.00" src="https://www.bleepstatic.com/images/news/u/1100723/2022/EncryptionRoutine_DIBOrg.jpg" /></span>
</div>

<div>
	<span style="font-size:14px;">CovalentStealer AES encryption routine</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">CISA shares <a href="https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-277b" rel="external nofollow">technical details for the HyperBro RAT</a> in a separate report, saying that the capabilities of the malware include uploading and downloading files to and from the system, logging keystrokes, executing commands on the infected host, and bypassing User Account Control protection to run with full admin privileges.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The U.S. government at this time does not provide an indication about the origin of the threat actors but notes that “CISA uncovered that likely multiple APT groups compromised the organization’s network.”</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">A set of recommendations is available in the joint report for detecting persistent, long-term access threat activity, one of them being to monitor logs for connections from unusual VPSs and VPNs.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Defenders should also examine connections from unexpected ranges and, for this particular attacker, check for machines hosted by SurfShark and M247.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Monitoring for suspicious account use, such as inappropriate or unauthorized use of administrator accounts, service accounts, or third-party accounts, is also on the list.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The use of compromised credentials with a VPS may also indicate a potential breach that could be uncovered by:</span>
</p>

<ul>
	<li>
		<span style="font-size:14px;">Reviewing logs for "impossible logins," e.g. logins with changing username, user agent strings, and IP address combinations or logins where IP addresses do not align to the expected user’s geographic location</span>
	</li>
	<li>
		<span style="font-size:14px;">Searching for "impossible travel," which occurs when a user logs in from multiple IP addresses that are a significant geographic distance apart. False positives can result from this when legitimate users connect through a VPN</span>
	</li>
	<li>
		<span style="font-size:14px;">Searching for one IP used across multiple accounts, excluding expected logins (successful remote logins from M247 and SurfShark IPs may be a red flag)</span>
	</li>
	<li>
		<span style="font-size:14px;">Identifying suspicious privileged account use after resetting passwords or applying user account mitigations</span>
	</li>
	<li>
		<span style="font-size:14px;">Searching for unusual activity in typically dormant accounts</span>
	</li>
	<li>
		<span style="font-size:14px;">Searching for unusual user agent strings, such as strings not typically associated with normal user activity, which may indicate bot activity</span>
	</li>
</ul>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The joint <a href="https://www.cisa.gov/uscert/sites/default/files/publications/aa22-277a-impacket-and-exfiltration-tool-used-to-steal-sensitive-information-from-defense-industrial-base-organization.pdf" rel="external nofollow">report from CISA, FBI, and NSA</a> shares a set of YARA rules created to detect activity from this particular threat actor and indicators of compromise for the tools used in the attack: <a href="https://www.cisa.gov/uscert/sites/default/files/publications/MAR-10365227.r1.v1.WHITE_stix_7.xml" rel="external nofollow">CovalentStealer</a>, <a href="https://www.cisa.gov/uscert/sites/default/files/publications/MAR-10365227.r2.v1.WHITE_stix.xml" rel="external nofollow">HyperBro</a>, and <a href="https://www.cisa.gov/uscert/sites/default/files/publications/MAR-10365227.r3.v1.WHITE_stix_0.xml" rel="external nofollow">China Chopper</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/hackers-stole-data-from-us-defense-org-using-impacket-covalentstealer/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">8862</guid><pubDate>Wed, 05 Oct 2022 20:49:18 +0000</pubDate></item><item><title>New Android malware 'RatMilad' can steal your data, record audio</title><link>https://nsaneforums.com/news/security-privacy-news/new-android-malware-ratmilad-can-steal-your-data-record-audio-r8861/</link><description><![CDATA[<p>
	<span style="font-size:14px;">A new Android spyware named 'RatMilad' was discovered targeting mobile devices in the Middle East, used to spy on victims and steal data.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The RatMilad spyware was discovered by mobile security firm Zimperium, which warned that the malware could be used for cyber espionage, extortion, or to eavesdrop on victims' conversations.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Similar to other mobile spyware we have seen, the data stolen from these devices could be used to access private corporate systems, blackmail a victim, and more," warned a new report by Zimperium Labs shared with BleepingComputer before publication.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"The malicious actors could then produce notes on the victim, download any stolen materials, and gather intelligence for other nefarious practices."</span>
</p>

<h2>
	<span style="font-size:14px;">Distributed through fake Android apps</span>
</h2>

<p>
	<span style="font-size:14px;">The spyware is distributed through a fake virtual number generator used for activating social media accounts called "NumRent." When installed, the app requests risky permissions and then abuses them to sideload the malicious RatMilad payload.</span>
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="numrent-app.png" class="ipsImage" data-ratio="71.58" height="486" width="679" src="https://www.bleepstatic.com/images/news/u/1220909/Android%20malware/numrent-app.png" />
	</p>

	<p>
		<span style="font-size:14px;">The NumRent app that sideloads RatMilad (Zimperium)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">The main distribution channel for the fake app is Telegram, as NumRent, or other trojans carrying RatMilad, aren’t available on the Google Play Store or third-party stores.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The RatMilad threat actors have also created a dedicated website to promote the mobile remote access trojan (RAT) to make the app appear more convincing. This website is promoted through URLs shared on Telegram or other social media and communication platforms.</span>
</p>

<p>
	 
</p>

<div>
	<p>
		<span style="font-size:14px;"><img alt="Website promoting NumRent" data-ratio="48.06" src="https://www.bleepstatic.com/images/news/u/1220909/Website%20snaps/numrent-site.png" /></span>
	</p>

	<p>
		<span style="font-size:14px;">Website promoting NumRent (Zimperium)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">After successfully installing on a victim’s device, RatMilad hides behind a VPN connection and attempts to steal the following data:</span>
</p>

<ul>
	<li>
		<span style="font-size:14px;">Basic device information (model, brand, buildID, Android version)</span>
	</li>
	<li>
		<span style="font-size:14px;">Device MAC address</span>
	</li>
	<li>
		<span style="font-size:14px;">Contact list</span>
	</li>
	<li>
		<span style="font-size:14px;">SMS</span>
	</li>
	<li>
		<span style="font-size:14px;">Call logs</span>
	</li>
	<li>
		<span style="font-size:14px;">Account names and permissions</span>
	</li>
	<li>
		<span style="font-size:14px;">Installed applications list and permissions</span>
	</li>
	<li>
		<span style="font-size:14px;">Clipboard data</span>
	</li>
	<li>
		<span style="font-size:14px;">GPS location data</span>
	</li>
	<li>
		<span style="font-size:14px;">SIM information (number, country, IMEI, state)</span>
	</li>
	<li>
		<span style="font-size:14px;">File list</span>
	</li>
	<li>
		<span style="font-size:14px;">File contents</span>
	</li>
</ul>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Moreover, RatMilad can perform file actions such as deleting files and stealing files, modifying the permissions of the installed app, or even using the device's microphone to record audio and eavesdrop on the room.</span>
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="sound-recorder-function.png" class="ipsImage" data-ratio="87.52" height="540" width="462" src="https://www.bleepstatic.com/images/news/u/1220909/Android%20malware/sound-recorder-function.png" />
	</p>

	<p>
		<span style="font-size:14px;">The sound recording function (Zimperium)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">These capabilities are more than enough for collecting corporate information, personal details, private communications, photos, videos, documents, etc.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Zimperium discovered RatMilad after the spyware failed to load on a customer’s device and proceeded to analyze the malware.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Spyware such as RatMilad is designed to run silently in the background, constantly spying on its victims without raising suspicion," explains <a href="https://www.zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware" rel="external nofollow">Zimperium’s report</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"We believe the malicious actors responsible for RatMilad acquired the code from the AppMilad group and integrated it into a fake app to distribute to unsuspecting victims."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">From the evidence, Zimperium concludes that the operators of RatMilad are following a random-target approach instead of running a laser-focused campaign.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">At the time of the investigation, the Telegram channel used for distributing the spyware was viewed over 4,700 times and counted over 200 external shares.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">To protect yourself from Android spyware infections like this one, always avoid downloading apps outside the Google Play Store, run an AV scan on newly downloaded APKs, and carefully review the requested permissions during installation.</span>
</p>

<p>
	 
</p>

<div>
	<a href="https://www.bleepingcomputer.com/news/security/new-android-malware-ratmilad-can-steal-your-data-record-audio/" rel="external nofollow">Source</a>
</div>
]]></description><guid isPermaLink="false">8861</guid><pubDate>Wed, 05 Oct 2022 20:45:35 +0000</pubDate></item><item><title>Hundreds of Microsoft SQL servers backdoored with new malware</title><link>https://nsaneforums.com/news/security-privacy-news/hundreds-of-microsoft-sql-servers-backdoored-with-new-malware-r8860/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Security researchers have found a new piece of malware targeting Microsoft SQL servers. Named Maggie, the backdoor has already infected hundreds of machines all over the world.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Maggie is controlled through SQL queries that instruct it to run commands and interact with files. Its capabilities extend to brute-forcing administrator logins to other Microsoft SQL servers and doubling as a bridgehead into the server's network environment.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The backdoor was discovered by German analysts Johann Aydinbas and Axel Wauer of the DCSO CyTec. Telemetry data shows that Maggie is more prevalent in South Korea, India, Vietnam, China, Russia, Thailand, Germany, and the United States.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="heatmap(4).png" class="ipsImage" data-ratio="75.10" height="366" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Maps/heatmap(4).png" />
</div>

<div>
	<span style="font-size:14px;">Maggie infections heatmap (DCSO CyTec)</span>
</div>

<h2>
	<span style="font-size:14px;">Maggie commands</span>
</h2>

<p>
	<span style="font-size:14px;">Analysis of the malware revealed that it disguises itself as an Extended Stored Procedure DLL (“<a href="https://www.virustotal.com/gui/file/f29a311d62c54bbb01f675db9864f4ab0b3483e6cfdd15a745d4943029dcdf14" rel="external nofollow">sqlmaggieAntiVirus_64.dll</a>”) that is digitally signed by DEEPSoft Co. Ltd, a company that appears to be based in South Korea.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Extended Stored Procedure files extend the functionality of SQL queries by using an API that accepts remote user arguments and responds with unstructured data.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Maggie abuses this technical behavior to enable remote backdoor access with a rich set of 51 commands.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="commands-list.png" class="ipsImage" data-ratio="77.14" height="540" width="319" src="https://www.bleepstatic.com/images/news/u/1220909/Tables/commands-list.png" />
</div>

<div>
	<span style="font-size:14px;">Commands supported by Maggie (DCSO CyTec)</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">A report from DCSO CyTec says that the variety of commands supported by Maggie allows querying for system information, executing programs, interacting with files and folders, enabling remote desktop services (TermService), running a SOCKS5 proxy, and setting up port forwarding.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The attackers can append arguments to these commands, and Maggie even offers usage instructions for the supported arguments in some cases.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="sql-scam-params.png" class="ipsImage" data-ratio="35.71" height="250" width="700" src="https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/sql-scam-params.png" />
</div>

<div>
	<span style="font-size:14px;">Valid parameters for the SQL scan command (DCSO CyTec)</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">The researchers say that the command list also includes four “Exploit” commands, indicating that the attacker may rely on known vulnerabilities for some actions, such as adding a new user.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, the analysts couldn’t test the exploits as they appear to depend on an additional DLL that is not shipped with Maggie.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Brute-forcing admin passwords happens through the commands “SqlScan” and “WinSockScan” after defining a password list file and a thread count. If successful, a hardcoded backdoor user is added to the server.</span>
</p>

<p>
	 
</p>

<p>
	<strong><span style="font-size:14px;">Maggie network bridge</span></strong>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The malware offers simple TCP redirection functionality, which allows remote attackers to connect to any IP address the infected MS-SQL server can reach.</span>
</p>

<p>
	 
</p>

<div>
	<p>
		<span style="font-size:14px;">“When enabled, Maggie redirects any incoming connection (on any port the MSSQL server is listening on) to a previously set IP and port, if the source IP address matches a user-specified IP mask” - <a href="http://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01" rel="external nofollow">DCSO CyTec</a></span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">“The implementation enables port reuse, making the redirection transparent to authorized users, while any other connecting IP is able to use the server without any interference or knowledge of Maggie,” the researchers added.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The malware also features SOCKS5 proxy functionality to route all network packets through a proxy server, making it even stealthier if needed.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="socks5.png" class="ipsImage" data-ratio="37.14" height="260" width="700" src="https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/socks5.png" />
</div>

<div>
	<span style="font-size:14px;">Starting and stopping the SOCKS5 proxy service (DCSO CyTec)</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">At this time some details remain unknown, like the post-infection use of Maggie, how the malware is planted in the servers in the first place, and who is behind these attacks.</span>
</p>

<div>
	 
</div>

<div>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/hundreds-of-microsoft-sql-servers-backdoored-with-new-malware/" rel="external nofollow">Source</a></span>
</div>
]]></description><guid isPermaLink="false">8860</guid><pubDate>Thu, 01 Jan 1970 00:00:00 +0000</pubDate></item><item><title>Avast releases free decryptor for Hades ransomware variants</title><link>https://nsaneforums.com/news/security-privacy-news/avast-releases-free-decryptor-for-hades-ransomware-variants-r8859/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Avast has released a decryptor for variants of the Hades ransomware known as 'MafiaWare666', 'Jcrypt', 'RIP Lmao', and 'BrutusptCrypt,' allowing victims to recover their files for free.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The security company says it discovered a flaw in the encryption scheme of the Hades strain, allowing some of the variants to be unlocked. However, this may not apply to newer or unknown samples that use a different encryption system.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Using Avast's tool, victims of the supported ransomware variants can decrypt and access their files again without paying the ransom demanded by the attackers, which ranges between $50 and $300, although demands reached tens of thousands in some cases.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="mafia-screen.png" class="ipsImage" data-ratio="66.53" height="455" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/ransomware/mafia-screen.png" />
</div>

<div>
	<span style="font-size:14px;">Message seen by MafiaWare666 victims (Avast)</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">It should be noted that this Hades ransomware family is different from the <a href="https://www.bleepingcomputer.com/news/security/evil-corp-switches-to-hades-ransomware-to-evade-sanctions/" rel="external nofollow">Hades ransomware used by Evil Corp</a> in an <a href="https://www.bleepingcomputer.com/news/security/trucking-giant-forward-air-hit-by-new-hades-ransomware-gang/" rel="external nofollow">attack on ForwardAir</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The Hades ransomware targeted by this decryptor is a lower-level operation that did not perform data theft or double-extortion attacks.</span>
</p>

<h2>
	<span style="font-size:14px;">Using the Hades decryptor</span>
</h2>

<p>
	<span style="font-size:14px;">The Avast decryptor only supports files encrypted by specific variants of the Hades ransomware family. These variants include the following extensions and strings appended/prepended to an encrypted file's name:</span>
</p>

<ul>
	<li>
		<span style="font-size:14px;">.MafiaWare666</span>
	</li>
	<li>
		<span style="font-size:14px;">.jcrypt</span>
	</li>
	<li>
		<span style="font-size:14px;">.brutusptCrypt</span>
	</li>
	<li>
		<span style="font-size:14px;">.bmcrypt</span>
	</li>
	<li>
		<span style="font-size:14px;">.cyberone</span>
	</li>
	<li>
		<span style="font-size:14px;">.l33ch</span>
	</li>
</ul>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">If you were affected by one of these variants, you can download the free decryptor <a href="https://files.avast.com/files/decryptor/avast_decryptor_mafiaware666.exe" rel="external nofollow">from here</a>, run the executable, select the drive that holds the encrypted files, and point the tool to a sample pair of encrypted and original files.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><img alt="Add file pair and password" data-ratio="70.75" src="https://www.bleepstatic.com/images/news/u/1220909/Software/add-file-step.png" /></span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Those who possess a valid password for decrypting the files but couldn't get the decryptor supplied by Hades to work can tick the box and provide it to Avast's tool.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Most victims don't have a password, so they will have to wait for Avast's tool to crack it, which may take some time.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><img alt="Cracking the password" data-ratio="70.75" src="https://www.bleepstatic.com/images/news/u/1220909/Software/crack-pass.png" /></span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">After the password is found, the users can initiate the decryption process. At this stage, it is highly recommended to tick the boxes to back up the encrypted files and run the tool as an administrator.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><img alt="Final decryption step" data-ratio="70.75" src="https://www.bleepstatic.com/images/news/u/1220909/Software/final-decrypt-step.png" /></span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">It is important to stress that you should enable the option to back up encrypted files, since if there is a problem with the decryptor, the encrypted files could become further corrupted.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">For a step-by-step guide on using the decryptor, you can read <a href="https://decoded.avast.io/threatresearch/decrypted-mafiaware666-ransomware/" rel="external nofollow">Avast's blog post</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/avast-releases-free-decryptor-for-hades-ransomware-variants/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">8859</guid><pubDate>Wed, 05 Oct 2022 20:37:49 +0000</pubDate></item><item><title>BlackByte ransomware abuses legit driver to disable security products</title><link>https://nsaneforums.com/news/security-privacy-news/blackbyte-ransomware-abuses-legit-driver-to-disable-security-products-r8858/</link><description><![CDATA[<p>
	<span style="font-size:14px;">The BlackByte ransomware gang is using a new technique that researchers are calling "Bring Your Own Driver," which enables bypassing protections by disabling more than 1,000 drivers used by various security solutions.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Recent attacks attributed to this group involved a version of the MSI Afterburner RTCore64.sys driver, which is vulnerable to a privilege escalation and code execution flaw tracked as <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-16098" rel="external nofollow">CVE-2019-16098</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Exploiting the security issue allowed <a href="https://www.bleepingcomputer.com/news/security/blackbyte-ransomware-gang-is-back-with-new-extortion-tactics/" rel="external nofollow">BlackByte</a> to disable drivers used by multiple endpoint detection and response (EDR) and antivirus products, preventing those products from operating normally.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The “Bring Your Own Vulnerable Driver” (BYOVD) method is effective because the vulnerable drivers are signed with a valid certificate and run with high privileges on the system.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Two notable recent examples of BYOVD attacks include Lazarus <a href="https://www.bleepingcomputer.com/news/security/lazarus-hackers-abuse-dell-driver-bug-using-new-fudmodule-rootkit/" rel="external nofollow">abusing a buggy Dell driver</a> and unknown hackers <a href="https://www.bleepingcomputer.com/news/security/hackers-abuse-genshin-impact-anti-cheat-system-to-disable-antivirus/" rel="external nofollow">abusing an anti-cheat driver/module</a> for the Genshin Impact game.</span>
</p>

<h2>
	<span style="font-size:14px;">Attack details</span>
</h2>

<p>
	<span style="font-size:14px;">Security researchers at cybersecurity company Sophos <a href="https://news.sophos.com/en-us/2022/10/04/blackbyte-ransomware-returns/" rel="external nofollow">explain</a> that the abused MSI graphics driver offers I/O control codes directly accessible by user-mode processes, which violates Microsoft’s security guidelines on kernel memory access.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This makes it possible for attackers to read, write, or execute code in kernel memory without using shellcode or an exploit.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In the first stage of the attack, BlackByte identifies the kernel version to select the correct offsets that match the kernel ID.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="kernel-offsets.png" class="ipsImage" data-ratio="75.10" height="478" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Diagrams/kernel-offsets.png" />
</div>

<div>
	<span style="font-size:14px;">Identify the kernel to load the right offsets (Sophos)</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">Next, RTCore64.sys is dropped in “AppData\Roaming” and creates a service using a hardcoded name and a randomly selected, not-so-subtle display name.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="display-names.png" class="ipsImage" data-ratio="95.91" height="540" width="491" src="https://www.bleepstatic.com/images/news/u/1220909/Tables/display-names.png" />
</div>

<div>
	<span style="font-size:14px;">The possible display names for the process (Sophos)</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">The attackers then exploit the driver’s vulnerability to remove Kernel Notify Routines that correspond to security tool processes.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The retrieved callback addresses are used to derive the corresponding driver names, which are compared against a list of 1,000 targeted drivers that AV/EDR tools rely on to function.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Any matches found in this stage are removed by overwriting the element that holds the address of the callback function with zeros, so the targeted driver is nullified.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="driver-kernel-com.png" class="ipsImage" data-ratio="75.10" height="446" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Diagrams/driver-kernel-com.png" />
</div>

<div>
	<span style="font-size:14px;">How Kernel Notify Routines work (Sophos)</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">Sophos also highlights several methods that BlackByte employs in these attacks to evade analysis by security researchers, such as looking for signs of a debugger running on the target system and quitting if one is found.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The BlackByte malware also checks for a list of hooking DLLs used by Avast, Sandboxie, Windows DbgHelp Library, and Comodo Internet Security, and terminates its execution if found.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">System administrators can protect against BlackByte’s new security bypassing trick by adding the particular MSI driver to an active blocklist.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Additionally, admins should monitor all driver installation events and scrutinize them frequently to find any rogue injections that don’t have a hardware match.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/blackbyte-ransomware-abuses-legit-driver-to-disable-security-products/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">8858</guid><pubDate>Wed, 05 Oct 2022 20:33:37 +0000</pubDate></item><item><title>FBI, CISA, and NSA Reveal How Hackers Targeted a Defense Industrial Base Organization</title><link>https://nsaneforums.com/news/security-privacy-news/fbi-cisa-and-nsa-reveal-how-hackers-targeted-a-defense-industrial-base-organization-r8851/</link><description><![CDATA[<p>
	U.S. cybersecurity and intelligence agencies on Tuesday disclosed that multiple nation-state hacking groups potentially targeted a "Defense Industrial Base (DIB) Sector organization's enterprise network" as part of a cyber espionage campaign.
</p>

<p>
	 
</p>

<p>
	"[Advanced persistent threat] actors used an open-source toolkit called Impacket to gain their foothold within the environment and further compromise the network, and also used a custom data exfiltration tool, CovalentStealer, to steal the victim's sensitive data," the authorities said.
</p>

<p>
	 
</p>

<p>
	The joint advisory, which was authored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA), said the adversaries likely had long-term access to the compromised environment.
</p>

<p>
	 
</p>

<p>
	The findings are the result of CISA's incident response efforts in collaboration with a trusted third-party security firm from November 2021 through January 2022. It did not attribute the intrusion to a known threat actor or group.
</p>

<p>
	 
</p>

<p>
	The initial infection vector used to breach the network is also unknown, although some of the APT actors are said to have obtained a digital beachhead to the target's Microsoft Exchange Server as early as mid-January 2021.
</p>

<p>
	 
</p>

<p>
	Subsequent post-exploitation activities in February entailed a mix of reconnaissance and data collection efforts, the latter of which resulted in the exfiltration of sensitive contract-related information. Also deployed during this phase was the Impacket tool to establish persistence and facilitate lateral movement.
</p>

<p>
	 
</p>

<p>
	A month later, the APT actors exploited ProxyLogon flaws in Microsoft Exchange Server to install 17 China Chopper web shells and HyperBro, a backdoor exclusively used by a Chinese threat group called Lucky Mouse (aka APT27, Bronze Union, Budworm, or Emissary Panda).
</p>

<p>
	 
</p>

<p>
	The intruders, from late July through mid-October 2021, further employed a bespoke malware strain called CovalentStealer against the unnamed entity to siphon documents stored on file shares and upload them to a Microsoft OneDrive cloud folder.
</p>

<p>
	 
</p>

<p>
	Organizations are recommended to monitor logs for connections from unusual VPNs, suspicious account use, anomalous and known malicious command-line usage, and unauthorized changes to user accounts.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2022/10/fbi-cisa-and-nsa-reveal-how-hackers.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">8851</guid><pubDate>Wed, 05 Oct 2022 14:21:27 +0000</pubDate></item><item><title>Telstra Telecom Suffers Data Breach Potentially Exposing Employee Information</title><link>https://nsaneforums.com/news/security-privacy-news/telstra-telecom-suffers-data-breach-potentially-exposing-employee-information-r8850/</link><description><![CDATA[<p>
	Australia's largest telecommunications company Telstra disclosed that it was the victim of a data breach through a third-party, nearly two weeks after Optus reported a breach of its own.
</p>

<p>
	 
</p>

<p>
	"There has been no breach of Telstra's systems," Narelle Devine, the company's chief information security officer for the Asia Pacific region, said. "And no customer account data was involved."
</p>

<p>
	 
</p>

<p>
	It said the breach targeted a third-party platform called Work Life NAB that's no longer actively used by the company, and that the leaked data posted on the internet concerned a "now-obsolete Telstra employee rewards program."
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="Telstra-hack.jpg" class="ipsImage" data-ratio="63.75" height="453" width="720" src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgSVwh9Vc11DFR44wlhuiOIPX1dFgpAUGLG_Z_HGS--dziT5J3t6ZwTn7WGl1oPOnlYSUMMQH8jC8MDVo30Di8faUSDodDmulWrnNANBSHi6lsxRIPL5crWwrCoTqiPxT1LzHe813FeNEo0Jccp8TKxc0gvUG3zPwfJvBOtXUFfED09ascv8mFkgES3/s728-e1000/Telstra-hack.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Telstra also noted it became aware of the breach last week, adding the information included first and last names and the email addresses used to sign up for the program. It further clarified that the data posted was from 2017.
</p>

<p>
	 
</p>

<p>
	The data was "basic in nature," Devine said.
</p>

<p>
	 
</p>

<p>
	The company did not reveal how many employees were affected, but a Reuters report pegged the number at 30,000, citing internal staff email sent by Telstra.
</p>

<p>
	 
</p>

<p>
	The revelation comes a day after its rival Optus confirmed that nearly 2.1 million of its current and former customers suffered a leak of their personal information in the aftermath of a massive hack.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2022/10/telstra-telecom-suffers-data-breach.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">8850</guid><pubDate>Wed, 05 Oct 2022 14:18:45 +0000</pubDate></item><item><title>Ransomware Group Bypasses "Enormous" Range of EDR Tools</title><link>https://nsaneforums.com/news/security-privacy-news/ransomware-group-bypasses-enormous-range-of-edr-tools-r8849/</link><description><![CDATA[<p>
	A notorious ransomware group has been spotted leveraging sophisticated techniques to bypass endpoint detection and response (EDR) tools.
</p>

<p>
	 
</p>

<p>
	BlackByte, which the US government has said poses a serious threat to critical infrastructure, used a “Bring Your Own Driver” technique to circumvent over 1000 drivers used by commercially available EDR products, according to Sophos.
</p>

<p>
	 
</p>

<p>
	The UK cybersecurity vendor explained in a new report that the group had exploited a known vulnerability, CVE-2019-16098, in the Windows graphics utility driver RTCore64.sys.
</p>

<p>
	 
</p>

<p>
	This enabled it to communicate directly with a victim system’s kernel and issue commands to disable callback routines used by EDR tools.
</p>

<p>
	 
</p>

<p>
	The group also used EDR bypass techniques borrowed from open source tool EDRSandblast to deactivate the Microsoft-Windows-Threat-Intelligence ETW (Event Tracing for Windows) provider.
</p>

<p>
	 
</p>

<p>
	This is a Windows feature “that provides logs about the use of commonly maliciously abused API calls such as NtReadVirtualMemory to inject into another process’s memory,” explained Sophos. Neutralizing it in this way renders any security tool relying on the feature also useless, the firm argued.
</p>

<p>
	 
</p>

<p>
	“If you think of computers as a fortress, for many EDR providers, ETW is the guard at the front gate,” said Christopher Budd, senior manager, threat research at Sophos.
</p>

<p>
	 
</p>

<p>
	“If the guard goes down, then that leaves the rest of the system extremely vulnerable. And, because ETW is used by so many different providers, BlackByte’s pool of potential targets for deploying this EDR bypass is enormous.”
</p>

<p>
	 
</p>

<p>
	BlackByte is not the only ransomware group using these advanced techniques to get around existing detection tools, illustrating the continued arms race between attackers and defenders. AvosLocker used a similar method in May, Sophos said.
</p>

<p>
	 
</p>

<p>
	“Anecdotally, from what we’re seeing in the field, it does appear that EDR bypass is becoming a more popular technique for ransomware threat groups,” confirmed Budd.
</p>

<p>
	 
</p>

<p>
	“This is not surprising. Threat actors often leverage tools and techniques developed by the ‘offensive security’ industry to launch attacks faster and with minimal effort.”
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.infosecurity-magazine.com/news/ransomware-bypasses-enormous-range/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">8849</guid><pubDate>Wed, 05 Oct 2022 14:15:14 +0000</pubDate></item><item><title>Russian Hacker Arrested in India for Reportedly Helping Students Cheat in JEE-Main Exam</title><link>https://nsaneforums.com/news/security-privacy-news/russian-hacker-arrested-in-india-for-reportedly-helping-students-cheat-in-jee-main-exam-r8847/</link><description><![CDATA[<p>
	India's Central Bureau of Investigation (CBI) on Monday disclosed that it has detained a Russian national for allegedly hacking into a software platform used to conduct engineering entrance assessments in the country in 2021.
</p>

<p>
	 
</p>

<p>
	"The said accused was detained by the Bureau of Immigration at Indira Gandhi International Airport, Delhi while arriving in India from Almaty, Kazakhstan," the primary investigating agency said in a press release.
</p>

<p>
	 
</p>

<p>
	The name of the individual was not disclosed by the agency, but Indian news reports identified the person as Mikhail Shargin.
</p>

<p>
	 
</p>

<p>
	The CBI further said that Shargin's role was uncovered as part of its investigation into alleged irregularities committed in the Joint Entrance Examination (JEE-Main) conducted last year. JEE is a standardized test used for admissions to engineering colleges in India.
</p>

<p>
	 
</p>

<p>
	The September 2021 incident, per the agency, involved breaking into iLeon software, the platform on which the exam was held, with the goal of granting remote access to a specific set of co-conspirators, who then solved the questions on the students' behalf.
</p>

<p>
	 
</p>

<p>
	Shargin's associates have been accused of "manipulating the online examination of JEE (Mains) and facilitating aspiring students to get admission in top NITs in consideration of huge amount by solving the question paper of the applicant through remote access from a chosen examination center in Sonepat (Haryana)," the CBI noted.
</p>

<p>
	 
</p>

<p>
	The cheating scheme also incorporated a financial element in that the operators charged approximately 12-15 lakh Rupees ($14,700-$18,400) from each candidate once the aspirants secured their admissions.
</p>

<p>
	 
</p>

<p>
	The CBI stated it conducted searches at 19 places last year across the cities of Delhi, Pune, Jamshedpur, Indore, and Bangalore, leading to the seizure of 25 laptops, seven PCs, along with other incriminating evidence.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2022/10/russian-hacker-arrested-in-india-for.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">8847</guid><pubDate>Wed, 05 Oct 2022 02:11:08 +0000</pubDate></item><item><title>Hackers are breaching scam sites to hijack crypto transactions</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-are-breaching-scam-sites-to-hijack-crypto-transactions-r8846/</link><description><![CDATA[<p>
	<span style="font-size:14px;">In a perfect example of there being no honor among thieves, a threat actor named 'Water Labbu' is hacking into cryptocurrency scam sites to inject malicious JavaScript that steals funds from the scammer's victims.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In July, the <a href="https://www.ic3.gov/Media/Y2022/PSA220721#fnc" rel="external nofollow">FBI warned of scam 'dApps'</a> (decentralized applications) that impersonated cryptocurrency liquidity mining services but, in reality, stole a victim's crypto investments.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Liquidity mining is when an investor lends their crypto to a decentralized exchange in exchange for high rewards, commonly generated through trading fees.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, instead of creating their own scam sites, Water Labbu hacks into these types of fake dApp sites and injects JavaScript code into the site's HTML.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="scam-site.png" class="ipsImage" data-ratio="55.56" height="306" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Website%20snaps/scam-site.png" />
</div>

<div>
	<span style="font-size:14px;">Scam site infected by Water Labbu's DApp (Trend Micro)</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">The hackers do not engage with the victims and instead leave all the social engineering work to the scammers.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">When an investor connects their wallet to the dApp, Water Labbu's script detects whether it contains substantial crypto holdings and, if so, attempts to steal them using the methods described below.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">According to the analysts, Water Labbu has compromised at least 45 scam websites, most following the “lossless mining liquidity pledge” theme.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Trend Micro says the profit made by Water Labbu is estimated to be at least $316,728 based on transaction records from nine identified victims.</span>
</p>

<p>
	 
</p>

<p>
	<strong><span style="font-size:14px;">No honor among thieves</span></strong>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The parasitic threat actor locates cryptocurrency scam websites and injects the “dapps” with malicious scripts that easily blend with the website’s systems.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">“In one of the cases we analyzed, Water Labbu injected an IMG tag to load a Base64-encoded JavaScript payload using the “onerror” event, in what is known as an XSS evasion technique, to bypass Cross-Site Scripting (XSS) filters,” details <a href="https://www.trendmicro.com/en_us/research/22/j/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency.html" rel="external nofollow">Trend Micro’s report</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">“The injected payload then creates another script element that loads another script from the delivery server tmpmeta[.]com.”</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The script monitors newly connected wallets on the scam sites and retrieves the address and balances of TetherUSD and Ethereum wallets.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="script-collecting-wallet-balance.png" class="ipsImage" data-ratio="54.31" height="195" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/script-collecting-wallet-balance.png" />
</div>

<div>
	<span style="font-size:14px;">Script collecting connected wallet balances (Trend Micro)</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">If the balance is above 0.005 ETH or 22,000 USDT, the target is valid for Water Labbu, and the script then determines if the victim is using Windows or a mobile OS (Android, iOS).</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">If the victim is on a mobile device, Water Labbu's malicious script sends a transaction approval request via the dApp site, so it appears as if it comes from the scam website.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">If the victim approves the transaction, the malicious script will drain the wallet of its funds and send them to an address owned by Water Labbu.</span>
</p>

<p>
	 
</p>

<div>
	<span style="font-size:14px;"><img alt="Malicious transaction request" data-ratio="53.65" src="https://www.bleepstatic.com/images/news/u/1220909/Security/transaction-request.png" /></span>
</div>

<div>
	<span style="font-size:14px;">Malicious transaction request (Trend Micro)</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">For Windows users, the hacked sites instead show a fake Flash Player update notice overlaid on the scam site. The Flash installer is, in reality, a backdoor fetched directly from GitHub.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The threat actors then use this backdoor to steal cryptocurrency wallets and cookies from the device.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="operational-diagram(1).png" class="ipsImage" data-ratio="75.10" height="540" width="696" src="https://www.bleepstatic.com/images/news/u/1220909/Diagrams/operational-diagram(1).png" />
</div>

<div>
	<span style="font-size:14px;">Water Labbu's attack diagram (Trend Micro)</span>
</div>

<h2>
	<span style="font-size:14px;">Scammed twice</span>
</h2>

<p>
	<span style="font-size:14px;">For victims, the result is the same; they lose all of their cryptocurrency.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The only thing that has changed with this attack is that the victim's digital assets are diverted from the original scammer to the Water Labbu hacking group.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">To avoid these types of scams, always research dApp sites, especially liquidity mining platforms, to determine if they are legitimate before you connect your wallet to them.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Also, periodically review your wallet's allowed sites to make sure you did not inadvertently add a scam site.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Finally, never jump into investments with strangers you meet on social media, as they <a href="https://www.bleepingcomputer.com/news/security/fbi-warns-of-pig-butchering-cryptocurrency-investment-schemes/" rel="external nofollow">commonly lead to scams</a>, and avoid trading cryptocurrency on unknown exchanges.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/hackers-are-breaching-scam-sites-to-hijack-crypto-transactions/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">8846</guid><pubDate>Tue, 04 Oct 2022 21:23:12 +0000</pubDate></item><item><title>Microsoft Exchange server zero-day mitigation can be bypassed</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-exchange-server-zero-day-mitigation-can-be-bypassed-r8837/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Microsoft has shared mitigations for two new Microsoft Exchange zero-day vulnerabilities tracked as CVE-2022-41040 and CVE-2022-41082, but researchers warn that the mitigation for on-premise servers is far from enough.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Threat actors are already <a href="https://www.bleepingcomputer.com/news/security/new-microsoft-exchange-zero-days-actively-exploited-in-attacks/" rel="external nofollow">chaining both of these zero-day bugs</a> in active attacks to breach Microsoft Exchange servers and achieve remote code execution.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Both security flaws were reported privately through the Zero Day Initiative program about three weeks ago by Vietnamese cybersecurity company GTSC, who shared the details publicly last week.</span>
</p>

<h3>
	<span style="font-size:14px;">Mitigation too specific</span>
</h3>

<p>
	<span style="font-size:14px;">Microsoft confirmed the two issues on Friday and said that they were “aware of limited targeted attacks” exploiting them.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">As part of an advisory, Microsoft shared <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-new-exchange-zero-days-are-used-in-attacks/" rel="external nofollow">mitigations</a> for on-premise servers and a strong recommendation for Exchange Server customers to “disable remote PowerShell access for non-admin users” in the organization.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">To reduce the risk of exploitation, Microsoft proposed blocking the known attack patterns through a rule in the IIS Manager:</span>
</p>

<ol>
	<li>
		<span style="font-size:14px;">Open the IIS Manager.</span>
	</li>
	<li>
		<span style="font-size:14px;">Select Default Web Site.</span>
	</li>
	<li>
		<span style="font-size:14px;">In the <strong>Feature View</strong>, click URL Rewrite.</span>
	</li>
	<li>
		<span style="font-size:14px;">In the Actions pane on the right-hand side, click Add Rules....</span>
	</li>
	<li>
		<span style="font-size:14px;">Select <strong>Request Blocking</strong> and click OK.</span>
	</li>
	<li>
		<span style="font-size:14px;">Add the string “.*autodiscover\.json.*\@.*Powershell.*” (excluding quotes) and then click OK.</span>
	</li>
	<li>
		<span style="font-size:14px;">Expand the rule and select the rule with the pattern “.*autodiscover\.json.*\@.*Powershell.*” and click Edit under Conditions.</span>
	</li>
	<li>
		<span style="font-size:14px;">Change the Condition input from {URL} to {REQUEST_URI}.</span>
	</li>
</ol>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Administrators can achieve the same result by running Microsoft’s updated <a href="https://microsoft.github.io/CSS-Exchange/Security/EOMTv2/" rel="external nofollow">Exchange On-premises Mitigation Tool</a> - a script that requires PowerShell 3 or later, needs to run with admin privileges, and runs on IIS 7.5 or newer.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The rule that Microsoft proposes, though, covers only known attacks, so the URL pattern is limited to them.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Security researcher <a href="https://twitter.com/testanull" rel="external nofollow">Jang</a> in a tweet today shows that Microsoft’s temporary solution for preventing the exploitation of CVE-2022-41040 and CVE-2022-41082 is not effective and can be bypassed with little effort.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="Jang_CVE-2022-41040_mitigation-bypass.jp" class="ipsImage" data-ratio="75.10" height="321" width="720" src="https://www.bleepstatic.com/images/news/u/1100723/2022/Jang_CVE-2022-41040_mitigation-bypass.jpg" />
</div>

<div>
	<span style="font-size:14px;">source: <a href="https://twitter.com/testanull/status/1576774007826718720" rel="external nofollow">Jang</a></span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">Will Dormann, a senior vulnerability analyst at ANALYGENCE, <a href="https://twitter.com/wdormann/status/1576922677675102208" rel="external nofollow">agrees</a> with the finding and says that the '@' in Microsoft’s URL block “seems unnecessarily precise, and therefore insufficient.”</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Jang’s finding has been tested by researchers at GTSC, who confirmed in a video today that Microsoft’s mitigation does not provide sufficient protection.</span>
</p>

<p>
	 
</p>

<div>
	<div class="ipsEmbeddedVideo">
		<div>
			<iframe allowfullscreen="" frameborder="0" height="113" title="🇻🇳 Microsoft Exchange mitigations bypass CVE-2022-41040, CVE-2022-41082" width="200" data-embed-src="https://www.youtube.com/embed/JQtW9xd5-Hw?feature=oembed"></iframe>
		</div>
	</div>
</div>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Instead of the URL block that Microsoft put forward, Jang provided a less specific alternative, designed to cover a wider set of attacks:</span>
</p>

<pre><span style="font-size:14px;">.*autodiscover\.json.*Powershell.*</span></pre>

<h3>
	<span style="font-size:14px;">Hybrid deployments at risk</span>
</h3>

<p>
	<span style="font-size:14px;">In their advisories for the two vulnerabilities, Microsoft says that the mitigation instructions apply to customers with on-premise Exchange Server and that Exchange Online clients do not need to take any action.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, many organizations have a <a href="https://learn.microsoft.com/en-us/exchange/exchange-hybrid" rel="external nofollow">hybrid setup</a> that combines on-premise with cloud deployment of Microsoft Exchange, and they should understand that they are also vulnerable.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In a <a href="https://twitter.com/GossiTheDog/status/1577033117625643008" rel="external nofollow">video today</a>, security researcher Kevin Beaumont is warning that as long as there is an on-premise Exchange Server deployment, the organization is at risk.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Referring to the exploit chain as ProxyNotShell, Beaumont says that a hybrid Exchange setup is "extremely common" in enterprise environments and that organizations running one should consider the level of risk they're exposed to.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">More than 1,200 of these organizations also expose their hybrid deployments on the public web. Among them are entities in the financial, education, and government sectors, all highly attractive targets for hackers running espionage or extortion operations.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="Exposed%20OWA_red.jpg" class="ipsImage" data-ratio="75.10" height="440" width="720" src="https://www.bleepstatic.com/images/news/u/1100723/2022/Exposed%20OWA_red.jpg" />
</div>

<div>
	<span style="font-size:14px;">source: BleepingComputer</span>
</div>

<h3>
	<span style="font-size:14px;">A patch is yet to come</span>
</h3>

<p>
	<span style="font-size:14px;">At the time of publishing, Microsoft has not released an update to fix the two issues but published security advisories with information about the impact and the conditions necessary for exploitation.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Microsoft describes <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040" rel="external nofollow">CVE-2022-41040</a> as a high-risk (8.8/10 severity score) vulnerability that an attacker can leverage easily to increase their privilege on the affected machine without any user interaction.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The reason this security issue does not have a higher severity score is that the threat actor needs to be authenticated.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082" rel="external nofollow">CVE-2022-41082</a> has the same high-severity score but it can be used for remote code execution on vulnerable on-premise Microsoft Exchange Servers by an attacker with “privileges that provide basic user capabilities” (settings and files owned by the user).</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Update [October 3, 2022, 17:06 EST]: Article updated with clarification from Kevin Beaumont about some organizations' misconception that having a hybrid Microsoft Exchange setup would keep them safe from attacks.</span>
</p>

<div>
	 
</div>

<div>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/microsoft-exchange-server-zero-day-mitigation-can-be-bypassed/" rel="external nofollow">Source</a></span>
</div>
]]></description><guid isPermaLink="false">8837</guid><pubDate>Tue, 04 Oct 2022 21:06:18 +0000</pubDate></item><item><title>Optus confirms 2.1 million ID numbers exposed in data breach</title><link>https://nsaneforums.com/news/security-privacy-news/optus-confirms-21-million-id-numbers-exposed-in-data-breach-r8828/</link><description><![CDATA[<p>
	Optus confirmed yesterday that 2.1 million customers had government identification numbers compromised during a cyberattack last month.
</p>

<p>
	 
</p>

<p>
	In a press statement released yesterday, the mobile carrier updated the information regarding the personal data of 9.8 million customers exposed during the attack.
</p>

<p>
	 
</p>

<p>
	In an investigation, Optus confirmed that a total of 2.1 million customers had valid or expired ID document numbers exposed to the hackers.
</p>

<p>
	 
</p>

<p>
	Of these 2.1 million customers, 1.2 million had at least one number from a current and valid form of identification compromised, and 900,000 had ID numbers exposed but from documents that are now expired.
</p>

<p>
	 
</p>

<p>
	"Today's update helps provide more clarity for our customers," reads the <a href="https://www.singtel.com/content/dam/singtel/investorRelations/stockExchange/2022/MR-20221003-OptusMediaAlert.pdf" rel="external nofollow" target="_blank">press statement</a>.
</p>

<p>
	 
</p>

<p>
	"Having worked with government agencies to meticulously analyse the data for the company's 9.8 million customers, Optus can confirm the exposed information did not contain valid or current document ID numbers for some 7.7 million customers."
</p>

<p>
	 
</p>

<p>
	However, all 9.8 million customers had other personal information exposed, including email addresses, date of birth, or phone numbers.
</p>

<p>
	 
</p>

<p>
	Optus has sent SMS text messages to customers whose ID numbers were compromised in the cyberattack with information on their next steps.
</p>

<p>
	 
</p>

<p>
	Customers whose driver's license details were compromised can <a href="https://service.sa.gov.au/news?a=1112633" rel="external nofollow" target="_blank">request a new driver's license number</a> to prevent identity theft or fraudulent activity.
</p>

<p>
	 
</p>

<p>
	The threat actor had initially attempted to extort Optus with a $1 million ransom demand not to publish or sell the stolen data.
</p>

<p>
	 
</p>

<p>
	After not receiving a payment, the hacker leaked the data of 10,000 customers on a hacking forum that included names, addresses, email addresses, phone numbers, and dates of birth.
</p>

<p>
	 
</p>

<p>
	A few days later, feeling the pressure of law enforcement, the <a href="https://www.bleepingcomputer.com/news/security/optus-hacker-apologizes-and-allegedly-deletes-all-stolen-data/" target="_blank" rel="external nofollow">hacker apologized to Optus and its customers</a> and claimed to have deleted all of the stolen data.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="forum-post(1).png" class="ipsImage" data-ratio="75.10" height="325" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Forum%20and%20Marketplace%20Posts/forum-post(1).png">
	</p>

	<div>
		<em>Hacker apologizing to Optus. Source: BleepingComputer</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	However, as there is no way to determine if the hacker actually deleted the data, all Optus users should assume that threat actors may use their data in future fraud or phishing attacks.
</p>

<p>
	 
</p>

<p>
	Therefore, it is strongly advised to be wary of any emails claiming to be from Optus that ask you to provide further information or log in to your account.
</p>

<p>
	 
</p>

<p>
	If you receive an email or SMS text claiming to be from Optus, log in to the company's site directly and review any messages there.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/optus-confirms-21-million-id-numbers-exposed-in-data-breach/" rel="external nofollow">Optus confirms 2.1 million ID numbers exposed in data breach</a>
</p>
]]></description><guid isPermaLink="false">8828</guid><pubDate>Tue, 04 Oct 2022 20:50:05 +0000</pubDate></item><item><title>How to enable Brave's upcoming cookie consent blocking feature right now</title><link>https://nsaneforums.com/news/security-privacy-news/how-to-enable-braves-upcoming-cookie-consent-blocking-feature-right-now-r8793/</link><description><![CDATA[<p>
	Brave plans to give users of the web browser an option to enable a cookie consent blocking feature in version 1.45. The release is scheduled for October; Brave users will then see a prompt on start that gives them the option to enable the feature.
</p>

<p>
	 
</p>

<p>
	<img alt="brave-cookie-consent-banners.png" class="ipsImage" data-ratio="75.10" height="518" width="720" src="https://www.ghacks.net/wp-content/uploads/2022/10/brave-cookie-consent-banners.png">
</p>

<p>
	 
</p>

<p>
	The prompt "Tired of cookie consent notices?" has yes and no buttons but can easily be dismissed by clicking elsewhere in the browser.
</p>

<p>
	 
</p>

<p>
	Cookie consent banners, for those unaware, are displayed by the majority of sites on first visit. Some display these banners only to visitors from the European Union, others may display them for all visitors.
</p>

<p>
	 
</p>

<p>
	The main idea was to give users more control over cookies and tracking on the Internet. While users do get more control, many are also highly annoyed by the sheer number of cookie consent banners that they are exposed to on a regular day on the Internet.
</p>

<p>
	 
</p>

<p>
	Extensions and filter lists were created to deal with these banners. Extensions like <a data-wpel-link="internal" href="https://www.ghacks.net/2020/07/22/never-consent-refuses-gdpr-consents-automatically/" rel="external nofollow">Never Consent</a> or <a data-wpel-link="internal" href="https://www.ghacks.net/2022/03/24/cookie-block-corrects-gdpr-violations-in-the-browser/" rel="external nofollow">Cookie Block</a> automate the process for the most part. Filter lists, for use in content blockers and browsers that support these, are another option. It is this option that Brave selected to block cookie consent prompts for users.
</p>

<p>
	 
</p>

<p>
	Brave users need to enable the feature. In Brave 1.45, <a data-wpel-link="external" href="https://brave.com/privacy-updates/21-blocking-cookie-notices/" rel="external nofollow" target="_blank">this can be done</a> via the prompt that the browser's protective Shields feature displays on startup. Since all that happens is the enabling of the filter list, Brave 1.44 and earlier support the option as well.
</p>

<p>
	 
</p>

<p>
	<img alt="cookie-list.png" class="ipsImage" data-ratio="75.10" height="518" width="720" src="https://www.ghacks.net/wp-content/uploads/2022/10/cookie-list.png">
</p>

<p>
	 
</p>

<p>
	Here is how you enable the cookie consent blocking feature right now in Brave:
</p>

<p>
	 
</p>

<ol>
	<li>
		Load brave://settings/shields/filters to display the available content blocking filters that Brave supports.
	</li>
	<li>
		Type cookie in the search box at the top of the page to display only filter lists with cookie in the name.
	</li>
	<li>
		Check the Easylist-Cookie List - Filter Obtrusive Cookie Notices to enable the feature. It is downloaded at this stage and may take a minute to activate fully in the browser.
	</li>
</ol>

<p>
	 
</p>

<p>
	Once done, you should notice a reduction of cookie prompts that you get while browsing the Internet in the Brave browser. Brave will either block or hide the prompts, depending on different implementations of the prompts.
</p>

<p>
	 
</p>

<p>
	Note that some cookie prompts may still be displayed, but the majority of prompts should be gone.
</p>

<p>
	 
</p>

<p>
	Users of other browsers may also enable the same level of blocking, if they use content blockers that support custom filter lists. All it takes is to import <a data-wpel-link="external" href="https://secure.fanboy.co.nz/fanboy-cookiemonster.txt" rel="external nofollow" target="_blank">this list</a> into the content blocker then.
</p>

<p>
	 
</p>

<p>
	<strong>Now You</strong>: how do you handle cookie prompts?
</p>

<p>
	 
</p>


<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2022/10/01/how-to-enable-braves-upcoming-cookie-consent-blocking-feature-right-now/" rel="external nofollow">How to enable Brave's upcoming cookie consent blocking feature right now</a>
</p>
]]></description><guid isPermaLink="false">8793</guid><pubDate>Sun, 02 Oct 2022 19:56:00 +0000</pubDate></item><item><title>Privacy-focused web browsers are stuck in a rut, but why?</title><link>https://nsaneforums.com/news/security-privacy-news/privacy-focused-web-browsers-are-stuck-in-a-rut-but-why-r8783/</link><description><![CDATA[<p>
	<span style="font-size:20px;">Anonymous browsers like Opera and Mozilla Firefox are fighting an uphill battle on multiple fronts</span>
</p>

<p>
	 
</p>

<p>
	With hybrid working on the rise and data mismanagement continuing to make headlines, you’d be forgiven for thinking that even the most unsuspecting users would be interested in securing their online privacy.
</p>

<p>
	 
</p>

<p>
	However, new data provided to TechRadar Pro by digital intelligence platform SimilarWeb indicates that the growth of veteran privacy-focused browsers Mozilla Firefox and Opera is stalling.
</p>

<p>
	 
</p>

<p>
	A rough estimate of Opera’s user acquisition rate (based on traffic to the browser installation page) suggests June was an especially low point, marking a 23.1% decrease in pace of growth since the start of the year. There have been minor gains since then, but Opera appears to be becoming less and less attractive to new users.
</p>

<p>
	 
</p>

<p>
	Meanwhile, Firefox has fared even worse, perhaps as a consequence of the decision to focus on Mozilla VPN and other privacy products. In August, visits to the browser’s install page were down 7% on January, and its market share (which once sat at 30%) has fallen to just 3.35%.
</p>

<p>
	 
</p>

<p>
	The raw data shows that Firefox currently attracts only a few hundred thousand new users each month, while Opera is drawing in circa two million. Market leader Google Chrome, however, is thought to be used by more than 3.1 billion people.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>The rise of the “big default browser”</strong></span>
</p>

<p>
	 
</p>

<p>
	The release of the figures by SimilarWeb coincided with a report published by Mozilla in late September 2022 that accused Google, Microsoft and Apple of “abusing their privileged position” to make it “difficult or impossible” for users to change the browsers set as default by the operating system.
</p>

<p>
	 
</p>

<p>
	Battle lines have already been drawn this year with the European Union’s antitrust legislation targeting Google, Apple and Meta’s stranglehold in browsers, search engines and other markets. Google also recently failed to overturn a €4.34 billion antitrust fine relating to restrictions on manufacturers of Android devices designed to “consolidate the dominant position of its search engine”, according to a spokesperson for the EU’s General Court.
</p>

<p>
	 
</p>

<p>
	Google Chrome and Microsoft Edge are both overwhelmingly popular defaults that trade almost entirely on brand recognition and their status as default options across multiple operating systems (Chrome on Chrome OS and Android, and Edge on Windows 11). Other “big defaults” include the macOS and iOS versions of Safari.
</p>

<p>
	 
</p>

<p>
	“Default settings can create burdens for consumers who prefer to use a browser other than the default, but who are unable to or unaware how to change their default. We know from our research that some consumers adopt unnecessarily cumbersome workarounds to stick with their preference,” the Mozilla report claims.
</p>

<p>
	 
</p>

<p>
	Mozilla’s report offers some explanation as to why operating system providers pursue these kinds of strategies, stating that the developers of “big default” browsers stand to profit from user data.
</p>

<p>
	 
</p>

<p>
	“Although consumers don’t pay to use browsers, their browsing history is valuable data for platforms with advertising businesses like Meta, Amazon, Google and Microsoft. It is not coincidental that many of these companies have yet to implement robust anti-tracking technologies in their browsers or deprecate third-party cookies,” said Mozilla.
</p>

<p>
	 
</p>

<p>
	However, the firm also acknowledged that Big Tech’s motives extend beyond data collection: the operators of the “big default” browsers make significant sums through advertisements served to users locked into their proprietary search engines.
</p>

<p>
	 
</p>

<p>
	“Google Chrome is captive to Google Search (powered by Google advertising) and Microsoft Edge is captive to Bing search (powered by Microsoft advertising). Independent browsers are the only companies able to freely consider search defaults on behalf of their consumers. They are also among the few companies to encourage discovery, evaluation, adoption and innovation of alternative search and advertising experiences.”
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="mdUUkNLzEuzMqZgJAUkyJg-1200-80.jpg.webp" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://cdn.mos.cms.futurecdn.net/mdUUkNLzEuzMqZgJAUkyJg-1200-80.jpg.webp" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>(Image credit: Shutterstock)</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	<span style="font-size:20px;"><strong>Browser choice</strong></span>
</p>

<p>
	 
</p>

<p>
	Although the likes of Mozilla and Opera have struggled of late, an enduring demand for “alternative” web browsers is supported by separate data from SimilarWeb.
</p>

<p>
	 
</p>

<p>
	From January through August, privacy-focused Brave Browser saw its estimated monthly downloads surge 272%. Admittedly, Brave saw just 17,827 and 66,340 hits to its installation page during these months, respectively, but that’s a significant rate of growth nonetheless.
</p>

<p>
	 
</p>

<p>
	These numbers suggest the continued success of “big default” browsers likely isn’t just the result of the suppression of alternatives, but also a function of user apathy and brand recognition.
</p>

<p>
	 
</p>

<p>
	While Big Tech seeks pure profit, privacy-focused browsers may simply be fighting amongst themselves. The growth in installs Brave has seen this year suggests Mozilla Firefox and Opera are losing market share to newer options, such as Brave and DuckDuckGo’s new Privacy Browser (for which we don’t currently have any data).
</p>

<p>
	 
</p>

<p>
	Crucially, the statistics also suggest that the push for web browser privacy may be a small movement, but one that’s still capable of gaining traction.
</p>

<p>
	 
</p>

<p>
	Apple’s decision to let users change their default browser in iOS 14 is a welcome one in the fight to get consumers to care about their online privacy, but the first step towards total browser independence is to abolish the idea of defaults completely - something that may never happen with Apple maintaining its own “big default” on the most popular mobile operating system in the US.
</p>

<p>
	 
</p>

<p>
	As things stand, Mozilla may have made the mistake of assuming that every “big default” browser user is a potential convert. User apathy will always play into the hands of large and powerful companies; even minus suppression tactics, “big default” browsers would still trounce independent alternatives in monthly growth.
</p>

<p>
	 
</p>

<p>
	With a solution like inviting users to choose their own default browser from a list of privacy-focused alternatives, alongside simple, reasoned arguments for doing so, that apathy could wane. It’s just that legislating for something like this seems unthinkable to most lawmakers outside the European Union.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="tAK9xz7CBEiHHWKBPdbpAF-1200-80.jpg.webp" class="ipsImage" data-ratio="75.10" height="404" width="720" src="https://cdn.mos.cms.futurecdn.net/tAK9xz7CBEiHHWKBPdbpAF-1200-80.jpg.webp" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Shutterstock / Robuart (Image credit: Shutterstock / Robuart)</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Mozilla, DuckDuckGo, and eleven other companies did recently lobby the US Congress to table a data privacy bill that would address Big Tech monopolies, default browsers, and unfettered data collection, but the chances of the move leading anywhere are slim, thanks to Big Tech’s lobbying resources.
</p>

<p>
	 
</p>

<p>
	In addition, the lack of regulations surrounding “revolving doors” (whereby politicians leave office, often for corporate positions, and use their connections to curry favor with lawmakers) in territories such as the UK and Australia mean that legislating for web privacy and freedom of choice for anonymous browsers there may turn out to be an extremely slow process, if not a completely insurmountable problem.
</p>

<p>
	 
</p>

<p>
	Would privacy-focused browsers see more even growth if users were given the option to make an informed choice between them? The problem, right now, is that we might never get to find out.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.techradar.com/news/privacy-focused-web-browsers-are-stuck-in-a-rut-but-why" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">8783</guid><pubDate>Sun, 02 Oct 2022 13:11:11 +0000</pubDate></item><item><title>Testing shows AMD Zen 4 handling Spectre, Retbleed mitigations like a real champ</title><link>https://nsaneforums.com/news/security-privacy-news/testing-shows-amd-zen-4-handling-spectre-retbleed-mitigations-like-a-real-champ-r8776/</link><description><![CDATA[<p>
	At the end of August, AMD unveiled its <a href="https://www.neowin.net/news/amds-ryzen-7950x-is-up-to-57-faster-than-the-5950x-62-faster-than-intel-i9-12900k/" rel="external nofollow">Ryzen 7000 series desktop CPU lineup based on the Zen 4</a> micro-architecture. And although the excitement around it has been somewhat dampened by Intel's 13th Gen Raptor Lake-S lineup, which has come out <a href="https://www.neowin.net/news/intel-have-just-killed-amds-ryzen-7000-with-very-competitive-raptor-lake-pricing/" rel="external nofollow">guns blazing with lower prices</a>, it does look like Zen 4 also has some redeeming qualities that enthusiasts would be keen to consider.
</p>

<p>
	 
</p>

<p>
	Fellow media outlet Phoronix decided to test the new Ryzen 9 7950X, which is the flagship Ryzen 7000 SKU, with the <a href="https://www.neowin.net/news/tags/cpu_vulnerability/" rel="external nofollow">various CPU vulnerability</a> mitigations and more turned on and off. And the results are somewhat surprising in a good way for AMD.
</p>

<p>
	 
</p>

<p>
	In the default state where the mitigations are enabled, the new Zen 4 chip actually manages to win by a bigger overall margin than with the mitigations disabled. Phoronix says:
</p>


<p>
	 
</p>

<p style="margin-left: 40px;">
	With Zen 4 you can still boot the kernel with mitigations=off to disable the SSB, Spectre V1, and Spectre V2 mitigations applied while leaving the system in a "vulnerable" state. While many route to the mitigations=off approach to avoid the performance penalties attributed to the different mitigations, in the case of AMD Zen 4 on the Ryzen 9 7950X it's not actually beneficial.
</p>

<p>
	 
</p>

<p>
	Here is a full breakdown of all the tests, showing the performance advantage in the two scenarios:
</p>

<p>
	 
</p>

<p>
	<img alt="1664638765_zen_4_patched_mitigation_off_" class="ipsImage" data-ratio="75.10" height="1440" width="610" src="https://cdn.neow.in/news/images/uploaded/2022/10/1664638765_zen_4_patched_mitigation_off_vs_on_(source-_phoronix)_story.jpg">
</p>

<p>
	 
</p>

<p>
	Here is the geometric mean of the results, where the default (mitigations enabled) state clearly came out ahead. Out of the 190 tests conducted in this evaluation, the default state won nearly 72% of them.
</p>

<p>
	 
</p>

<p>
	<img alt="1664639802_zen_4_patched_mitigation_off_" class="ipsImage" data-ratio="64.31" height="220" width="720" src="https://cdn.neow.in/news/images/uploaded/2022/10/1664639802_zen_4_patched_mitigation_off_vs_on_geomean_(source-_phoronix).jpg">
</p>

<p>
	 
</p>

<p>
	Overall, it looks like AMD has clearly built on top of what it had achieved with Zen 3. The previously tested 5950X had <a href="https://www.neowin.net/news/with-its-newfound-retpoline-spectre-patch-amd-cpus-are-nowhere-nearly-as-sloppy-as-intel039s/" rel="external nofollow">actually managed to fare better than tested Intel CPUs</a> with the retpoline patch.
</p>

<p>
	 
</p>

<p>
	Source and images: <a href="https://www.phoronix.com/news/AMD-Zen-4-Mitigations-Off" rel="external nofollow">Phoronix</a>
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/testing-shows-amd-zen-4-handling-spectre-retbleed-mitigations-like-a-real-champ/" rel="external nofollow">Testing shows AMD Zen 4 handling Spectre, Retbleed mitigations like a real champ</a>
</p>
]]></description><guid isPermaLink="false">8776</guid><pubDate>Sat, 01 Oct 2022 21:51:21 +0000</pubDate></item><item><title>The Week in Ransomware - September 30th 2022 - Emerging from the Shadows</title><link>https://nsaneforums.com/news/security-privacy-news/the-week-in-ransomware-september-30th-2022-emerging-from-the-shadows-r8775/</link><description><![CDATA[<p>
	This week's news primarily revolves around LockBit, BlackMatter, and the rising enterprise-targeting Royal ransomware operation.
</p>

<p>
	 
</p>

<p>
	As expected, threat actors now use the <a href="https://www.bleepingcomputer.com/news/security/lockbit-ransomware-builder-leaked-online-by-angry-developer-/" target="_blank" rel="external nofollow">leaked LockBit 3.0 ransomware builder</a> for their ransomware operations. For example, the Bl00Dy Ransomware Gang, who previously used Babuk and Conti encryptors, has <a href="https://www.bleepingcomputer.com/news/security/leaked-lockbit-30-builder-used-by-bl00dy-ransomware-gang-in-attacks/" target="_blank" rel="external nofollow">now switched to a LockBit 3.0 encryptor</a> in an attack on a Ukrainian business.
</p>

<p>
	 
</p>

<p>
	Researchers also reported that TargetCompany ransomware affiliates are now <a href="https://www.bleepingcomputer.com/news/security/microsoft-sql-servers-hacked-in-targetcompany-ransomware-attacks/" target="_blank" rel="external nofollow">targeting publicly exposed Microsoft SQL servers</a>.
</p>

<p>
	 
</p>

<p>
	Another interesting piece of research is the prediction that <a href="https://www.bleepingcomputer.com/news/security/ransomware-data-theft-tool-may-show-a-shift-in-extortion-tactics/" target="_blank" rel="external nofollow">ransomware gangs may move away from encrypting</a> altogether and switch to pure data exfiltration and file deletion to cut out the ransomware developer. This idea stems from a new file deletion/corruption feature in a data theft tool used by a BlackMatter affiliate.
</p>

<p>
	 
</p>

<p>
	Finally, this week we learned about <a href="https://www.bleepingcomputer.com/news/security/new-royal-ransomware-emerges-in-multi-million-dollar-attacks/" target="_blank" rel="external nofollow">Royal Ransomware</a>, which has been quietly working from the shadows since February but has, more recently, ramped up attacks.
</p>

<p>
	 
</p>

<p>
	Contributors and those who provided new ransomware information and stories this week include: <a href="https://twitter.com/Seifreed" rel="external nofollow" target="_blank">@Seifreed</a>, <a href="https://twitter.com/serghei" rel="external nofollow" target="_blank">@serghei</a>, <a href="https://twitter.com/VK_Intel" rel="external nofollow" target="_blank">@VK_Intel</a>, <a href="https://twitter.com/billtoulas" rel="external nofollow" target="_blank">@billtoulas</a>, <a href="https://twitter.com/DanielGallagher" rel="external nofollow" target="_blank">@DanielGallagher</a>, <a href="https://twitter.com/jorntvdw" rel="external nofollow" target="_blank">@jorntvdw</a>, <a href="https://twitter.com/PolarToffee" rel="external nofollow" target="_blank">@PolarToffee</a>, <a href="https://twitter.com/BleepinComputer" rel="external nofollow" target="_blank">@BleepinComputer</a>, <a href="https://twitter.com/fwosar" rel="external nofollow" target="_blank">@fwosar</a>, <a href="https://twitter.com/struppigel" rel="external nofollow" target="_blank">@struppigel</a>, <a href="https://twitter.com/demonslay335" rel="external nofollow" target="_blank">@demonslay335</a>, <a href="https://twitter.com/LawrenceAbrams" rel="external nofollow" target="_blank">@LawrenceAbrams</a>, <a href="https://twitter.com/Ionut_Ilascu" rel="external nofollow" target="_blank">@Ionut_Ilascu</a>, <a href="https://twitter.com/FourOctets" rel="external nofollow" target="_blank">@FourOctets</a>, <a href="https://twitter.com/malwrhunterteam" rel="external nofollow" target="_blank">@malwrhunterteam</a>, <a href="https://twitter.com/malwareforme" rel="external nofollow" target="_blank">@malwareforme</a>, <a href="https://twitter.com/swascan" rel="external nofollow" target="_blank">@swascan</a>, <a href="https://twitter.com/y_advintel" rel="external nofollow" target="_blank">@y_advintel</a>, <a href="https://twitter.com/AdvIntel" rel="external nofollow" target="_blank">@AdvIntel</a>, <a 
href="https://twitter.com/angel11VR" rel="external nofollow" target="_blank">@angel11VR</a>, <a href="https://twitter.com/InsideStairwell" rel="external nofollow" target="_blank">@InsideStairwell</a>, <a href="https://twitter.com/aejleslie" rel="external nofollow" target="_blank">@aejleslie</a>, <a href="https://twitter.com/Cyderes" rel="external nofollow" target="_blank">@Cyderes</a>, <a href="https://twitter.com/ahnlab" rel="external nofollow" target="_blank">@ahnlab</a>, and <a href="https://twitter.com/pcrisk" rel="external nofollow" role="link" tabindex="-1">@pcrisk</a>.
</p>

<h2>
	September 24th 2022
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/microsoft-sql-servers-hacked-in-targetcompany-ransomware-attacks/" target="_blank" rel="external nofollow">Microsoft SQL servers hacked in TargetCompany ransomware attacks</a>
</h3>

<p>
	Vulnerable Microsoft SQL servers are being targeted in a new wave of attacks with FARGO ransomware, security researchers are warning.
</p>

<h2>
	September 25th 2022
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/ransomware-data-theft-tool-may-show-a-shift-in-extortion-tactics/" target="_blank" rel="external nofollow">Ransomware data theft tool may show a shift in extortion tactics</a>
</h3>

<p>
	Data exfiltration malware known as Exmatter and previously linked with the BlackMatter ransomware group is now being upgraded with data corruption functionality that may indicate a new tactic that ransomware affiliates might switch to in the future.
</p>

<h3>
	<a href="https://radetskiy.wordpress.com/2022/09/25/bl00dy-ransomware/" rel="external nofollow" target="_blank">Analyzing Bloody Ransomware</a>
</h3>

<p>
	Today (09/25/22) very limited information was received for analysis from one of the Ukrainian victims of the Bl00dy Ransomware Gang. Unfortunately, from the files provided, it is not possible to establish the vector of interference, the time frame of the attack, and which operations were automated and which were conducted interactively; however, the information turned out to be quite sufficient to reconstruct the attack scheme.
</p>

<h2>
	September 26th 2022
</h2>

<h3>
	<a href="https://www.swascan.com/lockbit-3-0-decryptor-analysis/" rel="external nofollow" target="_blank">LockBit 3.0: Decryptor Analysis</a>
</h3>

<p>
	In this analysis, conducted by Soc Team Swascan, the decryptors of “LockBit 3.0” (Windows version) and “LockBit” (Linux variant) were analyzed.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1574290234820493312" rel="external nofollow" target="_blank">New Wanqu ransomware</a>
</h3>

<p>
	<a href="https://twitter.com/pcrisk" rel="external nofollow" role="link">PCrisk</a> found a ransomware appending the .<strong>Wanqu</strong> extension and dropping ransom notes named <strong>RESTORE_FILES_INFO.hta</strong> and <strong>RESTORE_FILES_INFO.txt</strong>.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1574299313433460736" rel="external nofollow" target="_blank">New Chaos ransomware variant</a>
</h3>

<p>
	PCrisk found a new Chaos variant called TeamDarkAnon Ransomware that appends the .<strong>anon</strong> extension and drops a ransom note named <strong>read_it.txt</strong>.
</p>

<h2>
	September 27th 2022
</h2>

<h3>
	<a href="https://twitter.com/pcrisk/status/1574645377432707079" rel="external nofollow" target="_blank">New Chaos ransomware variant</a>
</h3>

<p>
	PCrisk found a new Chaos variant called OkHacked Ransomware that appends the .<strong>okhacked</strong> extension and drops a ransom note named <strong>read_it.txt</strong>.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1574726881672368131" rel="external nofollow" target="_blank">New Phobos variant</a>
</h3>

<p>
	PCrisk found a new Phobos variant that appends the .<strong>MMXXII</strong> extension and drops ransom notes named <strong>info.txt</strong> and <strong>info.hta</strong>.
</p>

<h2>
	September 28th 2022
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/leaked-lockbit-30-builder-used-by-bl00dy-ransomware-gang-in-attacks/" target="_blank" rel="external nofollow">Leaked LockBit 3.0 builder used by ‘Bl00dy’ ransomware gang in attacks</a>
</h3>

<p>
	The relatively new Bl00Dy Ransomware Gang has started to use a recently leaked LockBit ransomware builder in attacks against companies.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1575008606982131712" rel="external nofollow" target="_blank">New 'Wizard' Ransomware</a>
</h3>

<p>
	PCrisk found a ransomware that appends the .<strong>wizard</strong> extension and drops a ransom note named <strong>decrypt_instructions.txt</strong>.
</p>

<h2>
	September 29th 2022
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/new-royal-ransomware-emerges-in-multi-million-dollar-attacks/" target="_blank" rel="external nofollow">New Royal Ransomware emerges in multi-million dollar attacks</a>
</h3>

<p>
	A ransomware operation named Royal is quickly ramping up, targeting corporations with ransom demands ranging from $250,000 to over $2 million.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1575346222973751296" rel="external nofollow" target="_blank">New Dharma ransomware variant</a>
</h3>

<p>
	PCrisk found a new Dharma ransomware variant that appends the .<strong>iq20</strong> extension and drops a ransom note named <strong>info.txt</strong>.
</p>

<h3>
	That's it for this week! Hope everyone has a nice weekend!
</h3>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-30th-2022-emerging-from-the-shadows/" rel="external nofollow">The Week in Ransomware - September 30th 2022 - Emerging from the Shadows</a>
</p>
]]></description><guid isPermaLink="false">8775</guid><pubDate>Sat, 01 Oct 2022 21:48:35 +0000</pubDate></item><item><title>Lazarus hackers abuse Dell driver bug using new FudModule rootkit</title><link>https://nsaneforums.com/news/security-privacy-news/lazarus-hackers-abuse-dell-driver-bug-using-new-fudmodule-rootkit-r8768/</link><description><![CDATA[<p>
	<span style="font-size:14px;">The notorious North Korean hacking group 'Lazarus' was seen installing a Windows rootkit that abuses a Dell hardware driver in a Bring Your Own Vulnerable Driver attack.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The spear-phishing campaign unfolded in the autumn of 2021, and the confirmed targets include an aerospace expert in the Netherlands and a political journalist in Belgium.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">According to ESET, which published a report on the campaign today, the primary goal was espionage and data theft.</span>
</p>

<h2>
	<span style="font-size:14px;">Abusing Dell driver for BYOVD attacks</span>
</h2>

<p>
	<span style="font-size:14px;">The EU-based targets of this campaign were emailed fake job offers, this time for Amazon, <a href="https://www.bleepingcomputer.com/news/security/north-korean-hackers-use-signed-macos-malware-to-target-it-job-seekers/" rel="external nofollow">a typical</a> and <a href="https://www.bleepingcomputer.com/news/security/north-korean-hackers-target-crypto-experts-with-fake-coinbase-job-offers/" rel="external nofollow">common</a> social engineering trick <a href="https://www.bleepingcomputer.com/news/security/lazarus-hackers-drop-macos-malware-via-cryptocom-job-offers/" rel="external nofollow">employed by the hackers</a> in 2022.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Opening these documents downloads a remote template from a hardcoded address, followed by infections involving malware loaders, droppers, custom backdoors, and more.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">ESET reports that among the tools deployed in this campaign, the most interesting is a new FudModule rootkit that abuses a BYOVD (Bring Your Own Vulnerable Driver) technique to exploit a vulnerability in a Dell hardware driver for the first time.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"The most notable tool delivered by the attackers was a user-mode module that gained the ability to read and write kernel memory due to the CVE-2021-21551 vulnerability in a legitimate Dell driver," explains ESET in a <a href="https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/" rel="external nofollow">new report</a> on the attack.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"This is the first ever recorded abuse of this vulnerability in the wild."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"The attackers then used their kernel memory write access to disable seven mechanisms the Windows operating system offers to monitor its actions, like registry, file system, process creation, event tracing etc., basically blinding security solutions in a very generic and robust way."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">A Bring Your Own Vulnerable Driver (BYOVD) attack is when threat actors load legitimate, signed drivers in Windows that also contain known vulnerabilities. As the kernel drivers are signed, Windows will allow the driver to be installed in the operating system.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, the threat actors can now exploit the driver's vulnerabilities to launch commands with kernel-level privileges.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In this attack, Lazarus was exploiting the CVE-2021-21551 vulnerability in a <a href="https://www.bleepingcomputer.com/news/security/vulnerable-dell-driver-puts-hundreds-of-millions-of-systems-at-risk/" rel="external nofollow">Dell hardware driver</a> ("dbutil_2_3.sys"), which corresponds to a <a href="https://www.bleepingcomputer.com/news/security/vulnerable-dell-driver-puts-hundreds-of-millions-of-systems-at-risk/" rel="external nofollow">set of five flaws</a> that remained exploitable for 12 years before the computer vendor finally pushed security updates for it.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="dbutil-properties.jpg" class="ipsImage" data-ratio="89.26" height="540" width="420" src="https://www.bleepstatic.com/images/news/security/vulnerabilities/dbutil-properties.jpg" />
</div>

<div>
	<span style="font-size:14px;">Dell's signed dbutil_2_3.sys driver used in attack - Source: BleepingComputer</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">In December 2021, researchers at Rapid7 <a href="https://www.bleepingcomputer.com/news/security/dell-driver-fix-still-allows-windows-kernel-level-attacks/" rel="external nofollow">warned about this particular driver</a> being an excellent candidate for BYOVD attacks due to Dell’s inadequate fixes, allowing kernel code execution even on recent, signed versions.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">It appears that Lazarus was already well aware of this potential for abuse and exploited the Dell driver well before security analysts issued their public warnings.</span>
</p>


<p>
	 
</p>

<p>
	<span style="font-size:14px;">For those interested in the BYOVD aspect of the Lazarus attack, you can dive into the details on this 15-page <a href="https://www.virusbulletin.com/uploads/pdf/conference/vb2022/VB2022-Kalnai-Havranek.pdf" rel="external nofollow">technical paper</a> that ESET published separately.</span>
</p>

<h2>
	<span style="font-size:14px;">BLINDINGCAN and other tools</span>
</h2>

<p>
	<span style="font-size:14px;">ESET added that the group deployed its trademark custom HTTP(S) backdoor ‘BLINDINGCAN,’ first discovered by U.S. intelligence <a href="https://www.bleepingcomputer.com/news/security/us-govt-exposes-new-north-korean-blindingcan-backdoor-malware/" rel="external nofollow">in August 2020</a> and attributed to Lazarus by Kaspersky <a href="https://www.bleepingcomputer.com/news/security/north-korean-state-hackers-start-targeting-the-it-supply-chain/" rel="external nofollow">in October 2021</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The 'BLINDINGCAN' remote access trojan (RAT) sampled by ESET appears to run with significant backing from an undocumented server-side dashboard that performs parameter validation.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The backdoor supports an extensive set of 25 commands, covering file actions, command execution, C2 communication configuration, screenshot taking, process creation and termination, and system info exfiltration.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Other tools deployed in the presented campaign are the previously described FudModule Rootkit, an HTTP(S) uploader used for secure data exfiltration, and various trojanized open-source apps like wolfSSL and FingerText.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Trojanizing open-source tools is something Lazarus continues to do, as <a href="https://www.bleepingcomputer.com/news/security/microsoft-lazarus-hackers-are-weaponizing-open-source-software/" rel="external nofollow">a Microsoft report from yesterday</a> mentions this technique was used with PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and the muPDF/Subliminal Recording software installer.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/lazarus-hackers-abuse-dell-driver-bug-using-new-fudmodule-rootkit/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">8768</guid><pubDate>Sat, 01 Oct 2022 19:46:23 +0000</pubDate></item><item><title>Microsoft confirms new Exchange zero-days are used in attacks</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-confirms-new-exchange-zero-days-are-used-in-attacks-r8767/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Microsoft has confirmed that two recently reported zero-day vulnerabilities in Microsoft Exchange Server 2013, 2016, and 2019 are being exploited in the wild.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker," <a href="https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/" rel="external nofollow">Microsoft said</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users' systems."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The company added that the CVE-2022-41040 flaw can only be exploited by authenticated attackers. Successful exploitation then allows them to trigger the CVE-2022-41082 RCE vulnerability.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Microsoft says Exchange Online customers don't need to take any action at the moment because the company has detections and mitigation in place to protect customers.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Microsoft is also monitoring these already deployed detections for malicious activity and will take necessary response actions to protect customers. [..] We are working on an accelerated timeline to release a fix," Microsoft added.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">According to Vietnamese cybersecurity outfit GTSC, <a href="https://www.bleepingcomputer.com/news/security/new-microsoft-exchange-zero-days-actively-exploited-in-attacks/" rel="external nofollow">who first reported the ongoing attacks</a>, the zero-days are chained to deploy China Chopper web shells for persistence and data theft and to move laterally through the victims' networks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">GTSC also suspects that a Chinese threat group might be responsible for the ongoing attacks based on the web shells' code page, a Microsoft character encoding for simplified Chinese.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The threat group also manages the web shells with the Antsword Chinese open-source website admin tool, as revealed by the user agent used to install them on compromised servers.</span>
</p>

<h2>
	<span style="font-size:14px;">Mitigation available</span>
</h2>

<p>
	<span style="font-size:14px;">Redmond has also confirmed mitigation measures shared yesterday by GTSC, whose security researchers also reported the two flaws to Microsoft privately through the <a href="https://www.zerodayinitiative.com/advisories/upcoming/" rel="external nofollow">Zero Day Initiative</a> three weeks ago.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"On premises Microsoft Exchange customers should review and apply the following URL Rewrite Instructions and block exposed Remote PowerShell ports," Microsoft added.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"The current mitigation is to add a blocking rule in "IIS Manager -&gt; Default Web Site -&gt; Autodiscover -&gt; URL Rewrite -&gt; Actions" to block the known attack patterns."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">To apply the mitigation to vulnerable servers, you will need to go through the following steps:</span>
</p>

<ol>
	<li>
		<span style="font-size:14px;">Open the IIS Manager.</span>
	</li>
	<li>
		<span style="font-size:14px;">Expand the Default Web Site.</span>
	</li>
	<li>
		<span style="font-size:14px;">Select Autodiscover.</span>
	</li>
	<li>
		<span style="font-size:14px;">In the Feature View, click URL Rewrite.</span>
	</li>
	<li>
		<span style="font-size:14px;">In the Actions pane on the right-hand side, click Add Rules.</span>
	</li>
	<li>
		<span style="font-size:14px;">Select Request Blocking and click OK.</span>
	</li>
	<li>
		<span style="font-size:14px;">Add String “.*autodiscover\.json.*\@.*Powershell.*” (excluding quotes) and click OK.</span>
	</li>
	<li>
		<span style="font-size:14px;">Expand the rule and select the rule with the Pattern ".*autodiscover\.json.*\@.*Powershell.*" and click Edit under Conditions.</span>
	</li>
	<li>
		<span style="font-size:14px;">Change the condition input from {URL} to {REQUEST_URI}.</span>
	</li>
</ol>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Since the threat actors can also gain access to PowerShell Remoting on exposed and vulnerable Exchange servers for remote code execution via CVE-2022-41082 exploitation, Microsoft also advises admins to block the following Remote PowerShell ports to hinder the attacks:</span>
</p>

<ul>
	<li>
		<span style="font-size:14px;">HTTP: 5985</span>
	</li>
	<li>
		<span style="font-size:14px;">HTTPS: 5986</span>
	</li>
</ul>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">GTSC said yesterday that admins who want to check if their Exchange servers have already been compromised could run the following PowerShell command to scan IIS log files for indicators of compromise:</span>
</p>

<pre><span style="font-size:14px;">Get-ChildItem -Recurse -Path &lt;Path_IIS_Logs&gt; -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'</span></pre>

<p>
	<a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-new-exchange-zero-days-are-used-in-attacks/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">8767</guid><pubDate>Sat, 01 Oct 2022 19:43:27 +0000</pubDate></item></channel></rss>
