The spear-phishing campaign unfolded in the autumn of 2021, and the confirmed targets include an aerospace expert in the Netherlands and a political journalist in Belgium.

According to ESET, which published a report on the campaign today, the primary goal was espionage and data theft.

Abusing Dell driver for BYOVD attacks

The EU-based targets of this campaign were emailed fake job offers, this time for Amazon, a typical and common social engineering trick employed by the hackers in 2022.

Opening these documents downloads a remote template from a hardcoded address, followed by infections involving malware loaders, droppers, custom backdoors, and more.

ESET reports that among the tools deployed in this campaign, the most interesting is a new FudModule rootkit that abuses a BYOVD (Bring Your Own Vulnerable Driver) technique to exploit a vulnerability in a Dell hardware driver for the first time.

"The most notable tool delivered by the attackers was a user-mode module that gained the ability to read and write kernel memory due to the CVE-2021-21551 vulnerability in a legitimate Dell driver," explains ESET in a new report on the attack.

"This is the first ever recorded abuse of this vulnerability in the wild."

"The attackers then used their kernel memory write access to disable seven mechanisms the Windows operating system offers to monitor its actions, like registry, file system, process creation, event tracing etc., basically blinding security solutions in a very generic and robust way."

A Bring Your Own Vulnerable Driver (BYOVD) attack is when threat actors load legitimate, signed drivers in Windows that also contain known vulnerabilities. As the kernel drivers are signed, Windows will allow the driver to be installed in the operating system.

However, the threat actors can now exploit the driver's vulnerabilities to launch commands with kernel-level privileges.

In this attack, Lazarus was exploiting the CVE-2021-21551 vulnerability in a Dell hardware driver ("dbutil_2_3.sys"), which corresponds to a set of five flaws that remained exploitable for 12 years before the computer vendor finally pushed security updates for it.

In December 2021, researchers at Rapid 7 warned about this particular driver being an excellent candidate for BYOVD attacks due to Dell’s inadequate fixes, allowing kernel code execution even on recent, signed versions.

It appears that Lazarus was already well aware of this potential for abuse and exploited the Dell driver well before security analysts issued their public warnings.

"The attackers then used their kernel memory write access to disable seven mechanisms the Windows operating system offers to monitor its actions, like registry, file system, process creation, event tracing etc., basically blinding security solutions in a very generic and robust way," continued ESET's report.

For those interested in the BYOVD aspect of the Lazarus attack, you can dive into the details on this 15-page technical paper that ESET published separately.

BLINDINGCAN and other tools

ESET added that the group deployed its trademark custom HTTP(S) backdoor ‘BLINDINGCAN,’ first discovered by U.S. intelligence in August 2020 and attributed to Lazarus by Kaspersky in October 2021.

The 'BLINDINGCAN' remote access trojan (RAT) sampled by ESET appears to run with significant backing from an undocumented server-side dashboard that performs parameter validation.

The backdoor supports an extensive set of 25 commands, covering file actions, command execution, C2 communication configuration, screenshot taking, process creation and termination, and system info exfiltration.

Other tools deployed in the presented campaign are the previously described FudModule Rootkit, an HTTP(S) uploader used for secure data exfiltration, and various trojanized open-source apps like wolfSSL and FingerText.

Trojanizing open-source tools are something Lazarus continues to do, as a Microsoft report from yesterday mentions this technique was used with PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and the muPDF/Subliminal Recording software installer.

Source

"The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker," Microsoft said.

"At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users' systems."

The company added that the CVE-2022-41040 flaw can only be exploited by authenticated attackers. Successful exploitation then allows them to trigger the CVE-2022-41082 RCE vulnerability.

Microsoft says Exchange Online customers don't need to take any action at the moment because the company has detections and mitigation in place to protect customers.

"Microsoft is also monitoring these already deployed detections for malicious activity and will take necessary response actions to protect customers. [..] We are working on an accelerated timeline to release a fix," Microsoft added.

According to Vietnamese cybersecurity outfit GTSC, who first reported the ongoing attacks, the zero-days are chained to deploy Chinese Chopper web shells for persistence and data theft and to move laterally through the victims' networks.

GTSC also suspects that a Chinese threat group might be responsible for the ongoing attacks based on the web shells' code page, a Microsoft character encoding for simplified Chinese.

The threat group also manages the web shells with the Antsword Chinese open-source website admin tool, as revealed by the user agent used to install them on compromised servers.

Mitigation available

Redmond has also confirmed mitigation measures shared yesterday by GTSC, whose security researchers also reported the two flaws to Microsoft privately through the Zero Day Initiative three weeks ago.

"On premises Microsoft Exchange customers should review and apply the following URL Rewrite Instructions and block exposed Remote PowerShell ports," Microsoft added.

"The current mitigation is to add a blocking rule in "IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions" to block the known attack patterns."

To apply the mitigation to vulnerable servers, you will need to go through the following steps:

1. Open the IIS Manager.
2. Expand the Default Web Site.
3. Select Autodiscover.
4. In the Feature View, click URL Rewrite.
5. In the Actions pane on the right-hand side, click Add Rules.
6. Select Request Blocking and click OK.
7. Add String “.*autodiscover\.json.*\@.*Powershell.*” (excluding quotes) and click OK.
8. Expand the rule and select the rule with the Pattern ".*autodiscover\.json.*\@.*Powershell.*" and click Edit under Conditions.
9. Change the condition input from {URL} to {REQUEST_URI}

Since the threat actors can also gain access to PowerShell Remoting on exposed and vulnerable Exchange servers for remote code execution via CVE-2022-41082 exploitation, Microsoft also advises admins to block the following Remote PowerShell ports to hinder the attacks:

• HTTP: 5985
• HTTPS: 5986

GTSC said yesterday that admins who want to check if their Exchange servers have already been compromised could run the following PowerShell command to scan IIS log files for indicators of compromise:

Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'

Source

Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection or Office 365 ATP) protects organizations from malicious threats from email messages, links, and collaboration tools.

This in-development feature aims to allow admins to filter potentially dangerous messages targeting employees with malicious payloads or trying to redirect them to phishing websites.

"End users will be able to report suspicious Microsoft Teams messages as a security threat just like they do for emails - to help the organization to protect itself from attacks via Microsoft Teams," Microsoft explains on the Microsoft 365 roadmap.

Redmond is also working on updating Defender for Office 365's Submissions experience to categorize the user-reported messages into individual tabs for Phish, Spam (Junk), and so on, according to the users' reports.

While the upgraded submission feature is expected to reach general availability next month, the new user reporting capability is now in preview and will most likely roll out to standard multi-tenants until the end of January 2023 to desktop and web clients worldwide.

Recent Defender for Office 365 security enhancements

These new Defender for Office 365 capabilities build upon improvements announced in July 2021, allowing Microsoft Teams to automatically blocks phishing attempts.

Microsoft achieved this by extending Defender for Office 365 Safe Links protection to the Teams communication platform to help safeguard users from malicious URL-based phishing attacks.

Microsoft explained that the "Safe Links in Defender for Office 365 scans URLs at the time of click to ensure that users are protected with the latest intelligence from Microsoft Defender."

Redmond also started rolling out Built-In Protection to Defender for Office 365 in November 2021, a new feature that automatically enables recommended settings and policies to ensure that all new and existing users get at least a basic level of protection.

Built-In Protection patches gaps in enterprise protection coverage and is designed to improve the organization's overall security posture by drastically reducing the risk of a breach.

This security upgrade targeted at all Office 365 customers was soon followed, in January 2022, by the addition of differentiated protection for priority enterprise accounts (i.e., critical accounts of high-profile employees such as executive-level managers, the ones who attackers most often target).

Christopher Bouzy is trying to stay ahead of the bots. As the person behind Bot Sentinel, a popular bot-detection system, he and his team continuously update their machine learning models out of fear that they will get “stale.” The task? Sorting 3.2 million tweets from suspended accounts into two folders: “Bot” or “Not.”

To detect bots, Bot Sentinel’s models must first learn what problematic behavior is through exposure to data. And by providing the model with tweets in two distinct categories—bot or not a bot—Bouzy’s model can calibrate itself and allegedly find the very essence of what, he thinks, makes a tweet problematic.

Training data is the heart of any machine learning model. In the burgeoning field of bot detection, how bot hunters define and label tweets determines the way their systems interpret and classify bot-like behavior. According to experts, this can be more of an art than a science. “At the end of the day, it is about a vibe when you are doing the labeling,” Bouzy says. “It’s not just about the words in the tweet, context matters.”

He’s a Bot, She’s a Bot, Everyone’s a Bot

Before anyone can hunt bots, they need to figure out what a bot is—and that answer changes depending on who you ask. The internet is full of people accusing each other of being bots over petty political disagreements. Trolls are called bots. People with no profile picture and few tweets or followers are called bots. Even among professional bot hunters, the answers differ.

Bot Sentinel is trained to weed out what Bouzy calls “problematic accounts”—not just automated accounts. Indiana University informatics and computer science professor Filippo Menczer says the tool he helps develop, Botometer, defines bots as accounts that are at least partially controlled by software. Kathleen Carley is a computer science professor at the Institute for Software Research at Carnegie Mellon University who has helped develop two bot-detection tools: BotHunter and BotBuster. Carley defines a bot as “an account that is run using completely automated software,” a definition that aligns with Twitter’s own. “A bot is an automated account—nothing more or less,” the company wrote in a May 2020 blog post about platform manipulation.

Just as the definitions differ, the results these tools produce don’t always align. An account flagged as a bot by Botometer, for example, might come back as perfectly humanlike on Bot Sentinel, and vice versa.

Some of this is by design. Unlike Botometer, which aims to identify automated or partially automated accounts, Bot Sentinel is hunting accounts that engage in toxic trolling. According to Bouzy, you know these accounts when you see them. They can be automated or human-controlled, and they engage in harassment or disinformation and violate Twitter’s terms of service. “Just the worst of the worst,” Bouzy says.

Botometer is maintained by Kaicheng Yang, a PhD candidate in informatics at the Observatory on Social Media at Indiana University who created the tool with Menczer. The tool also uses machine learning to classify bots, but when Yang is training his models, he’s not necessarily looking for harassment or terms of service violations. He’s just looking for bots. According to Yang, when he labels his training data he asks himself one question: “Do I believe the tweet is coming from a person or from an algorithm?”

How to Train an Algorithm

Not only is there no consensus on how to define a bot, but there’s no single clear criteria or signal any researcher can point to that accurately predicts whether an account is a bot. Bot hunters believe that exposing an algorithm to thousands or millions of bot accounts helps a computer detect bot-like behavior. But the objective efficiency of any bot-detection system is muddied by the fact that humans still have to make judgment calls about what data to use to build it.

Take Botometer, for example. Yang says Botometer is trained on tweets from around 20,000 accounts. While some of these accounts self-identify as bots, the majority are manually categorized by Yang and a team of researchers before being crunched by the algorithm. (Menczer says some of the accounts used to train Botometer come from data sets from other peer-reviewed research. “We try to use all the data that we can get our hands on, as long as it comes from a reputable source,” he says.)

There’s a mystical quality in the way Yang speaks about how the team trains the Random Forest, the supervised machine-learning algorithm at the core of Botometer. “When I ask other people to label accounts, I don’t give them too many specific directions,” Yang says. “There are signals in bots that are hard to describe but that humans notice.” In other words, the Botometer team is trying to bake in some of the human instincts that allow people to detect who’s human and who’s not.

After these accounts are labeled, Botometer’s model crunches more than a thousand features of each category of account, according to Menczer. For instance, the model looks at how many of each part of speech appeared in the text of a tweet. It also considers sentiment, when the account was created, and how many tweets or retweets it has. Time is also a factor, says Menczer. “How often does an account tweet? How many times in a day? How many times in a week? What is the distribution of the interval?” If an account is tweeting all hours of the day without enough downtime to sleep, for example, it could be a bot. These inputs, amongst others, carefully calibrate a decision tree that dictates how the model evaluates accounts it is unfamiliar with. “So it’s a little bit complicated,” Menczer says.

The tools are also evolving. The Botometer you can use today is the fourth version of the tool, according to Menczer, and it’s trained using new data sets that account for changes in bot behavior. “We add new data sets, we add new features. Sometimes we remove features that we don’t think are as useful anymore,” he says.

The Botometer team recently realized that bot accounts were frequently using AI-generated photos in their Twitter bios. They found that the position of the eyes on these fake faces follows a pattern: They’re too close together. Incorporating images of faces that are created by an algorithm into Botometer’s training data and labeling them as bots helped the tool flag accounts that use similar images in their bios.

Flawed Human Nature

Despite the work that goes into creating these tools, the bot-hunting field is not without detractors. Darius Kazemi, an engineer at Meedan, a nonprofit that works in the misinformation space, is not shy about his skepticism of bot-detection software. “I think the very premise of bot-detection is flawed, and I don’t think it’s going to get better,” he says. Part of the reason for this, Kazemi says, is that “problematic content” is not a standardized metric.

For Kazemi, bot hunting boils down to trust and ideology. “If you are ideologically aligned with the bot developers, then these tools will give you the signal you are looking for,” he says.

Bouzy and Yang express the same concerns about bias, and they have implemented measures to counter it. Bot Sentinel is largely trained with tweets from users that Twitter has already deemed problematic, using Twitter’s own policies as a benchmark. “We still use our judgment when labeling tweets, but at least we have a starting point,” Bouzy says. “We do our best to limit the bias, but unfortunately, no system is perfect. However, we believe Bot Sentinel is the most accurate publicly available tool to identify disruptive and problematic accounts.”

Botometer tries to have as many researchers as possible labeling tweets to mitigate Yang’s own biases. The team also seeds training data with nontraditional inputs. “For instance, we purchase fake followers that we know are bots and use those accounts to train the model,” Yang says. “We also can vet our model by seeing if accounts flagged as bots eventually get suspended.” All of this data is made publicly available and open for inspection. “We try different ways to make it as solid as possible.”

Menczer says the controversy over bot detection often lies in human biases—people trust such tools wholeheartedly or expect them to do something beyond their capabilities. “A tool can be useful, but it has to be used in the right way,” he says. Just as these tools shouldn’t be used as proof that someone you follow is a bot, Menczer says, it’s also incorrect to conclude that errors in the system are proof that it doesn’t work at all.

Lousy With Bots

Regardless of what these bot-hunting models have learned to detect, it’s clear that they are detecting something. Bot Sentinel and Botometer have become the go-to tools for misinformation researchers and both claim to have a track record of successfully flagging accounts before Twitter suspends them.

Kazemi is still not sold on the value of bot detection. “It’s measuring something,” he says. “But the real question is whether you can make useful decisions based on signals from these services. I’d say no.”

Menczer admits that bot-detection tools are not always accurate but says they don’t have to be perfect to be useful. “Yes, there are going to be some mistakes—for sure. That’s the nature of machine learning, right?” he says. “Yes, the tool makes mistakes. That doesn’t mean that it’s useless. But also the problem is hard, so you shouldn’t just use the tool blindly.”

This area of research is also relatively new and rapidly evolving—as are the bots. Carnegie Mellon’s Carley emphasizes that researchers have focused on Twitter bots because they’re public and therefore accessible. But Twitter bots are not alone. And without tools that can identify bots at scale, and stamp out the nefarious ones, the internet will become more overrun than it already is.

Update 9-30-22, 4:25 pm ET: This article has been updated to clarify that Bot Sentinel is trained to identify problematic accounts, not simply automated or partially automated accounts.

Bot Hunting Is All About the Vibes

(May require free registration to view)

The list of open-source software weaponized by Lazarus state hackers to deploy the BLINDINGCAN (aka ZetaNile) backdoor includes PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and the muPDF/Subliminal Recording software installer.

The PuTTY and KiTTY SSH clients were also used to backdoor targets' devices in fake job skills assessments, as reported by Mandiant this month.

This trojanized software was used in social engineering attacks from late April to mid-September 2022 and primarily focused on engineers and technical support professionals working at IT and media organizations in the UK, India, and the U.S.

The attackers created "fake profiles claiming to be recruiters working at technology, defense, and media entertainment companies, with the goal of moving targets away from LinkedIn and to the encrypted messaging app WhatsApp for the delivery of malware," Microsoft said.

"Targets received outreach tailored to their profession or background and were encouraged to apply for an open position at one of several legitimate companies."

After the targets were tricked into downloading the weaponized software to deploy the malware on their systems, the Lazarus operators used the backdoor for lateral movement and network discovery, with the end goal of stealing sensitive info.

Mandiant said in its report that the group's latest activities seem to be a continuation of Operation Dream Job, a North Korean cyber-espionage campaign active since June 2020 when it lured targets from prominent defense and aerospace companies in the U.S. with fake job offers.

The Lazarus Group (also tracked as ZINC, Labyrinth Chollima, and Black Artemis) is a North-Korean military hacking group active since at least 2009.

It gained notoriety after hacking Sony Films in Operation Blockbuster, multiple banks worldwide, and for coordinating the 2017 global WannaCry ransomware campaign.

More recently, Lazarus targeted security researchers in social engineering attacks using elaborate fake "security researcher" social media personas in January and in a similar campaign in March.

They also used the ThreatNeedle backdoor in a large-scale cyber-espionage campaign against the defense industry of over a dozen countries.

The U.S. government sanctioned three DPRK-sponsored hacking groups (Lazarus, Bluenoroff, and Andariel) in September 2019 and now offers a reward of up to $5 million for information on North Korean hackers' cyber activity.

CISA's Known Exploited Vulnerabilities (KEV) catalog now includes two Microsoft Exchange zero-days (CVE-2022-41040 and CVE-2022-41082) exploited in limited, targeted attacks, according to Microsoft.

While Microsoft hasn't yet released security updates to address this pair of actively exploited bugs, it shared mitigation measures requiring customers to add an IIS server blocking rule that would block attack attempts.

"Microsoft is also monitoring these already deployed detections for malicious activity and will take necessary response actions to protect customers. [..] We are working on an accelerated timeline to release a fix," Microsoft said earlier today.

The third security flaw CISA added to its KEV list today (tracked as CVE-2022-36804) is a critical severity command injection vulnerability in Atlassian's Bitbucket Server and Data Center, with publicly available proof of concept exploit code.

Attackers can gain remote code execution by exploiting the flaw via malicious HTTP requests. Still, they must have access to a public repository or read permissions to a private one.

This RCE vulnerability impacts all Bitbucket Server and Data Center versions after 6.10.17, including 7.0.0 and up to 8.3.0.

BinaryEdge and GreyNoise confirmed that attackers have been scanning and attempting to exploit CVE-2022-36804 in the wild [1, 2] since at least September 20th.

Federal agencies ordered to mitigate

All Federal Civilian Executive Branch Agencies (FCEB) agencies apply patches or mitigation measures for these three actively exploited bugs after being added to CISA's KEV catalog as required by a binding operational directive (BOD 22-01) from November.

The federal agencies were given three weeks, until October 21st, to ensure that exploitation attempts would be blocked.

The U.S. cybersecurity agency also strongly urged all private and public sector organizations worldwide to prioritize patching these vulnerabilities, although BOD 22-01 only applies to U.S. FCEB agencies.

Applying patches ASAP will help them decrease the attack surface potential attackers could target in breach attempts.

"These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise," CISA explained on Thursday.

Since the BOD 22-01 binding directive was issued last year, CISA has added more than 800 security flaws to its catalog of bugs exploited in attacks while requiring federal agencies to address them on a tighter schedule.

Source

With the help of malicious vSphere Installation Bundles, the attacker was able to install on the bare-metal hypervisor two backdoors that researchers have named VirtualPita and VirtualPie.

Researchers also uncovered a unique malware sample that they called VirtualGate, which includes a dropper and a payload.

Deceiving trust

In an incident response engagement earlier this year, security researchers at cyber threat intelligence company Mandiant (acquired by Google) found that an actor suspected to have ties with China used malicious vSphere Installation Bundles (VIBs) to deliver the VirtualPita and VirtualPie malware.

A VIB is a package of files for creating or maintaining an ESXi image. It lets the administrator manage how the ESXi installation behaves by creating startup tasks, firewall rules, or running binaries when the machine restarts.

The VIB package includes the following:

• an archive, typically referred to as "payload" files that need to be installed on the host
• an XML descriptor with information about the VIB requirements, dependencies, compatibility issues, payload to install, name, install date
• signature file that verifies the maker of the VIB and the level of trust associated with it

VIBs can be created by VMware (created and tested by the company), approved partners, or the community (not a source accepted through the VMware program, such as individuals or third-party partners).

During the investigation of the incident, Mandiant discovered that the threat actor, tracked as UNC3886, modified the acceptance level in the XML descriptor for the VBI used in the attack from 'community' to 'partner' to deceive anyone looking into it.

A modified level of trust is not enough for the ESXi system to accept it by default but the attacker also used the '--force' flag to install the malicious VIBs.

On closer inspection, though, the falsified VIB became evident, showing that the signature file could not be associated with a party trusted by VMware.

Using these tricks, the threat actor was able to install the VirtualPita and VirtualPie malware on the compromised ESXi machine.

"VIRTUALPITA is a 64-bit passive backdoor that creates a listener on a hardcoded port number on a VMware ESXi server," Mandiant says in a report today.

The researchers added that the backdoor often impersonates a legitimate service by using VMware service names and ports. It allows execution of arbitrary commands, uploads and downloads files, as well as starting and stopping the logging mechanism ('vmsyslogd ').

During the research, a Linux variant for VirtualPita was found persistent as an init.d startup service on Linux vCenter systems, hiding under the name of the legitimate binary ksmd.

VirtualPie is Python-based and spawns a daemonized IPv6 listener on a hardcoded port on a VMware ESXi server. It supports arbitrary command line execution, can transfer files, and set up a reverse shell.

On Windows guest virtual machines under the infected hypervisor, the researchers found another malware, VirtualGate, which includes a memory-only dropper that deobfusccates a second-stage DLL payload on the VM.

This attack requires the threat actor to have admin-level privileges to the hypervisor. While this may appear to lower the risk, adversaries often lurk on the victim network waiting for an opportunity to reach valuable assets or extend their presence.

In a separate blog post today, Mandiant provides technical details on how defenders can minimize the attack surface on ESXi hosts by detecting malicious VIBs.

Source

Broadcom's Symantec Threat Hunter Team attributed the updated tooling to a hacking group it tracks under the name Witchetty, which is also known as LookingFrog, a subgroup operating under the TA410 umbrella.

Intrusions involving TA410 – which is believed to share connections with a Chinese threat group known as APT10 (aka Cicada, Stone Panda, or TA429) – primarily feature a modular implant called LookBack.

Symantec's latest analysis of attacks between February and September 2022, during which the group targeted the governments of two Middle Eastern countries and the stock exchange of an African nation, highlights the use of a new backdoor called Stegmap.

The new malware leverages steganography – a technique used to embed a message (in this case, malware) in a non-secret document – to extract malicious code from a bitmap image of an old Microsoft Windows logo hosted on a GitHub repository.

"Disguising the payload in this fashion allowed the attackers to host it on a free, trusted service," the researchers said. "Downloads from trusted hosts such as GitHub are far less likely to raise red flags than downloads from an attacker-controlled command-and-control (C&C) server."

Stegmap, like any other backdoor, has an extensive array of features that allows it to carry out file manipulation operations, download and run executables, terminate processes, and make Windows Registry modifications.

Attacks that lead to the deployment of Stegmap weaponize ProxyLogon and ProxyShell vulnerabilities in Exchange Server to drop the China Chopper web shell, that's then used to carry out credential theft and lateral movement activities, before launching the LookBack malware.

A timeline of an intrusion on a government agency in the Middle East reveals Witchetty maintaining remote access for as many as six months and mounting a wide range of post-exploitation efforts till September 1, 2022.

"Witchetty has demonstrated the ability to continually refine and refresh its toolset in order to compromise targets of interest," the researchers said.

"Exploitation of vulnerabilities on public-facing servers provides it with a route into organizations, while custom tools paired with adept use of living-off-the-land tactics allow it to maintain a long-term, persistent presence in targeted organizations."

Source

If you visited BleepingComputer from Europe, you may have noticed an annoying cookie consent prompt asking if you would like to accept data-collecting cookies from our advertisers.

These notifications are incredibly annoying but have become necessary to do business online to comply with data protection regulations like GDPR.

In some cases, however, these banners can serve as trackers themselves, as they engage in a privacy-breaching data exchange before the user even has a chance to opt out.

Secondly, it is widely accepted that the consent prompts severely disrupt the browsing experience, as users have to deal with them almost every time they visit a website.

Brave to block cookie consent notifications

Brave will now proactively detect and block the cookie consent banners to deal with both of these issues, removing both a distraction and a potential privacy risk for users.

“New versions of Brave will hide—and, where possible, completely block—cookie consent notifications,” mentions Brave’s blog post.

“Brave’s approach is distinct and more privacy-preserving than similar systems used in other browsers (such as the “auto-consent” systems used in other browsers), and helps keep the Web user-first.”

Unlike other solutions, such as browser extensions, that auto-consent for a user or block prompts, Brave says they break the communication channel between the browser and the consent-tracking system.

The roll-out of the new system has already started in Brave Nightly, and is scheduled to reach the stable branch on version 1.45 in October, starting with Windows and Android. iOS will follow soon afterward.

The new option will appear in the browser’s Settings, in “Shields,” where users may tick the box for blocking obtrusive cookie notices.

All users will get a prompt to set the new option upon launching Brave for the first time after the update that introduced the feature.

On a final note, Brave bashes Google’s push for technologies that remove control from users and give more experience-shaping power to websites, advertisers, data collectors, and consent-management systems.

“Cookie banners highlight how much worse the Web will get if Google (and others) succeed in weakening users’ ability to block such annoyances,” states Brave.

Examples of such technologies are Manifest V3, WebBundles, and Privacy Sandbox, which Brave sees as obstacles rather than allies in its fight to bolster user privacy and deliver a frictionless web browsing experience.

Brave browser to start blocking annoying cookie consent banners

Brave's ad blocker will support Manifest V3

Brave Software tweeted a message to educate people that Manifest V3 will break ad blockers, and that its own browser will not be affected by the change. A few months ago, Brave's CEO and co-founder, Brendan Eich explained that the limitations caused by Manifest V3 affects extensions directly by restricting their capabilities, but that browsers can still access the required API. This is what Brave browser will rely on to ensure its built-in content blocker continues to function.

It will change once the extended support for Enterprise is over, when Google removes said code from the Chromium project, and all browsers that rely on it will have to follow suit. You could argue that this doesn't seem promising, but it is pretty much exactly what Vivaldi's developers mentioned recently. Both browsers depend on the underlying code to access webRequest for their built-in ad blocker to work.

Brave browser and Manifest V2 extensions

There's more to this bit of news.  Here's what the tweet from the company says.

"Brave will support Manifest V2 extensions such as uBlock Origin even after Chrome stops doing so."

Vivaldi had assured users its ad blocker would continue to function beyond Manifest V3, but Brave browser wants to go one step further by saying it will support third party Manifest V2 extensions. Brave's ad blocker is quite good, and in some ways better than Vivaldi's implementation, especially when it comes to the ease of adding custom filters. But uBlock Origin with its element picker, custom filters filter lists, etc., is far more powerful than a built-in content blocker with limited features. So while this could be incredible news for users and developers, I'm not sure how Brave's plans to support Manifest V2 extensions could work out in reality.

A Reddit user points out that Eich had questioned whether Google will kick Manifest V2 extensions from the Chrome Web Store, and when asked about how Brave's long term support for Manifest V2 code paths could work, he had replied that "we could fork them back in at higher maintenance cost".

He had also mentioned that Brave was open to curating some add-ons like uBlock Origin and uMatrix for a start, this seems to suggest that the browser may not support "all Manifest V2 extensions"as the tweet seems to suggest, but only a select few.  That's not exactly impressive. I can only imagine that Brave could accomplish this is by either bundling the add-ons as an optional feature that users can toggle, or by hosting a web store for extensions on its website. Eich's words about hosting and curating add-ons suggest that it could be the latter.

Wouldn't it be better to open a proper extension store, similar to Opera's add-ons site? Brave launched its own search engine and partners with cryptocurrency wallets, so one might assume that the company has the resources to host its own web store for extensions.  That would require some effort and willingness from add-on developers, who would have to upload and update their Manifest V2 extensions to the store. Brave would need to review the extensions in order to prevent malicious plugins from sneaking in. A curated list of specific add-ons would be easier, and financially viable, to implement.

An extension store would still only be a temporary solution. Once Chrome drops Manifest V2 completely, both Brave and Vivaldi will need to find a different way to support older extensions, or see their users switch over to Firefox.

But there's some good news, Google will drop support for Manifest V2 in 2024, as opposed to its previous plans to discontinue it in 2023. This will provide browser makers and developers of ad blockers with some much-needed time to work on their projects, to find a way to continue protecting users from the harmful changes of Manifest V3.

Brave confirms it will support Manifest V2 extensions like uBlock Origin even after Chrome drops them

Researchers have revealed a never-before-seen piece of cross-platform malware that has infected a wide range of Linux and Windows devices, including small office routers, FreeBSD boxes, and large enterprise servers.

Black Lotus Labs, the research arm of security firm Lumen, is calling the malware Chaos, a word that repeatedly appears in function names, certificates, and file names it uses. Chaos emerged no later than April 16, when the first cluster of control servers went live in the wild. From June through mid-July, researchers found hundreds of unique IP addresses representing compromised Chaos devices. Staging servers used to infect new devices have mushroomed in recent months, growing from 39 in May to 93 in August. As of Tuesday, the number reached 111.

Black Lotus has observed interactions with these staging servers from both embedded Linux devices as well as enterprise servers, including one in Europe that was hosting an instance of GitLab. There are more than 100 unique samples in the wild.

"The potency of the Chaos malware stems from a few factors," Black Lotus Labs researchers wrote in a Wednesday morning blog post. "First, it is designed to work across several architectures, including: ARM, Intel (i386), MIPS and PowerPC—in addition to both Windows and Linux operating systems. Second, unlike largescale ransomware distribution botnets like Emotet that leverage spam to spread and grow, Chaos propagates through known CVEs and brute forced as well as stolen SSH keys."

CVEs refer to the mechanism used to track specific vulnerabilities. Wednesday's report referred to only a few, including CVE-2017-17215 and CVE-2022-30525 affecting firewalls sold by Huawei, and CVE-2022-1388, an extremely severe vulnerability in load balancers, firewalls, and network inspection gear sold by F5. SSH infections using password brute-forcing and stolen keys also allow Chaos to spread from machine to machine inside an infected network.

Chaos also has various capabilities, including enumerating all devices connected to an infected network, running remote shells that allow attackers to execute commands, and loading additional modules. Combined with the ability to run on such a wide range of devices, these capabilities have led Black Lotus Labs to suspect Chaos "is the work of a cybercriminal actor that is cultivating a network of infected devices to leverage for initial access, DDoS attacks and crypto mining," company researchers said.

Black Lotus Labs believes Chaos is an offshoot of Kaiji, a piece of botnet software for Linux-based AMD and i386 servers for performing DDoS attacks. Since coming into its own, Chaos has gained a host of new features, including modules for new architectures, the ability to run on Windows, and the ability to spread through vulnerability exploitation and SSH key harvesting.

Infected IP addresses indicate that Chaos infections are most heavily concentrated in Europe, with smaller hotspots in North and South America and Asia-Pacific.

Black Lotus Labs researchers wrote:

Over the first few weeks of September, our Chaos host emulator received multiple DDoS commands targeting roughly two dozen organizations’ domains or IPs. Using our global telemetry, we identified multiple DDoS attacks that coincide with the timeframe, IP and port from the attack commands we received. Attack types were generally multi-vector leveraging UDP and TCP/SYN across multiple ports, often increasing in volume over the course of multiple days. Targeted entities included gaming, financial services and technology, media and entertainment, and hosting. We even observed attacks targeting DDoS-as-a-service providers and a crypto mining exchange. Collectively, the targets spanned EMEA, APAC and North America.

One gaming company was targeted for a mixed UDP, TCP and SYN attack over port 30120. Beginning September 1 – September 5, the organization received a flood of traffic over and above its typical volume. A breakdown of traffic for the timeframe before and through the attack period shows a flood of traffic sent to port 30120 by approximately 12K distinct IPs – though some of that traffic may be indicative of IP spoofing.

A few of the targets included DDoS-as-a-service providers. One markets itself as a premier IP stressor and booter that offers CAPTCHA bypass and “unique” transport layer DDoS capabilities. In mid-August, our visibility revealed a massive uptick in traffic roughly four times higher than the highest volume registered over the prior 30 days. This was followed on September 1 by an even larger spike of more than six times the normal traffic volume.

The two most important things people can do to prevent Chaos infections are to keep all routers, servers, and other devices fully updated and to use strong passwords and FIDO2-based multifactor authentication whenever possible. A reminder to small office router owners everywhere: Most router malware can't survive a reboot. Consider restarting your device every week or so. Those who use SSH should always use a cryptographic key for authentication.

Source

Instead of the user having to interact with a simple puzzle, the Turnstile system uses non-intrusive challenges based on telemetry and client behaviour during a session. Cloudflare said that as Turnstile challenges become less effective, they will be rotated out for new ones, keeping malicious actors at bay. Explaining how it works in a bit more detail, Cloudflare said:

“With Turnstile, we adapt the actual challenge outcome to the individual visitor/browser. First we run a series of small non-interactive JavaScript challenges gathering more signals about the visitor/browser environment. Those challenges include proof-of-work, proof-of-space, probing for web APIs, and various other challenges for detecting browser-quirks and human behavior. As a result, we can fine-tune the difficulty of the challenge to the specific request.

Turnstile also includes machine learning models that detect common features of end visitors who were able to pass a challenge before. The computational hardness of those initial challenges may vary by visitor, but is targeted to run fast.”

Setting up Turnstile on your website is very easy, just create a Cloudflare account and go to the Turnstile tab on the navigation bar. Here you can get a sitekey and secret key. You’ll then need to copy some JavaScript code from the dashboard and use it to replace your existing CAPTCHA JavaScript. Cloudflare then says you need to update the server-side integration by replacing the old siteverify URL with Cloudflare's.

Cloudflare announces invisible alternative to CAPTCHAs

An update from the Chrome team says that they will proceed in careful, experimental steps, ensuring a smooth end-user experience during the phase-out of Manifest V2 in June 2023.

During that time, Google will support extension developers with guidance and information on the new protocol and how they can best roll out versions that support it without their users experiencing hiccups.

Manifest V3 overview

Google announced Manifest V3 in 2019 as a new permissions and capabilities framework for Chrome extensions that would introduce stricter rules to upgrade user data security and privacy.

In short, Manifest V3 hopes to achieve the following:

• Limit extension access to user network requests.
• Force developers to include all functionality within the extension, ending the practice of hosting code remotely.
• Move network request modifications from the extensions to the browser.
• Replace background pages with dedicated service workers to improve browser performance.

While this is positive, it inevitably introduces technical challenges for extension developers, as they often have to change how they implement features in their tools.

This is particularly evident for extensions that take a more active role in the browser, like ad-blockers, that are currently struggling to find ways to offer their users the same level of functionality in Manifest V3.

Timelines for roll-out

Google first started testing Manifest V3 in November 2019 in the Chrome 80 Canary builds and was later introduced into production builds as part of Chrome 88. 

In January 2022, the Chrome Web Store stopped accepting new extensions built on Manifest V2.

According to the original roll-out timeline released by Google a year ago, starting from January 2023, all extensions built on Manifest V2 would stop working on the Chrome browser.

Today's update provides more granular information on the roll-out of Manifest V3 (and phase-out of Manifest V2), adding the following milestones:

• In January 2023, with the release of Chrome 112, Chrome may run experiments to turn off support for Manifest V2 extensions in Canary, Dev, and Beta channels.
• In June 2023, with the release of Chrome 115, Chrome may run experiments to turn off support for Manifest V2 extensions in all channels, including Stable channel.

Based on this update, the deadline for lifting Manifest V2 support has been pushed back by five months, from January to June 2023.

For the enterprise, Manifest V2 support will be extended to January 2024, giving more cumbersome entities time to adjust to the change.

Additionally, in regards to the Chrome Web Store, the following milestones have been explained:

• In January 2023, the use of Manifest V3 will become a prerequisite for the Featured badge.
• In June 2023, the Chrome Web Store will no longer allow Manifest V2 items to be published with visibility set to Public. Manifest V2 items with visibility set to Public at that time will have their visibility changed to Unlisted.
• In January 2024, following the expiry of the Manifest V2 enterprise policy, the Chrome Web Store will remove all remaining Manifest V2 items from the store.

Meanwhile, the Chrome team promises to continue working with extension developers to introduce new APIs along the way and improve the platform's functionality.

Developers who would like to join in the discussion on matters relating to the Manifest V3 migration are recommended to do so by posting to the chromium-extensions Google Group.

Ad blockers face the most obstacles

Developers of Google Chrome ad blockers are facing the most obstacles while transitioning their extensions to Manifest V3 as many of the APIs no longer support features required by their extensions.

"An example that the declarativeNetRequest ("DNR") API is an obstacle to innovation in content blockers," uBlock Origin developer Raymond Hill explained in December 2021.

"I can count over 420 filters currently in the default filterset which uses this feature, clearly a benefit to filter list maintainers. These filters would cease to exist in a DNR-based blocker," continued Hill.

While some of these restrictions have been overcome, Manifest V3 ad blockers still suffer from drawbacks that reduce the functionality of their programs.

For example, AdGuard announced that their ad blocker was ported to Manifest V3 in August, but they warned it did not come without issues.

"Although the experimental extension is not as effective as its predecessor, most users won't feel the difference. The only thing you might notice is ad flickering due to the lag in the application of cosmetic rules," warned AdGuard in their announcement.

For uBlock Origin, Hill has begun working on a uBO Lite extension to get past some of the issues experienced by AdGuard's transition to Manifest V3. While Hill has overcome some of these issues, he too warns that the new extension will not come without limitations.

"Many users of uBO will dislike the limitations of uBOL when compared to uBO. There is no point complaining about it, it's just not for you, it's meant for another kind of users -- you do not have to use it," explained Hill in a lengthy post about Manifest V3 on GitHub.

"For the record, it's not for me either (I want/need the full control uBO allows me), but I want to offer an option for those who use uBO as an install-and-forget blocker without ever interacting with it."

Google to test disabling Chrome Manifest V2 extensions in June 2023

 The two-sentence push notifications were attributed to Fast Company and contained the n-word and graphic language, prompting shocked users to post screenshots on Twitter.

While breaches at media companies are not unheard of, the notification was one of the biggest violations of Apple’s “walled garden” in memory. There was nothing to indicate that user security was compromised beyond the upsetting wording.

“Fast Company’s Apple News account was hacked on Tuesday evening. Two obscene and racist push notifications were sent about a minute apart,” the magazine said by email. “The messages are vile and are not in line with the content of Fast Company. We are investigating the situation and have suspended the feed and shut down FastCompany.com until we are certain the situation has been resolved.”

An Apple spokesperson pointed to a tweet from Apple News that said: “An incredibly offensive alert was sent by Fast Company, which has been hacked.

Apple News has disabled their channel.”

While the magazine’s site was defaced, an article that was labeled sponsored content gave the hackers’ description of how the break-in occurred.

That account said the group had gotten into the company’s WordPress program and found keys to functions including the Apple News programming interface.

Source

Optus, Australia's second-largest mobile operator, first disclosed the security breach on September 22, 2022, saying that an attacker might have gained access to customers' personal information.

This information includes a customer's name, dates of birth, phone numbers, email addresses, physical addresses, driver's licenses, and passport numbers, but no account passwords or financial information.

On September 23, 2022, a hacker using the alias "optusdata" published a small sample of the stolen data on the Breached hacking forum and demanded that the firm pay a $1,000,000 (USD) ransom or the data for 11,000,000 customers would be publicly leaked. 

Optus didn't give in to the extortion demands and instead engaged with law enforcement authorities to investigate the incident.

The hacker told reporter Jeremy Kirk that they used an unsecured API endpoint to steal the data rather than breaching the company's internal systems.

After not receiving a ransom demand, the threat actor released a larger sample of stolen data for 10,000 Optus customers for free on the same hacking forum, allowing threat actors to download and abuse it for their own campaigns.

Today, reports from victims of the data breach have started to receive messages demanding the payment of AUD 2,000 ($1,300) within two days, or their data would be sold to other hackers.

The threat actor listed a Commonwealth Bank of Australia (CBA) account to receive the money, which the financial institution has since blocked.

While the texts include the name 'OptusData' used by the original hacker, it is unclear if they are behind the SMS texts or another threat actor who downloaded the leaked data sample.

Giving up on the extortion

Today, the alleged Optus hacker posted a new message on Breached stating that the stolen data will no longer be sold or leaked to anyone due to increased scrutiny on the data breach.

The threat actor also claimed that the stolen data had been deleted from their device that held the only copy and apologized to both the exposed Optus customers and the company.

"Too many eyes. We will not sale data to anyone. We can't if we even want to: personally deleted data from drive (only copy)," claims the threat actor.

It's worth noting that the particular user was never officially confirmed as the person or group responsible for the Optus breach.

However, the decision to stop extorting the company likely comes in response to the Australian Federal Police (AFP) announcing yesterday that they launched "Operation Hurricane" to identify the threat actors behind the breach and extortion demands.

"We are aware of reports of stolen data being sold on the dark web and that is why the AFP is monitoring the dark web using a range of specialist capabilities," announced the AFP.

"Criminals, who use pseudonyms and anonymising technology, can’t see us but I can tell you that we can see them."

As part of this operation, the AFP is working closely with overseas law enforcement to identify and apprehend those behind the attack.

Should AFP identify the person(s) responsible for the Optus breach, they will face penalties of up to ten years in prison.

Incident response

Optus continues to update its customers on the situation via a dedicated portal on its website. In addition, yesterday, it offered all impacted individuals a 12-month subscription to credit monitoring and identity protection service through Equifax.

Today, Australia's Minister for Infrastructure, Transport, Energy & Mining, Tom Koutsantonis, announced that victims of the Optus data breach would receive new driver's licenses free of charge.

The driver's licenses that the attackers have stolen will be invalidated, as threat actors could use them to forge fake documents that match entries in the state's system.

Finally, Cyber Security Minister Clare O'Neil told ABC during an interview that Australia's current regulatory framework isn't strict enough, and companies need to ramp up their effort to protect customer data as it happens in Europe with GDPR.

The official criticized Optus's security stance, saying it "left the window open" for the hackers, so this incident might spark regulatory changes in the country.

Optus hacker apologizes and allegedly deletes all stolen data

The Australian government has blamed lax cybersecurity at Optus for the unprecedented breach last week of the personal data of 9.8 million current and former customers.

Jeremy Kirk, a Sydney-based cybersecurity writer, said the purported hacker, who uses the online name Optusdata, had released 10,000 Optus customer records on the dark web and threatened to release another 10,000 every day for the next four days unless Optus pays the ransom.

Asked if the hacker had threatened to sell the remaining data if Optus did not pay the $1 million within a week, the company’s chief executive, Kelly Bayer Rosmarin, told Australian Broadcasting Corp., “We have seen there is a post like that on the dark web.”

Australian Federal Police said Monday their investigators were working with overseas agencies, including the FBI, to determine who was behind the attack and to help shield the public from identity fraud. Police declined further comment Tuesday as the investigations were ongoing.

“They’re looking into every possibility and they’re using the time available to see if they can track down that particular criminal and verify if they are bona fide,” Bayer Rosmarin said.

Kirk wrote in his website Bank Info Security that Optusdata later deleted the post along with three samples of the stolen data.

Optusdata sent Kirk a link to a new post that withdrew the ransom demand, claimed the stolen data had been deleted and apologized to Optus as well as its customers.

“Too many eyes. We will not sale (sic) data to anyone,” the post said, adding that Optus had not paid a ransom.

Kirk said he asked why Optusdata had changed their mind but received no response.

Australian Information and Privacy Commissioner Angelene Falk, the national data protection authority, said the latest post “indicates ... this is a very fast-moving incident.”

“It’s a major incident of significant concern for the community. What we need to focus on here is ensuring that all steps are maintained to protect the community’s personal information from further risk of harm,” Falk said.

Web security consultant Troy Hunt suspected the apology had come from the hacker. But he did not accept that the data was now safe.

“The question now is what happens next? Will we just hear no more from this individual? Will the data appear in a larger volume tomorrow, next week, possibly years from now?” Hunt said.

At least one of the 10,000 Optus customers whose data was released on the dark web Tuesday had received a text message purportedly from the hacker demanding a 2,000 Australian dollar ($1,300) ransom, Nine Network News in Sydney reported.

“Your information will be sold and used for fraudulent activity within two days or until a payment of AU$2,000 is made,” the text said, including details of an Australian bank account in the name Optusdata.

The extortion target, identified only as Belinda and described as a mother of a 5-year-old child with cancer, told Nine, “To be honest, it’s just not what we need.”

“I guess they’re just trying to hopefully pressure people into paying,” she said. Nine did not report whether she intended to pay.

Earlier Tuesday, Kirk said the released personal data appeared to include health care numbers, a form of identification not previously revealed publicly to have been hacked.

Cybersecurity Minister Clare O’Neil urged Optus to give priority to informing customers of what information had been taken.

“I am incredibly concerned this morning about reports that personal information from the Optus data breach, including Medicare numbers, are now being offered for free and for ransom,” O’Neil said. “Medicare numbers were never advised to form part of compromised information from the breach,” she added.

O’Neil on Monday described the hack as an “unprecedented theft of consumer information in Australian history.”

Of the 9.8 million people affected, 2.8 million had “significant amounts of personal data,” including driver’s licenses and passport numbers, breached and are at significant risk of identity theft and fraud, she said.

Kirk said he used an online forum for criminals who trade in stolen data to ask Optusdata how the Optus information was accessed.

Optus appeared to have left an application programming interface, a piece of software known as an API that allows other systems to communicate and exchange data, open to the public, Kirk said.

The Australian Financial Review newspaper said the theory that Optus “left open an API” had been widely reported.

Bayer Rosmarin rejected such explanations, but said police had told her not to release details.

“It is not the case of having some sort of completely exposed API sitting out there,” Bayer Rosmarin said.

O’Neil didn’t detail how the breach occurred, but described it as a “quite a basic hack.”

Optus had “effectively left the window open for data of this nature to be stolen,” O’Neil said.

Source

Windows login credentials are valuable to threat actors as they allow them to access internal corporate networks for data theft or ransomware attacks.

These passwords are commonly acquired through phishing attacks or by users saving their passwords in insecure applications, such as word processors, text editors, and spreadsheets.

In some cases, simply typing your password in a phishing login form, and not submitting them, is enough for them to be stolen by threat actors.

To combat this behavior, Microsoft introduced a new feature called 'Enhanced Phishing Protection' that warns users when they enter their Windows password on a website or enter it into an insecure application.

"SmartScreen identifies and protects against corporate password entry on reported phishing sites or apps connecting to phishing sites, password reuse on any app or site, and passwords typed into Notepad, Wordpad, or Microsoft 365 apps," explains Microsoft Security Product Manager Sinclaire Hamilton.

"IT admins can configure for which scenarios end users see warnings through CSP/MDM or Group Policy."

This new feature is only available in Windows 11 22H2 at this time, and it is not enabled by default. It also requires you to log into Windows with your Windows password rather than use Windows Hello.

So if you use a PIN to log in to Windows, this feature will not work.

When enabled, Microsoft will detect when you enter your Windows password and then issue a warning prompting you to remove the password from an insecure file or, if entered on a site, to change your Windows password.

How to enable Enhanced Phishing Protection

While Windows 11 22H2 has Phishing protection enabled by default, the options to protect your passwords are disabled.

To enable these options, go to Start > Settings > Privacy & security > Windows Security > App & browser control > Reputation-based protection settings.

Under the Phishing protection section, you will see two new options labeled 'Warn me about password reuse' and 'Warn me about unsafe password storage.'

When enabled, the 'Warn me about password reuse' option will cause an alert to be displayed when you enter your Windows password on a website, whether it's a phishing site or a legitimate site.

The 'Warn me about unsafe password storage' option will warn you when you type your password into an application like Notepad, Wordpad, and Microsoft Office and then press enter.

To protect your passwords, put a checkmark in both options to enable them, as shown in the image below. When you enable each option, Windows 11 will display a UAC prompt, which you should accept.

BleepingComputer created a test account on our Windows 11 22H2 device and entered our password into Notepad to test this feature.

As you can see below, once we typed the password and pressed enter, Windows 11 displayed a warning stating, "It's unsafe to store your password in this app," and recommended we remove it from the file.

We also tested this feature in other applications, such as WordPad, Microsoft Word 2019, Excel 2019, OneNote, and Notepad2. We were not able to test this in Microsoft 365, which Microsoft claims is supported by the feature.

While Windows 11 warned us about our password in WordPad and Microsoft Word, it surprisingly did not warn us when typing it into Excel, OneNote, and Notepad2, which should be fixed.

This is especially true for Microsoft Excel, as it's known to be used to create password lists.

We also tested the password reuse feature by trying to log in to Twitter with our Windows password using Google Chrome and Microsoft Edge. Once we entered our password, Windows 11 displayed the following alert warning us to change our Windows password.

However, the Enhanced Phishing Protection feature did not work when testing Mozilla Firefox.

Overall, this is an excellent new security feature for Windows users, and it is strongly recommended that you use it to protect yourself from phishing attacks and from saving your passwords in insecure files.

However, there is still plenty of room for improvement, with Microsoft needing to expand the security feature to support more browsers and applications.

Windows 11 now warns when typing your password in Notepad, websites

Running the ransomware builder is simple and quickly creates an encryptor, private/public encryption keys, and a decryptor by just running a batch file.

The LockBit 3.0 ransomware builder makes it easy for any would-be threat actor to roll out their own operation simply by modifying the enclosed configuration file to use custom ransom notes.

Ransomware operations were launched in the past from the leaks of the Babuk ransomware builder and Conti source code.

Other research this week shows how the BlackMatter ransomware gang continues to evolve its operation by upgrading its data exfiltration tool for double-extortion attacks.

This week, we also learned more about ransomware attacks, including those on the New York Racing Association and a New York ambulance service.

Contributors and those who provided new ransomware information and stories this week include: @struppigel, @DanielGallagher, @demonslay335, @malwrhunterteam, @Seifreed, @malwareforme, @fwosar, @BleepinComputer, @FourOctets, @billtoulas, @jorntvdw, @PolarToffee, @Ionut_Ilascu, @VK_Intel, @LawrenceAbrams, @serghei, @S2W_Official, @GeeksCyber, @BroadcomSW, @pcrisk, @3xp0rtblog, @vxunderground, @PogoWasRight, @AhnLab_SecuInfo, and @zscaler.

September 17th 2022

New York ambulance service discloses data breach after ransomware attack

Empress EMS (Emergency Medical Services), a New York-based emergency response and ambulance service provider, has disclosed a data breach that exposed customer information.

September 19th 2022

New STOP Ransomware variants

PCrisk found new STOP ransomware variants that append the .aawt, .aabn, .aamv, and .aayu extension.

New Phobos variant

PCrisk found a new Phobos ransomware variant that appends the .duck extension and drops a ransom note named info.txt and info.hta.

New VoidCrypt variant

PCrisk found a new VoidCrypt ransomware variant that appends the .Joker extension and drops a ransom note named Decryption-Guide.txt and Decryption-Guide.HTA.

New VSOP variant

PCrisk found a new VSOP ransomware variant that appends the .minex extension and drops a ransom note named readme.txt.

September 20th 2022

Hive ransomware claims attack on New York Racing Association

The Hive ransomware operation claimed responsibility for an attack on the New York Racing Association (NYRA), which previously disclosed that a cyber attack on June 30, 2022, impacted IT operations and website availability and compromised member data.

New BlackBit ransomware

PCrisk found a ransomware called BlackBit that appends the .BlackBit extension and drops a ransom notes named Restore-My-Files.txt and info.hta.

September 21st 2022

LockBit ransomware builder leaked online by “angry developer”

The LockBit ransomware operation has suffered a breach, with an allegedly disgruntled developer leaking the builder for the gang's newest encryptor.

Technical Analysis of Crytox Ransomware

The threat actor using Crytox ransomware has been active since at least 2020, but has received significantly less attention than many other ransomware families. In September 2021, the Netherlands-based company RTL publicly acknowledged that they were compromised by the threat actor. The company paid Crytox 8,500 euros. Compared with current ransom demands, this amount is relatively low. Unlike most ransomware groups, the Crytox threat actor does not perform double extortion attacks where data is both encrypted and held for ransom.

September 22nd 2022

BlackCat ransomware’s data exfiltration tool gets an upgrade

The BlackCat ransomware (aka ALPHV) isn't showing any signs of slowing down, and the latest example of its evolution is a new version of the gang's data exfiltration tool used for double-extortion attacks.

Quick Overview of Leaked LockBit 3.0 (Black) builder program

Build.bat creates an RSA public/private key pair by executing Keygen.exe, and Builder.exe that generates a LockBit 3.0 ransomware using the generated key pair.

A technical analysis of the leaked LockBit 3.0 builder

This is our analysis of the LockBit 3.0 builder that was leaked online on September 21, 2022.

Ransomware disguised as GTA 6 source code

MalwareHunterTeam found a few ransomware samples pretending to be GTA 6 source code.

New Zeppelin variant

PCrisk found a new Zeppelin ransomware variant that appends the .ORCA extension and drops the HOW_TO_RECOVER_DATA.hta ransom note.

September 23rd 2022

New STOP Ransomware variants

PCrisk found new STOP ransomware variants that append the .ofoq, .ofww, and .oflg extension.

FARGO Ransomware (Mallox) Being Distributed to Vulnerable MS-SQL Servers

The ASEC analysis team is constantly monitoring malware distributed to vulnerable MS-SQL servers. The analysis team has recently discovered the distribution of FARGO ransomware that is targeting vulnerable MS-SQL servers. Along with GlobeImposter, FARGO is one of the prominent ransomware that targets vulnerable MS-SQL servers. In the past, it was also called the Mallox because it used the file extension .mallox.

That's it for this week! Hope everyone has a nice weekend!

The Week in Ransomware - September 23rd 2022 - LockBit leak

"The investigation revealed that the threat actor launched credential stuffing attacks against high-risk accounts that didn't have multi-factor authentication (MFA) enabled and leveraged the unsecured administrator accounts to gain initial access," the Microsoft 365 Defender Research Team said.

"The unauthorized access to the cloud tenant enabled the actor to create a malicious OAuth application that added a malicious inbound connector in the email server."

The attacker then used this inbound connector and transport rules designed to help evade detection to deliver phishing emails through the compromised Exchange servers.

The threat actors deleted the malicious inbound connector and all the transport rules between spam campaigns as an additional defense evasion measure.

In contrast, the OAuth application remained dormant for months between attacks until it was used again to add new connectors and rules before the next wave of attacks.

These email campaigns were triggered from Amazon SES and Mail Chimp email infrastructure commonly used to send marketing emails in bulk.

The attacker used a network of single-tenant applications as an identity platform throughout the attack.

After detecting the attack, Redmond took down all apps linked to this network, sent alerts, and recommended remediation measures to all affected customers.

Microsoft says this threat actor was linked to campaigns pushing phishing emails for many years.

The attacker was also seen sending high volumes of spam emails within short timeframes through other means "such as connecting to mail servers from rogue IP addresses or sending directly from legitimate cloud-based bulk email sending infrastructure."

"The actor's motive was to propagate deceptive sweepstakes spam emails designed to trick recipients into providing credit card details and signing up for recurring subscriptions under the guise of winning a valuable prize," Microsoft further revealed.

"While the scheme possibly led to unwanted charges for targets, there was no evidence of overt security threats such as credential phishing or malware distribution."

Source

The Indian government has proposed a law to bring under a legal framework the interception of communication services. According to the new draft of the Telecommunications bill 2022 uploaded late on Wednesday:

Telecommunication services mean service of any description. This includes broadcasting services, electronic mail, voice mail, voice, video, and data communication services, audiotex services, videotex services, fixed and mobile services, internet and broadband services, and satellite-based communication services.

The law applies also applies to internet-based communication services, in-flight and maritime connectivity services, interpersonal communications services, machine-to-machine communication services, and over-the-top (OTT) communication services) which is made available to users by telecommunication.

Needless to mention, if the bill turns into law, the modern-day telecommunications industry might be forced to take some very drastic measures. Encrypted messages have become one of the most important attributes of several messaging platforms. In order to comply, communication platforms and apps may have to compromise privacy.

The concerning component of the Indian Telecommunications Bill, 2022 is under section 24, which gives the government wide-ranging powers. Under Section 24 (2), "on the occurrence of any public emergency or in the interest of public safety," the central or state governments, or any authorized officer, can issue a directive to intercept and disclose any message or class of messages transmitted or received by any telecommunication services.

If enacted, it could mean the end of E2EE, at least for Indians. This is because the provision of the draft bill essentially lets the Indian government bypass encryption and intercept messagesand calls on platforms such as WhatsApp, Signal, and more. If these platforms won’t comply, the government could even ban them from the country.

Recently, the Indian government went after VPN (virtual private network) services. However, action against non-complying platforms has been postponed as of now.

Source: The Hindustan Times

Indian government proposes law to intercept and read encrypted messages

When Brave users visited a foreign language site previously, an option to install a Google Translate plugin was presented to them. While that ensured that sites and content could be translated, it was not the most privacy friendly option.

Now, with the release of Brave 1.43.88 for desktop systems and Android in early September 2022, comes the switch to a new translation service. Like Vivaldi Technologies, Brave is using a self-hosted Lingvanex server to power translations.

Whenever Brave users visit a website that is in a foreign language, meaning a language not installed on the user's device, Brave offers to translate it. The prompt is subtle, displaying only the source and target languages, and a menu icon. Compare to Vivaldi, it is lacking direct access to options, including the ability to pick a different target language and enabling the always translate option.

These are supported by Brave, but only displayed when the menu is selected. All it takes to translate a webpage is to select the default target language. Translations happen quickly, just like in Vivaldi.

The menu displays options to change the target language, preferences to always or never translate the language, or to never display the translate prompt for the active site. The last option gives users an option to switch the source language, if Brave's detection of the language failed.

Closing Words

Brave's new translate feature is a self-hosted privacy friendly service that does not require connections to Google to translate webpages. Brave's translation feature, and Vivaldi's as well, still requires Internet connectivity. Mozilla's Firefox Translate feature for Firefox integrates locally into the Firefox browser, which means that users may translate content without making any connections to servers on the Internet.

The one downside to using Firefox Translate is that language support is limited currently.

Still, for Brave users who rely on translate functionality, it is an important feature.

Now You: do you use translate functionality in your browsers of choice?

Brave integrates privacy friendly translate option in its browser

Disclosed in 2007 and tagged as CVE-2007-4559, the security issue never received a patch, the only mitigation provided being a documentation update warning developers about the risk.

Unpatched since 2007

The vulnerability is in the Python tarfile package, in code that uses un-sanitized tarfile.extract() function or the built-in defaults of tarfile.extractall(). It is a path traversal bug that enables an attacker to overwrite arbitrary files.

Technical details for CVE-2007-4559 have been available since the initial report in August 2007. While there are no reports about the bug being leveraged in attacks, it represents a risk in the software supply chain.

Earlier this year, while investigating another security issue, CVE-2007-4559 was rediscovered by a researcher at Trellix, a new business providing extended detection and response (XDR) solutions that resulted from the merger of McAfee Enterprise and FireEye.

The flaw stems from the fact that code in the extract function in Python's tarfile module explicitly trusts the information in the TarInfo object "and joins the path that is passed to the extract function and the name in the TarInfo object"

Less than a week after the disclosure, a message on the Python bug tracker announced that the issue was closed, the fix being updating the documentation with a warning "that it might be dangerous to extract archives from untrusted sources."

Estimated 350,000 projects impacted 

Analyzing the impact, Trellix researchers found that the vulnerability was present in thousands of software projects, both open and closed source.

The researchers scraped a set of 257 repositories more likely to include the vulnerable code and manually checked 175 of them to see if they were affected. This revealed that 61% of them were vulnerable.

Running an automated check on the rest of the repositories increased the number of impacted projects to 65%, indicating a widespread issue.

However, the small sample set served only as a baseline for coming up with an estimation of all impacted repositories available on GitHub.

Using the 61% vulnerability rate verified manually, Trellix estimates that there are more than 350,000 vulnerable repositories, many of them used by machine learning tools (e.g. GitHub Copilot) that help developers complete a project faster.

Such automated tools rely on code from hundreds of thousands of repositories to provide "auto-complete" options. If they provide insecure code, the issue propagates to other projects without the developer knowing it.

Looking further into the problem, Trellix found that open-source code vulnerable to CVE-2007-4559 "spans a vast number of industries."

As expected, the most impacted is the development sector, followed by web and machine learning technology.

Exploiting CVE-2007-4559

In a technical blog post today, Trellix vulnerability researcher Kasimir Schulz, who rediscovered the bug, described the simple steps to exploit CVE-2007-4559 in the Windows version of Spyder IDE, an open-source cross-platform integrated development environment for scientific programming.

The researchers showed that the vulnerability can be leveraged on Linux, too. They managed to escalate the file write and achieve code execution in a test on Polemarch IT infrastructure management service.

Apart from drawing attention to the vulnerability and the risk it poses, Trellix also created patches for a little over 11,000 projects. The fixes will be available in a forked of the impacted repository. Later, they will be added to the main project via pull requests.

Because of the large number of affected repositories, the researchers expect more than 70,000 projects to receive a fix in the next few weeks. Hitting the 100% mark is a tough challenge, though, as merge requests also need to be accepted by the maintainers.

BleepingComputer has reached out to Python Software Foundation for a comment about CVE-2007-4559 but has not received an answer at publishing time.

Source: Bleeping Computer

https://www.bleepingcomputer.com/news/security/unpatched-15-year-old-python-bug-allows-code-execution-in-350k-projects/

According to a large number of reports from people affected by this, their browsers were prevented from accessing Google sites after Malwarebytes flagged and blocked them as malicious.

As many shared, they were swarmed by a barrage of malware notifications, all pointing to various websites on google.com subdomains tagged as containing malware. 

"Malwarebytes pushed a bad update it seems. I couldn't access any Google websites and was getting constant malware notifications from Google websites," one impacted customer said.

"I turned off real time web protection and now it works fine. Any device I have that doesn't have Malwarebytes (Android phone, other windows devices) wasn't affected."

Malwarebytes quickly picked up on what was going on and explained in a tweet published in response to the stream of user reports that this was caused by a temporary issue affecting a web filtering component module in the company's security products.

"We are aware of a temporary issue with the web filtering component of our product that may be blocking certain domains, including http://google.com," the company said.

False positive fix rolling out

Malwarebytes also provided a workaround for impacted users, which required them to disable the buggy module by opening Malwarebytes and toggling off the Web Protection option in the Real Time Protection card.

One hour, the anti-malware software vendor revealed that it had resolved the issue and all customers' software would update on its own to remove the false positive errors.

"The issue is now resolved, and the update should happen automatically," Malwarebytes told affected users via Twitter.

"If you are still experiencing issues, please ensure the Malwarebytes client is updated to the latest version."

However, according to some reports, the issue might still impact enterprise customers since some endpoints still see Google's domains being blocked.

The most likely reason is that the update still has to finish rolling out to Malwarebytes' entire customer base.

Malwarebytes mistakenly blocks Google, YouTube for malware

DDoS attacks are cyberattacks that flood servers with fake requests and garbage traffic, rendering them unavailable to legitimate visitors and customers.

The cybersecurity and cloud services company Akamai reports that the recent attack appears to originate from the same threat actor, meaning that the operators are in the process of empowering their swarm further.

The victim is also the same as in July, an unnamed customer in Eastern Europe who has been “bombarded relentlessly” by the DDoS operatives all this time.

On September 12, these attacks culminated at unprecedented levels when the “garbage” traffic sent to the target network peaked at 704.8 Mpps, roughly 7% higher than the July attack.

Apart from the volume of the attack, the threat actors also expanded their targeting, which was previously rather narrow, focusing on the company’s primary data center.

This time, the threat actors spread their firepower to six data center locations in Europe and North America.

Additionally, Akamai detected and blocked 201 cumulative attacks, compared to 75 in July, and recorded traffic sources from 1813 IPs, compared to 512 previously.

“The attackers’ command and control system had no delay in activating the multidestination attack, which escalated in 60 seconds from 100 to 1,813 IPs active per minute,” comments Akamai in the report.

This expansion in the targeting scope aims at hitting resources that are not prioritized as critical and thus inadequately protected but whose downtime will still cause trouble to the firm.

The particular company, however, had taken precautions due to the July attack and had secured all their 12 datacenters, resulting in 99.8% of the malicious traffic being pre-mitigated.

The motivation behind these persistent and massive-scale attacks remains unknown, but the region of Eastern Europe has been at the epicenter of hacktivism since the start of the year.

Source: Bleeping Computer

https://www.bleepingcomputer.com/news/security/akamai-stopped-new-record-breaking-ddos-attack-in-europe/