<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/111/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Fake cryptocurrency giveaway sites have tripled this year</title><link>https://nsaneforums.com/news/security-privacy-news/fake-cryptocurrency-giveaway-sites-have-tripled-this-year-r8522/</link><description><![CDATA[<p>
	<span style="font-size:14px;">The number of websites promoting cryptocurrency giveaway scams to lure gullible victims has increased by more than 300% in the first half of this year, targeting mostly English and Spanish speakers using celebrity deepfakes.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Security researchers at cybersecurity company Group-IB have identified more than 2,000 domains registered in 2022 specifically for this purpose.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">A <a href="https://www.group-ib.com/media/massive-crypto-attack/" rel="external nofollow">report published today</a> notes that the number of fake giveaways involving cryptocurrency has increased fivefold compared to the same period last year.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Each of these sites has an average reach of about 15,000 viewers. If this data is accurate, scammers have a targeting pool of about 30 million people. The use of top-level domains (TLDs) that are considered more trustworthy (“.COM”, “.NET”, and “.ORG”) has also contributed to this success.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="overall-diagram.png" class="ipsImage" data-ratio="75.10" height="540" width="675" src="https://www.bleepstatic.com/images/news/u/1220909/Diagrams/overall-diagram.png" />
</div>

<div>
	<span style="font-size:14px;">H1 2022 fake crypto giveaway overview (Group-IB)</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">Group-IB says that scammers abuse several video platforms to promote the fake giveaways in live streams with deepfakes of Elon Musk, Garlinghouse, Michael J. Saylor, and Cathie Wood. YouTube is first on the list, followed by Twitch.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="elon-musk-stream.png" class="ipsImage" data-ratio="75.10" height="462" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Website%20snaps/elon-musk-stream.png" />
</div>

<div>
	<span style="font-size:14px;">Elon Musk deepfake on a fake giveaway stream (Group-IB)</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">The promotional streams come from accounts that have been hijacked or rented from underground hackers who receive between 10% and 50% of the earnings, depending on the size of the channel.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The more subscribers the channel has, the harder it is to block the stream, as it would take a higher number of reports to trigger YouTube’s moderation system.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Additionally, the scammers have set up campaigns using the image of El Salvador’s president, Nayib Bukele, who has declared Bitcoin legal tender in the country, or soccer player Cristiano Ronaldo, who signed an exclusive partnership with Binance this summer.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="el-salvador.png" class="ipsImage" data-ratio="75.10" height="502" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Website%20snaps/el-salvador.png" />
</div>

<div>
	<span style="font-size:14px;">Promotional website for fake giveaway using El Salvador's president (Group-IB)</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">This shows that scammers are quick to adjust to new developments in the field and take advantage of the current context to promote realistic scams.</span>
</p>

<h2>
	<span style="font-size:14px;">Scams are easier to set up</span>
</h2>

<p>
	<span style="font-size:14px;">Group-IB explains that the primary reason behind the sudden surge of cryptocurrency scams this year is the much broader availability of tools that help in building them.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">“The phenomenal growth of fake crypto giveaways can be explained by a significantly enhanced arsenal and availability of tools for crypto scammers, even with low technical skills,” explains the cyber-intelligence firm.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">“Group-IB revealed that forums used by scammers make up a full-fledged marketplace that can help even first-time non-tech-savvy scammers carry out a crypto fraud scheme,” the researchers say.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Russian-speaking forums today offer a dedicated market for hacked YouTube accounts, viewer-boosting services, detailed tutorials on how to set up scams, drag-and-drop website-building platforms, bulletproof hosting services, and deepfake creation tools.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Moreover, these forums are stomping grounds for scam mentors, fake giveaway promotion specialists, and various service contractors, so the fraudsters don't need any technical knowledge to run these campaigns.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="russia-registrars.png" class="ipsImage" data-ratio="75.10" height="498" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Diagrams/russia-registrars.png" />
</div>

<div>
	<span style="font-size:14px;">Most scam sites using a Russian registrar (Group-IB)</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">Group-IB says a complete crypto stream design costs around $200, while the production of a celebrity deepfake video would set the crooks back around $30.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Fake giveaway landing pages cost between $200 and $600, manuals are sold for around $100, and fully automated toolkits range between $500 and $1,500 per month.</span>
</p>

<p>
	 
</p>

<div>
	<p>
		<span style="font-size:14px;">“Scams targeting crypto enthusiasts are becoming increasingly common, and their scope and sophistication are growing. Crypto giveaway scams have evolved into a profitable illicit market segment. Small-time scammers and more advanced cybercriminals band together, allowing them to automate and streamline operations.” - Group-IB</span>
	</p>
</div>

<h3>
	<span style="font-size:14px;">How to stay safe</span>
</h3>

<p>
	<span style="font-size:14px;">Prospective investors and digital asset enthusiasts should be vigilant about cryptocoin giveaways and always do a thorough check of the details behind such promos before providing any sensitive information.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">When a celebrity-endorsed promotion on YouTube looks too good, an easy way to figure out if it's a scam or not is to check the channel name and history. If it’s not the official channel of the celebrity, the giveaway is most likely a scam attempt.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Source: Bleeping Computer</span>
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/fake-cryptocurrency-giveaway-sites-have-tripled-this-year/" rel="external nofollow">https://www.bleepingcomputer.com/news/security/fake-cryptocurrency-giveaway-sites-have-tripled-this-year/</a></span>
</p>
]]></description><guid isPermaLink="false">8522</guid><pubDate>Tue, 20 Sep 2022 20:50:26 +0000</pubDate></item><item><title>Bitdefender releases free decryptor for LockerGoga ransomware</title><link>https://nsaneforums.com/news/security-privacy-news/bitdefender-releases-free-decryptor-for-lockergoga-ransomware-r8521/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Romanian cybersecurity firm Bitdefender has released a free decryptor to help LockerGoga ransomware victims recover their files without paying a ransom.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The free tool is available for download from <a href="https://download.bitdefender.com/am/malware_removal/BDLockerGogaDecryptTool.exe" rel="external nofollow">Bitdefender's servers</a> and allows you to recover encrypted files using instructions in this usage guide [<a href="https://www.nomoreransom.org/uploads/LockerGoga-Decrypt-Doc.pdf" rel="external nofollow">PDF</a>].</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Bitdefender says the decryptor was developed in cooperation with law enforcement agencies, including Europol, the NoMoreRansom Project, the Zürich Public Prosecutor's Office, and the Zürich Cantonal Police.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">For a working decryptor to be created, researchers usually need to identify a flaw in the cryptography used by the ransomware encryptor.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, in this case, the LockerGoga operators were <a href="https://www.bleepingcomputer.com/news/security/police-arrest-hackers-behind-over-1-800-ransomware-attacks/" rel="external nofollow">arrested in October 2021</a>, which may have allowed law enforcement to access the master private keys used to decrypt victims' encryption keys.</span>
</p>

<h2>
	<span style="font-size:14px;">How to decrypt your files</span>
</h2>

<p>
	<span style="font-size:14px;">Files encrypted by LockerGoga will have the ".locked" filename extension and cannot be opened with regular software.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Bitdefender's tool offers to scan your entire filesystem or a single folder, locate any encrypted files, and perform the decryption automatically.</span>
</p>

<p>
	 
</p>

<div>
	<span style="font-size:14px;"><img alt="Bitdefender's LockerGoga decryptor" data-ratio="69.17" src="https://www.bleepstatic.com/images/news/u/1220909/Software/second-screen.png" /></span>
</div>

<div>
	<span style="font-size:14px;">Bitdefender's LockerGoga decryptor</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">For this to work, the computer needs to be connected to the internet, and the ransom notes generated by the ransomware during the encryption need to be in the original paths.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Bitdefender says the decryptor can operate either on a single machine or on entire networks encrypted by LockerGoga.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Note that the decryption process can be interrupted or may not always work as expected, and you might end up with corrupted files. For this reason, the decryptor has the "backup files" option ticked by default, and users are recommended to leave that setting enabled.</span>
</p>

<h2>
	<span style="font-size:14px;">Who was LockerGoga</span>
</h2>

<p>
	<span style="font-size:14px;">The LockerGoga ransomware operation launched in January 2019, hitting high-profile targets such as the French engineering firm <a href="https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/" rel="external nofollow">Altran Technologies</a> and the Norwegian aluminum giant <a href="https://www.bleepingcomputer.com/news/security/lockergoga-ransomware-sends-norsk-hydro-into-manual-mode/" rel="external nofollow">Norsk Hydro</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Together with Ryuk and MegaCortex, LockerGoga was involved in ransomware attacks against at least <a href="https://www.bleepingcomputer.com/news/security/dutch-govt-warns-of-3-ransomware-infecting-1-800-businesses/" rel="external nofollow">1,800 organizations</a> worldwide.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In October 2021, <a href="https://www.bleepingcomputer.com/news/security/police-arrest-hackers-behind-over-1-800-ransomware-attacks/" rel="external nofollow">twelve individuals were arrested</a> in an international law enforcement operation for deploying various ransomware strains, including LockerGoga.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Its operator, who has been detained since October 2021 pending trial, is part of a larger cybercrime ring that used LockerGoga and MegaCortex ransomware to infect more than 1,800 persons and institutions in 71 countries to cause an estimated damage of $US 104 million," Bitdefender explains in the decryptor announcement.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Since the operator's arrest, threat actors have ceased using the LockerGoga ransomware, and the ransomware's source code was never released.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Therefore, this decryptor will mostly be for past victims who refused to pay the ransom and have been waiting to recover their files for free.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Source: Bleeping Computer</span>
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/bitdefender-releases-free-decryptor-for-lockergoga-ransomware/" rel="external nofollow">https://www.bleepingcomputer.com/news/security/bitdefender-releases-free-decryptor-for-lockergoga-ransomware/</a></span>
</p>
]]></description><guid isPermaLink="false">8521</guid><pubDate>Tue, 20 Sep 2022 20:38:50 +0000</pubDate></item><item><title>CISA orders agencies to patch vulnerability used in Stuxnet attacks</title><link>https://nsaneforums.com/news/security-privacy-news/cisa-orders-agencies-to-patch-vulnerability-used-in-stuxnet-attacks-r8520/</link><description><![CDATA[<p>
	<span style="font-size:14px;">The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added half a dozen vulnerabilities to its catalog of Known Exploited Vulnerabilities and is ordering federal agencies to follow the vendors’ instructions to fix them.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Of the six security flaws, only one was disclosed this year. It impacts Trend Micro’s Apex One platform for automated threat detection and response.</span>
</p>

<h3>
	<span style="font-size:14px;">Ancient bugs resurrected</span>
</h3>

<p>
	<span style="font-size:14px;">CISA is giving federal agencies until October 6th to patch security vulnerabilities reported between 2010 and 2022.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Exploiting most of them gives an attacker admin-level permissions on the system (local privilege escalation - LPE), while for two of them the result is remote code execution (RCE).</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Most of the vulnerabilities that CISA added to its KEV catalog were disclosed in 2013 and were <a href="https://www.bleepingcomputer.com/news/security/google-discovers-new-tizi-android-spyware/" rel="external nofollow">used to root Android devices</a> back in the day, through the Tizi malware.</span>
</p>

<ul>
	<li>
		<span style="font-size:14px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2013-6282" rel="external nofollow">CVE-2013-6282</a> (LPE) - Linux kernel improper input validation that allows read/write to memory, used for rooting Android devices [VROOT]</span>
	</li>
	<li>
		<span style="font-size:14px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2013-2597" rel="external nofollow">CVE-2013-2597</a> (LPE) - stack-based buffer overflow in Code Aurora audio driver</span>
	</li>
	<li>
		<span style="font-size:14px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2013-2596" rel="external nofollow">CVE-2013-2596</a> (LPE) - Linux kernel integer overflow</span>
	</li>
	<li>
		<span style="font-size:14px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2013-2094" rel="external nofollow">CVE-2013-2094</a> (LPE) - Linux kernel privilege escalation</span>
	</li>
</ul>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The oldest bug that CISA ordered federal agencies to patch is from 2010 and was used to spread the Stuxnet worm that damaged the centrifuges at Iran’s Natanz uranium enrichment plant to slow the country’s progress towards developing nuclear weapons.</span>
</p>

<ul>
	<li>
		<span style="font-size:14px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2010-2568" rel="external nofollow">CVE-2010-2568</a> (RCE) - Microsoft Windows parsing shortcuts incorrectly, allowing code execution when displaying an icon of a malicious shortcut file</span>
	</li>
</ul>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The security issue affecting Trend Micro Apex One and Apex One as a Service is the most recent one. It was <a href="https://www.bleepingcomputer.com/news/security/trend-micro-warns-of-actively-exploited-apex-one-rce-vulnerability/" rel="external nofollow">disclosed earlier this month</a> (CVE-2022-40139) and threat actors have exploited it for at least one attack.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">As per the <a href="https://www.bleepingcomputer.com/news/security/cisa-orders-federal-agencies-to-fix-hundreds-of-exploited-security-flaws/" rel="external nofollow">binding operational directive 22-01</a> from November 2021, all Federal Civilian Executive Branch Agencies have to patch the security vulnerabilities CISA adds to its KEV catalog for a more secure environment.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">While the directive is for organizations in the U.S., companies and corporations around the world can use CISA’s catalog to improve the security of their networks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Source: Bleeping Computer</span>
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/cisa-orders-agencies-to-patch-vulnerability-used-in-stuxnet-attacks/" rel="external nofollow">https://www.bleepingcomputer.com/news/security/cisa-orders-agencies-to-patch-vulnerability-used-in-stuxnet-attacks/</a></span>
</p>
]]></description><guid isPermaLink="false">8520</guid><pubDate>Tue, 20 Sep 2022 20:37:06 +0000</pubDate></item><item><title>Microsoft 365 phishing attacks impersonate U.S. govt agencies</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-365-phishing-attacks-impersonate-us-govt-agencies-r8519/</link><description><![CDATA[<p>
	<span style="font-size:14px;">An ongoing phishing campaign targeting U.S. government contractors has expanded its operation to push higher-quality lures and better-crafted documents.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The lure in these phishing emails is a request for bids for lucrative government projects, taking them to phishing pages that are clones of legitimate federal agency portals.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This is the same operation that INKY reported about in January 2022, with the threat actors using attached PDFs with instructions on going through the bidding process for the U.S. Department of Labor projects.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">According to <a href="https://cofense.com/blog/credential-phishing-targeting-government-contractors-evolves-over-time" rel="external nofollow">a report by Cofense</a>, the operatives have expanded their targeting and are now also spoofing the Department of Transportation and the Department of Commerce.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Moreover, there’s now a plethora of different lures used in the messages, better phishing web page behavior, and removal of artifacts that revealed the signs of fraud in previous versions of the attached PDFs.</span>
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="lures.png" class="ipsImage" data-ratio="75.10" height="540" width="537" src="https://www.bleepstatic.com/images/news/u/1220909/Phishing/lures.png" />
	</p>

	<p>
		<span style="font-size:14px;">The various lures used for each case of spoofed department (Cofense)</span>
	</p>
</div>

<h2>
	<span style="font-size:14px;">Polishing a high-quality campaign</span>
</h2>

<p>
	<span style="font-size:14px;">Building upon what they have previously achieved, the phishing actors behind this campaign have implemented careful revisions to increase their success rates.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Starting with the phishing emails, Cofense reports they now feature more consistent formatting and larger logos, and link to the PDF instead of attaching the file.</span>
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="bid-invite-transport.png" class="ipsImage" data-ratio="75.10" height="254" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Phishing/bid-invite-transport.png" />
	</p>

	<p>
		<span style="font-size:14px;">First and second page of new PDFs used in the campaign (Cofense)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">The PDF files used to contain detailed instructions on how to bid, with overly technical information included. Now, they have been simplified and reduced in size, featuring more prominent logos and a link to the phishing page.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Also, the PDFs previously featured the same signee, “edward ambakederemo,” whereas now, the metadata in the documents matches the spoofed department. For example, lures supposedly sent by the Wisconsin Department of Transportation are signed with “WisDOT.”</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The phishing websites have also received targeted improvements, using HTTPS on all web pages in the same domain.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In addition to the “.gov” sites previously serving the campaign, the threat actors now also use very long domains like “transportation[.]gov[.]bidprocure[.]secure[.]akjackpot[.]com” to make them appear legitimate when opened from mobile browsers that can’t show the full length in the URL bar.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">On the phishing page that tries to trick visitors into entering their Microsoft Office 365 account credentials, the threat actors have now added a Captcha Challenge step to ensure they’re not logging bot inputs.</span>
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="catcpha.png" class="ipsImage" data-ratio="75.10" height="509" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Phishing/catcpha.png" />
	</p>

	<p>
		<span style="font-size:14px;">Captcha step added before exfiltrating the credentials (Cofense)</span>
	</p>
</div>

<h2>
	<span style="font-size:14px;">Outlook</span>
</h2>

<p>
	<span style="font-size:14px;">It appears that the operatives of this campaign aren’t likely to stop any time soon, as they are now simultaneously expanding their targeting scope while refining their lures.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Considering that the emails, PDFs, and websites used in this phishing operation are essentially copies of the actual content from requests for bids and state bidding portals, it may be hard to catch the signs of fraud.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">“Given the advancements seen in each area of the phishing chain, it is likely the threat actors behind these campaigns will continue to innovate and improve upon their already believable campaigns,” predicts Cofense.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The only way to defend against this is to examine all details, such as the sending address and the landing URL, and, ideally, to reach the bidding portal through a search engine instead of following the links provided.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">If unsure, try searching the URLs online, as many of these long-lasting campaigns have published indicators of compromise confirming their fraudulent nature.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Source: Bleeping Computer</span>
</p>

<div>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/microsoft-365-phishing-attacks-impersonate-us-govt-agencies/" rel="external nofollow">https://www.bleepingcomputer.com/news/security/microsoft-365-phishing-attacks-impersonate-us-govt-agencies/</a></span>
</div>
]]></description><guid isPermaLink="false">8519</guid><pubDate>Tue, 20 Sep 2022 20:32:42 +0000</pubDate></item><item><title>American Airlines discloses data breach after employee email compromise</title><link>https://nsaneforums.com/news/security-privacy-news/american-airlines-discloses-data-breach-after-employee-email-compromise-r8518/</link><description><![CDATA[<p>
	<span style="font-size:14px;">American Airlines has notified customers of a recent data breach after attackers compromised an undisclosed number of employee email accounts and gained access to sensitive personal information.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In notification letters sent on Friday, September 16th, the airline explained that it has no evidence that the exposed data was misused. </span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">American Airlines discovered the breach on July 5th, immediately secured the impacted email accounts, and hired a cybersecurity forensic firm to investigate the security incident.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"In July 2022 we discovered that an unauthorized actor compromised the email accounts of a limited number of American Airlines team members," the airline told affected customers [<a href="https://www.documentcloud.org/documents/22419102-american_airlines_data_braech_notification_sep_16_22" rel="external nofollow">PDF</a>].</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Upon discovery of the incident, we secured the applicable email accounts and engaged a third party cybersecurity forensic firm to conduct a forensic investigation to determine the nature and the scope of the incident."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Personal information exposed in the attack and potentially accessed by the threat actors may have included employees' and customers' names, dates of birth, mailing addresses, phone numbers, email addresses, driver's license numbers, passport numbers, and / or certain medical information.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The airline said it would offer affected customers free two-year membership of Experian's IdentityWorks to help with identity theft detection and resolution.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Although we have no evidence that your personal information has been misused, we recommend that you enroll in Experian's credit monitoring," American Airlines added.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"In addition, you should remain vigilant, including by regularly reviewing your account statements and monitoring free credit reports."</span>
</p>

<h2>
	<span style="font-size:14px;">Limited number of affected individuals</span>
</h2>

<p>
	<span style="font-size:14px;">The company is yet to disclose the number of affected customers and how many email accounts were breached in the incident.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Andrea Koos, American Airlines' Sr. Manager for Corporate Communications, told BleepingComputer after the article was published that the employees' accounts were compromised in a phishing campaign, but declined to reveal how many customers and employees were affected, saying only that it was a "very small number."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"American Airlines is aware of a phishing campaign that led to the unauthorized access to a limited number of team member mailboxes. A very small number of customers and employees’ personal information was contained in those email accounts," Koos said.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"While we have no evidence that any personal information has been misused, data security is of the utmost importance and we offered customers and team members precautionary support. We are also currently implementing additional technical safeguards to prevent a similar incident from occurring in the future."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">American Airlines was also hit by a data breach in March 2021 when global air information tech giant <a href="https://www.bleepingcomputer.com/news/security/sita-data-breach-affects-millions-of-travelers-from-major-airlines/" rel="external nofollow">SITA confirmed that hackers breached its servers</a> and gained access to the Passenger Service System (PSS) used by multiple airlines worldwide, including American Airlines.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">As the world's largest airline by fleet size (more than 1,300 aircraft in its mainline), American Airlines has more than 120,000 employees and operates almost 6,700 flights daily to roughly 350 destinations in over 50 countries.</span>
</p>

<p>
	<span style="font-size:14px;">Update: Added American Airlines statement.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Source: Bleeping Computer</span>
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/american-airlines-discloses-data-breach-after-employee-email-compromise/" rel="external nofollow">https://www.bleepingcomputer.com/news/security/american-airlines-discloses-data-breach-after-employee-email-compromise/</a></span>
</p>
]]></description><guid isPermaLink="false">8518</guid><pubDate>Tue, 20 Sep 2022 20:29:36 +0000</pubDate></item><item><title>Hackers steal $162 million from Wintermute crypto market maker</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-steal-162-million-from-wintermute-crypto-market-maker-r8517/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Digital assets trading firm Wintermute has been hacked and lost $162.2 million in DeFi operations, the company CEO, Evgeny Gaevoy, announced earlier today.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Wintermute provides liquidity to over 50 cryptocurrency exchanges and trading platforms, including Binance, Coinbase, Kraken, and Bitfinex.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The company remains solvent, holding twice the stolen amount in equity. A service disruption in the following days, though, is to be expected as the platform will work to restore all its operations.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Gaevoy has also stated that they’re willing to treat the security incident as a “white hat” event, meaning they are open to paying the attacker a bounty for successfully exploiting the vulnerability, without any legal consequences.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, it’s unknown if the threat actor is interested in returning the stolen funds to Wintermute.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The company CEO has clarified that Wintermute’s CeFi (centralized finance) and OTC (over-the-counter) operations have not been impacted by the security breach.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://twitter.com/EvgenyGaevoy/status/1572134273875951617?t=D9r5V0N78OWNtGVBsoRvmQ&amp;s=19" rel="external nofollow"><img alt="CEO tweet" data-ratio="47.78" src="https://www.bleepstatic.com/images/news/u/1220909/social%20media/tweet(2).png" /></a></span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">To ease lenders’ anxiety, Gaevoy has offered them the opportunity to recall their loans if they want to.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The <a href="https://debank.com/profile/0xe74b28c2eae8679e3ccc3a94d5d0de83ccb84705" rel="external nofollow">hacker’s wallet</a> currently holds roughly $47.7 million worth of digital assets. The rest of the money has been moved to Curve Finance’s “3CRV” liquidity pool, where the tokens will be hard to distinguish and freeze.</span>
</p>

<h2>
	<span style="font-size:14px;">How the hack happened</span>
</h2>

<p>
	<span style="font-size:14px;">Gaevoy did not provide details about how the hacker managed to steal the funds, but some crypto experts suggest a plausible scenario in which the attacker exploited a bug in Profanity, a vanity address generator for Ethereum, for which a proof-of-concept (PoC) <a href="https://blog.1inch.io/a-vulnerability-disclosed-in-profanity-an-ethereum-vanity-address-tool-68ed7455fc8c" rel="external nofollow">exists</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://twitter.com/Mudit__Gupta/status/1572150289943363589" rel="external nofollow"><img alt="tweet" data-ratio="89.93" src="https://www.bleepstatic.com/images/news/u/1220909/social%20media/expert-take.png" /></a></span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Profanity is an Ethereum vanity address generation tool that lets users create addresses that are not completely random but contain a predefined string of numbers and letters (A through F).</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The author abandoned the project a few years ago, due to fundamental <a href="https://github.com/johguse/profanity/issues/61" rel="external nofollow">security flaws</a> that enabled cracking the private keys.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">More specifically, it was estimated that someone could brute-force private keys of every 7-character vanity address using roughly a thousand GPUs for 50 days.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Although such a collection of GPUs requires a significant investment, many cryptocurrency mining farms work with a larger number of GPUs.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Furthermore, powerful mining farms have been <a href="https://www.protocol.com/climate/ethereum-merge-mining-rigs-climate" rel="external nofollow">rendered useless</a> following the recent Ethereum merge. Some of these farm operators might find that cracking Profanity addresses would be an excellent way to return to profitability.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Security analysts have recently disclosed Profanity's vulnerability and claimed that attackers already used it to <a href="https://cointelegraph.com/news/profanity-tool-vulnerability-drains-3-3m-despite-1inch-warning" rel="external nofollow">steal $3.3 million</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">They called on everyone holding funds in wallets created with Profanity to move the assets elsewhere immediately.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Following the recent disclosures, the author of Profanity removed all binaries and <a href="https://github.com/johguse/profanity/issues/76" rel="external nofollow">archived</a> the project’s GitHub repository to reduce the risk of someone using the insecure tool in the future.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The compromised Wintermute wallet appears to have been created with the buggy vanity address generator, so the Profanity weakness looks like a valid possibility for stealing the money.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Source: Bleeping Computer</span>
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/hackers-steal-162-million-from-wintermute-crypto-market-maker/" rel="external nofollow">https://www.bleepingcomputer.com/news/security/hackers-steal-162-million-from-wintermute-crypto-market-maker/</a></span>
</p>
]]></description><guid isPermaLink="false">8517</guid><pubDate>Tue, 20 Sep 2022 20:27:19 +0000</pubDate></item><item><title>VMware, Microsoft warn of widespread Chromeloader malware attacks</title><link>https://nsaneforums.com/news/security-privacy-news/vmware-microsoft-warn-of-widespread-chromeloader-malware-attacks-r8516/</link><description><![CDATA[<p>
	<span style="font-size:14px;">VMware and Microsoft are warning of an ongoing, widespread Chromeloader malware campaign that has evolved into a more dangerous threat, seen dropping malicious browser extensions, node-WebKit malware, and even ransomware in some cases.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Chromeloader infections <a href="https://www.bleepingcomputer.com/news/security/new-chromeloader-malware-surge-threatens-browsers-worldwide/" rel="external nofollow">surged in Q1 2022</a>, with researchers at Red Canary warning about the dangers of the browser hijacker used for marketing affiliation and advertising fraud.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Back then, the malware infected Chrome with a malicious extension that redirected user traffic to advertising sites to perform click fraud and generate income for the threat actors.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">A few months later, Palo Alto Network's Unit 42 noticed that Chromeloader was <a href="https://unit42.paloaltonetworks.com/chromeloader-malware/" rel="external nofollow">evolving into an info-stealer</a>, attempting to snatch data stored on the browsers while retaining its adware functions.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">On Friday evening, <a href="https://twitter.com/MsftSecIntel/status/1570911625841983489" rel="external nofollow">Microsoft warned</a> about an "ongoing wide-ranging click fraud campaign" attributed to a threat actor tracked as DEV-0796 using Chromeloader to infect victims with various malware.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="chromeloader.jpg" class="ipsImage" data-ratio="75.10" height="493" width="720" src="https://www.bleepstatic.com/images/news/security/c/chromeloader/chromeloader.jpg" />
</div>

<div>
	<span style="font-size:14px;">Chromeloader attack flow - Source: Microsoft</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">Today, analysts at <a href="https://blogs.vmware.com/security/2022/09/the-evolution-of-the-chromeloader-malware.html" rel="external nofollow">VMware</a> published a technical report describing different variants of Chromeloader that were used in August and this month, some of which are dropping much more potent payloads.</span>
</p>

<h2>
	<span style="font-size:14px;">New variants dropping malware</span>
</h2>

<p>
	<span style="font-size:14px;">The ChromeLoader malware is delivered in ISO files that are distributed through malicious ads, browser redirects, and YouTube video comments.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">ISO files have <a href="https://www.bleepingcomputer.com/news/security/as-microsoft-blocks-office-macros-hackers-find-new-attack-vectors/" rel="external nofollow">become a popular method to distribute malware</a> since <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-starts-blocking-office-macros-by-default-once-again/" rel="external nofollow">Microsoft began blocking Office macros</a> by default. Furthermore, when an ISO is double-clicked in Windows 10 and later, it is automatically mounted as a CD-ROM under a new drive letter, making ISOs an efficient way to distribute multiple malware files at once.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="chromeloader-iso.jpg" class="ipsImage" data-ratio="55.56" height="255" width="720" src="https://www.bleepstatic.com/images/news/security/c/chromeloader/chromeloader-iso.jpg" />
</div>

<div>
	<span style="font-size:14px;">Files contained in a ChromeLoader ISO archive</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">ChromeLoader ISOs commonly contain four files: a ZIP archive containing the malware, an ICON file, a batch file (commonly named Resources.bat) that installs the malware, and a Windows shortcut that launches the batch file.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">As part of their research, VMware sampled at least ten Chromeloader variants since the start of the year, with the most interesting appearing after August.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="evolution-diagram.png" class="ipsImage" data-ratio="75.10" height="540" width="472" src="https://www.bleepstatic.com/images/news/u/1220909/Diagrams/evolution-diagram.png" />
	<p>
		<span style="font-size:14px;">Timeline of Chromeloader evolution (VMware)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">The first example is a program mimicking OpenSubtitles, a utility helping users locate subtitles for movies and TV shows. In this campaign, the threat actors moved away from their usual "Resources.bat" file and switched to one named "properties.bat," used to install the malware and establish persistence by adding Registry keys.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Another notable case is "Flbmusic.exe," mimicking the FLB Music player, featuring an Electron runtime and enabling the malware to load additional modules for network communication and port snooping.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">For some variants, the attacks turned a bit destructive, extracting ZipBombs that overload the system with a massive unpacking operation.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"As recent as late August, ZipBombs have been seen being dropped onto infected systems. The ZipBomb is dropped with the initial infection in the archive the user downloads. The user must double-click for the ZipBomb to run. Once run, the malware destroys the user's system by overloading it with data," explains VMware's report.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Even more concerning, recent Chromeloader variants have been seen deploying the Enigma ransomware in an HTML file.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Enigma is an <a href="https://www.bleepingcomputer.com/news/security/the-enigma-ransomware-targets-russian-speaking-users/" rel="external nofollow">old ransomware strain</a> using a JavaScript-based installer and an embedded executable so that it can be launched directly from the default browser.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">After the encryption is complete, the ".enigma" filename extension is appended to the files, while the ransomware drops a "readme.txt" file containing instructions for the victims.</span>
</p>

<h2>
	<span style="font-size:14px;">Adware is not to be ignored</span>
</h2>

<p>
	<span style="font-size:14px;">Because adware doesn't create notable damage to victims' systems, besides eating up some bandwidth, it is usually a threat that is ignored or downplayed by analysts.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, any software that nests itself in a system without being detected is a candidate for more significant trouble, as its authors may apply modifications that enable more aggressive monetization options.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">While Chromeloader started as adware, it is a perfect example of how threat actors are experimenting with more potent payloads, exploring more profitable alternatives to advertising fraud.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Source: Bleeping Computer</span>
</p>

<div>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/vmware-microsoft-warn-of-widespread-chromeloader-malware-attacks/" rel="external nofollow">https://www.bleepingcomputer.com/news/security/vmware-microsoft-warn-of-widespread-chromeloader-malware-attacks/</a></span>
</div>
]]></description><guid isPermaLink="false">8516</guid><pubDate>Tue, 20 Sep 2022 20:19:08 +0000</pubDate></item><item><title>Uber links breach to Lapsus$ group, blames contractor for hack</title><link>https://nsaneforums.com/news/security-privacy-news/uber-links-breach-to-lapsus-group-blames-contractor-for-hack-r8515/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Uber believes the hacker behind last week's breach is affiliated with the <a href="https://www.bleepingcomputer.com/tag/lapsus/" rel="external nofollow">Lapsus$</a> extortion group, known for breaching other high-profile tech companies such as <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-they-were-hacked-by-lapsus-extortion-group/" rel="external nofollow">Microsoft</a>, <a href="https://www.bleepingcomputer.com/news/security/cisco-hacked-by-yanluowang-ransomware-gang-28gb-allegedly-stolen/" rel="external nofollow">Cisco</a>, <a href="https://www.bleepingcomputer.com/news/security/nvidia-data-breach-exposed-credentials-of-over-71-000-employees/" rel="external nofollow">NVIDIA</a>, <a href="https://www.bleepingcomputer.com/news/security/samsung-confirms-hackers-stole-galaxy-devices-source-code/" rel="external nofollow">Samsung</a>, and <a href="https://www.bleepingcomputer.com/news/security/okta-confirms-25-percent-customers-impacted-by-hack-in-january/" rel="external nofollow">Okta</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The company added that the attacker used the stolen credentials of an Uber EXT contractor in an MFA fatigue attack where the contractor was flooded with two-factor authentication (2FA) login requests until one of them was accepted.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This social engineering tactic has become very popular and has been used in recent attacks targeting well-known companies worldwide, including <a href="https://www.bleepingcomputer.com/news/security/hackers-stole-twitter-employee-credentials-via-phone-phishing/" rel="external nofollow">Twitter</a>, <a href="https://www.bleepingcomputer.com/news/security/7-million-robinhood-user-email-addresses-for-sale-on-hacker-forum/" rel="external nofollow">Robinhood</a>, <a href="https://www.bleepingcomputer.com/news/security/hackers-breach-mailchimps-internal-tools-to-target-crypto-customers/" rel="external nofollow">MailChimp</a>, and <a href="https://www.bleepingcomputer.com/news/security/okta-investigating-claims-of-customer-data-breach-from-lapsus-group/" rel="external nofollow">Okta</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"From there, the attacker accessed several other employee accounts which ultimately gave the attacker elevated permissions to a number of tools, including G-Suite and Slack," Uber explained in an update to the <a href="https://www.uber.com/newsroom/security-update" rel="external nofollow">original statement</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"The attacker then posted a message to a company-wide Slack channel, which many of you saw, and reconfigured Uber's OpenDNS to display a graphic image to employees on some internal sites."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The company added that it found no evidence that the threat actor could access production systems that store sensitive user information, including personal and financial data (e.g., credit card numbers, user bank account info, personal health data, or trip history).</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">At the moment, the company is investigating the incident with help from the FBI and the US Department of Justice.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"We are in close coordination with the FBI and US Department of Justice on this matter and will continue to support their efforts," Uber added.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Uber says it took some measures to prevent future breaches using such tactics, including:</span>
</p>

<ul>
	<li>
		<span style="font-size:14px;">We identified any employee accounts that were compromised or potentially compromised and either blocked their access to Uber systems or required a password reset.</span>
	</li>
	<li>
		<span style="font-size:14px;">We disabled many affected or potentially affected internal tools.</span>
	</li>
	<li>
		<span style="font-size:14px;">We rotated keys (effectively resetting access) to many of our internal services.</span>
	</li>
	<li>
		<span style="font-size:14px;">We locked down our codebase, preventing any new code changes.</span>
	</li>
	<li>
		<span style="font-size:14px;">When restoring access to internal tools, we required employees to re-authenticate. We are also further strengthening our multi-factor authentication (MFA) policies.</span>
	</li>
	<li>
		<span style="font-size:14px;">We added additional monitoring of our internal environment to keep an even closer eye on any further suspicious activity.</span>
	</li>
</ul>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Throughout, we were able to keep all of our public-facing Uber, Uber Eats, and Uber Freight services operational and running smoothly. Because we took down some internal tools, customer support operations were minimally impacted and are now back to normal. — Uber</span>
</p>

<h2>
	<span style="font-size:14px;">Access to vulnerability reports confirmed</span>
</h2>

<p>
	<span style="font-size:14px;">Uber added that it is yet to discover proof that the attacker has accessed and injected any malicious code within its codebase.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"First and foremost, we've not seen that the attacker accessed the production (i.e. public-facing) systems that power our apps; any user accounts; or the databases we use to store sensitive user information, like credit card numbers, user bank account info, or trip history. We also encrypt credit card information and personal health data, offering a further layer of protection," Uber said.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"We reviewed our codebase and have not found that the attacker made any changes. We also have not found that the attacker accessed any customer or user data stored by our cloud providers (e.g. AWS S3)."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Unfortunately, the intrusion resulted in some confidential information being accessed, including some of Uber's invoices from an internal tool used by the company's finance team and HackerOne vulnerability reports (as BleepingComputer <a href="https://www.bleepingcomputer.com/news/security/uber-hacked-internal-systems-breached-and-vulnerability-reports-stolen/" rel="external nofollow">reported</a> on Friday).</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"However, any bug reports the attacker was able to access have been remediated," the company said. HackerOne has since disabled the Uber bug bounty program, thus cutting off access to the disclosed Uber vulnerabilities.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">BleepingComputer was also told by a source that the threat actor was able to exfiltrate all vulnerability reports before losing access to Uber's bug bounty program, including reports that were waiting for a fix, presenting a severe security risk to the company.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">It would not be surprising if the threat actor had already put these vulnerability reports up for sale, both to cash in and to let other threat actors use any flaws that are not (fully) patched in future attacks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The attacker (known as 'teapots2022') also <a href="https://www.bleepingcomputer.com/news/security/gta-6-source-code-and-videos-leaked-after-rockstar-games-hack/" rel="external nofollow">claimed the breach of video game studio Rockstar Games</a> (under the 'teapotuberhacker' moniker) over the weekend after leaking in-game videos and screenshots of source code from both Grand Theft Auto V and Grand Theft Auto VI as proof.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Source: Bleeping Computer</span>
</p>

<div>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/uber-links-breach-to-lapsus-group-blames-contractor-for-hack/" rel="external nofollow">https://www.bleepingcomputer.com/news/security/uber-links-breach-to-lapsus-group-blames-contractor-for-hack/</a></span>
</div>
]]></description><guid isPermaLink="false">8515</guid><pubDate>Tue, 20 Sep 2022 20:15:04 +0000</pubDate></item><item><title>GTA 6 source code and videos leaked after Rockstar Games hack</title><link>https://nsaneforums.com/news/security-privacy-news/gta-6-source-code-and-videos-leaked-after-rockstar-games-hack-r8514/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Grand Theft Auto 6 gameplay videos and source code have been leaked after a hacker breached Rockstar Games’ Slack server and Confluence wiki.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The videos and source code were first leaked on GTAForums yesterday, where a threat actor named ‘teapotuberhacker’ shared a link to a RAR archive containing 90 stolen videos.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The videos appear to be created by developers debugging various features in the game, such as camera angles, NPC tracking, and locations in Vice City. In addition, some of the videos contain voiced conversations between the protagonist and other NPCs.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="rar-archive.jpg" class="ipsImage" data-ratio="75.10" height="442" width="720" src="https://www.bleepstatic.com/images/news/security/g/gcore/rar-archive.jpg" />
</div>

<div>
	<span style="font-size:14px;">RAR archive containing the 90 leaked GTA 6 videos</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">The hacker claims to have stolen "GTA 5 and 6 source code and assets, GTA 6 testing build," but is trying to extort Rockstar Games to prevent further data from being released. </span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, the threat actor says they are accepting offers over $10,000 for the GTA V source code and assets but are not selling the GTA 6 source code at this time.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="telegram.jpg" class="ipsImage" data-ratio="52.08" height="337" width="720" src="https://www.bleepstatic.com/images/news/security/g/gcore/telegram.jpg" />
	<p>
		<span style="font-size:14px;">Selling GTA V source code on Telegram - Source: BleepingComputer</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">After forum members showed disbelief that the hack was real, the threat actor claimed he was behind the recent <a href="https://www.bleepingcomputer.com/news/security/uber-hacked-internal-systems-breached-and-vulnerability-reports-stolen/" rel="external nofollow">cyberattack on Uber</a> and leaked screenshots of source code from both Grand Theft Auto V and Grand Theft Auto 6 as further proof.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Rockstar Games has not released a statement or responded to our email about the attack at this time. However, Bloomberg's Jason Schreier confirmed the leak was valid after speaking to sources at Rockstar.</span>
</p>

<p>
	 
</p>

<p>
	<img alt="jason-tweet.jpg" class="ipsImage" data-ratio="75.10" height="503" width="720" src="https://www.bleepstatic.com/images/news/security/g/gcore/jason-tweet.jpg" />
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The leaked videos have since made it onto YouTube and Twitter, with Rockstar Games issuing DMCA infringement notices and takedown requests to get the videos offline.</span>
</p>

<p>
	 
</p>

<div>
	<span style="font-size:14px;"><img alt="youtube-takedown-requests.jpg" class="ipsImage" data-ratio="75.10" height="443" width="720" src="https://www.bleepstatic.com/images/news/security/g/gcore/youtube-takedown-requests.jpg" /></span>

	<p>
		<span style="font-size:14px;">Leaked GTA 6 video taken down on YouTube - Source: BleepingComputer</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">"This video is no longer available due to a copyright claim by Take 2 Interactive," reads the notice on the removed videos, referring to Take 2 Interactive, the owner of Rockstar Games. These takedown demands lend further validity to the fact that the leaked GTA 6 videos are real.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, Rockstar Games' efforts come too late, as the threat actor and others had already started leaking the stolen GTA 6 videos and portions of the source code on Telegram.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">For example, the threat actor leaked a GTA 6 source code file today that is 9,500 lines long and appears to be related to executing scripts for various in-game actions.</span>
</p>

<h2>
	<span style="font-size:14px;">Claims to be behind Uber attack</span>
</h2>

<p>
	<span style="font-size:14px;">The hacker hasn’t shared details on how they gained access to the GTA 6 videos and source code other than claiming to have stolen them from Rockstar’s Slack and Confluence servers.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The threat actor also claims to be the same hacker, named 'TeaPots,' behind the recent Uber cyberattack, but BleepingComputer could not confirm whether these claims are valid.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, during the cyberattack on Uber, the threat actor also gained access to the company's Slack server and other internal services after performing a social engineering attack on an employee.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">While there are not enough details about the Rockstar Games hack, the types of servers accessed and the very public announcements are similar to the Uber hacker’s tactics.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Update 9/19/22:</span>
</p>

<h2>
	<span style="font-size:14px;">Rockstar confirms breach </span>
</h2>

<p>
	<span style="font-size:14px;">On Monday morning, Rockstar Games confirmed that they suffered a network intrusion allowing hackers to download company data from their systems.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">BleepingComputer has shared the full statement below:</span>
</p>

<blockquote>
	<p>
		<span style="font-size:14px;">"We recently suffered a network intrusion in which an unauthorized third party illegally accessed and downloaded confidential information from our systems, including early development footage for the next Grand Theft Auto. At this time, we do not anticipate any disruption to our live game services nor any long-term effect on the development of our ongoing projects.</span>
	</p>

	<p>
		<span style="font-size:14px;">We are extremely disappointed to have any details of our next game shared with you all in this way. Our work on the next Grand Theft Auto game will continue as planned and we remain as committed as ever to delivering an experience to you, our players, that truly exceeds your expectations.  We will update everyone again soon and, of course, will properly introduce you to this next game when it is ready. We want to thank everyone for their ongoing support through this situation." - Rockstar Games.</span>
	</p>
</blockquote>

<p>
	<span style="font-size:14px;">Unfortunately, the company has not shared any technical details or IOCs related to their attack to help security professionals better defend their networks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">BleepingComputer has asked for further details about the cyberattack and will update this article if we learn anything new.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Source: Bleeping Computer</span>
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/gta-6-source-code-and-videos-leaked-after-rockstar-games-hack/" rel="external nofollow">https://www.bleepingcomputer.com/news/security/gta-6-source-code-and-videos-leaked-after-rockstar-games-hack/</a></span>
</p>

]]></description><guid isPermaLink="false">8514</guid><pubDate>Tue, 20 Sep 2022 20:06:01 +0000</pubDate></item><item><title>LastPass says hackers had internal access for four days</title><link>https://nsaneforums.com/news/security-privacy-news/lastpass-says-hackers-had-internal-access-for-four-days-r8508/</link><description><![CDATA[<p>
	LastPass says the attacker behind the August security breach had internal access to the company's systems for four days until they were detected and evicted.
</p>

<p>
	 
</p>

<p>
	In an update to the security incident notification published last month, Lastpass' CEO Karim Toubba also said that the company's investigation (carried out in partnership with cybersecurity firm Mandiant) found no evidence the threat actor accessed customer data or encrypted password vaults.
</p>

<p>
	 
</p>

<p>
	"Although the threat actor was able to access the Development environment, our system design and controls prevented the threat actor from accessing any customer data or encrypted password vaults," Toubba <a href="https://blog.lastpass.com/2022/08/notice-of-recent-security-incident/" rel="external nofollow" target="_blank">said</a>.
</p>

<p>
	 
</p>

<p>
	While the method through which the attacker was able to compromise a LastPass developer's endpoint to access the Development environment is unknown, the investigation found that the threat actor was able to impersonate the developer after he "had successfully authenticated using multi-factor authentication."
</p>

<p>
	 
</p>

<p>
	After analyzing source code and production builds, the company has also not found evidence that the attacker tried to inject malicious code.
</p>

<p>
	 
</p>

<p>
	This is likely because only the Build Release team can push code from Development into Production, and even then, Toubba said the process involves code review, testing, and validation stages.
</p>

<p>
	 
</p>

<p>
	Additionally, he added that the LastPass Development environment is "physically separated from, and has no direct connectivity to" Lastpass' Production environment.
</p>

<p>
	 
</p>

<p>
	Following the incident, Lastpass has "deployed enhanced security controls including additional endpoint security controls and monitoring," as well as additional threat intelligence capabilities and enhanced detection and prevention technologies in both Development and Production environments. 
</p>

<h2>
	Breach notification delayed for two weeks
</h2>

<p>
	This update comes after Lastpass notified users on August 25th that it "recently detected some unusual activities" in its development environment.
</p>

<p>
	 
</p>

<p>
	The disclosure came after BleepingComputer had learned of the breach from insiders one week before and reached out to the company on August 21st without receiving a reply to questions and requests to confirm the incident.
</p>

<p>
	 
</p>

<p>
	In the letter sent to customers after BleepingComputer's emails, <a href="https://www.bleepingcomputer.com/news/security/lastpass-developer-systems-hacked-to-steal-source-code/" target="_blank" rel="external nofollow">Lastpass confirmed it was hacked</a> two weeks before and that the attackers had stolen some source code and proprietary technical information.
</p>

<p>
	 
</p>

<p>
	"Two weeks ago, we detected some unusual activity within portions of the LastPass development environment," the company said at the time.
</p>

<p>
	 
</p>

<p>
	"After initiating an immediate investigation, we have seen no evidence that this incident involved any access to customer data or encrypted password vaults."
</p>

<p>
	 
</p>

<p>
	LastPass provides one of the most popular password managers in the world, with the company claiming that it's used by over 33 million people and 100,000 businesses.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/lastpass-says-hackers-had-internal-access-for-four-days/" rel="external nofollow">LastPass says hackers had internal access for four days</a>
</p>
]]></description><guid isPermaLink="false">8508</guid><pubDate>Sat, 17 Sep 2022 20:57:58 +0000</pubDate></item><item><title>Google Chrome may be getting a new security layer for autofill passwords</title><link>https://nsaneforums.com/news/security-privacy-news/google-chrome-may-be-getting-a-new-security-layer-for-autofill-passwords-r8507/</link><description><![CDATA[<p>
	Yesterday, we learned that <a href="https://www.neowin.net/news/google-chrome-canary-finally-gets-edges-sidebar-search-feature/" rel="external nofollow">Google Chrome may be getting a sidebar search functionality</a> similar to Microsoft Edge. This would allow users to highlight any text in a webpage to look for more information about it on the web without opening a new tab. Search results appear in a pane on the right side of the current web page, showing you all the relevant links, images, definitions, and videos.
</p>

<p>
	 
</p>

<p>
	Now, it seems like Chrome is getting another Edge feature too, and this time, it's a security enhancement.
</p>

<p>
	 
</p>

<p>
	<img alt="1663386586_capture_(16)_story.jpg" class="ipsImage" data-ratio="59.31" height="405" width="720" src="https://cdn.neow.in/news/images/uploaded/2022/09/1663386586_capture_(16)_story.jpg">
</p>

<p>
	 
</p>

<p>
	Some Microsoft Edge users might not be aware of this, but the browser actually offers a "Sign in with device password" setting. This adds a security layer when you are autofilling passwords in a form, as it prompts you to enter your device credentials before a password is autofilled. In essence, your device credentials act as a sort of master password for autofill credentials on any website that you browse via Edge. This is not the default behavior of Edge, but you can see how to enable it in the screenshot above.
</p>

<p>
	 
</p>


<p>
	Now, it seems like Chrome may be getting the same feature soon. Eagle-eyed reader Leopeva64 has discovered that the capability is now available in Chrome Canary. You can see it in action below:
</p>

<p>
	 
</p>

<div class="ipsEmbeddedOther">
	<a href="https://twitter.com/Leopeva64/status/1570788777022619649" rel="external nofollow">Leopeva64's tweet showing the prompt in Chrome Canary</a>
</div>

<p>
	 
</p>

<p>
	As highlighted, Chrome improves on Edge's implementation a bit by having the Windows dialog box tell you exactly which website you are granting autofill access to.
</p>

<p>
	 
</p>

<p>
	It's a nifty capability to have as it adds a security layer. It's also optional, which means that if you don't want to be bothered by prompts each time you autofill a password, you can easily leave the browser at its default configuration.
</p>

<p>
	 
</p>

<p>
	There's no word on when the feature will eventually reach Chrome Stable. Since it's currently on the Canary channel, it will have to go through some testing via Dev and Beta before it becomes available. Given that it's already available on Edge, there's little chance of it being canned during development.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/google-chrome-may-be-getting-a-new-security-layer-for-autofill-passwords/" rel="external nofollow">Google Chrome may be getting a new security layer for autofill passwords</a>
</p>
]]></description><guid isPermaLink="false">8507</guid><pubDate>Sat, 17 Sep 2022 20:56:41 +0000</pubDate></item><item><title>Google, Microsoft can get your passwords via web browser's spellcheck</title><link>https://nsaneforums.com/news/security-privacy-news/google-microsoft-can-get-your-passwords-via-web-browsers-spellcheck-r8506/</link><description><![CDATA[<p>
	Extended spellcheck features in Google Chrome and Microsoft Edge web browsers transmit form data, including personally identifiable information (PII) and in some cases, passwords, to Google and Microsoft respectively.
</p>

<p>
	 
</p>

<p>
	While this may be a known and intended feature of these web browsers, it does raise concerns about what happens to the data after transmission and how safe the practice might be, particularly when it comes to password fields.
</p>

<p>
	 
</p>

<p>
	Both Chrome and Edge ship with basic spellcheckers enabled. But features like Chrome's Enhanced Spellcheck or Microsoft Editor, when manually enabled by the user, exhibit this potential privacy risk.
</p>

<h2>
	Spell-jacking: That's your spellcheck sending PII to Big Tech
</h2>

<p>
	When using major web browsers like Chrome and Edge, your form data is transmitted to Google and Microsoft, respectively, should enhanced spellcheck features be enabled.
</p>

<p>
	 
</p>

<p>
	Depending on the website you visit, the form data may itself include PII—including but not limited to Social Security Numbers (SSNs)/Social Insurance Numbers (SINs), name, address, email, date of birth (DOB), contact information, bank and payment information, and so on.
</p>

<p>
	 
</p>

<p>
	Josh Summitt, co-founder &amp; CTO of JavaScript security firm otto-js, discovered this issue while testing his company's script behavior detection.
</p>

<p>
	 
</p>

<p>
	In cases where Chrome Enhanced Spellcheck or Edge's Microsoft Editor (spellchecker) were enabled, "basically anything" entered in form fields of these browsers was transmitted to Google and Microsoft.
</p>

<p>
	 
</p>

<p>
	"Furthermore, if you click on 'show password,' the enhanced spellcheck even sends your password, essentially Spell-Jacking your data," explains otto-js in a <a href="https://www.otto-js.com/news/article/chrome-and-edge-enhanced-spellcheck-features-expose-pii-even-your-passwords" rel="external nofollow" target="_blank">blog post</a>.
</p>

<p>
	 
</p>

<p>
	"Some of the largest websites in the world have exposure to sending Google and Microsoft sensitive user PII, including username, email, and passwords, when users are logging in or filling out forms. An even more significant concern for companies is the exposure this presents to the company's enterprise credentials to internal assets like databases and cloud infrastructure."
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="Alibaba-cloud.jpeg" class="ipsImage" data-ratio="69.58" height="379" width="720" src="https://www.bleepstatic.com/images/news/u/1164866/2022/sep-2022/chrome-edge-spellchecker/Alibaba-cloud.jpeg">
	</p>

	<div>
		<em>Alibaba login form fields, with 'show password' enabled (otto-js)</em>
	</div>

	<p>
		 
	</p>
</div>

<div>
	<p>
		<img alt="creds-transmitted.jpeg" class="ipsImage" data-ratio="75.10" height="540" width="691" src="https://www.bleepstatic.com/images/news/u/1164866/2022/sep-2022/chrome-edge-spellchecker/creds-transmitted.jpeg">
	</p>

	<div>
		<em>Chrome's enhanced spellchecker transmits password to Google (otto-js)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Users may often rely on the "show password" option on sites where copying and pasting passwords is not allowed, for example, or when they suspect they've mistyped it.
</p>

<p>
	 
</p>

<p>
	To demonstrate, otto-js shared the example of a user entering credentials on Alibaba's Cloud platform in the Chrome web browser—although any website can be used for this demonstration.
</p>

<p>
	 
</p>

<p>
	With enhanced spellcheck enabled, and assuming the user tapped the "show password" feature, form fields including username and password are transmitted to Google at googleapis.com.
</p>

<p>
	 
</p>

<p>
	A video demonstration has also been shared by the company:
</p>

<p>
	 
</p>

<div class="ipsEmbeddedVideo">
	<a href="https://www.youtube.com/embed/Onb0Usgs04I?feature=oembed" rel="external nofollow">Chrome &amp; Edge Enhanced Spellcheck Features Expose PII, Even Your Passwords (video)</a>
</div>

<p>
	 
</p>

<p>
	BleepingComputer also observed credentials being transmitted to Google in our tests using Chrome to visit major sites like:
</p>

<p>
	 
</p>

<ul>
	<li>
		CNN—both username and password when using 'show password'
	</li>
	<li>
		Facebook.com—both username and password when using 'show password'
	</li>
	<li>
		SSA.gov (Social Security Login)—username field only
	</li>
	<li>
		Bank of America—username field only
	</li>
	<li>
		Verizon—username field only
	</li>
</ul>

<h2>
	A simple HTML solution: 'spellcheck=false'
</h2>

<p>
	Although the transmission of form fields is happening securely over HTTPS, it may not be immediately clear what happens to user data once it reaches the third party, in this example, Google's server.
</p>

<p>
	 
</p>

<p>
	"The <a href="https://support.google.com/chrome/answer/12027911" rel="external nofollow" target="_blank">Enhanced spell check feature</a> requires an opt-in from the user," a Google spokesperson confirmed to BleepingComputer. Note that this is in contrast to the basic spellchecker, which is enabled in Chrome by default and does not transmit data to Google.
</p>

<p>
	 
</p>

<p>
	To review if Enhanced spell check is enabled in your Chrome browser, copy-paste the following link in your address bar. You can then choose to turn it on or off:
</p>

<p>
	 
</p>

<div style="margin-left: 40px;">
	chrome://settings/?search=Enhanced+Spell+Check
</div>

<div>
	<p>
		 
	</p>

	<p>
		<img alt="enhanced-spellcheck.jpg" class="ipsImage" data-ratio="63.47" height="239" width="720" src="https://www.bleepstatic.com/images/news/u/1164866/2022/sep-2022/chrome-edge-spellchecker/enhanced-spellcheck.jpg">
	</p>

	<div>
		<em>Enhanced spell check setting in Chrome needs to be opted-in (BleepingComputer)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	As evident from the screenshot, the feature's description explicitly states that with Enhanced spell check enabled, "text that you type in the browser is sent to Google."
</p>

<p>
	 
</p>

<p>
	"The text typed by the user may be sensitive personal information and Google does not attach it to any user identity and only processes it on the server temporarily. To further ensure user privacy, we will be working to exclude passwords proactively from spell check," continued Google in its statement shared with us.
</p>

<p>
	 
</p>

<p>
	"We appreciate the collaboration with the security community, and we are always looking for ways to better protect user privacy and sensitive information."
</p>

<p>
	 
</p>

<p>
	As for Edge, Microsoft Editor Spelling &amp; Grammar Checker is a <a href="https://microsoftedge.microsoft.com/addons/detail/microsoft-editor-spellin/hokifickgkhplphjiodbggjmoafhignh" rel="external nofollow" target="_blank">browser addon</a> that needs to be explicitly installed for this behavior to take place.
</p>

<p>
	 
</p>

<p>
	BleepingComputer reached out to Microsoft well in advance of publishing. We were told that the matter was being looked into, but we have yet to hear back.
</p>

<p>
	 
</p>

<p>
	otto-js dubbed the attack vector "Spell-jacking" and expressed concern for users of cloud services like Office 365, Alibaba Cloud, Google Cloud - Secret Manager, Amazon AWS - Secrets Manager, and LastPass.
</p>

<p>
	 
</p>

<p>
	Reacting to otto-js' report, both AWS and LastPass mitigated the issue. In LastPass' case, the remedy was reached by adding a simple HTML attribute spellcheck="false" to the password field:
</p>

<div>
	<p>
		 
	</p>

	<p>
		<img alt="lastpass-solution.jpg" class="ipsImage" data-ratio="75.10" height="423" width="720" src="https://www.bleepstatic.com/images/news/u/1164866/2022/sep-2022/chrome-edge-spellchecker/lastpass-solution.jpg">
	</p>

	<div>
		<em>LastPass "password" field now includes spellcheck=false HTML attribute (BleepingComputer)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	The 'spellcheck' HTML attribute, when left out from form text input fields, is <a href="https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/spellcheck" rel="external nofollow" target="_blank">usually assumed by web browsers to be true</a> by default. An input field with 'spellcheck' explicitly set to false will not be processed through a web browser's spellchecker.
</p>

<p>
	 
</p>

<p>
	"Companies can mitigate the risk of sharing their customers' PII - by adding 'spellcheck=false' to all input fields, though this could create problems for users," explains otto-js, referring to the fact that users will then no longer be able to run their entered text through the spellchecker.
</p>

<p>
	 
</p>

<p>
	"Alternatively, you could add it to just the form fields with sensitive data. Companies can also remove the ability to 'show password.' That won't prevent spell-jacking, but it will prevent user passwords from being sent."
</p>
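<p>
	The mitigation above, as an added example written for this page rather than code from otto-js, LastPass or either browser vendor: a small Node.js script that audits a constructed login form for fields an enhanced spellchecker could read, applies the spellcheck="false" fix, and checks that a simulated "show password" toggle no longer exposes the password. The form HTML, the regex-based tag scanner and the function names are all assumptions made for the illustration.
</p>

```javascript
// Added example for the spell-jacking mitigation discussed in the article.
// Not code from otto-js, LastPass or the browsers: the form HTML below is
// constructed and the regex-based tag scanner is an illustration, not a
// full HTML parser. Run stand-alone with: node spelljack_audit.js
//
// Why it matters: an enhanced spellchecker uploads the content of any
// spellcheck-enabled field, and a "show password" button turns a
// type="password" field into a type="text" field that the spellchecker will
// read. spellcheck="false" on the field survives that toggle.

const INPUT_RE = /<input\b([^>]*?)\/?>/gi;
const ATTR_RE = /([a-zA-Z][\w:-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
const SPELLCHECK_STRIP_RE =
  /\s*(?<![\w:-])spellcheck(?![\w:-])(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/gi;

// Input types whose typed text a spellchecker can see. "password" is included
// because a show-password toggle rewrites it to "text" at runtime.
const SPELLCHECKABLE_TYPES = new Set(['text', 'search', 'url', 'email', 'tel', 'password']);

// Parses `type="text" name=user required` into { type: 'text', name: 'user', required: '' }.
function parseAttributes(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Returns the inputs an enhanced spellchecker could transmit: spellcheckable
// types whose spellcheck attribute is absent or anything other than "false"
// (an empty value, e.g. a bare `spellcheck`, means true in HTML).
function auditSpellcheck(html) {
  const findings = [];
  for (const m of html.matchAll(INPUT_RE)) {
    const attrs = parseAttributes(m[1]);
    const type = (attrs.type || 'text').toLowerCase();
    if (!SPELLCHECKABLE_TYPES.has(type)) continue;
    if ((attrs.spellcheck ?? '').toLowerCase() === 'false') continue;
    findings.push({
      name: attrs.name || attrs.id || '(unnamed)',
      type,
      spellcheck: attrs.spellcheck ?? null,
    });
  }
  return findings;
}

// Applies the LastPass-style fix to every spellcheckable input: removes any
// existing spellcheck attribute (including an explicit "true", as seen on
// Twitter) and sets spellcheck="false". hidden/submit/checkbox inputs are untouched.
function hardenSpellcheck(html) {
  return html.replace(INPUT_RE, (tag, attrText) => {
    const attrs = parseAttributes(attrText);
    const type = (attrs.type || 'text').toLowerCase();
    if (!SPELLCHECKABLE_TYPES.has(type)) return tag;
    const rest = attrText.replace(SPELLCHECK_STRIP_RE, '').trimEnd();
    return `<input${rest} spellcheck="false">`;
  });
}

// Simulates a "show password" button, which only flips the type attribute;
// whatever spellcheck setting the field already has applies to the revealed text.
function showPassword(html) {
  return html.replace(/type=(["']?)password\1/gi, 'type=$1text$1');
}

// Constructed sample: a login form like the ones in the article, with no
// spellcheck attribute on either field.
const WEAK_FORM = `
<form action="/login" method="post">
  <input type="text" name="username" autocomplete="username">
  <input type="password" name="password" autocomplete="current-password">
  <button type="button">show password</button>
  <input type="hidden" name="csrf" value="constructed-token">
  <input type="submit" value="Sign in">
</form>`;

const HARDENED_FORM = hardenSpellcheck(WEAK_FORM);

// Stand-alone demo: before hardening the revealed password is exposed,
// after hardening nothing is.
console.log('weak form, show password:', auditSpellcheck(showPassword(WEAK_FORM)));
console.log('hardened form, show password:', auditSpellcheck(showPassword(HARDENED_FORM)));
```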

<p>
	 
</p>

<p>
	Ironically enough, we observed that Twitter's login form, which comes with the "show password" option, has the password field's "spellcheck" HTML attribute explicitly set to true:
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="twitter-spellcheck.jpg" class="ipsImage" data-ratio="75.10" height="357" width="720" src="https://www.bleepstatic.com/images/news/u/1164866/2022/sep-2022/chrome-edge-spellchecker/twitter-spellcheck.jpg">
	</p>

	<div>
		<em>Twitter password field has 'show password' and spellcheck set to true (BleepingComputer)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	As an added safeguard, Chrome and Edge users can turn off Enhanced Spell Check (by following the aforementioned steps) or <a href="https://support.microsoft.com/en-us/microsoft-edge/add-turn-off-or-remove-extensions-in-microsoft-edge-9c0ec68c-2fbc-2f2c-9ff0-bdc76f46b026" rel="external nofollow" target="_blank">remove the Microsoft Editor add-on from Edge</a> until both companies have revised extended spellcheckers to exclude processing of sensitive fields, like passwords.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/google-microsoft-can-get-your-passwords-via-web-browsers-spellcheck/" rel="external nofollow">Google, Microsoft can get your passwords via web browser's spellcheck</a>
</p>
]]></description><guid isPermaLink="false">8506</guid><pubDate>Sat, 17 Sep 2022 20:53:53 +0000</pubDate></item><item><title>The Week in Ransomware - September 16th 2022 - Iranian Sanctions</title><link>https://nsaneforums.com/news/security-privacy-news/the-week-in-ransomware-september-16th-2022-iranian-sanctions-r8505/</link><description><![CDATA[<p>
	It has been a fairly quiet week on the ransomware front, with the biggest news being US sanctions on Iranians linked to ransomware attacks.
</p>

<p>
	 
</p>

<p>
	On Wednesday, the <a href="https://www.bleepingcomputer.com/news/security/us-govt-sanctions-ten-iranians-linked-to-ransomware-attacks/" target="_blank" rel="external nofollow">US Treasury Department announced sanctions</a> against Iranians affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC) for breaching US networks and encrypting devices with <a href="https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/" rel="external nofollow" target="_blank">DiskCryptor and BitLocker</a>.
</p>

<p>
	 
</p>

<p>
	Researchers also released some interesting reports this week:
</p>

<p>
	 
</p>

<ul>
	<li>
		Ransomware gangs are <a href="https://www.bleepingcomputer.com/news/security/ransomware-gangs-switching-to-new-intermittent-encryption-tactic/" target="_blank" rel="external nofollow">increasingly using intermittent encryption</a> to encrypt systems faster.
	</li>
	<li>
		The Lorenz Ransomware group is using <a href="https://www.bleepingcomputer.com/news/security/lorenz-ransomware-breaches-corporate-network-via-phone-systems/" target="_blank" rel="external nofollow">vulnerabilities in Mitel phone systems</a> to breach networks.
	</li>
	<li>
		Bitdefender <a href="https://www.bleepingcomputer.com/news/security/bitdefender-releases-free-decryptor-for-lockergoga-ransomware/" target="_blank" rel="external nofollow">released a decryptor</a> for the LockerGoga operation.
	</li>
</ul>

<p>
	 
</p>

<p>
	In ransomware attack-related news, the Yanluowang ransomware gang <a href="https://www.bleepingcomputer.com/news/security/cisco-confirms-yanluowang-ransomware-leaked-stolen-company-data/" target="_blank" rel="external nofollow">began leaking data</a> stolen during a <a href="https://www.bleepingcomputer.com/news/security/cisco-hacked-by-yanluowang-ransomware-gang-28gb-allegedly-stolen/" target="_blank" rel="external nofollow">cyberattack on Cisco</a> and the Hive ransomware <a href="https://www.bleepingcomputer.com/news/security/hive-ransomware-claims-cyberattack-on-bell-canada-subsidiary/" target="_blank" rel="external nofollow">claimed an attack on Bell Technical Solutions</a> (BTS).
</p>

<p>
	 
</p>

<p>
	Contributors and those who provided new ransomware information and stories this week include: <a href="https://twitter.com/jorntvdw" rel="external nofollow" target="_blank">@jorntvdw</a>, <a href="https://twitter.com/demonslay335" rel="external nofollow" target="_blank">@demonslay335</a>, <a href="https://twitter.com/serghei" rel="external nofollow" target="_blank">@serghei</a>, <a href="https://twitter.com/malwareforme" rel="external nofollow" target="_blank">@malwareforme</a>, <a href="https://twitter.com/malwrhunterteam" rel="external nofollow" target="_blank">@malwrhunterteam</a>, <a href="https://twitter.com/BleepinComputer" rel="external nofollow" target="_blank">@BleepinComputer</a>, <a href="https://twitter.com/LawrenceAbrams" rel="external nofollow" target="_blank">@LawrenceAbrams</a>, <a href="https://twitter.com/Seifreed" rel="external nofollow" target="_blank">@Seifreed</a>, <a href="https://twitter.com/DanielGallagher" rel="external nofollow" target="_blank">@DanielGallagher</a>, <a href="https://twitter.com/VK_Intel" rel="external nofollow" target="_blank">@VK_Intel</a>, <a href="https://twitter.com/FourOctets" rel="external nofollow" target="_blank">@FourOctets</a>, <a href="https://twitter.com/billtoulas" rel="external nofollow" target="_blank">@billtoulas</a>, <a href="https://twitter.com/struppigel" rel="external nofollow" target="_blank">@struppigel</a>, <a href="https://twitter.com/PolarToffee" rel="external nofollow" target="_blank">@PolarToffee</a>, <a href="https://twitter.com/fwosar" rel="external nofollow" target="_blank">@fwosar</a>, <a href="https://twitter.com/Ionut_Ilascu" rel="external nofollow" target="_blank">@Ionut_Ilascu</a>, <a href="https://twitter.com/bitdefender" rel="external nofollow" target="_blank">@Bitdefender</a>, <a href="https://twitter.com/AlvieriD" rel="external nofollow" target="_blank">@AlvieriD</a>, <a href="https://twitter.com/AWNetworks" rel="external nofollow" target="_blank">@AWNetworks</a>, <a href="https://twitter.com/LabsSentinel" rel="external nofollow" target="_blank">@LabsSentinel</a>, <a href="https://twitter.com/pcrisk" rel="external nofollow" role="link" tabindex="-1" target="_blank">@pcrisk</a>, <a href="https://twitter.com/CISAgov" rel="external nofollow" target="_blank">@CISAgov</a>, <a href="https://twitter.com/security_score" rel="external nofollow" target="_blank">@security_score</a>, <a href="https://twitter.com/censysio" rel="external nofollow" target="_blank">@censysio</a>, and <a href="https://twitter.com/juanbrodersen" rel="external nofollow" target="_blank">@juanbrodersen</a>.
</p>

<h2>
	September 10th 2022
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/ransomware-gangs-switching-to-new-intermittent-encryption-tactic/" target="_blank" rel="external nofollow">Ransomware gangs switching to new intermittent encryption tactic</a>
</h3>

<p>
	A growing number of ransomware groups are adopting a new tactic that helps them encrypt their victims' systems faster while reducing the chances of being detected and stopped.
</p>

<h3>
	<a href="https://censys.wpengine.com/the-neverending-story-of-deadbolt/" rel="external nofollow" target="_blank">The Neverending Story of Deadbolt</a>
</h3>

<p>
	But recently, Censys has observed a massive uptick in Deadbolt-infected QNAP devices. The Deadbolt crew is ramping up their operations, and the victim count is growing daily.
</p>

<h2>
	September 12th 2022
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/cisco-confirms-yanluowang-ransomware-leaked-stolen-company-data/" target="_blank" rel="external nofollow">Cisco confirms Yanluowang ransomware leaked stolen company data</a>
</h3>

<p>
	Cisco has confirmed that the data leaked yesterday by the Yanluowang ransomware gang was stolen from the company network during a cyberattack in May.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/lorenz-ransomware-breaches-corporate-network-via-phone-systems/" target="_blank" rel="external nofollow">Lorenz ransomware breaches corporate network via phone systems</a>
</h3>

<p>
	The Lorenz ransomware gang now uses a critical vulnerability in Mitel MiVoice VOIP appliances to breach enterprises, using their phone systems for initial access to their corporate networks.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1569216173903941632" rel="external nofollow" target="_blank">New STOP Ransomware variants</a>
</h3>

<p>
	<a href="https://twitter.com/pcrisk" rel="external nofollow" role="link" target="_blank">PCrisk</a> found new STOP ransomware variants that append the .eemv and .eewt extensions to encrypted files.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1569269403404959745" rel="external nofollow" target="_blank">New Scam ransomware variant</a>
</h3>

<p>
	PCrisk found the new Scam Ransomware that appends the .scam extension to encrypted files and drops a ransom note named read_it.txt.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1569273812591706113" rel="external nofollow" target="_blank">New Babuk ransomware variant</a>
</h3>

<p>
	PCrisk found the new Babuk ransomware variant that appends the .demon extension to encrypted files and drops a ransom note named How To Recover Your Files.txt.
</p>

<h2>
	September 14th 2022
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/us-govt-sanctions-ten-iranians-linked-to-ransomware-attacks/" target="_blank" rel="external nofollow">US govt sanctions ten Iranians linked to ransomware attacks</a>
</h3>

<p>
	The Treasury Department's Office of Foreign Assets Control (OFAC) announced sanctions today against ten individuals and two entities affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC) for their involvement in ransomware attacks.
</p>

<h3>
	<a href="https://www.clarin.com/tecnologia/legislatura-portena-recupera-ciberataque-dice-informacion-comprometida_0_P7s5jLAsRY.html" rel="external nofollow" target="_blank">The Buenos Aires Legislature recovers after the cyberattack</a>
</h3>

<p>
	The Legislature of the City of Buenos Aires is slowly recovering from the cyberattack it suffered last Sunday: after changing passwords and disconnecting infected computers, they re-enabled WiFi, recovered one computer per area and continued with parliamentary work. However, they do not disclose what information was compromised or what type of attack it was.
</p>

<h3>
	<a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-257a" rel="external nofollow" target="_blank">CISA: Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors</a>
</h3>

<p>
	This advisory updates joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities, which provides information on these Iranian government-sponsored APT actors exploiting known Fortinet and Microsoft Exchange vulnerabilities to gain initial access to a broad range of targeted entities in furtherance of malicious activities, including ransom operations. The authoring agencies now judge these actors are an APT group affiliated with the IRGC.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1569908936454688769" rel="external nofollow" target="_blank">New Dharma ransomware variant</a>
</h3>

<p>
	PCrisk found a new Dharma ransomware variant that appends the .gnik extension to encrypted files.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1569957162461368320" rel="external nofollow" target="_blank">New STOP ransomware variant</a>
</h3>

<p>
	PCrisk found a new STOP ransomware variant that appends the .eeyu extension to encrypted files.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1569955785219645440" rel="external nofollow" target="_blank">New Snatch ransomware variant</a>
</h3>

<p>
	PCrisk found a new Snatch ransomware variant that appends the .winxvykljw extension to encrypted files.
</p>

<h2>
	September 15th 2022
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/hive-ransomware-claims-cyberattack-on-bell-canada-subsidiary/" target="_blank" rel="external nofollow">Hive ransomware claims cyberattack on Bell Canada subsidiary</a>
</h3>

<p>
	The Hive ransomware gang claimed responsibility for an attack that hit the systems of Bell Canada subsidiary Bell Technical Solutions (BTS).
</p>

<h3>
	<a href="https://securityscorecard.pathfactory.com/research/quantum-ransomware" rel="external nofollow" target="_blank">A Detailed Analysis of the Quantum Ransomware</a>
</h3>

<p>
	Quantum ransomware, a rebrand of the MountLocker ransomware, was discovered in August 2021. The malware stops a list of processes and services, and can encrypt the machines found in the Windows domain or the local network, as well as the network shared resources. It logs all of its activities in a file called “.log” and computes a Client Id that is the XOR-encryption of the computer name.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1570288264208338944" rel="external nofollow" target="_blank">New STOP ransomware variant</a>
</h3>

<p>
	PCrisk found a new STOP ransomware variant that appends the .eebn extension to encrypted files.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1570342395581206531" rel="external nofollow" target="_blank">New BISAMWARE ransomware</a>
</h3>

<p>
	PCrisk found the BISAMWARE Ransomware that appends the .BISAMWARE extension to encrypted files and drops a ransom note named SYSTEM=RANSOMWARE=INFECTED.TXT.
</p>

<h2>
	September 16th 2022
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/bitdefender-releases-free-decryptor-for-lockergoga-ransomware/" target="_blank" rel="external nofollow">Bitdefender releases free decryptor for LockerGoga ransomware</a>
</h3>

<p>
	Romanian cybersecurity firm Bitdefender has released a free decryptor to help LockerGoga ransomware victims recover their files without paying a ransom.
</p>

<h3>
	That's it for this week! Hope everyone has a nice weekend!
</h3>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-16th-2022-iranian-sanctions/" rel="external nofollow">The Week in Ransomware - September 16th 2022 - Iranian Sanctions</a>
</p>
]]></description><guid isPermaLink="false">8505</guid><pubDate>Sat, 17 Sep 2022 20:50:14 +0000</pubDate></item><item><title>How to block web fonts to improve privacy</title><link>https://nsaneforums.com/news/security-privacy-news/how-to-block-web-fonts-to-improve-privacy-r8504/</link><description><![CDATA[<p>
	Websites that make use of text have two main options to display it: use a font that is available on the majority of user devices, or use custom web fonts, which are not installed on a user's device.
</p>

<p>
	 
</p>

<p>
	<img alt="blocked-web-fonts.png" class="ipsImage" data-ratio="75.10" height="289" width="720" src="https://www.ghacks.net/wp-content/uploads/2022/09/blocked-web-fonts.png">
</p>


<p>
	 
</p>


<p>
	Custom web fonts, such as Google Fonts, give web designers more options when it comes to text display on websites, but they require that visitors download these fonts when they connect to the site. Caching is usually used so that fonts are not downloaded on every page visit.
</p>

<p>
	 
</p>

<p>
	For Internet users, the use of web fonts has two main disadvantages:
</p>

<p>
	 
</p>

<ul>
	<li>
		Performance
	</li>
	<li>
		Privacy
	</li>
</ul>

<p>
	 
</p>

<p>
	Performance is the obvious one, as a request needs to be made to the server hosting the font to download it. While that is usually quick, it still adds to the loading time. Issues with the server may also lead to loading issues on the site. Users who are on a tight bandwidth budget or on very slow connections may benefit the most from the blocking.
</p>

<p>
	 
</p>

<p>
	Privacy is the second. Since requests are made to servers, e.g., Google servers that host the company's fonts, information such as the IP address is automatically submitted. Not all organizations that host web fonts use the information to track users, but there is always the chance that this is happening.
</p>

<p>
	 
</p>

<p>
	Google, for example, <a data-wpel-link="external" href="https://developers.google.com/terms" rel="external nofollow" target="_blank">highlights</a> the following in the terms:
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	The APIs are designed to help you enhance your websites and applications ("API Client(s)"). YOU AGREE THAT GOOGLE MAY MONITOR USE OF THE APIS TO ENSURE QUALITY, IMPROVE GOOGLE PRODUCTS AND SERVICES, AND VERIFY YOUR COMPLIANCE WITH THE TERMS. This monitoring may include Google accessing and using your API Client, for example to identify security issues that could affect Google or its users.
</p>

<p>
	 
</p>

<p>
	Since many sites use web fonts, widely used fonts may provide organizations with additional information about a user's activity on the Internet.
</p>

<p>
	 
</p>

<p>
	Blocking web fonts may lead to display issues on some sites. Sites that rely solely on web fonts, without having fallbacks in place, may not display correctly.
</p>

<h2>
	Find out if a site uses web fonts
</h2>

<p>
	It is relatively easy to find out if a site uses web fonts.
</p>

<p>
	 
</p>

<ol>
	<li>
		Open the Developer Tools of the browser with the shortcut Ctrl-Shift-I. You find it listed in the main menu as well, usually under More Tools.
	</li>
	<li>
		Switch to the Network tab.
	</li>
	<li>
		Activate the font filter.
	</li>
	<li>
		Load the site in question and monitor the listing.
	</li>
</ol>

<p>
	 
</p>

<p>
	<strong>How to block web fonts</strong>
</p>

<p>
	 
</p>

<p>
	<img alt="firefox-web-fonts-block.png" class="ipsImage" data-ratio="75.10" height="374" width="720" src="https://www.ghacks.net/wp-content/uploads/2022/09/firefox-web-fonts-block.png">
</p>


<p>
	 
</p>

<p>
	Web fonts can be blocked in a number of ways, depending on the browser that is used.
</p>

<p>
	 
</p>

<p>
	Firefox users may set the preferences gfx.downloadable_fonts.enabled and gfx.downloadable_fonts.woff2.enabled to false to block downloadable fonts in the browser.
</p>

<p>
	 
</p>

<p>
	The browser has another setting that may be of use. <a data-wpel-link="internal" href="https://www.ghacks.net/2015/07/21/firefox-41-mozilla-modifies-how-icon-fonts-are-handled-by-the-browser/" rel="external nofollow">Introduced in Firefox 41</a>, it enables Firefox to set specific fonts for visited websites.
</p>

<p>
	 
</p>

<ol>
	<li>
		Load about:preferences#general in the browser's address bar to get started.
	</li>
	<li>
		Scroll down to the Fonts section and select the Advanced button.
	</li>
	<li>
		Uncheck "Allow pages to choose their own fonts, instead of your selection above". You may need to scroll the window to see the option.
	</li>
	<li>
		Select OK.
	</li>
</ol>

<p>
	 
</p>

<p>
	Users of the content blocker uBlock Origin may add a single custom line to it, to block web fonts. Open the Settings, switch to My Filters, and add the line *$font,third-party. Select Save, and you are all set. The content blocker includes an even stricter option, which blocks all remote fonts. To activate it, select "Block remote fonts" in the extension's settings. Sites that do not display correctly may be excluded from the blocking.
</p>

<p>
	 
</p>

<p>
	<img alt="ublock-block-web-fonts.png" class="ipsImage" data-ratio="75.10" height="372" width="720" src="https://www.ghacks.net/wp-content/uploads/2022/09/ublock-block-web-fonts.png">
</p>


<p>
	 
</p>

<p>
	This custom filter blocks only web fonts loaded from third-party domains; first-party sites are still allowed to load their own.
</p>

<p>
	 
</p>

<p>
	Another option is to use a pre-made anti-fonts list, which you find <a data-wpel-link="external" href="https://fanboy.co.nz/fanboy-antifonts.txt" rel="external nofollow" target="_blank">here</a>. Just import it into your content blocker of choice to block the majority of web fonts out there on third-party sites.
</p>

<p>
	 
</p>

<p>
	<strong>Now You</strong>: how do you handle web fonts? Are you concerned about them? (via <a data-wpel-link="external" href="https://collinmbarrett.com/block-web-fonts/" rel="external nofollow" target="_blank">Collinmbarrett</a>)
</p>

<p>
	 
</p>


<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2022/09/17/how-to-block-web-fonts-to-improve-privacy/" rel="external nofollow">How to block web fonts to improve privacy</a>
</p>
]]></description><guid isPermaLink="false">8504</guid><pubDate>Sat, 17 Sep 2022 20:49:00 +0000</pubDate></item><item><title>Uber faces major cybersecurity breach, investigation underway [Update]</title><link>https://nsaneforums.com/news/security-privacy-news/uber-faces-major-cybersecurity-breach-investigation-underway-update-r8494/</link><description><![CDATA[<p>
	Cab service Uber has reportedly suffered a major cybersecurity attack that compromised several internal communication and engineering systems and took them offline. The company has confirmed the breach in a tweet.
</p>

<p>
	 
</p>

<p>
	Uber didn’t reveal details about the incident or whether any user data was compromised, but confirmed that the cyber-criminal was able to post on the company’s Slack after compromising a worker’s account. The hacker is believed to have social-engineered the worker into handing over their password by masquerading as a corporate IT person, then used it to access internal systems and post an explicit photo on an internal page with a message that the company had suffered a major <a href="https://www.neowin.net/news/data-breach-prevention-and-recovery--free-checklist/" rel="external nofollow">data breach</a>.
</p>

<p>
	 
</p>

<p>
	Embedded tweet: <a href="https://twitter.com/vxunderground/status/1570611979169202179" rel="external nofollow">vx-underground on Twitter</a>
</p>

<p>
	 
</p>


<p>
	The hacker also backed up the claim of having compromised Uber's systems by posting images of its AWS instance, vSphere, Google Workspace data, and more.
</p>

<p>
	 
</p>

<p>
	To prevent further damage, Uber instructed its staff not to use Slack, and other internal systems were also made inaccessible to them. The company said it was investigating a 'cybersecurity incident' after a hacker shared evidence of the breach with journalists and security researchers.
</p>

<p>
	 
</p>

<p>
	The officials from the <a href="https://twitter.com/Uber_Comms/status/1570584747071639552" rel="external nofollow">Uber Comms Twitter </a>handle tweeted:
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.
</p>

<p>
	 
</p>

<p>
	This is not the ride-hailing company’s first breach. It suffered a similar attack in 2016, which affected 57 million riders and drivers. It came under scrutiny for failing to fully disclose the incident and for paying the hackers $100,000 to hide it. The breach only <a href="https://www.neowin.net/news/uber-accused-of-covering-up-evidence-in-trial-against-waymo/" rel="external nofollow">became publicly known in late 2017</a>.
</p>

<p>
	 
</p>

<p>
	<img alt="1663340839_uber_financial_details_story." class="ipsImage" data-ratio="59.31" height="405" width="720" src="https://cdn.neow.in/news/images/uploaded/2022/09/1663340839_uber_financial_details_story.jpg">
</p>

<p>
	 
</p>

<p>
	<strong>Update</strong>: It appears things are going from bad to worse for Uber. We have now learned that the hacker has disclosed Uber's financial data. Many hours after acknowledging the incident, Uber has still not provided any information about its findings.
</p>

<p>
	 
</p>

<p>
	Source: <a href="https://www.nytimes.com/2022/09/15/technology/uber-hacking-breach.html" rel="external nofollow">New York Times</a>, <a href="https://www.reuters.com/business/autos-transportation/uber-investigating-computer-network-breach-nyt-2022-09-16/" rel="external nofollow">Reuters</a>, <a href="https://twitter.com/Uber_Comms/status/1570584747071639552" rel="external nofollow">UberComms</a> | Image: <a href="https://www.uber.com/en-IN/newsroom/uber-restore/" rel="external nofollow">Uber Newsroom</a>, <a href="https://twitter.com/vxunderground/status/1570611979169202179" rel="external nofollow">VX-underground</a>
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/uber-faces-major-cybersecurity-breach-investigation-underway/" rel="external nofollow">Uber faces major cybersecurity breach, investigation underway [Update]</a>
</p>
]]></description><guid isPermaLink="false">8494</guid><pubDate>Fri, 16 Sep 2022 19:03:14 +0000</pubDate></item><item><title>Microsoft Defender gets outperformed easily by rivals Avast, AVG, and Avira in latest test</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-defender-gets-outperformed-easily-by-rivals-avast-avg-and-avira-in-latest-test-r8493/</link><description><![CDATA[<p>
	Anti-malware evaluation firm AV-Comparatives has released its latest report for real-world protection. This report is a follow-up to the <a href="https://www.neowin.net/news/av-comparatives-finds-microsoft-defender-has-one-of-the-poorest-offline-detection-rates/" rel="external nofollow">previous testing conducted by the company in April-May</a>. Sadly for Microsoft, AV-Comparatives has found that Defender actually managed to get worse this time around.
</p>

<p>
	 
</p>

<p>
	For those unaware, the real-world protection test in AV-Comparatives' suite is meant to assess the protection capabilities of an anti-malware solution in an online scenario when the system is interacting with the web.
</p>

<p>
	 
</p>

<p>
	In terms of scores, Microsoft Defender has a 99% block rate, which has remained unchanged since <a href="https://www.neowin.net/news/av-comparatives-finds-microsoft-defender-has-one-of-the-poorest-offline-detection-rates/" rel="external nofollow">last time</a>. And just like last time, user-dependent compromises were 0%, meaning the real compromise rate is once again 1%. However, in terms of false positives, Defender got worse: in the last test Microsoft had 0 false positives, but this time that number has increased to two.
</p>

<p>
	 
</p>


<p>
	Meanwhile, rival anti-virus makers like Avast, AVG, Avira, and Total AV put up the best show in the test as each of them improved tremendously compared to <a href="https://www.neowin.net/news/av-comparatives-finds-microsoft-defender-has-one-of-the-poorest-offline-detection-rates/" rel="external nofollow">last time</a>.
</p>

<p>
	 
</p>

<p>
	<img alt="1663309694_av-comparatives_real-world_pr" class="ipsImage" data-ratio="59.31" height="405" width="720" src="https://cdn.neow.in/news/images/uploaded/2022/09/1663309694_av-comparatives_real-world_protrection_july-aug_2022_story.jpg">
</p>

<p>
	 
</p>

<p>
	It is a little surprising to see Defender doing so poorly in the false positives department. This is because Microsoft had announced, back in March, that it was working on <a href="https://www.neowin.net/news/after-defender-flagged-office-as-virus-microsoft-gets-serious-about-fixing-false-positives/" rel="external nofollow">improving false positive detections</a>, just a day after it had flagged its <a href="https://www.neowin.net/news/microsoft-defender-goofed-up-as-it-flagged-its-own-office-updates-as-malware/" rel="external nofollow">own Office updates as malicious</a>. And while it's difficult to improve from apparent perfection with 0 false positive alerts in <a href="https://www.neowin.net/news/av-comparatives-finds-microsoft-defender-has-one-of-the-poorest-offline-detection-rates/" rel="external nofollow">past tests</a>, to get worse at it from there is somewhat perplexing.
</p>

<p>
	 
</p>

<p>
	Source: <a href="https://www.av-comparatives.org/tests/real-world-protection-test-july-august-2022-factsheet/" rel="external nofollow">AV-Comparatives</a>
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-defender-gets-outperformed-easily-by-rivals-avast-avg-and-avira-in-latest-test/" rel="external nofollow">Microsoft Defender gets outperformed easily by rivals Avast, AVG, and Avira in latest test</a>
</p>
]]></description><guid isPermaLink="false">8493</guid><pubDate>Fri, 16 Sep 2022 19:00:56 +0000</pubDate></item><item><title>YouTube is testing up to 10 unskippable ads before videos</title><link>https://nsaneforums.com/news/security-privacy-news/youtube-is-testing-up-to-10-unskippable-ads-before-videos-r8489/</link><description><![CDATA[<p>
	If you are still using YouTube, you may have been hit with an increase in unskippable advertisements recently. Up until now, YouTube viewers saw up to two so-called unskippable ads before the selected video. Now, YouTube is testing an increase to 5, 7, 8 or even 10 ads before the actual video.
</p>

<p>
	 
</p>

<p>
	<img alt="youtube-unskippable-ad.png" class="ipsImage" data-ratio="75.10" height="410" width="720" src="https://www.ghacks.net/wp-content/uploads/2022/09/youtube-unskippable-ad.png">
</p>


<p>
	 
</p>


<p>
	Unskippable ads are shown before videos. Unlike other advertisements on YouTube, these ads are shorter and can't be skipped. YouTube may display other ad types, including longer ads that viewers may skip after five seconds of watching.
</p>

<p>
	 
</p>

<p>
	Unskippable ads have a play time of six seconds each. Having to sit through 5, 7 or even 10 of these ads increases the ad viewing time by up to 500%. In seconds, the viewing time goes up from 12 seconds to 30, 42 or even 60 seconds before the selected video starts to play.
</p>

<p>
	 
</p>

<p>
	YouTube revealed on Twitter that the increase would only happen with a specific ad format, called bumper ads.
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	hmm...this may happen with a certain type of ad format called bumper ads, since they're only up to 6 seconds long. if you'd like, you can send feedback directly from YouTube via the send feedback tool
</p>

<p>
	 
</p>

<p>
	Serving more advertisements on YouTube increases the platform's revenue significantly. Google is aware that the majority of users won't simply leave for another site, as the content may not be available elsewhere. Unless creators move to another platform en masse, YouTube is more or less free to do as it pleases on the site without having to fear major repercussions.
</p>

<p>
	 
</p>

<p>
	An increase in ads on the site serves another purpose: users who are fed up with advertisements may subscribe to YouTube Premium, a paid subscription, to get rid of them. YouTube Premium is available for $11.99 per month or $119.99 per year in the United States; this is a lot, especially when compared to streaming services such as Disney+, Netflix (Basic) or Amazon Prime Video, which are all available for less.
</p>

<h3>
	What YouTube viewers can do about it
</h3>

<p>
	On desktop, installing a content blocker such as <a data-wpel-link="external" href="https://github.com/gorhill/uBlock" rel="external nofollow" target="_blank">uBlock Origin</a> may help get rid of the majority of advertisements on the platform. Some browsers, such as Brave, include content blockers that may also deal with the majority of ads on the platform.
</p>

<p>
	 
</p>

<p>
	On mobile, browsers that include content blocking functionality, like Brave or <a data-wpel-link="internal" href="https://www.ghacks.net/2022/09/11/microsoft-is-testing-an-video-ad-blocker-in-edge-for-android/" rel="external nofollow">Microsoft Edge</a>, may do the job. Dedicated clients for YouTube like <a data-wpel-link="internal" href="https://www.ghacks.net/2022/01/01/newpipe-the-better-youtube-client-for-android/" rel="external nofollow">NewPipe</a> or <a data-wpel-link="external" href="https://github.com/revanced" rel="external nofollow" target="_blank">Revanced</a> are another option.
</p>

<p>
	 
</p>

<p>
	Here is another tip: <a data-wpel-link="internal" href="https://www.ghacks.net/2022/09/09/opinion-it-is-time-to-switch-from-chrome-to-another-browser/" rel="external nofollow">don't use Chrome</a>.
</p>

<p>
	 
</p>

<p>
	There are plenty of ways to support content creators on YouTube and elsewhere. Some tools come with options to turn off content blocking for specific channels, but there are other ways, such as donating.
</p>

<p>
	 
</p>

<p>
	<strong>Now You:</strong> do you spend time on YouTube? Do you endure ads or use tools to skip them?
</p>

<p>
	 
</p>


<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2022/09/16/youtube-is-testing-up-to-10-unskippable-ads-before-videos/" rel="external nofollow">YouTube is testing up to 10 unskippable ads before videos</a>
</p>
]]></description><guid isPermaLink="false">8489</guid><pubDate>Fri, 16 Sep 2022 18:53:45 +0000</pubDate></item><item><title>Microsoft Edge&#x2019;s News Feed ads abused for tech support scams</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-edge%E2%80%99s-news-feed-ads-abused-for-tech-support-scams-r8469/</link><description><![CDATA[<p>
	An ongoing malvertising campaign is injecting ads in the Microsoft Edge News Feed to redirect potential victims to websites pushing tech support scams.
</p>

<p>
	 
</p>

<p>
	Microsoft Edge is the default web browser on computers running the Windows operating system, and it currently has a 4.3% market share worldwide, according to <a href="https://gs.statcounter.com/" rel="external nofollow" target="_blank">Statcounter's Global Stats</a>.
</p>

<p>
	 
</p>

<p>
	This scam operation has been running for at least two months, according to Malwarebytes' Threat Intelligence Team, which said this is one of the most extensive campaigns at the moment, based on the amount of telemetry noise it generates.
</p>

<p>
	 
</p>

<p>
	This is not surprising considering its scale, with the attackers switching between hundreds of ondigitalocean.app subdomains to host their scam pages within a single day.
</p>

<p>
	 
</p>

<p>
	The malicious ads they're injecting into the Edge News Feed timeline are also linked to more than a dozen domains, at least one of which (tissatweb[.]us) is also <a href="https://scammer.info/t/tech-scam-833-954-1953/99506" rel="external nofollow" target="_blank">known for hosting a browser locker</a> in the past.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="Scam_redirection_flow.png" class="ipsImage" data-ratio="75.10" height="540" width="523" src="https://www.bleepstatic.com/images/news/u/1109292/2022/Scam_redirection_flow.png">
	</p>

	<div>
		<em>Scam redirection flow (Malwarebytes)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	The redirection flow used on Edge users starts by checking the target's browser for several settings, such as the time zone, to decide whether the visitor is worth the scammers' time. If not, the visitor is sent to a decoy page.
</p>

<p>
	 
</p>

<p>
	To redirect to their scam landing pages, the threat actors use the Taboola ad network to load a <a href="https://github.com/MBThreatIntel/TSS/blob/master/Taboola/taboola_campaign_decoded.txt" rel="external nofollow" target="_blank">Base64 encoded JavaScript script</a> designed to filter the potential victims.
</p>

<p>
	 
</p>

<p>
	"The goal of this script is to only show the malicious redirection to potential victims, ignoring bots, VPNs and geolocations that are not of interest that are instead shown a harmless page related to the advert," <a href="https://www.malwarebytes.com/blog/threat-intelligence/2022/09/microsoft-edges-news-feed-pushes-tech-support-scam" rel="external nofollow" target="_blank">Malwarebytes explained</a>.
</p>

<p>
	 
</p>

<p>
	"This scheme is meant to trick innocent users with fake browser locker pages, very well known and used by tech support scammers."
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="tech_support_scam_landing_page.png" class="ipsImage" data-ratio="75.10" height="385" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2022/tech_support_scam_landing_page.png">
	</p>

	<div>
		<em>Tech support scam landing page (Malwarebytes)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	While Malwarebytes didn't say what happens if you call the scammers' phone number, in most cases they would lock your computer using various methods or tell you that your device is infected and that you need to purchase a support license.
</p>

<p>
	 
</p>

<p>
	Either way, once the scammers have connected to your computer to "help" you, they will try to convince you to pay for an expensive tech support contract that provides no benefit.
</p>

<p>
	 
</p>

<p>
	A Microsoft spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/microsoft-edge-s-news-feed-ads-abused-for-tech-support-scams/" rel="external nofollow">Microsoft Edge’s News Feed ads abused for tech support scams</a>
</p>
]]></description><guid isPermaLink="false">8469</guid><pubDate>Thu, 15 Sep 2022 19:06:59 +0000</pubDate></item><item><title>Amazon Echo may soon answer your questions with ads</title><link>https://nsaneforums.com/news/security-privacy-news/amazon-echo-may-soon-answer-your-questions-with-ads-r8462/</link><description><![CDATA[<div class="duet--article--article-body-component">
	<h3 class="inline selection:bg-franklin-20">
		<span class="font-polysans text-22 font-light leading-110 md:text-30 lg:block">‘Hey Alexa, will you bow to any sponsor?’</span>
	</h3>

	<p class="duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 -tracking-1 leading-160 dark:text-white selection:bg-franklin-20 dark:selection:bg-blurple [&amp;_a]:shadow-underline-black [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a]:shadow-underline-white">
		A new Alexa feature has been announced at the Amazon Accelerate conference called “<a href="https://www.aboutamazon.com/news/small-business/alexa-can-now-help-brands-answer-customer-questions?ascsubtag=%5B%5Dvg%5Bp%5D51e642be-559e-4f11-95fe-9f8d234eba1c%5Bt%5Dw%5Bd%5DD" rel="external nofollow" target="_blank">Customers Ask Alexa</a>,” which allows brands to submit their own answers to questions you may ask the device. 
	</p>
</div>

<div class="duet--article--article-body-component">
	<p class="duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 -tracking-1 leading-160 dark:text-white selection:bg-franklin-20 dark:selection:bg-blurple [&amp;_a]:shadow-underline-black [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a]:shadow-underline-white">
		One such example was “How can I remove pet hair from my carpet?” which would usually provide generic tips or advice pulled from the web. Now, as <a href="https://techcrunch.com/2022/09/14/alexa-answers-customer-questions-with-ads/" rel="external nofollow">reported by <em>TechCrunch</em></a>, brands can submit their own answers (presumably in the form of recommending their own products) and link the inquirer to their Amazon storefront.
	</p>
</div>

<div class="duet--article--article-body-component">
	<p class="duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 -tracking-1 leading-160 dark:text-white selection:bg-franklin-20 dark:selection:bg-blurple [&amp;_a]:shadow-underline-black [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a]:shadow-underline-white">
		Popping ads into top search results is nothing new, of course. It’s <a href="https://www.theverge.com/tldr/2020/1/23/21078343/google-ad-desktop-design-change-favicon-icon-ftc-guidelines" rel="external nofollow">a huge part of Google’s business</a>, and <a href="https://www.theverge.com/2022/7/29/23284272/apple-app-store-ads-today-tab-page-search" rel="external nofollow">Apple has grown more aggressive</a> with advertising within the App Store, even as users and developers report it makes it harder for people to find what they’re looking for as the top recommendations reflect the highest bidder instead of the best result. Voice interactions from Echo devices are also <a href="https://www.theverge.com/2022/4/28/23047026/amazon-alexa-voice-data-targeted-ads-research-report" rel="external nofollow">already being used to target consumers with ads</a>, sharing the data about their requests (without the voice recordings themselves) with as many as 41 advertising partners.
	</p>
</div>

<p>
	<img alt="Amazon_Echo_ads.jpg&amp;w=750&amp;q=75" class="ipsImage" data-ratio="58.75" height="406" width="720" src="https://www.theverge.com/_next/image?url=https://cdn.vox-cdn.com/thumbor/LvKC3ZTixbC63hjoh4jSqwSGwCc=/0x0:1317x743/1317x743/filters:focal(659x372:660x373)/cdn.vox-cdn.com/uploads/chorus_asset/file/24025606/Amazon_Echo_ads.jpg&amp;w=750&amp;q=75">
</p>

<p>
	<em>Brands on the Amazon Brand Registry who were invited to the beta will be able to see the new Customers Ask Alexa feature in Seller Central.</em>
</p>

<p>
	<cite class="duet--article--dangerously-set-cms-markup inline not-italic [&amp;&gt;a:hover]:text-black [&amp;&gt;a]:shadow-underline-gray-63 [&amp;&gt;a:hover]:shadow-underline-black text-gray-63">Image: Amazon</cite>
</p>

<p>
	 
</p>

<p>
	“Amazon recognizes brands as experts on their products,” said Rajiv Mehta, general manager of Alexa Shopping at Amazon. “With this new capability, we have made it easier for brands to connect with customers to help answer common questions and better inform their purchase decisions.”
</p>

<div class="duet--article--article-body-component">
	<p class="duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 -tracking-1 leading-160 dark:text-white selection:bg-franklin-20 dark:selection:bg-blurple [&amp;_a]:shadow-underline-black [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a]:shadow-underline-white">
		All answers will need to go through Alexa’s content moderation and quality checks before the most appropriate option is selected, though that doesn’t ease my concerns that this is a system that has the potential to be abused. The feature will be available in Seller Central for a select group of brands beginning October 2022 on an invite-only basis initially, with plans to roll out to all eligible brands in the US in 2023.
	</p>
</div>

<div class="duet--article--article-body-component">
	<p class="duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 -tracking-1 leading-160 dark:text-white selection:bg-franklin-20 dark:selection:bg-blurple [&amp;_a]:shadow-underline-black [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a]:shadow-underline-white">
		As if the idea of your speaker spitting out adverts wasn’t annoying enough, another announcement from the same event reveals that Amazon could also soon allow brands and merchants you’ve purchased from to email you directly.
	</p>
</div>

<div class="duet--article--article-body-component">
	<p class="duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 -tracking-1 leading-160 dark:text-white selection:bg-franklin-20 dark:selection:bg-blurple [&amp;_a]:shadow-underline-black [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a]:shadow-underline-white">
		Where Amazon previously only allowed sellers to contact customers who had willingly opted to follow brands or stores, the new <a href="https://press.aboutamazon.com/news-releases/news-release-details/amazon-launches-free-email-marketing-capabilities-sellers-reach?ascsubtag=%5B%5Dvg%5Bp%5D51e642be-559e-4f11-95fe-9f8d234eba1c%5Bt%5Dw%5Bd%5DD" rel="external nofollow" target="_blank">Tailored Audiences</a> feature will permit third-party sellers and brands to run personalized email marketing campaigns across three new groups: repeat customers, high-spend customers, and recent customers. Amazon is currently testing Tailored Audiences in a beta program, and the company plans to make it available to all US sellers in early 2023.
	</p>
</div>

<div class="[&amp;_*]:mt-4 [&amp;_*]:mb-10 [&amp;_*]:ml-0 [&amp;_h2]:lg:text-33 [&amp;_h3]:lg:text-26 [&amp;_h5]:text-black">
	<h3 class="duet--article--dangerously-set-cms-markup duet--article--standard-heading mt-40 mb-20 font-polysans text-26 font-medium leading-110 dark:text-white selection:bg-franklin-20 dark:selection:bg-blurple [&amp;&gt;a:hover]:shadow-highlight-franklin [&amp;&gt;a]:shadow-underline-black dark:[&amp;&gt;a:hover]:shadow-highlight-franklin dark:[&amp;&gt;a]:shadow-underline-white md:text-30">
		How to opt out of targeted ads with Alexa
	</h3>
</div>

<div class="[&amp;_p]:font-polysans [&amp;_p]:text-16 [&amp;_p]:font-light [&amp;_p]:leading-130">
	<p class="duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 -tracking-1 leading-160 dark:text-white selection:bg-franklin-20 dark:selection:bg-blurple [&amp;_a]:shadow-underline-black [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a]:shadow-underline-white">
		Alexa customers can opt out of interest-based ads from Amazon on its <a href="https://www.amazon.com/adprefs?ascsubtag=%5B%5Dvg%5Bp%5D51e642be-559e-4f11-95fe-9f8d234eba1c%5Bt%5Dw%5Bd%5DD" rel="external nofollow" target="_blank">Advertising Preferences Page</a>. While there is no mention here of Echo devices, Amazon spokesperson Lauren Raemhild confirmed to <em>The Verge</em> that it does include ads on devices and services such as Alexa. 
	</p>
</div>

<div class="[&amp;_p]:font-polysans [&amp;_p]:text-16 [&amp;_p]:font-light [&amp;_p]:leading-130">
	<p class="duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 -tracking-1 leading-160 dark:text-white selection:bg-franklin-20 dark:selection:bg-blurple [&amp;_a]:shadow-underline-black [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a]:shadow-underline-white">
		For Alexa devices, there are additional privacy controls managed through Settings &gt; Alexa Privacy in the Alexa app or at <a href="https://www.amazon.com/alexaprivacysettings?ascsubtag=%5B%5Dvg%5Bp%5D51e642be-559e-4f11-95fe-9f8d234eba1c%5Bt%5Dw%5Bd%5DD" rel="external nofollow" target="_blank">amazon.com/alexaprivacysettings</a>. Here, you can see and manage your voice recordings as well as manage the permissions granted to skills. To manage third-party skills advertising preferences, you will need to go to their app or website.
	</p>
</div>

<p>
	 
</p>

<p>
	<a href="https://www.theverge.com/2022/9/15/23354968/amazon-echo-alexa-ads-questions-smart-speaker" rel="external nofollow">Amazon Echo may soon answer your questions with ads</a>
</p>
]]></description><guid isPermaLink="false">8462</guid><pubDate>Thu, 15 Sep 2022 18:52:17 +0000</pubDate></item><item><title>Avast acquires I don't care about Cookies browser extension</title><link>https://nsaneforums.com/news/security-privacy-news/avast-acquires-i-dont-care-about-cookies-browser-extension-r8461/</link><description><![CDATA[<p>
	Avast, a company known for its security products and services, has acquired the popular browser extension I don't care about cookies.
</p>

<p>
	 
</p>

<p>
	<img alt="cookies-avast.png" class="ipsImage" data-ratio="75.10" height="382" width="720" src="https://www.ghacks.net/wp-content/uploads/2022/09/cookies-avast.png">
</p>


<p>
	 
</p>


<p>
	The extension automatically handles the cookie notices that most websites display these days. Instead of having to click one or multiple buttons to submit your cookie preferences to a site, the extension handles these prompts for you.
</p>

<p>
	 
</p>

<p>
	The browser extension may accept all cookies or only necessary ones, staying true to its name. The developer suggests using other means, such as blocking third-party cookies, to improve privacy while online. I don't care about cookies aims only to remove an annoyance on the Internet.
</p>

<p>
	 
</p>

<p>
	The developer of the extension <a data-wpel-link="external" href="https://www.i-dont-care-about-cookies.eu/whats-new/acquisition/" rel="external nofollow" target="_blank">published</a> a short message on the official website about Avast's acquisition. According to the information, the extension remains free and the developer continues to work on the project.
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	Avast offered to acquire the project so that we can help each other in creating even better products and I decided to accept the offer: "I don't care about cookies" is now officially a member of Avast family
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	I will keep working on the project and the extension will remain free to use. Donations are not needed anymore to keep the project going, of course.
</p>

<p>
	 
</p>

<p>
	Avast has not published a press release about the acquisition so far. Avast's motivation for acquiring the extension is unknown at this point. It is possible that the company is planning to integrate the functionality into some of its products.
</p>

<p>
	 
</p>

<p>
	Alternatives to I don't care about cookies are available. We reviewed <a data-wpel-link="internal" href="https://www.ghacks.net/2022/03/24/cookie-block-corrects-gdpr-violations-in-the-browser/" rel="external nofollow">Cookie Block</a> and <a data-wpel-link="internal" href="https://www.ghacks.net/2020/07/22/never-consent-refuses-gdpr-consents-automatically/" rel="external nofollow">Never-Consent</a> recently, which reject consent on many Internet sites. These extensions attempt to pick the best choice for the user automatically, which is almost always to reject consent for all cookies except the necessary ones.
</p>

<p>
	 
</p>

<p>
	<strong>Now You</strong>: what is your take on the acquisition? (via <a data-wpel-link="external" href="https://www.deskmodder.de/blog/2022/09/15/i-dont-care-about-cookies-von-avast-uebernommen/#comments" rel="external nofollow" target="_blank">Deskmodder</a>)
</p>

<p>
	 
</p>


<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2022/09/15/avast-acquires-i-dont-care-about-cookies-browser-extension/" rel="external nofollow">Avast acquires I don't care about Cookies browser extension</a>
</p>
]]></description><guid isPermaLink="false">8461</guid><pubDate>Thu, 15 Sep 2022 18:45:26 +0000</pubDate></item><item><title>Phishing page embeds keylogger to steal passwords as you type</title><link>https://nsaneforums.com/news/security-privacy-news/phishing-page-embeds-keylogger-to-steal-passwords-as-you-type-r8447/</link><description><![CDATA[<p>
	<span style="font-size:14px;">A novel phishing campaign is underway, targeting Greeks with phishing sites that mimic the state's official tax refund platform and steal credentials as they type them.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The campaign aims to trick victims into entering their banking credentials on the sites, allegedly to confirm themselves and give authorization for a tax refund.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, everything users type on these sites, even if they never click on submit to complete the login process, is sent directly to the malicious actors.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The campaign was discovered by researchers at cyber-intelligence firm <a href="https://blog.cyble.com/2022/09/14/phishing-campaign-targets-greek-banking-users/" rel="external nofollow">Cyble</a>, who shared their findings exclusively with BleepingComputer.</span>
</p>

<h2>
	<span style="font-size:14px;">Targeting Greek taxpayers</span>
</h2>

<p>
	<span style="font-size:14px;">The threat actors are sending phishing emails claiming that the Hellenic Tax Office has calculated a tax return amounting to 634 Euros but failed to send the funds to the beneficiary's bank account due to validation issues.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="portal-notice.png" class="ipsImage" data-ratio="75.10" height="411" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Website%20snaps/portal-notice.png" />
</div>

<div>
	<span style="font-size:14px;">Notice about tax return on the fake portal (Cyble)</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">The emails contain links that point to multiple phishing URLs impersonating the Greek government tax portal, like “govgr-tax[.]me/ret/tax”, “govgreece-tax[.]me”, and “mygov-refund[.]me/ret/tax”.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In the fake portal, visitors are asked to select their banking institution, with the phishing actors offering seven options, including several major Greek banks.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="bank-option.png" class="ipsImage" data-ratio="75.10" height="419" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Website%20snaps/bank-option.png" />
</div>

<div>
	<span style="font-size:14px;">Bank options given to the victim (Cyble)</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">Depending on the selection, the user is redirected to a fake login page themed after the selected financial institution, hosted on the same phishing domain.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="national-bank.png" class="ipsImage" data-ratio="73.19" height="358" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Website%20snaps/national-bank.png" />
</div>

<div>
	<span style="font-size:14px;">Fake National Bank of Greece login page (Cyble)</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">A JavaScript keylogger on these pages captures all keystrokes and sends them to the actor's server, allowing the attackers real-time access to the stolen credentials.</span>
</p>

<p>
	 
</p>

<div>
	<span style="font-size:14px;"><img alt="Javascript keylogger code" data-ratio="109.25" src="https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/keylogger-code.png" /></span>
</div>

<div>
	<span style="font-size:14px;">Javascript keylogger code (Cyble)</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">Thanks to this aggressive phishing system, even if the victim realizes the fraud before they finish logging in to their bank account, the attackers will have already stolen the credentials.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="network-communication(1).png" class="ipsImage" data-ratio="75.10" height="373" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Security/network-communication(1).png" />
</div>

<div>
	<span style="font-size:14px;">Keylogger network communication with C2 (Cyble)</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">The practice of aggressive keypress logging was documented recently in a study that revealed that many of the world's top-ranking websites feature third-party trackers that can <a href="https://www.bleepingcomputer.com/news/security/third-party-web-trackers-log-what-you-type-before-submitting/" rel="external nofollow">log what visitors type</a> even before they press "submit."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The companies hiding behind the most prolific of those trackers are advertising organizations, so their goal was to empower targeted advertising operations rather than to steal account credentials.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, using real-time keylogging, as we see in this phishing campaign targeting Greeks, is rare and could be the start of a new trend in the field.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Using a keylogger instead of sending email-password pairs submitted on phishing forms to the C2 increases the success rate, even if it comes at an elevated risk of snatching passwords that have been mistyped.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Finally, the JavaScript keylogger will load and work as intended even if the victim has set their browser to block all third-party trackers, because it is served by the phishing page itself rather than by a third-party domain, so there's no way to stop it proactively.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Users are advised to remain vigilant when receiving unsolicited emails making bold claims or offering money, items, and other benefits.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In cases of receiving tax return notifications, use a search engine to locate the official tax portal of your country and then log in to check the status of your account and any unread notices you need to review.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">As always, never click on links embedded in email messages or contained in attached files like DOCXs and PDFs without first confirming their authenticity.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Source: Bleeping Computer</span>
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/phishing-page-embeds-keylogger-to-steal-passwords-as-you-type/" rel="external nofollow">https://www.bleepingcomputer.com/news/security/phishing-page-embeds-keylogger-to-steal-passwords-as-you-type/</a></span>
</p>
]]></description><guid isPermaLink="false">8447</guid><pubDate>Wed, 14 Sep 2022 19:40:02 +0000</pubDate></item><item><title>Latest .NET 6.0.9 fixes stack overflow denial of service in .NET Core and Visual Studio</title><link>https://nsaneforums.com/news/security-privacy-news/latest-net-609-fixes-stack-overflow-denial-of-service-in-net-core-and-visual-studio-r8445/</link><description><![CDATA[<p>
	Microsoft today has released .NET September 2022 updates in the form of .NET 6.0.9 and .NET Core 3.1.29. The major highlight of the new release is a security fix for .NET Core and Visual Studio stack overflow Denial of Service (DoS) vulnerability. The security flaw has been assigned the tracking ID "<a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38013" rel="external nofollow">CVE-2022-38013</a>". It has a high severity rating with a Common Vulnerability Scoring System (CVSS) score of 7.5.
</p>

<p>
	 
</p>

<p>
	The company says:
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6 and .NET Core 3.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	A denial of service vulnerability exists in ASP.NET Core 3.1 and .NET 6.0 where a malicious client could cause a stack overflow which may result in a denial of service attack when an attacker sends a customized payload that is parsed during model binding.
</p>

<p>
	 
</p>


<p>
	Aside from the security fixes, the new releases also feature <a href="https://github.com/dotnet/runtime/issues" rel="external nofollow">runtime improvements</a>.
</p>

<p>
	 
</p>

<p>
	.NET 6.0.9 and .NET Core 3.1.29 are available for Windows, macOS, and Linux, for x86, x64, Arm32, and Arm64. In terms of Visual Studio compatibility, you'll need Visual Studio 17.3 or later to use .NET 6.0 on Windows. On macOS, you'll need the latest version of Visual Studio for Mac.
</p>

<p>
	 
</p>

<p>
	You can find more information in the official <a href="https://devblogs.microsoft.com/dotnet/september-2022-updates/" rel="external nofollow">blog post</a>.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/latest-net-609-fixes-stack-overflow-denial-of-service-in-net-core-and-visual-studio/" rel="external nofollow">Latest .NET 6.0.9 fixes stack overflow denial of service in .NET Core and Visual Studio</a>
</p>
]]></description><guid isPermaLink="false">8445</guid><pubDate>Wed, 14 Sep 2022 19:36:58 +0000</pubDate></item><item><title>Microsoft Teams stores auth tokens as cleartext in Windows, Linux, Macs</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs-r8444/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Security analysts have found a severe security vulnerability in the desktop app for Microsoft Teams that gives threat actors access to authentication tokens and, through them, to accounts even when multi-factor authentication (MFA) is turned on.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Microsoft Teams is a communication platform, included in the 365 product family, used by more than 270 million people for exchanging text messages, videoconferencing, and storing files.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The newly discovered security issue impacts versions of the application for Windows, Linux, and Mac and refers to Microsoft Teams storing user authentication tokens in clear text without protecting access to them.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">An attacker with local access on a system where Microsoft Teams is installed could steal the tokens and use them to log into the victim's account.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"This attack does not require special permissions or advanced malware to get away with major internal damage," Connor Peoples at cybersecurity company Vectra explains in a report this week.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The researcher adds that by taking "control of critical seats–like a company's Head of Engineering, CEO, or CFO—attackers can convince users to perform tasks damaging to the organization."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Vectra researchers discovered the problem in August 2022 and reported it to Microsoft. However, Microsoft did not agree on the severity of the issue and said that it doesn't meet the criteria for patching.</span>
</p>

<h2>
	<span style="font-size:14px;">Problem details</span>
</h2>

<p>
	<span style="font-size:14px;">Microsoft Teams is an Electron app, meaning that it runs in a browser window, complete with all the elements required by a regular web page (cookies, session strings, logs, etc.).</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Electron does not support encryption or protected file locations by default, so while the software framework is versatile and easy to use, it is not considered secure enough for developing mission-critical products unless extensive customization and additional work is applied.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Vectra analyzed Microsoft Teams while trying to find a way to remove deactivated accounts from client apps, and found a LevelDB (.ldb) file containing access tokens in clear text.</span>
</p>

<p>
	 
</p>

<div>
	<p>
		<span style="font-size:14px;">"Upon review, it was determined that these access tokens were active and not an accidental dump of a previous error. These access tokens gave us access to the Outlook and Skype APIs." - <a href="https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens" rel="external nofollow">Vectra</a></span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">Additionally, the analysts discovered that the "Cookies" folder also contained valid authentication tokens, along with account information, session data, and marketing tags.</span>
</p>

<p>
	 
</p>

<div>
	<span style="font-size:14px;"><img alt="Authentication token on the Cookies directory" data-ratio="5.13" src="https://www.bleepstatic.com/images/news/u/1220909/Software/token-on-database.png" /></span>
</div>

<div>
	<span style="font-size:14px;">Authentication token on the Cookies directory (Vectra)</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">Finally, Vectra developed an exploit by abusing an API call that allows sending messages to oneself. Using the SQLite engine to read the Cookies database, the researchers received the authentication tokens as a message in their own chat window.</span>
</p>

<p>
	 
</p>

<div>
	<span style="font-size:14px;"><img alt="Token received as text in the attacker's personal chat" data-ratio="12.82" src="https://www.bleepstatic.com/images/news/u/1220909/Software/token-message.png" /></span>
</div>

<div>
	<span style="font-size:14px;">Token received as text in the attacker's personal chat (Vectra)</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">The biggest concern is that this flaw will be abused by information-stealing malware, which has become one of the most commonly distributed payloads in phishing campaigns.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Using this type of malware, threat actors would be able to steal Microsoft Teams authentication tokens and remotely log in as the user, bypassing MFA and gaining full access to the account.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Information stealers are already doing this for other applications, such as Google Chrome, Microsoft Edge, Mozilla Firefox, Discord, and many more.</span>
</p>

<h2>
	<span style="font-size:14px;">Risk mitigation</span>
</h2>

<p>
	<span style="font-size:14px;">With a patch unlikely to be released, Vectra's recommendation is for users to switch to the browser version of the Microsoft Teams client. By using Microsoft Edge to load the app, users benefit from additional protections against token leaks.</span>
</p>

<p>
	<span style="font-size:14px;">The researchers advise Linux users to move to a different collaboration suite, especially since Microsoft announced plans to stop supporting the app for the platform by December.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Those who can't move to a different solution immediately can create a monitoring rule to detect processes accessing the following directories:</span>
</p>

<ul>
	<li>
		<span style="font-size:14px;">[Windows] %AppData%\Microsoft\Teams\Cookies</span>
	</li>
	<li>
		<span style="font-size:14px;">[Windows] %AppData%\Microsoft\Teams\Local Storage\leveldb</span>
	</li>
	<li>
		<span style="font-size:14px;">[macOS] ~/Library/Application Support/Microsoft/Teams/Cookies</span>
	</li>
	<li>
		<span style="font-size:14px;">[macOS] ~/Library/Application Support/Microsoft/Teams/Local Storage/leveldb</span>
	</li>
	<li>
		<span style="font-size:14px;">[Linux] ~/.config/Microsoft/Microsoft Teams/Cookies</span>
	</li>
	<li>
		<span style="font-size:14px;">[Linux] ~/.config/Microsoft/Microsoft Teams/Local Storage/leveldb</span>
	</li>
</ul>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">BleepingComputer has contacted Microsoft about the company's plans to release a fix for the issue and will update the article when we get an answer.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Update 9/14/22 - A Microsoft spokesperson sent us the following comment regarding Vectra's findings:</span>
</p>

<blockquote>
	<p>
		<span style="font-size:14px;">The technique described does not meet our bar for immediate servicing as it requires an attacker to first gain access to a target network.</span>
	</p>

	<p>
		 
	</p>

	<p>
		<span style="font-size:14px;">We appreciate Vectra Protect’s partnership in identifying and responsibly disclosing this issue and will consider addressing in a future product release.</span>
	</p>
</blockquote>

<p>
	<span style="font-size:14px;">Source: Bleeping Computer</span>
</p>

<div>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/" rel="external nofollow">https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/</a></span>
</div>
]]></description><guid isPermaLink="false">8444</guid><pubDate>Wed, 14 Sep 2022 19:35:01 +0000</pubDate></item><item><title>CISA orders agencies to patch Windows, iOS bugs used in attacks</title><link>https://nsaneforums.com/news/security-privacy-news/cisa-orders-agencies-to-patch-windows-ios-bugs-used-in-attacks-r8441/</link><description><![CDATA[<p>
	<span style="font-size:14px;">CISA added two new vulnerabilities to its list of security bugs exploited in the wild today, including a Windows privilege escalation vulnerability and an arbitrary code execution flaw affecting iPhones and Macs.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The elevation of privileges bug in the Windows Common Log File System Driver is tracked as CVE-2022-37969, enabling local attackers to gain SYSTEM privileges following successful exploitation.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Microsoft patched the vulnerability discovered and reported by researchers at DBAPPSecurity, Mandiant, CrowdStrike, and Zscaler during the <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-september-2022-patch-tuesday-fixes-zero-day-used-in-attacks-63-flaws/" rel="external nofollow">September 2022 Patch Tuesday</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"We found this 0Day bug during a proactive Offensive Task Force exploit hunting mission. An escalation of privilege (EOP) exploit was found in the wild, exploiting this Common Log File System (CLFS) vulnerability," Dhanesh Kizhakkinan, Senior Principal Vulnerability Engineer at Mandiant, told BleepingComputer.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"The exploit seems to stand-alone and not part of a chain (like browser + EOP)."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Apple also <a href="https://www.bleepingcomputer.com/news/security/apple-fixes-eighth-zero-day-used-to-hack-iphones-and-macs-this-year/" rel="external nofollow">patched the arbitrary code execution vulnerability</a> (CVE-2022-32917) on Monday and confirmed that it was exploited in attacks as a zero-day bug in the iOS and macOS kernel.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This was the eighth zero-day used in the wild that Apple addressed since the start of the year, all of them most likely used only in highly-targeted attacks.</span>
</p>

<h2>
	<span style="font-size:14px;">Federal agencies ordered to patch within three weeks</span>
</h2>

<p>
	<span style="font-size:14px;">A <a href="https://www.bleepingcomputer.com/news/security/cisa-orders-federal-agencies-to-fix-hundreds-of-exploited-security-flaws/" rel="external nofollow">binding operational directive (BOD 22-01)</a> issued in November 2021 says that all Federal Civilian Executive Branch (FCEB) agencies have to secure their networks against bugs added to CISA's catalog of <a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog" rel="external nofollow">Known Exploited Vulnerabilities</a> (KEV).</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">CISA has given Federal Civilian Executive Branch (FCEB) agencies three weeks, until October 10th, to address these two security flaws and block attacks that could target their systems.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Even though the directive only applies to U.S. federal agencies, the cybersecurity agency <a href="https://www.cisa.gov/uscert/ncas/current-activity/2022/09/14/cisa-adds-two-known-exploited-vulnerabilities-catalog" rel="external nofollow">strongly urged</a> all organizations to fix the Windows privilege escalation and the Apple kernel code execution flaws to thwart exploitation attempts.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise," CISA warned today.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Since BOD 22-01 was issued, CISA has added over 800 security flaws to the catalog of bugs exploited in the wild, requiring federal agencies to address them on a tighter schedule to block attacks and potential security breaches.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Source: Bleeping Computer</span>
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/cisa-orders-agencies-to-patch-windows-ios-bugs-used-in-attacks/" rel="external nofollow">https://www.bleepingcomputer.com/news/security/cisa-orders-agencies-to-patch-windows-ios-bugs-used-in-attacks/</a></span>
</p>
]]></description><guid isPermaLink="false">8441</guid><pubDate>Wed, 14 Sep 2022 19:29:07 +0000</pubDate></item><item><title>New PsExec spinoff lets hackers bypass network security defenses</title><link>https://nsaneforums.com/news/security-privacy-news/new-psexec-spinoff-lets-hackers-bypass-network-security-defenses-r8440/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Security researchers have developed an implementation of the Sysinternals PsExec utility that allows moving laterally in a network using a single, less monitored port, Windows TCP port 135.</span>
</p>

<p>
	<span style="font-size:14px;">PsExec is designed to help administrators execute processes remotely on machines in the network without the need to install a client.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Threat actors have also adopted the tool and are frequently using it in post-exploitation stages of an attack to spread on the network, run commands on multiple systems, or deploy malware.</span>
</p>

<p>
	 
</p>


<h3>
	<span style="font-size:14px;">PsExec and the TCP ports it needs</span>
</h3>

<p>
	<span style="font-size:14px;">While the original PsExec is available in the <a href="https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite" rel="external nofollow">Sysinternals utility suite</a>, there is also an implementation in the Impacket collection of Python classes for working with network protocols, which has support for SMB and other protocols like IP, UDP, TCP that enable connections for HTTP, LDAP (Lightweight Directory Access Protocol), and Microsoft SQL Server (MSSQL).</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Both the original version and the Impacket variant work in a similar way. They use an SMB connection and are based on port 445, which needs to be open to communicate over the SMB network file-sharing protocol.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">They also manage Windows services (create, execute, start, stop) through Remote Procedure Calls (RPC), a protocol that enables high-level communication with the operating system.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">For extended functionality, though, port 135 is required. Blocking this port alone, however, does not prevent a threat actor from completing an attack; port 445, by contrast, is essential for PsExec to work.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Because of this, defenders mostly focus on blocking port 445, which is essential for PsExec to execute commands or run files. This works in most cases but is not enough.</span>
</p>

<h3>
	<span style="font-size:14px;">New PsExec implementation</span>
</h3>

<p>
	<span style="font-size:14px;">Based on the Impacket library, researchers at <a href="https://pentera.io/" rel="external nofollow">Pentera</a>, a company that provides an automated security validation solution, have built an implementation of the PsExec tool that runs only on port 135.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This achievement brings changes to the defense game since blocking just port 445 to restrict malicious PsExec activity is no longer a reliable option for most attacks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">“We found that the SMB protocol is used to upload the binary and to forward the input and output,” Yuval Lazar, a senior security researcher at Pentera explains.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Lazar adds in a report shared with BleepingComputer that commands are executed through Distributed Computing Environment / Remote Procedure Calls (DCE/RPC) and processes “run regardless of the output.”</span>
</p>

<p>
	 
</p>

<div>
	<img alt="PsExec135_Pentera.png" class="ipsImage" data-ratio="59.72" height="193" width="720" src="https://www.bleepstatic.com/images/news/u/1100723/2022/PsExec135_Pentera.png" />
</div>

<div>
	<span style="font-size:14px;">Running PsExec commands over port 135 - source: Pentera Labs</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">The PsExec variation from Pentera uses an RPC connection, which enabled the researchers to create a service that runs an arbitrary command without communicating over SMB port 445 for either transport or output.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="PsExec135RPC_Pentera.jpg" class="ipsImage" data-ratio="75.10" height="340" width="720" src="https://www.bleepstatic.com/images/news/u/1100723/2022/PsExec135RPC_Pentera.jpg" />
</div>

<div>
	<span style="font-size:14px;">Pentera's PsExec implementation creates a DCE/RPC connection without SMB - source: Pentera Labs</span>
</div>

<h3>
	<span style="font-size:14px;">All-out monitoring needed</span>
</h3>

<p>
	<span style="font-size:14px;">Unlike the original PsExec in the Sysinternals suite, Pentera’s variant has a higher chance of moving through a network undetected, Lazar told BleepingComputer, because many organizations keep an eye on port 445 and SMB but not on port 135.</span>
</p>

<p>
	 
</p>

<div>
	<p>
		<span style="font-size:14px;">“What we’ve noticed is that while many organizations implement a lot of the mitigations based on SMB and port 445, they overlook other important ports such as 135” - Yuval Lazar, Senior Security Researcher at Pentera</span>
	</p>
</div>

<p>
	<span style="font-size:14px;">Another point Lazar makes is that other PsExec implementations have to use SMB because they are file-based. Pentera’s variant is fileless, the researcher said, which would make it more difficult to detect.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Lazar’s research on PsExec highlights that while security vulnerabilities like PetitPotam [<a href="https://www.bleepingcomputer.com/news/microsoft/new-petitpotam-attack-allows-take-over-of-windows-domains/" rel="external nofollow">1</a>, <a href="https://www.bleepingcomputer.com/news/security/microsoft-fixes-new-petitpotam-windows-ntlm-relay-attack-vector/" rel="external nofollow">2</a>] and <a href="https://www.bleepingcomputer.com/news/microsoft/new-dfscoerce-ntlm-relay-attack-allows-windows-domain-takeover/" rel="external nofollow">DFSCoerce</a> have drawn attention to the risk RPC poses, the resulting mitigations have focused on NTLM relay prevention rather than on monitoring DCE/RPC traffic.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Based on Pentera’s observations, blocking or monitoring RPC traffic is not common practice in corporate environments. The reason in many cases is that defenders are unaware that RPC can introduce a security risk to the network if left unchecked.</span>
</p>

<p>
	 
</p>

<div>
	<p>
		<span style="font-size:14px;">“Security teams need to understand how different ports can be used by hackers so that they know what to monitor them for” - Yuval Lazar</span>
	</p>
</div>

<p>
	<span style="font-size:14px;"><a href="https://twitter.com/wdormann/status/1523638101796564993" rel="external nofollow">Will Dormann</a>, vulnerability analyst at the CERT/CC, agrees that blocking TCP port 445 alone is insufficient to block malicious activity relying on the tool.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"If people think that blocking 445 only is enough to prevent PsExec (and other RPC-related things), then they are mistaken," the researcher told BleepingComputer.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">PsExec is based on SMB and RPC connections, which require ports 445, 139, and 135. However, Lazar added that there is an RPC implementation on top of HTTP, meaning that PsExec could potentially work over port 80, too.</span>
</p>

<h3>
	<span style="font-size:14px;">PsExec popular with ransomware actors</span>
</h3>

<p>
	<span style="font-size:14px;">Hackers have been using PsExec in their attacks for a long time. Ransomware gangs, in particular, adopted it to deploy file-encrypting malware.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In an attack that lasted just one hour, NetWalker ransomware <a href="https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/" rel="external nofollow">used PsExec</a> to run their payload on all systems in a domain.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In a more recent example, the Quantum ransomware gang relied on <a href="https://thedfirreport.com/2022/04/25/quantum-ransomware/" rel="external nofollow">PsExec and WMI to encrypt systems</a> in an attack that took only two hours to complete after gaining access via IcedID malware.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">A report from Microsoft in June details an <a href="https://www.microsoft.com/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/" rel="external nofollow">attack by the BlackCat ransomware gang</a>, which also used PsExec to distribute its ransomware payload.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Another example is from the recently disclosed <a href="https://www.bleepingcomputer.com/news/security/cisco-confirms-yanluowang-ransomware-leaked-stolen-company-data/" rel="external nofollow">Cisco breach</a>, where the Yanluowang ransomware gang used PsExec to add registry values remotely, allowing the threat actor to leverage the accessibility features available on the Windows logon screen.</span>
</p>

<p>
	<span style="font-size:14px;">Update [September 13, 10:10 EST]: Article updated with comment from Will Dormann, vulnerability analyst at the U.S. CERT Coordination Center.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Source: Bleeping Computer</span>
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/new-psexec-spinoff-lets-hackers-bypass-network-security-defenses/" rel="external nofollow">https://www.bleepingcomputer.com/news/security/new-psexec-spinoff-lets-hackers-bypass-network-security-defenses/</a></span>
</p>
]]></description><guid isPermaLink="false">8440</guid><pubDate>Wed, 14 Sep 2022 19:26:50 +0000</pubDate></item></channel></rss>
