The majority of RSS feeds can be read and updated without cookies. Only some require cookies, usually to access content that is blocked otherwise.

A user of RSS Guard noticed that RSS Guard was writing a lot of data to disk. On further investigation, the user identified the Reddit RSS feeds as the culprit. Monitoring revealed that three subscribed Reddit feeds were writing 8 Gigabytes of data to the disk in less than 24 hours. Reddit's RSS feed sends cookies and RSS Guard manages these by default.

All other feeds did not send cookies, which meant, that they would not write to disk because of it.

Note: All writes happened to the config.ini file of RSS Guard. Windows users find the file under C:\Users\[Username]\AppData\Local\RSS Guard 4\config. The cookies section of the file lists all current cookies.

There is no reason for that, as the feeds update fine without cookies. Users may want to block cookies in RSS Guard to avoid similar scenarios.

Thankfully, cookie blocking functionality was added in a recent update by the application's lead developer. The feature is not enabled by default. The following section explains how to configure RSS Guard to block all cookies when retrieving RSS feeds.

1. Open the RSS Guard application on your system. RSS Guard is available for multiple operating system, but the Setting is available in all of them.
2. Check Help > Check for Updates to make sure you are running the latest version. Cookie blocking behavior was introduced in version 4.2.3 of the application. The latest version is 4.2.4 at the time of writing.
3. Select Tools > Settings, or use the keyboard shortcut Ctrl-S.
4. Go to Network & web & tools.
5. Check the "Do not accept any incoming cookies" box under Network.
6. Select OK to apply the change.

That is all there is to it.

Now You: which RSS feed reader do you use? Does it accept cookies?

How to configure RSS Guard to block all cookies

The threat group, tracked as Worok by ESET security researchers who first spotted it, has also attacked targets from Africa and the Middle East.

To date, Worok has been linked to attacks against telecommunications, banking, maritime, and energy companies, as well as military, government, and public sector entities.

In late 2020, Worok targeted a telecommunications company in East Asia, a bank in Central Asia, a maritime industry company in Southeast Asia, a government entity in the Middle East, and a private company in southern Africa.

While there have been no sightings until February 2022, ESET once again linked the group with new attacks against an energy company in Central Asia and a public sector entity in Southeast Asia.

"We believe the malware operators are after information from their victims because they focus on high-profile entities in Asia and Africa, targeting various sectors, both private and public, but with a specific emphasis on government entities," ESET malware researcher Thibaut Passilly said.

Even though the group used ProxyShell exploits to gain initial access to its victims' networks, the initial access vector remains unknown for most of its breaches.

"In such cases, typically webshells have been uploaded after exploiting these vulnerabilities, in order to provide persistence in the victim's network. Then the operators used various implants to gain further capabilities," Passilly added.

Worok's malicious toolset includes two loaders, a C++ loader known as CLRLoad and a C# loader dubbed PNGLoad helps the attackers hide malware payloads in PNG image files using steganography.

While ESET is yet to retrieve one of the final payloads delivered in the group's attacks, it did spot a new PowerShell backdoor dubbed PowHeartBeat, which replaced CLRLoad in incidents observed since February 2022 as the tool designed to launch PNGLoad on compromised systems.

PowHeartBeat comes with a wide range of capabilities, including file manipulation and command or process execution, as well as uploading or downloading files to and from victims' devices.

"Activity times and toolset indicate possible ties with TA428, but we make this assessment with low confidence," Passilly concluded.

"While our visibility is limited, we hope that shedding light on this group will encourage other researchers to share information about this group."

Source: Bleeping Computer

https://www.bleepingcomputer.com/news/security/new-worok-cyber-espionage-group-targets-governments-high-profile-firms/

The malware exploits vulnerabilities to elevate its privileges, adds persistence on the host via crontab, and eventually launches a cryptocurrency miner on infected devices.

Shikitega is quite stealthy, managing to evade anti-virus detection using a polymorphic encoder that makes static, signature-based detection impossible.

An intricate infection chain

While the initial infection method is not known at this time, researchers at AT&T who discovered Shikitega say the malware uses a multi-step infection chain where each layer delivers only a few hundred bytes, activating a simple module and then moving to the next one.

"Shiketega malware is delivered in a sophisticated way, it uses a polymorphic encoder, and it gradually delivers its payload where each step reveals only part of the total payload.," explains AT&T’s report.

The infection begins with a 370 bytes ELF file, which is the dropper containing encoded shellcode.

The encoding is performed using the polymorphic XOS additive feedback encoder ‘Shikata Ga Nai,’ previously analyzed by Mandiant.

“Using the encoder, the malware runs through several decode loops, where one loop decodes the next layer until the final shellcode payload is decoded and executed,” continues the report.

“The encoder stud is generated based on dynamic instruction substitution and dynamic block ordering. In addition, registers are selected dynamically.”

After the decryption is completed, the shellcode is executed to contact the malware's command and control servers (C2) and receive additional shellcode (commands) stored and run directly from memory.

One of these commands downloads and executes ‘Mettle,’ a small and portable Metasploit Meterpreter payload that gives the attackers further remote control and code execution options on the host.

Mettle fetches yet a smaller ELF file, which exploits CVE-2021-4034 (aka PwnKit) and CVE-2021-3493 to elevate privileges and download the final stage payload, a cryptocurrency miner, as root.

Persistence for the crypto miner is achieved by downloading five shell scripts that add four cronjobs, two for the root user and two for the current user.

The crontabs are an effective persistence mechanism, so all downloaded files are wiped to reduce the likelihood of the malware being discovered.

The crypto miner is XMRig version 6.17.0, focusing on mining the anonymity-focused and hard-to-trace Monero.

To further reduce the chances of raising alarms on network security products, the threat actors behind Shikitega use legitimate cloud hosting services to host their command and control infrastructure.

This choice costs more money and puts the operators at risk of being traced and identified by law enforcement but offers better stealthiness in the compromised systems.

The AT&T team reports a sharp rise in Linux malware this year, advising system admins to apply the available security updates, use EDR on all endpoints, and take regular backups of most important data.

For now, Shikitega appears focused on Monero mining, but the threat actors may decide that other, more potent payloads can be more profitable in the long run.

Source: Bleeping Computer

https://www.bleepingcomputer.com/news/security/new-linux-malware-evades-detection-using-multi-stage-deployment/

IHG is a British multinational company that currently operates 6,028 hotels in more than 100 countries and has more than 1,800 in the development pipeline.

Its brands include luxury, premium, and essential hotel chains such as InterContinental, Regent, Six Senses, Crowne Plaza, Holiday Inn, and many others.

"InterContinental Hotels Group PLC (IHG or the Company) reports that parts of the Company's technology systems have been subject to unauthorised activity," the company said in a filing with the London Stock Exchange on Tuesday.

"IHG's booking channels and other applications have been significantly disrupted since yesterday, and this is ongoing."

The global hotel group has hired the services of external experts to investigate the incident and is also notifying relevant regulatory authorities.

Signs of a ransomware attack?

While the company did not reveal any details regarding the nature of the attack, it did mention in its disclosure that it's working on restoring impacted systems.

This hints at a possible ransomware attack where the threat actors have deployed ransomware payloads and encrypted systems on IHG's network.

In most ransomware incidents, the attackers will also steal sensitive information from their targets' networks before encryption.

This is later used in double extortion schemes where the victims are pressured into paying a ransom under the threat of leaking the stolen data.

"IHG is working to fully restore all systems as soon as possible and to assess the nature, extent and impact of the incident," IHG added.

"We will be supporting hotel owners and operators as part of our response to the ongoing service disruption. IHG's hotels are still able to operate and to take reservations directly."

Last month, the Lockbit ransomware gang claimed an attack on Holiday Inn Istanbul Kadıköy, one of the hotels operated by IHG.

From BleepingComputer's tests, the hotel group's APIs are also down and showing 502 and 503 HTTP errors.

Customers are also unable to log in at the moment, with IHG's app displaying "Something is wrong. The credentials you entered are invalid. Please reset your password or contact Customer Care." errors.

Cybercrime intelligence company Hudson Rock says that IHG has at least 15 compromised employees and more than 4,000 compromised users, according to data linked to the ihg[.]com domain.

An IHG spokesperson denied commenting when contacted by BleepingComputer earlier today, saying that "outside of the statement, we don't have any more that we can say at the moment."

Source: Bleeping Computer

https://www.bleepingcomputer.com/news/security/intercontinental-hotels-group-cyberattack-disrupts-booking-systems/

"The FBI, CISA, and the MS-ISAC have recently observed Vice Society actors disproportionately targeting the education sector with ransomware attacks," today's joint advisory reads.

They also "anticipate attacks may increase as the 2022/2023 school year begins and criminal ransomware groups perceive opportunities for successful attacks."

The joint advisory also provides network defenders with Vice Society indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) observed by the FBI in attacks as recently as September 2022.

"The FBI, CISA, and the MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents," the advisory adds.

Attacks on the education sector, mainly targeting kindergarten through K-12 institutions, have a massive impact on their operations, ranging from restricted access to networks and data, delayed exams, and canceled school days to the theft of personal information belonging to students and school staff.

One such attack was disclosed today by Los Angeles Unified (LAUSD), the second largest school district in the U.S., after a ransomware attack took down some of its Information Technology (IT) systems over the weekend—LAUSD hasn't yet attributed the attack to a specific ransomware gang.

Victims asked to share attack details with the FBI

Network defenders are advised to take measures to defend against and limit the impact of ransomware attacks, including prioritizing and remediating known exploited vulnerabilities, training their users to recognize and report phishing attempts commonly used as initial attack vectors, and enabling and enforcing multifactor authentication.

The FBI also asked victims to share logs and other information linked to the attacks.

"The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Vice Society actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file," the federal law enforcement agency said.

Vice Society is a threat group known for deploying multiple ransomware strains on their victims' networks, such as Hello Kitty/Five Hands and Zeppelin ransomware.

They also steal sensitive data from compromised systems before encryption and later use it for double-extortion, threatening their victims to leak the stolen data if their ransom demand isn't paid.

One of the group's recent victims is the Austrian Medical University of Innsbruck which was forced to reset all 3,400 students' and 2,200 employees' account passwords after severe IT service disruption and data stolen in the attack being leaked on the gang's data leak site.

LAUSD enrolls more than 640,000 students, spanning from kindergarten through 12th grade. It includes Los Angeles and 31 smaller municipalities, as well as several Los Angeles County unincorporated sections.

The school district first revealed districtwide technical issues after discovering that the attackers disrupted access to LAUSD systems, including email servers.

Roughly seven hours later, it confirmed that this was a ransomware attack, tagging the incident as "criminal in nature."

LAUSD has reported the incident and is working with law enforcement and federal agencies (the FBI and CISA) as part of an ongoing investigation and incident response. 

"After the District contacted officials over the holiday weekend, the White House brought together the Department of Education, the Federal Bureau of Investigation (FBI) and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) to provide rapid, incident response support to Los Angeles Unified, building on the immediate support by local law enforcement agencies," the district said.

"At the District's request, agencies marshaled significant resources to assess, protect and advise Los Angeles Unified's response, as well as future planned mitigation protocols." 

Even though the attack disrupted LAUSD infrastructure, the district says schools will still open today while it works to restore impacted servers, with some expected delays affecting some services.

"While we do not expect major technical issues that will prevent Los Angeles Unified from providing instruction and transportation, food or Beyond the Bell services, business operations may be delayed or modified," LAUSD added.

"Based on a preliminary analysis of critical business systems, employee healthcare and payroll are not impacted, nor has the cyber incident impacted safety and emergency mechanisms in place at schools."

The district added that instruction and staffing, as well as payroll processing, were undisrupted by this incident. 

In November, the U.S. Department of Education and the Department of Homeland Security (DHS) were urged to strengthen cybersecurity protections at K-12 schools nationwide to keep up with a massive and ongoing wave of attacks.

The call for action came from U.S. Senators Maggie Hassan, Kyrsten Sinema, Jacky Rosen, and Chris Van Hollen after a Government Accountability Office (GAO) report assessing the Education Dept's current plan for addressing K-12 school threats (issued in 2010) to be significantly outdated and focusing on mitigating physical threats.

According to Emsisoft threat analyst Brett Callow, ransomware attacks have disrupted education at approximately 1,000 universities, colleges, and schools during 2021.

This number was lower than in 2020 (when 1,681 education institutions were affected), mainly because last year's ransomware attacks have hit smaller school districts.

Source: Bleeping Computer

https://www.bleepingcomputer.com/news/security/second-largest-us-school-district-lausd-hit-by-ransomware/

Newcastle-based transportation group Go-Ahead shared a statement with the London Stock Exchange indicating “unauthorized activity” had been discovered on its network yesterday.

“Upon becoming aware of the incident, Go-Ahead immediately engaged external forensic specialists and has taken precautionary measures with its IT infrastructure whilst it continues to investigate the nature and extent of the incident and implement its incident response plans,” it stated.

“Go-Ahead will continue to assess the potential impact of the incident but confirms that there is no impact on UK or International rail services which are operating normally.”

However, the same may not be true of its bus services. Sky News reported that bus and driver rosters may have been impacted by the attack, which could disrupt operations.

Go-Ahead operates multiple services in the South, South West, London, North West, East Anglia, East Yorkshire and its native North East.

It is London’s largest bus company, operating over 2400 buses in the capital and employing more than 7000 staff.

The firm also operates several high-capacity railway services in the UK including Great Northern, Thameslink, Gatwick Express and Southern.

The incident comes just weeks before Go-Ahead is due to be acquired by a consortium of Australia and New Zealand's largest bus network, Kinetic, and Spanish firm Globalvia. The acquisition previously estimated the value of the UK business at £669m.

It’s too early to say yet whether the “incident” is ransomware, but threat actors have targeted mass public transit systems frequently in the past.

Previous victims have included subway operators in Toronto, San Francisco and New York.

Source

On Friday, a hacking group known as 'AgainstTheWest' created a topic on a hacking forum claiming to have breached both TikTok and WeChat. The user shared screenshots of an alleged database belonging to the companies, which they say was accessed on an Alibaba cloud instance containing data for both TikTok and WeChat users.

The threat actor says this server holds 2.05 billion records in a massive 790GB database containing user data, platform statistics, software code, cookies, auth tokens, server info, and many more.

While the name AgainstTheWest may sound like the hacking group is targeting Western countries, the threat actors claim to only target countries and companies hostile to Western interests.

"Don't let the name confuse you, ATW targets countries they perceive to be a threat to western society, currently they are targeting China and Russia and have plans to target North Korea, Belarus and Iran in the future," explains cybersecurity researcher CyberKnow.

TikTok denies being hacked

TikTok has told BleepingComputer that the claims of the company being hacked are false. Furthermore, the company said the source code shared on hacking forums isn't part of its platform.

"This is an incorrect claim — our security team investigated this statement and determined that the code in question is completely unrelated to TikTok's backend source code, which has never been merged with WeChat data." - TikTok.

TikTok also told us that the leaked user data could not result from a direct scraping of its platform, as they have adequate security safeguards to prevent automated scripts from collecting user information.

BleepingComputer has also reached out to WeChat for a statement, but we have not yet received a response from them.

While WeChat and TikTok are both Chinese firms, they are not owned by the same parent company, with the former belonging to Tencent and the latter to ByteDance. Therefore, seeing them both in a single database indicates that it was not a direct breach on each platform.

Most likely, the unprotected database was created by a third-party data scraper or broker who scraped public data from both services and saved it into a single database.

The two companies are constantly in the spotlight of privacy investigations by national services, so finding such a rich cloud instance containing both companies' data is raising suspicions.

Troy Hunt, the creator of the HaveIBeenPwned data breach notification service, confirmed in a Twitter thread that some of the data were valid. However, Hunt could not find anything that is not publicly available in TikTok, thus proving an internal systems breach.

Similarly, "database hunter" Bob Diachenko has validated the leaked user data as real, but couldn't provide any concrete conclusions about the origin of the data.

If further analysis reveals that the data is legitimate, TikTok will be forced to take action to mitigate the leak's effects even if it wasn't breached. We have requested an additional comment from the platform on that front, but we haven't received an answer.

The story will be updated as soon as new evidence or conclusions become available.

Source: Bleeping Computer

https://www.bleepingcomputer.com/news/security/tiktok-denies-security-breach-after-hackers-leak-user-data-source-code/

The company has patched the security flaw but attacks continue today.

"QNAP® Systems, Inc. today detected the security threat DEADBOLT leveraging exploitation of Photo Station vulnerability to encrypt QNAP NAS that are directly connected to the Internet," explains the security notice.

The attacks were widespread, with the ID Ransomware service seeing a surge in submissions on Saturday and Sunday.

QNAP releases patches for a zero-day flaw

QNAP released Photo Station security updates 12 hours after DeadBolt began using the zero-day vulnerability in attacks, urging NAS customers to immediately update Photo Station to the newest version.

The following security updates fix the vulnerability:

• QTS 5.0.1: Photo Station 6.1.2 and later
• QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later
• QTS 4.3.6: Photo Station 5.7.18 and later
• QTS 4.3.3: Photo Station 5.4.15 and later
• QTS 4.2.6: Photo Station 5.2.14 and later

Alternatively, QNAP suggests users replace Photo Station with QuMagie, a safer photo storage management tool for QNAP NAS devices.

Applying the security updates will prevent the DeadBolt ransomware and other threat actors from exploiting the vulnerability and encrypting devices. However, NAS devices should never be publicly exposed to the Internet and instead placed behind a firewall.

QNAP customers can find detailed instructions on applying the available updates and setting up myQNAPcloud in the security advisory.

Finally, it is recommended to use strong passwords on all NAS user accounts and take regular snapshots to prevent data loss in the case of attacks.

DeadBolt: the NAS ransomware bane

The DeadBolt ransomware gang has been targeting NAS devices since January 2022, using an alleged zero-day vulnerability on Internet-exposed NAS devices.

The ransomware operation conducted further attacks on QNAP devices in May and June 2022.

Earlier in February, DeadBolt began targeting ASUSTOR NAS devices using a zero-day vulnerability they attempted to sell to the vendor for 7.5 Bitcoin.

In most of these attacks, DeadBolt demanded a payment of just over a thousand USD from impacted users in exchange for a working decryptor.

However, other NAS ransomware groups demand more significant amounts from their victims.

The Checkmate ransomware targeted QNAP NAS products in July, demanding victims pay $15,000.

Source: Bleeping Computer

https://www.bleepingcomputer.com/news/security/qnap-patches-zero-day-used-in-new-deadbolt-ransomware-attacks/

Interpol says that 12 suspects believed to be core members of this criminal organization were arrested in July and August after investigators found that they asked potential victims via online sex and dating platforms to download a malicious mobile app to engage in "naked chats."

However, their targets didn't know this app was designed to steal the contents of their phones' contact lists which the cybercriminals would use to blackmail the victims, threatening to share their nude videos with relatives and friends in their address books.

"We conducted a proactive investigation and in-depth analysis of a zombie command and control server hosting the malicious application, which – along with the joint efforts by our counterparts – allowed us to identify and locate individuals linked to the criminal syndicate," said Raymond Lam Cheuk Ho, the head of Hong Kong Police's Cyber Security and Technology Crime Bureau.

Sextortion is a type of digital extortion where the criminals coerce or trick their targets into sharing explicit videos or images that will later be used for blackmail.

To make things even scarier for their targets, they'll also often gain access to their social media or contact info, threatening to send the sexual imagery they got their hands on to the victims' families and friends.

Scammers behind sextortion campaigns are also known to distribute various strains of malware via phishing emails, ranging from data-stealing trojans to ransomware.

Spike in sextortion attacks

Today's announcement comes after Interpol launched an awareness campaign in June to warn Internet users of a striking increase in digital extortion threats like sextortion, ransomware, and Distributed Denial-of-Service (DDoS) attacks.

"A sharp rise in sextortion reports has been observed around the world in recent years, mirroring a rise in other types of cybercrime that has been exacerbated by the COVID-19 pandemic," Interpol said.

"INTERPOL's awareness campaigns on cyber threats have emphasized that just one click – on an unverified link or to send an intimate photo or video to someone – can suffice to fall victim to cybercrime."

The FBI warned one year ago of a massive increase in sextortion complaints since the start of 2021, which resulted in total financial losses of more than $8 million until the end of July 2021.

As the FBI advised potential victims at the time to protect themselves from extortion attempts:

• NEVER send compromising images of yourself to anyone, no matter who they are or who they say they are.
• Do not open attachments from people you do not know. Links can secretly hack your electronic devices using malware to access your private data, photos, and contacts or control your web camera and microphone without your knowledge.
• Turn off your electronic devices and web cameras when not in use.

"Having a criminal access the most intimate aspects of your life and using this information against you to extort enormous sums of cash is anyone's nightmare – and the most frightening part is that anyone could fall victim to this type of crime," added today Stephen Kavanagh, INTERPOL's Executive Director of Police Services.

"Sextortionists sometimes count on their victims feeling too much shame to go to the police, but reporting these crimes is often the first step to bringing these criminals to justice."

Source: Bleeping Computer

https://www.bleepingcomputer.com/news/security/interpol-dismantles-sextortion-ring-warns-of-increased-attacks/

The service enables low-skill threat actors who don't know how to set up reverse proxies to steal online accounts that are otherwise well-protected.

Reverse proxies are servers that sit between the targeted victim and a legitimate authentication endpoint, such as a company's login form. When the victim connects to a phishing page, the reverse proxy displays the legitimate login form, forwards requests, and returns responses from the company's website.

When the victim enters their credentials and MFA to the phishing page, they are forwarded to the actual platform's server, where the user is logged in, and a session cookie is returned. 

However, as the threat actor's proxy sits in the middle, it can also steal the session cookie containing the authentication token. The threat actors can then use this authentication cookie to log in to the site as the user, bypassing configured multi-factor authentication protections.

Sophisticated APT groups have been employing reverse proxies for a while now to bypass MFA protections on target accounts, some using their own custom tools while others using more readily-deployable kits like Modlishka, Necrobrowser, and Evilginx2.

The difference between these phishing frameworks and EvilProxy is that the latter is far simpler to deploy, offers detailed instructional videos and tutorials, a user-friendly graphical interface, and a rich selection of cloned phishing pages for popular internet services.

A deeper look at EvilProxy

Cybersecurity firm Resecurity reports that EvilProxy offers an easy-to-use GUI where threat actors can set up and manage phishing campaigns and all the details that underpin them.

The service promises to steal usernames, passwords, and session cookies, for a cost of $150 for ten days, $250 for 20 days, or $400 for a month-long campaign. Attacks against Google accounts cost more, at $250/450/600.

In the following video, Resecurity demonstrates how an attack against a Google account would unfold through EvilProxy.

While the service is actively promoted on various clearnet and dark web hacking forums, the operators vet the clients, so some prospective buyers are likely rejected.

According to Resecurity, the payment for the service is arranged individually on Telegram. Once the deposit is made, the customer gets access to the portal hosted in the onion network (TOR).

Resecurity's test of the platform confirmed that EvilProxy also offers VM, anti-analysis, and anti-bot protection to filter out invalid or unwanted visitors on the phishing sites hosted by the platform.

“The bad actors are using multiple techniques and approaches to recognize victims and to protect the phishing-kit code from being detected,” explains Resecurity in the report.

“Like fraud prevention and cyber threat intelligence (CTI) solutions, they aggregate data about known VPN services, Proxies, TOR exit nodes and other hosts which may be used for IP reputation analysis (of potential victims).”

A service to look out for

As MFA adoption continues to increase, more threat actors turn to reverse-proxy tools, and the appearance of a platform that automates everything for the crooks isn’t good news for security professionals and network admins.

For now, this problem remains addressable only by implementing client-side TLS fingerprinting to identify and filter out man-in-the-middle requests. However, the status of this implementation in the industry isn’t in sync with the developments.

Hence, platforms like EvilProxy essentially bridge the skill gap and offer low-tier threat actors a cost-efficient way to steal valuable accounts.

Source: Bleeping Computer

https://www.bleepingcomputer.com/news/security/new-evilproxy-service-lets-all-hackers-use-advanced-phishing-tactics/

In a statement, a Meta spokesperson said:

 “This inquiry focused on old settings that we updated over a year ago, and we’ve since released many new features to help keep teens safe and their information private. Anyone under 18 automatically has their account set to private when they join Instagram, so only people they know can see what they post, and adults can’t message teens who don’t follow them. We engaged fully with the DPC throughout their inquiry, and we’re carefully reviewing their final decision.”

There is nothing about the fine on the DPC’s website just yet, it’s planning to release the full details next week. Apparently, the only fine that has been issued by the DPC that is larger than this one is a €746 million fine issued to Amazon for processing data it shouldn’t have.

There could be more bad news for Meta coming from the DPC in the months ahead, as it said it had six other investigations related to Meta in the works. It hasn’t revealed what it’s looking into just yet, but it won’t be surprising if the fines are hefty.

Source: Politico via The Telegraph (Yahoo! Finance)

Source

Google Chrome users on Windows, Mac, and Linux need to install the latest update to the browser to protect themselves from a serious security vulnerability that hackers are actively exploiting.

“Google is aware of reports that an exploit for CVE-2022-3075 exists in the wild,” the company said in a September 2nd blog post. An anonymous tipster reported the problem on August 30th, and Google says it expects the update to roll out to all users in the coming days or weeks.

The company hasn’t released much information yet on the nature of the bug. What we know so far is that it has to do with “Insufficient data validation” in Mojo, a collection of runtime libraries used by Chromium, the codebase that Google Chrome’s built on.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” the company said. By keeping those details under wraps for now, Google makes it harder for hackers to figure out how to exploit the vulnerability before the new update closes the opportunity for attacks.

Chrome users need to relaunch the browser to activate the update. This will update Chrome to version 105.0.5195.102 for Windows, Mac, and Linux. To make sure you’re using the latest version, click the icon with the three dots in the top right corner of your browser. Navigating to “Help,” and then “About Google Chrome” will lead you to a page that tells you whether Chrome is up to date on your device.

This latest update comes just days after Google released Chrome version 105 on August 30th. That update already came with 24 security fixes. Apparently, that still wasn’t enough.

This is the sixth zero-day vulnerability Chrome has faced so far this year. The last vulnerability that was actively exploited was just flagged in mid-August, BleepingComputer reported.

Google Chrome’s latest update has a security fix you should install ASAP

Washington has accused Beijing of cyberattacks against US businesses and government agencies, one of the issues over which ties between the two powers have nosedived in recent years.

China has consistently denied the claims and in turn lashed out against alleged US cyber espionage, but has rarely made public disclosures of specific attacks.

But a report released Monday by its National Computer Virus Emergency Response Center (CVERC) accused the US National Security Agency (NSA) of carrying out "tens of thousands of malicious attacks on network targets in China in recent years".

It specifically accused the NSA's Office of Tailored Access Operations (TAO) of infiltrating the Northwestern Polytechnical University in the city of Xi'an.
The university is funded by China's Ministry of Industry and Information Technology, and specialises in aeronautical and space research.

CVERC alleged that TAO infiltrated the university's networks and took "control of tens of thousands of network devices" including servers, routers and network switches.

Using dozens of cyber weapons and exploiting previously unknown flaws in the SunOS operating system, the unit gained access to "core technical data" including passwords and the operations of key network devices, the report said.

TAO has "stolen over 140 gigabytes of high-value data" in recent years and received assistance from groups in Europe and South Asia, CVERC said in the report, which was co-authored by the private Chinese cybersecurity firm Qihoo 360.

The foreign ministry in Beijing on Monday condemned the alleged hack, saying it "seriously endangers China's national security and users' personal data security".
"We ask the US to provide an explanation and urge them to stop immediately this illegal move," Mao Ning, a spokeswoman for the foreign ministry, said at a regular press conference.

The NSA did not immediately respond to an AFP request for comment.

In June, Xi'an authorities said they had launched an investigation into a reported cyberattack at Northwestern Polytechnical University that carried the hallmarks of "overseas hacking groups and unlawful elements".

The attacks "caused significant risks and hidden dangers for normal work and life at our school", a university cybersecurity official told state broadcaster CCTV in comments published on Monday.

Last year, Washington accused Beijing of carrying out a massive attack on Microsoft's email software that affected at least 30,000 US organizations -- including local governments -- as well as customers in other countries.

China denied the allegations and countered that Washington was the "world champion" of cyber espionage.

Source

IRS Form 990T is used to report 'unrelated business income' paid to a tax-exempt entity, such as nonprofits (charities) or IRA and SEP retirement accounts.

This income is commonly derived from sales unrelated to a nonprofit's core purpose or real estate investments that pay income into an individual retirement account.

For regular taxpayers, these forms are meant to be confidential and seen only by the IRS. However, for nonprofits, a Form 990-T must be available for public inspection for three years.

On Friday, the IRS disclosed that in addition to sharing Form 990-T data for charities, they also accidentally included data for taxpayers' IRAs that was not meant to be public. 

"The IRS recently discovered that some machine-readable (XML) Form 990-T data made available for bulk download section on the Tax Exempt Organization Search (TEOS) should not have been made public," the IRS disclosed on Friday.

"This section is primarily used by those with the ability to use machine-readable data; other more widely used sections of TEOS are unaffected."

The Wall Street Journal reports that the data leak exposed info for approximately 120,000 taxpayers and included names, contact information, and reported income for those IRAs. However, the IRS states that the data did not include social security numbers, individual tax returns, or detailed account-holder information.

According to the Wall Street Journal, an IRS research employee discovered the data leak, which triggered a report to Congress on Friday.

The IRS states that the data has been removed and that they will send notifications to affected taxpayers in the coming weeks.

Source: Bleeping Computer

https://www.bleepingcomputer.com/news/security/irs-data-leak-exposes-personal-info-of-120-000-taxpayers/

The malware was present in two Android apps that did not feature any malicious code when submitted to Google's automatic review.

However, SharkBot is added in an update occurring after the user installs and launches the dropper apps.

According to a blog post by Fox IT, part of the NCC Group, the two malicious apps are “Mister Phone Cleaner” and “Kylhavy Mobile Security,” collectively counting  60,000 installations.

The two applications have been removed from Google Play, but users who installed them are still at risk and should remove them manually.

SharkBot evolved

Malware analysts at Cleafy, an Italian online fraud management and prevention company, discovered SharkBot in October 2021. In March 2022, NCC Group found the first apps carrying it on the Google Play.

At that time, the malware could perform overlay attacks, steal data through keylogging, intercept SMS messages, or give threat actors complete remote control of the host device by abusing the Accessibility Services.

In May 2022, researchers at ThreatFabric spotted SharkBot 2 that came with a domain generation algorithm (DGA), an updated communication protocol, and a fully refactored code.

Researchers at Fox IT discovered a new version of the malware (2.25) on August 22, which adds the capability to steal cookies from bank account logins.

Additionally, the new dropper apps don’t abuse the Accessibility Services as they did before.

“The dropper instead will make a request to the C2 server to directly receive the APK file of Sharkbot. It won’t receive a download link alongside the steps to install the malware using the ‘Automatic Transfer Systems’ (ATS) features, which it normally did,” Fox IT says.

Once installed the dropper app contacts the command and control (C2) server requesting the malicious SharkBot APK file. The dropper then alerts the user that an update is available and asks them to install the APK and grant all required permissions.

To make automated detection more difficult, SharkBot stores its hard-coded configuration in encrypted form using the RC4 algorithm.

Cookie-loving shark

The overlay, SMS intercept, remote control, and keylogging systems are still present on SharkBot 2.25, but a cookie logger has been added on top of them.

When the victim logs into their bank account, SharkBot snatches their valid session cookie using a new command (“logsCookie”) and sends it to the C2.

Cookies are valuable for taking over accounts because they contain software and location parameters that help bypass fingerprinting checks or, in some cases, the user authentication token itself.

During the investigation, Fox IT's observed new SharkBot campaigns in Europe (Spain, Austria, Germany, Poland, Austria) and the U.S. The researchers noticed that the malware uses in these attacks the keylogging feature and steals the sensitive info straight from the official app it targets.

With an improved version of the malware available, Fox IT expects SharkBot campaigns to continue and an evolution of the malware.

Source: Bleeping Computer

https://www.bleepingcomputer.com/news/security/sharkbot-malware-sneaks-back-on-google-play-to-steal-your-logins/

The issue started Sunday morning when Microsoft pushed out Defender signature update 1.373.1508.0 to include two new threat detections, including Behavior:Win32/Hive.ZY.

"This generic detection for suspicious behaviors is designed to catch potentially malicious files. If you downloaded a file or received it through email, ensure that it is from a reliable source before opening it," reads the Microsoft detection page for Win32/Hive.ZY.

According to BornCity, the false positive is widespread, with users reporting on BleepingComputer, Twitter, and Reddit that the detections appear each time they open their browser or an Electron app.

Even though Microsoft Defender will continuously display these detections when apps are opened, it is important to note that this is a false positive, and your device is mistakenly being detected as infected.

Microsoft has since released two new Microsoft Defender security intelligence updates, the latest being 1.373.1518.0.

While this signature update does not display Win32/Hive.ZY detections in BleepingComputer's tests, other users report that they continue to receive false positives.

To check for new security intelligence updates, Windows users can search for and open Windows Security from the Start Menu, click Virus & threat protection, and then click on Check for updates under Virus & threat protection updates.

While it is usually not required, in this case, it may be helpful to reboot Windows after installing the new security intelligence update to see if it resolves the false positive.

As this issue is widespread and causing panic among Windows users worldwide, we will likely see a new update fixing the problem within a few hours, if not sooner.

At this time, there has been no formal confirmation of the issue from Microsoft.

Source: Bleeping Computer

https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-falsely-detects-win32-hivezy-in-google-chrome-electron-apps/

New research has claimed that there is a 75 percent increment in the ransomware attacks that target Linux operating systems. This data has been collected from the first half of 2022 and the rise has been compared to the data from the first half of last year. Researchers from the cybersecurity firm, Trend Micro have found a spike in ransomware attacks. The researchers have found that there is an emergence of new Linux ransomware families for the first half of 2022.

The researchers stated, “We observed how malicious actors favoured ransomware-as-a-service (RaaS) methods for faster deployments and bigger payouts. They also used relatively new ransomware families in high-profile attacks and increasingly targeted Linux-based systems with attacks.”

According to the data presented by the researchers, there were 67 active RaaS and extortion groups and over 1,200 victim organisations that were reported in the first six months of this year alone.

The operators of this Ransomware also resorted to both novel and tried-and-tested methods to attack cloud environments. The researchers have also discovered a new ransomware variant this year which is called Cheerscrypt, that also targeted ESXi servers.

“Successful infection of these servers, which are widely used by enterprises, could cause significant security issues in critical infrastructures,” the team warned.

In the beginning of 2022, many companies around the world began calling for most, if not all, of their workforce to return to the office on a full-time basis, a phenomenon aptly referred to as “the Great Return.”

Meanwhile, some companies embraced permanent hybrid work or remote setups.

Trend Micro statement said, “This diffused labour pool, together with a widened digital attack surface, has made it increasingly difficult for cybersecurity teams to keep different work structures secure — a susceptibility thread that cybercriminals are quick to pull on to launch critical attacks and exploit vulnerabilities,”.

This new model of Ransomware delivery allows affiliates to buy or rent ransomware tools and infrastructures. It also made waves in the first half of 2022.

Source

The malicious operation, which appears to originate from Iran, targeted Farsi-speaking software developers with a Word document that included a Microsoft Dynamic Data Exchange (DDE) exploit.

The exploit downloads and executes CodeRAT from the threat actor's GitHub repository, giving the remote operator a broad range of post-infection capabilities.

More specifically, CodeRAT supports about 50 commands and comes with extensive monitoring capabilities targeting webmail, Microsoft Office documents, databases, social network platforms, integrated development environment (IDEs) for Windows Android, and even individual websites like PayPal.

Cybersecurity company SafeBreach reports that the malware also spies on sensitive windows for tools like Visual Studio, Python, PhpStorm, and Verilog - a hardware description language for modeling electronic systems.

To communicate with its operator and to exfiltrate stolen data, CodeRAT uses a Telegram-based mechanism that relies on a public anonymous file upload API instead of the more common command and control server infrastructure.

Although the campaign stopped abruptly when the researchers contacted the malware developer, CodeRAT is likely to become more prevalent now that its author made the source code public,

CodeRAT details

The malware supports  around 50 commands that include taking screenshots, copying clipboard content, getting a list of running processes, terminating processes, checking GPU usage, downloading, uploading, deleting files, executing programs.

The attacker can generate the commands through a UI tool that builds and obfuscates them and then uses one of the following three methods to transmit them to the malware:

1. Telegram bot API with proxy (no direct requests)
2. Manual mode (includes USB option)
3. Locally stored commands on the 'myPictures' folder

The same three methods can also be used for data exfiltration, including single files, entire folders, or targeting specific file extensions.

If the victim's country has banned Telegram, CodeRAT offers an anti-filter functionality that establishes a separate request routing channel that can help bypass the blocks.

The author also claims that the malware can persist between reboots without making any changes to the Windows registry, but SafeBreach doesn't provide any details about this feature.

CodeRAT comes with strong capabilities that are likely to attract other cybercriminals. Malware developers are always looking for malware code that can be easily turned into a new "product" that would increase their profits.

Source: Bleeping Computer

https://www.bleepingcomputer.com/news/security/malware-dev-open-sources-coderat-after-being-exposed/

The malware developer has planted in the builder for the infostealer a backdoor that is present in every resulting copy that is being rented to cybercriminals for prices between $100 per month or $700 per year to $900 for a lifetime subscription.

Prynt Stealer can steal cryptocurrency wallet information, sensitive info stored in web browsers (credentials credit cards), VPN account data, cloud gaming account details.

Cyble analyzed Prynt Stealer back in April 2022 and highlighted that it included inactive code for a clipper and keylogger, both being unusual functions for an infostealer.

The data that Prynt Stealer grabs is typically compressed and exfiltrated through a Telegram bot to a channel controlled by the cybercriminal.

However, according to a report from cloud security company Zscaler, the malware comes with an additional, hardcoded Telegram token and ID to send stolen data to the author behind the operator's back.

Built for scamming

Prynt Stealer is based on the code of the AsyncRAT remote access tool and the StormKitty infostealer. The developer made some minor modifications to some of the features and removed others.

Zscaler's researchers also note that Prynt Stealer is very similar to the malware families WorldWind and DarkEye, suggesting that the same author is behind them.

Prynt Stealer's builder is meant to help unskilled cybercriminals configure the malware for deployment, setting all parameters and letting the automated tool do the work.

Zscaler's analysts acquired a leaked copy of the builder and found that during execution, a loader fetches 'DarkEye Stealer' from Discord and configures it to exfiltrate data to the author.

DarkEye is a variant of Prynt Stealer, the difference between them being that the clipper and keylogger functionality is enabled in the former and disabled in the latter.

In addition, the malware author configures the builder to drop and execute LodaRAT, an old (2017) yet powerful trojan, that enables remote actors to take control of the infected system, steal information, fetch additional payloads, etc.

Now that the backdoor in Prynt Stealer has been exposed, the cybercriminals using it are likely to look elsewhere. It looks like the Prynt Stealer author already has two products waiting, since they are not currently actively promoted hacking forums.

Source: Bleeping Computer

https://www.bleepingcomputer.com/news/security/dev-backdoors-own-malware-to-steal-data-from-other-hackers/

GSE is a publicly-owned company that promotes and supports renewable energy sources (RES) across Italy.

A GSE spokesperson disclosed that its website and systems were taken down to block the attackers from gaining access to the data after detecting the attack on Sunday night—GSE's website is still down, almost a week after the incident.

Cybersecurity authorities and police in Italy are still investigating the attack and looking into what data was compromised during the incident, GSE told Bloomberg.

Before GSE's disclosure, the BlackCat ransomware group added a new entry to its dark web data leak site claiming to have stolen roughly 700GB of files from the Italian energy agency's servers.

The attackers say that the stolen files contain confidential data, including contracts, reports, project information, accounting documents, and other internal documentation.

This attack follows another incident involving Eni SpA, the largest energy company in Italy, with more than 31,000 employees that operates in national and international markets.

Eni SpA also revealed that it was recently hacked as part of a cyberattack the firm said had minor consequences on its operations.

Earlier this year, BlackCat also said it was behind ransomware attacks against Creos Luxembourg S.A., a natural gas pipeline and electricity network operator from central Europe, and the German petrol supply firm Oiltanking.

A Darkside/Blackmatter rebrand

The BlackCat/ALPHV ransomware operation was launched in November 2021 and is believed to be a rebrand of the DarkSide/BlackMatter gang.

The ransomware gang first gained notoriety as DarkSide after attacking the Colonial Pipeline and landing in the crosshairs of international law enforcement.

Although they rebranded as BlackMatter in July 2021, they were quickly forced to shut down again in November, after the gang's servers were seized and Emsisoft found and exploited a weakness in the ransomware to create a decryptor.

This group is considered one of the most significant ransomware threats currently targeting enterprises worldwide.

So far, it has been linked to attacks against companies such as the Swissport airline cargo handling services provider and the Moncler fashion group.

More recently, BlackCat has also been evolving its extortion tactics, launching a new searchable database of stolen data that made the group's double-extortion attacks even more damaging for victims.

In April, the FBI warned that BlackCat has "extensive networks and experience with ransomware operations" as they had breached more than 60 entities worldwide between November 2021 and March 2022.

The company said its systems were compromised in late July 2022. Samsung later discovered on August 4 that customer personal information was accessed and exfiltrated out of its network.

While the attackers did not steal Social Security or credit card numbers during the breach, they snatched Samsung customers' names, contacts and demographic information, dates of birth, and product registration data.

"Samsung detected the incident and has taken actions to secure the affected systems. As part of our ongoing investigation, we have engaged a leading outside cybersecurity firm and are coordinating with law enforcement," Samsung said.

"The information affected for each relevant customer may vary. We are notifying customers to make them aware of this matter," the company added.

Samsung advises impacted individuals to:

• Remain cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information
• Avoid clicking on links or downloading attachments from suspicious emails
• Review your accounts for suspicious activity 

This is the second data breach Samsung confirmed since the start of the year, with the electronics giant saying in March that the data extortion group Lapsus$ breached its network and stole confidential information, including Galaxy devices' source code.

The hackers leaked 190GB of archives containing what they claimed at the time to be documents stolen from Samsung's servers.

Samsung didn't reply to a request for more details regarding the July data breach when BleepingComputer reached out earlier today.

Source: Bleeping Computer

https://www.bleepingcomputer.com/news/security/samsung-discloses-data-breach-after-july-hack/

Some of the company's systems have been encrypted and operations have been disrupted since August 15.

A report from Valéry Marchive, who was able to retrieve a leaked ransom note and published details on LeMagIT, notes that the hackers are not willing to negotiate and expect parent company Damartex to pay the full ransom.

The threat actors haven't posted the victim on their extortion site, opting to keep negotiations private.

Marchive shared additional information with BleepingComputer, which helped us confirm the attack and extortion.

Damart has not engaged in negotiations with the cybercriminals yet but informed the national police of the incident, which makes it unlikely that Hive would receive a payment.

Timeline of the attack

The first signs of trouble appeared on August 15, when Damart published a message about an unscheduled maintenance on the homepage of its online store.

At that time, following a request for comment from BleepingComputer, Damart stated the following:

"Damart, the mail order clothing brand, based in Bingley, West Yorkshire, has confirmed that there was an attempt to intrude into their IT systems, which they were rapidly able to intercept with strong security protocols.

"As a precaution, they have temporarily restricted some services available to customers, which is why the website is currently offline. Data and system security is a top priority for the business and reassuringly there is no evidence to-date that any customer data has been impacted in any way."

On August 24, it was reported that Damart's sales network wasn't operating normally and the disruption had impacted 92 of its stores. As a result, the number of accepted orders decreased and customer support was unavailable.

The company clarified that the hackers had successfully reached the Active Directory and launched a rushed attack that resulted in encrypting some of the systems.

According to Damart, the reason for degraded services was due to the company's proactive actions by shutting down systems to protect them from being encrypted.

At this time, it is unknown if Hive managed to steal any data during the network intrusion. However, the gang has adopted the double-extortion tactic and exfiltrates data before the encryption stage.

This enables the cybercriminals to put more pressure on the victim to pay a ransom by threatening with a data leak.

Hive ransomware has not listed Damart on their data leak site and the company has repeatedly denied that the hackers stole any data.

Source: Bleeping Computer

https://www.bleepingcomputer.com/news/security/hive-ransomware-hits-damart-clothing-store-with-2-million-ransom/

The San Francisco Bay Area professional American football team confirmed that personal information (including names and Social Security numbers) belonging to 20,930 impacted individuals was accessed and/or stolen in the attack between February 6 and February 11, 2022.

"The 49ers conducted a thorough review of these files to identify the individuals whose information was contained in the files, and additional research to locate and verify the addresses for these individuals," the team revealed in notification letters sent to affected individuals starting Thursday.

"The 49ers completed this process on August 9, 2022, and discovered that the incident involved the name and Social Security number of seven Maine residents."

At the time, the 49ers confirmed the incident in a statement to BleepingComputer, saying it caused a temporary disruption to portions of their IT network.

While the football team did not reveal whether the attackers successfully deployed ransomware payloads, the statement said they are still restoring systems, indicating that the breached devices were also likely encrypted.

"As the investigation continues, we are working diligently to restore involved systems as quickly and as safely as possible," the 49ers told BleepingComputer.

Attack claimed by the Blackbyte ransomware gang

The BlackByte gang claimed responsibility for the attack on February 12, right as the NFL was getting ready for Super Bowl 2022, by starting to leak files claimed were stolen from the 49ers' network.

The ransomware group also leaked an archive containing 292 MB worth of files the gang said were invoices stolen from 49ers' compromised servers.

Although it is unknown how much data was stolen during the February attack, BlackByte is known for selling gigabytes of data from some of its previous victims.

The BlackByte ransomware operation was launched in July 2021 when it started targeting corporate entities worldwide.

"We notified law enforcement and are fully supporting their investigation," the 49ers added in the data breach notification letters. 

"We are also taking steps to help prevent something like this from occurring again, including additional measures to further enhance our security protocols and continued education and training to our employees."

Source: Bleeping Computer

https://www.bleepingcomputer.com/news/security/san-francisco-49ers-blackbyte-ransomware-gang-stole-info-of-20k-people/

The limited-edition commemorative coin was released on Thursday to mark the 75th anniversary of the Australian Signals Directorate (ASD), with only 50,000 minted for the occasion.

The ASD said the coin's four different layers of encryption were each progressively harder to solve, and clues could be found on both sides — but ASD director-general Rachel Noble said in a speech at the Lowy Institute today that the 14-year-old managed it in just over an hour.

"There's a challenge out there to see who can correctly break all the layers, and, would you believe it, yesterday the coin was launched at 8:45am; we put up our web form and said, 'Hey, if you think you've got the answers, fill in the form'," she said.

"Just unbelievable. Can you imagine being his mum?

"So we're hoping to meet him soon ... to recruit him."

Ms Noble and Royal Australian Mint chief executive Leigh Gordon launched the coin on Thursday.(ABC News: Mark Moore)

A fifth level of encryption

Ms Noble yesterday said the coin celebrated the work of the agency's members and the evolution of code-breaking, and that those who crack the codes could be "pretty well placed" to get a job at the ASD.

"We thought this was a really fun way to engage people in code-breaking with the hope that, if they make it through all four levels of coding on the coin, maybe they'll apply for a job at the Australian Signals Directorate."

Both sides of the coin contain parts of ASD's encrypted puzzle.(Supplied: Royal Australian Mint)

Ms Noble said that while there were no classified messages on the coin, those who crack the codes could discover "some wonderful, uplifting messages".

"Like the early code breakers in ASD, you can get through some of the layers with but a pencil and paper but, right towards the end, you may need a computer to solve the last level."

She also revealed today that there was a fifth level of encryption on the coin which no one had broken yet.

Source