The San Francisco Bay Area professional American football team confirmed that personal information (including names and Social Security numbers) belonging to 20,930 impacted individuals was accessed and/or stolen in the attack between February 6 and February 11, 2022.

"The 49ers conducted a thorough review of these files to identify the individuals whose information was contained in the files, and additional research to locate and verify the addresses for these individuals," the team revealed in notification letters sent to affected individuals starting Thursday.

"The 49ers completed this process on August 9, 2022, and discovered that the incident involved the name and Social Security number of seven Maine residents."

At the time, the 49ers confirmed the incident in a statement to BleepingComputer, saying it caused a temporary disruption to portions of their IT network.

While the football team did not reveal whether the attackers successfully deployed ransomware payloads, the statement said they are still restoring systems, indicating that the breached devices were also likely encrypted.

"As the investigation continues, we are working diligently to restore involved systems as quickly and as safely as possible," the 49ers told BleepingComputer.

Attack claimed by the Blackbyte ransomware gang

The BlackByte gang claimed responsibility for the attack on February 12, right as the NFL was getting ready for Super Bowl 2022, by starting to leak files claimed were stolen from the 49ers' network.

The ransomware group also leaked an archive containing 292 MB worth of files the gang said were invoices stolen from 49ers' compromised servers.

Although it is unknown how much data was stolen during the February attack, BlackByte is known for selling gigabytes of data from some of its previous victims.

The BlackByte ransomware operation was launched in July 2021 when it started targeting corporate entities worldwide.

"We notified law enforcement and are fully supporting their investigation," the 49ers added in the data breach notification letters. 

"We are also taking steps to help prevent something like this from occurring again, including additional measures to further enhance our security protocols and continued education and training to our employees."

Source: Bleeping Computer

https://www.bleepingcomputer.com/news/security/san-francisco-49ers-blackbyte-ransomware-gang-stole-info-of-20k-people/

The limited-edition commemorative coin was released on Thursday to mark the 75th anniversary of the Australian Signals Directorate (ASD), with only 50,000 minted for the occasion.

The ASD said the coin's four different layers of encryption were each progressively harder to solve, and clues could be found on both sides — but ASD director-general Rachel Noble said in a speech at the Lowy Institute today that the 14-year-old managed it in just over an hour.

"There's a challenge out there to see who can correctly break all the layers, and, would you believe it, yesterday the coin was launched at 8:45am; we put up our web form and said, 'Hey, if you think you've got the answers, fill in the form'," she said.

"Just unbelievable. Can you imagine being his mum?

"So we're hoping to meet him soon ... to recruit him."

Ms Noble and Royal Australian Mint chief executive Leigh Gordon launched the coin on Thursday.(ABC News: Mark Moore)

A fifth level of encryption

Ms Noble yesterday said the coin celebrated the work of the agency's members and the evolution of code-breaking, and that those who crack the codes could be "pretty well placed" to get a job at the ASD.

"We thought this was a really fun way to engage people in code-breaking with the hope that, if they make it through all four levels of coding on the coin, maybe they'll apply for a job at the Australian Signals Directorate."

Both sides of the coin contain parts of ASD's encrypted puzzle.(Supplied: Royal Australian Mint)

Ms Noble said that while there were no classified messages on the coin, those who crack the codes could discover "some wonderful, uplifting messages".

"Like the early code breakers in ASD, you can get through some of the layers with but a pencil and paper but, right towards the end, you may need a computer to solve the last level."

She also revealed today that there was a fifth level of encryption on the coin which no one had broken yet.

Source

The official software repository for the Python language, Python Package Index (PyPI), has been targeted in a complex supply chain attack that appears to have successfully poisoned at least two legitimate projects with credential-stealing malware, researchers said on Thursday.

PyPI officials said last week that project contributors were under a phishing attack that attempted to trick them into divulging their account login credentials. When successful, the phishers used the compromised credentials to publish malware that posed as the latest release for legitimate projects associated with the account. PyPI quickly took down the compromised updates and urged all contributors to use phishing-resistant forms of two-factor authentication to protect their accounts better.

On Thursday, researchers from security firms SentinelOne and Checkmarx said that the supply chain attacks were part of a larger campaign by a group that has been active since at least late last year to spread credential-stealing malware the researchers are dubbing JuiceStealer. Initially, JuiceStealer was spread through a technique known as typosquatting, in which the threat actors seeded PyPI with hundreds of packages that closely resembled the names of well-established ones, in the hopes that some users would accidentally install them.

JuiceStealer was discovered on VirusTotal in February when someone, possibly the threat actor, submitted a Python app that surreptitiously installed the malware. JuiceStealer is developed using the .Net programming framework. It searches for passwords stored by Google Chrome. Based on information gleaned from the code, the researchers have linked the malware to activity that began in late 2021 and has evolved since then. One likely connection is to Nowblox, a scam website that purported to offer free Robux, the online currency for the game Roblox.

Over time, the threat actor, which the researchers are calling JuiceLedger, started using crypto-themed fraudulent applications such as the Tesla Trading bot, which was delivered in zip files accompanying additional legitimate software.

"JuiceLedger appears to have evolved very quickly from opportunistic, small-scale infections only a few months ago to conducting a supply chain attack on a major software distributor," the researchers wrote in a post. "The escalation in complexity in the attack on PyPI contributors, involving a targeted phishing campaign, hundreds of typosquatted packages and account takeovers of trusted developers, indicates that the threat actor has time and resources at their disposal."

PyPI has begun offering contributors free hardware-based keys for use in providing a second, unphishable factor of authentication. All contributors should switch to this stronger form of 2FA immediately. People downloading packages from PyPI—or any other open source repository—should take extra care to ensure the software they're downloading is legitimate.

Source: Ars Technica

https://arstechnica.com/information-technology/2022/09/actors-behind-pypi-supply-chain-attack-have-been-active-since-late-2021/

Today's announcement follows multiple reminders and warnings the company has issued over the last three years, the first published in September 2019.

The company again asked customers to toggle off basic auth in September 2021 and May 2022 after seeing that many of them were yet to move their clients and apps to Modern Authentication.

"Since our first announcement nearly three years ago, we've seen millions of users move away from basic auth, and we've disabled it in millions of tenants to proactively protect them. We're not done yet though, and unfortunately usage isn't yet at zero. Despite that, we will start to turn off basic auth for several protocols for tenants not previously disabled," the Exchange Team said today.

"Starting October 1st, we will start to randomly select tenants and disable basic authentication access for MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, Exchange ActiveSync (EAS), and Remote PowerShell."

Redmond says a message announcing this move will be posted to the Windows Message Center seven days before the rollout begins. Each tenant will be notified via the Service Health Dashboard notifications when basic auth is disabled.

On tenants where this authentication scheme will be disabled, customers will still be able to re-enable it once per protocol using the self-service diagnostic until the end of December 2022. However, the protocols "will be disabled for basic auth use permanently" during the first week of January 2023, with no way of using basic auth again.

Until now, Microsoft says it has already disabled basic auth in millions of tenants that weren't using it and is also toggling off unused protocols within tenants still using it to protect them from attacks exploiting this insecure auth scheme.

Why is Microsoft disabling basic authentication?

Basic authentication (aka legacy authentication or proxy authentication) is an HTTP-based auth scheme applications use for sending credentials in plain text to servers, endpoints, or various online services.

Unfortunately, this allows threat actors to steal credentials in man-in-the-middle attacks over TLS or guess them in password spray attacks. They can steal clear text credentials from apps using basic auth via several tactics, including social engineering and info-stealing malware.

Modern Authentication (an umbrella term for multiple authentication and authorization methods) uses OAuth access tokens that can't be re-used to authenticate on other resources besides the ones they were issued for.

To make things even worse, basic auth makes it quite complicated to enable multi-factor authentication (MFA), which means that it will often not be used at all. Toggling on Modern Auth makes enabling MFA much less complicated, thus allowing for better Exchange Online security.

While there are many reasons behind switching to Modern Auth in Exchange Online, a Guardicore report added another to the list in September 2021.

It further highlighted the importance of this move, showing how hundreds of thousands of Windows domain credentials were leaked in plain text to external domains by misconfigured email clients using basic auth.

"This effort has taken three years from initial communication until now, and even that has not been enough time to ensure that all customers know about this change and take all necessary steps. IT and change can be hard, and the pandemic changed priorities for many of us, but everyone wants the same thing: better security for their users and data," Microsoft added.

You can find more info on preparing for October's forced basic authentication deprecation and the best way to disable basic auth beforehand in the blog post The Exchange Team published today.

Source: BleepingComputer

https://www.bleepingcomputer.com/news/microsoft/microsoft-will-disable-exchange-online-basic-auth-next-month/

The attack started on Thursday, August 25, targeting Microsoft and VMware ESXi servers operated by the agency.

The hackers stopped all running virtual machines and encrypted their files, appending the ".crypt" filename extension.

According to CSIRT, the malware used in this attack also had functions for stealing credentials from web browsers, list removable devices for encryption, and evade antivirus detection using execution timeouts.

In typical double-extortion fashion, the intruders offered Chile's CSIRT a communication channel to negotiate the payment of a ransom that would prevent leaking the files and unlock the encrypted data.

The attacker set a three-day deadline and threatened to sell the stolen data to other cybercriminals on the dark web.

Attribution unclear

Chile's CSIRT announcement doesn't name the ransomware group is responsible for the attack, nor does it provide sufficient details that woul lead to identifying the malware.

The extension appended to the encrypted files does not offer any hint because it has been used by multiple threat actors.

While the little information Chile's CSIRT provided on the behavior of the malware points to 'RedAlert' ransomware (aka "N13V"), an operation launched in July 2022, technical details suggest otherwise.

RedAlert ransomware used the ".crypt" extension in attacks, targets both Windows servers and Linux VMWare ESXi machines, is capable to force-stop all running VMs prior to encryption, and uses the NTRUEncrypt public-key encryption algorithm.

However, the indicators of compromise (IoCs) in Chile's CSIRT announcement are either associated with Conti or are return an inconclusive result when fed to automated analysis systems.

Conti has been previously linked to attacks on entire nations, such as the one on Costa Rica in July 2022, which took five days from gaining initial access to stealing and encrypting the systems.

Chilean threat analyst Germán Fernández told BleepingComputer that the strain appears to be entirely new, and the researchers he talked to couldn't associate the malware with known families.

Fernandez also commented that the ransom note wasn't generated during the infection, a detail that BleepingComputer can confirm. The researcher said that the note was delivered before deploying the file-locking malware.

BleepingComputer was able to analyze multiple samples of the malware used for the attack and retrieved a ransom note named 'readme_for_unlock.txt', seen below:

All ransom notes that BleepingComputer has seen when analyzing this ransomware strain include a link to a unique website in the Tor network along with a password to log in.

As far as we've seen a data leak site for this ransomware does not exist, yet. The Tor site is for showing a message box where victims can contact the hackers.

Accessing the above communication channel requires a password, which is included in the ransom note.

The malware configures itself to launch on Windows login and uses the name SecurityUpdate at startup.

Registry key added to launch at startup - source: BleepingComputer

 

From what BleepingComputer could learn so far about this ransomware, this is a new operation that launched at the beginning of August.

Chile's cybersecurity organization recommends all state entities as well as large private organizations in the country to apply the following measures:

• Use a properly configured firewall and antivirus tool
• Update VMware and Microsoft assets
• Keep backups of most important data
• Verify the configuration of anti-spam filters and train employees to recognize malicious email
• Implement network segmentation and apply the principle of least privilege
• Stay informed about new vulnerabilities that need immediate patching or mitigation

Chile CSIRT has provided a set of indicators of compromise for files used in the attack that defenders can use to protect their organizations.

Public Administration Minister Maras Dukaj stated on local television yesterday that behind the attack is an organized cybercrime group. The effects of the incindet continue for the tenth day.

The minister added that a "special virus" is used in this attack and there is a ransom demand of $10 million.

Dukaj also added that at this point, the state could not give an estimate of when the services will become available.

False allegations and Cuba

Previously, Dukaj himself, along with Montenegro's Defense Minister, told local media that they had enough evidence to suspect the cyberattacks were directed by Russian services.

This gave the incident a geopolitical hue and mobilized the Balkan country's NATO allies to help them with incident response, defense, and remediation.

The next day, though, Cuba ransomware gang listed the Parliament of Montenegro (Skupstina) as its victim and claimed to have stolen financial documents, correspondence with banks, balance sheets, tax documents, compensation, and even source code.

The data was published on the "free" section of the site, available to any visitor with no restrictions.

Cuba ransomware evolution

Cuba ransomware has demonstrated notable evolution lately. Three weeks ago, researchers spotted a novel toolset used by the gang along with previously unseen tactics, techniques, and procedures.

In June, Cuba ransomware updated its encryptor with additional options and set up a communication channel for "live victim support."

Another notable change is observed in the group's targeting scope. In 2021, Cuba focused heavily on U.S.-based organizations.

Source: BleepingComputer

https://www.bleepingcomputer.com/news/security/montenegro-hit-by-ransomware-attack-hackers-demand-10-million/

This guidance is designed by the Enduring Security Framework (ESF)—a public-private partnership that works to address threats to U.S. critical infrastructure and national security systems—to serve as a collection of suggested practices for software developers.

"Securing the Software Supply Chain for Developers was created to help developers achieve security through industry and government-evaluated recommendations," the Department of Defense's intelligence agency said.

"Developers will find helpful guidance from NSA and partners on developing secure code, verifying third party components, hardening the build environment, and delivering the code. Until all DevOps are DevSecOps, the software development lifecycle will be at risk."

The ESF will release two more advisories coinciding with the software supply chain lifecycle, with the other two parts in this series focusing on software suppliers and customers.

You can find detailed information on how to develop secure code, verify third-party components, harden build environments, and deliver code securely in today's advisory [PDF].

The guidance has been released after recent high-profile cyber attacks like the SolarWinds hack have highlighted weaknesses in the software supply chain that nation-state-backed threat groups can easily exploit.

Following the snowball effect of the SolarWinds supply-chain attack that led to the compromise of multiple U.S. govt agencies after FireEye revealed its network was breached in December 2020, President Biden signed an executive order in May 2021 to modernize the country's defenses against cyberattacks.

The White House released a new Federal strategy in January, pushing the U.S. government to adopt a "zero trust" security model. This was prompted by Biden's executive order and the NSA and Microsoft recommending this approach in February 2021 for large enterprises and critical networks (National Security Systems, Department of Defense, Defense Industrial Base).

In May, the U.S. National Institute of Standards and Technology (NIST) also released updated guidance on how enterprises can better defend themselves from supply-chain attacks.

A Microsoft report from October 2021 also revealed that the Russian-backed Nobelium threat group kept targeting the global I.T. supply after hacking SolarWinds, attacking 140 managed service providers (MSPs) and cloud service providers and breaching at least 14 since May 2021.

Microsoft's findings demonstrated the software supply chain had become an increasingly popular target for threat actors since it allows them to compromise a single product and impact numerous downstream companies that use it.

The danger behind supply-chain attacks was also made evident in real-world scenarios multiple times since Russian threat actors compromised SolarWinds to infect its downstream customers, including by Kaseya's MSP software which was used to encrypt the systems of over a thousand companies worldwide and by how npm modules have been used to execute remote commands.

Source: BleepingComputer

https://www.bleepingcomputer.com/news/security/nsa-and-cisa-share-tips-to-secure-the-software-supply-chain/

Findings of the investigation launched on July 20, 2022 revealed that attackers had access to the Neopets IT systems from January 3, 2021 until July 19, 2022.

The company learned about the breach only after a hacker offered to sell a Neopets database for four bitcoins. 

The hacker claimed the database contained 460MB of source code and sensitive personal information for 69 million members.

An update from the company on Monday confirmed the hacker's claims, saying:

"For players that played prior to 2015, the information also could have included non-hashed, but inactive, passwords," the company added.

Responding to the situation

Neopets has taken a series of measures to improve their systems' security and to minimize the impact future incidents would have on the players.

The company says that it enhanced network monitoring to catch threats earlier and strengthened the authentication schemes for better account access protection.

Passwords have now been reset and Neopets is now working on implementing multi-factor authentication as an added defense layer.

Finally, the announcement recommends that all Neopets players change their passwords if they're recycling them for other online platforms or services.

Neopets players should remain vigilant for emails that urge them to take immediate action or ask them to provide sensitive information, such as that related to banking accounts.

Source: BleepingComputer

https://www.bleepingcomputer.com/news/security/neopets-says-hackers-had-access-to-its-systems-for-18-months/

Malicious actors could take advantage of this to access private databases, leading to data breaches and the exposure of customers' personal data.

Scale of the problem

Researchers at Symantec’s Threat Hunting team, part of Broadcom Software, found 1,859 applications containing hard-coded AWS credentials, most of them being iOS apps and just 37 for Android.

Roughly 77% of those applications contained valid AWS access tokens that could be used for direct access to private cloud services.

Additionally, 874 applications contained valid AWS tokens that hackers can use for accessing cloud instances containing live-service databases that hold millions of records.

These databases typically contain user account details, logs, internal communication, registration information, and other sensitive data, depending on the type of the app.

Real examples

The threat analysts highlight three notable cases in their report where the exposed AWS tokens could have had catastrophic consequences for both authors and users of the vulnerable apps.

One example is a business-to-business (B2B) company providing intranet and communication services to over 15,000 medium-to-large companies. 

The software development kit (SDK) the company provided to clients to access its services contains AWS keys, exposing all private customer data stored on the platform.

Another case is a third-party digital identity and authentication SDK used by several banking apps on iOS that included valid cloud credentials.

Due to this, all authentication data from all customers of those banks, including names, dates of birth, and even biometric digital fingerprint scans, were exposed in the cloud.

Finally, Symantec found a sports betting technology platform used by 16 online gambling apps, that exposed its entire infrastructure and cloud services with admin-level read/write permissions.

Why is this happening?

The issue with hard-coded and “forgotten” cloud service credentials is basically a supply chain problem, as the negligence of an SDK developer can impact an entire collection of apps and services that rely on it.

Mobile app development relies on ready-made components instead of creating everything from scratch, so if the app publishers don’t run a thorough check on the SDKs or libraries they use, a security risk is likely to propagate into their project.

As for developers hard-coding the credentials in their products, this is a matter of convenience during the development and testing process and skipping proper code review for security issues.

Referring to reasons why this is happening, Symantec highlights the following possibilities:

• Downloading or uploading assets and resources required for the app, usually large media files, recordings, or images
• Accessing configuration files for the app and/or registering the device and collecting device information and storing it in the cloud
• Accessing cloud services that require authentication, such as translation services
• No specific reason, dead code, and/or used for testing and never removed

Failing to remove these credentials when the software is ready to be deployed by clients is a matter of carelessness and the result of the absence of a checklist-based release process that includes security, too.

Source: BleepingComputer

https://www.bleepingcomputer.com/news/security/over-1-000-ios-apps-found-exposing-hardcoded-aws-credentials/

There's been a big rise in ransomware attacks targeting Linux as cyber criminals look to expand their options and exploit an operating system that is often overlooked when businesses think about security.

According to analysis by cybersecurity researchers at Trend Micro, Linux servers are "increasingly coming under fire" from ransomware attacks, with detections up by 75% over the course of the last year as cyber criminals look to expand their attacks beyond Windows operating systems.

Linux powers important enterprise IT infrastructure including servers, which makes it an attractive target for ransomware gangs – particularly when a perceived lack of threat to Linux systems compared with Windows means that cybersecurity teams might choose to focus on defending Windows networks against cybercrime.

Researchers note that ransomware groups are increasingly tailoring their attacks to focus specifically on Linux systems.

For example, LockBit is one of the most prolific and successful ransomware operations of recent times and now offers the option of a Linux-based variant that is designed to target Linux systems and has been used to conduct attacks in the wild.

Ransomware attackers are financially motivated and will readily follow new opportunities if they think that it can help them make more money – and it appears that encrypting Linux systems and demanding a payment for the key to unlock files and servers is becoming increasingly popular.

Researchers suggest that this approach is only going to become more common as ransomware attackers look to make the most money possible.

"New and emerging threat groups continue to evolve their business model, focusing their attacks with even greater precision. That's why it's essential that organizations get better at mapping, understanding, and protecting their expanding digital attack surface," said Jon Clay, VP of threat intelligence for Trend Micro.

And it isn't just ransomware groups that are increasingly turning their attentions towards Linux – according to Trend Micro, there's been a 145% increase in Linux-based cryptocurrency-mining malware attacks, where cyber criminals secretly exploit the power of infected computers and servers to mine for cryptocurrency for themselves.

One of the ways cyber criminals are compromising Linux systems is by exploiting unpatched vulnerabilities. According to the report, these flaws include CVE-2022-0847 – also known as Dirty Pipe – a bug that affects the Linux kernel from versions 5.8 and up, which attackers can use to escalate their privileges and run code. Researchers warn that this bug is "relatively easy to exploit".

To protect Linux systems from ransomware and other cyberattacks, it's recommended that all security patches are applied as soon as possible to prevent cyber criminals from being able to take advantage of known exploits that have fixes available.

It's also recommended that multi-factor authentication is applied across the entire ecosystem to provide an additional layer of defence against attacks and prevent ransomware hackers from being able to move around networks.

Source

"Attackers could have leveraged the vulnerability to hijack an account without users' awareness if a targeted user simply clicked a specially crafted link," Microsoft 365 Defender Research Team's Dimitrios Valsamaras said.

"Attackers could have then accessed and modified users' TikTok profiles and sensitive information, such as by publicizing private videos, sending messages, and uploading videos on behalf of users."

Clicking the link exposed more than 70 JavaScript methods that could be abused by an attacker with the help of an exploit designed to hijack the TikTok app's WebView (an Android system component used by the vulnerable app to display web content).

Using the exposed methods, threat actors could access or modify TikTok users' private information or perform authenticated HTTP requests.

In short, attackers who would've managed to exploit this vulnerability successfully could've easily:

• retrieved the users' authentication tokens (by triggering a request to a server under their control and logging the cookie and the request headers)
• retrieved or modified the users' TikTok account data, including private videos and profile settings (by triggering a request to a TikTok endpoint and retrieving the reply via the JavaScript callback)

"A WebView Hijacking vulnerability was found on the TikTok Android application via an un-validated deeplink on an un-sanitized parameter. This could have resulted in account hijacking through a JavaScript interface," the HackerOne report further explains.

Now patched, not exploited in attacks

The security vulnerability, tracked as CVE-2022-28799, is now patched since the release of TikTok version 23.7.3, published less than a month after Microsoft's initial disclosure.

Microsoft says it has not yet found evidence of CVE-2022-28799 being exploited in the wild. 

TikTok users can defend against similar issues by not clicking links from untrusted sources, keeping their apps up to date, only installing apps from official sources, and reporting any strange app behavior as soon as possible.

Additional information on how this vulnerability could have been used in attacks for account takeover can be found in Microsoft's report.

In November 2020, TikTok fixed vulnerabilities that enabled threat actors to quickly hijack the accounts of users who signed up via third-party apps.

The company has also addressed other security flaws that could have allowed attackers to steal users' personal information or hijack their accounts to manipulate videos.

According to its Google Play Store entry, TikTok's Android app has over 1 billion installs. Based on Sensor Tower Store Intelligence estimates, the mobile app has already crossed the 2 billion installs mark on all platforms since April 2020.

The company said the attack was blocked and added that it found no evidence indicating the attackers gained access to customer information stored on impacted servers.

"TAP was the target of a cyber-attack, now blocked. Operational integrity is guaranteed," the airline operator revealed in a statement on Friday via its official Twitter account.

"No facts have been found that allow us to conclude that there has been improper access to customer data. The website and app still have some instability."

On Monday, the airline also published an alert saying that its website and app are unable because of the Thursday cyberattack.

It also added that customers could book flights, manage previously made bookings, and check in and download their boarding passes without logging in.

Even though TAP is yet to confirm if this was a ransomware attack, the Ragnar Locker ransomware gang posted a new entry on their data leak website today, claiming to be behind last week's cyberattack that hit TAP's network.

The ransomware group says it has "reasons" to believe that hundreds of Gigabytes of data might have been compromised in the incident and threatened to provide "irrefutable evidence" to disprove TAP's statement that its customers' data wasn't accessed in the incident.

"Several days ago Tap Air Portugal made a press-release where they claimed with confidence that they successfully repelled the cyber attack and no data was compromised (but we do have some reasons to believe that hundreds of Gigabytes might be compromised)," the gang says.

Ragnar Locker also shared a screenshot of a spreadsheet containing what looks like customer information stolen from TAP's servers, including names, dates of birth, emails, and addresses.

Ragnar Locker ransomware payloads were first observed in attacks against several targets in late December 2019.

Attackers using Ragnar Locker ransomware have also encrypted the systems of Portuguese multinational energy giant Energias de Portugal (EDP) and asked for a 1580 BTC ransom (the equivalent of more than $10 million at the time).

A list of Ragnar Locker's past victims also includes Japanese game maker Capcom, computer chip manufacturer ADATA, and aviation giant Dassault Falcon.

In March, the FBI said that Ragnar Locker ransomware had been deployed on the networks of at least 52 organizations from multiple US critical infrastructure sectors since April 2020.

TAP (short for Transportes Aéreos Portugueses) is the largest airline in Portugal, accounting for more than 50% of arrivals and departures at the Lisbon International Airport in 2019.

TAP Air Portugal didn't reply to a request for comment when BleepingComputer reached out earlier today.

Source: BleepingComputer

https://www.bleepingcomputer.com/news/security/ragnar-locker-ransomware-claims-attack-on-portugals-flag-airline/

This functionality isn't limited to Google Chrome. Safari and Firefox also allow web pages to write to the system clipboard, yet they have gesture-based protections in place.

Chrome developers have identified the problem but a fix has yet to come, so it persists in current versions of the Google Chrome browser for mobile and desktop.

What's the big deal?

The system clipboard is a temporary storage location on operating systems. It's typically used for copy-pasting and it can involve sensitive information such as banking account numbers, cryptocurrency wallet strings, or passwords.

Overwriting this temporary storage space with arbitrary content puts users at risk as they could become victims of malicious activity.

Threat actors could lure users to specially crafted websites impersonating a legitimate cryptocurrency service. When the user tries to make a payment and copies the wallet address to the clipboard, the website can write to the clipboard the threat actor's address.

On some websites, when the user selects text to copy from a web page, additional content is appended to the clipboard (typically the page URL). In this case, though, the clipboard fills up with arbitrary content without any visible indication or user interaction.

What protects me from this?

Developer Jeff Johnson highlights in a blog post that explores the topic, all web browsers that support clipboard writing have poor and inadequate safeguards.

User gestures that give a web page permission to use the clipboard API include the keyboard shortcut for copying content (Ctrl+C), but in many cases, merely any interaction with the website is enough.

Johnson tested on Safari and Firefox and found that pressing the down arrow key or using his mouse scroll wheel to navigate on a site gave clipboard writing permission to the loaded web page.

Considering how common these actions are, this permission is sufficiently risky to deserve a fix.

Thankfully, Johnson's tests confirmed that websites could not abuse this permission to read clipboard contents, which would be detrimental to user privacy.

Am I impacted?

To determine if this issue impacts your web browser, you can visit "webplatform.news" and then "paste" your clipboard contents into a text app, like Windows Notepad.

If you see the following message, your browser is vulnerable to permission abuse.

Not all Chromium-based browsers are impacted by this issue, though. In tests from BleepingComputer, Brave didn't give the testing site permission to overwrite the clipboard.

However, Johnson's embedded test box that fills the visitor's clipboard with website navigation actions worked on all browsers, so the cause of the discrepancy is unclear.

Johnson says that users overly worried about this problem can use his 'StopTheMadness' extension but warns they will still not be 100% protected from arbitrary clipboard overwrites in all circumstances.

Source: BleepingComputer

https://www.bleepingcomputer.com/news/security/google-chrome-bug-lets-sites-write-to-clipboard-without-asking/

More specifically, eSentire's Threat Response Unit (TRU) discovered that the IT infrastructure used to attack Cisco was also deployed in an attempted compromise of one of its clients in April 2022.

"TRU believes that a hacker who uses the alias, mx1r, is the cybercriminal behind the attack," eSentire wrote.

According to security company Mandiant the threat actor known as mx1r would be a member of an Evil Corp affiliate group called UNC2165.

For context, in an advisory published after the May attack, Cisco attributed their breach to a threat actor with ties to the Lapsus$ threat group, the Yanluowang ransomware operators, and a group that Mandiant calls UNC2447.

Fast forward to the present day, the MDR advisory clarified that while the tactics, techniques, and procedures (TTPs) of the attack against the workforce management corporation matched those of Evil Corp, the infrastructure used matched that of a Conti ransomware affiliate, which has been seen deploying both Hive and Yanluowang ransomware payloads.

"Looking at various technical details of the malicious infrastructure leveraged, TRU discovered a handful of additional instances of Cobalt Strike infrastructure," eSentire wrote.

"TRU tracks this infrastructure cluster as HiveStrike. The Hive group first appeared on the ransomware scene in June 2021 and quickly gained a reputation for attacking critical targets including hospitals, energy companies and IT companies."

According to eSentire's report, HiveStrike also bears some similarities to the ShadowStrike infrastructure reported by TRU earlier this year with affiliations to Conti.

"It seems unlikely – but not impossible – that Conti would lend its infrastructure to Evil Corp," reads the advisory.

eSentire concluded its advisory by providing a series of suggestions to help companies protect their systems from cyber-attacks. These include having offline backup copies of all critical files, using multi-factor authentication (MFA) and only allowing administrators to access network appliances using a VPN service, among others.

Source

A vulnerability in the TikTok app for Android could have let attackers take over any account that clicked on a malicious link, potentially affecting hundreds of millions of users of the platform.

Details of the one-click exploit were revealed today in a blog post from researchers on Microsoft’s 365 Defender Research Team. The vulnerability was disclosed to TikTok by Microsoft, and has since been patched.

The bug and its resulting attack, labelled a “high severity vulnerability,” could have been used to hijack the account of any TikTok user on Android without their knowledge, once they clicked on a specially crafted link. After the link was clicked, the attacker would have access to all primary functions of the account, including the ability to upload and post videos, send messages to other users, and view private videos stored in the account.

The potential impact was huge, as it affected all global variants of the Android TikTok app, which has a total of more than 1.5 billion downloads on the Google Play Store. However, there’s no evidence it was exploited at scale. Researchers involved with the discovery and disclosure praised TikTok for a quick response.

“We gave them information about the vulnerability and collaborated to help fix this issue” Tanmay Ganacharya, partner director for security research at Microsoft Defender for Endpoint, told The Verge. “TikTok responded quickly, and we commend the the efficient and professional resolution from the security team.”

According to details published in the blog post, the vulnerability affected the deep link functionality of the Android app. This deep link handling tells the operating system to let certain apps process links in a specific way, such as opening the Twitter app to follow a user after clicking an HTML “Follow this account” button embedded in a webpage.

This link handling also includes a verification process that should restrict the actions performed when an application loads a given link. But the researchers found a way to bypass this verification process and execute a number of potentially weaponizable functions within the app.

One of these functions let them retrieve an authentication token tied to a certain user account, effectively granting account access without the need to enter a password. In a proof-of-concept attack, the researchers crafted a malicious link that, when clicked, changed a TikTok account’s bio to read “SECURITY BREACH.”

Fortunately, the vulnerability was detected, and Microsoft has used the opportunity to stress the importance of collaboration and coordination between technology platforms and vendors.

“As threats across platforms continue to grow in numbers and sophistication, vulnerability disclosures, coordinated response, and other forms of threat intelligence sharing are needed to help secure users’ computing experience, regardless of the platform or device in use,” wrote Microsoft’s Dimitrios Valsamaras in the blog post. “We will continue to work with the larger security community to share research and intelligence about threats in the effort to build better protection for all.”

Although the TikTok app is not known to have suffered any major hacks so far, some critics have branded it a security risk for other reasons.
Recently, concerns have been raised over the extent to which US users’ data can be accessed by China-based engineers at ByteDance, TikTok’s parent company. In July, Senate Intelligence Committee leaders called on FTC chair Lina Khan to investigate TikTok after reports brought into question claims that US users’ data was walled off from the Chinese branch of the company.

TikTok had not responded to questions from The Verge by time of publication.

Source

The platform’s administrators shared that network intruders managed to steal a 2021 database from its systems and are now distributing samples online.

The stolen database contains email addresses, phone numbers, and usernames. START characterizes it as uninteresting to most cybercriminals as it can’t be used for taking over accounts.

Financial information, bank card data, browsing history, or user passwords have not been impacted because these details were not present in the database.

“We have already fixed the vulnerability, and access to our data is closed,” mentions the statement on Telegram.

Even though a global reset isn’t enforced by START, it is recommended that all users change their passwords.

At least 7.5 million users impacted

The rumors about a data breach impacting START first appeared on Sunday, August 28, when a 72GB MongoDB JSON dump containing information of almost 44 million users started to be distributed over a social network.

Many of these entries concern test accounts. However, the dump contains 7,455,926 unique email addresses, which is likely close to the real number of exposed users.

The records date as recently as on September 22, 2021, so this incident doesn’t impact users who registered with the service after that date.

Russian news outlet Medusa reports having tested random entries from the leaked database on START’s password recovery tool, and all logins turned out to be valid.

One discrepancy between START’s statement and the leaked dump is that the latter contains md5crypt-hashed passwords, IP addresses, login logs, and subscription details, which have not been included in the official statement from the platform.

Russia to tighten data leak rules

Due to the increased cyber-offensive activity against Russian online platforms, the Moscow is implementing methods to defend user data from unauthorized access and to protect its citizens from exposure.

Last week, Kommersant reported that the Ministry of Digital Development is promoting a plan to create a register of “unacceptable IT security practices,” to help raise awareness among organization leaders.

Earlier this month, the same ministry proposed establishing a fund that would be used to compensate victims of database leaks. The fund would be backed by fines imposed on the entities responsible for the security breaches.

The presented draft law suggests a fine of 3% of the breached company’s annual turnover to introduce an incentive for firms to develop and apply sound security practices.

Source: BleepingComputer

https://www.bleepingcomputer.com/news/security/russian-streaming-platform-confirms-data-breach-affecting-75m-users/

The fraudsters behind these illegal call centers were also allegedly involved in scamming citizens of Ukraine and European Union countries interested in cryptocurrency, securities, gold, and oil investments.

Throughout this cross-border fraud operation, they used software and high-tech equipment that made it possible to spoof the phone numbers of state banking organizations.

"In the course of the investigation, it was established that the employees of call centers presented themselves as employees of these state banking institutions and extorted confidential data of citizens' bank cards," the NPU revealed.

"The organizers of the scheme used previously created websites and platforms for exchange trading of currency and cryptocurrency, securities, gold and oil to attract funds from foreign citizens, guaranteeing the receipt of excess profits in a short time."

While claiming to be members of a so-called "Community of cryptocurrency brokers," the attackers also used contact information belonging to previous victims of other cryptocurrency scammers to deceive them that they could help them recover their stolen funds for a "commission."

However, they interrupted all communications after tricking the targets into transferring the money to attacker-controlled accounts.

Ukrainian law enforcement officers confirmed these illegal activities following authorized searches at the location of multiple "call centers" linked to this cybercrime operation and the seizure of computer equipment, mobile phones, and data records.

Those linked to this fraud scheme are investigated for being part of an organized criminal group, fraud, and using malicious software, and are facing up to 12 years in prison.

In September 2021, the Security Service of Ukraine (SBU) also took down another network of call centers in Lviv linked to a ring of scammers who defrauded cryptocurrency investors worldwide.

They used VoIP (Voice over Internet Protocol) phone numbers to hide their actual location while scamming thousands of foreign investors.

The U.S. Federal Trade Commission (FTC) said last year that more than $80 million were lost to cryptocurrency investment scams, according to roughly 7,000 reports received since October 2020.

The Federal Bureau of Investigation (FBI) also alerted cryptocurrency owners of fraudsters actively targeting virtual assets in phone calls by impersonating cryptocurrency exchange or payment platform support staff.

Stock market investors were also warned by the Securities and Exchange Commission (SEC) in July 2021 that scammers are impersonating registered investment professionals such as brokers and investment advisers.

Source: Bleepingcomputer

https://www.bleepingcomputer.com/news/security/ukraine-takes-down-cybercrime-group-hitting-crypto-fraud-victims/

The updated Google Play policy, which outlines specific requirements for VPN services that work on Android devices, was announced last month. It will take effect on November 1.

Google basically asks all VPN service providers to use the Android VPNService base class. Apps that explicitly confirm they offer VPN services and choose to use Google’s VPN API, would be allowed to open a secure device-level tunnel to a remote service.

However, no VPN service should, “manipulate ads that can impact apps monetization”. In other words, VPN service providers may open a secure device-level channel for data exchange that takes place via a remote service. However, services will have to ensure that apps and services that pass through the VPN tunnel retain their communication to ad servers.

The revised Terms and Conditions state that developers must declare the use of VPNservice in their apps' Google Play listing, must encrypt data from the device to the VPN endpoint, and must comply with Developer Program Policies, particularly those related to ad fraud, permissions, and malware.

The majority of these conditions seem logical as they will secure a user’s data. Users will have the added reassurance that the data isn’t being used in any other way. Nonetheless, it appears Google may be prioritizing its own interests.

Google claims it is taking action against apps that advertise a VPN service, but use it instead to track user data. These apps can, and often do reroute user traffic to earn money through ads.

Incidentally, Apple's iOS App Store has a very similar requirement. Apple mandates VPN service providers use a specific VPN API, called NEVPNManager. The API is only available to developers who are part of an organization.

Via: The Register

Google will cripple Android VPN services that threaten to break advertisements

The malware is written in Golang, a programming language that is gaining popularity among cybercriminals because it is cross-platform (Windows, Linux, Mac) and offers increased resistance to reverse engineering and analysis.

In the recent campaign discovered by researchers at Securonix, the threat actor drops payloads that are currently not marked as malicious by antivirus engines on the VirusTotal scanning platform.

Infection chain

The infection starts with a phishing email with an attached malicious document, “Geos-Rates.docx”, which downloads a template file.

That file contains an obfuscated VBS macro that auto-executes if macros are enabled in the Office suite. The code then downloads a JPG image (“OxB36F8GEEC634.jpg”) from a remote resource (“xmlschemeformat[.]com”), decodes it into an executable (“msdllupdate.exe”) using certutil.exe, and launches it.

In an image viewer, the .JPG shows the galaxy cluster SMACS 0723, published by NASA in July 2022.

However, if opened with a text editor, the image reveals additional content disguised as an included certificate, which is a Base64-encoded payload that turns into the malicious 64-bit executable.

The payload’s strings are further obfuscated using ROT25, while the binary uses XOR to hide the Golang assemblies from analysts. On top of that, the assemblies use case alteration to avoid signature-based detection by security tools.

Malware functions

Based on what could be deduced via dynamic malware analysis, the executable achieves persistence by copying itself to '%%localappdata%%\microsoft\vault\' and adding a new registry key.

Upon execution, the malware establishes a DNS connection to the command and control (C2) server and sends encrypted queries.

“The encrypted messages are read in and unencrypted on the C2 server, thus revealing its original contents,” explains Securonix in the report.

The C2 may respond to the malware by setting time intervals between connection requests, changing the nslookup timeout, or sending out commands to execute through the Windows cmd.exe tool.

During testing, Securonix observed the threat actors running arbitrary enumeration commands on its test systems, a standard first reconnaissance step.

The researchers note that the domains used for the campaign were registered recently, the oldest one on May 29, 2022.

Securonix has provided a set of indicators of compromise (IoCs) that includes both network and host-based indicators.

Hackers hide malware in James Webb telescope images

Chrome and Chromium-based browser users who have not followed the news regarding the future of extensions in the browsers, may need a quick explanation to better understand what is going to happen in the coming months and years.

Google announced plans to release a new Manifest for extensions in 2018. Manifest V3 defines what extensions can and can't do in the Chrome web browser, and any other browser that implements it. Extension developers, privacy advocates and users criticized Manifest V3 shortly thereafter. The developer of uBlock Origin, who maintains one of the most respected content blockers, said that the release of Manifest V3 could mean the end uBlock Origin for Chrome.

Some browser makers, including Mozilla, maker of Firefox, stated openly that they would not implement the limiting changes of Manifest V3. Google made some concessions, but went ahead with the launching of Manifest V3 in the company's Chrome web browser.

Starting in January 2023, extension developers may no longer publish new Manifest V2 extensions or update existing ones. From June 2023 onward, Manifest V2 extensions won't run in Chrome anymore.

In other words: extension developers need to update their extensions to be compatible with the new Manifest V3 or end development for Chrome. Some Chromium-based browsers may modify the default behavior to support Manifest V2 extensions, but most won't, probably.

AdGuard MV3 Browser extension

AdGuard published a new browser extension for Chrome and other Chromium-based browsers that is based on Manifest V3. Users of AdGuard do not need the extension, as the main solution runs system-wide.

Work on the extension started in mid-2021. The developers note that the new APIs of Manifest V3 caused a lot of headache during development. While they managed to produce a working content blocker based on Manifest V3, they concede that it has certain limitations that Manifest V2 content blockers did not have.

One of the main issues of Manifest V3 is that it imposes a fixed limit of 330,000 rules for all extensions installed in Chrome. Any one extension has guaranteed access to 30,000 rules. The number may sound like much, but when you realize that modern content blockers rely on tens of thousands of even hundred thousands of rules, the limitation becomes apparent right away.

Take uBlock Origin as an example. The default configuration of uBlock Origin uses 80435 network filters and 45243 cosmetic filters; that is already more than four times the minimum guaranteed rules limit. Users may add their own custom rules to many content blockers or subscribe to more rules listings. It is easy to reach the 330,000 rules limit with just one extension.

Now imagine that other extensions are installed that rely on rules. These compete with each other then when it comes to the limits.

Dynamic rules have an even stricter limit of 5000, which includes a limit of 1000 regular expression rules. When the limit is exceeded, only the first 5000 rules will be applied by the content blocker, while all other rules have no effect.

AdGuard MV3 Browser takes that into account. The developers have added warnings to the extension that inform users when the rules limitation is forcing the extension to reduce the number of rules that it supports. In fact, the developers note that even the basic filter lists, which is the primary list of AdGuard, may be disabled in the worst case, as it has more than 30,000 rules. For users, it can mean that the installed content blocker does nothing at all.

Closing Words

AdGuard's new browser extension for Chrome demonstrates that content blockers are possible under Manifest V3. Compared to Manifest V2 content blockers, Manifest V3 extensions can be less powerful due to the artificial rules limits of Manifest V3. Especially the competing part is troublesome, as extensions may stop working if rules limits are reached.

Most Chrome users may want to switch to another browser when Manifest V3 becomes the standard to get a reliable protection and not a chaotic one.

Now You: are you affected by Manifest V3?

AdGuard launches Manifest V3 compatible ad-blocker for Chrome

Technology services from Nelnet Servicing, including a web portal, are used by OSLA and EdFinancial to give online access students taking out a loan access to their loan accounts.

Sometime in June, unidentified intruders compromised Nelnet Servicing and stayed on  its systems until July 22. The hackers compromised the company's network likely after exploiting a vulnerability.

About 2,501,324 individuals have been impacted by  the breach.

A sample notification letter to impacted parties sent to the Office of the Maine Attorney General as part of the data breach disclosure process, Nelnet Servicing has informed OSLA and EdFinancial, who are notifying their customers.

Although Nelnet states it blocked the cyberattack as soon as the breach was detected, a subsequent investigation that was completed on August 17, 2022, determined that certain student loan account registration information might have been accessed.

The exposed information includes the following:

• Full name
• Physical address
• Email address
• Phone number
• Social Security Number

The letters clarify that no financial account numbers or any form of payment information were exposed due to the security incident.

EdFinancial also underlines that not all its clients are hosted by Nelnet Servicing, so not all students that took a loan through them are impacted by the data breach.

Threat actors with access to the aforementioned information may engage in phishing attacks, social engineering, impersonation, and various scamming schemes. As the topic of loans is particularly sensitive, the risk of exposure is amplified.

Due to the seriousness of this data breach incident, law firm "Markovits, Stock & DeMarco" yesterday launched an investigation on the potential of a class action lawsuit.

Both EdFinancial and OSLA offer impacted individuals free access to a 24-month identity theft protection service through Experian, with instructions on how to enroll enclosed in the letters.

“We encourage you to remain vigilant against incidents of identity theft and fraud over the next 24 months, by reviewing your account statements and monitoring your free credit reports for suspicious activity and to detect errors,” reads to notice sent to affected borrowers.

It is recommended that recipients of the notices take immediate action to protect themselves from fraud by enrolling in Experian’s IdentityWorks service and remaining vigilant against all incoming communication.

Monitoring bank account statements and requesting a credit report is also advisable. Finally, placing a credit freeze should be considered for high-risk cases. Instructions on how to do that are included in the distributed notices.

Source: BleepingComputer

https://www.bleepingcomputer.com/news/security/nelnet-servicing-breach-exposes-data-of-25m-student-loan-accounts/

"The FBI has observed cyber criminals exploiting vulnerabilities in the smart contracts governing DeFi platforms to steal investors' cryptocurrency," the federal law enforcement agency said.

"The FBI encourages investors who suspect cyber criminals have stolen their DeFi investments to contact the FBI via the Internet Crime Complaint Center or their local FBI field office."

The public service announcement, published on the FBI's Internet Crime Complaint Center (IC3) today, adds that out of roughly $1.3 billion in cryptocurrency stolen between January and March 2022, snatched almost 97 percent of it from DeFi platforms.

Per FBI's calculations, this amounts to a significant increase from 72 percent in 2021 and approximately 30 percent in 2020, respectively.

Attackers have used various methods to hack and steal cryptocurrency from DeFi platforms, including initiating flash loans that trigger exploits in the platforms' smart contracts and exploiting signature verification flaws in their token bridge to withdraw all investments.

The agency has also observed cybercriminals manipulating crypto price pairs by exploiting chains of vulnerabilities, including the DeFi platforms' use of a single price oracle and then conducting leveraged trades to bypass slippage checks.

The FBI recommends investors take precautions before making an investment decision, such as to:

• Research DeFi platforms, protocols, and smart contracts before investing and be aware of the specific risks involved in DeFi investments.
• Ensure the DeFi investment platform has conducted one or more code audits performed by independent auditors. A code audit typically involves a thorough review and analysis of the platform's underlying code to identify vulnerabilities or weaknesses in the code that could negatively impact the platform's performance.
• Be alert to DeFi investment pools with extremely limited timeframes to join and rapid deployment of smart contracts, especially without the recommended code audit.
• Be aware of the potential risk posed by crowdsourced solutions to vulnerability identification and patching. Open source code repositories allow unfettered access to all individuals, including those with nefarious intentions.

DeFi platforms under heavy targeting

FBI's warning follows a Chainalysis report from April that highlighted how, according to Q1 2022 data, DeFi cryptocurrency platforms are now more targeted than ever.

In most incidents, the attackers rely on exploiting security vulnerabilities in their code or a security breach on the platform, allowing them to siphon cryptocurrency to addresses under their control.

According to Chainalysis, threat actors behind such attacks have laundered most of the stolen assets in 2022 using risky laundering services such as illegal exchanges and coin tumblers on the dark web.

While in 2021, around 25% of all cryptocurrency stolen from DeFi platforms was later recovered and returned to the victims, this year no DeFi-stolen funds have been returned, showing that attackers are less interested in securing their stolen assets.

In April, the FBI linked the hack of Axie Infinity's Ronin network bridge, now the largest crypto hack ever, to the Lazarus and BlueNorOff (aka APT38) North Korean threat groups.

The previous most significant theft of cryptocurrency was the $611 million hack of the decentralized cross-chain protocol and network Poly Network in August 2021.

"Cyber criminals seek to take advantage of investors' increased interest in cryptocurrencies, as well as the complexity of cross-chain functionality and open source nature of DeFi platforms," further warned the FBI today.

"Investors should make their own investment decisions based on their financial objectives and financial resources and, if in any doubt, should seek advice from a licensed financial adviser."

Source: BleepingComputer

https://www.bleepingcomputer.com/news/security/fbi-hackers-increasingly-exploit-defi-bugs-to-steal-cryptocurrency/

The purpose of the malicious extensions is to monitor when users visit e-commerce website and to modify the visitor's cookie to appear as if they came through a referrer link. For this, the authors of the extensions get an affiliate fee for any purchases at electronic shops.

The five malicious extensions that McAfee researchers discovered are the following:

• Netflix Party (mmnbenehknklpbendgmgngeaignppnbe) – 800,000 downloads
• Netflix Party 2 (flijfnhifgdcbhglkneplegafminjnhn) – 300,000 downloads
• Full Page Screenshot Capture – Screenshotting (pojgkmkfincpdkdgjepkmdekcahmckjp) – 200,000 downloads
• FlipShope – Price Tracker Extension (adikhbfjdbjkhelbdnffogkobkekkkej) – 80,000 downloads
• AutoBuy Flash Sales (gbnahglfafmhaehbdmjedfhdmimjcbed) – 20,000 downloads

It is worth noting that the above extensions still feature the promised functionality, making it more difficult for victims to notice the malicious activity. Although using  them does not impact users directly, they are a severe privacy risk.

Thus, if you are using any of the listed extensions, even if you find their functionality useful, it is recommended to remove them from your browser immediately.

How the extensions work

All five extensions discovered by McAfee have a similar behavior. The web app manifest ("manifest.json" file), which dictates how the extension should behave on the system, loads a multifunctional script (B0.js) that sends the browsing data to a domain the attackers control (“langhort[.]com”).

The data is delivered through via POST requests each time the user visits a new URL. The info reaching the fraudster includes the URL in base64 form, the user ID, device location (country, city, zip code), and an encoded referral URL.

If the visited website matches any entries on a list of websites for which the extension author has an active affiliation, the server responds to B0.js with one of two possible functions.

The first one, “Result[‘c’] – passf_url “, orders the script to insert the provided URL (referral link) as an iframe on the visited website.

The second, “Result[‘e’] setCookie”, orders B0.js to modify the cookie or replace it with the provided one if the extension has been granted with the associated permissions to perform this action.

McAfee has also published a video to showcase how the URL and cookie modifications happen in real time:

To evade detection, analysis, and to confuse researchers or vigilant users, some of the extensions feature a delay of 15 days from the time of their installation before they start sending out the browser activity.

At the time of writing this, "Full Page Screenshot Capture – Screenshotting" and "FlipShope – Price Tracker Extension" are still available on the Chrome Web Store.

The two Netflix Party extensions have been removed from the store, but this doesn't delete them from web browsers, so users should take manual action to uninstall them.

Source: BleepingComputer

https://www.bleepingcomputer.com/news/security/chrome-extensions-with-14-million-installs-steal-browsing-data/

Victims landed on the fraudulent site after receiving phishing emails with enticing lures and received a malicious JavaScript payload from the ScanBox reconnaissance framework.

The campaign was active from April to June this year and targeted people at local and federal Australian Government agencies, Australian news media organizations, and at global heavy industry manufacturers that provide maintenance to wind turbines in the South China Sea.

Security researchers at Proofpoint and PwC (PricewaterhouseCoopers) observing the campaign assess that the objective was cyberespionage. They attribute the activity with moderate confidence to a China-based group tracked as  from a threat group tracked as APT40 (a.k.a. TA423, Leviathan, Red Ladon).

ScanBox campaign

ScanBox has been seen in multiple attacks from at least six China-based threat actors in the past and there is sufficient evidence indicating that the toolkit has been used since at least 2014.

A report from Proofpoint today notes that the phishing emails were delivered to targets in several waves, using Gmail and Outlook email addresses.

The sender posed as an employee of “Australian Morning News,” a fake media outlet, and added a URL to the malicious website. The site featured content copied from various legitimate news portals.

The URLs also included unique values for each target, the researchers say, although they led to the same page and malicious payload in every instance.

Visitors of the fake website were served with a copy of the ScanBox framework via JavaScript execution and staged module loading.

“ScanBox can deliver JavaScript code in one single block, or, as is the case in the April 2022 campaign, as a plugin-based, modular architecture,” explains Proofpoint.

The report further explains that delivering the entire code may be preferable to the threat actors. However, it would risk crashes and errors and it could draw the attention of researchers, so selective plugin loading was chosen.

Modules available in the ScanBox framework include:

• Keylogger: records key presses performed within a ScanBox iframe.
• Browser plugins: identifies installed browser plugins
• Browser fingerprinting: identifies and analyzes victim’s browser technical capabilities
• Peer connection: implements WebRTC to real-time communication over APIs
• Security check: checks if Kaspersky security tools are installed on the victim’s machine
•  

Once the framework has been assembled on the victim’s machine and the selected plugins are loaded, it sets up command and control (C2) communications and begins sending victim profile data, technical details, and information useful for reconnaissance and basic espionage.

In some cases observed in June 2022, the threat actors targeted the Australian Naval Defense, oil and petroleum, and deep water drilling firms using COVID-19 passport services lures that downloaded a DLL stager for loading Meterpreter.

Links to past operations

Based on recent evidence from the targeting methods and tools, Proofpoint concludes that the 2022 campaign is the third phase of the same intelligence-gathering mission APT40 has been carrying out since March 2021.

Back then, the threat actors impersonated news outlets like “The Australian” and “Herald Sun”, to perform RTF Template injection and load Meterpreter on the victims’ machines. The use of ScanBox in APT40 campaigns was seen in 2018 too.

The threat actor has an attack history long enough to prompt the U.S. Department of Justice in July 2021 to indict members of APT40.

Source: BleepingComputer

https://www.bleepingcomputer.com/news/security/chinese-hackers-target-australian-govt-with-scanbox-malware/

According to security researcher Ashutosh Barot, the issue is rooted in the account registration process, leading to the exposure of details such as names, gender, email addresses, and phone numbers.

The bug was identified on August 7, 2022, the same day the low-cost airline commenced its operations in the country.

"I found an HTTP request which gave my name, email, phone number, gender, etc. in JSON format," Borot said in a write-up. "I immediately changed some parameters in [the] request and I was able to see other user's PII. It took around ~30 minutes to find this issue."

Upon receiving the report, the company said it temporarily shut down parts of its system to incorporate additional security guardrails. It has also reported the incident to the Indian Computer Emergency Response Team (CERT-In).

Akasa Air emphasized that no travel-related information or payment details were left accessible and that there is no evidence the glitch was exploited in the wild.

The airline further said it has directly notified affected users of the incident, although the scale of the leak remains unclear, adding it "advised users to be conscious of possible phishing attempts."

Source