Dubbed DirtyCred by a group of academics from Northwestern University, the security weakness exploits a previously unknown flaw (CVE-2022-2588) to escalate privileges to the maximum level.

"DirtyCred is a kernel exploitation concept that swaps unprivileged kernel credentials with privileged ones to escalate privilege," researchers Zhenpeng Lin, Yuhang Wu, and Xinyu Xing noted. "Instead of overwriting any critical data fields on kernel heap, DirtyCred abuses the heap memory reuse mechanism to get privileged."

This entails three steps -

•  Free an in-use unprivileged credential with the vulnerability

•  Allocate privileged credentials in the freed memory slot by triggering a privileged userspace process such as su, mount, or sshd

•  Operate as a privileged user

The novel exploitation method, according to the researchers, pushes the dirty pipe to the next level, making it more general as well as potent in a manner that could work on any version of the affected kernel.

"First, rather than tying to a specific vulnerability, this exploitation method allows any vulnerabilities with double-free ability to demonstrate dirty-pipe-like ability," the researchers said.

"Second, while it is like the dirty pipe that could bypass all the kernel protections, our exploitation method could even demonstrate the ability to escape the container actively that Dirty Pipe is not capable of."

Dirty Pipe, tracked as CVE-2022-0847 (CVSS score: 7.8) and affecting Linux kernel versions starting from 5.8, refers to a security vulnerability in the pipe subsystem that allows underprivileged processes to write to arbitrary readable files, leading to privilege escalation.

The exploitable vulnerability was so called after the Dirty Cow vulnerability discovered in 2016 based on their similarities.

Given that objects are isolated based on their type and not privileges, the researchers recommend isolating privileged credentials from unprivileged ones using virtual memory to prevent cross-cache attacks.

Source

Hackers are taking advantage of the self-enrollment process in the Azure Active Directory and other platforms. Usually, when an organization first enforces MFA, many platforms allow their users to immediately enroll for their MFA device. However, in Azure AD in its default configuration, there is no such enrollment enforced. This means that anyone who has the login credentials for an account can enroll in MFA as long as they are doing it for the first time on that account.

The Russian espionage group APT29 had earlier conducted a password guessing attack against a list of emails. For accounts that were set up but never used, the hacker group was able to use them to access the organization's VPN infrastructure. The VPN was using Azure AD for authentication and MFA.

Mandiant recommends that organizations ensure all active accounts have at least one MFA device enrolled and work with their platform vendor to add additional verifications to the MFA enrollment process. Microsoft Azure AD recently rolled out a feature to allow organizations to enforce controls around specific actions such as MFA device enrollment.

Organizations can also restrict the location of MFA registration to only trusted locations, such as an internal network or trusted devices. They can also use a temporary MFA pass to enroll in MFA when people first join or lose their MFA device.

Source: ZDnet (via Mandiant)

Source

But, did you know it is possible for an encrypted ZIP file to have two correct passwords, with both producing the same outcome when the ZIP is extracted?

A ZIP file with two passwords

Arseniy Sharoglazov, a cybersecurity researcher at Positive Technologies shared over the weekend a simple experiment where he produced a password-protected ZIP file called x.zip.

The password Sharoglazov picked for encrypting his ZIP was a pun on the 1987 hit that's become a popular tech meme:

But the researcher demonstrated that when extracting x.zip using a completely different password, he received no error messages.

In fact, using the different password resulted in successful extraction of the ZIP, with original contents intact:

pkH8a0AqNbHcdw8GrmSp

BleepingComputer was able to successfully reproduce the experiment using different ZIP programs. We used both p7zip (7-Zip equivalent for macOS) and another ZIP utility called Keka.

Like the researcher's ZIP archive, ours was created with the aforementioned longer password, and with AES-256 encryption mode enabled.

While the ZIP was encrypted with the longer password, using either password extracted the archive successfully.

How's this possible?

Responding to Sharoglazov's demo, a curious reader, Rafa raised an important question, "How????"

Twitter user Unblvr seems to have figured out the mystery:

When producing password-protected ZIP archives with AES-256 mode enabled, the ZIP format uses the PBKDF2 algorithm and hashes the password provided by the user, if the password is too long. By too long, we mean longer than 64 bytes (characters), explains the researcher.

Instead of the user's chosen password (in this case "Nev1r-G0nna-G2ve-...") this newly calculated hash becomes the actual password to the file.

When the user attempts to extract the file, and enters a password that is longer than 64 bytes ("Nev1r-G0nna-G2ve-... "), the user's input will once again be hashed by the ZIP application and compared against the correct password (which is now itself a hash). A match would lead to a successful file extraction.

The alternative password used in this example ("pkH8a0AqNbHcdw8GrmSp") is in fact ASCII representation of the longer password's SHA-1 hash.

SHA-1 checksum of "Nev1r-G0nna-G2ve-..." = 706b4838613041714e62486364773847726d5370.

This checksum when converted to ASCII produces: pkH8a0AqNbHcdw8GrmSp

Note, however, that when encrypting or decrypting a file, the hashing process only occurs if the length of the password is greater than 64 characters.

In other words, shorter passwords will not be hashed at either stage of compressing or decompressing the ZIP.

This is why when picking the long "Nev1r-G0nna-G2ve-... " string as the password at the encryption stage, the actual password being set by the ZIP program is effectively the (SHA1) hash of this string.

At the decryption stage, if you were to enter "Nev1r-G0nna-G2ve-...," it will be hashed and compared against the previously stored password (which is the SHA1 hash). However, entering the shorter "pkH8a0AqNbHcdw8GrmSp" password at the decryption stage will have the application directly compare this value to the stored password (which is, again the SHA1 hash).

The HMAC collisions subsection of PBKDF2 on Wikipedia provides some more technical insight to interested readers.

"PBKDF2 has an interesting property when using HMAC as its pseudo-random function. It is possible to trivially construct any number of different password pairs with collisions within each pair," notes the entry.

"If a supplied password is longer than the block size of the underlying HMAC hash function, the password is first pre-hashed into a digest, and that digest is instead used as the password."

But, the fact that there are now two possible passwords to the same ZIP does not represent a security vulnerability, "as one still must know the original password in order to generate the hash of the password," the entry further explains.

Arriving at a perfect password

An interesting key aspect to note here is, ASCII representations of every SHA-1 hash need not be alphanumeric.

In other words, let's assume we had chosen the following password for our ZIP file during this experiment. The password is longer than 64 bytes:

It's SHA-1 checksum comes out to be: bd0b8c7ab2bf5934574474fb403e3c0a7e789b61

And the ASCII representation of this checksum looks like a gibberish set of bytes—not nearly elegant as the alternative password generated by the researcher for his experiment:

BleepingComputer asked Sharoglazov how was he able to pick a password whose SHA-1 checksum would be such that its ASCII representation yields a clean, alphanumeric string.

"That's why hashcat was used," the researcher tells BleepingComputer.

By using a slightly modified version of the open source password recovery tool, hashcat, the researcher generated variations of the "Never Gonna Give You Up..." string using alphanumeric characters until he arrived at a perfect password.

"I tested Nev0r, Nev1r, Nev2r and so on... And I found the password I need."

And, that's how Sharoglazov arrived at a password that roughly reads like "Never Gonna Give You Up...," but the ASCII representation of its SHA-1 checksum is one neat alphanumeric string.

For most users, creating a password-protected ZIP file with a choice of their password should be sufficient and that is all they would need to know.

But should you decide to get adventurous, this experiment provides a peek into one of the many mysteries surrounding encrypted ZIPs, like having two passwords to your guarded secret.

An encrypted ZIP file can have two correct passwords — here's why

During the latest edition of the DEF CON hacking conference held in Las Vegas, the group of white hat hackers Shadytel demonstrated how to take control of a satellite in geostationary orbit. The group used a satellite called Anik F1R, which was dismissed in 2020.

The group was authorized to perform the hack and the satellite they hacked had been decommissioned, which means that it is going to send to a graveyard orbit. The graveyard, also called a junk orbit, is an orbit that lies away from common operational orbits, some satellites are moved into such orbits at the end of their operational life to avoid colliding with operational spacecraft and satellites.

One of the members of the group, Karl Koscher, explained that they had access to an unused uplink facility which included the hardware to connect to a satellite.

“[Koscher] said that they also had a license to use the uplink, and a lease on the satellite’s transponder, which is a unit that opens a channel between the receiving and the transmitting antennas.” Lorenzo Franceschi-Bicchierai wrote on Motherboard.

The group of hackers was able to stream the talks at the hacking conference ToorCon last year along with hacker movies like WarGames.

Koscher and its group highlighted the risks that threat actors, once gained access to an uplink facility, could take control of decommissioned satellites to conduct malicious activities.

Koscher explained that it is quite easy to find the hardware to connect the satellite, the group used a Hack RF software defined radio peripheral capable of transmission or reception of radio signals from 1 MHz to 6 GHz. The software is cheap, it only costs around $300.

Source

DDoS (distributed denial of service) protection screens are commonplace on the internet, protecting sites from bots that ping them with bogus requests, aiming to overwhelm them with garbage traffic.

Internet users treat these "welcome screens" as an unavoidable short-term annoyance that keeps their favorite online resources protected from malicious operatives. Unfortunately, this familiarity serves as an excellent opportunity for malware campaigns.

Malware through fake Cloudflare prompts

As detailed in a report by Sucuri, threat actors are hacking poorly protected WordPress sites to add a heavily obfuscated JavaScript payload that displays a fake Cloudflare protection DDoS screen.

This screen, shown below, requests that the visitor clicks on a button to bypass the DDoS protection screen. However, clicking on the button will download a 'security_install.iso' file to the computer, which pretends to be a tool required to bypass the DDoS verification.

The victims are then told to open the security_install.iso, which they pretend is an application called DDOS GUARD, and enter the code shown.

When a user opens the security_install.iso, they will see a file called security_install.exe, which is actually a Windows shortcut that runs a PowerShell command from the debug.txt file.

Ultimately, this causes a chain of scripts to run that display the fake DDoS code needed to view the site, as well as installing the NetSupport RAT, a remote access trojan used extensively in malicious campaigns today.

Additionally, the scripts will download the Raccoon Stealer password-stealing trojan and launch it on the device.

Raccoon Stealer returned to operations in June this year, when its authors released its second major version and made it available to cybercriminals under a subscription model.

Raccoon 2.0 targets passwords, cookies, auto-fill data, and credit cards saved on web browsers, a wide range of cryptocurrency wallets, and it's also capable of performing file exfiltration and taking screenshots of the victim's desktop.

How to protect

Admins should check the theme files of their WordPress sites, as according to Sucuri, this is the most common infection point in this campaign.

Additionally, it is advisable to employ file integrity monitoring systems to catch those JS injections as they happen and prevent your site from being a RAT distribution point.

Internet users can protect themselves from such threats by enabling strict script blocking settings on their browser, although that will break the functionality of almost all sites.

Finally, keep in mind that downloading ISO files are never part of legitimate anti-DDoS procedures, so even if you do that out of carelessness, do not unpack or run their contents.

WordPress sites hacked with fake Cloudflare DDoS alerts pushing malware

This week's attacks were on Argentina's Judiciary of Córdoba, a UK water supplier (though Clop attributed to the wrong company), and LockBit claiming to be behind the attack on Entrust.

Finally, researchers found a new variant of the SOVA Android malware that includes a ransomware feature to encrypt mobile devices.

While Entrust has not responded to our queries about the attack, sources have told us that LockBit conducted the attack.

Contributors and those who provided new ransomware information and stories this week include: @billtoulas, @LawrenceAbrams, @PolarToffee, @BleepinComputer, @Seifreed, @jorntvdw, @fwosar, @serghei, @struppigel, @FourOctets, @demonslay335, @malwrhunterteam, @Ionut_Ilascu, @malwareforme, @VK_Intel, @DanielGallagher, @juanbrodersen, @AlvieriD, @Cyberknow20, @Intel_by_KELA, @MauroEldritch, @luisezegarra, @Cleafy, and @pcrisk.

August 13th 2022

SOVA malware adds ransomware feature to encrypt Android devices

The SOVA Android banking trojan continues to evolve with new features, code improvements, and the addition of a new ransomware feature that encrypts files on mobile devices.

August 15th 2022

Argentina's Judiciary of Córdoba hit by PLAY ransomware attack

Argentina's Judiciary of Córdoba has shut down its IT systems after suffering a ransomware attack, reportedly at the hands of the new 'Play' ransomware operation.

August 16th 2022

Hackers attack UK water supplier but extort wrong company

South Staffordshire Water, a company supplying 330 million liters of drinking water to 1.6m consumers daily, has issued a statement confirming IT disruption from a cyberattack.

IceFire Ransomware launches data leak site

New STOP ransomware variants

PCrisk found a bunch of new STOP ransomware variants that append the .qqlc, .qqlo, and .qqmt extensions.

New VoidCrypt variants

PCRisk found new VoidCrypt variants that append the .dark and .Angry extensions and drops a ransom note named unlock-info.txt.

New VoidCrypt variants

PCRisk found a new Chaos ransomware variant that appends the .sex extension and drops a ransom note named read_it.txt.

August 17th 2022

BlackByte ransomware gang is back with new extortion tactics

The BlackByte ransomware is back with version 2.0 of their operation, including a new data leak site utilizing new extortion techniques borrowed from LockBit.

Videos from SANS Ransomware Summit

SANS has published the videos from their ransomware summit.

Alleged Russian Money Launderer Extradited from the Netherlands to U.S.

According to court documents, Dubnikov and his co-conspirators laundered the proceeds of ransomware attacks on individuals and organizations throughout the United States and abroad. Specifically, Dubnikov and his accomplices laundered ransom payments extracted from victims of Ryuk ransomware attacks.

August 18th 2022

LockBit claims ransomware attack on security giant Entrust

The LockBit ransomware gang has claimed responsibility for the June cyberattack on digital security giant Entrust.

August 19th 2022

Córdoba: chaos in the Justice after the ransomware attack

The ransomware attack suffered by the Judiciary of Córdoba last Friday left the Justice of that province in limbo. Since then, the systems team has been working amid the chaos to recover the sequestered information: password changes, USB port blockages, suspension of Exchange email and interruption of communications between users to prevent the spread of the virus.

New STOP ransomware variant

PCrisk found a new STOP ransomware variant that appends the .qqri extension.

The Week in Ransomware - August 19th 2022 - Evolving extortion tactics

The release notes for Sysmon v14.0 says:

This major update to Sysmon, an advanced host monitoring tool, adds a new event type, FileBlockExecutable that prevents processes from creating executable files in specified locations. It also includes several performance improvements and bug fixes.

Sysmon GitHub repo maintainer Olaf Hartong has explained that such a feature can help to prevent the creation of malicious files or downloading of secondary malicious payloads by malware droppers like those used in Macros, among others. He says:

Sysmon now impedes executables, based on the file header from being written to the filesystem according to the filtering criteria. This can be a very powerful feature into blocking certain programs writing malicious files to disk.

A demonstration using a simple example was also given to show how it works. In this case, Sysmon was used to block downloads:

As you can see in the image below, the downloads for all the PE files failed due to Sysmon blocking them:

You can find more details on Olaf Hartong write-up here.

Microsoft's latest Sysmon 14.0 could help block dangerous malware

The zero-day patched today (CVE-2022-32893) is an out-of-bounds write issue in WebKit that could allow a threat actor to execute code remotely on a vulnerable device.

"Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited," warns Apple in a security bulletin released today.

An out-of-bounds write vulnerability is when an attacker can supply input to a program that causes it to write data past the end or before the beginning of a memory buffer.

This causes the program to crash, corrupt data, or in the worst-case scenario, remote code execution. Apple says they fixed the bug through improved bounds checking.

Apple says the vulnerability was disclosed by a researcher who wishes to remain anonymous.

This zero-day vulnerability is the same one that was patched by Apple yesterday for macOS Monterey and iPhone/iPads.

Apple has not provided details on how the vulnerability is being used in attacks other than saying that it "may have been actively exploited."

This is the seventh zero-day vulnerability fixed by Apple in 2022, with the previous bugs outlined below:

• In March, Apple patched two more zero-day bugs that were used in the Intel Graphics Driver (CVE-2022-22674) and AppleAVD (CVE-2022-22675).
• In January, Apple patched two more actively exploited zero-days that allowed attackers to execute code with kernel privileges (CVE-2022-22587) and track web browsing activity (CVE-2022-22594).
• In February, Apple released security updates to fix a new zero-day bug exploited to hack iPhones, iPads, and Macs.

Apple releases Safari 15.6.1 to fix zero-day bug used in attacks

You file a lawsuit and take the organizers to court, right?

That was the answer social engineer and self-described “human hacker” Christopher Hadnagy reached for to defend himself against what he is calling defamation after Def Con, revoked his ability to attend its annual summer event, citing breaches in the code of conduct.

Described as a “master practitioner of understanding human behavior,” Hadnagy claims to provide people the tools they need to establish a rapport with strangers using body language and verbal cues, or if need be elicit their support.

The ban is all that more unusual given Hadnagy’s social engineering village drew crowds. It included tips on how to extract information under the theme “get anyone to tell you anything.”

Yet organizers said in February they had received multiple reports Hadnagy violated Def Con’s code of conduct at last year’s convention.

Following conversations with all parties, it was “confident the severity of the transgressions merits a ban.”

Conference rules are brief and simple—they specifically prohibit harassment against any participant for any reason. According to the code, this extends to any behavior that makes others feel uncomfortable, unsafe, afraid or unwelcome.

Organizers have taken steps to make more people feel included, such as providing relief areas for the service animals of disabled hackers and making menstrual products available in all restrooms regardless of gender.

“It’s not about what you look like, but what’s in your mind and how you present yourself that counts,” according to the Def Con code of conduct.

Reached by The Verge, Hadnagy denied “any and all allegations of misconduct” in an emailed statement.

He is now suing both the company behind Def Con as well as its chief organizer, Jeff Moss, who goes by the name “The Dark Tangent”.

In his lawsuit, Hadnagy alleges organizers inflicted “severe and irreversible harm” and “exposed him to public ridicule”.

Moreover, he argues Def Con and Moss intentionally fabricated the allegations in order to replace at this year’s conference, held earlier this month, his company’s social engineering village with that of its own.

“These statements have created a shroud of scandal over [Hadnagy‘s] company thus harming its relationships with longstanding clientele and future business projects,” his suit claims.

Perhaps because it is unclear what precisely is being alleged, the author of a cybersecurity career guide believes the lawsuit may serve an ulterior motive—discovery.

“This is about CH trying to force the names and full details of his accusers into the public sphere so he can go after them, attack them and try to discredit them,” wrote Alyssa Miller.

Interestingsly, Hadnagy himself defines social engineering as “any act that influences a person to take an action that may or may not be in their best interest.”

That would suggest that regardless of who holds them there is an inherent risk social engineering workshops can result in people feeling uncomfortable or unsafe, and therefore be in violation of Def Con’s code of conduct.

This story was originally featured on Fortune.com.

Source

In this guide, I’ll go over:

• How to set up your encryption keys
• How to add your contact’s keys
• How to share your own keys
• How to upload your keys to a keyserver, so they can be found easily
• How to backup your keys

How to set up your encryption keys

To start this guide, you’ll need to download Thunderbird (if you don’t already have it) and then you’ll need to log in to your e-mail account. Once you have added your e-mail address, you’ll want to press the e-mail address in the Folders side panel, then right-click it and open Settings. Look for End-To-End Encryption in the side panel and press that.

Under the OpenPGP subheading, if you have not set up a key yet, it should say Thunderbird doesn’t have a personal OpenPGP key for , to the side of that press Add Key…. Thunderbird will allow you to create a new key or import an existing one, for the sake of this guide, we will select create a new key but if you have one already, import it.

Next, you should see the Generate OpenPGP Key menu, ensure the Identity matches your e-mail, choose your expiry, and alter the advanced settings if you want, though, they are fine left as they are. Once you’re happy with your settings, press Generate then Confirm. You should now see a green confirmation box that the key was successfully created, and the new key will be automatically selected as your account’s associated key. Just below, you’ll see OpenPGP Key Manager go there next.

How to add your contact’s keys

In the key manager, you’ll see your newly minted encryption keys. If you selected the wrong settings while making them, you can right-click and revoke then delete your keys, then repeat the steps above to make a new key. Under File in the key manager, you can also import public keys for your contacts who you wish to correspond with encryption enabled. You’ll need their keys saved to your computer, so ask them to e-email their keys to you.

How to share your own keys

To send your public key to a contact, head back into the OpenPGP Key Manager and right-click your key. You should then see an option to send your public key by e-mail, pressing this will open up a new compose window with your key attached. To import this, your recipient just needs to open their key manager, press File and import the public key from the file.

Interestingly, if your contacts use ProtonMail, they can go to their contacts menu, press your e-mail then press the settings cog. From there, there’s an option to see advanced PGP settings, and they can import your public PGP key. To add their keys go to the key manager in Thunderbird the press Keyserver > Discover Keys Online and search their ProtonMail address, their public key for that account should then appear.

How to upload your keys to a keyserver, so they can be found easily

Finally, if you want your public key to be searchable in a keyserver, you’ll want to export your public key from the Key Manager and head to keys.openpgp.org. Look for the upload button, then upload your public key. This allows people to find your public key with just your e-email address, making it easier to send encrypted e-mails.

Backing up your keys

Finally, you need to know how to back up your secret keys in case you would like to decrypt e-mails on another computer or if you need to reinstall your operating system on your existing computer. Simply open the OpenPGP Key Manager, click the key you want to back up, and press File. You should see Backup Secret Key(s) To File you will have to give the secret key a filename and enter a password, which you'll need to restore the key in the future. It'll take a short time to export the secret key, but it'll let you know when it's done.

To import a secret key in the future, select File in the OpenPGP Key Manager and then press Import Secret Key(s) From File and select the file to import. Tap in your password, and you should be ready to go.

If you ever lose your secret key, you will never be able to decrypt messages encrypted with your public key so be sure to keep it safe.

Conclusion

While setting up end-to-end encrypted e-mail is still not as simple as sending encrypted WhatsApp messages, Mozilla has improved the situation in recent years because these tools are baked into Thunderbird. In the past, you needed to use an add-on called EnigMail to offer these features. Hopefully, setting up this feature gets a bit easier so that more people can use it.

How to set up end-to-end encryption for your e-mails in Mozilla's Thunderbird

In a report today, Sky News said it was sent fraudulent Microsoft-branded USB drives. They were uncovered by cybersecurity consultant, Martin Pitman, from Atheniem. The drive is packaged inside a Office 2021 Professional Plus box which suggests the scammers spent some good time and also money while making these.

You can view the fake Office 2021 photos below:

After a target plugs in the USB stick in their PC, the scam operates in a way that you'd expect. A fake warning message would pop up saying there is a virus in their system and prompt the victim to call a tech support number, which will obviously be the number used by scammers. The scammer then asks the victim to install a remote access program to take over the system, the usual drill.

A Microsoft spokesperson issued the following statement to Sky News regarding this case:

Microsoft is committed to helping protect our customers. We take appropriate action to remove any suspected unlicensed or counterfeit products from the market and to hold those targeting our customers accountable

The Redmond tech firm is very well aware of such scams and has provided a support page where you can know more about it. You can also report a scam directly to Microsoft here.

Source and images: Sky News

Beware: Tech support scammers are out to get you using Microsoft-branded USB drives

In just two minutes, the attack escalated from 100,000 RPS to a record-breaking 46 million RPS, almost 80% more than the previous record, an HTTPS DDoS of 26 million RPS that Cloudflare mitigated in June.

Assault lasted 69 minutes

The attack started on the morning of June 1, at 09:45 Pacific Time, and targeted the victim’s HTTP/S Load Balancer initially with just 10,000 RPS.

In eight minutes, the attack intensified to 100,000 RPS and Google’s Cloud Armor Protection kicked in by generating an alert and signatures based on certain data pulled from traffic analysis.

Two minutes later, the attack peaked at 46 million requests per second:

To put into perspective how massive the attack was at its peak, Google says that it was the equivalent of getting all the daily requests to Wikipedia in just 10 seconds.

Luckily, the customer had already deployed the recommended rule from Cloud Armor allowing operations to run normally. The assault ended 69 minutes after it started.

The malware behind the attack has yet to be determined but the geographic distribution of the services used points to a Mēris, a botnet responsible for DDoS attacks peaking at 17.2 million RPS and 21.8 million RPS, both record-breaking at their time.

Mēris is known for using unsecured proxies to send out bad traffic, in an attempt to hide the origin of the attack.

Google researchers say that the attack traffic came from just 5,256 IP addresses spread in 132 countries and leveraged encrypted requests (HTTPS), indicating that the devices sending the requests have rather strong computing resources.

Another characteristic of the attack is the use of Tor exit nodes to deliver the traffic. Although close to 22% or 1,169 of the sources channeled the requests through the Tor network, they accounted for just 3% of the attack traffic.

Despite this, Google researchers believe that Tor exit nodes could be used to deliver “a significant amount of unwelcome traffic to web applications and services.”

Starting last year, an era of record-breaking volumetric DDoS attacks started with a few botnets leveraging a small number of powerful devices to hit various targets.

In September 2021, Mēris botnet hammered Russian internet giant Yandex with an attack peaking at 21.8 million requests per second. Previously, the same botnet pushed 17.2 million RPS against a Cloudflare customer.

Last November, Microsoft's Azure DDoS protection platform mitigated a massive 3.47 terabits per second attack with a packet rate of 340 million packets per second (pps) for a custmer in Asia.

Another Cloudflare customer was hit with DDoS reaching 26 million RPS.

Google blocks largest HTTPS DDoS attack 'reported to date'

Apple has released macOS 12.5.1, iOS 15.6.1, and iPadOS 15.6.1 for security flaws the company indicates “may have been actively exploited”. Simply put, these are mandatory security updates, and users should install them on qualifying devices as soon as possible.

All three updates fix the same set of security flaws. One of the bugs has been tagged and tracked with CVE ID CVE-2022-32894. This is a kernel-level vulnerability that can allow unauthorized apps “to execute arbitrary code with kernel privileges”.

The other security bug is being tracked with CVE ID CVE-2022-32893. It is a WebKit bug that allows for arbitrary code execution via “maliciously crafted web content.” WebKit is used by Apple in its own apps, such as the Safari browser. Even the company’s Mail app uses Apple's WebViews to render and display content.

The security flaws exist within the underlying code that Apple uses extensively. Hence, it is quite likely that previous editions of macOS, such as macOS Catalina and Big Sur, could also be vulnerable. However, Apple hasn’t released any patches for these older versions, yet. Still, Apple has been sending out regular security updates to these versions. In other words, Apple could send out patches for these versions soon.

The release notes for these updates do not mention any other fixes or features. Nevertheless, users are strongly urged to accept and install these updates as soon as possible.

Apple rushes macOS, iOS, and iPadOS updates to squash 'actively exploited' bugs

In the carpeted ballroom of one of the largest casinos in Las Vegas, the few dozen hackers competing in the challenge sat hunched over laptops from Friday through Sunday during the DEF CON security conference that hosts the event.

The winning team included participants from Carnegie Mellon University, its alumni, and the University of California, Santa Barbara.

The contest involves breaking in to custom-built software designed by the tournament organizers. Participants must not only find bugs in the program but also defend themselves from hacks coming from other competitors.

© Reuters/ZEBA SIDDIQUI

DEF CON hacking conference in Las Vegas

The hackers, mostly young men and women, included visitors from China, India, Taiwan, Japan and South Korea. Some worked for their respective governments, some for private firms and others were college students.

While their countries may be engaged in cyber espionage against one another, the DEF CON CTF contest allows elite hackers to come together in the spirit of sport.

The reward is not money, but prestige. "No other competition has the clout of this one," said Giovanni Vigna, a participant who teaches at the University of California in Santa Barbara. "And everybody leaves politics at home."

“You will easily find a participant here going to another who may be from a so-called enemy nation to say 'you did an amazing job, an incredible hack.'"

The game has taken on new meaning in recent years as cybersecurity has been elevated as a key national security priority by the United States, its allies and rivals. Over the last ten years, the cybersecurity industry has boomed in value as hacking technology has evolved.

© Reuters/ZACHARY WADE

DEF CON hacking conference in Las Vegas

Winning the title is a lifelong badge of honor, said Aaditya Purani, a participant who works as an engineer at electric car maker Tesla Inc.

This year's contest was broadcast for the first time on YouTube, with accompanying live commentary in the style of televised sports.

DEF CON itself, which began as a meetup of a few hundred hackers in the late 1990s, was organized across four casinos this year and drew a crowd of more than 30,000, according to organizing staff.

On Saturday afternoon, participants at the "Capture the Flag" contest sat typing into their laptops as conference attendees streamed in and out of the room to watch. Some participants took their meals at the tables, munching on hamburgers and fries with their eyes fixed on the screens.

© Reuters/TYLER NIGHSWANDER

DEF CON hacking conference in Las Vegas

Seungbeom Han, a systems engineer at Samsung Electronics, who was part of a South Korean team, said it was his first time at the contest and it had been an honor to qualify.

The competition was intense and sitting for eight hours a day at the chairs was not easy. They did take bathroom breaks, he said with a laugh, "but they are a waste of time."

(Reporting by Zeba Siddiqui in Las Vegas; Editing by Matthew Lewis)

Source

Android 13 was released this week, with the new operating system being rolled out to Google Pixel devices and the source code published on AOSP.

As part of this release, Google attempted to cripple mobile malware that attempted to enable powerful Android permissions, such as AccessibilityService, to perform malicious, stealthy behavior in the background.

However, analysts at Threat Fabric today say malware authors are already developing Android malware droppers that can bypass these restrictions and deliver payloads that enjoy high privileges on a user's device.

Android 13 security

In previous Android versions, most mobile malware found its way inside millions of devices via dropper apps available on the Play Store, which masquerade as legitimate apps.

During installation, the malware apps prompt users to grant access to risky permissions and then sideload (or drop) malicious payloads by abusing Accessibility Service privileges.

Accessibility Services is a massively abused disability assistance system on Android that enables apps to perform swipes and taps, go back or return to the home screen. All of this is done without the knowledge or permission of the user.

Typically, the malware uses the service to grant itself additional permissions and stop the victim from manually deleting the malicious app.

In Android 13, Google's security engineers introduced a 'Restricted setting' feature, which blocks sideloaded applications from requesting Accessibility Service privileges, limiting the function to Google Play-sourced APKs.

However, researchers at ThreatFabric were able to create a proof-of-concept dropper that easily bypassed this new security feature to gain access to Accessibility Services.

Bypassing Android's Restricted settings

In a new report released today, Threat Fabric has discovered a new Android malware dropper that is already adding new features to bypass the new Restricted setting security feature.

While following the Xenomorph Android malware campaigns, Threat Fabric discovered a new dropper still under development. This dropper was named "BugDrop" after the many flaws that plague its operation at this early phase.

This novel dropper features code similar to Brox, a freely distributed malware development tutorial project circulating on hacker forums, but with a modification in one string of the installer function.

"What drew our attention is the presence in the Smali code of the string "com.example.android.apis.content.SESSION_API_PACKAGE_INSTALLED," explains Threat Fabric in the report.

"This string, which is not present in the original Brox code, corresponds to the action required by intents to create an installation process by session."

Session-based installation is used to perform a multi-staged installation of malware onto an Android device by splitting the packages (APKs) into smaller pieces and giving them identical names, version codes, and signing certificates.

This way, Android won't see the payload installation as sideloading the APK, and thus Android 13's Accessibility Service restrictions won't apply.

"When fully implemented, this slight modification would circumvent Google's new security measures fully, even before they are effectively in place," comments Threat Fabric.

BleepingComputer has reached out to Google with further questions about this bypass and will update the story with any response.

Hadoken group

BugDrop is still a work in progress by a group of malware authors and operators named 'Hakoden,' who are also responsible for creating the Gymdrop dropper and the Xenomorph Android banking trojan.

When BugDrop is ready for mass deployment, it is expected to be used in Xenomorph campaigns, enabling on-device credential theft and fraud behavior on the most recent Android devices.

Additionally, the latest Xenomorph samples analyzed by Threat Fabric have added remote access trojan (RAT) modules, making the malware an even more potent threat.

Malware devs already bypassed Android 13's new security feature

iOS VPNs have leaked traffic for more than 2 years, researcher claims

TLS is a cryptographic protocol a client (browser) and server use to exchange encryption keys (handshake). The current implementation of TLS leaves several privacy-sensitive parameters—such as Server Name Indication that shows what server communicates with the client—without encryption. The Encrypted Client Hello extension fixes this long-standing privacy leak by providing full handshake encryption and protection from network eavesdropping. You can find an in-depth explanation of Encrypted Client Hello in a post on the official Cloudflare blog. Meanwhile, here is how to enable Encrypted Client Hello in Microsoft Edge 105 (and up) to improve privacy:

• 1. Update Microsoft Edge to version 105 and newer (Beta, Dev, and Canary).
• 2. Place the browser icon on the desktop, right-click it, and select Properties.
• 3. Click the Target field, enter one space, and type --enable-features=EncryptedClientHello. Do not place a period at the end of the line.
• 
• 4. Click Ok to save the changes and launch the browser with the shortcut you have just customized.
• 5. Go to edge://flags/#dns-https-svcb and enable the highlighted flag.
• 6. Repeat the same with the edge://flags/#use-dns-https-svcb-alpn flag.
• 
• 7. Restart the browser.
• 8. Go to Settings > Privacy, search, and services > Security and turn on Use secure DNS.
• 9. Click Choose a service provider and select Cloudflare.
• 
• 10. Restart Microsoft Edge once again.
• 11. Now you can check the status of Encrypted Client Hello by navigating to this webpage. It should display "success" next to the SSL_ECH_STATUS line.
• 

That's it. You can now use Microsoft Edge with extra privacy measures ensuring the browser does not leak parts of your data.

How to improve privacy in Microsoft Edge by enabling Encrypted Client Hello

According to a message posted on the Windows Message Center website, Microsoft will disable old TLS protocols in Internet Explorer and EdgeHTML on September 13, 2022. IT Admins who want to disable TLS 1.0 and 1.1 before the announced date can do that using dedicated rules in Group Policy Editor.

Another thing worth mentioning is that Microsoft is not deprecating old Transport Layer Security protocols. Companies that need TLS 1.0 and 1.1 for compatibility reasons can re-enable them through Group Policy or in Tools > Internet Options > Advanced inside Internet Explorer.

If you use Microsoft Edge Chromium (or WebView2 based on Chromium), the upcoming changes should not bother you, as the company turned off old TLS protocols in Edge 84 on July 16, 2020.

Microsoft will turn off TLS 1.0 and 1.1 in Internet Explorer and EdgeHTML on September 13

It's often said that the most important things you can do protect your accounts and wider network from hackers is to use multi-factor authentication (MFA).

That's because one of the most common ways cyber criminals breach networks is by using phishing attacks to steal passwords or simply by guessing weak ones. Either way, so long as they are using a real password many systems will assume it's safe to give them access.

MFA creates and additional barrier to attackers because it requires the user to additionally verify that the login attempt was really made by them. This verification can be via an SMS message, an authenticator app or even a physical security key. If the attacker has the password, but not the verification message or physical device, then the system won't let them in and they can't get any further.

Using MFA protects against the vast majority of attempted account takeovers, but recently there's been a surge in cyber attacks which aim to dodge past multi-factor authentication security. According to Microsoft, in just one campaign 10,000 organisations have been targeted in this way during the last year.

One option to for hackers who want to get around MFA is to use so-called adversary-in-the-middle (AiTM) attack which combined a phishing attack with a proxy server between the victim and the website they're trying to login to. This allows the attackers to steal the password and session cookie which provides the additional level of authentication they can exploit - in this case to steal email. The user simply thinks they have logged into their account as usual.

"Note that this is not a vulnerability in MFA; since AiTM phishing steals the session cookie, the attacker gets authenticated to a session on the user's behalf, regardless of the sign-in method the latter uses," as Microsoft notes of that particular campaign.

That's because the attackers haven't broken the MFA themselves, they've managed to bypass it by stealing the cookies, and are now able to use the account as if they were the user, even if they go away and come back later. That means despite the presence of multi-factor authentication, it's unfortunately being made redundant in this situation – and that's bad for everyone.

So while multi-factor authentication is a deterrent most of the time, these attacks show that it isn't infallible.

"Even though security features such as multi-factor authentication (MFA) add an extra layer of security, they should not be considered as a silver bullet to protect against phishing attacks. With the use of advanced phishing kits (AiTM) and clever evasion techniques, threat actors can bypass both traditional as well as advanced security solutions," said security company ZScaler in its analysis of a similar attack.

And there are other scenarios which can be exploited to bypass multi-factor authentication too, because in many instances, a code is required, and a person needs to enter that code. And people can be tricked or manipulated even while the technology tries to protect us.

"At the end of the day, whether it's a number or it's a piece of information, as soon as the user sees it, it becomes something they know and if it's something that they know it's something the attacker can steal," says Etay Maor, senior director of security strategy at Cato Networks.

It takes a little more effort from the attacker, but it's possible to grab these codes. For example, SMS verification is still a common method of MFA for many, particularly for things like bank accounts and phone contracts. In some cases, the user is required to read out a code over the phone or input it into a service.

It's a potentially complex process, but it's possible for cyber criminals to spoof helplines and other services which ask for codes to devices – especially if people think they're talking to someone who is trying to help them. It's why many services will preface an SMS code with a warning that they'll never call you to ask for it.

"It's not that surprising attackers prey on the human aspect, the people components of the system. People being busy, people being stressed, all sorts of things influence decisions we make," says Oz Alashe, CEO & Founder of CybSafe.

Another method cyber criminals can exploit to bypass MFA is by using malware which actively steals codes. For example, the hackers could gain access to an account by using trojan malware to watch a user gain access to their account, then use the access they have from the infected device to go about their business.

There's also the potential for them to take control of devices without the victim knowing, using the authenticator app and using the code that's provided to remotely access the account they're after from another machine.

As far as the network or account is concerned, because the authentication has been used correctly, it's the legitimate user using the service. But there are signs which networks and information security teams could be set up to watch for, signs something might not be right, even if the correct details are used.

"The system itself should consider whether this person doesn't normally log in from here or at this time and, therefore, do we need to do another level, another layer of verification before we provide them access?" says Alashe.

While it isn't totally infallible, using multi-factor authentication is still a must as it stops a significant amount of attempted account takeover attempts. But as cyber criminals get smarter they're increasingly going to go after it – and that requires extra levels of defence, particularly from those responsible for securing networks.

"It's good it's recommended because you won't be the lower hanging fruit. But you definitely need to augment it with an additional layers of security because, just like just like any other siloed security solution, it can be circumvented and you can't think everything is secure, just because of one security layer," says Maor.

And technology can only do so much, especially when attackers are explicitly attempting to manipulate people into making bad decisions. That needs to be taken into account too, especially as more of what we do shifts towards cloud and other online services.

"This is a really important challenge for society right now as we increasingly digitize we've got an incredible opportunity to continue to put technology really good use. But we've also got to address these challenges when it comes to resilience and the human aspect," says Alashe.

"People are wonderful, they want to be helpful, so they'll get tricked sometimes," he adds.

Source

Bloomberg is reporting today that Apple is looking to expand its advertising reach across the iOS and iPadOS ecosystems, after restricting third-party advertising across the platform.

After launching App Tracking Transparency in early 2021, Apple has effectively taken away one of the key methods that advertisers use to generate money. This feature, in short, allows users to select whether an app can track activity across other websites and apps.

Off the back of this, Apple's advertising business has gone from strength to strength, originally starting with search ads within the App Store and moving to ads within News and Stocks apps and including Apple TV+ coverage of MLB.

At this stage, the next step for Apple looks to be to add search ads to Maps, as well as adding similar ads to those already in the App Store to both Books and Podcasts. Apple could also potentially introduce an ad supported tier of Apple TV+ similar to what is planned for Disney+.

Having generated approximately $4 billion in revenue annually, the ads group within Apple looks to expand significantly, wanting to increase this figure into the double digits, and these methods would be one way to achieve this target.

Source: Bloomberg

Apple is looking to add even more advertising across the iPhone and iPad

Twilio provides phone number verification services for Signal and last week disclosed that an attacker hacked its network on August 4.

The communications company confirmed that data belonging to 125 of its customers was exposed after the hackers gained access to Twilio employee accounts by sending them text messages with malicious links.

Hacker could register phone numbers to their device

Signal today published an advisory for its users informing them how the cyberattack on Twilio impacted them:

But for about 1,900 Signal users their phone numbers were potentially exposed to the Twilio attacker, who could have attempted to register them to another device.

Signal’s investigation into the incident concluded that the hacker’s access to Twilio’s customer support console either allowed them to see that the phone number was linked to a Signal account or revealed the SMS verification code for registering with the service.

The encrypted instant messaging service says that from the 1,900 phone numbers, the attacker “explicitly searched” for three of them. One of these users reported that their account was re-registered.

Signal reassures users that the message history remained safe at all times because it is available only on the device with no copy on the service’s servers.

Contact lists and profile information is protected by the Signal PIN, which could not be accessed during the Twilio data breach.

SMS notifications on their way

The company warns that if an attacker re-registers an account to one of their devices, they would be able to send and receive Signal messages from that phone number.

All affected 1,900 Signal users will be unregistered on all devices and they should go through the registering process on their devices.

Signal is now in the process of sending SMS messages to affected users to let them know about the risk and is expecting to complete the process by tomorrow.

Impacted users should receive a message reading: “This is from Signal Messenger. We’re reaching out so you can protect your Signal account. Open Signal and register again. More info: https://signal.org/smshelp.”

When opening the Signal app, they should also see a banner notifying them that their device is no longer registered, if they used the service recently.

Signal encourages users to turn on the registration lock option, which allows recovering the profile, settings, contacts, and blocked users. The feature can be enabled or disabled only from the device and requires the Signal PIN as an additional verification layer.

Twilio hack exposed Signal phone numbers of 1,900 users

However, in the previous report for the month of April, Defender was not able to secure the full 18 points like it was able to do till then. Speaking of 18 points, here is how the break-up of the points happens.

There are three categories with six points each. These categories are:

• Protection
• Performance
• Usability

Defender, alongside many others, has scored the full marks in all three categories as you can see in the image below which shows the break-up of points for all the 19 antivirus products which participated in the June 2022 test:

The worst of the bunch was PC Matic. Although it has scored the full six points in both the Protection and Performance categories, it tanked in the Usability section with just 3.5 points out of 6, AV-TEST rarely hands such poor numbers. The second-worst product was Protected.net which received 6 out of 6 in Usability but got one point less in the Protection category.

You may find more details on AV-TEST's official website here.

Microsoft Defender back to its charming best in the latest AV-TEST rankings

VNC (virtual network computing) is a platform-independent system meant to help users connect to systems that require monitoring and adjustments, offering control of a remote computer via RFB (remote frame buffer protocol) over a network connection.

If these endpoints aren’t properly secured with a password, which is often the result of negligence, error, or a decision taken for convenience, they can serve as entry points for unauthorized users, including threat actors with malicious intentions.

Depending on what systems lie behind the exposed VNCs, like, for example, water treatment facilities, the implications of abusing access could be devastating for entire communities.

Alarming findings

Security weakness hunters at Cyble scanned the web for internet-facing VNC instances with no password and found over 9,000 accessible servers.

Most of the exposed instances are located in China and Sweden, while the United States, Spain, and Brazil followed in the top 5 with significant volumes of unprotected VNCs.

To make matters worse, Cybcle found some of these exposed VNC instances to be for industrial control systems, which should never be exposed to the Internet.

“During the course of the investigation, researchers were able to narrow down multiple Human Machine Interface (HMI) systems, Supervisory Control And Data Acquisition Systems (SCADA), Workstations, etc., connected via VNC and exposed over the internet,” details Cyble in the report.

In one of the explored cases, the exposed VNC access led to an HMI for controlling pumps on a remote SCADA system in an unnamed manufacturing unit.

To see how often attackers target VNC servers, Cyble used its cyber-intelligence tools to monitor for attacks on port 5900, the default port for VNC. Cyble found that there were over six million requests over one month.

Most attempts to access VNC servers originated from the Netherlands, Russia, and the United States.

Demand for VNC access

Demand for accessing critical networks via exposed or cracked VNCs is high on hacker forums, as this kind of access can, under certain circumstances, be used for deeper network infiltration.

"Adversaries may abuse VNC to perform malicious actions as the logged-on user such as opening documents, downloading files, and running arbitrary commands," a Cyble researcher told Bleeping Computer during a private discussion.

"An adversary could use VNC to remotely control and monitor a system to collect data and information to pivot to other systems within the network."

In other cases, security enthusiasts offer instructions on how users can scan and locate these exposed instances on their own.

A darknet forum post seen by Bleeping Computer features a long list of exposed VNC instances with very weak or no passwords.

The case of weak passwords raises another concern around VNC security, as Cyble’s investigation only focused on instances that had the authentication layer completely disabled.

If poorly secured servers whose passwords are easy to crack were included in the investigation, the number of potentially vulnerable instances would be much more significant.

On that front, it is essential to remember that many VNC products do not support passwords longer than eight characters, so they are inherently insecure even when the sessions and passwords are encrypted.

VNC admins are advised to never expose servers directly to the Internet, and if they must be remotely accessible, at least place them behind a VPN to secure access to the servers.

Even then, admins should always add a password to instances to restrict access to the VNC servers.

Over 9,000 VNC servers exposed online without a password

Several users have reported seeing these ads this week, starting on August 10, with Lee Holmes, a Principal Security Architect at Microsoft Azure Security, also sharing today a screenshot showing the ad displayed as an alert bar under the Office menu.

As shown in the screenshot below, Microsoft has tagged this ad as a "LIMITED OFFER," allowing customers to "Get 3 months of Microsoft 365 Family for only $$0.99."

What makes this ad even worse is that Microsoft uses a banner format similar to what it uses when asking Office users to enable macros, replacing the "Enable content" button with a "Redeem Offer" one.

Other customers have seen slightly different worded ads saying, "For just $$0.99, get 3 months of Microsoft 365 Family and share with up to 5 people. It is like getting six subscriptions in one. TERMS APPLY."

In this ad version, Microsoft also uses a differently worded button, prompting users to click a "Redeem now" button to get the heavily discounted subscription.

Ads everywhere

This is not the first time Microsoft has displayed promotional messages within Office apps or other Windows apps' user interfaces.

The company has also shown ads pushing its free Office web apps in the menu bar for the Windows 10 Wordpad application two years ago.

In March, Microsoft displayed ads for some of its other products (including Microsoft Editor) in the File Explorer app on devices running its latest Windows 11 Insider build.

File Explorer got injected with another series of promotional messages in 2016 when Redmond showed OneDrive ads.

Microsoft also displayed ads for Microsoft Edge in the Windows 10 Start Menu every time users searched for competing browsers, prompting them to download the new Chromium-based Microsoft Edge.

Unfortunately, some of these tests also had unintended consequences, with Microsoft breaking the Windows Start Menu and Taskbar while testing Microsoft Teams ads on Windows Insiders.

Microsoft is showing ads for Microsoft 365 in Office 2021

On Wednesday, the Yanluowang ransomware gang claimed to have breached Cisco's network and stolen 2.8 GB of data from the company, later telling BleepingComputer that a total of 55GB was stolen.

While the exact amount of data could not be verified, Cisco confirmed that they suffered a network breach that allowed the threat actor to steal data from a Box account and gain admin access to their domain.

Other attacks we learned more about this week were on 7-Eleven Denmark, ista International, and Advanced MSP, causing an outage for the UK's NHS.

Researchers were also busy this week, with reports released on how ransomware gangs are moving to callback social engineering attacks, that Cuba ransomware is using a new RAT malware, a report on BlueSky, and that Zeppelin has been seen encrypting devices multiple times in a single attack.

Finally, the US government published a picture of a Conti ransomware member for the first, asking people to provide info on members named 'Target,' 'Tramp,' 'Dandis,' 'Professor,' and 'Reshaev.' The State Department is offering a reward of up to $10 million for information leading to their location, travel plans, and identity.

Contributors and those who provided new ransomware information and stories this week include: @demonslay335, @Ionut_Ilascu, @PolarToffee, @malwareforme, @LawrenceAbrams, @DanielGallagher, @VK_Intel, @fwosar, @struppigel, @Seifreed, @BleepinComputer, @billtoulas, @serghei, @malwrhunterteam, @FourOctets, @jorntvdw, @fiskerlarsen, @Sophos, @y_advintel, @AdvIntel, @Cyberknow20, @kaspersky, @PaloAltoNtwks, @AhnLab_SecuInfo, @ReversingLabs, @pcrisk, @Amigo_A_, @jamiemaccol, @Jarnecki, and @PogoWasRight.

August 6th 2022

New GwisinLocker ransomware encrypts Windows and Linux ESXi servers

A new ransomware family called 'GwisinLocker' targets South Korean healthcare, industrial, and pharmaceutical companies with Windows and Linux encryptors, including support for encrypting VMware ESXi servers and virtual machines.

August 8th 2022

7-Eleven stores in Denmark closed due to a cyberattack

7-Eleven stores in Denmark shut down today after a cyberattack disrupted stores’ payment and checkout systems throughout the country.

New Phobos ransomware variant

PCrisk found a new Phobos variants that append the .FLSCRYPT and .BITCOINPAYMENT extensions to encrypted files.

New World2022 ransomware

PCrisk found a new ransomware called World2022 that appends .world2022decoding and drops a ransom note named WE CAN RECOVER YOUR DATA.MHT.

August 9th 2022

Maui ransomware operation linked to North Korean 'Andariel' hackers

The Maui ransomware operation has been linked to the North Korean state-sponsored hacking group 'Andariel,' known for using malicious cyber activities to generate revenue and causing discord in South Korea.

New VoidCrypt variants

PCrisk found new VoidCrypt variants that append the .Daz and .Oiltraffic extensions.

New MedusaLocker variant

PCrisk found a new MedusaLocker ransomware variant that appends the .readlockfiles and drops a ransom note named HOW_TO_RECOVER_DATA.html.

August 10th 2022

Cisco hacked by Yanluowang ransomware gang, 2.8GB allegedly stolen

Cisco confirmed today that the Yanluowang ransomware group breached its corporate network in late May and that the actor tried to extort them under the threat of leaking stolen files online.

7-Eleven Denmark confirms ransomware attack behind store closures

7-Eleven Denmark has confirmed that a ransomware attack was behind the closure of 175 stores in the country on Monday.

Ransomware gangs move to 'callback' social engineering attacks

At least three groups split from the Conti ransomware operation have adopted BazarCall phishing tactics as the primary method to gain initial access to a victim’s network.

Automotive supplier breached by 3 ransomware gangs in 2 weeks

An automotive supplier had its systems breached and files encrypted by three different ransomware gangs over two weeks in May, two of the attacks happening within just two hours.

Hacker uses new RAT malware in Cuba Ransomware attacks

A member of the Cuba ransomware operation is employing previously unseen tactics, techniques, and procedures (TTPs), including a novel RAT (remote access trojan) and a new local privilege escalation tool.

BlueSky Ransomware: Fast Encryption via Multithreading

BlueSky ransomware is an emerging family that has adopted modern techniques to evade security defenses.

ista International takes systems offline in wake of ransomware attack

Daixin Team claims thousands of servers encrypted

New FileRec ransomware

Amigo-A found a new FileRec ransomware that appends the .filerec extension and drops a ransom note named filerec.txt.

August 11th 2022

UK NHS service recovery may take a month after MSP ransomware attack

Managed service provider (MSP) Advanced confirmed that a ransomware attack on its systems disrupted emergency services (111) from the United Kingdom's National Health Service (NHS).

FBI: Zeppelin ransomware may encrypt devices multiple times in attacks

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warned US organizations today that attackers deploying Zeppelin ransomware might encrypt their files multiple times.

US govt will pay you $10 million for info on Conti ransomware members

The U.S. State Department announced a $10 million reward today for information on five high-ranking Conti ransomware members, including showing the face of one of the members for the first time.

August 12th 2022

Ransomware Now Threatens the Global South

Historically, ransomware has targeted a number of high-value sectors – finance, professional services, the public sector – in wealthy countries, concentrating on the US and other G7 members. Recent attacks on countries such as Costa Rica, South Africa, Malaysia, Peru, Brazil and India illustrate the increased threat to governments, critical national infrastructure providers and businesses in middle-income and developing countries. Ransomware presents a risk to these countries’ development, economic growth and political stability by disrupting commerce and the delivery of essential services.

That's it for this week! Hope everyone has a nice weekend!

The Week in Ransomware - August 12th 2022 - Attacking the defenders