<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/117/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Microsoft is showing ads for Microsoft 365 in Office 2021</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-is-showing-ads-for-microsoft-365-in-office-2021-r7701/</link><description><![CDATA[<p>
	Microsoft is showing ads for Microsoft 365 Family subscriptions to its Office 2021 customers, offering them discounts of over $28 to get a 3-month Family plan subscription.
</p>

<p>
	 
</p>

<p>
	<a href="https://twitter.com/RickGualtieri/status/1557347058742398981" rel="external nofollow" target="_blank">Several</a> <a href="https://twitter.com/OfficeWatch/status/1557374872350851073" rel="external nofollow" target="_blank">users</a> have reported seeing these ads this week, starting on August 10, with Lee Holmes, a Principal Security Architect at Microsoft Azure Security, also <a href="https://archive.ph/Kg5Xd" rel="external nofollow" target="_blank">sharing</a> a screenshot today showing the ad displayed as an alert bar under the Office menu.
</p>

<p>
	 
</p>

<p>
	As shown in the screenshot below, Microsoft has tagged this ad as a "LIMITED OFFER," allowing customers to "Get 3 months of Microsoft 365 Family for only $0.99."
</p>

<p>
	 
</p>

<p>
	What makes this ad worse is that Microsoft delivers it in the same alert-bar format it uses when asking Office users to enable macros, with the "Enable content" button replaced by a "Redeem Offer" one. Reusing a security prompt for marketing trains users to click through that bar without reading it, which is exactly the habit the macro warning is meant to counter.
</p>

<p>
	 
</p>

<p>
	Other customers have seen slightly differently worded ads saying, "For just $0.99, get 3 months of Microsoft 365 Family and share with up to 5 people. It is like getting six subscriptions in one. TERMS APPLY."
</p>

<p>
	 
</p>

<p>
	In this ad version, Microsoft also uses a differently worded button, prompting users to click a "Redeem now" button to get the heavily discounted subscription.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="Lee_Holmes_Office_2021_Microsoft_365_ads" class="ipsImage" data-ratio="63.33" height="242" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2022/Lee_Holmes_Office_2021_Microsoft_365_ads.png">
	</p>

	<div>
		<em>Microsoft 365 Family ad (Lee Holmes)</em>
	</div>
</div>

<h2>
	Ads everywhere
</h2>

<p>
	This is not the first time Microsoft has displayed promotional messages within Office apps or other Windows apps' user interfaces.
</p>

<p>
	 
</p>

<p>
	Two years ago, the company also showed <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-tests-office-ads-in-windows-10-wordpad/" target="_blank" rel="external nofollow">ads pushing its free Office web apps</a> in the menu bar of the Windows 10 WordPad application.
</p>

<p>
	 
</p>

<p>
	In March, Microsoft displayed ads for some of its other products (including Microsoft Editor) <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-is-testing-ads-in-the-windows-11-file-explorer/" target="_blank" rel="external nofollow">in the File Explorer app</a> on devices running its latest Windows 11 Insider build.
</p>

<p>
	 
</p>

<p>
	File Explorer also carried a series of promotional messages in 2016, when Redmond <a href="https://twitter.com/teroalhonen/status/786619324819791872?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E786619324819791872%7Ctwgr%5Eca5852398453fd6016befc13bcf1ffc79c62f94d%7Ctwcon%5Es1_&amp;ref_url=https%3A%2F%2Fwww.bleepingcomputer.com%2Fnews%2Fmicrosoft%2Fmicrosoft-is-testing-ads-in-the-windows-11-file-explorer%2F" rel="external nofollow" target="_blank">showed OneDrive ads</a> in it.
</p>

<p>
	 
</p>

<p>
	Microsoft also displayed <a href="https://www.bleepingcomputer.com/news/microsoft/windows-10-start-menu-promo-for-microsoft-edge-cant-be-disabled/" target="_blank" rel="external nofollow">ads for Microsoft Edge</a> in the Windows 10 Start Menu every time users searched for competing browsers, prompting them to download the new Chromium-based Microsoft Edge.
</p>

<p>
	 
</p>

<p>
	Unfortunately, some of these tests also had unintended consequences, with Microsoft breaking the Windows Start Menu and Taskbar while <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-breaks-windows-11-start-menu-taskbar-with-teams-promo/" target="_blank" rel="external nofollow">testing Microsoft Teams ads</a> on Windows Insiders.
</p>


<p>
	<a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-is-showing-ads-for-microsoft-365-in-office-2021/" rel="external nofollow">Microsoft is showing ads for Microsoft 365 in Office 2021</a>
</p>
]]></description><guid isPermaLink="false">7701</guid><pubDate>Sat, 13 Aug 2022 22:01:21 +0000</pubDate></item><item><title>The Week in Ransomware - August 12th 2022 - Attacking the defenders</title><link>https://nsaneforums.com/news/security-privacy-news/the-week-in-ransomware-august-12th-2022-attacking-the-defenders-r7700/</link><description><![CDATA[<p>
	It was a very busy week for ransomware news and attacks, especially with the disclosure that Cisco was breached by a threat actor affiliated with the Yanluowang ransomware gang.
</p>

<p>
	 
</p>

<p>
	On Wednesday, the Yanluowang ransomware gang claimed to have breached Cisco's network and stolen 2.8 GB of data from the company, later telling BleepingComputer that a total of 55GB was stolen.
</p>

<p>
	 
</p>

<p>
	While the exact amount of data could not be verified, Cisco confirmed that it suffered a network breach in which the threat actor stole data from a Box account and gained admin access to its domain.
</p>

<p>
	 
</p>

<p>
	Other attacks we learned more about this week were on <a href="https://www.bleepingcomputer.com/news/security/7-eleven-stores-in-denmark-closed-due-to-a-cyberattack/" target="_blank" rel="external nofollow">7-Eleven Denmark</a>, <a href="https://www.databreaches.net/scoop-ista-international-takes-systems-offline-in-wake-of-ransomware-attack-daixin-team-claims-thousands-of-servers-encrypted/" rel="external nofollow" target="_blank">ista International</a>, and <a href="https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-12th-2022-/" target="_blank" rel="external nofollow">Advanced MSP</a>, causing an outage for the UK's NHS.
</p>

<p>
	 
</p>

<p>
	Researchers were also busy this week, with reports released on how ransomware gangs are moving to <a href="https://www.bleepingcomputer.com/news/security/ransomware-gangs-move-to-callback-social-engineering-attacks/" target="_blank" rel="external nofollow">callback social engineering attacks</a>, that <a href="https://www.bleepingcomputer.com/news/security/hacker-uses-new-rat-malware-in-cuba-ransomware-attacks/" target="_blank" rel="external nofollow">Cuba ransomware is using a new RAT malware</a>, a <a href="https://unit42.paloaltonetworks.com/bluesky-ransomware/" rel="external nofollow" target="_blank">report on BlueSky</a>, and that <a href="https://www.bleepingcomputer.com/news/security/fbi-zeppelin-ransomware-may-encrypt-devices-multiple-times-in-attacks/" target="_blank" rel="external nofollow">Zeppelin has been seen encrypting devices multiple times</a> in a single attack.
</p>

<p>
	 
</p>

<p>
	Finally, the US government published a picture of a Conti ransomware member for the first time, asking people to provide information on members known as 'Target,' 'Tramp,' 'Dandis,' 'Professor,' and 'Reshaev.' The <a href="https://www.bleepingcomputer.com/news/security/us-govt-will-pay-you-10-million-for-info-on-conti-ransomware-members/" target="_blank" rel="external nofollow">State Department is offering a reward</a> of up to $10 million for information leading to their location, travel plans, and identity.
</p>

<p>
	 
</p>

<p>
	Contributors and those who provided new ransomware information and stories this week include: <a href="https://twitter.com/demonslay335" rel="external nofollow" target="_blank">@demonslay335</a>, <a href="https://twitter.com/Ionut_Ilascu" rel="external nofollow" target="_blank">@Ionut_Ilascu</a>, <a href="https://twitter.com/PolarToffee" rel="external nofollow" target="_blank">@PolarToffee</a>, <a href="https://twitter.com/malwareforme" rel="external nofollow" target="_blank">@malwareforme</a>, <a href="https://twitter.com/LawrenceAbrams" rel="external nofollow" target="_blank">@LawrenceAbrams</a>, <a href="https://twitter.com/DanielGallagher" rel="external nofollow" target="_blank">@DanielGallagher</a>, <a href="https://twitter.com/VK_Intel" rel="external nofollow" target="_blank">@VK_Intel</a>, <a href="https://twitter.com/fwosar" rel="external nofollow" target="_blank">@fwosar</a>, <a href="https://twitter.com/struppigel" rel="external nofollow" target="_blank">@struppigel</a>, <a href="https://twitter.com/Seifreed" rel="external nofollow" target="_blank">@Seifreed</a>, <a href="https://twitter.com/BleepinComputer" rel="external nofollow" target="_blank">@BleepinComputer</a>, <a href="https://twitter.com/billtoulas" rel="external nofollow" target="_blank">@billtoulas</a>, <a href="https://twitter.com/serghei" rel="external nofollow" target="_blank">@serghei</a>, <a href="https://twitter.com/malwrhunterteam" rel="external nofollow" target="_blank">@malwrhunterteam</a>, <a href="https://twitter.com/FourOctets" rel="external nofollow" target="_blank">@FourOctets</a>, <a href="https://twitter.com/jorntvdw" rel="external nofollow" target="_blank">@jorntvdw</a>, <a href="https://twitter.com/fiskerlarsen" rel="external nofollow" target="_blank">@fiskerlarsen</a>, <a href="https://twitter.com/Sophos" rel="external nofollow" target="_blank">@Sophos</a>, <a href="https://twitter.com/y_advintel" rel="external nofollow" target="_blank">@y_advintel</a>, <a 
href="https://twitter.com/AdvIntel" rel="external nofollow" target="_blank">@AdvIntel</a>, <a href="https://twitter.com/Cyberknow20" rel="external nofollow" role="link" tabindex="-1" target="_blank">@Cyberknow20</a>, <a href="https://twitter.com/kaspersky" rel="external nofollow" target="_blank">@kaspersky</a>, <a href="https://twitter.com/PaloAltoNtwks" rel="external nofollow" target="_blank">@PaloAltoNtwks</a>, <a href="https://twitter.com/AhnLab_SecuInfo" rel="external nofollow" target="_blank">@AhnLab_SecuInfo</a>, <a href="https://twitter.com/ReversingLabs" rel="external nofollow" target="_blank">@ReversingLabs</a>, <a href="https://twitter.com/pcrisk" rel="external nofollow" target="_blank">@pcrisk</a>, <a href="https://twitter.com/Amigo_A_" rel="external nofollow" role="link" tabindex="-1" target="_blank">@Amigo_A_</a>, <a href="https://twitter.com/jamiemaccoll" rel="external nofollow" target="_blank">@jamiemaccoll</a>, <a href="https://twitter.com/Jarnecki" rel="external nofollow" target="_blank">@Jarnecki</a>, and <a href="https://twitter.com/PogoWasRight" rel="external nofollow" target="_blank">@PogoWasRight</a>.
</p>

<h2>
	August 6th 2022
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/new-gwisinlocker-ransomware-encrypts-windows-and-linux-esxi-servers/" target="_blank" rel="external nofollow">New GwisinLocker ransomware encrypts Windows and Linux ESXi servers</a>
</h3>

<p>
	A new ransomware family called 'GwisinLocker' targets South Korean healthcare, industrial, and pharmaceutical companies with Windows and Linux encryptors, including support for encrypting VMware ESXi servers and virtual machines.
</p>

<h2>
	August 8th 2022
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/7-eleven-stores-in-denmark-closed-due-to-a-cyberattack/" target="_blank" rel="external nofollow">7-Eleven stores in Denmark closed due to a cyberattack</a>
</h3>

<p>
	7-Eleven stores in Denmark shut down today after a cyberattack disrupted stores’ payment and checkout systems throughout the country.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1556503721516961792" rel="external nofollow" target="_blank">New Phobos ransomware variant</a>
</h3>

<p>
	<a href="https://twitter.com/pcrisk" rel="external nofollow" target="_blank">PCrisk</a> found new Phobos variants that append the .FLSCRYPT and .BITCOINPAYMENT extensions to encrypted files.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1556547789982777345" rel="external nofollow" target="_blank">New World2022 ransomware</a>
</h3>

<p>
	PCrisk found a new ransomware called World2022 that appends .world2022decoding and drops a ransom note named WE CAN RECOVER YOUR DATA.MHT.
</p>

<h2>
	August 9th 2022
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/maui-ransomware-operation-linked-to-north-korean-andariel-hackers/" target="_blank" rel="external nofollow">Maui ransomware operation linked to North Korean 'Andariel' hackers</a>
</h3>

<p>
	The Maui ransomware operation has been linked to the North Korean state-sponsored hacking group 'Andariel,' known for using malicious cyber activities to generate revenue and causing discord in South Korea.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1556547789982777345" rel="external nofollow" target="_blank">New VoidCrypt variants</a>
</h3>

<p>
	PCrisk found new VoidCrypt variants that append the .Daz and .Oiltraffic extensions.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1556906308418273281" rel="external nofollow" target="_blank">New MedusaLocker variant</a>
</h3>

<p>
	PCrisk found a new MedusaLocker ransomware variant that appends the .readlockfiles extension and drops a ransom note named HOW_TO_RECOVER_DATA.html.
</p>

<h2>
	August 10th 2022
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/cisco-hacked-by-yanluowang-ransomware-gang-28gb-allegedly-stolen/" target="_blank" rel="external nofollow">Cisco hacked by Yanluowang ransomware gang, 2.8GB allegedly stolen</a>
</h3>

<p>
	Cisco confirmed today that the Yanluowang ransomware group breached its corporate network in late May and that the actor tried to extort them under the threat of leaking stolen files online.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/7-eleven-denmark-confirms-ransomware-attack-behind-store-closures/" target="_blank" rel="external nofollow">7-Eleven Denmark confirms ransomware attack behind store closures</a>
</h3>

<p>
	7-Eleven Denmark has confirmed that a ransomware attack was behind the closure of 175 stores in the country on Monday.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/ransomware-gangs-move-to-callback-social-engineering-attacks/" target="_blank" rel="external nofollow">Ransomware gangs move to 'callback' social engineering attacks</a>
</h3>

<p>
	At least three groups that split from the Conti ransomware operation have adopted BazarCall phishing tactics as their primary method of gaining initial access to a victim’s network.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/automotive-supplier-breached-by-3-ransomware-gangs-in-2-weeks/" target="_blank" rel="external nofollow">Automotive supplier breached by 3 ransomware gangs in 2 weeks</a>
</h3>

<p>
	An automotive supplier had its systems breached and files encrypted by three different ransomware gangs over two weeks in May, two of the attacks happening within just two hours.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/hacker-uses-new-rat-malware-in-cuba-ransomware-attacks/" target="_blank" rel="external nofollow">Hacker uses new RAT malware in Cuba Ransomware attacks</a>
</h3>

<p>
	A member of the Cuba ransomware operation is employing previously unseen tactics, techniques, and procedures (TTPs), including a novel RAT (remote access trojan) and a new local privilege escalation tool.
</p>

<h3>
	<a href="https://unit42.paloaltonetworks.com/bluesky-ransomware/" rel="external nofollow" target="_blank">BlueSky Ransomware: Fast Encryption via Multithreading</a>
</h3>

<p>
	BlueSky ransomware is an emerging family that has adopted modern techniques to evade security defenses.
</p>

<h3>
	<a href="https://www.databreaches.net/scoop-ista-international-takes-systems-offline-in-wake-of-ransomware-attack-daixin-team-claims-thousands-of-servers-encrypted/" rel="external nofollow" target="_blank">ista International takes systems offline in wake of ransomware attack</a>
</h3>

<p>
	Daixin Team claims thousands of servers encrypted
</p>

<h3>
	<a href="https://twitter.com/Amigo_A_/status/1557437990913409027" rel="external nofollow" target="_blank">New FileRec ransomware</a>
</h3>

<p>
	<a href="https://twitter.com/Amigo_A_" rel="external nofollow" role="link" target="_blank">Amigo-A</a> found a new FileRec ransomware that appends the .filerec extension and drops a ransom note named filerec.txt.
</p>
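<p>
	As an added example (not part of the original roundup), the indicators listed in the items above, the appended extensions and ransom-note names, collected into a small Python matcher and run over a constructed file listing. The directory names and Phobos id/e-mail blocks are made up, and the confidence heuristic (a note and encrypted files in the same directory) is an assumption of this example, not something the roundup describes.
</p>

```python
"""Match a file listing against the ransomware indicators reported above:
appended extensions and ransom-note file names. Added example, not part of the
BleepingComputer roundup; the listing at the bottom is constructed.
"""
import posixpath

# Appended extension (lower-cased) -> family, from the items in this roundup.
EXTENSION_IOCS = {
    ".flscrypt": "Phobos",
    ".bitcoinpayment": "Phobos",
    ".world2022decoding": "World2022",
    ".daz": "VoidCrypt",
    ".oiltraffic": "VoidCrypt",
    ".readlockfiles": "MedusaLocker",
    ".filerec": "FileRec",
}
# Ransom-note file name (lower-cased) -> family.
NOTE_IOCS = {
    "we can recover your data.mht": "World2022",
    "how_to_recover_data.html": "MedusaLocker",
    "filerec.txt": "FileRec",
}


def classify(path):
    """Return (family, kind) for a matching path, else None.

    kind is "note" for a ransom note and "encrypted" for an encrypted file.
    Only the final suffix is compared, because these families append their
    marker after the original extension (Phobos also inserts an id/e-mail block):
    report.docx.id[...].[mail].FLSCRYPT -> .flscrypt
    """
    name = posixpath.basename(path.replace("\\", "/")).lower()
    if name in NOTE_IOCS:
        return NOTE_IOCS[name], "note"
    ext = posixpath.splitext(name)[1]
    if ext in EXTENSION_IOCS:
        return EXTENSION_IOCS[ext], "encrypted"
    return None


def scan(paths):
    """Aggregate hits per family: encrypted-file count, note count, affected directories.

    Confidence heuristic (assumption of this example): a directory holding both a
    ransom note and encrypted files is "high"; an extension hit on its own stays
    "medium", since a lone extension can be a false positive.
    """
    report = {}
    for raw in paths:
        hit = classify(raw)
        if hit is None:
            continue
        family, kind = hit
        entry = report.setdefault(family, {"encrypted": 0, "note": 0, "dirs": {}})
        entry[kind] += 1
        directory = posixpath.dirname(raw.replace("\\", "/"))
        entry["dirs"].setdefault(directory, set()).add(kind)
    for entry in report.values():
        corroborated = any(kinds == {"encrypted", "note"} for kinds in entry["dirs"].values())
        entry["confidence"] = "high" if corroborated else "medium"
    return report


# Constructed listing: not from any real incident.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\report.docx.id[1A2B3C4D-2345].[mail@example].FLSCRYPT",
    r"C:\Users\alice\Documents\budget.xlsx.id[1A2B3C4D-2345].[mail@example].FLSCRYPT",
    r"C:\Users\alice\Desktop\WE CAN RECOVER YOUR DATA.MHT",
    r"C:\Users\alice\Desktop\photo.jpg.world2022decoding",
    "/srv/shares/finance/HOW_TO_RECOVER_DATA.html",
    "/srv/shares/finance/q2.pdf.readlockfiles",
    "/srv/shares/hr/contract.docx",
    "/srv/shares/hr/notes.txt",
]

if __name__ == "__main__":
    for family, entry in scan(SAMPLE_LISTING).items():
        print(f"{family}: {entry['encrypted']} encrypted, {entry['note']} note(s), "
              f"confidence={entry['confidence']}, dirs={sorted(entry['dirs'])}")
```

<p>
	Feed it the output of a file-system walk or a backup catalogue; the matcher only needs path strings, so it works equally on a live host and on an offline image.
</p>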

<h2>
	August 11th 2022
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/uk-nhs-service-recovery-may-take-a-month-after-msp-ransomware-attack/" target="_blank" rel="external nofollow">UK NHS service recovery may take a month after MSP ransomware attack</a>
</h3>

<p>
	Managed service provider (MSP) Advanced confirmed that a ransomware attack on its systems disrupted the NHS 111 service, the United Kingdom's National Health Service (NHS) non-emergency advice line.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/fbi-zeppelin-ransomware-may-encrypt-devices-multiple-times-in-attacks/" target="_blank" rel="external nofollow">FBI: Zeppelin ransomware may encrypt devices multiple times in attacks</a>
</h3>

<p>
	The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warned US organizations today that attackers deploying Zeppelin ransomware might encrypt their files multiple times.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/us-govt-will-pay-you-10-million-for-info-on-conti-ransomware-members/" target="_blank" rel="external nofollow">US govt will pay you $10 million for info on Conti ransomware members</a>
</h3>

<p>
	The U.S. State Department announced a $10 million reward today for information on five high-ranking Conti ransomware members, including showing the face of one of the members for the first time.
</p>

<h2>
	August 12th 2022
</h2>

<h3>
	<a href="https://rusi.org/explore-our-research/publications/commentary/ransomware-now-threatens-global-south" rel="external nofollow" target="_blank">Ransomware Now Threatens the Global South</a>
</h3>

<p>
	Historically, ransomware has targeted a number of high-value sectors – finance, professional services, the public sector – in wealthy countries, concentrating on the US and other G7 members. Recent attacks on countries such as Costa Rica, South Africa, Malaysia, Peru, Brazil and India illustrate the increased threat to governments, critical national infrastructure providers and businesses in middle-income and developing countries. Ransomware presents a risk to these countries’ development, economic growth and political stability by disrupting commerce and the delivery of essential services.
</p>

<h2>
	That's it for this week! Hope everyone has a nice weekend!
</h2>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-12th-2022-attacking-the-defenders/" rel="external nofollow">The Week in Ransomware - August 12th 2022 - Attacking the defenders</a>
</p>
]]></description><guid isPermaLink="false">7700</guid><pubDate>Sat, 13 Aug 2022 21:58:55 +0000</pubDate></item><item><title>A Single Flaw Broke Every Layer of Security in MacOS</title><link>https://nsaneforums.com/news/security-privacy-news/a-single-flaw-broke-every-layer-of-security-in-macos-r7699/</link><description><![CDATA[<h3>
	An injection flaw allowed a researcher to access all files on a Mac. Apple issued a fix, but some machines may still be vulnerable.
</h3>

<p>
	Every time you shut down your Mac, a pop-up appears: “Are you sure you want to shut down your computer now?” Nestled under the prompt is another option most of us likely overlook: the choice to reopen the apps and windows you have open now when your machine is turned back on. Researchers have now found a way to exploit a vulnerability in this “saved state” feature—and it can be used to break the key layers of Apple’s security protections.
</p>

<p>
	 
</p>

<p>
	The vulnerability is a process injection flaw that can be used to break macOS's security layers, and it could allow an attacker to read every file on a Mac or take control of the webcam, says Thijs Alkemade, a security researcher at Netherlands-based cybersecurity firm Computest who found the flaw. “It's basically one vulnerability that could be applied to three different locations,” he says.
</p>

<p>
	 
</p>

<p>
	After deploying the initial attack against the saved state feature, Alkemade was able to move through other parts of the Apple ecosystem: first escaping the <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://developer.apple.com/documentation/xcode/configuring-the-macos-app-sandbox/"}' data-offer-url="https://developer.apple.com/documentation/xcode/configuring-the-macos-app-sandbox/" href="https://developer.apple.com/documentation/xcode/configuring-the-macos-app-sandbox/" rel="external nofollow" target="_blank">macOS sandbox</a>, which is designed to limit a successful compromise to the one app it started in, and then bypassing System Integrity Protection (SIP), a key defense designed to stop unauthorized code from accessing sensitive files on a Mac.
</p>

<p>
	 
</p>

<p>
	Alkemade—who is presenting the work at the <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.blackhat.com/us-22/briefings/schedule/index.html#process-injection-breaking-all-macos-security-layers-with-a-single-vulnerability-27334"}' data-offer-url="https://www.blackhat.com/us-22/briefings/schedule/index.html#process-injection-breaking-all-macos-security-layers-with-a-single-vulnerability-27334" href="https://www.blackhat.com/us-22/briefings/schedule/index.html#process-injection-breaking-all-macos-security-layers-with-a-single-vulnerability-27334" rel="external nofollow" target="_blank">Black Hat conference in Las Vegas</a> this week—first found the vulnerability in December 2020 and reported the issue to Apple through its bug bounty scheme. He was paid a “pretty nice” reward for the research, he says, although he refuses to detail how much. Since then Apple has issued two updates to fix the flaw, first in <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://support.apple.com/en-us/HT212317"}' data-offer-url="https://support.apple.com/en-us/HT212317" href="https://support.apple.com/en-us/HT212317" rel="external nofollow" target="_blank">April 2021</a> and again in <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://support.apple.com/en-us/HT212869"}' data-offer-url="https://support.apple.com/en-us/HT212869" href="https://support.apple.com/en-us/HT212869" rel="external nofollow" target="_blank">October 2021</a>.
</p>

<p>
	 
</p>

<p>
	When asked about the flaw, Apple said it did not have any comment prior to Alkemade’s presentation. The company’s two public updates about the vulnerability are light on detail, but they say the issues could allow malicious apps to leak sensitive user information and escalate privileges for an attacker to move through a system.
</p>

<p>
	 
</p>

<p>
	Apple’s changes can also be seen in Xcode, the company’s development environment for app creators, according to a <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://sector7.computest.nl/post/2022-08-process-injection-breaking-all-macos-security-layers-with-a-single-vulnerability/"}' data-offer-url="https://sector7.computest.nl/post/2022-08-process-injection-breaking-all-macos-security-layers-with-a-single-vulnerability/" href="https://sector7.computest.nl/post/2022-08-process-injection-breaking-all-macos-security-layers-with-a-single-vulnerability/" rel="external nofollow" target="_blank">blog post</a> by Alkemade describing the attack. The researcher says that while Apple fixed the issue for Macs running Monterey, released in October 2021, previous versions of macOS remain vulnerable to the attack.
</p>

<p>
	 
</p>

<p>
	There are multiple steps to successfully launching the attack, but fundamentally they come back to the initial <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://attack.mitre.org/techniques/T1055/"}' data-offer-url="https://attack.mitre.org/techniques/T1055/" href="https://attack.mitre.org/techniques/T1055/" rel="external nofollow" target="_blank">process injection</a> vulnerability. In a process injection attack, code controlled by the attacker is made to execute inside another, already trusted process, so it runs with that process’s privileges and entitlements rather than the attacker’s own.
</p>

<p>
	 
</p>

<p>
	The attacks are not uncommon. “It's quite often possible to find the process injection vulnerability in a specific application,” Alkemade says. “But to have one that’s so universally applicable is a very rare find,” he says.
</p>

<p>
	 
</p>

<p>
	The vulnerability Alkemade found is in a “serialized” object in the saved state system, which saves the apps and windows you have open when you shut down a Mac. This saved state system can also run while a Mac is in use, in a process called <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.howtogeek.com/277414/what-is-app-nap-is-it-slowing-down-my-mac-apps/"}' data-offer-url="https://www.howtogeek.com/277414/what-is-app-nap-is-it-slowing-down-my-mac-apps/" href="https://www.howtogeek.com/277414/what-is-app-nap-is-it-slowing-down-my-mac-apps/" rel="external nofollow" target="_blank">App Nap</a>.
</p>

<p>
	 
</p>

<p>
	When an application is launched, Alkemade says, it reads some files and tries to load them using an insecure version of the “serialized” object, meaning the data is deserialized without being checked. “In all of Apple’s operating systems, these serialized objects are used all over the place, often for inter-process exchange of data,” the researcher writes in the blog post describing the attack. “The way the attack works is that you can create those files at the place another application will load them from,” Alkemade says. Essentially, a malicious “serialized object” is written where a target application will read it, and deserializing it makes that application behave in ways it is not supposed to.
</p>

<p>
	 
</p>

<p>
	From here, Alkemade was able to escape the Mac app sandbox using the vulnerability—this was the first flaw that Apple fixed. By injecting the code into another application, it was possible to extend what the attack could do. Finally, Alkemade was able to bypass the System Integrity Protection that’s supposed to stop unauthorized code from reading or changing sensitive files. “I could basically read all of the files on the disk and also modify certain system files,” he says.
</p>

<p>
	 
</p>

<p>
	There is no evidence to date that the vulnerability has been exploited in the real world. However, the flaw shows how, in some instances, it may be possible for attackers to move through an entire operating system, increasingly being able to access more data. In the description for his talk, Alkemade says that as local security on macOS moves more toward an iOS model, this highlights that multiple parts of the system need to be reexamined.
</p>


<p>
	<a href="https://www.wired.com/story/a-single-flaw-broke-every-layer-of-security-in-macos/" rel="external nofollow">A Single Flaw Broke Every Layer of Security in MacOS</a>
</p>

<p>
	 
</p>

<p>
	(May require free registration to view)
</p>
]]></description><guid isPermaLink="false">7699</guid><pubDate>Sat, 13 Aug 2022 21:57:48 +0000</pubDate></item><item><title>KB5012170: Microsoft August Patch Tuesday fixes critical Secure Boot GRUB vulnerability</title><link>https://nsaneforums.com/news/security-privacy-news/kb5012170-microsoft-august-patch-tuesday-fixes-critical-secure-boot-grub-vulnerability-r7689/</link><description><![CDATA[<p>
	Microsoft released the Patch Tuesday or Update Tuesday for the month of August a couple of days ago. You can find our coverage here:
</p>

<p>
	 
</p>

<ul>
	<li>
		<a href="https://www.neowin.net/news/microsoft-releases-its-august-patch-tuesday-update-kb5016629-for-windows-11/" rel="external nofollow">Windows 11</a>
	</li>
	<li>
		<a href="https://www.neowin.net/news/windows-10-august-patch-tuesday-kb5016616-out--heres-whats-new-and-whats-broken/" rel="external nofollow">Windows 10</a>
	</li>
	<li>
		<a href="https://www.neowin.net/news/microsoft-releases-windows-7-kb5016679-and-windows-81-kb5016683-patch-tuesday-updates/" rel="external nofollow">Windows 7/8.1</a>
	</li>
</ul>

<p>
	 
</p>

<p>
	In this month's Patch Tuesday release, the Redmond company also issued an important fix related to the Secure Boot DBX, delivered as the KB5012170 update.
</p>

<p>
	 
</p>


<p>
	For those unaware, the Secure Boot Forbidden Signature Database, or DBX, is a revocation list: the firmware refuses to run any UEFI binary whose hash (or signing certificate) appears in it, even if the binary otherwise carries a valid signature from a trusted CA. The KB5012170 update adds the hashes of known vulnerable UEFI modules to the DBX, so those modules will no longer be able to run once the update is applied. This time the entries relate to the GRand Unified Boot Loader <a href="http://www.neowin.net/news/new-boothole-flaw-in-secure-boot-affects-a-huge-number-of-linux-and-windows-systems/" rel="external nofollow">(GRUB) vulnerability also called BootHole</a>.
</p>
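<p>
	As an added example (not code from the Neowin article or from Microsoft's KB), here is what a DBX entry looks like at the byte level and how a boot binary's hash is checked against it. The blob is built from constructed stand-in images with made-up hashes; the real BootHole hashes shipped in KB5012170 are not reproduced. The layout follows the UEFI specification's EFI_SIGNATURE_LIST and EFI_SIGNATURE_DATA structures, and the owner GUID is a placeholder, not Microsoft's.
</p>

```python
"""Parse a UEFI Secure Boot forbidden-signature database (DBX) and check whether
a boot binary is revoked by it.

Added example, not code from the Neowin article or from Microsoft's KB5012170.
The DBX blob below is CONSTRUCTED from made-up images; the real BootHole hashes
are not reproduced here. The byte layout follows the UEFI specification's
EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA structures.
"""
import hashlib
import struct
import uuid

# EFI_CERT_SHA256_GUID (UEFI spec): a list of this type holds SHA-256 hashes of PE images.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Placeholder SignatureOwner for the constructed entries (assumption, not Microsoft's GUID).
SAMPLE_OWNER_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")

SIGLIST_HEADER = struct.Struct("<III")  # SignatureListSize, SignatureHeaderSize, SignatureSize
SIGLIST_HEADER_LEN = 16 + SIGLIST_HEADER.size  # type GUID + three u32 fields = 28 bytes


def build_sha256_siglist(hashes, owner=SAMPLE_OWNER_GUID):
    """Encode one EFI_SIGNATURE_LIST of SHA-256 entries.

    Each EFI_SIGNATURE_DATA is SignatureOwner (16 bytes) + SignatureData (32 bytes).
    EFI GUIDs are stored mixed-endian, which is exactly what uuid.bytes_le produces.
    """
    entries = b"".join(owner.bytes_le + h for h in hashes)
    sig_size = 16 + 32
    list_size = SIGLIST_HEADER_LEN + len(entries)
    return EFI_CERT_SHA256_GUID.bytes_le + SIGLIST_HEADER.pack(list_size, 0, sig_size) + entries


def parse_dbx(blob):
    """Walk every EFI_SIGNATURE_LIST in a DBX blob.

    Returns a list of (signature_type_guid, owner_guid, signature_data) tuples and
    raises ValueError on a malformed blob instead of reading out of bounds.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < SIGLIST_HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = SIGLIST_HEADER.unpack_from(blob, off + 16)
        end = off + list_size
        pos = off + SIGLIST_HEADER_LEN + hdr_size
        if list_size < SIGLIST_HEADER_LEN or end > len(blob) or pos > end:
            raise ValueError("bad SignatureListSize/SignatureHeaderSize")
        if sig_size <= 16 or (end - pos) % sig_size:
            raise ValueError("bad SignatureSize")
        while pos < end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def revoked_sha256_hashes(dbx_blob):
    """Set of SHA-256 digests the firmware will refuse to execute."""
    return {data for sig_type, _owner, data in parse_dbx(dbx_blob)
            if sig_type == EFI_CERT_SHA256_GUID}


def is_revoked(image, dbx_blob):
    """True if this image's SHA-256 is in the DBX: Secure Boot blocks it even if validly signed."""
    return hashlib.sha256(image).digest() in revoked_sha256_hashes(dbx_blob)


# Constructed stand-ins for boot images; nothing here is a real bootloader.
VULNERABLE_GRUB = b"constructed stand-in for a vulnerable grubx64.efi"
ANOTHER_REVOKED = b"constructed stand-in for another revoked UEFI module"
UNLISTED_IMAGE = b"constructed stand-in for a bootloader not in the DBX"

SAMPLE_DBX = build_sha256_siglist([
    hashlib.sha256(VULNERABLE_GRUB).digest(),
    hashlib.sha256(ANOTHER_REVOKED).digest(),
])

if __name__ == "__main__":
    # To check a live machine instead of the constructed blob: on Linux read
    # /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f and strip
    # its 4-byte attribute prefix; on Windows, Get-SecureBootUEFI -Name dbx returns
    # the same bytes. Hash the .efi file with sha256 and pass both to is_revoked().
    for name, img in [("vulnerable grub", VULNERABLE_GRUB), ("unlisted", UNLISTED_IMAGE)]:
        print(f"{name}: revoked={is_revoked(img, SAMPLE_DBX)}")
```

<p>
	The point of the check is that revocation works on the hash of the image, not on the signature: a vulnerable GRUB build stays validly signed by the Microsoft UEFI CA, and only the DBX entry stops the firmware from running it. Note that a real DBX can hold several concatenated signature lists, which is why the parser loops rather than reading a single header.
</p>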

<p>
	 
</p>

<p>
	The official Microsoft bulletin explains how the attack works:
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	Microsoft is aware of a vulnerability in the GRand Unified Boot Loader (GRUB), commonly used by Linux. This vulnerability, known as “There’s a Hole in the Boot”, could allow for Secure Boot bypass.
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	To exploit this vulnerability, an attacker would need to have administrative privileges or physical access on a system where Secure Boot is configured to trust the Microsoft Unified Extensible Firmware Interface (UEFI) Certificate Authority (CA). The attacker could install an affected GRUB and run arbitrary boot code on the target device. After successfully exploiting this vulnerability, the attacker could disable further code integrity checks thereby allowing arbitrary executables and drivers to be loaded onto the target device.
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	[...]
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	<strong>Update: August 9, 2022</strong>
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	Microsoft has released standalone security update 5012170 to provide protection against the vulnerabilities described in this advisory.
</p>

<p>
	 
</p>

<p>
	The update applies to the following Windows versions:
</p>

<p>
	 
</p>

<ul>
	<li>
		Windows Server 2012
	</li>
	<li>
		Windows 8.1 and Windows Server 2012 R2
	</li>
	<li>
		Windows 10, version 1507
	</li>
	<li>
		Windows 10, version 1607 and Windows Server 2016
	</li>
	<li>
		Windows 10, version 1809 and Windows Server 2019
	</li>
	<li>
		Windows 10, version 20H2
	</li>
	<li>
		Windows 10, version 21H1
	</li>
	<li>
		Windows 10, version 21H2
	</li>
	<li>
		Windows Server 2022
	</li>
	<li>
		Windows 11, version 21H2 (original release)
	</li>
	<li>
		Azure Stack HCI, version 1809
	</li>
	<li>
		Azure Stack Data Box, version 1809 (ASDB)
	</li>
</ul>

<p>
	 
</p>

<p>
	The download is available via Windows Update as part of the Patch Tuesday package, but you can also get the standalone update from the <a href="https://www.catalog.update.microsoft.com/Search.aspx?q=KB5012170" rel="external nofollow">Microsoft Update Catalog website here</a>. You may find more information on the official support article <a href="https://support.microsoft.com/en-us/topic/kb5012170-security-update-for-secure-boot-dbx-august-9-2022-72ff5eed-25b4-47c7-be28-c42bd211bb15" rel="external nofollow">here</a>.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/kb5012170-microsoft-august-patch-tuesday-fixes-critical-secure-boot-grub-vulnerability/" rel="external nofollow">KB5012170: Microsoft August Patch Tuesday fixes critical Secure Boot GRUB vulnerability</a>
</p>
]]></description><guid isPermaLink="false">7689</guid><pubDate>Fri, 12 Aug 2022 20:29:50 +0000</pubDate></item><item><title>Microsoft blocks UEFI bootloaders enabling Windows Secure Boot bypass</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-blocks-uefi-bootloaders-enabling-windows-secure-boot-bypass-r7682/</link><description><![CDATA[<p>
	Some signed third-party bootloaders for the Unified Extensible Firmware Interface (UEFI) could allow attackers to execute unauthorized code in an early stage of the boot process, before the operating system loads.
</p>

<p>
	 
</p>

<p>
	Three vendor-specific bootloaders signed by Microsoft were found to be vulnerable, while the status of bootloaders from 20 other vendors is currently unknown.
</p>

<p>
	 
</p>

<p>
	Threat actors could exploit the security issue to establish persistence on a target system that cannot be removed by reinstalling the operating system (OS).
</p>

<p>
	 
</p>

<p>
	Eclypsium security researchers Mickey Shkatov and Jesse Michael discovered vulnerabilities affecting UEFI bootloaders from third-party vendors that could be exploited to bypass the Secure Boot feature on Windows machines.
</p>

<p>
	 
</p>

<p>
	Secure Boot is part of the UEFI specification designed to ensure that only trusted code is executed to start the OS booting process: each boot component must be signed by a key enrolled in the firmware's signature database (db) and must not appear in its forbidden signature database (DBX).
</p>

<p>
	 
</p>

<p>
	The firmware bootloader runs immediately after turning on the system to initialize the hardware and to boot the UEFI environment responsible for launching the Windows Boot Manager.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="BootProcessOverview.png" class="ipsImage" data-ratio="92.57" height="436" width="471" src="https://www.bleepstatic.com/images/news/u/1100723/2022/BootProcessOverview.png">
	</p>

	<div>
		<em>Overview of the boot process on UEFI systems (source: Microsoft)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Eclypsium researchers found that three UEFI bootloaders that were approved by Microsoft had vulnerabilities that permitted bypassing the Secure Boot feature and executing unsigned code:
</p>


<p>
	 
</p>

<ul>
	<li>
		New Horizon Datasys Inc: <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34302" rel="external nofollow" target="_blank">CVE-2022-34302</a> (bypass Secure Boot via custom installer)
	</li>
	<li>
		CryptoPro Secure Disk: <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34301" rel="external nofollow" target="_blank">CVE-2022-34301</a> (bypass Secure Boot via UEFI Shell execution)
	</li>
	<li>
		Eurosoft (UK) Ltd: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34303" rel="external nofollow" target="_blank">CVE-2022-34303</a> (bypass Secure Boot via UEFI Shell execution) 
	</li>
</ul>

<p>
	 
</p>

<p>
	Microsoft has worked with the last two vendors in the list above and released security update <a href="http://support.microsoft.com/en-us/topic/kb5012170-security-update-for-secure-boot-dbx-august-9-2022-72ff5eed-25b4-47c7-be28-c42bd211bb15" rel="external nofollow" target="_blank">KB5012170</a> to address the issue in the affected bootloaders.
</p>

<p>
	 
</p>

<p>
	As part of this fix, Microsoft does not patch the vulnerable bootloaders themselves: the update adds them to the Secure Boot forbidden signature database (DBX), so firmware that has applied it refuses to launch those modules even though they still carry a valid Microsoft signature.
</p>

<p>
	 
</p>

<div>
	<p style="margin-left: 40px;">
		"This security update addresses the vulnerability by adding the signatures of the known vulnerable UEFI modules to the DBX" - Microsoft
	</p>

	<p>
		 
	</p>
</div>

<p>
	In an advisory this week about the vulnerabilities, the Carnegie Mellon CERT Coordination Center <a href="https://kb.cert.org/vuls/id/309662" rel="external nofollow" target="_blank">warns</a> that code executed in the early boot stages could “also evade common OS-based and EDR security defenses.”
</p>

<p>
	 
</p>

<p>
	Carnegie Mellon CERT CC has provided a list with 23 UEFI bootloader vendors, a clear status being available for just three of them: Microsoft (impacted), Phoenix Technologies (not impacted), and Red Hat (not impacted).
</p>

<p>
	 
</p>

<p>
	The remaining 20 vendors have also been informed about the issues, but it is currently unknown whether their products are affected.
</p>

<p>
	 
</p>

<p>
	The list includes names like Acer, AMD, American Megatrends, ASUSTeK, DELL, Google, Hewlett Packard Enterprise, HP, Lenovo, Toshiba, and VAIO Corporation.
</p>

<p>
	 
</p>

<p>
	A fix for these vulnerabilities should be delivered either by the Original Equipment Manufacturer (OEM) or the OS vendor by updating the <a href="https://uefi.org/revocationlistfile" rel="external nofollow" target="_blank">UEFI Revocation List</a>, the Secure Boot Forbidden Signature Database (DBX): a database of revoked signatures and hashes of previously approved boot components, which firmware with UEFI Secure Boot enabled refuses to execute even though their signatures would otherwise verify.
</p>
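<p>
	As an added example (not code from Microsoft, Eclypsium or the CERT/CC advisory), the following Python parses the EFI_SIGNATURE_LIST structures that make up a db or dbx variable and checks whether an image hash is revoked. The blob it operates on is constructed inline. On a real system the variable comes from the firmware: on Linux the efivarfs file dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f (its first four bytes are variable attributes, not data), on Windows <code>Get-SecureBootUEFI -Name dbx</code>. Real DBX entries hold the Authenticode hash of the PE image, not a flat SHA-256 of the file, so the image_hash helper here is a stand-in for that computation.
</p>

```python
"""Parse UEFI Secure Boot db/dbx contents (EFI_SIGNATURE_LIST arrays) and test
whether an image hash is revoked. Added example; the sample blob is constructed."""
import hashlib
import struct
import uuid
from typing import Dict, List, Tuple

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Vendor GUID of the db/dbx variables (EFI_IMAGE_SECURITY_DATABASE_GUID).
IMAGE_SECURITY_DATABASE_GUID = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")

SigList = Tuple[uuid.UUID, List[Tuple[uuid.UUID, bytes]]]  # (SignatureType, [(owner, data)])


def parse_signature_lists(blob: bytes) -> List[SigList]:
    """Walk the concatenated EFI_SIGNATURE_LIST headers; every size field is checked
    against the buffer before it is used, so a truncated or corrupt blob raises."""
    out: List[SigList] = []
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])        # GUID fields are little-endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize %d at offset %d" % (list_size, off))
        body = blob[off + 28 + hdr_size:off + list_size]           # array of EFI_SIGNATURE_DATA
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError("SignatureSize %d does not tile the list" % sig_size)
        entries = []
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])            # SignatureOwner
            entries.append((owner, body[i + 16:i + sig_size]))    # SignatureData
        out.append((sig_type, entries))
        off += list_size
    return out


def revoked_sha256(blob: bytes) -> Dict[bytes, uuid.UUID]:
    """All SHA-256 image hashes in a dbx blob, mapped to the owner GUID that added them."""
    hashes: Dict[bytes, uuid.UUID] = {}
    for sig_type, entries in parse_signature_lists(blob):
        if sig_type == EFI_CERT_SHA256_GUID:
            for owner, data in entries:
                hashes[data] = owner
    return hashes


def is_revoked(blob: bytes, image_hash: bytes) -> bool:
    return image_hash in revoked_sha256(blob)


def image_hash(image: bytes) -> bytes:
    """Stand-in for the PE Authenticode hash that real dbx entries contain."""
    return hashlib.sha256(image).digest()


def build_sha256_list(owner: uuid.UUID, hashes: List[bytes]) -> bytes:
    """Encode one EFI_SIGNATURE_LIST of EFI_CERT_SHA256 entries (no signature header)."""
    sig_size = 16 + 32
    list_size = 28 + sig_size * len(hashes)
    head = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", list_size, 0, sig_size)
    return head + b"".join(owner.bytes_le + h for h in hashes)


def read_efivar(path: str) -> bytes:
    """Read a variable from efivarfs, dropping the 4-byte attribute prefix."""
    with open(path, "rb") as f:
        return f.read()[4:]


# Constructed sample: two made-up bootloader images and an arbitrary owner GUID.
SAMPLE_OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")
REVOKED_IMAGE = b"constructed vulnerable bootloader image bytes"
CLEAN_IMAGE = b"constructed patched bootloader image bytes"
SAMPLE_DBX = build_sha256_list(SAMPLE_OWNER, [image_hash(REVOKED_IMAGE)])

if __name__ == "__main__":
    for name, img in (("revoked", REVOKED_IMAGE), ("clean", CLEAN_IMAGE)):
        print(name, "in dbx:", is_revoked(SAMPLE_DBX, image_hash(img)))
```

The same parser works on db, KEK and PK, which differ only in which signature types they hold; for dbx the interesting check is the one is_revoked makes, and the size validation matters because the variable is firmware-supplied data you are parsing with no other guard.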

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/microsoft-blocks-uefi-bootloaders-enabling-windows-secure-boot-bypass/" rel="external nofollow">Microsoft blocks UEFI bootloaders enabling Windows Secure Boot bypass</a>
</p>
]]></description><guid isPermaLink="false">7682</guid><pubDate>Fri, 12 Aug 2022 20:13:53 +0000</pubDate></item><item><title>Google slapped with $60 million fine for misleading customers about data collection</title><link>https://nsaneforums.com/news/security-privacy-news/google-slapped-with-60-million-fine-for-misleading-customers-about-data-collection-r7681/</link><description><![CDATA[<p>
	Australia's watchdog, the Australian Competition and Consumer Commission (ACCC), is well-known for going after companies that mislead customers or engage in anti-competitive practices. Most recently, it <a href="https://www.neowin.net/news/samsung-fined-14m-for-misleading-claims-about-galaxy-phones-being-waterproof/" rel="external nofollow">fined Samsung $14 million for inaccurate claims about the waterproof nature of its Galaxy devices</a>, <a href="https://www.neowin.net/news/australia039s-competition-watchdog-sues-uber-for-misleading-fares/" rel="external nofollow">filed a lawsuit against Uber for misleading fares</a>, and also <a href="https://www.neowin.net/news/meta-sued-for-allowing-fraudulent-crypto-ads/" rel="external nofollow">sued Meta for fraudulent crypto ads on Facebook</a>. Today, it has slapped Google with a $60 million fine for misleading Australian customers about data collection practices.
</p>

<p>
	 
</p>

<p>
	The case has been going on since October 2019, with the ACCC alleging that Google is not being sufficiently clear about its data collection practices. It highlighted that Google could still access and retain location data even if location history was disabled. This is due to location data still being collected <a href="https://www.neowin.net/news/google-adds-auto-delete-option-for-your-location-history-and-activity-data/" rel="external nofollow">if the "Web &amp; App Activity" toggle is left on</a> and then a user utilizes a Google app. In essence, both toggles had to be disabled for Google to stop collecting your location data, and the ACCC emphasized that this wasn't made clear to the end-user.
</p>

<p>
	 
</p>

<p>
	Although Google had already fixed the problem in December 2018, the ACCC saw fit to retrospectively fine the company for misleading customers during the period of 2017-2018.
</p>

<p>
	 
</p>


<p>
	In April 2021, the court ruled against Google saying that it did "partially" mislead its customers. Today, after much back and forth, Google and the ACCC have agreed to a $60 million penalty. ACCC Chairperson Gina Cass-Gottlieb noted that:
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	This significant penalty imposed by the Court today sends a strong message to digital platforms and other businesses, large and small, that they must not mislead consumers about how their data is being collected and used.
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	[...] Personal location data is sensitive and important to some consumers, and some of the users who saw the representations may have made different choices about the collection, storage and use of their location data if the misleading representations had not been made by Google.
</p>

<p>
	 
</p>

<p>
	Both parties have agreed that $60 million is a "fair and reasonable" fine, and the court has agreed that the amount is also suitable to deter any future breaches in this space.
</p>

<p>
	 
</p>

<p>
	Source: <a href="https://www.accc.gov.au/media-release/google-llc-to-pay-60-million-for-misleading-representations" rel="external nofollow">ACCC</a> via <a href="https://www.theguardian.com/technology/2022/aug/12/google-to-pay-60m-fine-for-misleading-australians-about-collecting-location-data" rel="external nofollow">The Guardian</a>
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/google-slapped-with-60-million-fine-for-misleading-customers-about-data-collection/" rel="external nofollow">Google slapped with $60 million fine for misleading customers about data collection</a>
</p>
]]></description><guid isPermaLink="false">7681</guid><pubDate>Fri, 12 Aug 2022 20:12:12 +0000</pubDate></item><item><title>U.S. Government Offers $10 Million Reward for Information on Conti Ransomware Gang</title><link>https://nsaneforums.com/news/security-privacy-news/us-government-offers-10-million-reward-for-information-on-conti-ransomware-gang-r7673/</link><description><![CDATA[<p>
	The U.S. State Department on Thursday announced a $10 million reward for information related to five individuals associated with the Conti ransomware group.
</p>

<p>
	<br />
	The reward offer, first reported by WIRED, is also notable for the fact that it marks the first time the face of a Conti associate, known as "Target," has been unmasked. The four other associates have been referred to as "Tramp," "Dandis," "Professor," and "Reshaev."
</p>

<p>
	<br />
	The government, besides seeking information about the five operators that could lead to their identification or location, is also calling on people to share details about Conti and its affiliated groups TrickBot and Wizard Spider.
</p>

<p>
	<br />
	Since its rebrand from Ryuk to Conti, the transnational organized crime group has been linked to hundreds of ransomware incidents over the past two years.
</p>

<p>
	<br />
	As of January 2022, the Russia-based ransomware-as-a-service (RaaS) operation is estimated to have hit over 1,000 entities, with victim payouts exceeding $150 million. The State Department has dubbed Conti the "most damaging strain of ransomware ever documented."
</p>

<p>
	<br />
	An analysis of the leaked chats between Conti members in March 2022 that emerged after the syndicate sided with Russia in the ongoing conflict between the country and Ukraine highlighted Target's role as a manager involved in its physical operations in Russia.
</p>

<p>
	<br />
	"The leaks are of an unprecedented level and show the world how a government backed, multimillion-dollar ransomware gang operates," Trellix researchers noted in March 2022.
</p>

<p>
	<br />
	"In some fashion it was almost like a normal business; wages needed to be paid, software licenses obtained, customer service initiated, and strategic alliances had to be formed."
</p>

<p>
	<br />
	Although the Conti brand has been terminated, its members are still active, continuing their work through other ransomware and data extortion operations under different offshoots, including Karakurt, Silent Ransom, Quantum, and Roy/Zeon.
</p>

<p>
	<br />
	The development also comes a little over three months after the agency said it's offering a reward of up to $10 million for information leading to the identification and/or location of individuals who hold key leadership positions in the Conti team.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2022/08/us-government-offers-10-million-reward.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">7673</guid><pubDate>Thu, 01 Jan 1970 00:00:00 +0000</pubDate></item><item><title>This Anti-Tracking Tool Checks If You&#x2019;re Being Followed</title><link>https://nsaneforums.com/news/security-privacy-news/this-anti-tracking-tool-checks-if-you%E2%80%99re-being-followed-r7666/</link><description><![CDATA[<h3>
	The Raspberry Pi-powered device can scan for phones around you. If it keeps spotting the same one, it’ll send you an alert.
</h3>

<p>
	Matt Edmondson, a federal agent with the Department of Homeland Security for the last 21 years, got a call for help last year. A friend working in another part of government—he won’t say which one—was worried that someone might have been tailing them when they were meeting a confidential informant who had links to a terrorist organization. If they were being followed, their source’s cover may have been blown. “It was literally a matter of life and death,” Edmondson says.
</p>

<p>
	 
</p>

<p>
	“If you’re trying to tell whether you’re being followed, there are surveillance detection routes,” Edmondson says. If you’re driving, you can change lanes on a freeway, perform a U-turn, or change your route. Each can help determine whether a car is following you. But it didn’t feel like enough, Edmondson says. “He had those skills, but he was just looking for an electronic supplement,” Edmondson explains. “He was worried about the safety of the confidential informant.”
</p>

<p>
	 
</p>

<p>
	After not finding any existing tools that could help, Edmondson, a hacker and digital forensics expert, decided to build his own anti-tracking tool. The Raspberry Pi-powered system, which can be carried around or sit in a car, scans for nearby devices and alerts you if the same phone is detected multiple times within the past 20 minutes. In theory it can alert you if a car is tailing you. Edmondson built the system using parts that cost around $200 in total, and will present the <a href="https://www.blackhat.com/us-22/briefings/schedule/#chasing-your-tail-with-a-raspberry-pi-26930" rel="external nofollow" target="_blank">research project</a> at the <a href="https://www.wired.com/tag/black-hat/" rel="external nofollow">Black Hat security conference</a> in Las Vegas this week. He’s also <a href="https://github.com/azmatt/chasing_your_tail" rel="external nofollow">open-sourced its underlying code</a>.
</p>


<figure>
	<div>
		<img alt="tracking_hack_Sec_IMG_8908.jpg" class="ipsImage" data-ratio="75.10" height="720" width="540" src="https://media.wired.com/photos/62f435bf922c62d7df489f31/master/w_1600,c_limit/tracking_hack_Sec_IMG_8908.jpg">
	</div>

	<div>
		<p style="width:720px;">
			<em>The anti-tracking tool is made up of a Raspberry Pi, wireless signal detectors, and a battery pack.</em>
		</p>

		<p>
			<em> Photograph: Matt Edmondson</em>
		</p>
	</div>
</figure>

<p>
	In recent years there’s been an explosion in the number of ways people can be tracked by domestic abusers, stalkers, or those in the murky world of government-backed espionage. Tracking can either be software- or hardware-based. <a href="https://www.wired.com/story/how-to-check-for-stalkerware/" rel="external nofollow">Stalkerware</a> and <a href="https://www.wired.com/story/nso-group-forcedentry-pegasus-spyware-analysis/" rel="external nofollow">spyware</a> that can be installed directly on people’s phones can give attackers access to all your <a href="https://www.wired.co.uk/article/stalkerware-spyware-monitoring-apps-uk" rel="external nofollow">location data, messages, photos, videos, and more</a>, while physical trackers—such as <a href="https://www.wired.com/story/how-to-find-airtags/" rel="external nofollow">Apple’s AirTags</a>—have been <a href="https://www.nytimes.com/2021/12/30/technology/apple-airtags-tracking-stalking.html" rel="external nofollow">used to track where people are in real time</a>. (In response to criticism, Apple has added some <a href="https://www.apple.com/newsroom/2022/02/an-update-on-airtag-and-unwanted-tracking/" rel="external nofollow" target="_blank">anti-tracking tools</a> to AirTags.)
</p>

<p>
	 
</p>

<p>
	A quick search online reveals plenty of tracking tools, which are easy to buy. “There’s so much out there to spy on people, and so little to help people who are wondering whether they're being spied on,” Edmondson says.
</p>

<p>
	 
</p>

<p>
	The homemade system works by scanning for wireless devices around it and then checking its logs to see whether they also were present within the past 20 minutes. It was designed to be used while people are on the move rather than sitting in, say, a coffee shop, where it would pick up too many false readings.
</p>

<p>
	 
</p>

<p>
	The anti-tracking tool, which can sit inside a shoebox-sized case, is made up of a few components. A Raspberry Pi 3 runs its software, a Wi-Fi card looks for nearby devices, a small waterproof case protects it, and a <a href="https://www.wired.com/gallery/best-portable-chargers-power-banks/" rel="external nofollow">portable charger</a> powers the system. A touchscreen shows the alerts the device produces. Each alert may be a sign that you are being tailed.
</p>

<p>
	 
</p>

<p>
	The device runs Kismet, which is a wireless network detector, and is able to detect smartphones and tablets around it that are looking for Wi-Fi or Bluetooth connections. The phones we use are <a href="https://blog.spacehuhn.com/probe-request" rel="external nofollow" target="_blank">constantly looking for</a> wireless networks around them, including networks they’ve connected to before as well as new networks.
</p>

<p>
	 
</p>

<p>
	Edmondson says Kismet makes a record of the first time it sees a device and then the most recent time it was detected. But to make the anti-tracking system work, he had to write code in Python to create lists of what Kismet detects over time. There are lists for devices spotted in the past five to 10 minutes, 10 to 15 minutes, and 15 to 20 minutes. If a device appears twice, an alert flashes up on the screen. The system can show a phone’s MAC address, although this is not much use if it’s been <a href="https://support.apple.com/en-us/HT211227" rel="external nofollow" target="_blank">randomized</a>. It can also record the names of Wi-Fi networks that devices around it are looking for—a phone that’s trying to connect to a Wi-Fi network called Langley may give some clues about its owner. “If you have a device on you, I should see it,” he says. In an example, he showed WIRED that a device was looking for a network called SAMSUNGSMART.
</p>

<p>
	 
</p>

<p>
	To stop the system from detecting your own phone or those of other people traveling with you, it has an “ignore” list. By tapping one of the device’s onscreen buttons, it’s possible to “ignore everything that it has already seen.” Edmondson says that in the future, the device could be modified to send a text alert instead of showing them on the screen. He is also interested in adding the capability to detect tire-pressure monitoring systems that could show recurring nearby vehicles. A GPS unit could also be added so you can see where you were when you were being tracked, he says.
</p>
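<p>
	The windowing logic described above, as an added example in Python (not Edmondson’s chasing_your_tail code, which reads its sightings from Kismet): the sightings are constructed inline, a device seen in the current scan and in any earlier five-minute window raises an alert, an ignore list suppresses your own devices, and a locally administered (randomized) MAC is flagged as low confidence. The recurring_ssid_fingerprints function is an extension the article does not describe and is an assumption here: it correlates on the set of SSIDs a device probes for, which is one way to keep spotting a phone that rotates its MAC.
</p>

```python
"""Time-windowed recurring-device detection in the style of the tail-spotter above.
Added example, not the project's code; sightings are constructed, not read from Kismet."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, FrozenSet, Iterable, List, Set, Tuple

Window = Tuple[int, int]                      # (min_age, max_age) in minutes before "now"
WINDOWS: List[Window] = [(5, 10), (10, 15), (15, 20)]
CURRENT_MAX_AGE = 5                           # sightings younger than this count as "now"


@dataclass(frozen=True)
class Sighting:
    seen_at: datetime
    mac: str
    probed_ssids: FrozenSet[str] = frozenset()   # SSIDs carried in the device's probe requests


@dataclass(frozen=True)
class Alert:
    key: str                        # MAC address, or a probed-SSID fingerprint
    windows: Tuple[Window, ...]     # earlier windows in which the same key was seen
    randomized_mac: bool            # locally administered MAC: treat as low confidence
    probed_ssids: FrozenSet[str]


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet is set on locally administered (e.g. randomized) MACs."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def age_minutes(now: datetime, s: Sighting) -> float:
    return (now - s.seen_at).total_seconds() / 60.0


def bucket_by_window(sightings: Iterable[Sighting], now: datetime, windows: List[Window],
                     key: Callable[[Sighting], str]) -> Dict[Window, Set[str]]:
    """Map each window to the keys seen in it; a sighting lands in at most one window."""
    buckets: Dict[Window, Set[str]] = {w: set() for w in windows}
    for s in sightings:
        age = age_minutes(now, s)
        for lo, hi in windows:
            if lo <= age < hi:
                buckets[(lo, hi)].add(key(s))
    return buckets


def _recurring(sightings: Iterable[Sighting], now: datetime, windows: List[Window],
               key: Callable[[Sighting], str], ignore: FrozenSet[str]) -> List[Alert]:
    sightings = list(sightings)
    current = [s for s in sightings if 0 <= age_minutes(now, s) < CURRENT_MAX_AGE and key(s)]
    earlier = bucket_by_window(sightings, now, windows, key)
    by_key: Dict[str, List[Sighting]] = {}
    for s in current:
        by_key.setdefault(key(s), []).append(s)
    alerts: List[Alert] = []
    for k in sorted(by_key):
        if k in ignore:
            continue
        hits = tuple(w for w in windows if k in earlier[w])
        if hits:                                  # seen now AND at least once before
            ssids = frozenset().union(*(s.probed_ssids for s in by_key[k]))
            alerts.append(Alert(k, hits, is_locally_administered(by_key[k][0].mac), ssids))
    return alerts


def recurring_devices(sightings: Iterable[Sighting], now: datetime,
                      ignore: FrozenSet[str] = frozenset(), windows: List[Window] = WINDOWS) -> List[Alert]:
    """The article's rule: alert on any MAC seen now that was also seen in an earlier window."""
    return _recurring(sightings, now, windows, lambda s: s.mac, ignore)


def recurring_ssid_fingerprints(sightings: Iterable[Sighting], now: datetime,
                                ignore_ssids: FrozenSet[str] = frozenset(),
                                windows: List[Window] = WINDOWS) -> List[Alert]:
    """Extension (assumption, not from the article): key on the sorted set of probed SSIDs,
    so a phone that rotates its MAC but keeps asking for the same networks still recurs."""
    def fingerprint(s: Sighting) -> str:
        return "|".join(sorted(s.probed_ssids - ignore_ssids))
    return _recurring(sightings, now, windows, fingerprint, frozenset())


# Constructed sample log (not real captures); ages are minutes before NOW.
NOW = datetime(2022, 8, 11, 12, 0, 0)


def _ago(minutes: int) -> datetime:
    return NOW - timedelta(minutes=minutes)


SAMPLE: List[Sighting] = [
    Sighting(_ago(17), "3c:22:fb:aa:bb:cc", frozenset({"SAMSUNGSMART"})),   # candidate tail
    Sighting(_ago(8), "3c:22:fb:aa:bb:cc", frozenset({"SAMSUNGSMART"})),
    Sighting(_ago(1), "3c:22:fb:aa:bb:cc", frozenset({"SAMSUNGSMART"})),
    Sighting(_ago(12), "da:a1:19:01:02:03", frozenset({"Langley", "HomeNet"})),  # randomized MAC
    Sighting(_ago(2), "da:a1:19:0a:0b:0c", frozenset({"Langley", "HomeNet"})),   # same probes, new MAC
    Sighting(_ago(14), "b8:27:eb:00:00:01"),                                      # my own phone
    Sighting(_ago(3), "b8:27:eb:00:00:01"),
    Sighting(_ago(7), "f0:18:98:55:66:77", frozenset({"CoffeeShopGuest"})),      # passer-by, seen once
]
MY_DEVICES = frozenset({"b8:27:eb:00:00:01"})            # the device's "ignore" list

if __name__ == "__main__":
    for a in recurring_devices(SAMPLE, NOW, MY_DEVICES) + recurring_ssid_fingerprints(SAMPLE, NOW):
        print(a)
```

On the sample, the MAC rule flags only 3c:22:fb:aa:bb:cc (seen now, 8 and 17 minutes ago); the rotating-MAC phone escapes it, and only the SSID fingerprint catches it, with randomized_mac set so the reader knows the MAC itself is worthless as an identifier.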

<p>
	 
</p>

<p>
	“It’s purely designed to try to tell you that you’re seeing something now that you were also seeing a few minutes ago,” Edmondson says. “This isn’t designed to follow people in any way, shape, or form.” The hacker says he lives near the desert, so he tested the system in his car while driving around places where nobody else was, carrying multiple phones with him that could be detected by the tool. Edmondson says he believes the tool can be effective, since even spies working for a government still carry devices. “You still have your phone in your pocket,” he says. “You still have your phone on the seat sitting next to you, or in the center console.”
</p>

<p>
	 
</p>

<p>
	Edmondson has no plans to make the device into a commercial product, but he says the design could easily be copied and reused by anyone with some technical knowledge. Many of the parts involved are easy to obtain or may be lying around the homes of people in tech communities.
</p>

<p>
	 
</p>

<p>
	Ultimately, he says, the tech community needs to take tech-enabled tracking and surveillance more seriously. “It was really kind of disheartening and depressing to look at the ratio of tools to spy on people versus tools to help you not get spied on,” he says, adding that a person close to him has been the victim of a stalker in the past. In the case of his clandestine friend in another government department, the anti-tracking device was useful. “It was really designed to help someone who came to me asking for help,” he says. Fortunately for Edmondson’s friend (and his source), they used it in the real world, and the device didn’t find anyone following them.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/this-anti-tracking-tool-checks-if-youre-being-followed/" rel="external nofollow">This Anti-Tracking Tool Checks If You’re Being Followed</a>
</p>

<p>
	 
</p>

<p>
	(May require free registration to view)
</p>
]]></description><guid isPermaLink="false">7666</guid><pubDate>Thu, 11 Aug 2022 20:19:09 +0000</pubDate></item><item><title>Smiling Dogs? Horses Made of Clouds? Captcha Has Gone Too Far</title><link>https://nsaneforums.com/news/security-privacy-news/smiling-dogs-horses-made-of-clouds-captcha-has-gone-too-far-r7665/</link><description><![CDATA[<h3>
	Users face increasingly impossible challenges to prove they are not bots.
</h3>

<p>
	<img alt="business-captcha.jpg" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://media.wired.com/photos/62f3fdfe7e7512dc132d186e/master/w_2560,c_limit/business-captcha.jpg">
</p>

<p>
	<em>Illustration: Elena Lacey</em>
</p>

<p>
	 
</p>

<p>
	When Jared Bauman was asked to look at nine dog pictures and identify which ones were smiling as part of a captcha test to log in to a website a few weeks ago, he was stumped. “To be honest, I had a bit of a moment,” the founder of a creative marketing agency in San Diego, California, says. “Do dogs really smile?” Most of the dogs looked neither happy nor sad—some were grimacing, or simply had their mouths open. No one is sure <a href="https://www.purina.co.uk/articles/dogs/behaviour/common-questions/can-dogs-laugh-or-smile" rel="external nofollow" target="_blank">whether dogs can actually smile</a>, meaning that correctly identifying smiling dogs in a captcha is a near-impossible task.
</p>

<p>
	 
</p>

<p>
	This kind of conundrum is becoming a bigger issue as captchas—tests designed to weed out robot web surfers from humans on websites—have grown increasingly cryptic. The smiling dogs were the final straw for an increasing number of people <a href="https://twitter.com/search?q=smiling%20dogs%20captcha&amp;src=typed_query&amp;f=top" rel="external nofollow" target="_blank">posting their disbelief</a> on social media in recent months.
</p>

<p>
	 
</p>

<p>
	The increasingly complicated tests are the work of hCaptcha, a privacy-protecting alternative to Google’s captcha system, which claims to <a href="https://www.hcaptcha.com/post/hcaptcha-now-the-largest-independent-captcha-service" rel="external nofollow" target="_blank">run on around 15 percent of the internet</a> as of January 2022. And it’s not just asking you to identify which canines are baring their own canines. A week after he was prompted to pick smiling dogs, Bauman was given a more mind-boggling task: to click images of <a href="https://twitter.com/jaredbauman/status/1554294469251346433" rel="external nofollow" target="_blank">horses made out of clouds</a>. The marketer struggled in large part because two of the pictures had cloud-made elephants, perhaps designed to throw him off the scent. (Bauman managed to get it right the second time.)
</p>

<p>
	 
</p>

<p>
	Most people aren’t that persistent. “Something about the dogs broke me a little,” admits Eileen Ridge, who offers tech advice for generally older clients based near her in Virginia.
</p>

<p>
	 
</p>

<p>
	Ridge regularly fields calls from clients who struggle to discern the difference between a scuff of paint on a sidewalk and a formalized crosswalk that’s often requested in a traditional image-based captcha, and worry that one wrong answer may lock them out of an account. When confronted with something as intangible as whether a dog is smiling or not, she worries many will simply give up. She’s not the only one.
</p>

<p>
	 
</p>

<p>
	Captchas, which were designed to introduce an element of friction to the web browsing experience that would put off an automated system but would be basic enough not to put off humans, are fast becoming unusable, rendering the internet a wasteland of difficult puzzles which users must decipher to do the most basic things. “We’ve literally all been there through gritted teeth muttering: ‘Those were all the pictures with traffic lights,’” says Effie Le Moignan, research associate in social computing at Newcastle University, who calls the captcha era of the internet a “human-computer interaction atrocity.”
</p>

<p>
	 
</p>

<p>
	But while we’re at the nadir of the technology, captchas—short for Completely Automated Public Turing test to tell Computers and Humans Apart—have <a href="https://proprivacy.com/privacy-news/cloudflare-recaptcha-nightmare" rel="external nofollow" target="_blank">long</a> <a href="https://auth0.com/blog/captcha-can-ruin-your-ux-here-s-how-to-use-it-right/" rel="external nofollow" target="_blank">rendered</a> <a href="https://www.reddit.com/r/CloudFlare/comments/36z4vk/cloudflare_your_continuous_captchas_are_ruining/" rel="external nofollow" target="_blank">the</a> <a href="https://news.ycombinator.com/item?id=21169798" rel="external nofollow" target="_blank">internet</a> <a href="https://news.ycombinator.com/item?id=25227064" rel="external nofollow" target="_blank">impenetrable</a> to the average user.
</p>

<p>
	 
</p>

<p>
	“This has been the arms race since the beginning of the internet,” says Eli-Shaoul Khedouri, CEO of Intuition Machines, the company behind hCaptcha. Captchas served two purposes: They clamped down on bot behavior while training AI to understand the world, from text to images. (This is why we’re asked to identify traffic signals and sidewalks.) Google got into the captcha game in 2009, buying reCAPTCHA—developed by Duolingo founder Luis von Ahn—for <a href="https://www.businessinsider.com/luis-von-ahn-creator-of-duolingo-recaptcha-2014-3?r=US&amp;IR=T" rel="external nofollow">tens of millions of dollars</a>.
</p>

<p>
	 
</p>

<p>
	However, after several decades, it appears as if captcha’s dominance over the internet could be waning. Apple has decided to give the technology the boot, and its earlier moves on things like <a href="https://www.wired.co.uk/article/apple-newsletter-tracking" rel="external nofollow">email analytics</a> and <a href="https://www.wired.com/story/big-tech-companies-cant-stop-obsessing-over-apple-and-tiktok/" rel="external nofollow">ad tracking</a> have already had an impact. At its Worldwide Developers Conference (WWDC) in June, the company <a href="https://developer.apple.com/videos/play/wwdc2022/10077/" rel="external nofollow" target="_blank">announced</a> it would be replacing captchas with Private Access Tokens. “Sometimes a captcha is just a button to press,” says Apple engineer Tommy Pauly. “But others can be a challenge to fill out.”
</p>

<p>
	 
</p>

<p>
	Apple’s alternative, Private Access Tokens, tackles the underlying issue captchas try to solve—identifying inauthentic behavior—but in a more user-friendly way. “Captchas often lead to a slower and more complex user experience,” says Pauly. “When I do the exact same thing on the iOS 16 phone that supports Private Access Tokens, I get right through. This is going to save a lot of people a lot of time, and your customers will appreciate being trusted.” The Private Access Token concept was developed in collaboration with Google, Cloudflare, and Fastly.
</p>

<p>
	 
</p>

<p>
	Khedouri says the Privacy Access Token isn’t the end of the captcha—far from it. “Privacy Access Tokens are basically just a rebranding of the Privacy Pass, of which we are one of the creators,” he says. “We’ve been working on this for many years now.”
</p>

<p>
	 
</p>

<p>
	Instead, he believes that the future of captchas is bright, in large part because hCaptcha is trying to rework it from users feeling like they’re doing unpaid labor for Big Tech companies to a moment of fun. “We don’t want to bore you to death,” he says. “We actually would like the experience to be pleasant.” To try and achieve that, Khedouri and Intuition Machines are taking the tests out of the realms of the ordinary and into the extraordinary. “It’s like a game,” he says. hCaptcha is testing a number of different puzzle variants for users to solve, and among the most popular are animal-based ones—unsurprisingly, he says. “The internet is primarily used to transmit pictures of animals.”
</p>

<p>
	 
</p>

<p>
	Although that’s the goal, users’ frustrations around trying to identify which dogs are smiling and which aren’t suggest we’re not there yet. The new generation of captchas may be more fantastical, but they’re still solutions to which we don’t always know the answer, and which we resent having to do. But we’re thinking about it the wrong way if we’re actually trying to find the ground truth of smiling dogs, says Khedouri. “Think about it this way: The goal of a captcha is that you do what people do,” he explains. We’re not actually meant to find the right answer: We’re just meant to answer the question in the same way as other people. “If people are mostly making the same kinds of errors, that’s fine,” he says. hCaptcha’s solve rate meets a 99 percent benchmark, according to Khedouri, meaning that out of 100 users, 99 can solve the query within two tries.
</p>

<p>
	 
</p>

<p>
	But for those with disabilities who already struggle with the existing generation of captchas, adding a whimsical, fictionalized element to the problem-solving is another frustration to pile on top of an already tricky challenge to daily browsing. Preexisting captchas have been shown to be <a href="https://www.researchgate.net/publication/315378801_CAPTCHA_Impact_on_User_Experience_of_Users_with_Learning_Disabilities" rel="external nofollow">harder to solve</a> for people with learning difficulties. People with learning difficulties struggle enough to identify which parts of an image contain a sidewalk and which don’t; asking them to pick out the horses made of clouds from the elephants made of clouds could be a step too far.
</p>

<p>
	 
</p>

<p>
	Despite that, and despite Apple’s attempt to sidestep them, captchas will remain on the internet, Khedouri predicts. “As long as there are things that people can do quickly and easily that machines cannot do easily, then you will see some form of humanity verification,” he says.
</p>

<p>
	 
</p>

<p>
	In many ways, trying to rid the internet of the baffling mini-tests is fighting a battle we already lost long ago. “It’s very hard with these kinds of processes to backtrack and eliminate them from use once they’re ubiquitous,” says Le Moignan. “It’d take cohesive will in what’s an inherently fragmentary ecosystem of players, data generation, and processes. Ultimately you can’t opt out, so the user is over a barrel. You can’t, as a user, go ‘Not today, Satan, no captchas from me.’”
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/smiling-dogs-horses-made-of-clouds-captcha-has-gone-too-far/" rel="external nofollow">Smiling Dogs? Horses Made of Clouds? Captcha Has Gone Too Far</a>
</p>

<p>
	 
</p>

<p>
	(May require free registration to view)
</p>
]]></description><guid isPermaLink="false">7665</guid><pubDate>Thu, 11 Aug 2022 20:15:11 +0000</pubDate></item><item><title>A Linux Zero-Day Was Finally Patched After Half a Decade of Inaction With Help From Google</title><link>https://nsaneforums.com/news/security-privacy-news/a-linux-zero-day-was-finally-patched-after-half-a-decade-of-inaction-with-help-from-google-r7654/</link><description><![CDATA[<p>
	Google’s Threat Analysis Group revealed new details today about its efforts to identify and help patch a zero-day exploit, built by a commercial surveillance vendor and dating back to at least 2016, that impacted Android devices. The research, presented at the Black Hat cybersecurity conference in Las Vegas, represents the latest attempt by Google to step up its efforts against a growing private surveillance industry that, according to the researchers, is thriving.
</p>

<p>
	 
</p>

<p>
	The vulnerability in question, referred to as CVE-2021-0920, was a zero-day “in the wild” exploit in a garbage collection mechanism within the Linux kernel, the core piece of software that governs the entire Linux operating system. Google says the attackers, using an exploit chain that included the vulnerability, were able to remotely gain control of users’ devices.
</p>

<p>
	<br />
	Google says it has previously attributed a number of Android zero-day exploits to the developer behind CVE-2021-0920. In this case, a Google spokesperson told Gizmodo the surveillance vendor used “several novel and unseen exploitation techniques to bypass existing defensive mitigations.”
</p>

<p>
	That, the spokesperson said, suggests the vendor is well funded.
</p>

<p>
	<br />
	Though the CVE-2021-0920 vulnerability was patched last September in response to Google’s research, Google says the vulnerability was identified before 2016 and reported on the Linux Kernel Mailing List. A proper patch was offered up at the time, but Linux Foundation developers ultimately rejected it. Google shared the public Linux kernel email thread from the time, which shows disagreement over whether or not to apply the patch.
</p>

<p>
	 
</p>

<p>
	“Why would I apply a patch that’s an RFC, doesn’t have a proper commit message, lacks a proper signoff, and also lacks ACK’s and feedback from other knowledgeable developers,” one developer wrote.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:20px;"><strong>Responding to the Surveillance-for-Hire Era</strong></span>
</p>

<p>
	 
</p>

<p>
	Google has ramped up its efforts to spot and publicly identify spyware groups in recent years, partly in response to the sheer increase in the number of attacks. In testimony delivered to the House Intelligence Committee earlier this year, Google Threat Analysis Group Director Shane Huntley said, “the growth of commercial spyware vendors and hack-for-hire groups has necessitated growth in TAG [Threat Analysis Group] to counter these threats.”
</p>

<p>
	<br />
	Huntley said his team’s recent findings suggest advanced commercial spyware firms, like Israel-based NSO Group, have managed to acquire hacking capabilities once reserved for the world’s most advanced state-sponsored intelligence agencies. The use of those techniques, which can include zero-click exploits that take over a device potentially without a user ever engaging with malicious content, appears to be increasing and is being carried out at the behest of governments, Huntley suggested. Seven of the nine zero-day exploits discovered by Huntley’s team last year were reportedly developed by commercial providers and sold to state-sponsored actors. Highly technical surveillance techniques, once available to only a select group of countries, can now simply be purchased by the highest bidder.
</p>

<p>
	<br />
	“These vendors are enabling the proliferation of dangerous hacking tools, arming nation state actors that would not otherwise be able to develop these capabilities in-house,” Huntley said. “While use of surveillance technologies may be legal under national or international laws, they are found to be used by some state actors for purposes antithetical to democratic values: targeting dissidents, journalists, human rights workers, and opposition party politicians.”
</p>

<p>
	<br />
	“This industry appears to be thriving,” Huntley said.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.msn.com/en-us/news/technology/a-linux-zero-day-was-finally-patched-after-half-a-decade-of-inaction-with-help-from-google/ar-AA10wXWi" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">7654</guid><pubDate>Thu, 11 Aug 2022 16:27:02 +0000</pubDate></item><item><title>What the Zola Hack Can Teach Us About Password Security</title><link>https://nsaneforums.com/news/security-privacy-news/what-the-zola-hack-can-teach-us-about-password-security-r7651/</link><description><![CDATA[<p>
	Password security is only as strong as the password itself. Unfortunately, we are often reminded of the danger of weak, reused, and compromised passwords with major cybersecurity breaches that start with stolen credentials. For example, in May 2022, the popular wedding planning site, Zola, was the victim of a significant cybersecurity breach where hackers used an attack known as credential stuffing. It resulted in fraudulent activity tied to customer accounts. Let's look at the Zola breach and why it emphasizes the need for organizations to bolster their password security and protect against various types of password attacks.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>What happened with the Zola attack?</strong></span>
</p>

<p>
	<br />
	Instead of going after Zola's core business-critical infrastructure, hackers went after customer accounts with the May attack. Attackers used an age-old technique called credential stuffing to compromise several Zola customer accounts. With access to the compromised accounts, they attempted to purchase gift vouchers which they could then use.
</p>

<p>
	<br />
	A Zola spokesperson mentioned that around 3,000 accounts, or around 0.1% of Zola accounts, were compromised. Users saw hundreds of dollars worth of gift cards or monetary gifts taken from their accounts. Hackers even changed the email associated with users' Zola accounts in many cases, preventing them from logging in. Compromised Zola accounts were quickly placed for sale on the dark web. Other users reported fraudulent charges on credit cards associated with Zola accounts.
</p>

<p>
	<br />
	Emily Forrest, Zola Director of Communications, mentioned the following in a statement regarding the compromise:
</p>

<p style="margin-left:40px;">
	<br />
	<em>"These hackers likely gained access to those set of exposed credentials on third-party sites and used them to try to log in to Zola and take bad actions. Our team jumped into action immediately to ensure that all couples and guests on Zola are protected…We understand the disruption and stress that this caused some of our couples, but we are happy to report that all attempted fraudulent cash fund transfer attempts were blocked. All cash funds have been restored."</em>
</p>

<p>
	<br />
	As part of their remediation of the attack, Zola, in addition to forcing users to reset their account passwords, temporarily disabled mobile apps connected to the platform. They have since reactivated the mobile app platforms. However, even though Zola allows connecting bank account information to Zola accounts, they still do not require multi-factor authentication as part of their security provisions.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>What went wrong from a security perspective with the Zola attack?</strong></span>
</p>

<p>
	<br />
	Hindsight is often 20/20 when it comes to post-mortem analysis of cybersecurity breaches. However, there were many things that could have been done and can be done moving forward to prevent attacks like the Zola hack from being carried out.
</p>

<p>
	<br />
	More companies now require multi-factor authentication to be enabled on your account to take advantage of their services. Arguably, any service geared toward collecting money into an account or that allows connecting a bank account or credit card should require multi-factor. With multi-factor enabled, even if an attacker has legitimate credentials, such as a username and password, with an additional factor required, they still do not have everything needed to authenticate and log in.
</p>

<p>
	<br />
	The attack on Zola helps underscore that companies must also monitor accounts for suspicious activities. For example, watching for suspicious geolocations, the number of logins from a single source, or other metrics can help identify and remediate nefarious activities.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>What is credential stuffing?</strong></span>
</p>

<p>
	<br />
	Credential stuffing is a hacking technique that has been around for a long while and plays upon the weakness of password reuse among end-users. It is defined as the automated injection of stolen username and password pairs. What does this mean? It is human nature to reuse passwords across multiple sites, services, and applications, because doing so makes it easier to remember logins across various platforms. Hackers exploit this habit to defeat the password authentication used across most platforms: if they compromise or find leaked credentials associated with a user/email/password combination on one platform, they can try the same credentials across multiple platforms.
</p>

<p>
	<br />
	It can be effective even if they don't know whether a given username or email address has an account on the target service. For example, suppose they can access several compromised credential sets (usernames and passwords). In that case, they will likely find valid user accounts across multiple services where users have used the same username/password combination.
</p>

<p>
	<br />
	Note the following alarming statistics related to credential reuse:
</p>

<p>
	 
</p>

<ul>
	<li>
		Some 50% of IT professionals admitted to reusing passwords on work accounts
		<ul>
			<li>
				There was a surprisingly higher percentage of IT workers reusing credentials than non-privileged users (39% comparatively)
			</li>
		</ul>
	</li>
	<li>
		In a study that spanned three months, Microsoft found that some 44 million of its users had used the same password on more than one account
	</li>
	<li>
		In a 2019 Google study, they found that 13% of people reuse the same password across all accounts, 52% use the same one for multiple online accounts, and only 35% use a different password for every account
	</li>
</ul>

<p>
	 
</p>

<p>
	Another alarming scenario that organizations must consider is that end-users may use the same passwords for their corporate Active Directory environments as they do for their personal accounts. While businesses can't control and enforce password policies for end-users' personal accounts, monitoring for breached passwords and password reuse across their corporate Active Directory infrastructure is crucial.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>Protecting Active Directory against breached passwords and password reuse</strong></span>
</p>

<p>
	<br />
	On-premises Active Directory Domain Services (AD DS) does not have built-in protection against breached passwords or password reuse. For example, suppose every single account in Active Directory has the same password, and the password meets the configured password policy. In that case, there is no notification or way to prevent this with native Active Directory Password Policy functionality.
</p>

<p>
	<br />
	Moreover, many organizations are federating Active Directory Domain Services on-premises with Single Sign-On (SSO) cloud solutions. Unfortunately, it means all of the weak passwords, breached passwords, and passwords reused across your organization are now federated for use with cloud services, further weakening your security posture.
</p>

<p>
	<br />
	Built-in Active Directory Password Policies can't protect you against:
</p>

<p>
	 
</p>

<ul>
	<li>
		 Incremental passwords
	</li>
	<li>
		 Leetspeak passwords
	</li>
	<li>
		 Easily guessed but "complex" passwords
	</li>
	<li>
		 Breached passwords
	</li>
	<li>
		 Passwords associated with your business or industry
	</li>
</ul>

<p>
	 
</p>

<p>
	<span style="font-size:20px;"><strong>Bolster Active Directory password security with Specops</strong></span>
</p>

<p>
	 
</p>

<p>
	With the shortcomings of built-in capabilities provided by Active Directory Domain Services (AD DS), organizations need to bolster their Active Directory password security using a third-party solution. Specops Password Policy is a powerful solution that provides businesses with the tools and capabilities required to increase their password security and overall cybersecurity stance.
</p>

<p>
	<br />
	Specops Password Policy seamlessly integrates with existing Active Directory Password Policies and adds missing password security features to help protect your organization from many attacks, including credential stuffing. Note the following key features provided by Specops Password Policy:
</p>

<p>
	 
</p>

<ul>
	<li>
		You can create custom dictionary lists to block words common to your organization
	</li>
	<li>
		Prevent the use of more than 2 billion compromised passwords with Specops Breached Password Protection
	</li>
	<li>
		Find and remove compromised passwords in your environment
	</li>
	<li>
		Users get informative messaging from Specops at failed password changes, reducing calls to the helpdesk
	</li>
	<li>
		Real-time, dynamic feedback at password change with the Specops Authentication client
	</li>
	<li>
		Length-based password expiration with customizable email notifications
	</li>
	<li>
		Block user names, display names, specific words, consecutive characters, incremental passwords, and reusing part of a password
	</li>
	<li>
		Granular, GPO-driven targeting for any GPO level, computer, user, or group population
	</li>
	<li>
		Passphrase support
	</li>
	<li>
		Over 25 languages supported
	</li>
	<li>
		Use Regular Expressions for more granular password policies
	</li>
</ul>

<p>
	 
</p>

<p>
	Organizations can start protecting their users' passwords with Breached Password Protection with just a few clicks in the Specops Password Policy configuration settings. With the "Continuously check for leaked passwords and force users to change them" setting, you can leverage Specops Password Policy's enhanced honeypot intelligence for the most late-breaking breached passwords available.
</p>

<p style="text-align:center;">
	 
</p>

<p style="text-align:center;">
	&lt; View the image at the <a href="https://thehackernews.com/2022/08/what-zola-hack-can-teach-us-about.html" rel="external nofollow">source page</a>. &gt;
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Configuring Specops Password Policy Breached Password Protection</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Specops provides the tools needed to easily combat password risks such as reused passwords.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="image-2.jpg" class="ipsImage" data-ratio="72.78" height="518" width="720" src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhIQp074v5DyjYQFqbSTMfokqEG_q1kPhpFocKj0eMTBErtqMRIyavhPy2_Z-XGbD75oQZUNdkUNpYP0I8ZSX-dz0wKsBY2vq7j0SpPLkJhW8WFF2zGDPCuOdxyxkAlz83WGW_QsWZwSkD-W5oLpsGvpZojcLwswhDhr2y7ohGebjLsNEyECExkm5hJ/s728-e1000/image-2.jpg" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Preventing incremental passwords and requiring a minimum number of changes to an existing password</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	<span style="font-size:20px;"><strong>Wrapping Up</strong></span>
</p>

<p>
	<br />
	The Zola hack helps to emphasize the importance of preventing users from reusing passwords in business-critical environments. Password reuse leads to credential stuffing, password guessing, breached passwords, and many other types of password attacks. Specops Password Policy is a powerful tool that allows organizations to effectively prevent password reuse and incremental passwords, and to require a minimum number of changes to an existing password at the next password change.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2022/08/what-zola-hack-can-teach-us-about.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">7651</guid><pubDate>Thu, 11 Aug 2022 16:05:43 +0000</pubDate></item><item><title>This Mac hacker&#x2019;s code is so good, corporations keep stealing it</title><link>https://nsaneforums.com/news/security-privacy-news/this-mac-hacker%E2%80%99s-code-is-so-good-corporations-keep-stealing-it-r7650/</link><description><![CDATA[<p>
	<span style="font-size:20px;">Patrick Wardle is known for being a Mac malware specialist — but his work has traveled farther than he realized.</span>
</p>

<p>
	 
</p>

<p>
	A former employee of the NSA and NASA, he is also the founder of the Objective-See Foundation: a nonprofit that creates open-source security tools for macOS. The latter role means that a lot of Wardle’s software code is now freely available to download and decompile — and some of this code has apparently caught the eye of technology companies that are using it without his permission.
</p>

<p>
	<br />
	Wardle will lay out his case in a presentation on Thursday at the Black Hat cybersecurity conference with Tom McGuire, a cybersecurity researcher at Johns Hopkins University. The researchers found that code written by Wardle and released as open source has made its way into a number of commercial products over the years — all without the users crediting him or licensing and paying for the work.
</p>

<p>
	<br />
	The problem, Wardle says, is that it’s difficult to prove that the code was stolen, rather than implemented in a similar way by coincidence. Fortunately, because of Wardle’s skill in reverse-engineering software, he was able to make more progress than most.
</p>

<p>
	<br />
	“I was only able to figure [the code theft] out because I both write tools and reverse engineer software, which is not super common,” Wardle told The Verge in a call before the talk. “Because I straddle both of these disciplines I could find it happening to my tools, but other indie developers might not be able to, which is the concern.”
</p>

<p>
	<br />
	The thefts are a reminder of the precarious status of open-source code, which undergirds enormous portions of the internet. Open-source developers typically make their work available under specific licensing conditions — but since the code is often already public, there are few protections against unscrupulous developers who decide to take advantage. In one recent example, the Trump-backed Truth Social app allegedly lifted significant portions of code from the open-source Mastodon project, resulting in a formal complaint from Mastodon’s founder.
</p>

<p>
	<br />
	One of the central examples in Wardle’s case is a software tool called OverSight, which Wardle released in 2016. OverSight was developed as a way to monitor whether any macOS applications were surreptitiously accessing the microphone or webcam, with much success: it was effective not only as a way to find Mac malware that was surveilling users, but also to uncover the fact that a legitimate application like Shazam was always listening in the background.
</p>

<p>
	<br />
	Wardle — whose cousin Josh Wardle created the popular Wordle game — says he built OverSight because there wasn’t a simple way for a Mac user to confirm which applications were activating the recording hardware at a given time, especially if the applications were designed to run in secret. To solve this challenge, his software used a combination of analysis techniques that turned out to be unusual, and thus unique.
</p>

<p>
	 
</p>

<p>
	But years after OverSight was released, he was surprised to find a number of commercial applications incorporating similar application logic in their own products – even down to replicating the same bugs that Wardle’s code had.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="AA10xMJ8.img?w=534&amp;h=297&amp;m=6" class="ipsImage" data-ratio="55.62" height="297" width="534" src="https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA10xMJ8.img?w=534&amp;h=297&amp;m=6" />
</p>

<p style="text-align:center;">
	<span style="font-size:11px;">© Patrick Wardle</span>
</p>

<p style="text-align:center;">
	<span style="font-size:11px;">A slide from Wardle and McGuire’s DEFCON presentation</span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Three different companies were found to be incorporating techniques lifted from Wardle’s work in their own commercially sold software. None of the offending companies are named in the Black Hat talk, as Wardle says that he believes the code theft was likely the work of an individual employee, rather than a top-down strategy.
</p>

<p>
	<br />
	The companies also reacted positively when confronted about it, Wardle says: all three vendors he approached reportedly acknowledged that his code had been used in their products without authorization, and all eventually paid him directly or donated money to the Objective-See Foundation.
</p>

<p>
	<br />
	Code theft is an unfortunate reality, but by bringing attention to it, Wardle hopes to help both developers and companies protect their interests. For software developers, he advises that anyone writing code (whether open or closed source) should assume it will be stolen and learn how to apply techniques that can help uncover instances where this has happened.
</p>

<p>
	 
</p>

<p>
	For corporations, he suggests that they better educate employees on the legal frameworks surrounding reverse engineering another product for commercial gain. And ultimately, he hopes they’ll just stop stealing.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.msn.com/en-us/news/technology/this-mac-hacker-e2-80-99s-code-is-so-good-corporations-keep-stealing-it/ar-AA10xKa9" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">7650</guid><pubDate>Thu, 11 Aug 2022 15:54:52 +0000</pubDate></item><item><title>Cisco hit by cyberattack from hacker linked to Lapsus$ gang</title><link>https://nsaneforums.com/news/security-privacy-news/cisco-hit-by-cyberattack-from-hacker-linked-to-lapsus-gang-r7649/</link><description><![CDATA[<p>
	Cisco Systems Inc. said it was the victim of a cyberattack in which a hacker repeatedly attempted to gain access to the Silicon Valley firm's corporate network.
</p>

<p>
	<br />
	Cisco said it became aware of a potential compromise on May 24, and disclosed it on Wednesday after the hacker leaked a list of the files it had stolen on the dark web.
</p>

<p>
	<br />
	An investigation determined that the hacker broke into Cisco's network by cracking into an employee's personal Google account, which synchronized their saved passwords across the web, the San Jose, California-based company said in a blog post published on Wednesday. The attacker then pretended to be trusted organizations during phone calls with the employee and successfully persuaded the employee to accept a multifactor push authentication notification to their device. That allowed the hacker to gain access to Cisco's network using the employee's credentials.
</p>

<p>
	<br />
	Cisco had "not identified any evidence suggesting that the attacker gained access to critical internal systems, such as those related to product development, code signing, etc.," according to the blog. "The only successful data exfiltration that occurred during the attack included the contents of a Box folder that was associated with a compromised employee's account. The data obtained by the adversary in this case was not sensitive."
</p>

<p>
	<br />
	Investigators said they believe that the attack was conducted by an adversary who has previously been identified as an initial access broker for several notorious cybercrime groups: UNC2447, Lapsus$ and Yanluowang ransomware operators. Initial access brokers attempt to gain privileged access to corporate computer networks and then sell it to other hackers.
</p>

<p>
	<br />
	UNC2447 is an "aggressive financially motivated group" that has targeted organizations with ransomware in Europe and North America, the cybersecurity firm Mandiant concluded last year. Yanluowang, named after a Chinese deity, is a ransomware variant that has been used against US corporations since August 2021, according to Symantec. The Lapsus$ group was accused of going on a rampage of high-profile attacks against technology companies including Okta Inc., Microsoft Corp. and Nvidia Corp.
</p>

<p>
	<br />
	Bloomberg News reported that the suspected mastermind was a 16-year-old British teenager living at his mother's house.
</p>

<p>
	<br />
	Cisco said it found evidence that the hacker was preparing to encrypt files but hadn't managed to do so before they were detected and booted out. There were repeated attempts to regain access after the attacker had been evicted, according to Cisco.
</p>

<p>
	<br />
	The hack was previously reported by Bleeping Computer.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://techxplore.com/news/2022-08-cisco-cyberattack-hacker-linked-lapsus.html" rel="external nofollow">Source</a></strong>
</p>

<p>
	 
</p>

<p>
	<em>Also: Cisco Confirms It's Been Hacked by Yanluowang Ransomware Gang.</em>
</p>
]]></description><guid isPermaLink="false">7649</guid><pubDate>Thu, 11 Aug 2022 15:50:09 +0000</pubDate></item><item><title>GitHub's new privacy policy sparks backlash over tracking cookies</title><link>https://nsaneforums.com/news/security-privacy-news/githubs-new-privacy-policy-sparks-backlash-over-tracking-cookies-r7645/</link><description><![CDATA[<p>
	Developers are furious at GitHub's upcoming privacy policy changes that would allow GitHub to place tracking cookies on some of its subdomains.
</p>

<p>
	 
</p>

<p>
	The Microsoft subsidiary announced this month that it would be adding "non-essential cookies" on some marketing web pages starting in September, and offered a thirty-day "comment period" for users.
</p>

<h2>
	GitHub to add non-essential cookies on marketing pages
</h2>

<p>
	GitHub's present privacy policy (<a href="http://web.archive.org/web/20220811013117/https://docs.github.com/en/site-policy/privacy-policies/github-privacy-statement" rel="external nofollow" target="_blank">dated May 31, 2022</a>) states that the software development platform places only "strictly necessary" cookies on users' web browsers and adheres to W3C's standard concerning the "<a href="https://www.eff.org/issues/do-not-track" rel="external nofollow" target="_blank">Do Not Track</a>" (DNT) privacy preference, should it be set by users.
</p>

<p>
	 
</p>

<p>
	Effective September 1, 2022, however, GitHub will start placing non-essential cookies on its marketing subdomains like resources.github.com.
</p>

<p>
	 
</p>

<p>
	"GitHub is introducing non-essential cookies on web pages that market our products to businesses," <a href="https://github.com/github/site-policy/pull/582" rel="external nofollow" target="_blank">explains</a> Olivia Holder, GitHub's Senior Privacy Counsel.
</p>

<p>
	 
</p>

<p>
	"These cookies will provide analytics to improve the site experience and personalize content and ads for enterprise users."
</p>

<p>
	 
</p>

<p>
	Holder stresses, however, the change will only impact marketing webpages and select subdomains and that "Github.com will continue to operate as-is."
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="github-privacy-policy.jpg" class="ipsImage" data-ratio="75.10" height="370" width="720" src="https://www.bleepstatic.com/images/news/u/1164866/2022/Aug-2022/github-privacy/github-privacy-policy.jpg">
	</p>

	<div>
		<em>GitHub proposed privacy policy changes arriving September 2022 (GitHub)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	The non-essential cookies in this context, better known as "tracking cookies", refer to a class of cookies that are shared across multiple websites and web services.
</p>

<p>
	 
</p>

<p>
	These cookies may be used by third parties for delivering ads or for providing marketing, customization, and analytics features. But such cookies can make it easy to ascertain a user's browsing history and behavior across multiple sites, potentially allowing malicious actors to track this activity, <a href="https://www.f-secure.com/sw-desc/tracking_cookie.shtml" rel="external nofollow" target="_blank">explains</a> cybersecurity firm F-Secure.
</p>

<p>
	 
</p>

<p>
	While drawing everyone's attention to the new policy and a "30-day comment period," GitHub Security Engineer Lucas Garron pointed out GitHub's <a href="https://github.blog/2020-12-17-no-cookie-for-you/" rel="external nofollow" target="_blank">2020 blog post</a> where the platform had "removed all non-essential cookies" out of its commitment to "respecting the privacy of developers using our product."
</p>

<p>
	 
</p>

<p>
	Ironically, this month's <a href="https://github.blog/changelog/2022-08-02-privacy-statement-updates-adding-web-cookies-to-enterprise-marketing-subdomains/" rel="external nofollow" target="_blank">succinct announcement</a> explaining the introduction of tracking cookies retains much the same wording.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedOther" contenteditable="false">
	<iframe allowfullscreen="" class="ipsEmbed_finishedLoading" data-controller="core.front.core.autosizeiframe" data-embedid="embed2898922017" scrolling="no" src="https://nsaneforums.com/index.php?app=core&amp;module=system&amp;controller=embed&amp;url=https://twitter.com/lgarron/status/1556835002897207296?ref_src=twsrc%255Etfw%257Ctwcamp%255Etweetembed%257Ctwterm%255E1556835002897207296%257Ctwgr%255E6a53c781d409ff17d563aa73af82fb8bbf77a91d%257Ctwcon%255Es1_%26ref_url=https://www.bleepingcomputer.com/news/security/githubs-new-privacy-policy-sparks-backlash-over-tracking-cookies/" style="overflow: hidden; height: 786px;"></iframe>
</div>

<h2>
	Users criticize new policy wording, blame Microsoft
</h2>

<p>
	Reacting to GitHub's <a href="https://github.com/github/site-policy/pull/582/files" rel="external nofollow" target="_blank">new policy wording</a>, users sharply criticized the platform's decision, with some even considering leaving GitHub for GitLab.
</p>

<p>
	 
</p>

<p>
	"You lost me at 'ads for enterprise users,'" <a href="https://github.com/github/site-policy/pull/582#issuecomment-1203330510" rel="external nofollow" target="_blank">said</a> pentester and security engineer Jonathan Gregson.
</p>

<p>
	 
</p>

<p>
	"If that PR goes in, I'm out. I'm not going to be a part of this digital dystopia where I am just a product and where companies don't care about the people," <a href="https://github.com/github/site-policy/pull/582#issuecomment-1210505746" rel="external nofollow" target="_blank">states</a> user Willhelm Sokolov.
</p>

<p>
	 
</p>

<p>
	Some even blamed Microsoft, GitHub's parent company, for bringing such detrimental changes that have "<a href="https://github.com/github/site-policy/pull/582#issuecomment-1203337111" rel="external nofollow" target="_blank">undermined</a>" the platform.
</p>

<p>
	 
</p>

<p>
	But one of the devs had a slightly different take:
</p>

<p>
	 
</p>

<p>
	"Why are people getting so riled up when this change only impacts the Enterprise marketing subdomains? Makes no sense to me how this of all things is getting negative attention," <a href="https://github.com/github/site-policy/pull/582#issuecomment-1203451486" rel="external nofollow" target="_blank">commented</a> Evelyn Marie, a Rust and Android developer.
</p>

<p>
	 
</p>

<p>
	Marie further states that most GitHub users don't use Enterprise, an offering oriented toward businesses, and will likely never be inconvenienced by what are, after all, just cookies.
</p>

<p>
	 
</p>

<p>
	"Also, people love pointing the finger at Microsoft, as if this change was demanded by them. It more than likely wasn't. There are always going to be changes that people don't like, but not all changes are influenced by the parent company. If Microsoft was [putting] their hands all over GitHub, they probably would've moved GitHub to the Microsoft Policy Statement a long time ago," says Marie.
</p>

<p>
	 
</p>

<p>
	A lengthy debate ensued on the thread that has now garnered over 1,200 dislikes from the community. Some even drafted <a href="https://www.change.org/p/do-not-add-marketing-cookies-to-github?utm_medium=custom_url&amp;recruited_by_id=ad77a840-67d4-11eb-b732-93923c981918" rel="external nofollow" target="_blank">a change.org petition</a>, alleging that the new policy wording was "less transparent,... more unclear and confusing," and urged GitHub to drop marketing cookies altogether.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="petition.jpeg" class="ipsImage" data-ratio="62.50" height="405" width="720" src="https://www.bleepstatic.com/images/news/u/1164866/2022/Aug-2022/github-privacy/petition.jpeg">
	</p>

	<div>
		<em>Users draft a change.org petition for GitHub</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Those interested in reviewing the upcoming privacy policy updates can refer to the <a href="https://github.com/github/site-policy/pull/582/files" rel="external nofollow" target="_blank">changelog</a> on GitHub.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/githubs-new-privacy-policy-sparks-backlash-over-tracking-cookies/" rel="external nofollow">GitHub's new privacy policy sparks backlash over tracking cookies</a>
</p>
]]></description><guid isPermaLink="false">7645</guid><pubDate>Thu, 11 Aug 2022 08:41:53 +0000</pubDate></item><item><title>Beware: Intel 10th, 11th, 12th Gen CPUs have &#xC6;PIC flaw that does not need side channels</title><link>https://nsaneforums.com/news/security-privacy-news/beware-intel-10th-11th-12th-gen-cpus-have-%C3%A6pic-flaw-that-does-not-need-side-channels-r7644/</link><description><![CDATA[<p>
	A new security flaw dubbed <a href="https://www.neowin.net/news/beware-apple-m1-and-many-amd-ryzen-chips-found-vulnerable-to-side-channel-squip-attacks/" rel="external nofollow">"SQUIP" has recently hit AMD Zen and Apple M1 CPUs</a>; it exploits their multiple schedulers. Intel does not employ such a technique and hence is invulnerable to this particular side-channel attack.
</p>

<p>
	 
</p>

<p>
	However, Team Blue has also been found to be under threat from another CPU flaw, one that does not need a side-channel attack surface. The new flaw, dubbed "ÆPIC", exploits the Advanced Programmable Interrupt Controller (APIC) registers via memory-mapped I/O (MMIO); upon successful exploitation, a threat actor can read privileged information on a compromised system.
</p>

<p>
	 
</p>

<p>
	And so, although most systems are unaffected by this, the researchers have warned about systems that use Intel Software Guard Extensions (SGX), as it is privileged software and can expose data similar to how it has during previous vulnerabilities.
</p>

<p>
	 
</p>


<p>
	Here's how the security researchers have described ÆPIC:
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	ÆPIC Leak is the first CPU bug able to architecturally disclose sensitive data. It leverages a vulnerability in recent Intel CPUs to leak secrets from the processor itself: on most 10th, 11th and 12th generation Intel CPUs the APIC MMIO undefined range incorrectly returns stale data from the cache hierarchy.
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	[...]
</p>

<p>
	 
</p>

<p>
	A privileged attacker (Administrator or root) is required to access APIC MMIO. Thus, most systems are safe from ÆPIC Leak. However, systems relying on SGX to protect data from privileged attackers would be at risk, thus, have to be patched.
</p>

<p>
	 
</p>

<p>
	Intel has assigned the ID "CVE-2022-21233" to track the issue. It potentially affects all Intel CPUs from 10th Gen Ice Lake onward that use the new Sunny Cove core.
</p>

<p>
	 
</p>

<p>
	Source: <a href="https://aepicleak.com/" rel="external nofollow">ÆPIC Leak</a> via <a href="https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00657.html" rel="external nofollow">Intel</a>
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/beware-intel-10th-11th-12th-gen-cpus-have-pic-flaw-that-does-not-need-side-channels/" rel="external nofollow">Beware: Intel 10th, 11th, 12th Gen CPUs have ÆPIC flaw that does not need side channels</a>
</p>
]]></description><guid isPermaLink="false">7644</guid><pubDate>Thu, 11 Aug 2022 04:58:33 +0000</pubDate></item><item><title>Beware: Apple M1 and many AMD Ryzen chips found vulnerable to side-channel SQUIP attacks</title><link>https://nsaneforums.com/news/security-privacy-news/beware-apple-m1-and-many-amd-ryzen-chips-found-vulnerable-to-side-channel-squip-attacks-r7643/</link><description><![CDATA[<p>
	A new CPU vulnerability dubbed “SQUIP”, short for Scheduler Queue Usage via Interference Probing, has been discovered by security researchers. Apple M1 processors and AMD Zen-based Ryzen chips, among others, have been found vulnerable to this new security flaw.
</p>

<p>
	 
</p>

<p>
	The vulnerability is related to the multiple scheduler queues in CPUs. Intel, unlike Apple and AMD, uses a single scheduler in its architecture, which means it is not affected by SQUIP. The latter two, however, use multiple schedulers.
</p>

<p>
	 
</p>

<p>
	On the AMD side, SKUs with simultaneous multi-threading (SMT) technology are affected, which is nearly every AMD processor SKU out there except for a few models (We have listed them towards the end). The issue is tracked under the ID “CVE-2021-46778”.
</p>

<p>
	 
</p>


<p>
	Here is a summary and mitigation measures provided by AMD:
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	<strong>Summary</strong>
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	Execution unit scheduler contention may lead to a side channel vulnerability found on AMD CPU microarchitectures codenamed “Zen 1”, “Zen 2” and “Zen 3” that use simultaneous multithreading (SMT). By measuring the contention level on scheduler queues an attacker may potentially leak sensitive information.
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	<strong>Mitigation</strong>
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	AMD recommends software developers employ existing best practices, including constant-time algorithms and avoiding secret-dependent control flows where appropriate to help mitigate this potential vulnerability.
</p>

<p>
	 
</p>

<p>
	The AMD Ryzen SKUs that are <span style="font-size:16px;"><strong>not </strong></span>affected by the SQUIP vulnerability are given below, starting from first-gen Zen 1 to Zen 3:
</p>

<p>
	 
</p>

<ul>
	<li>
		Ryzen 1000 (Zen 1)
		<ul>
			<li>
				Ryzen 3 1200
			</li>
			<li>
				Ryzen 3 1300X
			</li>
		</ul>
	</li>
	<li>
		Ryzen 2000 (Zen 1+)
		<ul>
			<li>
				Ryzen 3 2300X
			</li>
		</ul>
	</li>
	<li>
		Ryzen 3000 (Zen 2)
		<ul>
			<li>
				Ryzen 5 3500
			</li>
			<li>
				Ryzen 5 3500X
			</li>
		</ul>
	</li>
	<li>
		Athlon 3000/4000 (Zen 2)
		<ul>
			<li>
				Athlon Gold 3150G/GE
			</li>
			<li>
				Athlon Gold 4150G/GE
			</li>
		</ul>
	</li>
</ul>

<p>
	 
</p>

<p>
	Aside from the CPUs listed above, <strong>all other</strong> Ryzen, Athlon, Threadripper and EPYC processors are affected by SQUIP since they come with SMT.
</p>

<p>
	 
</p>

<p>
	Meanwhile, for Apple, it is said that the M1 is vulnerable to SQUIP. Interestingly, no mention of M2 has been made, which could mean that the flaw has been resolved in the case of the latter.
</p>

<p>
	 
</p>

<p>
	Source: <a href="https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1039" rel="external nofollow">AMD</a> via The Register (<a href="https://regmedia.co.uk/2022/08/08/squip_paper.pdf" rel="external nofollow">PDF</a>)
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/beware-apple-m1-and-many-amd-ryzen-chips-found-vulnerable-to-side-channel-squip-attacks/" rel="external nofollow">Beware: Apple M1 and many AMD Ryzen chips found vulnerable to side-channel SQUIP attacks</a>
</p>
]]></description><guid isPermaLink="false">7643</guid><pubDate>Thu, 11 Aug 2022 04:57:30 +0000</pubDate></item><item><title>Kashmir University data breach: Hacker claims to have acquired data of one million students</title><link>https://nsaneforums.com/news/security-privacy-news/kashmir-university-data-breach-hacker-claims-to-have-acquired-data-of-one-million-students-r7621/</link><description><![CDATA[<p>
	<span style="font-size:16px;">A hacker has claimed to have acquired data of one million students from the University of Kashmir database and offered them for sale on the dark web. The University, in its official statement, has said that they are looking into the alleged incident.</span>
</p>

<p>
	 
</p>

<p>
	The matter came to light earlier this week when Indian tech journalist Abhishek Verma spotted a post by the hacker, who goes by “ViktorLustig” on a dark web hacking-related forum called Breached Forums. The forum is a popular one and several other hackers have shared data hacked by them on Breached Forums in the past.
</p>

<p>
	<br />
	ViktorLustig claimed that he had data including student info, registration numbers, and email passwords of over one million students of the University. He offered to sell the data for USD 250. He made this post on Breached Forums on August 6.
</p>

<p>
	<br />
	Shortly thereafter, the administrator of the forum responded to Verma saying that the database is genuine. However, by Wednesday, ViktorLustig’s post had been deleted. It is not yet clear whether it was deleted because he had found a buyer or for some other reason.
</p>

<p>
	<br />
	Meanwhile, student bodies of the University took up the matter with the authorities and on Wednesday, the University released a statement regarding the incident stating that as per the preliminary analysis, the data in their database is unmodified, meaning that it does not appear to have been tampered with in any way.
</p>

<p>
	<br />
	"Any breach on data (which is already accessible in public domain) is being analyzed in-depth and depending upon the analysis, University will take further course of action and take an appropriate legal recourse accordingly," the statement said.
</p>

<p>
	<br />
	Cyber law enforcement agencies, too, are tracking the development. Officials said it is too early to say whether any actual damage was caused to the database or whether a hacker simply got into the database, took whatever he could and then made the claim on the dark web forum.
</p>

<p>
	<br />
	<strong><a href="https://www.msn.com/en-in/news/other/kashmir-university-data-breach-hacker-claims-to-have-acquired-data-of-one-million-students/ar-AA10wnQ9" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">7621</guid><pubDate>Wed, 10 Aug 2022 15:28:32 +0000</pubDate></item><item><title>WhatsApp Announces More Upcoming Privacy Features</title><link>https://nsaneforums.com/news/security-privacy-news/whatsapp-announces-more-upcoming-privacy-features-r7612/</link><description><![CDATA[<h3>
	<img alt="WhatsApp-New-Features-for-More-Privacy-M" class="ipsImage" data-ratio="61.53" height="404" width="720" src="https://ourdigitech.com/ServerSide/wp-content/uploads/2022/08/WhatsApp-New-Features-for-More-Privacy-More-Protection-More-Control.png.webp">
</h3>

<h3>
	The newer privacy features include the ability to leave groups silently, choose who can see when you’re online and screenshot blocking for view once messages.
</h3>

<p>
	In many countries of the world, WhatsApp is synonymous with messaging. Really, each and every phone in these countries contains WhatsApp and most people use it daily. WhatsApp has long remained the number one app in app stores. Now that WhatsApp Web no longer requires an active smartphone connection, its usage has reached computers too.
</p>

<p>
	 
</p>

<p>
	Regular use of any app means the security and privacy of its users need to be taken care of. Improving them is always a progressive effort that happens over time. It looks like the upcoming updates to WhatsApp take that further.
</p>

<p>
	 
</p>

<p>
	In a <a href="https://blog.whatsapp.com/new-features-for-more-privacy-more-protection-more-control" rel="external nofollow" target="_blank">blog post</a>, WhatsApp has announced new privacy features for its chat client. Three main improvements have been announced. These improvements include the ability to leave groups silently, choose who can see when you’re online and screenshot blocking for view once messages.
</p>

<h3>
	Official Announcement
</h3>

<p>
	The official announcement and explanation for each of the features is as follows:
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>Leave Groups Silently</strong>: We love our group chats but some are not forever. We’re making it possible to exit a group privately without making it a big deal to everyone. Now, instead of notifying the full group when you are leaving, only the admins will be notified. This feature will start to roll out to all users this month.
	</li>
	<li>
		<strong>Choose Who Can See When You’re Online</strong>: Seeing when friends or family are online helps us feel connected to one another, but we’ve all had times when we wanted to check our WhatsApp privately. For the moments you want to keep your online presence private, we’re introducing the ability to select who can and can’t see when you’re online. This will start rolling out to all users this month.
	</li>
	<li>
		<strong>Screenshot Blocking For View Once Messages</strong>: <a href="https://blog.whatsapp.com/view-once-photos-and-videos-on-whatsapp" rel="external nofollow" target="_blank">View Once</a> is already an incredibly popular way to share photos or media that don’t need to have a permanent digital record. Now we’re enabling screenshot blocking for View Once messages for an added layer of protection. We’re testing this feature now and are excited to roll it out to users soon.
	</li>
</ul>

<p>
	 
</p>

<p>
	It also posted a short video on Twitter showing the same.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedOther" contenteditable="false">
	<iframe allowfullscreen="" class="ipsEmbed_finishedLoading" data-controller="core.front.core.autosizeiframe" data-embedid="embed614586498" scrolling="no" src="https://nsaneforums.com/index.php?app=core&amp;module=system&amp;controller=embed&amp;url=https://twitter.com/WhatsApp/status/1557004127170924546?ref_src=twsrc%255Etfw%257Ctwcamp%255Etweetembed%257Ctwterm%255E1557004127170924546%257Ctwgr%255E84c67b8a866d28148dea43ba222f4fdbc89f5299%257Ctwcon%255Es1_%26ref_url=https://ourdigitech.com/software/whatsapp-announces-more-upcoming-privacy-features/" style="overflow: hidden; height: 874px;"></iframe>
</div>

<p>
	 
</p>

<p>
	To take the point further, it explained the same in even simpler terms in the <a href="https://twitter.com/WhatsApp/status/1557004130283044866" rel="external nofollow" target="_blank">follow-up tweets</a>:
</p>

<figure>
	<p>
		<picture><source sizes="(max-width: 598px) 100vw, 598px" srcset="https://ourdigitech.com/ServerSide/wp-content/uploads/2022/08/WhatsApp-on-Twitter.png.webp 598w, https://ourdigitech.com/ServerSide/wp-content/uploads/2022/08/WhatsApp-on-Twitter-300x197.png.webp 300w" type="image/webp"></source></picture><img alt="WhatsApp-on-Twitter.png.webp" class="ipsImage" data-ratio="65.55" height="392" width="598" src="https://ourdigitech.com/ServerSide/wp-content/uploads/2022/08/WhatsApp-on-Twitter.png.webp">
	</p>

	<figcaption>
		<em>WhatsApp privacy update message on Twitter.</em>
	</figcaption>
</figure>

<p>
	Honestly, these features are very welcome. Hopefully the privacy improvements continue.
</p>

<p>
	 
</p>


<p>
	<a href="https://ourdigitech.com/software/whatsapp-announces-more-upcoming-privacy-features/" rel="external nofollow">WhatsApp Announces More Upcoming Privacy Features</a>
</p>
]]></description><guid isPermaLink="false">7612</guid><pubDate>Wed, 10 Aug 2022 09:50:24 +0000</pubDate></item><item><title>The differences between Windows account PINs and passwords</title><link>https://nsaneforums.com/news/security-privacy-news/the-differences-between-windows-account-pins-and-passwords-r7584/</link><description><![CDATA[<p>
	Microsoft's Windows 10 and 11 operating systems support several different account authentication options. There is the classic local user account and password option, the Microsoft account and password option, and options provided by Windows Hello. Use of a PIN is the most common one, as Microsoft is pushing it specifically.
</p>

<p>
	 
</p>

<p>
	<img alt="windows-pin-password-security.png" class="ipsImage" data-ratio="75.10" height="297" width="720" src="https://www.ghacks.net/wp-content/uploads/2022/08/windows-pin-password-security.png">
</p>


<p>
	 
</p>


<p>
	Some Windows users might wonder which option is the most secure or most convenient. The answer is not as straightforward as it may seem. Using a PIN to sign in may look inferior at first glance, as it is a four-digit number by default; but is that really the case?
</p>

<p>
	 
</p>

<p>
	Let's take a closer look at the different options and their characteristics.
</p>

<p>
	 
</p>

<ul>
	<li>
		Local account with password -- works on a single local computer only. No online restoration options, but also no online attacks, e.g., on Microsoft sites against the username. No online monitoring or recovery options.
	</li>
	<li>
		Microsoft account with password -- works universally. One password for the account, regardless of number of devices. Options to restore and monitor access online. May be attacked online.
	</li>
	<li>
		Microsoft account with PIN -- works only on the computer the PIN has been set on. Restore options provided via the Microsoft account. No online attacks, as it is local.
	</li>
</ul>

<p>
	 
</p>

<p>
	Protecting a Windows PC with a PIN combines the local-only nature of a local account password with the benefits that a Microsoft account offers. The PIN is stored locally, which means it is safe from many online attacks. Local attacks are limited as well, as Microsoft prevents fast brute-force attacks against user account PINs by artificially limiting attempts. It may still be possible to guess the PIN, especially if information about the user is available. Windows users may, and should, improve the security of PIN access by using more than four alphanumeric characters.
</p>

<p>
	 
</p>

<p>
	Successfully gaining access to a Windows user account that is protected by a PIN does not give automatic access to the Microsoft Account of the user. The Microsoft Account password, <a data-wpel-link="internal" href="https://www.ghacks.net/2021/09/15/you-can-enable-passwordless-sign-in-for-your-microsoft-account-now/" rel="external nofollow">or the passwordless option</a>,  is still required to gain access to the account.
</p>

<p>
	 
</p>

<p>
	On the other hand, access to a user account may open a can of worms. One example: email programs or email services may be accessed, and the linked email accounts may be used for verification requests. Therefore, it is essential to pick a secure PIN if there is a chance that someone else may have access to the device.
</p>

<p>
	 
</p>

<p>
	Users who want to be even safer may want to explore options to fully encrypt the device; this adds another layer of security to the sign-in process, as the password to decrypt the entire PC needs to be supplied first before PIN or password prompts are even shown.
</p>

<p>
	 
</p>

<p>
	<strong>Now You: </strong>how do you secure your user accounts?
</p>

<p>
	 
</p>


<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2022/08/08/the-differences-between-windows-account-pins-and-passwords/" rel="external nofollow">The differences between Windows account PINs and passwords</a>
</p>
]]></description><guid isPermaLink="false">7584</guid><pubDate>Mon, 08 Aug 2022 20:02:16 +0000</pubDate></item><item><title>Your next Phishing email may come straight from PayPal</title><link>https://nsaneforums.com/news/security-privacy-news/your-next-phishing-email-may-come-straight-from-paypal-r7583/</link><description><![CDATA[<p>
	Malicious actors have started to exploit a loophole in the defenses of many home users, organizations, email and security services, to send out phishing emails from legitimate services.
</p>

<p>
	 
</p>

<p>
	<img alt="paypal-fake-phishing-invoice.png" class="ipsImage" data-ratio="75.10" height="407" width="720" src="https://www.ghacks.net/wp-content/uploads/2022/08/paypal-fake-phishing-invoice.png">
</p>

<p>
	<em>image credit: Avanan</em>
</p>

<p>
	 
</p>

<p>
	Threat actors have found a way to send phishing emails using the tools and services provided by legitimate companies such as PayPal or QuickBooks.
</p>

<p>
	 
</p>


<p>
	Most phishing emails come from unrelated domains; experienced users may spot these right away, and so do many antivirus solutions. Using a domain that is on an allow list, on the other hand, adds trust to the email.
</p>

<p>
	 
</p>

<p>
	Phishing emails that come directly from PayPal have a greater chance of slipping through defenses because of that. Email providers and antivirus solutions may not want to block all emails coming from PayPal, as it is a legitimate service.
</p>

<p>
	 
</p>

<p>
	Security researchers at <a data-wpel-link="external" href="https://www.avanan.com/blog/sending-phishing-emails-from-paypal" rel="external nofollow" target="_blank">Avanan</a>, a CheckPoint company, discovered a new phishing attack in June 2022 that used free PayPal accounts to "send malicious invoices and requests". Similar to the QuickBooks invoice phishing campaign, the campaign used the legitimacy of PayPal to push past most defenses to land in the inbox of the users it attacked.
</p>

<p>
	 
</p>

<p>
	PayPal users may send invoices and money requests using the service. The attackers created free PayPal accounts to create fake invoices and money requests. They changed invoice data to look legitimate, e.g., by using names of respected companies, such as Norton.
</p>

<p>
	 
</p>

<p>
	Victims who find the phishing emails in their inboxes may believe they are legitimate, as they come from an official PayPal domain and not an unrelated site.
</p>

<p>
	 
</p>

<p>
	Attacked users may be inclined to call the provided phone number and/or pay the invoice. Any attempt to contact the company named in the fake invoice leads to communication with the attacker. While some of the attacked users may open the legitimate website of the company that allegedly sent the invoice, most may use the contact information provided in the invoice to do so.
</p>

<p>
	 
</p>

<p>
	Avanan published three suggestions to combat this phishing trend:
</p>

<p>
	 
</p>

<ul>
	<li>
		Look up any number online before calling it to make sure it is legitimate.
	</li>
	<li>
		Implement additional security protections to defend against these kinds of phishing emails.
	</li>
	<li>
		Users who work in organizations should be trained to contact IT when in doubt.
	</li>
</ul>

<h3>
	Closing Words
</h3>

<p>
	The new phishing attack uses the tools that legitimate services and businesses provide to improve the legitimacy of the attack and bypass certain defenses.
</p>

<p>
	 
</p>

<p>
	One of the best options against this type of attack is to use common sense. Take an invoice for Norton Antivirus as an example: if you have no business relationship with Norton, then it is either a fake (very likely) or sent accidentally.
</p>

<p>
	 
</p>

<p>
	When in doubt, either contact IT support directly if that is an option, or open the website of the company in question to contact their support directly.
</p>

<p>
	 
</p>

<p>
	New phishing attacks have come to light recently. Microsoft described an attack that <a data-wpel-link="internal" href="https://www.ghacks.net/2022/07/17/office-phishing-attack-circumvents-multi-factor-authentication/" rel="external nofollow">targeted Office users and was able to circumvent two-factor authentication protections</a>. A similar attack was revealed by <a data-wpel-link="internal" href="https://www.ghacks.net/2022/08/04/another-phishing-attack-that-bypasses-multi-factor-authentication-targets-microsoft-email-users/" rel="external nofollow">security researchers at Zscaler</a>.
</p>

<p>
	 
</p>

<p>
	<strong>Now You:</strong> did you ever get phishing emails from legitimate domains? (via <a data-wpel-link="external" href="https://borncity.com/win/2022/08/06/hacker-versenden-phishing-mails-ber-paypal-domnen/" rel="external nofollow" target="_blank">Born</a>)
</p>

<p>
	 
</p>


<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2022/08/08/your-next-phishing-email-may-come-straight-from-paypal/" rel="external nofollow">Your next Phishing email may come straight from PayPal</a>
</p>
]]></description><guid isPermaLink="false">7583</guid><pubDate>Mon, 08 Aug 2022 20:00:09 +0000</pubDate></item><item><title>After Pushback, DuckDuckGo's Browser Will Block Microsoft Trackers</title><link>https://nsaneforums.com/news/security-privacy-news/after-pushback-duckduckgos-browser-will-block-microsoft-trackers-r7570/</link><description><![CDATA[<p>
	<span style="font-size:20px;">The third-party tracking scripts DuckDuckGo blocks from loading on websites will now include scripts from Microsoft in its browsing apps and browser extensions.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:18px;"><strong>UPDATE</strong></span>: DuckDuckGo now says it will crack down on Microsoft trackers.
</p>

<p>
	<br>
	The company <span style="color:#2980b9;">says</span> it will "expand the third-party tracking scripts we block from loading on websites to include scripts from Microsoft in our browsing apps (iOS and Android) and our browser extensions (Chrome, Firefox, Safari, Edge and Opera), with beta apps to follow in the coming month."
</p>

<p>
	<br>
	An exception is the bat.bing.com domain, a tool within Microsoft Advertising that lets advertisers see if people's clicks turned into purchases.
</p>

<p>
	<br>
	"Currently, if an advertiser wants to detect conversions for their own ads that are shown on DuckDuckGo, 3rd-Party Tracker Loading Protection will not block bat.bing.com requests from loading on the advertiser’s website following DuckDuckGo ad clicks, but these requests are blocked in all other contexts. For anyone who wants to avoid this, it's possible to disable ads in DuckDuckGo search settings," DuckDuckGo says.
</p>

<p>
	<br>
	<span style="font-size:18px;"><strong>Original Story 5/25:</strong></span>
</p>

<p>
	<br>
	DuckDuckGo's browser for iOS, Android, and macOS reportedly allows Microsoft trackers to operate despite claiming that it "automatically blocks hidden third-party trackers" for its users.
</p>

<p>
	<br>
	This exception to DuckDuckGo's tracker protections was revealed by security researcher Zach Edwards on May 23, BleepingComputer<span style="color:#2980b9;"> reports</span>. Edwards tweeted evidence of DuckDuckGo's browser allowing trackers used by LinkedIn and Bing to load on the website for <span style="color:#2980b9;">Workplace</span>:
</p>

<p>
	<br>
	<span style="color:#2980b9;"> Tweet</span>
</p>

<p>
	<br>
	DuckDuckGo CEO Gabriel Weinberg <span style="color:#2980b9;">said </span>on May 23 that "our Microsoft search syndication agreement prevents us from doing more to Microsoft-owned properties" and that his company has "been continually pushing and expect to be doing more soon."
</p>

<p>
	<br>
	But it's still unclear how exactly DuckDuckGo handles Microsoft's trackers. Weinberg says:
</p>

<p>
	<br>
	<span style="color:#2980b9;"> Tweet</span>
</p>

<p>
	<br>
	Weinberg offered additional clarification in a<span style="color:#2980b9;"> post</span> on the Hacker News forum:
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	"This is just about non-DuckDuckGo and non-Microsoft sites in our browsers, where our search syndication agreement currently prevents us from stopping Microsoft-owned scripts from loading, though we can still apply our browser's protections post-load (like 3rd party cookie blocking and others mentioned above, and do). We've also been tirelessly working behind the scenes to change this limited restriction. I also understand this is confusing because it is a search syndication contract that is preventing us from doing a non-search thing. That's because our product is a bundle of multiple privacy protections, and this is a distribution requirement imposed on us as part of the search syndication agreement. Our syndication agreement also has broad confidentiality provisions and the requirement documents themselves are explicitly marked confidential."
</p>

<p style="margin-left:40px;">
	 
</p>

<p>
	DuckDuckGo has also updated the description of its browser in the <span style="color:#2980b9;">App Store</span> to read: "Note About our Tracker Blocking: While we block all cross-site (3rd party) cookies on other sites you visit, we cannot block all hidden tracking scripts on non-DuckDuckGo sites for a variety of reasons including: new scripts pop up all the time making them difficult to find, blocking some scripts creates breakage making parts or all of the page unusable, some we are prevented from blocking due to contractual restrictions with Microsoft."
</p>

<p>
	<br>
	In a statement, a DuckDuckGo spokesperson told us: "We are doing a lot to block [Microsoft] tracking, including blocking third-party cookies. It is not true to say we're not blocking anything from [Microsoft] at all. Only one part of multiple privacy protections we offer is impacted by the agreement." It also stressed that the deal with Microsoft "has no bearing on our search results."
</p>

<p>
	<br>
	The spokesperson says too that "folks who use the DuckDuckGo browser on mobile or macOS (in beta) are still getting significantly more privacy protection by default with DuckDuckGo than they would using Safari, Firefox, Chrome and other browsers" and that DuckDuckGo has "never promised 100% protection because it's not possible for a number of reasons."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.pcmag.com/news/duckduckgos-browser-wont-block-microsofts-trackers" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">7570</guid><pubDate>Mon, 08 Aug 2022 15:24:10 +0000</pubDate></item><item><title>Cybercriminals Are Using Bots to Steal Online Pharmacy Accounts</title><link>https://nsaneforums.com/news/security-privacy-news/cybercriminals-are-using-bots-to-steal-online-pharmacy-accounts-r7569/</link><description><![CDATA[<p style="margin-left:40px;">
	<span style="color:#c0392b;"><span style="font-size:20px;"><strong>What's happening</strong></span></span>
</p>

<p style="margin-left:40px;">
	<br />
	Researchers for the cybersecurity company Kasada say cybercriminals are increasingly using bots to crack the passwords of online pharmacy accounts and steal access to them.
</p>

<p style="margin-left:40px;">
	<br />
	<span style="color:#c0392b;"><span style="font-size:20px;">Why it matters</span></span>
</p>

<p style="margin-left:40px;">
	<br />
	Some of those accounts are connected to prescriptions for dangerous and highly addictive drugs, which could later be sold on the black market.
</p>

<p style="margin-left:40px;">
	 
</p>

<p>
	Cybercriminals are increasingly deploying software bots to commandeer the online pharmacy accounts of everyday people, according to new research, allowing hackers to illegally buy prescription drugs and depriving patients of needed medications.
</p>

<p>
	<br />
	Researchers at Kasada, an Australia-based cybersecurity firm that focuses on bots, said they first spotted credential-stuffing attacks against online pharmacy accounts in April. In the months since, the researchers say they've seen tens of thousands of stolen online pharmacy accounts, a number that has ballooned five times over the last 60 days.
</p>

<p>
	<br />
	The stolen accounts included some with prescriptions for highly controlled and addictive medicines, such as Adderall and oxycodone, according to Kasada. Prices for the accounts ranged from just a few dollars to several hundred. Based on the volume of sales they've spotted over the past month, Kasada's researchers estimate that a single cybercriminal could make more than $25,000 per month selling stolen pharmacy accounts.
</p>

<p>
	<br />
	"This is one of the most egregious and dangerous uses of bots we've ever observed," Sam Crowther, Kasada founder and CEO, wrote in the report released ahead of the annual Black Hat cybersecurity conference in Las Vegas, Nevada.
</p>

<p>
	<br />
	To take over the accounts, cybercriminals load automated account-cracking tools, many of which are open source and widely available, with bots similar to those used for scalping high-demand items like concert tickets and collectible sneakers, Kasada said. The tools then bombard a pharmacy's website or mobile app with stolen usernames and passwords until a few of the combinations work and allow the cybercriminal to take over the accounts.
</p>

<p>
	<br />
	At that point, the cybercriminal can extract prescription and other sensitive information like the customer's name, birth date, phone number and method of payment. Those profiles are then put up for sale on online marketplaces, where drug seekers can choose and buy an account based on what kinds of prescriptions they're looking for, Kasada said.
</p>

<p>
	<br />
	In addition to painkillers and amphetamines, the researchers say they've seen other medications, including cough suppressants, anti-seizure drugs and anti-anxiety treatments available for purchase.
</p>

<p>
	<br />
	To purchase the drugs, the account buyer could either use the credit card associated with the account, then change the shipping address, or pick up the prescription at their local pharmacy using the personal information associated with the account, such as the legitimate customer's birthdate to identify themselves.
</p>

<p>
	<br />
	From there, the purchaser can consume the drugs or resell them for a premium. Either option potentially puts dangerous drugs into the hands of people who shouldn't have them, Kasada said.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.cnet.com/tech/services-and-software/cybercriminals-using-bots-to-steal-online-pharmacy-accounts/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">7569</guid><pubDate>Mon, 08 Aug 2022 15:10:26 +0000</pubDate></item><item><title>Twitter Confirms Data Breach as 5.4M Accounts Sold on Hacker Forum</title><link>https://nsaneforums.com/news/security-privacy-news/twitter-confirms-data-breach-as-54m-accounts-sold-on-hacker-forum-r7563/</link><description><![CDATA[<p>
	<span style="font-size:24px;"><strong>Twitter was forced to investigate the incident when a hacker offered the personal details of 5.4 million Twitter users on a hacker forum for $30,000 last month.</strong></span>
</p>

<p>
	<br />
	On Friday, Twitter confirmed that a threat actor exploited a <span style="color:#2980b9;"><strong>vulnerability</strong></span> that risked user privacy on the platform. The company revealed that this breach had a “global impact,” and it is yet unclear exactly how many Twitter accounts got impacted.
</p>

<p>
	<br />
	<span style="font-size:24px;"><strong>Details of the Breach</strong></span>
</p>

<p>
	<br />
	According to Twitter’s <span style="color:#2980b9;"><strong>press blog</strong></span>, the vulnerability was exploited to match private data with pseudonymous Twitter accounts. Reportedly, the vulnerability lets a bad actor match phone numbers or email IDs to any Twitter account linked to that information and identify the user.
</p>

<p>
	<br />
	A Twitter spokesperson explained that passwords weren’t compromised in this breach that occurred in January 2022.
</p>

<p>
	<br />
	It is worth noting that around two weeks back, a hacker named “Devil” was offering email IDs and phone numbers linked to the impacted accounts on a hacker forum which surfaced as an alternative to the popular and <span style="color:#2980b9;"><strong>now-seized Raidforums</strong></span>. The hacker was selling the data for no less than $30,000.
</p>

<p>
	<br />
	The post was connected to a vulnerability in Twitter, which was discovered in January 2022 by a security researcher. The flaw was discovered via HackerOne’s bug bounty platform, which Twitter uses, and Twitter paid a bug bounty worth $5,040 for the issue.
</p>

<p>
	<br />
	The bug that caused the breach originated from an update to Twitter’s code in June 2021 and was fixed quickly, said Twitter.
</p>

<p>
	<br />
	On the other hand, according to the hacker, the impacted accounts were of “celebrities, OGs, and companies, among others.” On 22 July 2022, Twitter announced it would investigate the information posted by Devil.
</p>

<p>
	<br />
	On Friday, it confirmed that the data was legitimate and was stolen by exploiting the same bug that was fixed.
</p>

<p style="margin-left:40px;">
	<br />
	<strong><span style="font-size:20px;"> “We take our responsibility to protect your privacy very seriously and it is unfortunate that this happened.”</span></strong>
</p>

<p style="margin-left:40px;">
	<br />
	 Twitter
</p>

<p>
	<br />
	It is worth noting that at the time of publishing this article, the hacker had removed their advertisement from the hacker forum. The screenshot below, however, shows what the hacker was offering for sale:
</p>


<p>
	 
</p>

<p style="text-align:center;">
	<img alt="twitter-data-breach-hack-vulnerability.j" class="ipsImage" data-ratio="51.81" height="316" width="720" src="https://www.hackread.com/wp-content/uploads/2022/08/twitter-data-breach-hack-vulnerability.jpg" />
</p>

<p style="text-align:center;">
	<span style="font-size:11px;"><em>Image credit: Restore Privacy</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	<span style="font-size:24px;"><strong>The Nation-State Hacker Connection</strong></span>
</p>

<p>
	<br />
	The social media giant urges users to avoid adding information like a publicly known email ID or contact number to their Twitter accounts if they want to protect their identity from nation-state actors and other hackers.
</p>

<p>
	<br />
	Twitter further added that people with anonymous accounts could be easy targets for state-backed hackers. The data could be valuable for countries like China, Russia, North Korea, Iran, or Saudi Arabia as state actors are always looking for private accounts and often employ <span style="color:#2980b9;"><strong>social engineering</strong></span> to reveal personal information.
</p>

<p>
	<br />
	Affected users will be notified accordingly. The company has decided to publish the update as it cannot confirm every account impacted by this breach. Although passwords weren’t exposed, the company asked users to enable <span style="color:#2980b9;"><strong>2FA</strong></span> and other security measures. It is, however, unclear if the hacker sold the data or not.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.hackread.com/twitter-data-breach-accounts-sold-hacker-forum/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">7563</guid><pubDate>Sun, 07 Aug 2022 20:46:55 +0000</pubDate></item><item><title>New GwisinLocker ransomware encrypts Windows and Linux ESXi servers</title><link>https://nsaneforums.com/news/security-privacy-news/new-gwisinlocker-ransomware-encrypts-windows-and-linux-esxi-servers-r7538/</link><description><![CDATA[<p>
	A new ransomware family called 'GwisinLocker' targets South Korean healthcare, industrial, and pharmaceutical companies with Windows and Linux encryptors, including support for encrypting VMware ESXi servers and virtual machines.
</p>

<p>
	<br />
	The new malware is the product of a lesser-known threat actor dubbed Gwisin, which means "ghost" in Korean. The actor is of unknown origin but appears to have a good knowledge of the Korean language.
</p>

<p>
	<br />
	Also, the attacks coincided with Korean public holidays and occurred during early morning hours, so Gwisin has a good grasp of the country's culture and business routines.
</p>

<p>
	<br />
	Reports about Gwisin and its activities first appeared on South Korean media outlets late last month, when the threat actor compromised large pharmaceutical firms in the country.
</p>

<p>
	<br />
	On Wednesday, Korean cybersecurity experts at AhnLab published a report on the Windows encryptor, and yesterday, security researchers at ReversingLabs published their technical analysis of the Linux version.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>Targeting Windows and Linux servers</strong></span>
</p>

<p>
	<br />
	When GwisinLocker encrypts Windows devices, the infection begins with the execution of an MSI installer file, which requires special command line arguments to properly load the embedded DLL that acts as the ransomware encryptor.
</p>

<p>
	<br />
	Requiring command-line arguments makes it harder for security researchers to analyze the ransomware.
</p>

<p>
	<br />
	When the proper command-line arguments are provided, the MSI will decrypt its internal DLL (the ransomware) and inject it into a Windows process to evade AV detection; the target process is different for each victim company.
</p>

<p>
	<br />
	The configuration sometimes includes an argument that sets the ransomware to operate in safe mode. In those cases, it copies itself to a ProgramData subfolder, registers as a service, and then forces a reboot in safe mode.
</p>

<p>
	<br />
	For the Linux version analyzed by ReversingLabs, the encryptor focuses strongly on encrypting VMware ESXi virtual machines, including two command-line arguments that control how the Linux encryptor will encrypt virtual machines.
</p>

<p>
	<br />
	The command-line arguments for the GwisinLocker Linux encryptor are listed below:
</p>

<pre><code>Usage: Usage
-h, --help    show this help message and exit
Options
-p, --vp= Comma-separated list of paths to encrypt
-m, --vm= Kills VM processes if 1; Stops services and processes if 2
-s, --vs= Seconds to sleep before execution
-z, --sf= Skip encrypting ESXi-related files (those excluded in the configuration)
-d, --sd= Self-delete after completion
-y, --pd= Writes the specified text to a file of the same name
-t, --tb= Enters loop if Unix time is </code></pre>

<p>
	These arguments include the <span style="color:#c0392b;">--vm</span> flag, which will execute the following commands to enumerate ESXi virtual machines and shut them down.
</p>

<pre><code>esxcli --formatter=csv --format-param=fields=="DisplayName,WorldID" vm process list

esxcli vm process kill --type=force --world-id="[ESXi] Shutting down - %s"</code></pre>

<p>
	To avoid rendering the Linux server unusable, GwisinLocker will exclude the following directories from encryption.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="exluded-processes.png" class="ipsImage" data-ratio="12.64" height="89" width="704" src="https://www.bleepstatic.com/images/news/u/1220909/ransomware/exluded-processes.png" />
</p>

<p style="text-align:center;">
	<span style="font-size:11px;"><strong>Processes excluded from encryption</strong> (ReversingLabs)</span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Unless the<span style="color:#c0392b;"> --sf </span>command-line argument is used, the Linux ransomware will also exclude specific VMware ESXi-related files (state.tgz, useropts.gz, jumpstrt.gz, etc.) to prevent the server from becoming unbootable.
</p>

<p>
	<br />
	Finally, the ransomware terminates several Linux daemons before initiating encryption to make their data available for the locking process.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="killed-services.png" class="ipsImage" data-ratio="12.34" height="87" width="705" src="https://www.bleepstatic.com/images/news/u/1220909/ransomware/killed-services.png" />
</p>

<p style="text-align:center;">
	<span style="font-size:11px;"><em><strong>Services killed before encryption </strong>(ReversingLabs)</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	When encrypting files, the encryptor uses AES symmetric-key encryption with SHA256 hashing.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>Customized for each victim</strong></span>
</p>

<p>
	 
</p>

<p>
	Regardless of the operating system targeted in the attack, all encryptors are customized to include the company name in the ransom note and to use a unique extension for encrypted file names.
</p>

<p>
	<br />
	For one victim known to BleepingComputer, the threat actors heavily customized the ransom note to include the specific data that was stolen during the attack, which we redacted in the note below.
</p>

<p>
	<br />
	The ransom notes are named '!!!_HOW_TO_UNLOCK_[company_name]_FILES_!!!.TXT' and are written in English, with some warning the victim not to contact the South Korean law enforcement agencies or KISA (Korea Internet and Security Agency).
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="ransom-note.jpg" class="ipsImage" data-ratio="75.10" height="497" width="720" src="https://www.bleepstatic.com/images/news/ransomware/g/ransom-note.jpg" />
</p>

<p style="text-align:center;">
	<span style="font-size:11px;"><em><strong>An example GwisinLocker ransom note</strong><br />
	Source: BleepingComputer</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Instead, the victims are told to visit an onion address using the Tor browser, log in with the provided credentials, and follow the instructions on paying a ransom and restoring files.
</p>

<p>
	<br />
	While AhnLab and ReversingLabs noted that GwisinLocker primarily targets South Korean industrial and pharmaceutical companies, BleepingComputer is aware of a healthcare clinic that was also targeted.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.bleepingcomputer.com/news/security/new-gwisinlocker-ransomware-encrypts-windows-and-linux-esxi-servers/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">7538</guid><pubDate>Sat, 06 Aug 2022 15:25:42 +0000</pubDate></item><item><title>DuckDuckGo to begin blocking Microsoft scripts in its browsers</title><link>https://nsaneforums.com/news/security-privacy-news/duckduckgo-to-begin-blocking-microsoft-scripts-in-its-browsers-r7520/</link><description><![CDATA[<p>
	In May of this year, DuckDuckGo came under the spotlight for the agreement it had in place with Microsoft for search syndication. The browsers that were launched for iOS and Android were found to not be blocking data flows for LinkedIn and Bing.
</p>

<p>
	 
</p>

<p>
	However, <a href="https://spreadprivacy.com/more-privacy-and-transparency/" rel="external nofollow">in a post on its blog today</a>, DuckDuckGo said the block list will be expanded to include scripts from Microsoft in its browsing apps (for Android and iOS) and extensions (for Chrome, Firefox, Safari, Edge, and Opera).
</p>

<p>
	 
</p>

<p>
	The key reason for the earlier exception, as explained in the blog post, was that it was “due to a policy requirement related to our use of Bing as a source for our private search results”.
</p>

<p>
	 
</p>


<p>
	It goes on to say that there are no similar limitations with other companies, and the scripts were never embedded in the search engine or apps and never sent any information to DuckDuckGo.
</p>

<p>
	 
</p>

<p>
	Microsoft has also committed to not profile users from DuckDuckGo on ad clicks, even though advertising on the site is done in partnership with Microsoft. At the moment there is reliance on a tracker to detect conversions for ad clicks, but work is underway to replace this with a private architecture in the future.
</p>

<p>
	 
</p>

<p>
	The site goes into further detail about improvements to privacy and transparency across DuckDuckGo, with an aim to restore trust with its core user base.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/duckduckgo-to-begin-blocking-microsoft-scripts-in-its-browsers/" rel="external nofollow">DuckDuckGo to begin blocking Microsoft scripts in its browsers</a>
</p>
]]></description><guid isPermaLink="false">7520</guid><pubDate>Fri, 05 Aug 2022 21:07:49 +0000</pubDate></item></channel></rss>
