<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/118/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Slack resets passwords after exposing hashes in invitation links</title><link>https://nsaneforums.com/news/security-privacy-news/slack-resets-passwords-after-exposing-hashes-in-invitation-links-r7519/</link><description><![CDATA[<p>
	Slack notified roughly 0.5% of its users that it reset their passwords after fixing a bug exposing salted password hashes when creating or revoking shared invitation links for workspaces.
</p>

<p>
	 
</p>

<p>
	"When a user performed either of these actions, Slack transmitted a hashed version of their password (not plaintext) to other workspace members," Slack told BleepingComputer.
</p>

<p>
	 
</p>

<p>
	"Although this data was shared via the new or deactivated invitation link, the Slack client did not store or display this data to members of that workspace."
</p>

<p>
	 
</p>

<p>
	The bug was discovered by an independent security researcher who disclosed it to Slack on July 17. The issue affected all users who created or revoked shared invitation links between April 17, 2017, and July 17, 2022.
</p>

<p>
	 
</p>

<p>
	According to Slack, the hashed passwords were never visible in Slack clients; obtaining the exposed data would have required actively monitoring encrypted network traffic from Slack's servers.
</p>

<h2>
	No plaintext passwords exposed
</h2>

<p>
	Slack also added that it has no reason to believe the bug was used to obtain plaintext passwords before it was fixed.
</p>

<p>
	 
</p>

<p>
	"We have no reason to believe that anyone was able to obtain plaintext passwords because of this issue," the company <a href="https://slack.com/intl/en-gb/blog/news/notice-about-slack-password-resets" rel="external nofollow" target="_blank">stated</a> on Thursday.
</p>

<p>
	 
</p>

<p>
	"However, for the sake of caution, we have reset affected users' Slack passwords. They will need to set a new Slack password before they can log in again."
</p>

<p>
	 
</p>

<p>
	It's also worth noting that although a password hash cannot be used in place of the password to authenticate and, for strong hashing algorithms, cannot feasibly be reversed directly, Slack added in security notices sent to affected users that hashes could still be reversed via brute force.
</p>

<p>
	 
</p>

<p>
	"Hashed passwords are secure, but not perfect — they are still subject to being reversed via brute force — which is why we've chosen to reset the passwords of everyone affected," Slack warned.
</p>

<p>
	 
</p>

<p>
	BleepingComputer reached out to Slack for more info on the hashing algorithm used to generate the password hashes but did not receive a reply before this article was published.
</p>

<p>
	 
</p>

<p>
	To check that your account was not compromised, you can review your personal access logs <a href="https://my.slack.com/account/logs" rel="external nofollow" target="_blank">here</a>. Slack also advises all users to enable <a href="https://get.slack.help/hc/en-gb/articles/204509068-set-up-two-factor-authentication" rel="external nofollow" target="_blank">two-factor authentication</a> and to use unique passwords not shared with other online services.
</p>

<p>
	 
</p>

<p>
	Slack <a href="https://slack.com/about" rel="external nofollow" target="_blank">says</a> it has more than 169,000 paying customers from over 150 countries, with 65 Fortune 100 companies using its services.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/slack-resets-passwords-after-exposing-hashes-in-invitation-links/" rel="external nofollow">Slack resets passwords after exposing hashes in invitation links</a>
</p>
]]></description><guid isPermaLink="false">7519</guid><pubDate>Fri, 05 Aug 2022 21:06:56 +0000</pubDate></item><item><title>Critical RCE vulnerability impacts 29 models of DrayTek routers</title><link>https://nsaneforums.com/news/security-privacy-news/critical-rce-vulnerability-impacts-29-models-of-draytek-routers-r7518/</link><description><![CDATA[<p>
	Researchers at Trellix have discovered a critical unauthenticated remote code execution (RCE) vulnerability impacting 29 models of the DrayTek Vigor series of business routers.
</p>

<p>
	 
</p>

<p>
	The vulnerability is tracked as CVE-2022-32548 and carries a maximum CVSS v3 severity score of 10.0, categorizing it as critical.
</p>

<p>
	 
</p>

<p>
	The attacker does not need credentials or user interaction to exploit the vulnerability, with the default device configuration making the attack viable via the internet and LAN.
</p>

<p>
	 
</p>

<p>
	Hackers who exploit this vulnerability could potentially perform the following actions:
</p>

<p>
	 
</p>

<ul>
	<li>
		complete device takeover,
	</li>
	<li>
		information access,
	</li>
	<li>
		laying the ground for stealthy man-in-the-middle attacks,
	</li>
	<li>
		changing DNS settings,
	</li>
	<li>
		using the routers as DDoS or cryptominer bots,
	</li>
	<li>
		or pivoting to devices connected to the breached network.
	</li>
</ul>

<h2>
	Widespread impact
</h2>

<p>
	DrayTek Vigor devices became very popular during the pandemic by riding the "work from home" wave. They are excellent cost-efficient products for VPN access to small and medium-sized business networks.
</p>

<p>
	 
</p>

<p>
	A Shodan search returned over 700,000 online devices, most located in the UK, Vietnam, Netherlands, and Australia.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/rce-in-dratyek-routers.html" rel="external nofollow" target="_blank">Trellix</a> decided to evaluate the security of one of DrayTek's flagship models due to its popularity and found that the web management interface suffers from a buffer overflow issue on the login page.
</p>

<p>
	 
</p>

<p>
	Using a specially crafted pair of credentials as base64 encoded strings in the login fields, one can trigger the flaw and take control of the device's OS.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.youtube.com/embed/9ZVaj8ETCU8?feature=oembed" rel="external nofollow" target="_blank">Video: Exploitation of a DrayTek Vigor 3910 (CVE-2022-32548)</a>
</p>

<p>
	 
</p>

<p>
	The researchers found that at least 200,000 of the detected routers expose the vulnerable service on the internet and are therefore readily exploitable without user interaction or any other special prerequisites.
</p>

<p>
	 
</p>

<p>
	Of the remaining 500,000, many are also believed to be exploitable using one-click attacks, but only via LAN, so the attack surface is smaller.
</p>

<p>
	 
</p>

<p>
	The vulnerable models are the following:
</p>

<p>
	 
</p>

<ul>
	<li>
		Vigor3910
	</li>
	<li>
		Vigor1000B
	</li>
	<li>
		Vigor2962 Series
	</li>
	<li>
		Vigor2927 Series
	</li>
	<li>
		Vigor2927 LTE Series
	</li>
	<li>
		Vigor2915 Series
	</li>
	<li>
		Vigor2952 / 2952P
	</li>
	<li>
		Vigor3220 Series
	</li>
	<li>
		Vigor2926 Series
	</li>
	<li>
		Vigor2926 LTE Series
	</li>
	<li>
		Vigor2862 Series
	</li>
	<li>
		Vigor2862 LTE Series
	</li>
	<li>
		Vigor2620 LTE Series
	</li>
	<li>
		VigorLTE 200n
	</li>
	<li>
		Vigor2133 Series
	</li>
	<li>
		Vigor2762 Series
	</li>
	<li>
		Vigor167
	</li>
	<li>
		Vigor130
	</li>
	<li>
		VigorNIC 132
	</li>
	<li>
		Vigor165
	</li>
	<li>
		Vigor166
	</li>
	<li>
		Vigor2135 Series
	</li>
	<li>
		Vigor2765 Series
	</li>
	<li>
		Vigor2766 Series
	</li>
	<li>
		Vigor2832
	</li>
	<li>
		Vigor2865 Series
	</li>
	<li>
		Vigor2865 LTE Series
	</li>
	<li>
		Vigor2866 Series
	</li>
	<li>
		Vigor2866 LTE Series
	</li>
</ul>

<p>
	 
</p>

<p>
	DrayTek quickly released security updates for all models mentioned above, so navigate to the <a href="https://www.draytek.com/support/latest-firmwares/" rel="external nofollow" target="_blank">vendor's firmware update center</a> and locate the latest version for your model.
</p>

<p>
	 
</p>

<p>
	For information on performing the firmware update on your router, <a href="https://draytek.co.uk/support/guides/kb-firmwareupgrade-webui" rel="external nofollow" target="_blank">check out this guide</a> by DrayTek.
</p>

<p>
	 
</p>

<p>
	There have been no signs of CVE-2022-32548 being exploited in the wild so far, but as <a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-158a" rel="external nofollow" target="_blank">CISA reported recently</a>, SOHO routers are always in the crosshairs of state-sponsored APTs from China and elsewhere.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/critical-rce-vulnerability-impacts-29-models-of-draytek-routers/" rel="external nofollow">Critical RCE vulnerability impacts 29 models of DrayTek routers</a>
</p>
]]></description><guid isPermaLink="false">7518</guid><pubDate>Fri, 05 Aug 2022 21:06:05 +0000</pubDate></item><item><title>Scammers Sent Uber to Take Elderly Lady to the Bank</title><link>https://nsaneforums.com/news/security-privacy-news/scammers-sent-uber-to-take-elderly-lady-to-the-bank-r7493/</link><description><![CDATA[<p>
	Email scammers sent an Uber to the home of an 80-year-old woman who responded to a well-timed email scam, in a bid to make sure she went to the bank and wired money to the fraudsters. In this case, the woman figured out she was being scammed before embarking for the bank, but her story is a chilling reminder of how far crooks will go these days to rip people off.
</p>

<p>
	 
</p>

<p>
	Travis Hardaway is a former music teacher turned <a href="https://readaheadapp.com/" rel="external nofollow" target="_blank">app developer</a> from Towson, Md. Hardaway said his mother last month replied to an email she received regarding an appliance installation from BestBuy/GeekSquad. Hardaway said the timing of the scam email couldn’t have been worse: His mom’s dishwasher had just died, and she’d paid to have a new one delivered and installed.
</p>

<p>
	 
</p>

<p>
	“I think that’s where she got confused, because she thought the email was about her dishwasher installation,” Hardaway told KrebsOnSecurity.
</p>

<p>
	 
</p>

<p>
	Hardaway said his mom initiated a call to the phone number listed in the phony BestBuy email, and that the scammers told her she owed $160 for the installation, which seemed right at the time. Then the scammers asked her to install remote administration software on her computer so that they could control the machine from afar and assist her in making the payment.
</p>

<p>
	 
</p>

<p>
	After she logged into her bank and savings accounts with the scammers watching her screen, the fraudster on the phone claimed that instead of pulling $160 out of her account, they had accidentally transferred $160,000 to her account. They said they needed her help to make sure the money was “returned.”
</p>

<p>
	 
</p>

<p>
	“They took control of her screen and said they had accidentally transferred $160,000 into her account,” Hardaway said. “The person on the phone told her he was going to lose his job over this transfer error, that he didn’t know what to do. So they sent her some information about where to wire the money, and asked her to go to the bank. But she told them, ‘I don’t drive,’ and they told her, ‘No problem, we’re sending an Uber to come help you to the bank.’”
</p>

<p>
	 
</p>

<p>
	Hardaway said he was out of town when all this happened, and that thankfully his mom eventually grew exasperated and gave up trying to help the scammers.
</p>

<p>
	 
</p>

<p>
	“They told her they were sending an Uber to pick her up and that it was on its way,” Hardaway said. “I don’t know if the Uber ever got there. But my mom went over to the neighbor’s house and they saw it for what it was — a scam.”
</p>

<p>
	 
</p>

<p>
	Hardaway said he has since wiped her computer, reinstalled the operating system and changed her passwords. But he says the incident has left his mom rattled.
</p>

<p>
	 
</p>

<p>
	“She’s really second-guessing herself now,” Hardaway said. “She’s not computer-savvy, and just moved down here from Boston during COVID to be near us, but she’s living by herself and feeling isolated and vulnerable, and stuff like this doesn’t help.”
</p>

<p>
	 
</p>

<p>
	According to the Federal Bureau of Investigation (FBI), seniors are often targeted because they tend to be trusting and polite. More importantly, they also usually have financial savings, own a home, and have good credit—all of which make them attractive to scammers.
</p>

<p>
	 
</p>

<p>
	“Additionally, seniors may be less inclined to report fraud because they don’t know how, or they may be too ashamed of having been scammed,” the <a href="https://www.fbi.gov/contact-us/field-offices/houston/news/press-releases/elder-fraud-if-a-former-fbicia-director-can-be-targeted-so-can-you" rel="external nofollow" target="_blank">FBI warned in May</a>. “They might also be concerned that their relatives will lose confidence in their abilities to manage their own financial affairs. And when an elderly victim does report a crime, they may be unable to supply detailed information to investigators.”
</p>

<p>
	 
</p>

<p>
	In 2021, more than 92,000 victims over the age of 60 reported losses of $1.7 billion to the FBI’s Internet Crime Complaint Center (IC3). The FBI says that represents a 74 percent increase in losses over losses reported in 2020.
</p>

<p>
	 
</p>

<p>
	The abuse of ride-sharing services to scam the elderly is not exactly new. Authorities in Tampa, Fla. say they’re investigating an incident from December 2021 where fraudsters who’d stolen $700,000 from elderly grandparents <a href="https://www.tampabay.com/news/crime/2021/12/10/hillsborough-detectives-seek-ubers-help-in-solving-a-big-bucks-elderly-scam-again/" rel="external nofollow" target="_blank">used Uber rides to pick up bundles of cash from their victims</a>.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://krebsonsecurity.com/2022/08/scammers-sent-uber-to-take-elderly-lady-to-the-bank/" rel="external nofollow">Scammers Sent Uber to Take Elderly Lady to the Bank</a>
</p>
]]></description><guid isPermaLink="false">7493</guid><pubDate>Thu, 04 Aug 2022 20:00:02 +0000</pubDate></item><item><title>Cybersecurity agencies reveal last year&#x2019;s top malware strains</title><link>https://nsaneforums.com/news/security-privacy-news/cybersecurity-agencies-reveal-last-year%E2%80%99s-top-malware-strains-r7492/</link><description><![CDATA[<p>
	The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a list of the most frequently detected malware strains of last year in a joint advisory with the Australian Cyber Security Centre (ACSC).
</p>

<p>
	 
</p>

<p>
	"Most of the top malware strains have been in use for more than five years with their respective code bases evolving into multiple variations," the cybersecurity agencies said.
</p>

<p>
	 
</p>

<p>
	"The most prolific malware users of the top malware strains are cyber criminals, who use malware to deliver ransomware or facilitate theft of personal and financial information."
</p>

<p>
	 
</p>

<p>
	The top malware strains observed in 2021 include Agent Tesla, AZORult, Formbook, Ursnif, LokiBot, MOUSEISLAND, NanoCore, Qakbot, Remcos, TrickBot, and GootLoader.
</p>

<p>
	 
</p>

<p>
	Out of these, Agent Tesla, AZORult, Formbook, LokiBot, NanoCore, Remcos, and TrickBot have been used in attacks for at least the last five years, while Qakbot and Ursnif have been used for over a decade.
</p>

<p>
	 
</p>

<p>
	These malware families' longevity is due to their developers' ongoing efforts to upgrade them by adding new capabilities and ways to evade detection.
</p>

<p>
	 
</p>

<p>
	"Developers of these top 2021 malware strains continue to support, improve, and distribute their malware over several years. Malware developers benefit from lucrative cyber operations with low risk of negative consequences," the agencies added.
</p>

<p>
	 
</p>

<p>
	"Many malware developers often operate from locations with few legal prohibitions against malware development and deployment."
</p>

<h2>
	Malware defense tips
</h2>

<p>
	The joint advisory includes Snort signatures for each of the listed malware strains, to detect their payloads by monitoring network traffic, along with a list of mitigation measures.
</p>

<p>
	 
</p>

<p>
	CISA and ACSC encourage admins and security teams to apply the following mitigations to defend against malware attacks:
</p>

<p>
	 
</p>

<ul>
	<li>
		Update software, including operating systems, applications, and firmware, on I.T. network assets
	</li>
	<li>
		Enforce MFA to the greatest extent possible
	</li>
	<li>
		If you use RDP and/or other potentially risky services, secure and monitor them closely
	</li>
	<li>
		Maintain offline (i.e., physically disconnected) backups of data
	</li>
	<li>
		Provide end-user awareness and training to help block social engineering and spearphishing attacks
	</li>
	<li>
		Implement network segmentation to separate network segments based on role and functionality
	</li>
</ul>

<p>
	 
</p>

<p>
	In April, cybersecurity authorities worldwide, in partnership with the NSA and the FBI, also released a list of the <a href="https://www.bleepingcomputer.com/news/security/cybersecurity-agencies-reveal-top-exploited-vulnerabilities-of-2021/" target="_blank" rel="external nofollow">top 15 vulnerabilities routinely exploited</a> in attacks during 2021.
</p>

<p>
	 
</p>

<p>
	CISA and the FBI have also published <a href="https://www.bleepingcomputer.com/news/security/us-govt-shares-list-of-most-exploited-vulnerabilities-since-2016/" target="_blank" rel="external nofollow">a list of the top 10 most exploited security bugs</a> between 2016 and 2019 and a list of the <a href="https://www.cisa.gov/uscert/ncas/alerts/aa21-209a" rel="external nofollow" target="_blank">most routinely abused bugs in 2020</a> in collaboration with the ACSC and the U.K.'s National Cyber Security Centre (NCSC).
</p>

<p>
	 
</p>

<p>
	In June, MITRE also shared this year's list of the <a href="https://www.bleepingcomputer.com/news/security/mitre-shares-this-years-list-of-most-dangerous-software-bugs/" target="_blank" rel="external nofollow">top 25 most dangerous software bugs</a>, after revealing the <a href="https://www.bleepingcomputer.com/news/security/mitre-shares-list-of-most-dangerous-hardware-weaknesses/" target="_blank" rel="external nofollow">most dangerous programming, design, and architecture security flaws plaguing hardware</a> in November 2021.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/cybersecurity-agencies-reveal-last-year-s-top-malware-strains/" rel="external nofollow">Cybersecurity agencies reveal last year’s top malware strains</a>
</p>
]]></description><guid isPermaLink="false">7492</guid><pubDate>Thu, 04 Aug 2022 19:59:01 +0000</pubDate></item><item><title>German Chambers of Industry and Commerce hit by 'massive' cyberattack</title><link>https://nsaneforums.com/news/security-privacy-news/german-chambers-of-industry-and-commerce-hit-by-massive-cyberattack-r7491/</link><description><![CDATA[<p>
	The Association of German Chambers of Industry and Commerce (DIHK) was forced to shut down all of its IT systems and switch off digital services, telephones, and email servers, in response to a cyberattack.
</p>

<p>
	 
</p>

<p>
	DIHK is a coalition of 79 chambers representing companies within the German state, with over three million members comprising businesses ranging from small shops to large enterprises in the country.
</p>

<p>
	 
</p>

<p>
	The organization deals with legal representation, consultation, foreign trade promotion, training, regional economic development, and offers general support services to its members.
</p>

<h2>
	Hackers breach DIHK
</h2>

<p>
	A short statement published on the <a href="https://www.dihk.de/de" rel="external nofollow" target="_blank">DIHK site</a> describes the shutdown as a precaution and a way to give IT teams time to develop a solution and build up defenses.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="statement.png" class="ipsImage" data-ratio="36.39" height="135" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Website%20snaps/statement.png">
	</p>

	<div>
		<em>Notice of a cyberattack on the DIHK site (translated)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Some services for companies are gradually being made available again after thorough checks to ensure they are safe to use. However, the restoration is only partial at this time.
</p>

<p>
	 
</p>

<p>
	The General Manager of DIHK, Michael Bergmann, has informed the public via a LinkedIn post that the cyberattack occurred yesterday, Wednesday, and characterized the incident as 'massive.'
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="linkedin.png" class="ipsImage" data-ratio="81.60" height="448" width="549" src="https://www.bleepstatic.com/images/news/u/1220909/social%20media/linkedin.png">
	</p>

	<div>
		<em>Bergmann's statement on LinkedIn</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	"At this stage, we cannot predict how long the (urgent shutdown) measures will be necessary," commented Bergmann.
</p>

<p>
	 
</p>

<p>
	While the cyberattack carries the signs of ransomware, with systems being shut down to prevent the spread of the malware, this hasn't been officially confirmed yet.
</p>

<p>
	 
</p>

<p>
	Also, none of the major ransomware extortion sites has claimed a successful compromise of DIHK, although it is still too early for that.
</p>

<p>
	 
</p>

<p>
	German tech news portal <a href="https://www.heise.de/news/Cyberangriff-IHK-Verbaende-weitgehend-offline-auch-telefonisch-nicht-erreichbar-7202061.html" rel="external nofollow" target="_blank">Heise.de</a> reports that the attack's impact appears to have no regional focus, as individual divisions in North Rhine-Westphalia, Lower Saxony, Bavaria, and Mecklenburg-Western Pomerania have all confirmed facing problems.
</p>

<p>
	 
</p>

<p>
	For example, the Chamber of Industry and Commerce in Köln informed the public that phone lines work to a limited extent, while its website was still offline at the time of this writing.
</p>

<p>
	 
</p>

<p>
	<img alt="koln.png" class="ipsImage" data-ratio="43.26" height="247" width="571" src="https://www.bleepstatic.com/images/news/u/1220909/social%20media/koln.png">
</p>

<p>
	 
</p>

<p>
	In Köln's case, the shutdown of the systems is also presented as a precautionary measure, which further strengthens the hypothesis of a ransomware attack.
</p>

<p>
	 
</p>

<p>
	Bleeping Computer is in the process of collecting more information on the incident, and we will update this post as soon as we know more.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/german-chambers-of-industry-and-commerce-hit-by-massive-cyberattack/" rel="external nofollow">German Chambers of Industry and Commerce hit by 'massive' cyberattack</a>
</p>
]]></description><guid isPermaLink="false">7491</guid><pubDate>Thu, 04 Aug 2022 19:58:20 +0000</pubDate></item><item><title>New Linux malware brute-forces SSH servers to breach networks</title><link>https://nsaneforums.com/news/security-privacy-news/new-linux-malware-brute-forces-ssh-servers-to-breach-networks-r7480/</link><description><![CDATA[<p>
	A new botnet called 'RapperBot' has been used in attacks since mid-June 2022, focusing on brute-forcing its way into Linux SSH servers to establish a foothold on the device.
</p>

<p>
	<br />
	The researchers show that RapperBot is based on the Mirai trojan but deviates from the original malware's normal behavior, which is uncontrolled propagation to as many devices as possible.
</p>

<p>
	<br />
	Instead, RapperBot is more tightly controlled, has limited DDoS capabilities, and its operation appears geared towards initial server access, likely to be used as stepping stones for lateral movement within a network.
</p>

<p>
	<br />
	Over the past 1.5 months since its discovery, the new botnet used over 3,500 unique IPs worldwide to scan and attempt brute-forcing Linux SSH servers.
</p>

<p>
	<br />
	<span style="font-size:18px;"><strong>Mirai-based, but different</strong></span>
</p>

<p>
	<br />
	The new botnet was discovered in the wild by threat hunters at Fortinet, who noticed the IoT malware featured some unusual SSH-related strings and decided to investigate further.
</p>

<p>
	<br />
	RapperBot proved to be a Mirai fork, but with its own command and control (C2) protocol, unique features, and atypical (for a botnet) post-compromise activity.
</p>

<p>
	<br />
	"Unlike the majority of Mirai variants, which natively brute force Telnet servers using default or weak passwords, RapperBot exclusively scans and attempts to brute force SSH servers configured to accept password authentication," explains the Fortinet report.
</p>

<p>
	<br />
	"The bulk of the malware code contains an implementation of an SSH 2.0 client that can connect and brute force any SSH server that supports Diffie-Hellman key exchange with 768-bit or 2048-bit keys and data encryption using AES128-CTR."
</p>

<p>
	<br />
	The SSH brute-forcing relies on a list of credentials downloaded from the C2 via host-unique TCP requests, while the malware reports back to the C2 when it succeeded.
</p>

<p>
	<br />
	Fortinet researchers followed the bot and continued to sample new variants, noticing that RapperBot used a self-propagation mechanism via a remote binary downloader, which was removed by the threat actors in mid-July.
</p>

<p>
	<br />
	The newer variants circulating at that time featured a shell command that replaced the victim's SSH keys with the actor's, essentially establishing persistence that's maintained even after SSH password changes.
</p>

<p>
	<br />
	Moreover, RapperBot added a system to append the actor's SSH key to the host's "~/.ssh/authorized_keys," which helps maintain access on the server between reboots or even if the malware is found and deleted.
</p>

<p>
	<br />
	In the most recent samples analyzed by the researchers, the bot adds the root user "suhelper" on the compromised endpoints and creates a Cron job that re-adds the user every hour in case an admin discovers the account and deletes it.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="attack-diagram(2).png" class="ipsImage" data-ratio="69.31" height="454" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Diagrams/attack-diagram(2).png" />
</p>

<p style="text-align:center;">
	<span style="font-size:11px;"><strong>RapperBot's attack overview</strong> (Fortinet)</span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Also, it's worth noting that the malware authors added extra layers of obfuscation to the strings in later samples, like XOR encoding.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="string-obfuscation.png" class="ipsImage" data-ratio="75.10" height="444" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/string-obfuscation.png" />
</p>

<p style="text-align:center;">
	<span style="font-size:11px;"><strong>String obfuscation added on later variants</strong> (Fortinet)</span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	<span style="font-size:18px;"><strong>RapperBot's goal</strong></span>
</p>

<p>
	 
</p>

<p>
	Most botnets either perform DDoS attacks or engage in coin-mining by hijacking the host's available computational resources, and some do both.<br />
	The goal of RapperBot, however, isn't evident, as the authors have kept its DDoS functions limited and even removed and re-introduced them at some point.
</p>

<p>
	<br />
	Also, the removal of self-propagation and the addition of persistence and detection-avoidance mechanisms indicate that the botnet's operators may be interested in initial access sales to ransomware actors.
</p>

<p>
	<br />
	Fortinet reports that its analysts saw no additional payloads delivered post-compromise during the monitoring period, so the malware just nests on the infected Linux hosts and sits dormant.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.bleepingcomputer.com/news/security/new-linux-malware-brute-forces-ssh-servers-to-breach-networks/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">7480</guid><pubDate>Thu, 04 Aug 2022 16:48:01 +0000</pubDate></item><item><title>Quantum computing will require massive software updates. Doing that securely will be its own challenge.</title><link>https://nsaneforums.com/news/security-privacy-news/quantum-computing-will-require-massive-software-updates-doing-that-securely-will-be-its-own-challenge-r7478/</link><description><![CDATA[<p>
	<span style="font-size:20px;">The tech industry is scrambling to implement new “quantum-resistant” algorithms, which could be a “significant source of vulnerabilities” for years.</span>
</p>

<p>
	 
</p>

<p>
	No matter how long it takes to reach commercialization in the enterprise, quantum computing could have major consequences for the world of cybersecurity well in advance of the technology going mainstream.
</p>

<p>
	<br />
	To date, most of the security discussion around quantum computing has focused on the possible implications for data encryption. The most common scenario: Someday — maybe in five, 10 or 20 years — mega-powerful computing systems that harness the very weird properties of quantum mechanics could achieve the unthinkable, and obliterate the current methods of encryption that the internet depends on for security.
</p>

<p>
	<br />
	On the other hand, maybe this will never happen at all. No one knows for sure.
</p>

<p>
	<br />
	What we do know, however, is that the tech industry is gearing up for this so-called "post-quantum" scenario. Software will be changed on an epic scale to accommodate new methods of quantum-resistant cryptography that are being advanced by the government and researchers.
</p>

<p>
	<br />
	That means while nobody can be certain if quantum computing will ever really pose a security risk itself, the preparations surely will: It's inevitable that we'll see a large number of security vulnerabilities unintentionally introduced into software as the process plays out, said Jonathan Katz, a cryptography expert and IEEE member. Any time software is changed on a large scale — particularly when it’s happening quickly — vulnerabilities will tend to creep in.<br />
	"We know how to design mathematically secure algorithms," said Katz, who’s also a professor of computer science at the University of Maryland. "We're not quite as good yet at implementing them in a secure way."
</p>

<p>
	<br />
	That’s a challenge the tech industry will have to figure out. If the hackers of, say, 2032 get their hands on a quantum computer that could break encryption, it would put much of the world's data at risk. (That includes, by the way, encrypted data that threat actors might be collecting today and storing away for a decrypting opportunity in the quantum future, according to experts.)
</p>

<p>
	<br />
	The preparations for this potential future threat are possible thanks to the efforts of cryptography specialists working in tandem with the National Institute of Standards and Technology. Back in 2016, the agency helped get the ball rolling on post-quantum cryptography by launching a process for soliciting the algorithms needed to do the job.
</p>

<p>
	<br />
	In July, NIST presented the fruits of that six-year process, announcing four algorithms that the agency aims to use as the basis for the new quantum-resistant method of encryption. The algorithm that will provide secure web access is known as CRYSTALS-Kyber (some experts refer to it as Kyber). The three remaining algorithms will come into play for identity verification during digital exchanges.
</p>

<p>
	<br />
	While NIST says it expects to finalize the algorithm choices in "about two years," the vendors whose technology underpins the functions of the internet have already begun exploring how to implement them — particularly Kyber.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>Make it work</strong></span>
</p>

<p>
	 
</p>

<p>
	Since there are a number of different ways to implement Kyber, the industry now has to settle on which type of implementation to embed into the TLS protocol, which is what enables HTTPS secure web browsing.
</p>

<p>
	<br />
	"The industry is now in the mode of, 'OK, we know what the algorithm is going to look like — how do we actually deploy it into systems? And what are the troubles and pitfalls of that?'" said Nick Sullivan, head of research at web security and performance vendor Cloudflare.
</p>

<p>
	<br />
	Software developers, however, have had decades to figure out how to properly deploy existing forms of encryption, such as RSA. "That time has allowed people to learn from their mistakes," Katz said. "And many mistakes were made along the way."
</p>

<p>
	<br />
	Now, we may have the same situation occur again, with the implementation of largely untested new algorithms that are based on different techniques, he said. Rather than facing an underlying issue with the algorithms, he believes it's more probable we'll see a variety of flaws in the code introduced during the software engineering process.
</p>

<p style="margin-left:40px;">
	<br />
	<span style="color:#7f8c8d;"><strong><em><span style="font-size:20px;">We know how to design mathematically secure algorithms. We're not quite as good yet at implementing them in a secure way.</span></em></strong></span>
</p>

<p>
	<br />
	Buffer overflows are among the types of vulnerabilities likely to pop up a lot in a situation such as this, Katz said. In this common class of bug, code reads or writes past the end of the memory it was given, which can let an attacker corrupt data or take control of the program.
</p>
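<p>
	The failure mode Katz describes is concrete enough to show in code. The following is an added example, not code from the article or from any Kyber implementation: it decodes a record carrying a Kyber-768 public key once the careless way and once with the checks a reviewer would demand. The 1184-byte public-key size is the one Kyber-768 defines; the record layout (a 2-byte big-endian length followed by the key) is an assumption made here for illustration and is not the real TLS key_share encoding.
</p>

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Public-key size of the Kyber-768 parameter set (from the Kyber spec). */
#define KYBER768_PUBLICKEYBYTES 1184u

/* Assumed record layout, for illustration only: a 2-byte big-endian
 * length field followed by the key bytes. Real TLS key_share encoding
 * is not reproduced here. */
#define HDR_LEN 2u

enum { KS_OK = 0, KS_ERR_SHORT = -1, KS_ERR_LEN = -2,
       KS_ERR_TRUNC = -3, KS_ERR_TRAIL = -4 };

/* The bug pattern: the peer's length field is trusted. If len > 1184
 * the memcpy writes past 'out' (buffer overflow); if len exceeds what
 * was actually received it also reads past 'rec'. Shown for contrast;
 * never call it on untrusted input. */
int parse_keyshare_unsafe(const uint8_t *rec, size_t rec_len,
                          uint8_t out[KYBER768_PUBLICKEYBYTES])
{
    if (rec_len < HDR_LEN) return KS_ERR_SHORT;
    size_t len = ((size_t)rec[0] << 8) | rec[1];
    memcpy(out, rec + HDR_LEN, len);   /* length never checked */
    return KS_OK;
}

/* Hardened: the key must be exactly the size the parameter set fixes,
 * the body must be fully present, and nothing may trail it. Every
 * check happens before memory is touched. */
int parse_keyshare_safe(const uint8_t *rec, size_t rec_len,
                        uint8_t out[KYBER768_PUBLICKEYBYTES])
{
    if (rec == NULL || out == NULL || rec_len < HDR_LEN) return KS_ERR_SHORT;
    size_t len = ((size_t)rec[0] << 8) | rec[1];
    if (len != KYBER768_PUBLICKEYBYTES) return KS_ERR_LEN;
    if (rec_len - HDR_LEN < len) return KS_ERR_TRUNC;   /* over-read attempt */
    if (rec_len - HDR_LEN != len) return KS_ERR_TRAIL;  /* trailing bytes */
    memcpy(out, rec + HDR_LEN, len);
    return KS_OK;
}

/* Builds a constructed record (filler bytes, not a real key) whose
 * length field and body length can disagree, as a hostile peer's would. */
size_t build_record(uint8_t *buf, size_t buf_len, uint16_t claimed_len,
                    size_t body_len, uint8_t fill)
{
    if (buf_len < HDR_LEN + body_len) return 0;
    buf[0] = (uint8_t)(claimed_len >> 8);
    buf[1] = (uint8_t)(claimed_len & 0xffu);
    memset(buf + HDR_LEN, fill, body_len);
    return HDR_LEN + body_len;
}

/* Runs the hardened parser against one constructed scenario and returns
 * its verdict. Scenario 1 is the record that would have written 4000
 * bytes into the 1184-byte buffer in the unsafe version. */
int keyshare_scenario(int which)
{
    static uint8_t rec[4096];
    uint8_t key[KYBER768_PUBLICKEYBYTES];
    size_t n;
    switch (which) {
    case 0: n = build_record(rec, sizeof rec, 1184, 1184, 0xA5); break; /* well-formed */
    case 1: n = build_record(rec, sizeof rec, 4000, 1184, 0xA5); break; /* claims 4000 bytes */
    case 2: n = build_record(rec, sizeof rec, 1184,  600, 0xA5); break; /* body cut short */
    case 3: n = build_record(rec, sizeof rec, 1184, 1200, 0xA5); break; /* 16 trailing bytes */
    case 4: n = build_record(rec, sizeof rec, 1088, 1088, 0xA5); break; /* ciphertext-sized, not a key */
    case 5: rec[0] = 0x04; n = 1; break;                                /* header truncated */
    default: return -99;
    }
    return parse_keyshare_safe(rec, n, key);
}

int main(void)
{
    static const char *names[] = { "well-formed", "oversized length",
        "truncated body", "trailing bytes", "wrong object size", "short header" };
    for (int i = 0; i < 6; i++)
        printf("scenario %d (%s): %d\n", i, names[i], keyshare_scenario(i));
    return 0;
}
```

<p>
	The point of the strict version is that a post-quantum object has exactly one valid encoded size per parameter set, so the parser can reject anything else before a single byte is copied; that is cheaper and safer than trying to tolerate variation, and it is the kind of check that gets dropped when code is written quickly.
</p>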

<p>
	<br />
	How could this happen? For one thing, there will be a learning curve involved for software engineers.
</p>

<p>
	<br />
	To some degree, they "will need to understand what's going on under the hood," Katz said. The complexity of the algorithms could present bigger difficulties than understanding existing methods, however.
</p>

<p>
	<br />
	Meanwhile, as the saying goes, speed is the enemy of security. And there's going to be a lot of new software being written as part of these post-quantum preparations, and written quickly, Katz said.
</p>

<p>
	<br />
	All in all, the implementation of the new algorithms is sure to become a "significant source of vulnerabilities in the five years after these things are first widely deployed," he said.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>Counting down to quantum</strong></span>
</p>

<p>
	 
</p>

<p>
	For better or worse, the tech industry feels a lot of urgency around implementing the post-quantum algorithms. In part, that's because "nobody knows" when the threat to encryption might emerge, said Nelly Porter, Google Cloud's lead product manager for technology areas including encryption and quantum computing.
</p>

<p>
	<br />
	"Everybody assumes that it will take many, many years. But I think in the world of cryptography, we are much more paranoid," Porter said.
</p>

<p>
	<br />
	When is the earliest she thinks it could happen?
</p>

<p>
	<br />
	"I would say [as soon as] three years for very advanced adversaries to make it usable," Porter said. "We have time to get ready. But we don't have too much time."
</p>

<p>
	<br />
	Other experts have predicted longer time frames before the performance of quantum computers would be able to break encryption (specifically, what’s known as “asymmetric” encryption, or public-key cryptography).
</p>

<p>
	<br />
	Chris Monroe, a quantum computing pioneer and Duke University physics professor, believes it will take 10 years or more to get there. In the meantime, early quantum computing applications — for instance, optimization of delivery routes or financial models — will likely be commercialized in a shorter time frame, said Monroe, who is also co-founder and chief scientist at quantum computing vendor IonQ.
</p>

<p>
	<br />
	However, it'll take longer for quantum computers to break encryption because the problem sizes are so big, he said. In other words, breaking encryption will probably not be the first thing that happens when it comes to real-world usage of quantum computers.
</p>

<p>
	<br />
	Once technology vendors have done their part to implement the quantum-resistant algorithms, that's when the work for businesses will begin. And that will probably be the hardest part of all, experts told Protocol.
</p>

<p>
	<br />
	Hardware, operating systems and software will all need updates to enable the new quantum-proof encryption methods.
</p>

<p>
	<br />
	"There's a big patching and replacement exercise that's going to go on here — which is complicated, time-consuming and important," said Tim Callan, chief compliance officer at Sectigo, a major provider of digital certificates that are used in the encryption process.
</p>

<p style="margin-left:40px;">
	<br />
	<span style="font-size:20px;"><span style="color:#7f8c8d;"><strong>We have time to get ready. But we don't have too much time.</strong></span></span>
</p>

<p>
	<br />
	The process will require taking an inventory of everything they use that leverages encryption. That’s no small task for any organization, but it will be especially daunting for those with workers, data centers and edge devices scattered around the globe.
</p>

<p>
	<br />
	"They're going to need to look at every system. And they're going to need to say, 'Is this system post-quantum-ready or not?'" Callan said. "'And if it is not, how do I feel about that?' They're going to have to prioritize."
</p>

<p>
	<br />
	Businesses that rely heavily on cloud infrastructure will have less to worry about, since a lot of the updates will happen behind the scenes, said Cloudflare's Sullivan. Those who still have a lot of physical machines in their operation will need to figure out if their devices can even be updated, or if they'll need to be replaced, he said.
</p>

<p>
	<br />
	One of the big questions for businesses will also be whether their existing PC fleets will be able to handle the compute requirements of the new algorithms.
</p>

<p>
	<br />
	While NIST included a requirement that the new algorithms would not be significantly more compute-intensive, that doesn't mean that every PC will be able to run them, said Stel Valavanis, founder and CEO of managed security provider onShore Security.
</p>

<p>
	<br />
	In the same way that the shift to work-from-home and videoconferencing forced many businesses to upgrade their PC fleets, the arrival of post-quantum encryption could be the "next ceiling" that businesses run into in terms of device performance, Valavanis said.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>Quantum divide</strong></span>
</p>

<p>
	 
</p>

<p>
	While it's still too early to know for sure, there's certainly a chance we could be heading into a "haves and have nots" scenario with quantum-resistant encryption, said Keith McCammon, co-founder and chief security officer at managed detection and response vendor Red Canary.
</p>

<p>
	<br />
	"We're probably going to run into questions of access: Is this thing equally accessible to everybody?" McCammon said.
</p>

<p>
	<br />
	On the other hand, there's also a chance that some businesses will not put a priority on quantum-proofing their systems at all.
</p>

<p>
	<br />
	Due to the uncertain and potentially long time frames — and all of the more immediate threats that businesses are dealing with on a daily basis — there's "always that risk" that some businesses will just ignore the issue, said Boaz Gelbord, chief security officer at Akamai Technologies.
</p>

<p>
	<br />
	In the short term, there might seem to be no consequences of inaction, said Joseph Steinberg, an independent information security consultant. But in all likelihood, we're never going to get much of an advanced warning about when encryption will be at risk, he said.
</p>

<p>
	<br />
	"The Chinese government doesn't announce what they're doing. We don't really know what the current capabilities are" for quantum computing, he said.<br />
	Ultimately, "we're talking about something catastrophic," Steinberg said. "And if we're wrong — and this hits sooner than expected — we have a problem."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.protocol.com/enterprise/quantum-computing-algorithms-encryption-vulnerabilities" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">7478</guid><pubDate>Thu, 04 Aug 2022 16:34:29 +0000</pubDate></item><item><title>No place for privacy in India as government withdraws Personal Data Protection Bill</title><link>https://nsaneforums.com/news/security-privacy-news/no-place-for-privacy-in-india-as-government-withdraws-personal-data-protection-bill-r7476/</link><description><![CDATA[<p>
	The wait for meaningful legal protection of people’s privacy in India — a fundamental right long under <strong>ever-increasing attack</strong> — has just gotten longer. The government has <strong>withdrawn</strong> the Personal Data Protection Bill, which had been in the works for three years, slamming the brakes indefinitely on privacy safeguards in India. This decision, and the government’s consistent failure to advance a meaningful, people-centric data protection law, comes with a steep cost to human rights in the world’s largest democracy.
</p>

<p>
	<br />
	The initial 2019 version of the legislation, and the following 2021 draft with recommendations by a parliamentary committee, each<strong> failed </strong>to <strong>adequately</strong> protect privacy and granted excessive discretionary powers to the government. However, these iterations could have served as a basic foundation that lawmakers could subsequently improve, creating a law that would have strengthened Indians’ rights and control over their personal data. The government’s withdrawal of the bill without any discussion in parliament, and without presenting a concrete replacement, deepens the uncertainties and risks surrounding privacy and erodes people’s confidence in the government.
</p>

<p>
	<br />
	“As India celebrates 75 years of independence, we are also marking 12 years since policymakers first proposed a federal-level privacy and data protection law, and over five years since the Supreme Court of India ruled that privacy was a fundamental right, requiring government action to safeguard our personal data,” said <strong>Raman Jit Singh Chima, Asia Pacific Policy Director and Senior International Counsel at Access Now</strong>. “Today, far too many sessions of parliament have passed with zero progress on the Personal Data Protection Bill, when it should have been the top priority. The government’s withdrawal of legislation and <strong>failure</strong> to say when we will move forward on a strengthened, people-centric data protection law — one that does not privilege the interests of government and the tech sector over fundamental rights — is wholly unacceptable.”
</p>

<p>
	<br />
	The lack of a data protection law is especially dangerous given the government and tech sector’s unabating efforts to <strong>collect</strong>, <strong>retain</strong>, and <strong>utilise</strong> an increasing amount of people’s personal data. India is the <strong>third most-impacted country</strong> by network security attacks in the world, and we are seeing a dramatic increase in the <strong>number </strong>of data leaks and breaches. Without data protection, the attacks and leaks will only increase, as will the harm they cause to India’s internet infrastructure and people’s privacy.
</p>

<p>
	<br />
	“The government’s vision of Digital India is accelerating, but any endeavour to protect people’s privacy as more of their data is exploited is decelerating,” said<strong> Namrata Maheshwari, Asia Pacific Policy Counsel at Access Now</strong>. “The failure to pass a federal privacy and data protection framework exemplifies the government’s approach of putting the horse before the cart — mandating increased collection and utilisation of personal data, without first ensuring people’s information will be safe and secure. The delay in implementing meaningful data protection is costing people their right to privacy.”
</p>

<p>
	<br />
	The government must explain publicly, and in detail, why it’s withdrawing the Personal Data Protection Bill, a clear disservice to all stakeholders and parliamentarians who have been engaged in the process. It must also prioritise developing new legislation that takes into account the input so far, and immediately share a timeline for implementation.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.accessnow.org/no-place-for-privacy-in-india-as-government-withdraws-data-protection-bill/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">7476</guid><pubDate>Thu, 04 Aug 2022 16:12:47 +0000</pubDate></item><item><title>New Woody RAT Malware Being Used to Target Russian Organizations</title><link>https://nsaneforums.com/news/security-privacy-news/new-woody-rat-malware-being-used-to-target-russian-organizations-r7473/</link><description><![CDATA[<p>
	An unknown threat actor has been targeting Russian entities with a newly discovered remote access trojan called Woody RAT for at least a year as part of a spear-phishing campaign.
</p>

<p>
	<br />
	The advanced custom backdoor is said to be delivered via either of two methods: archive files, and Microsoft Office documents that exploit the now-patched "Follina" vulnerability in the Microsoft Support Diagnostic Tool (<span style="color:#2980b9;">CVE-2022-30190</span>) in Windows.
</p>

<p>
	<br />
	Like other implants engineered for espionage-oriented operations, Woody RAT sports a wide range of features that enables the threat actor to remotely commandeer and steal sensitive information from the infected systems.
</p>

<p>
	<br />
	"The earliest versions of this RAT were typically archived into a ZIP file pretending to be a document specific to a Russian group," Malwarebytes researchers Ankur Saini and Hossein Jazi said in a Wednesday report.
</p>

<p>
	<br />
	"When the Follina vulnerability became known to the world, the threat actor switched to it to distribute the payload."
</p>

<p>
	<br />
	In one instance, the hacking group attempted to strike a Russian aerospace and defense entity known as OAK based on evidence gleaned from a fake domain registered for this purpose.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="malware.jpg" class="ipsImage" data-ratio="75.10" height="540" width="636" src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEg35LRJ0ayqjEMKo3ADOi7mLoAyI4moDW82GmOQ2AlRyBAr__ZIQMM7vFfzy16TW4_PJDRxTM3MyD7ds52s6eT0XLADE2Hz4UwUUa1dTPqwH82imY_KTeVPstKV8SaH6cUZFOFhzy9sDGaIgyuV67nCpgMjWxG3zJtHwhSLCWzu8TEc3yxib37k2VDO/s728-e1000/malware.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Attacks leveraging the Windows flaw as part of this campaign first came to light on June 7, 2022, when researchers from the MalwareHunterTeam <span style="color:#2980b9;">disclosed</span> the use of a document named "Памятка.docx" (which translates to "Memo.docx") to deliver a CSS payload containing the trojan.
</p>

<p>
	<br />
	The document purportedly offers best security practices for passwords and confidential information, among others, while acting as a decoy for dropping the backdoor.
</p>

<p>
	<br />
	Besides encrypting its communications with a remote server, Woody RAT is equipped with capabilities to write arbitrary files to the machine, execute additional malware, delete files, enumerate directories, capture screenshots, and gather a list of running processes.
</p>

<p>
	<br />
	Also embedded within the malware are two .NET-based libraries named WoodySharpExecutor and WoodyPowerSession that can be used to run .NET code and PowerShell commands received from the server, respectively.
</p>

<p>
	<br />
	Furthermore, the malware makes use of the <span style="color:#2980b9;">process hollowing technique</span> to inject itself into a suspended Notepad process and deletes itself from the disk to evade detection from security software installed on the compromised host.
</p>

<p>
	<br />
	Malwarebytes has yet to attribute the attacks to a specific threat actor, citing a lack of solid indicators linking the campaign to a previously known group, although Chinese and North Korean nation-state collectives have targeted Russia in the past.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2022/08/new-woody-rat-malware-being-used-to.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">7473</guid><pubDate>Thu, 01 Jan 1970 00:00:00 +0000</pubDate></item><item><title>Beware: Microsoft email users, even with MFA on, are unsafe from this new phishing attack</title><link>https://nsaneforums.com/news/security-privacy-news/beware-microsoft-email-users-even-with-mfa-on-are-unsafe-from-this-new-phishing-attack-r7469/</link><description><![CDATA[<p>
	Microsoft email service users need to be careful out there. That's because Zscaler, a cybersecurity research firm, has discovered a new, ongoing phishing campaign targeting Microsoft email users. According to its findings, corporate users are under attack and the campaign is being run using an adversary-in-the-middle (AiTM) technique to bypass multi-factor authentication (MFA).
</p>

<p>
	 
</p>

<p>
	The AiTM technique, as the name suggests, places an adversary between the client and the server as a proxy: it relays the real login page to the victim and the victim's responses to the real server, capturing the credentials in transit. Because the victim completes the MFA challenge through that same proxy, the attacker also captures the session cookie the server issues once MFA succeeds, and can replay it without ever needing the second factor. In short, the adversary in the middle acts as the server to the real client and as the client to the real server. The image below, ironically from <a href="https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/" rel="external nofollow">Microsoft itself</a>, shows how AiTM works:
</p>

<p>
	 
</p>

<p>
	<img alt="1659558883_aitm_attack_mechanism_(source" class="ipsImage" data-ratio="59.31" height="405" width="720" src="https://cdn.neow.in/news/images/uploaded/2022/08/1659558883_aitm_attack_mechanism_(source-_ms)_story.jpg">
</p>

<p>
	 
</p>


<p>
	The analysis of this phishing campaign was done by Zscaler's ThreatLabz, which summarized the attack in the following key points:
</p>

<p>
	 
</p>

<p>
	Key points
</p>

<p>
	 
</p>

<ul>
	<li>
		Corporate users of Microsoft's email services are the main targets of this large-scale phishing campaign.
	</li>
	<li>
		All these phishing attacks begin with an email sent to the victim with a malicious link.
	</li>
	<li>
		The campaign is active at the time of blog publication and new phishing domains are registered almost every day by the threat actor.
	</li>
	<li>
		In some cases, the business emails of executives were compromised using this phishing attack and later used to send further phishing emails as part of the same campaign.
	</li>
	<li>
		Some of the key industry verticals such as FinTech, Lending, Insurance, Energy and Manufacturing in geographical regions such as the US, UK, New Zealand and Australia are targeted.
	</li>
	<li>
		A custom proxy-based phishing kit capable of bypassing multi-factor authentication (MFA) is used in these attacks.
	</li>
	<li>
		Various cloaking and browser fingerprinting techniques are leveraged by the threat actor to bypass automated URL analysis systems.
	</li>
	<li>
		Numerous URL redirection methods are used to evade corporate email URL analysis solutions.
	</li>
	<li>
		Legitimate online code editing services such as CodeSandbox and Glitch are abused to increase the shelf life of the campaign.
	</li>
</ul>

<p>
	 
</p>

<p>
	Zscaler also notes some attacker-registered domains that were typosquatted versions of the domains of legitimate federal credit unions in the US:
</p>

<p>
	 
</p>

<table border="1" cellpadding="1" cellspacing="1">
	<thead>
		<tr>
			<th scope="col">
				Attacker-registered domain
			</th>
			<th scope="col">
				Legit Federal Credit Union domain
			</th>
		</tr>
	</thead>
	<tbody>
		<tr>
			<td>
				crossvalleyfcv[.]org
			</td>
			<td>
				crossvalleyfcu[.]org
			</td>
		</tr>
		<tr>
			<td>
				triboro-fcv[.]org
			</td>
			<td>
				triboro-fcu[.]org
			</td>
		</tr>
		<tr>
			<td>
				cityfederalcv[.]com
			</td>
			<td>
				cityfederalcu[.]com
			</td>
		</tr>
		<tr>
			<td>
				portconnfcuu[.]com
			</td>
			<td>
				portconnfcu[.]com
			</td>
		</tr>
		<tr>
			<td>
				oufcv[.]com
			</td>
			<td>
				oufcu[.]com
			</td>
		</tr>
	</tbody>
</table>
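<p>
	Every pair in the table is one edit away from the real name (a "u" swapped for a "v", or one letter doubled), which is exactly what a look-alike screen on newly registered or newly seen domains can catch. The following is an added example, not Zscaler's tooling or code from the article: it computes the edit distance between each observed domain and a constructed allow-list built from the table's legitimate domains, and flags anything within a small threshold that is not an exact match. The threshold of two edits is an assumption chosen for this data; a real deployment would tune it and add homoglyph handling.
</p>

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed allow-list: the legitimate credit-union domains named in the
 * table above. In production this would be the organisation's own brand
 * and partner domains. */
static const char *const LEGIT_DOMAINS[] = {
    "crossvalleyfcu.org", "triboro-fcu.org", "cityfederalcu.com",
    "portconnfcu.com", "oufcu.com",
};
#define N_LEGIT (sizeof LEGIT_DOMAINS / sizeof LEGIT_DOMAINS[0])
#define MAX_DOMAIN 253   /* longest legal DNS name */

/* Levenshtein edit distance (insert, delete, substitute each cost 1),
 * computed with two rolling rows. Returns (size_t)-1 for over-long input. */
size_t edit_distance(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    if (la > MAX_DOMAIN || lb > MAX_DOMAIN) return (size_t)-1;
    size_t prev[MAX_DOMAIN + 1], cur[MAX_DOMAIN + 1];
    for (size_t j = 0; j <= lb; j++) prev[j] = j;
    for (size_t i = 1; i <= la; i++) {
        cur[0] = i;
        for (size_t j = 1; j <= lb; j++) {
            size_t sub = prev[j - 1] + (a[i - 1] != b[j - 1]);
            size_t del = prev[j] + 1;
            size_t ins = cur[j - 1] + 1;
            size_t best = del < ins ? del : ins;
            cur[j] = sub < best ? sub : best;
        }
        memcpy(prev, cur, sizeof prev);
    }
    return prev[lb];
}

/* Returns the index in LEGIT_DOMAINS of the domain that 'candidate'
 * imitates (within 'threshold' edits, but not identical), or -1 when it
 * is either a legitimate domain itself or unrelated to all of them. */
int lookalike_of(const char *candidate, size_t threshold)
{
    int best_idx = -1;
    size_t best = (size_t)-1;
    for (size_t i = 0; i < N_LEGIT; i++) {
        size_t d = edit_distance(candidate, LEGIT_DOMAINS[i]);
        if (d == 0) return -1;                  /* the real site, not a fake */
        if (d <= threshold && d < best) { best = d; best_idx = (int)i; }
    }
    return best_idx;
}

int main(void)
{
    /* The attacker-registered names from the table, plus one legitimate
     * domain and one unrelated control (constructed input). */
    static const char *const seen[] = {
        "crossvalleyfcv.org", "triboro-fcv.org", "cityfederalcv.com",
        "portconnfcuu.com", "oufcv.com", "oufcu.com", "example.com",
    };
    for (size_t i = 0; i < sizeof seen / sizeof seen[0]; i++) {
        int hit = lookalike_of(seen[i], 2);
        if (hit >= 0)
            printf("%-20s look-alike of %s\n", seen[i], LEGIT_DOMAINS[hit]);
        else
            printf("%-20s no match\n", seen[i]);
    }
    return 0;
}
```

<p>
	Run against certificate-transparency logs or a passive-DNS feed of newly observed names, the same function turns the table's after-the-fact list into an early warning; the exact-match short-circuit keeps the organisation's own domains from being flagged against each other.
</p>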

<p>
	 
</p>

<p>
	You can find more technical details in the official blog post on Zscaler's website <a href="https://www.zscaler.com/blogs/security-research/large-scale-aitm-attack-targeting-enterprise-users-microsoft-email-services" rel="external nofollow">here</a>.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/beware-microsoft-email-users-even-with-mfa-on-are-unsafe-from-this-new-phishing-attack/" rel="external nofollow">Beware: Microsoft email users, even with MFA on, are unsafe from this new phishing attack</a>
</p>
]]></description><guid isPermaLink="false">7469</guid><pubDate>Thu, 04 Aug 2022 03:24:39 +0000</pubDate></item><item><title>The Microsoft Team Racing to Catch Bugs Before They Happen</title><link>https://nsaneforums.com/news/security-privacy-news/the-microsoft-team-racing-to-catch-bugs-before-they-happen-r7461/</link><description><![CDATA[<p>
	As a rush of cybercriminals, state-backed hackers, and scammers continue to flood the zone with digital attacks and aggressive campaigns worldwide, it’s no surprise that the maker of the ubiquitous Windows operating system is focused on security defense. Microsoft’s Patch Tuesday update releases <a href="https://www.wired.com/story/apple-ios-google-chrome-security-updates-july-2022/" rel="external nofollow">frequently</a> contain fixes for critical vulnerabilities, including those that are <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://blogs.microsoft.com/on-the-issues/2022/07/27/private-sector-cyberweapons-psoas-knotweed/"}' data-offer-url="https://blogs.microsoft.com/on-the-issues/2022/07/27/private-sector-cyberweapons-psoas-knotweed/" href="https://blogs.microsoft.com/on-the-issues/2022/07/27/private-sector-cyberweapons-psoas-knotweed/" rel="external nofollow" target="_blank">actively being exploited</a> by attackers out in the world.
</p>

<p>
	 
</p>

<p>
	The company already has the <a href="https://www.wired.com/story/microsoft-windows-red-team/" rel="external nofollow">requisite groups</a> to hunt for weaknesses in its code (the “red team") and develop mitigations (the “blue team”). But recently, that format evolved again to promote more collaboration and interdisciplinary work in the hopes of catching even more mistakes and flaws before things <a href="https://www.wired.com/story/solarwinds-hacker-methods-copycats/" rel="external nofollow">start</a> to <a href="https://www.wired.com/story/confessions-marcus-hutchins-hacker-who-saved-the-internet/" rel="external nofollow">spiral</a>. Known as Microsoft Offensive Research &amp; Security Engineering, or <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://news.microsoft.com/innovation-stories/morse-microsoft-offensive-research-security-engineering/"}' data-offer-url="https://news.microsoft.com/innovation-stories/morse-microsoft-offensive-research-security-engineering/" href="https://news.microsoft.com/innovation-stories/morse-microsoft-offensive-research-security-engineering/" rel="external nofollow" target="_blank">Morse</a>, the department combines the red team, blue team, and so-called green team, which focuses on finding flaws or taking weaknesses the red team has found and fixing them more systemically through changes to how things are done within an organization.
</p>

<p>
	 
</p>

<p>
	“People are convinced that you cannot move forward without investing in security,” says David Weston, Microsoft’s vice president of enterprise and operating system security who’s been at the company for 10 years. “I’ve been in security for a very long time. For most of my career, we were thought of as annoying. Now, if anything, leaders are coming to me and saying, ‘Dave, am I OK? Have we done everything we can?’ That’s been a significant change.”
</p>

<p>
	 
</p>

<p>
	Morse has been working to promote safe coding practices across Microsoft so fewer bugs end up in the company’s software in the first place. OneFuzz, an open source Azure testing framework, allows Microsoft developers to be constantly, automatically pelting their code with all sorts of unusual use cases to ferret out flaws that wouldn’t be noticeable if the software was only being used exactly as intended.
</p>

<p>
	 
</p>

<p>
	The combined team has also been at the forefront of promoting the use of safer programming languages (like Rust) across the company. And they’ve advocated embedding security analysis tools directly into the real software compiler used in the company’s production workflow. That change has been impactful, Weston says, because it means developers aren’t doing hypothetical analysis in a simulated environment where some bugs might be overlooked at a step removed from real production.
</p>

<p>
	 
</p>

<p>
	The Morse team says the shift toward proactive security has led to real progress. In a recent example, Morse members were vetting historic software—an important part of the group’s job, since so much of the Windows codebase was developed before these expanded security reviews. While examining how Microsoft had implemented Transport Layer Security 1.3, the foundational cryptographic protocol used across networks like the internet for secure communication, Morse discovered a remotely exploitable bug that could have allowed attackers to access targets’ devices.
</p>

<p>
	 
</p>

<p>
	As Mitch Adair, Microsoft’s principal security lead for Cloud Security, <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://news.microsoft.com/innovation-stories/morse-microsoft-offensive-research-security-engineering/"}' data-offer-url="https://news.microsoft.com/innovation-stories/morse-microsoft-offensive-research-security-engineering/" href="https://news.microsoft.com/innovation-stories/morse-microsoft-offensive-research-security-engineering/" rel="external nofollow" target="_blank">put it</a>: “It would have been as bad as it gets. TLS is used to secure basically every single service product that Microsoft uses.”
</p>

<p>
	 
</p>

<p>
	The stakes are indescribably high when your job is to catch mistakes before someone else does in a product that’s used by more than a billion people around the world. Anything you let slip by could play a role in the next global cybersecurity crisis. But Weston says the Morse team self-selects for people who view that reality as a driving motivation, rather than a paralyzing specter.
</p>

<p>
	 
</p>

<p>
	“This is a game of inches; you can be amazing 99.9 percent of the time and introduce the wrong code at the wrong time and it can have dire consequences,” Weston says. “If you work on the top of a tall building all day, you don’t even notice it. But one day you might look down and go, ‘whoa, I’m pretty high up here, that’s scary.' But there are only a couple of places where you can do things at a billion scale, so the nice thing is we rarely have someone coming in who doesn’t find that exciting rather than scary.”
</p>

<p>
	 
</p>

<p>
	Perhaps most importantly, Weston says the tradeoff for living with Microsoft’s scale and the accompanying responsibility is that anything is possible at the company in a way that is only true at a small handful of the biggest tech giants.
</p>

<p>
	 
</p>

<p>
	“In some companies it’s like, well, we build a web application, we’re sort of constrained on the tools we have or the expertise in the company,” he says. “At Microsoft, we have everything from silicon to compilers to the operating system. You don’t really have good excuses for why you can’t do something.”
</p>

<p>
	 
</p>

<p>
	For the Morse team, though, this means there’s no room to squander that rarified position.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/microsoft-morse-team/" rel="external nofollow">The Microsoft Team Racing to Catch Bugs Before They Happen</a>
</p>

<p>
	 
</p>

<p>
	(May require free registration to view)
</p>
]]></description><guid isPermaLink="false">7461</guid><pubDate>Wed, 03 Aug 2022 21:08:06 +0000</pubDate></item><item><title>Windows 11 Smart App Control blocks files used to push malware</title><link>https://nsaneforums.com/news/security-privacy-news/windows-11-smart-app-control-blocks-files-used-to-push-malware-r7458/</link><description><![CDATA[<p>
	Smart App Control, a Windows 11 security feature that blocks threats at the process level, now comes with support for blocking several file types threat actors have recently adopted to infect targets with malware in phishing attacks.
</p>

<p>
	 
</p>

<p>
	"Windows 11 with smart app control blocks iso and lnk files that have mark of the web just like Macros," David Weston, Microsoft's VP for Enterprise and OS Security, <a href="https://twitter.com/dwizzzleMSFT/status/1554283569685573633" rel="external nofollow" target="_blank">tweeted</a> on Tuesday.
</p>

<p>
	 
</p>

<p>
	When blocking a dangerous file using SAC, the system will open a foreground dialog with the following message: "Smart App Control blocked an app that may be unsafe. This file was blocked because files of this type from the internet can be dangerous."
</p>

<p>
	 
</p>

<p>
	While testing Weston's claims, security expert Will Dormann also <a href="https://twitter.com/wdormann/status/1554475849365291010" rel="external nofollow" target="_blank">found</a> that SAC automatically stops IMG, VHD, and VHDX files from opening.
</p>

<p>
	 
</p>

<p>
	After a bit of digging, BleepingComputer also discovered that .appref-ms, .bat, .cmd, .chm, .cpl, .js, .jse, .msc, .msp, .reg, .vbe, .vbs, .wsf files would also be blocked.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="SAC_blocking_a_BAT_file.png" class="ipsImage" data-ratio="75.10" height="367" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2022/SAC_blocking_a_BAT_file.png">
	</p>

	<div>
		<em>SAC blocking BAT files on Windows 11 (BleepingComputer)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	This info comes after Microsoft <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-rolls-back-decision-to-block-office-macros-by-default/" target="_blank" rel="external nofollow">once again started blocking macros</a> in Office files downloaded from the Internet, forcing<a href="https://www.bleepingcomputer.com/news/security/as-microsoft-blocks-office-macros-hackers-find-new-attack-vectors/" target="_blank" rel="external nofollow"> attackers to switch to new file types</a> to deliver their malicious payloads on victims' devices, including ISO, RAR, and Windows Shortcut (LNK) files.
</p>

<p>
	 
</p>

<p>
	Microsoft <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-announces-new-windows-11-security-encryption-features/" target="_blank" rel="external nofollow">announced</a> Smart App Control in April, with Weston describing it as a "major enhancement to the Windows 11 security model" designed to allow only safe and reliable apps to open.
</p>

<p>
	 
</p>

<p>
	He also added that "devices running previous versions of Windows 11 will have to be reset and have a clean installation of Windows 11 to take advantage of this feature."
</p>

<h2>
	Comes with its fair share of kinks
</h2>

<p>
	However, although obviously helpful to defend against attacks by working in tandem with security software like Microsoft Defender, Smart App Control also comes with its fair share of downsides and problems.
</p>

<p>
	 
</p>

<p>
	The most obvious of them is the fact that, at the moment, it can only be tested by Windows Insiders on systems running Windows 11.
</p>

<p>
	 
</p>

<p>
	It can also only be used on clean installs of Windows 11 to ensure there aren't already untrusted apps running on the device, forcing users to reinstall or reset their devices to try the new feature.
</p>

<p>
	 
</p>

<p>
	Microsoft's <a href="https://support.microsoft.com/en-us/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003" rel="external nofollow" target="_blank">documentation</a> is also still lacking. For instance, there is no mention of SAC blocking specific file types, as Weston revealed. Before this, the feature <a href="https://www.microsoft.com/security/blog/2022/04/05/new-security-features-for-windows-11-will-help-protect-hybrid-work/#:~:text=Smart%20App%20Control%20is%20a%20major%20enhancement%20to%20the%20Windows%2011%20security%20model%20that%20prevents%20users%20from%20running%20malicious%20applications%20on%20Windows%20devices%20that%20default%20blocks%20untrusted%20or%20unsigned%20applications." rel="external nofollow" target="_blank">was advertised</a> as a built-in security capability focused on protecting against malicious or unsigned applications.
</p>

<p>
	 
</p>

<p>
	Also, quite confusingly, Redmond says on its support website that the feature can be re-enabled after turning it off by reinstalling Windows (for example, with ‘Reset this PC’).
</p>

<p>
	 
</p>

<p>
	However, in BleepingComputer’s tests, Windows dialogs do not describe this, indicating that it is disabled permanently instead.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="Toggling off SAC is permanent.png" class="ipsImage" data-ratio="47.64" height="241" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2022/Toggling%20off%20SAC%20is%20permanent.png">
	</p>

	<div>
		<em>Toggling off SAC is a permanent deal (BleepingComputer)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Microsoft also says SAC might be turned off automatically on some systems after an “evaluation mode” is performed to check if your device is a “good candidate” (i.e., that it's not ruining your user experience by getting in your way with frequent interruptions).
</p>

<p>
	 
</p>

<p>
	While in evaluation mode, SAC will be disabled and won't block anything until you get the "good candidate" seal of approval.
</p>

<p>
	 
</p>

<p>
	Last but not least, although something one should expect, there is no SAC exclusion list that would prevent it from triggering when trying to open a specific app or file.
</p>

<p>
	 
</p>

<p>
	All in all, apart from some kinks that Microsoft should iron out before the feature reaches general availability for all Windows 11 customers (maybe Windows 10, too), Smart App Control is a welcome addition to Windows 11, with a lot of promise.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/microsoft/windows-11-smart-app-control-blocks-files-used-to-push-malware/" rel="external nofollow">Windows 11 Smart App Control blocks files used to push malware</a>
</p>
]]></description><guid isPermaLink="false">7458</guid><pubDate>Wed, 03 Aug 2022 21:03:37 +0000</pubDate></item><item><title>Twitter Account Hacked? Even Security Companies Have Trouble Getting Back In</title><link>https://nsaneforums.com/news/security-privacy-news/twitter-account-hacked-even-security-companies-have-trouble-getting-back-in-r7441/</link><description><![CDATA[<p>
	<span style="font-size:20px;">In an exclusive interview, AV-Test Institute reveals it's been locked out of its Twitter account for a week, and received no response from Twitter despite repeated pleas for help.</span>
</p>

<p>
	 
</p>

<p>
	The regular reports from antivirus testing companies around the world are extremely helpful when I’m evaluating a new or updated antivirus program. I know all the players, so receiving an email from a lab’s executive team is no surprise, but the request in one such recent email was unusual. Andreas Marx, CEO and co-founder of AV-Test Institute, wanted to know if I had any inside contacts at Twitter. It turned out that AV-Test Institute's main Twitter handle, @avtestorg, had been hacked, and his attempts to get help from Twitter were going unanswered.
</p>

<p>
	<br />
	How could this happen in a company with more than 15 years of experience in the security industry? Speaking with Marx and with Maik Morgenstern, technical director of AV-Test and its other CEO, I learned that even when you do everything right, you can still get hacked. As of this writing, the AV-Test account is still posting and retweeting random NFT spam, rather than providing support for AV-Test’s business and its customers.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="04QfZMmNQcuFpKEwOvzYEqt-5.fit_lim.size_8" class="ipsImage" data-ratio="75.10" height="540" width="648" src="https://i.pcmag.com/imagery/articles/04QfZMmNQcuFpKEwOvzYEqt-5.fit_lim.size_838x.png" />
</p>

<p style="text-align:center;">
	 
</p>

<p style="text-align:center;">
	<span style="font-size:11px;"><em>After an account takeover, a Twitter feed is replaced by spam.</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	<span style="font-size:20px;"><strong>The Background of a Twitter Account Takeover</strong></span>
</p>

<p>
	 
</p>

<p>
	<strong>Neil J. Rubenking: How did you first learn the account was hacked?</strong>
</p>

<p>
	<br />
	<strong>Andreas Marx</strong>: I got a WhatsApp message from a well-known security researcher, just about 10 minutes after the account was hacked on July 25, with screenshots of the compromised Twitter account. Shortly thereafter, we got further notifications from other parties.
</p>

<p>
	<br />
	<strong>What was your first reaction to the hack?</strong>
</p>

<p>
	<br />
	Well, I tried to log in to my mobile device with the Twitter account, but the @avtestorg account was no longer accessible. I tried to check the account on my PC, but I was not able to log in and just saw the compromised Twitter account there, too. (Twitter actually asked me to create a new account!)<br />
	In my email Inbox, I saw three mails from Twitter, all in Russian. One e-mail message from Twitter said, "Пароль был изменён" ("Password has been changed") with the information "Недавно вы изменили пароль своей учетной записи @avtestorg." ("You recently changed your @avtestorg account password."). Just two minutes later, this email message arrived: "Адрес электронной почты для @avtestorg изменен" ("Email address for @avtestorg changed"). It said to confirm by following a link sent to the new email and ended, “If you haven't made these changes, please contact Twitter support immediately."
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="04QfZMmNQcuFpKEwOvzYEqt-3.fit_lim.size_8" class="ipsImage" data-ratio="73.83" height="474" width="642" src="https://i.pcmag.com/imagery/articles/04QfZMmNQcuFpKEwOvzYEqt-3.fit_lim.size_838x.png" />
</p>

<p style="text-align:center;">
	<span style="font-size:11px;"><em>Password change warning in Russian (Credit: PCMag)</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	I'm a German, and I've used Twitter in German language for the last decade, so it appears to me that someone changed the default language first.
</p>

<p>
	<br />
	To my surprise, the new email address for the account was blanked out (not fully visible), and I saw the message that only the new address needs to be confirmed. So, Twitter doesn't even ask if the person behind the current email address agrees with the account change.
</p>

<p>
	<br />
	<strong>What techniques did you use to try regaining access?</strong>
</p>

<p>
	<br />
	We immediately contacted the Twitter support and opened a case, “Regain access - Hacked or compromised," providing all details to reclaim our account. When nothing happened after two days we filed another case, with the same result so far: nothing.
</p>

<p>
	<br />
	<strong>What does Twitter recommend in a case like this?</strong>
</p>

<p>
	<br />
	Twitter suggests you contact their support via the website "I’m having problems with account access."
</p>

<p>
	<br />
	<strong>What was Twitter’s response?</strong>
</p>

<p>
	<br />
	There is no response from Twitter so far, neither from the initial report via the website, nor from a second request two days later. We also tried to contact the support via @TwitterSupport, and tried to contact Twitter via email.
</p>

<p>
	<br />
	Well, “no response” is not entirely true. I've received a response from a bot who asked me, "Twitter would like your feedback. It should only take 2 minutes!" but that's from a third party.
</p>

<p>
	<br />
	<strong>What did you learn from this experience?</strong>
</p>

<p>
	<br />
	I have to admit that I'm still feeling totally lost. More than one week has passed by, and there has been no reaction. I actually expected a response from Twitter after my reports somehow, as the changes to the account and the postings are very unusual. At least the account should have been blocked in the short term, until further verification. The account is still there, and we have no access to it, so it might still be in use by the malicious actors.
</p>

<p>
	<br />
	<strong>Any advice for others to protect their Twitter accounts?</strong>
</p>

<p>
	<br />
	We used a strong password and 2FA (two-factor authentication) for protecting the account, but it looks like this was not enough. Maybe the attacker hasn't stolen the password, but taken over an active session, so they were already logged in and most of the security features are disabled then. I still don't understand why changing the email account wouldn't trigger a 2FA request. That's definitely a weakness of Twitter; other social networks handle this much better.
</p>

<p>
	 
</p>

<p>
	My strong recommendation is actually for Twitter, not for other users. Before changing an email address for an account, please ensure that the current person behind this email address agrees to the transfer. For many other websites and social media platforms, a confirmation link or code is sent before the account can be transferred, or another form of 2FA is required to ensure that the account cannot easily be hijacked.
</p>

<p>
	<br />
	 And, Twitter, please be kind and respond to messages.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:20px;"><strong>What Can You Do to Protect Your Own Accounts?</strong></span>
</p>

<p>
	 
</p>

<p>
	When even the experts can’t prevent an account takeover, you may figure that you’re just out of luck. In truth, there’s quite a bit you can do to make sure your Twitter account and other important accounts remain secure. Start with the basics. If you don’t already have a password manager, get one. Use it to change the passwords for your sensitive accounts to something unique and random. Don’t worry; the password manager remembers them for you.
</p>

<p>
	 
</p>


<p style="text-align:center;">
	 
</p>

<p>
	Even though the hackers in this story seem to have done an end-run around multi-factor authentication, that doesn’t mean it’s not valuable. When you engage multi-factor for your important accounts, you make it a lot harder for anyone to hack into them. Chances are good that a random hacker will skip your account and go for something easier, like an account that has a password of “password” with no added authentication.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="04QfZMmNQcuFpKEwOvzYEqt-4.fit_lim.size_8" class="ipsImage" data-ratio="60.69" height="376" width="720" src="https://i.pcmag.com/imagery/articles/04QfZMmNQcuFpKEwOvzYEqt-4.fit_lim.size_838x.png" />
</p>

<p style="text-align:center;">
	<span style="font-size:11px;"><em>(Credit: PCMag)</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Marx mentioned that the hacker might have gained access through an active, unlocked Twitter session. You can help your security by always logging out when you’re done using Twitter, or at least making sure your computers and smart devices are thoroughly secured. You can also view active and past sessions directly from your Twitter account and click a simple link to shut down all sessions except your current one.
</p>
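<p>
	Marx's two points above, that an email-address change should demand a second factor and the agreement of the current address, together with the advice on shutting down other sessions, translate into a few lines of server-side logic. The following Python is an added example, not Twitter's or AV-TEST's code: the contact address only changes after a fresh TOTP from the live session and confirmation links clicked from both the old and the new mailbox, and a password rotation revokes every other session, so a stolen cookie does not survive the owner's recovery. The inlined TOTP routine, the in-memory token store and the "outbox" standing in for sent mail are assumptions made for the illustration.
</p>

```python
"""Account controls the interview asks for: a contact-address change needs a
fresh second factor from the current session plus a confirmation from the OLD
address before it applies, and a password reset revokes every other session.

Added example; neither Twitter's nor AV-TEST's code. The TOTP routine, the
in-memory token store and the "outbox" that stands in for sending mail are
assumptions made for the illustration.
"""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field
from typing import Optional

TOTP_STEP = 30


def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step), inlined so no library is needed."""
    counter = struct.pack(">Q", int(now) // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Session:
    token: str


@dataclass
class Account:
    email: str
    totp_secret: bytes
    salt: bytes
    pw_hash: bytes
    sessions: dict = field(default_factory=dict)       # token -> Session
    pending_email: Optional[str] = None
    confirmations: dict = field(default_factory=dict)  # mail token -> "old" | "new"
    confirmed: set = field(default_factory=set)
    outbox: list = field(default_factory=list)         # (address, token) mails "sent"


def create_account(email: str, password: str, totp_secret: bytes) -> Account:
    salt = secrets.token_bytes(16)
    return Account(email, totp_secret, salt, hash_password(password, salt))


def _check_second_factor(acct: Account, code: str, now: float) -> None:
    if not hmac.compare_digest(code, totp(acct.totp_secret, now)):
        raise PermissionError("bad second factor")


def login(acct: Account, password: str, code: str, now: float) -> Session:
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
        raise PermissionError("bad password")
    _check_second_factor(acct, code, now)
    s = Session(token=secrets.token_urlsafe(16))
    acct.sessions[s.token] = s
    return s


def request_email_change(acct: Account, session: Session, new_email: str, code: str, now: float) -> None:
    """Step-up auth on the live session, then a confirmation token to BOTH addresses."""
    if session.token not in acct.sessions:
        raise PermissionError("session revoked")
    _check_second_factor(acct, code, now)  # a hijacked session alone is not enough
    acct.pending_email = new_email
    acct.confirmations.clear()
    acct.confirmed.clear()
    for which, addr in (("old", acct.email), ("new", new_email)):
        tok = secrets.token_urlsafe(16)
        acct.confirmations[tok] = which
        acct.outbox.append((addr, tok))


def confirm_email_change(acct: Account, token: str) -> bool:
    """The address switches only after the old AND the new mailbox have used their links."""
    which = acct.confirmations.pop(token, None)
    if which is None:
        return False
    acct.confirmed.add(which)
    if acct.confirmed == {"old", "new"}:
        acct.email, acct.pending_email = acct.pending_email, None
        acct.confirmed.clear()
        return True
    return False


def change_password(acct: Account, session: Session, new_password: str, code: str, now: float) -> int:
    """Rotate the password and revoke every other session; returns how many were cut off."""
    if session.token not in acct.sessions:
        raise PermissionError("session revoked")
    _check_second_factor(acct, code, now)
    acct.salt = secrets.token_bytes(16)
    acct.pw_hash = hash_password(new_password, acct.salt)
    others = [t for t in acct.sessions if t != session.token]
    for t in others:
        del acct.sessions[t]
    return len(others)


if __name__ == "__main__":
    # Constructed walk-through: the owner logs in while an attacker holds a stolen session.
    secret, now = b"constructed-totp-seed", 1_659_000_000.0
    acct = create_account("owner@example.test", "correct horse battery", secret)
    owner = login(acct, "correct horse battery", totp(secret, now), now)
    acct.sessions["stolen-cookie"] = Session(token="stolen-cookie")
    try:
        request_email_change(acct, Session("stolen-cookie"), "evil@example.test", "000000", now)
    except PermissionError as e:
        print("attacker blocked:", e)
    print("sessions revoked:", change_password(acct, owner, "new passphrase", totp(secret, now), now))
```

<p>
	The design point is that possession of a valid session is never sufficient for a change that would transfer the account: the step-up TOTP is checked against the live session, and the old mailbox keeps a veto until it clicks its own link. The scheme Marx describes, where only the new address is asked to confirm, is what you get by dropping the <code>"old"</code> entry from the loop.
</p>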

<p>
	<br />
	So, what are you waiting for? Log into your Twitter account right now and make sure you have multi-factor authentication protecting it. Check those other sessions—if any of them look wonky, pull the plug and shut 'em all down. And be sure you're protecting that account with a strong password, not your birthday or your dog's name.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.pcmag.com/news/twitter-account-hacked-even-security-companies-have-trouble-getting-back" rel="external nofollow">Source</a></strong>
</p>

<p>
	 
</p>

<p>
	<em>Also:  <a href="https://www.neowin.net/news/in-a-major-embarrassment-av-tests-twitter-remains-hacked-after-more-than-a-week/" rel="external nofollow">In a major embarrassment, AV-TEST's Twitter remains hacked after more than a week</a></em>.
</p>
]]></description><guid isPermaLink="false">7441</guid><pubDate>Wed, 03 Aug 2022 16:49:43 +0000</pubDate></item><item><title>Monitoring software on students&#x2019; school laptops raises privacy concerns</title><link>https://nsaneforums.com/news/security-privacy-news/monitoring-software-on-students%E2%80%99-school-laptops-raises-privacy-concerns-r7439/</link><description><![CDATA[<p>
	Ever since students have had the ability to go online at school, schools have been watching what they do. Through the use of activity monitoring software, schools can filter out certain websites or look for signs that students might harm themselves or others.
</p>

<p>
	<br />
	During the pandemic, when school went virtual, districts spent billions on devices and software for students to use while at home. Now, many are back in the classroom.
</p>

<p>
	<br />
	But <a href="https://cdt.org/insights/report--hidden-harms-the-misleading-promise-of-monitoring-students-online/" rel="external nofollow">a report out today</a> from the Center for Democracy and Technology finds the use of tracking software is expanding – 89% of American public school teachers say their school uses software to keep track of students online, according to that new report.
</p>

<p>
	<br />
	“Schools are under unbelievable pressure to keep students safe from harming themselves or harming others,” said Elizabeth Laird, one of the authors.<br />
	Parents and kids say they support monitoring – if it’s used, for example, to identify students who are suicidal.
</p>

<p>
	 
</p>

<p>
	But the survey found it was more common to flag a student for things like cheating or cyberbullying.
</p>

<p>
	<br />
	Laird said that’s more likely to hurt kids who are Black, Hispanic, or low-income and tend to rely on school-issued devices.
</p>

<p>
	<br />
	“If you don’t have an alternative, and you can’t opt out of this tracking, you would be subjected to more discipline than your peers,” she said.
</p>

<p>
	<br />
	Companies have said their software isn’t meant to be used in this way. But Amelia Vance, a consultant on child and student privacy issues, is concerned about potentially invasive data collection.
</p>

<p>
	 
</p>

<p>
	“There are more records kept than there ever was in the past,” she said.
</p>

<p>
	<br />
	Vance points out that federal policymakers are concerned about the monitoring, but are also considering requiring more of it.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.marketplace.org/2022/08/03/monitoring-software-on-students-school-laptops-raises-privacy-concerns/" rel="external nofollow">Source</a></strong>
</p>

<p>
	 
</p>

<p>
	<em>Also:  <a href="https://www.theregister.com/2022/08/04/cdt_school_surveillance/" rel="external nofollow">Education officials urged to curb student snoopware</a>.</em>
</p>
]]></description><guid isPermaLink="false">7439</guid><pubDate>Wed, 03 Aug 2022 16:29:39 +0000</pubDate></item><item><title>Rights Groups Demand DOE Take a Stand on 'Invasive' Student Surveillance Software</title><link>https://nsaneforums.com/news/security-privacy-news/rights-groups-demand-doe-take-a-stand-on-invasive-student-surveillance-software-r7438/</link><description><![CDATA[<p>
	More than a dozen rights groups and education organizations wrote a letter urgently calling on the Department of Education to take a stance on controversial student monitoring software, which they say violates students’ privacy and threatens to undermine hard-fought civil rights gains.
</p>

<p>
	<br />
	Digital rights and privacy experts shared similar concerns with Gizmodo and claimed these technologies, often implemented in the name of safety, actually make schools less safe for students. The letter comes on the heels of newly-released research from The Center for Democracy &amp; Technology (CDT) which claims a staggering 89% of U.S. teachers report using software capable of tracking their students’ online activity.
</p>

<p>
	<br />
	The organizations, which include the CDT, American Civil Liberties Union, and American Association of School Librarians, claim these monitoring tools, which exploded in use during the pandemic and have gained favor as a means of safety following the horrific Uvalde, Texas school shooting, are “often used in ways that discriminate against protected groups of students.” The groups cite the new CDT research, claiming the continued prevalence of monitoring software (often used even after normal school hours) can exacerbate racially disproportionate school discipline, lead to increased student interactions with law enforcement for people of color, result in the “outing” of LGBTQ+ students, stifle speech, and exacerbate students’ mental health struggles. All of these factors, the groups argue, are more likely to affect low-income students and students of color, who previous research has shown are more likely to use school-provided technology.
</p>

<p>
	<br />
	Collectively, the groups called on the DOE to condemn the use of particular monitoring tools found to run afoul of student civil liberties, and issue a policy statement laying out the connections between civil rights laws and student monitoring activity.
</p>

<p>
	<br />
	In a phone interview with Gizmodo, ACLU Advocacy and Policy Counsel Chad Marlow said they understood why, at a time of escalating shootings, schools would be drawn to monitoring solutions, but warned those very same tools could lead vulnerable students to feel less comfortable turning to peers, counselors or other professionals for help.
</p>

<p>
	<br />
	“These schools and school districts, in their understandable desire to help students, are actually hurting their students, not helping them and are being misled into thinking these interventions are helpful,” Marlow said. “Here we’re talking about really significant harms to kids.”
</p>

<p>
	<br />
	Those tech-based interventions, Marlow said, come with opportunity costs. For every dollar spent on software able to monitor keystrokes or cameras monitoring students’ footsteps, that’s one less dollar spent paying the salary of a mental health professional who may be better suited to identifying a struggling child, or a new teacher who could motivate a student.
</p>

<p>
	<br />
	“They [schools] are forgoing opportunities to bring in real help that will actually reduce violence, help kids feel more protected, and will help kids get the resources they need,” Marlow added.
</p>

<p>
	<br />
	The Department of Education did not immediately respond to Gizmodo’s request for comment.
</p>

<p style="margin-left:40px;">
	<br />
	<span style="font-size:20px;">“This type of invasive student surveillance makes our kids less safe, not more safe”</span>
</p>

<p>
	<br />
	Teachers surveyed by CDT say insights gleaned from their tools are already leading to real-world consequences. Nearly half (44%) of teachers surveyed say student monitoring activity has led to students being contacted by law enforcement. Over one in 10 students say they or someone they know has experienced nonconsensual outing of their sexual orientation or gender identity as a direct result of monitoring software. Another 46% of students say they were contacted by a mental health counselor or another adult questioning their mental health following content flagged by the monitoring tools.
</p>

<p>
	<br />
	“Our data shows that nearly half of teachers say they know of at least one student who has been contacted by law enforcement as a result of student activity monitoring,” CDT President and CEO Alexandra Reeve Givens said in a statement. “When you combine the resurgence of violence in schools with the mental health crisis among kids, schools are surveilling students’ activities more than ever. But these efforts to make students safer more often result in disciplining students instead.”
</p>

<p>
	<br />
	There are also early signs the pervasive nature of these tools may also quell student speech and creativity. Around half of all students said they felt unease expressing their true thoughts and feelings online if they knew they were monitored. That figure ticked up even higher for children with learning disabilities.
</p>

<p>
	<br />
	All of this is concerning to a majority of students and parents. 61% of parents and 57% of students surveyed said they were either very or somewhat concerned with the privacy and security of their data and how their school is using it. The CDT research, which offers the clearest glimpse yet on the state of remote surveillance technologies in U.S. schools, relied on surveys of students between grades 9-12, as well as teachers teaching between grades 6-10. Researchers also surveyed the parents of students between grades 6-12.
</p>

<p>
	<br />
	Gizmodo spoke to several digital rights and privacy groups who shared their concerns on the sharp uptick in commercial school surveillance software in recent years. Fight for the Future Director Evan Greer argued remote monitoring tools may actually make schools less safe for students and said some of the tools referenced in the report are in effect indistinguishable from “stalkerware” used to spy on dissidents in authoritarian regimes.
</p>

<p>
	<br />
	“They don’t just violate students’ privacy, they pose an enormous cybersecurity threat, and put students’ lives in danger,” Greer said.
</p>

<p>
	<br />
	Albert Fox Cahn, director of the Surveillance Technology Oversight Project, expressed particular fears that the increased exposure to law enforcement resulting from these tools could further burden the U.S.‘s already strained criminal justice system.
</p>

<p>
	<br />
	“With this technology, the school-to-prison pipeline can reach into students’ bedrooms,” Fox Cahn said. “No one should worry about having the police at their front door because a Google search gets flagged. The more surveillance we have, the more kids will be wrongly arrested.”
</p>

<p>
	<br />
	Both the report’s authors and the experts speaking with Gizmodo agree the current political climate, where conservative lawmakers in several states are fighting to restrict certain curricula involving race and LGBTQ+ topics and certain states are rushing to pass restrictive anti-abortion laws, make clear guidance around surveillance tools all the more urgent.
</p>

<p>
	<br />
	“In a world where extremist state officials are criminalizing abortion and directing schools to investigate students who seek gender affirming health care, these monitoring tools can and will be weaponized to deprive young people of their basic human rights,” Greer said. “School districts, teachers, parents, and students should reject this software and refuse to use it. We have to draw a line in the sand before it’s too late.”
</p>

<p>
	<br />
	Greer added that the Biden administration should immediately issue guidance on K-12 schools against the use of the software and said Congress should consider passing laws banning use of the tech, both in and out of schools.
</p>

<p>
	<br />
	“It’s terrifying to imagine how this sort of student tracking will be weaponized against pregnant teens seeking abortions and trans kids,” Fox Cahn of S.T.O.P. said. “In states that criminalize abortion and gender-affirming care, the school surveillance state will become another way these invasive laws are enforced.”
</p>

<p>
	<br />
	More broadly, Marlow of the ACLU says the escalation of these technologies risks fundamentally altering the way children grow and develop in school systems. Constant monitoring, Marlow warned, could turn students into a type of surveilled prisoner.
</p>

<p>
	<br />
	“When your school starts to feel like a prison and you feel like you are being watched like an inmate, that’s not conducive to a strong academic environment, it’s not good for social and emotional growth, and it actually can end up harming kids.”
</p>

<p>
	<br />
	<strong><a href="https://www.msn.com/en-us/news/technology/rights-groups-demand-doe-take-a-stand-on-invasive-student-surveillance-software/ar-AA10gPVo" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">7438</guid><pubDate>Wed, 03 Aug 2022 16:23:55 +0000</pubDate></item><item><title>Microsoft's new security tool lets you see your systems like a hacker would</title><link>https://nsaneforums.com/news/security-privacy-news/microsofts-new-security-tool-lets-you-see-your-systems-like-a-hacker-would-r7437/</link><description><![CDATA[<p>
	<span style="font-size:20px;">Microsoft brings in its RiskIQ acquisition to launch Defender Threat Intelligence and Defender External Attack Surface Management.</span>
</p>

<p>
	 
</p>

<p>
	Microsoft has launched two security services that aim to boost the intelligence capabilities of an organization's security operations center (SOC) rather than solely protect devices.
</p>

<p>
	<br />
	Microsoft has launched Defender Threat Intelligence and Defender External Attack Surface Management (EASM) — two new products that merge technology Microsoft gained after acquiring security firm RiskIQ last July for $500 million.
</p>

<p>
	 
</p>

<p>
	There may appear to be some overlap with Microsoft's existing services, such as its Azure-powered Sentinel security information and event management (SIEM) service, Microsoft Defender Experts for Hunting, a managed threat hunting service, and its Defender Experts for XDR, a managed extended detection and response (XDR) service.
</p>

<p>
	<br />
	But Microsoft says these RiskIQ-based threat intel service offerings differ in that they provide customers with "direct access to real-time data" from Microsoft's security signals. Microsoft chief Satya Nadella last week said the firm receives 43 trillion security signals each day.
</p>

<p>
	<br />
	Besides signals, Microsoft says its new threat intel service is based on intel merged between RiskIQ, Microsoft's nation-state tracking team, Microsoft Threat Intelligence Center (MSTIC, pronounced 'Mystic'), and the Microsoft 365 Defender security research team.
</p>

<p>
	<br />
	Rob Lefferts, corporate VP of Microsoft Modern Protection and SOC unit, tells ZDNet the threat intel service is about "connecting SOCs with Microsoft's own researchers from MSTIC".
</p>

<p>
	<br />
	Meanwhile, Microsoft Defender External Attack Surface Management is about "how do we make sure that you get to see the whole world the way that the attacker would," says Lefferts.
</p>

<p>
	<br />
	"We're gonna scan the internet and help you understand what do you present out on the public internet and what exposure does that mean for your company."
</p>

<p>
	<br />
	The attack surface management service could be useful given that attackers start scanning the internet for exposed vulnerable devices within 15 minutes of a major flaw's public disclosure and generally continue scanning the internet for older flaws, such as last year's nasty Exchange Server flaws, ProxyLogon and ProxyShell.
</p>

<p>
	<br />
	This service discovers a customer's unknown and unmanaged resources that are visible and accessible from the internet – giving defenders the same view an attacker has when they select a target. Defender EASM helps customers discover unmanaged resources that could be potential entry points for an attacker.
</p>

<p>
	<br />
	Across MSTIC and Microsoft 365 Defender Research, Microsoft is tracking 250 different actors and ransomware families.
</p>

<p>
	<br />
	"We're providing intelligence across all of them and bringing that into your security team — not just to learn the latest news… but also to explore it, so if I see an indicator, I might explore where that might live on the network and connect that to what I'm seeing in my company. It's like a workbench for analysts inside a company," says Lefferts.
</p>

<p>
	 
</p>

<p>
	Microsoft's security business is growing at a rapid clip. It was worth $10 billion a year in 2021, and as of April had grown to become a $15 billion a year business. At its Q4 FY 2022 earnings update, Nadella said Microsoft's "security revenue increased 40 percent" and that its security business now spans 50 categories, well beyond its Defender antivirus for Windows PCs.
</p>

<p>
	<br />
	Other recent acquisitions include IoT security firms CyberX and ReFirm Labs to boost its cybersecurity offerings.
</p>

<p>
	<br />
	Microsoft rebranded its Defender lineup in 2020, bringing Microsoft Threat Protection, Defender ATP, Azure Security Center, and others under the Microsoft Defender moniker. Microsoft Defender would become its XDR product, while Azure Sentinel became its SIEM line.
</p>

<p>
	<br />
	Lefferts says the two new Defender-branded services are standalone products.
</p>

<p>
	<br />
	"This is different to protecting endpoints. It's about improving your security team, giving them new views and perspectives. If you think about a game of chess, if you turn it around and look at it from your opponent's point of view, this is a tool that is designed to help analysts do that by giving them that different perspective," he says.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.zdnet.com/article/microsofts-new-security-tool-lets-you-to-see-your-systems-like-a-hacker-would/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">7437</guid><pubDate>Wed, 03 Aug 2022 16:14:17 +0000</pubDate></item><item><title>Nvidia issues driver security update for unsupported systems with Windows 7 and 8</title><link>https://nsaneforums.com/news/security-privacy-news/nvidia-issues-driver-security-update-for-unsupported-systems-with-windows-7-and-8-r7427/</link><description><![CDATA[<p>
	Nvidia stopped issuing GPU driver updates for systems running Windows 8 and 7 in late 2021. Still, the company promised to release periodic security patches for unsupported devices until September 2024. One such update has just become available to those refusing to upgrade to Windows 10 or 11.
</p>

<p>
	 
</p>

<p>
	Driver 473.81 is available only to systems running Windows 7 and 8, and it contains no new features or game-related fixes. According to <a href="https://us.download.nvidia.com/Windows/473.81/473.81-win8-win7-release-notes.pdf" rel="external nofollow">the release notes</a>, the driver brings only security patches, and all the details will soon be available <a href="https://www.nvidia.com/en-us/security/" rel="external nofollow">on the Nvidia Product Security Page</a>. Nvidia says users with supported hardware need to update to Windows 10 or 11 to receive performance enhancements, new features, bugfixes, and game-specific improvements.
</p>

<p>
	 
</p>

<p>
	Hardware-wise, the Nvidia GeForce 473.81 driver supports desktop graphics cards from the GTX 600 to RTX 3000 Series and mobile GPUs from the GeForce 800 Series to RTX 3000 Series. Users can download the latest release <a href="https://www.nvidia.com/download/driverResults.aspx/191965/en-us/" rel="external nofollow">from the official Nvidia website</a>.
</p>

<p>
	 
</p>


<p>
	On the AMD side, owners of older Radeon GPUs received <a href="https://www.neowin.net/news/custom-radeon-drivers-bring-noise-suppression-to-older-amd-gpus/" rel="external nofollow">an unofficial driver that enables AMD's latest AI-based noise suppression technology</a>. Official drivers allow using the new tech only on the Radeon 6000 Series, but you can get it using a third-party driver from NimeZ without investing in a new graphics card.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/nvidia-issues-driver-security-update-for-unsupported-systems-with-windows-7-and-8/" rel="external nofollow">Nvidia issues driver security update for unsupported systems with Windows 7 and 8</a>
</p>
]]></description><guid isPermaLink="false">7427</guid><pubDate>Tue, 02 Aug 2022 20:28:35 +0000</pubDate></item><item><title>Microsoft Edge's SmartScreen is flagging ProtonMail's website as malicious</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-edges-smartscreen-is-flagging-protonmails-website-as-malicious-r7424/</link><description><![CDATA[<p>
	Recently, ProtonMail experienced an <a data-wpel-link="internal" href="https://www.ghacks.net/2022/07/18/proton-explains-the-technical-issues-that-caused-the-recent-protonmail-outages/" rel="external nofollow" target="_blank">outage</a> spread across three days that prevented users from accessing their inbox. Now, some users have a similar issue, as Microsoft Edge's SmartScreen is blocking them from viewing their mails.
</p>

<p>
	 
</p>

<p>
	<img alt="Microsoft-Edges-SmartScreen-is-flagging-" class="ipsImage" data-ratio="75.10" height="348" width="720" src="https://www.ghacks.net/wp-content/uploads/2022/08/Microsoft-Edges-SmartScreen-is-flagging-ProtonMails-website-as-malicious.jpg">
</p>

<p>
	 
</p>

<p>
	In case you didn't know, Proton <a data-wpel-link="internal" href="https://www.ghacks.net/2022/05/26/proton-mail-plus-unlimited-plan-prices-comparison/" rel="external nofollow" target="_blank">rebranded</a> its services under a unified branding called Proton.me a couple of months ago. While your email address remains the same (e.g. username@protonmail.com), the website itself has moved to Proton.me. If you try to visit Protonmail.com, it will redirect you to Proton.me.
</p>

<h3>
	Microsoft Edge's SmartScreen is flagging ProtonMail's website as malicious
</h3>

<p>
	If you visit <a data-wpel-link="external" href="https://proton.me/" rel="external nofollow" target="_blank">https://proton.me/</a> in Edge, the page loads normally. This applies to most of the links on the site, including the login portal, account.proton.me. You can sign in to your account too, but that's where the issue occurs. If you try to access <a data-wpel-link="external" href="https://mail.proton.me/" rel="external nofollow" target="_blank">https://mail.proton.me/</a>, you will be greeted by a red screen with a warning that reads,
</p>

<p>
	 
</p>

<p>
	"This site has been reported as unsafe Hosted by mail.proton.me. Microsoft recommends you don't continue to this site. It has been reported to Microsoft for containing phishing threats which may try to steal personal or financial information."
</p>

<p>
	 
</p>

<p>
	When a user sees a message like that, they could panic and assume that the website has been hacked or infected with malware. That's how SmartScreen is designed to work.
</p>

<p>
	 
</p>

<p>
	The website for the company's cloud storage service, <a data-wpel-link="external" href="https://drive.proton.me/" rel="external nofollow" target="_blank">Proton Drive</a>, is also impacted by the issue. On the other hand, Proton Calendar and ProtonVPN's websites seem to be unaffected. Proton Status' <a data-wpel-link="external" href="https://protonstatus.com/" rel="external nofollow" target="_blank">website</a> only shows some issues related to the company's VPN services, i.e., the e-mail service is fully operational.
</p>

<h4>
	So, the question is: has Proton been hacked?
</h4>

<p>
	No. Proton <a data-wpel-link="external" href="https://twitter.com/ProtonSupport/status/1554185275546505217" rel="external nofollow" target="_blank">says</a> that a bug in Microsoft Edge's SmartScreen is flagging the URLs incorrectly, and that it has contacted the Redmond company to fix the issue. Proton also took a cheeky swipe at Microsoft Edge by recommending that users switch to a different/better browser as a workaround.
</p>

<p>
	 
</p>

<p>
	<img alt="Microsoft-Edgeis-blocking-ProtonMails-we" data-ratio="56.81" src="https://www.ghacks.net/wp-content/uploads/2022/08/Microsoft-Edgeis-blocking-ProtonMails-website.jpg">
</p>

<p>
	 
</p>

<p>
	Speaking of other browsers, I had no trouble accessing ProtonMail in Firefox, Safari, Vivaldi, Waterfox, and Chrome. They all load the same servers, so this problem is isolated to Edge, and not limited to the OS, i.e. when I tried to access it, Edge blocked the sites in both Windows and macOS.
</p>

<p>
	 
</p>

<p>
	I don't think it is a good idea to disable SmartScreen, because you never know when a website could really be dangerous. If you really need to access your inbox in Edge without turning the security feature off, visit Proton's site, and then click on the ! Dangerous icon in the address bar. Select the button that says "Show unsafe content", and it should load your inbox. The issue is, you will have to do this every time you access the site.
</p>

<p>
	 
</p>

<p>
	Warning: I wouldn't advise following the above method every time you run into blocked sites, for security reasons.
</p>

<p>
	 
</p>

<p>
	On a sidenote, the Proton Drive app for Android is now <a data-wpel-link="external" href="https://play.google.com/store/apps/details?id=me.proton.android.drive" rel="external nofollow" target="_blank">available</a> on the Google Play Store for beta testing. The iOS app's beta program The Per the roadmap which we wrote about, Proton Drive for Windows and iOS
</p>

<p>
	 
</p>

<p>
	Do you use ProtonMail in Microsoft Edge?
</p>

<p>
	 
</p>


<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2022/08/02/microsoft-edges-smartscreen-is-flagging-protonmails-website-as-malicious/" rel="external nofollow">Microsoft Edge's SmartScreen is flagging ProtonMail's website as malicious</a>
</p>
]]></description><guid isPermaLink="false">7424</guid><pubDate>Tue, 02 Aug 2022 20:22:33 +0000</pubDate></item><item><title>Microsoft Defender now better at blocking ransomware on Windows 11</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-defender-now-better-at-blocking-ransomware-on-windows-11-r7423/</link><description><![CDATA[<p>
	Microsoft has released new Windows 11 builds to the Beta Channel with improved Microsoft Defender for Endpoint ransomware attack blocking capabilities.
</p>

<p>
	 
</p>

<p>
	As the company added, starting with today's builds (22621.450 and 22622.450), the enterprise endpoint security platform also gets better at detecting and intercepting what Redmond calls "advanced attacks."
</p>

<p>
	 
</p>

<p>
	"We enhanced Microsoft Defender for Endpoint's ability to identify and intercept ransomware and advanced attacks," Microsoft's Amanda Langowski and Brandon LeBlanc <a href="https://blogs.windows.com/windows-insider/2022/08/02/announcing-windows-11-insider-preview-build-22621-450-and-22622-450/" rel="external nofollow" target="_blank">said</a>.
</p>

<p>
	 
</p>

<p>
	When asked for additional details on what enhancements were added to Defender for Endpoint, LeBlanc <a href="https://twitter.com/brandonleblanc/status/1554526978816020483" rel="external nofollow" target="_blank">declined</a> to share more info besides what was shared in today's blog post.
</p>

<p>
	 
</p>

<p>
	The new builds add several other improvements, including storage replication over low bandwidth or congested wide area networks (WAN) and file compression if Server Message Block (SMB) Compression is configured.
</p>

<p>
	 
</p>

<p>
	They also address issues triggering 0x80070026 errors when copying files from network drives and causing Microsoft Edge to freeze when using IE mode.
</p>

<h2>
	Windows Subsystem for Android updates
</h2>

<p>
	Today, the Windows Insider Program Team also rolled out updates for Windows Subsystem for Android to all Windows 11 Insider channels.
</p>

<p>
	 
</p>

<p>
	"This update (version 2206.40000.15.0) includes several new updates such as updates for input compatibility in apps such as games, networking and windowing improvements, and reliability updates," Microsoft <a href="https://blogs.windows.com/windows-insider/2022/08/02/update-to-windows-subsystem-for-android-on-windows-11-august-2022/" rel="external nofollow" target="_blank">said</a>.
</p>

<p>
	 
</p>

<p>
	For instance, starting today, the Windows Subsystem for Android Settings app allows users to toggle on compatibility for games with joysticks (mapped to WASD), gamepads in games, and aiming and sliding with arrow keys.
</p>

<p>
	 
</p>

<p>
	While Microsoft also updated Windows Subsystem for Android in July to enable Windows 11 Insiders to use their VPN's IP address with Android apps, users are now asked to disable Advanced Networking in settings when using VPNs if they lose network connectivity.
</p>

<p>
	 
</p>

<p>
	The Windows Subsystem for Android has been available <a href="https://www.bleepingcomputer.com/news/microsoft/windows-11s-android-apps-feature-now-available-in-the-us/" target="_blank" rel="external nofollow">in public preview for United States users</a> since February 2022.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-now-better-at-blocking-ransomware-on-windows-11/" rel="external nofollow">Microsoft Defender now better at blocking ransomware on Windows 11</a>
</p>
]]></description><guid isPermaLink="false">7423</guid><pubDate>Tue, 02 Aug 2022 20:17:43 +0000</pubDate></item><item><title>ExpressVPN announces native app for Apple Silicon Macs</title><link>https://nsaneforums.com/news/security-privacy-news/expressvpn-announces-native-app-for-apple-silicon-macs-r7422/</link><description><![CDATA[<p>
	<a href="http://www.expressvpn.com/blog/native-support-apple-silicon-mac-computers/" rel="external nofollow">ExpressVPN announced the 11.5.0 version</a> of its app that now runs natively on Apple Silicon Macs, including the M1 and M2 series. The company blog post suggests that users will now be able to experience decreased battery consumption and a performance boost by updating to the latest version of the ExpressVPN application.
</p>

<p>
	 
</p>

<p>
	Since the Apple M1 series launched around 2021 and the M2 series in June 2022, they are relatively new. The series comes with faster CPU performance and improved GPU and Neural Engines, but ExpressVPN states that many applications do not have native support on these Apple Silicon Macs. It claims that even when Rosetta 2 translates apps originally built for Intel-based Macs, they do not work as well as native apps on Apple Silicon Macs.
</p>

<p>
	 
</p>

<p>
	In its announcement, the company said:
</p>


<p>
	 
</p>

<p style="margin-left: 40px;">
	“ExpressVPN users with Apple silicon Macs can now enjoy the full effects of improvements to their computers’ reliability, performance, speed, and battery life—just by updating to the latest version of our Mac app.”
</p>

<p>
	 
</p>

<p>
	For Mac users with Intel processors, the ExpressVPN app will continue to work as before; however, Apple Silicon Mac users will be able to access the native ExpressVPN app by updating it.
</p>

<p>
	 
</p>

<p>
	Source: <a href="https://www.expressvpn.com/blog/native-support-apple-silicon-mac-computers/" rel="external nofollow">ExpressVPN</a> via <a href="https://9to5mac.com/2022/08/02/express-vpn-runs-natively-apple-silicon-macs/" rel="external nofollow">9to5Mac</a>
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/expressvpn-announces-native-app-for-apple-silicon-macs/" rel="external nofollow">ExpressVPN announces native app for Apple Silicon Macs</a>
</p>
]]></description><guid isPermaLink="false">7422</guid><pubDate>Tue, 02 Aug 2022 20:16:59 +0000</pubDate></item><item><title>Wolf in sheep&#x2019;s clothing: how malware tricks users and antivirus</title><link>https://nsaneforums.com/news/security-privacy-news/wolf-in-sheep%E2%80%99s-clothing-how-malware-tricks-users-and-antivirus-r7421/</link><description><![CDATA[<p>
	One of the primary methods used by malware distributors to infect devices is by deceiving people into downloading and running malicious files, and to achieve this deception, malware authors are using a variety of tricks.
</p>

<p>
	 
</p>

<p>
	Some of these tricks include masquerading malware executables as legitimate applications, signing them with valid certificates, or compromising trustworthy sites to use them as distribution points.
</p>

<p>
	 
</p>

<p>
	According to VirusTotal, a security platform for scanning uploaded files for malware, some of these tricks are happening on a much larger scale than initially thought.
</p>

<p>
	 
</p>

<p>
	The platform has compiled a report presenting stats from January 2021 until July 2022, based on the submission of two million files daily, illustrating trends in how malware is distributed.
</p>

<h2>
	Abusing legitimate domains
</h2>

<p>
	Distributing malware through legitimate, popular, and high-ranking websites allows threat actors to evade IP-based blocklists, enjoy high availability, and provide a greater level of trust.
</p>

<p>
	 
</p>

<p>
	VirusTotal detected 2.5 million suspicious files downloaded from 101 domains belonging to Alexa’s top 1,000 websites.
</p>

<p>
	 
</p>

<p>
	The most notable abuse case is Discord, which has become a <a href="https://www.bleepingcomputer.com/news/security/discord-abused-to-spread-malware-and-harvest-stolen-data/" target="_blank" rel="external nofollow">hotbed of malware distribution</a>, with hosting service and cloud service providers Squarespace and Amazon also logging large numbers.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="domain-abuse.png" class="ipsImage" data-ratio="46.53" height="219" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Diagrams/domain-abuse.png">
	</p>

	<div>
		<em>Most abused domains for malware distribution (VirusTotal)</em>
	</div>
</div>

<h2>
	Using stolen code-signing certificates
</h2>

<p>
	Signing malware samples with valid certificates stolen from companies is a reliable way to evade AV detection and security warnings on the host.
</p>

<p>
	 
</p>

<p>
	Of all the malicious samples uploaded to VirusTotal between January 2021 and April 2022, over a million were signed, and 87% used a valid certificate.
</p>

<p>
	 
</p>

<p>
	The most common certification authorities that are used to sign the malicious samples submitted to VirusTotal include Sectigo, DigiCert, USERTrust, and Sage South Africa.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="signing-authorities.png" class="ipsImage" data-ratio="73.75" height="400" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Diagrams/signing-authorities.png">
	</p>

	<div>
		<em>Signing authorities used by malware authors (VirusTotal)</em>
	</div>
</div>

<h2>
	Disguised as popular software
</h2>

<p>
	Masquerading a malware executable as a legitimate, popular application has seen an upward trend in 2022.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="software-disguise.png" class="ipsImage" data-ratio="53.33" height="253" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Diagrams/software-disguise.png">
	</p>

	<div>
		<em>Trend of disguising malware as real apps (VirusTotal)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Victims download these files thinking they’re getting the applications they need, but upon running the installers, they infect their systems with malware.
</p>

<p>
	 
</p>

<p>
	The most mimicked applications (by icon) are Skype, Adobe Acrobat, VLC, and 7zip.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="app-mask.png" class="ipsImage" data-ratio="73.75" height="460" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Diagrams/app-mask.png">
	</p>

	<div>
		<em>App icons used as lures for malware (VirusTotal)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	The popular Windows optimization program CCleaner that we saw in a <a href="https://www.bleepingcomputer.com/news/security/poisoned-ccleaner-search-results-spread-information-stealing-malware/" target="_blank" rel="external nofollow">recent SEO poisoning campaign</a> is among the hackers’ prominent choices and features an exceptionally high infection ratio for its distribution volume.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="infection-ratio.png" class="ipsImage" data-ratio="51.39" height="248" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Diagrams/infection-ratio.png">
	</p>

	<div>
		<em>Infection ratio of malware by mimicked app (VirusTotal)</em>
	</div>
</div>

<h2>
	Lacing legitimate installers
</h2>

<p>
	Finally, there’s the trick of hiding malware inside legitimate application installers and running the infection process in the background while the real apps execute in the foreground.
</p>

<p>
	 
</p>

<p>
	This process helps in tricking the victims and also evades some antivirus engines that don’t scrutinize the PE resource structure and content in executables.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="legit-installers.png" class="ipsImage" data-ratio="55.00" height="254" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Diagrams/legit-installers.png">
	</p>

	<div>
		<em>Legitimate installers laced with malware (VirusTotal)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Based on VirusTotal stats, this practice also appears to be on the rise this year, using Google Chrome, Malwarebytes, Windows Updates, Zoom, Brave, Firefox, ProtonVPN, and Telegram as lures.
</p>

<h2>
	How to stay safe
</h2>

<p>
	When looking to download software, either use your OS’s built-in app store or visit the application’s official download page. Also, beware of promoted ads on search results that may rank higher, as they can <a href="https://www.bleepingcomputer.com/news/security/convincing-youtube-google-ads-lead-to-windows-support-scams/" target="_blank" rel="external nofollow">easily be spoofed to look like legitimate sites</a>.
</p>

<p>
	 
</p>

<p>
	After downloading an installer, always perform an AV scan on the file before executing it to ensure it is not malware in disguise.
</p>

<p>
	 
</p>

<p>
	Finally, avoid using torrent sites for cracks or keygens for copyrighted software, as they commonly lead to a malware infection.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/wolf-in-sheep-s-clothing-how-malware-tricks-users-and-antivirus/" rel="external nofollow">Wolf in sheep’s clothing: how malware tricks users and antivirus</a>
</p>
]]></description><guid isPermaLink="false">7421</guid><pubDate>Tue, 02 Aug 2022 20:15:49 +0000</pubDate></item><item><title>Post-quantum encryption contender is taken out by single-core PC and 1 hour</title><link>https://nsaneforums.com/news/security-privacy-news/post-quantum-encryption-contender-is-taken-out-by-single-core-pc-and-1-hour-r7417/</link><description><![CDATA[<h3>
	Leave it to mathematicians to muck up what looked like an impressive new algorithm.
</h3>

<div itemprop="articleBody">
	<p>
		 
	</p>
	

	<p>
		In the US government's ongoing campaign to protect data in the age of quantum computers, a new and powerful attack that used a single traditional computer to completely break a fourth-round candidate highlights the risks involved in standardizing the next generation of encryption algorithms.
	</p>

	<p>
		 
	</p>
	<p>
		Last month, the US Department of Commerce's National Institute of Standards and Technology, or NIST, selected <a href="https://arstechnica.com/information-technology/2022/07/nist-selects-quantum-proof-algorithms-to-head-off-the-coming-cryptopocalypse/" rel="external nofollow">four post-quantum computing encryption algorithms</a> to replace algorithms like RSA, Diffie-Hellman, and elliptic curve Diffie-Hellman, which are unable to withstand attacks from a quantum computer.
	</p>

	<p>
		 
	</p>

	<p>
		In the same move, NIST advanced four additional algorithms as potential replacements pending further testing in hopes one or more of them may also be suitable encryption alternatives in a post-quantum world. The new attack breaks SIKE, which is one of the latter four additional algorithms. The attack has no impact on the four PQC algorithms selected by NIST as approved standards, all of which rely on completely different mathematical techniques than SIKE.
	</p>

	<h2>
		Getting totally SIKEd
	</h2>

	<p>
		SIKE—short for <a href="https://sike.org/" rel="external nofollow">Supersingular Isogeny Key Encapsulation</a>—is now likely out of the running thanks to research that was published over the weekend by researchers from the <a href="https://www.esat.kuleuven.be/cosic/" rel="external nofollow">Computer Security and Industrial Cryptography</a> group at KU Leuven. The paper, titled <a href="https://eprint.iacr.org/2022/975.pdf" rel="external nofollow">An Efficient Key Recovery Attack on SIDH (Preliminary Version)</a>, described a technique that uses complex mathematics and a single traditional PC to recover the encryption keys protecting SIKE-protected transactions. The entire process requires only about an hour’s time. The feat makes the researchers, Wouter Castryck and Thomas Decru, eligible for a $50,000 reward from NIST.
	</p>

	<p>
		 
	</p>

	<p>
		“The newly uncovered weakness is clearly a major blow to SIKE,” David Jao, a professor at the University of Waterloo and co-inventor of SIKE, wrote in an email. “The attack is really unexpected.”
	</p>

	<p>
		 
	</p>

	<p>
		The advent of public key encryption in the 1970s was a major breakthrough because it allowed parties who had never met to securely trade encrypted material that couldn’t be broken by an adversary. Public key encryption relies on asymmetric keys, with one private key used to decrypt messages and a separate public key for encrypting. Users make their public key widely available. As long as their private key remains secret, the scheme remains secure.
	</p>

	<p>
		 
	</p>

	<p>
		In practice, public key cryptography can often be unwieldy, so many systems rely on key encapsulation mechanisms, which allow parties who have never met before to jointly agree on a symmetric key over a public medium such as the Internet. In contrast to symmetric-key algorithms, key encapsulation mechanisms in use today are easily broken by quantum computers. SIKE, before the new attack, was thought to avoid such vulnerabilities by using a complex mathematical construction known as a supersingular isogeny graph.
	</p>

	<p>
		 
	</p>

	<p>
		The cornerstone of SIKE is a protocol called SIDH, short for Supersingular Isogeny Diffie-Hellman. The research paper published over the weekend shows how SIDH is vulnerable to a theorem known as “glue-and-split” developed by mathematician Ernst Kani in 1997, as well as tools devised by fellow mathematicians Everett W. Howe, Franck Leprévost, and Bjorn Poonen in 2000. The new technique builds on what’s known as the “GPST adaptive attack,” described in a <a href="https://eprint.iacr.org/2016/859.pdf" rel="external nofollow">2016 paper</a>. The math behind the latest attack is guaranteed to be impenetrable to most non-mathematicians. Here’s about as close as you’re going to get:
	</p>

	<p>
		 
	</p>

	<p>
		“The attack exploits the fact that SIDH has auxiliary points and that the degree of the secret isogeny is known,” <a href="https://www.math.auckland.ac.nz/~sgal018/" rel="external nofollow">Steven Galbraith</a>, a University of Auckland mathematics professor and the “G” in the GPST adaptive attack, explained in a <a href="https://ellipticnews.wordpress.com/2022/07/31/breaking-supersingular-isogeny-diffie-hellman-sidh/" rel="external nofollow">short writeup</a> on the new attack. “The auxiliary points in SIDH have always been an annoyance and a potential weakness, and they have been exploited for fault attacks, the GPST adaptive attack, torsion point attacks, etc.
	</p>

	<p>
		 
	</p>

	<p>
		He continued:
	</p>

	<p>
		 
	</p>

	<p style="margin-left: 40px;">
		Let $E_0$ be the base curve and let $P_0, Q_0 \in E_0$ have order $2^a$. Let $E, P, Q$ be given such that there exists an isogeny $\phi$ of degree $3^b$ with $\phi : E_0 \to E$, $\phi(P_0) = P$, and $\phi(Q_0) = Q$.
	</p>

	<p style="margin-left: 40px;">
		 
	</p>

	<p style="margin-left: 40px;">
		A key aspect of SIDH is that one does not compute $\phi$ directly, but as a composition of isogenies of degree 3. In other words, there is a sequence of curves $E_0 \to E_1 \to E_2 \to \cdots \to E$ connected by 3-isogenies.
	</p>

	<p style="margin-left: 40px;">
		 
	</p>

	<p style="margin-left: 40px;">
		Essentially, like in GPST, the attack determines the intermediate curves $E_i$ and hence eventually determines the private key. At step $i$ the attack does a brute-force search of all possible $E_i \to E_{i+1}$, and the magic ingredient is a gadget that shows which one is correct.
	</p>

	<p style="margin-left: 40px;">
		 
	</p>

	<p style="margin-left: 40px;">
		(The above is over-simplified; the isogenies <img alt="E_i \to E_{i+1}" srcset="https://s0.wp.com/latex.php?latex=E_i+%5Cto+E_%7Bi%2B1%7D&amp;bg=ffffff&amp;fg=333333&amp;s=0&amp;c=20201002 1x, https://s0.wp.com/latex.php?latex=E_i+%5Cto+E_%7Bi%2B1%7D&amp;bg=ffffff&amp;fg=333333&amp;s=0&amp;c=20201002&amp;zoom=4.5 4x" src="https://s0.wp.com/latex.php?latex=E_i+%5Cto+E_%7Bi%2B1%7D&amp;bg=ffffff&amp;fg=333333&amp;s=0&amp;c=20201002"> in the attack are not of degree 3 but of degree a small power of 3.)
	</p>
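
	<p>
		A worked count of why the per-step gadget is the whole game, added here as an illustration; it is not part of the quoted explanation above or of the original article. Write the secret isogeny as a chain of e<sub>3</sub> isogenies of degree 3, so that deg φ = 3<sup>e<sub>3</sub></sup>. In the supersingular 3-isogeny graph each curve has 3 + 1 = 4 outgoing 3-isogenies, and at every step after the first all but one of them (the backtrack along the dual of the previous step) are admissible, so the number of cyclic kernels of order 3<sup>e<sub>3</sub></sup> is
	</p>

	<p style="margin-left: 40px;">
		4 · 3<sup>e<sub>3</sub> − 1</sup> ≈ 3<sup>e<sub>3</sub></sup>,
	</p>

	<p>
		which is the size of the space a naive attacker has to search, exponential in e<sub>3</sub> (SIKE’s own key space is of the same order). A gadget that answers “is this candidate step E<sub>i</sub> → E<sub>i+1</sub> the right one?” turns that into a sequential search: at most 4 queries for the first step and 3 for each of the remaining e<sub>3</sub> − 1 steps, i.e.
	</p>

	<p style="margin-left: 40px;">
		4 + 3(e<sub>3</sub> − 1) = 3e<sub>3</sub> + 1
	</p>

	<p>
		queries in total, linear in the key length. If the attack instead takes steps of degree 3<sup>k</sup>, as the parenthetical remark says, each step has about 3<sup>k</sup> candidates and there are about e<sub>3</sub>/k steps, so the total is roughly 3<sup>k</sup> · e<sub>3</sub>/k, still polynomial in e<sub>3</sub> for a fixed small k. The count assumes one gadget query per candidate and says nothing about what a query costs; that cost, and the genus-2 construction behind the gadget, is where the actual attack lives.
	</p>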

	<p>
		 
	</p>

	<p>
		More important than understanding the math, according to Jonathan Katz, an IEEE Member and professor in the department of computer science at the University of Maryland, is a point he made in an email: “the attack is entirely classical, and does not require quantum computers at all.”
	</p>
</div>

<nav>
	<div itemprop="articleBody">
		<h2>
			Lessons learned
		</h2>

		<p>
			SIKE is the second NIST PQC candidate to be broken this year. In February, IBM post-doc researcher Ward Beullens published research that <a href="https://eprint.iacr.org/2022/214.pdf" rel="external nofollow">broke Rainbow</a>, a signature scheme whose security, according to <a href="https://www.cryptomathic.com/news-events/blog/nist-pqc-finalists-update-its-over-for-the-rainbow" rel="external nofollow">Cryptomathic</a>, relies on “the hardness of the problem of solving a large system of multivariate quadratic equations over a finite field.”
		</p>

		<p>
			 
		</p>

		<p>
			NIST’s PQC replacement campaign has been running for five years. Here’s a brief history:
		</p>

		<p>
			 
		</p>

		<ul>
			<li>
				<a href="https://csrc.nist.gov/Projects/post-quantum-cryptography/post-quantum-cryptography-standardization/Round-1-Submissions" rel="external nofollow">1st round (2017)</a>—69 candidates
			</li>
			<li>
				<a href="https://csrc.nist.gov/Projects/post-quantum-cryptography/post-quantum-cryptography-standardization/round-2-submissions" rel="external nofollow">2nd round (2019)</a>—26 surviving candidates
			</li>
			<li>
				<a href="https://csrc.nist.gov/Projects/post-quantum-cryptography/post-quantum-cryptography-standardization/round-3-submissions" rel="external nofollow">3rd round (2020)</a>—7 finalists, 8 alternates
			</li>
			<li>
				<a href="https://csrc.nist.gov/Projects/post-quantum-cryptography/round-4-submissions" rel="external nofollow">4th round (2022)</a>—3 finalists and 1 alternate selected for standardization. SIKE advanced to a fourth round of evaluation along with three other KEMs: the finalist Classic McEliece and the alternates BIKE and HQC.
			</li>
		</ul>

		<p>
			 
		</p>

		<p>
			Rainbow fell during Round 3; SIKE had made it into Round 4.
		</p>

		<p>
			 
		</p>

		<p>
			Katz continued:
		</p>

		<blockquote>
			<p>
				It is perhaps a bit concerning that this is the second example in the past six months of a scheme that made it to the 3rd round of the NIST review process before being completely broken using a classical algorithm. (The earlier example was Rainbow, which was broken in February.) Three of the four PQC schemes rely on relatively new assumptions whose exact difficulty is not well understood, so what the latest attack indicates is that we perhaps still need to be cautious/conservative with the standardization process going forward.
			</p>
		</blockquote>

		<p>
			I asked Jao, the SIKE co-inventor, why the weakness had come to light only now, at a relatively late stage of the scheme’s development. His answer was insightful. He said:
		</p>

		<blockquote>
			<p>
				It's true that the attack uses mathematics which was published in the 1990s and 2000s. In a sense, the attack doesn't require new mathematics; it could have been noticed at any time. One unexpected facet of the attack is that it uses genus 2 curves to attack elliptic curves (which are genus 1 curves). A connection between the two types of curves is quite unexpected. To give an example illustrating what I mean, for decades people have been trying to attack regular elliptic curve cryptography, including some who have tried using approaches based on genus 2 curves. None of these attempts has succeeded. So for this attempt to succeed in the realm of isogenies is an unexpected development.
			</p>

			<p>
				 
			</p>

			<p>
				In general there is a lot of deep mathematics which has been published in the mathematical literature but which is not well understood by cryptographers. I lump myself into the category of those many researchers who work in cryptography but do not understand as much mathematics as we really should. So sometimes all it takes is someone who recognizes the applicability of existing theoretical math to these new cryptosystems. That is what happened here.
			</p>
		</blockquote>

		<p>
			The version of SIKE submitted to NIST used a single step to generate the key. A variant of SIKE could be constructed to take two steps, and Jao said it is possible that such a variant would not be susceptible to the mathematics behind this break. For now, though, SIKE is dead, at least in the current running. The schedule for the remaining three Round 4 candidates is currently unknown.
		</p>
	</div>

	<p>
		 
	</p>

	<p>
		 
	</p>
</nav>

<p>
	<a href="https://arstechnica.com/information-technology/2022/08/sike-once-a-post-quantum-encryption-contender-is-koed-in-nist-smackdown/" rel="external nofollow">Post-quantum encryption contender is taken out by single-core PC and 1 hour</a>
</p>
]]></description><guid isPermaLink="false">7417</guid><pubDate>Tue, 02 Aug 2022 20:08:01 +0000</pubDate></item><item><title>The Notorious Hacker Who&#x2019;s Trying to Fix Social Media</title><link>https://nsaneforums.com/news/security-privacy-news/the-notorious-hacker-who%E2%80%99s-trying-to-fix-social-media-r7413/</link><description><![CDATA[<p>
	<span style="font-size:20px;">Over the past two decades, social media has taken over the world and become a menace to democracy. Can a pseudonymous hacktivist get it back on the right track?</span>
</p>

<p>
	 
</p>

<p>
	As much as humanly possible, I try to stay off social media. I use Twitter for work, but otherwise I’m pretty much MIA when it comes to the big sites. I haven’t used Facebook for years (too many scandals)—and I keep a healthy distance from Instagram and TikTok (they seem like attention-sucking blackholes). But recently, my ears perked up when I heard about an alternative social media platform—one that supposedly prioritized a civil and authentic social experience. There was a weird catch, though: the site was created by a mysterious hacker whose identity has never been publicly revealed.
</p>

<p>
	 
</p>

<p>
	Americans are increasingly disenchanted with social platforms—many view them as detrimental to our politics and culture. From polarization to eating disorders to January 6th, there isn’t much that Facebook and Twitter can’t be blamed for these days. Personally, I’m not against the idea of engaging with online communities, but the notion of supporting platforms that seem so toxic is something that I find increasingly difficult to justify. Is it possible that someone who should, theoretically, be untrustworthy could actually restore trust in social media?
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>What Is CounterSocial?</strong></span>
</p>

<p>
	<br />
	Back in 2017, the pseudonymous hacktivist known as “The Jester” decided that he was sick of social media’s noxious ways—the disinformation, the internecine verbal sparring, the endless rage and fury. In particular, he found himself concerned about “influence operations,” the propaganda campaigns that have become so common online—and that seem to be swiftly driving us all collectively insane.
</p>

<p>
	<br />
	Instead of quitting social media outright, though, Jester decided to do something slightly different.
</p>

<p>
	<br />
	In a matter of months, he had spun up CounterSocial, an alternative social media site that was designed to “counter” the disinformation, trolls, influence operations and harassment prevalent on other platforms. He wanted to create a controlled environment—a walled garden where ugliness and toxicity could be moderated out. Today, the site has approximately 100,000 users and continues to see steady growth. The hacker says that he uses a variety of techniques to keep his platform safe and, according to him, it’s supposed to be a place where you can actually have civil conversations with people, where community is a real thing, and where people act like decent human beings instead of sociopaths and attention-seeking jackals.
</p>

<p>
	<br />
	But for Jester to be the inventor of this happy little place is kind of funny. Why? Because until CounterSocial, he spent most of his time destroying websites, not creating them.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>Jester’s Identity</strong></span>
</p>

<p>
	 
</p>

<p>
	Jester first gained prominence back in 2010, when he took credit for hacking a number of jihadist websites that were attempting to recruit new members. This act quickly garnered Jester a reputation as a “patriotic hacker”—a digital vigilante who hacked “for good.” Jester didn’t stop with would-be terrorists. During his heyday, he claims to have hacked a broad array of targets that he felt threatened America—everyone from fellow hacktivist groups like Wikileaks and Anonymous, to the rightwing cretins at the Westboro Baptist Church, to the black-hat hacking group LulzSec, among others. His self-stated mission was to obstruct the communication lines of “bad guys” everywhere, and his calling card—a cartoonish but creepy Jester mascot—would be right at home in a comic book or a Hollywood hacker movie.
</p>

<p>
	<br />
	If you’re wondering who’s behind that creepy mask, you’ll find no satisfaction here. A 2012 study suggests that, prior to his hacking career, Jester may have been a member of the U.S. Special Forces, or may have worked as a contractor for them. If he did, that could explain his technical abilities (the Army has a number of cyber divisions where such skills can be acquired). However, others accuse him of “hoaxing” his attacks and allege his real skill is disinformation, not hacking. Others wonder if he’s actually more than one person: a 2017 FOIA release from the NSA notes that it is “unknown if the Jester is in fact an individual working alone or a group of hackers” who hide behind a single online persona. Every once in a while, somebody claims to have doxxed Jester or even alleges that they are him—after which Jester typically pops up to deny these claims. In short: the guy is pretty much a total mystery.
</p>

<p>
	<br />
	At the same time, he’s also sort of an open book. In fact, to follow him on Twitter (which is the only mainstream social media platform that he uses) is to know that he’s something of a notorious shit-poster. A fan of former president Donald Trump and potential Twitter buyer Elon Musk he is not. He also doesn’t suffer fools gladly: some of his favorite insults include “chode,” “fucking idiot,” and “thistledick,” designations he reserves for his least favorite trolls. On any given day, you can read his vulgarity-filled tweets, which are often jarring, offensive, and occasionally funny. In other words: he’s one of the most outspoken enigmas you’ll ever meet.
</p>

<p>
	<br />
	After hearing about CounterSocial, I wanted to meet Jester (online, at least) and get to know him a little bit. I was afraid that this would be difficult, since he’s notoriously secretive. But after downloading Keybase, the encrypted chat platform that he prefers to communicate with, I got a quick response: “I’d love to talk to you guys,” he said. Over the course of several days, I was able to have a relaxed, wide-ranging conversation with the mysterious hacker about the vision he has for his ever-growing pet project. He also agreed to set me up with an account so that I can check out his little experiment.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>Fixing Social Media</strong></span>
</p>

<p>
	<br />
	“The inspiration [for CounterSocial] pretty much came from seeing all the misinformation and foreign influence operations happening on the current social media offerings. And the fact that nothing was being done to curb it,” Jester tells me, during one of our conversations.
</p>

<p>
	<br />
	It’s no secret that such companies have taken a turn for the sinister in recent years. Just read Gizmodo’s own coverage of the Facebook Papers, where you can see that Meta (the parent company of Facebook) has a host of problems that it has no idea how to solve. Beset by noxious financial incentives, most social platforms are algorithmically structured to encourage the worst psychological impulses in their users. They also lack any real long-term strategies for how to fix the endless disinformation and misinformation campaigns that spawn like deranged rabbits on their platforms.
</p>

<p>
	<br />
	The generous view would be that platforms like Twitter or Facebook are effectively too big to moderate or control, but Jester doesn’t seem to have much sympathy for that position. “It’s not that they are ‘too big’ - they have the resources. They just seem unwilling to deploy them effectively,” he says. In other words, while they may have the resources, they ultimately lack the will to do anything about it. Fortunately, Jester seems to have plenty.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>Using CounterSocial</strong></span>
</p>

<p>
	<br />
	After I made myself a COSO account, Jester upgraded it to a PRO account so that I could get the full user experience. PRO accounts are typically paid accounts ($4.99 a month) and allow users to access a host of features that are off-limits to free users. Setting up an account is easy. I enter some basic information (an email and a password), give myself the lame username “Tech Journo” and upload a profile picture. And that’s it. I am officially a COSONAUT, as the site refers to its users. I’m ready to get started.
</p>

<p>
	<br />
	When you log onto CounterSocial the first thing you notice is that its layout is a little intense. The best thing to compare it to visually might be TweetDeck, Twitter’s dashboard feature that allows you to manage and monitor multiple accounts at one time. CounterSocial is a series of vertical feeds, which you can customize and arrange to your liking. Weirdly, there are also CNN news banners that scroll across the top of the screen—presumably to keep you informed about what’s happening in the world on that day. The view from my Pro account looks like this:
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="237bc3018ec0755f344ca117accec94f.png" class="ipsImage" data-ratio="42.22" height="227" width="720" src="https://i.kinja-img.com/gawker-media/image/upload/c_fit,f_auto,g_center,pg_1,q_60,w_965/237bc3018ec0755f344ca117accec94f.png" />
</p>

<p style="text-align:center;">
	<span style="font-size:11px;">Screenshot: Lucas Ropek/CounterSocial</span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	If you find yourself overwhelmed by COSO’s layout, you can actually turn on something called “Ostrich mode,” which disables the CNN banners and several other visual assets, allowing for a sparser, more simplified view. But I don’t mind the layout for the most part, so I keep Ostrich mode off and commence with poking around.
</p>

<p>
	<br />
	If platforms like Twitter and Facebook are mega-corporations that feel like vast digital cities, CounterSocial feels very much like one of the internet’s small towns. Poking around on it gives you roughly the same feeling you might have entering a local bookstore. A banner in the corner of the screen notes: “CounterSocial stays online and ad-free because of YOU! Please consider helping to keep it that way by using the support options below. Thanks!”
</p>

<p>
	 
</p>

<p>
	In other words: the whole thing is kind of quaint.
</p>

<p>
	<br />
	Meanwhile, the features that Jester seems to have integrated into CounterSocial are probably the biggest selling point for a lot of people—and a lot of them are pretty cool.
</p>

<p>
	<br />
	As you can see from the site’s drop-down menu, COSO PRO supports a host of features that are pretty typical: You can DM people, join or start group conversations, and even audio/video call people with the COSOCall feature. For the privacy-focused, Jester says he has also integrated a “warrant canary” feature. A warrant canary is a regularly renewed statement that the operator has not received a secret government demand for user data (a national security letter, say); if the statement stops being renewed, users are meant to infer that such a demand has arrived, since the operator is usually barred from saying so directly. It is a nice thing to have, given how often governments make such requests these days, though it only protects users who actually check that the canary is still fresh.
</p>

<p>
	<br />
	One of the most distinctive features that CounterSocial boasts, however, is its virtual reality “realms,” which Jester says is his response to “‘the metaverse’” from Facebook. “A while back I heard that Facebook was going to ‘break new ground’ with [its] MetaVerse VR stuff. So I set about integrating something similar for COSO. And managed to get it released a whole month before Facebook/Meta. With...[Realms] users can join other folks’ public spaces, or create their own, from a ‘remixable’ that someone else made, or by using our integrated CreativeSuite.”
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="3d5d24b24d1e28487a24903e35fb95ce.png" class="ipsImage" data-ratio="75.10" height="404" width="720" src="https://i.kinja-img.com/gawker-media/image/upload/c_fit,f_auto,g_center,pg_1,q_60,w_965/3d5d24b24d1e28487a24903e35fb95ce.png" />
</p>

<p style="text-align:center;">
	<span style="font-size:11px;"><em>Inside “The Shining” realm on CounterSocial.<br />
	Screenshot: Lucas Ropek/CounterSocial</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	The realms that Jester has set up are pretty interesting, even if the animation probably isn’t going to win any awards. In one, you can wander around in the Overlook Hotel—the haunted stately manse from Stanley Kubrick’s The Shining adaptation. In another, you can shuffle around “Doc’s garage” from Back to the Future. There is also a campsite realm, a movie theater realm, and several others. But you can also create your own realms, which adds an element of interactivity to COSO that you probably wouldn’t find in other “metaverse” playgrounds. A headset will allow you to chat with other people inside of COSO “realms,” though, when I enter the Overlook, nobody else is in there except for me. I wander around the hotel for a few minutes, stare at the walls, briefly get stuck in a corner, then hop back out.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>How Does CounterSocial ‘Counter’ Disinformation?</strong></span>
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	Then there are COSO’s anti-disinformation measures, which are the platform’s claim to fame. According to Jester, he deploys a variety of security mechanisms designed to keep trolls, bots, and assholes off of his site. The most drastic thing he does is ban IP addresses from six different countries. These include Russia, China, North Korea, Iran, Syria, and Pakistan. Jester’s logic here is that these are the countries from whence a vast majority of disinformation originates. “The nations blocked by our network are well known to be origin points of an overwhelming majority of bots and trolls that are used to engage in influence operations against not only the West but their own neighbors, as well as attempts to disenfranchise and divide social media users worldwide,” an FAQ on the site reads. When chatting with him, I point out that a dedicated disinformant could just use a VPN to mask their true location and then launch PsyOps from a Westernized IP address. He admits this is true, but says that “there’s more to” his efforts “than that.”
</p>

<p>
	 
</p>

<p>
	“I also ban over 100K VPN endpoints and Tor exit nodes that are known to be used by nefarious actors,” he tells me. “On top of that, they almost always give themselves away as soon as they post anything,” he says, explaining that he feels he can identify a propagandist as soon as they enter his site. The thing about the “endpoints list” is pretty interesting but Jester won’t reveal to me where this supposed list comes from. “‘Hackers’ either know about or know how to find out about these kind of things,” he says cryptically. “It’s a compilation of different lists, and is currently... proprietary to us.”
</p>
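
<p>
	Both controls described in the two paragraphs above, a per-country IP block and a list of VPN endpoints and Tor exit nodes, reduce to the same mechanism: look up the request’s source address against a set of CIDR ranges. Here is an added example of that lookup in Python. It is not CounterSocial’s code, the class and function names (<code>IPBlocklist</code>, <code>filter_requests</code>, <code>SAMPLE_BLOCKLIST</code>) are hypothetical, and every range in it is a constructed sample built from documentation prefixes, not a real country allocation, VPN provider or Tor exit and not Jester’s proprietary list. It also shows the limitation raised in the conversation: an address that is not on any list, such as a fresh VPN exit, passes.
</p>

```python
"""Source-IP blocklist lookup: country ranges plus VPN/Tor exit entries.

Added example, not CounterSocial's code. Every range below is a constructed
sample drawn from documentation prefixes (RFC 5737 / RFC 3849); none is a
real country allocation, VPN provider or Tor exit.
"""
import ipaddress
from collections import defaultdict

# Constructed sample list: (CIDR, reason). The labels are hypothetical.
SAMPLE_BLOCKLIST = [
    ("203.0.113.0/24", "geo:XX"),            # stands in for a blocked country's range
    ("198.51.100.0/24", "vpn:provider-A"),   # stands in for a VPN provider's exit range
    ("198.51.100.200/32", "tor:exit"),       # a single Tor-exit-style host inside that range
    ("2001:db8:abcd::/48", "geo:XX"),        # IPv6 range for the same blocked country
]


class IPBlocklist:
    """Longest-prefix match of an address against a set of CIDR networks.

    Networks are bucketed by (IP version, prefix length) and keyed by the
    network address shifted down to that prefix length. A lookup shifts the
    query address the same way for each prefix length present, longest first,
    so the cost is proportional to the number of distinct prefix lengths
    (a few dozen at most), not to the number of networks (100K or more).
    """

    def __init__(self, entries):
        self._buckets = defaultdict(dict)   # (version, plen) -> {prefix_int: reason}
        self._plens = {4: set(), 6: set()}  # prefix lengths present per IP version
        for cidr, reason in entries:
            net = ipaddress.ip_network(cidr, strict=False)
            key = int(net.network_address) >> (net.max_prefixlen - net.prefixlen)
            self._buckets[(net.version, net.prefixlen)][key] = reason
            self._plens[net.version].add(net.prefixlen)

    def lookup(self, ip):
        """Return the reason for the most specific matching network, or None."""
        addr = ipaddress.ip_address(ip)
        for plen in sorted(self._plens[addr.version], reverse=True):
            key = int(addr) >> (addr.max_prefixlen - plen)
            reason = self._buckets[(addr.version, plen)].get(key)
            if reason is not None:
                return reason
        return None


def filter_requests(blocklist, source_ips):
    """Split request source addresses into (allowed, blocked).

    allowed is a list of addresses; blocked is a list of (address, reason).
    """
    allowed, blocked = [], []
    for ip in source_ips:
        reason = blocklist.lookup(ip)
        if reason is None:
            allowed.append(ip)
        else:
            blocked.append((ip, reason))
    return allowed, blocked


if __name__ == "__main__":
    bl = IPBlocklist(SAMPLE_BLOCKLIST)
    # Constructed request sources: a blocked-country host, a generic VPN exit,
    # the listed Tor exit, and an unlisted VPN exit that slips through.
    sample = ["203.0.113.77", "198.51.100.5", "198.51.100.200", "192.0.2.10"]
    allowed, blocked = filter_requests(bl, sample)
    for ip, reason in blocked:
        print(f"blocked {ip:16} {reason}")
    for ip in allowed:
        print(f"allowed {ip:16} (on no list: this is the VPN bypass)")
```

<p>
	The most-specific-first order matters: the Tor exit host sits inside the VPN provider’s range, and a flat “first match wins” scan over an unordered list would report the wrong reason. The unlisted address in the sample is the point Jester concedes in the text: the control is only as good as the coverage of the list behind it.
</p>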

<p>
	<br />
	On top of this, CounterSocial also offers other features designed to mitigate potential disinformation aimed at users. “We teamed up with BotSentinel and Factlayer to provide our users with optional tools they can enable to help fight disinformation,” Jester tells me. BotSentinel is a free dashboard that tracks and provides information about social media accounts that are known for spreading disinformation. Factlayer, meanwhile, is a Chrome plugin that is designed to provide automated context about the websites that you visit. “Both those technologies are fully integrated into COSO,” he says.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>An Army of One</strong></span>
</p>

<p>
	 
</p>

<p>
	All of this seems like a handful to manage, so you’d be forgiven for wondering just how many people are helping to keep this hefty little project running. According to Jester, it’s a team of exactly one—that is, just him: “Okay, right now, and I know this is gonna sound insane, but I am lead developer, moderation, CISO, CIO, first line support, second line support, marketing, security operations, infrastructure engineer, everything,” he says. It does sound sort of unworkable, but stranger things have happened in the ever-changing tech industry.
</p>

<p>
	<br />
	According to Jester, the site’s infrastructure “has been designed to scale up and down very quickly to meet demand and we’re just under 100,000 users as of right now, growing every day.” For comparison, Twitter has around 7,500 employees—a number that might seem a little ridiculous for a platform that has only intermittently changed since its launch.
</p>

<p>
	<br />
	This inspires a lot of questions. For one thing, how does one person monitor 100,000 people? If you’re hellbent on moderating disinformation, wouldn’t you need a few more eyes than just your own? Similarly, where does the hardware come from to support that many users?
</p>

<p>
	<br />
	Apparently having a solo startup isn’t as impossible as it sounds. Called “one person unicorns,” such ventures have become somewhat common in recent years. Still, I ask Jester how he imagines being able to scale up the platform to a much larger user base, to which he tells me that securing more PRO accounts is potentially the answer: “I funded the initial rollout [of COSO] myself, with my savings. Then as we grew and the feature set expanded, I introduced the PRO account upgrade option so that folks could help me out,” Jester said. “We literally doubled in size the day Elon Musk announced he was buying Twitter a few weeks back,” he tells me. “We have been steadily growing and upgrading infrastructure as we have gone along.”
</p>

<p>
	<br />
	“We don’t have any Venture Capital funding, and it’s been manageable, but that day, I had to make significant upgrades just to stay up, which I did and we’ve been stable ever since,” he adds.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>Is CounterSocial Safe to Use?</strong></span>
</p>

<p>
	<br />
	Right about now you might be thinking: Okay, this all sounds pretty interesting, but is a platform run by a pseudonymous hacker actually trustworthy?
</p>

<p>
	<br />
	It’s a good question. The short answer is: Uh, we don’t know, for certain. Gizmodo was not able to conduct a security review of COSO’s code (the site’s user policy expressly forbids security testing by users without permission—which we were unable to secure). Jester expressed concern that a penetration test conducted by an unskilled person might damage the site—which is a real concern with pentests. But, interestingly enough, folks in the cybersecurity community seem to like COSO quite a bit. The word of mouth about the platform among the infosec crowd has been mostly positive, Christopher Budd, the director of threat research at the IT security firm Sophos, told us. Budd himself has an account.
</p>

<p>
	<br />
	“It’s something that I’d heard a lot of things about,” he says, in a Zoom call. Jester “is known within the [security] industry and within the security/privacy space and has good credibility with a lot of folks,” Budd added. “Enough people I know have a positive opinion [of COSO]—you know, it’s the ol’ circle of trust thing.” Budd also said that he appreciates the platform’s attempts to rid the user experience of bots and disinformation.
</p>

<p>
	<br />
	Adriel Desautels, another user of the site, is the CEO and founder of penetration testing firm Netragard. Desautels recently opened a COSO account for himself and has been enjoying it. Like Budd, Desautels says that he has faith in COSO and Jester and that he has seen more and more security folks expressing interest in the platform. “It becomes tiring to not trust anything you see anywhere just because most of it is junk,” said Desautels, of the information on platforms like Facebook and Twitter. “It’s kind of refreshing to see a platform that intends—and I say intends because I can’t prove that’s what he’s actually doing—to deliver more trustworthy information.”
</p>

<p>
	<br />
	Another plus is that a lot (but not all) of CounterSocial’s code is open source. Transparency (or a lack of it) has been a big issue with a lot of social media sites (just look at the hubbub over Twitter’s algorithm, for instance), so it’s nice to see a platform that’s at least interested in being straight with users.
</p>

<p>
	 
</p>

<p>
	“CounterSocial is comprised of many elements, both open source and proprietary code,” the site’s licensing page reads. The open source elements include code from Mastodon and Mozilla, the Apache-licensed Jitsi and, via Rocket.Chat, MIT-licensed code. But the site also uses unspecified proprietary code, something Jester doesn’t really address during our chats. And, of course, there’s the obvious irony: a site that emphasizes transparency is also run by an internet mystery man whose identity will probably never be known.
</p>

<p>
	<br />
	Eventually, I ask Jester directly why users should trust him, given the fact that he’s a notorious hacker. “That’s a great question,” he says, noting that the only “personal information I need for them [the users] to create an account is an email address.” It’s true that very limited information needs to be shared to make a free account, though in principle the site could be collecting additional information about the user (the site claims that it does not “collect information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, household, or device”).
</p>

<p>
	<br />
	Of course, a lot of the most exciting features of COSO are provided through PRO accounts, which are paid and require handing over some form of financial information. Jester says that he doesn’t see any of the financial information personally and that it’s handled by a professional payment processor. However, he is unwilling to tell me which payment processor COSO uses. “There’s some things I’m just not comfortable with volunteering. I have a lot of enemies, and they are gonna read this article to glean any tidbit they can get,” he explained. If users are truly worried about providing financials, there are ways around it (using virtual cards, for instance).
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>Building an Alternative</strong></span>
</p>

<p>
	 
</p>

<p>
	If you trust Jester (and, for some people, that’s probably a big “if”), there’s definitely something endearing about his project. CounterSocial is clearly something he cares deeply about. There’s an element of world-building to it—and he clearly enjoys playing the role of the creator.
</p>

<p>
	<br />
	He also seems to be accomplishing what he set out to do. In my time on the platform, I didn’t see much evidence of the vulgarity, bullying, or partisan sparring that are so routine on other social platforms. This might be because there are just fewer people on CounterSocial and, therefore, less overall engagement between users. But there’s also a sense that people don’t want to fight on this platform. For one thing, there isn’t really any incentive to—it’s not going to win you any followers or advance your career. Unlike the other major platforms, COSO sorta feels like a real community.
</p>

<p>
	<br />
	It also seems like something that people are interested in. After Elon Musk announced that he was thinking about buying Twitter in May, CounterSocial saw so many new users that it temporarily gave the site some trouble, according to Jester. Clearly, the hunger for alternative online ecosystems is growing. And Jester claims that he has big plans for his platform—that he wants to scale it up and broaden the community.
</p>

<p>
	<br />
	“I guess [I] do (eventually) need COSO to make some money - but right now it’s a bit of a labor of love,” the hacker told me. “I am not so arrogant to think that COSO will ever become as big as Twitter or Facebook, but I would like it to ‘counter’ some of the far right platforms that have sprung up recently. I’m talking your Gab, Parler, GETTR, Frankspeech, and Trump’s ‘Truth’ Social,” he says, in reference to the MAGA-verse alternatives that appear on a monthly basis. If this all sounds quixotic, Jester doesn’t seem to mind. “I hear God loves a trier,” he quips.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://gizmodo.com/jester-hacker-trying-to-fix-social-media-countersocial-1849035091" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">7413</guid><pubDate>Tue, 02 Aug 2022 17:23:51 +0000</pubDate></item><item><title>Microsoft's new security tool lets you to see your systems like a hacker would</title><link>https://nsaneforums.com/news/security-privacy-news/microsofts-new-security-tool-lets-you-to-see-your-systems-like-a-hacker-would-r7412/</link><description><![CDATA[<p>
	<span style="font-size:20px;">Microsoft brings in its RiskIQ acquisition to launch Defender Threat Intelligence and Defender External Attack Surface Management.</span>
</p>

<p>
	 
</p>

<p>
	Microsoft has launched two security services that aim to boost the intelligence capabilities of an organization's security operations center (SOC) rather than solely protect devices.
</p>

<p>
	<br />
	Microsoft has launched Defender Threat Intelligence and Defender External Attack Surface Management (EASM) — two new products that merge technology Microsoft gained after acquiring security firm RiskIQ last July for $500 million.
</p>

<p>
	<br />
	There may appear to be some overlap with Microsoft’s existing services, such as its Azure-powered Sentinel security information and event management (SIEM) service, Microsoft Defender Experts for Hunting, a managed threat hunting service, and Defender Experts for XDR, a managed extended detection and response (XDR) service.
</p>

<p>
	<br />
	But Microsoft says these RiskIQ-based threat intel service offerings differ in that they provide customers with "direct access to real-time data" from Microsoft's security signals. Microsoft chief Satya Nadella last week said the firm receives 43 trillion security signals each day.
</p>

<p>
	<br />
	Besides signals, Microsoft says its new threat intel service is based on intel merged between RiskIQ, Microsoft's nation-state tracking team, Microsoft Threat Intelligence Center (MSTIC, pronounced 'Mystic'), and the Microsoft 365 Defender security research team.
</p>

<p>
	<br />
	Rob Lefferts, corporate VP of Microsoft's Modern Protection and SOC unit, tells ZDNet the threat intel service is about "connecting SOCs with Microsoft's own researchers from MSTIC".
</p>

<p>
	<br />
	Meanwhile, Microsoft Defender External Attack Surface Management is about "how do we make sure that you get to see the whole world the way that the attacker would," says Lefferts.
</p>

<p>
	<br />
	"We're gonna scan the internet and help you understand what do you present out on the public internet and what exposure does that mean for your company."
</p>

<p>
	<br />
	The attack surface management service could be useful given data showing that attackers start scanning the internet for exposed vulnerable devices within 15 minutes of a major flaw's public disclosure, and generally continue scanning the internet for older flaws like last year's nasty Exchange Server flaws, ProxyLogon and ProxyShell.
</p>

<p>
	<br />
	This service discovers a customer's unknown and unmanaged resources that are visible and accessible from the internet – giving defenders the same view an attacker has when they select a target. Defender EASM helps customers discover unmanaged resources that could be potential entry points for an attacker.
</p>

<p>
	<br />
	Across MSTIC and Microsoft 365 Defender Research, Microsoft is tracking 250 different actors and ransomware families.
</p>

<p>
	<br />
	"We're providing intelligence across all of them and bringing that into your security team — not just to learn the latest news… but also to explore it, so if I see an indicator, I might explore where that might live on the network and connect that to what I'm seeing in my company. It's like a workbench for analysts inside a company," says Lefferts.
</p>

<p>
	<br />
	Microsoft's security business is growing at a rapid clip. It was worth $10 billion a year in 2021, and as of April had grown to become a $15 billion a year business. At its Q4 FY 2022 earnings update, Nadella said Microsoft's "security revenue increased 40 percent" and that its security business now spans 50 categories, well beyond its Defender antivirus for Windows PCs.
</p>

<p>
	<br />
	Other recent acquisitions include IoT security firms CyberX and ReFirm Labs to boost its cybersecurity offerings.
</p>

<p>
	<br />
	Microsoft rebranded its Defender lineup in 2020, bringing Microsoft Threat Protection, Defender ATP, Azure Security Center, and others under the Microsoft Defender moniker. Microsoft Defender would become its XDR product, while Azure Sentinel became its SIEM line.
</p>

<p>
	<br />
	Lefferts says the two new Defender-branded services are standalone products.
</p>

<p>
	<br />
	"This is different to protecting endpoint. It's about improving your security team, giving them new views and perspectives. If you think about a game of chess, if you turn it around and look at it from your opponent's point of view, this is a tool that is designed to help analysts do that by giving them that different perspective," he says.
</p>

<p>
	<br />
	<strong><a href="https://www.zdnet.com/article/microsofts-new-security-tool-lets-you-to-see-your-systems-like-a-hacker-would/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">7412</guid><pubDate>Tue, 02 Aug 2022 17:14:51 +0000</pubDate></item><item><title>Over 3,200 apps leak Twitter API keys, some allowing account hijacks</title><link>https://nsaneforums.com/news/security-privacy-news/over-3200-apps-leak-twitter-api-keys-some-allowing-account-hijacks-r7393/</link><description><![CDATA[<p>
	Cybersecurity researchers have uncovered a set of 3,207 mobile apps that are exposing Twitter API keys to the public, potentially enabling a threat actor to take over users' Twitter accounts that are associated with the app.
</p>

<p>
	 
</p>

<p>
	The discovery belongs to cybersecurity firm <a href="https://cloudsek.com/whitepapers_reports/how-leaked-twitter-api-keys-can-be-used-to-build-a-bot-army/" rel="external nofollow" target="_blank">CloudSEK</a>, which scrutinized large app sets for potential data leaks and found 3,207 leaking a valid Consumer Key and Consumer Secret for the Twitter API.
</p>

<p>
	 
</p>

<p>
	When integrating mobile apps with Twitter, developers will be given special authentication keys, or tokens, that allow their mobile apps to interact with the Twitter API. When a user associates their Twitter account with this mobile app, the keys also will enable the app to act on behalf of the user, such as logging them in via Twitter, creating tweets, sending DMs, etc.
</p>

<p>
	 
</p>

<p>
	As having access to these authentication keys could allow anyone to perform actions as associated Twitter users, it is never recommended to store keys directly in a mobile app where threat actors can find them.
</p>

<h2>
	Building a Twitter army
</h2>

<p>
	With access to these leaked keys, a threat actor could perform the following actions on the associated Twitter accounts:
</p>

<p>
	 
</p>

<ul>
	<li>
		Read someone’s direct messages
	</li>
	<li>
		Perform retweets and likes
	</li>
	<li>
		Create or delete tweets
	</li>
	<li>
		Remove or add new followers
	</li>
	<li>
		Access account settings
	</li>
	<li>
		Change display picture
	</li>
</ul>

<p>
	 
</p>

<p>
	One of the most prominent scenarios of abuse of this access, according to CloudSEK, would be for a threat actor to use these exposed tokens to create a Twitter army of verified (trustworthy) accounts with large numbers of followers to promote fake news, malware campaigns, cryptocurrency scams, etc.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="breakdown.png" class="ipsImage" data-ratio="75.10" height="262" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Diagrams/breakdown.png">
	</p>

	<div>
		<em>Breakdown of vulnerable apps (CloudSEK)</em>
	</div>
</div>

<h2>
	Bad practices
</h2>

<p>
	CloudSEK explains that the leak of API keys is commonly the result of mistakes by app developers who embed their Twitter API authentication keys in the app but forget to remove them when the mobile app is released.
</p>

<p>
	 
</p>

<p>
	In these cases, the credentials are stored within mobile applications at the following locations:
</p>

<p>
	 
</p>

<ul>
	<li>
		resources/res/values/strings.xml
	</li>
	<li>
		source/resources/res/values-es-rAR/strings.xml
	</li>
	<li>
		source/resources/res/values-es-rCO/strings.xml
	</li>
	<li>
		source/sources/com/app-name/BuildConfig.java
	</li>
</ul>

<p>
	 
</p>

<p>
	CloudSEK recommends developers use API key rotation to protect authentication keys, which would invalidate the exposed keys after a few months.
</p>

<h2>
	Who is impacted?
</h2>

<p>
	CloudSEK shared a list of impacted applications with BleepingComputer, with apps between 50,000 and 5,000,000 downloads, including city transportation companions, radio tuners, book readers, event loggers, newspapers, e-banking apps, cycling GPS apps, and more.
</p>

<p>
	 
</p>

<p>
	Most of the applications publicly exposing their API keys haven't even acknowledged CloudSEK's notices a month after the cybersecurity firm alerted them, and most haven't addressed the issues.
</p>

<p>
	 
</p>

<p>
	As such, BleepingComputer will not disclose the list of apps as they are still vulnerable to exploitation and Twitter account takeover.
</p>

<p>
	 
</p>

<p>
	One notable exception was Ford Motors, which responded and deployed a fix on the 'Ford Events' app that was also leaking Twitter API keys.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/over-3-200-apps-leak-twitter-api-keys-some-allowing-account-hijacks/" rel="external nofollow">Over 3,200 apps leak Twitter API keys, some allowing account hijacks</a>
</p>
]]></description><guid isPermaLink="false">7393</guid><pubDate>Tue, 02 Aug 2022 07:43:39 +0000</pubDate></item></channel></rss>
