BleepingComputer has successfully reproduced the issue, first reported by researcher Maximilian Golla.

Founded in 1947 and headquartered in NYC as a non-profit, The Association for Computing Machinery (ACM) is the world's largest scientific and educational computing society. As of 2019, ACM's membership comprises nearly 100,000 students and professionals involved in the field of computing.

Research paper "violates" Google Drive policies

Germany-based PhD researcher, Maximilian Golla of Max Planck Society was frustrated on seeing one of his Google Docs files restricted by Google.

The file, according to Golla, contained links to ACM research papers, but "violates" Google's Terms of Service as per a screenshot shared by the researcher:

And, it's not just Google Drive. Google Search is acting funny too, Golla points out.

BleepingComputer confirmed Google Search results for the ACM website, ACM Digital Library research papers, and contact pages are also treating links to ACM domains as malicious.

In our tests, clicking on any of the acm.org, dl.acm.org or libraries.acm.org links appearing in the results led to an "interstitial" hosted on Google's redirection page, warning visitors that the link might be harmful.

This issue is essentially blocking any and all traffic to ACM domains from Google Search results. ACM visitors will instead have to manually copy-paste the intended link in their web browser's address bar:

These warnings are typically shown by Google to visitors who may inadvertently be navigating to compromised sites or domains hosting adware, MageCart scripts, or other types of malware. Thus far, there is no indication that ACM's domains are compromised or serving malware. BleepingComputer has reached out to ACM to ensure that is indeed the case.

"For detailed information about the problems that we found, visit Google's Safe Browsing diagnostic page for this site," advises Google's warning message. But, BleepingComputer observed the "diagnostic page" indicated that ACM's website was safe:

Third time's a charm

Although the blocking of ACM links across Google Search and Drive seems erratic, this isn't the first time Google Drive has erroneously flagged materials for being in violation of its Terms of Service when there is none.

In January, Google Drive was seen restricting nearly empty files for 'copyright infringement'. These files contained no data other than some numbers or a single digit, such as '1'.

Google Drive documents that contain phishing links, even for personal research purposes have, on occasion, also been automatically marked to be in violation of terms and had their sharing features restricted.

BleepingComputer has reached out to Google to understand what is causing the issue with ACM domains and we will update the story once we hear back.

Google blocks site of largest computing society for being ‘harmful’

This previously undetected Linux threat, called Lightning Framework by Intezer, is equipped with a plethora of features, making it one of the most intricate frameworks developed for targeting Linux systems.

"The framework has both passive and active capabilities for communication with the threat actor, including opening up SSH on an infected machine, and a polymorphic malleable command and control configuration," Intezer researcher Ryan Robinson said in a new report published today.

Central to the malware is a downloader ("kbioset") and a core ("kkdmflush") module, the former of which is engineered to retrieve at least seven different plugins from a remote server that are subsequently invoked by the core component.

In addition, the downloader is also responsible for establishing the persistence of the framework's main module. "The main function of the downloader module is to fetch the other components and execute the core module," Robinson noted.

The core module, for its part, establishes contact with the command-and-control (C2) server to fetch necessary commands required to execute the plugins, while also taking care to hide its own presence in the compromised machine.

Some of the notable commands received from the server enable the malware to fingerprint the machine, run shell commands, upload files to the C2 server, write arbitrary data to file, and even update and remove itself from the infected host.

It further sets up persistence by creating an initialization script that's executed upon system boot, effectively allowing the downloader to be automatically launched.

"The Lightning Framework is an interesting malware as it is not common to see such a large framework developed for targeting Linux," Robinson pointed out.

The discovery of Lightning Framework makes it the fifth Linux malware strain to be unearthed in a short period of three months after BPFDoor, Symbiote, Syslogk, and OrBit.

Source

The security update is already available. Most Chrome browsers will receive the update automatically, thanks to the built-in automatic updating functionality. Chrome users may speed up the installation of the security update on desktop versions of Chrome by loading chrome://settings/help in the browser's address bar.

The current version is displayed on the page and Chrome runs a check for updates to find out if a new version is available. If not installed already, Chrome will download and install the security update. A restart is required to complete the upgrade. The Android version of Chrome does not support such an option, as updates are distributed exclusively via Google Play.

Google Chrome 103 security fixes

Google published an article on the Chrome Releases Blog to inform Chrome users and administrators about the update. The blog post confirms that 11 different security issues are patched in the new Chrome release. Six of these, all reported by third-party researchers, are mentioned specifically on the blog. Google does not list security issues that it found internally on the blog.

The maximum severity rating of all 11 security issues is high, the second highest after critical. Here is the full list as reported by Google:

• [$16000][1336266] High CVE-2022-2477 : Use after free in Guest View. Reported by anonymous on 2022-06-14
• [$7500][1335861] High CVE-2022-2478 : Use after free in PDF. Reported by triplepwns on 2022-06-13
• [$3000][1329987] High CVE-2022-2479 : Insufficient validation of untrusted input in File. Reported by anonymous on 2022-05-28
• [$NA][1339844] High CVE-2022-2480 : Use after free in Service Worker API. Reported by Sergei Glazunov of Google Project Zero on 2022-06-27
• [$TBD][1341603] High CVE-2022-2481: Use after free in Views. Reported by YoungJoo Lee(@ashuu_lee) of CompSecLab at Seoul National University on 2022-07-04
• [$7000][1308341] Low CVE-2022-2163: Use after free in Cast UI and Toolbar. Reported by Chaoyuan Peng (@ret2happy) on 2022-03-21

Google makes no mention of attacks in the wild. It is still recommended to update Chrome to the latest version as soon as possible.

Google released the first Chrome 103 release earlier this month; this update included a fix for a 0-day vulnerability that was exploited in the wild.

Now You: do you use Google Chrome?

Google Chrome 103 update fixes 11 security issues

Frontpaged:   Google Chrome 103.0.5060.134

Today, cybersecurity firm Malwarebytes disclosed that they discovered a "major" malvertising campaign abusing Google ads.

When searching for "YouTube" related keywords, the first advertisement shown in search results is titled, 'YouTube - Best of YouTube Videos' or 'YouTube.com - YouTube - Best of YouTube videos for You.'

Looking at the advertisement, there is nothing that looks suspicious, as it contains the correct youtube.com URL and also shows additional advertising elements underneath the ad, as shown below.

However, clicking on the advertisement would not bring you to YouTube but rather to a tech support scam pretending to be a security alert from Windows Defender.

From tests conducted by BleepingComputer, the tech support scams are located on the URLs http://matkir[.]ml and http://159.223.199[.]181/ and warn visitors that 'Windows was blocked due to questionable activity' and that Windows Defender detected a Trojan Spyware named 'Ads.financetrack(2).dll.'

For those using VPNs, the good news is that the scam sites will check if you are running a VPN and, if so, redirect users to the legitimate YouTube site.

When we called the number listed on the scam site, we were connected to an overseas call center where the "support technician" prompted us to download and install TeamViewer on our devices.

While we did not allow the installation to continue, they would likely have used TeamViewer to take control of our computer to "fix" the error.

In most cases, the scammers would lock your computer somehow or tell you that your computer is infected and that you need to purchase a support license. Either way leads to an expensive support contract that provides no benefit to the victim.

The malvertising campaign is still running on Google Search at this time as demonstrated by a tweet from Malwarebytes.

What makes this malvertising campaign so scary is that it shows that threat actors can create ads that impersonate companies to distribute malware, phishing pages, or other types of attacks.

BleepingComputer has reached out to Google with questions about the advertisement but has not heard back at this time.

Convincing ‘YouTube’ Google ads lead to Windows support scams

Air-gapped systems are used in critical environments that need to be physically isolated from less secure networks, such as those connected to the public internet.

They are typically seen in military, government, and nuclear development programs, as well as industrial control systems in critical sectors (e.g. oil, gas, financial, electric power).

Dubbed “SATAn”, the attack was discovered by Mordechai Guri, the Head of R&D of The Cyber Security Research Labs at Ben-Gurion University in Israel, and could theoretically help an adversary steal sensitive information.

SATAn attack

For a SATAn attack to succeed, an attacker first needs to infect the target air-gapped system. While this is not an easy task, there are reports of physical initial compromise since 2010, Sutxnet being the most notorious one.

The piece of malware planted on an air-gapped network can target the sensitive information and prepare it for exfiltration by modulating and encoding it.

The researcher found that SATA cables in computers can deliver over a radio channel between 5.9995 and 5.9996 GHz electromagnetic signals that correspond to specific characters.

The SATA interface can emit radio signals during certain read and write operations. Malware used in SATAn attacks can hijack legitimate software processes to perform very specific read/write functions that reflect the content of the stolen data.

During the research, Guri was able to generate electromagnetic signals to deliver the word 'SECRET' from an air-gapped system to a nearby computer. The receiver needs to identify the start of a valid transmission from SATA 3 cables.

“In a real attack scenario, the receiver might be implemented as a process in the nearby computer or embedded in a dedicated hardware receiver,” the researcher explains in a technical paper.

Attack limitations

Through experimentation with various systems and settings, the researcher has determined that the maximum distance from the air-gapped computer to the receiver cannot be greater than 120 cm (3.9 ft), or the bit error rate increases too much to ensure the integrity of the message (above 15%).

The distance between the transmitter and the receiver also influences the time required to send the data. Depending on the gap, "sequences of three bits with 0.2 sec, 0.4 sec, 0.6 sec, 0.8 sec, 1.0 sec, and 1.2 sec have been modulated and received."

Also, the researcher has found that when virtual machines are abused to perform the data-translating read/write operations, the signal quality on the SATA cable is reduced significantly.

An interesting countermeasure proposed in the paper is that of a SATA jammer, which monitors for suspicious read/write operations from legitimate applications and adds noise to the signal.

However, excessive disk usage for generating the jamming signal accelerates hardware wear, and distinguishing between legitimate and malicious operations would be challenging in a runtime environment.

Mordechai Guri is has been involved in more than two dozen projects researching various channels that allow stealing data from air-gapped networks covertly.

Over the years, Guri and his team demonstrated that isolated networks can still allow leaking of sensitive information via signals (light, vibrations, sound, heat, magnetic or electromagnetic fields) generated by components present in the systems like monitors, speakers, cables, CPU, HDDs, cameras, keyboards.

Air-gapped systems leak data via SATA cable WiFi antennas

Google seems to have quietly launched Google Wallet, a seemingly powerful, but rather limited edition of e-wallet for Android devices. Google Pay (GPay), a pre-existing product, will continue to work and retain all its features and functions.

An updated version of Google Wallet, Google's fourth rebrand of its payment system, is available for a few Android smartphone users. Google had indicated it will launch a revamped version in July, but there doesn’t seem to be a formal announcement of the actual launch.

Only a few Redditors, and an installer APK file available for sideloading, have confirmed the existence of the latest version (v2.150.460235810) of Google Wallet. Google has, however, launched some support pages for its Wallet app.

The updated app is named “Wallet”. Google apparently wants the app to become a single destination for the majority of physical instruments of payments. Additionally, according to 9To5Google, the Wallet app could take over not only the duties of credit and debit cards, but also serve as a replacement for travel tickets, flight boarding passes, gift/loyalty cards, and vaccination records. Even virtual car keys and student IDs could be incorporated within the Wallet app.

Google Wallet started its journey as Android Pay, which was later rebranded as Google Pay or GPay. But Google seems to have settled on naming the app Wallet. Perhaps Google wants to subtly remind users about the platform’s multiple functions and support for several types of authentication and payment methods.

The newer Google Pay app, on the other hand, seems to be a development focused on offering cardless and contactless payments through smartphones. However, even GPay’s rollout is rather confusing. It already has a rather limited fork called “Google Pay (Tez)”.

Ars Technica reports that the package name for Google Wallet is “com.google.android.apps.walletnfcrel,” which suggests “Google Wallet is an in-place upgrade for the old Google Pay app”. It seems Google has determined that Google Pay and Google Wallet apps will live alongside each other for now. The Google Play Services backend will handle tap-and-pay, while in the U.S., the new Google Pay will handle P2P payments.

For the time being, Google Pay will compete with Apple Pay. Meanwhile, Google Wallet will roll out as an update to the old GPay. The updated Wallet app currently supports tap-to-pay cards that appear in a carousel, with the aforementioned support for other types of cards expected to arrive sometime later.

Updated Google Wallet will securely store tap-to-pay cards, will co-exist with GPay, for now

Intel's "Software Guard Extension" (SGX) is a widely used technology to protect sensitive data from misuse. It helps developers in shielding a certain memory area from the rest of a computer. A password manager, for example, can be executed safely in such an enclave, even if the rest of the system is corrupted by malware.

However, it is not uncommon for errors to creep in during the programming of the enclaves. Already in 2020, the paluno team from Prof. Dr. Lucas Davi discovered and published several vulnerabilities in SGX enclaves. Now, together with partners form the CASA cluster of excellence, the researchers have achieved another breakthrough in the analysis techniques: Their latest development enables the fuzz testing of enclaves, which is much more effective than the previously used symbolic execution. The idea behind fuzz testing is to feed a large number of inputs into a program in order to gain insights into the structure of the code.

"As enclaves are meant to be non-introspectable, fuzzing cannot easily be applied to them," paluno scientist Tobias Clooster explains the challenge.

"Moreover, fuzzing requires nested data structures, which we dynamically reconstruct from the enclave code." His research partner Johannes Willbold from from the research college SecHuman from the Ruhr-Universität Bochum adds: "This way, the shielded regions can be analyzed without accessing the source code."

Thanks to modern fuzzing technology, the researchers were able to detect many previously unknown security problems. All tested fingerprint drivers as well as wallets for storing cryptocurrency were affected. Hackers could exploit these vulnerabilities to read biometric data or steal the entire balance of the stored cryptocurrency. All companies were informed. Three vulnerabilities have been added to the publicly available CVE directory.

Source

The Tor Browser has been created specifically for accessing sites through The Onion Router (Tor) network to offer users anonymity and privacy when accessing information on the internet.

It achieves this by routing traffic through nodes on the network and encrypting it at every step. The connection reaches the destination through an exit node that is used to relay the information back to the user.

Auto block bypassing

The updates in Tor Browser 11.5 focus on circumventing censorship, a process that started a year ago in version 10.5 with improving the Tor connection experience.

In the new version, users no longer have to manually try out bridge configurations to unblock Tor.

Tor Browser version 11.5 comes with a new feature called “Connection Assist”, which assigns automatically the bridge configuration known to work best for the user’s location.

“Connection Assist works by looking up and downloading an up-to-date list of country-specific options to try using your location (with your consent),” explains the release announcement.

“It manages to do so without needing to connect to the Tor Network first by utilizing moat – the same domain-fronting tool that Tor Browser uses to request a bridge from torproject.org.”

Since Connection Assist is still in an early stage of development (v1.0), the Tor team welcomes user feedback and reports, which would help them iron out any kinks and improve on the system.

HTTPS on by default

Another important new feature in version 11.5 is making ‘HTTPS-Only Mode’ the default browsing mode, so that the connection is through a secure tunnel.

This ensures that all data exchange between the user and the server hosting the website will be encrypted, to defend against man-in-the-middle (MitM) attacks and to protect users from SSL stripping on malicious exit relays.

The Tor team assures users that SecureDrop will continue to work as intended despite the deprecation and replacement of the HTTPS-Everywhere extension that served as an onion name interpreter.

The only exception to replacing HTTPS-Everywhere with the new HTTPS-Only Mode is Android, which has generally fallen behind.

Tor’s development team admitted this and promised to do more about Android, releasing updates more frequently, fixing the many bugs that have accumulated, and catching up with the Fenix (Firefox for Android) releases.

Better settings

The third significant improvement in Tor Browser 11.5 is a heavily revamped Network Settings menu, now called “Connection Settings”, which should make it easier to find and understand specific settings.

Most notably, bridge configuration and connection options have been redesigned to enable quick and easy review and management.

Using emojis on the saved Bridges, the new interface offers visualization for the configuration for the first time, making it easy to identify the right bridge and select it when needed.

You can download the latest Tor Browser from the official download portal as an installable package or a portable binary for your OS architecture.

Tor Browser now bypasses internet censorship automatically

Frontpaged:   Tor Browser 11.5

The attackers are targeting the Kaswara Modern WPBakery Page Builder, which has been abandoned by its author before receiving a patch for a critical severity flaw tracked as CVE-2021-24284.

The vulnerability would allow an unauthenticated attacker to inject malicious Javascript to sites using any version of the plugin and perform actions like uploading and deleting files, which could lead to complete takeover of the site.

While the size of the campaign is impressive, with 1,599,852 unique sites being targeted, only a small portion of them are running the vulnerable plugin.

Researchers at Defiant, the maker of the Wordfence security solution for WordPress, observed an average of almost half a million attack attempts per day against customer sites they protect.

Indistinct large-scale attacks

Based on Wordfence telemetry data, the attacks started on July 4 and continue to this day. and are still ongoing today at an average of 443,868 attempts every day.

The attacks originate from 10,215 distinct IP addresses, with some having generated millions of requests while others are limited to lower numbers, the reearchers say.

The attackers send a POST request to ‘wp-admin/admin-ajax/php’, attempting to use the plugin’s ‘uploadFontIcon’ AJAX function to upload a malicious ZIP payload that contains a PHP file.

This file, in turn, fetches the NDSW trojan, which injects code in legitimate Javascript files present on the target sites to redirect visitors to malicious destinations like phishing and malware-dropping sites.

Some filenames the attackers use for the ZIP payloads are ‘inject.zip’, ‘king_zip.zip’, ‘null.zip’, ‘plugin.zip’, and ‘***_young.zip’.

These files or the presence of the “; if(ndsw==” string in any of your JavaScript files indicates that you have been infected.

If you’re still using the Kaswara Modern WPBakery Page Builder Addons plugin, you should remove it immediately from your WordPress site.

If you’re not using the plugin, you are still recommended to block the IP addresses of the attackers. For more details on the indicators and the most prolific sources of requests, check out Wordfence’s blog.

Attackers scan 1.6 million WordPress sites for vulnerable plugin

The attack peaked at 26 million requests per second that came from 5,067 devices. The previous record was held by Mēris botnet, which launched an attack that spiked at 21.8 million requests per second.

DDoS mitigation company Cloudflare, has been tracking Mantis botnet attacks against one thousands of its customers.

Not your ordinary botnet

Cloudflare explains in a report today that its analysts named the botnet Mantis after the Mantis Shrimp that can deliver devastating blows with its claws while being roughly 10 cm (4 inches) long. Similarly, the botnet is extremely powerful despite relying on a small number of devices.

Typical botnets need to compromise a large number of connected devices to accumulate sufficient firepower to deliver disrupting attacks against protected targets.

Mantis targets focuses on servers and virtual machines, which come with significantly more resources.

Generating many HTTPS requests is a resource-demanding process, so the more powerful the devices that constitute the botnet swarm, the more potent the DDoS attacks they can launch.

The previous record holder, Mēris, achieved particularly strong attacks by recruiting MikroTik devices, which feature powerful hardware.

Mantis victims

Mantis targets entities in the IT and telecom (36%), news, media, and publications (15%), finance (10%), and gaming (12%) sectors. Over the past 30 days, Mantis launched 3,000 DDoS attacks against almost a thousand Cloudflare customers, the company notes.

Most of the targets are organizations in the United States (20%) and the Russian Federation (15%), while victims in Turkey, France, Poland, Ukraine, the UK, Germany, Netherlands, and Canada account for percentages between 2.5% and 5%.

To help admins prepare for DDoS attacks, Cloudflare has issued a set of best preventative measures and guidance on how to respond to the attacks.

Mantis botnet behind the record-breaking DDoS attack in June

"This new campaign also suggests that the APT is actively expanding its network of victims to include civilian users," Cisco Talos said in a report shared with The Hacker News.

Also tracked under the monikers APT36, Operation C-Major, PROJECTM, Mythic Leopard, the Transparent Tribe actor is suspected to be of Pakistani origin and is known to strike government entities and think tanks in India and Afghanistan with custom malware such as CrimsonRAT, ObliqueRAT, and CapraRAT.

But the targeting of educational institutions and students, first observed by India-based K7 Labs in May 2022, indicates a deviation from the adversary's typical focus.

"The latest targeting of the educational sector may align with the strategic goals of espionage of the nation-state," Cisco Talos researchers told The Hacker News. "APTs will frequently target individuals at universities and technical research organizations in order to establish long term access to siphon off data related to ongoing research projects."

Attack chains documented by the cybersecurity firm involve delivering a maldoc to the targets either as an attachment or a link to a remote location via a spear-phishing email, ultimately leading to the deployment of CrimsonRAT.

"This APT puts in a substantial effort towards social engineering their victims into infecting themselves," the researchers said. "Transparent Tribes' email lures try to appear as legitimate as possible with pertinent content to convince the targets into opening the maldocs or visiting the malicious links provided."

CrimsonRAT, also known as SEEDOOR and Scarimson, functions as the staple implant of choice for the threat actor to establish long-term access into victim networks as well as exfiltrate data of interest to a remote server.

Courtesy of its modular architecture, the malware allows the attackers to remotely control the infected machine, steal browser credentials, record keystrokes, capture screenshots, and execute arbitrary commands.

What's more, a number of these decoy documents are said to be hosted on education-themed domains (e.g., "studentsportal[.]co") that were registered as early as June 2021, with the infrastructure operated by a Pakistani web hosting services provider named Zain Hosting.

"The entire scope of Zain Hosting's role in the Transparent Tribe organization is still unknown," the researchers noted. "This is likely one of many third-parties Transparent Tribe employs to prepare, stage and/or deploy components of their operation."

Source

Intezer Labs security researchers have identified a sophisticated new malware that targets Linux devices.

OrBit is rather nasty and can hide its presence in network activity by manipulating logs. The module hooks functions called in shared libraries, which is pretty common for malware, but it implements “advanced evasion techniques” and “remote capabilities over SSH.”

OrBit extracts the output of executed commands in specific files on the targeted machine. It accepts arguments to customize the installation path and other configurations such as payload content. OrBit has two installation modes: /lib/ for persistence and /dev/shm/ (shim-memory) for volatile.

The dropper prepares the environment and writes Python scripts that interact with the filesystem to deliver the payload and execute it with high privileges. It uses the environment variable LD_PRELOAD to hijack shared libraries. This approach can be found in other Linux malware, such as Symbiote. It also stores stolen data in specific files on the targeted machine.

The module “hooks multiple functions to prevent them from outputting information that might reveal the existence of the malicious shared library in the running processes or the files that are being used,” the researchers wrote.

However, by hooking functions in the Linux Pluggable Authentication Module to steal information from SSH connections, attackers can gain remote access while hiding network activity. The malware is hard to remove while the machine is running because of the two methods used to achieve persistence “in case one of them goes away.”

If administrators delete the file or restore the original version, the malware will either recreate or repatch it. In addition, the malware can monitor its own network activity and filter its own traffic. To achieve that, it hooks functions such as bind, connect, or pcap_packet_callback to log IP addresses and ports in the .ports file within the malware folder.

Classic antivirus software can't catch threats like OrBit that are specifically meant to evade them. Threat actors behind the malware seem to master Linux internals, as you would expect from such hackers, and their approach might inspire other groups. Some security vendors have updated their mapping after Intezer’s publication, but others are still not detecting the threat.

Source

New working speculative execution attack sends Intel and AMD scrambling

Scammers are getting so good at it that even cybersecurity experts are taken in.

One of us (Oliver Buckley) recalls that in 2018 he received an email from the pro-vice chancellor of his university. "This is it, I thought. I'm finally getting recognition from the people at the top. Something wasn't right, though. Why was the pro-vice chancellor using his Gmail address? I asked how I could meet. He needed me to buy £800 worth of iTunes gift cards for him, and all I needed to do was scratch off the back and send him the code. Not wanting to let him down, I offered to pop down to his PA's office and lend him the £5 note I had in my wallet. But I never heard back from him."

The infamous "prince of Nigeria" emails are falling out of fashion. Instead, scammers are scouring social media, especially business-related ones like LinkedIn, to target people with tailored messages. The strength of a relationship between two people can be measured by inspecting their posts and comments to each other. In the first quarter of 2022, LinkedIn accounted for 52% of all phishing scams globally.

Human tendencies

Psychologists who research obedience to authority know we are more likely to respond to requests from people higher up in our social and professional hierarchies. And fraudsters know it too.

Scammers don't need to spend much time researching corporate structures. "I'm at the conference and my phone ran out of credit. Can you ask XXX to send me report XXX?" runs a typical scam message.

Data from Google Safe Browsing shows there are now nearly 75 times as many phishing sites as there are malware sites on the internet. Almost 20% of all employees are likely to click on phishing email links, and, of those, a staggering 68% go on to enter their credentials on a phishing website.

Globally, email spam cons cost businesses nearly US$20 billion (£17 billion) every year. Business consultant and tax auditor BDO's research found that six out of ten mid-sized business in the U.K. were victims of fraud in 2020, suffering average losses of £245,000.

Targets are normally chosen based on their rank, age or social status. Sometimes, spamming is part of a coordinated cyber attack against a specific organization so targets are selected if they work or have connections to this organization.

Fraudsters are using spam bots to engage with victims who respond to the initial hook email. The bot uses recent information from LinkedIn and other social media platforms to gain the victim's trust and lure them into giving valuable information or transferring money. This started over the last two to three years with the addition of chatbots to websites to increase interactions with customers. Recent examples include the Royal Mail chatbot scam, DHL Express, and Facebook Messenger. Unfortunately for the public, many companies offer free and paid services to build a chatbot.

And more technical solutions are available for scammers these days to conceal their identities such as using anonymous communication channels or fake IP addresses.

Social media is making it easier for scammers to craft believable emails called spear phishing. The data we share every day gives fraudsters clues about our lives they can use against us. It could be something as simple as somewhere you recently visited or a website you use. Unlike general phishing (large numbers of spam emails) this nuanced approach exploits our tendency to attach significance to information that has some connection or for us. When we check our full inbox, we often pick out something that strikes a chord. This is referred to in psychology as the illusory correlation: seeing things as related when they aren't.

How to protect yourself

Even if you're tempted to bait email scammers, don't. Even confirming your email address is in use can make you a target for future scams. There is also a more human element to these scams compared with the blanket bombing approach scammers have favored for the last two decades. It's eerily intimate.

One simple way to avoid being tricked is to double-check the sender's details and email headers. Think about the information that might be out there about you, not just about what you receive and who from. If you have another means of contacting that person, do so.

We should all be careful with our data. The rule of thumb is if you don't want someone to know it, then don't put it online.

The more advanced technology gets, the easier it is to take a human approach. Video call technology and messaging apps bring you closer to your friends and family. But it's giving people who would do you harm a window into your life. So we have to use our human defenses: gut instinct. If something doesn't feel right, pay attention.

Source

The company has also failed to explain the reason behind this decision and is yet to publicly inform customers that VBA macros embedded in malicious Office documents will no longer be blocked automatically in Access, Excel, PowerPoint, Visio, and Word.

"Based on feedback, we're rolling back this change from Current Channel," the company notified admins in the Microsoft 365 message center (under MC393185 or MC322553) on Thursday.

"We appreciate the feedback we've received so far, and we're working to make improvements in this experience. We'll provide another update when we're ready to release again to Current Channel. Thank you."

The change began rolling out in Version 2203, starting with Current Channel (Preview) in early April 2022, with general availability to be reached in June 2022, as BleepingComputer previously reported.

This was a welcome and highly expected change, given that VBA macros are a popular method to push a wide range of malware strains (including Emotet, TrickBot, Qbot, and Dridex) via phishing attacks with malicious Office document attachments.

With VBA macros blocked by default, everyone was expecting attacks that delivered malware (such as information-stealing trojans and malicious tools used by ransomware groups) to be automatically thwarted.

On systems where VBA macros aut0blocking is enabled, customers see a "SECURITY RISK: Microsoft has blocked macros from running because the source of this file is untrusted" security alert.

If clicked, the warning sends users to an article containing information about the security risks behind threat actors' use of Office macros and instructions on enabling these macros if absolutely necessary.

Mockup of new Office macros security alert (BleepingComputer)

Confused users asking for an explanation, more transparency

Microsoft's customers were the first to notice that Microsoft rolled back this change in the Current Channel on Wednesday, with the old 'Enable Editing' or 'Enable Content' buttons shown at the top of downloaded Office documents with embedded macros.

"Is it just me or have Microsoft rolled this change back on the Current Channel?" one Microsoft Office user asked in the comments of Microsoft's February blog post announcing that VBA macros will be disabled.

"It feels like something has undone this new default behaviour very recently... maybe Microsoft Defender is overruling the block?"

"Based on feedback received, a rollback has started. An update about the rollback is in progress," replied Angela Robertson, a Principal GPM for Identity and Security on the Microsoft 365 Office team.

"I apologize for any inconvenience of the rollback starting before the update about the change was made available."

Another customer complained about Microsoft's "lack of communication" after announcing this change and asked the company to share more info on this rollback "elsewhere."

"Your standard SMB and even mid-sized businesses are going to implode if this gets fully implemented in it's current form," the customer said.

"You seem to be catering to enterprises now that have very large teams of people to manage your products, and that's simply not the case for most of the user base. It needs to be simplified before it's released, and moreso, it needs to be effectively communicated."

"Rolling back a recently implemented change in default behaviour without at least announcing the rollback is about to happen is very poor product management," another added.

While Microsoft has not shared the negative feedback that led to the rollback of this change, users have reported that they are unable to find the Unblock button to remove the Mark-of-the-Web from downloaded files, making it impossible to enable macros.

Other admins felt that the decision was a problem for end-users who would find it burdensome to unblock files that they download every day, if not multiple times per day.

A Microsoft spokesperson was not immediately available for comment when BleepingComputer reached out earlier today.

Microsoft rolls back decision to block Office macros by default

Today, Microsoft has released an updated version of Edge to patch the same issue too. This is because the 0-day exploit affects Chromium, so any browser based on that project is affected. As such, both Edge and Chrome are impacted equally.

Microsoft hasn't gone into details about the fix either and has just noted in Edge's changelog that:

This update contains a fix for CVE-2022-2294, which has been reported by the Chromium team as having an exploit in the wild.

The most updated version of Edge Stable is now version 103.0.1264.48. If the browser doesn't update automatically for you, click on the three-dotted menu on the top-right corner of your browser window and navigate to Help and feedback > About Microsoft Edge to trigger the update.

Following Chrome, Edge gets emergency update for high severity 0-day exploit too

Currently, nine states have almost entirely banned abortion, and more are expected to follow suit. Many Republican lawmakers in these states are discussing the possibility of preventing people from traveling across state lines to obtain an abortion. If such plans are enacted and withstand legal scrutiny, one of the key technologies that could be deployed to track people trying to cross state lines is automated license plate readers (ALPRs). They’re employed heavily by police forces across the US, but they’re also used by private actors.

ALPRs are cameras that are mounted on street poles, overpasses, and elsewhere that can identify and capture license plate numbers on passing cars for the purpose of issuing speeding tickets and tolls, locating stolen cars, and more. State and local police maintain databases of captured license plates and frequently use those databases in criminal investigations.

The police have access to not only license plate data collected by their own ALPRs but also data gathered by private companies. Firms like Flock Safety and Motorola Solutions have their own networks of ALPRs that are mounted to the vehicles of private companies and organizations they work with, such as car repossession outfits. Flock, for instance, claims it’s collecting license plate data in roughly 1,500 cities and can capture data from over a billion vehicles every month.

“They have fleets of cars that have ALPRs on them that just suck up data. They sell that to various clients, including repo firms and government agencies. They also sell them to police departments,” says Jay Stanley, a senior policy analyst at the ACLU. “It’s a giant, nationwide mass surveillance system. That obviously has serious implications should interstate travel become part of forced-birth enforcement.”

In a statement to WIRED, a Flock Safety spokesperson said the company does not provide customer data to third parties. “We will never share or sell customer data to any third parties. While we cannot speak for any other vendors, we have never and will never sell data to repossession companies or third-party organizations, including anti-abortion groups," the company said. 

However, anyone can become a first party by purchasing the company's cameras. (Its customers often include neighborhoods and home owners associations.) Flock Safety says its cameras are installed in more than 1,500 cities in 42 states, which are connected to Flock's centralized camera network. A March 2021 Vice investigation based on Flock-related emails obtained from nearly 20 police departments allows anyone who administers a Flock camera to “make the data Flock captures available to, say, the police, the home owner association's board, or the individual members of an entire neighborhood.” In addition to private customers, Flock has also reportedly partnered with hundreds of police departments across the US.

Motorola Solutions did not respond to a request for comment prior to publication.

Stanley says that ALPRs are more concentrated in metropolitan areas, but they’re also common in rural areas. If someone is traveling out of state to get an abortion, police could likely repeatedly identify where their license plate was scanned during the trip and the times it was scanned. With that information, they may be able to sketch out that person’s travel patterns. Police don’t need a warrant to obtain this information because license plates are out in the open and can be seen by anyone, which is not necessarily the case when the police want to obtain someone’s location data from their phone or use another tracking method.

“The more densely situated ALPR scanners are, the more they come to resemble GPS tracking,” Stanley says.

Once the person seeking an abortion has left the state, a police department could look for license plate data in another state through the private databases, or they could obtain this data via a police department in that state. Police departments around the country regularly share ALPR data with each other, and the data is often shared with little oversight.

“It’s a huge problem that people are sharing data without really being deliberate about who they’re sharing it with and why,” says Dave Maass, director of investigations for the Electronic Frontier Foundation (EFF).

Maass notes that police aren’t the only ones who could utilize ALPR data to track people seeking abortion access. Thanks to the passage of Texas Senate Bill 8 (SB 8), he says anti-abortion groups could use license plate data in litigation against whole swaths of people. That law allows anyone in the US to sue abortion providers, anyone who “aids or abets” someone seeking an abortion after a fetal heartbeat is detected (typically around six weeks)—or anyone with intent to help someone receive an illegal abortion in the state. Anti-abortion groups have also been known to write down people’s license plate numbers at abortion clinics over the years, Maass notes, so they may even have a database of license plate numbers already available to them that they could search through.

“One of the things I’m concerned about is this big private database that is operated by DRN Data. It’s not necessarily law enforcement but individual actors who might be trying to enforce abortion laws under things like Texas’ SB 8,” Maass says.

DRN Data operates a license plate reader database that receives its data from repo trucks and other vehicles equipped with ALPRs. (DNR Data did not yet respond to WIRED’s request for comment.) Regardless of who’s operating them, there’s no shortage of license plate scanners, and both Maass and Stanley say it would be extremely difficult for someone seeking an abortion to avoid being surveilled along the way.

“You could take an Uber, but that’s going to create a different data trail. You could rent a car, but that’s a different data trail. You could ride the bus, but that’s a different data trail,” Maass says.

One policy change that could help address this issue is if states would adopt the same kind of legislation that New Hampshire has, Stanley says. Its statute states that ALPR data “shall not be recorded or transmitted anywhere and shall be purged from the system within three minutes of their capture, unless the number resulted in an arrest, a citation, or protective custody or identified a vehicle that was the subject of a missing or wanted person broadcast.” This type of law would prevent police departments from retaining data that could be utilized for long periods.

Like abortion laws, ALPR regulations vary state by state. New Hampshire isn’t storing this data for long, but Arkansas—which last month criminalized nearly all abortion care—allows the data to be stored for 150 days. Other states may limit license plate data storage to between 21 and 90 days. Georgia, whose pending law would ban abortions after the detection of fetal cardiac activity, allows police to store license plate data for up to 30 months after collection. Maass says these issues will have to be addressed throughout the country.

“Legislators need to be looking at this. Law enforcement needs to talk to their city council members about how they’re going to address this,” Maass says. “Attorneys general who are claiming they’re going to protect abortion access need to look at their data systems. A lot of this is going to have to be dealt with in a policy context.”

ALPRs are just one of the many surveillance tools police departments and anti-abortion groups will have available to them, but they’ll become one of the most powerful tools available if states manage to make it illegal to cross state lines to obtain an abortion. For states that seek to safeguard access to abortion care, there’s little time to assess how this technology is being utilized and whether policies need to be altered to limit its use.

Update 1:24 pm ET, July 7: Added comment from Flock Safety and additional contextual details about the company's data collection ecosystem.

The Danger of License Plate Readers in Post-Roe America

(May require free registration to view)

End-to-end encryption’s central role in modern self-defense

The statement was given at MI5's headquarters by MI5 director-general Ken McCallum and FBI director Christopher Wray. Excerpts from the rather blunt conference can be read below:

The Chinese government is set on stealing your technology—whatever it is that makes your industry tick—and using it to undercut your business and dominate your market. They're set on using every tool at their disposal to do it.

 [...] We want to send the clearest signal we can on a massive shared challenge—China, if we are to protect our economies, our institutions and our democratic values.

 [...] We’ve seen China looking for ways to insulate their economy against potential sanctions, trying to cushion themselves from harm if they do anything to draw the ire of the international community. In our world, we call that kind of behavior a clue.

China has responded strongly to the accusations as well, with an embassy spokesperson in Washington describing the move as politicians who are destroying China's image with false claims. The Chinese government has essentially condemned the claims made by the intelligence firms and noted that it does not engage in state-sponsored cyberattacks and is actually a victim of them. It demanded the U.S. to be a "truly responsible actor in cyberspace" and called it out for mass online surveillance as well.

The FBI and MI5 clarified that their words are not targeted at the Chinese public, they are aimed squarely at the Chinese government. The FBI claims that it opens an investigation into China's activities every 12 hours on average and the MI5 says that the number of its investigations into the country's interference is seven times more now than it was in 2018.

Although the intelligence firms have not demanded that western tech organizations to stop doing business in China completely, they have asked such firms to be re-evaluate the risk in this space and be vigilant because Chinese laws make them vulnerable to state-sponsored interference.

Source: WSJ (paywall)

Source

The malware can be installed as a volatile implant either by achieving persistence on the compromised systems. The malware implements advanced evasion techniques and hooks key functions to maintain persistence on the infected systems. OrBit allows operators to achieve remote access capabilities over SSH, harvests credentials, and logs TTY commands.

“Once the malware is installed it will infect all of the running processes, including new processes, that are running on the machine.” reads the analysis published by the experts. “Unlike other threats that hijack shared libraries by modifying the environment variable LD_PRELOAD, this malware uses 2 different ways to load the malicious library. The first way is by adding the shared object to the configuration file that is used by the loader. The second way is by patching the binary of the loader itself so it will load the malicious shared object.”

Experts noticed similarities between the threat and the recently disclosed Symbiote malware which is designed to infect all of the running processes on the compromised machines.

Unlike Symiote that leverages the LD_PRELOAD environment variable to load the shared object, OrBit employs two different methods. In the first method, the shared object is added to the configuration file that is used by the loader, in the second one the binary of the loader is patched to load the malicious shared object.

The malicious payload is a shared object (.SO file) that can be placed either in persistent storage, for example /lib/libntpVnQE6mk/, or in shim-memory under /dev/shm/ldx/. Placing the payload in the first path will allow the threat to gain persistence, otherwise, it is volatile.

The backdoor hooks the read and write functions to log data that is being written by the executed processes on the infected machine.

The attack chain starts with an ELF dropper that extracts the payload (“libdl.so”) and adds it to the shared libraries that are loaded by the dynamic linker.

“The shared object hooks functions from 3 libraries: libc, libcap and Pluggable Authentication Module (PAM). Existing processes that use these functions will essentially use the modified functions, and new processes will be hooked with the malicious library as well, allowing the malware to infect the whole machine and harvest credentials, evade detection, gain persistence and provide remote access to the attackers.” continues the experts.

The experts pointed out that the malware outstands for its almost hermetic hooking of libraries. Linux threats continue to evolve, recently other sophisticated Linux malware were spotted by the researchers in the wild such as Symbiote and Syslogk.

“Threats that target Linux continue to evolve while successfully staying under the radar of security tools, now OrBit is one more example of how evasive and persistent new malware can be.” concludes the report.

Source

"I am a super hacker that is here to bring revenge upon Disney land," he wrote alongside a photo of what appears to be himself, saying that he is sick of employees mocking him. "...Who's the tough guy now Jerome?"

Along with repeatedly using the N-word in his posts, the hacker repeatedly said he "invented covid."

The hacker also posted on the account's Instagram story.

Disneyland has 8.4 million followers on Instagram and its page is otherwise filled with photos of families, children and activities at the California resort.

The account was temporarily taken down shortly after the incident and reemerged without any of the hacked posts.

Disneyland's other social media pages seem to be unaffected and the company has not yet made a statement about the incident. CBS News has reached out for comment.

Source

Why Lockdown mode from Apple is one of the coolest security ideas ever

According to the company, Lockdown Mode has been created with certain people in mind who are targeted by advanced attacks created by the likes of NSO Group and other private firms working on state-sponsored malware. Once enabled, Lockdown Mode will offer the following protections:

• Messages: Most message attachment types other than images are blocked. Some features, like link previews, are disabled.
• Web browsing: Certain complex web technologies, like just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode.
• Apple services: Incoming invitations and service requests, including FaceTime calls, are blocked if the user has not previously sent the initiator a call or request.
• Wired connections with a computer or accessory are blocked when iPhone is locked.
• Configuration profiles cannot be installed, and the device cannot enroll into mobile device management (MDM), while Lockdown Mode is turned on.

Over time, Apple will continue to strengthen Lockdown Mode and is actively soliciting feedback from the security community. The Apple Security Bounty programme has a new section now for researchers looking for flaws in Lockdown Mode and all the bounties are doubled – this means you can earn up to $2,000,000 for finding the most serious vulnerabilities.

Apple's upcoming operating systems will feature ultra-secure Lockdown Mode

•  Hackers duped a senior engineer at Axie Infinity into applying for a job at a fictitious company.
•  The scheme resulted in the loss of $540 million in crypto earlier this year.
•  Details of how the hack was carried out are being reported for the first time by The Block.

Rarely has a job application backfired more spectacularly than in the case of one senior engineer at Axie Infinity, whose interest in joining what turned out to be a fictitious company led to one of the crypto sector’s biggest hacks.

Ronin, the Ethereum-linked sidechain that underpins play-to-earn game Axie Infinity, lost $540 million in crypto to an exploit in March. While the US government later tied the incident to North Korean hacking group Lazarus, full details of how the exploit was carried out have not been disclosed.

The Block can now reveal that a fake job ad was Ronin’s undoing.

According to two people with direct knowledge of the matter, who were granted anonymity due to the sensitive nature of the incident, a senior engineer at Axie Infinity was duped into applying for a job at a company that, in reality, did not exist.

Axie Infinity was huge. At its peak, workers in Southeast Asia were even able to earn a living through the play-to-earn game. It boasted 2.7 million daily active users and $214 million in weekly trading volume for its in-game NFTs in November last year — although both numbers have since plummeted.

Earlier this year, staff at Axie Infinity developer Sky Mavis were approached by people purporting to represent the fake company and encouraged to apply for jobs, according to the people familiar with the matter. One source added that the approaches were made through the professional networking site LinkedIn.

After what one source described as multiple rounds of interviews, a Sky Mavis engineer was offered a job with an extremely generous compensation package.

The fake “offer” was delivered in the form of a PDF document, which the engineer downloaded — allowing spyware to infiltrate Ronin’s systems. From there, hackers were able to attack and take over four out of nine validators on the Ronin network — leaving them just one validator short of total control.

In a post-mortem blog post on the hack, published April 27, Sky Mavis said: “Employees are under constant advanced spear-phishing attacks on various social channels and one employee was compromised. This employee no longer works at Sky Mavis. The attacker managed to leverage that access to penetrate Sky Mavis IT infrastructure and gain access to the validator nodes.”

Validators fulfill various functions in blockchains, including the creation of transaction blocks and the updating of data oracles. Ronin uses a so-called “proof of authority” system for signing transactions, concentrating power in the hands of nine trusted actors.

An April blog post on the incident from blockchain analysis firm Elliptic explains: “Funds can be moved out if five of the nine validators approve it. The attacker managed to get hold of the private cryptographic keys belonging to five of the validators, which was enough to steal the cryptoassets.”

But after successfully infiltrating Ronin’s systems through the fake job ad, the hackers had control of just four out of the nine validators — meaning they needed another in order to take control.

In its post-mortem, Sky Mavis revealed that the hackers managed to use the Axie DAO (Decentralized Autonomous Organization) — a group set up to support the gaming ecosystem — to complete the heist. Sky Mavis had asked the DAO for help dealing with a heavy transaction load in November 2021.

“The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allowlist access was not revoked,” said Sky Mavis in the blog post. “Once the attacker got access to Sky Mavis systems they were able to get the signature from the Axie DAO validator.”

A month after the hack, Sky Mavis had increased the number of its validator nodes to 11, and said in the blog post that its long-term goal was to have more than 100.

Sky Mavis declined to comment on how the hack was carried out when reached. LinkedIn didn’t respond to multiple requests for comment.

Earlier today, ESET Research published an investigation showing that North Korea’s Lazarus had abused LinkedIn and WhatsApp by posing as recruiters to target aerospace and defense contractors. But the report did not tie that technique to the Sky Mavis hack.

Sky Mavis raised $150 million in a round led by Binance in early April. The proceeds will be used alongside the company’s own funds to reimburse users affected by the exploit. The company said recently that it would begin returning funds to users on June 28. After coming to a sudden halt at the time of the hack, Ronin’s Ethereum bridge also relaunched last week.

The rate of DeFi hacks has accelerated rapidly this year, topping $2 billion in total funds lost, according to The Block Research data. On January 1, the number stood at $760 million.

< View the chart at the source page. >

Source

ReversingLabs found more than two dozen npm modules dating back six months. They contained obfuscated Javascript designed to steal form data from the apps they were deployed to.

Attackers appear to have used typosquatting techniques to trick developers into downloading their malicious packages.

They impersonated high-traffic npm modules like “umbrellajs,” renamed “umbrellaks,” and packages published by ionic.io.

“Packages created by the npm ionic-io author … show that the author published 18 versions of an npm package named ‘icon-package’ containing the malicious form stealing code,” ReversingLabs wrote.

“That was a glaring attempt to mislead developers into using this package instead of ‘ionicons,’ a popular, open source icon set with more than 1,000 icons for web, iOS, Android, and desktop apps.”

All the packages were designed to collect form data using jQuery Ajax functions and then exfiltrate that data to domains controlled by the threat actors.

The full extent of the campaign has yet to be revealed, but it already highlights systemic challenges facing developers who use open source components to accelerate time-to-market.

“It is clear that software development organizations as well as their customers need new tools and processes for assessing supply chain risks like the ones posed by these malicious npm packages. The decentralized and modular nature of application development means that applications and services are only as strong as their least secure component,” argued ReversingLabs.

“The success of this attack – with more than two dozen malicious modules available for download on a popular package repository, and one of them with 17,000 downloads in a matter of weeks – underscores the freewheeling nature of application development, and the low barriers to malicious or even vulnerable code entering sensitive applications and IT environments.”

Source