<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/121/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Hive Ransomware Upgrades to Rust for More Sophisticated Encryption Method</title><link>https://nsaneforums.com/news/security-privacy-news/hive-ransomware-upgrades-to-rust-for-more-sophisticated-encryption-method-r6913/</link><description><![CDATA[<p>
	The operators of the Hive ransomware-as-a-service (RaaS) scheme have overhauled their file-encrypting software to fully migrate to Rust and adopt a more sophisticated encryption method.
</p>

<p>
	<br />
	"With its latest variant carrying several major upgrades, Hive also proves it's one of the fastest evolving ransomware families, exemplifying the continuously changing ransomware ecosystem," Microsoft Threat Intelligence Center (MSTIC) said in a report on Tuesday.
</p>

<p>
	<br />
	Hive, which was first observed in June 2021, has emerged as one of the most prolific RaaS groups, accounting for 17 attacks in the month of May 2022 alone, alongside Black Basta and Conti.
</p>

<p>
	<br />
	The shift from GoLang to Rust makes Hive the second ransomware strain after BlackCat to be written in the programming language, enabling the malware to gain additional benefits such as memory safety and deeper control over low-level resources as well as make use of a wide range of cryptographic libraries.
</p>

<p>
	<br />
	What it also affords is the ability to render the malware resistant to reverse engineering, making it more evasive. Furthermore, it comes with features to stop services and processes associated with security solutions that may stop it in its tracks.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="ransomware.jpg" class="ipsImage" data-ratio="52.92" height="376" width="720" src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiWYt4TfiLRyGY9_8-u35gFIlcXtaE9_H2dMIvDTBZ131L_GpSpgU_NRXlu7j3y4yffGT7bu3JBCGhCXbMVvr3xWY714khwYNsLR6OxjWWiDZhfwQmqIzZ1S2aUuAsirTmEATRyUjRVAJIm3k-lrku2gMnmC0qtEyN3_TuH6Yzm10i8eIq1nOHqp_4H/s728-e1000/ransomware.jpg" />
</p>

<p>
	<br />
	Hive is no different from other ransomware families in that it deletes backups to prevent recovery, but what's changed significantly in the new Rust-based variant is its approach to file encryption.
</p>

<p>
	<br />
	"Instead of embedding an encrypted key in each file that it encrypts, it generates two sets of keys in memory, uses them to encrypt files, and then encrypts and writes the sets to the root of the drive it encrypts, both with .key extension," MSTIC explained.
</p>

<p>
	<br />
	To determine which of the two keys is used for locking a specific file, an encrypted file is renamed to include the file name containing the key that's then followed by an underscore and a Base64-encoded string (e.g., "C:\myphoto.jpg.l0Zn68cb _ -B82BhIaGhI8") that points to two different locations in the corresponding .key file.
</p>

<p>
	<br />
	The findings come as the threat actor behind the lesser-known AstraLocker ransomware ceased operations and released a decryption tool as part of a shift to cryptojacking, Bleeping Computer reported this week.
</p>

<p>
	<br />
	But in an indication that the cybercriminal landscape is in constant flux, cybersecurity researchers have discovered a new ransomware family called RedAlert (aka N13V) that's capable of targeting both Windows and Linux VMware ESXi servers.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2022/07/hive-ransomware-upgrades-to-rust-for.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">6913</guid><pubDate>Wed, 06 Jul 2022 13:31:13 +0000</pubDate></item><item><title>Bitwarden to add support for passwordless login to vault, autofill for other desktop apps</title><link>https://nsaneforums.com/news/security-privacy-news/bitwarden-to-add-support-for-passwordless-login-to-vault-autofill-for-other-desktop-apps-r6899/</link><description><![CDATA[<p>
	The Bitwarden roadmap for 2022 has been updated; the company plans to implement some interesting features in its password manager.
</p>

<p>
	 
</p>

<p>
	<img alt="Bitwarden-roadmap-2022.png" class="ipsImage" data-ratio="75.10" height="458" width="720" src="https://www.ghacks.net/wp-content/uploads/2022/07/Bitwarden-roadmap-2022.png">
</p>

<h3>
	Bitwarden to add support for passwordless login
</h3>

<p>
	One of the upcoming features that we can look forward to in Bitwarden is passwordless login. This probably isn't what you're thinking: it's not for websites. This option will allow you to approve a login to your Bitwarden vault on a new device from an existing one. Here's an example given by a Bitwarden employee: the passwordless login can be used to sign in to your browser extension by confirming it from your mobile phone.
</p>


<h4>
	Auto-type/Autofill for desktop apps
</h4>

<p>
	Autofill is probably one of the most popular features in a password manager. But this is usually limited to web browsers, because of the integration between browsers and the password manager app. Bitwarden wants to add support for Auto-type/Autofill for logging into other desktop apps.
</p>

<h3>
	Bitwarden 2022 Roadmap
</h3>

<p>
	Per the <a data-wpel-link="external" href="https://community.bitwarden.com/t/bitwarden-roadmap/12865" rel="external nofollow" target="_blank">roadmap</a> that has been published on its site, these features will make their way into the password manager sometime in the 2nd half of the year.
</p>

<p>
	 
</p>

<p>
	Bitwarden wants to introduce additional item types for users to add to the vault. Vault item labels are a tool that can help users organize their content. Though it sounds like tags, it will actually be a replacement for vault folders. Vault item sharing will let users send items that they have in their vault to other users.
</p>

<p>
	 
</p>

<p>
	Enhanced Localization will provide a more efficient way for translators working on different languages. Bitwarden will get a notification center, though it is unclear what it will do; perhaps it might provide alerts for unsuccessful login attempts? Users will be able to gift Bitwarden premium subscriptions to others, and a referral system is coming.
</p>

<p>
	 
</p>

<p>
	The company will also update its desktop apps with new features. The main issue with the password manager is that it's unusable offline unless you are already signed in to your account, and even that has some restrictions. This might change, as Bitwarden will include support for offline editing, which sounds good.
</p>

<p>
	 
</p>

<p>
	Not all of these features will be available for everyone. Passwordless login options, additional item types, and vault item labels will be available for free users, while the rest are heading to the premium tier.
</p>

<p>
	 
</p>

<p>
	You can watch the Bitwarden Vault Hours video on <a data-wpel-link="external" href="https://www.crowdcast.io/e/bitwarden-vault-hours-25" rel="external nofollow" target="_blank">Crowdcast</a> for more details (requires email). The roadmap is discussed from the 29th minute to the 35th in the video.
</p>

<h4>
	Bitwarden overlay pop-up interface
</h4>

<p>
	The <a data-wpel-link="external" href="https://community.bitwarden.com/t/overlay-popup-interface/14/266" rel="external nofollow" target="_blank">overlay pop-up interface</a> is among the most discussed topics on Bitwarden's community forums. Bitwarden's CCO, Gary Orenstein, confirmed (around the 26th minute of the video) that the developers are working on improving the overlay pop-up interface of the password manager. He explained that there are limitations to what a browser extension can do, and that injecting an overlay pop-up interface into a web page is not a standard implementation on the web. A new style could be disruptive to the user, which explains why the company wants to take it slow and focus on the standard that is used by competitors.
</p>

<p>
	 
</p>

<p>
	I think offline editing should be made available to all users, and I hope Bitwarden improves the Windows Store version; it doesn't support browser integration, which is why I use the regular version.
</p>

<p>
	 
</p>

<p>
	Which of these features do you like the most?
</p>

<p>
	 
</p>


<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2022/07/05/bitwarden-roadmap-2022-update-passwordless-login/" rel="external nofollow">Bitwarden to add support for passwordless login to vault, autofill for other desktop apps</a>
</p>
]]></description><guid isPermaLink="false">6899</guid><pubDate>Tue, 05 Jul 2022 20:32:52 +0000</pubDate></item><item><title>Up to 90% of governmental websites include cookies of third-party trackers</title><link>https://nsaneforums.com/news/security-privacy-news/up-to-90-of-governmental-websites-include-cookies-of-third-party-trackers-r6884/</link><description><![CDATA[<p>
	Researchers Matthias Götze (TU Berlin), Srdjan Matic (IMDEA Software), Costas Iordanou (Cyprus University of Technology), Georgios Smaragdakis (TU Delft), and Nikolaos Laoutaris (IMDEA Networks) have presented a paper at the Web Science Conference: "Measuring Web Cookies in Governmental Websites," in which they investigate governmental websites of G20 countries and evaluate to what extent visits to these sites are tracked by third parties.
</p>

<p>
	<br />
	The results reveal that in some countries up to 90% of these websites add third-party tracker cookies without users' consent. This occurs even in countries with strict user privacy laws.
</p>

<p>
	<br />
	<strong>The study</strong>
</p>

<p>
	<br />
	Previous studies have shown the widespread use of cookies to track users on websites on an unprecedented scale, but this had not been studied so far on government sites.
</p>

<p>
	<br />
	The researchers considered studying the behavior of government websites and their compliance or non-compliance with data protection laws during the COVID-19 pandemic, a time when citizen information was provided through official websites of international organizations and governments. "Our results indicate that official governmental, international organizations' websites and other sites that serve public health information related to COVID-19 are not held to higher standards regarding respecting user privacy than the rest of the web, which is an oxymoron given the push of many of those governments for enforcing GDPR," says Nikolaos Laoutaris, research professor at IMDEA Networks.
</p>

<p>
	<br />
	A total of 5,500 websites of international organizations, official COVID-19 information, and governments of G20 countries were analyzed: Argentina, Australia, Brazil, Canada, China, France, Germany, India, Indonesia, Italy, Japan, Mexico, Russia, Saudi Arabia, South Africa, South Korea, Turkey, the UK, and the U.S.
</p>

<p>
	<br />
	<strong>Methodology: types of cookies</strong>
</p>

<p>
	<br />
	There are several types of cookies. "There are two primary types of cookies: first-party cookies that are issued by the visited website, and third-party ones which are typically created by external parties embedded in a webpage," says Srdjan Matic, Researcher at IMDEA Software.
</p>

<p>
	<br />
	This paper also distinguishes between cookies by their duration: session cookies, active only during the visit to the page, and persistent cookies of short, medium or long duration.
</p>

<p>
	<br />
	<strong>Results: G20 government websites</strong>
</p>

<p style="text-align:center;">
	<br />
	Most of the websites of the G20 countries created at least one cookie without the user's consent. Japan is the country with the lowest percentage of websites with cookies, with 77.2%, and South Korea, Saudi Arabia, and Indonesia lead the ranking with almost 100%.<img alt="up-to-90-of-government-1.jpg" class="ipsImage" data-ratio="75.00" height="486" width="720" src="https://scx1.b-cdn.net/csz/news/800a/2022/up-to-90-of-government-1.jpg" />
</p>

<p style="text-align:center;">
	<span style="font-size:11px;"><em>Credit: IMDEA Networks Institute</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p style="text-align:center;">
	With respect to the third-party cookies, the paper differentiates between generic third parties (TP) and third-party cookies originating from known trackers (TPT). Overall TP cookies range from 30% in the case of Germany, up to 95% for countries such as Russia. Germany is the only country where this percentage decreases significantly, with only 9% of official websites including a TPT cookie.<img alt="up-to-90-of-government-2.jpg" class="ipsImage" data-ratio="75.10" height="539" width="720" src="https://scx1.b-cdn.net/csz/news/800a/2022/up-to-90-of-government-2.jpg" />
</p>

<p style="text-align:center;">
	<span style="font-size:11px;"><em>Credit: IMDEA Networks Institute</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p style="text-align:center;">
	In 16 of the 19 analyzed countries more than half of the TP cookies last at least one day.<img alt="up-to-90-of-government-3.jpg" class="ipsImage" data-ratio="75.10" height="513" width="720" src="https://scx1.b-cdn.net/csz/news/800a/2022/up-to-90-of-government-3.jpg" />
</p>

<p style="text-align:center;">
	<span style="font-size:11px;"><em>Credit: IMDEA Networks Institute</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p style="text-align:center;">
	In the figure below, cookies are grouped on their expiration time into first-party (FP), third-party (TP), and third-party tracking cookies (TPT). France and China lead the ranking with around 70% of TP and TPT cookies expiring after more than one year.<img alt="up-to-90-of-government-4.jpg" class="ipsImage" data-ratio="48.19" height="313" width="720" src="https://scx1.b-cdn.net/csz/news/800a/2022/up-to-90-of-government-4.jpg" />
</p>

<p style="text-align:center;">
	<span style="font-size:11px;"><em>Credit: IMDEA Networks Institute</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	<strong>Results: International organizations websites</strong>
</p>

<p>
	 
</p>

<p>
	The study shows that around 95% of the websites of international organizations set cookies and around 60% of these websites use at least one third-party (TP) cookie. Matic explains that "it seems that there is no special care in designing those webpages since 52% of websites of international organizations set at least one TPT cookie."
</p>

<p>
	<br />
	<strong>Results: COVID-19 Websites</strong>
</p>

<p>
	<br />
	More than 99% of the websites analyzed in the COVID-19 information study add at least one cookie without the user's consent. In contrast, there is a lower presence of third-party (TP) cookies, at around 62%.
</p>

<p>
	<br />
	As Laoutaris points out, with this publication the research team aims to "put more pressure on governments to clean up their own house first and, by doing so, set an example and be more convincing about the importance of implementing the GDPR in practice."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://techxplore.com/news/2022-07-governmental-websites-cookies-third-party-trackers.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">6884</guid><pubDate>Tue, 05 Jul 2022 13:55:25 +0000</pubDate></item><item><title>As New Clues Emerges, Experts Wonder: Is REvil Back?</title><link>https://nsaneforums.com/news/security-privacy-news/as-new-clues-emerges-experts-wonder-is-revil-back-r6882/</link><description><![CDATA[<p>
	Change is a part of life, and nothing stays the same for too long, even with hacking groups, which are at their most dangerous when working in complete silence. The notorious REvil ransomware gang, linked to the infamous JBS and Kaseya, has resurfaced three months after the arrest of its members in Russia.
</p>

<p>
	<br />
	The Russian domestic intelligence service, the FSB, had caught 14 people from the gang. In this apprehension, the 14 members of the gang were found in possession of 426 million roubles, $600,000, 500,000 euros, computer equipment, and 20 luxury cars, and were brought to justice.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>REvil Ransomware Gang - The Context</strong></span>
</p>

<p>
	<br />
	The ransomware group known as REvil, controlled by the financially motivated cybercriminal threat group Gold Southfield, emerged in 2019 and spread like wildfire after extorting $11 million from the meat-processor JBS.
</p>

<p>
	<br />
	REvil would incentivize its affiliates to carry out cyberattacks for them by giving a percentage of the ransom pay-outs to those who help with infiltration activities on targeted computers.
</p>

<p>
	<br />
	In July 2021, hackers working under REvil exploited zero-day vulnerabilities in a Managed Service Provider (MSP) service developed by a company called Kaseya. As is often the case, these vulnerabilities had not been patched and were therefore open for exploitation. The code change was deployed globally against over 30 MSPs worldwide and 1,000 business networks managed by those MSPs.
</p>

<p>
	<br />
	The hackers rented their ransomware to other cyber criminals so that a similar attack could occur and disrupt the activities of others. Reports on how sustained ransomware attacks were conducted revealed that most hacking groups use ransomware-as-a-service, renting out their services to other users (who often have easy access to the victim's systems, networks, and other personal information).
</p>

<p>
	 
</p>

<p>
	The famous Colonial Pipeline, an oil pipeline company operating in the United States, was attacked by REvil as part of a ransomware service.
</p>

<p>
	<br />
	In October 2021, a multi-country law enforcement operation seized control of REvil's main ransomware-related resources and dismantled the darknet campaign that was being conducted on anonymous Tor servers.
</p>

<p>
	<br />
	But thanks to the U.S.-Russian collaboration, the REvil gang was dismantled, and the group itself was hacked. The crime group's "Happy Blog" website, used to leak victim data and extort companies and provide an avenue for commending members involved in successful attacks, was forced offline.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>REvil Making a Comeback</strong></span>
</p>

<p>
	 
</p>

<p>
	Cybersecurity researchers have put forward samples of REvil ransomware. The samples all showed identical creation dates and compilation strings, along with several other attributes, which means the same person or team probably makes them. This strengthens the researchers' argument that they have indeed identified the original REvil ransomware developer and leads them to conclude that the self-exiled cybercriminal group known as REvil has returned. Recently, the latest ransomware leak site was promoted through the Russian forum RuTOR, a website that allegedly markets leaked data to customers.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>As Per Vines, REvil's Tor Sites Have Come Back to Life.</strong></span>
</p>

<p>
	<br />
	In late April of this year, security researchers noticed that some malware found in previous attacks had resumed activity after a long period of quiet. Two researchers who follow the dark side of cybersecurity recently uncovered a blog on the dark web that is used to publish ransomware attacks, and it was enticing others to take part in this dangerous trend. They also came across news that the attackers have taken it upon themselves to recruit more ghost hackers.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>Ransomware sample confirms the return:</strong></span>
</p>

<p>
	<br />
	The latest sample has made use of longer GUID-type values, such as<br />
	3c852cc8-b7f1-436e-ba3b-c53b7fc6c0e4 for the SUB and PID options to track campaign and affiliate identities, respectively.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>Is REvil Back? - How Can You Fight Back?</strong></span>
</p>

<p>
	<br />
	REvil is known for being particularly destructive ransomware, and its return means that businesses and individuals need to be on high alert for possible attacks. It is too early to tell if the REvil ransomware gang's comeback will be as effective as its predecessor.
</p>

<p>
	<br />
	But the fact that it surfaced soon after the takedown operation indicates that this may be their intent, and following best ransomware protection and web security practices regularly is recommended.
</p>

<p>
	<br />
	When it comes to safeguarding your website from hackers and criminals, there are several methodologies you can use, some of which include:
</p>

<p>
	 
</p>

<ul>
	<li>
		 Using an automated web application scanner and manual penetration testing.
	</li>
	<li>
		 Setting up anti-malware &amp; anti-virus programs for regular security scans, and so on.
	</li>
	<li>
		 Implementing security training programs: your end-users and employees should know the ransomware threat and how it is launched.
	</li>
	<li>
		 Applying the principle of "least privilege" to application users, which helps you ensure that no one can access parts of your application beyond what their role requires, limiting what an attacker can reach if a breach happens.
	</li>
	<li>
		 Supporting your information security department by introducing cyber threat awareness initiatives that teach end-users and employees how to recognize cyber criminals' modus operandi.
	</li>
	<li>
		 Ensuring your business is protected from downloading any executable files attached to incoming or outgoing emails, so your website's application isn't vulnerable to hackers.
	</li>
	<li>
		 Configuring a Web Application Firewall (WAF) to block access from malicious IP addresses, to stop cyber attackers from breaking into your web applications.
	</li>
	<li>
		 Installing proper SSL certificates for protection against man-in-the-middle attacks, or using login plugins that verify the client's security token, which can reduce the risk of succumbing to data breaches.
	</li>
	<li>
		 Bringing in support from trusted managed cybersecurity service providers like Indusface to stay ahead of emerging threats and assist in addressing real-time security issues. Make sure they have the appropriate certifications, keep up to date on the latest cybersecurity news, and are always available should you need in-the-field assistance.
	</li>
</ul>

<p>
	<br />
	<span style="font-size:20px;"><strong>Conclusion</strong></span><br />
	It won't be a surprise if the REvil ransomware group resumes attacks, as the original creator(s) of the previous incarnation still exist. Even those caught are likely to attempt it again in the future, which is especially worrying if you think about how prepared these online crooks are.
</p>

<p>
	<br />
	Getting your customers' digital identities, servers, and data files stolen because of ransomware could mean losing a lot of time and money as these attacks only get worse with time.
</p>

<p>
	<br />
	Also, the importance of protecting your reputation or avoiding getting it damaged can arguably be beyond measure. Therefore, businesses must ensure that their brand, intellectual property, and personal or sensitive information are protected from cyber criminals who use ransomware attacks daily.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2022/07/as-new-clues-emerges-experts-wonder-is.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">6882</guid><pubDate>Tue, 05 Jul 2022 13:40:07 +0000</pubDate></item><item><title>Google patches new Chrome zero-day flaw exploited in attacks</title><link>https://nsaneforums.com/news/security-privacy-news/google-patches-new-chrome-zero-day-flaw-exploited-in-attacks-r6876/</link><description><![CDATA[<p dir="ltr">
	Google has released Chrome 103.0.5060.114 for Windows users to address a high-severity zero-day vulnerability exploited by attackers in the wild, the fourth Chrome zero-day patched in 2022.
</p>

<p>
	 
</p>

<p>
	"Google is aware that an exploit for CVE-2022-2294 exists in the wild," the browser vendor explained in a <a href="https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_25.html" rel="external nofollow" target="_blank">security advisory</a> published on Monday.
</p>

<p>
	 
</p>

<p>
	The 103.0.5060.114 version is rolling out worldwide in the Stable Desktop channel, with Google saying that it's a matter of days or weeks until it reaches the entire userbase.
</p>

<p>
	 
</p>

<p>
	This update was available immediately when BleepingComputer checked for new updates by going into Chrome menu &gt; Help &gt; About Google Chrome.
</p>

<p>
	 
</p>

<p>
	The web browser will also auto-check for new updates and automatically install them after the next launch.
</p>

<p>
	 
</p>

<p>
	<img alt="Google_Chrome_103_0_5060_114.png" class="ipsImage" data-ratio="75.10" height="301" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2022/Google_Chrome_103_0_5060_114.png">
</p>

<h2>
	Attack details not revealed
</h2>

<p>
	The zero-day bug fixed today (tracked as <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2294" rel="external nofollow" target="_blank">CVE-2022-2294</a>) is a high severity <a href="https://cwe.mitre.org/data/definitions/122.html" rel="external nofollow" target="_blank">heap-based buffer overflow</a> weakness in the WebRTC (Web Real-Time Communications) component, reported by Jan Vojtesek of the Avast Threat Intelligence team on Friday, July 1.
</p>

<p>
	 
</p>

<p>
	The impact of successful heap overflow exploitation can range from program crashes and arbitrary code execution to bypassing security solutions if code execution is achieved during the attack.
</p>

<p>
	 
</p>

<p>
	Although Google says this zero-day vulnerability was exploited in the wild, the company is yet to share technical details or any info regarding these incidents.
</p>

<p>
	 
</p>

<p>
	"Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Google said.
</p>

<p>
	 
</p>

<p>
	"We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed."
</p>

<p>
	 
</p>

<p>
	With this delayed release of more info on the attacks, Chrome users should have enough time to update and prevent exploitation attempts until Google provides additional details.
</p>

<h2>
	Fourth Chrome zero-day fixed this year
</h2>

<p>
	With this update, Google has addressed the fourth Chrome zero-day since the start of the year.
</p>

<p>
	 
</p>

<p>
	The previous three zero-day vulnerabilities found and patched in 2022 are:
</p>

<p>
	 
</p>

<ul>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/google-chrome-emergency-update-fixes-zero-day-used-in-attacks/" target="_blank" rel="external nofollow">CVE-2022-1364</a> - April 14th
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/emergency-google-chrome-update-fixes-zero-day-used-in-attacks/" rel="external nofollow" target="_blank">CVE-2022-1096</a> - March 25th
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/google-chrome-emergency-update-fixes-zero-day-exploited-in-attacks/" target="_blank" rel="external nofollow">CVE-2022-0609</a> - February 14th
	</li>
</ul>

<p>
	 
</p>

<p>
	The one fixed in February, CVE-2022-0609, was exploited by North Korean-backed state hackers <a href="https://www.bleepingcomputer.com/news/security/north-korean-hackers-exploit-chrome-zero-day-weeks-before-patch/" target="_blank" rel="external nofollow">weeks before the February patch</a>, according to the Google Threat Analysis Group (TAG). The earliest signs of in-the-wild exploitation were found on January 4, 2022.
</p>

<p>
	 
</p>

<p>
	It was abused by two North Korean-sponsored threat groups in campaigns pushing malware via phishing emails using fake job lures and compromised websites hosting hidden iframes to serve exploit kits.
</p>

<p>
	 
</p>

<p>
	Because the zero-day patched today is known to have been used by attackers in the wild, it is strongly recommended to install today's Google Chrome update as soon as possible.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/google-patches-new-chrome-zero-day-flaw-exploited-in-attacks/" rel="external nofollow">Google patches new Chrome zero-day flaw exploited in attacks</a>
</p>

<p>
	 
</p>

<p>
	<strong>Frontpaged:   <a href="https://nsaneforums.com/topic/429741-google-chrome-10305060114/#comment-1753535" rel="">Google Chrome 103.0.5060.114</a></strong>
</p>
]]></description><guid isPermaLink="false">6876</guid><pubDate>Mon, 04 Jul 2022 20:50:08 +0000</pubDate></item><item><title>Microsoft Defender seriously impresses in AV-TEST's ransomware protection test</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-defender-seriously-impresses-in-av-tests-ransomware-protection-test-r6871/</link><description><![CDATA[<p>
	It is probably fair to say that the performance of Microsoft Defender in the latest anti-virus assessment tests has not been the best. While AV-Comparatives saw no improvement in Defender in its latest test, AV-TEST found that Defender actually regressed in relative performance.
</p>

<p>
	<br />
	However, all is not bad for Microsoft, as the latter found that Defender did exceptionally well in the Advanced Threat Protection Test Against Ransomware for February 2022. In both the test for home users and the test for enterprise, Microsoft Defender was one of the best performers in terms of ransomware detection and blocking.
</p>

<p>
	<br />
	Here's how AV-TEST describes its advanced ransomware test:
</p>

<p style="margin-left:40px;">
	<br />
	<em>The Advanced Threat Protection tests provide vendors and users with substantial findings as to how securely a product can protect against ransomware in real-life scenarios.</em>
</p>

<p style="margin-left:40px;">
	<br />
	<em> [..] All the products have to successfully defend against ransomware in 10 real-life scenarios under Windows 10. The test involves threats such as files containing hidden malware in archives, PowerPoint files with scripts or HTML files with malicious content.</em>
</p>

<p>
	<br />
	The following 12 products were tested in the home user or consumer category:
</p>

<p>
	 
</p>

<ul>
	<li>
		 Avast
	</li>
	<li>
		 AVG
	</li>
	<li>
		 Bitdefender
	</li>
	<li>
		 F-Secure
	</li>
	<li>
		 G DATA
	</li>
	<li>
		 K7 Computing
	</li>
	<li>
		 Kaspersky
	</li>
	<li>
		 Microsoft
	</li>
	<li>
		 Microworld
	</li>
	<li>
		 NortonLifeLock
	</li>
	<li>
		 PC Matic
	</li>
	<li>
		 VIPRE Security
	</li>
</ul>

<p>
	 
</p>

<p>
	And here are the 14 products tested in the business category:
</p>

<p>
	 
</p>

<ul>
	<li>
		 Acronis
	</li>
	<li>
		 Avast
	</li>
	<li>
		 Bitdefender (two versions)
	</li>
	<li>
		 Comodo
	</li>
	<li>
		 F-Secure
	</li>
	<li>
		 G DATA
	</li>
	<li>
		 Kaspersky (two versions)
	</li>
	<li>
		 Microsoft
	</li>
	<li>
		 Seqrite
	</li>
	<li>
		 Symantec
	</li>
	<li>
		 Trellix (McAfee)
	</li>
	<li>
		 VMware
	</li>
</ul>

<p>
	 
</p>

<p>
	The following images show the performance of Defender for home users in the 10 tested scenarios. Defender was able to detect the infection in the very first initial access phase in all but one case.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="1656949821_ms_defender_home_ransomware_t" class="ipsImage" data-ratio="74.44" height="508" width="720" src="https://cdn.neow.in/news/images/uploaded/2022/07/1656949821_ms_defender_home_ransomware_test_feb_2022_1_story.jpg" />
</p>

<p style="text-align:center;">
	<img alt="1656949814_ms_defender_home_ransomware_t" class="ipsImage" data-ratio="74.44" height="508" width="720" src="https://cdn.neow.in/news/images/uploaded/2022/07/1656949814_ms_defender_home_ransomware_test_feb_2022_2_story.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Meanwhile, Microsoft Defender's performance is even more impressive in the test for business users as it detected the infection in the initial access phase in all the 10 tested scenarios.
</p>

<p style="text-align:center;">
	 
</p>

<p style="text-align:center;">
	 
</p>

<p style="text-align:center;">
	<img alt="1656949807_ms_defender_corp_ransomware_t" class="ipsImage" data-ratio="74.44" height="508" width="720" src="https://cdn.neow.in/news/images/uploaded/2022/07/1656949807_ms_defender_corp_ransomware_test_feb_2022_1_story.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p style="text-align:center;">
	<img alt="1656949800_ms_defender_corp_ransomware_t" class="ipsImage" data-ratio="74.44" height="508" width="720" src="https://cdn.neow.in/news/images/uploaded/2022/07/1656949800_ms_defender_corp_ransomware_test_feb_2022_2_story.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	In the test for business users, Trellix (McAfee) did quite poorly, as it wasn't able to fully block the attack in multiple scenarios:
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="1656952328_mcafee_corp_ransomware_test_f" class="ipsImage" data-ratio="74.44" height="508" width="720" src="https://cdn.neow.in/news/images/uploaded/2022/07/1656952328_mcafee_corp_ransomware_test_feb_2022_1_story.jpg" />
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="1656952322_mcafee_corp_ransomware_test_f" class="ipsImage" data-ratio="74.44" height="508" width="720" src="https://cdn.neow.in/news/images/uploaded/2022/07/1656952322_mcafee_corp_ransomware_test_feb_2022_2_story.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	The images below show the final scores obtained by the anti-malware products. The left image shows scores in the home user category, while the right one shows the same for business users. In this test the scores on their own don't mean much, as the real observation was how quickly each product can detect and successfully block the ransomware.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="1656949787_av-test_ransomware_test_score" class="ipsImage" data-ratio="75.10" height="540" width="635" src="https://cdn.neow.in/news/images/uploaded/2022/07/1656949787_av-test_ransomware_test_score_feb_2022_home_story.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p style="text-align:center;">
	<img alt="1656949794_av-test_ransomware_test_score" class="ipsImage" data-ratio="75.10" height="540" width="675" src="https://cdn.neow.in/news/images/uploaded/2022/07/1656949794_av-test_ransomware_test_score_feb_2022_corp_story.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	You can find the full report on AV-TEST's official website <a href="https://www.av-test.org/en/news/26-security-solutions-undergo-an-advanced-threat-protection-test-against-ransomware/" rel="external nofollow">at this link</a>.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.neowin.net/news/microsoft-defender-seriously-impresses-in-av-tests-ransomware-protection-test/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">6871</guid><pubDate>Mon, 04 Jul 2022 20:19:37 +0000</pubDate></item><item><title>Some Worms Use Their Powers for Good</title><link>https://nsaneforums.com/news/security-privacy-news/some-worms-use-their-powers-for-good-r6869/</link><description><![CDATA[<p>
	Gardeners know that worms are good. Cybersecurity professionals know that worms are bad. Very bad. In fact, worms are literally the most devastating force for evil known to the computing world. The MyDoom worm holds the dubious position of most costly computer malware ever – responsible for some $52 billion in damage. In second place… Sobig, another worm.
</p>

<p>
	<br />
	It turns out, however, that there are exceptions to every rule. Some biological worms are actually not welcome in most gardens. And some cyber worms, it seems, can use their powers for good …
</p>

<p>
	<br />
	<span style="font-size:18px;"><strong>Meet Hopper, The Good Worm</strong></span>
</p>

<p>
	<br />
	Detection tools are not good at catching non-exploit-based propagation, which is what worms do best. Most cybersecurity solutions are less resilient to worm attack methods like token impersonation and others that take advantage of deficient internal configurations - PAM, segmentation, insecure credential storage, and more.
</p>

<p>
	<br />
	So, what better way to beat a stealthy worm than with … another stealthy worm?
</p>

<p>
	<br />
	And thus was born Hopper! Hopper is a real worm, with command and control, built-in privilege escalation, and many more of wormkind's most devious capabilities. But contrary to most worms, Hopper was built to do good. Instead of causing harm, Hopper tells its White Hat operators where and how it succeeded in infiltrating a network. It reports how far it got in, what it found along the way, and how to improve defenses.
</p>

<p>
	<br />
	<span style="font-size:18px;"><strong>Up Close and Personal with Hopper</strong></span>
</p>

<p>
	<br />
	The development team at Cymulate based Hopper on a common malware stager – a small executable that serves as an initial payload, with its primary objective being to prepare a larger payload. Our stager also serves as a PE packer, a program that loads and executes programs indirectly, usually from a package.
</p>

<p>
	<br />
	Hopper's stager was written in such a way that the initial payload doesn't have to be changed when we update Hopper. This means that excluding hashes on every update is a thing of the past: Hopper users only need to exclude the stager's hash once. Writing the stager in this way also opened up the path for executing other tools that Hopper needs.
</p>

<p>
	<br />
	To maximize Hopper's flexibility, our team added different initial execution methods, additional communication methods, various ways to fetch the first stage payload, different injection methods, and more. And, to create a very stealthy worm, we need to allow for maximum customization of stealthy features, so we made configurations almost entirely operator-controlled:
</p>

<p>
	 
</p>

<ul>
	<li>
		 Initial payload configuration – fully configurable execution methods including executables, libraries, Python scripts, shellcodes, PowerShell scripts, and more
	</li>
	<li>
		 First stage payload configuration – customizable package fetching methods and package injection methods (for example, reflective injection)
	</li>
	<li>
		 Second stage beacon configuration – tailored communication channels, keep-alive timing and timeout, and jitter
	</li>
	<li>
		 API – over-the-air addition of new capabilities to allow easier future expansion, including communication methods, spread methods, and exploits
	</li>
</ul>

<p>
	<br />
	<span style="font-size:18px;"><strong>Execution, Credential Management, and Spreading</strong></span>
</p>

<p>
	 
</p>

<p>
	Hopper's initial execution is in-memory and staged. The first stage is a small stub with limited capability. This stub knows how to run a more significant piece of code rather than containing that code itself, making it harder to flag as a malicious file. For privilege escalation, we chose different UAC bypass methods, exploiting vulnerable services such as Spooler, and using misconfigured services or autoruns to gain privilege elevation or persistence. The idea is for Hopper to use the minimum privileges needed to achieve its goals.
</p>

<p>
	 
</p>

<p>
	For example, if the machine Hopper is running on already has user-level access to the target machine, Hopper may not need to elevate privileges to spread to that target.
</p>

<p>
	<br />
	Hopper features centralized credential management, which lets it distribute credentials between Hopper instances as needed. All Hoppers have access to the credentials collected, without the sensitive credentials database having to be duplicated across other machines.
</p>

<p>
	<br />
	To spread, Hopper prefers misconfigurations over exploits. The reason? Exploits can crash systems, and they stand out more and are easily identified by IPS, network monitoring and EDR products. Misconfigurations, on the other hand, are not easily detected as malicious activity. For example, Active Directory misconfigurations may give a user access to a resource that he or she should not have had access to, and therefore enable spreading. Similarly, software misconfigurations may allow a user to execute code remotely and therefore enable spreading.
</p>

<p>
	<br />
	<span style="font-size:18px;"><strong>Stealth and C&amp;C Communications</strong></span>
</p>

<p>
	 
</p>

<p>
	The Cymulate team chose in-memory execution for Hopper, since encrypting malware code in-memory once no longer in use can disrupt EDR products' ability to fingerprint in-memory content. Moreover, in-memory execution uses direct system calls instead of API calls, which may be monitored by EDR products. If Hopper does need to use API functions, it detects and unloads EDR hooks before doing so.
</p>

<p>
	<br />
	To maintain stealth, Hopper communicates with Command and Control during working hours, blending its traffic into normal working-hour activity with random timing patterns. It also communicates only with allow-listed servers or servers that aren't considered malicious, like Slack channels, Google Sheets, or other public services.
</p>

<p>
	<br />
	<span style="font-size:18px;"><strong>The Bottom Line</strong></span>
</p>

<p>
	<br />
	To preempt worm attacks, a White Hat worm like Hopper is an ideal solution. By seeing the network from a worm's perspective, so to speak, Hopper turns the worm's greatest advantage into the defender's greatest advantage.
</p>

<p>
	 
</p>

<p>
	<a href="https://thehackernews.com/2022/07/some-worms-use-their-powers-for-good.html" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">6869</guid><pubDate>Mon, 04 Jul 2022 15:54:31 +0000</pubDate></item><item><title>A Hacker Is Selling the Personal Details of 1 Billion Chinese Citizens</title><link>https://nsaneforums.com/news/security-privacy-news/a-hacker-is-selling-the-personal-details-of-1-billion-chinese-citizens-r6868/</link><description><![CDATA[<p>
	<span style="font-size:16px;">The data was apparently grabbed from the Shanghai National Police database and is now available to buy on the dark web for 10 bitcoins.</span>
</p>

<p>
	 
</p>

<p>
	A hacker by the name of "ChinaDan" may have just carried out one of the biggest data breaches in history, which if confirmed, would also be very embarrassing for the Chinese government.
</p>

<p>
	<br />
	As Reuters reports, the anonymous hacker is offering to sell the personal data of a billion Chinese citizens via Breach Forums for 10 bitcoins, which currently equates to a value of roughly $200,000. In total, ChinaDan claims to have grabbed 23TB of data from the Shanghai National Police (SHGA) database, which includes the name, address, birthplace, national ID number, mobile number, and all crime/case details of the billion Chinese citizens.
</p>

<p>
	<br />
	There's currently no way to verify whether the breach, and therefore the data, is authentic. As you'd expect, the government and police department in Shanghai aren't commenting. Discussions about the breach on the popular Chinese microblogging platform Weibo resulted in the term "data leak" being blocked by censors on the service.
</p>

<p>
	<br />
	Zhao Changpeng, CEO of cryptocurrency exchange Binance, tweeted yesterday that the company's threat intelligence has detected the sale of the data on the dark web. He also suggested it was "Likely due to a bug in an Elastic Search deployment by a gov agency. This has impact on hacker detection/prevention measures, mobile numbers used for account take overs, etc."
</p>

<p>
	<br />
	A follow-up tweet today by Changpeng points out the breach apparently happened because a developer working for the government "wrote a tech blog on CSDN and accidentally included the credentials."
</p>

<p>
	 
</p>

<p>
	If the data leak does turn out to be legitimate, it's a serious blow to the Chinese government's efforts to improve data privacy for its citizens, and heads will surely roll in Shanghai. However, it may be that many citizens never find out their details were stolen, such is the control the government imposes over information shared publicly within China.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.pcmag.com/news/a-hacker-is-selling-the-personal-details-of-1-billion-chinese-citizens" rel="external nofollow">Source</a></strong>
</p>

<p>
	 
</p>

<p>
	<em>Also: </em>
</p>

<p>
	<em><a href="https://www.theguardian.com/technology/2022/jul/04/hacker-claims-access-data-billion-chinese-citizens" rel="external nofollow">Hacker claims to have obtained data on 1 billion Chinese citizens</a>.</em>
</p>

<p>
	<em><a href="https://www.msn.com/en-us/news/world/hacker-claims-biggest-chinese-data-breach-with-1-billion-resident-records-stolen-report/ar-AAZb9Si" rel="external nofollow">Hacker claims biggest Chinese data breach with 1 billion resident records stolen: Report</a>.</em>
</p>

<p>
	 
</p>
]]></description><guid isPermaLink="false">6868</guid><pubDate>Mon, 04 Jul 2022 15:50:15 +0000</pubDate></item><item><title>Denuvo is now going after DLC pirates with its new DRM solution</title><link>https://nsaneforums.com/news/security-privacy-news/denuvo-is-now-going-after-dlc-pirates-with-its-new-drm-solution-r6848/</link><description><![CDATA[<p>
	Irdeto, the software company behind the tough-to-beat piracy protection solution 'Denuvo', is now taking aim at those who obtain additional content for games without purchasing it. Titled <a href="https://irdeto.com/denuvo/securedlc/" rel="external nofollow">SecureDLC</a>, it offers game developers the option to protect their microtransactions on massive PC gaming platforms like Steam, Microsoft Store, and Epic Games Store.
</p>

<p>
	 
</p>

<p>
	The company says the existing protections on DLC packs are being easily bypassed by game owners using publicly available tools to obtain premium content without actually paying for them. These can range from unlocking cosmetic items to entire expansion packs, and Irdeto says its new and 'first of its kind' digital rights management solution can put a stop to this.
</p>

<p>
	 
</p>

<p>
	As for how the solution will need to be introduced to game DLC, Irdeto described the process as small, simple, and API-based, with only minor source code modifications required by the developer:
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	The Denuvo SecureDLC requires a small and simple implementation based on the application program interface to the game code to address the problem. The platform API is revalidated by the SecureDLC API mechanism, preventing pirate attacks and blocking access when it shouldn’t be granted.
</p>

<p>
	 
</p>

<p>
	<img alt="1656741229_dlc_security_2-1.jpg" class="ipsImage" data-ratio="75.10" height="277" width="720" src="https://cdn.neow.in/news/images/uploaded/2022/07/1656741229_dlc_security_2-1.jpg">
</p>

<p>
	 
</p>

<p>
	While no specific names were shared, Irdeto said SecureDLC is already in the hands of Denuvo-utilizing developers. "Our current clients, big and small, are ecstatic with the results and we are happy to help them maximize revenue and also enable new business models for these games they spent so much effort building," adds Denuvo managing director Reinhard Blaukovitsch.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/denuvo-is-now-going-after-dlc-pirates-with-its-new-drm-solution/" rel="external nofollow">Denuvo is now going after DLC pirates with its new DRM solution</a>
</p>
]]></description><guid isPermaLink="false">6848</guid><pubDate>Sat, 02 Jul 2022 20:10:02 +0000</pubDate></item><item><title>These phishing email subjects get the most clicks</title><link>https://nsaneforums.com/news/security-privacy-news/these-phishing-email-subjects-get-the-most-clicks-r6834/</link><description><![CDATA[<p>
	It is nearly impossible to block all phishing emails before they land in user inboxes; this is true for home users and company employees alike. While the bulk is filtered out, some emails manage to bypass filters to land in the user's inbox.
</p>

<p>
	 
</p>

<p>
	<img alt="phishing-email-german.png" class="ipsImage" data-ratio="75.10" height="323" width="720" src="https://www.ghacks.net/wp-content/uploads/2022/07/phishing-email-german.png">
</p>

<p>
	 
</p>


<p>
	Users exposed to phishing emails react differently, and one deciding factor is the subject line of the email, according to research <a data-wpel-link="external" href="https://www.kaspersky.com/about/press-releases/2022_best-bite-kaspersky-reveals-phishing-emails-that-employees-find-most-confusing" rel="external nofollow" target="_blank">published</a> by Kaspersky.
</p>

<p>
	 
</p>

<p>
	While it is nearly impossible to run scientific tests in real-world environments, phishing simulators come close to the real deal. Security companies and organizations may use phishing simulators in employee training.
</p>

<p>
	 
</p>

<p>
	According to data from <a data-wpel-link="external" href="https://www.kaspersky.com/small-to-medium-business-security/security-awareness-platform" rel="external nofollow" target="_blank">Kaspersky's Security Awareness Platform</a>, subject lines that appear to be work or user related get the most clicks. System administrators may use Kaspersky's platform to mimic phishing emails, track results and use the data to raise awareness among employees. Kaspersky's study included results from over 29,500 employees from 100 countries.
</p>

<p>
	 
</p>

<p>
	Nearly one in five employees clicked on links in the most effective fake phishing email: 18.5% of employees fell for the email with the subject "Failed delivery attempt – Unfortunately, our courier was unable to deliver your item".
</p>

<p>
	 
</p>

<p>
	The following table lists the phishing emails with the highest clickthrough ratios.
</p>

<p>
	 
</p>

<table border="1px solid black;" id="tablepress-15">
	<thead>
		<tr>
			<th>
				Subject
			</th>
			<th>
				Sender
			</th>
			<th>
				Clickthrough
			</th>
		</tr>
	</thead>
	<tbody>
		<tr>
			<td>
				Failed delivery attempt -- Unfortunately, our courier was unable to deliver your item
			</td>
			<td>
				Mail delivery service
			</td>
			<td>
				18.5%
			</td>
		</tr>
		<tr>
			<td>
				Emails not delivered due to overloaded mail servers
			</td>
			<td>
				The Google support team
			</td>
			<td>
				18%
			</td>
		</tr>
		<tr>
			<td>
				Online employee survey: What would you improve about working at the company
			</td>
			<td>
				HR Department
			</td>
			<td>
				18%
			</td>
		</tr>
		<tr>
			<td>
				Reminder: New company-wide dress code
			</td>
			<td>
				Human Resources
			</td>
			<td>
				17.5%
			</td>
		</tr>
		<tr>
			<td>
				Attention all employees: new building evacuation plan
			</td>
			<td>
				Safety Department
			</td>
			<td>
				16%
			</td>
		</tr>
	</tbody>
</table>

<p>
	 
</p>

<p>
	Kaspersky notes that other subjects, including booking reservation confirmations, order placement confirmations, or IKEA contest announcements, have high clickthrough ratios as well.
</p>

<p>
	 
</p>

<p>
	Emails that contain threats or "instant benefits" had lower clickthrough ratings according to Kaspersky. Emails that claimed to have hacked a user's computer and know the search history had a 2% clickthrough rating, while free Netflix and $1000 offers tricked only 1% of employees.
</p>

<p>
	 
</p>

<p>
	The difference may be partially explained by the work context in which the phishing simulation was carried out. A Netflix offer may have more appeal to home users than to employees. Similarly, threats that a computer has been hacked may weigh more when it is a personal computer.
</p>

<p>
	 
</p>

<p>
	Kaspersky recommends that organizations intensify employee training to raise phishing email awareness. The teaching of basic phishing email signs, such as inconsistent sender addresses, suspicious links or dramatic subject lines, may weed out a good percentage of emails.
</p>

<p>
	 
</p>

<p>
	Well-crafted phishing emails make it difficult to determine whether they are legitimate or not. Employees should contact the IT department when in doubt before opening the email or reacting to it.
</p>

<p>
	 
</p>

<p>
	<strong>Closing Words</strong>
</p>

<p>
	 
</p>

<p>
	It does not take a rocket scientist to conclude that phishing emails that users can relate to work best, but the clickthrough numbers sound awfully high for this day and age. Phishing may lead to all sorts of issues, from planting malware in a company network to stealing authentication information and ransomware.
</p>

<p>
	 
</p>

<p>
	<strong>Now You</strong>: have you encountered phishing emails recently? How do you verify that emails are legit?
</p>

<p>
	 
</p>


<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2022/07/01/these-phishing-email-subjects-get-the-most-clicks/" rel="external nofollow">These phishing email subjects get the most clicks</a>
</p>
]]></description><guid isPermaLink="false">6834</guid><pubDate>Fri, 01 Jul 2022 21:18:06 +0000</pubDate></item><item><title>Google hit with more privacy complaints for &#x201C;deceptive&#x201D; sign-up process [Updated]</title><link>https://nsaneforums.com/news/security-privacy-news/google-hit-with-more-privacy-complaints-for-%E2%80%9Cdeceptive%E2%80%9D-sign-up-process-updated-r6833/</link><description><![CDATA[<h3>
	Consumer group: One click grants permission to “exploit everything you do.”
</h3>

<div itemprop="articleBody">
	
	<p>
		More than a billion people worldwide have signed up for Google accounts, clicking through screens promising that “your personal info is private and safe.” This week, Google’s sign-up process came under fire when European Union consumer rights groups issued new privacy complaints suggesting that the opposite is true—that Google intentionally designs default settings to deceive new users into granting permissions to harvest and share a broad swath of personal info.
	</p>

	<p>
		 
	</p>

	<p>
		"The language Google uses at every step of the registration process is unclear, incomplete, and misleading," the European consumer organization BEUC <a href="https://www.reuters.com/technology/google-targeted-fresh-eu-consumer-groups-privacy-complaints-2022-06-29/" rel="external nofollow">told Reuters</a>. BEUC is helping to coordinate a potential civil lawsuit in Germany and several new complaints to data-protection authorities from consumer rights groups in France, Greece, the Czech Republic, Norway, and Slovenia.
	</p>

	<p>
		 
	</p>

	<p>
		The key issue in these complaints is how hard Google makes it for account users to choose privacy-friendly options. It’s much easier, the consumer groups argue, to set up an account to share personal info than to protect it. As <a href="https://techcrunch.com/2022/06/29/google-account-gdpr-complaint/" rel="external nofollow">Tech Crunch reported</a>, Google designed a one-click “express personalization” option allowing data tracking, while “manual personalization” requires 10 clicks to turn off tracking.
	</p>

	<p>
		 
	</p>

	<p>
		A Google spokesperson told Reuters that “we are committed to ensuring these choices are clear and simple,” denying any wrongdoing because “these options are clearly labelled and designed to be simple to understand. We have based them on extensive research efforts and guidance from DPAs (data protection authorities) and feedback from testers.”
	</p>

	<p>
		 
	</p>

	<p>
		Google did not immediately respond to a request to comment on any plans to alter the sign-up process. (<strong>Update</strong>: Google responded with a statement that added that they "welcome the opportunity" to engage with consumer advocates and regulators regarding privacy concerns.)
	</p>

	<h2>
		Do better
	</h2>

	<p>
		BEUC maintains that Google could do better.
	</p>

	<p>
		 
	</p>

	<p>
		“Contrary to what Google claims about protecting consumers’ privacy, tens of millions of Europeans have been placed on a fast track to surveillance when they signed up to a Google account,” said Ursula Pachl, deputy director-general of BEUC, <a href="https://www.beuc.eu/publications/european-consumer-groups-take-action-against-google-pushing-users-towards-its/html" rel="external nofollow">in a statement</a>. “It takes one simple step to let Google monitor and exploit everything you do.”
	</p>

	<p>
		 
	</p>

	<p>
		Instead, she countered, “Privacy protection should be the default and easiest choice for consumers.”
	</p>

	<p>
		 
	</p>

	<p>
		BEUC sees Google as a repeat offender, pointing to additional privacy complaints dating back four years and past fines by EU antitrust regulators amounting to more than $8 billion. Reuters reported that the tech company “could face fines worth up to 2 percent of its global turnover if found guilty of breaching EU privacy rules.”
	</p>

	<p>
		 
	</p>

	<p>
		BEUC expects that the newest complaints from consumer rights groups will pressure regulators to take action against Google. BEUC is working to ensure that account holders are always in control and clearly understand how their data is used.
	</p>

	<p>
		 
	</p>

	<p>
		For now, anyone creating a new account by default grants Google permission to save web and app activity, including their entire YouTube history and use of Google services like search, to personalize ads. On the Privacy and Terms page, users are told that “you’re in control,” with “more options” to turn off these particular settings linked below summaries that explain why the default settings to widely share data are beneficial.
	</p>

	<p>
		 
	</p>

	<p>
		Pachl said the EU complaints will continue until Google accounts are no longer “subjected to surveillance by design and by default," as required by the EU’s data protection law, the General Data Protection Regulation.
	</p>

	<p>
		 
	</p>
</div>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/tech-policy/2022/07/googles-default-privacy-settings-are-too-evil-eu-consumer-rights-groups-say/" rel="external nofollow">Google hit with more privacy complaints for “deceptive” sign-up process [Updated]</a>
</p>
]]></description><guid isPermaLink="false">6833</guid><pubDate>Fri, 01 Jul 2022 21:15:18 +0000</pubDate></item><item><title>Cyberattack Shuts Down Unemployment Services Across US</title><link>https://nsaneforums.com/news/security-privacy-news/cyberattack-shuts-down-unemployment-services-across-us-r6826/</link><description><![CDATA[<p>
	<span style="font-size:16px;">The incident risks stopping tens of thousands of Americans from claiming their unemployment benefits on time.</span>
</p>

<p>
	 
</p>

<p>
	A cyberattack targeting a third-party vendor has shut down online unemployment services across several US states.
</p>

<p>
	<br />
	The incident involves a Florida-based company called Geographic Solutions Inc. (GSI), which markets itself as a leading provider of employment software for government agencies. Starting on Tuesday, numerous state labor departments including those in California, Louisiana and Tennessee reported that an outage at Geographic Solutions had forced them to take their online unemployment services offline.
</p>

<p>
	<br />
	In a statement to Tennessee officials, Geographic Solutions said it recently “identified anomalous activity” on the company’s network. However, Louisiana’s labor department offered more specifics and said the company actually discovered an “attempted malware attack,” which required Geographic Solutions to shut down its systems.
</p>

<p>
	<br />
	“The resulting outage from the attack is also impacting as many as 40 other states and Washington, D.C., which use GSI,” Louisiana’s labor department added.
</p>

<p>
	<br />
	As a result, the cyberattack risks preventing thousands of Americans from claiming their unemployment benefits on time. Louisiana’s labor department noted that 11,000 people currently rely on its online system to file unemployment claims, but it plans on issuing payments only after the department’s unemployment filing system comes back online.
</p>

<p>
	<br />
	It remains unclear what kind of malware attacked Geographic Solutions’ IT network, and if ransomware was involved. But Nebraska’s labor department has said: “GSI has indicated this attack affected only access to GSI online systems and there is no evidence of any user data being compromised.”
</p>

<p>
	 
</p>

<p>
	Geographic Solutions also told officials in Tennessee: “We are taking steps to help prevent this from happening again.”
</p>

<p>
	<br />
	“Our current focus is working around the clock to bring Jobs4TN back online. We anticipate that this will occur prior to the July 4th holiday,” the company added. In the meantime, the vendor’s main website remains offline.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.pcmag.com/news/cyberattack-shuts-down-unemployment-services-across-us" rel="external nofollow">Source</a></strong>
</p>

<p>
	 
</p>

<p>
	<em>Also:  <a href="https://www.foxnews.com/us/cyberattacks-software-company-disrupted-unemployment-benefits-some-states" rel="external nofollow">Cyberattacks on a software company have disrupted unemployment benefits in some states</a>.</em>
</p>
]]></description><guid isPermaLink="false">6826</guid><pubDate>Fri, 01 Jul 2022 14:41:33 +0000</pubDate></item><item><title>Chrome password manager update will let you manually add credentials on all platforms</title><link>https://nsaneforums.com/news/security-privacy-news/chrome-password-manager-update-will-let-you-manually-add-credentials-on-all-platforms-r6824/</link><description><![CDATA[<h3>
	A ‘simplified and unified management experience’ is also on the way
</h3>

<p>
	<img alt="Untitled_7.0.jpg" class="ipsImage" data-ratio="75.10" height="479" width="720" src="https://cdn.vox-cdn.com/thumbor/uBBDk7AKf-Ogcr24lFKykqHlBog=/0x0:1726x1151/920x613/filters:focal(725x438:1001x714):format(webp)/cdn.vox-cdn.com/uploads/chorus_image/image/71033539/Untitled_7.0.jpg">
</p>

<p>
	 
</p>

<p>
	Google is updating its built-in password manager for Chrome and Android as it attempts to position it as an alternative to standalone services offered by 1Password and Bitwarden, the company announced today. Most significant is the ability to manually add passwords to the service, rather than simply relying on Chrome’s offer to save credentials when you use them. There had previously been signs of this feature <a href="https://techdows.com/2022/01/chrome-add-password-manually.html" rel="external nofollow">on Chrome on desktop</a>, but now Google says it’s making it available across “all platforms.”
</p>

<p>
	 
</p>

<p>
	The search giant also says it’s working to unify the design of the password manager between Chrome and Android with “a simplified and unified management experience” and says this includes a feature that will automatically group multiple passwords used on the same site. On Android, Google says a new “Touch-to-Login” feature lets users enter their credentials via an overlay at the bottom of the screen “to make logging in even quicker.”
</p>

<p>
	 
</p>

<p>
	<img alt="Untitled_8.gif" class="ipsImage" data-ratio="75.10" height="540" width="540" src="https://cdn.vox-cdn.com/thumbor/GLUMHJgd4tyRT9SvE41PihLgZFY=/1200x0/filters:no_upscale()/cdn.vox-cdn.com/uploads/chorus_asset/file/23662647/Untitled_8.gif">
</p>

<p>
	Google says Touch-to-Login speeds up the process. Image: Google
</p>

<p>
	 
</p>

<p>
	Google’s password manager already includes the ability to check for weak and reused passwords (and <a href="https://blog.google/products/chrome/automated-password-changes/" rel="external nofollow">automatically change them on Android</a>) and autofill saved passwords <a href="https://blog.google/technology/safety-security/making-sign-safer-and-more-convenient/" rel="external nofollow">across apps outside of Chrome on iOS</a>. Google says it’s continuing to invest in its password manager to support emerging technologies like passwordless passkeys (which Apple also intends to <a href="https://www.theverge.com/2022/6/6/23156786/apple-passkey-passwordless-sign-in-safari-macos-ventura-wwdc" rel="external nofollow">bring to Safari</a>).
</p>

<p>
	 
</p>

<p>
	Despite offering a feature set that’s increasingly comparable to standalone third-party password managers, Google seems reluctant to spin its password manager out into a standalone app. But, as of this month, <a href="https://9to5google.com/2022/06/20/google-password-manager-can-now-have-a-shortcut-on-your-android-home-screen/" rel="external nofollow">9to5Google reports</a> that it’s possible to put a shortcut to Google’s password manager directly on your Android homescreen — a big improvement over having to dig through your Android settings to find it.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.theverge.com/2022/6/30/23189450/chrome-password-manager-updates-ios-android" rel="external nofollow">Chrome password manager update will let you manually add credentials on all platforms</a>
</p>
]]></description><guid isPermaLink="false">6824</guid><pubDate>Fri, 01 Jul 2022 08:12:23 +0000</pubDate></item><item><title>Google Warns About Hacker-for-Hire Services Trying to Phish Users</title><link>https://nsaneforums.com/news/security-privacy-news/google-warns-about-hacker-for-hire-services-trying-to-phish-users-r6807/</link><description><![CDATA[<p>
	<span style="font-size:20px;">These hacker-for-hire services have been busy using fake messages from companies including Google to trick users into visiting their malicious websites.</span>
</p>

<p>
	 
</p>

<p>
	Google says it recently blocked dozens of malicious websites that so-called “hacker-for-hire” services were using to try to phish users.<br />
	The company published a blog post today intended to warn the public about the threat, which Google researchers have been tracking for years.
</p>

<p>
	<br />
	“We have seen hack-for-hire groups target human rights and political activists, journalists, and other high-risk users around the world, putting their privacy, safety and security at risk,” wrote Shane Huntley, director of Google’s Threat Analysis Group (TAG).
</p>

<p>
	<br />
	These hacker-for-hire companies try to break into user accounts by circulating fake messages that purport to come from Google or other companies and are designed to trick victims into visiting websites actually under the hacker's control.
</p>

<p>
	<br />
	The websites masquerade as login pages. Any password typed into one is silently sent to the hacker, who can then use it to break into the real account.
</p>
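<p>
	The lure described above is usually caught by checking where each link actually leads. The following is an added example in Python, not code from Google TAG or from the article: it pulls every link out of a constructed sample message, flags links whose visible text shows one host while the href points at another, and flags links whose host is not under the domains a genuine message from the claimed brand would use. The allowlist, the brand names and the sample email are assumptions made for this example.
</p>

```python
"""Flag links in a suspected phishing email that do not lead to the brand it claims to be from.

Added example for this article, not code from Google TAG. The allowlist, the sample
email and the brand names are constructed for illustration; the domain check is a
plain suffix match against a small allowlist rather than a Public Suffix List lookup.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist: the domains a genuine message from each brand would link to.
# An assumption for this example, not a list taken from Google's post.
LEGIT_DOMAINS = {
    "google": ("google.com",),
    "aws": ("amazon.com", "amazonaws.com"),
}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def is_under(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it (so google.com.evil.net is not)."""
    return host == domain or host.endswith("." + domain)


def suspicious_links(html_body: str, claimed_brand: str) -> list:
    """Return (href, reason) for each http(s) link that does not belong to claimed_brand."""
    parser = _LinkCollector()
    parser.feed(html_body)
    allowed = LEGIT_DOMAINS[claimed_brand]
    findings = []
    for href, text in parser.links:
        if urlsplit(href).scheme not in ("http", "https"):
            continue  # mailto:, tel: and the like are out of scope here
        target = host_of(href)
        shown = host_of(text) if text.lower().startswith(("http://", "https://")) else ""
        if shown and shown != target:
            # Classic lure: the visible text is a trusted URL, the real target is not.
            findings.append((href, f"text shows {shown} but link goes to {target}"))
        elif not any(is_under(target, d) for d in allowed):
            findings.append((href, f"{target} is not a {claimed_brand} domain"))
    return findings


# Constructed sample modelled on the fake "your password was changed" lure the article describes.
SAMPLE_EMAIL = """
<p>Your Google Account password was changed.</p>
<p>If this wasn't you, <a href="https://accounts-google.com/recover">secure your account now</a>.</p>
<p>Or open <a href="https://accounts.google.com.example-login.net/">https://accounts.google.com</a></p>
<p><a href="https://myaccount.google.com/security">Review recent activity</a></p>
"""

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL, "google"):
        print(f"SUSPICIOUS {href}: {reason}")
```

<p>
	A production mail filter needs a Public Suffix List to compute the registrable domain rather than the plain suffix check used here, and has to handle internationalised hostnames as well (urlsplit returns them as written, so look-alike Unicode labels would pass a string comparison). The example also deliberately ignores non-http(s) schemes.
</p>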

<p style="text-align:center;">
	<img alt="06SkkF9iYYfy7nuZEFbgjPd-2.fit_lim.size_8" class="ipsImage" data-ratio="75.10" height="488" width="720" src="https://i.pcmag.com/imagery/articles/06SkkF9iYYfy7nuZEFbgjPd-2.fit_lim.size_838x.png" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Thursday’s blog post covered hack-for-hire groups based in three countries: India, Russia, and the United Arab Emirates. According to Google, these hacker-for-hire services can openly advertise themselves on the internet or promote their businesses discreetly through third parties, such as private investigation firms.
</p>

<p>
	<br />
	In India, Google has been tracking several hacker-for-hire services. One tactic they use is sending fake messages that pretend to come from Amazon's AWS cloud service and claim the user recently changed their password.
</p>

<p style="text-align:center;">
	<img alt="06SkkF9iYYfy7nuZEFbgjPd-3.fit_lim.size_8" class="ipsImage" data-ratio="58.06" height="360" width="720" src="https://i.pcmag.com/imagery/articles/06SkkF9iYYfy7nuZEFbgjPd-3.fit_lim.size_838x.png" />
</p>

<p>
	In Russia, the company has noticed one hacker-for-hire service using phony notifications from email providers including Gmail to trick users into visiting their malicious phishing pages. In some cases, the group will also spoof messages from local government organizations.
</p>

<p>
	<br />
	“Over the past five years, TAG has observed the group targeting accounts at major webmail providers like Gmail, Hotmail, and Yahoo! and regional webmail providers like abv.bg, mail.ru, inbox.lv, and UKR.net,” Huntley said. In addition, the group once openly advertised its hacking services on a website, which included a price list.
</p>

<p style="text-align:center;">
	<img alt="06SkkF9iYYfy7nuZEFbgjPd-4.fit_lim.size_8" class="ipsImage" data-ratio="75.10" height="494" width="720" src="https://i.pcmag.com/imagery/articles/06SkkF9iYYfy7nuZEFbgjPd-4.fit_lim.size_838x.png" />
</p>

<p>
	Meanwhile, in the United Arab Emirates, one hacker-for-hire service has been using fake Google password-reset messages to phish unsuspecting victims.
</p>

<p>
	<br />
	According to Huntley, the hacker-for-hire services can target a wide range of sectors, including the government, healthcare, education, and nonprofits. “The breadth of targets in hack-for-hire campaigns stands in contrast to many government-backed operations, which often have a clearer delineation of mission and targets,” he added.
</p>

<p>
	<br />
	The blog post goes on to say Google has identified 36 malicious pages these hacker-for-hire services were using. The company has since placed warning notices on the pages to warn users away from visiting them in a browser. "Additionally, our CyberCrime Investigation Group is sharing relevant details and indicators with law enforcement," Huntley said.
</p>

<p>
	<br />
	To stay safe, treat unexpected password-reset or security-alert messages in email and on social media with suspicion. Users can also enroll in Google’s Advanced Protection Program, which is designed to stop the most sophisticated hackers from breaking into their accounts.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.pcmag.com/news/google-warns-about-hacker-for-hire-services-trying-to-phish-users" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">6807</guid><pubDate>Thu, 30 Jun 2022 18:01:10 +0000</pubDate></item><item><title>New 'FabricScape' Bug in Microsoft Azure Service Fabric Impacts Linux Workloads</title><link>https://nsaneforums.com/news/security-privacy-news/new-fabricscape-bug-in-microsoft-azure-service-fabric-impacts-linux-workloads-r6789/</link><description><![CDATA[<p>
	Cybersecurity researchers from Palo Alto Networks Unit 42 disclosed details of a new security flaw affecting Microsoft's Service Fabric that could be exploited to obtain elevated permissions and seize control of all nodes in a cluster.
</p>

<p>
	<br />
	The issue, dubbed FabricScape (CVE-2022-30137), is exploitable from containers that are configured with Service Fabric runtime access. It was remediated as of June 14, 2022, in Service Fabric 9.0 Cumulative Update 1.0.
</p>

<p>
	<br />
	Azure Service Fabric is Microsoft's platform-as-a-service (PaaS) and a container orchestrator solution used to build and deploy microservices-based cloud applications across a cluster of machines.
</p>

<p>
	<br />
	"The vulnerability enables a bad actor, with access to a compromised container, to escalate privileges and gain control of the resource's host SF node and the entire cluster," Microsoft said as part of the coordinated disclosure process. "Though the bug exists on both Operating System (OS) platforms, it is only exploitable on Linux; Windows has been thoroughly vetted and found not to be vulnerable to this attack."
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="linux.jpg" class="ipsImage" data-ratio="44.31" height="316" width="720" src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhAN_xII83JfcL8E7Czd1Y4w57_C4X4CGPv5szj1NraFsVFpMnjxsX5j74L80NLoOz6hLj4GxKPGIwN-lN8ADqSTnLXNM35YkGwKWyX5VuF4PTWnkjZfCAjtb4RlIAent1W99lESIAXwIYs6PnXgt10VM1cW2f-xsqea-Mqz_zF52ujzdy000IuTDu25Q/s728-e100/linux.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	A Service Fabric cluster is a network-connected set of several nodes (Windows Server or Linux), each of which are designed to manage and execute applications that consist of microservices or containers.
</p>

<p>
	<br />
	The vulnerability identified by Unit 42 resides in the Diagnostics Collection Agent (DCA), the component responsible for gathering diagnostic information, and is a "symlink race": a privileged process acts on a file path that a less-privileged user can swap for a symbolic link between the time the path is checked and the time it is used.
</p>

<p>
	<br />
	In the scenario Unit 42 describes, an attacker with access to a compromised containerized workload replaces a file the agent reads ("ProcessContainerLog.txt") with a rogue symbolic link. Because DCA runs as root on the node, the agent's subsequent write follows the link, which can be leveraged to overwrite any file on the host.
</p>

<p>
	<br />
	"While this behavior can be observed on both Linux containers and Windows containers, it is only exploitable in Linux containers because in Windows containers unprivileged actors cannot create symlinks in that environment," Unit 42 researcher Aviv Sasson said.
</p>

<p>
	<br />
	Code execution is then achieved by using the flaw to overwrite the host's "/etc/environment" file. An internal hourly cron job that runs as root imports the malicious environment variables from that file and loads a rogue shared object placed in the compromised container, giving the attacker a reverse shell as root.
</p>

<p>
	<br />
	"In order to gain code execution, we used a technique called dynamic linker hijacking. We abused the LD_PRELOAD environment variable," Sasson explained. "During the initialization of a new process, the linker loads the shared object that this variable points to, and with that, we inject shared objects to the privileged cron jobs on the node."
</p>
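<p>
	The bug class, shown as an added example in Python that is not Unit 42's or Microsoft's code and does not touch Service Fabric: a privileged "agent" rewrites a log file in a directory the tenant controls. The unsafe handler follows whatever the path points at, so a symlink planted by the tenant turns its write into an overwrite of the link's target; the hardened handler refuses symlinks, opens with O_NOFOLLOW and verifies that the inode it opened is the one it checked. The file name is borrowed from the article, the directory and the "environment" file are temporary stand-ins, and everything runs as the current user.
</p>

```python
"""Symlink following in a privileged file handler, and the hardened form.

Added example, not Unit 42's or Microsoft's code. It models the bug class behind
FabricScape (a root-level agent processing a file in a directory a tenant controls)
inside a temporary directory. Nothing here runs as root or touches /etc/environment;
the "environment" file below is a stand-in created for the demo.
"""
import os
import stat
import tempfile


def process_log_unsafe(log_path: str) -> str:
    """Vulnerable: rewrites the log in place, following whatever the path points at.

    If the tenant has swapped the file for a symlink, the write lands on the link's
    target; a root-level agent doing this can overwrite any file on the host.
    """
    with open(log_path) as f:
        data = f.read()
    with open(log_path, "w") as f:  # open() follows symlinks
        f.write("processed: " + data)
    return data


def process_log_safe(log_path: str) -> str:
    """Hardened: never follow a symlink, and verify the opened inode is the one checked."""
    before = os.lstat(log_path)  # does not follow the link
    if not stat.S_ISREG(before.st_mode):
        raise PermissionError(f"{log_path} is not a regular file")
    # O_NOFOLLOW makes open() fail with ELOOP if the final path component became a
    # symlink after the lstat above, closing the race on that component.
    fd = os.open(log_path, os.O_RDWR | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        after = os.fstat(fd)
        if (after.st_dev, after.st_ino) != (before.st_dev, before.st_ino):
            raise PermissionError(f"{log_path} was replaced between check and open")
        data = os.read(fd, after.st_size).decode()
        os.lseek(fd, 0, os.SEEK_SET)
        os.ftruncate(fd, 0)
        os.write(fd, ("processed: " + data).encode())
    finally:
        os.close(fd)
    return data


def simulate_attack(process) -> tuple:
    """Tenant swaps the log for a symlink to a protected file, then the agent runs.

    Returns (protected_file_overwritten, outcome_description).
    """
    with tempfile.TemporaryDirectory() as workdir:
        protected = os.path.join(workdir, "environment")  # stand-in for /etc/environment
        with open(protected, "w") as f:
            f.write("PATH=/usr/bin\n")
        log = os.path.join(workdir, "ProcessContainerLog.txt")
        os.symlink(protected, log)  # the attacker's swap
        try:
            process(log)
            outcome = "agent processed the link"
        except OSError as e:  # PermissionError and ELOOP are both OSError
            outcome = f"agent refused: {e}"
        with open(protected) as f:
            overwritten = f.read() != "PATH=/usr/bin\n"
    return overwritten, outcome


def process_regular_file(process) -> str:
    """Control case: a genuine regular file is processed by either handler."""
    with tempfile.TemporaryDirectory() as workdir:
        log = os.path.join(workdir, "ProcessContainerLog.txt")
        with open(log, "w") as f:
            f.write("container started\n")
        process(log)
        with open(log) as f:
            return f.read()


if __name__ == "__main__":
    print("unsafe:", simulate_attack(process_log_unsafe))
    print("safe:  ", simulate_attack(process_log_safe))
```

<p>
	The hardened handler closes the race on the final path component only. If the tenant also controls a parent directory, a root process should not be operating there by path at all: open a trusted base directory once and use relative, no-follow opens from it, or process tenant files with the tenant's own privileges. Writing results to a root-owned staging directory instead of back into the tenant's directory is the simpler fix.
</p>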

<p>
	<br />
	Although there is no evidence that the vulnerability has been exploited in real-world attacks to date, organizations should promptly determine whether their environments are susceptible (Linux clusters running containers with runtime access) and apply the update.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2022/06/new-fabricscape-bug-in-microsoft-azure.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">6789</guid><pubDate>Wed, 29 Jun 2022 15:26:55 +0000</pubDate></item><item><title>New Firefox privacy feature strips URLs of tracking parameters</title><link>https://nsaneforums.com/news/security-privacy-news/new-firefox-privacy-feature-strips-urls-of-tracking-parameters-r6783/</link><description><![CDATA[<p>
	Mozilla Firefox 102 was released today with a new privacy feature that strips parameters from URLs that are used to track you around the web.
</p>

<p>
	 
</p>

<p>
	Numerous companies, including Facebook, Marketo, Olytics, and HubSpot, utilize custom URL query parameters to track clicks on links.
</p>

<p>
	 
</p>

<p>
	For example, Facebook appends a fbclid query parameter to outbound links to track clicks, with an example of one of these URLs shown below.
</p>

<pre style="margin-left: 40px;">https://www.example.com/?fbclid=IwAR4HesRZLT-fxhhh3nZ7WKsOpaiFzsg4nH0K4WLRHw1h467GdRjaLilWbLs
</pre>

<p>
	With the release of Firefox 102, Mozilla has added the new 'Query Parameter Stripping' feature that automatically strips various query parameters used for tracking from URLs when you open them, whether that be by clicking on a link or simply pasting the URL into the address bar.
</p>

<p>
	 
</p>

<p>
	Once enabled, Mozilla Firefox strips the following tracking parameters from URLs when you click on links or paste a URL into the address bar:
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>Olytics</strong>: oly_enc_id=, oly_anon_id=
	</li>
	<li>
		<strong>Drip</strong>: __s=
	</li>
	<li>
		<strong>Vero: </strong>vero_id=
	</li>
	<li>
		<strong>HubSpot</strong>: _hsenc=
	</li>
	<li>
		<strong>Marketo</strong>: mkt_tok=
	</li>
	<li>
		<strong>Facebook</strong>: fbclid=
	</li>
	<li>
		<strong>Mailchimp</strong>: mc_eid=
	</li>
</ul>
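<p>
	The same stripping, as an added example in Python rather than Mozilla's implementation, for the parameter names listed above. It removes those parameters from a URL while keeping every other parameter and the fragment; matching the name case-insensitively is a choice made for this example, not a statement about how Firefox matches.
</p>

```python
"""Strip known tracking query parameters from a URL, the way Firefox 102's Query
Parameter Stripping does for the names listed in the article.

Added example, not Mozilla's code. The name list is the one from the article; the
case-insensitive comparison on the parameter name is an assumption of this example.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

STRIP_LIST = frozenset({
    "oly_enc_id", "oly_anon_id",  # Olytics
    "__s",                        # Drip
    "vero_id",                    # Vero
    "_hsenc",                     # HubSpot
    "mkt_tok",                    # Marketo
    "fbclid",                     # Facebook
    "mc_eid",                     # Mailchimp
})


def tracking_params(url: str, strip_list=STRIP_LIST) -> list:
    """Names of the parameters in url that would be stripped, in order of appearance."""
    query = urlsplit(url).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True) if k.lower() in strip_list]


def strip_tracking_params(url: str, strip_list=STRIP_LIST) -> str:
    """Return url with listed parameters removed; other parameters and the fragment are kept."""
    parts = urlsplit(url)
    if not parts.query:
        return url
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in strip_list]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment))


if __name__ == "__main__":
    for u in (
        "https://www.example.com/?fbclid=IwAR4HesRZLT-fxhhh3nZ7WKsOpaiFzsg4nH0K4WLRHw1h467GdRjaLilWbLs",
        "https://example.com/search?q=firefox&mkt_tok=abc123&page=2#results",
        "https://example.com/?utm_source=newsletter",  # not on the Firefox 102 list, kept
    ):
        print(u, "->", strip_tracking_params(u), "stripped:", tracking_params(u))
```

<p>
	Because the query string is decoded and re-encoded, values are normalised (a %20 comes back as +); a filter that must leave the remaining parameters byte-for-byte intact should split the raw query on &amp; and drop the matching entries instead.
</p>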

<p>
	 
</p>

<p>
	To illustrate how this works, BleepingComputer <a href="https://www.bleepingcomputer.com/PoC/qs.html" target="_blank" rel="external nofollow">created a test page</a> containing links to example.com with the above tracking parameters.
</p>

<p>
	 
</p>

<p>
	As you can see below, when I click on the link for https://example.com/?fbclid=12, it opens <a href="https://example.com" ipsnoembed="true" rel="external nofollow">https://example.com</a> but with the tracking parameter removed.
</p>

<p>
	 
</p>

<p>
	<img alt="query-stripping.gif" class="ipsImage" data-ratio="75.10" height="412" width="720" src="https://www.bleepstatic.com/images/news/web-browsers/firefox/102/query-stripping/query-stripping.gif">
</p>

<p>
	Demonstration of the Firefox Query Stripping feature. Source: BleepingComputer
</p>

<div>
	<p>
		 
	</p>
</div>

<p>
	While this is a great start, there are additional trackers that are not being filtered, which privacy-focused Brave Browser currently blocks.
</p>

<h2>
	How to enable the new privacy feature
</h2>

<p>
	The new Query Parameter Stripping feature is part of Firefox's Enhanced Tracking Protection.
</p>

<p>
	 
</p>

<p>
	To enable Query Parameter Stripping, go into the Firefox Settings, click on Privacy &amp; Security, and then change 'Enhanced Tracking Protection' to 'Strict.'
</p>

<p>
	 
</p>

<p>
	<img alt="strict-enhanced-tracking-protection.jpg" class="ipsImage" data-ratio="75.10" height="431" width="720" src="https://www.bleepstatic.com/images/news/web-browsers/firefox/102/query-stripping/strict-enhanced-tracking-protection.jpg">
</p>

<div>
	<p>
		Mozilla Firefox's Enhanced Tracking Protection set to Strict. Source: BleepingComputer
	</p>

	<p>
		 
	</p>
</div>

<p>
	However, these tracking parameters will not be stripped in Private Mode even with Strict mode enabled.
</p>

<p>
	 
</p>

<p>
	To also enable the feature in Private Mode, enter <strong>about:config</strong> in the address bar, search for <strong>strip</strong>, and set the '<strong>privacy.query_stripping.enabled.pbmode</strong>' option to <strong>true</strong>, as shown below.
</p>

<p>
	 
</p>

<p>
	<img alt="enable-in-private-browsing.jpg" class="ipsImage" data-ratio="75.10" height="371" width="720" src="https://www.bleepstatic.com/images/news/web-browsers/firefox/102/query-stripping/enable-in-private-browsing.jpg">
</p>

<div>
	<div>
		Enabling the privacy.query_stripping.enabled.pbmode setting. Source: BleepingComputer
	</div>

	<p>
		 
	</p>
</div>

<p>
	It should be noted that setting Enhanced Tracking Protection to Strict could cause issues when using particular sites. 
</p>

<p>
	 
</p>

<p>
	If you enable this feature and find that sites are not working correctly, just set it back to Standard (disables this feature) or the Custom setting, which will require some tweaking.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/new-firefox-privacy-feature-strips-urls-of-tracking-parameters/" rel="external nofollow">New Firefox privacy feature strips URLs of tracking parameters</a>
</p>
]]></description><guid isPermaLink="false">6783</guid><pubDate>Wed, 29 Jun 2022 03:26:07 +0000</pubDate></item><item><title>New ZuoRAT malware targets SOHO routers in North America, Europe</title><link>https://nsaneforums.com/news/security-privacy-news/new-zuorat-malware-targets-soho-routers-in-north-america-europe-r6782/</link><description><![CDATA[<p>
	A newly discovered multistage remote access trojan (RAT) dubbed ZuoRAT has been used to target remote workers via small office/home office (SOHO) routers across North America and Europe undetected since 2020.
</p>

<p>
	 
</p>

<p>
	In a report today, security researchers at Lumen’s Black Lotus Labs who spotted the malware said that this highly targeted campaign's complexity and the attackers' tactics, techniques, and procedures (TTPs) are the hallmarks of a state-backed threat actor.
</p>

<p>
	 
</p>

<p>
	The start of this campaign roughly lines up with a quick shift to remote work after the start of the COVID-19 pandemic which drastically increased the number of SOHO routers (including ASUS, Cisco, DrayTek, and NETGEAR) used by employees to access corporate assets from home.
</p>

<p>
	 
</p>

<p>
	"This gave threat actors a fresh opportunity to leverage at-home devices such as SOHO routers – which are widely used but rarely monitored or patched – to collect data in transit, hijack connections, and compromise devices in adjacent networks," Lumen <a href="https://www.prnewswire.com/news-releases/lumen-discovers-new-malware-that-targeted-home-office-routers-for-two-years-301576213.html" rel="external nofollow" target="_blank">says</a>.
</p>

<p>
	 
</p>

<p>
	"The sudden shift to remote work spurred by the pandemic allowed a sophisticated adversary to seize this opportunity to subvert the traditional defense-in-depth posture of many well-established organizations."
</p>

<p>
	 
</p>

<p>
	Once deployed on a router left unpatched against known security flaws, by way of an authentication-bypass exploit script, the multi-stage ZuoRAT malware gave the attackers in-depth network reconnaissance capabilities and traffic collection through passive network sniffing.
</p>

<p>
	 
</p>

<p>
	ZuoRAT also allows moving laterally to compromise other devices on the network and to deploy additional malicious payloads (such as Cobalt Strike beacons) using DNS and HTTP hijacking.
</p>

<p>
	 
</p>

<p>
	Two more custom trojans were delivered onto hacked devices during these attacks: a C++-based one named CBeacon targeting Windows workstations, and a Go-based one dubbed GoBeacon that could likely infect Linux and Mac systems in addition to Windows devices.
</p>

<p>
	 
</p>

<p>
	<img alt="ZuoRAT_attack_flow.png" class="ipsImage" data-ratio="72.91" height="428" width="587" src="https://www.bleepstatic.com/images/news/u/1109292/2022/ZuoRAT_attack_flow.png">
</p>

<p>
	ZuoRAT campaign (Lumen Black Lotus Labs)
</p>

<p>
	 
</p>

<p>
	"The capabilities demonstrated in this campaign – gaining access to SOHO devices of different makes and models, collecting host and LAN information to inform targeting, sampling and hijacking network communications to gain potentially persistent access to in-land devices and intentionally stealth C2 infrastructure leveraging multi-stage siloed router to router communications – points to a highly sophisticated actor that we hypothesize has been living undetected on the edge of targeted networks for years," the researchers <a href="https://blog.lumen.com/zuorat-hijacks-soho-routers-to-silently-stalk-networks/" rel="external nofollow" target="_blank">added</a>.
</p>

<p>
	 
</p>

<p>
	The additional malware deployed onto systems within victims' networks (i.e., CBeacon, GoBeacon, and Cobalt Strike) provided the threat actors with the ability to download and upload files, run arbitrary commands, hijack network traffic, inject new processes, and gain persistence on compromised devices.
</p>

<p>
	 
</p>

<p>
	Some compromised routers were also added to a botnet and used to proxy command and control (C2) traffic to hinder defenders' detection efforts.
</p>

<p>
	 
</p>

<p>
	Based on the age of VirusTotal submitted samples and nine months' worth of Black Lotus Labs telemetry, the researchers estimate that the campaign has so far impacted at least 80 targets.
</p>

<p>
	 
</p>

<p>
	"Organizations should keep a close watch on SOHO devices and look for any signs of activity outlined in this research," said Mark Dehus, Black Lotus Labs' director of threat intelligence.
</p>

<p>
	 
</p>

<p>
	"This level of sophistication leads us to believe this campaign might not be limited to the small number of victims observed. To help mitigate the threat, they should ensure patch planning includes routers, and confirm these devices are running the latest software available."
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/new-zuorat-malware-targets-soho-routers-in-north-america-europe/" rel="external nofollow">New ZuoRAT malware targets SOHO routers in North America, Europe</a>
</p>
]]></description><guid isPermaLink="false">6782</guid><pubDate>Wed, 29 Jun 2022 03:21:48 +0000</pubDate></item><item><title>Report: Microsoft Defender is hogging Intel CPUs while AMD Ryzen remains unscathed</title><link>https://nsaneforums.com/news/security-privacy-news/report-microsoft-defender-is-hogging-intel-cpus-while-amd-ryzen-remains-unscathed-r6779/</link><description><![CDATA[<p>
	<a href="https://www.neowin.net/news/tags/av-comparatives/" rel="external nofollow">AV-Comparatives</a>, an anti-malware assessment company, <a href="https://www.neowin.net/news/av-comparatives039-latest-test-finds-microsoft-defender-hogs-your-system-real-bad/" rel="external nofollow">published a report</a> back in May regarding the performance impact that anti-virus programs can have on a system. In its report, AV-Comparatives found that Microsoft Defender was one of the worst system hoggers and as such, it was only able to secure the <a href="https://www.neowin.net/news/av-comparatives039-latest-test-finds-microsoft-defender-hogs-your-system-real-bad/" rel="external nofollow">"STANDARD" award in the test</a>.
</p>

<p>
	 
</p>

<p>
	Fellow outlet TechPowerUp (TPU) also discovered something similar but more digging has revealed that the performance impact may have to do with a bug in Defender which adversely affects Intel processors while AMD CPUs seem to be unaffected.
</p>

<p>
	 
</p>

<p>
	TPU found that MsMpEng.exe, the antimalware service process for Microsoft Defender, consumes Intel CPU cycles and thus affects performance. The Cinebench R23 rendering benchmark, a heavily multi-threaded test, was used to confirm this behavior. It is likely the same behavior AV-Comparatives observed, since the system tested in that case was also an Intel one, an <a href="https://www.neowin.net/news/av-comparatives039-latest-test-finds-microsoft-defender-hogs-your-system-real-bad/" rel="external nofollow">i3 to be precise</a>.
</p>

<p>
	 
</p>

<p>
	Three identical test runs were made in two scenarios, one with real-time protection enabled (Bad) and the other with real-time protection disabled (Good). It is seen that the Intel Comet Lake-S <a href="https://www.neowin.net/news/new-core-i9-10850k-10-core-comet-lake-s-cpu-could-be-launching-soon/" rel="external nofollow">Core i9-10850K</a> loses around 6% performance which is quite a lot for such a powerful CPU. Seeing this, it is not hard to imagine why Defender scored so poorly in AV-Comparatives' test with an i3, something which is far less capable than the i9 here.
</p>

<p>
	 
</p>

<p>
	<img alt="1656397655_ms_defender_hogging_intel_cpu" class="ipsImage" data-ratio="75.10" height="540" width="675" src="https://cdn.neow.in/news/images/uploaded/2022/06/1656397655_ms_defender_hogging_intel_cpu_cinebench_(source-_techpowerup)_story.jpg">
</p>

<p>
	 
</p>

<p>
	Using Microsoft <a href="https://www.neowin.net/news/tags/sysinternals/" rel="external nofollow">Sysinternals'</a> Process Explorer feature, this observation was confirmed and looked at more closely.
</p>

<p>
	 
</p>

<p>
	<img alt="1656397661_ms_defender_hogging_intel_cpu" class="ipsImage" data-ratio="59.31" height="405" width="720" src="https://cdn.neow.in/news/images/uploaded/2022/06/1656397661_ms_defender_hogging_intel_cpu_sysinternals_(source-_techpowerup)_story.jpg">
</p>

<p>
	 
</p>

<p>
	TPU believes a bug in Defender causes it to occupy more of Intel's performance counters (referred to in its report as Intel PCM, Performance Counter Monitor) than necessary, which in turn causes conflicts with other processes that rely on them. These counters measure internal resource utilization of executing code on Core and Xeon processors.
</p>

<p>
	 
</p>

<p>
	TPU says its new Counter Control utility can mitigate the bug and serve as a temporary workaround until Microsoft releases an official fix. If you are not affected, or not bothered by the impact, you can skip the workaround.
</p>

<p>
	 
</p>

<p>
	Source and images: <a href="https://www.techpowerup.com/295877/windows-defender-can-significantly-impact-intel-cpu-performance-we-have-the-fix" rel="external nofollow">TechPowerUp</a>
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/report-microsoft-defender-is-hogging-intel-cpus-while-amd-ryzen-remains-unscathed/" rel="external nofollow">Report: Microsoft Defender is hogging Intel CPUs while AMD Ryzen remains unscathed</a>
</p>
]]></description><guid isPermaLink="false">6779</guid><pubDate>Tue, 28 Jun 2022 20:21:46 +0000</pubDate></item><item><title>&#x2018;Supercookies&#x2019; Have Privacy Experts Sounding the Alarm</title><link>https://nsaneforums.com/news/security-privacy-news/%E2%80%98supercookies%E2%80%99-have-privacy-experts-sounding-the-alarm-r6771/</link><description><![CDATA[<p>
	Customers of some phone companies in Germany, including Vodafone and Deutsche Telekom, have had a slightly different browsing experience from those on other providers since early April. Rather than seeing ads through regular third-party tracking cookies stored on devices, they’ve been part of a trial called TrustPid.
</p>

<p>
	 
</p>

<p>
	TrustPid allows mobile carriers to generate pseudonymous tokens based on a user’s IP address that are administered by a company also named TrustPid. Each user is assigned a different token for each participating website they visit, and these can be used to provide personalized product recommendations—but in what <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://trustpid.com/findoutmore"}' data-offer-url="https://trustpid.com/findoutmore" href="https://trustpid.com/findoutmore" rel="external nofollow" target="_blank">TrustPid calls</a> “a secure and privacy-friendly way.” It’s that “privacy-friendly” part that has raised critics’ hackles.
</p>

<p>
	 
</p>

<p>
	The internet runs on advertising: <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.iab.com/news/digital-advertising-soared-35-to-189-billion-in-2021-according-to-the-iab-internet-advertising-revenue-report/"}' data-offer-url="https://www.iab.com/news/digital-advertising-soared-35-to-189-billion-in-2021-according-to-the-iab-internet-advertising-revenue-report/" href="https://www.iab.com/news/digital-advertising-soared-35-to-189-billion-in-2021-according-to-the-iab-internet-advertising-revenue-report/" rel="external nofollow" target="_blank">Digital ads worth a total of $189 billion</a> were bought and sold last year, according to the Internet Advertising Bureau (IAB). But the ad industry’s dirty little not-so-secret is that it relies on intrusive surveillance of people’s online activities, piecing together their interests based on the websites they visit, what they post, and more.
</p>

<p>
	 
</p>

<p>
	For Vodafone, the company running the trial in Germany, TrustPid offers an alternative by allowing advertisers to gain value from customer insights while also supposedly keeping those users’ data private. But <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://twitter.com/Chronotope/status/1513900415632429062"}' data-offer-url="https://twitter.com/Chronotope/status/1513900415632429062" href="https://twitter.com/Chronotope/status/1513900415632429062" rel="external nofollow" target="_blank">not</a> <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://twitter.com/WolfieChristl/status/1539022423345045504"}' data-offer-url="https://twitter.com/WolfieChristl/status/1539022423345045504" href="https://twitter.com/WolfieChristl/status/1539022423345045504" rel="external nofollow" target="_blank">everyone</a> <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://twitter.com/PrivacyMatters/status/1531688610675793923"}' data-offer-url="https://twitter.com/PrivacyMatters/status/1531688610675793923" href="https://twitter.com/PrivacyMatters/status/1531688610675793923" rel="external nofollow" target="_blank">agrees</a>. Internet privacy experts have labeled TrustPid a supercookie—a piece of technology that links a crumb of data to a user’s IP address and mobile phone number—and believe the trial should be halted and commercial plans shelved. They are particularly concerned about the way network operators are co-opting what is meant to be a simple passage of communications data, which they have unique access to, to transform it into a targeted advertising platform. Deutsche Telekom did not respond to WIRED’s request for comment. Vodafone says it’s all a misunderstanding.
</p>

<p>
	 
</p>

<p>
	“Let me stress that the TrustPid service is not a supercookie,” says Simon Poulter, senior manager of corporate communications at Vodafone Group, which is overseeing the German trial. Instead, the telco refers to the technology as being “based on digital tokens which do not include any personally identifiable information.” Each token, says Poulter, has a limited lifespan of 90 days that is specific to individual advertisers and publishers.
</p>

<p>
	 
</p>

<p>
	William Harmer, product lead at Vodafone, says the project isn’t a supercookie because it doesn’t use data interception to build up customer profiles, unlike the ad tech once used by Verizon Wireless, which in 2016 was <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.fcc.gov/document/fcc-settles-verizon-supercookie-probe"}' data-offer-url="https://www.fcc.gov/document/fcc-settles-verizon-supercookie-probe" href="https://www.fcc.gov/document/fcc-settles-verizon-supercookie-probe" rel="external nofollow" target="_blank">fined $1.35 million</a> by the US Federal Communications Commission (FCC) for having injected supercookies into users’ mobile browser requests for two years without consent. A <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.accessnow.org/cms/assets/uploads/archive/AIBT-Report.pdf"}' data-offer-url="https://www.accessnow.org/cms/assets/uploads/archive/AIBT-Report.pdf" href="https://www.accessnow.org/cms/assets/uploads/archive/AIBT-Report.pdf" rel="external nofollow" target="_blank">2015 investigation</a> by digital civil rights nonprofit Access Now found that carriers across 10 different countries used supercookies dating back to 2000. Those negative headlines are why Vodafone pushes back so vehemently against the supercookie designation.
</p>

<p>
	 
</p>

<p>
	Vodafone claims TrustPid, which has each partner website generate a different token for the same user, reduces the likelihood of user data being triangulated across websites to create extensive profiles of user interests—a major concern for internet users sick of being chased around the web by targeted ads. “The technology has been built following a privacy-first design, and it complies with all <a href="https://www.wired.com/story/gdpr-2022/" rel="external nofollow">GDPR</a> requirements and related legislation,” says Poulter.
</p>

<p>
	 
</p>

<p>
	The TrustPid pilot came about because of the changing face of online advertising, says Harmer. “On the one hand, you have a lot of privacy measures being looked at for being anti-competitive,” he says. “Then you’ve got a lot of discussions around customer data being hemorrhaged and leaked quite openly on the internet.” Vodafone believed it could tackle both issues, giving advertisers the confidence to spend money online while offering customers protection over their data.
</p>


<p>
	Vodafone says it has informed appropriate regulatory bodies of the trial, adding that it has met twice with the German Federal Commissioner for Data Protection and Freedom of Information (BfDI). BfDI spokesperson Christof Stein says the organization was “merely informed by Vodafone about its trial of TrustPid technology together with Deutsche Telekom, as we are the responsible data protection authority for those telco companies.” Stein also pointed out that the establishment of TrustPid as a separate company based in the UK means that the responsible data authority for TrustPid is the UK’s Information Commissioner’s Office (ICO). ICO spokesperson Debora Biasutti tells WIRED that “any proposal that continues to facilitate cross-web tracking without putting users firmly in control is unlikely to resolve the privacy issues prevalent in online advertising.” Harmer confirmed that TrustPid has not had a conversation with the UK data protection authority.
</p>

<p>
	 
</p>

<p>
	Stein confirmed that the BfDI has not been contacted by the independent company running TrustPid. As for whether it adheres to data protection rules, the BfDI says TrustPid could argue that its unique, pseudonymous network identifier is a value-added service under <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://edps.europa.eu/data-protection/our-work/subjects/eprivacy-directive_en"}' data-offer-url="https://edps.europa.eu/data-protection/our-work/subjects/eprivacy-directive_en" href="https://edps.europa.eu/data-protection/our-work/subjects/eprivacy-directive_en" rel="external nofollow" target="_blank">the EU’s ePrivacy Directive</a>.
</p>

<p>
	 
</p>

<p>
	The key word is “could.” “Only an informed and voluntary given consent is an acceptable foundation for the use of this technology,” says Stein. “High standards must be set here, and we are skeptical that the current consent fulfills that aim.”
</p>

<p>
	 
</p>

<p>
	The BfDI has not yet made a final decision about the data processing in the German trial, Stein says. The GSM Association, an industry body with more than 1,200 members, including Vodafone’s German and UK arms, says it hasn’t been consulted about the TrustPid trial but will be asking its technical teams to look at how data is handled.
</p>

<p>
	 
</p>

<p>
	One former GSMA director of privacy has made up his mind, however. “It’s extremely disappointing to see mobile operators behave in this way,” says Pat Walshe, a data protection and privacy consultant who worked at the GSMA between 2009 and 2015. “They should be the custodians of the confidentiality of your communications and your data—but here it’s quite clear these operators see you as yet another source of revenue by mining your personal data and treating you as a digital billboard.” Walshe sees it as particularly troublesome because it comes a decade after he wrote a set of privacy principles for the GSMA and the industry that he thinks TrustPid’s approach would contradict.
</p>

<p>
	 
</p>

<p>
	Walshe isn’t alone. “Companies that operate communication networks should neither track their customers nor should they help others to track them,” says Wolfie Christl, a researcher at Cracked Labs in Vienna, which investigates the data industry. “I consider the project an abuse of their very specific trusted position as communication network providers. It is a dangerous attack on the rights of millions.”
</p>

<p>
	 
</p>

<p>
	Walshe believes that TrustPid would struggle to claim it has obtained user consent to gather the data it does. “I don’t know how anybody would agree to an honest statement that we can analyze all your data, who you call, where you were when you called them, and so on,” he says. “I don’t know anybody who would agree to that statement—and it would have to be that explicit.” TrustPid’s <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://trustpid.com/privacynotice"}' data-offer-url="https://trustpid.com/privacynotice" href="https://trustpid.com/privacynotice" rel="external nofollow" target="_blank">privacy policy</a> outlines the types of information that it collects from users and follows two key guidelines, says Vodafone’s Harmer: that you can accept or reject the service easily, and that there’s a clear explanation of what data is processed and how.
</p>

<p>
	 
</p>

<p>
	Christl worries that TrustPid is trying to justify its deployment with “the misleading and meaningless pseudo-consent banners we have to deal with on websites every day.” (For his part, Harmer says that <a href="https://www.wired.com/story/what-do-cookie-preferences-pop-ups-mean/?utm_source=twitter&amp;utm_medium=social&amp;utm_campaign=onsite-share&amp;utm_brand=wired&amp;utm_social-type=earned" rel="external nofollow">cookie banners</a> are themselves problematic because they’re not easy enough for users to reject, and TrustPid is trying to steer clear of using them.) Christl says the project is “irresponsible and outrageous” and “undermines trust into communication technology, and thus should be stopped immediately.”
</p>


<p>
	Whether you call it a digital token or a supercookie, TrustPid’s bid to revolutionize online advertising has struck a nerve among digital privacy campaigners. Vodafone claims it wasn’t allowed to explain its side of the story in <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.spiegel.de/netzwelt/netzpolitik/trustpid-die-rueckkehr-der-super-cookies-a-6ea53d94-5996-4d6b-aed5-dfb5f51ab942"}' data-offer-url="https://www.spiegel.de/netzwelt/netzpolitik/trustpid-die-rueckkehr-der-super-cookies-a-6ea53d94-5996-4d6b-aed5-dfb5f51ab942" href="https://www.spiegel.de/netzwelt/netzpolitik/trustpid-die-rueckkehr-der-super-cookies-a-6ea53d94-5996-4d6b-aed5-dfb5f51ab942" rel="external nofollow" target="_blank">early</a> <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://omr.com/de/daily/vodafone-trustpid/"}' data-offer-url="https://omr.com/de/daily/vodafone-trustpid/" href="https://omr.com/de/daily/vodafone-trustpid/" rel="external nofollow" target="_blank">coverage</a> <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.golem.de/sonstiges/zustimmung/auswahl.html?from=https%3A%2F%2Fwww.golem.de%2Fnews%2Fsuper-cookie-trustpid-vertrauen-ist-gut-datenschutz-waere-besser-2206-166259.html&amp;referer=https%3A%2F%2Ft.co%2F"}' data-offer-url="https://www.golem.de/sonstiges/zustimmung/auswahl.html?from=https%3A%2F%2Fwww.golem.de%2Fnews%2Fsuper-cookie-trustpid-vertrauen-ist-gut-datenschutz-waere-besser-2206-166259.html&amp;referer=https%3A%2F%2Ft.co%2F" href="https://www.golem.de/sonstiges/zustimmung/auswahl.html?from=https%3A%2F%2Fwww.golem.de%2Fnews%2Fsuper-cookie-trustpid-vertrauen-ist-gut-datenschutz-waere-besser-2206-166259.html&amp;referer=https%3A%2F%2Ft.co%2F" rel="external nofollow" target="_blank">of</a> <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.heise.de/news/Werbe-Tracking-Vodafone-und-Telekom-testen-TrustPID-7126856.html"}' 
data-offer-url="https://www.heise.de/news/Werbe-Tracking-Vodafone-und-Telekom-testen-TrustPID-7126856.html" href="https://www.heise.de/news/Werbe-Tracking-Vodafone-und-Telekom-testen-TrustPID-7126856.html" rel="external nofollow" target="_blank">the trial</a> in German media. “There were assumptions that we were repeating some of the things that have happened elsewhere, which are in our view bad from a customer’s point of view,” says Harmer. That early coverage set the tone for what followed, the company believes. A second issue? “We are trying to facilitate digital advertising,” he says. “There is a limited exchange of data we think is required to make that take place between a customer and a website. Some people don’t believe that should take place at all.”
</p>

<p>
	 
</p>

<p>
	A successful trial for Vodafone would involve convincing content providers—or websites wanting to sell ads against their content—that it’s an idea worth pursuing. The company also recognized it needs to win advertisers over. “There probably won’t be enough scale in the pilot to say that this is redefining how things work, but [there could be enough] to give us some signs that it could help advertisers and publishers work,” says Harmer. The company is also conscious of consumer feedback—and that it’s been far from positive to date. For Walshe, that negative response is unsurprising. “I think it’s an arrogant view of customers,” he says, “as these passive individuals who don’t care about their data being used in this way.”
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/trustpid-digital-token-supercookie/" rel="external nofollow">‘Supercookies’ Have Privacy Experts Sounding the Alarm</a>
</p>

<p>
	 
</p>

<p>
	(May require free registration to view)
</p>
]]></description><guid isPermaLink="false">6771</guid><pubDate>Tue, 28 Jun 2022 20:06:04 +0000</pubDate></item><item><title>India Delays Implementation of VPN Data-Collection Rule by 3 Months</title><link>https://nsaneforums.com/news/security-privacy-news/india-delays-implementation-of-vpn-data-collection-rule-by-3-months-r6764/</link><description><![CDATA[<p>
	In the meantime, at least five major VPN players have decided to remove their physical VPN servers from the country.
</p>

<p>
	 
</p>

<p>
	India’s new policy that requires VPN services to log and potentially turn over data on their customers was supposed to go into effect on Monday, but the country has decided to push back the date by three months.
</p>

<p>
	<br />
	The policy is now set to go into effect on Sept. 25. The Indian government settled on the new date, citing requests from companies asking for an extension.
</p>

<p>
	<br />
	“Further, additional time has been sought for implementation of mechanism for validation of subscribers/customers by Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers,” Indian authorities announced on Tuesday.
</p>

<p>
	<br />
	India introduced the policy back in May with the goal of helping the country fight cybercrime. Soon, all internet and cloud service providers will need to maintain logs of their systems, and report hacking incidents to India’s cyber authorities within six hours of detection.
</p>

<p>
	<br />
	However, India has also decided to apply the new policy to VPNs, which are designed to protect users’ privacy, not undermine it. The upcoming rules specifically call for all VPN providers serving users in the country to collect the IP addresses their subscribers use. Indian authorities can then request the data, along with a subscriber’s name, email address, and contact number.
</p>

<p>
	<br />
	The IP address data, in particular, could be used to map out a VPN subscriber’s browsing history if it’s coupled with information from other web providers. As a result, at least five major VPN providers have decided to remove their physical VPN servers in the country, saying India's data collection policy goes too far.
</p>

<p>
	<br />
	On Monday, PureVPN told us: “We are a strict no-log company. While we do not collect any identifiable information from our users, we cannot operate physical servers in a country where we will be forced to change our operating methods and compromise our users’ privacy and security.”
</p>

<p>
	 
</p>

<p>
	These VPN companies plan to continue to serve users in India. To replace the physical servers, some VPN providers have decided to offer virtual VPN servers for India. These VPN servers are physically based in another country, but have IP addresses assigned to the Indian market.
</p>

<p>
	<br />
	“We are not new to virtual servers, so users will not see any difference in terms of quality or experience when they connect to the India virtual server," PureVPN added. "Users will get the same privacy and security they did with physical servers. We are already running virtual servers for multiple locations such as Bangladesh, Bahrain, Egypt etc."
</p>

<p>
	<br />
	However, the country’s government has told VPNs to comply with the rules or potentially face consequences. “If you don’t maintain logs, this is not a good place to do business,” Rajeev Chandrasekhar, Minister of State for Electronics and IT, said last month.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.pcmag.com/news/india-delays-implementation-of-vpn-data-collection-rule-by-3-months" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">6764</guid><pubDate>Tue, 28 Jun 2022 15:46:03 +0000</pubDate></item><item><title>OpenSSL to Release Security Patch for Remote Memory Corruption Vulnerability</title><link>https://nsaneforums.com/news/security-privacy-news/openssl-to-release-security-patch-for-remote-memory-corruption-vulnerability-r6762/</link><description><![CDATA[<p>
	The latest version of the OpenSSL library has been discovered as susceptible to a remote memory-corruption vulnerability on select systems.
</p>

<p>
	<br />
	The issue has been identified in OpenSSL version 3.0.4, which was released on June 21, 2022, and impacts x86-64 systems whose CPU supports the AVX-512 instruction set. OpenSSL 1.1.1 as well as the OpenSSL forks BoringSSL and LibreSSL are not affected.
</p>
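<p>
	The affected population is narrow: the OpenSSL 3.0.4 release, on an x86-64 CPU that advertises AVX-512. The Python below is an added triage check, not part of the article or of the OpenSSL project; it treats any <code>avx512*</code> CPU flag as AVX-512 capable (a deliberately conservative assumption) and inspects both the system <code>openssl</code> binary and the OpenSSL copy the Python interpreter itself links against, since embedded copies are the ones inventories tend to miss.
</p>

```python
from __future__ import annotations

import re
import ssl
import subprocess

AFFECTED = (3, 0, 4)                         # the only release the report names as affected
AVX512_FLAG = re.compile(r"\bavx512\w*")     # any AVX-512 subfeature flag in /proc/cpuinfo


def parse_openssl_version(line: str) -> tuple[str, tuple[int, ...]] | None:
    """'OpenSSL 3.0.4 21 Jun 2022' -> ('OpenSSL', (3, 0, 4)).

    LibreSSL and BoringSSL keep their own banner name, which is how they are
    told apart from OpenSSL proper. Returns None for anything unrecognised.
    """
    m = re.match(r"\s*(OpenSSL|LibreSSL|BoringSSL)\s+(\d+)\.(\d+)\.(\d+)", line)
    if not m:
        return None
    return m.group(1), tuple(int(x) for x in m.groups()[1:])


def has_avx512(cpuinfo_flags: str) -> bool:
    """True if the CPU flags text advertises any AVX-512 subfeature."""
    return AVX512_FLAG.search(cpuinfo_flags) is not None


def is_affected(version_line: str, cpuinfo_flags: str) -> bool:
    """Affected only when all three hold: it is OpenSSL (not a fork), it is
    exactly 3.0.4, and the CPU exposes AVX-512."""
    parsed = parse_openssl_version(version_line)
    if parsed is None:
        return False
    name, ver = parsed
    return name == "OpenSSL" and ver == AFFECTED and has_avx512(cpuinfo_flags)


def local_report() -> dict[str, bool]:
    """Run the check against this host: the interpreter's own OpenSSL and the
    system CLI. /proc/cpuinfo is Linux-only; elsewhere no flags are assumed."""
    try:
        with open("/proc/cpuinfo") as fh:
            flags = fh.read()
    except OSError:
        flags = ""
    report = {"python-ssl": is_affected(ssl.OPENSSL_VERSION, flags)}
    try:
        cli = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=False).stdout
        report["openssl-cli"] = is_affected(cli, flags)
    except OSError:
        pass  # no openssl binary on PATH
    return report


if __name__ == "__main__":
    for what, hit in local_report().items():
        print(f"{what}: {'AFFECTED' if hit else 'not affected'}")
```

<p>
	Because the disagreement quoted below is about whether this is a security issue at all, the practical reading for an operator is simpler: a 3.0.4 build on AVX-512 hardware is broken either way, so the check above is a reason to hold the upgrade or roll back, not a severity rating.
</p>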

<p>
	<br />
	Security researcher Guido Vranken, who reported the bug at the end of May, said it "can be triggered trivially by an attacker." Although a fix has been committed, no patched release has been published yet.
</p>

<p>
	<br />
	OpenSSL is a popular cryptography library that offers an open source implementation of the Transport Layer Security (TLS) protocol. Advanced Vector Extensions (AVX) are extensions to the x86 instruction set architecture for microprocessors from Intel and AMD.
</p>

<p>
	<br />
	"I do not think this is a security vulnerability," Tomáš Mráz of the OpenSSL Foundation said in a GitHub issue thread. "It is just a serious bug making the 3.0.4 release unusable on AVX-512 capable machines."
</p>

<p>
	<br />
	On the other hand, Alex Gaynor pointed out, "I'm not sure I understand how it's not a security vulnerability. It's a heap buffer overflow that's triggerable by things like RSA signatures, which can easily happen in remote contexts (e.g. a TLS handshake)."
</p>

<p>
	<br />
	Xi Ruoyao, a postgraduate student at Xidian University, chimed in, stating that although "I think we shouldn't mark a bug as 'security vulnerability' unless we have some evidence showing it can (or at least, may) be exploited," it's necessary to release version 3.0.5 as soon as possible given the severity of the issue.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2022/06/openssh-to-release-security-patch-for.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">6762</guid><pubDate>Tue, 28 Jun 2022 15:36:19 +0000</pubDate></item><item><title>What Are Shadow IDs, and How Are They Crucial in 2022?</title><link>https://nsaneforums.com/news/security-privacy-news/what-are-shadow-ids-and-how-are-they-crucial-in-2022-r6742/</link><description><![CDATA[<p>
	Just before last Christmas, in a first-of-a-kind case, JPMorgan was fined $200M for employees using non-sanctioned applications for communicating about financial strategy. No mention of insider trading, naked shorting, or any malevolence. Just employees circumventing regulation using, well, Shadow IT. Not because they tried to obfuscate or hide anything, simply because it was a convenient tool that they preferred over any other sanctioned products (which JPMorgan certainly has quite a few of.)
</p>

<p>
	<br />
	Visibility into unknown and unsanctioned applications has been required by regulators and also recommended by the Center for Internet Security community for a long time. Yet it seems like new and better approaches are still in demand. Gartner has identified External Attack Surface Management, Digital Supply Chain Risk, and Identity Threat Detection as the top three trends to focus on in 2022, all of which are closely intertwined with Shadow IT.
</p>

<p>
	<br />
	"Shadow IDs," or in other words, unmanaged employee identities and accounts in third-party services, are often created using a simple email-and-password-based registration. CASBs and corporate SSO solutions cover only a few sanctioned applications and are not widely supported by most websites and services either. This means that a large part of an organization's external surface, as well as its user identities, may be completely invisible.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="coms.jpg" class="ipsImage" data-ratio="49.17" height="350" width="720" src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhshLGBVhPHlqAWJqb97l1jzKLF4tL24LsH_xwSG1RFOA8LScycSg5Ri953BCvw3-r30pRNf2NOMe4oQi8EuMjg-yDrszDc1kjDfou_NTmQaCw9vaUTs_GO1qa9iKGpt6fL7IK72fA4oWNwugDGZBF2cUrdDe59eowLXWL6oeUtmryHMI-hzYuzwFd7/s728-e100/coms.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Above all, these Shadow IDs remain unmanaged even after employees leave the organization. This may result in unauthorized access to sensitive customer data or other cloud-based services. Employee-created but business-related identities are also invisible to most IDM/IAM tools. The graveyard of forgotten accounts belonging to ex-employees or abandoned applications grows every day.
</p>

<p>
	<br />
	And sometimes, the dead rise from their graves, as with the Joint Commission On Public Ethics, whose legacy system was breached this year, even though it's been out of use since 2015. They rightfully notified their legacy users because they understand that password reuse may stretch over several years, and according to Verizon, stolen credentials are still the top contributor to all sorts of breaches and attacks. So when Shadow IDs are left behind, they create an everlasting risk unseen and unmanaged by anyone.
</p>

<p>
	<br />
	<span style="font-size:16px;"><strong>How to Report on Shadow IT and Shadow IDs?</strong></span>
</p>

<p>
	<br />
	Unfortunately, network monitoring misses the mark, as those tools are designed to filter malicious traffic, provide data leakage protection, and create category-based rules for browsing. They are completely blind to actual logins, and thus cannot differentiate between browsing, private accounts, and corporate application signups (or phishing sites, for that matter). To discover and manage Shadow IDs and Shadow IT, there needs to be application- and account-level monitoring in place that can create a trusted, global source of truth across the organization.
</p>

<p>
	<br />
	Discovering these assets via monitoring business-related credential usage on any website enables a unified view of unsanctioned or unwanted applications. Inventories of apps and accounts provide visibility of the true scope of external services and identities used across the organization. Also, they allow the reviewing of third-party providers about their policies, security and authentication measures, and how they are managing and maintaining your data.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="dash.jpg" class="ipsImage" data-ratio="61.39" height="437" width="720" src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgU5UQ0qyKjP_S24HcEHK2En3LPFaHKdxqGvh1GAK3_HwfWqciNUsSZyuzMjlsgtD-USxsiTLr4Ynsvb58SYpUMDjzqeDEEoIJXDGVHfDOxDP9cZCbFkD849YGpA9oQzLP4j-qexYNE1iTyhjs0yLRbnc3t7nFeoDkEvAsAfpFrv97mwhtsGNQCQs10/s728-e100/dash.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	It is impossible to properly categorize all of the quarter-million new domains that are registered each day across the globe, so monitoring those that show up on our endpoints is the right approach. As a side-effect, revealing logins on suspicious or new apps will give visibility into successful phishing attacks that were not prevented on a gateway or client-side, and where employees gave away important credentials.
</p>

<p>
	<br />
	Scirge is a browser-based tool that provides complete visibility into Shadow IDs and Shadow IT, password hygiene for corporate and third-party business web accounts, and even real-time employee education and awareness. And it also has a completely free version for auditing your cloud footprint, so you can get an immediate view of the extent of Shadow IT amongst your employees.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2022/06/what-are-shadow-ids-and-how-are-they.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">6742</guid><pubDate>Mon, 27 Jun 2022 13:58:28 +0000</pubDate></item><item><title>T-Mobile is selling your app usage data to advertisers &#x2014; here&#x2019;s how to opt out</title><link>https://nsaneforums.com/news/security-privacy-news/t-mobile-is-selling-your-app-usage-data-to-advertisers-%E2%80%94-here%E2%80%99s-how-to-opt-out-r6708/</link><description><![CDATA[<h3>
	Cookiepocalypse now
</h3>

<p>
	T-Mobile’s advertising business is offering a new way for marketers to pry into your app-using habits. <a href="https://www.adexchanger.com/mobile/t-mobile-rebrands-its-ad-biz-and-navigates-the-perilous-line-between-programmatic-and-privacy" rel="external nofollow">Ad Exchanger</a> reports that the un-carrier’s new program is called App Insights, and it’s now fully operational after <a href="https://www.theverge.com/2021/3/9/22321733/t-mobile-privacy-policy-third-party-advertisers" rel="external nofollow">spending a year in beta</a>. The program allows third-party marketers to buy T-Mobile customer data and centers around a key piece of information that it has unique access to: what apps you use.
</p>

<p>
	 
</p>

<p>
	Customer data is anonymized, and it’s pooled together with others of similar interests and behaviors, so companies can’t buy a specific user’s app history. Still, it’s creepy. The company’s advertising segment <a data-cdata='{"rewritten_url":"https://go.redirectingat.com?xcust=___vg__p_22945892__m_m-placeholder__s_s-placeholder__t_w__c_c-placeholder__r_r-placeholder__d_d-placeholder\u0026id=66960X1514734\u0026xs=1\u0026url=https://www.t-mobile.com/advertising-solutions\u0026referrer=theverge.com\u0026sref=https://www.theverge.com/2022/6/24/23181851/t-mobile-browsing-data-app-insights-marketing-opt-out","subtag_max_length":50,"subtag_delim_length":3,"subtag_key":"xcust","subtag_data":{"xcust":"___vg__p_22945892__m_m-placeholder__s_s-placeholder__t_w__c_c-placeholder__r_r-placeholder__d_d-placeholder","id":"66960X1514734","xs":"1","url":"https://www.t-mobile.com/advertising-solutions","referrer":"theverge.com","sref":"https://www.theverge.com/2022/6/24/23181851/t-mobile-browsing-data-app-insights-marketing-opt-out"},"encode_subtag":false}' href="https://go.redirectingat.com?xcust=___vg__p_22945892__t_w__d_D&amp;id=66960X1514734&amp;xs=1&amp;url=https://www.t-mobile.com/advertising-solutions&amp;referrer=theverge.com&amp;sref=https://www.theverge.com/2022/6/24/23181851/t-mobile-browsing-data-app-insights-marketing-opt-out" rel="external nofollow" target="_blank">touts this offering loud and clear on its website</a>, with the phrase “Apps speak louder than words” splashed across the top of the page. It also invites prospective clients to “leverage app insights, the strongest indicator of consumer intent.” That’s gross. Thankfully, you can opt out.
</p>

<p>
	 
</p>

<p>
	<img alt="Screen_Shot_2022_06_24_at_12.57.57_PM.pn" class="ipsImage" data-ratio="60.56" height="342" width="720" src="https://cdn.vox-cdn.com/thumbor/MOF7GfAuj1iapykY2yS4L1CjCs0=/0x0:2520x1196/920x0/filters:focal(0x0:2520x1196):format(webp):no_upscale()/cdn.vox-cdn.com/uploads/chorus_asset/file/23650344/Screen_Shot_2022_06_24_at_12.57.57_PM.png">
</p>

<p>
	Ah, that old adage. Image: T-Mobile Advertising Solutions
</p>

<p>
	 
</p>

<p>
	T-Mobile <a href="https://play.google.com/store/apps/details?id=com.pushspring.preferences" rel="external nofollow">offers an Android</a> and <a href="https://apps.apple.com/us/app/pushspring-opt-out/id989451308" rel="external nofollow">iOS app</a> called “Magenta Marketing Platform Choices” that allows you to see which companies have your data and opt out entirely. You can also use <a href="https://youradchoices.com/appchoices" rel="external nofollow">App Choices</a> if you don’t want to, you know, download a T-Mobile app to opt out of T-Mobile app tracking. According to Ad Exchanger, iOS users are excluded from the program even if they’ve opted in to app tracking.
</p>

<p>
	 
</p>

<p>
	This kind of <a href="https://www.theverge.com/2021/12/17/22841372/verizon-custom-experience-opt-out-notification-email-marketing-data-collection" rel="external nofollow">creepy behavior from carriers</a> isn’t new, and it’s not likely to get better. With <a href="https://www.theverge.com/2021/6/24/22547339/google-chrome-cookiepocalypse-delayed-2023" rel="external nofollow">companies like Google</a> and <a href="https://www.theverge.com/2021/4/27/22405474/apple-app-tracking-transparency-ios-14-5-privacy-update-facebook-data" rel="external nofollow">Apple</a> allowing people to opt out of tracking more easily, marketers are looking for different ways to peek into your online habits. Wireless carriers have eagerly jumped in to provide that information, and T-Mobile is only the latest to do so.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.theverge.com/2022/6/24/23181851/t-mobile-browsing-data-app-insights-marketing-opt-out" rel="external nofollow">T-Mobile is selling your app usage data to advertisers — here’s how to opt out</a>
</p>
]]></description><guid isPermaLink="false">6708</guid><pubDate>Fri, 24 Jun 2022 22:26:55 +0000</pubDate></item><item><title>Ransomware Hacker Spotted Using Zero-Day Exploit on Business Phone VoIP Device</title><link>https://nsaneforums.com/news/security-privacy-news/ransomware-hacker-spotted-using-zero-day-exploit-on-business-phone-voip-device-r6700/</link><description><![CDATA[<p>
	The incident underscores how ransomware hackers now seem to have more resources to uncover previously unknown software vulnerabilities to attack targets.
</p>

<p>
	 
</p>

<p>
	To spread ransomware to a company, a hacker resorted to using a previously unknown vulnerability in a business phone VoIP device.
</p>

<p>
	<br />
	The finding comes from the security firm Crowdstrike. On Thursday, the company wrote a blog post about a suspected ransomware intrusion against an unnamed customer.
</p>

<p>
	<br />
	Ransomware attacks often begin with phishing emails or poorly secured computers. But in this case, the hacker had enough know-how to uncover a new vulnerability in a Linux-based VoIP appliance from the business phone provider Mitel.
</p>

<p>
	<br />
	The resulting zero-day exploit allowed the hacker to break into the company’s network through a VoIP device, which had limited security safeguards onboard. The attack was designed to essentially hijack the Linux-based VoIP appliance so that the hacker could infiltrate other parts of the network.
</p>

<p>
	<br />
	Fortunately, Crowdstrike was able to detect the hacker’s presence due to its security software spotting the unusual activity over the victim’s network. The company also reported the previously unknown vulnerability to Mitel, which supplied a patch to affected customers back in April.
</p>

<p>
	<br />
	Still, the incident underscores the growing concern that ransomware groups will use zero-day exploits to attack more victims. Earlier this month, NSA Director of Cybersecurity Rob Joyce said some ransomware gangs are now rich enough to buy zero-day exploits from underground dealers or fund research into uncovering new software vulnerabilities.
</p>

<p>
	<br />
	Crowdstrike added: “When threat actors exploit an undocumented vulnerability, timely patching becomes irrelevant. That’s why it’s crucial to have multiple layers of defense.” To stay protected, companies should ensure perimeter devices, such as business VoIP appliances, remain isolated from their network’s most critical assets, the security firm said.
</p>

<p>
	 
</p>

<p>
	Companies that use Mitel's MiVoice Connect product should also implement the patch as soon as possible to prevent further exploitation.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.pcmag.com/news/ransomware-hacker-spotted-using-zero-day-exploit-on-business-phone-voip" rel="external nofollow">Source</a></strong>
</p>

<p>
	 
</p>

<p>
	<em>Also:  <a href="https://thehackernews.com/2022/06/hackers-exploit-mitel-voip-zero-day-bug.html" rel="external nofollow">Hackers Exploit Mitel VoIP Zero-Day in Likely Ransomware Attack</a></em>.
</p>
]]></description><guid isPermaLink="false">6700</guid><pubDate>Fri, 24 Jun 2022 16:36:37 +0000</pubDate></item><item><title>White hat hacker attempts to recover 'millions' in lost Bitcoin, finds only $105</title><link>https://nsaneforums.com/news/security-privacy-news/white-hat-hacker-attempts-to-recover-millions-in-lost-bitcoin-finds-only-105-r6699/</link><description><![CDATA[<p>
	“We didn’t make money, but we definitely made new friends," said Lavar Sanders, who originally purchased the Bitcoin in 2016.
</p>

<p>
	 
</p>

<p>
	Joe Grand, a computer engineer and hardware hacker known by many for recovering crypto from hard-to-reach places, spent hours breaking into a phone only to find a fraction of a Bitcoin.
</p>

<p>
	<br />
	In a YouTube video released on Thursday, Grand traveled from Portland to Seattle in an effort to potentially recover “millions of dollars” in Bitcoin (BTC) from a Samsung Galaxy SIII phone owned by Lavar Sanders, a local bus operator. Sanders originally purchased the BTC in July 2016 in a “super sketchy” way, paying a person at a cafe and storing the crypto in a wallet on the phone before putting it in storage and losing track of the device.
</p>

<p>
	<br />
	After finding the phone in 2021, Sanders couldn’t recall the swipe password, but remembered setting up the option of erasing the data if too many incorrect attempts were made. He and a friend connected with Grand after discovering his YouTube videos, allowing the white hat hacker to make several attempts to get into the phone’s memory and recover the crypto.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedVideo">
	<div>
		<iframe allowfullscreen="" frameborder="0" height="113" title="Hacking a Samsung Galaxy for $6,000,000!?" width="200" data-embed-src="https://www.youtube.com/embed/icBD5PiyoyI?feature=oembed"></iframe>
	</div>
</div>

<p>
	 
</p>

<p>
	Following some microsoldering, dumping the memory and recovering the Samsung’s swipe pattern for access — which turned out to be the letter “L” — Sanders opened his MyCelium Bitcoin wallet and discovered only 0.00300861 BTC — worth $105 USD at the time, down to roughly $63 USD at the time of publication. Grand was later able to determine the bus operator purchased $400 worth of BTC in 2016, most of which went to a crypto mixing service called BitBlender, which was shut down in 2019.
</p>

<p>
	<br />
	“I’m a little devastated,” said Sanders. “We didn’t make money, but we definitely made new friends.”
</p>

<p>
	 
</p>

<p>
	Many crypto users have been locked out of their wallets or otherwise lost access to physical devices holding BTC over the years — one of the most famous examples being a Welsh man who in 2013 threw out a hard drive containing 7,500 Bitcoins, now worth more than $150 million. However, many hackers and engineers specializing in crypto recovery services have appeared in response.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://cointelegraph.com/news/white-hat-hacker-attempts-to-recover-millions-in-lost-bitcoin-finds-only-105" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">6699</guid><pubDate>Fri, 24 Jun 2022 16:34:16 +0000</pubDate></item></channel></rss>
