Starting from as early as September 2014, 41-year-old Hao Kuo Chi from La Puente, California, started marketing himself as "icloudripper4you," someone capable of breaching iCloud accounts and stealing anything contained in the linked iCloud storage (in what he referred to as "ripping").

"This man led a terror campaign from his computer, causing fear and distress to hundreds of victims," FBI agent David Walker said.

"The FBI is committed to protecting the American people by exposing these cybercriminals and bringing them to justice."

To compromise a targeted account, Chi used emails that would allow him to impersonate Apple customer support representatives and trick targets into handing over their Apple IDs and passwords, according to court documents.

After compromising an iCloud account, he would look for and steal nude photographs and videos from victims' online storage (referred to as "wins"), sharing them with conspirators who later published them online.

Chi also shared some of the compromising photos and videos on a now-defunct revenge porn website (Anon-IB) without his victims' consent and intending "to intimidate, harass, or embarrass."

Hundreds of compromised iCloud accounts

Until caught, Chi gained unauthorized access to hundreds of targets' iCloud accounts from all over the United States, including Arizona, California, Florida, Kentucky, Louisiana, Maine, Massachusetts, Ohio, Pennsylvania, South Carolina, and Texas.

"Chi's email accounts contained the iCloud credentials of approximately 4,700 victims. These accounts also revealed that he had sent content stolen from victims to conspirators on more than 300 occasions," the Department of Justice revealed today.

He stored 3.5 terabytes of stolen content from over 500 victims on cloud and physical storage, with roughly 1 terabyte of the cloud storage dedicated to stolen nude photographs and videos.

"Chi victimized hundreds of women across the country, making them fear for their safety and reputations," said U.S. Attorney Roger Handberg.

"This sentence reflects the resolve of the U.S. Attorney's Office to hold cybercriminals responsible for their crimes."

Source

Microsoft customers may visit the Adv220002 support page, Microsoft Guidance on Intel Processor MMIO Stale Data Vulnerabilities, for information. Intel published a support page on the company's Security Center website.

The following four vulnerabilities affect certain Intel processors:

• CVE-2022-21123 - Shared Buffer Data Read (SBDR)? -- "Incomplete cleanup of multi-core shared buffers for some Intel Processors may allow an authenticated user to potentially enable information disclosure via local access"
• CVE-2022-21125 - Shared Buffer Data Sampling (SBDS) -- "Incomplete cleanup of microarchitectural fill buffers on some Intel Processors may allow an authenticated user to potentially enable information disclosure via local access"
• CVE-2022-21127 - Special Register Buffer Data Sampling Update (SRBDS Update) -- "Incomplete cleanup in specific special register read operations for some Intel Processors may allow an authenticated user to potentially enable information disclosure via local access"
• CVE-2022-21166 - Device Register Partial Write (DRPW) -- ": Incomplete cleanup in specific special register write operations for some Intel® Processors may allow an authenticated user to potentially enable information disclosure via local access"

The list of affected Intel processors is available here. It includes Intel 7th generation to 12th generation processors, Intel Atom processors, Intel Pentium Gold series processors, and Intel Celeron processors.

Intel published microcode updates, which administrators may install on affected systems to protect the devices. The company recommends that users update to the latest version provided by the system manufacturer.

Microsoft confirmed the issue and provided a description of a potential attack:

An attacker who successfully exploited these vulnerabilities might be able to read privileged data across trust boundaries. In shared resource environments (such as exists in some cloud services configurations), these vulnerabilities could allow one virtual machine to improperly access information from another. In non-browsing scenarios on standalone systems, an attacker would need prior access to the system or an ability to run a specially crafted application on the target system to leverage these vulnerabilities.

Windows client customers need to install the microcode update and software updates. Microsoft has not released the updates via Windows Update at the time of writing. German computer site WinFuture notes that Microsoft will release the updates soon.

Intel Firmware updates for Memory Mapped I/O security vulnerabilities

Facebook is receiving sensitive medical information from hospital websites

This new cross-device security solution is available for all Microsoft 365 customers with Personal ($6.99/month) or Family ($9.99/month) subscriptions starting today.

First unveiled for Windows 11 Insiders in March, Defender for Individuals provides malware and phishing protection for Windows, macOS, iOS, and Android mobile and desktop devices.

It is designed to work as a central dashboard from which you can monitor the security status of your family members' devices.

Defender for Individuals also provides safety alerts and recommendations, including real-time warnings about device security changes and suggestions on keeping data and devices secure.

Microsoft says the malware protection feature is only available on Windows, macOS, and Android phones. In contrast, web protection is available on iOS and Android phones (on Windows, web protection is provided by the built-in Windows Security solution).

"It was built on our Microsoft Defender for Endpoint technology, leveraging the same trusted security that enterprises rely on," said Vasu Jakkal, Microsoft's Corporate Vice President for Security, Compliance, Identity, and Management.

"It joins our comprehensive set of security products and services as the newest member of our family of Microsoft Defender solutions and extends the protection already built into Windows Security."

A short list of security capabilities bundled with Microsoft Defender for Individuals includes:

• Manage your security protections and view security protections for everyone in your family from a single easy-to-use, centralized dashboard.
• View your existing antivirus protection (such as Norton or McAfee). Defender recognizes these protections within the dashboard.
• Extend Windows device protections to iOS, Android, and macOS devices for cross-platform malware protection on the devices you and your family use the most.
• Receive instant security alerts, resolution strategies, and expert tips to help keep your data and devices secure.

You can download the Microsoft Defender app for Windows from the Microsoft Store, for iPhones in the Apple App Store, and Android phones in Google Play, and directly download the macOS from here. 

Defender for Individuals is not currently available in all Microsoft 365 regions. You can find a list of all areas where it's not available by going here.

Microsoft 365 Personal plan allows subscribers to use Defender for Individuals on up to 5 devices with the same account and up to 30 devices simultaneously with the Family plan.

In May, Redmond also announced the general availability of its Microsoft Defender for Business, the company's standalone enterprise-grade endpoint security solution for small to medium-sized businesses.

New cloud-based Microsoft Defender for home now generally available

There is no shortage of examples, ranging from the 2007 attacks against Estonia digital services and 2008 cyber-attack against a nuclear power plant in Georgia to WannaCry and NotPetya, two ransomware attacks that encrypted data and demanded ransom payments, and the ransomware cyber-attack on the US Colonial Pipeline, a U.S. oil pipeline system that provides fuel to South-eastern States.

When analyzing cyber-attacks' ethical and legal implications, it is crucial to distinguish the actors involved, since the permissibility of certain actions depends also on the actors involved.

My work focuses mostly on state vs state cyber-attacks. One of the most recent examples of this type of attack were those launched against Ukraine's military forces and attributed to the UNC1151, a Belarus military unit, ahead of the Russian invasion of Ukraine.

Observers looked at the Russian invasion and expected cyber to be a key element. Many feared a "cyber-Pearl Harbor," i.e., a massive cyber-attack which would have disproportionate destructive outcome and would lead to an escalation of the conflict.

Thus far, the invasion of Ukraine has proved highly destructive and disproportionate, but cyber has played little, if no role at all, in the delivery of these outcomes. Does this mean a cyber-Pearl Harbor will never happen? More importantly, does this mean cyber-attacks are a secondary capability in war, and we can continue to leave their use under-regulated?

The short answer to both questions is no, but there are nuances. So far, cyber-attacks have not been used to cause massive destruction; a cyber-Pearl Harbor, as some commentators argued in early 2000. The lack of the cyber element in Ukraine is not a surprise, given how violent and destructive the Russian invasion has been. Cyber-attacks are disruptive more than destructive. They are not worth launching when actors are aiming at massive kinetic damage. Such destruction is achieved more effectively with conventional means.

However, cyber-attacks are neither victimless nor harmless and can lead to unwanted, disproportionate damage which can have serious negative consequences for individuals and for our societies at large. For this reason, we need adequate regulations to inform state use of these attacks.

For many years, the international debate on this topic has been led by a myopic approach. The rationale was to regulate interstate cyber-attacks insofar as they have similar outcomes to an armed (conventional) attack. As a result, the majority of inter-state cyber-attacks has been left unregulated.

This is the failure of what I dubbed the "analogy-approach" to the regulation of cyber warfare, which aims to regulate such warfare only to the extent it resembles kinetic warfare, i.e. if it leads to destruction, bloodshed, and casualties. In effect, it fails to capture the novelty of cyber-attack, which is disruptive more than destructive, and the severity of the threats that they pose to a digital society. Underpinning this approach is the failure to recognize the ethical, cultural, economic, infrastructural value digital assets have for our—digital—societies.

It is reassuring that, after the 2017 failure, in 2021, the UN Group of Governmental Experts on Advancing Responsible State Behavior in Cyberspace in the Context of International Security group could agree that interstate cyber-attacks should be regulated in agreement with the principles of International Humanitarian Law (IHL).

Although this in the right direction, it is only a first, and overdue, step. Indeed, the principles of IHL, and the ethical principles of Just War Theory, are still valid when considering cyberwarfare. We need interstate cyber-attacks to be proportionate, necessary, and to distinguish combatants from non-combatants. However, the implementation of such principles is problematic in the context of cyber—for example, we lack a clear threshold for proportionate and disproportionate attacks, and criteria to assess damage to immaterial assets. We also lack rules to consider issues related to sovereignty and due diligence.

Philosophical and ethical analyses are needed to overcome this gap and understand the nature of a warfare which decouples aggression from violence, which targets non-physical objects and yet can cripple our societies. At the same time, we need to make sure that, as more defense institutions see digital technologies as a decisive asset to maintain superiority against the opponents, they invest in, develop and use these capabilities in line with the values underpinning democratic societies and to maintain international stability.

As digital technology continues to be integrated in the defense capabilities, see for example artificial intelligence (AI), more conceptual and ethical questions emerge concerning their governance. To this end, it is important that defense institutions identify and address the ethical risks and opportunities that these technologies bring about and work to mitigate the former and leverage the latter.

Yesterday, the Ministry of Defense in the U.K. issued a policy paper: Ambitious, safe, responsible: our response to the delivery of AI-enabled capability in Defense, containing an appendix giving Ethical Principles for use of AI in defense. It is a step in the right direction. The principles are broad, and more work needs to be done to implement them in specific defense contexts. However, they set an important milestone, as they show the commitment of the MoD to focus on the ethical implications of using AI and to address them coherently with the values of democratic societies.

These principles arrive two years after those published by the U.S. Defense Innovation Board. Between the two sets of principles, there is some converges which may hint at the emergence of a shared view among allies as to how use AI, and, more broadly, digital capabilities for defense. My hope is that these principles may be the seeds to develop a shared framework for the ethical governance of the use of digital technologies for defense purposes.

Source

Linux users need to be watch out of a new peer-to-peer (P2P) botnet that spreads between networks using stolen SSH keys and runs its crypto-mining malware in a device's memory.

The Panchan P2P botnet was discovered by researchers at Akamai in March and the company is now warning it could be taking advantage of collaboration between academic institutions to spread by causing previously stolen SSH authentication keys to be shared across networks.

But rather than stealing intellectual property from these educational institutions, the Panchan botnet is using their Linux servers to mine cryptocurrency, according to Akamai.

Using other people's hardware to mine cryptocurrency might not be as lucrative as it once was due to the crypto crash currently underway but Panchan's mining rig costs nothing for the troublemakers who use it.

Panchan is a cryptojacker that was written in the Go programming language. Cryptojackers abuse others' compute power to mine cryptocurrency.

Panchan's P2P protocol communicates in plaintext over TCP but can evade monitoring, according to Akamai. The malware features a "godmode" admin panel, protected with a private key, for remotely controlling and distributing mining configurations.

"The admin panel is written in Japanese, which hints at the creator's geolocation," notes Akamai's Steve Kupchik.

"The botnet introduces a unique (and possibly novel) approach to lateral movement by harvesting of SSH keys. Instead of just using brute force or dictionary attacks on randomized IP addresses like most botnets do, the malware also reads the id_rsa and known_hosts files to harvest existing credentials and use them to move laterally across the network."

Panchan's authors are apparently fans of the Go programming language, which was created by Google engineers in 2007. Whoever wrote Panchan compiled the malware using Go version 1.18, which Google released in March.

As for the P2P network, Akamai found 209 peers, but only 40 of them are currently active and they were mostly located in Asia.

Why is the education more impacted by Panchan?

Akamai guesses this could be because of poor password hygiene, or that the malware moves across network with stolen SSH keys.

"Researchers in different academic institutions might collaborate more frequently than employees in the business sector, and require credentials to authenticate to machines that are outside of their organization/network. Strengthening that hypothesis, we saw that some of the universities involved were from the same country (e.g.,Spain) and others were from the same region (e.g., Taiwan and Hong Kong)," notes Kupchik.

The malware's worm features rely on SSH that are acquired by seeking existing SSH keys or trying easy-to-guess or default credentials.

Source

Under the hood, Microsoft Defender for individuals is built on Microsoft Defender for Endpoint technology. This has already been protecting millions of businesses and enterprises across the world against the latest online threats.

“We must evolve our security solutions to meet unique customer needs at home and work by bringing together existing technologies in a new way. That is why we are introducing Microsoft Defender for individuals,” said Vasu Jakkal, corporate vice president for Microsoft Security, Compliance, Identity & Privacy.

Heading into the future, Microsoft is planning additional features for Microsoft Defender for individuals. Identity theft protection and secure online connection are just two things that are already in the works, according to Jakkal.

To try out this new Microsoft service today, download the Microsoft Defender app on Windows, MacOS, iOS, and Android. You might already be familiar with the app, however, as it has been in preview over the past few months, with feedback from early beta testers helping build the final product.

Source

In this month's Patch Tuesday update for Windows 7, 8.1, 10, and 11, Microsoft released a bunch of improvements and security fixes for its operating systems. Talking about the latter, we have good news and bad news.

Starting off with the good news, Microsoft has patched lots of security issues including Follina. The bad news is that its updates apparently don't cover all reported 0-days, as DogWalk remains unpatched.

Details about Follina emerged last month when it was revealed that the wonky handling of URL protocols in Microsoft Support Diagnostic Tool (MSDT) meant that an application like Microsoft Word could invoke it to trigger remote code execution (RCE), potentially with admin privileges.

This issue affected virtually all versions of Windows, so Microsoft awarded it a "high" severity and recommended some mitigations. However, June's Patch Tuesday updates released yesterday offer a more permanent fix for this problem. In its corresponding CVE-2022-30190 tracking report, Microsoft has noted that:

The update for this vulnerability is in the June 2022 cumulative Windows Updates. Microsoft strongly recommends that customers install the updates to be fully protected from the vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action.

Meanwhile, DogWalk is another 0-day vulnerability that was widely reported last week. It basically utilizes a path traversal vulnerability which lands a payload in the Windows Startup folder location. This means the malware is executed when the user logs into their system next time. The downloaded diagcab file has a Mark of the Web (MOTW) but MSDT ignores the warning and runs it anyway making users vulnerable to this potential exploit.

Although some third-party security firms have released micropatches for DogWalk, Microsoft has downplayed the issue and says that it does not require "immediate service". It hasn't been assigned a CVE either.

And if you're wondering if the latest Patch Tuesday update would fix the issue, you'd be mistaken. According to security researchers on Twitter, DogWalk is still open for exploitation:

It remains to be seen if Microsoft will eventually fix the issue in the near future, but based on the recent updates on this matter, chances don't look good. We'll let you know if the situation evolves in the future.

June Patch Tuesday: Microsoft fixes Follina vulnerability but not DogWalk

PrivacyTests is a free website that runs tests regularly to check privacy features and protections in browsers. The organization checks desktop and mobile browsers, development builds of browsers, and the private browsing modes of the browsers.

If you look at the test results, you will notice that bare bones Chromium-based browsers are not doing too well. Google Chrome is a prime example of a browser that is failing most tests. Other Chromium-based browsers, including Edge, Opera and Vivaldi, do not fare a lot better in their default configurations.

In fact, the only two Chromium-based browsers of the tests that perform better are Brave and Ungoogled Chromium.

Firefox protects users better than default Chromium-based browsers, but LibreWolf and Tor offer better privacy protections still; this will change once Total Tracking Protection is enabled for more users. Safari is doing better than the default selection of Chromium-based browsers, but it too is not offering good protections for the most part.

Test results get better when you look at the browser's private modes and how they protect users. Often, tracking protection features are enabled automatically when these modes are used.

Chromium-based browsers get a few extra protections, but Chrome and many other Chromium-based browsers are still inferior when it comes to overall privacy protection. The browsers that do best are Brave, LibreWolf and Tor, followed by Firefox and Safari.

On Android, Chromium-based browsers that use the default configuration are again the worst from a privacy perspective. Google Chrome is not a good choice when it comes to that. Other browsers, including Brave, Firefox Focus, Tor and Bromite are leading the list. Firefox is doing better than the Chromium-based browsers, as is DuckDuckGo.

On iOS, browsers are more limited, but Brave, DuckDuckGo and Firefox Focus are offering the best protection.

Finally, Nightly build tests see Brave and Tor perform best, followed by Firefox and Safari. Edge is doing better than Chrome Canary, Opera and Vivaldi.

All web browsers have privacy weaknesses. Even Brave and LibreWolf, the three browsers that do best on the desktop, lack protections in some areas, but they do a lot better than all the other browsers.

You may click on a test to find out more about it; this may help you determine whether this is a potential issue. A click on a browser's specific test result displays information about the expected data and the returned data.

Internet users may improve privacy, for example, by changing default configurations or installing privacy extensions.

The website is run by Arthur Edelstein, who became an employee of Brave after the creation of the site, according to the About page on the site. Edelstein claims that the site is run independently of Brave and that there is "no connection with Brave marketing efforts".

Now You: how is your browser doing in comparison? Did you make changes to it that improved privacy?

PrivacyTests reveals how your web browser does privacy-wise

The operation was led by Interpol with the assistance of police in 76 countries and focused on social engineering crimes involving telephone deception, romance scams, business email compromise (BEC) scams, and related money laundering.

Social engineering is a generic term describing the manipulation of victims by threat actors, typically through human interaction, to trick them into performing some act or disclosing sensitive information.

Typically, the threat actors develop a convincing, realistic hook and then contact that person via phone or email to manipulate them.

Social engineering actors usually present an excuse to request a payment, but they may also use the stolen information to sell it to other crooks, gain access to networks/systems, perform blackmail, and more. 

The FTC says that people in the US have lost $547 million to romance scams in 2021 and the FBI reports that BEC scams have led to almost $2.4 billion in reported losses.

Operation First Light 2022

Interpol’s First Light 2022 operation targeted romance scams, email deception, scamming frauds, and telephone deception, all closely linked to financial crimes.

The results of the operation, which lasted two months, between March and May 2022, are the following:

• 1,770 locations raided worldwide
• Some 3,000 suspects identified
• Some 2,000 operators, fraudsters, and money launderers arrested
• Some 4,000 bank accounts frozen
• Some USD 50 million worth of illicit funds intercepted

Highlighted cases presented by Interpol include a Chinese national who had defrauded 24,000 victims out of $35,700,000 and a fake kidnap case that demanded a payment of $1,575,000 from the victim’s parents.

Another point that Interpol highlights are Ponzi-like job scams posing as e-commerce affiliations and e-shop business opportunities that appear to be on the rise.

“As part of Operation First Light 2022, the Singapore Police Force arrested eight suspects linked to Ponzi-like job scams. Scammers would offer high-paying online marketing jobs via social media and messaging systems where victims would initially make small earnings, and subsequently, be required to recruit more members to earn commissions.” - Interpol.

One more 2022 trend identified by Interpol’s analysts is the impersonation of the agency’s officials, threatening random people to pay the fake agents money to stop an investigation against them.

While there is massive financial loss related to these scams, there are also life-threatening consequences to social engineering crimes.

Interpol says there is a notable rise in human trafficking on social media platforms, where people are lured with lucrative job offers that lead to forced labor, sexual slavery, or captivity in casinos or fishing vessels.

Interpol seizes $50 million, arrests 2000 social engineers

Botched and silent patches from Microsoft put customers at risk, critics say

•  Stealthy Linux malware.
•  Aoqin Dragon targets Southeast Asia and Australia.
•  Iranian spearphishing campaign.
•  BlackCat RaaS described.

Stealthy Linux malware.

Researchers at Intezer and BlackBerry have discovered a very stealthy strain of Linux malware dubbed "Symbiote." Notably, the malware is a shared object library that infects all running processes on a machine:

"What makes Symbiote different from other Linux malware that we usually come across, is that it needs to infect other running processes to inflict damage on infected machines. Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD (T1574.006), and parasitically infects the machine. Once it has infected all the running processes, it provides the threat actor with rootkit functionality, the ability to harvest credentials, and remote access capability."

The researchers believe Symbiote was designed to target the financial industry in Latin America.

Aoqin Dragon targets Southeast Asia and Australia.

SentinelOne has published a report on a Chinese threat actor dubbed "Aoqin Dragon" (pronounced, roughly, "ow-keen') that's conducting cyberespionage in Southeast Asia and Australia:

"We assess that the threat actor’s primary focus is espionage and relates to targets in Australia, Cambodia, Hong Kong, Singapore, and Vietnam.... The threat actor has a history of using document lures with pornographic themes to infect users and makes heavy use of USB shortcut techniques to spread the malware and infect additional targets. Attacks attributable to Aoqin Dragon typically drop one of two backdoors, Mongall and a modified version of the open source Heyoka project."

Iranian spearphishing campaign.

Check Point observed an Iranian spearphishing campaign that targeted "former Israeli officials, high-ranking military personnel, research fellows in research institutions, think tanks, and against Israeli citizens." The attackers set up a fake URL shortening service, "Litby[.]us," to redirect users to a phony Yahoo login page:

"One of the straightforward purposes of this campaign is to gain access to the inboxes of its victims, specifically for Yahoo inboxes from the flows we observed. The phishing pages include several stages- asking the user for their account ID followed by an SMS code verification page. It is interesting to note that the truncated phone number within the phishing page was customized specifically for the target, and it corresponds to the public records. We suspect that once the victim enters his account ID, the phishing backend server would send a password recovery request to Yahoo, and the 2FA code would allow the attackers to gain access to the victim’s inbox."

BlackCat RaaS described.

Microsoft has published a report on the BlackCat ransomware-as-a-service operation. The researchers stated, "BlackCat is one of the first ransomware written in the Rust programming language. Its use of a modern language exemplifies a recent trend where threat actors switch to languages like Rust or Go for their payloads in their attempt to not only avoid detection by conventional security solutions but also to challenge defenders who may be trying to reverse engineer the said payloads or compare them to similar threats. BlackCat can target and encrypt Windows and Linux devices and VMWare instances. It has extensive capabilities, including self-propagation configurable by an affiliate for their usage and to environment encountered."

Source

This is because, starting today, Mozilla is rolling out and enabling its Total Cookie Protection set of privacy improvements for all Firefox users worldwide.

Total Cookie Protection forces all websites to keep their cookies in separate "jars," thus blocking attempts to track you across the web and building browsing profiles.

First introduced with the release of Firefox 86 in February 2021, this privacy feature was only active until now in private browsing or when users would manually enable ETP Strict Mode in the web browser's settings.

"Total Cookie Protection offers strong protections against tracking without affecting your browsing experience," said Mozilla today.

"Total Cookie Protection is Firefox's strongest privacy protection to date, confining cookies to the site where they were created, thus preventing tracking companies from using these cookies to track your browsing from site to site."

By creating a separate cookie jar for every website, Firefox will automatically block any attempts to use cookies to track the users while they're browsing the web.

Total Cookie Protection (Mozilla)

Ongoing fight against ad-tech tracking efforts

Today's announcement further highlights Mozilla's ongoing fight against ad tech companies' online tracking efforts that started in 2018 when it first introduced the Enhanced Tracking Protection feature.

One year later, Mozilla toggled on Enhanced Tracking Protection in Firefox by default to automatically block cookies from known trackers.

After the launch of Firefox 72 in January 2020, Mozilla's web browser also started auto-blocking scripts used by fingerprinting companies for browser fingerprinting via cross-site tracking.

In January 2021, starting with version 85, Firefox also comes with supercookie protection which blocks hidden trackers from keeping tabs on your web browsing activity.

With the rollout of Total Cookie Protection, Mozilla now protects more than 211 million monthly active users and 3,26% of the browser market share worldwide from cross-site tracking attempts.

Firefox now blocks cross-site tracking by default for all users

The record-breaking attack occurred last week and targeted one of Cloudflare's customers using the Free plan.

The threat actor behind it likely used hijacked servers and virtual machines seeing that the attack originated from Cloud Service Providers instead of weaker Internet of Things (IoT) devices from compromised Residential Internet Service Providers.

According to Cloudflare, the attacker also used a rather small yet very powerful botnet of 5,067 devices, each capable of generating roughly 5,200 rps when peaking.

"To contrast the size of this botnet, we've been tracking another much larger but less powerful botnet of over 730,000 devices," revealed Cloudflare Product Manager Omer Yoachimik.

"The latter, larger botnet wasn't able to generate more than one million requests per second, i.e., roughly 1.3 requests per second on average per device. Putting it plainly, this botnet was, on average, 4,000 times stronger due to its use of virtual machines and servers.

This is one of several massive volumetric attacks detected by Cloudflare throughout the last several years, with the company recording a short-lived HTTP DDoS attack that peaked at 17.2 million requests per second (rps) in August 2021.

The company also mitigated a 15.3 million rps attack in April 2022 that used approximately 6,000 bots to target a Cloudflare customer operating a crypto launchpad.

Also noteworthy is that the June and April attacks were volumetric attacks that used gigantic junk requests to exhaust the targeted server's resources (CPU and RAM) and were both carried out over HTTPS.

"HTTPS DDoS attacks are more expensive in terms of required computational resources because of the higher cost of establishing a secure TLS encrypted connection," Yoachimik explained.

"Therefore, it costs the attacker more to launch the attack, and for the victim to mitigate it. We've seen very large attacks in the past over (unencrypted) HTTP, but this attack stands out because of the resources it required at its scale."

The botnet used in this month's record-high 26 million rps DDoS attack generated over 212 million HTTPS requests within 30 seconds via requests from more than 1,500 networks in 121 countries worldwide.

Microsoft also disclosed that it mitigated in November another massive and record-breaking 3.47 terabits per second (Tbps) DDoS attack that flooded servers used by an Azure customer from Asia with malicious packets.

Cloudflare mitigates record-breaking HTTPS DDoS attack

Matthew Gatrel of St. Charles, Ill. was found guilty for violations of the Computer Fraud and Abuse Act (CFAA) related to his operation of downthem[.]org and ampnode[.]com, two DDoS-for-hire services that had thousands of customers who paid to launch more than 200,000 attacks.

Despite admitting to FBI agents that he ran these so-called “booter” services (and turning over plenty of incriminating evidence in the process), Gatrel opted to take his case to trial, defended the entire time by public defenders. Gatrel’s co-defendant and partner in the business, Juan “Severon” Martinez of Pasadena, Calif., pleaded guilty just before the trial.

After a nine-day trial in the Central District of California, Gatrel was convicted on all three counts, including conspiracy to commit unauthorized impairment of a protected computer, conspiracy to commit wire fraud, and unauthorized impairment of a protected computer.

Prosecutors said Downthem sold subscriptions allowing customers to launch DDoS attacks, while AmpNode provided “bulletproof” server hosting to customers — with an emphasis on “spoofing” servers that could be pre-configured with DDoS attack scripts and lists of vulnerable “attack amplifiers” used to launch simultaneous cyberattacks on victims.

Booter and stresser services let customers pick from among a variety of attack methods, but almost universally the most powerful of these methods involves what’s known as a “reflective amplification attack.” In such assaults, the perpetrators leverage unmanaged Domain Name Servers (DNS) or other devices on the Web to create huge traffic floods.

Ideally, DNS servers only provide services to machines within a trusted domain — such as translating an Internet address from a series of numbers into a domain name, like example.com. But DNS reflection attacks rely on consumer and business routers and other devices equipped with DNS servers that are (mis)configured to accept queries from anywhere on the Web.

Attackers can send spoofed DNS queries to these DNS servers, forging the request so that it appears to come from the target’s network. That way, when the DNS servers respond, they reply to the spoofed (target) address.

The bad guys also can amplify a reflective attack by crafting DNS queries so that the responses are much bigger than the requests. For example, an attacker could compose a DNS request of less than 100 bytes, prompting a response that is 60-70 times as large. This “amplification” effect is especially pronounced if the perpetrators query dozens of DNS servers with these spoofed requests simultaneously.

The government charged that Gatrel and Martinez constantly scanned the Internet for these misconfigured devices, and then sold lists of Internet addresses tied to these devices to other booter service operators.

“Gatrel ran a criminal enterprise designed around launching hundreds of thousands of cyber-attacks on behalf of hundreds of customers,” prosecutors wrote in a memorandum submitted in advance of his sentencing. “He also provided infrastructure and resources for other cybercriminals to run their own businesses launching these same kinds of attacks. These attacks victimized wide swaths of American society and compromised computers around the world.”

The U.S. and United Kingdom have been trying to impress on would-be customers of these booter services that hiring them for DDoS attacks is illegal. The U.K. has even taken out Google ads to remind U.K. residents when they search online for terms common to booter services.

The case against Gatrel and Martinez was brought as part of a widespread crackdown on booter services in 2018, when the FBI joined law enforcement partners overseas to seize 15 different booter service domains.

Those actions have prompted a flurry of prosecutions, with wildly varying sentences when the booter service owners are invariably found guilty. However, DDoS experts say booter and stresser services that remain in operation continue to account for the vast majority of DDoS attacks launched daily around the globe.

“Downthem” DDoS-for-Hire Boss Gets 2 Years in Prison

A new vulnerability in Intel and AMD CPUs lets hackers steal encryption keys

"The Syslogk rootkit is heavily based on Adore-Ng but incorporates new functionalities making the user-mode application and the kernel rootkit hard to detect," Avast security researchers David Álvarez and Jan Neduchal said in a report published Monday.

Adore-Ng, an open-source rootkit available since 2004, equips the attacker with full control over a compromised system. It also facilitates hiding processes as well as custom malicious artifacts, files, and even the kernel module, making it harder to detect.

"The module starts by hooking itself into various file systems. It digs up the inode for the root filesystem, and replaces that inode's readdir() function pointer with one of its own," LWN.net noted at the time. "The Adore version performs like the one it replaces, except that it hides any files owned by a specific user and group ID."

Besides its capabilities to hide network traffic from utilities like netstat, housed within the rootkit is a payload named "PgSD93ql" that's nothing but a C-based compiled backdoor trojan named Rekoobe and gets triggered upon receiving a magic packet.

"Rekoobe is a piece of code implanted in legitimate servers," the researchers said. "In this case it is embedded in a fake SMTP server, which spawns a shell when it receives a specially crafted command."

Specifically, Syslogk is engineered to inspect TCP packets containing the source port number 59318 to launch the Rekoobe malware. Stopping the payload, on the other hand, requires the TCP packet to meet the following criteria -

•  Reserved field of the TCP header is set to 0x08

•  Source port is between 63400 and 63411 (inclusive)

•  Both the destination port and the source address are the same as that were used when sending the magic packet to start Rekoobe, and

•  Contains a key ("D9sd87JMaij") that is hardcoded in the rootkit and located in a variable offset of the magic packet

For its part, Rekoobe masquerades as a seemingly innocuous SMTP server but in reality is based on an open-source project called Tiny SHell and stealthily incorporates a backdoor command for spawning a shell that makes it possible to execute arbitrary commands.

Syslogk adds to a growing list of newly discovered evasive Linux malware such as BPFDoor and Symbiote, highlighting how cyber criminals are increasingly targeting Linux servers and cloud infrastructure to launch ransomware campaigns, cryptojacking attacks, and other illicit activity.

"Rootkits are dangerous pieces of malware," the researchers said. "Kernel rootkits can be hard to detect and remove because these pieces of malware run in a privileged layer."

Source

"Unlike other ransomware groups, this ransomware family doesn't have an active leak site; instead it prefers to direct the impacted victim to negotiations through Tox chat and onion-based messenger instances," Daniel Bunce and Doel Santos, security researchers from Palo Alto Networks Unit 42, said in a new write-up.

HelloXD surfaced in the wild on November 30, 2021, and is based off leaked code from Babuk, which was published on a Russian-language cybercrime forum in September 2021.

The ransomware family is no exception to the norm in that the operators follow the tried-and-tested approach of double extortion to demand cryptocurrency payments by exfiltrating a victim's sensitive data in addition to encrypting it and threatening to publicize the information.

The implant in question, named MicroBackdoor, is an open-source malware that's used for command-and-control (C2) communications, with its developer Dmytro Oleksiuk calling it a "really minimalistic thing with all of the basic features in less than 5,000 lines of code."

Hello XD Ransomware

Notably, different variants of the implant were adopted by the Belarusian threat actor dubbed Ghostwriter (aka UNC1151) in its cyber operations against Ukrainian state organizations in March 2022.

MicroBackdoor's features allow an attacker to browse the file system, upload and download files, execute commands, and erase evidence of its presence from the compromise machines. It's suspected that the deployment of the backdoor is carried out to "monitor the progress of the ransomware."

Unit 42 said it linked the likely Russian developer behind HelloXD — who goes by the online aliases x4k, L4ckyguy, unKn0wn, unk0w, _unkn0wn, and x4kme — to further malicious activities such as selling proof-of-concept (PoC) exploits and custom Kali Linux distributions by piecing together the actor's digital trail.

"x4k has a very solid online presence, which has enabled us to uncover much of his activity in these last two years," the researchers said. "This threat actor has done little to hide malicious activity, and is probably going to continue this behavior."

The findings come as a new study from IBM X-Force revealed that the average duration of an enterprise ransomware attack — i.e., the time between initial access and ransomware deployment — reduced 94.34% between 2019 and 2021 from over two months to a mere 3.85 days.

The increased speed and efficiency trends in the ransomware-as-a-service (RaaS) ecosystem has been attributed to the pivotal role played by initial access brokers (IABs) in obtaining access to victim networks and then selling the access to affiliates, who, in turn, abuse the foothold to deploy ransomware payloads.

"Purchasing access may significantly reduce the amount of time it takes ransomware operators to conduct an attack by enabling reconnaissance of systems and the identification of key data earlier and with greater ease," Intel 471 said in a report highlighting the close working relationships between IABs and ransomware crews.

"Additionally, as relationships strengthen, ransomware groups may identify a victim who they wish to target and the access merchant could provide them the access once it is available."

Source

Vytal uses the chrome.debugger API, which the developer believes makes the use of the extension undetectable by websites and will spoof the data during the initial loading of webpages as well as in iframes and web workers.

One of the main ideas behind Vytal was to give VPN users a tool at hand to match location-based identifiers to the VPN's location. Sites may use scripts to find discrepancies between the VPN's location, based on the IP address, and other location data, which the browser may provide.

The Vytal extension is available in the Chrome Web Store. Just visit its profile page there and install it, just like any other Chrome extension. You may check the source code of the extension on GitHub.

Installation adds an icon to Chrome's main toolbar that you may interact with. A click displays the available options and information about the current IP address and region. The profile menu lists dozens of regional profiles that you may apply manually, e.g., to spoof your location, timezone and locale to Houston, Jersusalem, or Bangkok.

You also find an option to match the regional settings to the active IP address; this is what VPN users may want to activate, as it automates the process of matching the VPN server location to the spoofed data of the browser.  A custom option is available next to that, to enter data manually into the fields.

There is an option to randomize the data every 60 minutes, or any other period that you set the randomizer to.

Last but not least, you may also set a different user agent, but none appears to be provided, which means that you need to set it manually.

Vytal has two shortcomings that users need to be aware of. Chromium-based browsers display a "started debugging this browser" message at the top when extensions are active that use the debugging API. The notification is displayed at the top in the browser when Vytal is being used.

Chrome and other Chromium-based browsers support the command line switch --silent-debugger-extension-api, which supresses the message in the browser.

The second issue weights more heavily. There is a slight delay between opening a new tab and the start of the debugger. Sites may use this delay to retrieve information before the actual spoofing takes place. Since this is tab-based, users might get around this by loading safe sites in tabs first before loading sites that might detect spoofing this way.

The browser extension is not available for Firefox, as the browser does not support the debugging API according to the developer.

Closing Words

The browser extension Vytal may be useful to Internet users who run into location-based issues when using sites; this may affect users who are abroad on vacation or because of their job, and users who use VPN's to access content in different locations in the world.

Sites have other means to block access to content, for example, by detecting that IP addresses that are linked to a VPN service are being used.

Still, it may be worth a shot for users who can't use certain services because of their location.

Now you: do you use VPNs to spoof your location?

Vytal: browser extension to spoof your location and user agent

Most Chromium-based web browsers appear to be affected, including Google Chrome. Microsoft Edge was tested for the weakness and it was affected by it, too. A quick test on a local Windows 11 system confirmed that browsers such as Brave and Mozilla's Firefox web browser are affected by the issue as well.

Physical access to the target machine is not required, as remote access or access to software that is running on the target machine is sufficient to extract the data. Extracting can be done from any non-elevated process that runs on the same machine.

While it is necessary for the user to enter credential data such as usernames and passwords before they can be extracted, Zeev Ben Porat notes that it is possible to "load into memory all the passwords that are stored in the password manager".

Two-factor authentication security may not be sufficient to protect user accounts either, if session cookie data is also present in memory; extraction of the data may lead to session hijacking attacks using the data.

The security researcher describes several different types of clear-text credential data that can be extracted from the browser's memory.

• Username + password used when signing into a targeted web application
• URL + Username + Password automatically loaded into memory during browser’s startup
• All URL + username + password records stored in Login Data
• All cookies belonging to a specific web application (including session cookies)Testing your browsers

The issue was reported to Google and it received the "wont fix" status quickly. The reason given is that Chromium won't fix any issues that are related to physical local access attacks.

Zeev Ben Porat published a follow-up article on the CyberArk blog, which describes mitigation options and different types of attacks to exploit the issue.

How to test your browsers

Windows users may use the free tool Process Hacker to test their browsers. Just download the portable version of the program, extract its archive and run the Process Hacker executable to get started.

Enter a username, password or other sensitive data in the browser that you want to test.

1. Double-click on the main browser process in the process listing to display details.
2. Switch to the Memory tab.
3. Activate the Strings button on the page.
4. Select OK on the page.
5. Activate the Filter button in the window that opens, and select "contains" from the context menu.
6. Type the password or other sensitive information in the "Enter the filter pattern" field and select ok.
7. Process Hacker returns the data if it is found in process memory.

Now You: is your browser affected by this? What is your take on the issue?  (via Born)

Your browser stores passwords and sensitive data in clear text in memory

he trial is underway of an accused hacker who prosecutors say downloaded the personal information of 100 million Capital One customers, including 140,000 Social Security numbers.

According to the New York Times, the defendant is a former Amazon employee who claimed she was doing legitimate research. She’s been charged with ten counts of computer fraud, wire fraud, and identity theft, and the trial is taking place in federal court in Seattle.

“They are interpreting a statute so broadly that it captures conduct that is innocent and as a society, we should be supporting, which is security researchers going out on the internet and trying to make it safer,” the woman’s lawyer told the newspaper.

The U.S. attorney, however, claims that the woman was “motivated both to make money and to gain notoriety in the hacking community and beyond,” according to a legal filing reported by the newspaper.

In other news related to Social Security-involved crimes:

A sixty-nine-year-old West Virginia woman has pled guilty to charges of theft of government benefits and making materially false statements to federal agents.

According to the U.S. Attorney’s office for the Southern District of West Virginia, the woman has admitted that she collected Social Security benefits meant for a deceased relative. The collections took place over a four-year period between 2016 and 2020, and she collected $46,356 in federal benefits.

The woman also, per the prosecutors, has admitted that she lied to federal investigators, first lying that she was her sister, and then claiming that she would be out of town for a month. She is scheduled to be sentenced in September, facing a maximum of fifteen years in prison.

And in Indiana, a woman was accused of stealing nearly $70,000 in Social Security funds that were meant for her deceased sister, as reported by the Greenfield Reporter, citing a Social Security Administration (SSA) report.

The woman was charged with a Level 5 felony count of theft and a Level 5 felony count of welfare fraud.

Per the newspaper article, the woman “had a scheme to defraud the Social Security Disability Benefits Program.” After her sister passed away, the woman did not notify authorities but rather received  $69,056 through direct deposit.

The woman, the newspaper said, spent the money on “household bills, furniture, a Capital One credit card and transferred much of it to her own personal bank account.” Officials said the woman, when interviewed by federal officials last September and admitted to what she had done. She also claimed that “she tried to get SSA to stop sending the money, but they kept depositing funds into the account.”

Source

Pointer Authentication is a security feature that adds a cryptographic signature, known as pointer authentication code (PAC), to pointers that allow the operating system to detect and block unexpected changes that would otherwise lead to data leaks or system compromise.

Discovered by researchers at MIT's Computer Science & Artificial Intelligence Laboratory (CSAIL), this new class of attack would allow threat actors with physical access to Macs with Apple M1 CPUs to access the underlying filesystem.

To do that, the attackers first need to find a memory bug affecting software on the targeted Mac that would be blocked by PAC and that can be escalated into a more severe security issue after bypassing PAC defenses.

"PACMAN takes an existing software bug (memory read/ write) and turns it into a more serious exploitation primitive (a pointer authentication bypass), which may lead to arbitrary code execution. In order to do this, we need to learn what the PAC value is for a particular victim pointer," the researchers explained.

"PACMAN does this by creating what we call a PAC Oracle, which is the ability to tell if a given PAC matches a specified pointer. The PAC Oracle must never crash if an incorrect guess is supplied. We then brute force all possible PAC values using the PAC Oracle."

While Apple can't patch the hardware to block attacks using this exploitation technique, the good news is that end-users don't need to be worried as long as they keep their software up to date and free of bugs that could be exploited to gain code execution using PACMAN.

"PACMAN is an exploitation technique- on its own it cannot compromise your system. While the hardware mechanisms used by PACMAN cannot be patched with software features, memory corruption bugs can be," the researchers added.

While this attack would typically lead to a kernel panic, crashing the entire system, PACMAN ensures that no system crashes occur and leaves no traces in logs.

Apple: No immediate risk to users

The MIT CSAIL researchers reported their findings and shared proof-of-concept attacks and code with Apple, exchanging info with the company since 2021.

Apple says this new side-channel attack doesn't represent a danger to Mac users, given that it also requires other security vulnerabilities to be effective.

"We want to thank the researchers for their collaboration as this proof-of-concept advances our understanding of these techniques," an Apple spokesperson told BleepingComputer.

"Based on our analysis, as well as the details shared with us by the researchers, we have concluded this issue does not pose an immediate risk to our users and is insufficient to bypass device protections on its own."

Security experts have argued that the attack doesn't come with "real-world utility," which was confirmed by Joseph Ravichandran, an MIT Ph.D. student and one of the four researchers behind PACMAN.

You can find more technical details about this novel hardware attack on the dedicated site and in the "PACMAN: Attacking ARM Pointer Authentication with Speculative Execution" paper [PDF] that will be presented at the International Symposium on Computer Architecture on June 18.

New PACMAN hardware attack targets Macs with Apple M1 CPUs

Intezer security researcher Joakim Kennedy and the BlackBerry Threat Research and Intelligence Team have analyzed an unusual piece of Linux malware they say is unlike most seen before - it isn't a standalone executable file.…

Dubbed Symbiote, the badware instead hijacks the environment variable (LD_PRELOAD) the dynamic linker uses to load a shared object library and soon infects every single running process.

The Intezer/BlackBerry team discovered Symbiote in November 2021, and said it appeared to have been written to target financial institutions in Latin America. Analysis of the Symbiote malware and its behavior suggest it may have been developed in Brazil. 

"Since it is extremely evasive, a Symbiote infection is likely to 'fly under the radar.' In our research, we haven't found enough evidence to determine whether Symbiote is being used in highly targeted or broad attacks," the researchers wrote in their report.

Source

Addressing cybersecurity from this point of view is precisely the objective of the European Interdisciplinary Cybersecurity Conference to be held on 15 and 16 June in Barcelona. The conference is being coordinated by two researchers from the Universitat Oberta de Catalunya (UOC): professor David Megías, director of the Internet Interdisciplinary Institute (IN3), and Helena Rifà, a researcher at the IN3 and director of the Master's Degree in Cybersecurity and Privacy, of the Faculty of Computer Science, Multimedia and Telecommunications.

The cybersecurity situation in 2022

The data are clear: cyberattacks have been on the rise in recent years and the cybersecurity situation is increasingly complex.

According to the latest report from ENISA, the European Union Agency for Cybersecurity, attacks increased in 2020 and 2021, not only in terms of vectors and number but also in terms of their impact. And according to McAfee, ransomware-like attacks (attacks asking for a ransom in exchange for stopping or releasing the hijacked information) are the most common.

"Over the past two years, we haven't only had a health pandemic but there has been a genuine pandemic of cyberattacks and cybercrime," said David Megías, leader of the K-riptography and Information Security for Open Networks (KISON) research group.

"Cybercriminals have taken advantage of the pandemic in many ways. In addition, with the increase in teleworking, cybercriminals have had easier access to computers that weren't as well protected as those of companies. And, undoubtedly, the most common form of attack during these two years was ransomware, affecting institutions of all kinds: banks, energy suppliers, telecommunications companies, universities and public services."

The big cybersecurity challenges in 2022

"Cybersecurity is not just a technical discipline; it takes in many fields of knowledge and affects many different departments and practices in companies," said Helena Rifà, also a researcher in the KISON group. This being the case, the great challenges in the field of cybersecurity are not only technical but transcend the frontiers of technology. According to UOC experts, these are the main challenges.

1. Awareness-raising, the first line of defense

More than 90% of cyberattacks are made possible, to a greater or lesser extent, by human error, according to IBM data. Therefore, despite technological advances to minimize threats, the first major line of defense is the awareness and good practices of users.

"Many of the cybersecurity issues companies face come about as a result of well-known vulnerabilities. If we all did our homework better, it'd be easier to reduce online threats. We all use electronic devices, and we all have to put in place a minimum of cybersecurity," explained Helena Rifà.

2. A new generation of hybrid threats

Cyber-physical systems are increasingly present in our daily lives, from industrial control systems and energy infrastructure to home automation. The technological revolution they are fostering, which has generated multiple business opportunities, carries its own threats, combining both complex technological and human aspects. The rise of hybrid cyber threats will be the central theme of one of the two keynote presentations at the European Interdisciplinary Cybersecurity Conference, which will be given by Fulvio Valenza, an assistant professor at the Politecnico di Torino.

3. And more sophisticated defense tools

Faced with the increasing complexity of threats, artificial intelligence (AI) and machine learning are becoming increasingly important as protection tools. "The greatest scientific challenge today is trying to stay ahead of the increasingly sophisticated threats," added Rifà. "AI is increasingly being used both to quickly identify attacks and vulnerabilities and to resolve them."

4. Towards sustainable cybersecurity

We are all responsible for managing and protecting the resources in our environment for future generations. The basic definition of sustainability is also relevant in the field of cybersecurity. "In this sense, sustainability is understood as the mechanisms that allow the interactions of stakeholders (users, service providers and device manufacturers) with the technological ecosystem to be deliberate and with full knowledge of their consequences on the security and stability of the system," said David Megías.

The Internet of Things is generating an unprecedented increase in the number of devices sharing users' sensitive data and information. In addition, 5G and other telecommunications technologies allow broadband connectivity for an almost unlimited number of devices, multiplying the internet infrastructure. "As a result, technological infrastructure is becoming unsustainable due to various malicious threats and unintentional mistakes. It's imperative to achieve a more sustainable ICT infrastructure by providing solutions that are secure and ensure privacy," Megías added.

5. The Great Privacy Battle

Cyberattacks are not the only way in which users' personal data can be compromised. On many occasions, data are exposed by the architecture of the platforms themselves or by the ignorance of netizens. For Helena Rifà, there are still many problems for technology to solve in order to better protect data, such as being able to send only the precise information for each purpose, better anonymization of databases and ensuring privacy for all the data stored on the web.

"At the social level, we also have to provide usability methodologies so that people know how to act on social media and the internet in general, what can be shared and what can't," she said. "In the end, the big challenge is to make data security and privacy compatible so that technology is usable, and we can work comfortably with it while protecting our systems and data."

Source

Researchers have come across a stealthy Linux backdoor that uses sophisticated techniques to hide itself on compromised servers and steal credentials. Dubbed Symbiote because it injects itself into existing processes, the threat has been in development since at least November 2021 and seems to have been used against the financial sector in Latin America.

"Symbiote is a malware that is highly evasive," researchers from BlackBerry said in a new report. "Since the malware operates as a userland level rootkit, detecting an infection may be difficult. Network telemetry can be used to detect anomalous DNS requests and security tools such as AVs and EDRs should be statically linked to ensure they are not “infected” by userland rootkits."

Why Symbiote is a parasitic infection

The Symbiote malware is not deployed as an executable but as a shared object (.so file), which is essentially loaded by programs on execution. The attackers set the LD_PRELOAD environment variable to load the malicious library into all running processes, since this variable tells the linker to load the shared object before any other legitimate library.

To prevent its presence from being discovered, for example in the output of the ldd command that can be used to list a running process's dependencies, the malware intercepts calls to this command by hooking execve and then scrubs itself from the output.

In addition to hiding itself, Symbiote is designed to hide the presence of other malware programs that attackers might deliver or files that are used to store stolen credentials in. The researchers found that the malware will remove the following entries from the output when an application is trying to access running processes: certbotx64, certbotx86, javautils, javaserverx64, javaclientex64 and javanodex8. "Some of the file names match the file names used by Symbiote but also names of other files for tools likely deployed on the infected machines," the researchers said.

The malware goes even further and hides its network activity as well. This is achieved in three ways. First, it will intercept any calls to /proc/net/tcp by hooking fopen and fopen64 and will scrub any network connections to specific ports it wants to hide from the output.

The second method involves the use of the extended Berkeley Packet Filter (eBPF) feature of the kernel. The eBPF has been abused by malware in different ways in the past, but Symbiote only uses it to hide its network connections from packet capture programs. The way in which it achieves this involves manually written bytecode which suggests a skilled developer, the researchers said.

The third method involves hooking libpcap functions to hook UDP traffic to specific domain names the malware has in a list. The domains found in the analyzed samples impersonate the domain names of major banks in Latin America, which suggests those banks might have been the targets and the attackers wanted to blend in the traffic in case it was discovered at the network level.

Using the domain names the researchers managed to find another sample on VirusTotal that was using one of them. That was a DNS tunneling tool which was likely deployed by Symbiote.

Backdoor access and credential harvesting

Symbiote's goal is to provide remote access to the system to attackers, hide additional tools that they might use and to harvest credentials from the ssh or scp remote access services. The credentials are stored in header files and are encrypted before being exfiltrated to one of the domain names used by the attackers.

"Remote access to the machine is achieved by hooking a few Linux Pluggable Authentication Module (PAM) functions," the researchers said. "When a service tries to use PAM to authenticate a user, the malware checks the provided password against a hardcoded password. If the password provided is a match, the hooked function returns a success response. Since the hooks are in PAM, it allows the threat actor to authenticate to the machine with any service that uses PAM. This includes remote services such as SSH."

The malware also provides a mechanism for hackers authenticated via the backdoor to obtain root privileges. This is set up by abusing the HTTP_SETTHIS variable when Symbiote is first loaded.

The researchers noticed a similarity in some of the used techniques between Symbiote and an older Linux malware called Ebury or Windigo. However, there is very little shared code between the two, suggesting that Symbiote is a completely new malware threat that hasn't been detected until now. While the samples seen so far appeared to target financial institutions in Latin America, there are no guarantees that additional targets aren’t out there or that the group behind this threat will limit itself to targeting only organizations in this region.

BlackBerry's report includes several indicators of compromise that can be used to detect if the malware is present on systems, including file names and hashes, domain names and port numbers for network activity that the malware attempts to hide.

Source

Also: 

(1) New Symbiote malware infects all running processes on Linux systems.

(2) Symbiote: A Stealthy Linux Malware Targeting Latin American Financial Sector