<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/124/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Cloudflare announces Private Access Tokens - verification without CAPTCHAs</title><link>https://nsaneforums.com/news/security-privacy-news/cloudflare-announces-private-access-tokens-verification-without-captchas-r6379/</link><description><![CDATA[<p>
	Cloudflare <a href="https://blog.cloudflare.com/eliminating-captchas-on-iphones-and-macs-using-new-standard/" rel="external nofollow">has announced</a> a new technology called Private Access Tokens that allows you to validate, in a privacy-preserving manner, that visitors to your site are real. Operating systems will add support for this new technology, including the upcoming versions of macOS and iOS, which will eliminate the need to complete annoying CAPTCHAs. This should make mobile browsing more pleasant.
</p>

<p>
	 
</p>

<p style="text-align: center;">
	<img alt="1654725967_captcha_story.jpg" class="ipsImage" data-ratio="59.31" height="405" width="720" src="https://cdn.neow.in/news/images/uploaded/2022/06/1654725967_captcha_story.jpg">
</p>

<p>
	 
</p>

<p>
	Cloudflare outlined several benefits of PATs. For users, they make accessing sites less cumbersome; for web and app developers, they confirm that the user is on an authentic device and a signed application; and for Cloudflare customers, getting started with PATs is simple because no setup is required.
</p>

<p>
	 
</p>

<p>
	Apple is one of the first major vendors to <a href="https://developer.apple.com/videos/play/wwdc2022/10077/" rel="external nofollow">announce support for Private Access Tokens</a> in iOS 16, iPadOS 16, and macOS 13. Other vendors are also expected to announce support in the near future, so more people will be able to avoid CAPTCHAs. On Cloudflare’s side, PATs have already been incorporated into its Managed Challenge platform, so customers using this feature already support PATs on their websites. Cloudflare said 65% of its customers already use Managed Challenge rather than the Legacy CAPTCHA as a response option in their Firewall rules.
</p>

<p>
	 
</p>

<p>
	The next version of <a href="https://www.neowin.net/news/apple-shows-off-macos-ventura-at-wwdc-with-a-beta-now-available-for-developers/" rel="external nofollow">macOS was released as a beta for developers on Monday</a>, and a public beta is due in July. The upgrade will be offered to everybody in the fall.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/cloudflare-announces-private-access-tokens---verification-without-captchas/" rel="external nofollow">Cloudflare announces Private Access Tokens - verification without CAPTCHAs</a>
</p>
]]></description><guid isPermaLink="false">6379</guid><pubDate>Thu, 09 Jun 2022 05:05:00 +0000</pubDate></item><item><title>How a Saxophonist Tricked the KGB by Encrypting Secrets in Music</title><link>https://nsaneforums.com/news/security-privacy-news/how-a-saxophonist-tricked-the-kgb-by-encrypting-secrets-in-music-r6378/</link><description><![CDATA[<p>
	In 1985, saxophonist Merryl Goldberg found herself on a plane to Moscow with three fellow musicians from the Boston Klezmer Conservatory Band. She had carefully packed sheet music, reeds, and other woodwind supplies, along with a soprano saxophone, to bring into the USSR. But one of her spiral-bound notebooks, lined with staves for hand-notating music, contained hidden information.
</p>

<p>
	 
</p>

<p>
	<img alt="Coded-Music-Notation-Security-Fraylachs-" class="ipsImage" data-ratio="75.10" height="810" width="588" src="https://media.wired.com/photos/62a0db764f04cc9d5d11e2e6/master/w_1600,c_limit/Coded-Music-Notation-Security-Fraylachs-I.jpg">
</p>

<p>
	Courtesy of Merryl Goldberg
</p>

<p>
	 
</p>

<p>
	<img alt="Coded-Music-Notation-Security-Meno-Mosso" class="ipsImage" data-ratio="75.10" height="810" width="588" src="https://media.wired.com/photos/62a0db77369f9cd0bb5790c5/master/w_1600,c_limit/Coded-Music-Notation-Security-Meno-Mosso-New-Man-Kosh.jpg">
</p>

<p>
	Courtesy of Merryl Goldberg
</p>

<p>
	 
</p>

<p>
	Using a code she had developed herself, Goldberg had obscured names, addresses, and other details the group would need for their trip in handwritten compositions that looked, to an untrained eye, like the real melodies she’d written on other pages of the book. Goldberg and her colleagues didn’t want to give Soviet officials details of who they planned to see and what they planned to do on their trip. They were going to meet the Phantom Orchestra.
</p>

<p>
	 
</p>

<p>
	The group was a dissident ensemble that Goldberg describes as an amalgamation of Jewish refuseniks (Jews who were barred from emigrating out of the USSR), Christian activists, and Helsinki monitors—watchdogs who tracked Soviet compliance with the 1975 Helsinki Accords. The Americans’ trip was funded and coordinated by the nonprofit Action for Soviet Jewry (now Action for Post-Soviet Jewry), which works on humanitarian relief in the former Soviet Union and was focused on helping Soviet Jews emigrate to Israel and the United States. 
</p>

<p>
	 
</p>

<p>
	The trip was a rare and special opportunity for American and Soviet players to meet in the USSR and make music together. It was also an opportunity for the American musicians to smuggle information about aid efforts and plans to the Phantom Orchestra, and for the ensemble to send updates out, including details about individuals looking to escape the Soviet Union.
</p>

<p>
	 
</p>

<p>
	<img alt="Coded-Music-Notation-Security-MG-PIC-02." class="ipsImage" data-ratio="75.10" height="485" width="720" src="https://media.wired.com/photos/62a0dcf0ebc3b410c84b92ec/master/w_1600,c_limit/Coded-Music-Notation-Security-MG-PIC-02.jpg">
</p>

<p>
	Courtesy of Merryl Goldberg
</p>

<p>
	 
</p>

<p>
	Goldberg and her colleagues, all of whom are Jewish, traveled to Moscow separately in two pairs to make it less likely that they would arouse suspicion as a group. They had received training on how to react to questioning and been told to expect surveillance, even run-ins with Soviet officials, throughout their trip. But first Goldberg needed to get her notebook past border control. 
</p>

<p>
	 
</p>

<p>
	“When we arrived, we were immediately pulled aside, and they went through everything in our luggage, to the point of unwrapping Tampax. It was crazy,” says Goldberg, who is presenting about the experience and her musical code at the RSA security conference in San Francisco today. “With my music, they opened it up and there were some real tunes in there. If you’re not a musician, you wouldn’t know what’s what. They went page by page through everything—and then they handed it back.”
</p>

<p>
	 
</p>

<p>
	Goldberg says that while the code worked and Soviet officials didn’t confiscate their music, they did interrogate all four travelers about what they planned to do while in the USSR. “We were brought into a room with a big burly guy who banged on the table and yelled at us,” remembers Goldberg, now a music education professor at California State University, San Marcos.
</p>

<p>
	 
</p>

<p>
	Musical note names span the letters A to G, so they don’t provide a full alphabet of options on their own. To create the code, Goldberg assigned letters of the alphabet to notes in the chromatic scale, a 12-tone scale that includes semi-tones (sharps and flats) to expand the possibilities. In some examples, Goldberg wrote only in one musical range, known as treble clef. In others, she expanded the register to be able to encode more letters and added a bass clef to extend the range of the musical scale. These details and variations also added verisimilitude to her encoded music. 
</p>

<p>
	 
</p>

<p>
	For numbers, Goldberg would simply write them between the staves, where sometimes you might see chord symbols. She also added other characteristics of composition, like rhythms (half notes, quarter notes, eighth notes, whole notes), key signatures, tempo markings, and articulation indicators like slurs and ties. Most of these were there to make the music look more legitimate, but some doubled as coded supplements to the letters hidden in the music notes. She even occasionally drew tiny diagrams that could be mistaken for charts to remind herself of where a meeting place was located or how to deliver something. 
</p>

<p>
	 
</p>

<p>
	While someone could technically have played the code as music, it would have sounded less like a tune and more like a cat walking across piano keys.
</p>

<p>
	 
</p>

<p>
	“I picked a note to start, and then I created the alphabet from there. Once you know it, it ends up being pretty easy to write things. I taught my friends on the trip the code, too,” Goldberg says. “We used it in order to take in people’s addresses and other information we would need to find them. And we coded things while we were there so we would be able to take out some information about people and their efforts to emigrate, as well as details we hoped could help other people ask to leave.”
</p>

<p>
	 
</p>

<p>
	The US musicians got their bearings in Moscow before heading to Tbilisi, the capital of Georgia. There and on their next stop in Yerevan, the capital of Armenia, they successfully met members of the Phantom Orchestra, many of whom spoke some English, and spent time getting to know each other, playing music together, and even staging small, impromptu concerts.
</p>

<p>
	 
</p>

<p>
	During eight days of travel, the musicians were tailed constantly by Soviet agents and were repeatedly stopped for questioning. Goldberg says that members of the Phantom Orchestra, all of whom faced similar treatment in their daily lives, gave her and her colleagues advice and encouragement. When the Americans would express concerns that their presence was endangering the activists, Goldberg says the Phantom Orchestra members were resolute about the importance of spending time together. She adds, though, that some of the activists were later arrested and even beaten, because of the interactions.
</p>

<p>
	 
</p>

<p>
	“On the second night, we were playing together and the KGB came in and everything got shut down. The electricity was turned off; it was a scary situation,” Goldberg says. “And yet, when we’re playing music no one can take away that sense of freedom and empowerment. Playing together and communicating with people through music is like nothing else. I was amazed by the strength it brought the people there. Music can be very comforting, but it also conveys a sense of feeling powerful.”
</p>

<p>
	 
</p>

<p>
	After their time in Yerevan, the American musicians had planned to go to Riga, the capital of Latvia, and then to Leningrad, now St. Petersburg in Russia. Finally, they were set to stop in Paris before returning to the United States. Instead, they were stopped and questioned again. The musicians were supposed to be placed under house arrest in Yerevan, but Goldberg says that Armenian officials bristled at the KGB intrusion and let them continue their trip. Eventually, though, the musicians were picked up and escorted back to Moscow, where Soviet agents confiscated their passports. Goldberg says the group was driven around Moscow for several hours, perhaps as a scare tactic, before finally being allowed to stay together in a dormitory room guarded by young Soviet men with machine guns.
</p>

<p>
	 
</p>

<p>
	<img alt="Coded-Music-Notation-Security-Articles.j" class="ipsImage" data-ratio="75.10" height="810" width="615" src="https://media.wired.com/photos/62a0db786a9716a842ad8615/master/w_1600,c_limit/Coded-Music-Notation-Security-Articles.jpg">
</p>

<p>
	Courtesy of Merryl Goldberg
</p>

<p>
	 
</p>

<p>
	“At that point, you’re thinking they’re going to take us to Siberia or something,” she says. “We were super freaked out. So we kept playing music for each other that night. And we played a beloved Russian folk tune, but out of tune, to annoy the young soldier outside our door. It gave us a sense of humor and empowerment.”
</p>

<p>
	 
</p>

<p>
	Finally, officials said the group would be deported to Sweden. They were heavily guarded and brought to a plane that had come from Sweden and was going to return without passengers. While officials searched their possessions again before letting them on the plane, no one ever flagged the sheet music. Goldberg points out that she even got the film from her camera back, perhaps thanks to a sympathizer.
</p>

<p>
	 
</p>

<p>
	“They were given no reason for their expulsion, and US officials are still waiting for information from the Soviet Foreign Ministry,” Reuters reported in a wire about the situation on May 31, 1985. “The spokesman said the expulsion appeared to be linked to their meeting with … Georgian dissidents.”
</p>

<p>
	 
</p>

<p>
	Goldberg says that while she later learned that some of the Soviet activists faced consequences for the visit, some of the people the musicians met on the trip were eventually able to permanently leave the USSR. She notes that while her musical code wouldn’t have been very difficult to crack if someone were focused on it, the obfuscation served its purpose, making it both an elegant and harmonious encryption scheme.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/merryl-goldberg-music-encryption-ussr-phantom-orchestra/" rel="external nofollow">How a Saxophonist Tricked the KGB by Encrypting Secrets in Music</a>
</p>

<p>
	 
</p>

<p>
	(May require free registration to view)
</p>
]]></description><guid isPermaLink="false">6378</guid><pubDate>Thu, 09 Jun 2022 05:04:28 +0000</pubDate></item><item><title>Microsoft Defender finally falters as it fails to woo AV-TEST in the latest rankings</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-defender-finally-falters-as-it-fails-to-woo-av-test-in-the-latest-rankings-r6365/</link><description><![CDATA[<p>
	Over the course of the last six months or so, Microsoft's in-house anti-malware solution Defender enjoyed a lot of praise from anti-virus assessment firm AV-TEST, because Defender was scoring full marks in the AV-TEST test suite. The program scored the full 18 marks in consecutive rankings for <a href="https://www.neowin.net/news/av-test-confirms-windows-defender-is-amongst-the-very-finest-antiviruses-you-get-in-2021/" rel="external nofollow">October 2021</a>, <a href="https://www.neowin.net/news/microsoft-defender-beats-out-several-heavyweight-rivals-in-the-latest-av-test-ranking/" rel="external nofollow">December 2021</a> and <a href="https://www.neowin.net/news/despite-no-wins-microsoft-defender-continues-to-dazzle-av-test-shows-latest-report/" rel="external nofollow">February 2022</a>. However, as the saying goes, all good things come to an end, and it looks like Defender's impressive run is finally over.
</p>

<p>
	 
</p>

<p>
	According to the latest anti-virus software ranking for home users released by AV-TEST, Defender scored a total of 17.5 points out of 18 and still managed to receive the TOP PRODUCT approval. While that doesn't sound too bad, many of Microsoft's major rivals continued to score the full 18 points.
</p>

<p>
	 
</p>

<p>
	In this round of ranking, Defender has lost 0.5 points in the Protection category. In case you're wondering, the three categories in AV-TEST's ranking are:
</p>

<p>
	 
</p>

<ul>
	<li>
		<p>
			Protection
		</p>
	</li>
	<li>
		<p>
			Performance
		</p>
	</li>
	<li>
		<p>
			Usability
		</p>
	</li>
</ul>

<p>
	You can view the full breakdown and scores of all 18 tested programs, including Defender, in the image below:
</p>

<p>
	 
</p>

<p>
	<img alt="1654705324_av-test_rank_apr_2022_story.j" class="ipsImage" data-ratio="75.10" height="540" width="703" src="https://cdn.neow.in/news/images/uploaded/2022/06/1654705324_av-test_rank_apr_2022_story.jpg">
</p>

<p>
	 
</p>

<p>
	The tests were run on Windows 10. You can find the full report <a href="https://www.av-test.org/en/antivirus/home-windows/" rel="external nofollow">at this link</a>.
</p>

<p>
	 
</p>

<p>
	Source and image: AV-TEST GmbH (<a href="https://twitter.com/avtestorg/status/1531565604175499264" rel="external nofollow">Twitter</a>)
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-defender-finally-falters-as-it-fails-to-woo-av-test-in-the-latest-rankings/" rel="external nofollow">Microsoft Defender finally falters as it fails to woo AV-TEST in the latest rankings</a>
</p>
]]></description><guid isPermaLink="false">6365</guid><pubDate>Wed, 08 Jun 2022 22:06:26 +0000</pubDate></item><item><title>Massive Facebook Messenger phishing operation generates millions</title><link>https://nsaneforums.com/news/security-privacy-news/massive-facebook-messenger-phishing-operation-generates-millions-r6364/</link><description><![CDATA[<p>
	Researchers have uncovered a large-scale phishing operation that abused Facebook and Messenger to lure millions of users to phishing pages, tricking them into entering their account credentials and then serving them advertisements.
</p>

<p>
	 
</p>

<p>
	The campaign operators used these stolen accounts to send further phishing messages to their friends, generating significant revenue via online advertising commissions.
</p>

<p>
	 
</p>

<p>
	According to PIXM, a New York-based AI-focused cybersecurity firm, the campaign peaked in April-May 2022 but has been active since at least September 2021.
</p>

<p>
	 
</p>

<p>
	PIXM was able to trace the threat actor and map the campaign because one of the identified phishing pages hosted a link to a traffic monitoring app (whos.amung.us) that was publicly accessible without authentication.
</p>

<h2>
	Massive scale of abuse
</h2>

<p>
	While it is unknown how the campaign initially started, PIXM states victims arrived at phishing landing pages from a series of redirects originating from Facebook Messenger.
</p>

<p>
	 
</p>

<p>
	As more Facebook accounts were stolen, the threat actors used automated tools to send further phishing links to the compromised account's friends, creating massive growth in stolen accounts.
</p>

<p>
	 
</p>

<p>
	"A user's account would be compromised and, in a likely automated fashion, the threat actor would log in to that account and send out the link to the user's friends via Facebook Messenger," <a href="https://pixmsecurity.com/blog/blog/phishing-tactics-how-a-threat-actor-stole-1m-credentials-in-4-months/" rel="external nofollow" target="_blank">explains PIXM in the report</a>.
</p>

<p>
	 
</p>

<p>
	While Facebook has protection measures to stop the dissemination of phishing URLs, the threat actors used a trick to bypass these protections.
</p>

<p>
	 
</p>

<p>
	The phishing messages used legitimate URL generation services such as litch.me, famous.co, amaze.co, and funnel-preview.com, which are difficult to block because legitimate apps also use them.
</p>

<p>
	 
</p>

<p>
	<img alt="list-of-URLs.png" class="ipsImage" data-ratio="75.10" height="447" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Tables/list-of-URLs.png">
</p>

<div>
	<div>
		Some of the URLs used in the phishing campaign (PIXM)
	</div>

	<p>
		 
	</p>
</div>

<p>
	After discovering that they could gain unauthenticated access to the phishing campaign stats pages, the researchers found that in 2021, 2.7 million users had visited one of the phishing portals. This figure went up to 8.5 million in 2022, reflecting the massive growth of the campaign.
</p>

<p>
	 
</p>

<p>
	<img alt="campaign-stats.png" class="ipsImage" data-ratio="75.10" height="540" width="710" src="https://www.bleepstatic.com/images/news/u/1220909/Diagrams/campaign-stats.png">
</p>

<div>
	<div>
		Snap from the dashboard of the exposed analytics service (PIXM)
	</div>

	<p>
		 
	</p>
</div>

<p>
	By diving deeper, the researchers identified 405 unique usernames used as campaign identifiers, each having a separate Facebook phishing page. These phishing pages had page views ranging from only 4,000 views to some in the millions, with one as high as 6 million page views.
</p>

<p>
	 
</p>

<p>
	<img alt="user-traffic.png" class="ipsImage" data-ratio="75.10" height="508" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Tables/user-traffic.png">
</p>

<div>
	<div>
		Sample of the identified dissemination users (PIXM)
	</div>

	<p>
		 
	</p>
</div>

<p>
	The researchers believe that these 405 usernames represent only a fraction of the accounts used for the campaign.
</p>

<p>
	 
</p>

<p>
	After the victim enters their credentials on the phishing landing page, a new round of redirections begins, taking them to advertising pages, survey forms, etc.
</p>

<p>
	 
</p>

<p>
	<img alt="ad-page.png" class="ipsImage" data-ratio="75.10" height="415" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Website%20snaps/ad-page.png">
</p>

<div>
	<div>
		One of the ads shown to phished users (PIXM)
	</div>

	<p>
		 
	</p>
</div>

<p>
	The threat actors receive referral revenue from these redirects, which at this scale of operation is estimated to amount to millions of USD.
</p>

<h2>
	Tracing the threat actor
</h2>

<p>
	PIXM found a common code snippet on all landing pages, which contained a reference to a website that has been seized and constitutes part of an investigation against a Colombian man identified as Rafael Dorado.
</p>

<p>
	 
</p>

<p>
	<img alt="notice(1).png" class="ipsImage" data-ratio="47.78" height="269" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Website%20snaps/notice(1).png">
</p>

<div>
	<div>
		Website belonging to the campaign operator
	</div>

	<p>
		 
	</p>
</div>

<p>
	It is unclear who seized the domain and placed the notice on the site.
</p>

<p>
	 
</p>

<p>
	A reverse whois lookup revealed links to a legitimate web development company in Colombia and old sites offering Facebook "like bots" and hacking services.
</p>

<p>
	 
</p>

<p>
	PIXM shared the results of its investigation with the Colombian Police and Interpol, but as they note, the campaign is still ongoing, even though many of the identified URLs have gone offline.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/massive-facebook-messenger-phishing-operation-generates-millions/" rel="external nofollow">Massive Facebook Messenger phishing operation generates millions</a>
</p>
]]></description><guid isPermaLink="false">6364</guid><pubDate>Wed, 08 Jun 2022 22:05:05 +0000</pubDate></item><item><title>Poisoned CCleaner search results spread information-stealing malware</title><link>https://nsaneforums.com/news/security-privacy-news/poisoned-ccleaner-search-results-spread-information-stealing-malware-r6363/</link><description><![CDATA[<p>
	Malware that steals your passwords, credit cards, and crypto wallets is being promoted through search results for a pirated copy of the CCleaner Pro Windows optimization program.
</p>

<p>
	 
</p>

<p>
	This new malware distribution campaign is dubbed “FakeCrack,” and was discovered by analysts at Avast, who report detecting an average of 10,000 infection attempts every day from its customer telemetry data. Most of these victims are based in France, Brazil, Indonesia, and India.
</p>

<p>
	 
</p>

<p>
	The malware distributed in this campaign is a powerful information stealer that can harvest personal data and cryptocurrency assets and route internet traffic through data-snatching proxies.
</p>

<h2>
	A Black Hat SEO campaign
</h2>

<p>
	The threat actors follow Black Hat SEO techniques to rank their malware-distribution websites high in Google Search results so that more people will be tricked into downloading laced executables.
</p>

<p>
	 
</p>

<p>
	The lure seen by Avast is a cracked version of CCleaner Professional, a popular Windows system cleaner and performance optimizer that is still considered a “must-have” utility by many users.
</p>

<p>
	 
</p>

<p>
	<img alt="seo.png" class="ipsImage" data-ratio="75.10" height="540" width="519" src="https://www.bleepstatic.com/images/news/u/1220909/Website%20snaps/seo.png">
</p>

<div>
	<div>
		Google Search results pointing to malicious sites (Avast)
	</div>

	<p>
		 
	</p>
</div>

<p>
	The poisoned search results take the victim through several websites that ultimately display a landing page offering a ZIP file download. This landing page is commonly hosted on a legitimate file hosting platform like filesend.jp or mediafire.com.
</p>

<p>
	 
</p>

<p>
	<img alt="download.png" class="ipsImage" data-ratio="75.10" height="390" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Website%20snaps/download.png">
</p>

<div>
	<div>
		Malware-distribution portal (Avast)
	</div>

	<p>
		 
	</p>
</div>

<p>
	The ZIP is password-protected using a weak PIN like “1234,” which is merely there to protect the payload from anti-virus detection.
</p>

<p>
	 
</p>

<p>
	The file inside the archive is usually named “setup.exe” or “cracksetup.exe,” but Avast has seen eight different executables used in this campaign.
</p>

<h2>
	A dangerous info-stealing malware
</h2>

<p>
	The malware that victims are tricked into installing attempts to steal information stored in web browsers, such as account passwords, saved credit cards, and cryptocurrency wallet credentials.
</p>

<p>
	 
</p>

<p>
	Additionally, it monitors the clipboard for copied wallet addresses and replaces them with addresses under the malware operators’ control to divert payments. This clipboard hijacking feature works with various cryptocurrency address formats, including those for Bitcoin, Ethereum, Cardano, Terra, Nano, Ronin, and Bitcoin Cash.
</p>

<p>
	 
</p>

<p>
	<img alt="clipboard.png" class="ipsImage" data-ratio="75.10" height="540" width="544" src="https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/clipboard.png">
</p>

<div>
	<p>
		Script monitoring the clipboard (Avast)
	</p>

	<p>
		 
	</p>
</div>

<p>
	The malware also uses proxies to steal cryptocurrency market account credentials through a man-in-the-middle attack that is very hard for the victim to detect.
</p>

<p>
	 
</p>

<p>
	“Attackers were able to set up an IP address to download a malicious Proxy Auto-Configuration script (PAC),” <a href="https://blog.avast.com/fakecrack-campaign" rel="external nofollow" target="_blank">explains Avast in the report</a>.
</p>

<p>
	 
</p>

<p>
	“By setting this IP address in the system, every time the victim accesses any of the listed domains, the traffic is redirected to a proxy server under the attacker’s control.”
</p>

<p>
	 
</p>

<p>
	This proxying mechanism is added via a new registry key in “HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings”.
</p>

<p>
	 
</p>

<p>
	Victims can disable it by navigating to Network &amp; internet on Windows Settings and switching the “Use a proxy server” option to Off.
</p>

<p>
	 
</p>

<p>
	The campaign is already widespread, and the infection rates are high, so avoid downloading cracked software from anywhere, even if the download sites rank high on Google Search.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/poisoned-ccleaner-search-results-spread-information-stealing-malware/" rel="external nofollow">Poisoned CCleaner search results spread information-stealing malware</a>
</p>
]]></description><guid isPermaLink="false">6363</guid><pubDate>Wed, 08 Jun 2022 22:02:18 +0000</pubDate></item><item><title>Surfshark, ExpressVPN pull out of India over data retention laws</title><link>https://nsaneforums.com/news/security-privacy-news/surfshark-expressvpn-pull-out-of-india-over-data-retention-laws-r6362/</link><description><![CDATA[<p>
	Surfshark announced today that it is shutting down its VPN (virtual private network) services in India in response to new requirements in the country that require all providers to keep customer logs for 180 days.
</p>

<p>
	 
</p>

<p>
	VPN services aim to provide privacy to internet users by encrypting their network traffic and hiding their actual IP addresses behind those assigned to servers hosted at providers worldwide. This allows customers to select a country of their choice and route their traffic, so it appears as if they are in that country.
</p>

<p>
	 
</p>

<p>
	Moreover, VPN providers commonly offer a no-logs policy, meaning that they do not log a customer's IP address, browsing history, timestamps, network traffic, or session information.
</p>

<p>
	 
</p>

<p>
	"In short, Surfshark VPN does not keep track of your online whereabouts or actions in any way. The VPN server only keeps enough data to keep your VPN connection going, and nothing of it is kept after you’re done," explains Surfshark's <a href="https://surfshark.com/features/no-logs" rel="external nofollow" target="_blank">no-logs policy</a>.
</p>

<p>
	 
</p>

<p>
	However, India’s new <a href="https://www.bleepingcomputer.com/news/security/india-to-require-cybersecurity-incident-reporting-within-six-hours/" target="_blank" rel="external nofollow">provisions added into section 70B</a> of the Information Technology (IT) Act, 2000, require VPN providers to abandon their core values by retaining usage details, allotted IP addresses, the purpose of using the services, user address, contact details, and more.
</p>

<p>
	 
</p>

<p>
	Surfshark says that India’s legal action is radical and harms the privacy of the country’s netizens instead of protecting it.
</p>

<p>
	 
</p>

<p>
	“Taking such radical action that highly impacts the privacy of millions of people living in India will most likely be counterproductive and strongly damage the sector’s growth in the country,” reads <a href="https://surfshark.com/blog/surfshark-servers-certin-india" rel="external nofollow" target="_blank">Surfshark’s announcement</a>.
</p>

<p>
	 
</p>

<p>
	“Ultimately, collecting excessive amounts of data within Indian jurisdiction without robust protection mechanisms could lead to even more breaches nationwide.”
</p>

<p>
	 
</p>

<p>
	The popular VPN vendor says it will instead set up virtual servers located in Singapore and London, but which still appear as if they are based in India.
</p>

<p>
	 
</p>


<p>
	 
</p>

<p>
	Surfshark promises that India-based users won’t notice any differences in using its VPN services, neither in speed nor website accessibility.
</p>

<h2>
	ExpressVPN already exited
</h2>

<p>
	ExpressVPN, one of the world’s largest VPN service providers, left the Indian market last week, refusing to comply with the new rules to keep user logs for extensive periods.
</p>

<p>
	 
</p>

<p>
	They, too, turned to the solution of virtual servers with Indian IP addresses, which won’t fall under Indian jurisdiction. In fact, they commented that this would make connections more reliable in many cases.
</p>

<p>
	 
</p>

<p>
	The vendor called out the Indian government for extreme measures and rebuked the authorities for leaving plenty of opportunities for abuse by the involved agencies.
</p>

<p>
	 
</p>

<p>
	“ExpressVPN refuses to participate in the Indian government’s attempts to limit internet freedom,” boldly declares <a href="https://www.expressvpn.com/blog/remove-india-vpn-servers/" rel="external nofollow" target="_blank">ExpressVPN’s announcement</a>.
</p>

<p>
	 
</p>

<p>
	“As a company focused on protecting privacy and freedom of expression online, we will continue to fight to keep users connected to the open and free internet with privacy and security, no matter where they are located.”
</p>

<p>
	 
</p>

<p>
	The changes to India’s law are sweeping, pushing VPNs outside the country, and more vendors will likely follow ExpressVPN and Surfshark.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedOther" contenteditable="false">
	<iframe allowfullscreen="" class="ipsEmbed_finishedLoading" data-controller="core.front.core.autosizeiframe" data-embedid="embed6486093398" scrolling="no" src="https://nsaneforums.com/index.php?app=core&amp;module=system&amp;controller=embed&amp;url=https://twitter.com/expressvpn/status/1532220649342545921?ref_src=twsrc%255Etfw%257Ctwcamp%255Etweetembed%257Ctwterm%255E1532220649342545921%257Ctwgr%255E%257Ctwcon%255Es1_%26ref_url=https://www.bleepingcomputer.com/news/legal/surfshark-expressvpn-pull-out-of-india-over-data-retention-laws/" style="overflow: hidden; height: 395px;"></iframe>
</div>

<p>
	 
</p>

<p>
	Other prominent players in the market are monitoring the situation and hope that their pleas for last-minute changes will be heard as the deadline for the new law entering into force approaches.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/legal/surfshark-expressvpn-pull-out-of-india-over-data-retention-laws/" rel="external nofollow">Surfshark, ExpressVPN pull out of India over data retention laws</a>
</p>
]]></description><guid isPermaLink="false">6362</guid><pubDate>Wed, 08 Jun 2022 21:59:49 +0000</pubDate></item><item><title>Gone in 130 seconds: New Tesla hack gives thieves their own personal key</title><link>https://nsaneforums.com/news/security-privacy-news/gone-in-130-seconds-new-tesla-hack-gives-thieves-their-own-personal-key-r6361/</link><description><![CDATA[<h3>
	You may want to think twice before giving the parking attendant your Tesla-issued NFC card.
</h3>

<p>
	 
</p>

<div itemprop="articleBody">
	
	<p>
		Last year, Tesla issued an update that made its vehicles easier to start after being unlocked with their NFC key cards. Now, a researcher has shown how the feature can be exploited to steal cars.
	</p>

	<p>
		 
	</p>

	<p>
		For years, drivers who used their Tesla NFC key card to unlock their cars had to place the card on the center console to begin driving. Following the update, which was <a href="https://driveteslacanada.ca/software-updates/tesla-updates-key-card-access-to-no-longer-require-placement-on-center-console-to-drive/" rel="external nofollow">reported here</a> last August, drivers could operate their cars immediately after unlocking them with the card. The NFC card is one of three means for unlocking a Tesla; a key fob and a phone app are the other two.
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="unlocking-a-tesla.jpg" class="ipsImage" data-ratio="75.10" height="355" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2022/06/unlocking-a-tesla.jpg">
	</p>

	<div>
		An image from Herfurt's recent presentation at the REcon conference in Montreal.
	</div>

	<div>
		<a href="https://trifinite.org/Downloads/20220604_tempa_presentation_recon22_public.pdf" ipsnoembed="false" rel="external nofollow">https://trifinite.org/Downloads/20220604_tempa_presentation_recon22_public.pdf</a>
	</div>

	<h2>
		Enrolling your own key
	</h2>

	<p>
		Martin Herfurt, a security researcher in Austria, quickly noticed something odd about the new feature: Not only did it allow the car to automatically start within 130 seconds of being unlocked with the NFC card, but it also put the car in a state to accept entirely new keys—with no authentication required and zero indication given by the in-car display.
	</p>

	<p>
		 
	</p>

	<p>
		“The authorization given in the 130-second interval is too general... [it’s] not only for drive,” Herfurt said in an online interview. “This timer has been introduced by Tesla… in order to make the use of the NFC card as a primary means of using the car more convenient. What should happen is that the car can be started and driven without the user having to use the key card a second time. The problem: within the 130-second period, not only the driving of the car is authorized, but also the [enrolling] of a new key.”
	</p>

	<p>
		 
	</p>

	<p>
		The official Tesla phone app doesn’t permit keys to be enrolled unless it’s connected to the owner’s account, but despite this, Herfurt found that the vehicle gladly exchanges messages with any Bluetooth Low Energy, or BLE, device that’s nearby. So the researcher built his own app, named <a href="https://www.teslakee.com/" rel="external nofollow">Teslakee</a>, that speaks <a href="https://teslamotorsclub.com/tmc/threads/tesla-bluetooth-low-energy-ble-api-documentation.245114/" rel="external nofollow">VCSec</a>, the same language that the official Tesla app uses to communicate with Tesla cars.
	</p>

	<p>
		 
	</p>

	<p>
		A malicious version of Teslakee that Herfurt designed for proof-of-concept purposes shows how easy it is for thieves to surreptitiously enroll their own key during the 130-second interval. (The researcher plans to release a benign version of Teslakee eventually that will make such attacks harder to carry out.) The attacker then uses the Teslakee app to exchange VCSec messages that enroll the new key.
	</p>

	<p>
		 
	</p>

	<p>
		All that’s required is to be within range of the car during the crucial 130-second window of it being unlocked with an NFC card. If a vehicle owner normally uses the phone app to unlock the car—by far the most <a href="https://twitter.com/TeslaRadar/status/1405775502816681987" rel="external nofollow">common unlocking method</a> for Teslas—the attacker can force the use of the NFC card by using a signal jammer to block the BLE frequency used by Tesla’s phone-as-a-key app.
	</p>

	<p>
		 
	</p>

	<p>
		This video demonstrates the attack in action:
	</p>

	<p>
		 
	</p>

	<div class="ipsEmbeddedVideo" contenteditable="false">
		<div>
			<iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen="" frameborder="0" height="113" src="https://nsaneforums.com/applications/core/interface/index.html" width="200" data-embed-src="https://www.youtube.com/embed/yfG4JS71eUY?feature=oembed"></iframe>
		</div>
	</div>

	<p>
		Gone in under 130 Seconds.
	</p>

	<p>
		 
	</p>

	<p>
		As the driver enters the car after unlocking it with an NFC card, the thief begins exchanging messages between the weaponized Teslakee and the car. Before the driver has even driven away, the messages enroll a key of the thief’s choice with the car. From then on, the thief can use the key to unlock, start, and turn off the car. There is no indication from the in-car display or the legitimate Tesla app that anything is amiss.
	</p>

	<p>
		 
	</p>

	<p>
		Herfurt has successfully used the attack on Tesla Models 3 and Y. He hasn’t tested the method on new 2021+ facelift models of the S and X, but he presumes they are also vulnerable because they use the same native support for phone-as-a-key with BLE.
	</p>

	<p>
		 
	</p>

	<p>
		Tesla didn’t respond to an email seeking comment for this post.
	</p>

	<div itemprop="articleBody">
		<h2>
			Parlez-vous VCSec?
		</h2>

		<p>
			The vulnerability is the result of the dual roles played by the NFC card. It not only opens a locked car and starts it; it's also used to authorize key management.
		</p>

		<p>
			Herfurt said:
		</p>

		<blockquote>
			<p>
				[The attack] exploits Tesla's way of handling the unlock process via NFC card. This works because Tesla's authorization method is broken. There is no connection between the online account world and the offline BLE world. Any attacker who can see the Bluetooth LE advertisements of a vehicle may send VCSEC messages to it. This would not work with the official app, [but] an app that is also able to speak the Tesla-specific BLE protocol… allows attackers to enroll keys for arbitrary vehicles. Teslakee will communicate with any vehicle if it is told to.
			</p>
		</blockquote>

		<p>
			Herfurt created Teslakee as part of <a href="https://trifinite.org/stuff/project_tempa/" rel="external nofollow">Project Tempa</a>, which “provides tools and information about the VCSEC protocol used by Tesla accessories and the Tesla app in order to control vehicles via Bluetooth LE.” Herfurt is a member of <a href="https://trifinite.org/" rel="external nofollow">Trifinite Group</a>, a research and hacker collective that focuses on BLE.
		</p>

		<p>
			 
		</p>

		<p>
			<img alt="vcsec-overview-640x319.jpg" class="ipsImage" data-ratio="49.84" height="319" width="640" src="https://cdn.arstechnica.net/wp-content/uploads/2022/06/vcsec-overview-640x319.jpg">
		</p>

		<div>
			Another slide from the REcon talk shows an overview of VCSec.
		</div>

		<div>
			<a href="https://trifinite.org/Downloads/20220604_tempa_presentation_recon22_public.pdf" ipsnoembed="false" rel="external nofollow">https://trifinite.org/Downloads/20220604_tempa_presentation_recon22_public.pdf</a>
		</div>

		<div>
			 
		</div>

		<p>
			The attack is technically easy enough to carry out, but the logistics of staking out an unattended vehicle, waiting for or forcing the owner to unlock it with an NFC card, and later catching up with the car and stealing it can be cumbersome. This method isn’t likely to be practical in many theft scenarios, but for some, it seems viable.
		</p>

		<p>
			 
		</p>

		<p>
			With Tesla maintaining radio silence on this weakness, there’s only so much that concerned owners can do. One countermeasure is to set up Pin2Drive to prevent thieves who use this method from starting a vehicle, but it will do nothing to prevent the thief from being able to enter the car when it’s locked. Another protection is to regularly check the list of keys authorized to unlock and start the car through a process Tesla calls "whitelisting." Tesla owners may want to perform this check after giving an NFC card to an untrusted mechanic or valet parking attendant.
		</p>

		<p>
			 
		</p>

		<p>
			Based on the lack of response Herfurt said he received from Tesla regarding vulnerabilities he uncovered in <a href="https://www.youtube.com/watch?v=Kr9FFXUiyac" rel="external nofollow">2019</a> and again <a href="https://trifinite.org/Downloads/20220518_tempa_presentation_csw22_public.pdf" rel="external nofollow">last year</a>, he’s not holding his breath that the company will address the issue.
		</p>

		<p>
			 
		</p>

		<p>
			“My impression was that they always already knew and would not really change stuff,” he said. “This time, there is no way that Tesla does not know about that poor implementation. So for me, there was no point in talking to Tesla beforehand.”
		</p>
	</div>

	<p>
		 
	</p>
</div>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/information-technology/2022/06/hackers-out-to-steal-a-tesla-can-create-their-very-own-personal-key/" rel="external nofollow">Gone in 130 seconds: New Tesla hack gives thieves their own personal key</a>
</p>
]]></description><guid isPermaLink="false">6361</guid><pubDate>Wed, 08 Jun 2022 21:57:01 +0000</pubDate></item><item><title>In a first, researchers use Bluetooth signals to identify and track smartphones</title><link>https://nsaneforums.com/news/security-privacy-news/in-a-first-researchers-use-bluetooth-signals-to-identify-and-track-smartphones-r6355/</link><description><![CDATA[<p>
	A team of engineers at the University of California San Diego has demonstrated for the first time that the Bluetooth signals emitted constantly by our mobile phones have a unique fingerprint that can be used to track individuals' movements.
</p>

<p>
	 
</p>

<p>
	Mobile devices, including phones, smartwatches and fitness trackers, constantly transmit signals, known as Bluetooth beacons, at a rate of roughly 500 beacons per minute. These beacons enable features like Apple's "Find My" lost device tracking service and COVID-19 tracing apps, and they connect smartphones to other devices such as wireless earphones.
</p>

<p>
	 
</p>

<p>
	Prior research has shown that wireless fingerprinting exists in WiFi and other wireless technologies. The critical insight of the UC San Diego team was that this form of tracking can also be done with Bluetooth, in a highly accurate way.
</p>

<p>
	 
</p>

<p>
	"This is important because in today's world Bluetooth poses a more significant threat as it is a frequent and constant wireless signal emitted from all our personal mobile devices," said Nishant Bhaskar, a Ph.D. student in the UC San Diego Department of Computer Science and Engineering and one of the paper's lead authors.
</p>

<p>
	 
</p>

<p>
	The team, which includes researchers from the Departments of Computer Science and Engineering and Electrical and Computer Engineering, presented its findings at the IEEE Security &amp; Privacy conference in Oakland, Calif., on May 24, 2022.
</p>

<p>
	 
</p>

<p>
	All wireless devices have small manufacturing imperfections in the hardware that are unique to each device. These fingerprints are an accidental byproduct of the manufacturing process. These imperfections in Bluetooth hardware result in unique distortions, which can be used as a fingerprint to track a specific device. For Bluetooth, this would allow an attacker to circumvent anti-tracking techniques such as constantly changing the address a mobile device uses to connect to Internet networks.
</p>

<p>
	 
</p>

<p>
	Tracking individual devices via Bluetooth is not straightforward. Prior fingerprinting techniques built for WiFi rely on the fact that WiFi signals include a long known sequence, called the preamble. But preambles for Bluetooth beacon signals are extremely short.
</p>

<p>
	 
</p>

<p>
	"The short duration gives an inaccurate fingerprint, making prior techniques not useful for Bluetooth tracking," said Hadi Givehchian, also a UC San Diego computer science Ph.D. student and a lead author on the paper.
</p>

<p>
	 
</p>

<p>
	Instead, the researchers designed a new method that doesn't rely on the preamble but looks at the whole Bluetooth signal. They developed an algorithm that estimates two different values found in Bluetooth signals. These values vary based on the defects in the Bluetooth hardware, giving researchers the device's unique fingerprint.
</p>

<p>
	 
</p>

<p>
	<strong>Real-world experiments</strong>
</p>

<p>
	 
</p>

<p>
	The researchers evaluated their tracking method through several real-world experiments. In the first experiment, they found 40% of 162 mobile devices seen in public areas, for example coffee shops, were uniquely identifiable. Next, they scaled up the experiment and observed 647 mobile devices in a public hallway across two days. The team found that 47% of these devices had unique fingerprints. Finally, the researchers demonstrated an actual tracking attack by fingerprinting and following a mobile device owned by a study volunteer as they walked in and out of their house.
</p>

<p>
	 
</p>

<p>
	<strong>Challenges</strong>
</p>

<p>
	 
</p>

<p>
	Although their finding is concerning, the researchers also discovered several challenges that an attacker will face in practice. Changes in ambient temperature, for example, can alter the Bluetooth fingerprint. Certain devices also send Bluetooth signals at different power levels, and this affects the distance at which these devices can be tracked.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="bluetooth-signals-can-1.jpg" class="ipsImage" data-ratio="71.09" height="364" width="512" src="https://scx1.b-cdn.net/csz/news/800a/2022/bluetooth-signals-can-1.jpg" />
</p>

<p style="text-align:center;">
	<span style="font-size:11px;"><em>Researchers were able to detect unique fingerprints for 47% of 647 devices. Credit: University of California San Diego</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Researchers also note that their method requires an attacker to have a high degree of expertise, so it is unlikely to be a widespread threat to the public today.
</p>

<p>
	 
</p>

<p>
	Despite the challenges, the researchers found that Bluetooth tracking is likely feasible for a large number of devices. It also does not require sophisticated equipment: the attack can be performed with equipment that costs less than $200.
</p>

<p>
	<br />
	<strong>Solutions and next steps</strong>
</p>

<p>
	 
</p>

<p>
	So how can the problem be fixed? Fundamentally, Bluetooth hardware would have to be redesigned and replaced. But the researchers believe that other, easier solutions can be found. The team is currently working on a way to hide the Bluetooth fingerprints via digital signal processing in the Bluetooth device firmware.
</p>

<p>
	 
</p>

<p>
	Researchers are also exploring whether the method they developed could be applied to other types of devices. "Every form of communication today is wireless, and at risk," said Dinesh Bharadia, a professor in the UC San Diego Department of Electrical and Computer Engineering and one of the paper's senior authors. "We are working to build hardware-level defenses to potential attacks."
</p>

<p>
	Researchers noticed that just disabling Bluetooth may not necessarily stop all phones from emitting Bluetooth beacons. For example, beacons are still emitted when turning off Bluetooth from the control center on the home screen of some Apple devices. "As far as we know, the only thing that definitely stops Bluetooth beacons is turning off your phone," Bhaskar said.
</p>

<p>
	 
</p>

<p>
	Researchers are careful to say that even though they can track individual devices, they are not able to obtain any information about the devices' owners. The study was reviewed by the campus' Internal Review Board and campus counsel.
</p>

<p>
	 
</p>

<p>
	"It's really the devices that are under scrutiny," said Aaron Schulman, a UC San Diego computer science professor and one of the paper's senior authors.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://techxplore.com/news/2022-06-bluetooth-track-smartphones.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">6355</guid><pubDate>Wed, 08 Jun 2022 15:04:16 +0000</pubDate></item><item><title>"DogWalk", another Microsoft-ignored MSDT vulnerability like Follina gets unofficial patch</title><link>https://nsaneforums.com/news/security-privacy-news/dogwalk-another-microsoft-ignored-msdt-vulnerability-like-follina-gets-unofficial-patch-r6353/</link><description><![CDATA[<p>
	Recently, a Microsoft Support Diagnostic Tool (MSDT) zero-day vulnerability dubbed "<span style="color:#2980b9;">Follina</span>" came to the surface when security researchers found it and the word got around thanks to the media. Microsoft apparently ignored the vulnerability as a non-security issue initially (via @CrazymanArmy on <span style="color:#2980b9;">Twitter</span>), though later, the company acknowledged the remote code execution (RCE) vulnerability and assigned the tracking ID <span style="color:#2980b9;">CVE-2022-30190</span> to it. While there was no official patch provided by Microsoft except for <span style="color:#2980b9;">steps to disable the MSDT</span>, a micropatch was released by the 0patch team that you can download from the link on its <span style="color:#2980b9;">official blog post here</span>.
</p>

<p>
	 
</p>

<p>
	Following Follina, another zero-day threat, first reported two years ago, has come to the surface, and like Follina, this one too has apparently been ignored by Microsoft, since the company deemed it as not meeting the "requirement immediate service" bar.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedOther">
	<iframe allowfullscreen="" data-controller="core.front.core.autosizeiframe" data-embedid="embed826156300" scrolling="no" src="https://nsaneforums.com/index.php?app=core&amp;module=system&amp;controller=embed&amp;url=https://twitter.com/j00sean/status/1534124426874261504?ref_src=twsrc%255Etfw%257Ctwcamp%255Etweetembed%257Ctwterm%255E1534124426874261504%257Ctwgr%255E%257Ctwcon%255Es1_%26ref_url=https://www.neowin.net/news/dogwalk-another-microsoft-ignored-msdt-vulnerability-like-follina-gets-unofficial-patch/" style="height:690px;"></iframe>
</div>

<p>
	 
</p>

<p>
	This vulnerability, which doesn't have a tracking ID or CVE yet, has been named "DogWalk". It has been found to be a path traversal vulnerability that lands a payload in the Windows Startup folder location:
</p>

<p>
	 
</p>

<p>
	<span style="color:#2980b9;">C:\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup</span>
</p>

<p>
	<br />
	This means the malware is executed the next time the user logs into their system. The downloaded diagcab file carries a Mark of the Web (MOTW), but MSDT ignores the warning and runs it anyway, leaving users vulnerable to this potential exploit.
</p>

<p>
	 
</p>

<p>
	The micropatch by 0patch is a simple one, just 11 instructions long, which basically blocks this MSDT file from running. And like the Follina micropatch, it is available for the following Windows versions:
</p>

<p>
	 
</p>

<ul>
	<li style="margin-left:40px;">
		<em>Windows 11 21H2</em>
	</li>
	<li style="margin-left:40px;">
		<em>Windows 10 21H2</em>
	</li>
	<li style="margin-left:40px;">
		<em>Windows 10 21H1</em>
	</li>
	<li style="margin-left:40px;">
		<em>Windows 10 20H2</em>
	</li>
	<li style="margin-left:40px;">
		<em>Windows 10 2004</em>
	</li>
	<li style="margin-left:40px;">
		<em>Windows 10 1909</em>
	</li>
	<li style="margin-left:40px;">
		<em>Windows 10 1903</em>
	</li>
	<li style="margin-left:40px;">
		<em>Windows 10 1809</em>
	</li>
	<li style="margin-left:40px;">
		<em>Windows 10 1803</em>
	</li>
	<li style="margin-left:40px;">
		<em>Windows 7</em>
	</li>
	<li style="margin-left:40px;">
		<em>Windows Server 2008 R2</em>
	</li>
	<li style="margin-left:40px;">
		<em>Windows Server 2012</em>
	</li>
	<li style="margin-left:40px;">
		<em>Windows Server 2012 R2</em>
	</li>
	<li style="margin-left:40px;">
		<em>Windows Server 2016</em>
	</li>
	<li style="margin-left:40px;">
		<em>Windows Server 2019</em>
	</li>
	<li style="margin-left:40px;">
		<em>Windows Server 2022</em>
	</li>
</ul>

<p>
	 
</p>

<p>
	To download the micropatch, head over to 0patch's official blog post <a href="https://blog.0patch.com/2022/06/microsoft-diagnostic-tools-dogwalk.html" rel="external nofollow">linked here</a>. You can also find more technical details in that article.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.neowin.net/news/dogwalk-another-microsoft-ignored-msdt-vulnerability-like-follina-gets-unofficial-patch/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">6353</guid><pubDate>Thu, 01 Jan 1970 00:00:00 +0000</pubDate></item><item><title>U.S. Agencies Warn About Chinese Hackers Targeting Telecoms and Network Service Providers</title><link>https://nsaneforums.com/news/security-privacy-news/us-agencies-warn-about-chinese-hackers-targeting-telecoms-and-network-service-providers-r6351/</link><description><![CDATA[<p>
	U.S. cybersecurity and intelligence agencies have <span style="color:#2980b9;">warned</span> about China-based state-sponsored cyber actors leveraging network vulnerabilities to exploit public and private sector organizations since at least 2020.
</p>

<p>
	 
</p>

<p>
	The widespread intrusion campaigns aim to exploit publicly identified security flaws in network devices such as Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices with the goal of gaining deeper access to victim networks.
</p>

<p>
	 
</p>

<p>
	In addition, the actors used these compromised devices to route command-and-control (C2) traffic to break into other targets at scale, the U.S. National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) <span style="color:#2980b9;">said</span> in a joint advisory.
</p>

<p>
	 
</p>

<p>
	The perpetrators, besides shifting their tactics in response to public disclosures, are known to employ a mix of open-source and custom tools for reconnaissance and vulnerability scanning as well as to obscure and blend their activity.
</p>

<p>
	 
</p>

<p>
	The attacks themselves are facilitated by accessing compromised servers, which the agencies call hop points, from China-based IP addresses, and using them to host C2 domains and email accounts and to communicate with the target networks.
</p>

<p>
	 
</p>

<p>
	"Cyber actors use these hop points as an obfuscation technique when interacting with victim networks," the agencies noted, detailing the adversary's pattern of weaponizing flaws in telecommunications organizations and network service providers.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="network.jpg" class="ipsImage" data-ratio="62.78" height="447" width="720" src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEg-JaHtOelkNBcZRuoDLFOhjQC-FI9CTPaQupli38VCC8wmrA5Hi8xmlb8jbS1xLoJ4Wg-IAWd-r2EmolicUyK2G8Y3LOuMuoYWBQMCRyJFIs6oHrpaBSzYshPnYPOcIrJdPMYlnsEop-ORov6M0LuV-q7A5X1YTSMTDIQTDG8RephTTJdVna-1yjBf/s728-e100/network.jpg" />
</p>

<p>
	 
</p>

<p>
	Upon gaining a foothold into the network via an unpatched internet-facing asset, the actors have been observed obtaining credentials for user and administrative accounts, followed by running router commands to "surreptitiously route, capture, and exfiltrate traffic out of the network to actor-controlled infrastructure."
</p>

<p>
	 
</p>

<p>
	Last but not least, the attackers also modified or removed local log files to erase evidence of their activity to further conceal their presence and evade detection.
</p>

<p>
	 
</p>

<p>
	The agencies did not single out a specific threat actor, but noted that the findings reflect Chinese state-sponsored groups' <span style="color:#2980b9;">history </span>of <span style="color:#2980b9;">aggressively striking</span> critical infrastructure to steal sensitive data, emerging key technologies, intellectual property, and personally identifiable information.
</p>

<p>
	 
</p>

<p>
	The disclosure also arrives less than a month after the cybersecurity authorities <span style="color:#2980b9;">revealed</span> the most routinely exploited initial access vectors to breach targets, some of which include misconfigured servers, weak password controls, unpatched software, and failure to block phishing attempts.
</p>

<p>
	 
</p>

<p>
	"Entities can mitigate the vulnerabilities listed in this advisory by applying the available patches to their systems, replacing end-of-life infrastructure, and implementing a centralized patch management program," the agencies said.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2022/06/us-agencies-warn-about-chinese-hackers.html" rel="external nofollow">Source</a></strong>
</p>

<p>
	 
</p>

<p>
	<em>Also: <a href="https://www.pcmag.com/news/china-is-still-busy-hacking-into-carrier-networks-to-spy-on-users-us-warns" rel="external nofollow">China Is Still Busy Hacking Into Carrier Networks to Spy on Users, US Warns</a>.</em>
</p>
]]></description><guid isPermaLink="false">6351</guid><pubDate>Wed, 08 Jun 2022 14:03:51 +0000</pubDate></item><item><title>Apple Just Killed the Password&#x2014;for Real This Time</title><link>https://nsaneforums.com/news/security-privacy-news/apple-just-killed-the-password%E2%80%94for-real-this-time-r6337/</link><description><![CDATA[<p>
	Your passwords are terrible. <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://nordpass.com/most-common-passwords-list/"}' data-offer-url="https://nordpass.com/most-common-passwords-list/" href="https://nordpass.com/most-common-passwords-list/" rel="external nofollow" target="_blank">Year</a> <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://nordpass.com/json-data/top-worst-passwords/pdfs/worst-passwords-2020.pdf"}' data-offer-url="https://nordpass.com/json-data/top-worst-passwords/pdfs/worst-passwords-2020.pdf" href="https://nordpass.com/json-data/top-worst-passwords/pdfs/worst-passwords-2020.pdf" rel="external nofollow" target="_blank">after</a> <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://nordpass.com/blog/top-worst-passwords-2019/"}' data-offer-url="https://nordpass.com/blog/top-worst-passwords-2019/" href="https://nordpass.com/blog/top-worst-passwords-2019/" rel="external nofollow" target="_blank">year</a>, the most popular passwords leaked in data breaches are 123456, 123456789, and 12345—‘qwerty’ and ‘password’ come close behind—and using these weak passwords leaves you vulnerable to <a href="https://www.wired.com/story/what-is-credential-stuffing/" rel="external nofollow">all sorts</a> <a href="https://www.wired.com/story/how-to-prevent-getting-hacked/" rel="external nofollow">of hacking</a>. Weak and repeated passwords are one of the most significant risks to your online life.
</p>

<p>
	 
</p>

<p>
	For years, we’ve been promised a more secure, password-free future, but it seems like 2022 will actually be the year that millions of people start to move away from passwords. At <a href="https://www.wired.com/story/wwdc-2022-everything-apple-announced/" rel="external nofollow">Apple’s Worldwide Developer Conference</a> yesterday, the company announced it will launch passwordless logins across Macs, iPhones, iPads, and Apple TVs around September of this year. Instead of using passwords, you will be able to log in to websites and apps using “Passkeys” with <a href="https://www.wired.com/story/apple-iphone-ios-16-ipados-16-new-features/" rel="external nofollow">iOS 16</a> and <a href="https://www.wired.com/story/apple-ventura-macos-13-preview/" rel="external nofollow">macOS Ventura</a>. It’s the first major real-world shift to password elimination.
</p>

<p>
	 
</p>

<p>
	So how does it work? Passkeys replace your tired old passwords by creating new digital keys using Touch ID or Face ID, Apple’s vice president of internet technologies, Darin Adler, explained at WWDC. When you are creating an online account with a website, you can use a Passkey instead of a password. “To create a Passkey, just use Touch ID or Face ID to authenticate, and you’re done,” Adler said.
</p>

<p>
	 
</p>

<p>
	When you go to log in to that website again, Passkeys allow you to prove who you are by using your biometrics rather than typing in a passphrase (or having your password manager enter it for you). When signing in to a website on a Mac, a prompt will appear on your iPhone or iPad to verify your identity. Apple says its Passkeys will sync across your devices using iCloud’s Keychain, and the Passkeys are stored on your devices rather than on servers. (The use of iCloud Keychain should also solve the problem of losing or breaking your linked devices.) Under the hood, Apple’s Passkeys are based on the Web Authentication API (WebAuthn) and are end-to-end encrypted so nobody can read them, including Apple. The system for creating Passkeys uses public-private key authentication to <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication"}' data-offer-url="https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication" href="https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication" rel="external nofollow" target="_blank">prove you are who you say you are</a>.
</p>

<p>
	 
</p>

<p>
	A passwordless system would be a significant step forward for most people’s online security. As well as eliminating guessable passwords, removing passwords reduces the likelihood of successful <a href="https://www.wired.com/2015/04/hacker-lexicon-spear-phishing/" rel="external nofollow">phishing attacks</a>. And passwords can’t be stolen in data breaches if they don't exist in the first place. (Some apps and websites already allow people to log in using their fingerprints or using face recognition, but these usually require you to first create an account with a password.)
</p>

<p>
	 
</p>

<p>
	Apple’s Passkeys aren’t entirely new—the company <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://developer.apple.com/videos/play/wwdc2021/10106/"}' data-offer-url="https://developer.apple.com/videos/play/wwdc2021/10106/" href="https://developer.apple.com/videos/play/wwdc2021/10106/" rel="external nofollow" target="_blank">first detailed them at 2021’s WWDC</a> and started testing them shortly after—and Apple isn’t the only one that wants to eliminate passwords. The <a href="https://www.wired.com/story/fido-alliance-ios-android-password-replacement/" rel="external nofollow">FIDO Alliance, a tech industry group, has been working on the underlying standards</a> needed to ditch passwords for almost a decade, and Apple’s Passkeys are the company’s implementation of these standards.
</p>

<p>
	 
</p>

<p>
	In recent months, FIDO has taken a series of important steps to bring the password’s demise closer to reality. In March, FIDO announced it has figured out a way to <a href="https://www.wired.com/story/fido-alliance-ios-android-password-replacement/" rel="external nofollow">store the cryptographic keys</a> that sync between people’s devices, calling them “multi-device FIDO credentials” or “passkeys.”
</p>

<p>
	 
</p>

<p>
	This was followed in May by Apple, Microsoft, and Google <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://fidoalliance.org/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard-to-accelerate-availability-of-passwordless-sign-ins/"}' data-offer-url="https://fidoalliance.org/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard-to-accelerate-availability-of-passwordless-sign-ins/" href="https://fidoalliance.org/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard-to-accelerate-availability-of-passwordless-sign-ins/" rel="external nofollow" target="_blank">declaring</a> their support for the FIDO standards. Jen Easterly, the director of the US Cybersecurity and Infrastructure Security Agency, said adoption of the standards would keep more people safe online. At the time, the three tech giants said they would start rolling out the technology “over the course of the coming year.” Microsoft account owners have been able to <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://techcommunity.microsoft.com/t5/azure-active-directory-identity/introducing-password-removal-for-microsoft-accounts/ba-p/2747280"}' data-offer-url="https://techcommunity.microsoft.com/t5/azure-active-directory-identity/introducing-password-removal-for-microsoft-accounts/ba-p/2747280" href="https://techcommunity.microsoft.com/t5/azure-active-directory-identity/introducing-password-removal-for-microsoft-accounts/ba-p/2747280" rel="external nofollow" target="_blank">ditch their passwords since September of last year</a>, and Google has been working on its <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://blog.google/technology/safety-security/one-step-closer-to-a-passwordless-future/"}' data-offer-url="https://blog.google/technology/safety-security/one-step-closer-to-a-passwordless-future/" href="https://blog.google/technology/safety-security/one-step-closer-to-a-passwordless-future/" rel="external nofollow" target="_blank">passwordless technology since 2008</a>.
</p>

<p>
	 
</p>

<p>
	When all the tech companies have rolled out their version of passkeys, it should be possible for the system to work across different devices—in theory, you could use your iPhone to log in to a Windows laptop, or an Android tablet to log in to a website in Microsoft’s Edge Browser. “All of FIDO’s specs have been developed collaboratively, with inputs from hundreds of companies,” says Andrew Shikiar, the executive director of the FIDO Alliance. Shikiar confirms that Apple is the first company to start rolling out passkey-style technology and says this shows “how tangible this approach will soon be for consumers worldwide.”
</p>

<p>
	 
</p>

<p>
	Any success for a passwordless future depends on <a href="https://www.wired.com/story/fido-alliance-ios-android-password-replacement/" rel="external nofollow">how it works in reality</a>. At the moment, there are <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.fastcompany.com/90755838/theres-a-big-problem-with-apple-and-googles-plans-to-nix-passwords"}' data-offer-url="https://www.fastcompany.com/90755838/theres-a-big-problem-with-apple-and-googles-plans-to-nix-passwords" href="https://www.fastcompany.com/90755838/theres-a-big-problem-with-apple-and-googles-plans-to-nix-passwords" rel="external nofollow" target="_blank">unanswered questions</a> about what happens to your Passkeys if you want to ditch Apple’s ecosystem for Android or another platform. (Apple hasn’t yet responded to our request for comment.) And developers still need to implement changes to their apps and websites to work with Passkeys. Plus, to gain trust in any system, people need to be educated about how it works. “Any viable solution must be safer, easier, and faster than the passwords and legacy multi-factor authentication methods used today,” Alex Simons, the head of Microsoft’s identity management efforts, said in May. In short: If cross-device systems are clunky or a pain to use, people may shun them in favor of weak but convenient passwords.
</p>

<p>
	 
</p>

<p>
	While Apple’s Passkey and Google and Microsoft’s equivalents are still some months away (at the very least), that doesn’t mean you should idly keep using your weak or repeated passwords. Every password you use—whether it’s for a one-time account used to buy DIY supplies or your Facebook account—should be strong and unique. Don’t use common phrases, names of friends or pets, or personal information linked to you in your passwords.
</p>

<p>
	 
</p>

<p>
	Instead, your passwords should be long and strong. The best way to achieve this is by using a password manager, which can help you create and store better passwords. You can find our pick of the <a href="https://www.wired.com/story/best-password-managers/" rel="external nofollow">best password managers here</a>. And while you’re thinking about your security, <a href="https://www.wired.com/story/protect-accounts-two-factor-authentication/" rel="external nofollow">turn on multi-factor authentication for as many accounts as possible</a>.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/apple-passkeys-password-ios16-ventura/" rel="external nofollow">Apple Just Killed the Password—for Real This Time</a>
</p>

<p>
	 
</p>

<p>
	(May require free registration to view)
</p>
]]></description><guid isPermaLink="false">6337</guid><pubDate>Tue, 07 Jun 2022 22:13:21 +0000</pubDate></item><item><title>Italian city of Palermo shuts down all systems to fend off cyberattack</title><link>https://nsaneforums.com/news/security-privacy-news/italian-city-of-palermo-shuts-down-all-systems-to-fend-off-cyberattack-r6305/</link><description><![CDATA[<p>
	The municipality of Palermo in Southern Italy suffered a cyberattack on Friday, which appears to have had a massive impact on a broad range of operations and services to both citizens and visiting tourists.
</p>

<p>
	 
</p>

<p>
	Palermo is home to about 1.3 million people, the fifth most populous city in Italy. The area is visited by another 2.3 million tourists every year.
</p>

<p>
	 
</p>

<p>
	Although local IT experts have been trying to restore the systems for the past three days, all services, public websites, and online portals <a href="https://palermo.gds.it/articoli/cronaca/2022/06/05/attacco-hacker-al-comune-di-palermo-sistema-ancora-in-tilt-comunicazioni-con-i-fax-eacc0bd7-6a04-4a32-ad4d-1115a99dc2b6/" rel="external nofollow" target="_blank">remain offline</a>.
</p>

<p>
	 
</p>

<p>
	According to multiple local media outlets, the impacted systems include the public video surveillance management, the municipal police operations center, and all of the municipality’s services.
</p>

<p>
	 
</p>

<p>
	It’s impossible to communicate or request any service that relies on digital systems, and all citizens have to use obsolete fax machines to reach public offices.
</p>

<p>
	 
</p>

<p>
	Moreover, tourists cannot access online bookings for tickets to museums and theaters (Massimo Theater) or even confirm their reservations on sports facilities.
</p>

<p>
	 
</p>

<p>
	Finally, limited traffic zone cards are impossible to acquire, so no regulation occurs, and no fines are issued for relevant violations. Unfortunately, the historical city center requires these passes for entrance, so tourists and local residents are severely impacted.
</p>

<h2>
	Ransomware or DDoS?
</h2>

<p>
	Italy recently <a href="https://www.bleepingcomputer.com/news/security/italy-warns-organizations-to-brace-for-incoming-ddos-attacks/" target="_blank" rel="external nofollow">received threats</a> from Killnet, a pro-Russian hacktivist group that <a href="https://www.bleepingcomputer.com/news/security/russian-hacktivists-launch-ddos-attacks-on-romanian-govt-sites/" target="_blank" rel="external nofollow">attacks countries that support Ukraine</a> with resource-depleting cyberattacks <a href="https://www.bleepingcomputer.com/news/security/italian-cert-hacktivists-hit-govt-sites-in-slow-http-ddos-attacks/" target="_blank" rel="external nofollow">known as DDoS</a> (distributed denial of service).
</p>

<p>
	 
</p>

<p>
	While some were quick to point the finger at Killnet, the cyberattack on Palermo bears the signs of a ransomware attack rather than a DDoS.
</p>

<p>
	 
</p>

<p>
	The councilor for innovation in the municipality of Palermo, Paolo Petralia Camassa, <a href="https://www.cybersecurity360.it/nuove-minacce/comune-di-palermo-sotto-attacco-servizi-indisponibili-situazione-seria/" rel="external nofollow" target="_blank">has stated</a> that all systems were cautiously shut down and isolated from the network while he also warned that the outage might last for a while.
</p>

<p>
	 
</p>

<p>
	This is a typical response to a ransomware attack, with networks being taken offline to prevent the malware from spreading to more computers and encrypting files.
</p>

<p>
	 
</p>

<p>
	If this cyberattack turns out to be ransomware, the gang responsible for it might have managed to steal data to conduct double-extortion, which commonly accompanies these attacks.
</p>

<p>
	 
</p>

<p>
	In that case, Palermo could face the prospect of a severe data breach affecting a large number of individuals and potentially also incurring fines for GDPR violations.
</p>

<p>
	 
</p>

<p>
	Bleeping Computer has reached out to the company that responded to the incident and currently performs the IT services restoration, SISPI, and we will update this post as soon as we receive a response.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/italian-city-of-palermo-shuts-down-all-systems-to-fend-off-cyberattack/" rel="external nofollow">Italian city of Palermo shuts down all systems to fend off cyberattack</a>
</p>
]]></description><guid isPermaLink="false">6305</guid><pubDate>Mon, 06 Jun 2022 20:58:29 +0000</pubDate></item><item><title>AlphaBay Is Taking Over the Dark Web&#x2014;Again</title><link>https://nsaneforums.com/news/security-privacy-news/alphabay-is-taking-over-the-dark-web%E2%80%94again-r6304/</link><description><![CDATA[<p>
	For years, dark web markets and the law enforcement agencies that combat them have been locked into a cycle of raid, rinse, repeat: For every online black market destroyed, another has always been there to take its place. But rarely has a dominant dark web market been busted by a massive law enforcement operation only to rise from the ashes half a decade later and regain its top spot—a feat that may very soon be achieved by AlphaBay, the once and future king of the contraband crypto-economy.
</p>

<p>
	 
</p>

<p>
	In July of 2017, a global law enforcement sting known as <a href="https://www.wired.com/story/alphabay-hansa-takedown-dark-web-trap/" rel="external nofollow">Operation Bayonet</a> took down AlphaBay’s sprawling narcotics-and-cybercrime bazaar, seizing the site’s central server in Lithuania and arresting its creator, Alexandre Cazes, outside his home in Bangkok. Yet in August of last year, AlphaBay’s number-two administrator and security specialist, publicly known only as DeSnake, suddenly reappeared, announcing AlphaBay’s resurrection in a new and improved form. Now, 10 months later, thanks in part to a tumult of takedowns and the mysterious disappearances of competing dark web markets, DeSnake’s reincarnated AlphaBay is well on its way to its former heights atop the digital underworld. By some measures, it appears to have already regained that spot.
</p>

<p>
	 
</p>

<p>
	“Yes, AlphaBay is the #1 darknet marketplace right now,” says DeSnake, writing to WIRED in a text-based conversation last week. “I did tell you we were going to be #1 before,” he added, referring to <a href="https://www.wired.com/story/alphabay-desnake-dark-web-interview/" rel="external nofollow">our interview with AlphaBay’s new admin at the time of its relaunch last summer</a>. “As I have told you, I do what I say.”
</p>

<p>
	 
</p>

<p>
	DeSnake’s boast is at least partly true: As of last week, AlphaBay had more than 30,000 unique product listings—largely drugs, from ecstasy to opioids to methamphetamines—but also thousands of listings for malware and stolen data, like Social Security numbers and credit card details. That’s up from a mere 500 listings in September of last year. Another older market called ASAP displays more than 50,000 listings. But ASAP is known to allow vendors to post duplicate listings. And according to security firm Flashpoint, which closely tracks the competing markets, AlphaBay had more than 1,300 active vendors in roughly the first six months of this year, compared to about 1,000 for ASAP. According to Flashpoint’s data, AlphaBay’s listings also appear to be growing significantly faster.
</p>

<p>
	 
</p>

<p>
	Other markets touted in dark web forums like Archetyp and Incognito, meanwhile, have only a few thousand or just a few hundred listings. All of that suggests AlphaBay may already be the most popular market for dark web vendors to list their wares for sale.
</p>

<p>
	 
</p>

<p>
	AlphaBay’s tens of thousands of product listings are still a tiny fraction of the more than 350,000 it offered before its 2017 takedown, when it was the biggest dark web market ever seen. By the FBI’s estimate, it was 10 times the size of the legendary <a href="https://www.wired.com/tag/silk-road/" rel="external nofollow">Silk Road drug market</a>. DeSnake concedes that the new AlphaBay's revenue hasn’t yet come close to the level of its 2017 peak, when blockchain analysis firm Chainalysis estimates that AlphaBay generated as much as $2 million a day in sales. (DeSnake declined to share current sales numbers but said they are “in the big digits.”)
</p>

<p>
	 
</p>

<p>
	Also, unlike most competitors, the new version of AlphaBay only allows users to buy and sell in the privacy-focused cryptocurrency Monero, not Bitcoin, transactions of which can often be <a href="https://www.wired.com/story/tracers-in-the-dark-welcome-to-video-crypto-anonymity-myth/" rel="external nofollow">tracked through blockchain surveillance</a>. That makes the site’s sales difficult to measure and may mean it has fewer sales per listing, since many users prefer to trade in Bitcoin.
</p>

<p>
	 
</p>

<p>
	But even accounting for that difference and other unknowns in a side-by-side analysis of dark web markets, AlphaBay appears to be the leading marketplace, or will be soon, says Ian Gray, a dark web-focused analyst at security firm Flashpoint. “The writing is on the wall that AlphaBay is probably going to regain that spot as the most popular marketplace,” says Gray, “And it already seems like it’s the biggest in terms of volume of vendors.”
</p>

<p>
	 
</p>


<p>
	AlphaBay’s quick growth—or regrowth—has been fueled in part by what Gray calls “the Great Cyber Resignation.” At least 10 dark web markets have dropped offline for various reasons in the last 18 months. Some have been busted by law enforcement, like Dark Market, which was the <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.europol.europa.eu/media-press/newsroom/news/darkmarket-worlds-largest-illegal-dark-web-marketplace-taken-down"}' data-offer-url="https://www.europol.europa.eu/media-press/newsroom/news/darkmarket-worlds-largest-illegal-dark-web-marketplace-taken-down" href="https://www.europol.europa.eu/media-press/newsroom/news/darkmarket-worlds-largest-illegal-dark-web-marketplace-taken-down" rel="external nofollow" target="_blank">target of a Europol-led takedown operation early last year</a>; or Hydra, the massive Russian-language drug and money-laundering market whose <a href="https://www.wired.com/story/hydra-market-shutdown/" rel="external nofollow">servers were seized in a law enforcement raid in April</a>. Others, like Dark0de and World Market, are believed to have pulled “exit scams,” disappearing suddenly with their users’ money. Still others, like Cannazon and White House Market, staged more considerate and organized exits, giving users time to pull out any funds held on the sites.
</p>

<p>
	 
</p>

<p>
	<img alt="Flashpointdnmactivity.PNG" class="ipsImage" data-ratio="75.10" height="540" width="631" src="https://media.wired.com/photos/629d329a1d7f3a893ad08fe1/master/w_1600,c_limit/Flashpointdnmactivity.PNG">
</p>

<p>
	Dark web market product listing data shows how the new AlphaBay market has survived a mass exodus of competitors. (Data does not include ASAP data for the last two days of the analyzed time period.)
</p>

<p>
	Flashpoint
</p>

<p>
	 
</p>

<p>
	Until late May, that left a site called Versus as the last leading market standing. But then, just two weeks ago, DeSnake published a post on the dark web market forum Dread with evidence that pointed to a security vulnerability in Versus—provided to him, DeSnake claimed, by a user named “threesixty”—that exposed Versus’ IP address, potentially leaving its users vulnerable to hackers or law enforcement. “Both threesixty and myself have the best intentions,” DeSnake wrote in his post. “We hope to have a fruitful conversation about security on marketplaces.”
</p>

<p>
	 
</p>

<p>
	Versus responded by immediately announcing its retirement. “We will say that there was a clear agenda behind the way this was originally handled,” wrote the site’s administrator, who went by the name William Gibson, “but we leave you to draw your own conclusions.”
</p>

<p>
	 
</p>

<p>
	DeSnake, meanwhile, maintained both on Dread and to WIRED that he doesn’t have any personal or professional connection to threesixty, the hacker whose vulnerability discovery took down AlphaBay's largest remaining competitor. “We handled it the best possible way, due to the severity of the issue,” DeSnake says.
</p>

<p>
	 
</p>

<p>
	Aside from the circumstances around Versus’ exit, the recently dwindling number of dark web markets is perhaps due to the generally hostile environment they face, says Flashpoint’s Ian Gray. Markets are often under bombardment from distributed denial of service attacks launched by competitors using waves of junk traffic to knock them offline and have to deal with constant disputes among buyers and sellers. Market administrators also feel the ever-present threat of law enforcement looming in the background. All of this incentivizes a take-the-money-and-run approach for any dark web administrator who achieves a certain level of success—and has allowed DeSnake, who appears to be more ambitious and persistent in his goals, to elevate AlphaBay back to the top. “With all these other shutdowns, you have so few players in the space,” says Gray. “There’s really only one that’s fairly well established, and that’s AlphaBay.”
</p>

<p>
	 
</p>

<p>
	When AlphaBay first reappeared, Gray and other dark web analysts and users expressed suspicion that DeSnake might be compromised by law enforcement. Although he seemed to prove his identity as the former AlphaBay’s right hand by signing messages with the same PGP cryptographic key he’d used in the past, many dark web denizens were wary that he might be controlled by a police agency as part of an undercover operation, as when Dutch police <a href="https://www.wired.com/story/hansa-dutch-police-sting-operation/" rel="external nofollow">secretly took over the Hansa dark web drug market in 2017</a>.
</p>

<p>
	 
</p>

<p>
	After nearly a year back online, though, DeSnake says he feels “vindicated,” given that few if any undercover operations have lasted that long. “For majority of vendors and customers the question has been put to rest,” DeSnake says.
</p>

<p>
	 
</p>

<p>
	If DeSnake has proven himself to be the legit heir to AlphaBay—and doesn’t pull an exit scam himself—he still faces the risk of a law enforcement takedown, which only grows as the reborn market takes the limelight. “It’s Russian roulette running a dark web marketplace, particularly with all the information we got from the AlphaBay takedown,” says Grant Rabenn, a former federal prosecutor who led the investigation that resulted in AlphaBay’s 2017 bust and the arrest of its original admin, Alexandre Cazes, who was later found dead in a Thai jail of an apparent suicide. (DeSnake has claimed, without proof, that Cazes was murdered.)
</p>

<p>
	 
</p>

<p>
	Rabenn hints that the 2017 case also resulted in US law enforcement obtaining a “fair amount of information” on AlphaBay’s staff. As the dark web market grows, that previous investigation might provide leads on DeSnake’s identity, with federal agencies refocusing their attention on AlphaBay and its new boss. “It’s definitely putting a target on your back, not only from the historical conduct and connections but also being the top one,” Rabenn says. “Everyone’s going to look for that one.”
</p>

<p>
	 
</p>

<p>
	DeSnake tells WIRED, however, that he’s developed a few forms of protection that give him confidence he’ll continue to stay a step ahead of the feds. Perhaps most importantly, he claims to be based in a former Soviet country that has no extradition treaty with the US. His choice for AlphaBay to use only Monero, rather than Bitcoin, may make the sort of blockchain analysis that contributed to the original site’s takedown far more difficult. And he claims to have built complex technical protections that include redundant infrastructure in multiple countries, along with a system called AlphaGuard that’s designed to automatically relaunch the site on new servers in the case of a bust. “We will be back and running within a few days and without a cent lost,” DeSnake says.
</p>

<p>
	 
</p>

<p>
	DeSnake has announced that he eventually hopes to develop a “decentralized marketplace network” where dark web markets are hosted across hundreds or thousands of servers—a kind of uncensorable, unseizable Bittorrent to the current markets’ Napster. He claims a test version of that decentralization scheme is planned for the end of this year, and that AlphaBay will move to it sometime in 2023. “First we want to reach the scale we did before in 2017 that is our milestone. Second, we want to launch a beta of the decentralized project,” says DeSnake. “Then migrate step by step fully to allow AlphaBay to exist for many years ahead and usher the [darknet market] scene into a new golden era like we did before.”
</p>

<p>
	 
</p>

<p>
	It’s far from clear whether that plan—or DeSnake’s self-described invulnerability—is real or a mirage. But he does appear to have followed through—or will soon—on his first promise: to regain the dark web’s crown. And another period of AlphaBay’s reign may be just beginning.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/alphabay-dark-web-market-ranking/" rel="external nofollow">AlphaBay Is Taking Over the Dark Web—Again</a>
</p>

<p>
	 
</p>

<p>
	(May require free registration to view)
</p>
]]></description><guid isPermaLink="false">6304</guid><pubDate>Mon, 06 Jun 2022 20:57:39 +0000</pubDate></item><item><title>Microsoft Seizes 41 Domains Used in Spear-Phishing Attacks by Bohrium Hackers</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-seizes-41-domains-used-in-spear-phishing-attacks-by-bohrium-hackers-r6291/</link><description><![CDATA[<p>
	Microsoft's Digital Crimes Unit (DCU) last week disclosed that it had taken legal proceedings against an Iranian threat actor dubbed Bohrium in connection with a spear-phishing operation.
</p>

<p>
	<br />
	The adversarial collective is said to have targeted entities in tech, transportation, government, and education sectors located in the U.S., Middle East, and India.
</p>

<p>
	<br />
	"Bohrium actors create fake social media profiles, often posing as recruiters," Amy Hogan-Burney of the DCU <span style="color:#2980b9;">said</span> in a tweet. "Once personal information was obtained from the victims, Bohrium sent malicious emails with links that ultimately infected their target's computers with malware."
</p>

<p>
	<br />
	According to an <span style="color:#2980b9;">ex parte order</span> shared by the tech giant, the goal of the intrusions was to steal and exfiltrate sensitive information, take control over the infected machines, and carry out remote reconnaissance.
</p>

<p>
	<br />
	To halt the malicious activities of Bohrium, Microsoft said it took down 41 ".com," ".info," ".live," ".me," ".net," ".org," and ".xyz" domains that were used as command-and-control infrastructure to facilitate the spear-phishing campaign.
</p>

<p>
	<br />
	The disclosure comes as Microsoft revealed that it identified and disabled malicious OneDrive activity perpetrated by a previously undocumented threat actor codenamed <span style="color:#2980b9;">Polonium</span> since February 2022.
</p>

<p>
	<br />
	The incidents, which involved the use of OneDrive as command-and-control, were part of a larger wave of attacks the hacking group launched against over 20 organizations based in Israel and Lebanon.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2022/06/microsoft-seizes-41-domains-used-in.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">6291</guid><pubDate>Mon, 06 Jun 2022 15:39:29 +0000</pubDate></item><item><title>10 Most Prolific Banking Trojans Targeting Hundreds of Financial Apps with Over a Billion Users</title><link>https://nsaneforums.com/news/security-privacy-news/10-most-prolific-banking-trojans-targeting-hundreds-of-financial-apps-with-over-a-billion-users-r6290/</link><description><![CDATA[<p>
	10 of the most prolific mobile banking trojans have set their eyes on 639 financial applications that are available on the Google Play Store and have been cumulatively downloaded over 1.01 billion times.
</p>

<p>
	<br />
	Some of the most targeted apps include Walmart-backed PhonePe, Binance, Cash App, Garanti BBVA Mobile, La Banque Postale, Ma Banque, Caf - Mon Compte, Postepay, and BBVA México. These apps alone account for more than 260 million downloads from the official app marketplace.
</p>

<p>
	<br />
	Of the 639 apps tracked, 121 are based in the U.S., followed by the U.K. (55), Italy (43), Turkey (34), Australia (33), France (31), Spain (29), and Portugal (27).
</p>

<p>
	<br />
	"<span style="color:#2980b9;">TeaBot</span> is targeting 410 of the 639 applications tracked," mobile security company Zimperium <span style="color:#2980b9;">said </span>in a new analysis of Android threats during the first half of 2022. "<span style="color:#2980b9;">Octo</span> targets 324 of the 639 applications tracked and is the only one targeting popular, non-financial applications for credential theft."
</p>

<p>
	<br />
	Aside from <span style="color:#2980b9;">TeaBot</span> (Anatsa) and Octo (Exobot), other prominent banking trojans include <span style="color:#2980b9;">BianLian</span>, <span style="color:#2980b9;">Coper</span>, <span style="color:#2980b9;">EventBot</span>, <span style="color:#2980b9;">FluBot</span> (Cabassous), <span style="color:#2980b9;">Medusa</span>, <span style="color:#2980b9;">SharkBot</span>, and<span style="color:#2980b9;"> Xenomorph</span>.
</p>

<p>
	<br />
	FluBot is also considered to be an aggressive variant of Cabassous, and its distribution infrastructure has been used to deliver Medusa, another mobile banking trojan that can gain near-complete control over a user's device. Last week, Europol <span style="color:#2980b9;">announced</span> the dismantling of infrastructure behind FluBot.
</p>

<p>
	<br />
	These malicious remote access tools, while hiding behind the cloak of benign-looking apps, are designed to target mobile financial applications in an attempt to carry out <span style="color:#2980b9;">on-device fraud</span> and siphon funds directly from the victim's accounts.
</p>

<p>
	<br />
	In addition, the rogue apps are equipped with the ability to evade detection by often hiding their icons from the home screen and are known to log keystrokes, capture clipboard data, and abuse accessibility services permissions to pursue their objectives such as credential theft.
</p>

<p>
	<br />
	This involves the use of overlay attacks, pointing a victim to a fake banking login page that's displayed atop legitimate financial apps and can be used to steal the credentials entered.
</p>

<p>
	<br />
	Consequences of such attacks can range from data theft and financial fraud to regulatory fines and loss of customer trust.
</p>

<p>
	<br />
	"In the past decade, the financial industry moved completely to mobile for its banking and payments service and stock trading," the researchers said.
</p>

<p>
	 
</p>

<p>
	"While this transition brings increased convenience and new options to consumers, it also introduces novel fraud risks."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2022/06/10-most-prolific-banking-trojans.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">6290</guid><pubDate>Mon, 06 Jun 2022 15:33:23 +0000</pubDate></item><item><title>Legislators Introduce Bipartisan Digital-Privacy Bill That May Not Be Doomed</title><link>https://nsaneforums.com/news/security-privacy-news/legislators-introduce-bipartisan-digital-privacy-bill-that-may-not-be-doomed-r6275/</link><description><![CDATA[<p>
	<span style="font-size:16px;">The American Data Privacy and Protection Act would mandate data minimization and let Americans opt out of targeted ads while preempting many state privacy laws.</span>
</p>

<p>
	 
</p>

<p>
	A new bipartisan privacy bill offers a compromise along the lines of what many tech companies and even some privacy advocates have said we need to get something—anything—out of Congress and into statute: federal privacy protection that preempts most state privacy laws.
</p>

<p>
	<br />
	The American Data Privacy and Protection Act, announced Friday by Reps. Frank Pallone, Jr. (D-N.J.), Cathy McMorris Rodgers (R-Wash.), and Sen. Roger Wicker (R-Miss.), remixes many existing concepts and proposals: policy ingredients that other legislators have yet to turn into a recipe that can emerge from the Congressional kitchen.
</p>

<p>
	<br />
	As laid out in the bill’s 64-page draft (PDF) and 10-page outline (PDF), it would require most companies to comply with data-minimization guidelines. That means they can’t collect, process, and hoard a wide variety of personal data—from financial details to stored communications to their activity at social and entertainment sites—for reasons unrelated to providing the product or service they offer.
</p>

<p>
	<br />
	The bill would apply higher standards to such especially sensitive items as Social Security numbers, geolocation records, biometric information, browsing history, and genetic data, in most cases requiring a person’s upfront permission.
</p>

<p>
	<br />
	The act would further require companies to operate along privacy-by-design principles and ban them from charging extra for any of the privacy rights granted by the bill. And it would require them to provide clear, plain-language documentation of how they collect, use, and monetize data—something that would be mandated more strictly by a bill announced in January.
</p>

<p>
	<br />
	The act would then grant customers a variety of opt-out rights, including a choice to decline most targeted advertising (the bill bans that when aimed at anybody under 17 years old, while a Democratic bill introduced in January would prohibit “surveillance advertising” for everybody). It would establish an individual right to data ownership and control that would let people see what data a company has collected about them, have it corrected, deleted, or exported to them for their own use, and veto the sale or transfer of their data.
</p>

<p>
	<br />
	Data brokers—called “third-party collecting entities” in the draft text—must register with the Federal Trade Commission, allow audits of their collection and use of data, and collectively honor “Do Not Collect” requests by individuals. This section appears to borrow heavily from a bipartisan data-broker bill introduced in February.
</p>

<p>
	<br />
	The bill would assign enforcement to the FTC, which today brings privacy cases under its authority to investigate “unfair or deceptive acts or practices.” States could also bring cases under the law, but individual people could not for the law’s first four years and would then only be able to file suit for certain violations.
</p>

<p>
	 
</p>

<p>
	The act would preempt such state laws as the California Consumer Privacy Act but not those covering data breaches and employee, student, and medical privacy, among a few others. It also specifically waives Illinois laws on biometric and genetic privacy as well as a 2020 California law that lets people sue for damages when poor account-security practices at companies lead to breaches of their data.
</p>

<p>
	<br />
	The preemption part may be the bill’s trickiest section. Tech companies don’t want to operate under a patchwork of state statutes, and many market-minded Republicans want to avoid that as well. But many Democrats don’t want to shut down state attempts to do something when Congress has done nothing on privacy for so long, and have their own bills out or in the works that would leave state laws alone.
</p>

<p>
	<br />
	That’s a lot to consider in this new proposal. But one thing it doesn’t have much of is Congressional time before the midterm elections. The next chapter in this proposal might be one that privacy advocates have heard a lot: Wait ‘til next year.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:16px;"><strong><a href="https://www.pcmag.com/news/legislators-introduce-bipartisan-digital-privacy-bill-that-may-not-be-doomed" rel="external nofollow">Source</a></strong></span>
</p>
]]></description><guid isPermaLink="false">6275</guid><pubDate>Sat, 04 Jun 2022 23:46:59 +0000</pubDate></item><item><title>Apple blocked 1.6 millions apps from defrauding users in 2021</title><link>https://nsaneforums.com/news/security-privacy-news/apple-blocked-16-millions-apps-from-defrauding-users-in-2021-r6266/</link><description><![CDATA[<p>
	Apple said this week that more than 343,000 iOS apps were blocked by the App Store App Review team for privacy violations last year, while another 157,000 were rejected for attempting to mislead or spam iOS users.
</p>

<p>
	 
</p>

<p>
	The company added that it also blocked over 34,500 applications from getting indexed on the App Store because they were using undocumented or hidden features.
</p>

<p>
	 
</p>

<p>
	Apple also removed 155,000 more apps for bait-and-switch tactics, such as adding new features or capabilities after approval.
</p>

<p>
	 
</p>

<p>
	Throughout 2021, the App Review team stopped more than 1.6 million risky or vulnerable apps and updates from landing on the App Store and potentially defrauding users.
</p>

<p>
	 
</p>

<p>
	Last year, in the company's <a href="https://www.bleepingcomputer.com/news/apple/apple-rejected-over-215-000-apps-in-2020-for-privacy-violations/" target="_blank" rel="external nofollow">first fraud prevention analysis report</a>, Apple said that almost 1 million problematic new apps and nearly 1 million app updates were rejected or removed by the App Review team.
</p>

<p>
	 
</p>

<p>
	Apple says that its efforts to protect customers from fraud attempts require the monitoring and vigilance of multiple teams focused on several areas, from App Review to Discovery Fraud.
</p>

<p>
	 
</p>

<p>
	<img alt="Apple%202021%20fraud%20prevention%20anal" class="ipsImage" data-ratio="83.59" height="540" width="629" src="https://www.bleepstatic.com/images/news/u/1109292/2022/Apple%202021%20fraud%20prevention%20analysis%20report.png">
</p>

<p>
	 
</p>

<p>
	"Apple is dedicated to keeping the App Store a safe and trusted place for people to discover and download apps," the company said in <a href="https://www.apple.com/newsroom/2022/06/app-store-stopped-nearly-one-point-five-billion-in-fraudulent-transactions-in-2021/" rel="external nofollow" target="_blank">this year's report</a>.
</p>

<p>
	 
</p>

<p>
	"A key pillar in that effort is Apple's ongoing work detecting and taking action against bad actors who seek to defraud developers and users."
</p>

<p>
	 
</p>

<p>
	Apple's efforts to protect users from fraud are welcome, seeing that scammy apps known as fleeceware are still a big problem on the iOS App Store, as <a href="https://blog.avast.com/fleeceware-apps-on-mobile-app-stores-avast" rel="external nofollow" target="_blank">discovered</a> by researchers at Avast last year.
</p>

<p>
	 
</p>

<p>
	Such apps lure customers with promises of free trials but will instead require excessive subscription costs of thousands of dollars per year.
</p>

<p>
	 
</p>

<p>
	As <a href="https://blog.avast.com/fleeceware-apps-on-mobile-app-stores-avast" rel="external nofollow" target="_blank">Avast reported</a>, roughly 200 such fleeceware apps, with total estimated revenue of more than $400 million, were found across Apple's and Google's app stores.
</p>

<p>
	 
</p>

<p>
	One year before, Sophos researchers also <a href="https://www.bleepingcomputer.com/news/security/over-36m-users-installed-ios-fleeceware-from-apple-s-app-store/" target="_blank" rel="external nofollow">spotted dozens of fleeceware apps</a> that iOS users had downloaded approximately 3,680,000 times and that were listed among the top-grossing apps on the App Store.
</p>

<h2>
	$1.5 billion potentially fraudulent transactions prevented
</h2>

<p>
	Apple also added that it was able to protect its customers from $1.5 billion in potentially fraudulent transactions throughout 2021.
</p>

<p>
	 
</p>

<p>
	It also blocked the use of more than 3.3 million stolen cards on Apple's online store platforms and banned almost 600,000 accounts from ever making transactions again across its platforms.
</p>

<p>
	 
</p>

<p>
	"For many people, no data is more sensitive than their financial information. That's why Apple has invested enormously in creating more secure payment technologies like Apple Pay and StoreKit," Apple added.
</p>

<p>
	 
</p>

<p>
	"These technologies are used by more than 905,000 apps to sell goods and services on the App Store. For example, with Apple Pay, credit card numbers are never shared with merchants — eliminating a risk factor in the payment transaction process."
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/apple-blocked-16-millions-apps-from-defrauding-users-in-2021/" rel="external nofollow">Apple blocked 1.6 millions apps from defrauding users in 2021</a>
</p>
]]></description><guid isPermaLink="false">6266</guid><pubDate>Sat, 04 Jun 2022 23:27:41 +0000</pubDate></item><item><title>The Fight Against Robocall Spam and Scams Heats Up in India</title><link>https://nsaneforums.com/news/security-privacy-news/the-fight-against-robocall-spam-and-scams-heats-up-in-india-r6247/</link><description><![CDATA[<p>
	Indian phone users may not have to wonder who that “unknown” caller is for too much longer. Regulatory changes being considered might help them avoid that pesky telemarketer and the annoying call from a bank customer care executive trying to sell insurance.
</p>

<p>
	 
</p>

<p>
	In an attempt to combat the plague of spam calls, India’s telecom regulator is in the process of drafting a consultation paper supporting a mechanism that would allow phones to display the name of a caller even if the number is not saved on that person's phone. This name will be sourced from the Know Your Customer (KYC) data that telecom operators are required to collect from users before providing them with a SIM card.
</p>

<p>
	 
</p>

<p>
	“We are in the process of preparing a consultation paper,” Syed Tausif Abbas, an advisor to Telecom Regulatory Authority of India, tells WIRED. “It will take maybe one month at least. Once the paper is [ready], it will be in public domain for the comments of stakeholders.”
</p>

<p>
	 
</p>

<p>
	India has witnessed a sharp rise in spam calls over the past year. According to a report by Swedish company Truecaller—which counts India as its biggest market—the country was the <a href="https://indianexpress.com/article/business/india-spam-calls-kyc-7678432/" rel="external nofollow" target="_blank">fourth most spammed</a> of the 20 countries it surveyed in 2021, up from ninth the year before. Over 200 million calls came from just one spammer between January and October 2021, according to the company. Most of those calls were ordinary spam, but over 1 percent were scams in which the callers pretended to be from a bank or a financial technology startup and asked customers for their personal details. Over the past few years, Indians have had to deal with a barrage of fraudulent calls that have <a href="https://timesofindia.indiatimes.com/city/delhi/have-you-gotten-a-call-from-jamtara-yet/articleshow/86871858.cms" rel="external nofollow" target="_blank">caused some to lose money</a>.
</p>

<p>
	 
</p>

<p>
	While Truecaller—and similar apps—can help identify a caller in some cases, the information may not be accurate, as it is crowdsourced rather than based on official data. And while India’s attempt to fight spam and scam callers at scale may help citizens know who is calling them, some policy experts say the effort will be futile and raises questions of privacy.
</p>

<p>
	 
</p>

<p>
	Pranesh Prakash, policy director of the Center for Internet and Society, says knowing who a number is connected to and being able to dodge spam or scam calls would in some ways be helpful. “It might be good for people to know they are talking to so and so, or the cell phone is registered under so and so’s name, [especially] if they have been subject to fraud or something like that. So it might actually be useful from that perspective,” says Prakash. But he’s not entirely sold on the idea.
</p>

<p>
	 
</p>

<p>
	His biggest concern about this proposal is the sharing of KYC data with the government in the absence of a comprehensive data protection law in India. “There’s an anemic provision of the IT [Information Technology] Act, which acts as a data protection provision, so what the government does with the data that you have entrusted to it isn’t actually governed by a law,” says Prakash. That said, the data privacy draft law is <a href="https://www.lexology.com/library/detail.aspx?g=13db3bab-89f9-4fe6-ba22-1beec112dd52" rel="external nofollow" target="_blank">expected</a> to be discussed in the Indian Parliament soon, and if passed it could provide a layer of protection for user data.
</p>

<p>
	 
</p>

<p>
	But there are other concerns. Shalini Sivasubramanian, a senior researcher with the Centre for Policy Research, questions the overall utility of the plan: If the intention is just to let people know who is calling, it does not address the underlying problem of spam. “What purpose is it serving if it just notifies the caller that this person is calling,” she says. “It’s not fully solving the problems of spam calling.” 
</p>

<p>
	 
</p>

<p>
	Sivasubramanian points to the US’s <a href="https://www.govtrack.us/congress/bills/111/s30" rel="external nofollow" target="_blank">Truth in Caller ID Act</a>, which President Barack Obama signed into law in 2010, as an approach India could draw on. That legislation outlaws caller-ID spoofing and lets robocallers be prosecuted, and US carriers also run call-authentication protocols that automatically flag robocalls. “The US has protocols on how to authenticate calls which filter out the robocalls, and [then] they have prosecution for that,” says Sivasubramanian. “Here [in India], by just displaying caller ID, yes I will know the number, but will it cause any less frustration just because I can see a name associated with that spam call? I don’t think so.”
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/india-robocall-spam-caller-id/" rel="external nofollow">The Fight Against Robocall Spam and Scams Heats Up in India</a>
</p>

<p>
	 
</p>

<p>
	(May require free registration to view)
</p>
]]></description><guid isPermaLink="false">6247</guid><pubDate>Fri, 03 Jun 2022 20:32:14 +0000</pubDate></item><item><title>GitLab Issues Security Patch for Critical Account Takeover Vulnerability</title><link>https://nsaneforums.com/news/security-privacy-news/gitlab-issues-security-patch-for-critical-account-takeover-vulnerability-r6240/</link><description><![CDATA[<p>
	GitLab has moved to address a critical security flaw in its service that, if successfully exploited, could result in an account takeover.
</p>

<p>
	<br />
	Tracked as CVE-2022-1680, the issue has a CVSS severity score of 9.9 and was discovered internally by the company. The security flaw affects all versions of GitLab Enterprise Edition (EE) starting from 11.10 before 14.9.5, all versions starting from 14.10 before 14.10.4, and all versions starting from 15.0 before 15.0.1.
</p>

<p>
	<br />
	"When group SAML SSO is configured, the SCIM feature (available only on Premium+ subscriptions) may allow any owner of a Premium group to invite arbitrary users through their username and email, then change those users' email addresses via SCIM to an attacker controlled email address and thus — in the absence of 2FA — take over those accounts," GitLab said.
</p>

<p>
	<br />
	Having achieved this, a malicious actor can also change the display name and username of the targeted account, the DevOps platform provider cautioned in its advisory published on June 1, 2022.
</p>

<p>
	<br />
	Also resolved by GitLab in versions 15.0.1, 14.10.4, and 14.9.5 are seven other security vulnerabilities: two rated high, four rated medium, and one rated low in severity.
</p>

<p>
	<br />
	Users running an installation affected by the aforementioned bugs are recommended to upgrade to the latest version as soon as possible.
</p>
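<p>
	Added example, not GitLab's code and not part of the advisory: a small version check that tells an operator whether a self-managed instance sits inside one of the three affected ranges quoted above, and which release closes the gap for that branch. It assumes version strings of the form "15.0.0-ee" (as printed by gitlab-rake gitlab:env:info) and only encodes the Enterprise Edition ranges the advisory lists; being in range is necessary but not sufficient, since the bug also requires group SAML SSO with SCIM enabled.
</p>

```python
import re

# Affected ranges quoted in the advisory, as (first affected, first fixed);
# the fixed release itself is excluded. CE is not listed, so this is an EE check.
AFFECTED_RANGES = [
    ((11, 10, 0), (14, 9, 5)),
    ((14, 10, 0), (14, 10, 4)),
    ((15, 0, 0), (15, 0, 1)),
]


def parse_version(version):
    """Turn '14.10.3-ee' or 'v15.0' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError("unrecognised GitLab version: %r" % version)
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def fixed_version_for(version):
    """Return the release that closes CVE-2022-1680 for this version's branch,
    or None when the version lies outside every affected range."""
    v = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= v < first_fixed:
            return ".".join(str(n) for n in first_fixed)
    return None


def is_affected(version):
    return fixed_version_for(version) is not None


if __name__ == "__main__":
    # Constructed sample versions, the kind gitlab-rake gitlab:env:info prints
    for v in ["14.9.4-ee", "14.9.5-ee", "14.10.3-ee", "15.0.0-ee", "15.0.1-ee", "11.9.9-ee"]:
        fix = fixed_version_for(v)
        print("%-12s %s" % (v, "upgrade to " + fix if fix else "not in an affected range"))
```

<p>
	Any non-None result means upgrade; until that is done, enforcing 2FA on the groups in question removes the takeover path, since the advisory says the attack only works in its absence.
</p>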

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2022/06/gitlab-issues-security-patch-for.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">6240</guid><pubDate>Fri, 03 Jun 2022 15:13:52 +0000</pubDate></item><item><title>Microsoft Blocks Iran-linked Lebanese Hackers Targeting Israeli Companies</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-blocks-iran-linked-lebanese-hackers-targeting-israeli-companies-r6239/</link><description><![CDATA[<p>
	Microsoft on Thursday said it took steps to disable malicious activity stemming from abuse of OneDrive by a previously undocumented threat actor it tracks under the chemical element-themed moniker Polonium.
</p>

<p>
	<br />
	In addition to removing the offending accounts created by the Lebanon-based activity group, the tech giant's Threat Intelligence Center (MSTIC) said it suspended over 20 malicious OneDrive applications the actor had created and notified affected organizations.
</p>

<p>
	<br />
	"The observed activity was coordinated with other actors affiliated with Iran's Ministry of Intelligence and Security (MOIS), based primarily on victim overlap and commonality of tools and techniques," MSTIC assessed with "moderate confidence."
</p>

<p>
	<br />
	The adversarial collective is believed to have breached more than 20 organizations based in Israel and one intergovernmental organization with operations in Lebanon since February 2022.
</p>

<p>
	<br />
	Targets of interest included entities in the manufacturing, IT, transportation, defense, government, agriculture, financial, and healthcare sectors; in one supply chain attack, a cloud service provider was compromised to reach a downstream aviation company and law firm.
</p>

<p>
	<br />
	In the vast majority of cases, initial access is believed to have been obtained by exploiting a path traversal flaw in Fortinet appliances (CVE-2018-13379), which was abused to drop custom PowerShell implants like CreepySnail that connect to a command-and-control (C2) server for follow-on actions.
</p>
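<p>
	Added example, not from Microsoft's report: a detector for directory-traversal attempts in web access logs, the class of flaw the Fortinet bug named above belongs to. The log lines below are constructed, the log format is assumed to be the common/combined Apache style, and the checks are generic (repeated percent-decoding, backslash folding) rather than a signature for CVE-2018-13379 itself.
</p>

```python
import re
from urllib.parse import unquote

# Common/combined access log format: client, ident, user, [time], "request", status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# A ".." segment bounded by a path separator, or by a query delimiter before it
TRAVERSAL_RE = re.compile(r'(?:^|[\\/=&?])\.\.(?:[\\/]|$)')


def normalise_target(raw, rounds=3):
    """Percent-decode until stable (catches %2e%2e%2f and double encoding such
    as %252e), fold backslashes to slashes and drop NUL bytes, so the check
    sees roughly what a permissive server would see. The query string is kept
    on purpose: many traversal bugs live in a parameter, not the path."""
    target = raw
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/").replace("\x00", "")


def has_traversal(raw_target):
    return TRAVERSAL_RE.search(normalise_target(raw_target)) is not None


def scan_log(lines):
    """Return (src, method, raw_target, status) for every request whose target
    contains a traversal sequence after normalisation."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and has_traversal(m["target"]):
            hits.append((m["src"], m["method"], m["target"], int(m["status"])))
    return hits


# Constructed sample lines (RFC 5737 documentation addresses), not real traffic
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Jun/2022:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [03/Jun/2022:10:01:03 +0000] "GET /static/app.css HTTP/1.1" 200 2048',
    '198.51.100.9 - - [03/Jun/2022:10:02:11 +0000] "GET /download?file=../../../../etc/passwd HTTP/1.1" 404 0',
    '198.51.100.9 - - [03/Jun/2022:10:02:12 +0000] "GET /download?file=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1834',
    '198.51.100.9 - - [03/Jun/2022:10:02:13 +0000] "GET /download?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1834',
    '192.0.2.4 - - [03/Jun/2022:10:03:00 +0000] "GET /docs/notes..txt HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for src, method, target, status in scan_log(SAMPLE_LOG):
        # a 200 on a traversal request deserves first attention
        print(src, method, target, status, "SUCCEEDED?" if status == 200 else "")
```

<p>
	The decoding loop is the part that matters: a single unquote misses the double-encoded third request, and a check that only looks at the path misses all three, because the traversal sits in the "file" parameter.
</p>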

<p>
	<br />
	Attack chains mounted by the actor have used custom tools, dubbed CreepyDrive and CreepyBox, that abuse legitimate cloud services such as OneDrive and Dropbox accounts as the C2 channel to victims.
</p>

<p>
	<br />
	"The implant provides basic functionality of allowing the threat actor to upload stolen files and download files to run," the researchers said.
</p>

<p>
	<br />
	This is not the first time Iranian threat actors have taken advantage of cloud services. In October 2021, Cybereason disclosed an attack campaign staged by a group called MalKamak that used Dropbox for C2 communications in an attempt to stay under the radar.
</p>

<p>
	<br />
	Additionally, MSTIC noted that multiple victims that were compromised by Polonium were previously targeted by another Iranian group called MuddyWater (aka Mercury), which has been characterized by the U.S. Cyber Command as a "subordinate element" within MOIS.
</p>

<p>
	<br />
	The victim overlaps lend credence to earlier reports that MuddyWater is a "conglomerate" of multiple teams along the lines of Winnti (China) and the Lazarus Group (North Korea).
</p>

<p>
	<br />
	To counter such threats, customers are advised to enable multi-factor authentication as well as review and audit partner relationships to minimize any unnecessary permissions.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2022/06/microsoft-blocks-iran-linked-lebanese.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">6239</guid><pubDate>Fri, 03 Jun 2022 15:06:05 +0000</pubDate></item><item><title>Chinese LuoYu Hackers Using Man-on-the-Side Attacks to Deploy WinDealer Backdoor</title><link>https://nsaneforums.com/news/security-privacy-news/chinese-luoyu-hackers-using-man-on-the-side-attacks-to-deploy-windealer-backdoor-r6238/</link><description><![CDATA[<p>
	An "extremely sophisticated" Chinese-speaking advanced persistent threat (APT) actor dubbed LuoYu has been observed using a malicious Windows tool called WinDealer that's delivered by means of man-on-the-side attacks.
</p>

<p>
	<br />
	"This groundbreaking development allows the actor to modify network traffic in-transit to insert malicious payloads," Russian cybersecurity company Kaspersky said in a new report. "Such attacks are especially dangerous and devastating because they do not require any interaction with the target to lead to a successful infection."
</p>

<p>
	<br />
	LuoYu, known to be active since 2008, predominantly targets foreign diplomatic organizations established in China and members of the academic community, as well as financial, defense, logistics, and telecommunications companies.
</p>

<p>
	<br />
	LuoYu's use of WinDealer was first documented by Taiwanese cybersecurity firm TeamT5 at the Japan Security Analyst Conference (JSAC) in January 2021. Subsequent attack campaigns have used the malware to target Japanese entities, with isolated infections reported in Austria, Germany, India, Russia, and the U.S.
</p>

<p>
	<br />
	Other tools that are part of the adversary's malware arsenal include PlugX and its successor ShadowPad, both of which have been used by a variety of Chinese threat actors to enable their strategic objectives. Additionally, the actor is known to target Linux, macOS, and Android devices.
</p>

<p>
	<br />
	WinDealer, for its part, has been delivered in the past via websites that act as watering holes and in the form of trojanized applications masquerading as instant messaging and video hosting services like Tencent QQ and Youku.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="windealer.jpg" class="ipsImage" data-ratio="54.31" height="387" width="720" src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj5larTzIMeZxoVV-prF15LAtvDFAWKs_RL8UmiCcKkkejS2DSYQdar6l73miVU_TNzkdMjy_JvAh-cafVVl2rbkr1SN9fATNxBypMGXqakhK-raoAHNBJs7opQSUvL0gqsgmuvxt_A6uw9IQa9ZTf4OhIC1-7ODsNrmPMdEgEHCAtTRJlVwW5bbOP5/s728-e100/windealer.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	But the infection vector has since been traded for another distribution method that makes use of the automatic update mechanism of select legitimate applications to serve a compromised version of the executable on "rare occasions."
</p>

<p>
	<br />
	WinDealer, a modular malware platform at its core, comes with all the usual bells and whistles associated with a traditional backdoor, allowing it to hoover up sensitive information, capture screenshots, and execute arbitrary commands.
</p>

<p>
	<br />
	Where it stands apart is its use of a complex IP-generation algorithm to select, at random, a command-and-control (C2) server from a pool of 48,000 IP addresses.
</p>

<p>
	<br />
	"The only way to explain these seemingly impossible network behaviors is by assuming the existence of a man-on-the-side attacker who is able to intercept all network traffic and even modify it if needed," the company said.
</p>

<p>
	<br />
	A man-on-the-side attack, similar to a man-in-the-middle attack, enables a rogue interloper to read and inject arbitrary messages into a communications channel, but not modify or delete messages sent by other parties.
</p>

<p>
	<br />
	Such intrusions typically bank on strategically timing their messages such that the malicious reply containing the attacker-supplied data is sent in response to a victim's request for a web resource before the actual response from the server.
</p>
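<p>
	Added example, not Kaspersky's code: one way to detect a man-on-the-side injection after the fact from a packet capture. Because the attacker can inject but cannot suppress the real server's reply, the client receives two TCP segments for the same flow and sequence number with different contents; the first to arrive is accepted and the genuine one is later discarded as an apparent retransmission, which is exactly the artifact to look for. The packet records below are constructed (documentation-range addresses and a fictitious update host), not real traffic.
</p>

```python
from collections import defaultdict

# Constructed packet records (RFC 5737 addresses, fictitious host), not a capture.
# The injected segment reaches the client before the genuine one, so it wins
# the race; the genuine reply then looks like a retransmission and is dropped.
SAMPLE_PACKETS = [
    {"src": "10.0.0.5", "sport": 51234, "dst": "198.51.100.20", "dport": 80,
     "seq": 1, "payload": b"GET /update/check HTTP/1.1\r\nHost: updates.example.net\r\n\r\n"},
    # injected by the man-on-the-side: same flow and seq as the real reply
    {"src": "198.51.100.20", "sport": 80, "dst": "10.0.0.5", "dport": 51234,
     "seq": 1000, "payload": b"HTTP/1.1 302 Found\r\nLocation: http://203.0.113.66/setup.exe\r\n\r\n"},
    # the genuine server reply, arriving a few milliseconds later
    {"src": "198.51.100.20", "sport": 80, "dst": "10.0.0.5", "dport": 51234,
     "seq": 1000, "payload": b'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{"latest":"1.4.2"}'},
    # an honest retransmission of the genuine reply: same seq, identical bytes
    {"src": "198.51.100.20", "sport": 80, "dst": "10.0.0.5", "dport": 51234,
     "seq": 1000, "payload": b'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{"latest":"1.4.2"}'},
]


def detect_injected_segments(packets):
    """Flag TCP segments that reuse a sequence number already seen on the same
    flow but carry different data. Honest retransmissions repeat the bytes
    exactly (or a prefix/extension of them) and are ignored. Packets must be
    in arrival order so "accepted" is the copy the client actually kept."""
    seen = defaultdict(list)   # (flow, seq) -> distinct payloads observed
    findings = []
    for p in packets:
        flow = (p["src"], p["sport"], p["dst"], p["dport"])
        key = (flow, p["seq"])
        variants = seen[key]
        if any(v.startswith(p["payload"]) or p["payload"].startswith(v) for v in variants):
            continue   # exact or partial retransmission of bytes already seen
        if variants:
            findings.append({"flow": flow, "seq": p["seq"],
                             "accepted": variants[0], "discarded": p["payload"]})
        variants.append(p["payload"])
    return findings


if __name__ == "__main__":
    for f in detect_injected_segments(SAMPLE_PACKETS):
        print("conflicting data at seq %d on %s" % (f["seq"], f["flow"]))
        print("  client kept   :", f["accepted"][:40])
        print("  client dropped:", f["discarded"][:40])
```

<p>
	On real captures the same comparison is fed from the decoded TCP stream (scapy or dpkt both expose seq and payload per segment); a large TTL or IP-ID jump between the two copies, and a reply that arrives implausibly fast for the server's round-trip time, are the usual corroborating signs.
</p>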

<p>
	<br />
	The fact that the threat actor is able to control such a massive range of IP addresses could also explain the hijacking of the update mechanism associated with genuine apps to deliver the WinDealer payload, Kaspersky pointed out.
</p>

<p>
	<br />
	"Man-on-the-side-attacks are extremely destructive as the only condition needed to attack a device is for it to be connected to the internet," security researcher Suguru Ishimaru said.
</p>

<p>
	<br />
	"No matter how the attack has been carried out, the only way for potential victims to defend themselves is to remain extremely vigilant and have robust security procedures, such as regular antivirus scans, analysis of outbound network traffic, and extensive logging to detect anomalies."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2022/06/chinese-luoyu-hackers-using-man-on-side.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">6238</guid><pubDate>Fri, 03 Jun 2022 15:03:55 +0000</pubDate></item><item><title>New VPN Crackdown Underway in Russia, Government Confirms</title><link>https://nsaneforums.com/news/security-privacy-news/new-vpn-crackdown-underway-in-russia-government-confirms-r6233/</link><description><![CDATA[<header>
	<p>
		Authorities in Russia have confirmed that a new crackdown to prevent citizens from accessing VPN services is underway. Telecoms regulator Roscomnadzor says that "measures" are being taken to limit access to VPN services that violate Russian law, which can simply mean providing access to content previously deemed illegal by the government.
	</p>

	<p>
		 
	</p>
</header>

<div>
	<p>
		Next month will mark the 10-year anniversary of a new law introduced by Russia to ensure the safety of its citizens online.
	</p>

	<p>
		 
	</p>

	<p>
		The “Extremist Websites Blocking Law” created a national blacklist to prevent socially harmful websites from being accessed by the public.
	</p>

	<p>
		 
	</p>

	<p>
		No longer would extremist or terrorist content, Child Sexual Abuse Material (CSAM), or the promotion of illegal drugs be allowed to spread online. ISPs would block offending sites within hours of receiving a complaint and Russian society as a whole would benefit.
	</p>

	<h2>
		Slippery Slope Ensues
	</h2>

	<p>
		The government assured citizens that only illegal content would be blocked and the blacklist could even be supervised by an independent citizen monitoring group. In the event, telecoms regulator Roscomnadzor appointed itself supervisor but the government did keep its word to block only illegal content, by making more and more content illegal.
	</p>

	<p>
		 
	</p>

	<p>
		Over the last decade Russia has introduced more laws to expand its blocking powers to encompass pirate streaming sites and torrent portals, Twitter, Facebook, Instagram and any ‘illegal’ news sites that stray from the Kremlin’s definition of factual reporting.
	</p>

	<p>
		 
	</p>

	<p>
		In the background, citizens accustomed to unblocking unlicensed media sites started using their VPN and Tor skills to get an unrestricted view of the world. Russia responded by placing <a href="https://torrentfreak.com/russia-says-it-will-soon-begin-blocking-major-vpns/" rel="external nofollow">strict rules on VPN servers</a> in Russia and then via the ‘VPN Law’, outlawed internet tools that enable access to illegal information.
	</p>

	<h2>
		Information War Targets VPNs
	</h2>

	<p>
		Russia has been using its anti-VPN legislation to remove <a href="https://torrentfreak.com/google-delisted-hundreds-of-thousands-of-urls-to-comply-with-russian-vpn-law/" rel="external nofollow">hundreds of thousands</a> of VPN-related links from Google and since the invasion of Ukraine, has <a href="https://torrentfreak.com/vpns-russia-forces-google-to-delete-masses-of-links-amid-ukraine-invasion-220309/" rel="external nofollow">stepped up the pace</a>. Tor is also in the middle of a <a href="https://torrentfreak.com/russia-blocks-torproject-org-and-begins-blocking-of-wider-tor-network-211208/" rel="external nofollow">blocking drama</a> and now faces a <a href="https://torrentfreak.com/tor-project-unblocked-but-russia-redemands-censorship-embroils-google-220527/" rel="external nofollow">court battle</a>.
	</p>

	<p>
		 
	</p>

	<p>
		Over the past few days, Russian VPN users reported fresh issues when trying to access well-known providers such as NordVPN, which does not even have servers in Russia. Problems were also experienced when accessing Switzerland-based Proton VPN, peer-to-peer censorship circumvention tool Lantern, Windscribe, and <a href="https://tjournal.ru/news/640441-roskomnadzor-o-bane-proton-vpn-sredstva-obhoda-blokirovok-s-dostupom-k-zapreshchennym-resursam-priznany-ugrozoy" rel="external nofollow">related services</a> including VPN creation tool <a href="https://getoutline.org/" rel="external nofollow">Outline</a>.
	</p>

	<p>
		 
	</p>

	<p>
		“We are currently investigating the issue, but it is not caused by any changes on our side,” Proton <a href="https://protonstatus.com/incidents/189" rel="external nofollow">announced</a>. “It is likely that the local ISPs and the authorities are interfering with VPN connections, in which case it may not be possible for us to solve such issues. Some servers may continue to work. We are continuing efforts to bypass the block.”
	</p>

	<h2>
		Russia Admits Responsibility
	</h2>

	<p>
		In a statement to local media, telecoms watchdog Roscomnadzor reiterated that website unblocking tools are illegal and measures are being taken to limit access to them.
	</p>

	<p>
		 
	</p>

	<p>
		“According to the Law ‘On Communications’, means of bypassing blocking of illegal content are recognized as a threat. The Center for Monitoring and Control of the Public Communications Network is taking measures to limit the operation of VPN services in Russia that violate Russian law,” the government agency said.
	</p>

	<p>
		 
	</p>

	<p>
		At least historically, VPN providers have usually been given notice that they need to come into compliance or face action but there are no signs that the targeted providers were notified in recent weeks. Whether it played a direct role is unclear but Proton previously offered Russians free access to its services, to bypass state censorship.
	</p>

	<p>
		 
	</p>

	<p>
		On March 15, 2022, Alexander Khinshtein, chairman of the State Duma Committee on Information Policy, revealed that at least 20 VPN services are now being blocked in Russia and that Roscomnadzor intends to block more, if providers fail to comply with the law.
	</p>

	<p>
		 
	</p>

	<p>
		A key problem for privacy-focused VPN providers is the Russian requirement to connect to the Federal State Information System which contains a register of sites and URLs deemed illegal in Russia. Most simply refuse and leave the country but when that is not possible, they are compelled to block sites themselves, a situation that <a href="https://torrentfreak.com/kaspersky-vpn-now-blocks-pirate-sites-in-russia-190703/" rel="external nofollow">Kaspersky failed to prevent</a>.
	</p>

	<p>
		 
	</p>
</div>

<p>
	 
</p>

<p>
	<a href="https://torrentfreak.com/new-vpn-crackdown-underway-in-russia-government-confirms-220603/" rel="external nofollow">New VPN Crackdown Underway in Russia, Government Confirms</a>
</p>
]]></description><guid isPermaLink="false">6233</guid><pubDate>Thu, 01 Jan 1970 00:00:00 +0000</pubDate></item><item><title>Conti ransomware targeted Intel firmware for stealthy attacks</title><link>https://nsaneforums.com/news/security-privacy-news/conti-ransomware-targeted-intel-firmware-for-stealthy-attacks-r6216/</link><description><![CDATA[<p>
	Researchers analyzing the leaked chats of the notorious Conti ransomware operation have discovered that teams inside the Russian cybercrime group were actively developing firmware hacks.
</p>

<p>
	 
</p>

<p>
	According to messages exchanged between members of the cybercrime syndicate, Conti developers had created proof-of-concept (PoC) code that leveraged Intel’s Management Engine (ME) to overwrite flash and gain SMM (System Management Mode) execution.
</p>

<p>
	 
</p>

<p>
	The ME is an embedded microcontroller within Intel chipsets running a micro-OS to provide out-of-band services. Conti was fuzzing that component to find undocumented functions and commands they could leverage.
</p>

<p>
	 
</p>

<p>
	From there, Conti could access the flash memory that hosted UEFI/BIOS firmware, bypass write protections, and perform arbitrary code execution on the compromised system.
</p>

<p>
	 
</p>

<p>
	The final goal would be to drop an <a href="https://www.bleepingcomputer.com/news/security/uefi-firmware-vulnerabilities-affect-at-least-25-computer-vendors/" target="_blank" rel="external nofollow">SMM implant</a> that would run with the highest possible system privileges (ring-0) while being practically undetectable by OS-level security tools.
</p>

<p>
	 
</p>

<p>
	<img alt="message.png" class="ipsImage" data-ratio="43.47" height="241" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Forum%20and%20Marketplace%20Posts/message.png">
</p>

<p>
	 
</p>

<div>
	<div>
		Excerpt from the leaked chats (translated) (Eclypsium)
	</div>

	<p>
		 
	</p>
</div>

<p>
	It is important to note that contrary to <a href="https://www.bleepingcomputer.com/news/security/trickbots-new-trickboot-module-infects-your-uefi-firmware/" target="_blank" rel="external nofollow">TrickBot’s module</a> that targeted UEFI firmware flaws, aiding Conti infections and later <a href="https://www.bleepingcomputer.com/news/security/conti-ransomware-gang-takes-over-trickbot-malware-operation/" target="_blank" rel="external nofollow">undertaken</a> by the ransomware group, the new findings indicate that the malicious engineers were striving to discover new, unknown vulnerabilities in the ME.
</p>

<h2>
	Firmware attacks in ransomware
</h2>

<p>
	For a firmware attack to be possible, the ransomware actors would first need to access the system via a common pathway such as phishing, exploiting a vulnerability, or performing a supply chain attack.
</p>

<p>
	 
</p>

<p>
	After compromising the ME, the attackers would have to follow an attack plan based on which regions outside the write protection they are allowed to access, depending on the ME implementation and the various restrictions and protections in place.
</p>

<p>
	 
</p>

<p>
	<a href="https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/" rel="external nofollow" target="_blank">Eclypsium says</a> these could be either access to overwrite the SPI Descriptor and move the UEFI/BIOS outside the protected area or direct access to the BIOS region.
</p>

<p>
	 
</p>

<p>
	<img alt="diagram(6).png" class="ipsImage" data-ratio="28.47" height="156" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Diagrams/diagram(6).png">
</p>

<div>
	<div>
		Using ME to access non-protected BIOS regions (Eclypsium)
	</div>

	<p>
		 
	</p>
</div>

<p>
	There’s also the scenario of the ME not having access to either, in which case the threat actors could leverage Intel's Management Engine to force a boot from virtual media and unlock PCH protections that underpin the SPI controller.
</p>

<p>
	 
</p>

<p>
	Conti could use this attack flow to brick systems permanently, gain ultimate persistence, evade anti-virus and EDR detections, and bypass all security controls at the OS layer.
</p>

<h2>
	Conti gone, but code still alive
</h2>

<p>
	While the Conti operation appears to have <a href="https://www.bleepingcomputer.com/news/security/conti-ransomware-shuts-down-operation-rebrands-into-smaller-units/" target="_blank" rel="external nofollow">shut down</a>, many of its members have moved to other ransomware operations where they continue to conduct attacks.
</p>

<p>
	 
</p>

<p>
	This also means that all the work done to develop exploits like the one spotted by Eclypsium in the <a href="https://www.bleepingcomputer.com/news/security/conti-ransomwares-internal-chats-leaked-after-siding-with-russia/" target="_blank" rel="external nofollow">leaked chats</a> will continue to exist.
</p>

<p>
	 
</p>

<p>
	As the researchers explain, Conti had a working PoC for these attacks since last summer, so it’s likely that they already had the chance to employ it in actual attacks.
</p>

<p>
	 
</p>

<p>
	The RaaS might return in a rebranded form, the core members might join other ransomware operations, and overall, the exploits will continue to be used.
</p>

<p>
	 
</p>

<p>
	To protect against these threats, apply the available firmware updates for your hardware, monitor the ME for configuration changes, and verify the integrity of the SPI flash regularly.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/conti-ransomware-targeted-intel-firmware-for-stealthy-attacks/" rel="external nofollow">Conti ransomware targeted Intel firmware for stealthy attacks</a>
</p>
]]></description><guid isPermaLink="false">6216</guid><pubDate>Thu, 02 Jun 2022 20:11:36 +0000</pubDate></item><item><title>Protocol vulnerability allows launching malicious Windows Search by just opening Word file</title><link>https://nsaneforums.com/news/security-privacy-news/protocol-vulnerability-allows-launching-malicious-windows-search-by-just-opening-word-file-r6202/</link><description><![CDATA[<p>
	Following reports about <span style="color:#2980b9;">Microsoft Support Diagnostic Tool vulnerabilities</span>, researchers uncovered another zero-day that allows connection to remotely-hosted malware. The issue lies within a uniform resource identifier (URI) called "search-ms", responsible for allowing apps and links to launch searches on a computer.
</p>

<p>
	<br>
	Modern Windows versions, such as 11, 10, and 7, allow Windows Search to browse files locally and on remote hosts. The user can set a URI with the remote host address and the display name to appear on the title bar of the search window. Windows can launch personalized search windows using various methods, such as a web browser or Run (Win + R).
</p>

<p>
	<br>
	<span style="color:#2980b9;">BleepingComputer says</span> a bad actor can utilize the protocol handler to create, for example, a fake Windows Update directory and trick the user into clicking malware disguised as a legitimate update. Still, execution requires an action from the target, and modern browsers, such as Microsoft Edge, show additional security warnings. This is where other flaws come into play.
</p>

<p>
	<br>
	As it turned out, one can combine the search-ms protocol handler with a new flaw in Microsoft Office OLEObject. It allows bypassing Protected View and launching URI protocol handlers without user interaction. @hackerfantastic demonstrated the idea by crafting a Word document that automatically opens a Windows Search window and connects to a remote SMB share. Because search-ms allows renaming search windows, hackers can prepare "personalized" searches to mislead their targets.
</p>

<p style="margin-left:40px;">
	<br>
	 Microsoft Office search-ms: URI handler exploitation, requires user-interaction. Unpatched. <span style="color:#2980b9;">pic.twitter.com/iYbZNtMpnx</span><br>
	 — hackerfantastic.crypto (@hackerfantastic) <span style="color:#2980b9;">June 1, 2022</span>
</p>

<p>
	<br>
	Another proof-of-concept shows an RTF document that does the same. This time, it does not even require launching Word. A new search window launches when File Explorer creates a preview on the Preview Pane.
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	Here is the same search-ms attack being leveraged through an RTF document when Windows Preview Pane is enabled... <span class="ipsEmoji">😉</span> <span style="color:#2980b9;">pic.twitter.com/AmOeGWltjm</span><br>
	 — hackerfantastic.crypto (@hackerfantastic) <span style="color:#2980b9;">June 1, 2022</span>
</p>

<p>
	 
</p>

<p>
	Users can protect their systems by doing what Microsoft recommends to mitigate the MSDT vulnerability. Removing the search-ms protocol handler from Windows Registry will help secure a system:
</p>

<p>
	 
</p>

<ol>
	<li>
		 Press <strong>Win + R</strong>, type <strong>cmd</strong> and press <strong>Ctrl + Shift + Enter</strong> to run Command Prompt as Administrator.
	</li>
	<li>
		 Type reg export <strong>HKEY_CLASSES_ROOT\search-ms search-ms.reg</strong> and press Enter to create a backup of the key.
	</li>
	<li>
		 Type reg delete <strong>HKEY_CLASSES_ROOT\search-ms /f</strong> and press Enter to remove the key from Windows Registry.
	</li>
</ol>

<p>
	<br>
	Microsoft is working on <span style="color:#2980b9;">fixing the vulnerabilities</span> in protocol handlers and related Windows features. Still, experts claim hackers will find other handlers to exploit, and Microsoft should focus on making it impossible to launch URL handlers in the Office apps without user interaction. A similar situation happened last year with <span style="color:#2980b9;">PrintNightmare </span>when Microsoft fixed one component just for researchers to <span style="color:#2980b9;">uncover other vulnerabilities</span>.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.neowin.net/news/protocol-vulnerability-allows-launching-malicious-windows-search-by-just-opening-word-file/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">6202</guid><pubDate>Thu, 02 Jun 2022 14:51:44 +0000</pubDate></item><item><title>ExpressVPN Removes Servers in India After Refusing to Comply with Government Order</title><link>https://nsaneforums.com/news/security-privacy-news/expressvpn-removes-servers-in-india-after-refusing-to-comply-with-government-order-r6200/</link><description><![CDATA[<p>
	Virtual Private Network (VPN) provider ExpressVPN on Thursday announced that it's removing Indian-based VPN servers in response to a new cybersecurity directive issued by the Indian Computer Emergency Response Team (CERT-In).
</p>

<p>
	<br />
	"Rest assured, our users will still be able to connect to VPN servers that will give them Indian IP addresses and allow them to access the internet as if they were located in India," the company said. "These 'virtual' India servers will instead be physically located in Singapore and the U.K."
</p>

<p>
	<br />
	The development comes as the CERT-In has enforced new controversial data retention requirements that are set to come into effect on June 27, 2022, and mandate VPN service providers to store subscribers' real names, contact details, and IP addresses assigned to them for at least five years.
</p>

<p>
	<br />
	The logged user data, CERT-In emphasized, will only be requested for the purposes of "cyber incident response, protective and preventive actions related to cyber incidents."
</p>

<p>
	<br />
	The agency has since clarified that this rule does not apply to corporate and enterprise VPN solutions and is only aimed at those operators who provide proxy-like services to "general Internet subscribers/users."
</p>

<p>
	<br />
	"The new data law [...], intended to help fight cybercrime, is incompatible with the purpose of VPNs, which are designed to keep users' online activity private," ExpressVPN said. "The law is also overreaching and so broad as to open up the window for potential abuse."
</p>

<p>
	<br />
	The rules, dubbed Cyber Security Directions, also mandate firms to report incidents of security lapses such as data breaches and ransomware attacks within six hours of noticing them.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2022/06/expressvpn-removes-servers-in-india.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">6200</guid><pubDate>Thu, 02 Jun 2022 14:06:01 +0000</pubDate></item></channel></rss>
