<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/125/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Protocol vulnerability allows launching malicious Windows Search by just opening Word file</title><link>https://nsaneforums.com/news/security-privacy-news/protocol-vulnerability-allows-launching-malicious-windows-search-by-just-opening-word-file-r6202/</link><description><![CDATA[<p>
	Following reports about <span style="color:#2980b9;">Microsoft Support Diagnostic Tool vulnerabilities</span>, researchers uncovered another zero-day that allows connection to remotely-hosted malware. The issue lies within a uniform resource identifier (URI) called "search-ms", responsible for allowing apps and links to launch searches on a computer.
</p>

<p>
	<br>
	Modern Windows versions, such as 11, 10, and 7, allow Windows Search to browse files locally and on remote hosts. The user can set a URI with the remote host address and the display name to appear on the title bar of the search window. Windows can launch personalized search windows using various methods, such as a web browser or Run (Win + R).
</p>

<p>
	<br>
	<span style="color:#2980b9;">BleepingComputer says</span> a bad actor can utilize the protocol handler to create, for example, a fake Windows Update directory and trick the user into clicking a malware disguised as a legitimate update. Still, execution requires an action from the target, and modern browsers, such as Microsoft Edge, have additional security warnings. This is where other flaws come into play.
</p>

<p>
	<br>
	As it turned out, one can combine the search-ms protocol handler with a new flaw in Microsoft Office OLEObject. It allows bypassing Protected View and launching URI protocol handlers without user interaction. @hackerfantastic demonstrated the idea by crafting a Word document that automatically opens a Windows Search window and connects to a remote SMB share. Because search-ms allows renaming search windows, hackers can prepare "personalized" searches to mislead their targets.
</p>

<p style="margin-left:40px;">
	<br>
	 Microsoft Office search-ms: URI handler exploitation, requires user-interaction. Unpatched. <span style="color:#2980b9;">pic.twitter.com/iYbZNtMpnx</span><br>
	 — hackerfantastic.crypto (@hackerfantastic) <span style="color:#2980b9;">June 1, 2022</span>
</p>

<p>
	<br>
	Another proof-of-concept shows an RTF document that does the same. This time, it does not even require launching Word. A new search window launches when File Explorer creates a preview on the Preview Pane.
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	Here is the same search-ms attack being leveraged through an RTF document when Windows Preview Pane is enabled... <span class="ipsEmoji">😉</span> <span style="color:#2980b9;">pic.twitter.com/AmOeGWltjm</span><br>
	 — hackerfantastic.crypto (@hackerfantastic) <span style="color:#2980b9;">June 1, 2022</span>
</p>

<p>
	 
</p>

<p>
	Users can protect their systems by doing what Microsoft recommends to mitigate the MSDT vulnerability. Removing the search-ms protocol handler from Windows Registry will help secure a system:
</p>

<p>
	 
</p>

<ol>
	<li>
		 Press <strong>Win + R</strong>, type <strong>cmd</strong> and press <strong>Ctrl + Shift + Enter</strong> to run Command Prompt as Administrator.
	</li>
	<li>
		 Type <strong>reg export HKEY_CLASSES_ROOT\search-ms search-ms.reg</strong> and press Enter to create a backup of the key.
	</li>
	<li>
		 Type <strong>reg delete HKEY_CLASSES_ROOT\search-ms /f</strong> and press Enter to remove the key from Windows Registry.
	</li>
</ol>

<p>
	<br>
	Microsoft is working on <span style="color:#2980b9;">fixing the vulnerabilities</span> in protocol handlers and related Windows features. Still, experts claim hackers will find other handlers to exploit, and Microsoft should focus on making it impossible to launch URI handlers in the Office apps without user interaction. A similar situation happened last year with <span style="color:#2980b9;">PrintNightmare</span>, when Microsoft fixed one component just for researchers to <span style="color:#2980b9;">uncover other vulnerabilities</span>.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.neowin.net/news/protocol-vulnerability-allows-launching-malicious-windows-search-by-just-opening-word-file/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">6202</guid><pubDate>Thu, 02 Jun 2022 14:51:44 +0000</pubDate></item><item><title>ExpressVPN Removes Servers in India After Refusing to Comply with Government Order</title><link>https://nsaneforums.com/news/security-privacy-news/expressvpn-removes-servers-in-india-after-refusing-to-comply-with-government-order-r6200/</link><description><![CDATA[<p>
	Virtual Private Network (VPN) provider ExpressVPN on Thursday announced that it's removing Indian-based VPN servers in response to a new cybersecurity directive issued by the Indian Computer Emergency Response Team (CERT-In).
</p>

<p>
	<br />
	"Rest assured, our users will still be able to connect to VPN servers that will give them Indian IP addresses and allow them to access the internet as if they were located in India," the company said. "These 'virtual' India servers will instead be physically located in Singapore and the U.K."
</p>

<p>
	<br />
	The development comes as the CERT-In has enforced new controversial data retention requirements that are set to come into effect on June 27, 2022, and mandate VPN service providers to store subscribers' real names, contact details, and IP addresses assigned to them for at least five years.
</p>

<p>
	<br />
	The logged user data, CERT-In emphasized, will only be requested for the purposes of "cyber incident response, protective and preventive actions related to cyber incidents."
</p>

<p>
	<br />
	The agency has since clarified that this rule does not apply to corporate and enterprise VPN solutions and is only aimed at those operators who provide proxy-like services to "general Internet subscribers/users."
</p>

<p>
	<br />
	"The new data law [...], intended to help fight cybercrime, is incompatible with the purpose of VPNs, which are designed to keep users' online activity private," ExpressVPN said. "The law is also overreaching and so broad as to open up the window for potential abuse."
</p>

<p>
	<br />
	The rules, dubbed Cyber Security Directions, also mandate firms to report incidents of security lapses such as data breaches and ransomware attacks within six hours of noticing them.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2022/06/expressvpn-removes-servers-in-india.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">6200</guid><pubDate>Thu, 02 Jun 2022 14:06:01 +0000</pubDate></item><item><title>Bitwarden's username generator now supports SimpleLogin, AnonAddy, and Firefox Relay email alias services</title><link>https://nsaneforums.com/news/security-privacy-news/bitwardens-username-generator-now-supports-simplelogin-anonaddy-and-firefox-relay-email-alias-services-r6199/</link><description><![CDATA[<p>
	Bitwarden has updated its browser extensions and Web Vault to improve its username generator. The cloud-based password manager <a data-wpel-link="internal" href="https://www.ghacks.net/2022/04/26/how-to-generate-unique-usernames-in-bitwarden-password-manager/" rel="external nofollow" target="_blank">introduced</a> the feature in April 2022.
</p>

<p>
	 
</p>

<p>
	<img alt="How-to-use-Bitwarden-with-SimpleLogin-or" class="ipsImage" data-ratio="75.10" height="478" width="720" src="https://www.ghacks.net/wp-content/uploads/2022/06/How-to-use-Bitwarden-with-SimpleLogin-or-AnonAddy.webp">
</p>

<p>
	 
</p>


<h3>
	What's new in Bitwarden 2022.05.0 Update
</h3>

<p>
	Bitwarden now supports <a data-wpel-link="internal" href="https://www.ghacks.net/2022/04/09/proton-ag-acquires-simplelogin-email-alias-service/" rel="external nofollow" target="_blank">SimpleLogin</a>, <a data-wpel-link="internal" href="https://www.ghacks.net/2019/11/25/a-look-at-the-email-forwarding-service-anonaddy/" rel="external nofollow" target="_blank">AnonAddy</a>, and <a data-wpel-link="internal" href="https://www.ghacks.net/2022/03/12/firefox-relay-update-brings-larger-attachment-sizes-and-a-filter-for-promotional-emails/" rel="external nofollow" target="_blank">Firefox Relay</a> for generating usernames. Users can take advantage of the email forwarding services to protect their privacy. So now the usernames that it generates are not only unique, but also mask the real email address to prevent it from being leaked in data breaches.
</p>

<p>
	 
</p>

<p>
	Note: The latest version of the Bitwarden extensions for Firefox, Chrome, and Edge is not yet available in the stores at the time of writing this post.
</p>

<p>
	 
</p>

<p>
	The <a data-wpel-link="external" href="https://bitwarden.com/blog/add-privacy-and-security-using-email-aliases-with-bitwarden/" rel="external nofollow" target="_blank">announcement</a> article on the company's blog illustrates how to use email aliases in Bitwarden. The username generator will allow users to select one of the three mail forwarding services. You will need to have an account with one of the services, and provide the API Key for your account in order for Bitwarden to register the created email alias with it. The password manager previously added the option to allow people to use plus email addresses, like example+notmyrealid@simplelogin.io. If your provider supports a catch-all inbox, you can use that too.
</p>

<p>
	 
</p>

<p>
	<img alt="Bitwardens-username-generator-now-suppor" class="ipsImage" data-ratio="109.53" height="540" width="395" src="https://www.ghacks.net/wp-content/uploads/2022/06/Bitwardens-username-generator-now-supports-SimpleLogin-AnonAddy-and-Firefox-Relay-email-alias-services.webp">
</p>

<p>
	Image courtesy: Bitwarden
</p>

<p>
	 
</p>

<p>
	The email alias feature is available in the Desktop apps and the browser add-ons. The Web Vault will also support the services at launch, except for Firefox Relay, which will be added in the future. The best part, of course, is that the email alias option in the username generator is available for all plans, i.e. free and paid users can make use of it.
</p>

<h3>
	How to use Bitwarden with SimpleLogin or AnonAddy
</h3>

<p>
	1. Go to your Bitwarden Vault, and access the <a data-wpel-link="external" href="https://vault.bitwarden.com/#/tools/generator" rel="external nofollow" target="_blank">Tools page</a>.
</p>

<p>
	 
</p>

<p>
	2. Switch to the Generator Tab.
</p>

<p>
	 
</p>

<p>
	3. Select generate "Username".
</p>

<p>
	 
</p>

<p>
	4. Toggle the option for the service that you would like to use. I'm using SimpleLogin in this example.
</p>

<p>
	 
</p>

<p>
	5. Enter the API Key from your email forwarding service's account. You can get it from <a data-wpel-link="external" href="https://app.simplelogin.io/dashboard/api_key" rel="external nofollow" target="_blank">this page</a>.
</p>

<p>
	 
</p>

<p>
	6. Click the Regenerate username button and Bitwarden will generate an alias with your selected service.
</p>

<p>
	 
</p>

<p>
	<img alt="bitwarden-simplelogin.webp" class="ipsImage" data-ratio="79.72" height="511" width="641" src="https://www.ghacks.net/wp-content/uploads/2022/06/bitwarden-simplelogin.webp">
</p>

<p>
	 
</p>

<p>
	The <a data-wpel-link="external" href="https://github.com/bitwarden/clients/releases" rel="external nofollow" target="_blank">change-log</a> on the project's GitHub reveals some more features that have been added in this update. The browser extension will split credit card numbers into groups of 4, which is the standard formatting used across most payment gateways. The Bitwarden extension's performance has been improved, and you should see a reduction in its CPU and memory usage.
</p>

<p>
	 
</p>

<p>
	Bitwarden has changed its version numbering system. The latest one is Bitwarden 2022.05.0. The format represents the year, month and release number of the version. For reference, the previous version of the browser extensions is 1.58.0, while the desktop client's build number is 1.33.0.
</p>

<h2>
	Bitwarden Web Vault
</h2>

<p>
	The Bitwarden Web Vault has also received some improvements. Users who have a Self-hosted Enterprise Organization can issue Sponsorship for Families Organization via Billing Sync. There are new filters for organization, and the company says that this is the first phase of its plans to update the Web Vault UI for all users.
</p>

<p>
	 
</p>

<p>
	The <a data-wpel-link="external" href="https://github.com/bitwarden/web/releases" rel="external nofollow" target="_blank">Web Vault</a> gains a new feature called Vault item linking. You can share an item by copying its URL (a link containing the CipherID) with members who have access to your vault. When they click on the link, it will directly open the corresponding item.
</p>

<p>
	 
</p>

<p>
	The Bitwarden mobile app for Android now lets you switch accounts from the auto-fill flow. If you are on a website's login page but Bitwarden can't find the entry in your vault, you can tap the avatar bubble and switch to your other account directly. hCaptcha image challenges can be bypassed using the accessibility option.
</p>

<p>
	 
</p>


<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2022/06/02/bitwardens-username-generator-now-supports-simplelogin-anonaddy-and-firefox-relay-email-alias-services/" rel="external nofollow">Bitwarden's username generator now supports SimpleLogin, AnonAddy, and Firefox Relay email alias services</a>
</p>
]]></description><guid isPermaLink="false">6199</guid><pubDate>Thu, 02 Jun 2022 05:19:10 +0000</pubDate></item><item><title>New Windows Search zero-day added to Microsoft protocol nightmare</title><link>https://nsaneforums.com/news/security-privacy-news/new-windows-search-zero-day-added-to-microsoft-protocol-nightmare-r6196/</link><description><![CDATA[<p>
	A new Windows Search zero-day vulnerability can be used to automatically open a search window containing remotely-hosted malware executables simply by launching a Word document.
</p>

<p>
	 
</p>

<p>
	The security issue can be leveraged because Windows supports a URI protocol handler called 'search-ms' that allows applications and HTML links to launch customized searches on a device.
</p>

<p>
	 
</p>

<p>
	While most Windows searches will look on the local device's index, it is also possible to force Windows Search to query file shares on remote hosts and use a custom title for the search window.
</p>

<p>
	 
</p>

<p>
	For example, the popular Sysinternals toolset allows you to remotely mount <a href="https://live.sysinternals.com" rel="external nofollow" target="_blank">live.sysinternals.com</a> as a network share to launch their utilities. To search this remote share and list only files matching a particular name, you could use the following 'search-ms' URI:
</p>

<pre style="margin-left: 40px;">search-ms:query=proc&amp;crumb=location:%5C%5Clive.sysinternals.com&amp;displayname=Searching%20Sysinternals</pre>

<p>
	As you can see from the command above, the search-ms 'crumb' variable specifies the location to search, and the 'displayname' variable specifies the search title.
</p>

<p>
	 
</p>

<p>
	A customized search window will appear when this command is executed from a Run dialog or web browser address bar on Windows 7, Windows 10, and Windows 11, as shown below.
</p>

<p>
	 
</p>

<p>
	<img alt="search-ms-sysinternals.jpg" class="ipsImage" data-ratio="75.10" height="418" width="720" src="https://www.bleepstatic.com/images/news/Microsoft/vulnerabilities/search-ms-protocol-handler/search-ms-sysinternals.jpg">
</p>

<p>
	 
</p>

<div>
	<div>
		Windows Search on a remote file share. Source: BleepingComputer
	</div>

	<p>
		 
	</p>
</div>

<p>
	Notice how the window title is set to the 'Searching Sysinternals' display name we specified in the search-ms URI.
</p>

<p>
	 
</p>

<p>
	Threat actors could use this same approach for malicious attacks, where phishing emails are sent pretending to be security updates or patches that need to be installed.
</p>

<p>
	 
</p>

<p>
	They can then set up a remote Windows share that can be used to host malware disguised as security updates and then include the search-ms URI in their phishing attachments or emails.
</p>

<p>
	 
</p>

<p>
	However, it would not be easy to get a user to click on a URL like this, especially when it displays a warning, as shown below.
</p>

<p>
	 
</p>

<p>
	<img alt="search-ms-edge.jpg" class="ipsImage" data-ratio="66.39" height="349" width="720" src="https://www.bleepstatic.com/images/news/Microsoft/vulnerabilities/search-ms-protocol-handler/search-ms-edge.jpg">
</p>

<p>
	 
</p>

<div>
	<div>
		Browser warning when launching URI protocol handlers. Source: BleepingComputer
	</div>

	<p>
		 
	</p>
</div>

<p>
	But Hacker House co-founder and security researcher Matthew Hickey found a way by combining a newly discovered Microsoft Office OLEObject flaw with the search-ms protocol handler to open a remote search window simply by opening a Word document.
</p>

<h2>
	Microsoft Office takes it to the next level
</h2>

<p>
	This week, <a href="http://twitter.com/nao_sec/status/1530196847679401984" rel="external nofollow" target="_blank">researchers discovered</a> that threat actors were utilizing a new Windows zero-day vulnerability in Microsoft Windows Support Diagnostic Tool (MSDT). To exploit it, threat actors created malicious Word documents that launched the 'ms-msdt' URI protocol handler to execute PowerShell commands simply by opening the document.
</p>

<p>
	 
</p>

<p>
	Identified as <a href="http://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190" rel="external nofollow" target="_blank">CVE-2022-30190</a>, the flaw makes it possible to modify Microsoft Office documents to bypass Protected View and launch URI protocol handlers without interaction by users, which will only lead to further abuse of protocol handlers.
</p>

<p>
	 
</p>

<p>
	This was seen yesterday when <a href="http://twitter.com/hackerfantastic/status/1531789430922567681?ref_src=twsrc%5Etfw" rel="external nofollow" target="_blank">Hickey converted existing Microsoft Word MSDT exploits</a> to use the search-ms protocol handler we described earlier.
</p>

<p>
	 
</p>

<p>
	With this new PoC, when a user opens a Word document, it will automatically launch a 'search-ms' command to open a Windows Search window that lists executables on a remote SMB share. This share can be named whatever the threat actor wants, such as 'Critical Updates,' prompting the users to install the listed malware.
</p>

<p>
	 
</p>

<p>
	<a href="https://twitter.com/hackerfantastic/status/1531789430922567681" rel="external nofollow" target="_blank">Embedded tweet: @hackerfantastic, status 1531789430922567681</a>
</p>

<p>
	 
</p>

<p>
	Like the MSDT exploits, Hickey also showed that you could create RTF versions that automatically open a Windows Search window when the document is rendered in the Explorer preview pane.
</p>

<p>
	 
</p>

<p>
	<a href="https://twitter.com/hackerfantastic/status/1532021007749455872" rel="external nofollow" target="_blank">Embedded tweet: @hackerfantastic, status 1532021007749455872</a>
</p>

<p>
	 
</p>

<p>
	By using this type of malicious Word document, threat actors can create elaborate phishing campaigns that automatically launch Windows Search windows on recipients' devices to trick them into launching malware.
</p>

<p>
	 
</p>

<p>
	While this exploit is not as severe as the MS-MSDT remote code execution vulnerability, it could lead to abuse by industrious threat actors who want to create sophisticated phishing campaigns.
</p>

<p>
	 
</p>

<p>
	Although we've already found ways threat actors could exploit this new flaw in the wild, we're not going to share this information for obvious reasons.
</p>

<p>
	 
</p>

<p>
	To mitigate this vulnerability, Hickey says you can use the same <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-mitigation-for-office-zero-day-exploited-in-attacks/" target="_blank" rel="external nofollow">mitigation for ms-msdt exploits</a> - delete the search-ms protocol handler from the Windows Registry.
</p>

<p>
	 
</p>

<ol>
	<li>
		Run Command Prompt as Administrator.
	</li>
	<li>
		To back up the registry key, execute the command "reg export HKEY_CLASSES_ROOT\search-ms search-ms.reg"
	</li>
	<li>
		Execute the command "reg delete HKEY_CLASSES_ROOT\search-ms /f"
	</li>
</ol>

<h2>
	A Windows ProtocolNightmare
</h2>

<p>
	Neither the MSDT nor the search-ms abuse technique is new; both were initially disclosed by Benjamin Altpeter in 2020 in his <a href="https://benjamin-altpeter.de/doc/thesis-electron.pdf" rel="external nofollow" target="_blank">thesis about Electron application security</a>.
</p>

<p>
	 
</p>

<p>
	However, it wasn't until recently that they started to be weaponized in Word documents for phishing attacks without user interaction, which turned them into zero-day vulnerabilities.
</p>

<p>
	 
</p>

<p>
	Based on Microsoft's <a href="https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/" rel="external nofollow" target="_blank">guidance for CVE-2022-30190</a>, the company appears to be tackling the flaws in the protocol handlers and their underlying Windows features, rather than the fact that threat actors can abuse Microsoft Office to launch these URIs without user interaction.
</p>

<p>
	 
</p>

<p>
	As CERT/CC vulnerability analyst Will Dormann says, these exploits actually utilize two different flaws. Without fixing the Microsoft Office URI issue, further protocol handlers will be abused.
</p>

<p>
	 
</p>

<p>
	<img alt="dormann-tweet.jpg" class="ipsImage" data-ratio="75.10" height="514" width="720" src="https://www.bleepstatic.com/images/news/Microsoft/vulnerabilities/search-ms-protocol-handler/dormann-tweet.jpg">
</p>

<p>
	 
</p>

<p>
	Hickey also told BleepingComputer that he believes this is not necessarily a flaw in the protocol handlers, but rather a combination leading to a 'Microsoft Office OLEObject search-ms Location Path Spoofing Vulnerability.'
</p>

<p>
	 
</p>

<p>
	"The next best thing is to fix the search abilities title and location setting messages to prevent such spoofing attacks or disable it as a URI handler," explained Hickey in a conversation about the flaws.
</p>

<p>
	 
</p>

<p>
	Last June, researchers accidentally disclosed the technical details and a proof-of-concept (PoC) exploit for a Windows Spooler RCE vulnerability named <a href="https://www.bleepingcomputer.com/news/security/public-windows-printnightmare-0-day-exploit-allows-domain-takeover/" target="_blank" rel="external nofollow">PrintNightmare</a>.
</p>

<p>
	 
</p>

<p>
	While the RCE component was quickly fixed, a wide range of local privilege elevation vulnerabilities <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-remaining-windows-printnightmare-vulnerabilities/" target="_blank" rel="external nofollow">were discovered</a> that continued to be disclosed under the 'PrintNightmare' classification.
</p>

<p>
	 
</p>

<p>
	It wasn't until Microsoft made some drastic changes to Windows Printing that they finally got control of this vulnerability class, even though it caused <a href="https://www.bleepingcomputer.com/news/microsoft/how-to-fix-printers-asking-for-admins-creds-after-printnightmare-patch/" target="_blank" rel="external nofollow">numerous printing problems</a> for <a href="https://www.bleepingcomputer.com/news/microsoft/how-to-fix-the-windows-0x0000007c-network-printing-error/" target="_blank" rel="external nofollow">some time</a>.
</p>

<p>
	 
</p>

<p>
	By tackling the problem only at the protocol handler/Windows feature side, Microsoft is facing a whole new 'ProtocolNightmare' classification where researchers will continue to find new URI handlers to abuse in attacks.
</p>

<p>
	 
</p>

<p>
	Until Microsoft makes it impossible to launch URI handlers in Microsoft Office without user interaction, be prepared for a whole series of similar news articles as new exploits are released.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/new-windows-search-zero-day-added-to-microsoft-protocol-nightmare/" rel="external nofollow">New Windows Search zero-day added to Microsoft protocol nightmare</a>
</p>
]]></description><guid isPermaLink="false">6196</guid><pubDate>Thu, 02 Jun 2022 05:09:50 +0000</pubDate></item><item><title>Rampant spam has forced Google to turn off RCS ads in India</title><link>https://nsaneforums.com/news/security-privacy-news/rampant-spam-has-forced-google-to-turn-off-rcs-ads-in-india-r6187/</link><description><![CDATA[<h3>
	Another bump in the road for Google’s messaging platform
</h3>

<p>
	Google Messages users in India <a href="https://www.theverge.com/2022/5/18/23121150/google-messages-india-rcs-ads" rel="external nofollow">have reported receiving a deluge of unwanted ads</a> in recent weeks using Rich Communication Services (<a href="https://www.theverge.com/2018/12/12/18137937/rcs-rich-communication-service-messaging-explainer-what-is-google-chat" rel="external nofollow">RCS</a>), and Google has employed a response strategy: turn them all off. Company spokesperson Kaori Miyake confirmed to The Verge that Google has disabled the feature in India: “We are aware that some businesses are abusing our anti-spam policies to send promotional messages to users in India. We are disabling this feature in India while we work with the industry to improve the experience for users.”
</p>

<p>
	 
</p>

<p>
	The ads in question were delivered by way of RCS’ business messaging feature, which allows verified businesses to send messages to customers that go beyond a typical text, with images and interactive features. <a href="https://developers.google.com/business-communications/rcs-business-messaging" rel="external nofollow">Google pitches it</a> as a way for brands to communicate with established customers — messages you might actually want on your phone. But people using RCS in India have experienced it quite differently. They’ve seen frequent messages coming in from businesses pushing credit cards and gambling apps, among other things.
</p>

<p>
	 
</p>

<p>
	Until now, people reported that the only way to avoid the onslaught of ads was to turn off RCS altogether — not an ideal experience. Google’s move to turn off business messaging is a better alternative in the short term, but it’s clearly not a long-term fix. In 2019, Android Messages product management director Sanaz Ahari <a href="https://www.theverge.com/2019/6/17/18681573/google-rcs-chat-android-texting-carriers-imessage-encryption" rel="external nofollow">told us that the company’s vision for RCS</a> was “a great, simple user experience that just works for every Android user.” RCS has come a long way since then, but there’s obviously still some work to do.
</p>

<p>
	 
</p>

<p>
	<strong>Update June 1st, 4:00PM ET:</strong> Updated to include a statement from Google.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.theverge.com/2022/6/1/23150243/google-rcs-ads-india-spam-verified-business" rel="external nofollow">Rampant spam has forced Google to turn off RCS ads in India</a>
</p>
]]></description><guid isPermaLink="false">6187</guid><pubDate>Wed, 01 Jun 2022 20:57:03 +0000</pubDate></item><item><title>Chinese Hackers Begin Exploiting Latest Microsoft Office Zero-Day Vulnerability</title><link>https://nsaneforums.com/news/security-privacy-news/chinese-hackers-begin-exploiting-latest-microsoft-office-zero-day-vulnerability-r6177/</link><description><![CDATA[<p>
	An advanced persistent threat (APT) actor aligned with Chinese state interests has been observed weaponizing the new zero-day flaw in Microsoft Office to achieve code execution on affected systems.
</p>

<p>
	<br />
	"TA413 CN APT spotted [in-the-wild] exploiting the Follina zero-day using URLs to deliver ZIP archives which contain Word Documents that use the technique," enterprise security firm Proofpoint said in a tweet.
</p>

<p>
	<br />
	"Campaigns impersonate the 'Women Empowerments Desk' of the Central Tibetan Administration and use the domain tibet-gov.web[.]app."
</p>

<p>
	<br />
	TA413 is best known for its campaigns aimed at the Tibetan diaspora to deliver implants such as Exile RAT and Sepulcher as well as a rogue Firefox browser extension dubbed FriarFox.
</p>

<p>
	<br />
	The high-severity security flaw, dubbed Follina and tracked as CVE-2022-30190 (CVSS score: 7.8), relates to a case of remote code execution that abuses the "ms-msdt:" protocol URI scheme to execute arbitrary code.
</p>

<p>
	<br />
	Specifically, the attack makes it possible for threat actors to circumvent Protected View safeguards for suspicious files by simply changing the document to a Rich Text Format (RTF) file, thereby allowing the injected code to be run without even opening the document via the Preview Pane in Windows File Explorer.
</p>

<p>
	<br />
	While the bug gained widespread attention last week, evidence points to active exploitation of the diagnostic tool flaw in real-world attacks targeting Russian users over a month ago on April 12, 2022, when it was disclosed to Microsoft.
</p>

<p>
	<br />
	The company, however, did not deem it a security issue and closed the vulnerability submission report, citing reasons that the MSDT utility requires a passkey provided by a support technician before it can execute payloads.
</p>

<p>
	<br />
	The vulnerability exists in all currently supported Windows versions and can be exploited via Microsoft Office versions Office 2013 through Office 21 and Office Professional Plus editions.
</p>

<p>
	<br />
	"This elegant attack is designed to bypass security products and fly under the radar by leveraging Microsoft Office's remote template feature and the ms-msdt protocol to execute malicious code, all without the need for macros," Malwarebytes' Jerome Segura noted.
</p>

<p>
	<br />
	Although there is no official patch available at this point, Microsoft has recommended disabling the MSDT URL protocol to prevent the attack vector. Additionally, it's been advised to turn off the Preview Pane in File Explorer.
</p>

<p>
	<br />
	"What makes 'Follina' stand out is that this exploit does not take advantage of Office macros and, therefore, it works even in environments where macros have been disabled entirely," Nikolas Cemerikic of Immersive Labs said.
</p>

<p>
	<br />
	"All that's required for the exploit to take effect is for a user to open and view the Word document, or to view a preview of the document using the Windows Explorer Preview Pane. Since the latter does not require Word to launch fully, this effectively becomes a zero-click attack."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2022/05/chinese-hackers-begin-exploiting-latest.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">6177</guid><pubDate>Wed, 01 Jun 2022 14:55:00 +0000</pubDate></item><item><title>You Need to Update iOS, Chrome, Windows, and Zoom ASAP</title><link>https://nsaneforums.com/news/security-privacy-news/you-need-to-update-ios-chrome-windows-and-zoom-asap-r6169/</link><description><![CDATA[<p>
	May has been another busy month of security updates, with Google’s Chrome browser and Android operating system, Zoom, and Apple’s iOS releasing patches to fix serious vulnerabilities.
</p>

<p>
	 
</p>

<p>
	Meanwhile, things have not run smoothly for Microsoft, which was forced to issue an out-of-band update after a disastrous Patch Tuesday during the month. And Cisco, Nvidia, Zoom, and VMWare all issued patches for pressing flaws.
</p>

<p>
	 
</p>

<p>
	Here’s what you need to know.
</p>

<p>
	 
</p>

<p>
	With Apple due to announce iOS 16 at its <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://developer.apple.com/wwdc22/"}' data-offer-url="https://developer.apple.com/wwdc22/" href="https://developer.apple.com/wwdc22/" rel="external nofollow" target="_blank">Worldwide Developers Conference</a> in June, the iPhone maker released probably its last major iOS 15-point update in May. It came with new features, but iOS and iPadOS 15.5 also fixed 34 security vulnerabilities, some of which are serious.
</p>

<p>
	 
</p>

<p>
	Security issues fixed in iOS 15.5 include flaws in the Kernel, as well as in the WebKit browser engine, according to Apple’s <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://support.apple.com/en-us/HT213258"}' data-offer-url="https://support.apple.com/en-us/HT213258" href="https://support.apple.com/en-us/HT213258" rel="external nofollow" target="_blank">support page</a>. Thankfully, none of the issues patched in iOS and iPadOS 15.5 are being used in attacks, according to the company, but that doesn’t mean they won’t be if you don’t update now.
</p>


<p>
	Meanwhile, users of <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://support.apple.com/en-gb/HT213256"}' data-offer-url="https://support.apple.com/en-gb/HT213256" href="https://support.apple.com/en-gb/HT213256" rel="external nofollow" target="_blank">macOS</a>, <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://support.apple.com/en-gb/HT213254"}' data-offer-url="https://support.apple.com/en-gb/HT213254" href="https://support.apple.com/en-gb/HT213254" rel="external nofollow" target="_blank">tvOS</a>, and the <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://support.apple.com/en-gb/HT213253"}' data-offer-url="https://support.apple.com/en-gb/HT213253" href="https://support.apple.com/en-gb/HT213253" rel="external nofollow" target="_blank">Apple Watch</a> should update their devices ASAP, as Apple also issued an emergency update to patch an issue it believes is already being used in attacks. The flaw in <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://developer.apple.com/av-foundation/"}' data-offer-url="https://developer.apple.com/av-foundation/" href="https://developer.apple.com/av-foundation/" rel="external nofollow" target="_blank">Apple AVD</a>, labeled CVE-2022-22675, could allow an app to execute code with Kernel privileges. Issues in the Kernel are as bad as it gets, so it’s worth checking and updating your devices right away.
</p>

<p>
	 
</p>

<p>
	Microsoft’s May Patch Tuesday was something of a disaster for the diligent businesses that installed it straight away.
</p>

<p>
	 
</p>

<p>
	On May 10, the firm issued <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.forbes.com/sites/daveywinder/2022/05/12/critical-security-alert-for-microsoft-windows-10-server-users-attacks-underway/?sh=4baf3fee526e"}' data-offer-url="https://www.forbes.com/sites/daveywinder/2022/05/12/critical-security-alert-for-microsoft-windows-10-server-users-attacks-underway/?sh=4baf3fee526e" href="https://www.forbes.com/sites/daveywinder/2022/05/12/critical-security-alert-for-microsoft-windows-10-server-users-attacks-underway/?sh=4baf3fee526e" rel="external nofollow" target="_blank">security updates</a> to fix <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://msrc.microsoft.com/update-guide/en-us"}' data-offer-url="https://msrc.microsoft.com/update-guide/en-us" href="https://msrc.microsoft.com/update-guide/en-us" rel="external nofollow" target="_blank">75 vulnerabilities</a>, eight labeled as serious and three that were being exploited by attackers. The issues fixed in May’s Patch Tuesday were important, but there were soon problems for some Microsoft users, who <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.bleepingcomputer.com/news/microsoft/microsoft-may-windows-updates-cause-ad-authentication-failures/"}' data-offer-url="https://www.bleepingcomputer.com/news/microsoft/microsoft-may-windows-updates-cause-ad-authentication-failures/" href="https://www.bleepingcomputer.com/news/microsoft/microsoft-may-windows-updates-cause-ad-authentication-failures/" rel="external nofollow" target="_blank">reported</a> authentication failures after installing the latest updates. It impacted people using the client and server Windows platforms and systems running all Windows versions, including Windows 11 and Windows Server 2022.
</p>

<p>
	 
</p>

<p>
	In a bid to fix the problem, the firm was forced to issue an out-of-band update for Windows 10, Windows 11, and Windows Server 2008, 2012, 2016, 2019, and 2022 on May 20. The update won’t install automatically—you need to download it from Microsoft’s <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.catalog.update.microsoft.com/Home.aspx"}' data-offer-url="https://www.catalog.update.microsoft.com/Home.aspx" href="https://www.catalog.update.microsoft.com/Home.aspx" rel="external nofollow" target="_blank">update catalog</a>.
</p>

<p>
	 
</p>

<p>
	In early May, Mozilla released <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.mozilla.org/en-US/security/advisories/mfsa2022-16/"}' data-offer-url="https://www.mozilla.org/en-US/security/advisories/mfsa2022-16/" href="https://www.mozilla.org/en-US/security/advisories/mfsa2022-16/" rel="external nofollow" target="_blank">Firefox 100</a>, including nine security fixes for its Firefox browser, of which seven were rated as high severity. But later in May, ethical hackers at the <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.zerodayinitiative.com/blog/2022/5/18/pwn2own-vancouver-2022-the-results"}' data-offer-url="https://www.zerodayinitiative.com/blog/2022/5/18/pwn2own-vancouver-2022-the-results" href="https://www.zerodayinitiative.com/blog/2022/5/18/pwn2own-vancouver-2022-the-results" rel="external nofollow" target="_blank">Pwn2Own</a> competition in Vancouver were able to demonstrate how attackers could execute JavaScript code on devices running the latest Mozilla software. Mozilla <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.mozilla.org/en-US/security/advisories/mfsa2022-19/#CVE-2022-1529"}' data-offer-url="https://www.mozilla.org/en-US/security/advisories/mfsa2022-19/#CVE-2022-1529" href="https://www.mozilla.org/en-US/security/advisories/mfsa2022-19/#CVE-2022-1529" rel="external nofollow" target="_blank">fixed</a> the issues in another update: Firefox 100.0.2, Firefox ESR 91.9.1, Firefox for Android 100.3, and Thunderbird 91.9.1. Click those update buttons.
</p>

<p>
	 
</p>

<p>
	May’s Android security update is a big one, patching 36 vulnerabilities, including an issue already being exploited by attackers. This <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog"}' data-offer-url="https://www.cisa.gov/known-exploited-vulnerabilities-catalog" href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog" rel="external nofollow" target="_blank">exploited</a> flaw is a privilege escalation bug in the Linux Kernel known as “<a data-event-click='{"element":"ExternalLink","outgoingURL":"https://dirtypipe.cm4all.com/"}' data-offer-url="https://dirtypipe.cm4all.com/" href="https://dirtypipe.cm4all.com/" rel="external nofollow" target="_blank">The Dirty Pipe</a>.”
</p>

<p>
	 
</p>

<p>
	The flaw, which impacts newer Android devices running Android 12 and later, was disclosed by Google in February, but it has taken a while to reach devices.
</p>

<p>
	 
</p>

<p>
	Other Android security fixes in May include 15 high-severity and one critical-severity vulnerability in Qualcomm components, two denial-of-service flaws in the Android System, and three high-severity issues in MediaTek components.
</p>

<p>
	 
</p>

<p>
	Google Pixel and Samsung users, in particular, should look out for the May update, as <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://source.android.com/security/bulletin/pixel/2022-05-01"}' data-offer-url="https://source.android.com/security/bulletin/pixel/2022-05-01" href="https://source.android.com/security/bulletin/pixel/2022-05-01" rel="external nofollow" target="_blank">additional vulnerabilities</a> have been fixed on <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://security.samsungmobile.com/securityUpdate.smsb"}' data-offer-url="https://security.samsungmobile.com/securityUpdate.smsb" href="https://security.samsungmobile.com/securityUpdate.smsb" rel="external nofollow" target="_blank">these devices</a>. The update has so far reached Android devices, <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.xda-developers.com/may-2022-security-patches-samsung-devices/"}' data-offer-url="https://www.xda-developers.com/may-2022-security-patches-samsung-devices/" href="https://www.xda-developers.com/may-2022-security-patches-samsung-devices/" rel="external nofollow" target="_blank">including</a> the Samsung Galaxy S22, Galaxy S22+, and Galaxy S22 Ultra, as well as the Galaxy Tab S8 series, the Galaxy Watch 4 series, and the Galaxy S21 series.
</p>

<p>
	 
</p>

<p>
	Another month, another major Google <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://chromereleases.googleblog.com/2022/05/stable-channel-update-for-desktop_24.html"}' data-offer-url="https://chromereleases.googleblog.com/2022/05/stable-channel-update-for-desktop_24.html" href="https://chromereleases.googleblog.com/2022/05/stable-channel-update-for-desktop_24.html" rel="external nofollow" target="_blank">Chrome security update</a>, this time for 32 issues, of which one is rated as critical and eight are deemed high severity. The critical issue, CVE-2022-1853, impacts the IndexedDB feature, while the high-rated flaws affect areas that include DevTools, UI foundations, and the user education function.
</p>

<p>
	 
</p>

<p>
	None of the flaws fixed in Chrome 102 have been exploited, Google says. This is in contrast to <a href="https://www.wired.co.uk/article/ios-android-chrome-updates-april-2022" rel="external nofollow">April</a>, when the company issued emergency updates to fix several already exploited vulnerabilities in its Chromium-based browser.
</p>

<p>
	 
</p>

<p>
	Earlier in May, Google released 13 fixes in Chrome v101.0.4951.61 for Android, with eight of these rated as having a high-severity impact.
</p>

<p>
	 
</p>

<p>
	Cisco has fixed <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-NFVIS-MUL-7DySRX9#details"}' data-offer-url="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-NFVIS-MUL-7DySRX9#details" href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-NFVIS-MUL-7DySRX9#details" rel="external nofollow" target="_blank">multiple vulnerabilities</a> in Cisco Enterprise NFV Infrastructure Software that could allow an attacker to escape from the guest virtual machine to the host machine, inject commands that execute at the root level, or leak system data from the host to the virtual machine.
</p>

<p>
	 
</p>

<p>
	It goes without saying that these high-severity issues—tracked as CVE-2022-20777, CVE-2022-20779, and CVE-2022-20780—are serious, so it’s a good idea to update as soon as possible.
</p>

<p>
	 
</p>

<p>
	Chip manufacturer Nvidia issued a <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://nvidia.custhelp.com/app/answers/detail/a_id/5353#security-updates-for-nvidia-gpu-display-driver"}' data-offer-url="https://nvidia.custhelp.com/app/answers/detail/a_id/5353#security-updates-for-nvidia-gpu-display-driver" href="https://nvidia.custhelp.com/app/answers/detail/a_id/5353#security-updates-for-nvidia-gpu-display-driver" rel="external nofollow" target="_blank">security update</a> in mid-May for its Nvidia GPU display driver to fix flaws that could allow denial of service, information disclosure, or data tampering. The list of 10 vulnerabilities includes issues in the Kernel mode layer on Windows and Linux devices. The updates themselves can be found on Nvidia’s <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.nvidia.com/Download/index.aspx"}' data-offer-url="https://www.nvidia.com/Download/index.aspx" href="https://www.nvidia.com/Download/index.aspx" rel="external nofollow" target="_blank">downloads website</a>.
</p>

<p>
	 
</p>

<p>
	Video conferencing app <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://explore.zoom.us/en/trust/security/security-bulletin/"}' data-offer-url="https://explore.zoom.us/en/trust/security/security-bulletin/" href="https://explore.zoom.us/en/trust/security/security-bulletin/" rel="external nofollow" target="_blank">Zoom</a> has released version 5.10.0 to fix an <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://nvd.nist.gov/vuln/detail/CVE-2022-22787"}' data-offer-url="https://nvd.nist.gov/vuln/detail/CVE-2022-22787" href="https://nvd.nist.gov/vuln/detail/CVE-2022-22787" rel="external nofollow" target="_blank">issue</a> found by security researchers at Google’s Project Zero in February. The flaw in messaging protocol XMPP doesn’t require any interaction from the user in order to execute the attack. “User interaction is not required for a successful attack. The only ability an attacker needs is to be able to send messages to the victim over Zoom chat over XMPP protocol,” says security researcher Ivan Fratric, who <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://bugs.chromium.org/p/project-zero/issues/detail?id=2254"}' data-offer-url="https://bugs.chromium.org/p/project-zero/issues/detail?id=2254" href="https://bugs.chromium.org/p/project-zero/issues/detail?id=2254" rel="external nofollow" target="_blank">describes</a> how the attacker can force the victim client to connect to a malicious server, resulting in arbitrary code execution.
</p>

<p>
	 
</p>

<p>
	Cloud provider VMWare has released <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.vmware.com/security/advisories/VMSA-2022-0014.html"}' data-offer-url="https://www.vmware.com/security/advisories/VMSA-2022-0014.html" href="https://www.vmware.com/security/advisories/VMSA-2022-0014.html" rel="external nofollow" target="_blank">patches</a> to fix multiple issues, including a privilege escalation vulnerability (CVE-2022-22973) and an authentication bypass flaw (CVE-2022-22972), the latter of which it says must be applied immediately as “the ramifications are serious.”
</p>

<p>
	 
</p>


<p>
	<a href="https://www.wired.com/story/ios-chrome-android-windows-update-may-2022/" rel="external nofollow">You Need to Update iOS, Chrome, Windows, and Zoom ASAP</a>
</p>

<p>
	 
</p>

<p>
	(May require free registration to view)
</p>
]]></description><guid isPermaLink="false">6169</guid><pubDate>Tue, 31 May 2022 21:42:11 +0000</pubDate></item><item><title>Microsoft issues warning about RCE exploit in its Windows diagnostic tool</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-issues-warning-about-rce-exploit-in-its-windows-diagnostic-tool-r6154/</link><description><![CDATA[<p>
	If you've ever contacted Microsoft support directly about some issue in your Windows or Windows Server system, you have possibly been directed to use Microsoft Support Diagnostic Tool (MSDT). You can open it by typing <strong>msdt</strong> in Windows Run (Win + R) after which you'll be asked for a passkey provided by the support representative. Once you enter this, you will be able to run some diagnostics and send the results directly to Microsoft for further analysis.
</p>

<p>
	<br />
	However, Microsoft has now issued an advisory about a remote code execution (RCE) vulnerability present in MSDT. The security flaw affects virtually all supported versions of Windows and Windows Server, including Windows 7, 8.1, 10, 11, Windows Server 2008, 2012, 2016, 2019, and 2022.
</p>

<p>
	<br />
	The issue in question is being tracked under CVE-2022-30190 and has a high severity level. Although Microsoft hasn't gone into the full details, likely because the flaw has not been patched yet, it has explained that RCE can happen when MSDT is invoked using the URL protocol from a calling application, such as Microsoft Word.
</p>

<p>
	<br />
	The attacker will be able to run arbitrary code that can view, delete, or alter your files through the privileges of the calling application. So, for example, if MSDT is invoked through Microsoft Word running with admin privileges, an attacker would get the same admin privileges - which is obviously not good.<br />
	For now, Microsoft has recommended disabling MSDT through the following commands that you can run in Command Prompt:
</p>

<p>
	 
</p>

<ul>
	<li>
		 Run Command Prompt as Administrator
	</li>
	<li>
		 To back up the registry key, execute the command "reg export HKEY_CLASSES_ROOT\ms-msdt <em>filename</em>"
	</li>
	<li>
		 Execute the command "reg delete HKEY_CLASSES_ROOT\ms-msdt /f"
	</li>
</ul>

<p>
	<br />
	However, if you later find out that you'd rather take the risk because MSDT is critical to your workflow, you can revert the workaround through the following process:
</p>

<p>
	 
</p>

<ul>
	<li>
		 Run Command Prompt as Administrator.
	</li>
	<li>
		 To reimport the registry key, execute the command "reg import <em>filename</em>"
	</li>
</ul>

<p>
	<br />
	As it currently stands, Microsoft is still working on a fix. It has highlighted that the security flaw is being exploited in the wild so it is important to enable cloud-delivered protection and automatic sample submission through Microsoft Defender. Meanwhile, Microsoft Defender for Endpoint customers should also configure policies to reduce the attack surface from child processes of Office apps.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.neowin.net/news/microsoft-issues-warning-about-rce-exploit-in-its-windows-diagnostic-tool/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">6154</guid><pubDate>Tue, 31 May 2022 15:09:56 +0000</pubDate></item><item><title>EnemyBot Linux Botnet Now Exploits Web Server, Android and CMS Vulnerabilities</title><link>https://nsaneforums.com/news/security-privacy-news/enemybot-linux-botnet-now-exploits-web-server-android-and-cms-vulnerabilities-r6133/</link><description><![CDATA[<p>
	A nascent Linux-based botnet named Enemybot has expanded its capabilities to include recently disclosed security vulnerabilities in its arsenal to target web servers, Android devices, and content management systems (CMS).
</p>

<p>
	<br />
	"The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities," AT&amp;T Alien Labs said in a technical write-up published last week. "Services such as VMware Workspace ONE, Adobe ColdFusion, WordPress, PHP Scriptcase and more are being targeted as well as IoT and Android devices."
</p>

<p>
	<br />
	First disclosed by Securonix in March and later by Fortinet, Enemybot has been linked to a threat actor tracked as Keksec (aka Kek Security, Necro, and FreakOut), with early attacks targeting routers from Seowon Intech, D-Link, and iRZ.
</p>

<p>
	<br />
	Enemybot, which is capable of carrying out DDoS attacks, draws its origins from several other botnets like Mirai, Qbot, Zbot, Gafgyt, and LolFMe. An analysis of the latest variant reveals that it's made up of four different components -
</p>

<p>
	 
</p>

<ul>
	<li>
		 A Python module to download dependencies and compile the malware for different OS architectures
	</li>
	<li>
		 The core botnet section
	</li>
	<li>
		 An obfuscation segment designed to encode and decode the malware's strings, and
	</li>
	<li>
		 A command-and-control functionality to receive attack commands and fetch additional payloads
	</li>
</ul>

<p>
	<br />
	"In case an Android device is connected through USB, or Android emulator running on the machine, EnemyBot will try to infect it by executing [a] shell command," the researchers said, pointing to a new "adb_infect" function. ADB refers to Android Debug Bridge, a command-line utility used to communicate with an Android device.
</p>

<p>
	<br />
	Also incorporated is a new scanner function that's engineered to search random IP addresses associated with public-facing assets for potential vulnerabilities, while also taking into account new bugs within days of them being publicly disclosed.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="goip.jpg" class="ipsImage" data-ratio="51.94" height="370" width="720" src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgpc96pQMDAAqWfH85fEsGBf1xrj8m3a3gH9va1i7k-HmTzikPIzZGImKevqb3wxvW1wxFjhDs9J_Ii1xzSUdJpYaornlzqm5NOU8GCTzKMJoo7Tqy4kafPPjw7fLOUT5fXucBVfCUjMjn5-J2dr2U9992Sbsa-mLLWhevc7-l6Uqf_7AeQGz1sDvTF/s728-e100/goip.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p style="text-align:center;">
	<img alt="log4j.jpg" class="ipsImage" data-ratio="40.28" height="286" width="720" src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjoCVQLY8Ozew4EQYe8whasxaFqzk8QnTX4P9wTrhC5kmGUuAW_20VD-gaPJ2Y9A-2hcLTSgVGc9UP7K9407c24ypTfJHRJvPoem7rVVTe50pMIY4MB-3dCwJ3rqYVc6BjGkU7_AGfuC5xLyp9rDp0g1R06cvFDa-Mxzow3EU9txlmSQAXEwuoIZQKn/s728-e100/log4j.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Besides the Log4Shell vulnerabilities that came to light in December 2021, this includes recently patched flaws in Razer Sila routers (no CVE), VMware Workspace ONE Access (CVE-2022-22954), and F5 BIG-IP (CVE-2022-1388) as well as weaknesses in WordPress plugins like Video Synchro PDF.
</p>

<p>
	<br />
	Other weaponized security shortcomings are below -
</p>

<p>
	 
</p>

<ul>
	<li>
		 <span style="color:#2980b9;">CVE-2022-22947</span> (CVSS score: 10.0) - A code injection vulnerability in Spring Cloud Gateway
	</li>
	<li>
		 <span style="color:#2980b9;">CVE-2021-4039</span> (CVSS score: 9.8) - A command injection vulnerability in the web interface of the Zyxel
	</li>
	<li>
		 <span style="color:#2980b9;">CVE-2022-25075</span> (CVSS score: 9.8) - A command injection vulnerability in TOTOLink A3000RU wireless router
	</li>
	<li>
		 <span style="color:#2980b9;">CVE-2021-36356</span> (CVSS score: 9.8) - A remote code execution vulnerability in Kramer VIAware
	</li>
	<li>
		 <span style="color:#2980b9;">CVE-2021-35064</span> (CVSS score: 9.8) - A privilege escalation and command execution vulnerability in Kramer VIAware
	</li>
	<li>
		 <span style="color:#2980b9;">CVE-2020-7961</span> (CVSS score: 9.8) - A remote code execution vulnerability in Liferay Portal
	</li>
</ul>

<p>
	<br />
	What's more, the botnet's source code has been shared on GitHub, making it widely available to other threat actors. "I assume no responsibility for any damages caused by this program," the project's README file reads. "This is posted under Apache license and is also considered art."
</p>

<p>
	<br />
	"Keksec's Enemybot appears to be just starting to spread, however due to the authors' rapid updates, this botnet has the potential to become a major threat for IoT devices and web servers," the researchers said.
</p>

<p>
	<br />
	"This indicates that the Keksec group is well resourced and that the group has developed the malware to take advantage of vulnerabilities before they are patched, thus increasing the speed and scale at which it can spread."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2022/05/enemybot-linux-botnet-now-exploits-web.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">6133</guid><pubDate>Mon, 30 May 2022 17:21:44 +0000</pubDate></item><item><title>Linux malware is on the rise&#x2014;6 types of attacks to look for</title><link>https://nsaneforums.com/news/security-privacy-news/linux-malware-is-on-the-rise%E2%80%946-types-of-attacks-to-look-for-r6132/</link><description><![CDATA[<p>
	<span style="font-size:20px;">Malware targeting Linux environments has increased massively in the past year, with threat actors using a variety of techniques to carry out operations.</span>
</p>

<p>
	 
</p>

<p>
	Linux is a coveted target. It is the host operating system for numerous application backends and servers and powers a wide variety of internet of things (IoT) devices. Still, not enough is done to protect the machines running it.
</p>

<p>
	<br />
	"Linux malware has been massively overlooked," says Giovanni Vigna, senior director of threat intelligence at VMware. "Since most of the cloud hosts run Linux, being able to compromise Linux-based platforms allows the attacker to access an enormous amount of resources or to inflict substantial damage through ransomware and wipers."
</p>

<p>
	<br />
	In recent years, cybercriminals and nation-state actors have targeted Linux-based systems. The goal was often to infiltrate corporate and government networks or gain access to critical infrastructure, according to a recent VMware report. They leverage weak authentication, unpatched vulnerabilities, and server misconfigurations, among others.
</p>

<p>
	<br />
	Linux malware is becoming not just more prevalent but also more diverse. Security company Intezer looked at the code uniqueness of malware strains to see how innovative authors are. It found an increase in most malware categories in 2021 compared to 2020, including ransomware, banking trojans, and botnets. "This increase in Linux targeting may be correlated to organizations increasingly moving into cloud environments, which frequently rely on Linux for their operation," according to a report. "The level of innovation of Linux malware came close to that of Windows-based malware."
</p>

<p>
	<br />
	As Linux malware continues to evolve, organizations need to pay attention to the most common attacks and harden security every step along the way.
</p>

<p>
	 
</p>

<p>
	"While Linux can be more secure than other operating systems, it's important to note that an operating system is only as secure as its weakest link," says Ronnie Tokazowski, principal threat advisor at Cofense.
</p>

<p>
	<br />
	These are the six types of attacks on Linux to watch for:
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>1. Ransomware targets virtual machine images</strong></span>
</p>

<p>
	<br />
	In recent years, ransomware gangs have started to peek at Linux environments. The quality of the malware samples varies greatly, but gangs such as Conti, DarkSide, REvil and Hive are quickly upgrading their skill sets.
</p>

<p>
	<br />
	Typically, ransomware attacks against cloud environments are carefully planned. According to VMware, cybercriminals try to fully compromise their victim before starting to encrypt the files.
</p>

<p>
	<br />
	Recently, groups like RansomExx/Defray777 and Conti began to target Linux host images used for workloads in virtualized environments. "This new and worrisome development shows how attackers look for the most valuable assets in cloud environments to inflict the maximum damage," the VMware report read.
</p>

<p>
	<br />
	Encrypting virtual machine images hosted on ESXi Hypervisors is of particular interest to these gangs because they know they can significantly impact operations. It's "a common theme in the ransomware landscape to develop new binaries specifically to encrypt virtual machines and their management environments," a report by security company Trellix read.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>2. Cryptojacking is on the rise</strong></span>
</p>

<p>
	<br />
	Cryptojacking is one of the most prevalent types of Linux malware because it can quickly produce money. "The intent of this software is to use computational resources to generate cryptocurrencies for an attacker," typically Monero, says Tokazowski.
</p>

<p>
	<br />
	One of the first notable attacks happened in 2018 when Tesla's public cloud fell victim. "The hackers had infiltrated Tesla's Kubernetes console, which was not password protected," according to cloud monitoring company RedLock. "Within one Kubernetes pod, access credentials were exposed to Tesla's AWS environment, which contained an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive data such as telemetry."
</p>

<p>
	<br />
	Cryptojacking has become more prevalent, with XMRig and Sysrv being some of the most prominent cryptominer families. A report by SonicWall showed that the number of attempts rose by 19% in 2021 compared to 2020. "For government and healthcare customers, this increase was in the triple digits, with cryptojacking growing 709% and 218% respectively," according to the document. The security company counted an average of 338 cryptojacking attempts per customer network.
</p>

<p>
	<br />
	To target their victims, many gangs use lists of default passwords, bash exploits, or exploits that intentionally target misconfigured systems with weak security, according to Tokazowski. "Some of these misconfigurations can include directory traversal attacks, remote file inclusion attacks, or rely on misconfigured processes with default installs," he says.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>3. Three malware families—XorDDoS, Mirai and Mozi—target IoT</strong></span>
</p>

<p>
	<br />
	The IoT runs on Linux, with few exceptions, and the simplicity of the devices can help turn them into potential victims. CrowdStrike reported that the volume of malware targeting gadgets operating on Linux increased by 35% in 2021 compared to 2020. Three malware families account for 22% of the total: XorDDoS, Mirai, and Mozi. They follow the same pattern of infecting devices, amassing them into a botnet, and then using them to perform DDoS attacks.
</p>

<p>
	<br />
	Mirai, a Linux Trojan that uses Telnet and Secure Shell (SSH) brute-forcing attacks to compromise devices, is seen as the common ancestor to many Linux DDoS malware strains. Once its source code became public in 2016, multiple variants emerged. In addition, malware authors learned from it and implemented Mirai features into their own Trojans.
</p>

<p>
	<br />
	CrowdStrike noticed that the number of Mirai malware variants compiled for Intel-powered Linux systems more than doubled in the first quarter of the year 2022 compared to Q1 2021, with the largest increase in variants targeting the 32-bit x86 processors. "Mirai variants continuously evolve to exploit unpatched vulnerabilities to expand their attack surface," according to the report.
</p>

<p>
	<br />
	Another prosperous Linux Trojan is XorDDoS. Microsoft found that this threat rose by 254% in the last six months. XorDDoS uses variants of itself compiled for ARM, x86 and x64 Linux architectures to increase the likelihood of a successful infection. Like Mirai, it uses brute-force attacks to gain access to its targets and, once inside, scans for Docker servers with port 2375 open to gain remote root access to the host without the need for a password.
</p>

<p>
	<br />
	Mozi compromises its targets in a somewhat similar manner but to prevent other malware from taking its place, it then blocks the SSH and Telnet ports. It creates a peer-to-peer botnet network and uses the distributed hash table (DHT) system to hide its communication with the command-and-control server behind legitimate DHT traffic.
</p>

<p>
	<br />
	The activity of the most successful botnets remains consistent over time, according to Fortinet's Global Threat Landscape Report. The security company found that malware authors devote plenty of effort to making an infection persistent: the implant re-establishes itself at boot, so rebooting the device does not evict the attacker from the infected target.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>4. State-sponsored attacks target Linux environments</strong></span>
</p>

<p>
	<br />
	Security researchers monitoring nation-state groups have noticed that they increasingly target Linux environments. "A lot of Linux malware has been deployed with the onset of the Russian-Ukraine war, including wipers," says Ryan Robinson, security researcher at Intezer. Russian APT group Sandworm allegedly attacked Linux systems of UK and U.S. agencies a few days before the attack started, according to Cyfirma.
</p>

<p>
	<br />
	ESET was among the companies that closely followed the conflict and its cybersecurity implications. "A month ago, we've been looking at Industroyer2, an attack against a Ukrainian energy provider," says Marc-Étienne Léveillé, senior malware researcher at ESET. "This attack included Linux and Solaris worms that spread using SSH and perhaps stolen credentials. This was a very targeted attack which clearly had the objective of destroying data from databases and file systems."
</p>

<p>
	<br />
	The Linux wiper "destroys the whole content of the disks attached to the system by using shred if available or simply dd (with if=/dev/random) otherwise," according to ESET’s paper. "If multiple disks are attached, data removal is done in parallel to speed up the process." Together with CERT-UA, ESET attributed the malware to the Sandworm APT group, which had used Industroyer in 2016 to cut power in Ukraine.
</p>

<p>
	<br />
	As for other nation-state actors, Microsoft and Mandiant noticed that multiple groups backed by China, Iran, North Korea and others had been exploiting the infamous Log4j flaw on both Windows and Linux systems to gain access to the networks they target.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>5. Fileless attacks are difficult to detect</strong></span>
</p>

<p>
	<br />
	Security researchers at AT&amp;T's Alien Labs saw that multiple actors, including TeamTNT, have started to use Ezuri, an open-source tool written in Golang. Attackers use Ezuri to encrypt malicious code. On decryption, the payload is executed directly from memory without leaving any traces on the disk, which makes these attacks difficult to detect by antivirus software.
</p>

<p>
	<br />
	The main group associated with this technique, TeamTNT, targets Docker systems that are not configured properly, with the purpose of installing DDoS bots and cryptominers.
</p>
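<p>
	A defender-side counterpart to the Ezuri technique described above, added here as an example rather than code from the article or from Ezuri itself: because the decrypted payload is executed from an anonymous memfd instead of a file, the kernel exposes the fact through /proc/&lt;pid&gt;/exe, which then points at "/memfd:&lt;name&gt; (deleted)" rather than at a path on disk. The scanner below reads those links (or, offline, a constructed sample table) and flags memfd-backed, deleted, or tmpfs-resident executables. The sample table and process names are constructed.
</p>

```python
"""Spot Linux processes whose executable lives only in memory.

Added example, not code from the CSO article or from Ezuri. It assumes (as
AT&T Alien Labs described for Ezuri) that the decrypted payload is written
to an anonymous memfd and executed from there, so the process's
/proc/<pid>/exe link reads "/memfd:<name> (deleted)" instead of a file on
disk. SAMPLE_LINKS below is a constructed stand-in for a live /proc scan.
"""
import os
import re
from typing import Dict, List, Optional, Tuple

_MEMFD = re.compile(r"^/memfd:")          # anonymous in-memory file (memfd_create)
_DELETED = re.compile(r" \(deleted\)$")   # binary unlinked after it started


def classify_exe_target(target: str) -> Optional[str]:
    """Return a finding label for one /proc/<pid>/exe link target, or None."""
    if _MEMFD.search(target):
        return "exe is an anonymous memfd (in-memory only)"
    if _DELETED.search(target):
        return "exe was deleted from disk after start"
    if target.startswith(("/dev/shm/", "/tmp/", "/var/tmp/")):
        return "exe runs from a world-writable or tmpfs path"
    return None


def find_memory_resident(exe_links: Dict[int, str]) -> List[Tuple[int, str, str]]:
    """Apply classify_exe_target to a {pid: exe_target} table, lowest pid first."""
    hits = []
    for pid in sorted(exe_links):
        reason = classify_exe_target(exe_links[pid])
        if reason:
            hits.append((pid, exe_links[pid], reason))
    return hits


def read_exe_links(proc_root: str = "/proc") -> Dict[int, str]:
    """Collect exe link targets for every readable process under proc_root."""
    links = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            links[int(entry)] = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue  # kernel threads, already-exited or unreadable processes
    return links


# Constructed sample standing in for a live scan; names are illustrative.
SAMPLE_LINKS = {
    1: "/usr/lib/systemd/systemd",
    812: "/usr/sbin/sshd",
    4711: "/memfd:payload (deleted)",   # what an Ezuri-style loader leaves behind
    4720: "/tmp/.x/miner (deleted)",
    5002: "/dev/shm/xmrig",
}

if __name__ == "__main__":
    table = read_exe_links() if os.path.isdir("/proc") else SAMPLE_LINKS
    for pid, target, reason in find_memory_resident(table):
        print(f"pid {pid}: {target}  ({reason})")
```

<p>
	Run it as root to see every process; unprivileged it only reads your own. A memfd hit is not proof of malice (some JIT runtimes and updaters use memfd too), so pair it with the process's parent, user, and network connections before acting.
</p>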

<p>
	<br />
	<span style="font-size:20px;"><strong>6. Linux malware targets Windows machines</strong></span>
</p>

<p>
	<br />
	Linux malware can also exploit Windows machines through Windows Subsystem for Linux (WSL), a feature of Windows that allows Linux binaries to run natively on this OS. WSL must be installed manually or by joining the Windows Insider program, but attackers can install it if they have elevated access.
</p>

<p>
	<br />
	Cloud security company Qualys examined the feasibility of carrying out attacks or gaining persistence on a Windows machine by using WSL. It analyzed two techniques so far, proxying execution and installing utilities, and concluded that both are highly feasible. According to the company's security experts, organizations that want to protect against this type of attack can disable virtualization and the ability to install WSL. It also helps to audit running processes in an ongoing manner.
</p>

<p>
	<br />
	Attackers also ported functionality from Windows tools to Linux, aiming to target more platforms. One example is Vermilion Strike, which is based on a popular penetration testing tool for Windows, CobaltStrike, but can be used to target both Windows and Linux. Vermilion Strike offers attackers remote access capabilities, including file manipulation and shell command execution. The tool was used against telecom companies, government agencies, and financial institutions, and the main intent of the attackers was to conduct espionage.
</p>

<p>
	<br />
	Researchers at Intezer say in their report that "Vermilion Strike may not be the last Linux implementation" of the CobaltStrike Beacon.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>Protecting against malware that targets Linux environments</strong></span>
</p>

<p>
	<br />
	Security is the weakest when sysadmins and developers race against time and deadlines. Developers, for instance, may trust community-sourced code blindly; they copy/paste code from Stack Overflow, run software quickly after cloning a GitHub repository, or deploy an app from Docker Hub directly into their production environment.
</p>

<p>
	<br />
	Opportunistic attackers take advantage of this "economy of attention." They add cryptominers to Docker containers or create open-source packages with names that are almost identical to heavily used libraries, taking advantage of the occasional spelling mistake on the part of developers.
</p>

<p>
	<br />
	"Exploitation of open Docker and Kubernetes deployments is pretty interesting: careless people leave their container deployments open to the world, and these installations are easily taken over and used as a bridgehead for further attacks or for other monetization activity, such as Monero mining," says VMware's Vigna.
</p>

<p>
	<br />
	"I am an avid, evangelistic advocate of open-source software and culture, but one thing that really gives me the heebie-jeebies is the fragility of the chain of trust involved in public software repositories," says Ryan Cribelar, vulnerability research engineer at Nucleus Security. "This isn't a Linux-specific concern, of course, but a malicious library lurking in PyPi or NPM repositories, for example, will arguably cause the Linux admin and security teams the most sleep loss."
</p>

<p>
	<br />
	For Linux servers, misconfigurations are also a big issue, and it can happen at multiple points along one's infrastructure. "Commonly, firewall or security group settings are misconfigured to allow access to the wider internet, thus allowing external access to deployed applications on Linux servers," says Intezer’s Robinson.
</p>

<p>
	<br />
	Applications are commonly misconfigured to allow access without authentication or with default credentials. "Depending on the misconfigured application, attackers will be able to steal information or run malicious code on the Linux server," Robinson adds. "Common examples include misconfigured Docker daemons, allowing attackers to run their own containers or misconfigured applications that leak passwords and customer information, such as Apache Airflow." Robinson adds that a default configuration often does not equate to a secure configuration.
</p>
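<p>
	The exposed Docker daemon that XorDDoS scans for on port 2375 (above) and the misconfigured Docker daemons Robinson mentions here are the same thing: a tcp:// listener on a non-loopback address with no TLS client verification, which hands anyone who can reach it the ability to start a privileged container and take root on the host. The audit below, an added example rather than code from the article, Docker, or any of the quoted researchers, checks the two places dockerd takes its listen addresses from (the "hosts" key in daemon.json and -H/--host flags) and reports listeners that are reachable and unauthenticated. The sample configurations are constructed.
</p>

```python
"""Audit a Docker daemon for an unauthenticated, remotely reachable TCP listener.

Added example; not from the article, from Docker, or from any quoted
researcher. Inputs: the text of /etc/docker/daemon.json and the dockerd
argv. The sample configurations below are constructed.
"""
import ipaddress
import json
import os
import sys
from typing import List
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def _hosts_from_cmdline(argv: List[str]) -> List[str]:
    """Extract -H/--host values in both '-H x' and '-H=x' forms."""
    hosts = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 2
            continue
        for prefix in ("-H=", "--host="):
            if arg.startswith(prefix):
                hosts.append(arg[len(prefix):])
        i += 1
    return hosts


def _is_remote_reachable(bind: str) -> bool:
    """True when the bind address can be reached from off-host."""
    if bind in LOOPBACK_HOSTS:
        return False
    try:
        return not ipaddress.ip_address(bind).is_loopback
    except ValueError:
        return True  # a hostname we cannot classify: assume it maps to a real NIC


def audit_docker_exposure(daemon_json: str, dockerd_argv: List[str]) -> List[str]:
    """Return one finding per dangerous listener; an empty list means none found."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    hosts = list(cfg.get("hosts", [])) + _hosts_from_cmdline(dockerd_argv)
    tls_verify = (bool(cfg.get("tlsverify"))
                  or "--tlsverify" in dockerd_argv
                  or "--tlsverify=true" in dockerd_argv)
    findings = []
    for h in hosts:
        parts = urlsplit(h)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// sockets are guarded by file permissions
        bind = parts.hostname or "0.0.0.0"   # empty host means every interface
        if _is_remote_reachable(bind) and not tls_verify:
            findings.append(f"{h}: remote API without TLS client auth; "
                            f"equivalent to passwordless root on this host")
    return findings


# Constructed examples: the weak setting and its corrected form.
VULNERABLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = (
    '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],'
    ' "tlsverify": true, "tlscacert": "/etc/docker/ca.pem",'
    ' "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}'
)

if __name__ == "__main__":
    path = "/etc/docker/daemon.json"
    raw = open(path).read() if os.path.exists(path) else "{}"
    # Pass the running dockerd's arguments on the command line, e.g. from `ps -o args= -C dockerd`.
    for line in audit_docker_exposure(raw, sys.argv[1:]) or ["no exposed TCP listener found"]:
        print(line)
```

<p>
	The hardened form keeps the API on 2376 with tlsverify so only holders of a client certificate signed by your CA can talk to it; a firewall rule that limits the port to the hosts that genuinely need it is the second layer, since a stolen client key still gets root.
</p>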

<p>
	<br />
	Joel Spurlock, senior director of malware research at CrowdStrike, sees another issue: patching. He argues that organizations are "either unable or unwilling to keep machines up to date." Patching should be done regularly, and buzzwords like EDR and zero trust should also be on the menu.<br />
	Malware targeting Linux environments thrives in a vast playground of consumer devices and servers, virtualized environments, and specialized operating systems, therefore the security measures necessary to protect all these require focus and meticulous planning.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:20px;"><strong><a href="https://www.csoonline.com/article/3662151/linux-malware-is-on-the-rise-6-types-of-attacks-to-look-for.html" rel="external nofollow">Source</a></strong></span>
</p>
]]></description><guid isPermaLink="false">6132</guid><pubDate>Mon, 30 May 2022 17:10:51 +0000</pubDate></item><item><title>Brave partners with Guardian to bring a paid VPN and Firewall to its browser</title><link>https://nsaneforums.com/news/security-privacy-news/brave-partners-with-guardian-to-bring-a-paid-vpn-and-firewall-to-its-browser-r6130/</link><description><![CDATA[<p>
	Brave Software, maker of the Brave web browser for desktop and mobile operating systems, is <a data-wpel-link="external" href="https://brave.com/android-vpn/" rel="external nofollow" target="_blank">integrating</a> firewall and VPN functionality into its web browser. Brave 1.39 for Android includes the new functionality, which launched for Brave on iPhone and iPad earlier this year.
</p>

<p>
	 
</p>

<p>
	<img alt="brave-vpn.webp" class="ipsImage" data-ratio="75.10" height="540" width="486" src="https://www.ghacks.net/wp-content/uploads/2022/05/brave-vpn.webp">
</p>

<p>
	source: <a data-wpel-link="external" href="https://brave.com/android-vpn/" rel="external nofollow" target="_blank">Brave</a>
</p>

<p>
	 
</p>

<p>
	Brave entered into a partnership agreement with Guardian to promote and integrate Guardian's firewall and VPN product into the browser.
</p>

<p>
	 
</p>


<p>
	The update to Brave 1.39 for Android is required before the new VPN link becomes available in the browser's main menu. Activation of the item in the menu displays basic information about the offer and the price.
</p>

<p>
	 
</p>

<p>
	Brave VPN is powered by Guardian, a company known for its firewall and VPN product. The product supports the blocking of trackers and advertisement, and secure connections using the WireGuard technology. Unlike several other browser integrated VPN solutions, Brave VPN works systemwide, which means that all applications benefit from it when it is enabled.
</p>

<p>
	 
</p>

<p>
	Brave VPN is available as a commercial product only. Users of Brave may pay $9.99 per month or $99.99 per year to subscribe to Brave VPN; Guardian Firewall is not available for Android officially, but the pricing matches the pricing of the standalone iOS version.
</p>

<p>
	 
</p>

<p>
	Compared to other VPN solutions, Brave VPN can't be described as a cheap option. <a data-wpel-link="internal" href="https://www.ghacks.net/2020/07/16/mozilla-vpn-launches-in-some-countries-officially/" rel="external nofollow">Mozilla VPN</a>, a VPN solution by Mozilla that is powered by Mullvad, is available for half the price. Popular VPN providers such as <a data-wpel-link="internal" href="https://www.ghacks.net/2021/07/23/nordvpn-review-how-good-is-the-vpn-service/" rel="external nofollow">NordVPN</a> or <a data-wpel-link="internal" href="https://www.ghacks.net/2021/07/24/expressvpn-review/" rel="external nofollow">ExpressVPN</a> are available for even less during sales, which seem to happen all-year-round. Some support the blocking of ads and trackers as well.
</p>

<p>
	 
</p>

<p>
	Is Brave VPN bringing anything to the table other than what other VPN apps and services support as well? Brave Software highlights its unique authentication system. While it is necessary to buy a subscription for Brave VPN to use the service, Brave is using a pseudonymous digital receipt to provide access to the VPN service, and "randomized, rotated identifiers" when connecting to VPN servers.
</p>

<p>
	 
</p>

<p>
	According to Brave, this system provides access to the VPN "in a manner that does not require Brave or Guardian to be aware of a user's identity". Guardian uses the same technology for its standalone application, as highlighted in the company's <a data-wpel-link="external" href="https://guardianapp.com/privacy-policy/#information-we-collect-about-you" rel="external nofollow" target="_blank">Privacy Policy</a>.
</p>

<p>
	 
</p>

<p>
	Brave plans to roll out Brave VPN to all Brave users on Android devices, version 8 and up, over the coming days. Brave 1.39 is expected to become available by the time as well. The company plans to introduce Brave VPN in all desktop versions of the web browser in the "next several months" as well, so that it is available for all supported operating systems and device types.
</p>

<p>
	 
</p>

<p>
	Microsoft launched the <a data-wpel-link="internal" href="https://www.ghacks.net/2022/04/28/microsoft-edge-secure-network-browser-vpn-with-1gb-free-data/" rel="external nofollow">free Secure Network browser VPN in its Edge browser</a> for select customers recently. <a data-wpel-link="internal" href="https://www.ghacks.net/2015/03/30/vpns-the-next-big-browser-feature/" rel="external nofollow">Browser makers have started to integrate VPNs into their browsers recently</a>.
</p>

<p>
	 
</p>

<p>
	<strong>Now You:</strong> would you rather subscribe to a standalone VPN, or a VPN integrated into a browser?
</p>

<p>
	 
</p>


<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2022/05/29/brave-partners-with-guardian-to-bring-a-paid-vpn-and-firewall-to-its-browser/" rel="external nofollow">Brave partners with Guardian to bring a paid VPN and Firewall to its browser</a>
</p>
]]></description><guid isPermaLink="false">6130</guid><pubDate>Sun, 29 May 2022 22:29:23 +0000</pubDate></item><item><title>New malware for Windows Subsystem for Linux steals browser auth cookies</title><link>https://nsaneforums.com/news/security-privacy-news/new-malware-for-windows-subsystem-for-linux-steals-browser-auth-cookies-r6116/</link><description><![CDATA[<p>
	Hackers are showing an increased interest in the Windows Subsystem for Linux (WSL) as an attack surface as they build new malware, the more advanced samples being suitable for espionage and downloading additional malicious modules.
</p>

<p>
	 
</p>

<p>
	As the name implies, WSL lets native Linux binaries run on Windows: WSL 1 translates Linux system calls into Windows ones, while WSL 2 runs a real Linux kernel inside a lightweight virtual machine.
</p>

<p>
	 
</p>

<p>
	WSL-based malware samples discovered recently rely on open-source code that routes communication through the Telegram messaging service and gives the threat actor remote access to the compromised system.
</p>

<p>
	 
</p>

<p>
	<strong>RATs and shells</strong>
</p>

<p>
	<br />
	Malicious Linux binaries for WSL were first discovered over a year ago, with researchers at Lumen Technologies’ Black Lotus Labs publishing a report on this new type of threat in September 2021.
</p>

<p>
	 
</p>

<p>
	Since then, their number has grown constantly, with all variants enjoying low detection rates, despite being based on publicly available code.
</p>

<p>
	 
</p>

<p>
	Black Lotus Labs researchers told BleepingComputer this week that they have tracked more than 100 samples of WSL-based malware since last fall.
</p>

<p>
	 
</p>

<p>
	Some are more advanced than others, the researchers said, adding that threat actors “show continued interest” in the malware they are tracking.
</p>

<p>
	 
</p>

<p>
	Of the samples analyzed, two of them are more notable due to their capabilities to function as a remote access tool (RAT) or to establish a reverse shell on the infected host.
</p>

<p>
	 
</p>

<p>
	The two samples were discovered after the Black Lotus Labs report in March that warned about WSL becoming a favored attack surface for adversaries of various technical skills levels.
</p>

<p>
	 
</p>

<p>
	One of the more recent samples relied on a Python-based open-source tool called RAT-via-Telegram Bot that allows control over Telegram and comes with functions for stealing authentication cookies from Google Chrome and Opera web browsers, running commands, or downloading files.
</p>

<p>
	 
</p>

<p>
	Black Lotus Labs researchers told BleepingComputer that the malware came with a live bot token and chat ID, indicating an active command and control mechanism.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="WSL_new_sample.png" class="ipsImage" data-ratio="75.10" height="422" width="720" src="https://www.bleepstatic.com/images/news/u/1100723/2022/WSL_new_sample.png" />
</p>

<p style="text-align:center;">
	<span style="font-size:11px;"><em>source: Lumen Technologies Black Lotus Labs</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Additional functions in this variant include taking screenshots and grabbing user and system information (username, IP address, OS version), which helps the attacker determine what malware or utilities they can use in the next phase of the compromise.
</p>

<p>
	 
</p>

<p>
	When Black Lotus Labs analyzed the sample, only two antivirus engines out of 57 on VirusTotal flagged it as malicious, the researchers noted.
</p>

<p>
	 
</p>

<p>
	A second recently discovered WSL-based malware sample was built to set up a reverse TCP shell on the infected machine to communicate with the attacker.
</p>

<p>
	 
</p>

<p>
	Looking at the code, the researchers noticed that it used an IP address from Amazon Web Services that had been used previously by several entities.
</p>

<p>
	 
</p>

<p>
	One particularity that the researchers observed with this sample was that it displayed a pop-up message in Turkish, which translated to: “you’re screwed and there’s not much you can do.”
</p>

<p>
	 
</p>

<p>
	However, neither the pop-up message, which could indicate Turkish-speaking targets, nor the code provided a clue about the author of the malware.
</p>

<p>
	 
</p>

<p>
	Both malware pieces could be used for espionage purposes and can download files that would extend their functionality, the researchers said.
</p>

<p>
	 
</p>

<p>
	<strong>WSL-based malware taking off</strong>
</p>

<p>
	<br />
	Black Lotus Labs warned in the past that threat actors are exploring the WSL vector deeper, even if many of the samples analyzed “did not yet appear to be fully functional due to the use of internal or non-routable IPs.”
</p>

<p>
	 
</p>

<p>
	Nevertheless, malware authors are making progress and have already created variants that work on both Windows and Linux and can upload and download files, or execute attacker commands.
</p>

<p>
	 
</p>

<p>
	Unlike previous WSL-based malware, the latest samples that Black Lotus Labs analyzed “would prove effective with an active C2 [command and control] infrastructure in place given the low detection rates of AV providers.”
</p>

<p>
	 
</p>

<p>
	The general recommendation for defending against WSL-based threats is to keep a close eye on system activity, for example with Sysmon process-creation logging, to spot suspicious processes and investigate the commands they run.
</p>
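<p>
	What "keeping a close eye on system activity" looks like in practice, as an added example that is not code from the article, Black Lotus Labs, or Qualys: a small rule set run over Sysmon Event ID 1 (process creation) records that surfaces a distro being installed or imported, one-shot commands pushed through wsl.exe, and Windows binaries spawned from inside WSL, which is the proxied execution Qualys examined. Which Windows image appears as the parent of an interop-launched process is an assumption here; confirm it against your own Sysmon data before relying on the last rule. The event records below are constructed.
</p>

```python
"""Triage Sysmon process-creation events for WSL-based activity.

Added example, not from the BleepingComputer article, Black Lotus Labs or
Qualys. Input records use Sysmon Event ID 1 field names (Image,
CommandLine, ParentImage, ProcessId, User). The parent-image attribution
for interop-launched binaries is an assumption; the events are constructed.
"""
import ntpath
from typing import Dict, List

WSL_LAUNCHERS = {"wsl.exe", "wslhost.exe", "bash.exe", "wslconfig.exe"}
# Assumption: Store-installed distro launchers carry names like these.
DISTRO_LAUNCHERS = {"ubuntu.exe", "debian.exe", "kali.exe", "ubuntu2204.exe"}
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "certutil.exe",
           "rundll32.exe", "mshta.exe", "regsvr32.exe", "bitsadmin.exe"}


def _base(image: str) -> str:
    return ntpath.basename(image).lower()


def triage_event(ev: Dict[str, str]) -> List[Dict[str, str]]:
    """Return zero or more findings for one Sysmon Event ID 1 record."""
    image, parent = _base(ev.get("Image", "")), _base(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "").lower()
    out: List[Dict[str, str]] = []

    def hit(rule: str, why: str) -> None:
        out.append({"rule": rule, "pid": ev.get("ProcessId", "?"),
                    "image": image, "user": ev.get("User", "?"), "why": why})

    if image in WSL_LAUNCHERS or image in DISTRO_LAUNCHERS:
        if "--install" in cmd or "--import" in cmd:
            hit("wsl-install", "distro being installed or imported from a tarball")
        elif " -e " in cmd or "--exec" in cmd or " -u root" in cmd:
            hit("wsl-exec", "one-shot command run through WSL, possibly as root")
        else:
            hit("wsl-launch", "WSL launcher started; compare against known WSL users")
    if image in LOLBINS and parent in (WSL_LAUNCHERS | DISTRO_LAUNCHERS):
        hit("wsl-interop", "Windows binary spawned from inside WSL (proxied execution)")
    return out


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run triage_event over a batch of records and flatten the findings."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        findings.extend(triage_event(ev))
    return findings


# Constructed Sysmon Event ID 1 records; paths and the encoded command are illustrative.
SAMPLE_EVENTS = [
    {"ProcessId": "4120", "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "User": "CORP\\alice"},
    {"ProcessId": "5316", "Image": r"C:\Windows\System32\wsl.exe",
     "CommandLine": r"wsl.exe --import Updater C:\Users\Public\upd C:\Users\Public\rootfs.tar",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": "CORP\\alice"},
    {"ProcessId": "5402", "Image": r"C:\Windows\System32\wsl.exe",
     "CommandLine": "wsl.exe -d Updater -u root -e /tmp/.bot",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": "CORP\\alice"},
    {"ProcessId": "5488",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA",
     "ParentImage": r"C:\Windows\System32\wsl.exe", "User": "CORP\\alice"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['rule']}] pid={f['pid']} user={f['user']} {f['image']}: {f['why']}")
```

<p>
	The wsl-install rule is the most useful on fleets where WSL is not sanctioned: "wsl --import" lets an attacker bring a rootfs tarball of their own without touching the Microsoft Store, and it is a rare action for ordinary users.
</p>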

<p>
	 
</p>

<p>
	<strong><a href="https://www.bleepingcomputer.com/news/security/new-malware-for-windows-subsystem-for-linux-steals-browser-auth-cookies/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">6116</guid><pubDate>Sat, 28 May 2022 15:19:54 +0000</pubDate></item><item><title>Hacker accesses a Verizon employee database and tries to ransom the data for $250,000</title><link>https://nsaneforums.com/news/security-privacy-news/hacker-accesses-a-verizon-employee-database-and-tries-to-ransom-the-data-for-250000-r6114/</link><description><![CDATA[<p>
	Verizon is dealing with an incident where a hacker captured a database containing company employee data, including the full names of workers as well as their ID numbers, email addresses, and phone numbers. Motherboard reported that the database is legitimate, as the anonymous hacker contacted them last week, and they were able to verify the data by calling some of the numbers.
</p>

<p>
	 
</p>

<p>
	“These employees are idiots,” the hacker told <em>Motherboard</em> via chat. The hacker is seeking $250,000 in exchange for not leaking the database and said they are in contact with Verizon.
</p>

<p>
	 
</p>

<p>
	A Verizon spokesperson contacted <em>Motherboard</em> confirming the incident, saying, “A fraudster recently contacted us threatening to release readily available employee directory information in exchange for payment from Verizon. We do not believe the fraudster has any sensitive information and we do not plan to engage with the individual further. As always, we take the security of Verizon data very seriously and we have strong measures in place to protect our people and systems.”
</p>

<p>
	 
</p>

<p>
	The hacker claims they nabbed the database by social engineering their way into remotely connecting to a Verizon employee’s computer. The hacker’s account, in an email sent to Vice, is that they posed as internal support, coerced the Verizon employee to allow remote access, and then launched a script that copied data from the computer.
</p>

<p>
	 
</p>

<p>
	The information that was stolen could still be harmful. If you’ve ever had to get support from a carrier over the phone, you might have had to deal with the different departments that handle activating your SIM card. If an attacker poses as an employee and spoofs a number from the database, they could continue to use social engineering for SIM-swapping fraud. The technique has been used frequently over the years as attackers manipulated accounts through carriers like T-Mobile and AT&amp;T to steal cryptocurrency or gain access to social media accounts, including one belonging to former Twitter CEO Jack Dorsey.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.msn.com/en-us/news/technology/hacker-accesses-a-verizon-employee-database-and-tries-to-ransom-the-data-for-24250000/ar-AAXO59J" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">6114</guid><pubDate>Sat, 28 May 2022 14:37:06 +0000</pubDate></item><item><title>What Do Those Pesky 'Cookie Preferences' Pop-Ups Really Mean?</title><link>https://nsaneforums.com/news/security-privacy-news/what-do-those-pesky-cookie-preferences-pop-ups-really-mean-r6107/</link><description><![CDATA[<p>
	You are not the only person irritated by those pesky cookie permissions boxes. If you click “Accept” by rote, you have no idea what you’re agreeing to. Or perhaps you don’t care? Many users think they have to accept all cookies to access the website, but that’s not always the case. Another option is to manage your cookies, but what does that even mean?
</p>

<p>
	 
</p>

<p>
	To find out, we spoke to Lou Montulli, the engineer who invented cookies at age 23.
</p>

<p>
	 
</p>

<p>
	“I’m just like everybody else,” says Montulli. “I want that pop-up to go away as soon as possible. The idea of asking people about permissions every single time they go to a website is annoying.”
</p>

<p>
	 
</p>

<p>
	Almost every website you visit places cookies in your browser. The purpose of a cookie is to let a website recognize a browser when it comes back. That’s why you can return to a site and be recognized, even if you don’t always log in. It’s why the stuff in your shopping cart is still there the next day, or that article remembers where you stopped reading. You don’t have to “introduce” yourself every time you visit a site, but is the convenience worth it?
</p>

<p>
	 
</p>

<p>
	With Montulli’s help, here are some of the most frequently used terms those annoying permissions boxes are asking you about, and what you might want to choose when you see them.
</p>

<p>
	 
</p>

<p>
	First, let’s explain what some of the types of cookies you’ll see really do:
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>Session Cookies</strong> are temporary. These aren’t saved when you quit your browser.
	</li>
	<li>
		<strong>Persistent Cookies</strong> will stay on your hard drive until you delete them, or your browser does. These have an expiration date written into their code. That expiration date varies depending on the site or service that issued them and is chosen by the website that places them on your browser.
	</li>
	<li>
		<strong>First-Party Cookies</strong> are those placed directly onto your device by the website you’re visiting.
	</li>
	<li>
		<strong>Third-Party Cookies</strong> are placed on your device not by the website you’re on (the first party) but by advertisers, data partners, or analytics tools that track visitors, usually at the request of that first party. Think Google Analytics for your <a href="https://wired.com/" rel="external nofollow">favorite tech magazine website</a>, for example.
	</li>
	<li>
		<strong>Strictly Necessary Cookies</strong> allow you to view a website’s content and use its features.
	</li>
	<li>
		<strong>Preference Cookies</strong>, <strong>aka Functionality Cookies</strong>, allow a website to remember data you typed: for example, your user ID, delivery address, email, phone, and preferred method of payment. A properly built site never stores your password itself in a cookie; it keeps a session identifier that stands in for your login instead.
	</li>
	<li>
		<strong>Statistics Cookies</strong>, <strong>aka Performance Cookies</strong>, record how you used a website. Although these see links clicked and pages visited, your identity is not attached to these stats. These can include cookies from a third party. So if a website uses an analytics system from a third party to track what visitors do on that first-party website, it only divulges that tracking info to the website that hired the third party for analytics.
	</li>
</ul>
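<p>
	The distinctions in the list above are all visible in the Set-Cookie header the server sends, so they can be checked mechanically. The parser below is an added example, not code from the article or from any browser: it splits a Set-Cookie value into name, value and attributes, calls the cookie persistent when it carries Expires or Max-Age and session otherwise, and first- or third-party by comparing the cookie’s domain with the site in the address bar. "Site" is approximated as the last two DNS labels, which is an assumption; real browsers consult the Public Suffix List. The headers are constructed.
</p>

```python
"""Classify a Set-Cookie header the way a consent dialogue would.

Added example, not from the WIRED article or from any browser. Parsing
follows the RFC 6265 shape (name=value, then ;-separated attributes).
registrable_site() is a two-label approximation of eTLD+1 and is an
assumption; the sample headers are constructed.
"""
from typing import Dict, List, Optional, Tuple


def parse_set_cookie(header: str) -> Dict[str, Optional[str]]:
    """Split 'name=value; Attr=val; Flag' into a dict keyed by lower-cased attribute."""
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    cookie: Dict[str, Optional[str]] = {"name": name.strip(), "value": value.strip()}
    for attr in pieces[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip() if val else None  # flags map to None
    return cookie


def registrable_site(host: str) -> str:
    """Approximate eTLD+1 as the last two labels (assumption); drop a leading dot."""
    labels = host.lstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def classify(header: str, set_by_host: str, top_level_host: str) -> Dict[str, str]:
    """Label one cookie: lifetime, party relative to the address-bar site, SameSite sanity."""
    c = parse_set_cookie(header)
    lifetime = "persistent" if ("expires" in c or "max-age" in c) else "session"
    cookie_host = c.get("domain") or set_by_host        # no Domain attribute: host-only cookie
    same_site = registrable_site(cookie_host) == registrable_site(top_level_host)
    party = "first-party" if same_site else "third-party"
    samesite = (c.get("samesite") or "lax (browser default)").lower()
    problems: List[str] = []
    if samesite == "none" and "secure" not in c:
        problems.append("SameSite=None without Secure: modern browsers reject this cookie")
    if c["name"].startswith("__Secure-") and "secure" not in c:
        problems.append("__Secure- prefix requires the Secure attribute")
    return {"name": c["name"], "lifetime": lifetime, "party": party,
            "samesite": samesite, "problems": "; ".join(problems)}


# Constructed (header, host that set it, host in the address bar) triples.
SAMPLE: List[Tuple[str, str, str]] = [
    ("sid=abc123; Path=/; HttpOnly; Secure", "shop.example", "shop.example"),
    ("prefs=dark; Max-Age=31536000; Path=/", "shop.example", "shop.example"),
    ("_ga=GA1.2.555; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Domain=.tracker.example; "
     "SameSite=None; Secure", "tracker.example", "shop.example"),
    ("uid=42; Domain=ads.example; SameSite=None", "ads.example", "shop.example"),
]

if __name__ == "__main__":
    for hdr, host, top in SAMPLE:
        print(classify(hdr, host, top))
```

<p>
	Note what the classifier cannot tell you: whether a cookie is "strictly necessary" or "statistics" is a statement of purpose by the site, not a property of the header, which is exactly why consent banners have to ask.
</p>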

<p>
	 
</p>

<p>
	Montulli refers to the pop-up permissions box as “a really silly idea.” His preference would be a much more efficient and technical solution. For example, a user could choose their cookie preferences once in their browser, and every website they visit would honor that choice, similar to the design of <a href="https://www.wired.com/story/global-privacy-control-launches-do-not-track-is-back/" rel="external nofollow">Do Not Track</a>. Montulli explained it like this: “Say I want to accept one type of cookie, but not that other cookie, or those cookies, any website could just ask the browser once what any user’s preferences are.” One and done.
</p>


<p>
	That would be better, but what happens when you click “Accept All”—aside from thoughts like, Why does every website keep asking me these questions?
</p>

<p>
	 
</p>

<p>
	What many people (especially Americans) may not know is that in 2018 the European Union’s <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://gdpr.eu/"}' data-offer-url="https://gdpr.eu/" href="https://gdpr.eu/" rel="external nofollow" target="_blank">General Data Protection Regulation</a> (GDPR), adopted in 2016, came into force. And even if they have heard of it, they may not know enough to understand that this law is partially why cookie permission boxes are becoming more prevalent.
</p>

<p>
	 
</p>

<p>
	Under GDPR, companies based outside Europe can be hit with enormous fines if they track and analyze EU visitors to their website without a lawful basis such as consent. In other words, say your company resides in New York, but that company has European visitors and customers, or collects their data. If that’s the case, it can be penalized to the tune of tens of millions in fines if it doesn’t disclose its data collection and obtain the user’s consent.
</p>

<p>
	 
</p>

<p>
	Understandably, American companies want to avoid huge fines, which is why US users are seeing more and more of these permission boxes.
</p>

<p>
	 
</p>

<p>
	The boxes are designed to offer users more control over their data, as the EU law was put into place to protect all data belonging to EU citizens and residents. The confusion within the US market exists because the country has no comparable federal privacy law; protection there is a patchwork of state laws such as California’s CCPA.
</p>

<p>
	 
</p>

<p>
	In February 2022, Saryu Nayyar <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.forbes.com/sites/forbestechcouncil/2022/02/01/is-it-time-for-a-us-version-of-gdpr/?sh=6119357d637a"}' data-offer-url="https://www.forbes.com/sites/forbestechcouncil/2022/02/01/is-it-time-for-a-us-version-of-gdpr/?sh=6119357d637a" href="https://www.forbes.com/sites/forbestechcouncil/2022/02/01/is-it-time-for-a-us-version-of-gdpr/?sh=6119357d637a" rel="external nofollow" target="_blank">wrote a piece for Forbes</a> that asks if it’s time for a US version of GDPR. Nayyar wrote that the point of such a law would be “gaining explicit consent for collecting data and deleting data if consent is withdrawn.” That sounds like an awesome idea, but after consulting Montulli, the privacy plot thickens.
</p>

<p>
	 
</p>

<p>
	Personally, I find it impossible to separate cookies and privacy online. I asked Montulli if it’s true that everything on the internet stays on the internet.
</p>

<p>
	 
</p>

<p>
	“No,” he says. That’s because information on the internet is detached from your current online presence. The purpose of the cookie is to allow a website to know when the same browser returns. The cookie may contain additional pieces of information. “But the predominant use of it is to pass an ID to your browser as an identifier,” he says.
</p>

<p>
	 
</p>

<p>
	“Therefore, they can see that this is the same browser that was here a few seconds ago or even a few months ago. But, once the cookie is cleared, there’s no longer any attachment to you.”
</p>

<p>
	 
</p>

<p>
	The lack of transparency about how cookies work and who manages the data collected from them is a big part of the problem. When you visit a primary website that has hired a third-party ad-tracking network, your browser can get a third-party cookie without your knowledge. “The lack of transparency means that another cookie by another website has added embedded content, without your knowledge.”
</p>

<p>
	 
</p>

<p>
	Montulli says that if you clear your browser’s cookies frequently there’s no longer any attachment to you and your personal data, at least for that first-party website. “When you return to that website after clearing your cookies, or even if you have a new set of cookies, there’s no association between your browser and the browser that connected to that site several months ago with that old cookie.”
</p>

<p>
	 
</p>

<p>
	To test the hypothesis, I tried managing and blocking cookies on random sites. I completely ignored the permission box on any that asked me to accept cookies. The majority of those sites allowed me access anyway. Only a few sites blocked me because I ignored the permissions box. In those cases, the only decision I had to make was whether to trust the site. Since I did not actually need to read any content from those sites, I simply moved on. Bottom line, it doesn't hurt to select the cookies you want to accept and those you want to block. Just be prepared to do it every time you visit, or every time you clear your cookies, which you should probably get used to doing regularly.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/what-do-cookie-preferences-pop-ups-mean/" rel="external nofollow">What Do Those Pesky 'Cookie Preferences' Pop-Ups Really Mean?</a>
</p>

<p>
	 
</p>

<p>
	(May require free registration to view)
</p>
]]></description><guid isPermaLink="false">6107</guid><pubDate>Fri, 27 May 2022 18:35:12 +0000</pubDate></item><item><title>Mozilla is rolling out Total Cookie Protection to more Firefox users</title><link>https://nsaneforums.com/news/security-privacy-news/mozilla-is-rolling-out-total-cookie-protection-to-more-firefox-users-r6106/</link><description><![CDATA[<p>
	Firefox users may receive a prompt on startup of the web browser that gives them an option to enable the browser's Total Cookie Protection feature.
</p>

<p>
	 
</p>

<p>
	<img alt="firefox-total-cookie-protection.webp" class="ipsImage" data-ratio="75.10" height="372" width="720" src="https://www.ghacks.net/wp-content/uploads/2022/05/firefox-total-cookie-protection.webp">
</p>

<p>
	 
</p>


<p>
	Total Cookie Protection separates cookies in the browser so that only the site that planted it in the browser has access to it. The protective feature limits cross-site tracking in the Firefox web browser. Some sites and services require third-party cookies to work properly; these providers get automatic permission to use cross-site cookies when Total Cookie Protection detects that a Firefox user intends to use that provider.
</p>

<p>
	 
</p>

<p>
	Mozilla <a data-wpel-link="external" href="https://support.mozilla.org/en-US/kb/total-cookie-protection?as=u&amp;utm_source=inproduct" rel="external nofollow" target="_blank">describes</a> Total Cookie Protection in the following way:
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	Total Cookie Protection builds a fence around cookies, limiting them to the site you're on so third parties can't use those same tracking beacons to follow you from one site to the next. For example, if you visit socialnetwork.example, the site won’t be able to view your activity on shopping.example, healthinsurance.example, or your cousin’s cooking blog later.
</p>

<p>
	 
</p>

<p>
	<a data-wpel-link="internal" href="https://www.ghacks.net/2021/02/23/here-is-what-is-new-and-changed-in-firefox-86-0/" rel="external nofollow">First introduced in Firefox 86 Stable</a>, released in February 2021, Total Cookie Protection has been restricted to Firefox's strict tracking protection feature. Mozilla enabled the feature in <a data-wpel-link="internal" href="https://www.ghacks.net/2021/06/01/firefox-89-ships-with-interface-changes/" rel="external nofollow">Firefox 89</a> for the browser's private browsing mode.
</p>

<p>
	 
</p>

<p>
	The rollout brings the feature to Firefox's default tracking protection configuration once it is turned on. Firefox users who get the prompt in the browser may activate the "turn on Total Cookie Protection" button to add the protective feature to the browser.
</p>

<p>
	 
</p>

<p>
	When they do that, a new checkbox appears in the privacy settings to toggle the functionality.
</p>

<p>
	 
</p>

<p>
	<img alt="firefox-total-cookie-protection-setting." class="ipsImage" data-ratio="75.10" height="371" width="720" src="https://www.ghacks.net/wp-content/uploads/2022/05/firefox-total-cookie-protection-setting.webp">
</p>

<p>
	 
</p>

<p>
	According to Mozilla, Total Cookie Protection is currently in early access. No additional data is collected when the feature is enabled. Mozilla states that the rollout helps the organization improve the feature before it is enabled by default for all users of the web browser in a future version.
</p>

<p>
	 
</p>

<p>
	After enabling Total Cookie Protection, Firefox users may click the Shield icon on sites with broken functionality to turn off the feature for that site and optionally report the breakage to Mozilla.
</p>

<p>
	 
</p>

<p>
	Firefox users who do not get the prompt or the setting in the browser may set the preference browser.privacySegmentation.preferences.show to TRUE on about:config to display it in the browser. According to Mozilla, it may also be possible to enable this by setting network.cookie.cookieBehavior to 5 on about:config. Others may prefer to enable the Strict privacy setting, as it includes the new functionality already.
</p>

<p>
	 
</p>

<p>
	How does it differ from blocking third-party cookies outright? If you block third-party cookies, sites are prevented from setting them at all; this may break some site functionality unless exceptions are set. Total Cookie Protection allows third-party cookies to be set, but it restricts which sites can access them.
</p>

<p>
	 
</p>

<p>
	Mozilla has yet to reveal when the feature will become available as a default for all users of the web browser.
</p>

<p>
	 
</p>

<p>
	<strong>Now You</strong>: what is your take on Total Cookie Protection?
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2022/05/27/mozilla-is-rolling-out-total-cookie-protection-to-more-firefox-users/" rel="external nofollow">Mozilla is rolling out Total Cookie Protection to more Firefox users</a>
</p>
]]></description><guid isPermaLink="false">6106</guid><pubDate>Fri, 27 May 2022 18:33:05 +0000</pubDate></item><item><title>Google Project Zero exposes high severity USB vulnerability in Chrome OS</title><link>https://nsaneforums.com/news/security-privacy-news/google-project-zero-exposes-high-severity-usb-vulnerability-in-chrome-os-r6101/</link><description><![CDATA[<p>
	Project Zero is a team at Google that is responsible for discovering security flaws in different products and then privately reporting them to the respective vendor. A 90-day deadline is provided in order to patch an issue before it is publicly exposed. In some cases, a 14-day grace period may be offered as well.
</p>

<p>
	 
</p>

<p>
	Google Project Zero has previously reported major issues in Google's own products as well as those belonging to others, such as Windows, iPhone, Qualcomm Adreno GPUs, GitHub, and more. Now, it has publicly disclosed a bug in Chrome OS following the associated team's failure to fix it within the allotted 90 days.
</p>

<p>
	 
</p>

<p>
	The issue in question deals with how Chrome OS handles USB devices while the device is locked. Essentially, Chrome OS uses USBGuard to configure allowlists and blocklists for USB devices. However, an incorrect configuration of this framework can allow unauthenticated USB devices to reach the PC's kernel and storage.
</p>

<p>
	 
</p>

<p>
	As Google Project Zero security researcher Jann Horn describes, USBGuard in Chrome OS uses a blocklist that rejects USB devices presenting specific class interface descriptors on a locked screen. However, once that check has passed, all other interfaces are allowed.
</p>

<p>
	 
</p>

<p>
	What this means is that while a device presenting a blocklisted class will be blocked correctly on the lock screen, an attacker's device can emulate a mass storage device while its descriptors claim a USB class that is not on the blocklist, and so be accepted. This is because the kernel often does not care which USB class a device claims, so it will bind its driver to, and accept input from, a device that only appears to have been validated. Horn notes that:
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	<em>Apart from the problem that there is a large amount of attack surface in drivers for devices that don't belong into those USB interface classes, there is another issue with this approach: The kernel often doesn't care what USB class a device claims to be. The way USB drivers tend to work, even for standardized protocols, is that the driver specifies with low priority that it would like to bind to standards-compliant devices using the proper USB interface class, but also specifies with high priority that it would like to bind to specific USB devices based on Vendor ID and Product ID, without caring about their USB interface class.</em>
</p>

<p style="margin-left:40px;">
	 
</p>

<p style="margin-left:40px;">
	<em>[...] If we use a Linux machine with appropriate hardware (I'm using a NET2380 dev board, but you could probably also do it with an unlocked Pixel phone or a Raspberry Pi Zero W or something like that) to emulate a USB Mass Storage device, using (this), and patch one line in the attacker kernel so that it claims to be a billboard, not a storage device.</em>
</p>

<p>
	 
</p>

<p>
	This issue was flagged as a high severity vulnerability and privately reported to the Chrome OS team on February 24. However, after triaging the flaw, that team reclassified it as a low severity vulnerability and stated on March 1 that it would fix the problem by matching on drivers rather than on class interface descriptors. On May 11, the Chrome OS team provided a progress update, but since it was unable to fix the flaw within the allotted 90 days, the issue was publicly disclosed on May 24.
</p>

<p>
	 
</p>

<p>
	It is unclear when a patch will be rolled out, but it is important to note that this is a local vulnerability that requires an attacker to physically insert a USB device to tamper with the machine and its kernel. It can't be exploited remotely, but it does act as an attack vector for other exploits if you leave your Chrome OS PC unattended somewhere, even if it's locked.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.neowin.net/news/google-project-zero-exposes-high-severity-usb-vulnerability-in-chrome-os/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">6101</guid><pubDate>Fri, 27 May 2022 14:36:55 +0000</pubDate></item><item><title>Attackers Can Use Electromagnetic Signals to Control Touchscreens Remotely</title><link>https://nsaneforums.com/news/security-privacy-news/attackers-can-use-electromagnetic-signals-to-control-touchscreens-remotely-r6097/</link><description><![CDATA[<p>
	Researchers have demonstrated what they call the "first active contactless attack against capacitive touchscreens."
</p>

<p>
	 
</p>

<p>
	<strong>GhostTouch</strong>, as it's called, "uses electromagnetic interference (EMI) to inject fake touch points into a touchscreen without the need to physically touch it," a group of academics from Zhejiang University and Technical University of Darmstadt said in a new research paper.
</p>

<p>
	The core idea is to take advantage of the electromagnetic signals to inject fake touch events such as taps and swipes into targeted locations of the touchscreen with the goal of taking over remote control and manipulating the underlying device.
</p>

<p>
	 
</p>

<p>
	The attack, which works from a distance of up to 40 mm, hinges on the fact that capacitive touchscreens are sensitive to EMI, leveraging it to inject electromagnetic signals into the transparent electrodes built into the touchscreen so that they register as touch events.
</p>

<p>
	 
</p>

<p>
	The experimental setup involves an electrostatic gun to generate a strong pulse signal that's then sent to an antenna to transmit an electromagnetic field to the phone's touchscreen, thereby causing the electrodes — which act as antennas themselves — to pick up the EMI.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="hack.gif" class="ipsImage" data-ratio="56.81" height="405" width="720" src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjG8nt1fG7bZiDBq5z_ex5Fk8Z0jp6TmcWaWrCkBHpO3jvrpxVbWnKpSotPo101lOJLjV1iBc9dDksrL41XBtMJ9AVq9gCoJp-Pc0xHUBUgMt6k37oxjFwkYe8XJa6uqpKYb-KsUbCzM2XsIQJnUHCiFBv_y_1vdRj_jvKJk2uQ4Vxp2iNdvpLQ5AYn6g/s728-e100/hack.gif" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	This can be further fine-tuned by tweaking the signal and the antenna to induce a variety of touch behaviors, such as press and hold and swipe to select, depending on the device model targeted.
</p>

<p>
	 
</p>

<p>
	In a real-world scenario, this could play out in different ways, including swiping up to unlock a phone, connecting to a rogue Wi-Fi network, stealthily clicking on a malicious link containing malware, and even answering a phone call on the victim's behalf.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="hacking.jpg" class="ipsImage" data-ratio="75.10" height="540" width="655" src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj9-v8l1iiyfRmDj2M_43CMQ6uh4d4T4zRryRjCpLdBGJ2ywVdZh7HJOSN2AxQi9p-B3NRPacht80L0cIBEFMZ6wZCTOlwG_kWYD7mAojhby9o1RRvdXpM-OHm3GCFtsxRGUscxThtxOGH_H_GO8Kn_ryG9aYvPmdKWy-5tnLtNPcDXjPsrYuKEPIqk/s728-e1000/hacking.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	"In places like a cafe, library, meeting room, or conference lobbies, people might place their smartphone face-down on the table," the researchers said. "An attacker may embed the attack equipment under the table and launch attacks remotely."
</p>

<p>
	 
</p>

<p>
	As many as nine different smartphone models have been found vulnerable to GhostTouch, including Galaxy A10s, Huawei P30 Lite, Honor View 10, Galaxy S20 FE 5G, Nexus 5X, Redmi Note 9S, Nokia 7.2, Redmi 8, and an iPhone SE (2020), the latter of which was used to establish a malicious Bluetooth connection.
</p>

<p>
	 
</p>

<p>
	To counteract the threat, the researchers recommend adding electromagnetic shielding to block EMI, improving the detection algorithm of the touchscreen, and prompting users to enter the phone's PIN or verify their faces or fingerprints prior to executing high-risk actions.
</p>

<p>
	 
</p>

<p>
	"GhostTouch controls and shapes the near-field electromagnetic signal, and injects touch events into the targeted area on the touchscreen, without the need for physical touch or access to the victim's device," the researchers said.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2022/05/attackers-can-use-electromagnetic.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">6097</guid><pubDate>Fri, 27 May 2022 13:52:25 +0000</pubDate></item><item><title>Exploit released for critical VMware auth bypass bug, patch now</title><link>https://nsaneforums.com/news/security-privacy-news/exploit-released-for-critical-vmware-auth-bypass-bug-patch-now-r6084/</link><description><![CDATA[<p>
	Proof-of-concept exploit code is now available online for a critical authentication bypass vulnerability in multiple VMware products that allows attackers to gain admin privileges.
</p>

<p>
	 
</p>

<p>
	VMware <a href="https://www.bleepingcomputer.com/news/security/vmware-patches-critical-auth-bypass-flaw-in-multiple-products/" target="_blank" rel="external nofollow">released security updates</a> to address the CVE-2022-22972 flaw affecting Workspace ONE Access, VMware Identity Manager (vIDM), or vRealize Automation.
</p>

<p>
	 
</p>

<p>
	The company also shared temporary workarounds for admins who cannot patch vulnerable appliances immediately, <a href="http://kb.vmware.com/s/article/88433" rel="external nofollow" target="_blank">requiring</a> them to disable all users except one provisioned administrator.
</p>

<p>
	 
</p>

<p>
	Horizon3 security researchers released a <a href="https://www.horizon3.ai/vmware-authentication-bypass-vulnerability-cve-2022-22972-technical-deep-dive/" rel="external nofollow" target="_blank">proof-of-concept (PoC) exploit</a> and technical analysis for this vulnerability today, following an announcement made on Tuesday that a CVE-2022-22972 PoC will be made available later this week.
</p>

<p>
	 
</p>

<p>
	"This script can be used to bypass authentication on vRealize Automation 7.6 using CVE-2022-22972," the researchers said.
</p>

<p>
	 
</p>

<p>
	"Workspace ONE and vIDM have different authentication endpoints, but the crux of the vulnerability remains the same.
</p>

<p>
	 
</p>

<p>
	While Shodan only shows a limited number of VMware appliances exposed to attacks that would target this bug, there are several healthcare, education industry, and state government organizations with an increased risk of being targeted.
</p>

<p>
	 
</p>

<p>
	CVE-2022-22972 is a relatively simple 'Host' header manipulation vulnerability. Motivated attackers would not have a hard time developing an exploit for this vulnerability," Horizon3 added.
</p>

<p>
	 
</p>

<p>
	<img alt="Successful%20login%20as%20admin%20on%20a" class="ipsImage" data-ratio="51.67" height="167" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2022/Successful%20login%20as%20admin%20on%20a%20vRealize%20Automation%20appliance.png">
</p>

<div>
	<div>
		Successful login as vRealize Automation admin (Horizon3)
	</div>
</div>

<h2>
	Critical security flaw with "serious" ramifications
</h2>

<p>
	"This critical vulnerability should be patched or mitigated immediately per the instructions in VMSA-2021-0014," VMware <a href="https://core.vmware.com/vmsa-2022-0014-questions-answers-faq#sec20356-sub2" rel="external nofollow" target="_blank">warned</a> last week.
</p>

<p>
	 
</p>

<p>
	"The ramifications of this vulnerability are serious. Given the severity of the vulnerability, we strongly recommend immediate action."
</p>

<p>
	 
</p>

<p>
	The Cybersecurity and Infrastructure Security Agency (CISA) further highlighted this security flaw's severity level <a href="https://www.bleepingcomputer.com/news/security/dhs-orders-federal-agencies-to-patch-vmware-bugs-within-5-days/" target="_blank" rel="external nofollow">by issuing a new Emergency Directive</a> that ordered Federal Civilian Executive Branch (FCEB) agencies to urgently update or remove VMware products from their networks.
</p>

<p>
	 
</p>

<p>
	In April, VMware <a href="https://www.bleepingcomputer.com/news/security/vmware-warns-of-critical-vulnerabilities-in-multiple-products/" target="_blank" rel="external nofollow">patched two more critical vulnerabilities</a>, a remote code execution bug (CVE-2022-22954) and a 'root' privilege escalation (CVE-2022-22960) in VMware Workspace ONE Access and VMware Identity Manager.
</p>

<p>
	 
</p>

<p>
	Although the CVE-2022-22972 VMware auth bypass is not yet exploited in the wild, attackers started abusing the flaws addressed in April within 48 hours of the patches to <a href="https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-vmware-rce-flaw-to-install-backdoors/" target="_blank" rel="external nofollow">backdoor vulnerable systems</a> and <a href="https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-vmware-cve-2022-22954-bug-patch-now/" target="_blank" rel="external nofollow">deploy coin miners</a>.
</p>

<p>
	 
</p>

<p>
	"CISA expects threat actors to quickly develop a capability to exploit these newly released vulnerabilities in the same impacted VMware products," the cybersecurity agency said.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/exploit-released-for-critical-vmware-auth-bypass-bug-patch-now/" rel="external nofollow">Exploit released for critical VMware auth bypass bug, patch now</a>
</p>
]]></description><guid isPermaLink="false">6084</guid><pubDate>Thu, 26 May 2022 22:03:12 +0000</pubDate></item><item><title>Hackers Increasingly Using Browser Automation Frameworks for Malicious Activities</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-increasingly-using-browser-automation-frameworks-for-malicious-activities-r6075/</link><description><![CDATA[<p>
	Cybersecurity researchers are calling attention to a free-to-use browser automation framework that's being increasingly used by threat actors as part of their attack campaigns.
</p>

<p>
	 
</p>

<p>
	"The framework contains numerous features which we assess may be utilized in the enablement of malicious activities," researchers from Team Cymru said in a new report published Wednesday.
</p>

<p>
	 
</p>

<p>
	"The technical entry bar for the framework is purposefully kept low, which has served to create an active community of content developers and contributors, with actors in the underground economy advertising their time for the creation of bespoke tooling."
</p>

<p>
	 
</p>

<p>
	The U.S. cybersecurity company said it observed command-and-control (C2) IP addresses associated with malware such as Bumblebee, BlackGuard, and RedLine Stealer establishing connections to the downloads subdomain of Bablosoft ("downloads.bablosoft[.]com"), the maker of the Browser Automation Studio (BAS).
</p>

<p>
	 
</p>

<p>
	Bablosoft was previously documented by cloud security and application delivery firm F5 in February 2021, pointing to the framework's ability to automate tasks in Google's Chrome browser in a manner similar to legitimate developer tools like Puppeteer and Selenium.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="code.jpg" class="ipsImage" data-ratio="52.78" height="375" width="720" src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhcv9-DlC4Bgrr_NNffYxDjbIsfB32Fm5u1LNGlzrUaTM8pZxvnsE_y-UHw0xO1IpxhXkiliVSCJfxkf3DNWq-HXTgYHtsRFtCY3YwIAcHB5MANQhlam_1srEmES944NVkVKDwBQtlgpXxBjCbTaa2hQEfrwCK6S0p221nrJMSbhrIM5mVDscI8_t11/s728-e1000/code.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Threat telemetry for the subdomain's IP address — 46.101.13[.]144 — shows that a vast majority of activity is originating from locations in Russia and Ukraine, with open source intelligence indicating that Bablosoft's owner is allegedly based in the Ukrainian capital city of Kyiv.
</p>

<p>
	 
</p>

<p>
	It is suspected that the operators of the malware campaigns connected to the Bablosoft subdomain to download additional tools for use in post-exploitation activities.
</p>

<p>
	 
</p>

<p>
	Also identified are several hosts associated with cryptojacking malware like XMRig and Tofsee communicating with a second subdomain named "fingerprints.bablosoft[.]com" to use a service that helps the mining malware conceal its behavior.
</p>

<p>
	 
</p>

<p>
	"Based on the number of actors already utilizing tools offered on the Bablosoft website, we can only expect to see BAS becoming a more common element of the threat actor's toolkit," the researchers said.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2022/05/hackers-increasingly-using-browser.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">6075</guid><pubDate>Thu, 26 May 2022 14:40:47 +0000</pubDate></item><item><title>FTC fines Twitter $150M for using 2FA info for targeted advertising</title><link>https://nsaneforums.com/news/security-privacy-news/ftc-fines-twitter-150m-for-using-2fa-info-for-targeted-advertising-r6073/</link><description><![CDATA[<p>
	The Federal Trade Commission has fined Twitter $150 million for using phone numbers and email addresses collected to enable two-factor authentication for targeted advertising.
</p>

<p>
	 
</p>

<p>
	According to court documents [<a href="https://www.justice.gov/opa/press-release/file/1508436/download" rel="external nofollow" target="_blank">PDF</a>], Twitter asked over 140 million users for this information to protect their accounts starting in 2013, but it failed to inform them that the data would also be used to allow advertisers to target them with ads.
</p>

<p>
	 
</p>

<p>
	This is a direct violation of the FTC Act and <a href="https://www.ftc.gov/news-events/news/press-releases/2011/03/ftc-accepts-final-settlement-twitter-failure-safeguard-personal-information" rel="external nofollow">a 2011 Commission administrative order</a> which banned the company from misrepresenting its security and privacy practices and profiting from deceptively collected data.
</p>

<p>
	 
</p>

<p>
	The order was issued following a settlement for failing to safeguard its users' personal information after hackers gained admin control of Twitter between January and May of 2009.
</p>

<p>
	 
</p>

<p>
	"As the complaint notes, Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads. This practice affected more than 140 million Twitter users, while boosting Twitter’s primary source of revenue," <a href="https://www.ftc.gov/news-events/news/press-releases/2022/05/ftc-charges-twitter-deceptively-using-account-security-data-sell-targeted-ads" rel="external nofollow" target="_blank">said</a> FTC Chair Lina M. Khan.
</p>

<p>
	 
</p>

<p>
	"The $150 million penalty reflects the seriousness of the allegations against Twitter, and the substantial new compliance measures to be imposed as a result of today’s proposed settlement will help prevent further misleading tactics that threaten users’ privacy," added U.S. Attorney Stephanie M. Hinds.
</p>

<p>
	 
</p>

<p>
	<img alt="DOJ_Twitter_fine.png" class="ipsImage" data-ratio="75.10" height="478" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2022/DOJ_Twitter_fine.png">
</p>

<p>
	 
</p>

<p>
	Additional provisions of FTC's <a href="https://www.ftc.gov/system/files/ftc_gov/pdf/2023062TwitterMtnEntryOrder.pdf" rel="external nofollow">proposed order</a> also would:
</p>

<p>
	 
</p>

<ul>
	<li>
		prohibit Twitter from profiting from deceptively collected data;
	</li>
	<li>
		allow users to use other multi-factor authentication methods such as mobile authentication apps or security keys that do not require users to provide their telephone numbers;
	</li>
	<li>
		notify users that it misused phone numbers and email addresses collected for account security to also target ads to them and provide information about Twitter’s privacy and security controls;
	</li>
	<li>
		implement and maintain a comprehensive privacy and information security program that requires the company, among other things, to examine and address the potential privacy and security risks of new products;
	</li>
	<li>
		limit employee access to users’ personal data; and
	</li>
	<li>
		notify the FTC if the company experiences a data breach.
	</li>
</ul>

<p>
	<a href="http://www.justice.gov/opa/pr/twitter-agrees-doj-and-ftc-pay-150-million-civil-penalty-and-implement-comprehensive" rel="external nofollow" target="_blank">Twitter has agreed to settle the FTC's allegations</a> by paying a $150 million civil penalty and implementing significant new compliance measures to improve its data privacy practices after the settlement is approved by a federal court.
</p>

<p>
	 
</p>

<p>
	Twitter <a href="https://www.bleepingcomputer.com/news/technology/twitter-apologizes-for-using-your-phone-number-for-advertising/" target="_blank" rel="external nofollow">apologized</a> for using phone numbers and email addresses provided for account security like two-factor authentication for advertising in October 2019, saying they "may have been used accidentally for ad targeting."
</p>

<p>
	 
</p>

<p>
	"We recently discovered that when you provided an email address or phone number for safety or security purposes (for example, two-factor authentication) this data may have inadvertently been used for advertising purposes, specifically in our <a href="https://business.twitter.com/en/targeting/tailored-audiences.html" rel="external nofollow">Tailored Audiences</a> and Partner Audiences advertising system," said the company at the time.
</p>

<p>
	 
</p>

<p>
	<img alt="Twitter_2FA_tweet.jpg" class="ipsImage" data-ratio="73.56" height="473" width="643" src="https://www.bleepstatic.com/images/news/u/1109292/2022/Twitter_2FA_tweet.jpg">
</p>

<p>
	 
</p>

<p>
	Twitter's Tailored Audiences is an advertising product that enables advertisers to send targeted ads to customers in their marketing lists based on information such as email addresses and phone numbers.
</p>

<p>
	 
</p>

<p>
	The Partner Audiences advertising system allows advertisers to target users from lists provided by their third-party partners.
</p>

<p>
	 
</p>

<p>
	Twitter apologized for this error and said that it would be taking measures to ensure that a similar mistake would not happen again.
</p>

<p>
	 
</p>

<p>
	Something very similar happened in 2018 when <a href="https://gizmodo.com/facebook-is-giving-advertisers-access-to-your-shadow-co-1828476051" rel="external nofollow" target="_blank">Facebook built complex advertising profiles</a> for all its users with everything from their 2FA phone numbers to info harvested from their friends' profiles.
</p>

<p>
	 
</p>

<p>
	Facebook later used the users' 2FA phone numbers as an additional vector to deliver targeted ads.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/technology/ftc-fines-twitter-150m-for-using-2fa-info-for-targeted-advertising/" rel="external nofollow">FTC fines Twitter $150M for using 2FA info for targeted advertising</a>
</p>
]]></description><guid isPermaLink="false">6073</guid><pubDate>Wed, 25 May 2022 22:48:57 +0000</pubDate></item><item><title>Tails 5.0 Linux users warned against using it "for sensitive information"</title><link>https://nsaneforums.com/news/security-privacy-news/tails-50-linux-users-warned-against-using-it-for-sensitive-information-r6064/</link><description><![CDATA[<p>
	Tails developers have warned users to stop using the portable Debian-based Linux distro until the next release if they're entering or accessing sensitive information using the bundled Tor Browser application.
</p>

<p>
	 
</p>

<p>
	<a href="https://tails.boum.org/about/index.en.html" rel="external nofollow" target="_blank">Tails</a> (short for The Amnesic Incognito Live System) is a Linux distro focused on protecting the users' anonymity (e.g., activists and journalists) and helping them circumvent censorship by forcing all connections to and from the Internet through the Tor network.
</p>

<p>
	 
</p>

<p>
	"We recommend that you stop using Tails until the release of 5.1 (May 31) if you use Tor Browser for sensitive information (passwords, private messages, personal information, etc.)," the Tails developers warned.
</p>

<p>
	 
</p>

<p>
	This warning was prompted by two critical zero-day bugs in the Firefox JavaScript engine (tracked as <a href="https://www.mozilla.org/en-US/security/advisories/mfsa2022-19/#CVE-2022-1802" rel="external nofollow" target="_blank">CVE-2022-1802</a> and <a href="https://www.mozilla.org/en-US/security/advisories/mfsa2022-19/#CVE-2022-1529" rel="external nofollow" target="_blank">CVE-2022-1529</a>), <a href="https://www.bleepingcomputer.com/news/security/microsoft-teams-windows-11-hacked-on-first-day-of-pwn2own/" target="_blank" rel="external nofollow">exploited</a> during the first day of the Pwn2Own 2022 Vancouver hacking contest and <a href="https://www.bleepingcomputer.com/news/security/mozilla-fixes-firefox-thunderbird-zero-days-exploited-at-pwn2own/" target="_blank" rel="external nofollow">patched by Mozilla two days later</a>.
</p>

<p>
	 
</p>

<p>
	While the bugs have already been patched upstream, the developers cannot deliver patches for any of the included apps until the next release, given that Tails is a live Linux distro.
</p>

<p>
	 
</p>

<p>
	The vulnerabilities enable attackers to access info from other websites visited using Tor Browser if successfully exploited.
</p>

<p>
	 
</p>

<p>
	"For example, after you visit a malicious website, an attacker controlling this website might access the password or other sensitive information that you send to other websites afterwards during the same Tails session," the Tails advisory <a href="https://tails.boum.org/security/prototype_pollution/index.en.html" rel="external nofollow" target="_blank">adds</a>.
</p>

<h2>
	Tails still safe for some users
</h2>

<p>
	The Tails devs also explained that the flaws do not affect Tor Browser users who browse on the Safest security level, because that level automatically disables JavaScript.
</p>

<p>
	 
</p>

<p>
	Likewise, Thunderbird users are not impacted because the version bundled with the Tails Linux distro has JavaScript disabled by default.
</p>

<p>
	 
</p>

<p>
	Additionally, Tails users who don't use or access sensitive information through the Tor Browser can still use it safely since the security flaws don't break the encryption and anonymity of Tor connections.
</p>

<p>
	 
</p>

<p>
	"Mozilla is aware of websites exploiting this vulnerability already. This vulnerability will be fixed in Tails 5.1 (May 31), but our team doesn't have the capacity to publish an emergency release earlier," the Tails team warned.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/tails-50-linux-users-warned-against-using-it-for-sensitive-information/" rel="external nofollow">Tails 5.0 Linux users warned against using it "for sensitive information"</a>
</p>
]]></description><guid isPermaLink="false">6064</guid><pubDate>Wed, 25 May 2022 20:30:36 +0000</pubDate></item><item><title>DoNotSpy11 for Windows 11 is now available</title><link>https://nsaneforums.com/news/security-privacy-news/donotspy11-for-windows-11-is-now-available-r6052/</link><description><![CDATA[<p>
	The developer of the <a data-wpel-link="internal" href="https://www.ghacks.net/2015/08/14/comparison-of-windows-10-privacy-tools/" rel="external nofollow">popular privacy tool</a> DoNotSpy10 released DoNotSpy11 for Windows 11 on May 24, 2022. The tool gives users control over more than 140 privacy-related features on Windows devices.
</p>

<p>
	<img alt="donotspy11-windows.webp" class="ipsImage" data-ratio="57.64" height="249" width="720" src="https://www.ghacks.net/wp-content/uploads/2022/05/donotspy11-windows.webp">
</p>

<p>
	<a data-wpel-link="internal" href="https://www.ghacks.net/2015/08/05/donotspy10-configure-windows-10-privacy-settings/" rel="external nofollow">We reviewed DoNotSpy10 in 2015</a> when it was released for Microsoft's Windows 10 operating system. We found it to be a good tool to adjust Windows settings related to privacy quickly and efficiently. We did not like the included adware offer back then, but this is a thing of the past as it is no longer included.
</p>

<p>
	DoNotSpy11 uses the core of the Windows 10 application. In fact, it supports Windows 10 and 11 systems alike. The interface is identical, but that is not necessarily a bad thing, considering that users will feel right at home. It is streamlined and easy to use.
</p>

<p>
	The first thing you need to do is download the latest version of the application from the developer's website. Windows 11 may throw <a data-wpel-link="internal" href="https://www.ghacks.net/2015/12/19/microsoft-smartscreen-gets-drive-by-attack-protection/" rel="external nofollow">a SmartScreen warning</a> on first run; the developer states that it is thrown because the application is not signed.
</p>

<p>
	<img alt="donotspy11.webp" class="ipsImage" data-ratio="75.10" height="495" width="720" src="https://www.ghacks.net/wp-content/uploads/2022/05/donotspy11.webp">
</p>

<p>
	All available tweaks are listed in the main interface. Tweaks are sorted into categories, and a search is provided that helps you filter the large list.
</p>

<p>
	When you select a tweak, a description is provided that may provide additional information on the functionality of the feature that it controls.
</p>

<p>
	Checked tweaks are already enabled on the device. Each tweak has a color assigned to it that provides safety information: blue tweaks are safe to use, red tweaks are not recommended for the majority of users, orange tweaks have info text that provides an explanation, and gray-colored tweaks highlight changes since the last time the app was started.
</p>

<p>
	DoNotSpy11 supports the manual creation of a system restore point via the Actions menu, but it will also display a system restore point before any changes are made.
</p>

<p>
	As far as differences to DoNotSpy10 are concerned, there are some. DoNotSpy11 detects Office and will display Office-specific tweaks in the case of detection. The following Office-specific privacy tweaks are supported in the current version:
</p>

<p style="margin-left: 40px;">
	Tweak added: Office: Disable First Run Movie<br>
	Tweak added: Office: Disable Customer Experience Improvement Program<br>
	Tweak added: Office: Disable Feedback<br>
	Tweak added: Office: Disable Sending Personal Information<br>
	Tweak added: Office: Disable Telemetry<br>
	Tweak added: Office: Disable Connected Experiences That Analyze Content<br>
	Tweak added: Office: Disable Connected Experiences That Download Online Content<br>
	Tweak added: Office: Disable Additional Optional Connected Experiences<br>
	Tweak added: Office: Disable In-Product Surveys<br>
	Tweak added: Office: Block Signing Into Office<br>
	Tweak added: Office: Disable LinkedIn Features
</p>

<p>
	Several Windows 11 specific tweaks are also available. Users may disable <a data-wpel-link="internal" href="https://www.ghacks.net/2022/04/27/those-icons-on-your-windows-taskbar-next-to-search-that-is-the-search-highlights-feature/" rel="external nofollow">Search Highlights</a>, Windows Spotlight on Desktop, or the display of Office.com Files in Explorer. You find the full changelog <a data-wpel-link="external" href="https://pxc-coding.com/donotspy11/donotspy-11-changelog/" rel="external nofollow" target="_blank">on the developer's website</a>.
</p>

<h2>
	Closing Words
</h2>

<p>
	DoNotSpy11 is a well-designed privacy application for Windows. It supports the latest Windows 10 and 11 builds, and is regularly updated with new tweaks.
</p>

<p>
	Now You: do you use privacy applications to tweak your operating systems?
</p>

<p>
	<a href="https://www.ghacks.net/2022/05/25/donotspy11-for-windows-11-is-now-available/" rel="external nofollow">DoNotSpy11 for Windows 11 is now available</a>
</p>

<p>
	<strong>Software Updates:   <a href="https://nsaneforums.com/topic/427798-donotspy11-1000/" rel="">DoNotSpy11 1.0.0.0</a></strong>
</p>
]]></description><guid isPermaLink="false">6052</guid><pubDate>Wed, 25 May 2022 09:05:10 +0000</pubDate></item><item><title>This ransomware forces victims to do acts of goodwill to get their files back</title><link>https://nsaneforums.com/news/security-privacy-news/this-ransomware-forces-victims-to-do-acts-of-goodwill-to-get-their-files-back-r6051/</link><description><![CDATA[<p>
	<img alt="1653466966_word-image-42_story.jpg" class="ipsImage" data-ratio="59.31" height="607" width="1080" src="https://cdn.neow.in/news/images/uploaded/2022/05/1653466966_word-image-42_story.jpg">
</p>

<p>
	<a href="https://www.neowin.net/news/tags/ransomware/" rel="external nofollow">We are always hearing about ransomware</a> that encrypts systems and then demands a payment from victims, usually in the form of cryptocurrency, to get their data back. But it appears that a new strain of ransomware has now emerged that asks users to perform acts of good in order to decrypt their environments.
</p>

<p>
	CloudSEK's Threat Intelligence Research team has recently identified a ransomware strain that goes by the name of "GoodWill". In order to receive a decryption key, the victim has to perform acts of kindness such as feeding the less fortunate, providing them with blankets, and offering money to people at hospitals. In total, there are three activities that a victim must complete in order to recover their data.
</p>

<p>
	<img alt="1653466236_word-image-43_story.jpg" class="ipsImage" data-ratio="59.31" height="405" width="720" src="https://cdn.neow.in/news/images/uploaded/2022/05/1653466236_word-image-43_story.jpg">
</p>

<p>
	As can be seen above, the first activity requires you to provide clothes and blankets to needy people on the side of the road and make a video of yourself doing this. This video also has to be posted to social media in order to encourage others. This information then has to be emailed to the attackers as evidence of completion.
</p>

<p>
	<img alt="1653466242_word-image-44_story.jpg" class="ipsImage" data-ratio="61.94" height="423" width="720" src="https://cdn.neow.in/news/images/uploaded/2022/05/1653466242_word-image-44_story.jpg">
</p>

<p>
	Then, the second activity requires you to feed five children from fast food chains and treat them well while doing it. The victim also has to take selfies with them and again post these photos and video on social media. An image of the restaurant bill along with links to the social media posts then has to be sent to the attacker.
</p>

<p>
	<img alt="1653466230_word-image-45_story.jpg" class="ipsImage" data-ratio="71.39" height="486" width="720" src="https://cdn.neow.in/news/images/uploaded/2022/05/1653466230_word-image-45_story.jpg">
</p>

<p>
	Finally, the third activity forces you to go to a hospital and pay for the medical treatment of those in need of financial assistance. Selfies have to be taken with these people too, and the audio conversation has to be recorded as proof. Then, a "beautiful article" about this has to be posted on social media, and you have to explain to people how becoming a victim of the GoodWill ransomware was basically the best thing to have ever happened to you.
</p>

<p>
	Once all the information has been verified by the attackers, they will send a decryption tool so that you can recover your files.
</p>

<p>
	CloudSEK was able to trace IP addresses and the email address back to an IT company in India that purportedly manages end-to-end security. GoodWill has similarities with the HiddenTear ransomware but CloudSEK was also able to find strings in the code written in Hinglish such as "error hai bhaiya", which translates to "There is an error, brother".
</p>

<p>
	Although CloudSEK hasn't gone into details about how the ransomware is spread, it has shared a lot of indicators of compromise (IOCs) and mitigation techniques in its <a href="https://cloudsek.com/threatintelligence/goodwill-ransomware-forces-victims-to-donate-to-the-poor-and-provides-financial-assistance-to-patients-in-need/" rel="external nofollow">blog post here</a>.
</p>

<p>
	<a href="https://www.neowin.net/news/this-ransomware-forces-victims-to-do-acts-of-goodwill-to-get-their-files-back/" rel="external nofollow">This ransomware forces victims to do acts of goodwill to get their files back</a>
</p>
]]></description><guid isPermaLink="false">6051</guid><pubDate>Wed, 25 May 2022 08:57:51 +0000</pubDate></item><item><title>DuckDuckGo browser allows Microsoft trackers due to search agreement</title><link>https://nsaneforums.com/news/security-privacy-news/duckduckgo-browser-allows-microsoft-trackers-due-to-search-agreement-r6049/</link><description><![CDATA[<p>
	The privacy-focused DuckDuckGo browser purposely allows Microsoft trackers on third-party sites due to an agreement in their syndicated search content contract between the two companies.
</p>

<p>
	DuckDuckGo is a search engine that prides itself on its privacy by not tracking your searches or your behavior while performing searches. Furthermore, instead of building user profiles to display interest-based advertisements, DuckDuckGo will use contextual advertisements from partners, like Ads by Microsoft.
</p>

<p>
	While DuckDuckGo does not store any personal identifiers with your search queries, Microsoft advertising <a href="https://help.duckduckgo.com/duckduckgo-help-pages/company/ads-by-microsoft-on-duckduckgo-private-search/" rel="external nofollow" target="_blank">may track your IP address</a> and other information when clicking on an ad link for "accounting purposes" but it is not associated with a user advertising profile.
</p>

<p>
	DuckDuckGo also offers a privacy-centric web browser for iOS and Android that promotes many privacy features, including HTTPS-always encryption, third-party cookie blocking, and tracker blocking.
</p>

<p>
	"Tracker Radar automatically blocks hidden third-party trackers we can find lurking on websites you visit in DuckDuckGo, which stops the companies behind those trackers from collecting and selling your data," explains the <a href="https://apps.apple.com/app/duckduckgo-privacy-browser/id663592361" rel="external nofollow" target="_blank">Apple App Store page</a> for the DuckDuckGo Privacy Browser.
</p>

<h2>
	DuckDuckGo browser allows Microsoft trackers
</h2>

<p>
	However, while performing a security audit of the DuckDuckGo Privacy Browser, security researcher Zach Edwards discovered that while the browser blocks Google and Facebook trackers, it allowed Microsoft trackers to continue running.
</p>

<p>
	<img alt="zach-edwards.jpg" class="ipsImage" data-ratio="75.10" height="540" width="410" src="https://www.bleepstatic.com/images/news/web-browsers/duckduckgo/allow-microsoft-trackers/zach-edwards.jpg">
</p>

<p>
	Further tests showed that DuckDuckGo allowed trackers related to the bing.com and linkedin.com domains while blocking all other trackers.
</p>

<p>
	In response to Edwards' <a href="https://twitter.com/yegg/status/1528838114558484480" rel="external nofollow" target="_blank">long thread</a> on the subject, DuckDuckGo CEO and Founder Gabriel Weinberg confirmed that their browser intentionally allows Microsoft trackers on third-party sites due to a search syndication agreement with Redmond.
</p>

<p>
	This has led to quite the uproar on <a href="https://news.ycombinator.com/item?id=31490515" rel="external nofollow" target="_blank">Hacker News</a>, where Weinberg has been defending the company's transparency surrounding the agreements with Microsoft.
</p>

<p>
	However, Weinberg has made it clear that this restriction is only in their browser and does not affect the DuckDuckGo search engine.
</p>

<h2>
	"Tracking is tracking"
</h2>

<p>
	While DuckDuckGo has been transparent regarding its advertising partnership with Microsoft, it is not clear why the company did not disclose that its browser allows Microsoft trackers until a security researcher discovered it.
</p>

<p>
	This revelation comes at the wrong time, as DuckDuckGo recently went after Google for their new 'Topics' and 'FLEDGE' tracking methods, saying, "Google says they're better for privacy, but the simple fact is tracking is tracking, no matter what you call it."
</p>

<p>
	<img alt="duckduckgo-tweet.jpg" class="ipsImage" data-ratio="75.10" height="540" width="382" src="https://www.bleepstatic.com/images/news/web-browsers/duckduckgo/allow-microsoft-trackers/duckduckgo-tweet.jpg">
</p>

<p>
	After publication of this story, DuckDuckGo's Weinberg <a href="https://twitter.com/yegg/status/1529227041882742785" rel="external nofollow" target="_blank">replied</a> to our Tweet stating that they are working to remove this restriction from their agreement and to be more transparent in app store descriptions.
</p>

<p>
	"In addition, we are working with Microsoft to remove this limited restriction the article refers to. We're also working on updates to our app store descriptions to have more information. Hope this is helpful context," tweeted Weinberg.
</p>

<p>
	BleepingComputer was also sent the following statement from DuckDuckGo CEO Gabriel Weinberg, which is in its entirety below:
</p>

<p style="margin-left: 40px;">
	"We have always been extremely careful to never promise anonymity when browsing, because that frankly isn’t possible given how quickly trackers change how they work to evade protections and the tools we currently offer. When most other browsers on the market talk about tracking protection, they are usually referring to 3rd-party cookie protection and fingerprinting protection, and our browsers for iOS, Android, and our new Mac beta, impose these restrictions on third-party tracking scripts, including those from Microsoft. 
</p>

<p style="margin-left: 40px;">
	What we're talking about here is an above-and-beyond protection that most browsers don't even attempt to do — that is, blocking third-party tracking scripts before they load on 3rd party websites. Because we're doing this where we can, users are still getting significantly more privacy protection with DuckDuckGo than they would using Safari, Firefox and other browsers. This blog post we published gets into the real benefits users enjoy from this approach, like faster load times (46% average decrease) and less data transferred (34% average decrease). Our goal has always been to provide the most privacy we can in one download, by default without any complicated settings." 
</p>

<p>
	Microsoft declined our request for comment.
</p>

<p>
	<strong>Update 5/24/22</strong>: Added Gabriel Weinberg's statement.
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/duckduckgo-browser-allows-microsoft-trackers-due-to-search-agreement/" rel="external nofollow">DuckDuckGo browser allows Microsoft trackers due to search agreement</a>
</p>
]]></description><guid isPermaLink="false">6049</guid><pubDate>Wed, 25 May 2022 02:10:10 +0000</pubDate></item><item><title>Mozilla fixes Firefox, Thunderbird zero-days exploited at Pwn2Own</title><link>https://nsaneforums.com/news/security-privacy-news/mozilla-fixes-firefox-thunderbird-zero-days-exploited-at-pwn2own-r6048/</link><description><![CDATA[<p>
	Mozilla has released security updates for multiple products to address zero-day vulnerabilities exploited during the Pwn2Own Vancouver 2022 hacking contest.
</p>

<p>
	If exploited, the two critical flaws can let attackers gain JavaScript code execution on mobile and desktop devices running vulnerable versions of Firefox, Firefox ESR, Firefox for Android, and Thunderbird.
</p>

<p>
	The zero-days have been fixed in Firefox 100.0.2, Firefox ESR 91.9.1, Firefox for Android 100.3, and Thunderbird 91.9.1.
</p>

<p>
	Manfred Paul (<a href="https://twitter.com/_manfp" rel="external nofollow" target="_blank">@_manfp</a>) earned $100,000 and 10 Master of Pwn points after demoing prototype pollution and improper input validation bugs on <a href="https://www.bleepingcomputer.com/news/security/microsoft-teams-windows-11-hacked-on-first-day-of-pwn2own/" target="_blank" rel="external nofollow">the first day of Pwn2Own</a>.
</p>

<p>
	The first vulnerability is a prototype pollution in Top-Level Await implementation (tracked as <a href="https://www.mozilla.org/en-US/security/advisories/mfsa2022-19/#CVE-2022-1802" rel="external nofollow" target="_blank">CVE-2022-1802</a>) that can let an attacker corrupt the methods of an Array object in JavaScript using prototype pollution to achieve JavaScript code execution in a privileged context.
</p>

<p>
	The second one (<a href="https://www.mozilla.org/en-US/security/advisories/mfsa2022-19/#CVE-2022-1529" rel="external nofollow" target="_blank">CVE-2022-1529</a>) is an improper input validation flaw in JavaScript object indexing that attackers can abuse in prototype pollution injection attacks.
</p>

<p>
	"An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process," Mozilla <a href="https://www.mozilla.org/en-US/security/advisories/mfsa2022-19/#CVE-2022-1529" rel="external nofollow" target="_blank">explained</a>.
</p>

<p>
	The Cybersecurity and Infrastructure Security Agency (CISA) also <a href="https://www.cisa.gov/uscert/ncas/current-activity/2022/05/23/mozilla-releases-security-products-multiple-firefox-products" rel="external nofollow" target="_blank">encouraged</a> admins and users on Monday to patch these security flaws, given that threat actors could exploit them to "take control of an affected system."
</p>

<p>
	Mozilla patched these vulnerabilities two days after they were exploited and reported at the Pwn2Own hacking contest by Manfred Paul.
</p>

<p>
	However, vendors don't usually hurry to release patches after Pwn2Own, since they have 90 days to push security fixes before Trend Micro's Zero Day Initiative publicly discloses the bugs.
</p>

<p>
	Pwn2Own 2022 Vancouver ended on May 20 after 17 competitors <a href="https://www.zerodayinitiative.com/blog/2022/5/18/pwn2own-vancouver-2022-the-results#:~:text=Trend%20Micro%20and%20ZDI%20awarding%20%241%2C155%2C000" rel="external nofollow" target="_blank">earned $1,155,000</a> for zero-day exploits and exploit chains demonstrated in 21 attempts over three days.
</p>

<p>
	Security researchers also <a href="https://www.bleepingcomputer.com/news/security/hackers-earn-400k-for-zero-day-ics-exploits-demoed-at-pwn2own/" target="_blank" rel="external nofollow">earned $400,000 for 26 zero-day exploits</a> targeting ICS and SCADA products demoed between April 19 and April 21 during the 2022 Pwn2Own Miami contest.
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/mozilla-fixes-firefox-thunderbird-zero-days-exploited-at-pwn2own/" rel="external nofollow">Mozilla fixes Firefox, Thunderbird zero-days exploited at Pwn2Own</a>
</p>
]]></description><guid isPermaLink="false">6048</guid><pubDate>Wed, 25 May 2022 02:05:30 +0000</pubDate></item></channel></rss>
