<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/127/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Iranian Hackers Leveraging BitLocker and DiskCryptor in Ransomware Attacks</title><link>https://nsaneforums.com/news/security-privacy-news/iranian-hackers-leveraging-bitlocker-and-diskcryptor-in-ransomware-attacks-r5813/</link><description><![CDATA[<p>
	A ransomware group with an Iranian operational connection has been linked to a string of file-encrypting malware attacks targeting organizations in Israel, the U.S., Europe, and Australia.
</p>

<p>
	Cybersecurity firm Secureworks attributed the intrusions to a threat actor it tracks under the moniker Cobalt Mirage, which it said is linked to an Iranian hacking crew dubbed Cobalt Illusion (aka APT35, Charming Kitten, Newscaster, or Phosphorus).
</p>

<p>
	"Elements of Cobalt Mirage activity have been reported as Phosphorus and TunnelVision," Secureworks Counter Threat Unit (CTU) said in a report shared with The Hacker News.
</p>

<p>
	The threat actor is said to have conducted two different sets of intrusions, one of which relates to opportunistic ransomware attacks involving the use of legitimate tools like BitLocker and DiskCryptor for financial gain.
</p>

<p>
	The second set of attacks is more targeted, carried out with the primary goal of securing access and gathering intelligence, while also deploying ransomware in select cases.
</p>


<p style="text-align:center;">
	<img alt="bitlocker.jpg" class="ipsImage" data-ratio="75.10" height="540" width="720" src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhj5yWEm8TPoPPUeS_y7ogbjt9Nu68eegoEUin42mwprnZ4MbRI3MIabRu6OdZSmzoHFquqR0BVcSs6cHC7-pu9TN0dJ9Y6TBAdtQBqwGnoHQx2R4Xz24_tmMN1UnvkJE9GSukqW8W31Z_2PI5mBurPSOmRrLPPlXi3dNIBDLr2PoCYZ3h4zaLhFktg/s728-e100/bitlocker.jpg" />
</p>


<p>
	Initial access is gained by scanning for internet-facing servers vulnerable to highly publicized flaws in Fortinet appliances and Microsoft Exchange Server, dropping web shells on them, and using those web shells as a conduit to move laterally and activate the ransomware.
</p>

<p>
	However, the exact means by which the full-volume encryption feature is triggered remains unknown, Secureworks said, detailing a January 2022 attack against an unnamed U.S. philanthropic organization.
</p>

<p>
	Another intrusion aimed at a U.S. local government network in mid-March 2022 is believed to have leveraged Log4Shell flaws in the target's VMware Horizon infrastructure to conduct reconnaissance and network scanning operations.
</p>

<p>
	"The January and March incidents typify the different styles of attacks conducted by Cobalt Mirage," the researchers concluded.
</p>

<p>
	"While the threat actors appear to have had a reasonable level of success gaining initial access to a wide range of targets, their ability to capitalize on that access for financial gain or intelligence collection appears limited."
</p>


<p>
	<strong><a href="https://thehackernews.com/2022/05/iranian-hackers-leveraging-bitlocker.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">5813</guid><pubDate>Thu, 12 May 2022 14:37:44 +0000</pubDate></item><item><title>HP fixes bug letting attackers overwrite firmware in over 200 models</title><link>https://nsaneforums.com/news/security-privacy-news/hp-fixes-bug-letting-attackers-overwrite-firmware-in-over-200-models-r5801/</link><description><![CDATA[<p>
	HP has released BIOS updates today to fix two high-severity vulnerabilities affecting a wide range of PC and notebook products, which allow code to run with kernel privileges.
</p>


<p>
	Kernel-level privileges are the highest rights in Windows, allowing threat actors to execute any command at the kernel level, including manipulating drivers and accessing the BIOS.
</p>


<p>
	The flaws are tracked as CVE-2021-3808 and CVE-2021-3809, and both have a CVSS 3.1 base score of 8.8, giving them a high severity rating. At this time, HP has provided no technical details about these flaws.
</p>


<div>
	<p>
		“Potential security vulnerabilities have been identified in the BIOS (UEFI Firmware) for certain HP PC products, which might allow arbitrary code execution. HP is releasing firmware updates to mitigate these potential vulnerabilities,” <a href="https://support.hp.com/us-en/document/ish_6184733-6184761-16/hpsbhf03788" rel="external nofollow" target="_blank">reads the short advisory</a>.
	</p>

</div>

<p>
	The list of affected products includes business notebooks like the ZBook Studio, ZHAN Pro, EliteBook, ProBook, and Elite Dragonfly, business desktop PCs like the EliteDesk and ProDesk, retail PoS computers like the Engage, workstations like the Z1 and Z2, and thin client PCs.
</p>


<p>
	For a complete list of all the affected models and the corresponding SoftPaqs to use in each case, check the security advisory page and look for your device. Note that not all of the listed products have received a fix yet.
</p>

<h2>
	Researcher discloses more
</h2>

<p>
	Nicholas Starke, the researcher who discovered these flaws in November 2021 and reported them to HP, explains the problem in greater detail in a separate blog post.
</p>


<p>
	“This vulnerability could allow an attacker executing with kernel-level privileges (CPL == 0) to escalate privileges to System Management Mode (SMM). Executing in SMM gives an attacker full privileges over the host to further carry out attacks,” explains a <a href="http://nstarke.github.io/uefi/smm/2022/05/10/smm-callout-in-hp-products.html" rel="external nofollow" target="_blank">report</a> by Starke.
</p>


<p>
	The problem appears to be that an SMI handler can be triggered from the OS environment, for example through a Windows kernel driver.
</p>


<div>
	<p>
		<img alt="handler.png" class="ipsImage" data-ratio="49.61" height="320" width="645" src="https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/handler.png">
	</p>

	<p>
		The vulnerable SMI handler (StarkeBlog)
	</p>

</div>

<p>
	An attacker needs to locate the memory address of the “LocateProtocol” function and overwrite it with malicious code. Finally, the attacker can trigger code execution by instructing the SMI handler to execute.
</p>


<p>
	It's important to underline that to exploit the vulnerability, an attacker would already need root/SYSTEM-level privileges on the target system, which are then used to execute code in System Management Mode (SMM).
</p>


<p>
	The ultimate goal of such an attack would be to overwrite the UEFI implementation (BIOS) of the machine with attacker-controlled BIOS images. This means an attacker could plant persistent malware that antivirus tools cannot remove and that survives even an OS reinstall.
</p>


<p>
	Finally, it's also crucial to highlight that some HP computer models have mitigations, such as HP Sure Start, that the attacker would need to bypass for the exploit to work.
</p>


<p>
	The researcher explains that HP Sure Start can detect this kind of tampering and shut down the host when the memory corruption occurs. At the next startup, a warning is displayed to the user along with a prompt to approve the system boot.
</p>


<p>
	HP’s latest fixes come only <a href="https://www.bleepingcomputer.com/news/security/hp-patches-16-uefi-firmware-bugs-allowing-stealthy-malware-infections/" target="_blank" rel="external nofollow">two months</a> after the computer maker plugged 16 UEFI firmware bugs and <a href="https://www.bleepingcomputer.com/news/security/uefi-firmware-vulnerabilities-affect-at-least-25-computer-vendors/" target="_blank" rel="external nofollow">three months</a> after addressing a different set of BIOS flaws.
</p>


<p>
	As such, if you haven’t applied the security updates yet, make sure to take a backup of your data on a separate system and do so now.
</p>


<p>
	<a href="https://www.bleepingcomputer.com/news/security/hp-fixes-bug-letting-attackers-overwrite-firmware-in-over-200-models/" rel="external nofollow">HP fixes bug letting attackers overwrite firmware in over 200 models</a>
</p>
]]></description><guid isPermaLink="false">5801</guid><pubDate>Wed, 11 May 2022 20:11:15 +0000</pubDate></item><item><title>DuckDuckGo slams Google's new tracking systems</title><link>https://nsaneforums.com/news/security-privacy-news/duckduckgo-slams-googles-new-tracking-systems-r5792/</link><description><![CDATA[<p>
	<span style="font-size:20px;">Internet privacy company has taken issue with both Google Topics and FLEDGE</span>
</p>


<p>
	DuckDuckGo has once again taken issue with Google’s plan to replace third-party cookies in Chrome by calling out the search giant’s new Topics and FLEDGE tracking and ad targeting methods.
</p>

<p>
	While Topics uses your browsing history in Chrome to automatically collect information about your interests to share with tracking companies and other businesses, FLEDGE enables Google’s browser to target users with ads based on their browsing history.
</p>

<p>
	Although Google’s intentions behind replacing third-party cookies with Topics and FLEDGE may be good, DuckDuckGo points out in a new blog post that tracking, targeting and profiling will still occur once Privacy Sandbox is rolled out in Chrome.
</p>

<p>
	The company also notes that targeting in this way enables manipulation by exploiting personal vulnerabilities; discrimination, since users may not see certain job posts based on their personal profiles; and filter bubbles or echo chambers that can further divide people online. Additionally, Topics will be made available to third-party trackers and not just to the websites themselves.
</p>

<p>
	At the same time, Topics can be combined with an IP address or other fingerprinting attributes so that it is easier for users to be tracked individually by third-party trackers. Although Google has promised to address this issue at some point through a so-called “privacy budget”, experts have already called the company’s approach into question.
</p>

<p>
	<span style="font-size:20px;"><strong>How to opt out of Topics and FLEDGE</strong></span>
</p>

<p>
	The easiest and simplest way for privacy-conscious users to opt out of both Topics and FLEDGE is to simply stop using Chrome by switching to another modern browser instead. While DuckDuckGo recommends using its mobile browser on iOS and Android or its recently launched Desktop browser for Mac, Brave, Vivaldi and Microsoft Edge are good Chrome alternatives as well.
</p>

<p>
	However, what if you can’t switch to another browser? In that case, DuckDuckGo suggests using its updated Privacy Essentials Chrome extension (version 2022.4.18) which can now block Topics and FLEDGE interactions on websites.
</p>


<p>
	Alternatively, you can also change your Chrome and Google settings to opt out of Topics and FLEDGE, at least for now. To do so, click on Chrome’s three-dot menu and head to Settings. From there, in the “Privacy and security” tab, navigate to “Privacy Sandbox” and disable the Privacy Sandbox trial. You will then need to sign out of Chrome, turn off Chrome sign-in and choose not to sync your history data with Chrome. Meanwhile, in Google Activity Controls you need to disable “Web &amp; App Activity”, as well as “Ad Personalization” in Google Ad Settings.
</p>

<p>
	Topics and FLEDGE are coming to Chrome whether you like it or not but at least DuckDuckGo has provided users of Google’s browser with a Chrome extension to block the company’s new tracking and ad targeting methods.
</p>


<p>
	<span style="font-size:20px;"><strong><a href="https://www.techradar.com/news/duckduckgo-slams-googles-new-tracking-systems" rel="external nofollow">Source</a></strong></span>
</p>
]]></description><guid isPermaLink="false">5792</guid><pubDate>Wed, 11 May 2022 18:28:01 +0000</pubDate></item><item><title>How to avoid 'rug pulls,' the latest cryptocurrency scam</title><link>https://nsaneforums.com/news/security-privacy-news/how-to-avoid-rug-pulls-the-latest-cryptocurrency-scam-r5789/</link><description><![CDATA[<p>
	A new type of scam has emerged in the hype-filled world of cryptocurrency: the "rug pull."
</p>

<p>
	The scam, which gets its name from the expression "pulling the rug out," involves a developer attracting investors to a new cryptocurrency project, then pulling out before the project is built, leaving investors with a worthless currency. It's part of a long history of investment schemes.
</p>

<p>
	"This isn't a crypto-only phenomenon. This is a people phenomenon. Crypto is just the latest way to do it," says Adam Blumberg, a Houston-based certified financial planner who specializes in digital assets. But cryptocurrencies have particular risks due to loose regulations for fundraising and their emphasis on decentralization.
</p>

<p>
	Cryptocurrency projects often use "smart contracts," agreements that are governed by computer software, not the legal system. This setup can be a benefit when it reduces transaction costs, but it also leaves little recourse if things don't work out.
</p>

<p>
	Rug pulls have been particularly common in decentralized finance, or DeFi, projects that aim to disrupt services such as banking and insurance. NFTs, or non-fungible tokens, that provide digital ownership of art and other content, have also been involved in rug pulls.
</p>

<p>
	Investors can protect themselves by choosing established cryptocurrency projects, making sure the code of any new project has been reviewed and verifying the developers' identities.
</p>

<p>
	PICK ESTABLISHED PRODUCTS
</p>

<p>
	Rug pulls are most common with new projects that haven't gotten the same scrutiny as more established cryptocurrencies.
</p>

<p>
	Bitcoin has its risks, but countless people worldwide have used it and reviewed its inner workings, which are readily available online.
</p>

<p>
	Newer projects don't have such a track record, which means there may be vulnerabilities that make it possible for their organizers to siphon value away from investors and keep it for themselves.
</p>

<p>
	If you're struggling to break through the hype, one way to find established projects is to look at centralized exchanges such as Binance, Coinbase and FTX. While the presence of a cryptocurrency on a large exchange is by no means a guarantee of its quality or investment potential, these businesses often will review assets before listing them for sale.
</p>

<p>
	The trade-off of investing primarily in more established assets: While cryptocurrency, in general, has seen periods of rapid price appreciation, the highest rewards may come from new projects where the risk is also higher. These are often listed on "decentralized exchanges," which don't rely on any centralized authority that would prevent unproven projects from joining.
</p>

<p>
	Rex Hygate, founder of DeFiSafety, a company that reviews projects in the field, says scammers can prey on the fear of missing out that's generated by rare but true stories of mind-blowing returns.
</p>

<p>
	"It is seductive. People have made a lot of money. That is a fact," Hygate says. "The hope is real, albeit small, (and) therefore criminal organizations in an organized and regular manner are making these rug pulls."
</p>

<p>
	KNOW THE CODE
</p>

<p>
	The fate of any investment in cryptocurrency or blockchain projects rests on the integrity of the project's computer code. You may not be a computer programmer, but you should at least understand how a product works before investing in it.
</p>

<p>
	One way to evaluate a potential investment without going under the hood yourself is to see if it's been audited by a professional organization that is respected in the industry. Projects that have gotten good marks from auditors will often promote the results themselves.
</p>

<p>
	RESEARCH THE PEOPLE
</p>

<p>
	Some of the biggest red flags in the cryptocurrency world come down to human factors.
</p>

<p>
	While it's not unheard of for people to use pseudonyms in cryptocurrency, reputable developers often have websites and references that can establish their credentials.
</p>

<p>
	But even if you do your homework, there's no guarantee of success. For example, the founder of Rugdoc.io, a service that reviews new projects, says she wound up getting scammed herself on an NFT that was supposed to be a ticket for an event.
</p>

<p>
	Diversification is as important in cryptocurrency as anywhere else in finance. Projects can fail due to technical glitches or business blunders, even without malicious intent.
</p>

<p>
	"Assume whatever you're investing in is going to have a problem," says Leah, the Rugdoc.io founder, who asked that her full name not be used to protect her identity from scammers seeking retribution. "If you plan for failure, if it doesn't fail you're going to have a very good day. And if it fails, you're probably not going to be ruined."
</p>

<p>
	<strong><a href="https://techxplore.com/news/2022-05-rug-latest-cryptocurrency-scam.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">5789</guid><pubDate>Wed, 11 May 2022 14:36:34 +0000</pubDate></item><item><title>Stealthy Linux implant BPFdoor compromised organizations globally for years</title><link>https://nsaneforums.com/news/security-privacy-news/stealthy-linux-implant-bpfdoor-compromised-organizations-globally-for-years-r5785/</link><description><![CDATA[<p>
	<span style="font-size:18px;">The China-linked backdoor takes advantage of the Berkeley Packet Filter on Unix systems to hide its presence.</span>
</p>


<p>
	Malware researchers warn about a stealthy backdoor program that has been used by a Chinese threat actor to compromise Linux servers at government and private organizations around the world. While the backdoor is not new and variants have been in use for the past five years, it has managed to fly under the radar and have very low detection rates. One reason for its success is that it leverages a feature called the Berkeley Packet Filter (BPF) on Unix-based systems to hide malicious traffic.
</p>

<p>
	BPFdoor was named by researchers from PwC Threat Intelligence, who attribute it to a Chinese group they call Red Menshen. The PwC team found the threat while investigating several intrusions throughout Asia last year and included a short section about it in their annual threat report, released late last month.
</p>

<p>
	This short mention didn't get a lot of attention until independent security researcher Kevin Beaumont shared a link to a malware sample with a low detection rate on VirusTotal a few days ago. The PwC team then confirmed that what Beaumont had found was a controller for the passive BPFdoor backdoor, which led to a more detailed write-up by Beaumont, who had also been independently tracking the malware since last year.
</p>

<p>
	"I swept the internet for BPFDoor throughout 2021 and discovered it is installed at organizations across the globe -- in particular the U.S., South Korea, Hong Kong, Turkey, India, Viet Nam and Myanmar, and is highly evasive," Beaumont said in a blog post. "These organizations include government systems, postal and logistic systems, education systems and more."
</p>

<p>
	<span style="font-size:22px;"><strong>How BPFdoor abuses BPF</strong></span>
</p>

<p>
	While the PwC researchers plan to share more details about the backdoor at a conference in June, other researchers, including Beaumont, have already located more samples on VirusTotal potentially uploaded by victims or other parties over the years. In addition to the samples, the source code of an older variant of the backdoor was posted online and was analyzed by Linux intrusion detection and incident response firm Sandfly Security.
</p>

<p>
	"The BPFDoor source is small, focused and well written," the Sandfly researchers said. "While the sample we reviewed was Linux specific, with some small changes it could easily be ported to other platforms (a Solaris binary reportedly exists). BPF is widely available across operating systems and the core shell functions would likely work across platforms with little modification."
</p>

<p>
	To be deployed on a system effectively, the malware needs to be executed with root privileges. This suggests that the attackers are compromising the infected servers using other techniques, potentially by exploiting vulnerabilities.
</p>

<p>
	Once executed, the backdoor first performs several detection-evasion and anti-forensics steps. This involves copying itself to the Linux ramdisk, altering timestamps, setting itself up to masquerade as a legitimate process running on the system, and deleting certain environment data for process execution that could be useful to forensics tools. According to the Sandfly researchers, the backdoor has no built-in persistence mechanism or routine, so attackers likely achieve persistence manually by deploying persistence scripts.
</p>

<p>
	Once running on a system, the backdoor loads a BPF filter that lets it monitor network packets arriving on the system over various protocols such as ICMP (ping), TCP and UDP. The filter discards every packet except those that carry a magic value in their header accompanied by a password; attackers use these packets to open remote shells on the infected systems.
</p>

<p>
	"The relevance of the BPF filter and packet capture is that it is sniffing traffic at a lower level than the local firewall," the researchers explained. "This means that even if you run a firewall the implant will see, and act upon, any magic packet sent to the system. The firewall running on the local host will not block the implant from having this visibility. This is an important point to understand."
</p>

<p>
	In practice, this means that if the system firewall is configured to allow only connections to a web application running on the server on port 443 (HTTPS), external attackers can still send a so-called magic packet over that port and activate the backdoor without the firewall being able to block it. In other words, it piggybacks on legitimate network traffic that is already allowed on the system.
</p>

<p>
	Furthermore, when the encrypted magic packet is received, the backdoor opens a root shell on a high local port and uses the iptables Linux firewall to add a rule that redirects all traffic originating from the attacker's IP address to the shell port. So once the backdoor is activated, if the attackers connect to the system again over port 443, they are greeted with a root shell instead of the web application. Requests from all other IP addresses and legitimate users continue to be handled normally and are sent to the web application.
</p>

<p>
	Instead of waiting for attackers to connect to the shell, the backdoor can also set up a reverse shell that actively connects back to the attackers, but this is more easily detected if the system is configured to block outgoing connections.
</p>

<p>
	"The use of BPF and packet capture provides a way to bypass local firewalls to allow remote attackers to control the implant," the researchers said. "Finally, the redirect feature is unique and very dangerous as it can make malicious traffic blend in seamlessly with legitimate traffic on an infected host with exposed ports to the internet."
</p>

<p>
	<span style="font-size:22px;"><strong>How to detect BPFdoor</strong></span>
</p>

<p>
	According to PwC's report, the Red Menshen group uses a variety of post-exploitation tools for lateral movement inside corporate networks after gaining a foothold with BPFdoor. This includes custom variants of the Mangzamel and Gh0st Windows Trojan programs, as well as open-source tools such as Mimikatz and Metasploit. The attackers use virtual private servers hosted at well-known providers to control the BPFDoor implants and also rely on compromised routers in Taiwan to connect to and manage those servers.
</p>

<p>
	Beaumont and researcher Florian Roth have both shared YARA rules that can be used to scan for different BPFDoor samples inside environments. The Sandfly Security researchers have also shared indicators of compromise and hunting tactics in their analysis, warning that simply searching for file hashes is not reliable, since malicious binaries can easily be recompiled and changed on Linux.
</p>

<p>
	It's also worth noting that the abuse of BPF, while rare, is not new. In February, a Chinese cybersecurity firm called Pangu Lab released a report on a backdoor implant they attributed to the U.S. National Security Agency (NSA) and dubbed Bvp47. That implant also relied on BPF to establish a covert communication channel. Beaumont warned at the time that the cybersecurity industry seemed to ignore the significance and potential dangers of BPF and eBPF (extended BPF) being used to evade detection.
</p>


<p>
	<strong><span style="font-size:18px;"><a href="https://www.csoonline.com/article/3659802/stealthy-linux-implant-bpfdoor-compromised-organizations-globally-for-years.html" rel="external nofollow">Source</a></span></strong>
</p>
]]></description><guid isPermaLink="false">5785</guid><pubDate>Wed, 11 May 2022 14:18:55 +0000</pubDate></item><item><title>Global cost of cybercrime topped $6 trillion in 2021: defence firm</title><link>https://nsaneforums.com/news/security-privacy-news/global-cost-of-cybercrime-topped-6-trillion-in-2021-defence-firm-r5766/</link><description><![CDATA[<p>
	The global cost of cybercrime topped $6 trillion last year, as the coronavirus pandemic caused online activity to soar, the head of Italian defence, security and aerospace giant Leonardo said Tuesday.
</p>

<p>
	"New cybersecurity threats over the last two years have been a 'collateral damage' of the COVID-19 pandemic and the acceleration of digitalisation it induced," Alessandro Profumo said at the opening of the Cybertech Europe 2022 conference in Rome.
</p>

<p>
	"Cyberattacks have grown in number, sophistication and impact—in 2021 the global cost of cybercrime exceeded $6 trillion."
</p>

<p>
	The figures came from Clusit, the Italian association for information security, and compare to an estimate of losses of $1 trillion in 2020.
</p>

<p>
	One fifth of the total attacks was directed at Europe, Profumo said, but the continent lacked at least 200,000 cybersecurity professionals.
</p>

<p>
	Speaking to foreign journalists in Rome last month, he said cybersecurity issues had increased following Russia's invasion of Ukraine.
</p>

<p>
	"We are noticing additional pressure," said the boss of Leonardo, which has a specialised branch dedicated to cybersecurity.
</p>


<p>
	<strong><a href="https://techxplore.com/news/2022-05-global-cybercrime-topped-trillion-defence.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">5766</guid><pubDate>Tue, 10 May 2022 18:15:00 +0000</pubDate></item><item><title>Kaspersky uncovers fileless malware inside Windows event logs</title><link>https://nsaneforums.com/news/security-privacy-news/kaspersky-uncovers-fileless-malware-inside-windows-event-logs-r5757/</link><description><![CDATA[<p>
	<span style="font-size:20px;">The cybersecurity company says this is the first time they have seen this type of malware hiding method. </span>
</p>


<p>
	An unprecedented discovery made by Kaspersky could have serious consequences for those using Windows operating systems. The cybersecurity company published an article on May 4 detailing that — for the first time ever — hackers have placed shellcode into Windows event logs, hiding Trojans as fileless malware.
</p>

<p>
	The malware campaign used a wide array of techniques, such as commercial penetration testing suites and anti-detection wrappers, which included those compiled with the programming language Go as well as several last stage Trojans.
</p>

<p>
	The hacking groups employed two types of Trojans for the last stage to gain further access to the system. The two were delivered through different methods: one communicates over HTTP, the other through named pipes.
</p>

<p>
	<span style="font-size:20px;"><strong>How hackers dispatched the Trojan into event logs</strong></span>
</p>

<p>
	The earliest instance of this hiding technique occurred in September 2021, according to Kaspersky. The attackers got a target to download a .rar file through an authentic website, which then unpacked .dll Trojan files onto the intended victim’s hard drive.
</p>


<p>
	“We witnessed a new targeted malware technique that grabbed our attention,” said Denis Legezo, lead security researcher at Kaspersky. “For the attack, the actor kept and then executed an encrypted shellcode from Windows event logs. That’s an approach we’ve never seen before and highlights the importance of staying aware of threats that could otherwise catch you off guard. We believe it’s worth adding the event logs technique to MITRE Matrix’s Defense Evasion and Hide Artifacts section. The usage of several commercial pentesting suites is also not the kind of thing you see every day.”
</p>

<p>
	The HTTP network method saw the malicious file target the Windows system files, hiding a piece of malware by creating a duplicate of an existing file with “1.1” added to the string, which Kaspersky assumes to be the malicious version of a file.
</p>

<p>
	“Before HTTP communications, the module sends empty (but still encrypted) data in an ICMP packet to check connection, using a hardcoded 32-byte long RC4 key,” Legezo said. “Like any other strings, this key is encrypted with the Throwback XOR-based algorithm. If the ping of a control server with port 80 available is successful, the aforementioned fingerprint data is sent to it. In reply, the C2 shares the encrypted command for the Trojan’s main loop.”
</p>

<p>
	The other method is known as the named pipes-based Trojan, which locates the Microsoft Help Data Services Module library within the Windows OS files and then overwrites an existing file with a malware version that can execute a string of commands. Once the malicious version is run, the victim’s device is scraped for architecture and Windows version information.
</p>

<p>
	<span style="font-size:20px;"><strong>How to avoid this type of attack</strong></span>
</p>

<p>
	Kaspersky offers the following tips to Windows users hoping to avoid this type of malware:
</p>


<ul>
	<li>
		 Use a reliable endpoint security solution.
	</li>
	<li>
		 Install anti-APT and EDR solutions.
	</li>
	<li>
		 Provide your security team with the latest threat intelligence and training.
	</li>
	<li>
		 Integrate endpoint protection and employ dedicated services that can help protect against high-profile attacks.
	</li>
</ul>

<p>
	While the methods used by hackers continue to become harder to detect, it’s as important as ever to ensure devices are secure. The responsibility for protecting devices falls just as much onto the shoulders of the IT team as it does the user of a Windows device. By employing endpoint security and zero-trust architecture, the next big malware attack can be stopped in its tracks, preventing the loss of sensitive data and personal information.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:20px;"><strong><a href="https://www.techrepublic.com/article/kaspersky-fileless-malware-windows-event-logs/" rel="external nofollow">Source</a></strong></span>
</p>
]]></description><guid isPermaLink="false">5757</guid><pubDate>Tue, 10 May 2022 17:12:51 +0000</pubDate></item><item><title>Another Set of Joker Trojan-Laced Android Apps Resurfaces on Google Play Store</title><link>https://nsaneforums.com/news/security-privacy-news/another-set-of-joker-trojan-laced-android-apps-resurfaces-on-google-play-store-r5742/</link><description><![CDATA[<p>
	A new set of trojanized apps spread via the Google Play Store has been observed distributing the notorious Joker malware on compromised Android devices.
</p>

<p>
	<br />
	Joker, a repeat offender, refers to a class of harmful apps that are used for billing and SMS fraud, while also performing a number of actions of a malicious hacker's choice, such as stealing text messages, contact lists, and device information.
</p>

<p>
	<br />
	Despite continued attempts on the part of Google to scale up its defenses, the apps have been continually iterated to search for gaps and slip into the app store undetected.
</p>

<p>
	<br />
	"They're usually spread on Google Play, where scammers download legitimate apps from the store, add malicious code to them and re-upload them to the store under a different name," Kaspersky researcher Igor Golovin said in a report published last week.
</p>

<p>
	<br />
	The trojanized apps, taking the place of their removed counterparts, often appear as messaging, health tracking, and PDF scanner apps that, once installed, request permissions to access text messages and notifications, abusing them to subscribe users to premium services.
</p>

<p>
	<br />
	A sneaky trick used by Joker to bypass the Google Play vetting process is to render its malicious payload "dormant" and only activate its functions after the apps have gone live on the Play Store.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="android-malware.jpg" class="ipsImage" data-ratio="75.10" height="540" width="617" src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhmFMGv0QcXGjYWD_KDjOv9yBNyMilAmD6R9HK8mvi7KOoBJt7xEJal8RR1lLsNW0Ggysgo3XvxHjc0vNsKtcz-xKxaYpgbOgckUUWvpu8dsgglnEcT8TNZW3VCgGRjckZwDKd3LU1JPIPWqh1dmcIOS1Hw7yUw0K1_Gv5E-LN9O8v-maRowUoRsmAV/s728-e100/android-malware.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Three of the Joker-infected apps detected by Kaspersky through the end of February 2022 are listed below. Although they have been purged from Google Play, they continue to be available from third-party app providers.
</p>

<p>
	 
</p>

<ul>
	<li>
		 Style Message (com.stylelacat.messagearound)
	</li>
	<li>
		 Blood Pressure App (blood.maodig.raise.bloodrate.monitorapp.plus.tracker.tool.health)
	</li>
	<li>
		 Camera PDF Scanner (com.jiao.hdcam.docscanner)
	</li>
</ul>

<p>
	<br />
	This is not the first time subscription trojans have been uncovered on app marketplaces. Last year, apps for the APKPure app store and a widely used WhatsApp mod were found compromised with malware called Triada.
</p>

<p>
	<br />
	Then in September 2021, Zimperium took the wraps off an aggressive money-making scheme called GriftHorse, following it up with yet another case of premium service abuse called Dark Herring earlier this January.
</p>

<p>
	<br />
	"Subscription trojans can bypass bot detection on websites for paid services, and sometimes they subscribe users to scammers' own non-existent services," Golovin said.
</p>

<p>
	<br />
	"To avoid unwanted subscriptions, avoid installing apps from unofficial sources, which is the most frequent source of malware."
</p>

<p>
	<br />
	Even when downloading apps from official app stores, users are advised to read the reviews, check the legitimacy of the developers, the terms of use, and only grant permissions that are essential to perform the intended functions.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2022/05/another-set-of-joker-trojan-laced.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">5742</guid><pubDate>Mon, 09 May 2022 18:06:24 +0000</pubDate></item><item><title>Microsoft announces a new Security Experts service</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-announces-a-new-security-experts-service-r5730/</link><description><![CDATA[<p>
	Microsoft today announced a new service called Microsoft Security Experts intended to help organizations secure their networks by combining the latest technology and human-led services.
</p>

<p>
	<br />
	According to Microsoft, its security division in 2021 alone blocked over 9.6 billion malware threats and over 35.7 million phishing/malicious emails. It also tracks more than 35 ransomware families and 250 unique threat actors. Microsoft's technologies help the company block more than 900 brute-force password theft attempts every second. Microsoft has vast knowledge and extensive expertise in cybersecurity, and it wants to expand its existing security services under a new category called "Microsoft Security Experts".
</p>

<p>
	<br />
	Microsoft Security Experts combines modern security technology with "human-led" services to help organizations secure their networks and minimize the risks and damages from cyberattacks. It augments existing security teams with help from Microsoft and its partners to meet each organization's unique needs and circumstances.
</p>

<p>
	<br />
	Microsoft Security Experts consists of three new managed services to bolster existing security teams within organizations:
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>Microsoft Defender Experts for Hunting</strong> will help companies with existing security teams proactively "hunt" for potential threats. Microsoft experts and partners will use Microsoft Defender data, endpoints, Office 365, cloud applications, and identity to detect potential threats. Organizations will have the option to contact a security expert with a single click and get specific recommendations about improving security. Microsoft Defender Experts for Hunting will be available this summer, and companies can sign up to participate in the preview.
	</li>
	<li>
		 <strong>Microsoft Defender Experts for XDR (extended detection and response)</strong> is a service for those who want to expand and strengthen their security operations centers. Defender Experts for XDR provides human expertise to respond to incidents alongside existing security teams.
	</li>
	<li>
		 <strong>Microsoft Security Services for Enterprise</strong> is an expert-led service to protect all cloud environments and platforms. Customers will have dedicated Microsoft security experts for managing onboarding, daily interactions, practice modernization, and incident responses.
	</li>
</ul>

<p>
	<br />
	Microsoft says its ultimate goal is to provide customers with world-class security products and access to critical human expertise from the best cybersecurity experts. The company wants to use industry-leading technology, Microsoft's best defenders and partner community, and the most comprehensive threat intelligence to build a safer world for everyone. Microsoft Security Experts is a big step in that direction.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.neowin.net/news/microsoft-announces-a-new-security-experts-service/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">5730</guid><pubDate>Mon, 09 May 2022 13:44:34 +0000</pubDate></item><item><title>Microsoft issues warning about human-operated ransomware</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-issues-warning-about-human-operated-ransomware-r5729/</link><description><![CDATA[<p>
	Ransomware threats have been growing in the past couple of years, and while most target a broad attack surface with opportunistic patterns, Microsoft has now issued a warning about human-operated ransomware (we'll refer to this as "HOR" for brevity moving forward), which is becoming dominant in the ransomware-as-a-service (RaaS) gig economy.
</p>

<p>
	<br />
	HOR differs from traditional ransomware because it targets specific weaknesses in your system, discovered manually by humans. An example is exploiting a service that has elevated privileges in your environment. Microsoft states that HOR involves human input at every stage of the attack, and that system flaws or human errors could be used to elevate privileges, gain access to more sensitive data, and ultimately result in a bigger payout. What makes HOR even more dangerous is that attackers typically do not leave the network even after payment. They keep trying to monetize their access by deploying new malware until they are completely purged.
</p>

<p>
	<br />
	Microsoft has highlighted that RaaS has recently started gravitating towards a double extortion model, where your data is not only encrypted but attackers also threaten to make it public unless you pay them. The firm has also noted that HOR campaigns typically take advantage of legacy configurations and misconfigurations, as well as poor credential hygiene, to elevate their privileges. As such, security experts in organizations need to transition to a Zero Trust model where they are not only on the lookout for single alerts but have a holistic view of their entire security posture and incidents.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="1486919517_hakcer_story.jpg" class="ipsImage" data-ratio="69.17" height="471" width="720" src="https://cdn.neow.in/news/images/uploaded/2017/02/1486919517_hakcer_story.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Microsoft has also warned organizations about the RaaS affiliate model, described below:
</p>

<p style="margin-left:40px;">
	<br />
	<em> In the past, we’ve observed a tight relationship between the initial entry vector, tools, and ransomware payload choices in each campaign of one strain of ransomware. The RaaS affiliate model, which has allowed more criminals, regardless of technical expertise, to deploy ransomware built/managed by someone else, is weakening this link. As ransomware deployment becomes a gig economy, it has become more difficult to link the tradecraft used in a specific attack to the ransomware payload developers.</em>
</p>

<p style="margin-left:40px;">
	<br />
	<em> [...] RaaS is an arrangement between an operator and an affiliate. The RaaS operator develops and maintains the tools to power the ransomware operations, including the builders that produce the ransomware payloads and payment portals for communicating with victims.</em>
</p>

<p style="margin-left:40px;">
	<br />
	<em> [...] RaaS thus gives a unified appearance of the payload or campaign being a single ransomware family or set of attackers. However, what happens is that the RaaS operator sells access to the ransom payload and decryptor to an affiliate, who performs the intrusion and privilege escalation and who is responsible for the deployment of the actual ransomware payload. The parties then split the profit. In addition, RaaS developers and operators might also use the payload for profit, sell it, and run their campaigns with other ransomware payloads—further muddying the waters when it comes to tracking the criminals behind these actions.</em>
</p>

<p>
	<br />
	In order to combat these growing and sophisticated threats, Microsoft has recommended that organizations migrate to a Zero Trust model, build credential hygiene, audit credential exposure, perform cloud hardening, prioritize deployment of Active Directory updates, reduce the attack surface, mitigate security blind spots, and harden perimeters - especially internet-facing resources. Lastly, it has also encouraged customers to use Microsoft 365 Defender's unified investigation capabilities and cross-domain visibility to detect and proactively respond to threats. Microsoft plans to talk about this area in more detail at the Microsoft Security Summit digital event on May 12; you can register for it here.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.neowin.net/news/microsoft-issues-warning-about-human-operated-ransomware/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">5729</guid><pubDate>Mon, 09 May 2022 13:41:40 +0000</pubDate></item><item><title>Exclusive-Ukraine war spurs U.S. to ramp up security probe of software maker Kaspersky</title><link>https://nsaneforums.com/news/security-privacy-news/exclusive-ukraine-war-spurs-us-to-ramp-up-security-probe-of-software-maker-kaspersky-r5728/</link><description><![CDATA[<p>
	WASHINGTON (Reuters) - The Biden administration ramped up a national security probe into Russia's AO Kaspersky Lab antivirus software earlier this year amid heightened fears of Russian cyberattacks after Moscow invaded Ukraine, three people familiar with the matter told Reuters.
</p>

<p>
	<br />
	The case was referred to the Commerce Department by the Department of Justice last year, a fourth person said, but Commerce made little progress on it until the White House and other administration officials urged them to move forward in March, the three people added.
</p>

<p>
	<br />
	At issue is the risk that the Kremlin could use the antivirus software, which has privileged access to a computer's systems, to steal sensitive information from American computers or tamper with them as tensions escalate between Moscow and the West.
</p>

<p>
	<br />
	Access to the networks of federal contractors and operators of critical U.S. infrastructure such as power grids is seen as particularly concerning, the three people said.
</p>

<p>
	<br />
	U.S. regulators have already banned federal government use of Kaspersky software, and could ultimately force the company to take measures to reduce risks posed by its products or prohibit Americans from using them altogether.
</p>

<p>
	<br />
	The probe, which has not previously been reported, shows the administration is digging deep into its tool kit to hit Moscow with even its most obscure authorities in a bid to protect U.S. citizens and corporations from Russian cyber attacks.
</p>

<p>
	<br />
	The authorities are "really the only tool that we have to deal with the threat (posed by Kaspersky) on an economy-wide commercial basis, given our generally open market," said Emily Kilcrease, a former deputy assistant U.S. Trade Representative.
</p>

<p>
	<br />
	Other regulatory powers stop short of allowing the government to block private sector use of software made by the Moscow-headquartered company, long seen by U.S. officials as a serious threat to U.S. national security.
</p>

<p>
	<br />
	The departments of Commerce and Justice, and Kaspersky declined to comment. The company has for years denied wrongdoing or any secret partnership with Russian intelligence.
</p>

<p>
	<br />
	AUTHORITIES TARGET 'FOREIGN ADVERSARIES'
</p>

<p>
	<br />
	The ramped-up probe is being executed using broad new powers created by the Trump administration that allow the Commerce Department to ban or restrict transactions between U.S. firms and internet, telecom and tech companies from "foreign adversary" nations including Russia and China.
</p>

<p>
	<br />
	For Kaspersky, Commerce could use the authorities to ban its use or the purchase of its software by U.S. citizens, or to prohibit the download of updates, via a regulation in the Federal Register.
</p>

<p>
	<br />
	The tools are largely untested. Former President Donald Trump used them to try to bar Americans from using Chinese social media platforms TikTok and WeChat, but federal courts halted the moves.
</p>

<p>
	<br />
	A top Justice Department official said last year that the agency was examining dozens of Russian companies, including "a known connection between a particular company and the Russian intelligence services," to see whether they threatened the U.S. supply chain. The department could refer some of the cases to Commerce for further action, then-Assistant Attorney General John Demers said at the time.
</p>

<p>
	<br />
	Reuters could not learn whether the companies under review included Kaspersky, which made an estimated $95.3 million in U.S. revenue in 2020 according to market research firm Gartner Inc, accounting for nearly 15% of its global revenue that year.
</p>

<p>
	<br />
	It was not clear whether that figure included Kaspersky products sold by third parties under different branding, a practice which generates confusion about software's origin, according to U.S. national security officials.
</p>

<p>
	<br />
	In 2017, the Department of Homeland Security banned Kaspersky's flagship antivirus product from federal networks, alleging ties to Russian intelligence and noting a Russian law that lets its intelligence agencies compel assistance from Kaspersky and intercept communications transiting Russian networks.<br />
	The perceived threat has taken on greater urgency since Russia's invasion of Ukraine on Feb. 24, which Moscow describes as a "special military operation."
</p>

<p>
	<br />
	In March, German authorities warned the Kremlin might coerce the Moscow-based company to participate in cyberattacks, or Russian government agents could clandestinely use its technology to launch cyberattacks without its knowledge.
</p>

<p>
	<br />
	Kaspersky said in a statement then that it was a privately-managed company with no ties to the Russian government, and described the German warning as politically motivated.
</p>

<p>
	<br />
	Reuters has reported that the U.S. government began privately warning some American companies the day after Russia invaded Ukraine that Moscow could manipulate software designed by Kaspersky to cause harm.
</p>

<p>
	<br />
	The White House asked the Treasury Department to prepare sanctions against the company, the Wall Street Journal reported last month, adding that some officials pushed back out of concern it could increase the risk of Russian cyberattacks.
</p>

<p>
	<br />
	(Reporting by Alexandra Alper; Additional reporting by Christopher Bing, Raphael Satter and Karen Freifeld; Editing by Chris Sanders and Daniel Wallis)
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.msn.com/en-gb/news/world/exclusive-ukraine-war-spurs-us-to-ramp-up-security-probe-of-software-maker-kaspersky/ar-AAX4oFZ" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">5728</guid><pubDate>Mon, 09 May 2022 13:34:27 +0000</pubDate></item><item><title>Caramel credit card stealing service is growing in popularity</title><link>https://nsaneforums.com/news/security-privacy-news/caramel-credit-card-stealing-service-is-growing-in-popularity-r5717/</link><description><![CDATA[<p>
	A credit card stealing service is growing in popularity, offering even low-skilled threat actors an easy and automated way to get started in the world of financial fraud.
</p>

<p>
	 
</p>

<p>
	Credit card skimmers are malicious scripts that are injected into hacked e-commerce websites and quietly wait for customers to make a purchase on the site.
</p>

<p>
	 
</p>

<p>
	Once a purchase is made, these malicious scripts steal the credit card details and send them back to remote servers to be collected by threat actors.
</p>

<p>
	 
</p>

<p>
	Threat actors then use these cards to make their own online purchases or sell the credit card details on dark web marketplaces to other threat actors for as little as a few dollars.
</p>

<h2>
	The Caramel skimmer-as-a-service 
</h2>

<p>
	The new service was discovered by <a href="https://www.domaintools.com/resources/blog/a-sticky-situation-part-1-the-pervasive-nature-of-credit-card-skimmers#" rel="external nofollow" target="_blank">Domain Tools</a>, which states that the platform is operated by a Russian cybercrime organization named “CaramelCorp.” 
</p>

<p>
	 
</p>

<p>
	This service supplies subscribers with a skimmer script, deployment instructions, and a campaign management panel, which is everything a threat actor needs to launch their own credit card stealing campaign.
</p>

<p>
	 
</p>

<p>
	The Caramel service only sells to Russian-speaking threat actors, using an initial vetting process that excludes those who rely on machine translation or are inexperienced in this field.
</p>

<p>
	 
</p>

<p>
	A lifetime subscription costs $2,000, which is not cheap for budding threat actors, but promises Russian-speaking hackers full customer support, code upgrades, and evolving anti-detection measures.
</p>

<p>
	 
</p>

<p>
	<img alt="skimmer-deployed.jpg" class="ipsImage" data-ratio="75.10" height="369" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/skimmer-deployed.jpg" />
</p>

<div>
	<div>
		Caramel skimmer deployed on a Nigerian site (Domain Tools)
	</div>

	<p>
		 
	</p>
</div>

<p>
	The sellers make unverified claims that Caramel can bypass protection services from Cloudflare, Akamai, Incapsula, and others.
</p>

<p>
	 
</p>

<p>
	The buyers are provided with a “quick start” guide on JavaScript methods that work particularly well in specific CMS (content management systems).
</p>

<p>
	 
</p>

<p>
	As the credit card skimming scripts are written in JavaScript, Caramel offers subscribers a variety of obfuscation techniques to prevent them from being easily detected.
</p>

<p>
	 
</p>

<p>
	<img alt="obfuscation-tool.jpg" class="ipsImage" data-ratio="75.10" height="540" width="506" src="https://www.bleepstatic.com/images/news/u/1220909/Software/obfuscation-tool.jpg" />
</p>

<div>
	<div>
		The Caramel JS obfuscator tool (Domain Tools)
	</div>

	<p>
		 
	</p>
</div>

<p>
	The credit card data collection is done through the “setInterval()” method, which exfiltrates data at fixed intervals. While this may not seem like an efficient method, it lets the skimmer capture card details even from abandoned carts and incomplete purchases.
</p>

<p>
	 
</p>

<p>
	Finally, the administration of the campaigns is done through a panel where the subscriber can oversee the compromised e-shops, manage the gateways for the reception of the stolen data, and more.
</p>

<p>
	 
</p>

<p>
	<img alt="caramel-panel-in.jpeg" class="ipsImage" data-ratio="75.10" height="371" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Software/caramel-panel-in.jpeg" />
</p>

<div>
	<div>
		Caramel's control panel (KELA)
	</div>
</div>

<h2>
	Operating since 2020
</h2>

<p>
	Skimming campaigns aren’t new, and neither is Caramel. Bleeping Computer was able to find the first dark web posts offering the kit for purchase back in December 2020.
</p>

<p>
	 
</p>

<p>
	<img alt="caramel-darkweb.png" class="ipsImage" data-ratio="75.10" height="470" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Forum%20and%20Marketplace%20Posts/caramel-darkweb.png" />
</p>

<div>
	<div>
		2020 post promoting Caramel (KELA)
	</div>

	<p>
		 
	</p>
</div>

<p>
	However, continuous development and promotion have helped Caramel grow more popular in the underground community.
</p>

<p>
	 
</p>

<p>
	The existence of Caramel and other skimming services of this kind removes the technical barrier to setting up and operating large-scale card skimming campaigns, potentially making skimmer campaigns even more common.
</p>

<p>
	 
</p>

<p>
	Customers of e-commerce platforms can protect themselves from credit card skimmers by using one-time private cards, setting up charging limits and restrictions, or simply using online payment systems instead of cards.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/caramel-credit-card-stealing-service-is-growing-in-popularity/" rel="external nofollow">Caramel credit card stealing service is growing in popularity</a>
</p>
]]></description><guid isPermaLink="false">5717</guid><pubDate>Sun, 08 May 2022 20:21:16 +0000</pubDate></item><item><title>Your Phone May Soon Replace Many of Your Passwords</title><link>https://nsaneforums.com/news/security-privacy-news/your-phone-may-soon-replace-many-of-your-passwords-r5703/</link><description><![CDATA[<p>
	<strong>Apple</strong>, <strong>Google </strong>and <strong>Microsoft </strong>announced this week they will soon support an approach to authentication that avoids passwords altogether, and instead requires users to merely unlock their smartphones to sign in to websites or online services. Experts say the changes should help defeat many types of phishing attacks and ease the overall password burden on Internet users, but caution that a true passwordless future may still be years away for most websites.
</p>

<p>
	 
</p>

<div id="attachment_59741">
	<img alt="googlefidoeg-768x496.png" class="ipsImage" data-ratio="68.89" height="465" width="720" src="https://krebsonsecurity.com/wp-content/uploads/2022/05/googlefidoeg-768x496.png" />
	<p id="caption-attachment-59741">
		Image: Blog.google
	</p>

	<p>
		 
	</p>
</div>

<p>
	The tech giants are part of an industry-led effort to replace passwords, which are easily forgotten, frequently stolen by malware and phishing schemes, or leaked and sold online in the wake of corporate data breaches.
</p>

<p>
	 
</p>

<p>
	Apple, Google and Microsoft are some of the more active contributors to a passwordless sign-in standard crafted by the FIDO (“Fast Identity Online”) Alliance and the <a href="https://en.wikipedia.org/wiki/World_Wide_Web_Consortium" rel="external nofollow" target="_blank">World Wide Web Consortium</a> (W3C), groups that have been working with hundreds of tech companies over the past decade to develop a new login standard that works the same way across multiple browsers and operating systems.
</p>

<p>
	 
</p>

<p>
	According to the FIDO Alliance, users will be able to sign in to websites through the same action that they take multiple times each day to unlock their devices — including a device PIN, or a biometric such as a fingerprint or face scan.
</p>

<p>
	 
</p>

<p>
	“This new approach protects against phishing and sign-in will be radically more secure when compared to passwords and legacy multi-factor technologies such as one-time passcodes sent over SMS,” the alliance wrote on May 5.
</p>

<p>
	 
</p>

<p>
	<strong>Sampath Srinivas</strong>, director of security authentication at Google and president of the FIDO Alliance, said that under the new system your phone will store a FIDO credential called a “passkey” which is used to unlock your online account.
</p>

<p>
	 
</p>

<p>
	“The passkey makes signing in far more secure, as it’s based on public key cryptography and is only shown to your online account when you unlock your phone,” Srinivas wrote. “To sign into a website on your computer, you’ll just need your phone nearby and you’ll simply be prompted to unlock it for access. Once you’ve done this, you won’t need your phone again and you can sign in by just unlocking your computer.”
</p>

<p>
	 
</p>

<p>
	As ZDNet <a href="https://www.zdnet.com/article/google-apple-microsoft-make-a-new-commitment-for-a-passwordless-future/" rel="external nofollow" target="_blank">notes</a>, Apple, Google and Microsoft already support these passwordless standards (e.g. “Sign in with Google”), but users need to sign in at every website to use the passwordless functionality. Under this new system, users will be able to automatically access their passkey on many of their devices — without having to re-enroll every account — and use their mobile device to sign into an app or website on a nearby device.
</p>

<p>
	 
</p>

<p>
	<strong>Johannes Ullrich</strong>, dean of research for the <a href="https://www.sans.org" rel="external nofollow" target="_blank">SANS Technology Institute</a>, called the announcement “by far the most promising effort to solve the authentication challenge.”
</p>

<p>
	 
</p>

<p>
	“The most important part of this standard is that it will not require users to buy a new device, but instead they may use devices they already own and know how to use as authenticators,” Ullrich said.
</p>

<p>
	 
</p>

<p>
	<strong>Steve Bellovin</strong>, a computer science professor at Columbia University and an early internet <a href="https://www.cs.columbia.edu/~smb/" rel="external nofollow" target="_blank">researcher and pioneer</a>, called the passwordless effort a “huge advance” in authentication, but said it will take a very long time for many websites to catch up.
</p>

<p>
	 
</p>

<p>
	Bellovin and others say one potentially tricky scenario in this new passwordless authentication scheme is what happens when someone loses their mobile device, or their phone breaks and they can’t recall their iCloud password.
</p>

<p>
	 
</p>

<p>
	“I worry about people who can’t afford an extra device, or can’t easily replace a broken or stolen device,” Bellovin said. “I worry about forgotten password recovery for cloud accounts.”
</p>

<p>
	 
</p>

<p>
	Google <a href="https://blog.google/technology/safety-security/one-step-closer-to-a-passwordless-future/" rel="external nofollow" target="_blank">says</a> that even if you lose your phone, “your passkeys will securely sync to your new phone from cloud backup, allowing you to pick up right where your old device left off.”
</p>

<p>
	 
</p>

<p>
	Apple and Microsoft likewise have cloud backup solutions that customers using those platforms could use to recover from a lost mobile device. But Bellovin said much depends on how securely such cloud systems are administered.
</p>

<p>
	 
</p>

<p>
	“How easy is it to add another device’s public key to an account, without authorization?” Bellovin wondered. “I think their protocols make it impossible, but others disagree.”
</p>

<p>
	 
</p>

<p>
	<strong>Nicholas Weaver,</strong> a lecturer at the computer science department at <strong>University of California, Berkeley</strong>, said websites still have to have some recovery mechanism for the “you lost your phone and your password” scenario, which he described as “a really hard problem to do securely and already one of the biggest weaknesses in our current system.”
</p>

<p>
	 
</p>

<p>
	“If you forget the password and lose your phone and can recover it, now this is a huge target for attackers,” Weaver said in an email. “If you forget the password and lose your phone and CAN’T, well, now you’ve lost your authorization token that is used for logging in. It is going to have to be the latter. Apple has the infrastructure in place to support it (iCloud keychain), but it is unclear if Google does.”
</p>

<p>
	 
</p>

<p>
	Even so, he said, the overall FIDO approach has been a great tool for improving both security and usability.
</p>

<p>
	 
</p>

<p>
	“It is a really, really good step forward, and I’m delighted to see this,” Weaver said. “Taking advantage of the phone’s strong authentication of the phone owner (if you have a decent passcode) is quite nice. And at least for the iPhone you can make this robust even to phone compromise, as it is the secure enclave that would handle this and the secure enclave doesn’t trust the host operating system.”
</p>

<p>
	 
</p>

<p>
	The tech giants said the new passwordless capabilities will be enabled across Apple, Google and Microsoft platforms “over the course of the coming year.” But experts said it will likely take several more years for smaller web destinations to adopt the technology and ditch passwords altogether.
</p>

<p>
	 
</p>

<p>
	Recent research shows far too many people still reuse or recycle passwords (modifying the same password slightly), which presents an account takeover risk when those credentials eventually get exposed in a data breach. A <a href="https://spycloud.com/resource/2022-annual-identity-exposure-report/" rel="external nofollow" target="_blank">report</a> in March from cybersecurity firm <strong>SpyCloud </strong>found 64 percent of users reuse passwords for multiple accounts, and that 70 percent of credentials compromised in previous breaches are still in use.
</p>

<p>
	 
</p>

<p>
	A March 2022 white paper on the FIDO approach is available <a href="https://media.fidoalliance.org/wp-content/uploads/2022/03/How-FIDO-Addresses-a-Full-Range-of-Use-CasesFINAL.pdf" rel="external nofollow" target="_blank">here</a> (PDF). A FAQ on it is <a href="https://fidoalliance.org/faqs/#multi-device-fido-credentials" rel="external nofollow" target="_blank">here</a>.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://krebsonsecurity.com/2022/05/your-phone-may-soon-replace-many-of-your-passwords/" rel="external nofollow">Your Phone May Soon Replace Many of Your Passwords</a>
</p>
]]></description><guid isPermaLink="false">5703</guid><pubDate>Sat, 07 May 2022 21:37:28 +0000</pubDate></item><item><title>US offers $15 million reward for info on Conti ransomware gang</title><link>https://nsaneforums.com/news/security-privacy-news/us-offers-15-million-reward-for-info-on-conti-ransomware-gang-r5702/</link><description><![CDATA[<p>
	The US Department of State is offering up to $15 million for information that helps identify and locate leadership and co-conspirators of the infamous Conti ransomware gang.
</p>

<p>
	 
</p>

<p>
	Up to $10 million of this reward is offered for information on the identity and location of Conti's leaders, and an additional $5 million for information leading to the arrest and/or conviction of individuals who conspired or attempted to participate in Conti ransomware attacks.
</p>

<p>
	 
</p>

<p>
	According to a statement issued by State Department spokesman Ned Price, Conti had hit more than 1,000 victims who paid over $150 million in ransoms as of January 2022.
</p>

<p>
	 
</p>

<p>
	"The Conti ransomware group has been responsible for hundreds of ransomware incidents over the past two years," Price <a href="https://www.state.gov/reward-offers-for-information-to-bring-conti-ransomware-variant-co-conspirators-to-justice/" rel="external nofollow" target="_blank">said</a> Friday.
</p>

<p>
	 
</p>

<p>
	"The FBI estimates that as of January 2022, there had been over 1,000 victims of attacks associated with Conti ransomware with victim payouts exceeding $150,000,000, making the Conti Ransomware variant the costliest strain of ransomware ever documented."
</p>

<p>
	 
</p>

<p>
	In November, the US State Department also offered rewards of up to $15 million for information on the <a href="https://www.bleepingcomputer.com/news/security/us-offers-10-million-reward-for-leaders-of-revil-ransomware/" target="_blank" rel="external nofollow">REvil (Sodinokibi)</a> and <a href="https://www.bleepingcomputer.com/news/security/us-targets-darkside-ransomware-and-its-rebrands-with-10-million-reward/" target="_blank" rel="external nofollow">Darkside</a> ransomware operations.
</p>

<p>
	 
</p>

<p>
	The rewards are offered as part of the Department of State's <a href="https://www.state.gov/transnational-organized-crime-rewards-program-2/" rel="external nofollow" target="_blank">Transnational Organized Crime Rewards Program</a> (TOCRP). Since 1986, the Department has paid over $135 million in rewards under this program.
</p>

<p>
	 
</p>

<p>
	Anyone with such information can submit a tip to the FBI at <a href="https://tips.fbi.gov" rel="external nofollow" target="_blank">https://tips.fbi.gov</a> or by using the FBI's <a href="https://tips.fbi.gov/" rel="external nofollow" target="_blank">Electronic Tip Form</a>.
</p>

<p>
	 
</p>

<p>
	<img alt="conti_rewards_tweet.png" class="ipsImage" data-ratio="74.78" height="418" width="559" src="https://www.bleepstatic.com/images/news/u/1109292/2022/conti_rewards_tweet.png">
</p>

<h2>
	The Conti ransomware group
</h2>

<p>
	<a href="https://www.bleepingcomputer.com/tag/conti/" target="_blank" rel="external nofollow">Conti</a> is a Ransomware-as-a-Service (RaaS) operation linked to the Russian-speaking <a href="https://www.crowdstrike.com/blog/wizard-spider-adversary-update/" rel="external nofollow" target="_blank">Wizard Spider</a> cybercrime group (also known for other notorious malware, including Ryuk, TrickBot, and BazarLoader).
</p>

<p>
	 
</p>

<p>
	The cybercrime gang's victims include Ireland's <a href="https://www.bleepingcomputer.com/news/security/irish-healthcare-shuts-down-it-systems-after-conti-ransomware-attack/" target="_blank" rel="external nofollow">Health Service Executive</a> (HSE) and its <a href="https://www.bleepingcomputer.com/news/security/conti-ransomware-also-targeted-irelands-department-of-health/" target="_blank" rel="external nofollow">Department of Health (DoH)</a>, asking the former to pay a <a href="https://www.bleepingcomputer.com/news/security/irelands-health-services-hit-with-20-million-ransomware-demand/" target="_blank" rel="external nofollow">$20 million ransom</a>.
</p>

<p>
	 
</p>

<p>
	The FBI also warned in May 2021 that Conti operators tried to breach over <a href="https://www.bleepingcomputer.com/news/security/fbi-conti-ransomware-attacked-16-us-healthcare-first-responder-orgs/" target="_blank" rel="external nofollow">a dozen US healthcare and first responder organizations</a>.
</p>

<p>
	 
</p>

<p>
	In August 2021, <a href="https://www.bleepingcomputer.com/news/security/angry-conti-ransomware-affiliate-leaks-gangs-attack-playbook/" target="_blank" rel="external nofollow">a disgruntled affiliate leaked Conti's training materials</a>, including info on one of its operators, a manual on deploying various malicious tools, and numerous help documents allegedly provided to the group's affiliates.
</p>

<p>
	 
</p>

<p>
	According to analysts from multiple cybersecurity firms, Conti is now managing various side businesses meant to sustain its ransomware operations or pay for initial network access when needed.
</p>

<p>
	 
</p>

<p>
	One such side operation is the recently emerged Karakurt data extortion group, active since at least June 2021 and <a href="https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/" target="_blank" rel="external nofollow">recently linked</a> to Conti by researchers from Advanced Intelligence, Infinitum, Arctic Wolf, Northwave, and Chainalysis, as the cybercrime gang's data extortion arm. 
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/us-offers-15-million-reward-for-info-on-conti-ransomware-gang/" rel="external nofollow">US offers $15 million reward for info on Conti ransomware gang</a>
</p>
]]></description><guid isPermaLink="false">5702</guid><pubDate>Sat, 07 May 2022 21:32:15 +0000</pubDate></item><item><title>Apple Mail Now Blocks Email Tracking. Here&#x2019;s What It Means for You</title><link>https://nsaneforums.com/news/security-privacy-news/apple-mail-now-blocks-email-tracking-here%E2%80%99s-what-it-means-for-you-r5701/</link><description><![CDATA[<p>
	Nothing makes you more paranoid about privacy than working in a marketing department. Trust me on this. For example, did you know that marketers track every time you open an email newsletter—and where you were when you did it?
</p>

<p>
	 
</p>

<p>
	Apple caused a small panic among marketers in September 2021 by effectively making this tracking impossible in the default Mail app on iPhone, iPad, and Mac. I, personally, switched to Apple Mail as soon as the feature was announced. You might feel the same way, but marketers feel as though they've lost a useful tool.
</p>

<p>
	 
</p>

<p>
	"If I start a conversation with somebody and they're not responding to me, I'm going to stop talking to them at some point," says Simon Poulton, vice president of digital intelligence at marketing agency <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.wpromote.com/"}' data-offer-url="https://www.wpromote.com/" href="https://www.wpromote.com/" rel="external nofollow" target="_blank">Wpromote</a>. "But if someone is nodding along, I'm going to keep talking."
</p>

<p>
	 
</p>

<p>
	Tracking email opens, to Poulton, is a way for marketers to see who is, and isn't, listening—and adjust their strategy accordingly.
</p>

<p>
	 
</p>

<p>
	Privacy advocates feel differently. Bill Budington, senior staff technologist at the <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.eff.org/"}' data-offer-url="https://www.eff.org/" href="https://www.eff.org/" rel="external nofollow" target="_blank">Electronic Frontier Foundation</a>, says tracking is bad for privacy, and he's pleased that “Apple Mail now provides tools to take your privacy back.”
</p>

<p>
	 
</p>

<p>
	Let’s talk more about what, exactly, this feature does—and what it means for you.
</p>

<p>
	 
</p>

<p>
	If you're really freaking old—36, say—you might recall some ’90s email clients couldn't open certain emails with formatting. You'd instead be prompted to open the email in your web browser. There's a reason for this.
</p>

<p>
	 
</p>

<p>
	Email dates back to the ’70s, when computers couldn't display much in the way of graphics. Because of this, email protocols are more or less designed for simple text messages with attachments—which works until you want to add things like colors and images. By the ’90s, a workaround showed up: adding HTML code to an email message that points to images hosted on servers.
</p>

<p>
	 
</p>

<p>
	I bring this history up only because it's what makes modern email tracking possible. Most email newsletters you get include an invisible “image,” typically a single white pixel, with a unique file name. The server keeps track of every time this “image” is opened and by which IP address. This quirk of internet history means that marketers can track exactly when you open an email and your IP address, which can be used to roughly work out your location.
</p>

<p>
	 
</p>

<p>
	So, how does Apple Mail stop this? By caching. Apple Mail downloads all images for all emails before you open them. Practically speaking, that means every message delivered to Apple Mail looks to the tracker as if it has been opened, whether or not you actually read it. Apple also routes the download through two different proxies, so the request does not carry your own IP address and your precise location can't be tracked either.
</p>

<p>
	 
</p>

<p>
	So did this catch marketers off guard? Kind of.
</p>

<p>
	 
</p>

<p>
	“The Apple Mail thing specifically kind of came out of left field,” Poulton tells me, “but the whole idea of the de-identification of users is something we've been planning on for a while. This is a multipronged attack from Apple.”
</p>

<p>
	 
</p>

<p>
	Poulton points to a few other Apple features, including <a href="https://www.wired.com/story/how-to-icloud-new-security-features/" rel="external nofollow">iCloud's Hide My Email</a> and <a href="https://www.wired.com/story/apple-ios-14-safari-privacy-ad-tracking/" rel="external nofollow">Intelligent Tracking Prevention in Safari and iOS</a>, as other prongs in this attack. These features make it harder, for example, for marketing departments to use your shopping behavior on their website to show a targeted ad on Facebook.
</p>

<p>
	 
</p>

<p>
	“Apple's goal is to prevent any kind of digital identity stitching across environments,” says Poulton, which is exactly what privacy advocates have been pushing for—the ability for users and individuals to determine whether marketing firms can connect their activities on one platform to their identities on others. I should note, Poulton argues that consumers are worse off without this tracking, which he says makes for more relevant ads.
</p>

<p>
	 
</p>

<p>
	“The internet has always been on a track toward personalization,” he says. “If it can just predict my needs and desires before I get there, that's better. I don't want to have to go out and make decisions. Sometimes I don't even know what I'm searching for.”
</p>

<p>
	 
</p>

<p>
	Myself? I switched to Mac Mail entirely because of this feature, and not only because I value my privacy. Less relevant ads mean I'm less likely to buy crap I don't need, which means I have more money to save or donate to organizations that need it. It also makes the world feel just a little less dystopian, which I personally like. But that's possibly just a matter of preference.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/apple-mail-blocks-email-tracking-heres-what-it-means/" rel="external nofollow">Apple Mail Now Blocks Email Tracking. Here’s What It Means for You</a>
</p>

<p>
	 
</p>

<p>
	(May require free registration to view)
</p>
]]></description><guid isPermaLink="false">5701</guid><pubDate>Sat, 07 May 2022 21:30:41 +0000</pubDate></item><item><title>Microsoft: Please ditch passwords completely</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-please-ditch-passwords-completely-r5677/</link><description><![CDATA[<p>
	Almost every year, <a href="https://www.neowin.net/news/microsoft-its-time-to-kill-the-password/" rel="external nofollow">Microsoft publishes a blog post emphasizing the need to ditch passwords</a> completely and transition to modern forms of authentication such as password-less sign-in and multi-factor authentication (MFA). On World Password Day this year, the company has once again written a piece about this transition and encouraged customers to ditch passwords altogether.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.microsoft.com/security/blog/2022/05/05/this-world-password-day-consider-ditching-passwords-altogether/" rel="external nofollow">In a blog post</a>, Microsoft's Corporate Vice President, Security, Compliance, Identity, and Management Vasu Jakkal writes that passwords are the most common attack surface for malicious actors, with 921 attacks on them every second, a rate that has doubled since last year. Additionally, passwords are hard to remember and keep track of, especially if you're working in a heterogeneous environment.
</p>

<p>
	 
</p>

<p>
	Last year, the Redmond tech giant rolled out the <a href="https://www.neowin.net/news/you-no-longer-need-a-password-to-sign-in-to-microsoft-account/" rel="external nofollow">capability to remove passwords from your Microsoft Account</a> and yesterday, it also <a href="https://www.neowin.net/news/apple-google-and-microsoft-plan-to-expand-support-for-password-less-standard/" rel="external nofollow">partnered with Google and Apple through the FIDO Alliance and the World Wide Web Consortium</a> to develop and support a common password-less standard.
</p>

<p>
	 
</p>

<p>
	<img alt="1651821456_64-647021_light-colour-backgr" class="ipsImage" data-ratio="59.31" height="405" width="720" src="https://cdn.neow.in/news/images/uploaded/2022/05/1651821456_64-647021_light-colour-background-hd_(16)_story.jpg">
</p>

<p>
	 
</p>

<p>
	For now, Microsoft is encouraging customers to consider ditching passwords completely and instead using Windows Hello, security keys, and multi-factor and password-less authentication via the Microsoft Authenticator app.
</p>

<p>
	 
</p>

<p>
	However, if you do intend to keep using passwords in the near future, Microsoft has recommended the use of Password Generator in Microsoft Edge as well as the following criteria for any new password you configure:
</p>

<p>
	 
</p>

<ul>
	<li>
		At least 12 characters long
	</li>
	<li>
		A combination of uppercase and lowercase letters, numbers, and symbols
	</li>
	<li>
		Not a word that can be found in a dictionary, or the name of a person, product, or organization
	</li>
	<li>
		Completely different from your previous passwords
	</li>
	<li>
		Changed immediately if you suspect it may have been compromised
	</li>
</ul>

<p>
	 
</p>

<p>
	The third tip in the list above is rather interesting because last year, the <a href="https://www.neowin.net/news/the-uk-government-wants-you-to-use-passwords-made-of-three-random-words/" rel="external nofollow">UK government was actually encouraging people to use passwords that are a combination of three random, but real, words</a>. Another interesting approach that Microsoft has recommended is that people should give off-topic answers to security questions to throw off attackers. For example, in a security question about your birthplace, you could answer with "Green". This ensures that even if an attacker has access to some of your basic info, they probably won't be able to answer your security questions. That said, the drawback of this approach is having to memorize those off-topic answers.
</p>

<p>
	 
</p>

<p>
	Overall, Microsoft has still reiterated that password-less sign-in will soon become the norm so it's better to start adjusting to this new reality right now.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-please-ditch-passwords-completely/" rel="external nofollow">Microsoft: Please ditch passwords completely</a>
</p>
]]></description><guid isPermaLink="false">5677</guid><pubDate>Fri, 06 May 2022 07:46:39 +0000</pubDate></item><item><title>Microsoft, Apple, and Google to support FIDO passwordless logins</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-apple-and-google-to-support-fido-passwordless-logins-r5663/</link><description><![CDATA[<p>
	Today, Microsoft, Apple, and Google announced plans to support a common passwordless sign-in standard (known as passkeys) developed by the World Wide Web Consortium (W3C) and the FIDO Alliance.
</p>

<p>
	 
</p>

<p>
	Once implemented, these new Web Authentication (WebAuthn) credentials (aka FIDO credentials) will allow the three tech giants' users to log in to their accounts without using a password.
</p>

<p>
	 
</p>

<p>
	Instead of using passwords, they will have the option of verifying their identity using PINs or biometric authentication (fingerprint or face).
</p>

<p>
	 
</p>

<p>
	"To sign into a website on your computer, you’ll just need your phone nearby and you’ll simply be prompted to unlock it for access," <a href="https://blog.google/technology/safety-security/one-step-closer-to-a-passwordless-future/" rel="external nofollow" target="_blank">said</a> Sampath Srinivas, Google PM Director for Secure Authentication.
</p>

<p>
	 
</p>

<p>
	"Even if you lose your phone, your passkeys will securely sync to your new phone from cloud backup, allowing you to pick up right where your old device left off."
</p>

<p>
	 
</p>

<p>
	The new capabilities should become available across the leading platforms, devices, websites, and apps operated by Microsoft, Apple, and Google over the coming year.
</p>

<p>
	 
</p>

<p>
	<img alt="FIDO%20passkey%20sign-in.png" class="ipsImage" data-ratio="63.75" height="307" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2022/FIDO%20passkey%20sign-in.png">
</p>

<div>
	<div>
		FIDO passkey sign in (FIDO Alliance)
	</div>

	<p>
		 
	</p>
</div>

<p>
	"These multi-device FIDO credentials, sometimes referred to as passkeys, represent a monumental step toward a world without passwords," <a href="https://techcommunity.microsoft.com/t5/azure-active-directory-identity/expansion-of-fido-standard-and-new-updates-for-microsoft/ba-p/3290633" rel="external nofollow" target="_blank">added</a> Microsoft Identity Division Vice President Alex Simons.
</p>

<p>
	 
</p>

<p>
	When available, passkeys will remove the requirement of having to sign in to each app or website on every device, adding additional capabilities for more seamless passwordless sign-ins:
</p>

<p>
	 
</p>

<ol>
	<li>
		Users can automatically access their passkeys on many of their devices without having to re-enroll for each account.
	</li>
	<li>
		With passkeys on your mobile device, you can sign in to an app or service on nearly any device, regardless of the platform or browser the device is running.
	</li>
</ol>

<p>
	 
</p>

<p>
	Moving away from using passwords to sign into accounts will make the web more secure, since passwords are the most common point of entry used by attackers to hijack online identities.
</p>

<p>
	 
</p>

<p>
	As Vasu Jakkal, Microsoft's Corporate Vice President, Security, Compliance, Identity, and Management, <a href="https://www.microsoft.com/security/blog/2022/05/05/this-world-password-day-consider-ditching-passwords-altogether/" rel="external nofollow" target="_blank">revealed</a> today, "there are 921 password attacks every second—nearly doubling in frequency over the past 12 months."
</p>

<h2>
	Passwordless sign-in push
</h2>

<p>
	Of the three companies, Microsoft has been pushing for passwordless sign-ins across many of its platforms and services for several years now.
</p>

<p>
	 
</p>

<p>
	In December 2020, <a href="https://www.microsoft.com/security/blog/2020/12/17/a-breakthrough-year-for-passwordless-technology/" rel="external nofollow" target="_blank">Microsoft reported that over 150 million users</a> logged into their Azure Active Directory and Microsoft accounts without using passwords.
</p>

<p>
	 
</p>

<p>
	The company began rolling out passwordless login support for all Microsoft accounts in September, allowing its customers to log into their Microsoft accounts without using a password.
</p>

<p>
	 
</p>

<p>
	In October, the Microsoft Detection and Response Team (DART) said it detected an increase in <a href="https://attack.mitre.org/versions/v8/techniques/T1110/003/" rel="external nofollow" target="_blank">password spray attacks</a> targeting privileged cloud accounts and high-profile identities.
</p>

<p>
	 
</p>

<p>
	One year before, Simons revealed that password spray attacks were among the most popular authentication attacks, as they were behind over <a href="https://techcommunity.microsoft.com/t5/azure-active-directory-identity/advancing-password-spray-attack-detection/ba-p/1276936" rel="external nofollow" target="_blank">a third of enterprise account compromises</a>.
</p>

<p>
	 
</p>

<p>
	"I applaud the commitment of our private sector partners to open standards that add flexibility for the service providers and a better user experience for customers," <a href="https://fidoalliance.org/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard-to-accelerate-availability-of-passwordless-sign-ins/" rel="external nofollow" target="_blank">said</a> CISA Director Jen Easterly.
</p>

<p>
	 
</p>

<p>
	"Today is an important milestone in the security journey to encourage built-in security best practices and help us move beyond passwords."
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/microsoft-apple-and-google-to-support-fido-passwordless-logins/" rel="external nofollow">Microsoft, Apple, and Google to support FIDO passwordless logins</a>
</p>
]]></description><guid isPermaLink="false">5663</guid><pubDate>Thu, 05 May 2022 20:35:47 +0000</pubDate></item><item><title>Tor project upgrades network speed performance with new system</title><link>https://nsaneforums.com/news/security-privacy-news/tor-project-upgrades-network-speed-performance-with-new-system-r5662/</link><description><![CDATA[<p>
	The Tor Project has published details about a newly introduced system called Congestion Control that promises to eliminate speed limits on the network.
</p>

<p>
	 
</p>

<p>
	This new system is up and running in the Tor protocol version 0.4.7.7, the latest stable release available since last week.
</p>

<p>
	 
</p>

<p>
	Congestion Control "will result in significant performance improvements in Tor, as well as increased utilization of our network capacity," say the maintainers of the project.
</p>

<h2>
	Tor and congestion
</h2>

<p>
	Tor (The Onion Router) is a volunteer-run overlay network consisting of thousands of relays that serve as bouncing points for encrypted user network traffic and exit nodes that are essentially the gateways to the public internet.
</p>

<p>
	 
</p>

<p>
	The project's mission is to conceal users' real location and browsing interests, aiming for ultimate internet user privacy and anonymity.
</p>

<p>
	 
</p>

<p>
	One of the downsides of such a system is slow browsing, crippled by traffic congestion on the Tor network's nodes and by the queues on the exit relays.
</p>

<p>
	 
</p>

<p>
	Regulating traffic congestion on the Tor network is challenging without making concessions on the privacy-preserving mechanisms. However, after nearly two decades of looking for solutions, the project finally introduced Congestion Control.
</p>

<p>
	 
</p>

<p>
	The new system implements three algorithms, namely Tor-Westwood, Tor-Vegas, and Tor-NOLA, which collectively help reduce memory consumption and stabilize and minimize queue delay and latency:
</p>

<p>
	 
</p>

<ul>
	<li>
		Tor-Westwood - minimizes packet loss in large pipes
	</li>
	<li>
		Tor-Vegas - estimates queue length and introduces balancing elements
	</li>
	<li>
		Tor-NOLA - works as a bandwidth-delay estimator
	</li>
</ul>

<h2>
	Results and implementation
</h2>

<p>
	The Tor project has run simulations to compare versions 0.4.6 and 0.4.7, and the results are impressive across the board with smoother and improved browsing free of speed limitations and bottlenecks, without adding any burden on end-to-end latency.
</p>

<p>
	 
</p>

<p>
	<img alt="speed-bench(1).png" class="ipsImage" data-ratio="51.25" height="291" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Diagrams/speed-bench(1).png">
</p>

<p>
	Throughput graph comparison (Tor)
</p>

<p>
	 
</p>

<p>
	However, for the entire community to benefit from the improvements, exit relay operators will have to upgrade to version 0.4.7 of the Tor protocol.
</p>

<p>
	 
</p>

<p>
	Operators of internal Tor nodes do not need to upgrade but will have to set bandwidth limits. That's because traffic patterns will change as Congestion Control is expected to utilize relays at their full capacity.
</p>

<p>
	 
</p>

<p>
	The more clients upgrade to <a href="https://forum.torproject.net/t/stable-release-0-4-7-7/3108/2" rel="external nofollow" target="_blank">version 0.4.7</a> (or later), the more apparent the performance increase on the network will become for everyone, but the first results are already notable.
</p>

<p>
	 
</p>

<p>
	<img alt="bandwidth(1).png" class="ipsImage" data-ratio="75.10" height="427" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Diagrams/bandwidth(1).png">
</p>

<p>
	Increase in advertised relay bandwidth (Tor)
</p>

<p>
	 
</p>

<div>
	<p style="margin-left: 40px;">
		"Because our network is roughly 25% utilized, we expect that throughput may be very high for the first few users who use 0.4.7 on fast circuits with fast 0.4.7 Exits until the point where most clients have upgraded. At that point, a new equilibrium will be reached in terms of throughput and network utilization."
	</p>

	<p style="margin-left: 40px;">
		 
	</p>

	<p style="margin-left: 40px;">
		"For this reason, we are holding back on releasing a Tor Browser Stable with congestion control until enough Exits have upgraded to make the experience more uniform. We hope this will happen by May 31st" - the <a href="http://blog.torproject.org/congestion-contrl-047/" rel="external nofollow" target="_blank">Tor Project</a>
	</p>

	<p>
		 
	</p>
</div>

<p>
	For the next major stable release, version 0.4.8, the Tor project plans to implement a traffic splitting mechanism that should improve network speeds even more.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/tor-project-upgrades-network-speed-performance-with-new-system/" rel="external nofollow">Tor project upgrades network speed performance with new system</a>
</p>
]]></description><guid isPermaLink="false">5662</guid><pubDate>Thu, 05 May 2022 20:33:47 +0000</pubDate></item><item><title>NIST Releases Updated Cybersecurity Guidance for Managing Supply Chain Risks</title><link>https://nsaneforums.com/news/security-privacy-news/nist-releases-updated-cybersecurity-guidance-for-managing-supply-chain-risks-r5654/</link><description><![CDATA[<p>
	The National Institute of Standards and Technology (NIST) on Thursday released updated cybersecurity guidance for managing risks in the supply chain, which is increasingly emerging as a lucrative attack vector.
</p>

<p>
	 
</p>

<p>
	"It encourages organizations to consider the vulnerabilities not only of a finished product they are considering using, but also of its components — which may have been developed elsewhere — and the journey those components took to reach their destination," NIST said in a statement.
</p>

<p>
	The new directive outlines major security controls and practices that entities should adopt to identify, assess, and respond to risks at different stages of the supply chain, including the possibility of malicious functionality, flaws in third-party software, insertion of counterfeit hardware, and poor manufacturing and development practices.
</p>

<p style="text-align:center;">
	 
</p>

<p style="text-align:center;">
	<img alt="nist1.jpg" class="ipsImage" data-ratio="59.72" height="426" width="720" src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEicY9kTIr-w4CSmntrWcOqbqhwcsxL8U6Wf_8vqojz_U0GOaznRmzR3uAT7CZz_kXcRj64iu7r9n6tK6qNkeqHkIn_8sCMcek_jIQ6746SlCfKXp7qF2VcJwEIjVtIkHKEEuAKU6Ls5du2vl1P-2-mZyBMikrOK4Pjt4PWKJpmc6paJ1B3JPom_Gy8v/s728-e1000/nist1.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	The development follows an Executive Order issued by the U.S. President on "Improving the Nation's Cybersecurity (14028)" last May, requiring government agencies to take steps to "improve the security and integrity of the software supply chain, with a priority on addressing critical software."
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="nist22.jpg" class="ipsImage" data-ratio="71.94" height="513" width="720" src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhHKacBQWCOcJA1frHYXcdxTrL058-BAnJ_JGqvbhSbC8X_KOu8WN6I3AVmQ2nWHbF8aQIhP6QcSVh84lm4ApnfHXISWMbFF4D1jwXnoWfRQmSYqRtRi3YQIKycZ7Yaj7uLETJFB0FR0KW4rAYPMA5brYIaZiLrG_XGUXnhBAfhgYD5_mrmCpVWVHHL/s728-e1000/nist22.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	It also comes as cybersecurity risks in the supply chain have come to the forefront in recent years, in part compounded by a wave of attacks targeting widely-used software to breach dozens of downstream vendors all at once.
</p>

<p>
	 
</p>

<p>
	According to the European Union Agency for Cybersecurity's (ENISA) Threat Landscape for Supply Chain Attacks, 62% of 24 attacks documented from January 2020 to early 2021 were found to "exploit the trust of customers in their supplier."
</p>

<p>
	 
</p>

<p>
	"Managing the cybersecurity of the supply chain is a need that is here to stay," said NIST's Jon Boyens, one of the publication's authors. "If your agency or organization hasn't started on it, this is a comprehensive tool that can take you from crawl to walk to run, and it can help you do so immediately."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2022/05/nist-releases-updated-guidance-for.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">5654</guid><pubDate>Thu, 05 May 2022 14:54:04 +0000</pubDate></item><item><title>Apple, Google and Microsoft Commit to Expanded Support for FIDO Standard to Accelerate Availability of Passwordless Sign-Ins</title><link>https://nsaneforums.com/news/security-privacy-news/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard-to-accelerate-availability-of-passwordless-sign-ins-r5653/</link><description><![CDATA[<p>
	<span style="font-size:18px;"><em>Faster, easier and more secure sign-ins will be available to consumers across leading devices and platforms </em></span>
</p>

<p>
	 
</p>

<p>
	<strong>Mountain View, California, MAY 5, 2022 </strong> – In a joint effort to make the web more secure and usable for all, Apple, Google and Microsoft today announced plans to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium.
</p>

<p>
	 
</p>

<p>
	The new capability will allow websites and apps to offer consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms.  
</p>

<p>
	 
</p>

<p>
	Password-only authentication is one of the biggest security problems on the web, and managing so many passwords is cumbersome for consumers, which often leads consumers to reuse the same ones across services. This practice can lead to costly account takeovers, data breaches, and even stolen identities. While password managers and legacy forms of two-factor authentication offer incremental improvements, there has been industry-wide collaboration to create sign-in technology that is more convenient and more secure.  
</p>

<p>
	 
</p>

<p>
	The expanded standards-based capabilities will give websites and apps the ability to offer an end-to-end passwordless option. Users will sign in through the same action that they take multiple times each day to unlock their devices, such as a simple verification of their fingerprint or face, or a device PIN. This new approach protects against phishing and sign-in will be radically more secure when compared to passwords and legacy multi-factor technologies such as one-time passcodes sent over SMS. 
</p>

<p>
	 
</p>

<p>
	<span style="font-size:18px;"><strong>An Expansion of Passwordless Standard Support </strong></span>
</p>

<p>
	 
</p>

<p>
	Hundreds of technology companies and service providers from around the world worked within the FIDO Alliance and W3C to create the passwordless sign-in standards that are already supported in billions of devices and all modern web browsers. Apple, Google, and Microsoft have led development of this expanded set of capabilities and are now building support into their respective platforms. 
</p>

<p>
	 
</p>

<p>
	These companies’ platforms already support FIDO Alliance standards to enable passwordless sign-in on billions of industry-leading devices, but previous implementations require users to sign in to each website or app with each device before they can use passwordless functionality. Today’s announcement extends these platform implementations to give users two new capabilities for more seamless and secure passwordless sign-ins: 
</p>

<p>
	 
</p>

<ol>
	<li>
		Allow users to automatically access their FIDO sign-in credentials (referred to by some as a “passkey”) on many of their devices, even new ones, without having to re-enroll every account. 
	</li>
	<li>
		Enable users to use FIDO authentication on their mobile device to sign in to an app or website on a nearby device, regardless of the OS platform or browser they are running.
	</li>
</ol>

<p>
	 
</p>

<p>
	In addition to facilitating a better user experience, the broad support of this standards-based approach will enable service providers to offer FIDO credentials without needing passwords as an alternative sign-in or account recovery method. 
</p>

<p>
	 
</p>

<p>
	These new capabilities are expected to become available across Apple, Google, and Microsoft platforms over the course of the coming year. 
</p>

<p>
	 
</p>

<p>
	“‘Simpler, stronger authentication’ is not just FIDO Alliance’s tagline — it also has been a guiding principle for our specifications and deployment guidelines. Ubiquity and usability are critical to seeing multi-factor authentication adopted at scale, and we applaud Apple, Google, and Microsoft for helping make this objective a reality by committing to support this user-friendly innovation in their platforms and products,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “This new capability stands to usher in a new wave of low-friction FIDO implementations alongside the ongoing and growing utilization of security keys — giving service providers a full range of options for deploying modern, phishing-resistant authentication.”
</p>

<p>
	 
</p>

<p>
	“The standards developed by the FIDO Alliance and World Wide Web Consortium and being led in practice by these innovative companies is the type of forward-leaning thinking that will ultimately keep the American people safer online. I applaud the commitment of our private sector partners to open standards that add flexibility for the service providers and a better user experience for customers,” said Jen Easterly, Director of the U.S. Cybersecurity and Infrastructure Security Agency. “At CISA, we are working to raise the cybersecurity baseline for all Americans. Today is an important milestone in the security journey to encourage built-in security best practices and help us move beyond passwords. Cyber is a team sport, and we’re pleased to continue our collaboration.”
</p>

<p>
	 
</p>

<p>
	“Just as we design our products to be intuitive and capable, we also design them to be private and secure,” said Kurt Knight, Apple’s Senior Director of Platform Product Marketing. “Working with the industry to establish new, more secure sign-in methods that offer better protection and eliminate the vulnerabilities of passwords is central to our commitment to building products that offer maximum security and a transparent user experience — all with the goal of keeping users’ personal information safe.” 
</p>

<p>
	 
</p>

<p>
	“This milestone is a testament to the collaborative work being done across the industry to increase protection and eliminate outdated password-based authentication,” said Mark Risher, Senior Director of Product Management, Google. “For Google, it represents nearly a decade of work we’ve done alongside FIDO, as part of our continued innovation towards a passwordless future. We look forward to making FIDO-based technology available across Chrome, ChromeOS, Android and other platforms, and encourage app and website developers to adopt it, so people around the world can safely move away from the risk and hassle of passwords.”
</p>

<p>
	 
</p>

<p>
	“The complete shift to a passwordless world will begin with consumers making it a natural part of their lives. Any viable solution must be safer, easier, and faster than the passwords and legacy multi-factor authentication methods used today,” says Alex Simons, Corporate Vice President, Identity Program Management at Microsoft. “By working together as a community across platforms, we can at last achieve this vision and make significant progress toward eliminating passwords. We see a bright future for FIDO-based credentials in both consumer and enterprise scenarios and will continue to build support across Microsoft apps and services.”
</p>

<p>
	 
</p>

<p>
	<strong><span style="font-size:18px;">About the FIDO Alliance</span></strong>
</p>

<p>
	 
</p>

<p>
	The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:18px;"><strong>About Apple</strong></span>
</p>

<p>
	 
</p>

<p>
	Apple revolutionized personal technology with the introduction of the Macintosh in 1984. Today, Apple leads the world in innovation with iPhone, iPad, Mac, Apple Watch, and Apple TV. Apple’s five software platforms — iOS, iPadOS, macOS, watchOS, and tvOS — provide seamless experiences across all Apple devices and empower people with breakthrough services including the App Store, Apple Music, Apple Pay, and iCloud. Apple’s more than 100,000 employees are dedicated to making the best products on earth, and to leaving the world better than we found it.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:18px;"><strong>About Google</strong></span>
</p>

<p>
	 
</p>

<p>
	Google’s mission is to organize the world’s information and make it universally accessible and useful. Through products and platforms like Search, Maps, Gmail, Android, Google Play, Google Cloud, Chrome and YouTube, Google plays a meaningful role in the daily lives of billions of people and has become one of the most widely-known companies in the world. Google is a subsidiary of Alphabet Inc.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:18px;"><strong>About Microsoft</strong></span>
</p>

<p>
	 
</p>

<p>
	Microsoft enables digital transformation for the era of an intelligent cloud and an intelligent edge. Its mission is to empower every person and every organization on the planet to achieve more.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:18px;"><strong><a href="https://fidoalliance.org/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard-to-accelerate-availability-of-passwordless-sign-ins/" rel="external nofollow">Source</a></strong></span>
</p>
]]></description><guid isPermaLink="false">5653</guid><pubDate>Thu, 05 May 2022 14:40:14 +0000</pubDate></item><item><title>Researchers Disclose Years-Old Vulnerabilities in Avast and AVG Antivirus</title><link>https://nsaneforums.com/news/security-privacy-news/researchers-disclose-years-old-vulnerabilities-in-avast-and-avg-antivirus-r5652/</link><description><![CDATA[<p>
	Two high-severity security vulnerabilities, which went undetected for several years, have been discovered in a legitimate driver that's part of Avast and AVG antivirus solutions.
</p>

<p>
	 
</p>

<p>
	"These vulnerabilities allow attackers to escalate privileges enabling them to disable security products, overwrite system components, corrupt the operating system, or perform malicious operations unimpeded," SentinelOne researcher Kasif Dekel said in a report shared with The Hacker News.
</p>

<p>
	 
</p>

<p>
	Tracked as CVE-2022-26522 and CVE-2022-26523, the flaws reside in a legitimate anti-rootkit kernel driver named aswArPot.sys and are said to have been introduced in Avast version 12.1, which was released in June 2016.
</p>

<p>
	 
</p>

<p>
	Specifically, the shortcomings are rooted in a socket connection handler in the kernel driver that could lead to privilege escalation by running code in the kernel from a non-administrator user, potentially causing the operating system to crash and display a blue screen of death (BSoD) error.
</p>

<p>
	 
</p>

<p>
	Worryingly, the flaws could also be exploited as part of a second-stage browser attack or to perform a sandbox escape, leading to far-reaching consequences.
</p>

<p>
	 
</p>

<p>
	Following responsible disclosure on December 20, 2021, Avast addressed the issues in version 22.1 of the software released on February 8, 2022. "Rootkit driver BSoD was fixed," the company said in its release notes.
</p>

<p>
	 
</p>

<p>
	While there is no evidence that these flaws were abused in the wild, the disclosure comes merely days after Trend Micro detailed an AvosLocker ransomware attack that leveraged another issue in the same driver to terminate antivirus solutions on the compromised system.
</p>

<p>
	 
</p>

<p>
	<strong>Update:</strong> SentinelOne notes that the bug dates back to version 12.1, which it claims was released in January 2012. However, Avast's own release notes show that version 12.1 was shipped in June 2016. We have reached out to SentinelOne for further comment, and we'll update the story once we hear back.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2022/05/researchers-disclose-10-year-old.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">5652</guid><pubDate>Thu, 05 May 2022 14:31:48 +0000</pubDate></item><item><title>India&#x2019;s New Super App Has a Privacy Problem</title><link>https://nsaneforums.com/news/security-privacy-news/india%E2%80%99s-new-super-app-has-a-privacy-problem-r5632/</link><description><![CDATA[<p>
	On April 7, Ranendra Ojha, a marketing professional in the eastern Indian city of Kolkata was looking forward to installing and using the new super app, Tata Neu. Super apps are umbrella mobile applications under which companies offer a bunch of services. But as soon as Ojha installed and signed up for Tata Neu on his phone number, he was appalled to see that this newly launched app already had three of his old addresses along with his full name—details he never shared with the app.
</p>

<p>
	 
</p>

<p>
	As he dug further, Ojha realized that the app seemed to have pulled data from the grocery app Big Basket, which Ojha uses frequently. Like Big Basket, Tata Neu is owned by the almost 155-year-old Tata Group. One of India’s largest conglomerates and a household name, the Tata Group sells everything from salt to software and recently forayed into the world of consumer tech through a slew of <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://economictimes.indiatimes.com/tech/startups/tata-digital-to-acquire-majority-stake-in-1mg/articleshow/83393293.cms?from=mdr"}' data-offer-url="https://economictimes.indiatimes.com/tech/startups/tata-digital-to-acquire-majority-stake-in-1mg/articleshow/83393293.cms?from=mdr" href="https://economictimes.indiatimes.com/tech/startups/tata-digital-to-acquire-majority-stake-in-1mg/articleshow/83393293.cms?from=mdr" rel="external nofollow" target="_blank">acquisitions</a>.
</p>

<p>
	 
</p>

<p>
	“Frankly, I was quite shocked that Tata had picked up my personal details from one of the apps they owned and used it for this new app,” Ojha says. “In effect they have shared my personal details with the whole Tata Group companies without my permission.”
</p>

<p>
	 
</p>

<p>
	Another user based in the southern Indian city of Bangalore was equally shocked when he saw multiple addresses (including the address of his old home, where he doesn’t live anymore) and his date of birth already preloaded on Tata Neu when he signed up for it using his phone number and a one-time password. What he found more perplexing was that his wife’s Tata Neu also had her old office address, which he says they never used for any purpose. “Personally I am a very big fan of Tata Group, and there is trust when it comes to the Tata brand,” says Naren, who requested to be quoted under a pseudonym, fearing backlash from the company. “But that trust is lost when they do these sorts of sneaky things under the name of user experience.”
</p>

<p>
	 
</p>

<p>
	Tata Neu was launched in the first week of April and has had at least <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.thehindubusinessline.com/info-tech/tata-neu-records-22-million-downloads-bets-big-on-financial-services/article65321593.ece"}' data-offer-url="https://www.thehindubusinessline.com/info-tech/tata-neu-records-22-million-downloads-bets-big-on-financial-services/article65321593.ece" href="https://www.thehindubusinessline.com/info-tech/tata-neu-records-22-million-downloads-bets-big-on-financial-services/article65321593.ece" rel="external nofollow" target="_blank">2.2 million downloads</a>. The app houses all of the company’s brands, ranging across industries such as ecommerce, financial services, airline tickets, grocery, medicines, and hotels. But the preloaded personal data in a brand-new app means that the Tata Group has pooled customer data from its online and offline companies to build profiles of its customers. According to privacy advocates, this is problematic because it happened without users giving explicit consent and in the absence of a comprehensive data-protection law in India.
</p>

<p>
	 
</p>

<p>
	The Tatas, with a market cap of <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.moneycontrol.com/news/business/markets/tata-group-stocks-market-value-triples-under-chandrasekarans-reign-8081121.html"}' data-offer-url="https://www.moneycontrol.com/news/business/markets/tata-group-stocks-market-value-triples-under-chandrasekarans-reign-8081121.html" href="https://www.moneycontrol.com/news/business/markets/tata-group-stocks-market-value-triples-under-chandrasekarans-reign-8081121.html" rel="external nofollow" target="_blank">over $300 billion</a> at current exchange rates, have had a strong offline presence across a wide range of sectors. But, until relatively recently, consumer tech remained an untapped market. So a few years ago, in a bid to compete with tech biggies like Amazon and Walmart-owned Flipkart, Tata started building its digital profile by acquiring startups like Alibaba-backed online grocery firm Big Basket and medicine delivery startup 1mg, along with an investment in health-and-fitness startup Cult.Fit.
</p>

<p>
	 
</p>

<p>
	Some customers of these startups acquired by Tata received an email with updated terms and conditions. Others, including the author of this piece, received no email and are unaware of any other form of notice. And while previous privacy policies of these apps vaguely said that they may share customer data with partner companies or other third parties in the event of an acquisition, experts say it’s the lack of explicit consumer consent coupled with the fact that this is data collected from acquired companies which, according to long-time privacy advocate Nikhil Pahwa, makes it “an ethical failure on the part of the Tata Group.”
</p>

<p>
	 
</p>

<p>
	“All super apps already do this [data sharing] but the difference for Tata Neu is the fact that they have acquired companies and then connected all of this data together,” says Pahwa, founder of digital media portal <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.medianama.com/2022/04/223-tata-brands-data-sharing-privacy-concerns/"}' data-offer-url="https://www.medianama.com/2022/04/223-tata-brands-data-sharing-privacy-concerns/" href="https://www.medianama.com/2022/04/223-tata-brands-data-sharing-privacy-concerns/" rel="external nofollow" target="_blank">Medianama</a>. “There is a different threshold of accountability for them, because customers who were using an app or service before acquisition naturally didn’t expect that the data would be linked to data from multiple different apps when an acquisition takes place.”
</p>

<p>
	 
</p>

<p>
	In response to queries sent by WIRED, a Tata spokesperson defended the company’s business practices and asserted that it is committed to user privacy and security.
</p>

<p>
	 
</p>

<p>
	“Respecting and safeguarding our customers' privacy is vital to our business at Tata Digital. We take great care to maintain the confidentiality of their information,” the spokesperson said. “Tata Digital complies with, and will continue to comply with, applicable data regulations, both in letter and spirit.”
</p>

<p>
	 
</p>

<p>
	Last year, WhatsApp—for which India is the <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://backlinko.com/whatsapp-users#whatsapp-statistics"}' data-offer-url="https://backlinko.com/whatsapp-users#whatsapp-statistics" href="https://backlinko.com/whatsapp-users#whatsapp-statistics" rel="external nofollow" target="_blank">largest</a> market—<a data-event-click='{"element":"ExternalLink","outgoingURL":"https://faq.whatsapp.com/general/security-and-privacy/answering-your-questions-about-whatsapps-privacy-policy/?lang=en"}' data-offer-url="https://faq.whatsapp.com/general/security-and-privacy/answering-your-questions-about-whatsapps-privacy-policy/?lang=en" href="https://faq.whatsapp.com/general/security-and-privacy/answering-your-questions-about-whatsapps-privacy-policy/?lang=en" rel="external nofollow" target="_blank">updated</a> its privacy policy to require users to accept sharing their data with its parent company, Facebook (now known as Meta). This led to an outrage among its users, many of whom <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://restofworld.org/2021/whatsapp-risks-losing-its-loyal-customers/"}' data-offer-url="https://restofworld.org/2021/whatsapp-risks-losing-its-loyal-customers/" href="https://restofworld.org/2021/whatsapp-risks-losing-its-loyal-customers/" rel="external nofollow" target="_blank">abandoned</a> WhatsApp (if only temporarily) and moved en masse to other messaging apps like Signal and Telegram.
</p>

<p>
	 
</p>

<p>
	The Competition Commission of India, India’s antitrust agency, soon <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.business-standard.com/article/companies/delhi-hc-grants-whatsapp-facebook-time-to-respond-to-cci-probe-122010300381_1.html"}' data-offer-url="https://www.business-standard.com/article/companies/delhi-hc-grants-whatsapp-facebook-time-to-respond-to-cci-probe-122010300381_1.html" href="https://www.business-standard.com/article/companies/delhi-hc-grants-whatsapp-facebook-time-to-respond-to-cci-probe-122010300381_1.html" rel="external nofollow" target="_blank">initiated regulatory action</a> against WhatsApp for the unilateral changes to its privacy policy on the grounds of abuse of dominance. But antitrust and privacy lawyers say it may be difficult to make the argument of unfair policy terms as a form of abuse of dominance in the case of a new entrant like Neu, because it has a relatively small market share so far. “However, if any of the Tata affiliates hold a clear dominance in the markets that they operate in, then any sort of coercive data sharing with Neu could potentially raise competition law issues for that entity,” says Smriti Parsheera, a tech policy researcher with the think tank National Institute of Public Finance and Policy.
</p>

<p>
	 
</p>

<p>
	Tata’s data sharing takes place in the absence of a comprehensive data protection law in India. The closest thing the country has is a <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://trilegal.com/knowledge_repository/the-data-protection-bill-2021/"}' data-offer-url="https://trilegal.com/knowledge_repository/the-data-protection-bill-2021/" href="https://trilegal.com/knowledge_repository/the-data-protection-bill-2021/" rel="external nofollow" target="_blank">finalized</a> Data Protection Bill, 2021. But the legislation hasn't been passed, and it relies on “informed” consent as one of the main grounds for data processing, meaning companies could still bury alerts about how data could be used under a mountain of legalese while giving people no opt-out beyond not using the service.
</p>

<p>
	 
</p>

<p>
	“Merely having the new law would not completely solve the problem,” says Parsheera. “But it will create a framework of accountability where the new regulator can take actions, and consumers can seek redress.” The new regulator would also be expected to frame regulations around the tools that can be used to make privacy policies more understandable to users.
</p>

<p>
	 
</p>

<p>
	Ojha, for one, is not waiting for the Indian government to bring a legal framework for data protection. He decided to delete the app the same day it first resided on his phone’s home screen. “I found it very cumbersome and absolutely zero value addition to me,” he says. “Also, I was uncomfortable that they were using my personal information without my explicit permission.”
</p>

<p>
	 
</p>


<p>
	<a href="https://www.wired.com/story/india-tata-super-app-privacy/" rel="external nofollow">India’s New Super App Has a Privacy Problem</a>
</p>

<p>
	 
</p>

<p>
	(May require free registration to view)
</p>
]]></description><guid isPermaLink="false">5632</guid><pubDate>Wed, 04 May 2022 21:20:12 +0000</pubDate></item><item><title>Russian hacker group APT29 targeting diplomats</title><link>https://nsaneforums.com/news/security-privacy-news/russian-hacker-group-apt29-targeting-diplomats-r5619/</link><description><![CDATA[<p>
	<span style="font-size:20px;">The state-supported group behind the SolarWinds supply chain attack is going after diplomats using spear phishing to deploy a novel strain of malware.</span>
</p>

<p>
	 
</p>

<p>
	Threat analysts at the cybersecurity firm Mandiant have uncovered a new APT29 cyber attack once again aimed at diplomats and government agencies.
</p>

<p>
	 
</p>

<p>
	APT29 is a cyber espionage group widely believed to be sponsored by the Russian Foreign Intelligence Service, the SVR. APT29 is also publicly referred to as Nobelium by Microsoft, Mandiant said. APT29 is the group responsible for the 2020 SolarWinds supply chain attack.
</p>

<p>
	 
</p>

<p>
	While Mandiant has been tracking APT29 phishing activity aimed at diplomats around the globe since early 2020, this year’s attackers are using two new malware families, BEATDROP and BOOMMIC, alongside Cobalt Strike’s BEACON backdoor. BEATDROP uses Atlassian’s popular Trello project management tool for command and control (C2), storing victim information and retrieving AES-encrypted shellcode payloads.
</p>

<p>
	 
</p>

<p>
	“For anyone involved in politics, it is critical to understand that they may be targeted due to information they have, or even just the contacts they may have,” said Erich Kron, security awareness advocate, at cybersecurity training firm KnowBe4. “In situations like embassies, which act as sovereign soil in foreign countries, and for the diplomats within them, the information about activities occurring within the region would be a gold mine for adversaries.”
</p>

<p>
	 
</p>

<p>
	To trick victims into downloading malware-laden files, APT29 sent spear-phishing emails disguised as embassy administrative updates, Mandiant said in a blog post about the attacks. To get past spam filters, APT29 used legitimate email addresses belonging to other diplomatic entities and targeted large publicly available lists of embassy personnel.
</p>

<p>
	 
</p>

<p>
	The emails carried the malicious HTML dropper ROOTSAW (also known as EnvyScout), which decodes an embedded IMG or ISO file; once written to disk and opened, the image runs a malicious DLL that contains the BEATDROP downloader. APT29 also used Cobalt Strike’s BEACON for the same purpose.
</p>

<p>
	 
</p>

<p>
	Once BEATDROP or BEACON open backdoors to the victim’s network, they quickly deploy BOOMMIC to gain deeper access into the victim’s environment. BOOMMIC (also called VaporRage by Microsoft), is a shellcode downloader that communicates using HTTP to a C2 server. Once activated, its main job is to download shellcode payloads into memory on a target machine, Mandiant said.
</p>

<p>
	 
</p>

<p>
	BEACON, the Cobalt Strike backdoor, is a multi-purpose tool that also captures keystrokes and screenshots and can act as a proxy server. It may also harvest system credentials, conduct port scanning and enumerate systems on a network.
</p>

<p>
	 
</p>

<p>
	Once inside the network, attackers are able to escalate privileges and move laterally within hours using Kerberos tickets in Pass the Ticket attacks, exploiting misconfigured certificate templates to impersonate admins, and creating malicious certificates to escalate directly from low level privileges to domain admin status. Malicious certificates can also give the attacker long-term persistence with the victim’s environment. APT29 performs extensive reconnaissance of hosts and the Active Directory environment looking for credentials, Mandiant said.
</p>
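<p>
	The certificate-template abuse mentioned above is worth making concrete, because it is a configuration defect defenders can audit for. The following is an added example, not code from the article or from Mandiant: a check for the template misconfiguration (commonly called ESC1) in which a low-privileged user may enrol for a certificate, supply the subject name themselves, and receive a certificate that is valid for domain logon, which lets them obtain a certificate naming a domain admin and authenticate as that account. The template records are constructed stand-ins for the LDAP attributes of real templates; the enrollPrincipals list is a simplification of the template's security descriptor, and the CA and template names are invented.
</p>

```javascript
// Added example, not code from the article or from Mandiant: find AD CS certificate templates
// with the "ESC1" misconfiguration that lets a low-privileged user request a certificate naming
// an arbitrary account (a domain admin, say) and then log on as that account. The template
// records are constructed offline stand-ins for the LDAP attributes of real templates;
// `enrollPrincipals` is a simplification of the template's security descriptor (the principals
// granted the Enroll right), and `publishedBy` lists the CAs whose certificateTemplates
// attribute names the template.

// Flag bits from the AD schema (MS-CRTD).
const CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1; // in msPKI-Certificate-Name-Flag
const CT_FLAG_PEND_ALL_REQUESTS = 0x2;         // in msPKI-Enrollment-Flag: CA manager approval

// Extended key usages that make the issued certificate usable for domain authentication.
const AUTH_EKUS = new Set([
  '1.3.6.1.5.5.7.3.2',      // Client Authentication
  '1.3.6.1.4.1.311.20.2.2', // Smart Card Logon
  '1.3.6.1.5.2.3.4',        // PKINIT Client Authentication
  '2.5.29.37.0',            // Any Purpose
]);

const LOW_PRIV = new Set(['Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone']);

// Returns null when the template is not ESC1-exploitable, otherwise a one-line finding.
function assessEsc1(t) {
  if (t.publishedBy.length === 0) return null;                                              // no CA issues it
  if ((t.msPKICertificateNameFlag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) === 0) return null; // subject built from AD
  // An empty EKU list means "any purpose", which includes client authentication.
  const authCapable = t.pKIExtendedKeyUsage.length === 0 ||
    t.pKIExtendedKeyUsage.some((oid) => AUTH_EKUS.has(oid));
  if (!authCapable) return null;
  if (t.msPKIEnrollmentFlag & CT_FLAG_PEND_ALL_REQUESTS) return null;                       // a human approves each request
  if (t.msPKIRASignature > 0) return null;                                                  // needs an enrollment-agent signature
  const who = t.enrollPrincipals.filter((p) => LOW_PRIV.has(p));
  if (who.length === 0) return null;
  return `${t.name}: ESC1 via ${who.join(', ')} on CA ${t.publishedBy.join(', ')}`;
}

function findEsc1(templates) {
  return templates.map(assessEsc1).filter((f) => f !== null);
}

// Constructed sample templates (not real data from any environment). Only the first is exploitable;
// each of the others has exactly one of the conditions missing.
const SAMPLE_TEMPLATES = [
  { name: 'VPN-User', publishedBy: ['CORP-CA01'], msPKICertificateNameFlag: 0x1, msPKIEnrollmentFlag: 0x0,
    msPKIRASignature: 0, pKIExtendedKeyUsage: ['1.3.6.1.5.5.7.3.2'], enrollPrincipals: ['Domain Users'] },
  { name: 'VPN-User-Approved', publishedBy: ['CORP-CA01'], msPKICertificateNameFlag: 0x1, msPKIEnrollmentFlag: 0x2,
    msPKIRASignature: 0, pKIExtendedKeyUsage: ['1.3.6.1.5.5.7.3.2'], enrollPrincipals: ['Domain Users'] },
  { name: 'CodeSigning', publishedBy: ['CORP-CA01'], msPKICertificateNameFlag: 0x1, msPKIEnrollmentFlag: 0x0,
    msPKIRASignature: 0, pKIExtendedKeyUsage: ['1.3.6.1.5.5.7.3.3'], enrollPrincipals: ['Domain Users'] },
  { name: 'Admin-Auth', publishedBy: ['CORP-CA01'], msPKICertificateNameFlag: 0x1, msPKIEnrollmentFlag: 0x0,
    msPKIRASignature: 0, pKIExtendedKeyUsage: ['1.3.6.1.5.5.7.3.2'], enrollPrincipals: ['Domain Admins'] },
  { name: 'User', publishedBy: ['CORP-CA01'], msPKICertificateNameFlag: 0x0, msPKIEnrollmentFlag: 0x0,
    msPKIRASignature: 0, pKIExtendedKeyUsage: ['1.3.6.1.5.5.7.3.2'], enrollPrincipals: ['Domain Users'] },
  { name: 'Retired-VPN', publishedBy: [], msPKICertificateNameFlag: 0x1, msPKIEnrollmentFlag: 0x0,
    msPKIRASignature: 0, pKIExtendedKeyUsage: [], enrollPrincipals: ['Authenticated Users'] },
];

console.log(findEsc1(SAMPLE_TEMPLATES).join('\n'));
```

<p>
	In a real audit the same attributes come from the templates under CN=Certificate Templates,CN=Public Key Services,CN=Services in the configuration naming context, and the enrol right has to be read out of each template's security descriptor rather than a flat list. The fix for a flagged template is any one of: clear the enrollee-supplies-subject flag so the subject is built from the requester's AD object, require CA manager approval, require an enrollment-agent signature, or restrict the Enroll right to the group that genuinely needs it. Certificates already issued from a misconfigured template remain valid until revoked, which is the long-term persistence the article refers to.
</p>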

<p>
	 
</p>

<p>
	“This campaign highlights the importance of implementing a culture of cybersecurity that goes beyond relying on first line preventative controls,” said Chris Clements, vice president of solutions architecture at Cerberus Sentinel. “Controls like [network] segmentation, proactive system and application hardening, and restricting users’ access to only what’s necessary for their job functions make an attacker’s job much more difficult. In-depth monitoring for suspicious activities and threat hunting likewise increases the chances an attacker can be quickly detected and eradicated by the incident response team before widespread damage can be done.”
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.techrepublic.com/article/russian-hacker-group-apt29-targeting-diplomats/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">5619</guid><pubDate>Tue, 03 May 2022 23:18:37 +0000</pubDate></item><item><title>AV-Comparatives' latest test finds Microsoft Defender hogs your system real bad</title><link>https://nsaneforums.com/news/security-privacy-news/av-comparatives-latest-test-finds-microsoft-defender-hogs-your-system-real-bad-r5612/</link><description><![CDATA[<p>
	It's probably fair to say that Microsoft's Defender hasn't had the best of times recently. A couple of days ago there were reports of Defender for Endpoint causing <a href="https://www.neowin.net/news/microsoft-defender-apparently-causing-high-memory-usage-issue-black-screen-and-more/" rel="external nofollow">various issues on client Windows 10 systems</a>. And now there is a bit more bad news: according to the latest Performance Impact test by AV-Comparatives, Microsoft's in-house anti-malware product can hit lower-end Windows systems hard.
</p>

<p>
	 
</p>

<p>
	In the final Awards rating, Defender was barely able to secure the "Standard" rating as it came in second-last in the evaluation alongside Total Defense Anti-Virus. In all, the following anti-malware products were tested:
</p>

<p>
	 
</p>

<ul>
	<li>
		Avast Free Antivirus 22.3
	</li>
	<li>
		AVG Free Antivirus 22.3
	</li>
	<li>
		Avira Prime 1.1
	</li>
	<li>
		Bitdefender Internet Security 26.0
	</li>
	<li>
		ESET Internet Security 15.1
	</li>
	<li>
		G Data Total Security 25.5
	</li>
	<li>
		K7 Total Security 16.0
	</li>
	<li>
		Kaspersky Internet Security 21.3
	</li>
	<li>
		Malwarebytes Premium 4.5
	</li>
	<li>
		McAfee Total Protection 25.5
	</li>
	<li>
		Microsoft Defender 4.18
	</li>
	<li>
		NortonLifeLock Norton 360 Deluxe 22.22
	</li>
	<li>
		Panda Free Antivirus 21.01
	</li>
	<li>
		TotalAV Antivirus Pro 5.16
	</li>
	<li>
		Total Defense Essential Antivirus 13.0
	</li>
	<li>
		Trend Micro Internet Security 17.7
	</li>
	<li>
		VIPRE Advanced Security 11.0
	</li>
</ul>

<p>
	 
</p>

<div>
	<figure>
		<p>
			<img alt="1651573716_av-comparatives_final_rating_" class="ipsImage" data-ratio="75.10" height="420" width="720" src="https://cdn.neow.in/news/images/uploaded/2022/05/1651573716_av-comparatives_final_rating_system_performance_may_2022.jpg">
		</p>

		<figcaption>
			AV-Comparatives final Awards
		</figcaption>
	</figure>
</div>

<p>
	The following real-world tests were run on an up-to-date Windows 10 21H2 64-bit system with an Intel Core i3, 4GB of RAM and an SSD. The i3 and 4GB of RAM were chosen to simulate the typical lower-end PCs that anti-virus programs generally affect the most.
</p>

<p>
	 
</p>

<ul>
	<li>
		File copying
	</li>
	<li>
		Archiving / unarchiving
	</li>
	<li>
		Installing / uninstalling applications - using silent install mode
	</li>
	<li>
		Launching applications - Microsoft Office (Word, Excel, PowerPoint) and Adobe Acrobat Reader
	</li>
	<li>
		Downloading files
	</li>
	<li>
		Browsing Websites - using Google Chrome
	</li>
</ul>

<p>
	 
</p>

<p>
	The total score received in the above tests is being referred to as "AV-C Score". Other than the real world tests listed above, the PC Mark 10 Professional Testing Suite synthetic benchmark was also run.
</p>

<p>
	 
</p>

<p>
	Here is how all the products performed in the tests. The image on top shows the AV-C scores, while the image on the bottom shows the total scores, which also include the PC Mark results:
</p>

<p>
	 
</p>

<p>
	<img alt="1651575133_av-c_score_april_2022_perform" class="ipsImage" data-ratio="75.10" height="540" width="668" src="https://cdn.neow.in/news/images/uploaded/2022/05/1651575133_av-c_score_april_2022_performance_impact.jpg">
</p>

<p>
	 
</p>

<p>
	<img alt="1651575127_total_impact_score_of_april_2" class="ipsImage" data-ratio="75.10" height="446" width="720" src="https://cdn.neow.in/news/images/uploaded/2022/05/1651575127_total_impact_score_of_april_2022_performance_impact_test_by_av-comparatives.jpg">
</p>

<p>
	 
</p>

<p>
	If you are wondering what the "Impact Score" is, the column represents how far the total obtained score falls short of the maximum of 190. The bigger the Impact Score, therefore, the greater the performance impact an anti-malware program had on the tested system. For example, Microsoft Defender has an Impact Score of 24.6, meaning it scored 24.6 points less than the full 190, i.e., 165.4. You can read the original report on AV-Comparatives' site <a href="https://www.av-comparatives.org/tests/performance-test-april-2022/" rel="external nofollow">here</a>.
</p>

<p>
	 
</p>

<p>
	If you are wondering how Defender and the other products have done in terms of general protection, you can <a href="https://www.neowin.net/news/av-comparatives-finds-microsoft-defender-has-one-of-the-poorest-offline-detection-rates/" rel="external nofollow">read this article here</a>.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/av-comparatives039-latest-test-finds-microsoft-defender-hogs-your-system-real-bad/" rel="external nofollow">AV-Comparatives' latest test finds Microsoft Defender hogs your system real bad</a>
</p>
]]></description><guid isPermaLink="false">5612</guid><pubDate>Tue, 03 May 2022 22:28:26 +0000</pubDate></item><item><title>Conti, REvil, LockBit ransomware bugs exploited to block encryption</title><link>https://nsaneforums.com/news/security-privacy-news/conti-revil-lockbit-ransomware-bugs-exploited-to-block-encryption-r5611/</link><description><![CDATA[<p>
	Hackers commonly exploit vulnerabilities in corporate networks to gain access, but a researcher has turned the tables by finding exploitable bugs in some of the most common ransomware and malware being distributed today.
</p>

<p>
	 
</p>

<p>
	Malware from notorious ransomware operations like Conti, the revived REvil, the newcomer Black Basta, the highly active LockBit, or AvosLocker all came with security issues that could be exploited to stop the final and most damaging step of the attack: file encryption.
</p>

<h3>
	Exploit code available
</h3>

<p>
	Analyzing malware strains from these ransomware gangs, a security researcher named <a href="https://twitter.com/malvuln" rel="external nofollow" target="_blank">hyp3rlinx</a> found that the samples were vulnerable to DLL hijacking, a method usually leveraged by attackers to inject malicious code into a legitimate application.
</p>

<p>
	 
</p>

<p>
	For each malware piece analyzed, the researcher provides a report that describes the type of vulnerability found, the hash of the sample, a proof-of-concept (PoC) exploit, and a demo video.
</p>

<p>
	 
</p>

<p>
	DLL hijacking is Windows-specific and exploits the way applications search for and load into memory the Dynamic Link Library (DLL) files they need.
</p>

<p>
	 
</p>

<p>
	A program that loads a DLL by name alone, without checking where the file actually comes from, can end up loading a file planted earlier in the search order than the library it expected. The planted code then runs inside the program, with the program's privileges.
</p>
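<p>
	The search order that makes this possible, modelled in Python as an added example (this is not code from the article, from hyp3rlinx or from the Malvuln project): Windows probes the directory the executable was started from before any system directory, so a file with the requested name placed beside the program, or anywhere earlier in the order than the genuine library, is the one that gets loaded. The filesystem contents, the share path and the names "locker.exe" and "helper.dll" below are constructed placeholders, not names taken from any advisory.
</p>

```python
"""Model of the Windows default DLL search order.

Added example for this article; not code from the article, from hyp3rlinx
or from the Malvuln project. It shows why an unqualified
LoadLibrary("helper.dll") call is satisfied by a same-named file sitting
next to the calling program before Windows ever looks in System32, which is
the property the anti-ransomware DLLs described above rely on.
All paths, file names ("locker.exe", "helper.dll") and filesystem contents
below are constructed placeholders, not names from any advisory.
"""
from pathlib import PureWindowsPath as WP

# A few of the libraries Windows serves from its KnownDLLs list: a request
# for one of these names is always satisfied from System32, so a planted
# copy elsewhere is never picked up.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll",
              "advapi32.dll"}
SYSTEM_DIRS = [WP(r"C:\Windows\System32"), WP(r"C:\Windows\System"),
               WP(r"C:\Windows")]


def search_order(app_dir, cwd, path_dirs=(), safe_search=True):
    """Directories probed, in order, for a DLL requested by name only.

    safe_search=True models SafeDllSearchMode (the default since XP SP2):
    the process's current directory is probed after the system directories.
    With it off, the current directory is probed right after the EXE's own.
    The application directory comes first in both modes.
    """
    app, cur = WP(app_dir), WP(cwd)
    order = [app, *SYSTEM_DIRS, cur] if safe_search else [app, cur, *SYSTEM_DIRS]
    return order + [WP(d) for d in path_dirs]


def resolve_dll(name, fs, app_dir, cwd, path_dirs=(), safe_search=True):
    """Return the path Windows would load for `name`, or None if no
    directory in the search order holds a file of that name.

    `fs` is the set of full paths that exist (matched case-insensitively).
    """
    lname = name.lower()
    if lname in KNOWN_DLLS:
        return SYSTEM_DIRS[0] / lname
    present = {p.lower() for p in fs}
    for directory in search_order(app_dir, cwd, path_dirs, safe_search):
        candidate = directory / lname
        if str(candidate).lower() in present:
            return candidate
    return None


# Constructed scenario: a ransomware binary has been dropped onto a file
# share and executed from there, with its current directory elsewhere.
APP_DIR = r"\\fileserver\finance"
CWD = r"C:\Users\Public"
PATH_DIRS = [r"C:\Tools"]
BASE_FS = {
    r"\\fileserver\finance\locker.exe",    # placeholder ransomware binary
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\helper.dll",     # legitimate copy of the wanted DLL
    r"C:\Tools\plugin.dll",                # only reachable via PATH
}


def demo():
    """Resolve a handful of requests under different placements of a
    planted helper.dll; returns {case: resolved path or None}."""
    planted_next_to_exe = BASE_FS | {r"\\fileserver\finance\helper.dll"}
    planted_in_cwd = BASE_FS | {r"C:\Users\Public\helper.dll"}
    args = (APP_DIR, CWD, PATH_DIRS)
    return {
        # Planted copy beside the EXE wins even though System32 has the real one.
        "planted_next_to_exe": resolve_dll("helper.dll", planted_next_to_exe, *args),
        # KnownDLL names are redirected to System32 regardless of placement.
        "known_dll": resolve_dll("KERNEL32.DLL", planted_next_to_exe, *args),
        # A copy only in the cwd loses to System32 under SafeDllSearchMode...
        "cwd_safe": resolve_dll("helper.dll", planted_in_cwd, *args),
        # ...but wins when SafeDllSearchMode is disabled.
        "cwd_unsafe": resolve_dll("helper.dll", planted_in_cwd, *args,
                                  safe_search=False),
        # A DLL present nowhere but on PATH is loaded from there, last.
        "path_only": resolve_dll("plugin.dll", BASE_FS, *args),
        # Nothing anywhere: LoadLibrary fails.
        "missing": resolve_dll("nothere.dll", BASE_FS, *args),
    }


if __name__ == "__main__":
    for case, path in demo().items():
        print(f"{case:20s} -> {path}")
```

<p>
	The model covers only the default search order (with and without SafeDllSearchMode) and the KnownDLLs redirect. A program that loads its libraries by full path, calls SetDllDirectory or AddDllDirectory, passes the LOAD_LIBRARY_SEARCH_* flags, or ships a manifest with redirected dependencies changes the order and may not be hijackable this way, which is one reason a given sample's exploitability has to be checked per build. Running the block prints the path each request would resolve to.
</p>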

<p>
	 
</p>

<p>
	For vulnerable ransomware samples from Conti, REvil, LockBit, Black Basta, LockiLocker, and AvosLocker, the researcher says that their exploit allows executing code to “control and terminate the malware pre-encryption.”
</p>

<p>
	 
</p>

<p>
	To leverage the vulnerabilities in the malware from the above gangs, the researcher created exploit code that needs to be compiled into a DLL with a specific name, so that the malware treats it as one of its own dependencies and loads it on its way to encrypting the data.
</p>

<p>
	 
</p>

<p>
	Below is a video of the researcher exploiting a DLL hijacking vulnerability in REvil ransomware to terminate the malware before the encryption process begins.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedVideo" contenteditable="false">
	<div>
		<iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen="" frameborder="0" height="113" src="https://nsaneforums.com/applications/core/interface/index.html" width="200" data-embed-src="https://www.youtube.com/embed/Sb2fKCOSoew?feature=oembed"></iframe>
	</div>
</div>

<p>
	 
</p>

<p>
	To defend against these ransomware families, hyp3rlinx says that the DLL can be placed in a location where cybercriminals are likely to run their ransomware, such as a network location with important data.
</p>

<p>
	 
</p>

<p>
	Once the exploit DLL is loaded, the ransomware process should terminate before starting the data encryption operation.
</p>

<p>
	 
</p>

<p>
	The researcher notes that while malware can terminate security solutions on the compromised machine, it can’t do anything against DLLs since they are just files stored on the host’s disk, inert until loaded.
</p>

<p>
	 
</p>

<p>
	It is unclear which versions of the ransomware hyp3rlinx found to be vulnerable to DLL hijacking.
</p>

<p>
	 
</p>

<p>
	If the samples are new, it is likely that the exploit will work only for a short time because ransomware gangs are quick to fix bugs, especially when they hit the public space.
</p>

<p>
	 
</p>

<p>
	Even if these findings prove to be viable for a while longer, companies targeted by ransomware gangs still run the risk of having important files stolen and leaked, as exfiltration to pressure the victim into paying a ransom is part of these threat actors' modus operandi.
</p>

<p>
	 
</p>

<p>
	However, hyp3rlinx's exploits could prove useful at least to prevent operational disruption, which can cause significant damage.
</p>

<h3>
	More vulnerable malware
</h3>

<p>
	hyp3rlinx tracks their work under the <a href="https://www.malvuln.com/" rel="external nofollow" target="_blank">Malvuln project</a>, which focuses on finding vulnerabilities in various malware pieces, from trojans and backdoors to spyware and infostealers.
</p>

<p>
	 
</p>

<p>
	The latest report from the researcher on vulnerabilities in malware is for <a href="https://www.malvuln.com/advisory/0adb0e2ac8aa969fb088ee95c4a91536.txt" rel="external nofollow" target="_blank">RedLine</a>, an information stealer that has become widely popular on hacker forums.
</p>

<p>
	 
</p>

<p>
	It collects sensitive information such as logins from web browsers, messaging platforms (Telegram, Discord), FTP clients, and Steam, and it also targets cryptocurrency wallets.
</p>

<p>
	 
</p>

<p>
	Here are the vulnerability reports for the analyzed ransomware samples: <a href="https://www.malvuln.com/advisory/9eb9197cd58f4417a27621c4e1b25a71.txt" rel="external nofollow" target="_blank">Conti</a>, <a href="https://www.malvuln.com/advisory/7d7ee58c2696794b3be958b165eb61a9.txt" rel="external nofollow" target="_blank">REvil</a>, <a href="https://www.malvuln.com/advisory/96de05212b30ec85d4cf03386c1b84af.txt" rel="external nofollow" target="_blank">LockBit</a>, <a href="https://www.malvuln.com/advisory/998022b70d83c6de68e5bdf94e0f8d71.txt" rel="external nofollow" target="_blank">Black Basta</a>, <a href="https://www.malvuln.com/advisory/2ffc2446a2a6cf04c06a85deb43b9fb8.txt" rel="external nofollow" target="_blank">LockiLocker</a>, and <a href="https://www.malvuln.com/advisory/40f2238875fcbd2a92cfefc4846a15a8.txt" rel="external nofollow" target="_blank">AvosLocker</a>.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/conti-revil-lockbit-ransomware-bugs-exploited-to-block-encryption/" rel="external nofollow">Conti, REvil, LockBit ransomware bugs exploited to block encryption</a>
</p>
]]></description><guid isPermaLink="false">5611</guid><pubDate>Tue, 03 May 2022 22:24:08 +0000</pubDate></item></channel></rss>
