The threat actors are using the IcedID malware as one of their initial access vectors, which deploys Cobalt Strike for remote access and leads to data theft and encryption using Quantum Locker.

The technical details of a Quantum ransomware attack were analyzed by security researchers at The DFIR Report, who says the attack lasted only 3 hours and 44 minutes from initial infection to the completion of encrypting devices.

Using IcedID as initial access

The attack seen by The DFIR Report used the IcedID malware as the initial access to the target's machine, which they believe arrived via a phishing email containing an ISO file attachment.

IcedID is a modular banking trojan used for the past five years, primarily for second-stage payload deployment, loaders, and ransomware.

The combination of IcedID and ISO archives has been used in other attacks recently, as these files are excellent for passing through email security controls.

Two hours after the initial infection, the threat actors inject Cobalt Strike into a C:\Windows\SysWOW64\cmd.exe process to evade detection.

At this phase, the intruders stole Windows domain credentials by dumping the memory of LSASS, which allowed them to spread laterally through the network.

"For the next hour, the threat actor proceeded to make RDP connections to other servers in the environment," details DFIR in the report.

"Once the threat actor had a handle on the layout of the domain, they prepared to deploy the ransomware by copying the ransomware (named ttsel.exe) to each host through the C$ share folder."

Eventually, the threat actors used WMI and PsExec to deploy the Quantum ransomware payload and encrypt devices.

This attack only took four hours, which is quite fast, and as these attacks commonly occur late at night or over the weekend, it does not provide a large window for network and security admins to detect and respond to the attack.

For more details about the TTPs used by Quantum Locker, The DFIR Report has provided an extensive list of indicators of compromise as well as C2 addresses that IcedID and Cobalt Strike connected to for communication.

Who is Quantum Locker?

The Quantum Locker ransomware is a rebrand of the MountLocker ransomware operation, which launched in September 2020.

Since then, the ransomware gang has rebranded its operation to various names, including AstroLocker, XingLocker, and now in its current phase, Quantum Locker.

The rebrand to Quantum occurred in August 2021, when the ransomware encryptor began appending the .quantum file extension to encrypted file names and dropping ransom notes named README_TO_DECRYPT.html.

These notes include a link to a Tor ransom negotiation site and a unique ID associated with the victim. The ransom notes also state that data was stolen during the attack, which the attackers threaten to publish if a ransom is not paid.

While The DFIR Report states that they saw no data exfiltration activity in the attack they analyzed, BleepingComputer has confirmed in the past that they do steal data during attacks and leak it in double-extortion schemes.

The ransom demands for this gang vary depending on the victim, with some attacks demanding $150,000 to receive a decryptor, while others seen by BleepingComputer are multi-million dollar demands, as shown below.

Thankfully, Quantum Locker is not a very active operation like its previous incarnations, with only a handful of attacks each month.

However, while they may not be as active as other ransomware operations, such as Conti, LockBit, and AVOS, they are still a significant risk and it is important for network defenders to be aware of the TTPs related to their attacks.

Quantum ransomware seen deployed in rapid network attacks

The researchers analyzed data from over 200 billion daily transactions and 150 million daily blocked attacks, and released the findings in the 2022 ThreatLabz Phishing Report.

The report, which is available here for download after filling out a form, identifies key phishing trends and targets of 2021 and includes predictions for the years 2022 and 2023.

Phishing continues to be a major cyber threat

Phishing continues to be a dominant threat in the world, but it is evolving. The research team noticed a 29% increase of phishing attacks in 2021. It attributes the increase to several factors: from the low level barrier to running phishing campaigns to improved security systems that organizations and home users implement to protect against malware and other forms of malicious attacks.

Social engineering attacks are on the rise, as these are harder to detect and stop according to the researchers.

Another factor that plays a role in the rise of phishing attacks is automation and toolkits that attackers may use. Ready-made phishing kits do not require Deep technical know-how and include "everything
required to wage an effective low effort email or web-based phishing attack".

Phishing continues to be a global issue. While the United States continues to be the country that is targeted the most globally, with more than 60% of all blocked phishing attacks by Zscaler's Security Cloud, it is not the only country that is suffering from these attacks. Placed next in the ranking are Singapore, Germany, the Netherlands, the United Kingdom, Russian Federation, France, China, Hungary and Ireland.

Zscaler's system reported an increase in phishing attacks in 2021 for most countries in the top 10. Five countries saw an increase of over 100% each, with Singapore (829%) and Russian Federation (799%) leading the chart. Most, with the exception of Germany (40%), the United States (7%) and the Netherlands (-38%) saw large increases.

Via Zscaler

Phishing attacks target all industry sectors, but retail and wholesale, manufacturing, and services are targeted the most. Attacks on retail and wholesale targets saw an increase by 436% according to the report. Finance, government and all unspecified sectors saw increases by over 100% as well.

Attacks against these sectors capitalized on the worldwide pandemic and the consumer push to buying goods online.

Several industries saw a decline in phishing attacks in 2021. Zscaler's research term lists technology and communication, services and healthcare as the three sectors with reduced attacks.

Microsoft, Illegal Streaming and Covid-19 most targeted

Via Zscaler

More than 30% of all phishing attacks imitated Microsoft in 2021, 13.6% imitated illegal streaming sites, and 7.2% imitated Covid-19 sites. Illegal streaming phishing spiked during large sporting events, including the Tokyo Olympics in 2021. Covid-19 phishing emerged in 2020, the year the Covid Pandemic started, and continued to be a major threat in 2021.

The researchers provide no explanation for Microsoft's large percentage, but explain that Covid-19 and illegal streaming phishing attacks have "lower barriers" than phishing attacks that imitate established brands. Consumers have little or no expectation how Covid-19 or illegal streaming sites should look like or how they are accessed. The use of new domain names does not raise the same level of concern as the use of new domains for established brands.

Two additional Microsoft services are listed separately in the top 20 listing. Microsoft's file synchronization and hosting service OneDrive is placed sixth with a total of 3.6%, and Microsoft 365 is placed twelfths with 1.6% of attacks. Microsoft products make up more than a third of all attacks according to the chart. Telegram, Amazon, PayPal, Binance and Google are also included in the listing.

Evolving Phishing trends

Zscaler's research term saw increasing uses of safe domains and trusted platforms in phishing attacks. Threat actors use different methods to run their attacks. Advertising, the using of share sites like Evernote or Dropbox, and the posting of messages on forums, marketplaces or web blogs, are commonly used in attacks.

The list of top referring sites include google.com, adobe.com, evernote.com, luxherald.com, or googlesyndication.com.

Threat actors use different infrastructures to host phishing sites. More than 50% of all phishing sites use web hosting providers to blend in with legitimate sites, especially if IP addresses are shared between sites at the hoster.

Phishing as a Service got more traction in 2021. The use of phishing kits and open source tools has increased, and groups have been created that produce and update phishing toolkits. Attackers purchase toolkits to reduce costs and the time it takes to run phishing campaigns.

Besides requiring less technical knowledge to run, phishing toolkits include "sophisticated templates" that "have broadly eliminated the characteristic typos, spelling errors, bad grammar, and unsigned certificates previously relied on to identify phishing scams".

Smishing, SMS Phishing, is another evolving trend. While it is been around since 2006 at the very least, smishing has seen a 700% increase in the first quarters of 2021 alone according to one report. One explanation for the increase in smishing attacks is that the attack type is not as widely known as email phishing. While computer users may be aware of email phishing, they may be less aware of other types of phishing, include SMS phishing. Another reason for the increase is, that it may be more difficult to verify the sender and loaded websites in mobile web browsers. Covic-19 scams and crypto-related phishing is also evolving.

Best practices to improve phishing defenses

Phishing attacks will continue to be a major threat in 2022 and beyond. The training of employees may reduce the likelihood of successful attacks against an organization's infrastructure. A 2020 study by Stanford University reported that almost 88% of all data breaches were caused by human error.  End user awareness training is critical, according to Zscaler's report.

Organizations may implement technical defenses and policies to protect infrastructure and data against successful phishing attacks. Up to date antivirus software and advanced threat protection services, regular patching, email scanning, and encrypted traffic inspections are useful specifically.

The use of multi-factor authentication will stop most phishing attacks, as attackers can't use a user's username and password alone to sign-in to systems. The second layer of verification, which may be provided by an application or hardware gadget, blocks entry to systems. (via Born)

Phishing Attacks grew by 29% in 2021 overall. Smishing is on the rise

The EU has agreed on another ambitious piece of legislation to police the online world.

Early Saturday morning after hours of negotiations, the bloc agreed on the broad terms of the Digital Services Act, or DSA, which will force tech companies to take greater responsibility for content that appears on their platforms. New obligations include removing illegal content and goods more quickly, explaining to users and researchers how their algorithms work, and taking stricter action on the spread of misinformation. Companies face fines of up to six percent of their annual turnover for non-compliance.

“The DSA will upgrade the ground-rules for all online services in the EU,” said European Commission President Ursula von der Leyen in a statement. “It gives practical effect to the principle that what is illegal offline, should be illegal online. The greater the size, the greater the responsibilities of online platforms.”

Margrethe Vestager, the European Commissioner for Competition who has spearheaded much of the bloc’s tech regulation, said the act would “ensure that platforms are held accountable for the risks their services can pose to society and citizens.”

The DSA shouldn’t be confused with the DMA or Digital Markets Act, which was agreed upon in March. Both acts affect the tech world, but the DMA focuses on creating a level playing field between businesses, while the DSA deals with how companies police content on their platforms. The DSA will therefore likely have a more immediate impact on internet users.

Although the legislation only applies to EU citizens, the effect of these laws will certainly be felt in other parts of the world, too. Global tech companies may decide it is more cost-effective to implement a single strategy to police content and take the EU’s comparatively stringent regulations as their benchmark. While lawmakers in the US keen to rein in Big Tech with their own regulations have already begun looking to the EU’s rules for inspiration.

The final text of the DSA has yet to be released, but the European Parliament and European Commission have detailed a number of obligations it will contain:

• Targeted advertising based on an individuals’ religion, sexual orientation, or ethnicity is banned. Minors cannot be subject to targeted advertising either.
• “Dark patterns” — confusing or deceptive user interfaces designed to steer users into making certain choices — will be prohibited. The EU says that, as a rule, cancelling subscriptions should be as easy as signing up for them.
• Large online platforms like Facebook will have to make the working of their recommender algorithms (e.g. used for sorting content on the News Feed or suggesting TV shows on Netflix) transparent to users. Users should also be offered a recommender system “not based on profiling.” In the case of Instagram, for example, this would mean a chronological feed (as it introduced recently).
• Hosting services and online platforms will have to explain clearly why they have removed illegal content, as well as give users the ability to appeal such takedowns. The DSA itself does not define what content is illegal, though, and leaves this up to individual countries.
• The largest online platforms will have to provide key data to researchers to “provide more insight into how online risks evolve.”
• Online marketplaces must keep basic information about traders on their platform to track down individuals selling illegal goods or services.
• Large platforms will also have to introduce new strategies for dealing with misinformation during crises (a provision inspired by the recent invasion of Ukraine).

The DSA will, like the DMA, distinguish between tech companies of different sizes, placing greater obligations on bigger companies. The largest firm — those with at least 45 million users in the EU, like Meta and Google — will face the most scrutiny. These tech companies have lobbied hard to water down the requirements in the DSA, particularly those concerning targeted advertising and handing over data to outside researchers.

Although the broad terms of the DSA have now been agreed upon by the member states of the EU, the legal language still needs to be finalized and the act officially voted into law. This last step is seen as a formality at this point, though. The rules will apply to all companies 15 months after the act is voted into law, or from 1 January 2024, whichever is later.

Google, Meta, and others will have to explain their algorithms under new EU legislation

EU’s Digital Services Act seeks to bring greater transparency about the algorithms that govern the majority of content served to social media users. Specifically speaking, the new law effectively bans ads that target individuals based on their religion, sexual orientation, ethnicity, or political affiliation. Moreover, no internet company will be allowed to serve targeted ads to minors.

Speaking about algorithms, the Digital Services Act will seek information and clarity about the processes used to display content to users. Additionally, social media companies will need to offer alternative systems that are not based on profiling. In other words, platforms would need to offer chronological feeds instead of content that is arranged by optimization algorithms aiming to boost engagement and drive-up ad exposure.

Speaking about the Digital Services Act, European Commission President Ursula von der Leyen said:

Today's agreement on the Digital Services Act is historic, both in terms of speed and of substance. It will ensure that the online environment remains a safe space, safeguarding freedom of expression and opportunities for digital businesses. It gives practical effect to the principle that what is illegal offline, should be illegal online.

Internet companies found violating the rules and regulations stipulated within the Digital Services Act could be fined up to six percent of their global turnover. Repeat offenders, or those companies that attempt to flout the guidelines, could also invite a temporary or permanent ban from operating or offering services within the EU.

Any company that has at least 45 million users in the EU will be required to comply with the Digital Services Act. Needless to add, aside from Google and Meta; Apple, Microsoft, Amazon, and Spotify too would have to comply with the new laws.

EU Digital Services Act tries to block profiling for targeted ads and seeks transparency

Hackers are exploiting 0-days more than ever

DHS awarded a total of $125,600 to over 450 vetted security researchers and ethical hackers, with rewards of up to $5,000 per bug, depending on the flaw's severity.

"The enthusiastic participation by the security researcher community during the first phase of Hack DHS enabled us to find and remediate critical vulnerabilities before they could be exploited," said DHS Chief Information Officer Eric Hysen.

"We look forward to further strengthening our relationship with the researcher community as Hack DHS progresses."

The 'Hack DHS' program builds upon the experience of similar efforts across the US federal government (e.g., the 'Hack the Pentagon' program) and the private sector.

DHS launched its first bug bounty pilot program in 2019, two years before 'Hack DHS,' after the SECURE Technology Act was signed into law, requiring the establishment of a security vulnerability disclosure policy and a bounty program.

Launched to develop a model for other govt organizations

The 'Hack DHS' bug bounty program was announced in December 2021. It requires the hackers to disclose their findings together with detailed information on the vulnerability, how it can be exploited, and how it can be used to gain access to data DHS systems.

All reported security flaws are then verified by DHS security experts within 48 hours and are fixed in 15 days or more, depending on the bug's complexity.

One week after the launch, the DHS expanded the scope of the 'Hack DHS' bounty program to allow researchers to track down DHS systems impacted by Log4j-related vulnerabilities.

The decision to expand the program came on the heels of a CISA emergency directive ordering Federal Civilian Executive Branch agencies to patch their systems against the critical Log4Shell bug until December 23.

"Organizations of every size and across every sector, including federal agencies like the Department of Homeland Security, must remain vigilant and take steps to increase their cybersecurity," added Secretary of Homeland Security Alejandro N. Mayorkas.

"Hack DHS underscores our Department's commitment to lead by example and protect our nation's networks and infrastructure from evolving cybersecurity threats."

'Hack DHS' bug hunters find 122 security flaws in DHS systems

LAPSUS$ is known for stealing data and then demanding a ransom not to publish or sell it. But the leaked chats indicate this mercenary activity was of little interest to the tyrannical teenage leader of LAPSUS$, whose obsession with stealing and leaking proprietary computer source code from the world’s largest tech companies ultimately led to the group’s undoing.

From its inception in December 2021 until its implosion late last month, LAPSUS$ operated openly on its Telegram chat channel, which quickly grew to more than 40,000 followers after the group started using it to leak huge volumes of sensitive data stolen from victim corporations.

But LAPSUS$ also used private Telegram channels that were restricted to the core seven members of the group. KrebsOnSecurity recently received a week’s worth of these private conversations between LAPSUS$ members as they plotted their final attacks late last month.

The candid conversations show LAPSUS$ frequently obtained the initial access to targeted organizations by purchasing it from sites like Russian Market, which sell access to remotely compromised systems, as well as any credentials stored on those systems.

The logs indicate LAPSUS$ had exactly zero problems buying, stealing or sweet-talking their way into employee accounts at companies they wanted to hack. The bigger challenge for LAPSUS$ was the subject mentioned by “Lapsus Jobs” in the screenshot above: Device enrollment. In most cases, this involved social engineering employees at the targeted firm into adding one of their computers or mobiles to the list of devices allowed to authenticate with the company’s virtual private network (VPN).

The messages show LAPSUS$ members continuously targeted T-Mobile employees, whose access to internal company tools could give them everything they needed to conduct hassle-free “SIM swaps” — reassigning a target’s mobile phone number to a device they controlled. These unauthorized sim swaps allow an attacker to intercept a target’s text messages and phone calls, including any links sent via SMS for password resets, or one-time codes sent for multi-factor authentication.

The LAPSUS$ group had a laugh at this screenshot posted by their leader, White, which shows him reading a T-Mobile news alert about their hack into Samsung. White is viewing the page via a T-Mobile employee’s virtual machine.

In one chat, the LAPSUS$ leader — 17-year-old from the U.K. who goes by the nicknames “White,” “WhiteDoxbin” and “Oklaqq” — is sharing his screen with another LAPSUS$ member who used the handles “Amtrak” and “Asyntax.”

The two were exploring T-Mobile’s internal systems, and Amtrak asked White to obscure the T-Mobile logo on his screen. In these chats, the user “Lapsus Jobs” is White. Amtrak explains this odd request by saying their parents are aware Amtrak was previously involved in SIM swapping.

“Parents know I simswap,” Amtrak said. “So, if they see [that] they think I’m hacking.”

The messages reveal that each time LAPSUS$ was cut off from a T-Mobile employee’s account — either because the employee tried to log in or change their password — they would just find or buy another set of T-Mobile VPN credentials. T-Mobile currently has approximately 75,000 employees worldwide.

On March 19, 2022, the logs and accompanying screenshots show LAPSUS$ had gained access to Atlas, a powerful internal T-Mobile tool for managing customer accounts.

LAPSUS$ leader White/Lapsus Jobs looking up the Department of Defense in T-Mobile’s internal Atlas system.

 

After gaining access to Atlas, White proceeded to look up T-Mobile accounts associated with the FBI and Department of Defense (see image above). Fortunately, those accounts were listed as requiring additional verification procedures before any changes could be processed.

Faced with increasingly vocal pleadings from other LAPSUS$ members not to burn their access to Atlas and other tools by trying to SIM swap government accounts, White unilaterally decided to terminate the VPN connection permitting access to T-Mobile’s network.

The other LAPSUS$ members desperately wanted to SIM swap some wealthy targets for money. Amtrak throws a fit, saying “I worked really hard for this!” White calls the Atlas access trash and then kills the VPN connection anyway, saying he wanted to focus on using their illicit T-Mobile access to steal source code.

A screenshot taken by LAPSUS$ inside T-Mobile’s source code repository at Bitbucket.

 

Perhaps to mollify his furious teammates, White changed the subject and told them he’d gained access to T-Mobile’s Slack and Bitbucket accounts. He said he’d figured out how to upload files to the virtual machine he had access to at T-Mobile.

Roughly 12 hours later, White posts a screenshot in their private chat showing his automated script had downloaded more than 30,000 source code repositories from T-Mobile.

White showing a screenshot of a script that he said downloaded all available T-Mobile source code.

 

In response to questions from KrebsOnSecurity, T-Mobile issued the following statement:

“Several weeks ago, our monitoring tools detected a bad actor using stolen credentials to access internal systems that house operational tools software. The systems accessed contained no customer or government information or other similarly sensitive information, and we have no evidence that the intruder was able to obtain anything of value. Our systems and processes worked as designed, the intrusion was rapidly shut down and closed off, and the compromised credentials used were rendered obsolete.”

CONSIDER THE SOURCE

It is not clear why LAPSUS$ was so fixated on stealing source code. Perhaps LAPSUS$ thought they could find in the source clues about security weaknesses that could be used to further hack these companies and their customers. Maybe the group already had buyers lined up for specific source code that they were then hired to procure. Or maybe it was all one big Capture the Flag competition, with source code being the flag. The leaked chats don’t exactly explain this fixation.

But it seems likely that the group routinely tried to steal and then delete any source code it could find on victim systems. That way, it could turn around and demand a payment to restore the deleted data.

In one conversation in late March, a LAPSUS$ member posts screenshots and other data indicating they’d gained remote administrative access to a multi-billion dollar company. But White is seemingly unimpressed, dismissing the illicit access as not worth the group’s time because there was no source code to be had.

LAPSUS$ first surfaced in December 2021, when it hacked into Brazil’s Ministry of Health and deleted more than 50 terabytes of data stored on the ministry’s hacked servers. The deleted data included information related to the ministry’s efforts to track and fight the COVID-19 pandemic in Brazil, which has suffered a disproportionate 13 percent of the world’s COVID-19 fatalities. LAPSUS$’s next 15 victims were based either in Latin America or Portugal, according to cyber threat intelligence firm Flashpoint.

By February 2022, LAPSUS$ had pivoted to targeting high-tech firms based in the United States. On Feb. 26, LAPSUS$ broke into graphics and computing chip maker NVIDIA. The group said it stole more than a terabyte of NVIDIA data, including source code and employee credentials.

Dan Goodin at Ars Technica wrote about LAPSUS$’s unusual extortion demand against NVIDIA: The group pledged to publish the stolen code unless NVIDIA agreed to make the drivers for its video cards open-source. According to these chats, NVIDIA responded by connecting to the computer the attackers were using, and then encrypting the stolen data.

Like many high-tech firms whose value is closely tied to their intellectual property, NVIDIA relies on a number of technologies designed to prevent data leaks or theft. According to LAPSUS$, among those is a requirement that only devices which have been approved or issued by the company can be used to access its virtual private network (VPN).

These so-called Mobile Device Management (MDM) systems retrieve information about the underlying hardware and software powering the system requesting access, and then relay that information along with any login credentials.

In a typical MDM setup, a company will issue employees a laptop or smartphone that has been pre-programmed with a data profile, VPN and other software that allows the employer to track, monitor, troubleshoot or even wipe device data in the event of theft, loss, or a detected breach.

MDM tools also can be used to encrypt or retrieve data from connected systems, and this was purportedly the functionality NVIDIA used to claw back the information stolen by LAPSUS$.

“Access to NVIDIA employee VPN requires the PC to be enrolled in MDM,” LAPSUS$ wrote in a post on their public Telegram channel. “With this they were able to connect to a [virtual machine] that we use. Yes, they successfully encrypted the data. However, we have a backup and it’s safe from scum!!!”

NVIDIA declined to comment for this story.

On March 7, consumer electronics giant Samsung confirmed what LAPSUS$ had bragged on its Telegram channel: That the group had stolen and leaked nearly 200 GB of source code and other internal company data.

The chats reveal that LAPSUS$ stole a great deal more source code than they bragged about online. One of White’s curious fascinations was SASCAR, Brazil’s leading fleet management and freight security company. White had bought and talked his way into SASCAR’s systems, and had stolen many gigabytes worth of source code for the company’s fleet tracking software.

It was bad enough that LAPSUS$ had just relieved this company of valuable intellectual property: The chats show that for several days White taunted SASCAR employees who were responding to the then-unfolding breach, at first by defacing the company’s website with porn.

The messages show White maintained access to the company’s internal systems for at least 24 hours after that, even sitting in on the company’s incident response communications where the security team discussed how to evict their tormentors.

SASCAR is owned by tire industry giant Michelin, which did not respond to requests for comment.

ENROLLMENT

The leaked LAPSUS$ internal chats show the group spent a great deal of time trying to bypass multi-factor authentication for the credentials they’d stolen. By the time these leaked chat logs were recorded, LAPSUS$ had spent days relentlessly picking on another target that relied on MDM to restrict employee logins: Iqor, a customer support outsourcing company based in St. Petersburg, Fla.

LAPSUS$ apparently had no trouble using Russian Market to purchase access to Iqor employee systems. “I will buy login when on sale, Russians stock it every 3-4 days,” Amtrak wrote regarding Iqor credentials for sale in the bot shops.

The real trouble for LAPSUS$ came when the group tried to evade Iqor’s MDM systems by social engineering Iqor employees into removing multi-factor authentication on Iqor accounts they’d purchased previously. The chats show that time and again Iqor’s employees simply refused requests to modify multi-factor authentication settings on the targeted accounts, or make any changes unless the requests were coming from authorized devices.

One of several IQOR support engineers who told LAPSUS$ no over and over again.

 

After many days of trying, LAPSUS$ ultimately gave up on Iqor. On Mar. 22, LAPSUS$ announced it hacked Microsoft, and began leaking 37 gigabytes worth of Microsoft source code.

Like NVIDIA, Microsoft was able to stanch some of the bleeding, cutting off LAPSUS$’s illicit access while the group was in the process of downloading all of the available source code repositories alphabetically (the group publicized their access to Microsoft at the same time they were downloading the software giant’s source code). As a result, LAPSUS$ was only able to leak the source for Microsoft products at the beginning of the code repository, including Azure, Bing and Cortana.

BETRAYAL

LAPSUS$ leader White drew attention to himself prior to the creation of LAPSUS$ last year when he purchased a website called Doxbin, a long-running and highly toxic online community that is used to “dox” or post deeply personal information on people.

Based on the feedback posted by Doxbin members, White was not a particularly attentive administrator. Longtime members soon took to harassing him about various components of the site falling into disrepair. That pestering eventually prompted White to sell Doxbin back to its previous owner at a considerable loss. But before doing so, White leaked the Doxbin user database.

White’s leak triggered a swift counterpunch from Doxbin’s staff, which naturally responded by posting on White perhaps the most thorough dox the forum had ever produced — including videos filmed just outside his home where he lives with his parents in the United Kingdom.

The past and current owner of the Doxbin — an established cybercriminal who goes by the handle “KT” — is the same person who leaked these private LAPSUS$ Telegram chat logs to KrebsOnSecurity.

In early April, multiple news outlets reported that U.K. police had arrested seven people aged 15-21 in connection with the LAPSUS$ investigation. But it seems clear from reading these leaked Telegram chats that individual members of LAPSUS$ were detained and questioned at different times over the course of several months.

In his chats with other LAPSUS$ members during the last week in March, White maintained that he was arrested 1-2 months prior in connection with an intrusion against a victim referred to only by the initials “BT.” White also appeared unconcerned when Amtrak admits that the City of London police found LAPSUS$ Telegram chat conversations on his mobile phone.

Perhaps to demonstrate his indifference (or maybe just to screw with Amtrak), White responds by leaking Amtrak’s real name and phone number to the group’s public Telegram channel. In an ALL CAPS invective of disbelief at the sudden betrayal, Amtrak relates how various people started calling their home and threatening their parents as a result, and how White effectively outed them to law enforcement and the rest of the world as a LAPSUS$ member.

The vast majority of noteworthy activity documented in these private chats takes place between White and Amtrak, but it doesn’t seem that White counted Amtrak or any of his fellow LAPSUS$ members as friends or confidants. On the contrary, White generally behaved horribly toward everyone in the group, and he particularly seemed to enjoy abusing Amtrak (who somehow always came back for more).

“Mox,” one of the LAPSUS$ members who shows up throughout these leaked chats, helped the group in their unsuccessful attempts to enroll their mobile devices with an airline in the Middle East to which they had purchased access. Audio recordings leaked from the group’s private Telegram channel include a call wherein Mox can be heard speaking fluently in Arabic and impersonating an airline employee.

At one point, Mox’s first name briefly shows up in a video he made and shared with the group, and Mox mentions that he lives in the United States. White then begins trying to find and leak Mox’s real-life identity.

When Mox declares he’s so scared he wants to delete his iCloud account, White suggests he can get Mox’s real name, precise location and other information by making a fraudulent “emergency data request” (EDR) to Apple, in which they use a hacked police department email account to request emergency access to subscriber information under the claim that the request can’t wait for a warrant because someone’s life is on the line.

White was no stranger to fake EDRs. White was a founding member of a cybercriminal group called “Recursion Team,” which existed between 2020 and 2021. This group mostly specialized in SIM swapping targets of interest and participating in “swatting” attacks, wherein fake bomb threats, hostage situations and other violent scenarios are phoned in to police as part of a scheme to trick them into visiting potentially deadly force on a target’s address.

The roster of the now-defunct “Infinity Recursion” hacking team, from which some members of LAPSUS$ hail.

 

The Recursion Team was founded by a then 14-year-old from the United Kingdom who used the handle “Everlynn.” On April 5, 2021, Everlynn posted a new sales thread to the cybercrime forum cracked[.]to titled, “Warrant/subpoena service (get law enforcement data from any service).” The price: $100 to $250 per request.

Everlynn advertising a warrant/subpoena service based on fake EDRs.

 

Bringing this full circle, it appears Amtrak/Asyntax is the same person as Everlynn. As part of the Recursion Team, White used the alias “Peter.” Several LAPSUS$ members quizzed White and Amtrak about whether authorities asked about Recursion Team during questioning. In several discussion threads, White’s “Lapsus Jobs” alias on Telegram answers “yes?” or “I’m here” when another member addresses him by Peter.

White dismissed his public doxing of both Amtrak and Mox as their fault for being sloppy with operational security, or by claiming that everyone already knew their real identities. Incredibly, just a few minutes after doxing Amtrak, White nonchalantly asks them for help in stealing source code from yet another victim firm — as if nothing had just happened between them. Amtrak seems soothed by this invitation, and agrees to help.

On Mar. 30, software consultancy giant Globant was forced to acknowledge a hack after LAPSUS$ published 70 gigabytes of data stolen from the company, including customers’ source code. While the Globant hack has been widely reported for weeks, the cause of the breach remained hidden in these chat logs: A stolen five-year-old access token for Globant’s network that still worked.

LAPSUS$ members marvel at a 5-year-old stolen authentication cookie still working when they use it against Globant to steal source code.

 

Globant lists a number of high-profile customers on its website, including the U.K. Metropolitan Police, software house Autodesk and gaming giant Electronic Arts. In March, KrebsOnSecurity showed how White was connected to the theft of 780 GB worth of source code from Electronic Arts last summer.

In that attack, the intruders reportedly gained access to EA’s data after purchasing authentication cookies for an EA Slack channel from the dark web marketplace “Genesis,” which offers more or less the same wares as the Russian Market.

One remarkable aspect of LAPSUS$ was that its members apparently decided not to personally download or store any data they stole from companies they hacked. They were all so paranoid of police raiding their homes that they assiduously kept everything “in the cloud.” That way, when investigators searched their devices, they would find no traces of the stolen information.

But this strategy ultimately backfired: Shortly before the private LAPSUS$ chat was terminated, the group learned it had just lost access to the Amazon AWS server it was using to store months of source code booty and other stolen data.

“RIP FBI seized my server,” Amtrak wrote. “So much illegal shit. It’s filled with illegal shit.”

White shrugs it off with the dismissive comment, “U can’t do anything about ur server seized.” Then Amtrak replies that they never made a backup of the server.

“FFS, THAT AWS HAD TMO SRC [T-Mobile source] code!” White yelled back.

The two then make a mad scramble to hack back into T-Mobile and re-download the stolen source code. But that effort ultimately failed after T-Mobile’s systems revoked the access token they were using to raid the company’s source code stash.

“How they noticed?” Amtrak asked White.

“Gitlab auto-revoked, likely,” White replied. “Cloning 30k repos four times in 24 hours isn’t very normal.”

Ah, the irony of a criminal hacking group that specializes in stealing and deleting data having their stolen data deleted.

It’s remarkable how often LAPSUS$ was able to pay a few dollars to buy access to some hacked machine at a company they wanted to break into, and then successfully parlay that into the theft of source code and other sensitive information.

What’s even more remarkable is that anyone can access dark web bot shops like Russian Market and Genesis, which means larger companies probably should be paying someone to regularly scrape these criminal bot services, even buying back their own employee credentials to take those vulnerable systems off the market. Because that’s probably the simplest and cheapest incident response money can buy.

The Genesis bot shop.

 

Leaked Chats Show LAPSUS$ Stole T-Mobile Source Code

Right now, when you visit a Google-owned Internet site for the first time, you will see the before you continue cookie banner. The banner informs you about the use of cookies on the property. The classic banner has two buttons, one to customize the data collection and the "I agree" button.

Users who want to reduce the use of cookies and data collecting need to select the "customize" option to change the defaults. The "I agree" option gives Google full control over the collecting.

The customize page displays several options, including YouTube History, Search customization, or ad personalization, that can be turned on or off on the property.

Rolling out now in Europe is a new cookie banner that is giving users an easier option to block all cookies except necessary ones.

Google notes in the announcement that this is coming to Google Search and YouTube in Europe for visitors who are not signed-in to a Google account at the time or are in Incognito mode. The rollout has started in France and Google plans to bring the updated cookie banner to all member states of the European Economic Area, the United Kingdom and Switzerland soon (Google did not provide specifics).

The cookie overlay provides details on the use of cookies and the collection of data when users select the reject all or accept all buttons.

According to it, Google will use a base set of cookies and data regardless of the user choice. The data is used to "deliver and maintain Google services, "track outages and protect against spam, fraud and abuse", and to "measure audience engagement and site statistics".

The optional set of cookies and data is only used if the user selects "accept all" or keeps certain options on the customize page turned on. Users who select the new "reject all" button won't have these collected anymore:

• Develop and improve new services.
• Deliver and measure the effectiveness of ads.
• Show personalized content, depending on your settings.
• Show personalized ads, depending on your settings.

Closing Words

Some companies and organizations make it hard for users to reject all non-essential cookies. The introduction of an "reject all" option that is displayed as prominently as the "accept all" button is a step in the right direction.

Internet users have a number of options to deal with cookies and data collecting on their end. They may disable third-party cookies in their browsers, clear cookies regularly, use extensions to bypass and deny cookie prompts automatically, or use different services, e.g., Brave Search instead of Google Search, Invidious instead of Youtube. Extensions like Privacy Redirects help with that automatically.

Now You: how do you handle cookie and data collections on the Internet?

Google is rolling out new cookie popups with "reject all" option in Europe

ALAC is an audio coding format for lossless audio compression that Apple open-sourced in 2011. Since then, the company has been releasing updates to the format, including security fixes, but not every third-party vendor using the codec applies these fixes.

According to a report Check Point Research, this includes Qualcomm and MediaTek, two of the world's largest smartphone chip makers.

The sound of RCE

The analysts have not provided many details about the actual exploitation of the flaws yet but promised to do so at the upcoming CanSecWest in May 2022.

From the details available, the vulnerability enables a remote attacker to execute code on a target device by sending a maliciously crafted audio file and tricking the user into opening it. The researchers are calling this attack "ALHACK."

The impact of remote code execution attacks comes with severe implications, ranging from data breach, planting and executing malware, modifying device settings, accessing hardware components such as the microphone and camera, or account take over.

The ALAC flaws were fixed by MediaTek and Qualcomm in December 2021, and are tracked as CVE-2021-0674 (medium severity with a 5.5 score), CVE-2021-0675 (high severity with a 7.8 score), and CVE-2021-30351 (critical severity with a 9.8 score).

From the researchers analysis, the ALAC decoder implementations from Qualcomm and MediaTek suffer from possible out-of-bounds reads and writes, and improper validation of audio frames passed during music playback.

The possible consequences include information disclosure and elevation of privileges with no user interaction required.

BleepingComputer asked Qualcomm for a comment about the currennt risk for customers. A company spokesperson provided the statement below:

Providing technologies that support robust security and privacy is a priority for Qualcomm Technologies. We commend the security researchers from Check Point Technologies for using industry-standard coordinated disclosure practices. Regarding the ALAC audio decoder issue they disclosed, Qualcomm Technologies made patches available to device makers in October 2021. We encourage end users to update their devices as security updates have become available

The case with audio codec flaws

Fixes of remote code execution flaws in closed-source audio processing units are present almost in every monthly Android security update.

However, exploiting them is rarely trivial, and the component vendors provide few technical details to reduce exploitation risk.

For example, Android patches from April included nine fixes for critical vulnerabilities in closed-source components. One of them is CVE-2021-35104 (9.8 severity score) - a buffer overflow that led to improper parsing of headers while playing FLAC audio clips.

The bug affected chipsets present in almost the entire range of products Qualcomm released over in the past several years.

How to stay safe

The standard security advice applies here, too: keep your devices up to date, in this case it means running the Android patch level "December 2021" or later.

If the device no longer receives security updates from the vendor, installing a third-party Android distribution that still provides Android patches is valid option.

Finally, when receiving audio files from unknown or suspicious sources/users, it is best not to open them since they could trigger the vulnerability.

Critical bug in Android could allow access to users' media files

Microsoft Authenticator customers who use the Autofill feature (announced exactly one year ago) can now utilize the app to create hard-to-crack passwords when making accounts or changing passwords in browsers or apps. Authenticator lets you customize a password with upper or lowercase letters, numbers, special characters, and password lengths. You can save the password in Microsoft Authenticator right after generating it.

If you do not use Autofill, Microsoft Authenticator still lets you generate and save a reliable password. Open the app, switch to the password section, tap the button with three dots (iOS) or a plus icon (Android), and select "Password Generator" to create something slightly more complex than "pa$$word1."

Microsoft Authenticator is available on iOS and Android as a standalone app. Also, you can use a Chrome extension to sync passwords across devices and browsers (Edge syncs passwords natively). With the latest update, you can use Microsoft Authenticator on your mobile device to create, change, and auto-fill passwords in apps and websites. The app is available for free and does not require a Microsoft 365 subscription.

Autofill in Microsoft Authenticator now can generate strong passwords

It is unclear who is behind the new REvil-connected operation but the new leak site lists a large catalog of victims from past REvil attacks plus two new ones.

New RaaS in the making

A few days back, however, security researchers pancak3 and Soufiane Tahiri noticed the new REvil leak site being promoted on RuTOR, a forum marketplace that focuses on Russian-speaking regions.

The new site is hosted on a different domain but leads to the original one REvil used when active, BleepingComputer confirmed today, while the two researchers captured the redirect.

The leak site provides details on the conditions for affiliates, who allegedly get an improved version of REvil ransomware and an 80/20 split for affiliates collecting a ransom.

The site lists 26 pages of victims, most of them from old REvil attacks, and just the last two appear to be related to the new operation. One of them is Oil India.

Security researcher MalwareHunterTeam in January, a couple of weeks after 14 alleged members of the gang were arrested in Russia, said that starting mid-December last year they noticed activity from a new ransomware gang that was related to REvil, although no connection was evident.

The researcher later observed the current REvil-related leak site being up between April 5 and April 10 but with no content and it started to be populated about a week after.

Another observation from MalwareHunterTeam is that the source for the RSS feed shows the string Corp Leaks, which has been used by the now-defunct Nefilim ransomware gang [1, 2].

The blog and payment sites are up and running on different servers. Looking at the former, BleepingComputer noticed that the new ransomware operation's blog drops a cookie named DEADBEEF, a computer term that was used as a filemarker by the TeslaCrypt ransomware gang.

A connection to a ransomware threat actor is not possible at this time as samples of the new REvil-based payload have to be analyzed and whoever is behind the new leak site has not claimed any name or affiliation, yet.

While under control of the FBI in November 2021, REvil’s data leak and payment sites showed a page titled “REvil is bad” and a login form, initially via TOR gateways and at the .Onion location.

The mystery of the redirects, both recent and from last year, deepens, as this suggests that someone other than law enforcement, has access to the TOR private keys that allowed them to make changes for the .Onion site.

On a popular Russian-speaking hacker forum, users are speculating between the new operation being a scam, a honeypot, or a legit continuation of the old REvil business that lost its reputation and has a lot to do to earn it back.

REvil's fall

REvil ransomware had a long run that started in April 2019 as a continuation of the GandCrab operation, the first that established the ransomware-as-a-service (RaaS) model.

In August 2019 the gang hit multiple local administrations in Texas and demanded a collective ransom of $2.5 million - the highest at that time.

The group is responsible for the Kaseya supply-chain attack that affected about 1,500 businesses and also led to their demise last year as law enforcement around the world intensified their collaboration to bring the gang down.

Soon after hitting Kaseya, the gang took a two-month break not knowing that law enforcement agencies had breached their servers. When REvil restarted the operation, they restored systems from backups, oblivious of the compromise.

In mid-January, Russia announced that it shut down REvil after identifying all members of the gang and arresting 14 individuals.

In an interview with Rossiyskaya Gazeta, the Deputy Secretary of the Security Council of the Russian Federation, Oleg Khramov, said that the Russian law enforcement agency started its investigation into REvil from the name Puzyrevsky and an IP address transmitted by the United States as belonging to the group’s main hacker.

At the moment, the U.S. has stopped collaborating with Russia on cybersecurity threats - attacks on critical infrastructure in particular, as a direct result of Russia invading Ukraine.

REvil's TOR sites come alive to redirect to new ransomware operation

LinkedIn, if you don't change the settings, will email you anytime anyone you know sneezes in a professional context. And the only way to change this isn't exactly straightforward. Here's what I did:

1. Clicked my profile picture in the top right corner.
2. Figured out that the notification settings were hidden under "Communications."
3. Headed to the "Email" section.
4. Toggled my email settings on seven different categories of notifications, each with its own page containing 10-plus different subcategories of notifications.

Novelist Douglas Adams wrote about planning documents being "on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard.'" The joke was that while it was possible for a concerned citizen to read the documents, it wasn't exactly likely.

LinkedIn's email settings are the software equivalent of putting planning documents behind a sign labeled “Beware of the Leopard.” Most people aren't going to bother digging through the settings long enough to change these settings.

LinkedIn, I have to imagine, knows this—and is counting on it. The more email I get about LinkedIn, the more likely I am to develop a habit of checking the service.

This is the power of default settings. It allows tech companies to steer people toward behavior they want and still argue that they're “giving users the choice.” Which is why you should always be skeptical of the default settings.

In an age long since passed, the marketing departments at software companies were separate from the people making the software. That's not the case anymore, and the term "growth hacking" is a big reason why.

I won't go into a lot of detail on what this term means, because doing so would involve a lot of marketing jargon, and my burning hatred for said jargon could melt most moons (and the bulk of some planets). To summarize: “Growth hacking” is how software companies refer to “features” in a product that are primarily there to encourage growth.

So LinkedIn, by default, emails you about everything. This might benefit you a little—it keeps you informed about new messages—but that's not why they do it. LinkedIn could, after all, show you the content of the messages, but they don't—they just say you got a message. That's because they want you to click. You clicking makes their numbers go up.

Numbers going up is important. Numbers going up is the only thing that makes software companies feel good about themselves—or, if we're honest, feel much of anything—anymore. They need those numbers to go up, so you're going to get a bunch of emails.

I'm picking on LinkedIn a lot here, they deserve it. But this kind of invasive growth hacking via default settings is everywhere:

• Slack, by default, notifies you every time anyone posts anything in any channel you join. This likely gets people to look at Slack more often (while also making them crazy).
• Google Maps, by default, keeps track of every single place you go, regardless of whether you have Google Maps open.
• Facebook makes just about everything public by default.

I could go on. The point is that the companies in question have reasons for making these settings the default, and those reasons may or may not line up with your priorities and values. It's worth noticing these defaults—and questioning them.

Tech companies are betting a lot on you not bothering to change the default settings. My advice: Change them, or at least look at them so you know what's going on.

I love digging around in the settings for a new piece of software. This is mostly because I'm a huge nerd, but it's also because it's the best way to figure out what it is that a piece of software prioritizes—and how those priorities line up with what I care about.

I'd encourage you to develop this habit. When you try a new application, open up the settings. See how easy it is to configure things. Notice when it's unnecessarily complicated to change things. Try to spot any dark patterns. And, generally, think about why something is the default. Is it to benefit you—or the company?

You Should Always Question the Default Settings

(May require free registration to view)

Google claims that AMP is improving the user experience by improving the performance when loading AMP-powered webpages. The pages are served from Google servers, and Google uses preloading techniques and its own servers to serve AMP content. Pages that are loaded using AMP look as if they come from the publisher's website, but that is actually not the case.

In the past, we have highlighted several techniques to avoid AMP pages. Anti-AMP extensions are available for most browsers. Firefox users may check out Redirect AMP to HMTL, Chromium-browser users the version of the extension for their browser.

Brave Software highlights the following issues of Google's AMP technology:

• AMP is harmful to privacy -- AMP pages give Google more insights, as content is served from Google. Google penalizes publishers for not using AMP through decreased search visibility.
• AMP is bad for security -- AMP content is loaded from Google, but AMP makes it look like as if the content is coming directly from the publisher.
• AMP furthers the monopolization of the Web -- AMP content gives Google more control over the Web, using "arbitrary non-standards". Google controls the layout and technology that AMP pages use, and this benefits the company's core business, advertising.
• AMP is bad for performance and usability -- Google's claim that AMP-powered pages load faster is only true for the "median of performance". AMP pages may load slower than regular pages served from a publisher's website (which Google revealed to the DOJ).

Google is working on AMP 2.0 already, even though it is not called that by Google. The next version uses Signed Exchange and WebBundle technologies, proposed by Google, and will result in "more of the Web to be served from Google's servers" and "give users less control over how they interact with that content" according to Brave.

Brave considers Signed Exchange and WebBundles to be problematic from a privacy, performance and user-control viewpoint.

Starting in Brave 1.38, and available in Beta and Nightly browser versions already, De-AMP is activated in Brave automatically by default.

With De-AMP enabled, Brave attempts to parse links directly to redirect the loading to the publisher's website immediately; this is the case for Google Search among other pages. Brave will also look for AMP HTML markup to identify AMP page loads. Brave intercepts the request and redirects it to the publisher's website automatically. The company notes that Brave does so before Google AMP scripts are fetched and loaded.

Brave Software plans to extend the protection in Brave 1.40 by extending the browser's debouncing privacy feature to include AMP URLs.

Now You: what is your take on AMP?

Brave's De-AMP feature redirects Google-hosted AMP pages to publisher pages

Security researcher monitoring the botnet are observing that emails carrying malicious payloads last month have increased tenfold.

Emotet is a self-propagating modular trojan that can maintain persistence on the host. It is used for stealing user data, performing network reconnaissance, moving laterally, or dropping additional payloads such as Cobalt Strike and ransomware in particular.

It has been spotted growing slowly but steadily since the beginning of the year, but its operators may be shifting up a gear now.

Spike in distribution

According to a report Kaspersky released today, Emotet activity is seeing a sharp rise from February to March, going from 3,000 to 30,000 emails.

The languages used in these messages include English, French, Hungarian, Italian, Norwegian, Polish, Russian, Slovenian, Spanish, and Chinese.

As for the themes, Emotet distributors are known for changing the topics regularly to take advantage of seasonal interest swifts. This time it’s the Easter celebration they're taking advantage of.

Check Point also released a report, which ranked Emotet as the number one most prevalent and active malware in March 2022.

Emotet email using Easter lures on many languages
(Check Point)

Kaspersky mentions that the ongoing Emotet email distribution campaigns also employ discussion thread hijacking tricks, seen in Qbot campaigns linked to the same operators.

“The aim of the email is to convince users to either (i) follow the link and download an archived document and open it – sometimes using a password mentioned in the email, or (ii) simply open an email attachment,” the researchers note.

Because the threat actors have access to previous correspondence, it is reasonably easy for them to present the attachment as something the recipient would expect as a continuation of the discussion with colleagues.

Switch to 64-bit

The Cryptolaemus security research group, who is keeping a sharp eye on Emotet botnet activity, said that the malware operators have also switched to 64-bit loaders and stealer modules on Epoch 4, one of subgroups of the botnet that run on separate infrastructure. Previously, it relied on 32-bit code.

#Emotet Update - Looks like Ivan laid an egg for easter and has been busy. As of about 14:00UTC today 2022/04/18 - Emotet on Epoch 4 has switched over to using 64-bit loaders and stealer modules. Previously everything was 32-bit except for occasional loader shenanigans. 1/x— Cryptolaemus (@Cryptolaemus1) April 19, 2022

The switch is not visible on Epoch 5 but the delay is expected, since Epoch 4 typically serves as a development test-bed for the Emotet operators, researchers from Cryptolaemus say.

Already, the detection rate for Epoch 4 has dropped by 60%, which is believed to be a direct result of this change.

Emotet botnet switches to 64-bit modules, increases activity

Redmond first announced plans to disable SMBv1 in most versions of the Windows operating system in June 2017 after first disabling it for internal builds of Windows 10 Enterprise and Windows Server 2016.

SMBv1 is no longer installed in Microsoft's OS by default since Windows 10 version 1709 and Windows Server version 1709, with newer versions of Windows using SMBv3.

SMBv1 disabled in Windows 11 Home edition Dev builds

"I have a pretty big announcement: we've started the final phase of disabling SMB1 in Windows," said Ned Pyle, Principal Program Manager in the Microsoft Windows Server High Availability and Storage group.

"If you install a Windows Insider Dev channel build in any variant of Home Edition, the SMB1 client isn't installed."

This will also become the default behavior in the next Windows 11 major release after Windows Insiders will be able to test and provide feedback on the new change,

However, as the Microsoft expert further explained, this shift will not affect devices using SMBv1 following in-place upgrades, with admins still allowed to reinstall it.

"I am also announcing that we are going to remove the SMB1 binaries in a future release. Windows and Windows Server will no longer include the drivers and DLLs of SMB1," Pyle added.

"We will provide an out-of-band unsupported install package for organizations or users that still need SMB1 to connect to old factory machinery, medical gear, consumer NAS, etc."

Pyle also shared a list of vendors and products that require SMBv1 so users can avoid them and not get blocked from switching to newer and more secure versions of the SMB protocol.

Those interested in disabling SMBv1 on their servers can check this Microsoft support page for detailed instructions.

SMBv1 warnings

Microsoft has been recommending admins to remove support for SMBv1 on their network since 2016 since it does not feature additional security improvements added to newer versions of the SMB protocol.

These enhancements include pre-authentication integrity checks to prevent man-in-the-middle (MiTM) attacks, encryption, insecure guest authentication blocking, protection against security downgrade attacks, and more.

Two years ago, the Microsoft Exchange Team also urged admins to disable SMBv1 to protect servers from malware attacks.

These warnings came after the 2017 leak of multiple NSA exploits designed to exploit weaknesses in the SMBv1 protocol to execute commands on vulnerable servers with administrative privileges.

Some of these exploits, like EternalBlue and EternalRomance, were later deployed in the wild by TrickBot, Emotet, WannaCry, Retefe,  NotPetya, and Olympic Destroyer malware to infect more devices and launch destructive attacks or steal user credentials.

Microsoft disables SMB1 by default for Windows 11 Home Insiders

The data comes cybersecurity company Check Point, who recorded a dramatic uptick in LinkedIn brand abuse in phishing incidents in the first quarter of this year.

According to the company, in the last quarter of 2021, LinkedIn held the fifth spot on the list, the count for impersonating attacks being a much lower 8%.

The second most mimicked brand is German package delivery DHL, which previously was at the top of the list. A contributing factor for this was the increased shopping during the holiday season.

Combining DHL with FedEx, Maersk, and Ali Express, shipping-related phishing messages accounted for 21.8% in the first three months of 2022, still holding a significant portion.

In a LinkedIn impersonation sample that Check Point provided, the phishing email reaching the target’s inbox features LinkedIn logos and company-specific style, with a fraudulent request to connect with a made-up firm.

Clicking on the “Accept” button takes the victim to a phishing website that looks like an actual LinkedIn login page hosted on at an unofficial URL - carriermasr.com/public/linkedin.com/linkedin.com/login.php

Why is this happening?

Social media phishing is on the rise, as also reported Vade cybersecurity company recently. This is because the takeover of accounts on these platforms opens up a host of practical possibilities for the threat actors.

For example, the hackers may use compromised social media accounts to perform highly effective spear-phishing attacks, post links to malware-hosting sites, or send spyware directly to users who trust them.

In the case of LinkedIn, which is a professional-focused social media platform, the threat actors are likely aiming to perform spear-phishing attacks on high-interest targets, employees of specific companies and organizations.

Another potential exploitation scenario would be sending laced documents masqueraded as job offers to specific targets, convincing them to open the files and activate malicious macro code.

For example, North Korean hackers have launched multiple spear-phishing campaigns in the past that leveraged LinkedIn, which proved to be very effective.

However, the scale recorded by Check Point this time indicates that LinkedIn impersonation is no longer limited to advanced, narrow targeting threat groups like Lazarus.

LinkedIn brand takes lead as most impersonated in phishing attacks

Tracked as CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972, the latter two "affect firmware drivers originally meant to be used only during the manufacturing process of Lenovo consumer notebooks," ESET researcher Martin Smolár said in a report published today.

"Unfortunately, they were mistakenly included also in the production BIOS images without being properly deactivated," Smolár added.

Successful exploitation of the flaws could permit an attacker to disable SPI flash protections or Secure Boot, effectively granting the adversary the ability to install persistent malware that can survive system reboots.

CVE-2021-3970, on the other hand, relates to a case of memory corruption in the System Management Mode (SMM) of the firm, leading to the execution of malicious code with the highest privileges.

The three flaws were reported to the PC maker on October 11, 2021, following which patches were issued on April 12, 2022. A summary of the three flaws as described by Lenovo is below -

• CVE-2021-3970 – A potential vulnerability in LenovoVariable SMI Handler due to insufficient validation in some Lenovo Notebook models may allow an attacker with local access and elevated privileges to execute arbitrary code.

• CVE-2021-3971 – A potential vulnerability by a driver used during older manufacturing processes on some consumer Lenovo Notebook devices that was mistakenly included in the BIOS image could allow an attacker with elevated privileges to modify the firmware protection region by modifying an NVRAM variable.

• CVE-2021-3972 – A potential vulnerability by a driver used during manufacturing process on some consumer Lenovo Notebook devices that was mistakenly not deactivated may allow an attacker with elevated privileges to modify secure boot setting by modifying an NVRAM variable.

The weaknesses, which impact Lenovo Flex; IdeaPads; Legion; V14, V15, and V17 series; and Yoga laptops, add to the disclosure of as many as 50 firmware vulnerabilities in Insyde Software's InsydeH2O, HP UEFI, and Dell since the start of the year.

"UEFI threats can be extremely stealthy and dangerous," Smolár said. "They are executed early in the boot process, before transferring control to the operating system, which means that they can bypass almost all security measures and mitigations higher in the stack that could prevent their OS payloads from being executed."

Source

That's because Windows 11 back then was not available to the public but only to Insiders, who are presumably more tech-savvy and informed. However, Windows 11 has since been generally available making it a dangerous scenario nowadays.

A new malware campaign of similar nature was discovered by CloudSEK cybersecurity firm as it noticed a new impostor website that looks like Microsoft's, but in reality, distributes files containing what the researchers are calling "Inno Stealer" malware due to the use of Inno Setup Windows installer. This is a novel stealer malware as no similar sample was found on Virus Total.

The malicious website's URL is "windows11-upgrade11[.]com" and it appears that the threat actors of the Inno Stealer campaign took a page from another similar malware campaign a couple of months ago which was using the same trick to fool potential victims. The last one was already taken down at the time of reporting but the new one is still up so it is advised to readers to trade carefully.

CloudSEK says that upon downloading the infected ISO, multiple processes are run in the background to neutralize an infected user's system. It creates Windows Command Scripts to disable Registry security, adds Defender exceptions, uninstalls security products, and deletes shadow volumes.

Finally, an .SCR file is created which is the one which actually delivers the malicious payload, in this case, the novel Inno Stealer malware in the following directory of a compromised system:

C:\Users\\AppData\Roaming\Windows11InstallationAssistant

The name of the malware payload file is "Windows11InstallationAssistant.scr".

Here is the entire process explained in a diagram:

CloudSEK has identified the following targets, including browsers and crypto wallets, that the Inno info stealer malware is after. These are shown in the image below. First up we have the browsers followed by the crypto wallets:

Here is the official link to download Windows from the real Microsoft website. You can also follow reputed news websites like Neowin, among others, as we often link to official Microsoft ISO download pages when they are released by the Redmond firm.

Source and images: CloudSEK via BleepingComputer

Beware: Microsoft lookalike fake Windows 11 download website unsurprisingly downloads virus

On April 13, Microsoft said it executed a legal sneak attack against Zloader, a remote access trojan and malware platform that multiple ransomware groups have used to deploy their malware inside victim networks. More specifically, Microsoft obtained a court order that allowed it to seize 65 domain names that were used to maintain the Zloader botnet.

Microsoft’s civil lawsuit against Zloader names seven “John Does,” essentially seeking information to identify cybercriminals who used Zloader to conduct ransomware attacks. As the company’s complaint notes, some of these John Does were associated with lesser ransomware collectives such as Egregor and Netfilim.

But according to Microsoft and an advisory from the U.S. Cybersecurity & Infrastructure Security Agency (CISA), Zloader had a special relationship with Ryuk/Conti, acting as a preferred distribution platform for deploying Ryuk/Conti ransomware.

Several parties backed Microsoft in its legal efforts against Zloader by filing supporting declarations, including Errol Weiss, a former penetration tester for the U.S. National Security Agency (NSA). Weiss now serves as the chief security officer of the Health Information Sharing & Analysis Center (H-ISAC), an industry group that shares information about cyberattacks against healthcare providers.

Weiss said ransomware attacks from Ryuk/Conti have impacted hundreds of healthcare facilities across the United States, including facilities located in 192 cities and 41 states and the District of Columbia.

“The attacks resulted in the temporary or permanent loss of IT systems that support many of the provider delivery functions in modern hospitals resulting in cancelled surgeries and delayed medical care,” Weiss said in a declaration (PDF) with the U.S. District Court for the Northern District of Georgia.

“Hospitals reported revenue losses due to Ryuk infections of nearly $100 million from data I obtained through interviews with hospital staff, public statements, and media articles,” Weiss wrote. “The Ryuk attacks also caused an estimated $500 million in costs to respond to the attacks – costs that include ransomware payments, digital forensic services, security improvements and upgrading impacted systems plus other expenses.”

The figures cited by Weiss appear highly conservative. A single attack by Ryuk/Conti in May 2021 against Ireland’s Health Service Executive, which operates the country’s public health system, resulted in massive disruptions to healthcare in Ireland. In June 2021, the HSE’s director general said the recovery costs for that attack were likely to exceed USD $600 million.

Conti ravaged the healthcare sector throughout 2020, and leaked internal chats from the Conti ransomware group show the gang had access to more than 400 healthcare facilities in the U.S. alone by October 2020.

On Oct. 28, 2020, KrebsOnSecurity broke the news that FBI and DHS officials had seen reliable intelligence indicating the group planned to ransom many of these care facilities simultaneously. Hours after that October 2020 piece ran, I heard from a respected H-ISAC security professional who questioned whether it was worth getting the public so riled up. The story had been updated multiple times throughout the day, and there were at least five healthcare organizations hit with ransomware within the span of 24 hours.

“I guess it would help if I understood what the baseline is, like how many healthcare organizations get hit with ransomware on average in one week?” I asked the source.

“It’s more like one a day,” the source confided.

A report in February 2022 from Sophos found Conti orchestrated a cyberattack against a Canadian healthcare provider in late 2021. Security software firm Emsisoft found that at least 68 healthcare providers suffered ransomware attacks last year.

While Conti is just one of many ransomware groups threatening the healthcare industry, it seems likely that ransomware attacks on the healthcare sector are underreported. Perhaps this is because a large percentage of victims are paying a ransom demand to keep their data (and news of their breach) confidential. A survey published in February by email security provider Proofpoint found almost 60 percent of victims hit by ransomware paid their extortionists.

Or perhaps it’s because many crime groups have shifted focus away from deploying ransomware and toward stealing data and demanding payment not to publish the information. Conti shames victims who refuse to pay a ransom by posting their internal data on their darkweb blog.

Since the beginning of 2022, Conti has claimed responsibility for hacking a cancer testing lab, a medical prescription service online, a biomedical testing facility, a pharmaceutical company, and a spinal surgery center.

The Healthcare Information and Management Systems Society recently released its 2021 HIMSS Healthcare Cybersecurity Survey (PDF), which interviewed 167 healthcare cybersecurity professionals and found 67 percent had experienced a “significant security incident” in the past year.

The survey also found that just six percent or less of respondent’s information technology budgets were devoted to cybersecurity, although roughly 60 percent of respondents said their cybersecurity budgets would increase in 2022. Last year, just 79 percent of respondents said they’d fully implemented antivirus or other anti-malware systems; only 43 percent reported they’d fully implemented intrusion detection and prevention technologies.

The FBI says Conti typically gains access to victim networks through weaponized malicious email links, attachments, or stolen Remote Desktop Protocol (RDP) credentials, and that it weaponizes Microsoft Office documents with embedded Powershell scripts — initially staging Cobalt Strike via the Office documents and then dropping Emotet onto the network — giving them the ability to deploy ransomware. The FBI said Conti has been observed inside victim networks between four days and three weeks on average before deploying Conti ransomware.

Conti’s Ransomware Toll on the Healthcare Industry

The attackers use social engineering to trick employees of cryptocurrency companies into downloading and running malicious Windows and macOS cryptocurrency apps.

The Lazarus operators then use these trojanized tools to gain access to the targets' computers, spread malware throughout their networks, and steal private keys that allow initiating fraudulent blockchain transactions and stealing the victims' crypto assets from their wallets.

"Intrusions begin with a large number of spearphishing messages sent to employees of cryptocurrency companies—often working in system administration or software development/IT operations (DevOps)—on a variety of communication platforms," a joint advisory published on Monday reads.

"The messages often mimic a recruitment effort and offer high-paying jobs to entice the recipients to download malware-laced cryptocurrency applications, which the U.S. government refers to as TraderTraitor."

The trojanized TraderTraitor applications are Electron-based and cross-platform utilities developed using JavaScript and the Node.js runtime environment.

TraderTraitor apps are almost always pushed via websites featuring modern design advertising the fake crypto apps' alleged features.

CryptAIS website (CISA)

"Observed payloads include updated macOS and Windows variants of Manuscrypt, a custom remote access trojan (RAT), that collects system information and has the ability to execute arbitrary commands and download additional payloads," the federal agencies added.

Among the malicious TraderTraitor cryptocurrency apps used in these campaigns, the joint advisory highlights:

• DAFOM: a "cryptocurrency portfolio application" (macOS)
• TokenAIS: claims to help "build a portfolio of AI-based trading" for cryptocurrencies (macOS)
• CryptAIS: claims to help "build a portfolio of AI-based trading" (macOS)
• AlticGO: claims to offer live cryptocurrency prices and price predictions (Windows)
• Esilet: claims to offer live cryptocurrency prices and price predictions (macOS)
• CreAI Deck: claims to be a platform for "artificial intelligence and deep learning" (Windows and macOS)

Last year, the FBI, CISA, and US Department of Treasury also shared information on malicious and fake crypto-trading applications injected with AppleJeus malware used by Lazarus to steal cryptocurrency from individuals and companies worldwide.

The list of apps trojanized using AppleJeus includes Celas Trade Pro, JMT Trading, Union Crypto, Kupay Wallet, CoinGoTrade, Dorusio, and Ants2Whale.

The U.S. Justice Department charged three Lazarus Group members for stealing $1.3 billion in money and cryptocurrency in multiple attacks against banks, the entertainment industry, cryptocurrency companies, and other organizations worldwide.

In 2019, a confidential United Nations report also said that North Korean operators stole an estimated $2 billion in at least 35 cyberattacks on banks and crypto exchanges across over a dozen countries.

The same year, the U.S. Treasury Department sanctioned three North Korean hacking groups (Lazarus Group, Bluenoroff, and Andariel) for funneling the financial assets they stole in cyberattacks to the North Korean government.

US warns of Lazarus hackers using malicious cryptocurrency apps

The Russian cybersecurity firm has added support for decrypting files locked by the Yanluowang ransomware strain to its RannohDecryptor utility.

"Kaspersky experts have analyzed the ransomware and found a vulnerability that allows decrypting files of affected users via a known-plaintext attack," the company said today.

This ransomware strain encrypts files bigger than 3GB and those smaller than 3GB using different methods: larger ones are partially encrypted in 5MB stripes after every 200MB, while smaller ones are entirely encrypted from start to end.

Because of this, "if the original file is larger than 3 GB, it is possible to decrypt all files on the infected system, both big and small. But if there is an original file smaller than 3 GB, then only small files can be decrypted."

To decrypt your files, you need at least one of the original files:

• To decrypt small files (less than or equal to 3 GB), you need a pair of files with a size of 1024 bytes or more. This is enough to decrypt all other small files.
• To decrypt big files (more than 3 GB), you need a pair of files (encrypted and original) no less than 3 GB in size each. This will be enough to decrypt both big and small files.

To decrypt files encrypted by Yanluowang ransomware, you have to use the Rannoh decryption tool available for download from Kaspersky's servers.

Kaspersky RannohDecryptor (BleepingComputer)

Yanluowang attacks high-profile enterprise targets

Yanluowang ransomware, first spotted in October 2021, has been used in human-operated, highly targeted attacks against enterprise entities.

One month later, one of its affiliates was observed attacking US organizations in the financial sector since at least August, using the BazarLoader malware for reconnaissance.

Based on the tactics, techniques, and procedures (TTPs) used in these attacks, this Yanluowang affiliate was linked to the Thieflock ransomware operation developed by the Fivehands group (tracked by Mandiant as UNC2447).

Once deployed on compromised networks, Yanluowang stops hypervisor virtual machines, ends all processes, and encrypts files appending the .yanluowang extension.

It also drops ransom notes named README.txt that warn victims not to contact law enforcement or ask any ransomware negotiation firms for help.

If the attackers' requests are not met, the ransomware operators threaten to launch distributed denial of service (DDoS) attacks against the victims' networks and inform their employees and business partners they were breached.

They also say they'll breach the victims' networks again "in a few weeks" and delete their data, a common tactic ransomware gangs use to pressure their victims into paying the ransom.

Free decryptor released for Yanluowang ransomware victims

Your iOS app may still be covertly tracking you, despite what Apple says

Filed under CVE-2022-29072, the vulnerability is using the included 7-Zip Help file, 7-zip.chm, for the exploit. Attackers need to drag and drop files with the 7z extension on to the Help > Contents area in the 7-Zip interface.

Vulnerability details have been published on GitHub. The page provides technical information and a short demonstration video of the exploit.

It is unclear if and when 7-Zip will address the issue. The last update of the application dates back to the release of 7-Zip in December 2021

Users of the application may use the following workaround to mitigate the vulnerability on their devices. Since it is using the included Help file, one way of dealing with the issue is to delete the Help file.

1. Open the 7-Zip installation directory or folder on the system. On Windows, these are usually C:\Program Files\7-Zip or C:\Program Files (x86)\7-Zip, depending on whether the 64-bit or the 32-bit version of the application has been installed.
2. Locate the file 7-Zip.chm; this is the help file. You can open it directly to display its content.
3. Hit the delete button on the keyboard or right-click on the file and select the Delete context menu option, to remove it from the system.
4. You may get a prompt, File Access Denied. If that is the case, select Continue.

The file is moved to the recycle bin of the operating system by default. 7-Zip functionality is not reduced when you delete the help file. The Help file won't open anymore after the deletion, when you select Help > Contents in the 7-Zip File Manager or press the F1-key on the keyboard.

Closing Words

Deleting the Help file does not take longer than a minute. While it appears unlikely that the issue is exploited on large scale, most users may want to remove the Help file to protect their systems against exploits targeting the issue.

Now You: which archiver do you use? (via Deskmodder)

Workaround for security issue in 7-Zip until it is fixed

This included a user-friendly tool like a full-text search engine to facilitate the extraction of metadata and enable the threat actors to find and access victim information quickly.

"The group is known to carefully research high-value targets before launching its attacks, compromising enterprise systems and forcing organizations to pay large ransoms to restore their data," Swiss cybersecurity company PRODAFT said in an exhaustive report published last week.

PYSA, short for "Protect Your System, Amigo" and a successor of the Mespinoza ransomware, was first observed in December 2019 and has emerged as the third most prevalent ransomware strain detected during the fourth quarter of 2021.

Since September 2020, the cybercriminal gang is believed to have exfiltrated sensitive information belonging to as many as 747 victims until its servers were taken offline earlier this January.

Most of its victims are located in the U.S. and Europe, with the group primarily striking government, healthcare, and educational sectors. "The U.S. was the most-impacted country, accounting for 59.2% of all PYSA events reported, followed by the U.K. at 13.1%," Intel 471 noted in an analysis of ransomware attacks recorded from October to December 2021.

PYSA, like other ransomware families, is known to follow the "big game hunting" approach of double extortion, which involves publicizing the stolen information should a victim refuse to comply with the group's demands.

Every eligible file is encrypted and given a ".pysa" extension, decoding which requires the RSA private key that can only be obtained after paying the ransom. Almost 58% of the PYSA victims are said to have made digital payments.

PRODAFT, which was able to locate a publicly available .git folder managed by PYSA operators, identified one of the project's authors as "dodo@mail.pcc," a threat actor who is believed to be located in a country that observes daylight savings time based on the commit history.

At least 11 accounts, a majority of which were created on January 8, 2021, are said to be in charge of the overall operation, the investigation has revealed. That said, four of these accounts — named t1, t3, t4, and t5 — account for over 90% of activity on the group's management panel.

Other operational security mistakes made by the group's members also made it possible to identify a hidden service running on the TOR anonymity network — a hosting provider (Snel.com B.V.) located in the Netherlands — offering a glimpse into the actor's tactics.

PYSA's infrastructure also consists of dockerized containers, including public leak servers, database, and management servers, as well as an Amazon S3 cloud to store the encrypted files, which amount to a massive 31.47TB.

Also put to use is a custom leak management panel to search confidential documents in the files exfiltrated from victims' internal networks prior to encryption. Besides using the Git version control system to manage the development processes, the panel itself is coded in PHP 7.3.12 using the Laravel framework.

What's more, the management panel exposes a variety of API endpoints that enables the system to list files, download files, and analyze the files for full-text search, which is designed to categorize the stolen victim information into broad categories for easy retrieval.

"The group is supported by competent developers who apply modern operational paradigms to the group's development cycle," the researcher said. "It suggests a professional environment with well-organized division of responsibilities, rather than a loose network of semi-autonomous threat actors."

If anything, the findings are yet another indicator that ransomware gangs like PYSA and Conti operate and are organized like legitimate software companies, even including an HR department to recruit new hires and an "employee of the month" award for tackling challenging problems.

The disclosure also comes as a report from cybersecurity company Sophos found that two or more threat actor groups spent at least five months within the network of an unnamed regional U.S. government agency before deploying a LockBit ransomware payload at the start of the year.

Source

The research sponsored by TuxCare sought to understand better how organizations are currently managing the security and stability of their Linux-based systems. The results allow all organizations operating Linux-based systems to benchmark their processes against their peers and best practices.

You can get a copy of the complete report HERE if you can't wait to see the findings, but we've highlighted the key takeaways below if you'd like a preview.

Research Goals

Understanding the current State of Enterprise Linux Security Management has never been more imperative. The number of high and critical vulnerabilities continues to grow each year significantly, and exploits against them are being deployed faster and faster.

TuxCare previously sponsored the Ponemon Institute to research how organizations managed their Linux-based systems' security and stability. This research was of enormous benefit for organizations operating Linux-based systems.

Ponemon has updated the research to see how the threat management landscape is changing and provide insights into how businesses have adapted and refined their practices. In addition, the updated reports offer a more in-depth understanding of the security risks and mitigation strategies currently in place.

The Latest Findings

Organizations spend on average $3.5 million annually monitoring their systems for threats and vulnerabilities and implementing patch management processes. This cost to businesses includes the productivity impact of system downtime associated with patching.

Organizations spend around 1,075 hours monitoring and patching systems each week. This includes 340 hours of system downtime while applying patches, placing significant pressure on security teams when downtime impacts productivity. In fact, 45% of respondents reported their organization has no tolerance for patching downtime. This is a problem that live-patching solutions can eliminate, hence why 76% of respondents have adopted this technology.

However, the research found that despite this investment, respondents were not completely confident in their ability to quickly find and patch all the critical vulnerabilities in their systems to reduce security risks to an acceptable level. Over 56% of respondents took over a month to patch critical and high-priority vulnerabilities when they realized their systems were vulnerable. Furthermore, 5% of respondents admitted taking over a year to apply critical patches. This represents a worsening situation from the previous research and increased business risk.

The whole time a system has an unpatched vulnerability, that system is susceptible to exploitation. Vulnerability disclosure prompts attackers to work on methods to exploit the flaw and techniques to scan for exploitable systems. Fast patching doesn't just provide reassurance that your systems are secure. It can also be critical in meeting regulatory requirements.

Even more remarkable were the findings that about a third of organizations are not aware of their responsibility for the security of cloud-hosted systems, assuming the hosting company managed it. Many cloud-hosted systems with no active security management rely on default security controls and luck to avoid an attack.

Conclusions

Organizations are at risk because of the inability to detect and patch vulnerabilities quickly enough for all the systems they are responsible for managing. The research found only 43% of respondents believe they have adequate resources and in-house expertise for timely patching. In addition, respondents saw a lack of accountability for patch management and assigning responsibilities outside IT security functions as factors.

The research also shows an increase in automation for day-to-day system management activities. The standardization and repeatability of processes are positive factors in system security and stability, plus respondents who have implemented automation reported a significantly faster vulnerability response time.

To read the complete report and all its detailed findings related to Enterprise Linux Security, you can get your free copy HERE.

Source