Videoconferencing relies on camera and microphone access, and it appears that the built-in controls to mute the microphone are not always preventing apps from listening and sending data.

Sometimes, users who participate in a video conference may want to mute their audio output. Examples may include going to the bathroom, talking to someone nearby, or answering the door. Most users would expect that hitting the mute button does mute all audio and prevents the sending, but research suggests that this may not be the case.

The research paper "Are You Really Muted?: A Privacy Analysis of Mute Buttons in Video Conferencing Apps", published by assistant professor Kassem Fawaz of electrical and computer engineering at the University of Wisconsin-Madison, suggests that videoconferencing applications may still record and send data while mute is activated.

Videoconferencing applications require access to a device's camera and microphone, which the users control through operating system functionality, and sometimes, in the case of the camera, through hardware options. Permissions can be revoked and managed, but once permissions have been granted, apps and services have access to the hardware devices until the permissions do get revoked.

Most applications and services include built-in options to turn off the camera or the microphone. Blocking access to the camera prevents apps from accessing the camera as it "engages an OS-level control" according to the researchers. The mute control in applications on the other hand uses a different app-dependent system, which may lead to the recording and sending of audio data while mute is active. The researchers note that none of the operating systems they looked at supported "OS-mediated software mute" functionality.

Videoconferencing services can be divided into the two broad categories native apps and web apps. The core difference between the two categories when it comes to muting is that native apps "collect data from the microphone with few restrictions" while web apps need to "request access to the microphone through a web server", which "generally has more restrictive policies for data collection and more tools that allow the user to control the app's access to hardware".

The team analyzed the muting behavior of ten different video conferencing and audio chat applications, including Microsoft Teams, Skype, Zoom, Google Meet, Discord and Jitsi Meet. The services were then classified into three "broad policies" based on the analysis:

Continuously sampling audio from the microphone: apps stream data from the microphone in the same way as they would if they were not muted. Webex is the only VCA that continuously samples the microphone while the user is muted. In this mode, the microphone status indicator from an operating system remains continuously illuminated.

Audio data stream is accessible but not accessed: apps have permissions to sample the microphone and read data; but instead of reading raw bytes they only check the microphone’s status flags: silent, data discontinuity, and timestamp error. We assume that the VCAs, like Zoom, are primarily interested in the silent flag to tell if a user is talking while the software mute is active. In this mode, apps do not read a continuous real-time stream of data in the same way as they would while unmuted. Most Windows and macOS native apps can check if a users is talking even while muted but do not continuously sample audio in the same way as they would while unmuted. In this mode, the microphone status indicator in Windows and macOS remains continuously illuminated, reporting that the app has access to the microphone. We found that applications in this state do not show any evidence of raw audio data being accessed through the API.

Software mute: apps instruct the microphone driver to completely cut off microphone data. All of the web-based apps we studied used the browser’s software mute feature. In this mode, the microphone status indicator in the browser goes away when the app is muted, indicating that the app is not accessing the microphone.

Cisco Webex was found to access the microphone continuously while muted. The researchers could not determine how Microsoft "Teams and Skype use microphone data when muted", as they make direct calls to the operating system. The research team concluded that the behavior of applications that fall into categories one and two violate user expectation.

Conclusion

Computer users have better control over the muting behavior when they use web services, as these need to go through the browser for their activity. When it comes to muting and videoconferencing applications, it is advised to use the operating system's mute functionality, as it ensures that access to the microphone is prevented for the time it is being muted.

The full research paper is available here as a PDF document.

Now You: do you use videoconferencing tools?

Muting videoconferencing apps may not prevent them from listening

Vivaldi Technologies announced the release of a minor update for the desktop version of the Vivaldi web browser on April 15, 2022. The new version of the web browser is available already and is downloaded and installed automatically on most devices.

Vivaldi users may speed up the installation of the update by selecting Vivaldi Menu > Help > Check for Updates. The page that opens displays the current version that is installed; a newer version is downloaded and installed automatically at this point, if available.

The release announcement on the Vivaldi website is short, but to the point:

[Chromium] Upgraded to 100.0.4896.133 (includes fix for CVE-2022-1364)

Vivaldi released five minor updates for version 5.2 of the browser, which it released in early April 2022.

Microsoft published an update for the desktop version of its Microsoft Edge web browser as well. The update is available already and should be distributed to most devices running Edge automatically.

Edge users may speed up the installation of the update by loading edge://settings/help in the browser's address bar. The page that opens displays the installed version. A check for a newer version is performed automatically on page open, and any new version that is found is downloaded and installed automatically.

The release notes for Microsoft Edge 100.0.1185.44 confirm that the update includes the security fix for the Chromium vulnerability that is exploited in the wild:

This update contains a fix for CVE-2022-1364, which has been reported by the Chromium team as having an exploit in the wild. For more information, see the Security Update Guide.

Microsoft notes that the update includes a fix for the Edge-specific vulnerability as well. The vulnerability, CVE-2022-29144, fixes an elevation of privilege vulnerability in Microsoft's browser. The Edge-specific issue is not exploited actively according to Microsoft.

Google released a security update for its Chrome web browser as well to address the security issues.

Vivaldi and Microsoft patch 0-day vulnerability in their browsers

Chrome 100.0.4896.127 has been released for all supported desktop operating systems -- Windows, Mac and Linux -- to address the issue. The update is being rolled out over time as usual, but Chrome users may speed up the installation in the following way:

• Select Chrome Menu > Help > About Google Chrome, or load chrome://settings/help directly.

The page displays the installed browser version. A check for updates is performed when the page is opened in the browser. Chrome should download and install the update automatically at that point.

Google announced the release on the company's Chrome Releases blog, but did not provide many details on the issue. The vulnerability is listed with a severity rating of high, the second-highest after critical. It is a Type Confusion in V8 issue, Chrome's JavaScript engine. These type of vulnerabilities may lead to the execution of arbitrary code, and it appears that this is the case for the vulnerability that Google disclosed on the blog.

The company notes that it is aware of an exploit that is actively used against the vulnerability:

Google is aware that an exploit for CVE-2022-1364 exists in the wild.

Google did not provide specifics; this is common, as companies that release security patches want updates to be rolled out to the majority of users and devices first. The premature release of information could result in the creation of exploits by other malicious actors.

Google released three zero-day vulnerability updates for its Chrome web browser this year. Other Chromium-based web browsers may also be affected by the issue. Security updates for these web browsers will likely be released soon, provided that the issue affects these browsers as well.

Chrome users may want to upgrade their browser as soon as possible to protect it against attacks that target the 0-day vulnerability. Users who use other Chromium-based browsers may want to check for updates or news regularly to make sure their browsers do get patched as well.

Google Chrome emergency update patches 0-day vulnerability

Frontpaged:   Google Chrome 100.0.4896.127

The tool called "Powershell Windows Toolbox" was hosted on GitHub and user LinuxUserGD noticed that the underlying code was cryptic and contained malicious bits. The issue was then raised for the tool by user SuchByte. The Powershell Windows Toolbox has since been removed from GitHub.

Here are all the things the tool claimed to do:

To start, the software was using Cloudflare workers to load a script. In the How to use section of the tool, the developer had instructed users to run the following command in CLI:

While the loaded script was doing what was mentioned, obfuscated code was also found here. After de-obfuscating this, it was found that these were PowerShell codes that were loading malicious scripts from Cloudflare workers and files from a GitHub repo of user alexrybak0444, who is likely the threat actor or one of them. These were also reported and removed (archived version here).

After this, the script ultimately creates a Chromium extension which is thought to be the main malicious component of this malware campaign. The payload of the malware seems to be certain links or URLs used to generate revenue via affiliates and referrals through the promotion of some software or some money making schemes distributed via Facebook and WhatsApp messages.

If you happened to install the Powershell Windows Toolbox on your system, you can remove the following components that were created by the tool during the infection:

• Microsoft\Windows\AppID\VerifiedCert

• Microsoft\Windows\Application Experience\Maintenance

• Microsoft\Windows\Services\CertPathCheck

• Microsoft\Windows\Services\CertPathw

• Microsoft\Windows\Servicing\ComponentCleanup

• Microsoft\Windows\Servicing\ServiceCleanup

• Microsoft\Windows\Shell\ObjectTask

• Microsoft\Windows\Clip\ServiceCleanup

   

Also remove the "C:\systemfile" hidden folder which was created by the malicious script during the infestation. And in case you are doing a system restore, make sure to use a restore point that was not done by the Powershell Windows Toolbox itself as it will not remove the malware from the system.

On that note, if you are looking to install Google Play Store using something that is not harmful, check this guide out by Neowin's own Taras Buria, but do keep in mind that Microsoft has put out some really hefty needs for running Android apps on Windows 11.

Via: BleepingComputer

Note: We have linked to an earlier comment by Neowin member +Eli in this article. The link opens to our own guide for installing Google Play Store on Windows 11 which is different from the Powershell Windows Toolbox that's the topic of today's news piece.

Beware: Powershell Windows Toolbox that helped install Google Play on Windows 11 is malware

The online detection and protection rates for the Microsoft product, however, are amongst the best. In case you are wondering what the difference between protection and detection is, here's how AV-Comparatives defines the two:

The File Detection Test we performed in previous years was a detection-only test. That is to say, it only tested the ability of security programs to detect a malicious program file before execution.

[..] This Malware Protection Test checks not only the detection rates, but also the protection capabilities, i.e. the ability to prevent a malicious program from actually making any changes to the system.

You can find the full comparison of the various anti-malware solutions for offline and online detection rates as well as the protection rates in the image below:

Here's a breakdown of the protection rates for the various antivirus programs. A total of 10,040 malicious samples were used for the test:

Here's a full breakdown of the entire Malware Protection Test March 2022 data:

Aside from the Malware Protection Test, AV-Comparatives has also released data for what it calls the Real-World Protection Test that you can see in the image below. Here's how the firm distinguishes between the two:

In the Malware Protection Test, malicious files are executed on the system. While in the Real-World Protection Test the vector is the web, in the Malware Protection Test the vectors can be e.g. network drives, USB or cover scenarios where the malware is already on the disk.

Finally, we have the awards that the various tested anti-virus programs have received. Here Microsoft Defender has received the highest praise as it has got the ADVANCED+ award. Incidentally, none of the products has received the ADVANCED award.

You can find more details on the tests at the source links below.

Source: AV-Comparatives (1 , 2)

AV-Comparatives finds Microsoft Defender has one of the poorest offline detection rates

US uncovers “Swiss Army knife” for hacking industrial control systems

Although exploiting the flaw requires authentication, it's critical severity is given by the fact that anyone logged into the vulnerable website can exploit it, including regular subscribers.

A threat actor creating a normal user account on an affected website could change the name and theme of the affected site making it look entirely different.

Security researchers believe that a non-logged in user could also exploit the recently fixed flaw in Elementor plugin but they have not confirmed this scenario.

Vulnerability details

In a report released this week by researchers at the WordPress security service Plugin Vulnerabilities, who found the vulnerability, describe the technical details behind the issue in Elementor.

The problem lies in the absence of a crucial access check on one of the plugin's files, "module.php", which is loaded on every request during the admin_init action, even for users that are not logged in, the researchers explain.

One of the functions triggered by the admin_init action allows file upload in the form of a WordPress plugin. A threat actor could place a malicious file there to achieve remote code execution.

The file upload function (Plugin Vulnerabilities)

The researchers say that the only restriction in place is access to a valid nonce. However, they found that the relevant nonce is present in "source code of admin pages of WordPress that starts 'elementorCommonConfig', which is included when logged in as a user with the Subscriber role."

Impact and fixing

According Plugin Vulnerabilities, the issue was introduced with Elementor 3.6.0, released on March 22, 2022.

WordPress stats report that approximately 30.7% of Elementor's users have upgraded to version 3.6.x, which indicates that the maximum number of potentially affected sites is roughly 1,500,000.

The plugin has been downloaded a little over one million times today. Assuming that all of them were for 3.6.3, there must still be around 500,000 vulnerable websites out there.

The latest version includes a commit that implements an additional check on the nonce access, using the "current_user_can" WordPress function.

Commit in Elementor addressing the security flaw (WordPress)

While this should address the security gap, the researchers haven't validated the fix yet, and the Elementor team hasn't published any details about the patch.

BleepingComputer has reached out to Elementor's security team, and will update this article as soon as we receive a response.

Plugin Vulnerabilities has also published a proof of concept (PoC) to prove the exploitability, increasing the risk of vulnerable websites to be compromised.

Admins are advised to apply the latest update available for the Elementor WordPress plugin or remove the plugin from your website altogether.

Critical flaw in Elementor WordPress plugin may affect 500k sites

Opera Software's browsers include built-in VPN functionality that is free to use. The new Pro version extends the service to the entire device. Connecting to the free VPN in Opera encrypts only the traffic in the browser, but any other application that is run on the Android device does not benefit from it.

As far as specifics are concerned: Opera Software claims that customers get access to more than 3000 VPN servers in locations around the world when they subscribe to the service. Up to six Android devices can be protected, and the VPN component is integrated into the Opera web browser, which means that customers do not have to install another app to add the VPN functionality to their devices.

Opera Software states that its VPN service is a "no-log service". The company offers early bird access for interested users, and there is a 7-day trial for users who want to test the service before they make a buying decision.

All plans offer the same functionality, and the pricing differs based on the subscription period. Customers may sign-up for one-month or three-month periods, which cost $2.99 or $1.99 respectively. It is unclear for how long the early bird pricing is available.

Opera customers who subscribe to VPN Pro get several benefits. Besides device-wide support, customers may also select specific regions to connect to, enable auto-connect on startup, and switch the VPN protocol. Unfortunately, only OpenVPN and IKEv2 are available, which means that Wireguard is missing.

Usage is simple. Open the Opera web browser on the Android device, select VPN, and sign-in to the Opera account if you are not signed-in already. There you get the options to connect to the fastest server or a server in a specific region. Opera VPN Pro supports servers in more than 30 different countries, including the United States, United Kingdom, Japan, Singapore, Germany, France, and United Arab Emirates.

Apps and services worked as expected during tests, but the browser in question is still a beta product.

Closing Words

Android users who want to try Opera VPN Pro may download the beta version of the browser for Android here. The version includes the VPN component that is used to establish system-wide VPN connections.

The VPN service is limited to Android currently, and this may be one of the main reasons why Opera Software is launching it with a reduced price point. It is unclear if desktop support is planned, but it seems likely as it would improve the VPN product significantly.

Plenty of information is missing at this point, including whether there are data thresholds and whether Opera Software is managing the entire infrastructure of the service.

Some Android users, especially those using the Opera browser already, may find the addition of the device-wide VPN service useful, as it eliminates the need to install another application on the device. Some users may want more information, especially about the infrastructure that is used before they make a decision.

Could this move be an option for Mozilla as well? The Firefox-maker operates a VPN service as well with the help of Mullvad and it could, in theory, integrate it into the Firefox browser to reach a larger audience.

Now You: what is your take on Opera VPN Pro? Will other browser makers follow?

Opera Software launches Opera VPN Pro for Android

The Hafnium group is utilizing Tarrask, a "defense evasion malware", to evade Windows defenses and ensure compromised environments remain vulnerable, explained the Microsoft Detection and Response Team (DART) in a blog post:

As Microsoft continues to track the high-priority state-sponsored threat actor HAFNIUM, new activity has been uncovered that leverages un-patched zero-day vulnerabilities as initial vectors. Further investigation reveals forensic artifacts of the usage of Impacket tooling for lateral movement and execution and the discovery of a defense evasion malware called Tarrask that creates 'hidden' scheduled tasks, and subsequent actions to remove the task attributes, to conceal the scheduled tasks from traditional means of identification.

Microsoft is actively tracking Hafnium's activities and is aware the group is using novel exploits within the Windows subsystem. The group is apparently exploiting a previously unknown Windows bug to hide the malware from "schtasks /query" and Task Scheduler.

The malware successfully evades detection by deleting the associated Security Descriptor registry value. Simply put, an as-yet-unpatched Windows Task Scheduler bug is helping the malware clean up its trails, and make sure that its on-disk artifacts (remnants of activities) aren’t around to reveal what's going on.

Technical jargon aside, the group seems to be using "hidden" scheduled tasks to retain access to compromised devices even after multiple reboots. As with any malware, even Tarrask re-establishes dropped connections to Command-and-Control (C2) infrastructure.

Microsoft’s DART has not only issued a warning but has also recommended enabling logging for 'TaskOperational' within the Microsoft-Windows-TaskScheduler/Operational Task Scheduler log. This should help admins lookout for suspicious outbound connections from critical Tier 0 and Tier 1 assets.

Microsoft Windows under attack from Hafnium group's 'Tarrask' malware

Tim Cook delivers speech railing against “data industrial complex,” sideloading

The updates are already available via Windows Updates, other update management products and services, and as direct downloads. Our overview assists home users and system administrators in understanding the updates and getting the information they need to update products that they use.

The guide includes direct download links, links to support websites, information about critical updates, known issues, and other bits that are important when it comes to updating.

You can check out the March 2022 Microsoft update guide here.

Microsoft Windows Security Updates: March 2022

The following Excel spreadsheet includes the released security updates for Windows and other company products. Just download it with a click on the following link: microsoft-windows-security-updates-april-2022

Executive Summary

• All supported client and server versions of Windows are affected by at least 4 critical security issues.
• Windows clients with known issues: Windows 7, Windows 8.1, Windows 10 version 1607, 1809, 1909, 20H2, 21H1, 21H2, and Windows  11
• Windows server versions with known issues: Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, and 2022
• Other Microsoft products with security updates: .NET Framework, Azure SDK, Active Directory Domain Services, Azure Site Recovery, Microsoft Edge, LDAP, Visual Studio, Microsoft Office, and others.
• Windows 10 version 20h2 Pro and Home are reaching end of servicing next month.

Operating System Distribution

• Windows 7 (extended support only): 41 vulnerabilities: 4 critical and 37 important
  • Windows SMB Remote Code Execution Vulnerability -- CVE-2022-24500
  • Windows Server Service Remote Code Execution Vulnerability -- CVE-2022-24541
  • Remote Procedure Call Runtime Remote Code Execution Vulnerability -- CVE-2022-26809
  • Windows LDAP Remote Code Execution Vulnerability -- CVE-2022-26919

• Windows 8.1: 51 vulnerabilities: 7 critical and 44 important
  • Windows SMB Remote Code Execution Vulnerability -- CVE-2022-24500
  • Windows Network File System Remote Code Execution Vulnerability -- CVE-2022-24497
  • Windows Hyper-V Remote Code Execution Vulnerability -- CVE-2022-22008
  • Windows Network File System Remote Code Execution Vulnerability --  CVE-2022-24491
  • Windows Server Service Remote Code Execution Vulnerability -- CVE-2022-24541
  • Remote Procedure Call Runtime Remote Code Execution Vulnerability -- CVE-2022-26809
  • Windows LDAP Remote Code Execution Vulnerability -- CVE-2022-26919

• Windows 10 version 1909: 68 vulnerabilities: 8 critical and 60 important
  • Windows Network File System Remote Code Execution Vulnerability -- CVE-2022-24497
  • Windows SMB Remote Code Execution Vulnerability -- CVE-2022-24500
  • Windows Hyper-V Remote Code Execution Vulnerability -- CVE-2022-22008
  • Windows Hyper-V Remote Code Execution Vulnerability -- CVE-2022-24537
  • Windows Network File System Remote Code Execution Vulnerability --  CVE-2022-24491
  • Windows Server Service Remote Code Execution Vulnerability -- CVE-2022-24541
  • Remote Procedure Call Runtime Remote Code Execution Vulnerability -- CVE-2022-26809
  • Windows LDAP Remote Code Execution Vulnerability -- CVE-2022-26919

• Windows 10 version 20H2, 21H1 and 21H2 : 72 vulnerabilities, 9 critical and 63 important
  • Windows LDAP Remote Code Execution Vulnerability -- CVE-2022-26919
  • Remote Procedure Call Runtime Remote Code Execution Vulnerability -- CVE-2022-26809
  • Windows Server Service Remote Code Execution Vulnerability -- CVE-2022-24541
  • Windows Network File System Remote Code Execution Vulnerability --  CVE-2022-24491
  • Windows Hyper-V Remote Code Execution Vulnerability -- CVE-2022-24537
  • Windows Hyper-V Remote Code Execution Vulnerability -- CVE-2022-23257
  • Windows Hyper-V Remote Code Execution Vulnerability -- CVE-2022-22008
  • Windows SMB Remote Code Execution Vulnerability -- CVE-2022-24500
  • Windows Network File System Remote Code Execution Vulnerability -- CVE-2022-24497

• Windows 11:  69 vulnerabilities, 9 critical and 60 important
  • Windows LDAP Remote Code Execution Vulnerability -- CVE-2022-26919
  • Remote Procedure Call Runtime Remote Code Execution Vulnerability -- CVE-2022-26809
  • Windows Server Service Remote Code Execution Vulnerability -- CVE-2022-24541
  • Windows Network File System Remote Code Execution Vulnerability --  CVE-2022-24491
  • Windows Hyper-V Remote Code Execution Vulnerability -- CVE-2022-24537
  • Windows Hyper-V Remote Code Execution Vulnerability -- CVE-2022-23257
  • Windows Hyper-V Remote Code Execution Vulnerability -- CVE-2022-22008
  • Windows SMB Remote Code Execution Vulnerability -- CVE-2022-24500
  • Windows Network File System Remote Code Execution Vulnerability -- CVE-2022-24497

Windows Server products

• Windows Server 2008 R2 (extended support only): 51 vulnerabilities: 4 critical and 47 important
  • Windows SMB Remote Code Execution Vulnerability -- CVE-2022-24500
  • Windows Server Service Remote Code Execution Vulnerability -- CVE-2022-24541
  • Remote Procedure Call Runtime Remote Code Execution Vulnerability -- CVE-2022-26809
  • Windows LDAP Remote Code Execution Vulnerability -- CVE-2022-26919

• Windows Server 2012 R2: 66 vulnerabilities: 5 critical and 22 important
  • Windows SMB Remote Code Execution Vulnerability -- CVE-2022-24500
  • Windows Network File System Remote Code Execution Vulnerability -- CVE-2022-24497
  • Windows Hyper-V Remote Code Execution Vulnerability -- CVE-2022-22008
  • Windows Network File System Remote Code Execution Vulnerability --  CVE-2022-24491
  • Windows Server Service Remote Code Execution Vulnerability -- CVE-2022-24541
  • Remote Procedure Call Runtime Remote Code Execution Vulnerability -- CVE-2022-26809
  • Windows LDAP Remote Code Execution Vulnerability -- CVE-2022-26919

• Windows Server 2016: 86 vulnerabilities: 8 critical and 78 important
  • Windows Network File System Remote Code Execution Vulnerability -- CVE-2022-24497
  • Windows SMB Remote Code Execution Vulnerability -- CVE-2022-24500
  • Windows Hyper-V Remote Code Execution Vulnerability -- CVE-2022-22008
  • Windows Hyper-V Remote Code Execution Vulnerability -- CVE-2022-24537
  • Windows Network File System Remote Code Execution Vulnerability --  CVE-2022-24491
  • Windows Server Service Remote Code Execution Vulnerability -- CVE-2022-24541
  • Remote Procedure Call Runtime Remote Code Execution Vulnerability -- CVE-2022-26809
  • Windows LDAP Remote Code Execution Vulnerability -- CVE-2022-26919

• Windows Server 2019: 93 vulnerabilities:  0critical and 28 important
  • Windows Network File System Remote Code Execution Vulnerability -- CVE-2022-24497
  • Windows SMB Remote Code Execution Vulnerability -- CVE-2022-24500
  • Windows Hyper-V Remote Code Execution Vulnerability -- CVE-2022-22008
  • Windows Hyper-V Remote Code Execution Vulnerability -- CVE-2022-24537
  • Windows Network File System Remote Code Execution Vulnerability --  CVE-2022-24491
  • Windows Server Service Remote Code Execution Vulnerability -- CVE-2022-24541
  • Remote Procedure Call Runtime Remote Code Execution Vulnerability -- CVE-2022-26809
  • Windows LDAP Remote Code Execution Vulnerability -- CVE-2022-26919

• Windows Server 2022:  98 vulnerabilities: 0 critical and 28 important
  • Windows LDAP Remote Code Execution Vulnerability -- CVE-2022-26919
  • Remote Procedure Call Runtime Remote Code Execution Vulnerability -- CVE-2022-26809
  • Windows Server Service Remote Code Execution Vulnerability -- CVE-2022-24541
  • Windows Network File System Remote Code Execution Vulnerability --  CVE-2022-24491
  • Windows Hyper-V Remote Code Execution Vulnerability -- CVE-2022-24537
  • Windows Hyper-V Remote Code Execution Vulnerability -- CVE-2022-23257
  • Windows Hyper-V Remote Code Execution Vulnerability -- CVE-2022-22008
  • Windows SMB Remote Code Execution Vulnerability -- CVE-2022-24500
  • Windows Network File System Remote Code Execution Vulnerability -- CVE-2022-24497

Windows Security Updates

Windows 7 SP1 and Windows Server 2008 R2

• Monthly Rollup: KB5012626
• Security-Only: KB5012649

Updates and improvements:

• Fixed a Windows Media Center issue that had users configure the application on each start.
• Fixed a memory leak that was introduced in the November 2021 cumulative update. It caused a decrease in performance on domain controllers.
• Fixed an issue that could cause Event ID 37 to be logged during password change scenarios.
• Fixed an Access Denied error when writing a service principal name alias and Host/Name already exists on another object.
• Fixed a domain joins failing issue in environments that use DNS hostnames.
• Fixed an issue that prevented the changing of expired passwords when signing in.

Windows 8.1 and Windows Server 2012 R2

• Monthly Rollup: KB5012670 
• Security-only: KB5012639 

Updates and improvements:

• Fixed a Windows Media Center issue that had users configure the application on each start.
• Fixed a memory leak that was introduced in the November 2021 cumulative update. It caused a decrease in performance on domain controllers.
• Fixed an issue that could cause Event ID 37 to be logged during password change scenarios.
• Fixed a domain joins failing issue in environments that use DNS hostnames.
• Fixed an issue that made Windows go into BitLocker Recovery after servicing updates. (monthly-rollup only).
• Fixed an issue that prevented the changing of expired passwords when signing in. (monthly-rollup only).
• Fixed an issue that caused a Denial of Service vulnerability on Cluster Shared Volumes. (monthly-rollup only).

Windows 10 version 20H2, 21H1 and 21H2

• Support Page: KB5012599

Windows 11

• Support Page: KB5012592 

Updates and improvements:

• Fixes are listed on the preview update's release page here.

Other security updates

2022-04 Security Only Quality Update for Windows Server 2008 (KB5012632)

2022-04 Security Monthly Quality Rollup for Windows Server 2008 (KB5012658)

2022-04 Security Monthly Quality Rollup for Windows Embedded 8 Standard and Windows Server 2012 (KB5012650)

2022-04 Security Only Quality Update for Windows Embedded 8 Standard and Windows Server 2012 (KB5012666)

2022-04 Cumulative Update for Windows 10 Version 1909 (KB5012591)

2022-04 Cumulative Update for Windows Server 2016 and Windows 10 Version 1607 (KB5012596)

2022-04 Cumulative Update for Microsoft server operating system version 21H2 for x64-based Systems (KB5012604)

2022-04 Cumulative Update for Windows Server 2019 and Windows 10 Version 1809 (KB5012647)

2022-04 Cumulative Update for Windows 10 (KB5012653)

.NET Framework

2022-04 Security and Quality Rollup for .NET Framework 4.8 for Windows Embedded 8 Standard and Windows Server 2012 (KB5012122)

2022-04 Security and Quality Rollup for .NET Framework 4.8 for Windows 8.1 and Windows Server 2012 R2 (KB5012124)

2022-04 Security and Quality Rollup for .NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 for Windows Embedded 8 Standard and Windows Server 2012 (KB5012129)

2022-04 Security and Quality Rollup for .NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 for Windows 8.1 and Windows Server 2012 R2 (KB5012130)

2022-04 Security and Quality Rollup for .NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 for Windows Embedded Standard 7, Windows 7, Windows Server 2008 R2, and Windows Server 2008 (KB5012131)

2022-04 Security and Quality Rollup for .NET Framework 3.5 for Windows Embedded 8 Standard and Windows Server 2012 (KB5012136)

2022-04 Security and Quality Rollup for .NET Framework 2.0, 3.0 for Windows Server 2008 (KB5012137)

2022-04 Security and Quality Rollup for .NET Framework 3.5.1 for Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2 (KB5012138)

2022-04 Security and Quality Rollup for .NET Framework 3.5 for Windows 8.1 and Windows Server 2012 R2 (KB5012139)

2022-04 Security and Quality Rollup for .NET Framework 4.5.2 for Windows Embedded 8 Standard and Windows Server 2012 (KB5012140)

2022-04 Security and Quality Rollup for .NET Framework 4.5.2 for Windows Embedded Standard 7, Windows 7, Windows Server 2008 R2, and Windows Server 2008 (KB5012141)

2022-04 Security and Quality Rollup for .NET Framework 4.5.2 for Windows 8.1 and Windows Server 2012 R2 (KB5012142)

2022-04 Security Only Update for .NET Framework 4.8 for Windows Embedded 8 Standard and Windows Server 2012 (KB5012143)

2022-04 Security Only Update for .NET Framework 4.8 for Windows 8.1 and Windows Server 2012 R2 (KB5012144)

2022-04 Security Only Update for .NET Framework 4.8 for Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2 (KB5012145)

2022-04 Security Only Update for .NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 for Windows Embedded 8 Standard and Windows Server 2012 (KB5012146)

2022-04 Security Only Update for .NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 for Windows 8.1 and Windows Server 2012 R2 (KB5012147)

2022-04 Security Only Update for .NET Framework 4.6 and 4.6.2 for Windows Embedded Standard 7, Windows 7, Windows Server 2008 R2, and Windows Server 2008 (KB5012148)

2022-04 Security Only Update for .NET Framework 3.5 for Windows Embedded 8 Standard and Windows Server 2012 (KB5012149)

2022-04 Security Only Update for .NET Framework 2.0, 3.0 for Windows Server 2008 (KB5012150)

2022-04 Security Only Update for .NET Framework 3.5.1 for Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2 (KB5012151)

2022-04 Security Only Update for .NET Framework 3.5 for Windows 8.1 and Windows Server 2012 R2 (KB5012152)

2022-04 Security Only Update for .NET Framework 4.5.2 for Windows Embedded 8 Standard and Windows Server 2012 (KB5012153)

2022-04 Security Only Update for .NET Framework 4.5.2 for Windows Embedded Standard 7, Windows 7, Windows Server 2008 R2, and Windows Server 2008 (KB5012154)

2022-04 Security Only Update for .NET Framework 4.5.2 for Windows 8.1 and Windows Server 2012 R2 (KB5012155)

2022-04 Security Only Update for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2 (KB5012324)

2022-04 Security Only Update for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows Embedded 8 Standard and Windows Server 2012 (KB5012325)

2022-04 Security Only Update for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows 8.1 and Windows Server 2012 R2 (KB5012326)

2022-04 Security Only Update for .NET Framework 2.0, 3.0, 4.5.2, 4.6 and 4.6.2 for Windows Server 2008 (KB5012327)

2022-04 Security and Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2 (KB5012329)

2022-04 Security and Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows Embedded 8 Standard and Windows Server 2012 (KB5012330)

2022-04 Security and Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows 8.1 and Windows Server 2012 R2 (KB5012331)

2022-04 Security and Quality Rollup for .NET Framework 2.0, 3.0, 4.5.2, 4.6 and 4.6.2 for Windows Server 2008 (KB5012332)

2022-04 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 10 Version 21H1, Windows Server, version 20H2, Windows 10 Version 20H2, Windows 10 Version 2004, Windows 10 Version 1909, Windows 10 Version 1903, Windows 10 Version 1809, and Windows 10 Version 1607 (KB5012117)

2022-04 Cumulative Update for .NET Framework 4.8 for Windows Server 2016 and Windows 10 Version 1607 (KB5012118)

2022-04 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows Server 2019 and Windows 10 Version 1809 (KB5012119)

2022-04 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 10 Version 1909 (KB5012120)

2022-04 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 11 (KB5012121)

2022-04 Cumulative Update for .NET Framework 3.5 and 4.8 for Microsoft server operating system version 21H2 for ARM64 (KB5012123)

2022-04 Cumulative Update for .NET Framework 3.5 and 4.7.2 for Windows Server 2019 and Windows 10 Version 1809 (KB5012128)

2022-04 Cumulative Update for .NET Framework 3.5, 4.7.2 and 4.8 for Windows Server 2019 and Windows 10 Version 1809 (KB5012328)

2022-04 Security and Quality Rollup for .NET Framework 4.8 for Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2 (KB5012125)

Servicing Stack Updates

2022-04 Servicing Stack Update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 (KB5012672)

2022-04 Servicing Stack Update for Windows 10 (KB5013269)

2022-04 Servicing Stack Update for Windows Embedded 8 Standard and Windows Server 2012 (KB5013270)

Known Issues

Windows 7 SP1 and Windows Server 2008 R2

• (Old) Updates may show as failed and may be uninstalled because the machine is not on ESU.
  • Expected behavior.
• (Old) Certain operations such as rename may fail on Cluster Shared Volumes.
  • Perform the operation from a process with administrator privileges.
  • Perform the operation from a node that does not have CSV ownership.

Windows 8.1 and Windows Server 2012 R2

• (Old) Certain operations such as rename may fail on Cluster Shared Volumes.
  • Perform the operation from a process with administrator privileges.
  • Perform the operation from a node that does not have CSV ownership.
• (Old) Issues with apps using the " Microsoft .NET Framework to acquire or set Active Directory Forest Trust Information". These may fail, close, or may throw errors messages such as access violation (0xc0000005).
  • Install out-of-band updates for the .NET Framework version that the app in question uses. Microsoft has links to these on the support page.

Windows 10 versions 20H2, 21H1 and 21H2

• (Old) Custom installations may not receive the new Microsoft Edge web browser, while the old version may be removed.
  • Workaround described on the support page.
• (Old) Some devices can't install updates after installation of KB5003690 (June 21, 2021). Error PSFX_E_MATCHING_BINARY_MISSING is displayed.
  • Workaround instructions are available here.
• (Old) Connections may fail to authentication when using smart card authentication in Remote Desktop Connections.
  • Resolved according to Microsoft, should not be experienced anymore.
• (NEW) After installing the January 11, 2022 updates or later updates, recovery discs on CD or DVD created using the Backup and Restore tool (Windows 7) may be unable to start. Recovery discs created earlier are not affected.
  • Microsoft is working on a resolution.

Windows 11

• (NEW) After installing the January 11, 2022 updates or later updates, recovery discs on CD or DVD created using the Backup and Restore tool (Windows 7) may be unable to start. Recovery discs created earlier are not affected.
  Microsoft is working on a resolution.

Security advisories and updates

ADV 990001 -- Latest Servicing Stack Updates

Non-security updates

Microsoft Office Updates

You find Office update information here.

How to download and install the April 2022 security updates

Critical updates are downloaded and installed automatically on most Home Windows devices. On other systems, administrators may need to download and install updates manually, or allow updates to be installed after reviewing them carefully.

Home users may use the following method to check for updates manually (and speed up the installation of updates in the process):

1. Select Start, type Windows Update and load the Windows Update item that is displayed.
2. Select check for updates to run a manual check for updates.

Direct update downloads

Below are resource pages with direct download links, if you prefer to download the updates to install them manually.

Windows 7 and Server 2008 R2

• KB5012626 -- 2022-04 Security Monthly Quality Rollup for Windows 7
• KB5012649 -- 2022-04 Security Only Quality Update for Windows 7

Windows 8.1 and Windows Server 2012 R2

• KB5012670 -- 2022-04 Security Monthly Quality Rollup for Windows 8.1
• KB5012639 -- 2022-04 Security Only Quality Update for Windows 8.1

Windows 10 (version 20H2)

• KB5012599 -- 2022-04 Cumulative Update for Windows 10 Version 20H2

Windows 10 (version 21H1)

• KB5012599 -- 2022-04 Cumulative Update for Windows 10 Version 21H1

Windows 10 (version 21H2)

• KB5012599 -- 2022-04 Cumulative Update for Windows 10 Version 21H2

• KB5012592 -- 2022-04 Cumulative Update for Windows 11

Additional resources

Microsoft Windows Security Updates April 2022 overview

The “raid” in RaidForums is a nod to the community’s humble beginnings in 2015, when it was primarily an online venue for organizing and supporting various forms of electronic harassment. According to the DOJ, that early activity included ‘raiding‘ — posting or sending an overwhelming volume of contact to a victim’s online communications medium — and ‘swatting,’ the practice of making false reports to public safety agencies of situations that would necessitate a significant, and immediate armed law enforcement response.”

But over the years as trading in hacked databases became big business, RaidForums emerged as the go-to place for English-speaking hackers to peddle their wares. Perhaps the most bustling marketplace within RaidForums was its “Leaks Market,” which described itself as a place to buy, sell, and trade hacked databases and leaks.

The government alleges Coelho and his forum administrator identity “Omnipotent” profited from the illicit activity on the platform by charging “escalating prices for membership tiers that offered greater access and features, including a top-tier ‘God’ membership status.”

“RaidForums also sold ‘credits’ that provided members access to privileged areas of the website and enabled members to ‘unlock’ and download stolen financial information, means of identification, and data from compromised databases, among other items,” the DOJ said in a written statement. “Members could also earn credits through other means, such as by posting instructions on how to commit certain illegal acts.”

Prosecutors say Coelho also personally sold stolen data on the platform, and that Omnipotent directly facilitated illicit transactions by operating a fee-based “Official Middleman” service, a kind of escrow or insurance service that denizens of RaidForums were encouraged to use when transacting with other criminals.

Investigators described multiple instances wherein undercover federal agents or confidential informants used Omnipotent’s escrow service to purchase huge tranches of data from one of Coelho’s alternate user  identities — meaning Coelho not only sold data he’d personally hacked but also further profited by insisting the transactions were handled through his own middleman service.

Not all of those undercover buys went as planned. One incident described in an affidavit by prosecutors (PDF) appears related to the sale of tens of millions of consumer records stolen last year from T-Mobile, although the government refers to the victim only as a major telecommunications company and wireless network operator in the United States.

On Aug. 11, 2021, an individual using the moniker “SubVirt” posted on RaidForums an offer to sell Social Security numbers, dates of birth and other records on more than 120 million people in the United States (SubVirt would later edit the sales thread to say 30 million records). Just days later, T-Mobile would acknowledge a data breach affecting 40 million current, former or prospective customers who applied for credit with the company.

The government says the victim firm hired a third-party to purchase the database and prevent it from being sold to cybercriminals. That third-party ultimately paid approximately $200,000 worth of bitcoin to the seller, with the agreement that the data would be destroyed after sale. “However, it appears the co-conspirators continued to attempt to sell the databases after the third-party’s purchase,” the affidavit alleges.

The FBI’s seizure of RaidForums was first reported by KrebsOnSecurity on Mar. 23, after a federal investigator confirmed rumors that the FBI had been secretly operating the RaidForums website for weeks.

Coelho landed on the radar of U.S. authorities in June 2018, when he tried to enter the United States at the Hartsfield-Jackson International Airport in Atlanta. The government obtained a warrant to search the electronic devices Coelho had in his luggage and found text messages, files and emails showing he was the RaidForums administrator Omnipotent.

“In an attempt to retrieve his items, Coelho called the lead FBI case agent on or around August 2, 2018, and used the email address unrivalled@pm.me to email the agent,” the government’s affidavit states. Investigators found this same address was used to register rf.ws and raid.lol, which Omnipotent announced on the forum would serve as alternative domain names for RaidForums in case the site’s primary domain was seized.

The DOJ said Coelho was arrested in the United Kingdom on January 31, at the United States’ request, and remains in custody pending the resolution of his extradition hearing. A statement from the U.K.’s National Crime Agency (NCA) said the RaidForums takedown was the result of “Operation Tourniquet,” an investigation carried out by the NCA in cooperation with the United Staes, Europol and four other countries that resulted in “a number of linked arrests.”

A copy of the indictment against Coelho is available here (PDF).

RaidForums Gets Raided, Alleged Admin Arrested

The Broadcom-owned company, which makes Norton Antivirus, revealed that a group of hackers, which it claims are affiliated to the Chinese government, were conducting cyber-espionage campaigns targeting organizations across the world.

Symantec says that the campaign primarily targeted victims in government-related institutions or NGOs in education and religion, telecom, legal and pharmaceutical sectors. The malware attack campaign, called Cicada or APT10, was first tracked last year. It was active in February 2022, and could still be ongoing. Attackers are targeting victims via Microsoft Exchange Servers in unpatched system deployments, to gain access to their machines. The hackers use various tools in addition to a custom loader, and a backdoor called Sodamaster.

Hackers distributed a modified version of VLC to use it for triggering a custom malware loader

One of these tools is a modified version of the popular open source media player, VLC. Symantec's Security Threat Intelligence blog mentions the following statement.

"The attackers also exploit the legitimate VLC Media Player by launching a custom loader via the VLC Exports function, and use the WinVNC tool for remote control of victim machines."

This statement's wording is quite confusing, and was misinterpreted by some blogs, who wrote that VLC is vulnerable and that hackers are using it to launch malware attacks. This is not correct, VLC is not the reason for the malware attacks like these websites allege. The rest of the report should be taken into context.

The second section of the report (highlighted in the image) mentions that attackers needed access to the victim machines, before they could launch the malware attack.  This was confirmed by a member of Symantec's Threat Hunter Team, in a statement released to Bleeping Computer. They said that some hackers took the clean version of VLC, added a malicious DLL file to it and distributed it, aka DLL side-loading. This file is located in the same folder as the export function's path, and is used by the attackers to launch a custom malware loader.

So it is evident there are at least two different requirements for this attack to happen: a compromised system, and a modified version of VLC (among the other tools that were used).

Is VLC safe to use?

Yes, it is. As long as you download VLC from the official website (or a trustworthy site), your computer should be safe from malware, because it does not contain the malicious DLL File used in these attacks.

When you download a program from a third-party site, and that website had stealthily embedded some files into the package, it is no longer an official release from the developer. It becomes a modified version that could potentially be malicious. When such files get circulated, people who use them are at the risk of attacks. Hackers use various tricks such as malvertising, e.g. use a popular program's icon to convince people into thinking they are downloading the original file, while in fact they are downloading a malware that could infect their system, and could even spread to other users.

If you are worried whether a program that you have could have been tampered with, you may want to upload the installer to an online service like VirusTotal, to confirm that it is safe to use. Another option is to verify whether the hash values to see if the checksum matches that of the official release. e.g. VLC lists its hash values on its archive site. Keep your operating system and antivirus software up-to-date, and use an ad blocker like uBlock Origin to minimize the chances of malware attacks.

Symantec says that hackers distributed a modified version of VLC and exploited it for malware attacks

Businesses, governments, and other institutions have been plagued by ransomware attacks, business email compromise, and an array other breaches in recent years. Researchers say, though, that while source code leaks may seem catastrophic, and certainly aren't good, they typically aren't the worst-case scenario of a criminal data breach.

“Some source code does represent trade secrets, some parts of source code may make it easier for people to abuse systems, but accounts and user data are typically the biggest things companies have to protect,” says Shane Huntley, director of Google's Threat Analysis Group. “For a vulnerability hunter, it makes certain things easier, allowing them to skip a lot of steps. But it’s not magic. Just because someone can see the source code doesn't mean they'll be able to exploit it right then.”

In other words, when attackers gain access to source code—and especially when they leak it for all to see—a company's intellectual property could be exposed in the process, and attackers may be able to spot vulnerabilities in their systems more quickly. But source code alone isn't a road map to find exploitable bugs. Attackers can't take over Cortana from Microsoft or access users' accounts simply because they have some of the source code for the platform. In fact, as open source software shows, it's possible for source code to be publicly available without making the software it underpins less secure.

Google's Huntley points out that the same broad and diverse vetting needed to secure open source software is also vital for critical proprietary source code, just in case it is ever stolen or leaks. And he also notes that major vulnerabilities in open source software, like the recent Log4j flaws, have often lurked undiscovered for years or even decades, similar to inconspicuous typos that aren't caught by an author, editor, or copyeditor. 

Microsoft detailed its Lapsus$ breach on March 22 and said in a statement that “Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk.”

Typically, security researchers and attackers alike must use “reverse engineering” to find exploitable vulnerabilities in software, working backward from the final product to understand its components and how it works. And researchers say that process can actually be more helpful than looking at source code for finding bugs, because it involves more creative and open-ended analysis than just looking at a recipe. Still, there's no doubt that source code leaks can be problematic, especially for organizations that haven't done enough auditing and vetting to be sure that they've caught most basic bugs.

Brett Callow, a threat analyst at the antivirus company Emsisoft, also points out that attackers have a clear interest in making source code leaks sound as damaging as possible, regardless of the reality for a particular organization.

“Attackers want to make the incident seem as bad as they possibly can, and that isn’t simply to extract payment from the current victim," Callow says. “It’s also sending a warning shot to their future victims saying, ‘Look how much attention these incidents can bring; we make your life thoroughly miserable. The easiest and least painful option is simply to pay us!’”

In practice, though, Callow says that while some data breach victims have specific concerns about source code leaks, they aren't the highest-priority concern for most organizations. “It isn’t to say it can never be problematic, just that it usually isn’t,” he says. 

The bigger concern about source code leaks often isn't about the source code itself. Rather, if an attacker has compromised something as highly guarded as source code, it could mean that they've grabbed other crown jewels like sensitive user data, encryption keys, or code-signing certificates, which are meant to verify that a piece of software hasn't been altered by a malicious actor. If stolen, these have more urgent and immediate ramifications for the security of a company, its products, and, most importantly, its customers.

Most dangerous of all, if an attacker can not just access or steal a copy, but change a product's source code through a software update or other manipulation, that's the type of breach that can have dire consequences.

The Tricky Aftermath of Source Code Leaks

(May require free registration to view)

SimpleLogin is an open source email alias service that has free, commercial and Enterprise plans. Email alias services act as proxies that protect user email addresses online. Users sign-up online using an email alias that is provided by the service to protect their own email address. All communication is forwarded to the user's email address automatically. Options to reply from the email alias and other features are supported by many services, including SimpleLogin, as well.

Email spam and other unwanted content can be blocked using an email alias service, as it is usually just a flip of a button to disable an alias and block any future communication.

We mentioned SimpleLogin as an excellent alternative to Mozilla's Firefox Relay service, as it is offering more features for a lower price.

The acquisition by Proton AG has no affect on SimpleLogin's service according to the announcement on the SimpleLogin blog. The current open source model won't change and users may use the email alias service with all email providers just like before. Proton AG will provide additional resources for the development of SimpleLogin.

SimpleLogin mentioned the following improvements that are coming to its service in the near future:

• The service will benefit from the Proton infrastructure and expertise in "running an email service that’s been battle-tested".
• Uptime and incidence handling will improve thanks to a 24/7 team.
• Ability to leverage Proton's "expertise in email and application security", and to benefit from "ProtonMail's anti-abuse and anti-spam technologies".

SimpleLogin's code has been audited already and the infrastructure has been hardened. Development will be faster thanks to increase of development team members.

Proton AG plans to integrate the SimpleLogin service better into its ProtonMail email service.

Closing Words

ProtonMail users could use SimpleLogin already, but the upcoming integration of the service will make things easier and the entire process smoother. ProtonMail benefits from the move in several ways: it adds capabilities to its service in the short term that were not as good as those of competing services, and it is getting another revenue source.

Now You: do you use SimpleLogin or ProtonMail? What is your take on the acquisition?

Proton AG acquires SimpleLogin, an email alias service

Starting with this latest release, when installing the OS, you will first be prompted to create an account by choosing a username and password (before this change, the OS installer would only ask for a custom password).

You can no longer skip this step since the setup wizard will be launched when first booting the device (previously, you could hit Cancel to use the default pi/raspberry credentials).

While you can still choose to use a 'pi' username and 'raspberry' as your password, you will be warned that it's not a wise choice.

"We are not getting rid of the 'pi' user on existing installs. We are not stopping anyone from entering 'pi' and 'raspberry' as the username and password on a new install," said Simon Long, Senior Principal EngineerSenior at Raspberry Pi.

"All we are doing is making it easy for people who care about security to not have a default 'pi' user – which is something people have been requesting for some time now."

When booting the image for the first time, Raspberry Pi OS Lite image users will also be asked to create a new account via command line text prompts.

If you want to run Raspberry Pi headless, you can create the user before booting into the OS by setting a username and a password via the Settings dialog before writing the image or adding a userconf file to the boot partition containing a username:encrypted-password pair.

Existing installations are not affected by this change. However, users can still switch to non-default credentials by updating their existing image and running the sudo rename-user command.

"This isn't that much of a weakness – just knowing a valid user name doesn't really help much if someone wants to hack into your system; they would also need to know your password, and you'd need to have enabled some form of remote access in the first place," Long explained.

"But nonetheless, it could potentially make a brute-force attack slightly easier, and in response to this, some countries are now introducing legislation to forbid any Internet-connected device from having default login credentials."

For instance, the UK wants to enforce new regulations asking that IoT devices no longer come with default usernames and passwords but, instead ask customers to choose custom credentials, "not resettable to any universal factory default value."

Raspberry Pi removes default user to hinder brute-force attacks

These new developer requirements will take effect between May 11th through November 1st, 2022, giving developers enough time to adjust to the new changes.

Among the list of policy changes that will be introduced, the most important ones related to cybersecurity and fraud include:

• New API level target requirements.
• Banning of loan apps whose Annual Percentage Rate (APR) is 36% or higher.
• Prohibiting the abuse of the Accessibility API.
• New policy changes for the permission to install packages from external sources.

New API level targets

Starting from November 1, 2022, all newly released/published apps must target an Android API level released within one year from the latest major Android version release.

API level targeting requirement for newly published apps (Google)

Those that fail to abide by this requirement will be rejected from inclusion in the Play Store, Android's official app store.

Existing apps that do not target an API level within two years of the latest major Android version will be removed from the Play Store and will no longer be discoverable.

This change aims to force app developers to adopt the stricter API policies that underpin newer Android releases, typically better permission management and revoking, notification anti-hijacking, data privacy enhancements, phishing detection, splash screen restrictions, and more.

As Google explains in the blog post about the new policy: "users with the latest devices or those who are fully caught up on Android updates expect to realize the full potential of all the privacy and security protections Android has to offer."

App developers that need more time to migrate to more current API levels may request a six-month extension, although this is not guaranteed for everyone.

This policy change is expected to force many outdated apps to adopt more secure practices but will also inevitably push several projects that are no longer actively developed outside the Play Store.

One side effect of the latter could be people turning to obscure sources to get an APK of their favorite app, only to get scammed and infect themselves with malware.

Accessibility API abuse

Android's Accessibility API allows developers to create apps that can be used by those with disabilities, allowing the creation of different ways to control the device and use its applications.

However, this feature is commonly abused by malware [1, 2] to perform actions on an Android device without the user's permission or even knowledge.

Google's new policies further restrict how this policy can be used, as listed below.

• Change user settings without their permission or prevent the ability for users to disable or uninstall any app or service unless authorized by a parent or guardian through a parental control app or by authorized administrators through enterprise management software; 
• Work around Android built-in privacy controls and notifications; or
• Change or leverage the user interface in a way that is deceptive or otherwise violates Google Play Developer Policies.

Policy for package fetching

Another key policy change announced by Google tightens the "REQUEST_INSTALL_PACKAGES" permission.

Many malicious app publishers submit innocuous code onto the Play Store to have their submission approved but hide package-fetching functionality that downloads malicious modules after installation.

Users see these actions as "request to update" or "download additional content," so they approve of the action when served the associated prompt or don't see anything because it happens in the background.

Google wants to close this loophole by enforcing new policies for the permission, shedding light on a previously poorly regulated space.

The functions allowed now will be limited to web browser, search, communication, file sharing, file transfer, file management, and enterprise device management.

Apps using this permission must now fetch only digitally signed packages, while the user's consent will still not allow self-updates, code modifications, or bundling of APKs in the asset file.

The new REQUEST_INSTALL_PACKAGES policies will go into effect on July 11th, 2022, for all apps using API level 25 (Android 7.1) and above.

Google boosts Android security with new set of dev policy changes

Social Media accounts, especially verified ones, are an attractive target for hackers as threat actors can use them for various malicious activities, including conducting cryptocurrency scams and distributing malware.

These accounts are even more attractive when they have access to the social site's ad platforms, allowing threat actors to use the stolen credentials to run malicious advertisements.

Distributed through software cracks

Researchers at Zscaler have been tracking the new info-stealer and its spread and published a detailed technical analysis today based on recent samples.

Like many malware, FFDroider is spread through software cracks, free software, games, and other files downloaded from torrent sites.

When installing these downloads, FFDroider will also be installed, but disguised as the Telegram desktop app to evade detection.

Once launched, the malware will create a Windows registry key named "FFDroider," which led to the naming of this new malware.

The Zscaler researcher has put together an attack flow chart illustrating how the malware is installed on victims' devices.

FFDroid targets cookies and account credentials stored in Google Chrome (and Chrome-based browsers), Mozilla Firefox, Internet Explorer, and Microsoft Edge.

For example, the malware reads and parses the Chromium SQLite cookie and SQLite Credential stores and decrypts the entries by abusing Windows Crypt API, specifically, the CryptUnProtectData function.

The procedure is similar for the other browsers, with functions like InternetGetCookieRxW and IEGet ProtectedMode Cookie abused for snatching all cookies stored in Explorer and Edge.

The stealing and decryption results in cleartext usernames and passwords, which are then exfiltrated via an HTTP POST request to the C2 server; in this campaign, http[:]//152[.]32[.]228[.]19/seemorebty.

Targeting social media

Unlike many other password-stealing trojans, FFDroid's operators aren't interested in all account credentials stored in the web browsers.

Instead, the malware developers are focusing on stealing credentials for social media accounts and eCommerce sites, including Facebook, Instagram, Amazon, eBay, Etsy, Twitter, and the portal for the WAX Cloud wallet.

The goal is to steal valid cookies that can be used to authenticate on these platforms, and this is tested on the fly by the malware during the procedure.

If the authentication is successful on Facebook for example, FFDroider fetches all Facebook pages and bookmarks, the number of the victim's friends, and their account billing and payment information from the Facebook Ads manager.

The threat actors may use this information to run fraudulent ad campaigns on the social media platform and promote their malware to a larger audience.

If successfully logged in on Instagram, FFDroider will open the account edit web page to grab the account's email address, mobile phone number, username, password, and other details.

This is an interesting aspect of the info-stealer's functionality because it isn't just trying to grab credentials but to log in on the platform and steal even more information.

After stealing the information and sending everything to the C2, FFDroid focuses on downloading additional modules from its servers at fixed time intervals.

Zscaler's analysts haven't provided many details about these modules, but having a downloader functionality makes the threat even more potent.

To avoid this type of malware, people should stay away from illegal downloads and unknown software sources. As an extra precaution, downloads can be uploaded to VirusTotal to check if antivirus solutions detect it as malware.

New FFDroider malware steals Facebook, Instagram, Twitter accounts

Since surfacing in late 2021, LAPSUS$ has gained access to the networks or contractors for some of the world’s largest technology companies, including Microsoft, NVIDIA, Okta and Samsung. LAPSUS$ typically threatens to release sensitive data unless paid a ransom, but with most victims the hackers ended up publishing any information they stole (mainly computer source code).

Microsoft blogged about its attack at the hands of LAPSUS$, and about the group targeting its customers. It found LAPSUS$ used a variety of old-fashioned techniques that seldom show up in any corporate breach post-mortems, such as:

-targeting employees at their personal email addresses and phone numbers;
-offering to pay $20,000 a week to employees who give up remote access credentials;
-social engineering help desk and customer support employees at targeted companies;
-bribing/tricking employees at mobile phone stores to hijack a target’s phone number;
-intruding on their victims’ crisis communications calls post-breach.

If these tactics sound like something you might sooner expect from spooky, state-sponsored “Advanced Persistent Threat” or APT groups, consider that the core LAPSUS$ members are thought to range in age from 15 to 21. Also, LAPSUS$ operates on a shoestring budget and is anything but stealthy: According to Microsoft, LAPSUS$ doesn’t seem to cover its tracks or hide its activity. In fact, the group often announces its hacks on social media.

ADVANCED PERSISTENT TEENAGERS

This unusual combination makes LAPSUS$ something of an aberration that is probably more aptly referred to as “Advanced Persistent Teenagers,” said one CXO at a large organization that recently had a run-in with LAPSUS$.

“There is a lot of speculation about how good they are, tactics et cetera, but I think it’s more than that,” said the CXO, who spoke about the incident on condition of anonymity. “They put together an approach that industry thought suboptimal and unlikely. So it’s their golden hour.”

LAPSUS$ seems to have conjured some worst-case scenarios in the minds of many security experts, who worry what will happen when more organized cybercriminal groups start adopting these techniques.

“LAPSUS$ has shown that with only $25,000, a group of teenagers could get into organizations with mature cybersecurity practices,” said Amit Yoran, CEO of security firm Tenable and a former federal cybersecurity czar, testifying last week before the House Homeland Security Committee. “With much deeper pockets, focus, and mission, targeting critical infrastructure. That should be a sobering, if not terrifying, call to action.”

My CXO source said LAPSUS$ succeeds because they simply refuse to give up, and just keep trying until someone lets them in.

“They would just keep jamming a few individuals to get [remote] access, read some onboarding documents, enroll a new 2FA [two-factor authentication method] and exfiltrate code or secrets, like a smash-and-grab,” the CXO said. “These guys were not leet, just damn persistent.”

HOW DID WE GET HERE?

The smash-and-grab attacks by LAPSUS$ obscure some of the group’s less public activities, which according to Microsoft include targeting individual user accounts at cryptocurrency exchanges to drain crypto holdings.

In some ways, the attacks from LAPSUS$ recall the July 2020 intrusion at Twitter, wherein the accounts for Apple, Bill Gates, Jeff Bezos, Kanye West, Uber and others were made to tweet messages inviting the world to participate in a cryptocurrency scam that promised to double any amount sent to specific wallets. The flash scam netted the perpetrators more than $100,000 in the ensuing hours.

The group of teenagers who hacked Twitter hailed from a community that traded in hacked social media accounts. This community places a special premium on accounts with short “OG” usernames, and some of its most successful and notorious members were known to use all of the methods Microsoft attributed to LAPSUS$ in the service of hijacking prized OG accounts.

The Twitter hackers largely pulled it off by brute force, writes Wired on the July 15, 2020 hack.

“Someone was trying to phish employee credentials, and they were good at it,” Wired reported. “They were calling up consumer service and tech support personnel, instructing them to reset their passwords. Many employees passed the messages onto the security team and went back to business. But a few gullible ones—maybe four, maybe six, maybe eight—were more accommodating. They went to a dummy site controlled by the hackers and entered their credentials in a way that served up their usernames and passwords as well as multifactor authentication codes.”

Twitter revealed that a key tactic of the group was “phone spear phishing” (a.k.a. “voice phishing” a.k.a. “vishing”). This involved calling up Twitter staffers using false identities, and tricking them into giving up credentials for an internal company tool that let the hackers reset passwords and multi-factor authentication setups for targeted users.

In August 2020, KrebsOnSecurity warned that crooks were using voice phishing to target new hires at major companies, impersonating IT employees and asking them to update their VPN client or log in at a phishing website that mimicked their employer’s VPN login page.

Two days after that story ran, the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) issued their own warning on vishing, saying the attackers typically compiled dossiers on employees at specific companies by mass-scraping public profiles on social media platforms, recruiter and marketing tools, publicly available background check services, and open-source research. The joint FBI/CISA alert continued:

“Actors first began using unattributed Voice over Internet Protocol (VoIP) numbers to call targeted employees on their personal cellphones, and later began incorporating spoofed numbers of other offices and employees in the victim company. The actors used social engineering techniques and, in some cases, posed as members of the victim company’s IT help desk, using their knowledge of the employee’s personally identifiable information—including name, position, duration at company, and home address—to gain the trust of the targeted employee.”

“The actors then convinced the targeted employee that a new VPN link would be sent and required their login, including any 2FA [2-factor authentication] or OTP [one-time passwords]. The actor logged the information provided by the employee and used it in real-time to gain access to corporate tools using the employee’s account.”

Like LAPSUS$, these vishers just kept up their social engineering attacks until they succeeded. As KrebsOnSecurity wrote about the vishers back in 2020:

“It matters little to the attackers if the first few social engineering attempts fail. Most targeted employees are working from home or can be reached on a mobile device. If at first the attackers don’t succeed, they simply try again with a different employee.”

“And with each passing attempt, the phishers can glean important details from employees about the target’s operations, such as company-specific lingo used to describe its various online assets, or its corporate hierarchy.”

“Thus, each unsuccessful attempt actually teaches the fraudsters how to refine their social engineering approach with the next mark within the targeted organization.”

SMASH & GRAB

The primary danger with smash-and-grab groups like LAPSUS$ is not just their persistence but their ability to extract the maximum amount of sensitive information from their victims using compromised user accounts that typically have a short lifespan. After all, in many attacks, the stolen credentials are useful only so long as the impersonated employee isn’t also trying to use them.

This dynamic puts tremendous pressure on cyber incident response teams, which suddenly are faced with insiders who are trying frantically to steal everything of perceived value within a short window of time. On top of that, LAPSUS$ has a habit of posting screenshots on social media touting its access to internal corporate tools. These images and claims quickly go viral and create a public relations nightmare for the victim organization.

Single sign-on provider Okta experienced this firsthand last month, when LAPSUS$ posted screenshots that appeared to show Okta’s Slack channels and another with a Cloudflare interface. Cloudflare responded by resetting its employees’ Okta credentials.

Okta quickly came under fire for posting only a brief statement that said the screenshots LAPSUS$ shared were connected to a January 2022 incident involving the compromise of “a third-party customer support engineer working for one of our subprocessors,” and that “the matter was investigated and contained by the subprocessor.”

This assurance apparently did not sit well with many Okta customers, especially after LAPSUS$ began posting statements that disputed some of Okta’s claims. On March 25, Okta issued an apology for its handling of the January breach at a third-party support provider, which ultimately affected hundreds of its customers.

My CXO source said the lesson from LAPSUS$ is that even short-lived intrusions can have a long-term negative impact on victim organizations — especially when victims are not immediately forthcoming about the details of a security incident that affects customers.

“It does force us to think about insider access differently,” the CXO told KrebsOnSecurity. “Nation states have typically wanted longer, more strategic access; ransomware groups want large lateral movement. LAPSUS$ doesn’t care, it’s more about, ‘What can these 2-3 accounts get me in the next 6 hours?’ We haven’t optimized to defend that.”

Any organizations wondering what they can do to harden their systems against attacks from groups like LAPSUS$ should consult Microsoft’s recent blog post on the group’s activities, tactics and tools. Microsoft’s guidance includes recommendations that can help prevent account takeovers or at least mitigate the impact from stolen employee credentials.

The Original APT: Advanced Persistent Teenagers

The expansion of facial recognition across Europe is included in wider plans to “modernize” policing across the continent, and it comes under the Prüm II data-sharing proposals. The details were first announced in December, but criticism from European data regulators has gotten louder in recent weeks, as the full impact of the plans have been understood.

“What you are creating is the most extensive biometric surveillance infrastructure that I think we will ever have seen in the world,” says Ella Jakubowska, a policy adviser at the civil rights NGO European Digital Rights (EDRi). Documents obtained by EDRi under freedom of information laws and shared with WIRED reveal how nations pushed for facial recognition to be included in the international policing agreement.

The first iteration of Prüm was signed by seven European countries—Belgium, Germany, Spain, France, Luxembourg, the Netherlands, and Austria—back in 2005 and allows nations to share data to tackle international crime. Since Prüm was introduced, take-up by Europe's 27 countries has been mixed.

Prüm II plans to significantly expand the amount of information that can be shared, potentially including photos and information from driving licenses. The proposals from the European Commission also say police will have greater “automated” access to information that’s shared. Lawmakers say this means police across Europe will be able to cooperate closely, and the European law enforcement agency Europol will have a “stronger role.”

The inclusion of facial images and the ability to run facial recognition algorithms against them are among the biggest planned changes in Prüm II. Facial recognition technology has faced significant pushback in recent years as police forces have increasingly adopted it, and it has misidentified people and derailed lives. Dozens of cities in the US have gone as far as banning police forces from using the technology. The EU is debating a ban on the police use of facial recognition in public places as part of its AI Act.

However, Prüm II allows the use of retrospective facial recognition. This means police forces can compare still images from CCTV cameras, photos from social media, or those on a victim’s phone against mug shots held on a police database. The technology is different from live facial recognition systems, which are often connected to cameras in public spaces; these have faced the most criticism.

The European proposals allow a nation to compare a photo against the databases of other countries and find out if there are matches—essentially creating one of the largest facial recognition systems in existence. One document obtained by EDRi says the number of potential matches could range from between 10 and 100 faces, although this figure needs to be finalized by politicians. A European Commission spokesperson says that a human will review the potential matches and decide if any of them are correct, before any further action is taken. “In a significant number of cases, a facial image of a suspect is available,” France’s interior minister said in the documents. It claimed to have solved burglary and child sexual abuse cases using its facial recongition system.

The Prüm II documents, dated from April 2021, when the plans were first being discussed, show the huge number of face photos that countries hold. Hungary has 30 million photos, Italy 17 million, France 6 million, and Germany 5.5 million, the documents show. These images can include suspects, those convicted of crimes, asylum seekers, and “unidentified dead bodies,” and they come from multiple sources in each country.

Jakubowska says that while criticism of facial recognition systems has mostly focused on real-time systems, those that identify people at a later date are still problematic. “When you are applying facial recognition to footage or images retrospectively, sometimes the harms can be even greater, because of the capacity to look back at, say, a protest from three years ago, or to see who I met five years ago, because I'm now a political opponent,” she says. “Only facial images of suspects or convicted criminals can be exchanged,” the European Commission spokesperson says, citing a guide on how the system will work. “There will be no matching of facial images to the general population.”

Pictures of people’s faces shouldn’t be combined in one giant central database, the official proposal says, but police forces will be linked together through a “central router.” This router won’t store any data, the European Commission spokesperson says, adding that it will “only act as a message broker” between nations. This decentralized approach makes Prüm II more straightforward: Police wanting to compare fingerprints under the current system must connect to other police forces individually. Under the new infrastructure, countries only need one connection to the central router and it will be easier to “add additional data categories to the system,” the documents obtained by EDRi say.

The European data protection superviser (EDPS), who oversees how EU bodies use data under GDPR, has criticized the planned expansion of Prüm, which could take several years. “Automated searching of facial images is not limited only to serious crimes but could be carried out for the prevention, detection, and investigation of any criminal offenses, even a petty one,” Wojciech Wiewiórowski, the EDPS, said in early March. Wiewiórowski said more safeguards should be written into the proposals to make sure people’s privacy rights are protected. The European Commission spokesperson says the body has taken “good note” of the EDPS opinion and the thoughts will be taken into account as the European Parliament and Council discuss the legislation.

During the development of the plans, Slovenia has been one key country pushing for the expansion—including asking for people’s driving license data to be included. Domen Savič, the CEO of Slovenian digital rights group Državljan D, says there are significant concerns about the differences between police databases and who is included. “I haven't heard enough to be convinced that all of this data gathered by individual police forces is sanitized in the same way,'' Savič says.

Police databases are often poorly put together. In July 2021, police in the Netherlands deleted 218,000 photos it wrongly included in its facial recognition database. In the UK, more than a thousand young Black men were removed from a “gangs database” in February 2021. “You could have databases that have completely different backgrounds in terms of how this data was collected, where it was sourced, how it was exchanged, and who approved what,” Savič says. Slovenia has already faced similar problems. “And this could lead to misidentification.”

One of the biggest problems for Jakubowska is how Prüm II could normalize the use of facial recognition by police forces across Europe. “What really concerns us is how much this Prüm II proposal could incentivize the creation of facial image databases and the application of algorithms to these databases to perform facial recognition,” she says. The EU will pay for the cost of connecting databases to Prüm II, the proposal says, and this includes the cost of creating new national facial images databases. Sixty years after being invented, facial recognition is still just getting started.

Europe Is Building a Huge International Facial Recognition System

(May require free registration to view)

The agency warns in an alert today that reports of money recovery scams this year have increased in Australia by 725% compared to the same period in 2021.

The losses reported in Q1 2022 are estimated to be $270,000 (up by 301% compared to 2021), which add up to losses incurred by victims who previously fell for the same type of scam.

The case appears to be particularly effective because the original scammers maintain a list of people who proved to be gullible, having been scammed in the context of other campaigns.

Although these people have higher than average alertness due to past negative experiences, they are still very likely to fall for the trap because of the believable theme used in the second attempt.

Coming back for more

The scammers approach their victims out of the blue via phone or email, posing as a money recovery firm, law office, or a special government task force that offers help with the recovery of previously stolen funds.

The threat actors then ask the victims to fill out fake paperwork, to make this appear as a legitimate procedure and also demand an up-front payment to cover the processing fees.

Apart from stealing the identification details of these people, some of the threat actors also request remote access to the victims' computers or smartphones, supposedly to look for the original scammers' traces.

In other cases, the fraudsters contact people who haven't been scammed, and present a range of potential recovery amounts to entice them.

Believing they're about to receive a significant sum due to an error in the system, victims give away money, personal details, and remote system access to crooks.

"Scammers can be very convincing and one way to spot them is to search online for the name of the organization who contacted you with words like ‘complaint’, ‘scam’ or ‘review’", mentions ACCC's Deputy Chair Delia Rickard.

What to do instead

If you are a victim of online fraud in Australia or New Zealand, you are advised to contact IDCare, the official national identity and cyber support service.

Reporting phishing emails to the agency will help track fraudsters, protect other people from being scammed, and possibly result in compensation for registered and validated victims.

Also, people who suspect they have been scammed should contact their bank and card issuer immediately and place their accounts under fraud monitoring.

Do not give away your information or money to anyone else no matter what claims they make, but instead report these attempts to IDCare as suspicious.

Australia warns of money recovery phishing luring past victims

"In a future release of Windows 11 you're going to see significant security updates that add even more protection from the chip to the cloud by combining modern hardware and software," said David Weston, VP for Enterprise & OS Security.

One of the new security features Microsoft is adding in Windows 11 is enhanced phishing protection against targeted phishing attacks with the help of Microsoft Defender SmartScreen, a cloud-based anti-phishing and anti-malware service.

With SmartScreen integrated into the OS, Windows users will be warned when entering their credentials into malicious applications or hacked websites.

As proof of SmartScreen's efficiency, Weston said Microsoft has blocked over 25.6 billion Azure Active Directory brute force authentication attacks and was able to intercept more than 35.7 billion phishing emails before landing in the recipients' inboxes just in the last year alone.

"These enhancements will make Windows the world's first operating system with phishing safeguards built directly into the platform and shipped out of the box to help users stay productive and secure without having to learn to be their own IT department," he added.

Protection for user data and against malicious drivers 

Weston also said Windows 11 users would get additional layers of security that protect their data and act as a defense against malicious drivers.

The newly planned Personal Data Encryption feature, for instance, protects users' files and data when they are not signed into the device by blocking access until they authenticate via Windows Hello.

"To access the data, the user must first authenticate with Windows Hello for Business, linking data encryption keys with the user's passwordless credentials so even if a device is lost or stolen, data is more resistant to attack and sensitive data has another layer of protection built in," Weston said.

Windows 11 customers will also be able to enable a vulnerable driver blocklist that uses Windows Defender Application Control (WDAC) to block drivers with known vulnerabilities automatically.

It hardens Windows systems against third party-developed drivers with any of the following attributes:

• Known security vulnerabilities that attackers can exploit to elevate privileges in the Windows kernel
• Malicious behaviors (malware) or certificates used to sign malware
• Behaviors that are not malicious but circumvent the Windows Security Model and can be exploited by attackers to elevate privileges in the Windows kernel

Windows 11 app, enterprise security improvements

Smart App Control is another crucial security enhancement planned for Windows 11 that will be integrated with the OS at the process level to block users from running malicious apps using code signing coupled with an AI model.

"When a new application is run on Windows 11, its core signing and core features are checked against this model, ensuring only known safe applications are allowed to run," Weston added.

"This means Windows 11 users can be confident they are using only safe and reliable applications on their new Windows devices."

Microsoft also wants to enable Credential Guard by Default and additional protection for Local Security Authority (LSA) for organizations using Windows 11 Enterprise to improve security in enterprise environments further.

The company's engineers have also added other security enhancements to secure Windows 11 users' accounts, devices, and apps since this new version's release in October 2021.

Probably the most important of them, named Config Lock, locks security settings to have them automatically reverted if end-users or attackers try to modify them.

It utilizes MDM policies to monitor and revert registry keys to the original states if users are altering them, likely rendering their devices insecure and exposed to attacks.

Microsoft announces new Windows 11 security, encryption features

The police were also able to seize 543 bitcoins from the profits of Hydra, which are currently worth a little over $25 million.

The confiscated money indicate the size of the Hydra market, which counted around 19,000 registered seller accounts that served at least 17 million customers around the world.

In an announcement today, the Central Office for Combating Cybercrime (ZIT) and Germany's Federal Criminal Police Office (BKA) estimate that Hydra Market had a turnover of $1.35 billion in 2020, making it the largest darknet market in the world.

Today, the blockchain analytics expert Elliptic, has confirmed the digital asset seizure from the authorities, tracking the action as 88 transactions amounting to 543.3 bitcoin.

Apart from narcotics and money laundering services, which were the main focus, Hydra also offered stolen databases, forged documents, and hacking for hire services.

Investigation into an obscured space

At the moment, Hydra's homepage shows that the BKA acting on behalf of the Attorney General's Office in Frankfurt am Main seized the market's infrastructure following a coordinated international law enforcement effort.

This action was possible after a lengthy investigation directed against the previously unknown operators and administrators of the platform.

As the BKA announcement points out, Hydra Market featured a Bitcoin Bank Mixer, which obfuscated all cryptocurrency transactions made on the platform, making it hard for law enforcement agencies to track money obtained from illegal activities.

At this time, it is unknown if the German authorities have made any arrests or if they hold identification information or even clues about Hydra’s core team.

Bleeping Computer has attempted to source more information in that regard, and we will update this post as soon as we hear back from BKA.

In the meantime, the seized equipment most likely contains incriminating evidence on Hydra sellers and clients, so a significant number of users could be charged in an upcoming second phase.

Update April 5 - A spokesperson of the BKA has told Bleeping Computer that no arrests have been made in this operation, and that due to the ongoing investigations, they cannot share any additional information on the evaluation of the seized infrastructure.

Germany takes down Hydra, world's largest darknet market

Brave includes an array of fingerprinting defenses that are expanded regularly. Fingerprinting refers to a tracking technique that identifies and tracks users across the Internet based on certain characteristics of their applications and systems. Browsers do reveal certain information to sites automatically, and scripts may pull even more information that sites may then use to fingerprint users. The uniqueness of the data set determines the tracking success.

Brave plans to launch the anti-fingerprinting techniques in Brave 1.39. The current stable version of Brave is 1.37 at the time of writing.

Language-based fingerprinting protection

The latest iteration of Brave's fingerprinting protections protect users against language-based fingerprinting techniques. Browsers reveal preferred languages to sites so that sites may serve content in the preferred language, if available. Scripts may also pull the information from the browser. Downside to the feature that is designed to improve the accessibility of sites is that it may be included in fingerprinting attacks.

The browser reveals all languages and their weight to sites automatically. While most browsers include just one language by default, most allow users to add more languages. Users who speak multiple languages, say English, French and German, may add all of these to the browser, as these may also power features such as spell checking.

Combinations that are not very popular make the user more unique as the entire pool of users with that combination is small.

Brave going forward reports the most preferred language to sites only going forward. Users who have multiple languages installed will only have the preferred language reported to sites.

The strict fingerprinting setting changes the reporting to English in all cases, even if the user has set a different default language in the browser. The reported weight for the single language that Brave reveals is also randomized "within a certain range" according to Brave.

Font Fingerprinting protection

Fonts are also reported to websites and sites may use the data set for tracking purposes, especially if uncommon fonts are installed. Brave protects users of the browser on all supported systems except for iOS  and Linux against fingerprinting techniques that target installed fonts.

Font fingerprinting protection is enabled in default and aggressive Shield configurations. Brave allows sites to use web fonts and all operating system fonts, and a random set of user installed fonts.

The random set is determined for each site and each session, which means that a site will have access to all listed fonts during the entire browsing session.

Brave notes that the protective feature may prove problematic in certain edge cases, for instance, when a particular user-installed font is required for a specific site. Brave 1.39 has a new option under brave://settings/shields that turns off the feature in the browser by toggling "Prevent sites from fingerprinting me based on my language preferences".

Brave plans to monitor the rollout of the feature to adjust it if compatibility issues are noticed on sites.

Closing Words

Brave continues to extend the privacy features of its web browser. The new preferred language and font fingerprinting protections add two more protections to the browser that make it more difficult for sites to use fingerprinting for tracking.

Now Read: Study on the effectiveness of counter-fingerprinting measures

Brave Browser gets language and font fingerprinting privacy protections

This phishing campaign aims to lead the recipient through a series of steps that will ultimately end with the installation of an information-stealing malware infection, opening the way to credential theft.

Information-stealing malware is aggressively distributed today via various means, with phishing remaining a primary channel for threat actors.

The information stolen by these special-purpose malware tools is predominately account credentials stored in browsers and applications but also targets cryptocurrency wallets, SSH keys, and even files stored on the computer.

WhatsApp voice messages as a lure

The new WhatsApp voice message phishing campaign was discovered by researchers at Armoblox, who are constantly on the lookout for new phishing threats.

For years, WhatsApp has had the ability to send voice messages to users in groups and private chats, with the feature receiving new enhancements last week.

A timely phishing attack pretends to be a notification from WhatsApp stating that they received a new private message. This email features an embedded “Play” button and audio clip duration and creation time details.

The sender, masquerading as a "Whatsapp Notifier" service, is using an email address belonging to the Center for Road Safety of the Moscow Region.

The phishing email impersonating WhatsApp (Armoblox)

Due to this being a genuine and legitimate entity, the messages aren't flagged or blocked by email security solutions, which typically is the biggest problem for phishing actors.

Armoblox believes this is a case of the hackers having somehow exploited the domain to promote their purpose, so the organization plays a role without knowledge.

If the recipient clicks on the "Play" button in the message body, they are redirected to a website that serves an allow/block prompt for installing a JS/Kryptic trojan.

To trick the victim into clicking on "Allow," the threat actors display a web page stating that you need to click 'Allow' to confirm you are not a robot. However, clicking these allow buttons will subscribe the user to browser notifications that send in-browser advertisements for scams, adult sites, and malware.

The website that installs the malware (Armoblox)

This simple trick can be very effective with people who are not consciously aware or thinking twice about their actions online.

Once the “allow” option is pressed, the browser will prompt the user to install the payload, which in this case is an information-stealing malware.

How to protect yourself

The fact that the emails in this campaign bypassed numerous secure email solutions makes it a particularly nasty case, but the clues that it was phishing were still abundant.

First, the email address has nothing to do with WhatsApp, and the same goes for the landing URL that requests the victims to click “Allow” to confirm they’re real. They are both obviously out of WhatsApp’s domain space.

Secondly, voice messages received on WhatsApp are downloaded automatically in the client app, so the IM company would never inform you about receiving one via email.

Thirdly, the phishing email features no WhatsApp logo, which is almost certainly to avoid having trouble with the VMC checks introduced by Gmail last year.

To protect yourself from phishing attempts, always take your time to look into potential signs of fraud when receiving messages that make surprising claims, and never jump into action.

If you need to check something, do it yourself through the official website or application, and never by following URLs or instructions provided in the message.

WhatsApp voice message phishing emails push info-stealing malware