<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/131/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Video Ad-Block for Twitch extension banned from Chrome and Firefox for redirecting users and injecting referral links</title><link>https://nsaneforums.com/news/security-privacy-news/video-ad-block-for-twitch-extension-banned-from-chrome-and-firefox-for-redirecting-users-and-injecting-referral-links-r5123/</link><description><![CDATA[<p>
	Video ads are perhaps the most annoying thing on the internet. This is one of many reasons why one should use an ad-blocker, but what happens when an add-on that is supposed to protect you goes rogue? That, sadly, is what has happened to the Video Ad-Block for Twitch extension.
</p>

<p>
	<img alt="Video-Ad-Block-for-Twitch-extension-bann" class="ipsImage" data-ratio="75.10" height="390" width="720" src="https://www.ghacks.net/wp-content/uploads/2022/04/Video-Ad-Block-for-Twitch-extension-banned-from-Chrome-and-Firefox-for-redirecting-users-and-injecting-referral-links-scaled.webp">
</p>

<p>
	The add-on, which was available for Google Chrome and Mozilla Firefox, had over 600,000 users. The <a data-wpel-link="external" href="https://github.com/saucettv/VideoAdBlockForTwitch/" rel="external nofollow" target="_blank">GitHub page</a> for the Video Ad-Block for Twitch extension has vanished, which was the first bad sign. Here is a <a data-wpel-link="external" href="https://web.archive.org/web/20220308103644/https://github.com/saucettv/VideoAdBlockForTwitch" rel="external nofollow" target="_blank">web archive</a> page of the original repo.
</p>

<p>
	What followed was worse: the add-on was updated and requested new permissions. More specifically, the extension wanted to "Read and change your data on all Amazon sites". Some users <a data-wpel-link="external" href="https://old.reddit.com/r/LivestreamFail/comments/ts1rmm/popular_video_adblock_for_twitch_extension_with/i2p34y2/" rel="external nofollow" target="_blank">spotted</a> that product listings on Amazon.UK ended with a referral tag "aradb-21", which the browser plugin had begun injecting. The extension's developer could earn a commission when someone buys a product after clicking the affiliate URLs.
</p>

<p>
	It's not just that: the add-on was also redirecting requests made to Amazon.UK without the user being aware of it. Both of these practices violate store policies and are considered malware. So it is not surprising that <a data-wpel-link="external" href="https://chrome.google.com/webstore/detail/twitch-adblock/ljhnljhabgjcihjoihakgdiicdjncpkd" rel="external nofollow" target="_blank">Google</a> and <a data-wpel-link="external" href="https://addons.mozilla.org/en-US/firefox/addon/video-ad-block-for-twitch/" rel="external nofollow" target="_blank">Mozilla</a> have banned the extension from their extension repositories. If you are using the Video Ad-Block for Twitch extension, you should uninstall it right away. For those who are interested in the technical side of things, <a data-wpel-link="external" href="https://github.com/pixeltris/TwitchAdSolutions/issues/61" rel="external nofollow" target="_blank">here</a> is the code that was used to redirect users.
</p>

<p>
	A few months ago, Raymond Gorhill, the creator of <a data-wpel-link="internal" href="https://www.ghacks.net/2022/03/11/ublock-origin-is-now-the-most-popular-firefox-add-on/" rel="external nofollow" target="_blank">uBlock Origin</a>, had <a data-wpel-link="external" href="https://old.reddit.com/r/uBlockOrigin/comments/rocunk/verified_solution_to_ads_on_twitch/hpz5q3s/" rel="external nofollow" target="_blank">praised</a> such add-ons because extensions dedicated to blocking ads on a single site are updated faster and offer better support than regular ad blockers. Ironically, his comment was written in a discussion about this very add-on, which had not yet been banned at the time. Who could have predicted the fall of such a popular extension? But don't worry: there are a couple of alternative methods that are readily available.
</p>

<h4>
	What should you use to block ads on Twitch?
</h4>

<p>
	Another developer has forked a clean version of the add-on and provides it under the name <a data-wpel-link="external" href="https://github.com/cleanlock/VideoAdBlockForTwitch" rel="external nofollow" target="_blank">Twitch Adblock</a>. It is free and open source, and has a cheeky description mocking the original extension's malpractices. The extension is available for <a data-wpel-link="external" href="https://addons.mozilla.org/en-US/firefox/addon/twitch-adblock/" rel="external nofollow" target="_blank">Firefox</a> and <a data-wpel-link="external" href="https://old.reddit.com/r/uBlockOrigin/comments/tvcwxu/should_i_be_worried_video_adblock_for_twitch/" rel="external nofollow" target="_blank">Chrome</a>. It has been <a data-wpel-link="external" href="https://old.reddit.com/r/uBlockOrigin/comments/tvcwxu/should_i_be_worried_video_adblock_for_twitch/" rel="external nofollow" target="_blank">recommended</a> by a member of the uBlock Origin team as a proper alternative to the Video Ad-Block for Twitch extension.
</p>

<p>
	uBlock Origin does a lot of things well, but it struggles with ads on Twitch, because Amazon keeps updating its systems to combat ad blockers. Why? Because Twitch offers an ad-free experience as part of its <a data-wpel-link="internal" href="https://www.ghacks.net/2018/08/21/ad-free-viewing-changes-on-twitch/" rel="external nofollow" target="_blank">Twitch Turbo</a> plan, which costs $8.99/month, and that's easy money for the company. That being said, there is a way to get the add-on to block ads on Twitch, by editing the filters and changing some settings.
</p>

<h3>
	How to configure uBlock Origin to block ads on Twitch
</h3>

<p>
	1. Click on uBlock Origin's button, and open the Dashboard.
</p>

<p>
	2. Switch to the My Filters tab.
</p>

<p>
	3. Paste the following line in it.
</p>

<p>
	twitch.tv##+js(twitch-videoad)
</p>

<p>
	<img alt="ublock-origin-block-ads-in-twitch-videos" class="ipsImage" data-ratio="59.71" height="329" width="551" src="https://www.ghacks.net/wp-content/uploads/2022/04/ublock-origin-block-ads-in-twitch-videos.webp">
</p>

<p>
	4. Apply the Changes.
</p>

<p>
	5. Go to the main Settings page of uBlock Origin, and toggle the checkbox next to "I am an Advanced User."
</p>

<p>
	6. Click the gear icon next to it. Set the value of the userResourcesLocation to <a href="https://github.com/pixeltris/TwitchAdSolutions/raw/master/notify-strip/notify-strip-ublock-origin.js" ipsnoembed="false" rel="external nofollow">https://github.com/pixeltris/TwitchAdSolutions/raw/master/notify-strip/notify-strip-ublock-origin.js</a>
</p>

<p>
	7. Hit the Apply Changes button to save the settings.
</p>

<p>
	Note: You can also use the notify-swap version, available via the link below, if the video freezes for you.
</p>

<p>
	<img alt="How-to-configure-uBlock-Origin-to-block-" class="ipsImage" data-ratio="75.10" height="540" width="643" src="https://www.ghacks.net/wp-content/uploads/2022/04/How-to-configure-uBlock-Origin-to-block-ads-on-Twitch.webp">
</p>

<p>
	8. Restart the browser, and try watching the Twitch videos which displayed ads. The ads should no longer be displayed in the videos.
</p>

<p>
	Credit: <a data-wpel-link="external" href="https://github.com/pixeltris/TwitchAdSolutions" rel="external nofollow" target="_blank">Pixeltris</a>
</p>

<p>
	It is unclear why the Video Ad-Block for Twitch extension went bad. Rumors suggest that the developer sold it to a third party, and that the new owners switched the add-on from an open source project to a closed model. This is not the first time an extension has sold out its users, and it probably won't be the last.
</p>

<p>
	<a href="https://www.ghacks.net/2022/04/04/chrome-and-firefox-ban-the-video-ad-block-for-twitch-extension/" rel="external nofollow">Video Ad-Block for Twitch extension banned from Chrome and Firefox for redirecting users and injecting referral links</a>
</p>
]]></description><guid isPermaLink="false">5123</guid><pubDate>Mon, 04 Apr 2022 19:57:18 +0000</pubDate></item><item><title>Hackers breach MailChimp's internal tools to target crypto customers</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-breach-mailchimps-internal-tools-to-target-crypto-customers-r5121/</link><description><![CDATA[<p>
	Email marketing firm MailChimp disclosed on Sunday that they had been hit by hackers who gained access to internal customer support and account management tools to steal audience data and conduct phishing attacks.
</p>

<p>
	Sunday morning, Twitter was <a href="https://www.bleepingcomputer.com/news/security/fake-trezor-data-breach-emails-used-to-steal-cryptocurrency-wallets/" target="_blank" rel="external nofollow">abuzz with reports</a> from owners of Trezor hardware cryptocurrency wallets who received phishing notifications claiming that the company suffered a data breach.
</p>

<p>
	These emails prompted Trezor customers to reset their hardware wallet PINs by downloading malicious software that allowed the theft of the stored cryptocurrency.
</p>

<p>
	<img alt="trezor-data-breach-notification-email.jp" class="ipsImage" data-ratio="90.15" height="540" width="401" src="https://www.bleepstatic.com/images/news/security/c/cryptocurrency/trezor/fake-data-breach/trezor-data-breach-notification-email.jpg">
</p>

<p>
	Fake Trezor data breach notification<br>
	Source: <a href="https://twitter.com/lifeindefi/status/1510474128410746881" rel="external nofollow" target="_blank">Twitter</a>
</p>

<p>
	Trezor <a href="https://twitter.com/Trezor/status/1510558771944333312" rel="external nofollow" target="_blank">later shared</a> that MailChimp had been compromised by threat actors targeting the cryptocurrency industry, who conducted the phishing attack.
</p>

<h2>
	MailChimp breach targeted crypto, finance
</h2>

<p>
	In an email to BleepingComputer, MailChimp has confirmed that the breach was more significant than just Trezor's account being accessed by threat actors.
</p>

<p>
	According to MailChimp, some of their employees fell for a social engineering attack that led to the theft of their credentials.
</p>

<p>
	"On March 26, our Security team became aware of a malicious actor accessing one of our internal tools used by customer-facing teams for customer support and account administration," MailChimp CISO, Siobhan Smyth, told BleepingComputer.
</p>

<p>
	"The incident was propagated by an external actor who conducted a successful social engineering attack on Mailchimp employees, resulting in employee credentials being compromised."
</p>

<p>
	"We acted swiftly to address the situation by terminating access for the compromised employee accounts and took steps to prevent additional employees from being affected."
</p>

<p>
	These credentials were used to access 319 MailChimp accounts and to export "audience data," likely mailing lists, from 102 customer accounts.
</p>

<p>
	In addition to viewing accounts and exporting data, the threat actors gained access to API keys for an undisclosed number of customers, which have now been disabled and can no longer be used.
</p>

<p>
	Application Programming Interface (API) keys are <a href="https://mailchimp.com/developer/" rel="external nofollow" target="_blank">access tokens that allow MailChimp customers</a> to manage their accounts and perform marketing campaigns directly from their own websites or platforms.
</p>

<p>
	Using these compromised API keys, a threat actor can create custom email campaigns, such as phishing campaigns, and send them to mailing lists without accessing MailChimp's customer portal.
</p>

<p>
	Smyth told BleepingComputer that all of the compromised account holders have been notified and that the threat actors accessed customers in the cryptocurrency and finance sectors.
</p>

<p>
	MailChimp says that they received reports of this access being used to conduct phishing campaigns against stolen contacts but have not disclosed information about those attacks.
</p>

<p>
	MailChimp recommends that all customers enable two-factor authentication on their accounts for further protection.
</p>

<p style="margin-left: 40px;">
	"We sincerely apologize to our users for this incident and realize that it brings inconvenience and raises questions for our users and their customers. We take pride in our security culture, infrastructure, and the trust our customers place in us to safeguard their data. We’re confident in the security measures and robust processes we have in place to protect our users’ data and prevent future incidents."
</p>

<p style="margin-left: 40px;">
	Siobhan Smyth, Mailchimp’s CISO.
</p>

<p>
	This attack is reminiscent of recent breaches by the Lapsus$ hacking group, who used social engineering, malware, and credential theft to gain access to numerous well-known companies, including <a href="https://www.bleepingcomputer.com/news/security/nvidia-confirms-data-was-stolen-in-recent-cyberattack/" rel="external nofollow">Nvidia</a>, <a href="https://www.bleepingcomputer.com/news/security/samsung-confirms-hackers-stole-galaxy-devices-source-code/" rel="external nofollow">Samsung</a>, <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-they-were-hacked-by-lapsus-extortion-group/" rel="external nofollow">Microsoft</a>, and <a href="https://www.bleepingcomputer.com/news/security/okta-confirms-25-percent-customers-impacted-by-hack-in-january/" rel="external nofollow">Okta</a>.
</p>

<p>
	The Okta breach was accomplished through a similar method as MailChimp, by social-engineering a contractor who had access to internal customer support and account management systems.
</p>

<p>
	BleepingComputer has sent MailChimp and Trezor further questions about the breach but has not heard back.
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/hackers-breach-mailchimps-internal-tools-to-target-crypto-customers/" rel="external nofollow">Hackers breach MailChimp's internal tools to target crypto customers</a>
</p>
]]></description><guid isPermaLink="false">5121</guid><pubDate>Mon, 04 Apr 2022 19:49:57 +0000</pubDate></item><item><title>New Borat remote access malware is no laughing matter</title><link>https://nsaneforums.com/news/security-privacy-news/new-borat-remote-access-malware-is-no-laughing-matter-r5112/</link><description><![CDATA[<p>
	<img alt="borat.jpg?rand=319564607" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://www.bleepstatic.com/content/hl-images/2022/04/01/borat.jpg?rand=319564607">
</p>

<p>
	A new remote access trojan (RAT) named Borat has appeared on darknet markets, offering easy-to-use features to conduct DDoS attacks, UAC bypass, and ransomware deployment.
</p>

<p>
	As a RAT, Borat enables remote threat actors to take complete control of their victim’s mouse and keyboard, access files, network points, and hide any signs of their presence.
</p>

<p>
	The malware lets its operators choose their compilation options to create small payloads that feature precisely what they need for highly tailored attacks.
</p>

<p>
	Borat was analyzed by researchers at <a href="https://blog.cyble.com/2022/03/31/deep-dive-analysis-borat-rat/" rel="external nofollow" target="_blank">Cyble</a>, who spotted it in the wild and sampled the malware for a technical study that revealed its functionality.
</p>

<p>
	<img alt="features.jpg" class="ipsImage" data-ratio="66.39" height="430" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Software/features.jpg">
</p>

<p>
	Some of Borat's features (Cyble)
</p>

<h2>
	Extensive features
</h2>

<p>
	It is unclear if the Borat RAT is sold or freely shared among cybercriminals, but Cyble says it comes in the form of a package that includes a builder, the malware’s modules, and a server certificate.
</p>

<p>
	<img alt="files.jpg" class="ipsImage" data-ratio="25.21" height="152" width="603" src="https://www.bleepstatic.com/images/news/u/1220909/Software/files.jpg">
</p>

<p>
	Files in the Borat RAT archive (Cyble)
</p>

<p>
	The features of the trojan, each having its own dedicated module, include the following:
</p>

<ul>
	<li>
		<strong>Keylogging </strong>– monitor and log key presses and store them in a txt file
	</li>
	<li>
		<strong>Ransomware </strong>– deploy ransomware payloads onto the victim’s machine and automatically generate a ransom note through Borat
	</li>
	<li>
		<strong>DDoS </strong>– direct garbage traffic to a target server by using the compromised machine’s resources
	</li>
	<li>
		<strong>Audio recording</strong> – record audio via the microphone, if available, and store it in a wav file
	</li>
	<li>
		<strong>Webcam recording</strong> – record video from the webcam, if available
	</li>
	<li>
		<strong>Remote desktop</strong> – start a hidden remote desktop to perform file operations, use input devices, execute code, launch apps, etc.
	</li>
	<li>
		<strong>Reverse proxy</strong> – set up a reverse proxy to protect the remote operator from having their identity exposed
	</li>
	<li>
		<strong>Device info</strong> – gather basic system information
	</li>
	<li>
		<strong>Process hollowing</strong> – inject malware code into legitimate processes to evade detection
	</li>
	<li>
		<strong>Credential stealing</strong> – steal account credentials stored in Chromium-based web browsers
	</li>
	<li>
		<strong>Discord token stealing</strong> – steal Discord tokens from the victim
	</li>
	<li>
		<strong>Other functions</strong> – disrupt and confuse the victim by playing audio, swapping the mouse buttons, hiding the desktop, hiding the taskbar, holding the mouse, turning off the monitor, showing a blank screen, or hanging the system
	</li>
</ul>

<p>
	<img alt="more-features.jpg" class="ipsImage" data-ratio="75.10" height="343" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Software/more-features.jpg">
</p>

<p>
	More of Borat's advertised features (Cyble)
</p>

<p>
	As noted in Cyble’s analysis, the above features make Borat essentially a RAT, spyware, and ransomware, so it’s a potent threat that could conduct a variety of malicious activity on a device.
</p>

<p>
	All in all, even though the RAT's developer decided to name it after the main character of the comedy movie Borat, incarnated by Sacha Baron Cohen, the malware is no joke at all.
</p>

<p>
	Digging deeper to find the origin of this malware, Bleeping Computer found that the payload executable was recently <a href="https://www.virustotal.com/gui/file/b47c77d237243747a51dd02d836444ba067cf6cc4b8b3344e5cf791f5f41d20e/community" rel="external nofollow" target="_blank">identified as AsyncRAT</a>, so it's likely that its author based his work on it.
</p>

<p>
	Typically, threat actors distribute these tools via laced executables or files that masquerade as cracks for games and applications, so be careful not to download anything from untrustworthy sources such as torrents or shady sites.
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/new-borat-remote-access-malware-is-no-laughing-matter/" rel="external nofollow">New Borat remote access malware is no laughing matter</a>
</p>
]]></description><guid isPermaLink="false">5112</guid><pubDate>Sun, 03 Apr 2022 20:16:31 +0000</pubDate></item><item><title>Google bashes Microsoft, says that its tech makes customers less secure</title><link>https://nsaneforums.com/news/security-privacy-news/google-bashes-microsoft-says-that-its-tech-makes-customers-less-secure-r5082/</link><description><![CDATA[<p>
	<a href="https://cloud.google.com/blog/products/identity-security/government-workers-say-microsoft-tech-makes-them-less-secure-new-survey" rel="external nofollow">In a bold and, frankly, unwarranted blog post</a>, Google has attacked Microsoft, saying that its tech makes customers less secure. If you're wondering what the basis for such an extraordinary claim is, the firm has cited the results of a Public Opinion Strategies survey commissioned by Google itself. The survey polled 2,600 American workers, including 338 people who work for the government in various capacities.
</p>

<p>
	Although the survey consisted of questions about various topics including cybersecurity, legacy software, and purchasing habits of organizations, there were some questions that involved Microsoft too.
</p>

<p>
	According to the results, 84% of D.C. metro government employees use Microsoft services such as Teams, Word, Outlook, and OneDrive. The majority of all respondents claimed that the government's reliance on Microsoft tech makes it more vulnerable to cybersecurity incidents such as hacks. And why do they believe this, you ask? Apparently, Google doesn't think that this is important enough to disclose or even ask about.
</p>

<p>
	Google further attacked Microsoft by implying that the firm's tech is actually legacy and that the only reason organizations aren't switching to newer vendors is resistance to change. Roughly half of the respondents also claimed that there are other products out there which would allow them to do their jobs better. Google says that this has led to a harmful trend of shadow IT, where workers use unapproved software to be more productive at their workplace. And why are they being allowed to download software without any vetting from IT admins? Apparently, Google doesn't think that this is important enough to disclose or even ask about.
</p>

<p>
	As a final note, Google also added that organizations need to rethink their software purchasing strategies, going on to say that:
</p>

<p style="margin-left: 40px;">
	With so many survey respondents reporting that they are dissatisfied with their legacy IT solutions, it may be time for the government to rethink its approach to procurement.
</p>

<p style="margin-left: 40px;">
	[...] As governments work to meet the demands and preferences of their constituents—and their employees—it’s clear that there’s an overreliance on legacy solutions, despite a track record of cybersecurity vulnerabilities and poor user perception.
</p>

<p style="margin-left: 40px;">
	At Google Cloud, we believe it’s time for more diversity and choice in the tools available for our civil servants across the nation—70% of whom use Gmail outside of work, according to our survey. Government workers have the right to benefit from the same flexible, secure-by-design tools at the office that they use in their personal lives.
</p>

<p>
	<a href="https://www.nbcnews.com/tech/security/attacking-rival-google-says-microsofts-hold-government-security-proble-rcna22159" rel="external nofollow">In a statement to NBC News</a>, Microsoft expressed disappointment at Google's tactics but stated that it's not surprised to see its competitor utilizing these methods to push its own products. On a sassy note, the Redmond tech giant has said that it will continue supporting the U.S. government and its other customers with its "best software and security services".
</p>

<p>
	As someone who uses both Google and Microsoft services across various workflows, I'll be honest here. The survey and Google's associated blog post read more like a hit piece rather than actual findings. There's an absurd lack of context to the responses and it's clear that the company just wants to attack Microsoft and push its own products. While that makes sense from a competing standpoint, perhaps its efforts and money would be better spent on improving its own services rather than commissioning weak surveys to bash the competition.
</p>

<p>
	<a href="https://www.neowin.net/news/google-bashes-microsoft-says-that-its-tech-makes-customers-less-secure/" rel="external nofollow">Google bashes Microsoft, says that its tech makes customers less secure</a>
</p>
]]></description><guid isPermaLink="false">5082</guid><pubDate>Fri, 01 Apr 2022 20:17:40 +0000</pubDate></item><item><title>Two UK teenagers have been arrested for their alleged link to the hacking group Lapsus$</title><link>https://nsaneforums.com/news/security-privacy-news/two-uk-teenagers-have-been-arrested-for-their-alleged-link-to-the-hacking-group-lapsus-r5081/</link><description><![CDATA[<p>
	Two UK teenagers, a 16-year-old and a 17-year-old, <a href="https://www.cityoflondon.police.uk/news/city-of-london/news/2022/march/two-teenagers-charged-in-connection-with-investigation-into-hacking-group/" rel="external nofollow">have been arrested</a> by the City of London Police for their suspected links to the hacking group Lapsus$ which has carried out a number of attacks on high profile targets. Both have been charged and remain in police custody.
</p>

<p>
	According to the City of London Police announcement, the two boys appeared at Highbury Corner Magistrates Court but it has not said anything on this front since. The teens are being charged with three counts of unauthorised access to a computer with intent to impair the reliability of data, one count of fraud by false representation and one count of unauthorised access to a computer with intent to hinder access to data. The 16-year-old has also been charged with one count of causing a computer to perform a function to secure unauthorised access to a program.
</p>

<p>
	Last week, <a href="https://www.neowin.net/news/suspected-lapsus-hackers-rounded-up-by-city-of-london-police/" rel="external nofollow">we reported</a> that the City of London Police had arrested a group of seven teenagers that were suspected of being involved with Lapsus$ so it’s interesting to see that just two have been charged. At the time, it was also reported that a 16-year-old from Oxford had his name revealed by rival hackers – he could be the same person as the one who has been charged but that’s a bit unclear.
</p>

<p>
	Last week, the group stated on its Telegram channel that some of its members were on “vacation” and that updates may take some time. The group has resumed activity again and has leaked admin passwords for Globant’s platforms. Globant is an Argentinian IT and software development company.
</p>

<p>
	<a href="https://www.neowin.net/news/two-uk-teenagers-have-been-arrested-for-their-alleged-link-to-the-hacking-group-lapsus/" rel="external nofollow">Two UK teenagers have been arrested for their alleged link to the hacking group Lapsus$</a>
</p>
]]></description><guid isPermaLink="false">5081</guid><pubDate>Fri, 01 Apr 2022 20:16:34 +0000</pubDate></item><item><title>Apple emergency update fixes zero-days used to hack iPhones, Macs</title><link>https://nsaneforums.com/news/security-privacy-news/apple-emergency-update-fixes-zero-days-used-to-hack-iphones-macs-r5064/</link><description><![CDATA[<p>
	Apple has released security updates on Thursday to address two zero-day vulnerabilities exploited by attackers to hack iPhones, iPads, and Macs.
</p>

<p>
	Zero-day security bugs are flaws the software vendor is unaware of and hasn't patched. In some cases, they also have publicly available proof-of-concept exploits or may be actively exploited in the wild.
</p>

<p>
	In <a href="https://support.apple.com/en-us/HT213219" rel="external nofollow" target="_blank">security</a> <a href="https://support.apple.com/en-us/HT213220" rel="external nofollow" target="_blank">advisories</a> published today, Apple said that they're aware of reports the issues "may have been actively exploited."
</p>

<p>
	The two flaws are an out-of-bounds write issue (CVE-2022-22674) in the Intel Graphics Driver that allows apps to read kernel memory and an out-of-bounds read issue (CVE-2022-22675) in the AppleAVD media decoder that will enable apps to execute arbitrary code with kernel privileges.
</p>

<p>
	The bugs were reported by anonymous researchers and fixed by Apple in iOS 15.4.1, iPadOS 15.4.1, and macOS Monterey 12.3.1 with improved input validation and bounds checking, respectively.
</p>

<p>
	The list of impacted devices includes:
</p>

<ul>
	<li>
		Macs running macOS Monterey
	</li>
	<li>
		iPhone 6s and later
	</li>
	<li>
		iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).
	</li>
</ul>

<p>
	Apple disclosed active exploitation in the wild; however, it did not release any additional information regarding these attacks.
</p>

<p>
	Withholding this information is likely designed to allow the security updates to reach as many iPhones, iPads, and Macs as possible before threat actors pick up on the details and start abusing the now-patched zero-days.
</p>

<p>
	Even though these zero-days were likely only used in targeted attacks, it's still strongly advised to install today's security updates as soon as possible to block potential attack attempts.
</p>

<h2>
	Five zero-days patched by Apple this year
</h2>

<p>
	In January, <a href="https://www.bleepingcomputer.com/news/apple/apple-fixes-new-zero-day-exploited-to-hack-macos-ios-devices/" target="_blank" rel="external nofollow">Apple patched two more actively exploited zero-days</a> that can enable attackers to achieve arbitrary code execution with kernel privileges (CVE-2022-22587) and track web browsing activity and the users' identities in real-time (CVE-2022-22594).
</p>

<p>
	 
</p>

<p>
	In February, Apple released security updates <a href="https://www.bleepingcomputer.com/news/security/apple-patches-new-zero-day-exploited-to-hack-iphones-ipads-macs/" target="_blank" rel="external nofollow">to fix a new zero-day bug</a> exploited to hack iPhones, iPads, and Macs, leading to OS crashes and remote code execution on compromised devices after processing maliciously crafted web content.
</p>

<p>
	 
</p>

<p>
	These first three zero-days also impacted iPhones (iPhone 6s and up), Macs running macOS Monterey, and multiple iPad models.
</p>

<p>
	 
</p>

<p>
	The company also had to deal with <a href="https://www.bleepingcomputer.com/news/security/emergency-apple-ios-1502-update-fixes-zero-day-used-in-attacks/" target="_blank" rel="external nofollow">an almost unending stream of zero-days exploited in the wild</a> to target iOS, iPadOS, and macOS devices throughout 2021.
</p>

<p>
	 
</p>

<p>
	That list includes multiple <a href="https://www.bleepingcomputer.com/news/apple/new-zero-click-iphone-exploit-used-to-deploy-nso-spyware/" target="_blank" rel="external nofollow">flaws used to deploy NSO's Pegasus spyware</a> on iPhones belonging to journalists, activists, and politicians.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/apple-emergency-update-fixes-zero-days-used-to-hack-iphones-macs/" rel="external nofollow">Apple emergency update fixes zero-days used to hack iPhones, Macs</a>
</p>
]]></description><guid isPermaLink="false">5064</guid><pubDate>Thu, 31 Mar 2022 19:03:39 +0000</pubDate></item><item><title>Chrome&#x2019;s &#x201C;Topics&#x201D; advertising system is here, whether you want it or not</title><link>https://nsaneforums.com/news/security-privacy-news/chrome%E2%80%99s-%E2%80%9Ctopics%E2%80%9D-advertising-system-is-here-whether-you-want-it-or-not-r5063/</link><description><![CDATA[<h3>
	Nightly Chrome canary builds can now track user interests and run ad auctions.
</h3>

<p>
	<img alt="19-800x656.jpg" class="ipsImage" data-ratio="75.10" height="540" width="658" src="https://cdn.arstechnica.net/wp-content/uploads/2022/03/19-800x656.jpg">
</p>

<div>
	The Privacy Sandbox settings.
</div>

<div>
	Google
</div>

<div>
	 
</div>

<div itemprop="articleBody">
	
	<p>
		Google is on a quest to kill the third-party web cookie, which is often used by advertisers to track users for targeted ads. Unlike other browser companies like Apple and Mozilla, which block third-party cookies outright, Google is one of the world's largest advertising companies. It doesn't want to kill the third-party cookie without first protecting its primary revenue source. Google seems to view user tracking as a mandatory part of Internet usage, and instead of third-party cookies, it wants to build a user-tracking system directly into its Chrome browser. Google's eye-roll-inducing name for this advertising system is the "<a href="https://arstechnica.com/gadgets/2022/01/google-drops-floc-after-widespread-opposition-pivots-to-topics-api-plan/" rel="external nofollow">Privacy Sandbox</a>," and on Thursday, the company released its latest tracking solution in Chrome's nightly "Canary" builds.
	</p>

	<p>
		 
	</p>

	<p>
		The latest <a href="https://blog.chromium.org/2022/03/what-to-expect-from-ps-testing.html" rel="external nofollow">Chromium Blog</a> post laid out the current timeline, "Starting today, developers can begin testing globally the Topics, FLEDGE, and Attribution Reporting APIs in the Canary version of Chrome. We’ll progress to a limited number of Chrome Beta users as soon as possible. Once things are working smoothly in Beta, we’ll make API testing available in the stable version of Chrome to expand testing to more Chrome users."
	</p>

	<p>
		 
	</p>

	<p>
		Topics will have Chrome locally track your browsing history and build a list of interests, which Chrome will then share with advertisers whenever they ask for ad targeting. If you want a breakdown of the APIs name-checked in Google's statement, the <a href="https://developer.android.com/design-for-safety/ads/fledge" rel="external nofollow">FLEDGE</a> API is responsible for running an ad auction directly on your device, picking an advertiser, and then targeting users based on behavior, like leaving an item in a shopping cart. The Attribution Reporting API is responsible for measuring ad clicks and impressions and tracking purchase conversions.
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="image-980x861.png" class="ipsImage" data-ratio="75.10" height="540" width="615" src="https://cdn.arstechnica.net/wp-content/uploads/2022/03/image-980x861.png">
	</p>

	<div>
		On this page, you can remove any ad interests you don't like.
	</div>

	<div>
		Google
	</div>

	<div>
		 
	</div>

	<p>
		Besides getting the first build of the system up and running for advertisers, Thursday's release also gives us a look at what the user controls will look like. There is now a chrome://settings/privacySandbox page, where you can enable or disable the trial. The "browser-based ad personalization" page lets you see what topics Chrome believes you're interested in, and you can remove any you don't like.
	</p>

	<p>
		 
	</p>

	<p>
		Again, this is only on the experimental Chrome Canary browser, which no one uses as a daily driver, so it will be a while before most people see these controls. Google has the first prototypes out there and said: "We strongly encourage developers to share feedback publicly and with Chrome, and we’ll closely monitor progress along the way. We also welcome the role industry associations can play in this process, from facilitating collaborative industry tests to aggregating feedback themes."
	</p>

	<p>
		 
	</p>

	<p>
		Google's first swing at a Chrome user-tracking system was called FLoC, but after many privacy advocates <a href="https://arstechnica.com/gadgets/2021/04/everybody-hates-floc-googles-tracking-plan-for-chrome-ads/" rel="external nofollow">spoke out</a> against that idea, Google dropped it and pivoted to the current "Topics" solution. There<a href="https://vivaldi.com/blog/technology/heads-up-googles-going-off-topics-again/" rel="external nofollow"> isn't a huge difference</a> between the two systems, other than it seems less likely that someone would be able to individually target a user with the Topics API. It's hard to not find both proposals extremely gross. Google argues that it is mandatory that it builds a user tracking and advertising system into Chrome, and the company says it won't block third-party cookies until it accomplishes that.
	</p>

	<p>
		 
	</p>

	<p>
		Google built its empire on the back of its advertising and user-tracking systems and receives <a href="https://searchengineland.com/google-q4-2021-earnings-379735#:~:text=Wondering%20what%20percent%20of%20Alphabet's,billion%20in%20revenue%2C%20Alphabet%20reported." rel="external nofollow">82 percent</a> of its total revenue from ads. <a href="https://arstechnica.com/series/google-kills-product/" rel="external nofollow">A lot of Google products</a> are developed, launched, and shut down with absolutely no bearing on Google's bottom line, but this is the foundation of the Google empire that we're talking about. It seems existentially important that Google forces a favorable outcome, no matter what the rest of the Internet says.
	</p>

	<p>
		 
	</p>

	<p>
		Listing image by <a href="https://www.gettyimages.com/" rel="external nofollow">Getty Images</a>
	</p>

	<p>
		 
	</p>
</div>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/gadgets/2022/03/googles-topics-advertising-system-starts-rolling-out-to-chrome-canary/" rel="external nofollow">Chrome’s “Topics” advertising system is here, whether you want it or not</a>
</p>
]]></description><guid isPermaLink="false">5063</guid><pubDate>Thu, 31 Mar 2022 19:02:13 +0000</pubDate></item><item><title>Globant confirms hack after Lapsus$ leaks 70GB of stolen data</title><link>https://nsaneforums.com/news/security-privacy-news/globant-confirms-hack-after-lapsus-leaks-70gb-of-stolen-data-r5054/</link><description><![CDATA[<p>
	IT and software consultancy firm Globant has confirmed that it was breached by the Lapsus$ data extortion group, which leaked data consisting of administrator credentials and source code.
</p>

<p>
	 
</p>

<p>
	As part of the leak, the hacking group released a 70GB archive of data stolen from Globant, describing it as “some customers source code.”
</p>

<h3>
	Source code and private keys
</h3>

<p>
	Globant is an IT and software development firm with over 16,000 employees worldwide and $1.2 billion in revenue for 2021.
</p>

<p>
	 
</p>

<p>
	Founded in Buenos Aires, Argentina, Globant is currently headquartered in Luxembourg and boasts a well-known list of customers, including Metropolitan Police, SmileDirectClub, Autodesk, Electronic Arts, Santander, Interbank, Royal Caribbean, and many more.
</p>

<p>
	 
</p>

<p>
	Following the leak from Lapsus$, Globant issued a press release confirming that some of the company source code has been exposed to an unauthorized party.
</p>

<p>
	 
</p>

<div>
	<p style="margin-left: 40px;">
		“We have recently detected that a limited section of our company's code repository has been subject to unauthorized access” - <a href="https://www.prnewswire.com/news-releases/globant-official-update-301514040.html" rel="external nofollow" target="_blank">Globant</a>
	</p>

	<p>
		 
	</p>
</div>

<p>
	Among the data published by Lapsus$, there is a screenshot the group claims to be of an archived directory from Globant, containing folder names that appear to be company customers.
</p>

<p>
	 
</p>

<p>
	Some of the source code folders listed in the screenshot include, Abbott, apple-health-app, C-span, Fortune, Facebook, DHL, and Arcserve.
</p>

<p>
	 
</p>

<p>
	<img alt="GlobantLeak-Lapsus01.png" class="ipsImage" data-ratio="75.10" height="322" width="720" src="https://www.bleepstatic.com/images/news/u/1100723/2022/GlobantLeak-Lapsus01.png">
</p>

<p>
	 
</p>

<p>
	The metadata for the entries shows that the folders have been modified on March 29, which could indicate when the data was stolen.
</p>

<p>
	 
</p>

<p>
	In a follow-up post, Lapsus$ published a set of credentials for what they say give administrator access to various platforms used by Globant for developing, reviewing, and collaborating on customer code (Jira, Confluence, GitHub, Crucible).
</p>

<p>
	 
</p>

<p>
	<img alt="GlobantLeak-Lapsus02.png" class="ipsImage" data-ratio="80.96" height="540" width="487" src="https://www.bleepstatic.com/images/news/u/1100723/2022/GlobantLeak-Lapsus02.png">
</p>

<p>
	 
</p>

<p>
	A third post from the gang today shared a torrent file for about 70GB of data stolen from Globant. The company says that the intruder on its systems accessed “certain source code and project-related documentation for a very limited number of clients.”
</p>

<p>
	 
</p>

<p>
	<img alt="GlobantLeak-Lapsus03.png" class="ipsImage" data-ratio="102.35" height="436" width="426" src="https://www.bleepstatic.com/images/news/u/1100723/2022/GlobantLeak-Lapsus03.png">
</p>

<p>
	 
</p>

<p>
	The damage appears to be significant.
</p>

<p>
	 
</p>

<p>
	According to threat intelligence company <a href="http://sosintel.co.uk/" rel="external nofollow" target="_blank">SOS Intelligence</a>, the leaked data contains customer information as well as code repositories holding a large number of private keys (full-chain and web server SSL certificates, Globant server keys, API keys).
</p>
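<p>
	As an added illustration (not Globant's, SOS Intelligence's or Lapsus$'s tooling), the Python script below shows the kind of secrets scan, run pre-commit or during incident response, that flags material like this in a source tree. It runs over a constructed in-memory repository rather than real leaked files; the regex set, file names and placeholder key values are all assumptions of the example.
</p>

```python
import re
from typing import Dict, List, Tuple

# Patterns for credential material commonly found in leaked source trees.
# These regexes are this example's own, not any vendor's product.
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    # PEM private keys (RSA, EC, OpenSSH, PKCS#8 "PRIVATE KEY")
    "private_key": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
    # X.509 certificate blocks (a "full chain" file carries several of these)
    "certificate": re.compile(r"-----BEGIN CERTIFICATE-----"),
    # AWS access key IDs have a fixed prefix and length
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # A long token assigned to a variable whose name suggests a secret
    "assigned_secret": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"
    ),
}


def scan_text(path: str, text: str) -> List[Tuple[str, str, int]]:
    """Return (path, pattern_name, line_number) for every match in one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((path, name, lineno))
    return findings


def scan_repo(files: Dict[str, str]) -> List[Tuple[str, str, int]]:
    """Scan an in-memory {path: contents} mapping; swap in os.walk for a real checkout."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


def summarize(findings: List[Tuple[str, str, int]]) -> Dict[str, int]:
    """Count findings per pattern so a responder can size the exposure quickly."""
    counts: Dict[str, int] = {}
    for _, name, _ in findings:
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample repository (not real leaked data). Key and certificate
# bodies are placeholders; only the PEM headers matter to the scanner, and the
# AWS key is Amazon's documented example value.
SAMPLE_REPO = {
    "deploy/fullchain.pem": (
        "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
        "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
    ),
    "deploy/server.key": (
        "-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n-----END RSA PRIVATE KEY-----\n"
    ),
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "API_KEY = \"sk_live_0123456789abcdef0123\"\n"
    ),
    # Mentions API_KEY but assigns nothing, so it must not be flagged.
    "README.md": "# Service\nRun `make deploy` after setting API_KEY in the environment.\n",
}

if __name__ == "__main__":
    for path, name, lineno in scan_repo(SAMPLE_REPO):
        print(f"{path}:{lineno}: {name}")
    print(summarize(scan_repo(SAMPLE_REPO)))
```

<p>
	Matching on the PEM header rather than the body keeps the scan cheap and catches the "full chain" bundles and server keys the leak reportedly contained; the README line shows why the assignment pattern insists on a <code>=</code> or <code>:</code> followed by a long token, so documentation that merely names a variable does not produce noise.
</p>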

<p>
	 
</p>

<p>
	One of the repositories belongs to the Bluecap app, used for consultancy in the financial sector, which Globant acquired in late 2020.
</p>

<p>
	 
</p>

<p>
	<img alt="GlobantBluecap.png" class="ipsImage" data-ratio="60.33" height="400" width="663" src="https://www.bleepstatic.com/images/news/u/1100723/2022/GlobantBluecap.png">
</p>

<p>
	 
</p>

<p>
	The cache that Lapsus$ leaked also includes a little over 150 SQL database files for various customer applications, SOS Intelligence says.
</p>

<p>
	 
</p>

<div>
	<p style="margin-left: 40px;">
		"In terms of legitimacy, going just by volume alone it's hard to fabricate that amount of data - however samples of the data have been cross referenced with live systems and other methods that show the leak is legitimate and very significant as far as Globant and Globant's impacted customers are concerned" - SOS Intelligence
	</p>

	<p>
		 
	</p>
</div>

<p>
	Globant said today that its investigation into the incident did not reveal any evidence that the hackers compromised other parts of its infrastructure.
</p>

<h3>
	Lapsus$ on LE radar
</h3>

<p>
	The Lapsus$ data extortion group has been constantly making the news due to its attacks on major technology companies, like <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-they-were-hacked-by-lapsus-extortion-group/" target="_blank" rel="external nofollow">Microsoft</a>, <a href="https://www.bleepingcomputer.com/news/security/malware-now-using-nvidias-stolen-code-signing-certificates/" target="_blank" rel="external nofollow">Nvidia</a>, <a href="https://www.bleepingcomputer.com/news/security/samsung-confirms-hackers-stole-galaxy-devices-source-code/" target="_blank" rel="external nofollow">Samsung</a>, <a href="https://www.bleepingcomputer.com/news/security/okta-confirms-25-percent-customers-impacted-by-hack-in-january/" target="_blank" rel="external nofollow">Okta</a>, and <a href="https://www.bleepingcomputer.com/news/security/ubisoft-confirms-cyber-security-incident-resets-staff-passwords/" target="_blank" rel="external nofollow">Ubisoft</a>, many of them resulting in big data leaks.
</p>

<p>
	 
</p>

<p>
	Despite the big names on its victim list, Lapsus$ is believed to be made up mainly of teenagers exercising their hacking skills, driven chiefly by the wish to make a name for themselves on the hacking scene rather than by financial motivation.
</p>

<p>
	 
</p>

<p>
	The group has been on the radar of law enforcement for a while and some individuals, all <a href="https://www.bleepingcomputer.com/news/security/lapsus-suspects-arrested-for-microsoft-nvidia-okta-hacks/" target="_blank" rel="external nofollow">teens believed to be connected to Lapsus$</a>, have been arrested in the U.K.
</p>

<p>
	 
</p>

<p>
	The FBI is also investigating the activities of the group and has asked the public for any information leading to identifying Lapsus$ members involved in the compromise of computer networks from U.S.-based companies.
</p>

<p>
	 
</p>

<p>
	<img alt="FBI-Lapsus.png" class="ipsImage" data-ratio="75.10" height="540" width="634" src="https://www.bleepstatic.com/images/news/u/1100723/2022/FBI-Lapsus.png">
</p>

<p>
	 
</p>

<p>
	However, it is unclear how many active members are in the group and what roles they play.
</p>

<p>
	 
</p>

<p>
	It is believed that Lapsus$ has affiliates all over the world, as its <a href="https://twitter.com/pancak3lullz/status/1507003716703973382" rel="external nofollow" target="_blank">Telegram chats seem to suggest</a> that some members speak English, Russian, Turkish, German, and Portuguese.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/globant-confirms-hack-after-lapsus-leaks-70gb-of-stolen-data/" rel="external nofollow">Globant confirms hack after Lapsus$ leaks 70GB of stolen data</a>
</p>
]]></description><guid isPermaLink="false">5054</guid><pubDate>Thu, 31 Mar 2022 01:57:54 +0000</pubDate></item><item><title>How did a hacker steal over $600 million from a crypto gaming blockchain?</title><link>https://nsaneforums.com/news/security-privacy-news/how-did-a-hacker-steal-over-600-million-from-a-crypto-gaming-blockchain-r5040/</link><description><![CDATA[<h3>
	Axie Infinity's use of a centralized "sidechain" opened up an avenue of attack.
</h3>

<div itemprop="articleBody">
	Axie Infinity developer Sky Mavis <a href="https://roninblockchain.substack.com/p/community-alert-ronin-validators" rel="external nofollow">announced Tuesday</a> a massive breach of its Ronin cryptocurrency sidechain. An attacker used "hacked private keys" to break through Ronin's validator network, Sky Mavis says, transferring 173,600 ethereum (worth approximately $594 million at current rates) and $25.5 million <a href="https://www.coinbase.com/usdc" rel="external nofollow">in USDC stablecoin</a> as part of one of the largest breaches in the history of cryptocurrency.

	<p>
		 
	</p>

	<p>
		To understand the nature of that breach, let us take you on a crash course in the short history of Axie Infinity and the complex web of crypto standards and technologies that helped allow the exploit to happen.
	</p>

	<h2>
		So you can, like, make money by playing a game?
	</h2>
	Axie Infinity has been <a href="https://forkast.news/axie-infinity-play-to-earn-model/" rel="external nofollow">cited as one of the early success stories</a> in so-called blockchain gaming. Such games use decentralized protocols to <a href="https://arstechnica.com/gaming/2021/12/ubisofts-first-nft-plans-make-no-sense/" rel="external nofollow">track ownership of certain in-game items</a> and generally let players have some control over the resale of those items.

	<p>
		 
	</p>

	<p>
		To play Axie Infinity, players need to purchase at least three NFTs of playable in-game Axies <a href="https://marketplace.axieinfinity.com/" rel="external nofollow">on the open market</a> (or borrow them from owners). Playing with those Axies then earns players some Smooth Love Potions (SLP), which can power up Axies or be sold to other players <a href="https://coinmarketcap.com/currencies/smooth-love-potion/" rel="external nofollow">as a commodity</a>, creating a "play to earn" loop.
	</p>

	<p>
		 
	</p>

	<p>
		Last year, there was enough hype and money sloshing through this system that <a href="https://www.coindesk.com/business/2021/05/11/for-filipinos-axie-infinity-is-more-than-a-crypto-game/" rel="external nofollow">some players in the Philippines were able to make a decent local wage</a> simply by playing the game as their full-time job. But that early success helped attract more players who hoped to hop on to the play-to-earn train, which flooded the market with SLPs.
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="axie2-640x358.jpeg" class="ipsImage" data-ratio="55.94" height="358" width="640" src="https://cdn.arstechnica.net/wp-content/uploads/2022/03/axie2-640x358.jpeg">
	</p>

	<p>
		Could this be your new job?
	</p>

	<p>
		 
	</p>

	<p>
		With few new buyers coming in to purchase all those SLPs, the value of the potions (in dollars) has cratered roughly 80 percent since early November and a whopping 95 percent from its peak last May, <a href="https://www.coingecko.com/en/coins/smooth-love-potion" rel="external nofollow">according to CoinGecko</a>. As the SLP's value has cratered, so, too, has <a href="https://pro.nansen.ai/multichain/ronin" rel="external nofollow">the number of daily active Axie Infinity players</a> and the number of new players buying fresh Axies.
	</p>

	<p>
		 
	</p>

	<p>
		(For much more on how the Axie economy functions, and how it falls apart without new players who want to buy SLPs, read through <a href="https://naavik.co/business-breakdowns/axie-infinity" rel="external nofollow">this lengthy report from consultancy Naavik.</a>)
	</p>

	<h2>
		The weak link in the (side)chain
	</h2>

	<p>
		While Axie Infinity originally ran directly on the ethereum blockchain, the <a href="https://etherscan.io/chart/gasprice" rel="external nofollow">high transaction costs</a> and slow transaction speeds on that network quickly became untenable as the game grew. To get around those fees, Sky Mavis in 2020 started to use a sidechain—a parallel private blockchain running on top of ethereum that could bypass the need to pay ethereum "gas" for each and every transaction.
	</p>

	<p>
		 
	</p>

	<p>
		Sky Mavis initially partnered with <a href="https://medium.com/paradigm-fund/loom-network-scaling-ethereum-through-sidechains-a58261f3a0bb" rel="external nofollow">Loom Networks</a> for this sidechain functionality. In March 2020, though, the company <a href="https://twitter.com/AxieInfinity/status/1239176945600024576?s=20" rel="external nofollow">broke that partnership</a> and introduced <a href="https://whitepaper.axieinfinity.com/technology/ronin-ethereum-sidechain" rel="external nofollow">its own sidechain called Ronin</a>.
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="ronin-640x386.jpeg" class="ipsImage" data-ratio="60.31" height="386" width="640" src="https://cdn.arstechnica.net/wp-content/uploads/2022/03/ronin-640x386.jpeg">
	</p>

	<p>
		An image from Sky Mavis announcing the launch of the Ronin sidechain.
	</p>

	<p>
		 
	</p>

	<p>
		Unlike the distributed proof-of-work ethereum blockchain, the Ronin sidechain operates on a much more centralized proof-of-authority system. Rather than consulting the entire distributed blockchain network to confirm transactions, this proof-of-authority system runs its transactions through <a href="https://explorer.roninchain.com/validators" rel="external nofollow">a small set of trusted, handpicked "validator" nodes</a>. Each node stakes some of its reputation on validating each transaction, theoretically punishing lone actors that try to game the system.
	</p>

	<p>
		 
	</p>

	<p>
		Centralized exchanges like <a href="https://www.binance.com/ph/blog/markets/how-to-transfer-axs-and-slp-from-axie-infinity-ronin-to-binance-421499824684902754" rel="external nofollow">Binance</a> and decentralized exchanges like <a href="https://katana.roninchain.com/" rel="external nofollow">Katana</a> give users a "bridge" to transfer their in-game assets back and forth between Ronin and the main ethereum blockchain. But because those bridge transfers happen less frequently and in bulk, the transaction costs end up much lower.
	</p>

	<p>
		 
	</p>

	<p>
		Ronin's proof-of-authority system, centralized in just nine validator nodes, is the key to its ability to provide a higher volume of transactions <a href="https://support.axieinfinity.com/hc/en-us/articles/4414883264027-How-Daily-Free-Transactions-are-Calculated" rel="external nofollow">at a much lower cost</a> than the sprawling ethereum network. It also ended up being Ronin's weak point, in this case.
	</p>

	<p>
		 
	</p>

	<p>
		As Sky Mavis <a href="https://roninblockchain.substack.com/p/community-alert-ronin-validators" rel="external nofollow">explains</a>, the unknown attacker was able to breach Sky Mavis' systems and gain full access to four validator nodes that the company controls. The attacker was then able to use a leftover backdoor in those nodes to gain control of another validator controlled by the decentralized <a href="https://axiedao.org/" rel="external nofollow">Axie DAO</a>.
	</p>

	<p>
		 
	</p>

	<p>
		With that fifth validator node, the attacker could then provide a majority of validation signatures on any transaction it wanted, leading to the fraudulent transfers.
	</p>
</div>

<nav>
	<h2>
		The fallout
	</h2>

	<p>
		While the attack happened last Wednesday, Sky Mavis said it didn't become aware of the problem until early Tuesday, when a user tried and failed to transfer 5,000 ETH from the network. “The fact that nobody notices for six days screams aloud that some structure should be in place to watch illicit transfers,” Securitize Capital head Wilfred Daye <a href="https://www.bloomberg.com/news/articles/2022-03-29/hackers-steal-590-million-from-ronin-in-latest-bridge-attack" rel="external nofollow">told Bloomberg</a>.
	</p>

	<p>
		 
	</p>

	<p>
		Sky Mavis says that all user tokens on the Ronin network "are safe right now" and that the company is "working with law enforcement officials, forensic cryptographers, and our investors to make sure all funds are recovered or reimbursed."
	</p>

	<p>
		 
	</p>

	<p>
		For now, though, legitimate users are unable to withdraw or deposit funds to or from the Ronin network on either Katana or Binance. "The bridge will be opened up at a later date once we are certain no funds can be drained," the company said.
	</p>

	<p>
		 
	</p>

	<p>
		And Sky Mavis also says that it is "in the process of discussing with Axie Infinity / Sky Mavis stakeholders about how to best move forward and ensure no users' funds are lost," which sounds a little uncertain.
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="Screen-Shot-2022-03-29-at-8.18.32-PM-640" class="ipsImage" data-ratio="45.31" height="290" width="640" src="https://cdn.arstechnica.net/wp-content/uploads/2022/03/Screen-Shot-2022-03-29-at-8.18.32-PM-640x290.png">
	</p>

	<p>
		The price of Ronin's $RON governance token cratered after the hack was announced Tuesday.
	</p>

	<p>
		 
	</p>

	<p>
		In the hours after Sky Mavis' Tuesday morning announcement of the breach, the price of Ronin's $RON governance token fell nearly 22 percent to a new all-time low, <a href="https://www.coingecko.com/en/coins/ronin" rel="external nofollow">according to CoinGecko</a>. Even before that dip, though, $RON's price had already fallen 36 percent <a href="https://www.coindesk.com/markets/2022/01/27/axie-infinity-founder-sky-mavis-launches-ron-governance-token/" rel="external nofollow">since it was first introduced in late January</a>.
	</p>

	<p>
		 
	</p>

	<p>
		To help prevent similar attacks in the future, Sky Mavis said it will now require eight of nine Ronin validators to agree on all transactions, rather than just a bare majority of five.
	</p>
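	<p>
		To make the arithmetic of the attack concrete, the added Python example below (not Sky Mavis' or Ronin's code) models a bridge withdrawal that needs a threshold of approvals from distinct validators. It checks the same five compromised validators against the old 5-of-9 and the new 8-of-9 thresholds, and also rejects one validator's signature submitted five times. Validator names, keys and the HMAC-based stand-in for ECDSA signatures are assumptions of the example.
	</p>

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Stand-in for validator signatures: each validator holds a secret and "signs"
# a withdrawal by computing HMAC-SHA256 over its canonical encoding. Real Ronin
# validators sign with ECDSA keys; HMAC is used here only so the example runs
# on the standard library. The verifier holding every secret is the one
# simplification that does not carry over to a real bridge.


def sign(secret: bytes, message: bytes) -> bytes:
    return hmac.new(secret, message, hashlib.sha256).digest()


def encode_withdrawal(recipient: str, amount_wei: int, nonce: int) -> bytes:
    # The nonce is part of the signed data so a captured approval cannot be replayed.
    return f"withdraw|{recipient}|{amount_wei}|{nonce}".encode()


def count_valid_approvals(
    validator_secrets: Dict[str, bytes],
    message: bytes,
    approvals: List[Tuple[str, bytes]],
) -> int:
    """Count distinct validators whose signature over `message` verifies."""
    seen = set()
    for validator_id, sig in approvals:
        secret = validator_secrets.get(validator_id)
        if secret is None or validator_id in seen:
            continue  # unknown signer, or the same validator counted twice
        if hmac.compare_digest(sign(secret, message), sig):
            seen.add(validator_id)
    return len(seen)


def bridge_accepts(validator_secrets, message, approvals, threshold: int) -> bool:
    return count_valid_approvals(validator_secrets, message, approvals) >= threshold


# Nine validators, as on Ronin at the time of the attack. Constructed keys.
VALIDATORS = {f"validator-{i}": secrets.token_bytes(32) for i in range(1, 10)}

# Assumed attacker position, matching the article: four Sky Mavis validators
# plus the Axie DAO validator reached through the leftover access.
COMPROMISED = ["validator-1", "validator-2", "validator-3", "validator-4", "validator-5"]


def attacker_approvals(message: bytes) -> List[Tuple[str, bytes]]:
    return [(v, sign(VALIDATORS[v], message)) for v in COMPROMISED]


def outcome(threshold: int) -> bool:
    """Does a withdrawal signed by the five compromised validators pass?"""
    msg = encode_withdrawal("0xattacker", 173_600 * 10**18, nonce=1)
    return bridge_accepts(VALIDATORS, msg, attacker_approvals(msg), threshold)


def forged_duplicate_outcome(threshold: int) -> bool:
    """One validator's signature replayed five times must not reach the threshold."""
    msg = encode_withdrawal("0xattacker", 173_600 * 10**18, nonce=2)
    one = ("validator-1", sign(VALIDATORS["validator-1"], msg))
    return bridge_accepts(VALIDATORS, msg, [one] * 5, threshold)


if __name__ == "__main__":
    print("5-of-9 threshold, five compromised keys:", outcome(5))            # True
    print("8-of-9 threshold, five compromised keys:", outcome(8))            # False
    print("one key replayed five times, 5-of-9:", forged_duplicate_outcome(5))  # False
```

	<p>
		The deduplication in <code>count_valid_approvals</code> is the part worth copying: a threshold check that counts signatures rather than distinct signers can be satisfied with a single compromised key. Raising the threshold only helps if the validator keys are also held by independent parties; five of the nine here sat behind one company's infrastructure and one stale allowlist, which is what the 8-of-9 rule is meant to address.
	</p>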

	<h2>
		The hunt
	</h2>

	<p>
		The vast majority of the Ronin attacker's ill-gotten gains are currently <a href="https://etherscan.io/address/0x098b716b8aaf21512996dc57eb0615e2383e2f96" rel="external nofollow">sitting in a fresh ethereum wallet</a>. Just over 6,000 ETH has been transferred to other addresses, though, which has some hoping that investigators will be able to follow the money to pin down the culprit.
	</p>

	<p>
		 
	</p>

	<p>
		"[The attacker] sent some tokens to exchanges which means there's a chance he can be identified and brought to justice," Axie Infinity co-founder Jeff Zirlin said during <a href="https://www.youtube.com/watch?v=6sTmC-5DGjU" rel="external nofollow">a presentation </a><a href="https://www.youtube.com/watch?v=6sTmC-5DGjU" rel="external nofollow">Tuesday</a><a href="https://www.youtube.com/watch?v=6sTmC-5DGjU" rel="external nofollow"> at the NFTLA conference</a>.
	</p>

	<p>
		 
	</p>
	<p>
		Last summer, a separate attack on the Poly Network cross-chain bridge <a href="https://www.coindesk.com/markets/2021/08/10/cross-chain-defi-site-poly-network-hacked-hundreds-of-millions-potentially-lost/" rel="external nofollow">captured roughly $600 million in crypto assets</a>, but the majority of those funds were <a href="https://arstechnica.com/tech-policy/2021/08/hacker-is-returning-600m-in-crypto-claiming-theft-was-just-for-fun/" rel="external nofollow">returned starting the next day</a>.
	</p>

	<p>
		 
	</p>
	<p>
		In February, a hacker <a href="https://arstechnica.com/information-technology/2022/02/how-323-million-in-crypto-was-stolen-from-a-blockchain-bridge-called-wormhole/" rel="external nofollow">managed to steal $320 million worth of cryptocurrency</a> by exploiting the Wormhole bridge between the ethereum and solana blockchains. Trading firm Jump Crypto ended up <a href="https://twitter.com/JumpCryptoHQ/status/1489301013408497666?s=20&amp;t=wkKm0W_noHbLF5LdBllnwg" rel="external nofollow">replenishing those funds itself</a> "to make community members whole and support Wormhole now as it continues to develop."
	</p>
</nav>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/gaming/2022/03/how-did-a-hacker-steal-over-600-million-from-a-crypto-gaming-blockchain/" rel="external nofollow">How did a hacker steal over $600 million from a crypto gaming blockchain?</a>
</p>
]]></description><guid isPermaLink="false">5040</guid><pubDate>Wed, 30 Mar 2022 18:53:58 +0000</pubDate></item><item><title>Mars Stealer malware pushed via OpenOffice ads on Google</title><link>https://nsaneforums.com/news/security-privacy-news/mars-stealer-malware-pushed-via-openoffice-ads-on-google-r5031/</link><description><![CDATA[<p>
	A newly launched information-stealing malware variant called Mars Stealer is rising in popularity, and threat analysts are now spotting the first notable large-scale campaigns employing it.
</p>

<p>
	 
</p>

<p>
	Mars Stealer emerged as a redesign of the Oski malware that shut down development in 2020, featuring <a href="https://www.bleepingcomputer.com/news/security/powerful-new-oski-variant-mars-stealer-grabbing-2fas-and-crypto/" target="_blank" rel="external nofollow">extensive info-stealing capabilities</a> targeting a broad spectrum of apps.
</p>

<p>
	 
</p>

<p>
	Promoted on hacking forums at affordable prices in the range of $140-$160, Mars Stealer grew slowly until recently, when the <a href="https://www.bleepingcomputer.com/news/security/racoon-stealer-malware-suspends-operations-due-to-war-in-ukraine/" target="_blank" rel="external nofollow">abrupt shut down of Raccoon Stealer</a> forced cybercriminals to seek alternatives.
</p>

<p>
	 
</p>

<p>
	Mars Stealer's developer was overwhelmed by the influx of new users, since the service operates much as Raccoon used to, so it is about to become the springboard for numerous new campaigns.
</p>

<p>
	 
</p>

<p>
	<img alt="mars-stealer.jpg" class="ipsImage" data-ratio="75.10" height="285" width="720" src="https://www.bleepstatic.com/images/news/malware/r/racoon-stealer/mars-stealer.jpg">
</p>

<p>
	Mars Stealer dev overwhelmed by new requests
</p>

<p>
	 
</p>

<p>
	Threat analysts at Morphisec report having spotted several of these new campaigns, including one using a cracked version of the malware that circulates with instructions on how to use it.
</p>

<h2>
	OpenOffice campaign
</h2>

<p>
	A new Mars Stealer campaign <a href="https://blog.morphisec.com/threat-research-mars-stealer" rel="external nofollow" target="_blank">uncovered by Morphisec</a> is using Google Ads to rank cloned OpenOffice sites high in Canadian search results.
</p>

<p>
	 
</p>

<p>
	<img alt="google-search.jpg" class="ipsImage" data-ratio="75.10" height="470" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Website%20snaps/google-search.jpg">
</p>

<p>
	Poisoning Google Search results with malicious ads (Morphisec)
</p>

<p>
	 
</p>

<p>
	OpenOffice is a once-popular open-source office suite now maintained by the Apache Software Foundation; it has largely been surpassed by LibreOffice, which forked from it in 2010.
</p>

<p>
	 
</p>

<p>
	However, OpenOffice still enjoys a respectable number of daily downloads from people who seek a free document and spreadsheet editor. Possibly, the threat actors didn’t clone the much more popular LibreOffice because that would result in a quick take-down due to numerous reports.
</p>

<p>
	 
</p>

<p>
	<img alt="cloned-sites.jpg" class="ipsImage" data-ratio="67.64" height="219" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Website%20snaps/cloned-sites.jpg">
</p>

<p>
	Malicious site compared to the real one (Morphisec)
</p>

<p>
	 
</p>

<p>
	The OpenOffice installer on the phony site is, in reality, a Mars Stealer executable packed with the Babadeda crypter or the Autoit loader, so the victims are unknowingly infecting themselves.
</p>

<p>
	 
</p>

<p>
	Because of an error in the configuration instructions for the cracked version, the operator exposed the directory holding victims' 'logs', giving any visitor full access to it.
</p>

<p>
	 
</p>

<p>
	A log is a zip file containing data stolen by an information-stealing Trojan and uploaded to threat actors' command and control servers.
</p>

<p>
	 
</p>

<p>
	<img alt="directory.jpg" class="ipsImage" data-ratio="77.81" height="540" width="467" src="https://www.bleepstatic.com/images/news/u/1220909/Website%20snaps/directory.jpg">
</p>

<p>
	Directory storing stolen data (logs) - Morphisec
</p>

<p>
	 
</p>

<p>
	In this campaign, the stolen information produced by Mars Stealer appears to contain browser auto-fill data, browser extension data, credit cards, IP address, country code, and timezone.
</p>

<p>
	 
</p>

<p>
	Because the threat actor infected themselves with their copy of Mars Stealer during debugging, their sensitive information was also exposed.
</p>

<p>
	 
</p>

<p>
	This mistake allowed the researchers to attribute the attacks to a Russian speaker and discover the threat actor's <a href="https://gitlab.com/corpsoft" rel="external nofollow" target="_blank">GitLab accounts</a>, stolen credentials used to pay for the Google Ads, and more.
</p>

<h2>
	A threat to crypto assets
</h2>

<p>
	Mars Stealer is a rising threat, promoted in over 47 darknet sites and hacking forums, Telegram channels, and “unofficial” distribution pathways like the cracked pack.
</p>

<p>
	 
</p>

<p>
	Morphisec says that the operators of these info-stealers are heavily focused on cryptocurrency assets.
</p>

<p>
	 
</p>

<p>
	<img alt="stolen-logs.jpg" class="ipsImage" data-ratio="75.10" height="257" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Security/stolen-logs.jpg">
</p>

<p>
	Overview of stolen logs from a single campaign operator (Morphisec)
</p>

<p>
	 
</p>

<p>
	The most stolen browser plugin from the analyzed campaign is MetaMask, followed by Coinbase Wallet, Binance Wallet, and Math wallet, all “hot” wallets for managing cryptocurrency assets.
</p>

<p>
	 
</p>

<p>
	Morphisec also identified credentials belonging to a healthcare infrastructure provider in Canada and saw signs of compromise on several high-profile Canadian service firms.
</p>

<p>
	 
</p>

<p>
	To protect against info-stealers, make sure you click through to official sites rather than Google Ad results, and always scan downloaded executables with your AV before launching them.
</p>

<p>
	 
</p>

<p>
	For those looking for a deep technical nose-dive into the new Mars Stealer malware, you can read <a href="https://3xp0rt.com/posts/mars-stealer" rel="external nofollow" target="_blank">3xp0rt's analysis</a> of the new malware variant.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/mars-stealer-malware-pushed-via-openoffice-ads-on-google/" rel="external nofollow">Mars Stealer malware pushed via OpenOffice ads on Google</a>
</p>
]]></description><guid isPermaLink="false">5031</guid><pubDate>Tue, 29 Mar 2022 21:37:03 +0000</pubDate></item><item><title>$620 million in crypto stolen from Axie Infinity's Ronin bridge</title><link>https://nsaneforums.com/news/security-privacy-news/620-million-in-crypto-stolen-from-axie-infinitys-ronin-bridge-r5030/</link><description><![CDATA[<p>
	A hacker has stolen almost $620 million in Ethereum and USDC tokens from Axie Infinity's Ronin network bridge, making it possibly the largest crypto hack in history.
</p>

<p>
	 
</p>

<p>
	Ronin is an Ethereum sidechain created by Sky Mavis to facilitate transactions for the Axie Infinity game, with the bridge acting as a way to transfer ERC-20 tokens between the Ethereum and Ronin blockchains.
</p>

<p>
	 
</p>

<p>
	Today, Sky Mavis disclosed that a threat actor hacked the Ronin bridge and stole 173,600 Ethereum and 25.5M USDC tokens in two transactions [<a href="https://etherscan.io/tx/0xc28fad5e8d5e0ce6a2eaf67b6687be5d58113e16be590824d6cfa1a94467d0b7" rel="external nofollow" target="_blank">1</a> and <a href="https://etherscan.io/tx/0xed2c72ef1a552ddaec6dd1f5cddf0b59a8f37f82bdda5257d9c7c37db7bb9b08" rel="external nofollow" target="_blank">2</a>], worth $617 million at today's prices.
</p>

<p>
	 
</p>

<p>
	While the Ronin sidechain uses 9 validator nodes to confirm transactions, the threat actor was able to gain control over five of the validator signatures needed to withdraw cryptocurrency from the bridge.
</p>

<p>
	 
</p>

<p>
	"Sky Mavis’ Ronin chain currently consists of 9 validator nodes. In order to recognize a Deposit event or a Withdrawal event, five out of the nine validator signatures are needed. The attacker managed to get control over Sky Mavis’s four Ronin Validators and a third-party validator run by Axie DAO," explains an <a href="https://roninblockchain.substack.com/p/community-alert-ronin-validators?s=w" rel="external nofollow" target="_blank">advisory</a> from the Ronin network.
</p>

<p>
	 
</p>

<p>
	"The validator key scheme is set up to be decentralized so that it limits an attack vector, similar to this one, but the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator."
</p>

<p>
	 
</p>

<p>
	The attack occurred almost a week ago, on March 23rd, but Sky Mavis only learned about it today when a user tried to withdraw 5,000 Ethereum from the bridge and was unable to do so.
</p>

<p>
	 
</p>

<p>
	Most of the stolen cryptocurrency still resides in the attacker's <a href="https://etherscan.io/address/0x098b716b8aaf21512996dc57eb0615e2383e2f96" rel="external nofollow" target="_blank">Ethereum address</a>, though there has been some activity, with the attacker transferring ETH to various addresses and exchanges.
</p>

<p>
	 
</p>

<p>
	<img alt="ronin-explotier-transactions.jpg" class="ipsImage" data-ratio="75.10" height="261" width="720" src="https://www.bleepstatic.com/images/news/cryptocurrency/attacks/r/ronin/ronin-explotier-transactions.jpg">
</p>

<p>
	Attacker sending ETH to other addresses
</p>

<p>
	 
</p>

<p>
	While Sky Mavis states that all AXS, RON, and SLP tokens on Ronin are secure, all of the Ethereum and USDC deposits have been stolen by the attacker.
</p>

<p>
	 
</p>

<p>
	Sky Mavis has also shut down the Ronin Bridge and the Katana Dex as they investigate the attack.
</p>

<p>
	 
</p>

<p>
	"We are working with law enforcement officials, forensic cryptographers, and our investors to make sure there is no loss of user funds. This is our top priority right now," explains Sky Mavis.
</p>

<p>
	 
</p>

<p>
	This attack is the largest crypto hack in history, with the previous largest theft being <a href="https://www.bleepingcomputer.com/news/security/over-600-million-reportedly-stolen-in-cryptocurrency-hack/" target="_blank" rel="external nofollow">$611 million stolen from Poly Network</a> in August 2021.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/cryptocurrency/620-million-in-crypto-stolen-from-axie-infinitys-ronin-bridge/" rel="external nofollow">$620 million in crypto stolen from Axie Infinity's Ronin bridge</a>
</p>
]]></description><guid isPermaLink="false">5030</guid><pubDate>Tue, 29 Mar 2022 21:33:40 +0000</pubDate></item><item><title>Forcing WhatsApp and iMessage to Work Together Is Doomed to Fail</title><link>https://nsaneforums.com/news/security-privacy-news/forcing-whatsapp-and-imessage-to-work-together-is-doomed-to-fail-r5029/</link><description><![CDATA[<p>
	The newest law designed to rein in Big Tech aims to make all your favorite messaging apps work seamlessly together. Sounds great, right? Well, we have some bad news.
</p>

<p>
	 
</p>

<p>
	Every day, billions of messages are sent using <a href="https://www.wired.com/2014/11/hacker-lexicon-end-to-end-encryption/" rel="external nofollow">end-to-end encryption</a>. Millions of people use iMessage, WhatsApp, and Signal to chat with friends, family, and colleagues, and those conversations are all automatically protected by strong encryption. But it’s not possible to send a message from one encrypted app to another. If you use <a href="https://www.wired.com/story/signal-tips-private-messaging-encryption/" rel="external nofollow">Signal</a> and your friends only use <a href="https://www.wired.co.uk/article/whatsapp-tricks-encryption" rel="external nofollow">WhatsApp</a>, someone has to compromise.
</p>

<p>
	 
</p>

<p>
	Under the European Union’s wide-ranging <a href="https://www.wired.com/story/digital-markets-act-messaging/" rel="external nofollow">Digital Markets Act (DMA)</a>, which European lawmakers approved last week and is expected to be implemented this year, the owners of messaging apps will be required to make them interoperable if another company requests that they do so. As a result, the largest messaging platforms—including WhatsApp, Facebook Messenger, and iMessage, which the DMA designates as gatekeepers—will have to open up to rivals.
</p>

<p>
	 
</p>

<p>
	“Users of small or big platforms would then be able to exchange messages, send files, or make video calls across messaging apps, thus giving them more choice,” the lawmakers <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.europarl.europa.eu/news/en/press-room/20220315IPR25504/deal-on-digital-markets-act-ensuring-fair-competition-and-more-choice-for-users"}' data-offer-url="https://www.europarl.europa.eu/news/en/press-room/20220315IPR25504/deal-on-digital-markets-act-ensuring-fair-competition-and-more-choice-for-users" href="https://www.europarl.europa.eu/news/en/press-room/20220315IPR25504/deal-on-digital-markets-act-ensuring-fair-competition-and-more-choice-for-users" rel="external nofollow" target="_blank">said in an announcement</a>. Under the plans, Signal could ask to work with Messenger, for instance. Or Meta could request that WhatsApp be made compatible with iMessage—a logistical challenge even if Meta and Apple weren’t <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.nytimes.com/2021/04/26/technology/apple-facebook-feud.html"}' data-offer-url="https://www.nytimes.com/2021/04/26/technology/apple-facebook-feud.html" href="https://www.nytimes.com/2021/04/26/technology/apple-facebook-feud.html" rel="external nofollow" target="_blank">actively feuding</a>, but one EU lawmakers say is worth solving.
</p>

<p>
	 
</p>

<p>
	Proponents of interoperability say the law will give consumers more choice and will allow third-party clients to build out extra functions. And while MEP Andreas Schwab, the lead negotiator for the DMA, says that the politicians are not looking to weaken encryption, cryptography experts are concerned the proposals will not be technically possible without compromising end-to-end encryption, potentially putting those billions of messages we send each other every day at risk.
</p>

<p>
	 
</p>

<p>
	While end-to-end encryption has become seamless for people using messaging apps, no two apps implement encryption identically. WhatsApp <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.whatsapp.com/security"}' data-offer-url="https://www.whatsapp.com/security" href="https://www.whatsapp.com/security" rel="external nofollow" target="_blank">uses a custom version of the Signal encryption protocol</a>, for example, but users still can’t message each other across the apps. And while Apple’s iMessage is interoperable with SMS, these standard text messages <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://support.apple.com/en-us/HT207006"}' data-offer-url="https://support.apple.com/en-us/HT207006" href="https://support.apple.com/en-us/HT207006" rel="external nofollow" target="_blank">aren’t encrypted</a>.
</p>

<p>
	 
</p>

<p>
	Many cryptographers and security experts have already pointed out <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://twitter.com/AlecMuffett/status/1507134286255775749"}' data-offer-url="https://twitter.com/AlecMuffett/status/1507134286255775749" href="https://twitter.com/AlecMuffett/status/1507134286255775749" rel="external nofollow" target="_blank">flaws</a> <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://twitter.com/alexstamos/status/1507145126006587411"}' data-offer-url="https://twitter.com/alexstamos/status/1507145126006587411" href="https://twitter.com/alexstamos/status/1507145126006587411" rel="external nofollow" target="_blank">in Europe’s</a> <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://twitter.com/benedictevans/status/1507246233181732867"}' data-offer-url="https://twitter.com/benedictevans/status/1507246233181732867" href="https://twitter.com/benedictevans/status/1507246233181732867" rel="external nofollow" target="_blank">plan</a>. “Interoperable E2EE [end-to-end encryption] is somewhere between extraordinarily difficult and impossible,” Steve Bellovin, one of the world’s leading cryptographers and a former chief technologist at the Federal Trade Commission, <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://twitter.com/SteveBellovin/status/1507375010054348805"}' data-offer-url="https://twitter.com/SteveBellovin/status/1507375010054348805" href="https://twitter.com/SteveBellovin/status/1507375010054348805" rel="external nofollow" target="_blank">tweeted</a> on Friday.
</p>

<p>
	 
</p>

<p>
	“When you start talking about different companies exchanging encrypted communications with one another, there are many serious considerations here that are extremely difficult to resolve,” says Nadim Kobeissi, an applied cryptographer and founder of decentralized publishing platform Capsule Social. “It is very likely that there will be a serious degradation of the cryptographic techniques that will be necessary in order to accommodate this proposal,” Kobeissi says.
</p>

<p>
	 
</p>

<p>
	The proposals <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.europarl.europa.eu/news/en/press-room/20220315IPR25504/deal-on-digital-markets-act-ensuring-fair-competition-and-more-choice-for-users"}' data-offer-url="https://www.europarl.europa.eu/news/en/press-room/20220315IPR25504/deal-on-digital-markets-act-ensuring-fair-competition-and-more-choice-for-users" href="https://www.europarl.europa.eu/news/en/press-room/20220315IPR25504/deal-on-digital-markets-act-ensuring-fair-competition-and-more-choice-for-users" rel="external nofollow" target="_blank">put forward as part of the DMA</a>—which has yet to be fully published—don’t include technical details on how interoperability would work, but officials say the changes should be rolled out over a number of years. Basic features such as messages between two people should be implemented three months after a tech company is asked to provide them; audio and video calls have a four-year deadline.
</p>

<p>
	 
</p>

<p>
	“Making end-to-end encrypted messaging apps interoperable is technically challenging and creates real risks for privacy, safety, and innovation,” Will Cathcart, Meta’s head of WhatsApp, said in a statement. “Changes of this complexity risk turning a competitive and innovative industry into SMS or email, which is not secure and full of spam,” he says. In an <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.platformer.news/p/three-ways-the-european-union-might?s=w"}' data-offer-url="https://www.platformer.news/p/three-ways-the-european-union-might?s=w" href="https://www.platformer.news/p/three-ways-the-european-union-might?s=w" rel="external nofollow" target="_blank">interview with tech journalist Casey Newton</a>, Cathcart said the move could cause misinformation problems and moderation issues for WhatsApp. “I have a lot of concerns around whether this will break or severely undermine privacy, whether it'll break a lot of the safety work we've done that we're particularly proud of, and whether it'll actually lead to more innovation and competitiveness,” he said.
</p>

<p>
	 
</p>

<p>
	Apple did not respond to a request for comment about encryption but said it has general concerns that parts of the DMA will create “unnecessary privacy and security vulnerabilities.” Signal did not respond to a request for comment.
</p>

<p>
	 
</p>

<p>
	Not everyone is against interoperability and end-to-end encryption. Matrix, a nonprofit that’s building an open source standard for encryption, has published <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://matrix.org/blog/2022/03/29/how-do-you-implement-interoperability-in-a-dma-world"}' data-offer-url="https://matrix.org/blog/2022/03/29/how-do-you-implement-interoperability-in-a-dma-world" href="https://matrix.org/blog/2022/03/29/how-do-you-implement-interoperability-in-a-dma-world" rel="external nofollow" target="_blank">multiple</a> <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://matrix.org/blog/2022/03/25/interoperability-without-sacrificing-privacy-matrix-and-the-dma"}' data-offer-url="https://matrix.org/blog/2022/03/25/interoperability-without-sacrificing-privacy-matrix-and-the-dma" href="https://matrix.org/blog/2022/03/25/interoperability-without-sacrificing-privacy-matrix-and-the-dma" rel="external nofollow" target="_blank">blog posts</a> outlining how it believes the EU's proposals could work. “The main challenge is the trade-off between interoperability and privacy for gatekeepers who provide end-to-end encryption,” the team behind Matrix say.
</p>

<p>
	 
</p>

<p>
	There are broadly two routes that could allow encryption to work across apps operated by different companies. The first involves tech companies allowing access to APIs that connect to their messaging services—this is the option Schwab and lawmakers are leaning toward. The second involves more radical change: All companies would have to adopt and implement one universal encryption standard.
</p>

<p>
	 
</p>

<p>
	Neither is easy.
</p>

<p>
	 
</p>

<p>
	Connecting to an open API could involve a company using a “bridge” that joins the two platforms together. Signal would, for instance, have to implement multiple bridges if it wanted to work with different apps. “Every device has to speak every language, but at least users have the building blocks to get at each other’s messages, rather than then being arbitrarily locked away by the gatekeepers,” Ian Brown, a visiting professor at Fundação Getulio Vargas Law School in Rio de Janeiro, <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://interoperability.news/2022/03/end-to-end-encrypted-group-chats-and-interoperability/"}' data-offer-url="https://interoperability.news/2022/03/end-to-end-encrypted-group-chats-and-interoperability/" href="https://interoperability.news/2022/03/end-to-end-encrypted-group-chats-and-interoperability/" rel="external nofollow" target="_blank">wrote for Interoperability News</a>.
</p>


<p>
	Using a bridge would involve decrypting messages, potentially on someone’s device, and then making them appear in the destination app. Removing the end-to-end encryption would open up a new layer that could be attacked by hackers or malicious actors. “How do you guarantee that the things sitting next to your messaging app are benevolent and not malicious,” says Robin Wilton, director of internet trust at the Internet Society. Kobeissi adds that it’s unclear under the proposals who would <a href="https://www.wired.com/2014/11/hacker-lexicon-end-to-end-encryption/" rel="external nofollow">manage the exchange of public encryption keys</a> and how cryptographic metadata would be shared between companies. If Signal and iMessage become interoperable, which one changes its encryption to match the other?
</p>

<p>
	 
</p>

<p>
	One of the biggest unanswered questions is how interoperability would ensure you are chatting with the people you think you are. People use different usernames on each platform, and not knowing who someone is could lead to identity issues, explains Alan Duric, cofounder of encrypted messaging app Wire. “If you’re communicating across Wire and WhatsApp, how can the Wire user be certain that the person they are talking to on WhatsApp is authentic?” he says. “How can they be sure the person they're talking to is even using WhatsApp at all?” Duric says this can be combated by verifying each user's identity, which can then help reduce abuse and spam.
</p>

<p>
	 
</p>

<p>
	Those in favor of interoperability say the best way to do this would be for all companies to adopt one encryption standard and stick to it. These standards already exist—for instance, the <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://matrix.org/"}' data-offer-url="https://matrix.org/" href="https://matrix.org/" rel="external nofollow" target="_blank">Matrix messaging protocol</a>, the <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://xmpp.org/"}' data-offer-url="https://xmpp.org/" href="https://xmpp.org/" rel="external nofollow" target="_blank">XMPP</a> standard, and the upcoming <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://messaginglayersecurity.rocks/"}' data-offer-url="https://messaginglayersecurity.rocks/" href="https://messaginglayersecurity.rocks/" rel="external nofollow" target="_blank">Messaging Layer Security</a>. “If every player in the field—so the gatekeepers but also the smaller player—all connect to the same standard, it ends up being a big glue between the different services,” says Amandine Le Pape, a cofounder of the Matrix standard. This would avoid companies implementing APIs via a piecemeal process, although this isn’t what the European Union has opted for at the moment. “The DMA is just the first step,” Le Pape says.
</p>

<p>
	 
</p>

<p>
	Getting all messaging apps to use one standard would be a significant, time-consuming challenge. “Potentially, you could just have a situation where everyone switches to Matrix,” Kobeissi says. “But Matrix is a fundamentally different security architecture, not just from an end-to-end encryption perspective, but also from a threat modeling perspective.” Each app faces different potential attacks against it—based on its user base and operations—so moving to one model would require companies to reassess how their users could be compromised.
</p>

<p>
	 
</p>

<p>
	Companies would have to rebuild their entire encryption systems and change multiple features in their apps, a process that could take years. Take Meta: In 2019, the company said it was going to make Instagram DMs and Messenger end-to-end encrypted by default and integrate their infrastructure with WhatsApp. Three years later, the company is still trying to <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://techcrunch.com/2021/12/01/meta-explains-its-approach-to-user-safety-following-delayed-rollout-of-end-to-end-encryption/"}' data-offer-url="https://techcrunch.com/2021/12/01/meta-explains-its-approach-to-user-safety-following-delayed-rollout-of-end-to-end-encryption/" href="https://techcrunch.com/2021/12/01/meta-explains-its-approach-to-user-safety-following-delayed-rollout-of-end-to-end-encryption/" rel="external nofollow" target="_blank">untangle its systems and add safety features</a>. The transition has been harder than expected—and Meta controls all of the technology involved.
</p>

<p>
	 
</p>

<p>
	Ultimately, how much companies change may come down to the technical realities and the degree of pressure the European Commission, which will enforce the DMA, puts on them. Like <a href="https://www.wired.co.uk/article/what-is-gdpr-uk-eu-legislation-compliance-summary-fines-2018" rel="external nofollow">GDPR</a>, the DMA could lead to multimillion-dollar fines for businesses that don't comply. However, GDPR has been poorly enforced—including a provision that says people should be able to transport their data from one app to another. Tech companies may have no choice if the European Commission enforces the DMA—but that could be the least of their worries.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/dma-interoperability-messaging-imessage-whatsapp/" rel="external nofollow">Forcing WhatsApp and iMessage to Work Together Is Doomed to Fail</a>
</p>

<p>
	 
</p>

<p>
	(May require free registration to view)
</p>
]]></description><guid isPermaLink="false">5029</guid><pubDate>Tue, 29 Mar 2022 20:24:20 +0000</pubDate></item><item><title>Google Workspace will re-enable tracking for many users today</title><link>https://nsaneforums.com/news/security-privacy-news/google-workspace-will-re-enable-tracking-for-many-users-today-r5020/</link><description><![CDATA[<h3>
	Plus, administrators are being stripped of organization-wide privacy controls.
</h3>

<div itemprop="articleBody">
	
	<p>
		Today is the day that Google's <a href="https://support.google.com/a/answer/11194328" rel="external nofollow">controversial changes</a> to the Google Workspace privacy settings take effect. For paying users of Google Workspace, the organization-wide "Web &amp; App Activity" control is being removed from the administrator control panel and will be split into two different settings. We covered this announcement <a href="https://arstechnica.com/gadgets/2022/02/confusing-google-workspace-privacy-change-will-re-enable-tracking-for-users/" rel="external nofollow">two months ago</a>, but the new privacy controls started rolling out on Tuesday.
	</p>

	<p>
		 
	</p>

	<p>
		Many confusing changes are happening. First, administrators will no longer have organization-wide control over privacy settings. It will now be up to each user in an organization to hunt down and change the settings themselves. Google will not honor your previous privacy settings when it moves the controls—organizations that previously opted out of tracking will be opted back in to some tracking, and every user will now need to opt out individually.
	</p>

	<p>
		 
	</p>
	<p>
		The second change is the settings split. The tracking previously covered by "Web &amp; App Activity" is being broken into two controls; one is still called "Web &amp; App Activity," and there's a new setting called "Search History." The Web &amp; App Activity setting won't be switched back on, but since Search History has never technically existed before, it will be turned on by default for every user, even if an organization previously opted out of this tracking when it was under Web &amp; App Activity. Again, administrators can no longer control this setting, so every user in an organization will need to shut off Search History for themselves.
	</p>

	<p>
		 
	</p>

	<p>
		You may be wondering what the settings actually do. Web &amp; App Activity is a checkbox that allows Google to track and save almost <a href="https://support.google.com/websearch/answer/54068?hl=en&amp;co=GENIE.Platform%3DAndroid#zippy=%2Cinfo-about-your-browsing-and-other-activity-on-sites-apps-and-devices-that-use-google-services%2Caudio-recordings%2Cinfo-about-your-searches-and-other-activity-on-google-sites-apps-and-services" rel="external nofollow">everything you do</a> on a Google account—that means your location, language, IP address, client info, and text and audio searches across most Google products. It also allows Google to save any ads you click on or things you buy on an advertiser's site, plus a bunch of device info, like recent apps you've used, contact names you've recently searched for, and, if applicable, your Chrome history and Android device diagnostics.
	</p>

	<p>
		 
	</p>

	<p>
		The new "Search History" checkbox provides a special tracking carve-out specifically for "the Google Workspace services," meaning the "business" apps like Gmail, Calendar, Docs, Contacts, Drive, Google Chat, and Keep, plus everything included in the <a href="https://workspace.google.com/terms/user_features.html" rel="external nofollow">Google Workspace terms</a>. Search History does not include Google Search (let that one sink in) or Google Maps, YouTube, or anything else not on the Workspace terms page.
	</p>

	<p>
		 
	</p>

	<p>
		Google argues that because Workspace is a paid service and the company "never uses your data in Google Workspace core services for advertising," users will be more comfortable turning on Search History for the Workspace apps since the data supposedly won't be used for ad targeting. This is also why there's no corresponding change for free consumer accounts, where activity is always used for ad data.
	</p>

	<h2>
		Dark patterns aplenty
	</h2>

	<p>
		Google chose not to enable privacy-preserving defaults, and it seems that every change will result in more tracking. If organizations opted out of tracking and want to go back to the way things were yesterday, administrators will have to email every organization member and hope they take the time to shut the setting off. Individual users are likely to be less tech-savvy than an organization's administrator and therefore less likely to be willing to mess with these settings.
	</p>

	<p>
		Google could have honored the previous "Web &amp; App Activity" settings and set the obviously related Search History settings accordingly. It could have given administrators centralized control over the setting rather than leaving it up to each individual user. It could have changed the settings but left them off by default or presented users with a pop-up and made them choose. Instead, the company went with the "maximum tracking" option.
	</p>

	<p>
		 
	</p>

	<p>
		If you want to turn off the settings, head to the <a href="https://myactivity.google.com/" rel="external nofollow">My Activity</a> page, where you can control "Web &amp; App Activity." Google says the new "Search History" setting will be in the "Other Google activity" link in the sidebar. If you don't see "Search History," your organization hasn't gotten the privacy change yet, so check back in a few days.
	</p>

	<p>
		 
	</p>
</div>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/gadgets/2022/03/google-workspace-will-re-enable-tracking-for-many-users-today/" rel="external nofollow">Google Workspace will re-enable tracking for many users today</a>
</p>
]]></description><guid isPermaLink="false">5020</guid><pubDate>Tue, 29 Mar 2022 19:59:58 +0000</pubDate></item><item><title>CISA warns of attacks targeting Internet-connected UPS devices</title><link>https://nsaneforums.com/news/security-privacy-news/cisa-warns-of-attacks-targeting-internet-connected-ups-devices-r5018/</link><description><![CDATA[<p>
	In a joint advisory with the Department of Energy, the Cybersecurity and Infrastructure Security Agency (CISA) warned U.S. organizations today to secure Internet-connected UPS devices from ongoing attacks.
</p>

<p>
	 
</p>

<p>
	UPS devices are regularly used as emergency power backup solutions in mission-critical environments, including data centers, industrial facilities, server rooms, and hospitals.
</p>

<p>
	 
</p>

<p>
	They're also connected to the Internet to allow admins to perform various remote tasks such as power monitoring and routine maintenance, which also exposes them to attacks.
</p>

<p>
	 
</p>

<p>
	"The Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy are aware of threat actors gaining access to a variety of internet-connected uninterruptible power supply (UPS) devices, often through unchanged default usernames and passwords," the federal agencies <a href="https://www.cisa.gov/uscert/ncas/current-activity/2022/03/29/mitigating-attacks-against-uninterruptable-power-supply-devices" rel="external nofollow" target="_blank">said</a>.
</p>

<p>
	 
</p>

<p>
	"Organizations can mitigate attacks against their UPS devices, which provide emergency power in a variety of applications when normal power sources are lost, by removing management interfaces from the internet."
</p>

<h2>
	How to block the attacks
</h2>

<p>
	Recommended mitigation measures include finding all UPSs and other emergency power systems on organizations' networks and ensuring they're not reachable over the Internet.
</p>

<p>
	 
</p>

<p>
	If connecting their management interfaces to the Internet cannot be avoided, admins are advised [<a href="https://www.cisa.gov/sites/default/files/publications/CISA-DOE_Insights-Mitigating_Vulnerabilities_Affecting_Uninterruptible_Power_Supply_Devices_Mar_29.pdf" rel="external nofollow" target="_blank">PDF</a>] to put the devices behind a virtual private network (VPN), enable multifactor authentication (MFA), and use strong passwords or passphrases to hinder brute-forcing attempts.
</p>

<p>
	 
</p>

<p>
	The recommendations also include checking that UPSs are not still using factory default credentials, since those are exactly what the attackers are using to log in and take over the targeted devices.
</p>

<p>
	 
</p>

<p>
	U.S. organizations are also urged to implement login timeout/lockout policies to block these ongoing attacks against UPSs and similar systems.
</p>
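<p>
	The two checks above, a lockout policy and a sanity check that logins are only arriving from the management network, can be dry-run against a device's own authentication log before the policy is enforced. The following is an added example, not part of the advisory or of any vendor's firmware; the log line format, the management subnet and the policy thresholds (five failures in ten minutes, fifteen-minute lockout) are all assumptions, and the sample log is constructed.
</p>

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of login events from a UPS network-management card.
# The line format (timestamp, source IP, user, result) is assumed for this
# example; real cards use their own vendor-specific log formats.
SAMPLE_LOG = """\
2022-03-29T10:00:01Z 203.0.113.7 apc FAIL
2022-03-29T10:00:03Z 203.0.113.7 apc FAIL
2022-03-29T10:00:05Z 203.0.113.7 admin FAIL
2022-03-29T10:00:07Z 203.0.113.7 admin FAIL
2022-03-29T10:00:09Z 203.0.113.7 root FAIL
2022-03-29T10:00:11Z 203.0.113.7 apc OK
2022-03-29T10:05:00Z 10.20.0.15 ups-admin OK
2022-03-29T10:30:00Z 203.0.113.7 apc OK
"""

# Networks the management interface is supposed to be reachable from (assumed).
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Lockout policy: MAX_FAILURES failures within FAIL_WINDOW lock the source for LOCKOUT.
MAX_FAILURES = 5
FAIL_WINDOW = timedelta(minutes=10)
LOCKOUT = timedelta(minutes=15)


def parse(log_text):
    """Yield (timestamp, source address, user, result) for each log line."""
    for line in log_text.splitlines():
        ts, src, user, result = line.split()
        yield (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
               ipaddress.ip_address(src), user, result)


def evaluate(log_text):
    """Replay the log under the lockout policy and report what it would have done.

    Returns a dict with:
      'external': source addresses outside MGMT_NETS (the interface is reachable
                  from where it should not be),
      'locked':   source -> time the lockout would have started,
      'blocked':  attempts the lockout would have refused, including any that
                  actually succeeded on the unprotected device.
    """
    failures = defaultdict(deque)      # src -> timestamps of recent failures
    locked_until = {}
    report = {"external": set(), "locked": {}, "blocked": []}
    for ts, src, user, result in parse(log_text):
        if not any(src in net for net in MGMT_NETS):
            report["external"].add(str(src))
        if src in locked_until and ts < locked_until[src]:
            report["blocked"].append((ts.isoformat(), str(src), user, result))
            continue
        if result == "OK":
            failures[src].clear()
            continue
        window = failures[src]
        window.append(ts)
        while window and ts - window[0] > FAIL_WINDOW:
            window.popleft()
        if len(window) >= MAX_FAILURES:
            locked_until[src] = ts + LOCKOUT
            report["locked"].setdefault(str(src), ts.isoformat())
            window.clear()
    return report


if __name__ == "__main__":
    for key, value in evaluate(SAMPLE_LOG).items():
        print(key, value)
```

<p>
	On the constructed log, the fifth failure from 203.0.113.7 triggers the lockout, and the successful <code>apc</code> login two seconds later, the guessed default credential landing on the unprotected card, is the one attempt the policy would have refused. The same address shows up under <code>external</code>, which is the more important finding: a lockout only slows the attacker down, whereas a public source address means the interface should not have been reachable in the first place.
</p>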

<p>
	 
</p>

<p>
	Besides default credentials, threat actors can also exploit critical security vulnerabilities to remotely take over uninterruptible power supply (UPS) devices, burn them out, or cut the power they supply.
</p>

<p>
	 
</p>

<p>
	For instance, a set of <a href="https://www.bleepingcomputer.com/news/security/apc-ups-zero-day-bugs-can-remotely-burn-out-devices-disable-power/" target="_blank" rel="external nofollow">critical zero-day vulnerabilities tracked as TLStorm</a>, exploitable remotely by unauthenticated attackers without user interaction, is known to impact SmartConnect and Smart-UPS devices from APC, a subsidiary of Schneider Electric.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/cisa-warns-of-attacks-targeting-internet-connected-ups-devices/" rel="external nofollow">CISA warns of attacks targeting Internet-connected UPS devices</a>
</p>
]]></description><guid isPermaLink="false">5018</guid><pubDate>Tue, 29 Mar 2022 19:54:05 +0000</pubDate></item><item><title>Google resumes shoveling stuff into its 'Privacy Sandbox'</title><link>https://nsaneforums.com/news/security-privacy-news/google-resumes-shoveling-stuff-into-its-privacy-sandbox-r5011/</link><description><![CDATA[<p>
	<span style="font-size:20px;">Chrome trials scheduled for FLEDGE and Topics APIs</span>
</p>

<p>
	 
</p>

<p>
	Google is preparing another round of tests for the latest iteration of its purportedly privacy-preserving ad technology, after last year's Federated Learning of Cohorts (FLoC) experiment revealed the need for further refinement.
</p>

<p>
	 
</p>

<p>
	In separate messages to Chromium developers declaring their "Intent to Experiment," Google software developers on Friday said Origin Trials for the company's FLEDGE API and its Topics API will commence following the March 31 debut of Chrome 101 Beta.
</p>

<p>
	 
</p>

<p>
	Testing is expected to continue at least until Chrome 104 Beta, three months hence.
</p>

<p>
	 
</p>

<p>
	FLEDGE aims to enable remarketing – showing ads at a website based on prior interactions at a different website – and Topics, which replaces FLoC, aims to enable interest-based advertising. And both aspire to do so in a way that doesn't involve tracking individuals across the web, or so it's said.
</p>

<p>
	 
</p>

<p>
	FLEDGE is an effort to implement Turtledove, an API to facilitate advertising targeted at interest groups. It moves interest data and the decision about which ad gets presented from the server-side to the client-side (browser), for the sake of privacy.
</p>

<p>
	 
</p>

<p>
	"The intent of the Topics API is to provide callers (including third-party ad-tech or advertising providers on the page that run script) with coarse-grained advertising topics that the page visitor might currently be interested in," Google says.
</p>
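<p>
	What "coarse-grained" means in practice is easiest to see in a model of the mechanism. The following Python is an added example, not Google's code or the Chrome implementation; it follows the public Topics explainer's design (per-epoch top topics computed locally from hostnames, one topic per epoch for the last three epochs, a small chance of a random topic, and a caller only receiving topics it itself observed), and those details go beyond what the article states. The hostname-to-topic table, the caller names and the browsing history are constructed.
</p>

```python
import hashlib
import random
from collections import Counter

# Constructed hostname -> topic table. The real design runs a browser-side
# classifier over hostnames against a fixed taxonomy; this lookup stands in for it.
SITE_TOPIC = {
    "running-shoes.example": "Fitness",
    "trailmaps.example": "Outdoors",
    "kernelnews.example": "Programming",
    "sushi-reviews.example": "Food & Drink",
    "jazz-radio.example": "Music",
    "mortgage-rates.example": "Finance",
}
TAXONOMY = sorted(set(SITE_TOPIC.values()))

# Constructed browsing history: per epoch, (hostname, callers embedded on that page).
EPOCHS = [
    ("week-1", [("running-shoes.example", ("adnet-a",)),
                ("running-shoes.example", ("adnet-a",)),
                ("trailmaps.example", ("adnet-a",)),
                ("kernelnews.example", ("adnet-a", "adnet-b"))]),
    ("week-2", [("sushi-reviews.example", ("adnet-a",)),
                ("jazz-radio.example", ("adnet-a", "adnet-b")),
                ("jazz-radio.example", ("adnet-a",))]),
]


def top_topics(visits, k=5):
    """The user's top-k topics for one epoch, computed locally from hostnames."""
    counts = Counter(SITE_TOPIC[host] for host, _ in visits if host in SITE_TOPIC)
    return [topic for topic, _ in counts.most_common(k)]


def observed_by(visits, caller):
    """Topics of the sites on which this caller's script was actually present."""
    return {SITE_TOPIC[host] for host, callers in visits
            if caller in callers and host in SITE_TOPIC}


def browsing_topics(epochs, caller, site, rng=None, noise=0.05):
    """Model of what `caller`, embedded on `site`, gets back: at most one topic
    per epoch for the last three epochs, and never a hostname."""
    rng = rng or random.Random()
    recent = epochs[-3:]
    seen = set()
    for _, visits in recent:
        seen |= observed_by(visits, caller)
    result = []
    for epoch_id, visits in recent:
        top = top_topics(visits)
        if not top:
            continue
        # Which of the top topics a site sees is fixed per (site, epoch), so two
        # sites cannot pool their answers to recover the whole top list.
        digest = hashlib.sha256(f"{site}|{epoch_id}".encode()).digest()
        topic = top[digest[0] % len(top)]
        if rng.random() < noise:
            topic = rng.choice(TAXONOMY)      # plausible deniability for any answer
        # A caller only learns topics it could have learned from its own embeds.
        if topic in seen:
            result.append(topic)
    return result


if __name__ == "__main__":
    for caller in ("adnet-a", "adnet-b", "adnet-c"):
        print(caller, browsing_topics(EPOCHS, caller, "news-site.example", noise=0.0))
```

<p>
	Run as-is, <code>adnet-a</code>, which was embedded everywhere, gets one topic per epoch; <code>adnet-b</code>, embedded only on the programming and music sites, can at most be told "Programming" or "Music"; and <code>adnet-c</code>, which the browser never saw, gets an empty list. That last filter is what keeps the API from being a free cross-site profile for any script that asks, and it is also what the criticism later in the article is about: the taxonomy, the classifier and the filtering rules are all Google's to define.
</p>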

<p>
	 
</p>

<p>
	Google's explainer for FLEDGE/Turtledove says that the in-browser ad scheme "involves the browser running untrusted JavaScript downloaded from multiple parties" and outlines various ways in which the API imposes limitations on the execution environment for the sake of security.
</p>

<p>
	 
</p>

<p>
	The Topics API also has security and privacy considerations that have yet to be fully addressed.
</p>

<p>
	 
</p>

<p>
	Google's hope in experimenting with these APIs is to prove that FLEDGE and Topics are privacy-preserving and revenue-preserving, as well as secure.
</p>

<p>
	 
</p>

<p>
	Since the early days of web advertising, presenting ads to people using web browsers has involved cookies – files that get deposited by web server code on behalf of the site publisher and affiliated third-party firms.
</p>

<p>
	 
</p>

<p>
	As the privacy problems posed by this approach became apparent and spurred regulation, and as Google's competitors made changes to restrict the use of third-party cookies, Google in 2019 launched its Privacy Sandbox initiative to redesign its ad tech in a way that complies with evolving privacy rules and tolerates privacy defenses.
</p>

<p>
	 
</p>

<p>
	With that project underway, Google in January 2020 announced plans to phase out third-party cookies "within two years," a commitment soon thereafter hedged with qualifiers. By the middle of last year, the third-party cookie phase-out had slipped back to late 2023.
</p>

<p>
	 
</p>

<p>
	<strong>A matter of trust</strong>
</p>

<p>
	Part of the problem for Google is that ad industry rivals fear they will be at a data disadvantage in the Privacy Sandbox and their concerns have reached the ears of lawmakers and regulators in the US, Europe, and the UK at a time when the ad biz faces broad antitrust scrutiny and litigation.
</p>

<p>
	 
</p>

<p>
	The result has been that Google made a set of commitments to the UK's Competition &amp; Markets Authority that it will design its Privacy Sandbox systems in consultation with competitors. So now instead of moving fast and breaking things, the online ad giant has to engage with marketers who think this whole privacy push will put them at a disadvantage.
</p>

<p>
	 
</p>

<p>
	Google also faces ongoing criticism from rival browser makers like Brave that argue its Privacy Sandbox only improves privacy as measured from the intrusive baseline set by Chrome. The Topics API, said Brave senior director of privacy Peter Snyder in January, is dangerous because it makes Google the arbiter of what data is "sensitive" in terms of the interests associated with a particular internet user.
</p>

<p>
	 
</p>

<p>
	And FLEDGE, Snyder has cautioned, relies on WebBundles, which pack web resources for download. They pose a security and privacy threat, he contends, because they remove resources from the global namespace, where they can be identified and blocked. Content blocking extensions would not be able to block bundled resources because they would not know what file name or string to look for.
</p>

<p>
	 
</p>

<p>
	"Anyone with a concern for a truly privacy-first Web should be concerned with Fledge and Topics API," said Snyder in an email to The Register. "Google is trying to track the web on a course that still favors their infrastructure and advantages, before others can nudge things on a more user-focused approach."
</p>

<p>
	 
</p>

<p>
	"Much of 'Privacy Sandbox' should be understood as 'moat around Google,' where Google is pushing for a direct or intermediating role in an ever greater percentage of web requests, knowing they have first-party access to nearly every site (Google Analytics, AdWords, Google Tag Manager, Google Maps, etc)." ®
</p>

<p>
	 
</p>

<p>
	<span style="font-size:20px;"><strong><a href="https://www.theregister.com/2022/03/29/google_privacy_sandbox/" rel="external nofollow">Source</a></strong></span>
</p>
]]></description><guid isPermaLink="false">5011</guid><pubDate>Tue, 29 Mar 2022 13:19:07 +0000</pubDate></item><item><title>New Hacking Campaign by Transparent Tribe Hackers Targeting Indian Officials</title><link>https://nsaneforums.com/news/security-privacy-news/new-hacking-campaign-by-transparent-tribe-hackers-targeting-indian-officials-r5010/</link><description><![CDATA[<p>
	Yet another campaign designed to backdoor targets of interest with a Windows-based remote access trojan named CrimsonRAT, active since at least June 2021, has been attributed to a threat actor of likely Pakistani origin.
</p>

<p>
	 
</p>

<p>
	"Transparent Tribe has been a highly active APT group in the Indian subcontinent," Cisco Talos researchers said in an analysis shared with The Hacker News. "Their primary targets have been government and military personnel in Afghanistan and India. This campaign furthers this targeting and their central goal of establishing long term access for espionage."
</p>

<p>
	 
</p>

<p>
	Last month, the advanced persistent threat expanded its malware toolset to compromise Android devices with a backdoor named CapraRAT that exhibits a high "degree of crossover" with CrimsonRAT.
</p>

<p>
	 
</p>

<p>
	The latest set of attacks detailed by Cisco Talos involves making use of fake domains that mimic legitimate government and related organizations to deliver the malicious payloads, including a Python-based stager used to install .NET-based reconnaissance tools and RATs as well as a barebones .NET-based implant to run arbitrary code on the infected system.
</p>

<p>
	 
</p>

<p>
	Besides continually evolving their deployment tactics and malicious functionalities, Transparent Tribe is known to rely on a variety of delivery methods, such as executables impersonating installers of legitimate applications, archive files, and weaponized documents to target Indian entities and individuals.
</p>

<p>
	 
</p>

<p>
	One of the downloader executables masquerades as Kavach (meaning "armor" in Hindi), an Indian government-mandated two-factor authentication solution required for accessing email services, in order to deliver the malicious artifacts.
</p>

<p>
	 
</p>

<p>
	Also put to use are COVID-19-themed decoy images and virtual hard disk files (aka VHDX files) that are used as a launchpad for retrieving additional payloads from a remote command-and-control server, such as the CrimsonRAT, which is used to gather sensitive data and establish long-term access into victim networks.
</p>

<p>
	 
</p>

<p>
	"The use of multiple types of delivery vehicles and new bespoke malware that can be easily modified for agile operations indicates that the group is aggressive and persistent, nimble, and constantly evolving their tactics to infect targets," the researchers said.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2022/03/new-hacking-campaign-by-transparent.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">5010</guid><pubDate>Tue, 29 Mar 2022 13:01:09 +0000</pubDate></item><item><title>Security experts say new EU rules will damage WhatsApp encryption</title><link>https://nsaneforums.com/news/security-privacy-news/security-experts-say-new-eu-rules-will-damage-whatsapp-encryption-r5007/</link><description><![CDATA[<h3>
	Big names in internet security have been fiercely critical of the new DMA legislation
</h3>

<p>
	On March 24th, EU governing bodies announced that they had <a href="https://www.theverge.com/2022/3/24/22994234/eu-antitrust-legislation-dma-digital-markets-act-details" rel="external nofollow">reached a deal</a> on the most sweeping legislation to target Big Tech in Europe, known as the Digital Markets Act (DMA). Seen as an ambitious law with far-reaching implications, the most eye-catching measure in the bill would require that every large tech company — defined as having a market capitalization of more than €75 billion or a user base of more than 45 million people in the EU — create products that are <a href="https://www.theverge.com/2022/3/24/22995431/european-union-digital-markets-act-imessage-whatsapp-interoperable" rel="external nofollow">interoperable with smaller platforms</a>. For messaging apps, that would mean letting end-to-end encrypted services like WhatsApp mingle with less secure protocols like SMS — which security experts worry will undermine hard-won gains in the field of message encryption.
</p>

<p>
	 
</p>

<p>
	The main focus of the DMA is a class of large tech companies termed “gatekeepers,” defined by the size of their audience or revenue and, by extension, the structural power they are able to wield against smaller competitors. Through the new regulations, the government is hoping to “break open” some of the services provided by such companies to allow smaller businesses to compete. That could mean letting users <a href="https://www.theverge.com/2022/3/25/22996248/apple-sideloading-apps-store-third-party-eu-dma-requirement" rel="external nofollow">install third-party apps outside of the App Store</a>, letting outside sellers <a href="https://themarkup.org/amazons-advantage/2021/10/14/amazon-puts-its-own-brands-first-above-better-rated-products" rel="external nofollow">rank higher in Amazon searches</a>, or requiring messaging apps to send texts across multiple protocols.
</p>

<p>
	 
</p>

<p>
	But this could pose a real problem for services promising end-to-end encryption: the consensus among cryptographers is that it will be difficult, if not impossible, to maintain encryption between apps, with potentially enormous implications for users. Signal is small enough that it wouldn’t be affected by the DMA provisions, but WhatsApp — which uses the Signal protocol and is owned by Meta — certainly would be. The result could be that some, if not all, of WhatsApp’s end-to-end messaging encryption is weakened or removed, robbing a billion users of the protections of private messaging.
</p>

<p>
	 
</p>

<p>
	Given the need for precise implementation of cryptographic standards, experts say that there’s no simple fix that can reconcile security and interoperability for encrypted messaging services. Effectively, there would be no way to fuse together different forms of encryption across apps with different design features, said Steven Bellovin, an acclaimed internet security researcher and professor of computer science at Columbia University.
</p>

<p>
	 
</p>

<p>
	“Trying to reconcile two different cryptographic architectures simply can’t be done; one side or the other will have to make major changes,” Bellovin said. “A design that works only when both parties are online will look very different than one that works with stored messages .... How do you make those two systems interoperate?”
</p>

<p>
	 
</p>


<p>
	Making different messaging services compatible can lead to a lowest common denominator approach to design, Bellovin says, in which the unique features that made certain apps valuable to users are stripped back until a shared level of compatibility is reached. For example, if one app supports encrypted multi-party communication and another does not, maintaining communications between them would usually require that the encryption be dropped.
</p>

<p>
	 
</p>

<p>
	Alternatively, the DMA suggests another approach — equally unsatisfactory to privacy advocates — in which messages sent between two platforms with incompatible encryption schemes are decrypted and re-encrypted when passed between them, breaking the chain of “end-to-end” encryption and creating a point of vulnerability for interception by a bad actor.
</p>

<p>
	 
</p>

<p>
	Alec Muffett, an internet security expert and former Facebook engineer who recently <a href="https://www.theverge.com/2022/3/8/22967843/twitter-tor-onion-service-version-launch" rel="external nofollow">helped Twitter launch an encrypted Tor service</a>, told The Verge that it would be a mistake to think that Apple, Google, Facebook, and other tech companies were making identical and interchangeable products that could easily be combined.
</p>

<p>
	 
</p>

<p>
	“If you went into a McDonald’s and said, ‘In the interest of breaking corporate monopolies, I demand that you include a sushi platter from some other restaurant with my order,’ they would rightly just stare at you,” Muffett said. “What happens when the requested sushi arrives by courier at McDonald’s from the ostensibly requested sushi restaurant? Can and should McDonald’s serve that sushi to the customer? Was the courier legitimate? Was it prepared safely?”
</p>

<p>
	 
</p>

<p>
	Currently, every messaging service takes responsibility for its own security — and Muffett and others have argued that by demanding interoperability, users of one service are exposed to vulnerabilities that may have been introduced by another. In the end, overall security is only as strong as the weakest link.
</p>

<p>
	 
</p>

<p>
	Another point of concern raised by security experts is the problem of maintaining a coherent “namespace,” the set of identifiers that are used to designate different devices in any networked system. A basic principle of encryption is that messages are encoded in a way that is unique to a known cryptographic identity, so doing a good job of identity management is fundamental to maintaining security.
</p>

<p>
	 
</p>

<p>
	“How do you tell your phone who you want to talk to, and how does the phone find that person?” said Alex Stamos, director of the Stanford Internet Observatory and former chief security officer at Facebook. “There is no way to allow for end-to-end encryption without trusting every provider to handle the identity management... If the goal is for all of the messaging systems to treat each other’s users exactly the same, then this is a privacy and security nightmare.”
</p>

<p>
	 
</p>

<p>
	Not all security experts have responded so negatively to the DMA. Some of the objections shared previously by Muffett and Stamos have been addressed in a <a href="https://matrix.org/blog/2022/03/25/interoperability-without-sacrificing-privacy-matrix-and-the-dma" rel="external nofollow">blog post</a> from Matrix, a project geared around the development of an open-source, secure communications standard.
</p>

<p>
	 
</p>

<p>
	The post, written by Matrix co-founder Matthew Hodgson, acknowledges the challenges that come with mandated interoperability but argues that they are outweighed by benefits that will come from challenging the tech giants’ insistence on closed messaging ecosystems.
</p>

<p>
	 
</p>

<p>
	“In the past, gatekeepers dismissed the effort of [interoperability] as not being worthwhile,” Hodgson told The Verge. “After all, the default course of action is to build a walled garden, and having built one, the temptation is to try to trap as many users as possible.”
</p>

<p>
	 
</p>

<p>
	But with users generally happy to centralize trust and a social graph in one app, it’s unclear whether the top-down imposition of cross-platform messaging is mirrored by demand from below.
</p>

<p>
	 
</p>

<p>
	“iMessage already has interop: it’s called SMS, and users really dislike it,” said Alex Stamos. “And it has really bad security properties that aren’t explained by green bubbles.”
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.theverge.com/2022/3/28/23000148/eu-dma-damage-whatsapp-encryption-privacy" rel="external nofollow">Security experts say new EU rules will damage WhatsApp encryption</a>
</p>
]]></description><guid isPermaLink="false">5007</guid><pubDate>Tue, 29 Mar 2022 03:03:15 +0000</pubDate></item><item><title>The Future of Digital Cash Is Not on the Blockchain</title><link>https://nsaneforums.com/news/security-privacy-news/the-future-of-digital-cash-is-not-on-the-blockchain-r4998/</link><description><![CDATA[<p>
	When you hear the phrase “digital cash,” what comes to mind? Perhaps a payment app, like Venmo, that you use in situations that used to call for paper bills, like paying back a friend for dinner. Or maybe you think of cryptocurrencies. After all, the original Bitcoin <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://bitcoin.org/bitcoin.pdf"}' data-offer-url="https://bitcoin.org/bitcoin.pdf" href="https://bitcoin.org/bitcoin.pdf" rel="external nofollow" target="_blank">white paper</a> is titled “Bitcoin: A Peer-to-Peer Electronic Cash System.”
</p>

<p>
	 
</p>

<p>
	But none of these digital payment options are really like cash. Unlike paper money, they require both an internet connection and a bank account to use. Above all, they lack what has long made cash the preferred medium of civil libertarians, dissidents, and criminals alike: privacy. The only kind of money that leaves no paper trail is paper.
</p>

<p>
	 
</p>

<p>
	A bill introduced in Congress on Monday seeks to re-create the virtues of cash, privacy and all, in digital form. The ECASH Act would direct the US government to experiment with issuing digital dollars that are stored on hardware, not in bank accounts, and can be used without an internet connection. The idea of new, surveillance-proof currency will surely face skepticism within government. But with paper money on a slow path to <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.axios.com/legal-cash-economy-decline-pandemic-417969a4-abb0-4618-bb4b-997b5d723b00.html"}' data-offer-url="https://www.axios.com/legal-cash-economy-decline-pandemic-417969a4-abb0-4618-bb4b-997b5d723b00.html" href="https://www.axios.com/legal-cash-economy-decline-pandemic-417969a4-abb0-4618-bb4b-997b5d723b00.html" rel="external nofollow" target="_blank">extinction</a>, the case for a real digital alternative will only grow stronger.
</p>

<p>
	 
</p>

<p>
	It’s easy enough to understand why apps like Venmo, which infamously makes your transactions <a href="https://www.wired.com/story/venmo-privacy-by-default-global-feed/" rel="external nofollow">public by default</a>, are an imperfect substitute for cash. Anyone using an app to send money around should be aware that they’re leaving a permanent digital trail that could be accessed by the government or malicious actors. With crypto, on the other hand, the lack of privacy is a bit counterintuitive. Privacy was an essential part of Bitcoin’s original appeal. Early crypto enthusiasts believed that the blockchain would free them from Big Brother. Using a distributed ledger rather than a centralized one would remove the need for a banklike middleman that could block transactions. And tying accounts to cryptographic wallet addresses, rather than offline identity, would keep transactions anonymous. This led to a profusion of illegal activity taking advantage of cryptocurrencies.
</p>

<p>
	 
</p>

<p>
	But, as my colleague Andy Greenberg illustrates in his <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.penguinrandomhouse.com/books/690603/tracers-in-the-dark-by-andy-greenberg/"}' data-offer-url="https://www.penguinrandomhouse.com/books/690603/tracers-in-the-dark-by-andy-greenberg/" href="https://www.penguinrandomhouse.com/books/690603/tracers-in-the-dark-by-andy-greenberg/" rel="external nofollow" target="_blank">forthcoming book</a>, the early faith in crypto anonymity was misplaced. The thing about blockchains is that while your transactions might be hidden behind a crypto wallet address, they are also permanently stored on a public database. It didn’t take law enforcement agencies too long to <a href="https://www.wired.com/story/bitcoin-seizure-record-doj-crypto-tracing-monero/" rel="external nofollow">figure out</a> how to connect those transactions and wallets to the real-world identities behind them.
</p>

<p>
	 
</p>

<p>
	“In the grand scheme of things, distributed ledger versus regular ledger is almost irrelevant on the question of cash-like privacy,” says Rohan Grey, a law professor at Willamette University. The more meaningful distinction, he explains, is between two different currency models: tokens and accounts. When you pay for something with cash, you’re handing over a physical token. Whoever holds the token has the money, and there is no third party to the transaction. When you send a payment using Venmo, or a bank, on the other hand, you’re just directing them to update your account by moving some numbers around in their books. The same thing is true of cryptocurrencies; the only meaningful difference is that the network as a whole, rather than a financial institution, approves the transactions.
</p>

<p>
	 
</p>

<p>
	This means that, despite the various options for making online payments, true digital cash doesn’t exist. This is not merely a theoretical distinction. Paper cash has been on the decline for years, a trend accelerated during the pandemic, as more and more businesses decided to <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.axios.com/local/austin/2022/03/07/proliferation-cashless-businesses-austin-texas"}' data-offer-url="https://www.axios.com/local/austin/2022/03/07/proliferation-cashless-businesses-austin-texas" href="https://www.axios.com/local/austin/2022/03/07/proliferation-cashless-businesses-austin-texas" rel="external nofollow" target="_blank">stop accepting paper money</a>. This poses risks, most notably for the so-called <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.npr.org/2019/03/08/701076862/protecting-the-unbanked-by-banning-cashless-businesses-in-philadelphia"}' data-offer-url="https://www.npr.org/2019/03/08/701076862/protecting-the-unbanked-by-banning-cashless-businesses-in-philadelphia" href="https://www.npr.org/2019/03/08/701076862/protecting-the-unbanked-by-banning-cashless-businesses-in-philadelphia" rel="external nofollow" target="_blank">unbanked</a>—people who can’t afford to have a bank account and thus can’t access non-cash forms of payment.
</p>

<p>
	 
</p>

<p>
	Governments around the world, spooked by the rise of privately issued cryptocurrencies, have been exploring so-called central bank digital currencies, or CBDCs. Imagine a government version of PayPal or Venmo. This could solve the unbanked problem by creating a public banking option for low-income people, but it would not replace cash. As the economy shifts inexorably toward all-digital transactions, a future where our only options are payment apps, banks, crypto, or CBDCs means a future in which every financial transaction is potentially subject to surveillance by the government or private companies.
</p>

<p>
	 
</p>

<p>
	The ECASH Act, introduced by representative Stephen Lynch, a Massachusetts Democrat and chair of the House Task Force on Financial Technology, seeks to avoid that fate. (It stands for the Electronic Currency and Secure Hardware Act—an impeccable legislative acronym.) The bill, which Grey consulted on, would direct the US Treasury Department to conduct a pilot program for a version of digital dollars that work just like cash.
</p>

<p>
	 
</p>

<p>
	“If we’re to have a public option for digital finance, it needs to include everyone,” says Raúl Carrillo, a researcher at Yale Law School, who like Grey consulted on the legislation. “A key part of that is being able to go offline.”
</p>

<p>
	 
</p>

<p>
	What would that look like? The Treasury would issue digital dollars, just as it has issued paper money since the 1860s. To function as cash, the money can’t live on the government’s books or on a distributed blockchain ledger. That means balances must be stored on hardware. That could look like a stand-alone device, or it could be a secure hardware environment on your cell phone, similar to a SIM card—essentially a chip that is physically segregated from the rest of the device, so that it doesn’t depend on the security of the entire operating system.
</p>

<p>
	 
</p>

<p>
	This idea has been around for a while. In the 1990s, companies like Mondex developed stored-value cards that could support offline payments. Governments, however, didn’t take to the idea of issuing digital currency, and those companies were bought up by the credit card industry. (As WIRED’s Steven Levy <a href="https://www.wired.com/1994/12/emoney/" rel="external nofollow">wrote</a>, in 1994, “When I called a spokesperson for the Federal Reserve to ask about electronic cash, he laughed at me. It was as if I were inquiring about exchange rates with UFOs.”)
</p>

<p>
	 
</p>

<p>
	Today, the technology is sleeker, and its applications more apparent. Last week, I spoke with Razvan Dragomirescu, the chief technical officer of WhisperCash. Over Zoom, he showed me his company’s products. One looks like a credit card that has both a touchscreen keypad and a miniature, Kindle-style electronic ink display. Payments can be sent between cards either using Bluetooth or by entering the recipient’s ID number and the amount. In the latter case, the transaction generates a 10-digit cryptographic hash that encodes the parties to the transaction and the amount. To receive it, the recipient has to enter that code into their own card. WhisperCash’s other main product, a secure chip that sticks onto a SIM card, turns a phone—even a cheap “feature phone,” of the type common throughout the developing world—into a wallet for digital cash.
</p>

<p>
	 
</p>

<p>
	The key to making this work on a technical level is security—not so much from outside attackers but from the person holding the money. The main danger for any digital currency is the so-called double-spend problem, where someone spends the same money over and over again, wrecking the system. Anyone holding a digital cash device has a powerful incentive to try to hack past its defenses against double spending.
</p>

<p>
	 
</p>

<p>
	The device “is the user’s enemy,” Dragomirescu says. “The user will try to double spend, will try to counterfeit money, will generally try to bypass any limitations.”
</p>

<p>
	 
</p>

<p>
	Dragomirescu acknowledges that WhisperCash, like every piece of hardware ever built, can’t offer perfect security. The realistic goal is to make it so expensive and time consuming to hack the chip that no one would bother. Any version of state-backed money will involve restrictions on how much can be stored on a device and how much can be moved in a transaction—similar to the way in which American banks are required to report cash withdrawals or deposits above $10,000. Even if a hacker managed to unlock a digital cash wallet for double spending, it would be hard to actually spend the money, because everyone else’s device would still be capped.
</p>
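<p>
	The pieces described above, a short code that binds the parties and the amount, a device that debits itself before the code exists, and hard caps on balance and transaction size, fit together as follows. This is an added toy model written for this page, not WhisperCash's protocol or anything the ECASH Act specifies: the shared issuer key, the cent-denominated caps, and the convention that the sender's identifier, amount and counter travel alongside the 10-digit code are all assumptions of the example, and the wallets and amounts are constructed.
</p>

```python
import hashlib
import hmac

# Toy model of an offline, hardware-held cash balance. In a real device this
# key would live inside the secure element; its management is not described by
# the article and is simply assumed here.
ISSUER_KEY = b"constructed-demo-key-not-for-real-use"
DIGITS = 10
WALLET_CAP = 500_00      # at most 500.00 stored on a device, in cents (assumed limit)
TXN_CAP = 200_00         # at most 200.00 per transfer (assumed limit)


def transfer_code(sender_id, recipient_id, amount, counter):
    """10-digit code over parties, amount and the sender's counter (HMAC truncated
    to decimal digits, the same construction HOTP uses)."""
    msg = f"{sender_id}|{recipient_id}|{amount}|{counter}".encode()
    mac = hmac.new(ISSUER_KEY, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10**DIGITS:0{DIGITS}d}"


class Wallet:
    def __init__(self, wallet_id, balance=0):
        self.id = wallet_id
        self.balance = balance
        self.counter = 0        # monotonic; stamps every outgoing transfer
        self.seen = {}          # sender -> highest counter accepted (replay guard)

    def send(self, recipient_id, amount):
        if amount <= 0 or amount > TXN_CAP:
            raise ValueError("amount outside per-transaction limit")
        if amount > self.balance:
            raise ValueError("insufficient balance")
        self.counter += 1
        self.balance -= amount  # debited before the code exists: no code without a debit
        return (self.id, recipient_id, amount, self.counter,
                transfer_code(self.id, recipient_id, amount, self.counter))

    def receive(self, sender_id, amount, counter, code):
        # Recompute the code; any change to a party, the amount or the counter breaks it.
        expected = transfer_code(sender_id, self.id, amount, counter)
        if not hmac.compare_digest(expected, code):
            raise ValueError("code does not verify")
        if counter <= self.seen.get(sender_id, 0):
            raise ValueError("replayed transfer")      # the double-spend attempt
        if self.balance + amount > WALLET_CAP:
            raise ValueError("would exceed wallet cap")
        self.seen[sender_id] = counter
        self.balance += amount
        return self.balance


def demo():
    """Constructed scenario: one good transfer, then a replay, a tamper and an over-cap send."""
    alice, bob = Wallet("alice", balance=300_00), Wallet("bob")
    sender, _, amount, counter, code = alice.send("bob", 150_00)
    bob.receive(sender, amount, counter, code)
    outcomes = {"bob_after_first": bob.balance, "alice_after_first": alice.balance}
    for label, action in (
        ("replay", lambda: bob.receive(sender, amount, counter, code)),
        ("tamper", lambda: bob.receive(sender, 200_00, counter + 1, code)),
        ("over_cap", lambda: alice.send("bob", 250_00)),
    ):
        try:
            action()
            outcomes[label] = "accepted"
        except ValueError as err:
            outcomes[label] = str(err)
    return outcomes


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

<p>
	The replay guard here catches the same code being presented twice to the same recipient. What it cannot catch is a cloned or tampered sender presenting counter 1 to two different recipients, which is precisely the double-spend the article says the hardware must make too expensive to attempt, and why the offline transactions in the deployments Kiff describes still have to be uploaded to the central bank eventually: only a party that sees both recipients' records can notice the collision.
</p>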

<p>
	 
</p>

<p>
	At this point, the barriers to digital cash are political, not technological. Government officials tend to like being able to monitor who spends what. In the US, lawmakers remain freaked out about criminals taking advantage of crypto, despite law enforcement’s growing success in catching them. In that environment, a digital currency that’s even more resistant to surveillance will be a tough sell.
</p>

<p>
	 
</p>

<p>
	The ECASH Act tries to anticipate these concerns. It specifies that digital cash must be “subject to existing anti-money laundering, counterterrorism, Know Your Customer, and financial transaction reporting requirements and regulations.”
</p>

<p>
	 
</p>

<p>
	Privacy is not the only selling point for hardware-based digital cash. Because it doesn’t have to connect to a network, it would work even in places with no internet access or in the event of a natural disaster (a prospect that grows ever <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.usgs.gov/faqs/how-can-climate-change-affect-natural-disasters"}' data-offer-url="https://www.usgs.gov/faqs/how-can-climate-change-affect-natural-disasters" href="https://www.usgs.gov/faqs/how-can-climate-change-affect-natural-disasters" rel="external nofollow" target="_blank">likelier</a> thanks to climate change). For that reason, the near-term future of the technology is most likely as an offline backup option for central bank-issued digital currency. So far, that’s WhisperCash’s market. “I think the first wave of customers will be countries where there’s concern about natural disaster risk or there’s large parts of the country that are not online,” says John Kiff, a former analyst at the International Monetary Fund and an adviser to WhisperCash. In that situation, people would need to be able to make transactions with no internet access, but these transactions would still have to be periodically uploaded to the central bank.
</p>

<p>
	 
</p>

<p>
	The question of whether the public deserves true digital cash is ultimately philosophical. It depends on whether you believe that people should have the right to a degree of privacy in their personal finances—and that as life shifts ever more online, and our purchases generate detailed data that merchants and marketers eagerly sweep up, the government should take the initiative to carve out a zone of confidentiality that even it can’t pierce.
</p>

<p>
	 
</p>

<p>
	The supporters of the ECASH Act want to force Congress to take a stand on the issue. “Protecting the liberties that we have always enjoyed with physical cash in a digital form is going to be essential to preserve the liberties that we already have,” says Rohan Grey. “If people want to get rid of privacy, they should probably own that.”
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/digital-cash-ecash-act/" rel="external nofollow">The Future of Digital Cash Is Not on the Blockchain</a>
</p>

<p>
	 
</p>

<p>
	(May require free registration to view)
</p>
]]></description><guid isPermaLink="false">4998</guid><pubDate>Mon, 28 Mar 2022 20:36:45 +0000</pubDate></item><item><title>My own phone number is now spam texting me</title><link>https://nsaneforums.com/news/security-privacy-news/my-own-phone-number-is-now-spam-texting-me-r4997/</link><description><![CDATA[<h3>
	Did you recently get a spam text... from yourself? You’re not alone
</h3>

<p>
	This morning, I received a very blatant spam text offering me “a little gift” for supposedly paying my phone bill. Normally I’d groan, roll my eyes, and quickly delete such a thing, but there was something different about this particular message: it was spoofed as coming from my own phone number. As best my iPhone could tell, it was a legitimate message from me to myself. Tapping into the sender details took me to my own contact card.
</p>

<p>
	 
</p>

<p>
	Equally frustrating was that I had no obvious way of reporting the alarming spoof to my carrier, Verizon Wireless. Spoofed calls and texts are nothing new; most people face a constant deluge of spam calls that appear on caller ID as from a number similar to their own. But this was the first time I actually got something from my own number. These scammers keep getting more sophisticated.
</p>

<p>
	 
</p>

<p>
	Turns out I wasn’t alone. More than a few customers on Verizon <a href="https://www.reddit.com/r/verizon/comments/tplkdg/spam_from_my_own_number/" rel="external nofollow">reported getting similar spam</a> from their respective numbers over the last few days — same for <a href="https://www.reddit.com/r/Visible/comments/tpqhv3/spam_text_from_my_own_number/" rel="external nofollow">its MVNO Visible</a> — and several Verge employees on other carriers have also encountered them. I posted an Instagram story about it and have gotten plenty of “same” responses. SMS phishing, or “smishing,” <a href="https://www.vice.com/en/article/m7appv/sms-phishing-is-getting-out-of-control" rel="external nofollow">has been on the rise</a> in recent years, but there’s something more disconcerting and invasive about it being linked to your own number. It’s all very “the call is coming from inside the house.”
</p>

<p>
	 
</p>

<p>
	The <a href="https://twitter.com/search?q=spam%20own%20number&amp;src=typed_query" rel="external nofollow">main reaction on Twitter</a> is confusion and “how?!” Again, this is all spoofing and technological impersonation. It’s trivially easy for spammers to camouflage as any number they choose. My Verizon account is secure, and my number hasn’t been hijacked. If you’ve gotten the same message, there’s no cause for panic. Just don’t go clicking that link.
</p>

<p>
	 
</p>

<p>
	Still, it often feels like the phone carriers are losing the war against scammers. I don’t envy having to contend with the sheer volume of spam attacks that come across their networks daily, but this is getting out of hand. I’ve noticed an uptick in general SMS spam over the last several weeks. And as Alex Lanstein noted on Twitter, this particular message contains several phrases — “free msg,” “bill is paid,” “gift” — that one assumes would be flagged by Verizon’s spam protection systems. And yet it came through successfully. And since this one showed as coming from me, the text also successfully evaded Apple’s “filter unknown messages” feature.
</p>

<p>
	 
</p>

<p>
	<a href="https://twitter.com/alex_lanstein/status/1508429254815539213" rel="external nofollow">Tweet by @alex_lanstein on the spoofed spam text</a>
</p>

<p>
	 
</p>

<p>
	So what can be done? In addition to offering <a href="https://www.theverge.com/21327304/spam-calls-how-to-stop-block-robocalls-robots-scam-iphone-android" rel="external nofollow">various measures of spam protection</a>, Verizon and other US carriers encourage customers to forward spam texts to SPAM (7726). Some people might have pause about reporting spam “from” their own number, though. I’ve asked Verizon about what happens in that situation.
</p>

<p>
	 
</p>

<p>
	If you’re deeply annoyed by any spam texts or calls you receive, you can always <a href="https://consumercomplaints.fcc.gov/hc/en-us/articles/360001201223" rel="external nofollow">file a complaint with the FCC</a> about this stuff, where “my own number is being spoofed” is a sub-issue that can be reported.
</p>

<p>
	 
</p>

<p>
	Aside from those options, all you can really do is delete the texts and wait for the next scam tactic that seems like it shouldn’t even be possible. Damn you, scammers. Do better, carriers.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.theverge.com/2022/3/28/22999719/spam-texts-own-phone-number-verizon-att-tmobile" rel="external nofollow">My own phone number is now spam texting me</a>
</p>
]]></description><guid isPermaLink="false">4997</guid><pubDate>Mon, 28 Mar 2022 20:32:40 +0000</pubDate></item><item><title>Despite no wins, Microsoft Defender continues to dazzle AV-TEST shows latest report</title><link>https://nsaneforums.com/news/security-privacy-news/despite-no-wins-microsoft-defender-continues-to-dazzle-av-test-shows-latest-report-r4996/</link><description><![CDATA[<p>
	Microsoft Defender has once again scored the full 18 marks on AV-TEST's latest ranking for the month of February 2022. Out of the full 18 marks, AV-TEST awards those products that score 17.5 points or higher as "TOP PRODUCT". The security assessment firm releases these reports every two months after evaluating the performance of various anti-malware solutions available in the market.
</p>

<p>
	 
</p>

<p>
	AV-TEST says:
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	During January and February 2022 we continuously evaluated 18 home user security products using their default settings. We always used the most current publicly-available version of all products for the testing. They were allowed to update themselves at any time and query their in-the-cloud services. We focused on realistic test scenarios and challenged the products against real-world threats.
</p>

<p>
	 
</p>

<p>
	In the previous two rankings of <a href="https://www.neowin.net/news/av-test-confirms-windows-defender-is-amongst-the-very-finest-antiviruses-you-get-in-2021/" rel="external nofollow">October 2021</a> and <a href="https://www.neowin.net/news/microsoft-defender-beats-out-several-heavyweight-rivals-in-the-latest-av-test-ranking/" rel="external nofollow">December 2021</a>, Defender scored full marks as well but <a href="https://www.neowin.net/news/windows-defender-for-home-users-fails-to-win-any-of-av-test039s-best-anti-virus-2021-awards/" rel="external nofollow">failed to secure any of the best home antivirus awards</a>.
</p>

<p>
	 
</p>

<p>
	In total, 18 anti-malware products including Defender were tested across three categories:
</p>

<p>
	 
</p>

<ul>
	<li>
		Protection
	</li>
	<li>
		Performance
	</li>
	<li>
		Usability
	</li>
</ul>

<p>
	 
</p>

<p>
	You can see the scores of the various products by clicking on the image below:
</p>

<p>
	 
</p>

<p>
	<img alt="1648481704_av-test_rank_feb_2022.jpg" class="ipsImage" data-ratio="75.10" height="540" width="703" src="https://cdn.neow.in/news/images/uploaded/2022/03/1648481704_av-test_rank_feb_2022.jpg">
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/tags/false_positive/" rel="external nofollow">Despite some of its faults</a>, Microsoft has been continuing to add helpful features to Defender which is probably one of the reasons why it continues to do well in security assessment reports. For example, the firm recently added a "<a href="https://www.neowin.net/news/defender-will-now-protect-against-malicious-drivers-with-new-vulnerable-driver-blocklist/" rel="external nofollow">Vulnerable Driver Blocklist</a>" option and it is also <a href="https://www.neowin.net/news/after-defender-flagged-office-as-virus-microsoft-gets-serious-about-fixing-false-positives/" rel="external nofollow">actively working to improve false positive detections</a>.
</p>

<p>
	 
</p>

<p>
	Source: AV-TEST GmbH (<a href="https://twitter.com/avtestorg/status/1508458072653631498" rel="external nofollow">Twitter</a>)
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/despite-no-wins-microsoft-defender-continues-to-dazzle-av-test-shows-latest-report/" rel="external nofollow">Despite no wins, Microsoft Defender continues to dazzle AV-TEST shows latest report</a>
</p>
]]></description><guid isPermaLink="false">4996</guid><pubDate>Mon, 28 Mar 2022 20:30:41 +0000</pubDate></item><item><title>Windows Defender: Vulnerable Driver Blocklist protects against malicious or exploitable drivers</title><link>https://nsaneforums.com/news/security-privacy-news/windows-defender-vulnerable-driver-blocklist-protects-against-malicious-or-exploitable-drivers-r4995/</link><description><![CDATA[<p>
	Vulnerable Driver Blocklist is a new security feature of Windows Defender on Windows 10, Windows 11 and Windows Server 2016 or newer devices that protects against malicious or exploitable drivers.
</p>

<p>
	 
</p>

<p>
	<img alt="windows-defender-vulnerable-driver-block" class="ipsImage" data-ratio="75.10" height="533" width="720" src="https://www.ghacks.net/wp-content/uploads/2022/03/windows-defender-vulnerable-driver-blocklist.webp">
</p>

<p>
	 
</p>


<p>
	Announced by Microsoft's Vice President of Enterprise and OS Security, David Weston, <a data-wpel-link="external" href="https://twitter.com/dwizzzleMSFT/status/1508217367259611142" rel="external nofollow" target="_blank">on Twitter</a>, the Microsoft Vulnerable Driver Blocklist is a new security feature that is enabled by default on Windows 10 in S mode devices and on devices that have the Core Isolation feature Memory Integrity, which Microsoft may also refer to as Hypervisor-protected code integrity (HVCI), enabled.
</p>

<p>
	 
</p>

<p>
	Memory integrity, or HVCI, makes use of Microsoft's Hyper-V technology to protect Windows kernel-mode processes against malicious code injections. The feature was not enabled on existing devices when it first shipped, but it appears to be enabled by default on devices with new installations of Windows.
</p>

<p>
	 
</p>

<p>
	Some users reported issues with certain devices with HVCI enabled, and that disabling it resolved the issues that they experienced.
</p>

<p>
	 
</p>

<p>
	The core idea behind the new protective feature is to maintain a list of drivers that will be blocked by Windows Defender because the drivers have at least one of the following attributes:
</p>

<p>
	 
</p>

<ul>
	<li>
		Known security vulnerabilities that can be exploited by attackers to elevate privileges in the Windows kernel
	</li>
	<li>
		Malicious behaviors (malware) or certificates used to sign malware
	</li>
	<li>
		Behaviors that are not malicious but circumvent the Windows Security Model and can be exploited by attackers to elevate privileges in the Windows kernel
	</li>
</ul>

<p>
	 
</p>

<p>
	Microsoft cooperates with hardware vendors and OEMs to maintain the blocklist. Suspected drivers may be submitted to Microsoft for analysis and manufacturers may request that changes are made to drivers that are on the vulnerable blocklist, e.g., after patching an issue.
</p>

<p>
	 
</p>

<p>
	Devices that run Windows 10 in S mode and devices with HVCI enabled protect against these security threats once the feature is rolled out to devices.
</p>

<p>
	 
</p>

<p>
	<img alt="memory-integrity.webp" class="ipsImage" data-ratio="74.03" height="292" width="720" src="https://www.ghacks.net/wp-content/uploads/2022/03/memory-integrity.webp">
</p>

<p>
	 
</p>

<p>
	Windows users and administrators may enable the Memory Integrity prerequisite in the following way on non-Windows 10 S-mode devices:
</p>

<p>
	 
</p>

<ol>
	<li>
		Select Start and then Settings, or use the keyboard shortcut Windows-I to open the Settings application.
	</li>
	<li>
		On Windows 10, go to Update &amp; Security &gt; Windows Security. Select Open Windows Security.
	</li>
	<li>
		On Windows 11, go to Privacy &amp; Security &gt; Windows Security and select Open Windows Security.
	</li>
	<li>
		Select Device Security from the sidebar on the left side.
	</li>
	<li>
		Activate the "core isolation details" link.
	</li>
	<li>
		Toggle the Memory Integrity setting to On to enable the feature.
	</li>
	<li>
		Restart the device.
	</li>
</ol>

<p>
	 
</p>

<p>
	Windows administrators will see the new Microsoft Vulnerable Driver Blocklist on the Core isolation page of Windows Security once the feature becomes available. The feature can be toggled on or off, and also managed through other means. David Weston notes that turning it on will enable a more aggressive blocklist.
</p>

<p>
	 
</p>

<p>
	Microsoft states that it recommends enabling HVCI or using S mode, but that administrators may also block the drivers on the list using an existing Windows Defender Application Control policy. The <a data-wpel-link="external" href="https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" rel="external nofollow" target="_blank">documentation</a> lists an XML file that contains the blocked drivers ready for use.
</p>

<p>
	 
</p>

<p>
	Now You: is memory integrity enabled on your devices, if you use Windows Defender?
</p>

<p>
	 
</p>


<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2022/03/28/windows-defender-vulnerable-driver-blocklist-protects-against-malicious-or-exploitable-drivers/" rel="external nofollow">Windows Defender: Vulnerable Driver Blocklist protects against malicious or exploitable drivers</a>
</p>
]]></description><guid isPermaLink="false">4995</guid><pubDate>Mon, 28 Mar 2022 20:28:18 +0000</pubDate></item><item><title>Microsoft Edge and Google Chrome get emergency update to patch security vulnerability</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-edge-and-google-chrome-get-emergency-update-to-patch-security-vulnerability-r4984/</link><description><![CDATA[<p>
	Although major updates for Google Chrome and Microsoft Edge arrive after every four weeks, minor revisions to fix bugs, performance issues, and <a href="https://www.neowin.net/news/google-issues-warning-about-state-sponsored-hackers-from-north-korea-exploiting-chrome/" rel="external nofollow">security vulnerabilities</a> are released outside of this window too. This time, both Edge and Chrome have received an emergency patch to plug a security hole present in Chromium.
</p>

<p>
	 
</p>

<p>
	The issue in question is tagged as CVE-2022-1096, but the interesting thing is that very little about it has been publicly revealed as of now. The <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1096" rel="external nofollow">Microsoft Security Response Center (MSRC) has simply described</a> it as "Type Confusion in V8".
</p>

<p>
	 
</p>

<p>
	For those unaware, V8 is the JavaScript engine utilized in Chromium. The company has further highlighted that the exploit is being utilized in the wild and Google is aware of it. As such, the fix has been deployed in Chromium 99.0.4844.84 which has been ingested in Edge 99.0.1150.55. You can click on the three-dot button on the top-right of Edge and navigate to Help and feedback &gt; About Microsoft Edge to trigger the update manually.
</p>

<p>
	 
</p>

<p>
	<a href="https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_25.html" rel="external nofollow">Google doesn't describe the security hole in too much detail either</a> but there are a couple of interesting tidbits of information available. The issue has been tagged with a severity level of "High" and was in fact reported on March 23 by an unnamed person. Since it's in the wild and is apparently a rather severe vulnerability, it makes sense that the firm has patched Chromium quite quickly and immediately pushed out the fix for Chrome as well.
</p>

<p>
	 
</p>

<p>
	The update is available for Chrome via version 99.0.4844.84 on Windows, Mac, and Linux. You can head over to the three-dot button on the top-right of Chrome and navigate to Help &gt; About Google Chrome to trigger the update.
</p>

<p>
	 
</p>

<p>
	Given the hush-hush surrounding the vulnerability, it's likely that the issue is easily exploitable on older versions of Chromium, so Google wants the patch to be generally available for everyone before it releases more details about the issue in due course.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-edge-and-google-chrome-get-emergency-update-to-patch-security-vulnerability/" rel="external nofollow">Microsoft Edge and Google Chrome get emergency update to patch security vulnerability</a>
</p>
]]></description><guid isPermaLink="false">4984</guid><pubDate>Sun, 27 Mar 2022 20:00:32 +0000</pubDate></item><item><title>Hive ransomware ports its Linux VMware ESXi encryptor to Rust</title><link>https://nsaneforums.com/news/security-privacy-news/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust-r4983/</link><description><![CDATA[<p>
	The Hive ransomware operation has converted its VMware ESXi Linux encryptor to the Rust programming language and added new features to make it harder for security researchers to snoop on victims' ransom negotiations.
</p>

<p>
	 
</p>

<p>
	As the enterprise becomes increasingly reliant on virtual machines to save computer resources, consolidate servers, and for easier backups, ransomware gangs are creating dedicated encryptors that focus on these services.
</p>

<p>
	 
</p>

<p>
	Ransomware gangs' Linux encryptors typically target the VMware ESXi virtualization platform as it is the most commonly used in the enterprise.
</p>

<p>
	 
</p>

<p>
	While <a href="https://www.bleepingcomputer.com/news/security/hive-ransomware-now-encrypts-linux-and-freebsd-systems/" target="_blank" rel="external nofollow">Hive has been using a Linux encryptor</a> to target VMware ESXi servers for some time, a recent sample shows that they updated their encryptor with features first introduced by the BlackCat/ALPHV ransomware operation.
</p>

<h2>
	Hive borrows features from BlackCat
</h2>

<p>
	When ransomware operations attack a victim, they try to conduct their negotiations in private, telling victims if a ransom is not paid their data will be published and they will suffer a reputational hit.
</p>

<p>
	 
</p>

<p>
	However, when ransomware samples are uploaded to public malware analysis services, they are commonly found by security researchers who can extract the ransom note and snoop on negotiations.
</p>

<p>
	 
</p>

<p>
	In many cases, these negotiations are then publicized on Twitter and elsewhere, causing negotiations to fail.
</p>

<p>
	 
</p>

<p>
	The BlackCat ransomware gang removed Tor negotiation URLs from their encryptor to prevent this from happening. Instead, it required the URL to be passed as a command-line argument when the encryptor is executed.
</p>

<p>
	 
</p>

<p>
	This feature prevents researchers who find the sample from retrieving the URL as it's not included in the executable and only passed to the executable at run time.
</p>

<p>
	 
</p>

<p>
	While the Hive Ransomware already requires a login name and password to access a victim's Tor negotiation page, these credentials were previously stored in the encryptor executable, making them easy to retrieve.
</p>

<p>
	 
</p>

<p>
	<img alt="hive-tor-negotiation-page.jpg" class="ipsImage" data-ratio="75.10" height="540" width="649" src="https://www.bleepstatic.com/images/news/ransomware/h/hive/linux-encryptor/hive-tor-negotiation-page.jpg">
</p>

<div>
	<figure>
		<figcaption>
			Hive Tor ransom negotiation site
		</figcaption>
	</figure>
</div>

<p>
	In a <a href="https://twitter.com/rivitna2/status/1507109201558003722" rel="external nofollow" target="_blank">new Hive Linux encryptor</a> found by Group-IB security researcher <a href="https://twitter.com/rivitna2" rel="external nofollow" target="_blank">rivitna</a>, the Hive operation now requires the attacker to supply the user name and login password as a command-line argument when launching the malware.
</p>

<p>
	 
</p>

<p>
	<img alt="hive-instructions.jpg" class="ipsImage" data-ratio="18.19" height="63" width="720" src="https://www.bleepstatic.com/images/news/ransomware/h/hive/linux-encryptor/hive-instructions.jpg">
</p>

<div>
	<figure>
		<figcaption>
			Instructions to Hive ransomware affiliates<br>
			Source: rivitna
		</figcaption>
	</figure>
</div>

<p>
	By copying BlackCat's tactics, the Hive ransomware operation has made it impossible to retrieve negotiation login credentials from Linux malware samples, with the credentials now only available in ransom notes created during the attack.
</p>

<p>
	 
</p>

<p>
	It is not known if the Hive Windows encryptors are also using this new command-line argument at this time, but if not, we will likely see it added shortly.
</p>

<p>
	 
</p>

<p>
	<a href="https://twitter.com/rivitna2" rel="external nofollow" target="_blank">Rivitna</a> also told BleepingComputer that Hive continued to copy BlackCat by porting their Linux encryptor from Golang to the Rust programming language to make the ransomware samples more efficient and harder to reverse engineer.
</p>

<p>
	 
</p>

<p>
	"Rust allows to get safer, fast, and efficient code, while code optimization complicates analysis of Rust program," rivitna told BleepingComputer in a chat on Twitter.
</p>

<p>
	 
</p>

<p>
	With the encryption of VMware ESXi virtual machines a critical part of a successful attack, ransomware operations are constantly evolving their code to not only be more efficient, but to keep the operations and negotiations secret.
</p>

<p>
	 
</p>

<p>
	As more businesses move to virtualization for their servers, we will continue to see ransomware developers not only focus on Windows devices, but also create dedicated Linux encryptors targeting ESXi.
</p>

<p>
	 
</p>

<p>
	Due to this, all security professionals and network admins need to pay close attention to their Linux servers to detect signs of attacks.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/" rel="external nofollow">Hive ransomware ports its Linux VMware ESXi encryptor to Rust</a>
</p>
]]></description><guid isPermaLink="false">4983</guid><pubDate>Sun, 27 Mar 2022 19:59:31 +0000</pubDate></item><item><title>Critical Sophos Firewall vulnerability allows remote code execution</title><link>https://nsaneforums.com/news/security-privacy-news/critical-sophos-firewall-vulnerability-allows-remote-code-execution-r4982/</link><description><![CDATA[<p>
	Sophos has fixed a critical vulnerability in its Sophos Firewall product that allows remote code execution (RCE).
</p>

<p>
	 
</p>

<p>
	Tracked as CVE-2022-1040, the authentication bypass vulnerability exists in the User Portal and Webadmin areas of Sophos Firewall.
</p>

<h2>
	RCE bug in web administration console
</h2>

<p>
	On Friday, Sophos disclosed a critical remote code execution vulnerability impacting Sophos Firewall versions 18.5 MR3 (18.5.3) and earlier that the company released hotfixes for.
</p>

<p>
	 
</p>

<p>
	Assigned CVE-2022-1040 with a <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-1040" rel="external nofollow" target="_blank">9.8 CVSS score</a>, the vulnerability allows a remote attacker who can access the Firewall's User Portal or Webadmin interface to bypass authentication and execute arbitrary code.
</p>

<p>
	 
</p>

<p>
	<img alt="user-portal-small.jpg" class="ipsImage" data-ratio="75.10" height="467" width="720" src="https://www.bleepstatic.com/images/news/u/1164866/2022/Mar-2022/sophos-firewall-rce/user-portal-small.jpg">
</p>

<div>
	<figure>
		<figcaption>
			Sophos Firewall User Portal interface (<a href="https://community.sophos.com/sophos-xg-firewall/f/discussions/78886/user-portal-customization" rel="external nofollow" target="_blank">Sophos Community</a>)
		</figcaption>
	</figure>
</div>

<p>
	The vulnerability was responsibly reported to Sophos by an unnamed external security researcher via the company's bug bounty program.
</p>

<p>
	 
</p>

<p>
	To address the flaw, Sophos released hotfixes that should, by default, reach most instances automatically.
</p>

<p>
	 
</p>

<p>
	"There is no action required for Sophos Firewall customers with the 'Allow automatic installation of hotfixes' feature enabled. Enabled is the default setting," explains Sophos in its <a href="https://www.sophos.com/en-us/security-advisories/sophos-sa-20220325-sfos-rce" rel="external nofollow" target="_blank">security advisory</a>.
</p>

<p>
	 
</p>

<p>
	The security advisory, however, implies that some older versions and end-of-life products may need to be actioned manually.
</p>

<p>
	 
</p>

<p>
	As a general workaround against the vulnerability, the company advises customers to secure their User Portal and Webadmin interfaces:
</p>

<p>
	 
</p>

<p>
	"Customers can protect themselves from external attackers by ensuring their User Portal and Webadmin are not exposed to WAN," reads the advisory.
</p>

<p>
	 
</p>

<p>
	"Disable WAN access to the User Portal and Webadmin by following <a href="https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Administration/DeviceAccess/index.html" rel="external nofollow" target="_blank" title="https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Administration/DeviceAccess/index.html">device access best practices</a> and instead use VPN and/or Sophos Central for remote access and management."
</p>

<p>
	 
</p>

<p>
	Earlier this week, Sophos had also <a href="https://www.sophos.com/en-us/security-advisories/sophos-sa-20220321-utm-9710" rel="external nofollow" target="_blank">resolved two 'High' severity vulnerabilities</a> (CVE-2022-0386 and CVE-2022-0652) impacting the Sophos UTM (Unified Threat Management) appliances.
</p>

<h2>
	Sophos Firewall bugs previously exploited by attackers
</h2>

<p>
	It remains crucial to ensure your Sophos Firewall instances are receiving the latest security patches and hotfixes in a timely manner, given that attackers have targeted vulnerable Sophos Firewall instances in the past.
</p>

<p>
	 
</p>

<p>
	In early 2020, Sophos <a href="https://www.bleepingcomputer.com/news/security/hackers-exploit-zero-day-in-sophos-xg-firewall-fix-released/" target="_blank" rel="external nofollow">fixed a zero-day SQL injection vulnerability</a> in its XG Firewall following reports that hackers were actively exploiting it in attacks.
</p>

<p>
	 
</p>

<p>
	Starting April 2020, threat actors behind the <a href="https://www.bleepingcomputer.com/news/security/asnar-k-malware-exploits-firewall-zero-day-to-steal-credentials/" target="_blank" rel="external nofollow">Asnarök trojan malware</a> had exploited the zero-day to try and steal firewall usernames and hashed passwords from vulnerable XG Firewall instances.
</p>

<p>
	 
</p>

<p>
	The same zero-day had also been exploited by hackers attempting to <a href="https://www.bleepingcomputer.com/news/security/hackers-tried-to-use-sophos-firewall-zero-day-to-deploy-ransomware/" target="_blank" rel="external nofollow">deliver Ragnarok ransomware payloads</a> onto companies' Windows systems.
</p>

<p>
	 
</p>

<p>
	Sophos Firewall users are therefore advised to make sure their products are updated. The Sophos Support website explains how to enable automatic hotfix installation and to <a href="https://support.sophos.com/support/s/article/KB-000043853?language=en_US" rel="external nofollow" target="_blank">verify if the hotfix for CVE-2022-1040</a> successfully reached your product.
</p>

<p>
	 
</p>

<p>
	Once automatic hotfix installation is enabled, Sophos Firewall checks for hotfixes every thirty minutes and after any restart.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/critical-sophos-firewall-vulnerability-allows-remote-code-execution/" rel="external nofollow">Critical Sophos Firewall vulnerability allows remote code execution</a>
</p>
]]></description><guid isPermaLink="false">4982</guid><pubDate>Sun, 27 Mar 2022 19:57:15 +0000</pubDate></item><item><title>How AI can help reverse-engineer malware: Predicting function names of code</title><link>https://nsaneforums.com/news/security-privacy-news/how-ai-can-help-reverse-engineer-malware-predicting-function-names-of-code-r4974/</link><description><![CDATA[<p>
	<span style="color:#c0392b;">GTC</span> Disassembling and analyzing malware to see how it works, what it's designed to do and how to protect against it, is mostly a long, manual task that requires a strong understanding of assembly code and programming, techniques and exploits used by miscreants, and other skills that are hard to come by.
</p>

<p>
	 
</p>

<p>
	What with the rise of deep learning and other AI research, infosec folks are investigating ways machine learning can be used to bring greater speed, efficiency, and automation to this process. These automated systems must cope with devilishly obfuscated malicious code that's designed to evade detection. One key aim is to have AI systems take on more routine work, freeing up reverse engineers to focus on more important tasks.
</p>

<p>
	 
</p>

<p>
	Mandiant is one of those companies seeing where neural networks and related technology can change how malware is broken down and analyzed. This week at Nvidia's GTC 2022 event, Sunil Vasisht, staff data scientist at the infosec firm, presented one of those initiatives: a neural machine translation (NMT) model that can annotate functions.
</p>

<p>
	 
</p>

<p>
	This prediction model, from what we understand, can take decompiled code – machine-language instructions turned back into corresponding high-level language code – and use this to suggest appropriate, descriptive names for each of the function blocks. This is for when function or symbol names have been stripped from a binary or obfuscated, and is an alternative to signature-based tools, such as IDA FLIRT.
</p>

<p>
	 
</p>

<p>
	If you're a reverse engineer, you can skip the functions that, for instance, get the OS to handle a printf() call, and go right to the functions identified as performing encryption or raising privileges. You can ignore a block that's labeled by the model as tolower(), and go after the inject_into_process() one. You can avoid wasting time on dead-ends or inconsequential functions.
</p>

<p>
	 
</p>

<p>
	Specifically, the model works by predicting function name keywords (eg, 'get', 'registry', 'value') from abstract syntax tree (AST) tokens from decompiled executable files. It was shown that the model was able to label one function as 'des', 'encrypt', 'openssl', 'i386', 'libeay32', whereas an analyst involved in the experiment was only able to suggest encode(). Mandiant also built a second NMT that made predictions from control flow graphs and API calls of code.
</p>

<p>
	Vasisht outlined the typical methods used to reverse engineer malware and the myriad challenges that come with them, including the techniques malware creators use to make their code more difficult for threat hunters to find and disassemble. It makes for what is becoming an untenable situation.
</p>

<p>
	"Reversing is an extremely difficult job and throwing more analyst hours at the problem is not sustainable," he said during his presentation.
</p>

<p>
	By automating function annotations, Mandiant is aiming to address the broad challenges most reverse engineers encounter when analyzing modern malware. The vendor, bought by Google for $5.4bn, wants to scale up reporting of malware functionality and capabilities, reduce the challenges its analysts face, and make reversing more efficient. In other words, make it easier to pinpoint the heart of tricky malware code. We imagine this could also be useful for comparing malware strains.
</p>

<p>
	"We hope to tackle the easy cases so that the analysts can spend their precious time on more important cases," Vasisht said. "At Mandiant, these are the challenges that we set out to tackle with a unified machine learning approach. Our problem statement is: how can we increase function name coverage within binary disassembly in order to accelerate malware triage?"
</p>

<p>
	Malware analysts use a number of techniques that fall under static and dynamic analysis; the former involves studying the executable code, the latter involves running it and observing its operation. There are tools like IDA Pro, Binary Ninja, Ghidra, and debuggers and emulators and hypervisors, to help with this. Even so, decompiled and disassembled functions can be hard to follow, forcing reversers to spend hours before they understand what a section of code is doing, and many samples are far too large for a complete analysis. Code can also be encrypted, making static analysis a pain.
</p>

<p>
	In addition, malware can be written to self-terminate or act innocuous if it detects it's running under dynamic analysis. "Malware can detect when they are running in a virtual machine and hide its true behavior. They can maybe check the OS or even check the CPU temperature and determine whether to execute or just hide," he said.
</p>

<p>
	Vasisht detailed two ways to transform binary code into inputs for a predictive NMT model. One is code2seq, which breaks source code, and decompiled code, down into an AST of representative tokens. The other is Nero, which describes the control flow graph (CFG) of the code.
</p>

<p>
	Mandiant engineers looked to both initiatives in creating their function-naming model, he said. As described above, one focused on ASTs, and the other on CFGs.
</p>

<p>
	"Using code2seq- and Nero-like architectures as an inspiration, we set out to see if we could apply these techniques to malware disassembly by using AST and CFG representations to predict meaningful function and in the process, hopefully reduce the effort surrounding a tedious reverse engineering workflow," Vasisht said.
</p>

<p>
	The engineers used a Linux server with 48 CPU cores, 500GB of system RAM, and eight Nvidia Tesla M40 GPUs with 24GB of memory each. The platform was used to run multiple hyper-parameter searches simultaneously – from max AST contexts to output label max sub-tokens – and for training the final model, he said. They used an input dataset of more than 360,000 disassembled functions and annotations taken from 4,000 malicious Windows PE files, some auto-generated from IDA's FLIRT and others drawn from a decade's worth of hand-written reverser annotations at Mandiant.
</p>

<p>
	Mandiant's automated and scalable analysis pipeline showed improvements over the code2seq and Nero models, he said. Now the company needs to consider how it will deploy the model.
</p>

<p>
	"These include using these model predictions with IDA Pro and [the NSA's open-source] Ghidra plug-ins," Vasisht said. "We also envision deploying this model within the malware analyst pipeline. Also, this will enable us to collect feedback about the predictions, also collect some newer annotations so we can iterate and improve on this model in the future."
</p>

<p>
	Future work includes improving the labeling and data quality; using a combined AST and CFG model; and using different mixes of binaries for training the model, he said. ®
</p>

<p>
	<strong><a href="https://www.theregister.com/2022/03/26/machine_learning_malware/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">4974</guid><pubDate>Sun, 27 Mar 2022 13:01:48 +0000</pubDate></item></channel></rss>
