Splunk has tested some of the most common ransomware to see how quickly they can encrypt 53GB worth of files after infecting a system, and it turns out the answer is "pretty quickly."

The company says it loaded up four machines running Windows 10 or Windows Server 2019 with "98,561 test files (pdf, doc, xls, etc.) from a public file corpus." It then measured how long it took 10 samples of 10 popular ransomware families to encrypt all of those files on each system.

So what ransomware family is the fastest? Splunk's testing reveals that it's LockBit, one sample of which encrypted all 53GB worth of data on a Windows Server 2019 machine in just four minutes and nine seconds, with a median time-to-encryption of five minutes and 50 seconds.

Here are the median results for all of the ransomware families Splunk tested:

That means it takes most ransomware less than an hour to encrypt 53GB worth of data after it's deployed. But the attackers would likely be on the network longer as they attempted to compromise as many systems as possible and determine what data they could access.

"Ultimately, this research demonstrates the need for organizations to move away from response and mitigation," Splunk distinguished security strategist Ryan Kovar says in a blog post about the company's findings, "and concentrate on preventing ransomware infections."

The full whitepaper detailing Splunk's findings, "An Empirically Comparative Analysis of Ransomware Binaries," can be downloaded from the company's website.

Source

This flaw is an out-of-bounds heap read/write (tracked as CVE-2021-44142) in the Samba vfs_fruit VFS module.

It can be exploited by unauthenticated threat actors in low complexity attacks targeting My Cloud devices running vulnerable firmware versions.

"This specific flaw exists within the parsing of extended attributes (EA) metadata when opening a file in smbd," the data storage company explained.

"This vulnerability can be exploited by unauthenticated users if they are allowed write access to file extended attributes."

Bug addressed by removing vulnerable Samba module

While default configurations are exposed to attacks, threat actors need write access to a file's extended attributes (this could also be a guest or unauthenticated user if they are allowed write access to file extended attributes, according to the Samba Team.

Western Digital addressed the vulnerability by removing the "fruit" VFS module from the list of configured VFS objects and changing EA support configurations in My Cloud OS 5 Firmware 5.21.104, released on March 23, 2022.

The American hard disk drive manufacturer advises customers to update their devices to the latest firmware by clicking the update alert as soon as possible.

The list of devices considered vulnerable to CVE-2021-44142 attacks includes:

• My Cloud PR2100
• My Cloud PR4100
• My Cloud EX4100
• My Cloud EX2 Ultra
• My Cloud Mirror Gen 2
• My Cloud DL2100
• My Cloud DL4100
• My Cloud EX2100
• My Cloud
• WD Cloud

Netatalk critical flaw also patched this week

This week, Western Digital fixed one more critical vulnerability in the open-source Netatalk Apple File Protocol fileserver used to access network shares and perform Time Machine backups.

The bug was addressed by deprecating the Netatalk service and removing it from My Cloud OS with the 5.19.117 firmware update.

After installing the firmware to the latest version, the Netatalk service will no longer be available. 

However, My Cloud device users can still configure them to access network shares via SMB (info on how to do that is available on this support page).

Western Digital fixes critical bug giving root on My Cloud NAS devices

Maksim Berezan, 37, is an Estonian national who was arrested nearly two years ago in Latvia. U.S. authorities alleged Berezan was a longtime member of DirectConnection, a closely-guarded Russian cybercriminal forum that existed until 2015. Berezan’s indictment (PDF) says he used his status at DirectConnection to secure cashout jobs from other vetted crooks on the exclusive crime forum.

Berezan specialized in cashouts and “drops.” Cashouts refer to using stolen payment card data to make fraudulent purchases or to withdraw money from bank accounts without authorization. A drop is a location or individual able to securely receive and forward funds or goods obtained through cashouts or other types of fraud. Drops typically are used to make it harder for law enforcement to trace fraudulent transactions and to circumvent fraud detection measures used by banks and credit card companies.

Acting on information from U.S. authorities, in November 2020 Latvian police searched Berezan’s residence there and found a red Porsche Carrera 911, a black Porsche Cayenne, a Ducati motorcycle, and an assortment of jewelry. They also seized $200,000 in currency, and $1.7 million in bitcoin.

After Berezan was extradited to the United States in December 2020, investigators searching his electronic devices said they found “significant evidence of his involvement in ransomware activity.”

“The post-extradition investigation determined that Berezan had participated in at least 13 ransomware attacks, 7 of which were against U.S. victims, and that approximately $11 million in ransom payments flowed into cryptocurrency wallets that he controlled,” reads a statement from the U.S. Department of Justice.

Berezan pleaded guilty in April 2021 to conspiracy to commit wire fraud.

For many years on DirectConnection and other crime forums, Berezan went by the hacker alias “Albanec.” Investigators close to the case told KrebsOnSecurity that Albanec was involved in multiple so-called “unlimited” cashouts, a highly choreographed, global fraud scheme in which crooks hack a bank or payment card processor and used cloned payment cards at cash machines around the world to fraudulently withdraw millions of dollars in just a few hours.

Berezan joins a growing list of top cybercriminals from DirectConnection who’ve been arrested and convicted of cybercrimes since the forum disappeared years ago. One of Albanec’s business partners on the forum was Sergey “Flycracker” Vovnenko, a Ukrainian man who once ran his own cybercrime forum and who in 2013 executed a plot to have heroin delivered to our home in a bid to get Yours Truly arrested for drug possession. Vovnenko was later arrested, extradited to the United States, pleaded guilty and spent more than three years in prison on botnet-related charges (Vovnenko is now back in Ukraine, trying to fight the Russian invasion with his hacking abilities).

Perhaps the most famous DirectConnection member was its administrator Aleksei Burkov, a Russian hacker thought to be so connected to the Russian cybercriminal scene that he was described as an “asset of extreme importance to Moscow.” Burkov was arrested in Israel in 2015, and the Kremlin arrested an Israeli woman on trumped-up drug charges to force a prisoner swap.

That effort failed. Burkov was extradited to the U.S. in 2019, soon pleaded guilty, and was sentenced to nine years. However, he was recently deported back to Russia prior to serving his full sentence, which has prompted Republican leaders in the House to question why.

Other notable cybercrooks from DirectConnection who’ve been arrested, extradited to the U.S. and sentenced to prison include convicted credit card fraudsters Vladislav “Badb” Horohorin and Sergey “zo0mer” Kozerev, as well as the infamous spammer and botnet master Peter “Severa” Levashov.

At his sentencing today, Berezan was sentenced to 66 months in prison and ordered to pay $36 million in restitution to his victims. A source close to the investigation said Berezan’s sentence likely would have been far more severe had he not entered into a cooperation agreement to share useful information with U.S. authorities.

Estonian Tied to 13 Ransomware Attacks Gets 66 Months in Prison

Fake websites that mimic well-known brands are abundant on the internet to lure victims and steal their payment details or account credentials.

Most of these websites are built using phishing kits that feature brand logos, realistic login pages, and in cases of advanced offerings, dynamic webpages assembled from a set of basic elements.

Advanced phishing kit dictionary (Kaspersky)

Threat actors use phishing kits extensively due to the automation they offer, as they typically have to set up hundreds of fake sites each day to replace those detected and blocked the previous day.

However, that doesn’t mean that authors of these kits don’t make an effort to incorporate anti-detection systems that would help them stay up and running for longer.

On the contrary, they are employing multiple mechanisms to help keep their malicious nature hidden from sophisticated threat detectors, and Kaspersky has published a report today detailing the main methods.

How phishing kits stay hidden

First, phishing kits include visitor filtering settings that prevent bots, analysis software, and guests from non-targeted locations from entering.

Search engine crawlers also have to be blocked from accessing the site as putting it too high on search results increases the risk of exposure and leads to a prompt take-down.

Then there are the obfuscation options that aim to prevent detection from internet security tools.

• Caesar cipher – Replacing every character in the text by one that is a fixed number of positions further down the alphabet so that the content doesn’t make sense. When the page is loaded, the shift reverts, and the correct characters are displayed.
• Page source encoding – AES or base64 encoding on the text or the page’s HTML code, which is much more powerful than the Caesar method. The content is decoded on the browser when the page is loaded.
• Invisible HTML tags – Add many junk HTML tags that are invisible when the page is rendered on the browser and only serve as innocuous “noise” that hides the malicious parts.
• String slicing – Cutting strings into re-arrangeable groups of characters and referring to them by their number in a code table. When the page is loaded, the strings are reassembled back into completion.
• Randomized HTML attributes – Adding a large number of randomized tag attribute values to effectively disable anti-phishing tools by rendering their guesses unreliable, which leads them to dismissal.

Some of the above tricks are also employed for obfuscating the stolen data from victims or the code of the phishing kit to prevent unpaid copies and forks.

A shifting market

Kaspersky reports that in 2021, it detected 469 individual phishing kits supporting at least 1.2 million phishing websites.

Number of unique domains using the top 10 phishing kits (Kaspersky)

As the security firm underlines, the number of sophisticated phishing kits that include anti-bot, anti-detection, and geoblocking features constantly increases.

The URLs to these sites are circulated via emails, instant messages, forum posts, and even YouTube videos, so beware.

Phishing kits constantly evolve to evade security software

A minor in Oxford, England, is believed to be among the leaders of the group that leaked closed source code and proprietary data from high-profile companies like Nvidia, Samsung, Microsoft, and Okta.

Lapsus$ has also claimed attacks on game developer Ubisoft, telecom company Vodafone, and e-commerce giant Mercado.

Some members may take a longer break

The latest public message from the group on Wednesday announced that some of its members were taking a vacation until March 30.

It is unclear how many members are in Lapsus$ but clues from their Telegram chats seem to suggest that there are members who speak English, Russian, Turkish, German, and Portuguese.

In a statement to the BBC, the City of London Police said that it had arrested seven people aged 16 to 21 “in connection with an investigation into a hacking group” and that all of them are under investigation.

No names have been released but the real identities of some Lapsus$ members have been known for a while as they had been doxed by rival hackers.

One of them is a teenager using the aliases White/Breachbase, a 17-year-old known from Oxford, England, who is believed to have accumulated over 300 BTC - around $13 million at today’s value, from hacking activities, SIM swapping being one of them.

Allegedly, White lost a good part of this fortune gambling and by leaving their system unprotected, allowing it to get hacked, twice.

The aliases above are just a few of more than a dozen the teenager used online, along with a couple of pseudonyms used on various platforms and hacker forums

Along with identifying information that included the real name, home address, date of birth, and education, rival hackers also published private photos of White with their family.

This was possible because of the long string of poor opsec decisions that left behind an identification trail, which appears to be a flaw that extends to other members of the Lapsus$ group as well.

A sample of this is exemplified by Bill Demirkapi, senior security engineer at Zoom, who noticed that Lapsus$ bragged about breaching Microsoft while stealing the source code:

source: Bill Demirkapi

While this is not a crtitical mistake in revealing the identity of the group, it shows that their operational security skills are incredibly lacking, allowing security researchers and rivals alike to link email accounts and usernames to their real identity.

These operational security mistakes are likely what allowed law enforcement to identify and arrest many of the cybercrime gang's members.

Lapsus$ suspects arrested for Microsoft, Nvidia, Okta hacks

The company added that 366 corporate customers, or about 2.5% of its customer base, may have been impacted by the "highly constrained" compromise.

"On January 20, 2022, the Okta Security team was alerted that a new factor was added to a Sitel customer support engineer' Okta account [from a new location]," Okta's Chief Security Officer, David Bradbury, said in a statement. "This factor was a password."

The disclosure comes after LAPSUS$ posted screenshots of Okta's apps and systems earlier this week, about two months after the hackers gain access to the company's internal network over a five-day period between January 16 and 21, 2022 using remote desktop protocol (RDP) until the MFA activity was detected and the account was suspended pending further probe.

Although the company initially attempted to downplay the incident, the LAPSUS$ group called out the San Francisco-based company for what it alleged were lies, stating "I'm STILL unsure how it's a [sic] unsuccessful attempt? Logged in to [sic] the SuperUser portal with the ability to reset the Password and MFA of ~95% of clients isn't successful?"

Contrary to its name, SuperUser, Okta said, is used to perform basic management functions associated with its customer tenants and operates with the principle of least privilege (PoLP) in mind, granting support personnel access to only those resources that are pertinent to their roles.

Okta, which has faced criticism for its delay in notifying customers about the incident, noted that it shared indicators of compromise with Sitel on January 21, which then engaged the services of an unnamed forensic firm that, in turn, went on to carry out the investigation and share its findings on March 10, 2022.

According to a timeline of events shared by the company, "Okta received a summary report about the incident from Sitel" last week on March 17, 2022.

"I am greatly disappointed by the long period of time that transpired between our notification to Sitel and the issuance of the complete investigation report," Bradbury said. "Upon reflection, once we received the Sitel summary report we should have moved more swiftly to understand its implications."

"If you're confused about Okta saying the 'service has not been breached,' remember that the statement is purely a legal word soup," security researcher Runa Sandvik said on Twitter. "Fact is that a third-party was breached; that breach affected Okta; failure to disclose it affected Okta's customers."

The security breaches of Okta and Microsoft are the latest in a rampage of infiltrations staged by the LAPSUS$ group, which has also hit high-profile victims like Impresa, NVIDIA, Samsung, Vodafone, and Ubisoft. It's also known for publicizing its conquests on an active Telegram channel that has over 46,200 members.

Cybersecurity firm Check Point described LAPSUS$ as a "Portuguese hacking group from Brazil," with Microsoft calling out its "unique blend of tradecraft" that involves targeting its victims with SIM swapping, unpatched server flaws, dark web reconnaissance, and phone-based phishing tactics.

"The real motivation of the group is still unclear however, even if it claims to be purely financially motivated," the Israeli company said. "LAPSUS$ has a strong engagement with their followers, and even posts interactive polls on who their next unfortunate target should be."

A 16-year-old behind LAPSUS$?

But in an interesting twist, Bloomberg reported that "a 16-year-old living at his mother's house near Oxford, England" might be the brains behind the operation, citing four researchers investigating the group. Another member of LAPSUS$ is suspected to be a teenager living in Brazil.

What's more, the alleged teen hacker, who goes by the online alias "White" and "breachbase," may also have had a role in the intrusion at game maker Electronic Arts (EA) last July, going by cybersecurity expert Brian Krebs' latest report detailing the activities of a core LAPSUS$ member nicknamed "Oklaqq" aka "WhiteDoxbin."

"Back in May 2021, WhiteDoxbin's Telegram ID was used to create an account on a Telegram-based service for launching distributed denial-of-service (DDoS) attacks, where they introduced themself as '@breachbase,'" Krebs noted. "News of EA's hack last year was first posted to the cybercriminal underground by the user 'Breachbase' on the English-language hacker community RaidForums, which was recently seized by the FBI."

Source

First surfacing in December 2021 with an extortion demand on Brazil’s Ministry of Health, LAPSUS$ made headlines more recently for posting screenshots of internal tools tied to a number of major corporations, including NVIDIA, Samsung, and Vodafone.

On Tuesday, LAPSUS$ announced via its Telegram channel it was releasing source code stolen from Microsoft. In a blog post published Mar. 22, Microsoft said it interrupted the LAPSUS$ group’s source code download before it could finish, and that it was able to do so because LAPSUS$ publicly discussed their illicit access on their Telegram channel before the download could complete.

“This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact,” Microsoft wrote. “No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk.”

While it may be tempting to dismiss LAPSUS$ as an immature and fame-seeking group, their tactics should make anyone in charge of corporate security sit up and take notice. Microsoft says LAPSUS$ — which it boringly calls “DEV-0537” — mostly gains illicit access to targets via “social engineering.” This involves bribing or tricking employees at the target organization or at its myriad partners, such as customer support call centers and help desks.

“Microsoft found instances where the group successfully gained access to target organizations through recruited employees (or employees of their suppliers or business partners),” Microsoft wrote. The post continues:

“DEV-0537 advertised that they wanted to buy credentials for their targets to entice employees or contractors to take part in its operation. For a fee, the willing accomplice must provide their credentials and approve the MFA prompt or have the user install AnyDesk or other remote management software on a corporate workstation allowing the actor to take control of an authenticated system. Such a tactic was just one of the ways DEV-0537 took advantage of the security access and business relationships their target organizations have with their service providers and supply chains.”

The LAPSUS$ Telegram channel has grown to more than 45,000 subscribers, and Microsoft points to an ad that LAPSUS$ posted there offering to recruit insiders at major mobile phone providers, large software and gaming companies, hosting firms and call centers.

Sources tell KrebsOnSecurity that LAPSUS$ has been recruiting insiders via multiple social media platforms since at least November 2021. One of the core LAPSUS$ members who used the nicknames “Oklaqq” and “WhiteDoxbin” posted recruitment messages to Reddit last year, offering employees at AT&T, T-Mobile and Verizon up to $20,000 a week to perform “inside jobs.”

Many of LAPSUS$’s recruitment ads are written in both English and Portuguese. According to cyber intelligence firm Flashpoint, the bulk of the group’s victims (15 of them) have been in Latin America and Portugal.

“LAPSUS$ currently does not operate a clearnet or darknet leak site or traditional social media accounts—it operates solely via Telegram and email,” Flashpoint wrote in an analysis of the group. “LAPSUS$ appears to be highly sophisticated, carrying out increasingly high-profile data breaches. The group has claimed it is not state-sponsored. The individuals behind the group are likely experienced and have demonstrated in-depth technical knowledge and abilities.”

Microsoft said LAPSUS$ has been known to target the personal email accounts of employees at organizations they wish to hack, knowing that most employees these days use some sort of VPN to remotely access their employer’s network.

“In some cases, [LAPSUS$] first targeted and compromised an individual’s personal or private (non-work-related) accounts giving them access to then look for additional credentials that could be used to gain access to corporate systems,” Microsoft wrote. “Given that employees typically use these personal accounts or numbers as their second-factor authentication or password recovery, the group would often use this access to reset passwords and complete account recovery actions.”

In other cases, Microsoft said, LAPSUS$ has been seen calling a target organization’s help desk and attempting to convince support personnel to reset a privileged account’s credentials.

“The group used the previously gathered information (for example, profile pictures) and had a native-English-sounding caller speak with the help desk personnel to enhance their social engineering lure,” Microsoft explained. “Observed actions have included DEV-0537 answering common recovery prompts such as “first street you lived on” or “mother’s maiden name” to convince help desk personnel of authenticity. Since many organizations outsource their help desk support, this tactic attempts to exploit those supply chain relationships, especially where organizations give their help desk personnel the ability to elevate privileges.”

SIM-SWAPPING PAST SECURITY

Microsoft said LAPSUS$ also has used “SIM swapping” to gain access to key accounts at target organizations. In a fraudulent SIM swap, the attackers bribe or trick mobile company employees into transferring a target’s mobile phone number to their device. From there, the attackers can intercept any one-time passwords sent to the victim via SMS or phone call. They can also then reset the password for any online account that allows password resets via a link sent over SMS.

“Their tactics include phone-based social engineering; SIM-swapping to facilitate account takeover; accessing personal email accounts of employees at target organizations; paying employees, suppliers, or business partners of target organizations for access to credentials and multifactor authentication (MFA) approval; and intruding in the ongoing crisis-communication calls of their targets,” Microsoft wrote.

Allison Nixon is chief research officer at Unit 221B, a cybersecurity consultancy based in New York that closely tracks cybercriminals involved in SIM-swapping. Working with researchers at security firm Palo Alto Networks, Nixon has been tracking individual members of LAPSUS$ prior to their forming the group, and says the social engineering techniques adopted by the group have long been abused to target employees and contractors working for the major mobile phone companies.

“LAPSUS$ may be the first to make it extremely obvious to the rest of the world that there are a lot of soft targets that are not telcos,” Nixon said. “The world is full of targets that are not used to being targeted this way.”

Microsoft says LAPSUS$ also has been known to gain access to victim organizations by deploying the “Redline” password-stealing malware, searching public code repositories for exposed passwords, and purchasing credentials and session tokens from criminal forums.

That last bit is interesting because Nixon said it appears at least one member of LAPSUS$ also was involved in the intrusion at game maker Electronic Arts (EA) last year, in which extortionists demanded payment in exchange for a promise not to publish 780 GB worth of source code. In an interview with Motherboard, the hackers claimed to have gained access to EA’s data after purchasing authentication cookies for an EA Slack channel from a dark web marketplace called Genesis.

“The hackers said they used the authentication cookies to mimic an already-logged-in EA employee’s account and access EA’s Slack channel and then trick an EA IT support staffer into granting them access to the company’s internal network,” wrote Catalin Cimpanu for The Record.

Why is Nixon convinced LAPSUS$ was behind the EA attack? The “WhiteDoxbin/Oklaqq” identity referenced in the first insider recruitment screenshot above appears to be the group’s leader, and it has used multiple nicknames across many Telegram channels. However, Telegram lumps all aliases for an account into the same Telegram ID number.

Back in May 2021, WhiteDoxbin’s Telegram ID was used to create an account on a Telegram-based service for launching distributed denial-of-service (DDoS) attacks, where they introduced themself as “@breachbase.” News of EA’s hack last year was first posted to the cybercriminal underground by the user “Breachbase” on the English-language hacker community RaidForums, which was recently seized by the FBI.

WHO IS LAPSUS$?

Nixon said WhiteDoxbin — LAPSUS$’s apparent ringleader — is the same individual who last year purchased the Doxbin, a long-running, text-based website where anyone can post the personal information of a target, or find personal data on hundreds of thousands who have already been “doxed.”

Apparently, Doxbin’s new owner failed to keep the site functioning smoothly, because top Doxbin members had no problems telling WhiteDoxbin how unhappy they were with his stewardship.

“He wasn’t a good administrator, and couldn’t keep the website running properly,” Nixon said. “The Doxbin community was pretty upset, so they started targeting him and harassing him.”

Nixon said that in January 2022, WhiteDoxbin reluctantly agreed to relinquish control over Doxbin, selling the forum back to its previous owner at a considerable loss. However, just before giving up the forum, WhiteDoxbin leaked the entire Doxbin data set (including private doxes that had remain unpublished on the site as drafts) to the public via Telegram.

The Doxbin community responded ferociously, posting on WhiteDoxbin perhaps the most thorough dox the community had ever produced, including videos supposedly shot at night outside his home in the United Kingdom.

According to the denizens of Doxbin, WhiteDoxbin started out in the business of buying and selling zero-day vulnerabilities, security flaws in popular software and hardware that even the makers of those products don’t yet know about.

“[He] slowly began making money to further expand his exploit collection,” reads his Doxbin entry. “After a few years his net worth accumulated to well over 300BTC (close to $14 mil).”

WhiteDoxbin’s Breachbase identity on RaidForums at one point in 2020 said they had a budget of $1 million in bitcoin with which to buy zero-day flaws in Github, Gitlab, Twitter, Snapchat, Cisco VPN, Pulse VPN and other remote access or collaboration tools.

“My budget is $100000 in BTC,” Breachbase told Raidforums in October 2020. “Person who directs me to someone will get $10000 BTC. Reply to thread if you know anyone or anywhere selling this stuff. NOTE: The 0day must have high/critical impact.”

KrebsOnSecurity is not publishing WhiteDoxbin’s alleged real name because he is a minor (currently aged 17), and because this person has not officially been accused of a crime. Also, the Doxbin entry for this individual includes personal information on his family members.

Nixon said that prior to launching LAPSUS$, WhiteDoxbin was a founding member of a cybercriminal group calling itself the “Recursion Team.” According to the group’s now-defunct website, they mostly specialized in SIM swapping targets of interest and participating in “swatting” attacks, wherein fake bomb threats, hostage situations and other violent scenarios are phoned in to police as part of a scheme to trick them into visiting potentially deadly force on a target’s address.

“The team is made up of Cyber-enthusiasts who major in skills including security penetration, software development, and botting,” reads the now-defunct Recursion Team website. “We plan to have a bright future, and we hope you do too!”

A Closer Look at the LAPSUS$ Data Extortion Group

The first security bulletin confirms that certain HP printer models are affected by critically rated security issue CVE-2022-3942. The remote code execution and buffer overflow issue uses Link-Local Multicast Name Resolution (LLMNR). The issue is rated 8.4 out of 10.

HP created firmware updates for some of the affected printer models and released mitigation instructions for others. Models of the following printer families are affected by the vulnerability according to HP:

• HP Color LaserJet Enterprise
• HP Color LaserJet Managed
• HP Digital Sender Flow
• HP LaserJet Enterprise 500
• HP LaserJet Enterprise Color Flow
• HP LaserJet Managed Flow
• HP LaserJet Enterprise Flow
• HP LaserJet Enterprise 600
• HP LaserJet Enterprise 700
• HP LaserJet Enterprise
• HP OfficeJet Enterprise Color
• HP PageWide Color
• HP PageWide Enterprise Color
• HP PageWide Enterprise Color Flow
• HP PageWide Managed Color
• HP Scanjet Enterprise 8500
• HP ScanJet Enterprise Flow
• HP Color LaserJet Pro
• HP LaserJet
• HP LaserJet Pro
• HP PageWide
• HP PageWide Pro
• HP PageWide Managed
• HP DeskJet
• HP DeskJet Ink Advantage
• HP DeskJet Plus
• HP DeskJet Plus Ink Advantage
• HP OfficeJet Pro
• HP DesignJet Z6+ Pro
• HP DesignJet Z9+ Pro
• HP DesignJet
• HP DesignJet XL
• HP PageWide XL

HP owners and system administrators should check the published table to find out if printers that are in use in the home, business or enterprise environment are affected. Firmware updates are available for some of the printer models, for others, mitigations are provided to disable LLMNR.

• HP Color LaserJet Pro - Disable unused network protocols and features using the Embedded Web Server (EWS)
• HP LaserJet Enterprise, HP PageWide Enterprise - Disable unused network protocols and features (EWS)

Second HP security bulletin

The second security bulletin lists three vulnerabilities: CVE-2022-24291 with a rating of 7.5 and a severity of high, CVE-2022-24292 with a rating of 9.8 and a severity of critical, and CVE-2022-24293 with a rating of 9.8 and a severity of critical.

HP notes that the issue can be fixed by installing a new firmware version that HP released. The list of affected products is smaller:

• HP Color LaserJet Pro
• HP PageWide
• HP PageWide Managed
• HP OfficeJet Pro

Firmware is available for all affected printer models with the exception of HP Color LaserJet Pro MFP M2XX, which is listed as "remediation pending".

Closing Words

HP customers who operate affected printer models should consider upgrading the firmware immediately or apply the workaround to protect systems and data from attacks targeting the vulnerabilities.

Now You: do you operate one of the affected printer models? (via Bleeping Computer)

Hundreds of HP printers affected by critical security issues

Ransomware is malware that enumerates the files and directories on a compromised machine, selects valid encryption targets, and then encrypts the data, so it is unavailable without a corresponding decryption key.

This prevents the data owner from accessing the files, so ransomware attacks are either carried out for data destruction and operational disruption or financial extortion, demanding the payment of a ransom in return for a decryption key.

How fast a device is encrypted is important, as the quicker it is detected, the less damage is done, and the volume of data needing to be restored is kept to a minimum.

Putting ransomware to the test

Researchers at Splunk conducted 400 encryption tests, consisting of 10 different families, ten samples per family, and four different host profiles reflecting different performance specifications.

"We created four different "victim" profiles consisting of Windows 10 and Windows Server 2019 operating systems, each with two different performance specifications benchmarked from customer environments," Splunk explained in their report.

"We then chose 10 different ransomware families and 10 samples from each of those families to test."

During these tests, the researchers evaluated the encryption speed against 98,561 files totaling 53GB using various tools, such as native Windows logging, Windows Perfmon statistics, Microsoft Sysmon, Zeek, and stoQ.

The host system hardware and OS configurations varied to reflect a realistic corporate network setting, and the analysts measured all encryption times and derived the median speed of encryption for each variant.

The total median time for all 100 different samples of the ten ransomware strains on the test rigs was 42 minutes and 52 seconds.

However, as reflected in the following table, some ransomware samples deviated significantly from this median value.

Average encryption times for each strain (Splunk)

The "winner," and the most lethal strain in response time margins was LockBit, achieving an average of 5 minutes and 50 seconds. The fastest LockBit variant encrypted 25,000 files per minute.

LockBit has long bragged on their affiliate promotion page that they are the fastest ransomware for encrypting files, releasing their own benchmarks against over 30 different ransomware strains.

The once-prolific Avaddon achieved an average of just over 13 minutes, REvil encrypted the files in about 24 minutes, and BlackMatter and Darkside completed the encryption in 45 minutes.

On the slower side, Conti needed almost an hour to encrypt the 54 GB of test data, while Maze and PYSA finished in nearly two hours.

The time factor

While time is an important factor, it's not the only detection opportunity in ransomware attacks, which typically involve reconnaissance periods, lateral movement, credential-stealing, privilege escalation, data exfiltration, disabling of shadow copies, and more. 

All possible detection opportunities in a ransomware attack (CertNZ)

After the encryption is over, it is the strength of the encryption scheme itself that determines how long-lasting or manageable the consequences of the attack will be, so strength is more important than speed.

The short time to respond when ransomware is ultimately deployed highlights that focusing on that particular detection and mitigation opportunity is unrealistic and ultimately wrong.

As noted in the Splunk report, this research demonstrates the need for organizations to shift focus from incident response to ransomware infection prevention.

The overall median of 43 minutes is a tiny window of opportunity for network defenders to detect ransomware activity, considering that previous studies have found that the average time to detect compromise is three days.

Since most ransomware groups hit during weekends when the IT teams are understaffed, most encryption attempts are completed successfully, so the time for encryption shouldn't be a significant consideration for defenders.

Ultimately the best defense is to detect unusual activity during the reconnaissance stage, before ransomware is even deployed.

This includes looking for suspicious network activity, unusual account activity, and the detection of tools commonly used before an attack, such as Cobalt Strike, ADFind, Mimikatz, PsExec, Metasploit, and Rclone.

Ten notorious ransomware strains put to the encryption speed test

According to a new piece of research published by Avast, a cryptocurrency mining campaign leveraging the new-disrupted Glupteba botnet as well as the infamous TrickBot malware were all distributed using the same command-and-control (C2) server.

"The C2 server serves as a botnet-as-a-service controlling nearly 230,000 vulnerable MikroTik routers," Avast's senior malware researcher, Martin Hron, said in a write-up, potentially linking it to what's now called the Mēris botnet.

The botnet is known to exploit a known vulnerability in the Winbox component of MikroTik routers (CVE-2018-14847), enabling the attackers to gain unauthenticated, remote administrative access to any affected device. Parts of the Mēris botnet were sinkholed in late September 2021.

"The CVE-2018-14847 vulnerability, which was publicized in 2018, and for which MikroTik issued a fix for, allowed the cybercriminals behind this botnet to enslave all of these routers, and to presumably rent them out as a service," Hron said.

In attack chain observed by Avast in July 2021, vulnerable MikroTik routers were targeted to retrieve the first-stage payload from a domain named bestony[.]club, which was then used to fetch additional scripts from a second domain "globalmoby[.]xyz."

Interesting enough, both the domains were linked to the same IP address: 116.202.93[.]14, leading to the discovery of seven more domains that were actively used in attacks, one of which (tik.anyget[.]ru) was used to serve Glupteba malware samples to targeted hosts.

"When requesting the URL https://tik.anyget[.]ru I was redirected to the https://routers.rip/site/login domain (which is again hidden by the Cloudflare proxy)," Hron said. "This is a control panel for the orchestration of enslaved MikroTik routers," with the page displaying a live counter of devices connected into the botnet.

But after details of the Mēris botnet entered public domain in early September 2021, the C2 server is said to have abruptly stopped serving scripts before disappearing completely.

The disclosure also coincides with a new report from Microsoft, which revealed how the TrickBot malware has weaponized MikroTik routers as proxies for command-and-control communications with the remote servers, raising the possibility that the operators may have used the same botnet-as-a-service.

In light of these attacks, it's recommended that users update their routers with the latest security patches, set up a strong router password, and disable the router's administration interface from the public side.

"It also shows, what is quite obvious for some time already, that IoT devices are being heavily targeted not just to run malware on them, which is hard to write and spread massively considering all the different architectures and OS versions, but to simply use their legal and built-in capabilities to set them up as proxies," Hron said. "This is done to either anonymize the attacker's traces or to serve as a DDoS amplification tool."

Source

Attributing the attacks to a group tracked as Storm Cloud, cybersecurity firm Volexity characterized the new malware, dubbed Gimmick, a "feature-rich, multi-platform malware family that uses public cloud hosting services (such as Google Drive) for command-and-control (C2) channels."

The cybersecurity firm said it recovered the sample through memory analysis of a compromised MacBook Pro running macOS 11.6 (Big Sur) as part of an intrusion campaign that took place in late 2021.

"Storm Cloud is an advanced and versatile threat actor, adapting its tool set to match different operating systems used by its targets," Volexity researchers Damien Cash, Steven Adair, and Thomas Lancaster said in a report.

"They make use of built-in operating system utilities, open-source tools, and custom malware implants to achieve their objectives. Leveraging cloud platforms for C2, such as using Google Drive, increases the likelihood of operating undetected by network monitoring solutions."

Unlike its Windows counterpart, which is coded in both .NET and Delphi, the macOS version is written in Objective C. The choice of the programming languages aside, the two versions of the malware are known to share the same C2 infrastructure and behavioral patterns.

Once deployed, Gimmick is launched either as a daemon or in the form of a customized application that's engineered to impersonate a program frequently launched by the targeted user. The malware is configured to communicate with its Google Drive-based C2 server only on working days in order to further blend in with the network traffic in the target environment.

What's more, the backdoor, besides retrieving arbitrary files and executing commands from the C2 server, comes with its own uninstall functionality that allows it to erase itself from the compromised machine.

To protect users against malware, Apple has issued new signatures to its built-in anti-malware protection suite known as XProtect as of March 17, 2022 to block and remove the infections via its Malware Removal Tool (MRT).

"The work involved in porting this malware and adapting its systems to a new operating system (macOS) is no light undertaking and suggests the threat actor behind it is well resourced, adept, and versatile," the researchers said.

Source

Both applications are installed on over a billion Android devices each. Google Messages is the default messaging application that many manufacturers and mobile phone companies ship as the default application for messaging on their devices. The same is true for Dialer, as it is the default phone application on many Android devices.

The paper notes that Google does not provide specific privacy policies for the two applications in question, even though Google requires that third-party developers do provide privacy policies. The applications link to Google's generic consumer privacy policy only.

The researcher analyzed the data that the Google Messages and Google Dialer applications sent to Google on Android handsets. According to the research paper, linked here the following data is sent when the Messages application sends or receives messages

When an SMS message is sent/received the Google Messages app sends a message to Google servers recording this event, the time when the message was sent/received and a truncated SHA256 hash of the message text. The latter hash acts to uniquely identify the text message. The message sender’s phone number is also sent to Google, so by combining data from handsets exchanging messages the phone numbers of both are revealed

Google Messages submits data about the event, including the time messages were received or sent, a truncated hash of the message text, and the sender's phone number, to Google. The hash may identify the message according to the researcher, and if Google Messages is used on both handsets, Google gets both phone numbers involved in the conversation.

Google Dialer sends similar logs to Google. The data includes the time and the call duration according to the research paper.

When a phone call is made/received the Google Dialer app similarly logs this event to Google servers  together with the time and the call duration.

The data that is sent to Google "is tagged with the handset Android ID" according to the researcher. The ID is linked to Google user accounts and thus the identify of the user.

Additionally, both applications submit data about user interactions within the applications. Nature and timings of interactions, e.g., viewing an app screen, searching contacts, or browsing an SMS conversation, are also submitted to Google according to the paper.

If "See caller and spam ID" is enabled, which it is by default, Google Dialer sends the phone number of each incoming call and the time of the call to Google as well.

The applications have no opt-out that prevents the data from being submitted to Google.

The data is sent to Google via the Google Play Services Clearcut logger service and Google/Firebase Analytics according to the researcher.

The Google Messages and Dialer apps send data to Google via two channels: (i) the Google Play Services Clearcut logger service and (ii) Google/Firebase Analytics. Recent Android measurement studies have noted the large volume of data sent by Google Play Services to Google servers on most Android handsets. A substantial component of this data is sent by the Clearcut logger service within Google Play Services. However, the data transmission is largely opaque, being binary encoded with little public documentation.

The Register received confirmation by Google that the "paper's representations [..] are accurate". Additional details, including information about the test setup and code, are available in the research paper.

Android users may switch to different applications that may take over the tasks of the default applications. For instance, Simple Dialer: Phone Calls, as a replacement for the Google Dialer application, and Simple SMS Messenger. as a replacement for Google Messages.

Now You: which dialer and messaging apps do you use?

Source: https://www.ghacks.net/2022/03/22/android-messages-and-dialer-apps-allegedly-sent-data-to-google-without-consent/

Last night, the Lapsus$ gang released 37GB of source code stolen from Microsoft's Azure DevOps server. The source code is for various internal Microsoft projects, including for Bing, Cortana, and Bing Maps.

Leaked source code projects

In a new blog post published tonight, Microsoft has confirmed that one of their employee's accounts was compromised by Lapsus$, providing limited access to source code repositories.

"No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity," explained Microsoft in an advisory about the Lapsus$ threat actors.

"Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk. The tactics DEV-0537 used in this intrusion reflect the tactics and techniques discussed in this blog."

"Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion. This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact."

While Microsoft has not shared how the account was compromised, they provided a general overview of the Lapsus gang's tactics, techniques, and procedures (TTPs) observed across multiple attacks.

Focusing on compromised credentials

Microsoft is tracking the Lapsus$ data extortion group as 'DEV-0537' and says they primarily focus on obtaining compromised credentials for initial access to corporate networks.

These credentials are obtained using the following methods:

• Deploying the malicious Redline password stealer to obtain passwords and session tokens
• Purchasing credentials and session tokens on criminal underground forums
• Paying employees at targeted organizations (or suppliers/business partners) for access to credentials and multi-factor authentication (MFA) approval
• Searching public code repositories for exposed credentials

Redline password stealer has become the malware of choice for stealing credentials and is commonly distributed through phishing emails, watering holes, warez sites, and YouTube videos.

Once Laspsus$ gains access to compromised credentials, they use it to log in to a company's public-facing devices and systems, including VPNs, Virtual Desktop infrastructure, or identity management services, such as Okta, which they breached in January.

Microsoft says they use session replay attacks for accounts that utilize MFA, or continuously trigger MFA notifications until the user becomes tired of them and confirms that the user should be allowed to log in.

Microsoft says that in at least one attack, Lapsus$ performed a SIM swap attack to gain control of the user's phone numbers and SMS texts to gain access to MFA codes needed to log in to an account.

Once they gain access to a network, the threat actors use AD Explorer to find accounts with higher privileges and then target development and collaboration platforms, such as SharePoint, Confluence, JIRA, Slack, and Microsoft Teams, where other credentials are stolen. 

The hacking group also uses these credentials to gain access to source code repositories on GitLab, GitHub, and Azure DevOps, as we saw with the attack on Microsoft.

"DEV-0537 is also known to exploit vulnerabilities in Confluence, JIRA, and GitLab for privilege escalation," Microsoft explains in their report.

"The group compromised the servers running these applications to get the credentials of a privileged account or run in the context of the said account and dump credentials from there."

The threat actors will then harvest valuable data and exfiltrate it over NordVPN connections to hide their locations while performing destructive attacks on the victims' infrastructure to trigger incident response procedures. 

The threat actors then monitor these procedures through the victim's Slack or Microsoft Teams channels.

Protecting against Lapsus$

Microsoft recommends that corporate entities perform the following steps to protect against threat actors like Lapsus$:

• Strengthen MFA implementation
• Require Healthy and Trusted Endpoints
• Leverage modern authentication options for VPNs
• Strengthen and monitor your cloud security posture
• Improve awareness of social engineering attacks
• Establish operational security processes in response to DEV-0537 intrusions

Lapsus$ has recently conducted numerous attacks against the enterprise, including those against NVIDIA, Samsung, Vodafone, Ubisoft, Mercado Libre, and now Microsoft.

Therefore, it is strongly advised that security and network admins become familiar with the tactics used by this group by reading Microsoft's report.

Microsoft confirms they were hacked by Lapsus$ extortion group

Okta is a near-ubiquitous identity management platform used by thousands of large organizations that want to make it easy—and, crucially, secure—for their employees or partners to log in to multiple services without juggling a dozen passwords. Past breaches, like 2020's notorious Twitter meltdown, have stemmed from attackers taking over access to an administrative or support account that has the ability to modify customers' accounts. Attackers use these system privileges to reset target account passwords, change the email address linked to victim accounts, and generally take control. When they're attacking Twitter accounts, hackers can lock legitimate users out and tweet from their profiles. When you have this type of access for an identity platform like Okta, though, the potential impacts are exponentially more extreme.

Lapsus$ has been on a tear since it emerged in December, stealing source code and other valuable data from increasingly prominent companies, including Nvidia, Samsung, and Ubisoft, and leaking it in apparent extortion attempts. But researchers had only found broadly that the attackers seemed to be using phishing to compromise their victims. It wasn't clear how a previously unknown and seemingly amateur group had pulled off such monumental data heists. Now it seems possible that some of those high-profile breaches stemmed from the group's Okta compromise.

“In late January 2022, Okta detected an attempt to compromise the account of a third-party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor,” Okta CEO Todd McKinnon said in a statement. “We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.”

Okta did not answer further questions from WIRED, including repeated queries about why the company didn't publicly disclose the incident before.

A Microsoft spokesperson said early Tuesday morning that the company is “aware of the claims and investigating.”

Without more information, it is unclear exactly how much access Lapsus$ had within Okta or its unnamed “subprocessor.” Dan Tentler, a founder of the attack simulation and remediation firm Phobos Group, says the screenshots suggest Lapsus$ compromised the access of an Okta site reliability engineer, a role that would potentially have extensive system privileges as part of infrastructure maintenance and improvement work.

“All I have to go on are these screenshots, but there is a nonzero possibility of this being a SolarWinds 2.0,” Tentler says, referencing last year's massive supply chain attack launched by Russian intelligence hackers that compromised a slew of high-profile companies and government agencies around the world by first infiltrating the IT management platform SolarWinds. “It is indeed quite a big deal.”

Independent security researcher Bill Demirkapi puts it even more bluntly: “This is really, really bad.” 

Okta is presumably aware of the grave danger to its business and customers if an attacker ever compromised a highly privileged administrative account. (The company stock price fell by around 6 percent on Tuesday morning following news of the claimed breach.) Okta did not return WIRED's requests for comment about its defenses and monitoring tools for such access. But Demirkapi points out that no matter how many layers of protection you add, the mere existence of “super user” accounts creates exposure. An attacker who has strategically taken over a device when such an account is already logged in, or who has compromised, say, a VPN connection to that device can impersonate the legitimate user of the admin account.

“The idea is that the access controls to get to that Administrative panel would be very restrictive” for a service like Okta, Demirkapi says. “The problem here is that it appears like Lapsus$ directly compromised an employee's machine, so even with those access controls they can just piggyback on the employees' access.”

On Tuesday, companies implicated even incidentally in the situation began distancing themselves from Okta. The internet infrastructure company Cloudflare, for example, investigated overnight and said it had confirmed it was not compromised as a result of the incident. “Thankfully, we have multiple layers of security beyond Okta and would never consider them to be a standalone option,” Cloudflare CEO Matthew Prince wrote on Twitter. He later added, “Okta is one layer of security. Given they may have an issue we’re evaluating alternatives for that layer.”

Questions remain about Lapsus$ itself and the group's motivations. Researchers have consistently found that it is a loose, even disorganized collective that is likely based in South America and still getting its bearings. But the scale and scope of the organizations Lapsus$ has been able to compromise so far raise a chilling range of possibilities. Either the group is a more sophisticated organization than incident responders have realized or admitted, or the security of some of the world's most critical companies is even more fragile and inadequate than previously thought. 

The Twitter hackers turned out to be a 17-year-old Minecraft scammer and other vanity handle brokers. The Lapsus$ gang really could be out to burn it all down for the lulz.

'This Is Really, Really Bad': Lapsus$ Gang Claims Okta Hack

(May require free registration to view)

According to Cyber Kendra, Lapsus group has posted a link to a torrent containing Microsoft's source code for Cortana, Bing, and Bing Maps, among many other projects. The dump reportedly contains data for 258 projects and is 37GB in size. The outlet has analyzed the dump and confirmed that it does come from Microsoft. It has further relayed that the data also contains emails, signing certificates, and details about private and public keys. However, it's unclear how recent the leaked information actually is.

Alongside this, Lapsus group has also released a text file containing logging details of LG employees and service accounts. This includes hashed passwords and usernames. It has further announced that it will leak LG's Confluence infrastructure too.

We will not link to the data dump for any company for obvious reasons. We would also recommend that users stay away from them as this matter could very well become the subject of federal investigations. The popular running theory for now is that rather than using sophisticated tooling, Lapsus group was able to infiltrate companies by paying off contractors who basically acted as insiders exfiltrating access to this data. While this hasn't been confirmed by Microsoft yet, the possibility of this happening does mean that companies need to rigorously vet contractors and even full-time employees before it hires them and also regularly keep track of logs which show activities requiring elevated privileges.

Source

BitRAT is a powerful remote access trojan sold on cybercrime forums and dark web markets for as low as $20 (lifetime access) to any cybercriminal who wants it.

As such, each buyer follows their own approach to malware distribution, ranging from phishing, watering holes, or trojanized software. 

Targeting pirates with malware

In a new BitRAT malware distribution campaign discovered by researchers at AhnLab, threat actors are distributing the malware as a Windows 10 Pro license activator on webhards.

Webhards are online storage services popular in South Korea that have a steady influx of visitors from direct download links posted on social media platforms or Discord. Due to their wide use in the region, threat actors are now more commonly using webhards to distribute malware.

The actor behind the new BitRAT campaign appears to be Korean based on some of the Korean characters in the code snippets and the manner of its distribution.

Post promoting the BitRAT dropping Windows activator (ASEC)

To properly use Windows 10, you need to purchase and activate a license with Microsoft. While there are ways to get Windows 10 for free, you still need a valid Windows 7 license to get the free upgrade.

Those who do not want to deal with licensing issues or do not have a license to upgrade commonly turn to pirating Windows 10 and using unofficial activators, many of which contain malware.

In this campaign, the malicious file promoted as a Windows 10 activator is named 'W10DigitalActiviation.exe' and features a simple GUI with a button to "Activate Windows 10."

The malware downloader posing as a Windows activator (ASEC)

However, instead of activating the Windows license on the host system, the "activator" will download malware from a hardcoded command and control server operated by the threat actors.

The fetched payload is BitRAT, installed in %TEMP% as ‘Software_Reporter_Tool.exe’ and added to the Startup folder. The downloader also adds exclusions for Windows Defender to ensure that BitRAT won’t encounter detection issues.

Once the malware installation process is completed, the downloader deletes itself from the system leaving behind only BitRAT.

The downloader fetching the BitRAT payload (ASEC)

A versatile RAT

BitRAT is promoted as a powerful, inexpensive, and versatile malware that can snatch a wide range of valuable information from the host, perform DDoS attacks, UAC bypass, etc.

BitRAT supports generic keylogging, clipboard monitoring, webcam access, audio recording, credential theft from web browsers, and XMRig coin mining functionality.

Additionally, it offers remote control for Windows systems, hidden virtual network computing (hVNC), and reverse proxy through SOCKS4 and SOCKS5 (UDP). On that front, ASEC’s analysts have found strong code similarities with TinyNuke, and its derivative, AveMaria (Warzone).

The hidden desktop feature on these RATs is so valuable that some hacking groups, like the Kimsuky, incorporated them in their arsenal just to use the hVNC tool.

Risk of piracy

Even if the legal and ethical aspects are ignored, using pirated software is always a security gamble.

The more tools are used to activate illegally obtained copies of software or crack their intellectual property protection systems, the greater the chances of ending up with a nasty malware infection.

Those who can’t afford to purchase a Windows license should look at alternative options instead, such as accepting the limitations of the free version, monitoring for special offers from trustworthy platforms, or using Linux.

Ultimately, users should not trust license activators and any unsigned executable authored and released by unknown vendors to run on your system.

BitRAT malware now spreading as a Windows 10 license activator

The Android malware is disguised as a cartoonifier app called 'Craftsart Cartoon Photo Tools,' allowing users to upload an image and convert it into a cartoon rendering.

Over the past week, security researchers and mobile security firm Pradeo discovered that the Android app includes a trojan called 'FaceStealer,' which displays a Facebook login screen that requires users to log in before using the app.

App requesting the user to login on Facebook (Pradeo)

According to Jamf security researcher Michal Rajčan, when users enter their credentials, the app will send them to a command and control server at zutuu[.]info [VirusTotal], which the attackers can then collect.

In addition to the C2 server, the malicious Android app will connect to www.dozenorms[.]club URL [VirusTotal] where further data is sent, and which has been used in the past to promote other malicious FaceStealer Android apps.

Sending data to dozenorms[.]club server
Source: BleepingComputer

As Pradeo explains in its report, the author and distributor of these apps appear to have automated the repackaging process and inject a small piece of malicious code into an otherwise legitimate app.

This helps the apps get through the Play Store vetting procedure without raising any red flags. As soon as the user opens it, they are not given any actual functionality unless they log in to their Facebook account.

However, once they log in, the app will provide limited functionality by uploading a specified image to the online editor, http://color.photofuneditor.com/, which will apply a graphics filter to the picture.

This new image will then be displayed in the app, where it can be downloaded by the user or sent to friends.

As many apps unnecessarily require users to log in to a server, in many cases Facebook, users have become numb to these login prompts and more commonly input their credentials without suspicion.

Signs of trouble

As popular and fun as these cartoonifier apps may be, people should be extra cautious when installing software that requires them to input sensitive information such as biometric data (images of their faces).

These apps perform the image alterations and apply filters on a remote server, not locally on the device, so your data is uploaded to a remote location and is at risk of being kept indefinitely, shared with others, resold, etc.

Since the particular app is still on the Play Store, one may automatically assume that the Android app is trustworthy. But unfortunately, malicious Android apps sometimes sneak into Google Play Store and remain until they are detected from bad reviews or discovered by security companies.

However, it is possible to spot scammy and malicious apps in many cases by looking at their reviews on Google Play.

As you can see below, the user reviews for 'Craftsart Cartoon Photo Tools' are overwhelmingly negative, totaling a score of only 1.7 stars out of a possible five. Furthermore, many of these reviews warn that the app has limited functionality and requires you to sign in to Facebook first.

User reviews on the Play Store

Secondly, the developer's name is 'Google Commerce Ltd', which indicates it is is developed by Google. Also, the listed contact details include a random person's Gmail email address, which is a big red flag.

App details on the Play Store

We have visited the developer's page, hosted on Blogspot, to read the project's privacy policy, and we found a different email address there, so there's even a mismatch.

The security clause of the app's privacy policy

Finally, we tried sending an email to the author for a comment on the allegations made by Pradeo, but one of the addresses doesn't even exist.

Listed email address doesn't exist

This may seem like excessive scrutiny for each app you install on your smartphone, but it should be the standard checking procedure for inherently risky apps.

Pradeo has informed Google of the nature of the Craftsart Cartoon Photo Tools app, and Bleeping Computer has also sent a message to the Play Store team, so Google should remove it shortly.

However, those who have the app installed on their devices should remove it immediately, reset their Facebook accounts, and enable two-factor authentication for additional protection.

Android password-stealing malware infects 100,000 Google Play users

The locally exploited vulnerability in Windows User Profile Service is tracked as CVE-2021-34484 and was given a CVSS v3 score of 7.8. While exploits have been publicly disclosed in the past, they are not believed to be actively exploited in the wild.

The peculiarity of this case lies in the fact that Microsoft has been unable to address the flaw since its discovery last summer and that it has marked the bug as fixed twice.

According to the 0patch team, which has been unofficially providing fixes for discontinued Windows versions and some vulnerabilities that Microsoft won't address, the flaw is still a zero-day. In fact, Microsoft's patches failed to fix the bug and broke 0patch's previous unofficial patch.

The LPE that won't stay fixed

The Windows User Profile Service Elevation of Privilege Vulnerability, tracked as CVE-2021-34484, was discovered by security researcher Abdelhamid Naceri and disclosed to Microsoft, who fixed it as part of the August 2021 Patch Tuesday.

Soon after the fix was released, Naceri noticed that Microsoft’s patch was incomplete and presented a proof of concept (PoC) that bypassed it on all Windows versions.

CVE-2021-34484 Exploit launching an elevated command prompt with SYSTEM privileges
Source: BleepingComputer

The 0patch team stepped in at that point, releasing an unofficial security update for all Windows versions and making it free to download for all registered users.

Microsoft also responded to this bypass with a second security update released with the January 2022 Tuesday Patch Tuesday, giving the bypass a new tracking ID as CVE-2022-21919 and marking it as fixed. However, Naceri found a way to bypass that fix while commenting that this attempt was worse than the first.

While testing their patch against the researcher's second bypass, 0patch found that their patch to the "profext.dll" DLL still protected users against the new exploitation method, allowing those systems to remain secure.

However, Microsoft's second fixing attempt replaced the "profext.dll" file, leading to the removal of the unofficial fix from everyone who had applied the January 2022 Windows updates.

0patch has now ported the fix to work with the March 2022 Patch Tuesday updates and made it available for free to all registered users. 

The Windows versions that can take advantage of the new micro-patch are the following:

• Windows 10 v21H1 (32 & 64 bit) updated with March 2022 Updates
• Windows 10 v20H2 (32 & 64 bit) updated with March 2022 Updates
• Windows 10 v1909 (32 & 64 bit) updated with March 2022 Updates
• Windows Server 2019 64 bit updated with March 2022 Updates

It should be noted that Windows 10 1803, Windows 10 1809, and Windows 10 2004 are still protected by 0patch's original patch, as those devices have reached the end of support and did not receive the Microsoft update that replaced the DLL.

How to install the micro-patch

The micro-patch will remain available as a free download to users of the above Windows versions as long as Microsoft hasn't released a complete fix for the particular LPE problem and all its bypasses.

To those interested in taking up that offering, update your Windows 10 to the latest patch level (March 2022), create a free account in 0patch Central, and then install and register the 0patch Agent from here.

Doing that will initiate an automated micro-patching process with no manual actions or reboots required for the chances to take effect on your system.

Bleeping Computer has contacted Microsoft to ask if it's planning to revisit the particular flaw and maybe try and fix it via a security update in the future, but we have not received a response yet.

Windows zero-day flaw giving admin rights gets unofficial patch, again

Unlike many extortion groups we read about today, Lapsus$ does not deploy ransomware on their victim's devices.

Instead, they target the source code repositories for large companies, steal their proprietary data, and then attempt to ransom that data back to the company for millions of dollars.

While it is not known if the extortion group has successfully ransomed stolen data, Lapsus has gained notoriety over the past months for their confirmed attacks against NVIDIA, Samsung, Vodafone, Ubisoft, and Mercado Libre.

Lapsus$ claims to have breached Microsoft

Early Sunday morning, the Lapsus$ gang indicated that they hacked Microsoft's Azure DevOps server by posting a screenshot on Telegram of alleged internal source code repositories.

This screenshot, shown below, is for an Azure DevOps repository containing the source code for Cortana and various Bing projects, named 'Bing_STC-SV', 'Bing_Test_Agile', and "Bing_UX.'

Screenshot of Microsoft's Azure DevOps account leaked by Lapsus$
Source: Tom Malka

The screenshot also shows other source code repositories, but it is unknown what is contained within them.

Strangely, the extortion gang left the initials of the logged-in user, "IS," in the screenshot, potentially allowing Microsoft to identify and secure the compromised account.

Initials of account used to access Azure DevOps

Including the initials may also mean that they no longer have access to the repository or are simply taunting Microsoft, which the extortion gang is known to do with previous victims.

Lapsus$ taunting NVIDIA
Source: BleepingComputer

Soon after posting the screenshot, the Lapsus$ gang took their post down and replaced it with a message stating, "Deleted for now will repost later." However, security researchers had already grabbed the screenshot and shared it on Twitter by that time.

Deleted Telegram post
Source: BleepingComputer

While Microsoft has not confirmed if their Azure DevOps account was breached, they have told BleepingComputer that they are aware of the claims and are investigating them.

Unfortunately, Lapsus$ has a good track record, with their claims of attacks on other companies later confirmed to be true.

Are source code leaks bad?

While the leaking of source code makes it easier to find vulnerabilities in a company's software, Microsoft has previously stated that leaked source code does not create an elevation of risk.

Microsoft says that their threat model assumes that threat actors already understand how their software works, whether through reverse engineering or previous source code leaks.

"At Microsoft, we have an inner source approach – the use of open source software development best practices and an open source-like culture – to making source code viewable within Microsoft. This means we do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code," explained Microsoft in a blog post about the SolarWinds attackers gaining access to their source code.

"So viewing source code isn’t tied to elevation of risk."

However, source code repositories also commonly contain access tokens, credentials, API keys, and even code signing certificates.

When Lapsus$ breached NVIDIA and released their data, it also included code-signing certificates that other threat actors quickly used to sign their malware. Using NVIDIA's code signing certificate could cause antivirus engines to trust the executable and not detect it as malicious.

Quasar RAT signed by the stolen NVIDIA certificate
Source: BleepingComputer

Microsoft has previously said that they have a development policy that prohibits "secrets," such as API keys, credentials, or access tokens, from including their source code repositories.

Even if that is the case, it does not mean that there is no other valuable data included in the source code, such as private encryption key or other proprietary tools.

It is unknown what is contained within these repositories, but as was done with previous victims, it is only a matter of time before Lapsus$ leaks whatever stolen data they claim to have obtained.

Microsoft investigating claims of hacked source code repositories

EdgeRover is a centralized content management solution for Western Digital and SanDisk products, unifying multiple digital storage devices under a single management interface.

It's a proprietary software solution aiming to increase usability and comfort, offering powerful content searching, filtering, categorization options, privacy settings, collection creation, duplicate detection, and more.

Considering that Western Digital is one of the world's most successful manufacturers and retailers of digital storage products, there are likely a significant number of people using EdgeRover for data management.

A data exposing problem

The vulnerability, tracked as CVE-2022-22998, is a directory traversal bug, allowing unauthorized access to restricted directories and files. The vulnerability has been given a CVSS v3 severity rating of 9.1, categorizing the flaw as critical.

Western Digital's brief advisory does not provide much detail regarding the vulnerability, so it is not clear if it is a DLL hijacking bug allowing local privilege elevation or a bug allowing access to unprivileged data locations.

However, Western Digital is advising its customers to update their EdgeRover desktop applications to version 1.5.1-594 or later, released last week to resolve these vulnerabilities.

The flaw was discovered by threat researcher Xavier Danest, who responsibly disclosed it to the vendor.

Western Digital addressed the security problem by correcting the file and directory permissions to prevent unauthorized access and modification.

It is unclear if the vulnerability has been actively exploited, Bleeping Computer has contacted the hardware giant to request more details.

It should be noted that for a threat actor to utilize this vulnerability to steal your data, it is likely your system has already been compromised in some manner.

Media collection management apps may appear enticing, especially to users who need to organize several terabytes of data from various sources. Still, one shouldn't forget that each app comes with its own set of security and privacy risks.

Users worried about the privacy implications of using EdgeRover (Western Digital)

In this case, it's convenience vs. security, as CVE-2022-22998 could potentially lead to the exposure of the users' entire private media and data collection.

If you're worried about this scenario, we suggest that you stick with the default file manager that comes with your OS and keep the number of third-party apps on your system at a minimum.

Western Digital app bug gives elevated privileges in Windows, macOS

A big bet to kill the password for good

That’s according to a recent study from Hive Systems, a cybersecurity company based in Richmond, Virginia, which breaks down just how long it would likely take the average hacker to crack the passwords safeguarding your most important online accounts.

The findings suggest that even an eight-character password — with a healthy mix of numbers, uppercase letters, lowercase letters and symbols — can be cracked within eight hours by the average hacker. Anything shorter or less complex could be cracked instantly, or within a few minutes, by any hacker who knows what they’re doing, even if they’re only using fairly basic equipment.

Meanwhile, a password that’s 18 characters in length – and which uses a mix of numbers, lowercase and uppercase letters, and symbols – could take up to 438 trillion years for the average hacker to crack, according to Hive Systems.

The company compiled a color-coded graph to illustrate how quickly different passwords could be hacked, depending on their length and use of varied characters, and how those times have accelerated since 2020 thanks to faster technology:

The findings back up the advice of experts like the National Institute of Standards and Technology, which also suggests choosing long, complex passwords with at least eight characters.

To determine how long it would take to crack your passwords, Hive Systems used data from Security.org’s HowSecureIsMyPassword tool to determine how quickly the average hacker – meaning someone using consumer-grade equipment, including a desktop computer with “a top-tier graphics card” – can crack passwords of different lengths and complexities.

In a blog post, company researchers explain how the process of cracking your passwords can work. It starts with a process called “hashing,” an algorithmically driven process websites use to disguise your stored passwords from hackers.

If you plug the word “password” into one commonly-used hashing software, called MD5, you’ll get this string of characters: “5f4dcc3b5aa765d61d8327deb882cf99.” The idea is that if hackers break into a website’s server to find lists of stored passwords, they’ll only see hashed jumbles of letters and numbers.

You shouldn’t, of course, use “password” as your password. In fact, it’s one of the most common passwords that end up leaked on the dark web.

Hashed passwords are irreversible, because they’re created with one-way algorithms. But hackers can make lists of every possible combination of characters on your keyboard, and then hash those combinations themselves using the most commonly-used software programs. At that point, hackers only have to search for matches of the hashed passwords on their list to determine your original passwords.

It’s a complicated process, but one that can easily be pulled off by any knowledgeable hacker with consumer-grade equipment, Hive Systems notes. That’s why your best defense is using the sort of long, complicated passwords that take the longest to crack.

The report also strongly recommends not recycling passwords for multiple websites. If you do that, and hackers are able to crack your password for one website, then “you’re in for a bad time,” the company writes.

Understandably, you might not want to remember 18-character passwords each time you log into an online account. After all, a password that takes trillions of years to crack isn’t very useful if it also takes you a few million years to remember.

But even a password with 11 characters – again, using a mix of numbers, uppercase and lowercase letters, and symbols – could still take hackers 34 years to crack, Hive Systems estimates. And that’s certainly better than eight hours or less.

Source

In a surprising move, Bitdefender launched a new free antivirus product for Windows after cancelling the old one just three months earlier.

The company announced the launch of Bitdefender Antivirus Free on the company blog. The blog post reveals that the program has been created from the ground up. Bitdefender Antivirus Free "offers enhanced features, functionality, and improved user experience in comparison to the previous free version" according to Bitdefender.

The free section of the Bitdefender website does not list the new product yet. You need to visit this link to open the page with the download link. The download is small, but the installer requires an Internet connection and will download more than 500 Megabytes when it is run, provided that you allow it to do so.

The version requires a Bitdefender account. A sign-up and sign-in form is displayed on first run. Users who don't want to create an account just for that can uninstall the antivirus product right after installation again as there is no option to use it without an account.

According to Bitdefender, the new antivirus adds Outlook and Thunderbird email protection, custom scanning schedule options, and exploit detection to the protective features.

The free version protects against all advanced threats according to Bitdefender. Several features, such as ransomware remediation, vulnerability scanning or a firewall are not included in the free version.

The free version includes antivirus protection, including on demand scanning of devices it is installed on, web protection, and advanced threat defense, which attempts to block zero-day attacks.

The interface is easy to use, but many of the options are locked for free users. The dashboard displays two actions, quick scan and system scan, that are available in the free version, and three, vulnerability scan, VPN and Safepay, that are not.

There are multiple upgrade buttons in the interface, and selecting any of the locked options will also display upgrade options. Users may also be notified about special offers and recommendations by default, which can be disabled in the options.

Closing Words

Bitdefender received quite a bit of backlash when it announced the end of the free antivirus solution. If it would have waited with the announcement until the new free product would have been ready, many users might not have taken the announcement that badly.

Bitdefender Antivirus Free offers basic protection against certain types of threats. Good news is that it uses the same antivirus engine as the paid products, and Bitdefender has scored highly in all recent tests.

The program may be an option for users who don't mind the missing features and regular reminders about the paid upgrade options. Free trial options are available for users who want to test the extra features without having to part with their money right away.

Now You: what is your take on the launch?

After retiring Bitdefender Free, Bitdefender launches Antivirus Free for Windows

Diavol ransomware victims can download the free tool from Emsisoft's servers to decrypt their data using detailed instructions available in this usage guide [PDF].

"The decryptor requires access to a file pair consisting of one encrypted file and the original, unencrypted version of the encrypted file to reconstruct the encryption keys needed to decrypt the rest of your data," Emsisoft explains.

"By default, the decryptor will pre-populate the locations to decrypt with the currently connected drives and network drives."

This Diavol ransomware decryption tool will keep the files encrypted in the attack as a failsafe if the decrypted files are not identical to the original documents.

Additionally, it comes with an "Allow partial decryption of large files," needed to partially recover some files larger than the pair of files provided for reconstructing the encryption keys. This is required because the decryptor might fail to recover such files due to technical limitations.

Unlike other ransomware families that use symmetric algorithms to speed up the encryption process significantly, Diavol's encryption procedure employs user-mode Asynchronous Procedure Calls (APCs) with an asymmetric encryption algorithm.

Diavol also comes with no obfuscation as it doesn't use packing or anti-disassembly tricks, but it still hinders analysis efforts by storing its main routines within bitmap images.

Before the encryption process is done, Diavol will change encrypted Windows devices' backgrounds to a black wallpaper with an "All your files are encrypted! For more information see README-FOR-DECRYPT.txt" message.

Notably, while the Diavol ransomware originally created ransom notes named README_FOR_DECRYPT.txt, as the FBI pointed out, BleepingComputer has seen a switch in November to ransom notes named Warning.txt.

FortiGuard Labs security researchers first tied this ransomware strain to the TrickBot gang (aka Wizard Spider) after spotting it deployed on different systems together with Conti ransomware payloads in an attack blocked by the company's EDR solution in early June 2021.

Following their report and likely after the arrest of Alla Witte, who was involved in ransomware development for the malware gang, the FBI also formally linked it to the TrickBot cybercrime gang.

This Russian-based financially motivated cybercrime group operates the Trickbot botnet used to drop second-stage malware on compromised systems and networks.

The FBI first learned of the ransomware strain in October 2021, and, since then, it has seen ransom demands between $10,000 and $500,000, with lower payments accepted following ransom negotiations.

These ransoms are in stark contrast to the massive ransoms demanded by other ransomware gangs linked to TrickBot, including Conti and Ryuk. They have historically requested multi-million dollar payments for decryptors and not leaking stolen data online.

Although active since at least June 2021, Diavol ransomware has never been very active and has only a few dozen submissions on the ID-Ransomware service.

Free decryptor released for TrickBot gang's Diavol ransomware

The underlying Chromium version 99.0.4844.74 has also got several security patches, one of them being critical. These are given below:

• [1299422] Critical CVE-2022-0971: Use after free in Blink Layout. Reported by Sergei Glazunov of Google Project Zero on 2022-02-21
• [1301320] High CVE-2022-0972: Use after free in Extensions. Reported by Sergei Glazunov of Google Project Zero on 2022-02-28
• [1297498] High CVE-2022-0973: Use after free in Safe Browsing. Reported by avaue and Buff3tts at S.S.L. on 2022-02-15
• [1291986] High CVE-2022-0974 : Use after free in Splitscreen. Reported by @ginggilBesel on 2022-01-28
• [1295411] High CVE-2022-0975: Use after free in ANGLE. Reported by SeongHwan Park (SeHwa) on 2022-02-09
• [1296866] High CVE-2022-0976: Heap buffer overflow in GPU. Reported by Omair on 2022-02-13
• [1299225] High CVE-2022-0977: Use after free in Browser UI. Reported by Khalil Zhani on 2022-02-20
• [1299264] High CVE-2022-0978: Use after free in ANGLE. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2022-02-20
• [1302644] High CVE-2022-0979: Use after free in Safe Browsing. Reported by anonymous on 2022-03-03
• [1302157] Medium CVE-2022-0980: Use after free in New Tab Page. Reported by Krace on 2022-03-02

You can find the link to download Chrome 99.0.4844.74 here.

Latest Microsoft Edge 99.0.1150.46 and Chrome 99.0.4844.74 fix many security vulnerabilities

Frontpaged:   Microsoft Edge 99.0.1150.46   Google Chrome 99.0.4844.74