<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/134/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Brave takes on the creepy websites that override your privacy settings</title><link>https://nsaneforums.com/news/security-privacy-news/brave-takes-on-the-creepy-websites-that-override-your-privacy-settings-r4659/</link><description><![CDATA[<h3>
	Even if you block 3rd-party cookies, bounce tracking can set them anyway. Until now.
</h3>

<div itemprop="articleBody">
	
	<p>
		Some websites just can't take "no" for an answer. Instead of respecting visitors' choice to block third-party cookies—the identifiers that track browsing activity as a user moves from site to site—they find sneaky ways to bypass those settings. Now, makers of the Brave browser are taking action.
	</p>

	<p>
		 
	</p>

	<p>
		Earlier this week, Brave Nightly—the testing and development version of the browser—rolled out a feature that's designed to prevent what's known as bounce tracking. The new feature, known as unlinkable bouncing, will roll out for general release in Brave version 1.37 slated for March 29.
	</p>

	<h2>
		Overriding privacy
	</h2>

	<p>
		Bounce tracking is one of the key ways websites circumvent third-party cookie blocking. When a browser prevents a website such as site.example from loading a third-party tracking cookie from a domain such as tracker.example, site.example pulls a fast one. When site.example detects that the tracker.example cookie can't be set, it instead redirects the browser to the tracker.example site, sets a cookie from that domain, and then redirects back to the original page or a new destination.
	</p>

	<p>
		 
	</p>

	<p>
		With that, the tracker.example cookie gets passed through a URL parameter and then gets stashed as a first-party cookie on the landing page. Once tracker.example places itself between enough of the sites a visitor browses, the tracker eventually builds a detailed profile of that activity, including the user's interests and demographics.
	</p>

	<p>
		 
	</p>

	<p>
		The image below shows how third-party cookie blocking is supposed to work. When the user moves from site-one.example to cats.example and later from site-two.example to cars.example, there's no way to track those movements as coming from the same person.
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="bounce-tracking01-640x132.jpg" class="ipsImage" data-ratio="20.63" height="132" width="640" src="https://cdn.arstechnica.net/wp-content/uploads/2022/03/bounce-tracking01-640x132.jpg">
	</p>

	<figure>
		<figcaption>
			<div>
				<a href="https://brave.com/privacy-updates/11-debouncing/" rel="external nofollow">Brave</a>
			</div>
		</figcaption>
	</figure>

	<p>
		Bounce tracking circumvents this arrangement by inserting a third-party tracking site such as tracker.example between the originating site and the cats.example or cars.example site the user is heading to. Because tracker.example sets its own first-party cookie on each pass, it can record that the same user visited both cats.example and cars.example.
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="bounce-tracking02-640x132.jpg" class="ipsImage" data-ratio="20.63" height="132" width="640" src="https://cdn.arstechnica.net/wp-content/uploads/2022/03/bounce-tracking02-640x132.jpg">
	</p>

	<figure>
		<figcaption>
			<div>
				<a href="https://brave.com/privacy-updates/11-debouncing/" rel="external nofollow">Brave</a>
			</div>
		</figcaption>
	</figure>

	<p>
		While browsers that support third-party cookie blocking have existing mechanisms designed to thwart bounce tracking, this sneaky form of surveillance remains hard to defend against, since the browser doesn't know beforehand that it will be directed to tracker.example. That's where unlinkable bouncing comes in.
	</p>

	<h2>
		Ephemeral storage to the rescue
	</h2>

	<p>
		In a <a href="https://brave.com/privacy-updates/16-unlinkable-bouncing/" rel="external nofollow">post</a>, the Brave privacy team on Wednesday outlined the process that unlinkable bouncing uses. In a nutshell, unlinkable bouncing checks the site a user is about to visit against a list of URLs known to perform bounce tracking. When a destination site appears on the list and Brave has no cookies, localStorage, or other data related to it, the browser automatically creates a new, one-time browser storage area for the site.
	</p>

	<p>
		 
	</p>

	<p>
		Once a user leaves the tracking site, Brave deletes the temporary storage. Because the data is no longer stored, the tracking site will be unable to re-identify the user the next time they are bounced through it.
	</p>

	<p>
		 
	</p>

	<p>
		Brave has several other ways to prevent site tracking. They include query-parameter stripping, debouncing, and (when blocking is set to aggressive mode) a warning to give concerned users a chance to back out.
	</p>

	<p>
		 
	</p>

	<p>
		The Brave privacy team explained the full flow as follows:
	</p>

	<p>
		 
	</p>

	<ol>
		<li>
			When navigating to a new URL, Brave checks to see if that URL is a known bounce-tracking (or otherwise harmful) site, by consulting filter lists (both <a href="https://github.com/brave/adblock-resources/blob/master/filter_lists/default.json" rel="external nofollow">crowdsourced</a> and <a href="https://github.com/brave/adblock-resources/blob/master/metadata.json" rel="external nofollow">Brave-generated</a>).
		</li>
		<li>
			If that URL appears in a filter list, the browser checks the Trackers &amp; ads blocked shields setting for the destination site. If that setting is Aggressive, the user is presented with a warning for whether they want to continue with the navigation, as <a href="https://brave.com/privacy-updates/8-grab-bag-2/#additional-bounce-tracking-protections" rel="external nofollow">described in a prior blog post</a>.
		</li>
		<li>
			If the user has Trackers &amp; ads blocked in the default setting (or decides to continue with the navigation in the Aggressive setting), the browser then checks the first-party DOM storage values (cookies, <a href="https://developer.mozilla.org/en-US/docs/Web/API/Window/localStorage" rel="external nofollow">localStorage</a>, etc.) for the destination site. If the user has any existing stored values, the navigation continues using the existing stored values (in other words, Unlinkable Bouncing is not applied). If no DOM storage values exist for the destination site, the browser creates a new, temporary browser storage area for the destination site.
		</li>
		<li>
			<a href="https://brave.com/privacy-updates/8-grab-bag-2/#ephemeral-storage-keep-alive" rel="external nofollow">Soon after you leave the suspected bounce-tracking site</a> (meaning no tabs are open for that site) the temporary storage is deleted, preventing the site from re-identifying you the next time you're bounced through the site.
		</li>
	</ol>
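	<p>
		The four steps above, modelled as an added example (this is not Brave's code): a tracker that hands an identifier cookie to every browser bounced through it, and a browser that applies the filter-list check, the aggressive-mode warning, the existing-storage exception and the discard-on-leave rule. FILTER_LIST, the Tracker and Browser classes, the "?to=" redirect parameter and the "standard"/"aggressive" labels are all constructed for the demonstration; the point it shows is that the tracker sees one ID per bounce instead of one ID per user, unless the user already has first-party state there.
	</p>

```python
"""Bounce tracking versus Brave's unlinkable bouncing, as a simulation.

Added example, not Brave's code. A Tracker hands out an ID cookie to every
browser bounced through it and logs (ID, destination). A Browser follows the
four steps described in the article. Everything here (FILTER_LIST, the
'?to=' redirect parameter, the 'standard'/'aggressive' labels) is constructed.
"""
import itertools

# Constructed stand-in for Brave's filter lists of known bounce-tracking hosts.
FILTER_LIST = {"tracker.example"}


class Tracker:
    """Bounce-tracking host: reuses or sets an ID cookie, then logs the hop."""

    def __init__(self):
        self._ids = itertools.count(1)
        self.log = []  # (tracking_id, destination) per bounce

    def handle_bounce(self, cookies, destination):
        # `cookies` is whatever storage area the browser exposes for this visit.
        tid = cookies.setdefault("tid", f"user-{next(self._ids)}")
        self.log.append((tid, destination))
        return destination  # redirect onward


class Browser:
    def __init__(self, tracker, shields="standard", unlinkable_bouncing=True):
        self.tracker = tracker
        self.shields = shields          # "standard" or "aggressive"
        self.unlinkable = unlinkable_bouncing
        self.storage = {}               # persistent first-party storage, per host
        self.ephemeral = {}             # temporary storage for open bounce sites

    def navigate(self, url, continue_past_warning=True):
        host, _, query = url.partition("?")
        host = host.split("/")[0]
        if host not in FILTER_LIST:          # step 1: not on any list, ordinary load
            return url
        if self.shields == "aggressive" and not continue_past_warning:
            return None                      # step 2: user backs out at the warning
        if host in self.storage or not self.unlinkable:
            jar = self.storage.setdefault(host, {})    # step 3: existing state wins
        else:
            jar = self.ephemeral.setdefault(host, {})  # step 3: fresh temporary area
        destination = query[len("to="):] if query.startswith("to=") else url
        final = self.tracker.handle_bounce(jar, destination)
        self.ephemeral.pop(host, None)       # step 4: leaving discards temp storage
        return final


def distinct_ids_seen(unlinkable_bouncing=True, prior_login=False):
    """Bounce one user through tracker.example to two destinations and
    return how many distinct IDs the tracker recorded (1 = visits linkable)."""
    tracker = Tracker()
    browser = Browser(tracker, unlinkable_bouncing=unlinkable_bouncing)
    if prior_login:
        # User already has first-party state at the tracker (e.g. signed in there).
        browser.storage["tracker.example"] = {"session": "abc"}
    browser.navigate("tracker.example/bounce?to=cats.example")
    browser.navigate("tracker.example/bounce?to=cars.example")
    return len({tid for tid, _ in tracker.log})


if __name__ == "__main__":
    print("classic browser:      ", distinct_ids_seen(unlinkable_bouncing=False))
    print("unlinkable bouncing:  ", distinct_ids_seen())
    print("user signed in there: ", distinct_ids_seen(prior_login=True))
```

	<p>
		The third case is the exception in step 3 of Brave's flow: a user who has deliberately created state at the site keeps it, so sites the user actually uses are not broken, and only drive-by bounces get the one-time storage area.
	</p>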

	<p>
		 
	</p>

	<p>
		Team members said that unlinkable bouncing is the first of four planned applications of what they call "first-party ephemeral storage." The technique allows a site to identify a visitor only for as long as the visitor has it open, so the first-party site cannot re-identify a user later unless the user wants to be re-identified.
	</p>

	<p>
		 
	</p>

	<p>
		Using first-party ephemeral storage will be akin to clearing browser storage every time the user leaves the site, except it's easier and more targeted.
	</p>

	<p>
		 
	</p>

	<p>
		"This brings about a total shift in the Web's default behavior," the privacy team members wrote. "To date, browsers have assumed users want every site to remember them unless the user takes some explicit step against that remembering. Instead, Brave is working toward forgetfulness (and thus privacy) by default."
	</p>

	<p>
		 
	</p>

	<p>
		 
	</p>
</div>

<p>
	<a href="https://arstechnica.com/information-technology/2022/03/brave-has-a-plan-to-stymie-websites-that-override-your-privacy-settings/" rel="external nofollow">Brave takes on the creepy websites that override your privacy settings</a>
</p>
]]></description><guid isPermaLink="false">4659</guid><pubDate>Thu, 10 Mar 2022 04:16:37 +0000</pubDate></item><item><title>Microsoft tests new cloud-based Microsoft Defender for home users</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-tests-new-cloud-based-microsoft-defender-for-home-users-r4657/</link><description><![CDATA[<p>
	Microsoft has announced that the company's new cloud-based Microsoft Defender security solution has entered preview for home customers in the United States.
</p>

<p>
	 
</p>

<p>
	The new app has been announced with the release of Windows 11 Insider Preview Build 22572, now available in the Dev Channel (we were also able to install it on previously released Insider builds).
</p>

<p>
	 
</p>

<p>
	"Key to Microsoft Defender is the ability to view and manage your online security in one central dashboard view, across your devices, and your family member's devices," the Windows Insider team <a href="https://blogs.windows.com/windows-insider/2022/03/09/announcing-windows-11-insider-preview-build-22572/" rel="external nofollow" target="_blank">said</a>.
</p>

<p>
	 
</p>

<p>
	"Plus get added malware and phishing protections on your mobile devices. The ability to view your family's devices is currently only available in the Windows app."
</p>

<p>
	 
</p>

<p>
	Right now, Microsoft Defender can be downloaded as an app for Windows 10, Windows 11, Android, and iOS devices, with Redmond still working on a macOS app that will also be released to preview soon.
</p>

<p>
	 
</p>

<p>
	<img alt="Microsoft_Defender_threat.png" class="ipsImage" data-ratio="75.10" height="475" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2022/Microsoft_Defender_threat.png">
</p>

<div>
	<figure>
		<figcaption>
			Microsoft Defender threat alert (BleepingComputer) 
		</figcaption>
	</figure>
</div>

<p>
	The Microsoft Defender Preview provides users with a dashboard to manage and monitor their devices' security status, as well as malware protection and real-time threat scanning.
</p>

<p>
	 
</p>

<p>
	It also comes with safety alerts and recommendations, including real-time warnings about changes to your devices' security status and suggestions to keep your data and devices secure.
</p>

<p>
	 
</p>

<p>
	Microsoft says that malware protection is available for Windows PCs and Android phones, while anti-phishing protection is available on Android and iOS phones. Malware protection is not supported on iPhones because Apple already provides it.
</p>

<p>
	 
</p>

<p>
	While in preview, you can download and use the Microsoft Defender app across five devices per person, including a Windows computer, iPhone, or Android phone.
</p>

<p>
	 
</p>

<p>
	<img alt="Microsoft_Defender_iOS.jpg" class="ipsImage" data-ratio="75.10" height="540" width="548" src="https://www.bleepstatic.com/images/news/u/1109292/2022/Microsoft_Defender_iOS.jpg">
</p>

<div>
	<figure>
		<figcaption>
			Microsoft Defender iOS (BleepingComputer)
		</figcaption>
	</figure>
</div>

<h2>
	Hands-on with the Microsoft Defender Preview
</h2>

<p>
	While Microsoft paints a pretty picture of Microsoft Defender Preview's capabilities, in reality, the application is in its very early stages.
</p>

<p>
	 
</p>

<p>
	Today, BleepingComputer tested the Microsoft Defender preview, and the application is more of a front end to the underlying Windows Security infrastructure.
</p>

<p>
	 
</p>

<p>
	When using the app, we could add devices to our cloud dashboard and monitor their protection status. However, it is not possible to control any security feature on the main device or connected devices.
</p>

<p>
	 
</p>

<p>
	The new Microsoft Defender works as a front-end for Windows Security and a dashboard to see alerts and security recommendations for enrolled devices.
</p>

<p>
	 
</p>

<p>
	"In some situations, you'll be required to use the Windows Security app, but Microsoft Defender will connect you to that app," as Microsoft <a href="https://www.microsoft.com/en-us/microsoft-365/microsoft-defender-for-individuals" rel="external nofollow" target="_blank">explains</a>.
</p>

<p>
	 
</p>

<p>
	"For example, to run a manual scan on a Windows device or to manage your allow list, you must click on 'Manage in Windows Security' from within Microsoft Defender where you will receive additional guidance."
</p>

<p>
	 
</p>

<p>
	<img alt="Microsoft_Defender_Preview.jpg" class="ipsImage" data-ratio="75.10" height="540" width="603" src="https://www.bleepstatic.com/images/news/u/1109292/2022/Microsoft_Defender_Preview.jpg">
</p>

<div>
	<figure>
		<figcaption>
			Microsoft Defender Preview (BleepingComputer)
		</figcaption>
	</figure>
</div>

<p>
	BleepingComputer also conducted a test where we downloaded multiple malware samples to a connected device.
</p>

<p>
	 
</p>

<p>
	While these samples were detected and reflected (very briefly) in the Microsoft Defender Preview app, they never showed up in the security alerts of the cloud dashboard for a Windows 11 device, with the Defender dashboard continuing to say that the device was protected and did not have any issues.
</p>

<p>
	 
</p>

<p>
	However, the Microsoft Defender dashboard worked just fine for one of our test Windows 10 devices, displaying a "Needs attention" status after the malware was detected.
</p>

<p>
	 
</p>

<p>
	<img alt="Microsoft_Defender_Preview_attention.jpg" class="ipsImage" data-ratio="75.10" height="490" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2022/Microsoft_Defender_Preview_attention.jpg">
</p>

<div>
	<figure>
		<figcaption>
			Microsoft Defender Preview (BleepingComputer)
		</figcaption>
	</figure>
</div>

<p>
	You can get the Microsoft Defender app for Windows from the <a href="https://go.microsoft.com/fwlink/?linkid=2186900" rel="external nofollow" target="_blank">Microsoft Store</a>, iPhones from the <a href="https://go.microsoft.com/fwlink/?linkid=2187216" rel="external nofollow" target="_blank">App Store</a>, and Android phones via <a href="https://go.microsoft.com/fwlink/?linkid=2185746" rel="external nofollow" target="_blank">Google Play</a>.
</p>

<p>
	 
</p>

<p>
	More information on how you can add new devices to your account can be found on the <a href="https://go.microsoft.com/fwlink/?linkid=2187408" rel="external nofollow" target="_blank">Adding devices to your Microsoft Defender account</a> support page.
</p>

<p>
	 
</p>

<p>
	At the moment, no subscription is needed to use the Microsoft Defender Preview; once it leaves preview, however, the app will require a Microsoft 365 Family or Personal subscription.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-tests-new-cloud-based-microsoft-defender-for-home-users/" rel="external nofollow">Microsoft tests new cloud-based Microsoft Defender for home users</a>
</p>
]]></description><guid isPermaLink="false">4657</guid><pubDate>Wed, 09 Mar 2022 20:41:30 +0000</pubDate></item><item><title>Intel, AMD, Arm warn of new speculative execution CPU bugs</title><link>https://nsaneforums.com/news/security-privacy-news/intel-amd-arm-warn-of-new-speculative-execution-cpu-bugs-r4649/</link><description><![CDATA[<p>
	Security researchers have found a new way to bypass existing hardware-based defenses for speculative execution in modern processors from Intel, AMD, and Arm.
</p>

<p>
	 
</p>

<p>
	Today, the three CPU manufacturers published advisories accompanied by mitigation updates and security recommendations to address recently discovered issues that allow sensitive information to leak despite isolation-based protections.
</p>

<h2>
	Speculative execution trouble
</h2>

<p>
	Speculative execution is a performance technique in which the CPU guesses the outcome of a branch (branch prediction) and begins executing instructions down the predicted path before the outcome is known, discarding the work if the guess turns out to be wrong.
</p>

<p>
	 
</p>

<p>
	In 2018, researchers discovered a way to leak information derived from these proactive computations, naming the associated vulnerabilities <a href="https://www.bleepingcomputer.com/news/security/google-almost-all-cpus-since-1995-vulnerable-to-meltdown-and-spectre-flaws/" target="_blank" rel="external nofollow">Meltdown and Spectre</a>.
</p>

<p>
	 
</p>

<p>
	Since then, vendors have released software-based mitigations such as “<a href="https://www.bleepingcomputer.com/news/security/windows-10-spectre-2-mitigation-now-uses-retpoline-by-default/" target="_blank" rel="external nofollow">Retpoline</a>”, which replaces indirect branches with return-based trampolines so that an attacker who has poisoned the branch predictor cannot choose their speculative targets. Chipmakers have also addressed the issues with hardware fixes such as Intel's eIBRS (enhanced Indirect Branch Restricted Speculation) and Arm's CSV2, which stop less-privileged code from influencing the predictions made in more-privileged mode.
</p>

<h2>
	Bypassing Spectre fixes
</h2>

<p>
	Researchers at VUSec detail in a <a href="http://www.vusec.net/projects/bhi-spectre-bhb/" rel="external nofollow" target="_blank">technical report</a> today a new method to bypass all existing mitigations by leveraging what they call Branch History Injection (BHI).
</p>

<p>
	 
</p>

<p>
	The paper notes that while those hardware mitigations still prevent an unprivileged attacker from injecting predictor entries for the kernel directly, the predictor's use of a global branch history to select targets opens a previously unknown route.
</p>

<p>
	 
</p>

<p>
	A malicious actor with low privileges on the target system can poison this history to force the OS kernel to mispredict targets that can leak data.
</p>

<p>
	 
</p>

<p>
	To prove their point, the researchers also released a proof of concept (PoC) demonstrating an arbitrary kernel memory leak, which they used to disclose the root user's password hash on a vulnerable system.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.youtube.com/watch?v=537HUwV36ME" rel="external nofollow">VUSec's demonstration video (YouTube)</a>
</p>

<p>
	 
</p>

<p>
	Intel responded to this finding by assigning two medium-severity vulnerabilities, <a href="https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00598.html" rel="external nofollow" target="_blank">CVE-2022-0001 and CVE-2022-0002</a>, and recommending that unprivileged users be denied access to managed runtimes, such as eBPF, that run code in privileged mode. The VUSec proof of concept relies on unprivileged eBPF, so disabling it (on Linux, the kernel.unprivileged_bpf_disabled sysctl) removes the primitive the PoC uses.
</p>

<p>
	 
</p>

<p>
	For a complete list of mitigation recommendations, check out <a href="https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/branch-history-injection.html" rel="external nofollow" target="_blank">this dedicated page</a>, while a list of all the affected processor models is <a href="https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html" rel="external nofollow" target="_blank">available here</a>.
</p>
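<p>
	A practitioner's first question after reading the advisories is whether a given Linux host still exposes the primitive. The following is an added example, not Intel's or VUSec's code: it reads the kernel's own spectre_v2 status line (BHI is a Spectre-v2 variant) together with the kernel.unprivileged_bpf_disabled sysctl, and classifies the combination. The sample strings are constructed in the shape the kernel writes to that file; the "ok"/"review"/"exposed" labels are ours.
</p>

```python
"""Assess a Linux host's exposure to Branch History Injection from its own
reporting. Added example, not from Intel or VUSec.

Two files exist on any modern Linux kernel:
  /sys/devices/system/cpu/vulnerabilities/spectre_v2   (BHI is a Spectre-v2 variant)
  /proc/sys/kernel/unprivileged_bpf_disabled           (0 = unprivileged eBPF allowed,
                                                        1 or 2 = disabled)
The VUSec proof of concept needs unprivileged eBPF, which is why Intel's
guidance is to deny that access. Sample strings below are constructed in the
shape the kernel emits; the verdict labels are ours, not the kernel's.
"""
from __future__ import annotations

from pathlib import Path

SPECTRE_V2 = Path("/sys/devices/system/cpu/vulnerabilities/spectre_v2")
UNPRIV_BPF = Path("/proc/sys/kernel/unprivileged_bpf_disabled")


def assess(spectre_v2: str, unprivileged_bpf_disabled: str) -> tuple[str, str]:
    """Return (verdict, reason) for the two kernel-reported strings."""
    status = spectre_v2.strip()
    bpf = unprivileged_bpf_disabled.strip()
    if status.startswith("Not affected"):
        return "ok", "CPU reports it is not affected by Spectre v2"
    if status.startswith("Vulnerable"):
        # The kernel flags the combination itself, e.g.
        # "Vulnerable: eIBRS with unprivileged eBPF".
        return "exposed", status
    if status.startswith("Mitigation"):
        if bpf in ("1", "2"):
            return "ok", f"{status}; unprivileged eBPF disabled (sysctl={bpf})"
        return "review", (f"{status}; unprivileged eBPF still enabled (sysctl={bpf}), "
                          "so a local user keeps the primitive the BHI PoC relies on")
    return "unknown", f"unrecognised spectre_v2 text: {status!r}"


def assess_live_host() -> tuple[str, str]:
    """Read the real files; 'unknown' where they are missing (non-Linux, container)."""
    try:
        return assess(SPECTRE_V2.read_text(), UNPRIV_BPF.read_text())
    except OSError as exc:
        return "unknown", f"cannot read kernel status: {exc}"


# Constructed samples in the shape the kernel writes (not captured from a host).
SAMPLES = {
    "eibrs_bpf_off": ("Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling\n", "2\n"),
    "eibrs_bpf_on":  ("Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling\n", "0\n"),
    "kernel_flags":  ("Vulnerable: eIBRS with unprivileged eBPF\n", "0\n"),
    "not_affected":  ("Not affected\n", "0\n"),
}

if __name__ == "__main__":
    for name, (status_text, bpf_text) in SAMPLES.items():
        verdict, reason = assess(status_text, bpf_text)
        print(f"{name:14} -> {verdict:8} {reason}")
    print("this host      ->", assess_live_host())
```

<p>
	A "review" verdict is the interesting one: the hardware mitigation is on, so older checklists would mark the host as patched, yet the managed runtime Intel's guidance points at is still reachable by unprivileged users.
</p>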

<p>
	 
</p>

<p>
	Arm has also <a href="https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/spectre-bhb" rel="external nofollow" target="_blank">published a security bulletin</a> on the issue, as the novel history poisoning attack affects several of its Cortex-A and Neoverse products.
</p>

<p>
	 
</p>

<p>
	VUSec has prepared a <a href="https://download.vusec.net/papers/bhi-spectre-bhb_sec22.pdf" rel="external nofollow" target="_blank">paper on the new BHI attack</a> that will be presented at the 31st USENIX Security Symposium this year.
</p>

<h2>
	Straight-line speculation
</h2>

<p>
	In a disclosure that coincided with the BHI research, <a href="https://grsecurity.net/amd_branch_mispredictor_part_2_where_no_cpu_has_gone_before" rel="external nofollow" target="_blank">grsecurity</a> published the details and a PoC for a new straight-line-speculation (SLS) variant that can leak confidential data from AMD processors.
</p>

<p>
	 
</p>

<p>
	This new variant of SLS affects many AMD chips based on the Zen1 and Zen2 microarchitectures, including EPYC, Ryzen Threadripper, and Ryzen with integrated Radeon Graphics.
</p>

<p>
	 
</p>

<p>
	AMD has published a <a href="https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1026" rel="external nofollow" target="_blank">list of the affected products</a> and also <a href="https://www.amd.com/system/files/documents/software-techniques-for-managing-speculation.pdf" rel="external nofollow" target="_blank">a whitepaper</a> that offers security advice for the medium-severity flaw tracked as CVE-2021-26341.
</p>

<p>
	 
</p>

<p>
	As of now, AMD has not seen any examples of active exploitation of this security vulnerability in the wild, but it’s still important to apply the recommended mitigations.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/intel-amd-arm-warn-of-new-speculative-execution-cpu-bugs/" rel="external nofollow">Intel, AMD, Arm warn of new speculative execution CPU bugs</a>
</p>
]]></description><guid isPermaLink="false">4649</guid><pubDate>Wed, 09 Mar 2022 19:59:36 +0000</pubDate></item><item><title>Linux has a big hole</title><link>https://nsaneforums.com/news/security-privacy-news/linux-has-a-big-hole-r4646/</link><description><![CDATA[<p>
	<strong>Dirty pipe “Most serious” Linux privilege-escalation bug </strong>
</p>

<p>
	 
</p>

<p>
	Linux has yet another high-severity vulnerability that makes it easy for untrusted users to execute code capable of carrying out a host of malicious actions, including installing backdoors, creating unauthorised user accounts, and modifying scripts or binaries used by privileged services or apps.
</p>

<p>
	 
</p>

<p>
	The vulnerability has been called Dirty Pipe and is the biggest hole disclosed since 2016, the year another high-severity and easy-to-exploit Linux flaw (named Dirty Cow) came to light as it was being used to hack a researcher's server.
</p>

<p>
	 
</p>

<p>
	For those who can't remember 2016, Dirty Cow could be used to root any Android phone regardless of the mobile OS version. Eleven months later, researchers unearthed 1,200 Android apps in third-party markets that maliciously exploited the flaw to do just that.
</p>

<p>
	 
</p>

<p>
	In Linux, a pipe is a kernel buffer that chains processes together so that the output of one (stdout) is passed directly as input (stdin) to the next. The flaw lies in how the kernel manages those pipe buffers when they reference page-cache pages, the in-memory copies of file contents, which is how a write into a pipe can end up modifying a file the user is only allowed to read.
</p>

<p>
	 
</p>

<p>
	Tracked as CVE-2022-0847, the vulnerability came to light when a researcher for website builder CM4all was troubleshooting a series of corrupted files that kept appearing on a customer's Linux machine. After months of analysis, the researcher finally found that the customer's corrupted files were the result of a bug in the Linux kernel.
</p>

<p>
	 
</p>

<p>
	Max Kellermann of CM4all parent company Ionos figured out how to weaponise the vulnerability to allow anyone with an account to add an SSH key to the root user's account. With that, the untrusted user could remotely access the server over SSH with full root privileges.
</p>

<p>
	 
</p>

<p>
	Other researchers quickly showed that planting an unauthorised SSH key is only one of many actions an attacker can take with the vulnerability: one published exploit hijacks an SUID binary to spawn a root shell, while another lets untrusted users overwrite data in read-only files.
</p>

<p>
	 
</p>

<p>
	An attacker can also use Dirty Pipe to create a cron job that acts as a backdoor, add a new account with root privileges to /etc/passwd and /etc/shadow, or modify a script or binary used by a privileged service.
</p>

<p>
	 
</p>

<p>
	The vulnerability first appeared in Linux kernel version 5.8, which was released in August 2020. The vulnerability persisted until last month, when it was fixed with the release of versions 5.16.11, 5.15.25, and 5.10.102.
</p>
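<p>
	Turning those version numbers into a check, as an added example (not code from the researcher or from any distribution): the ranges come from the paragraph above, plus two facts not stated there, that mainline 5.17 shipped with the fix and that the stable series between 5.8 and 5.16 which were already end-of-life (5.8, 5.9, 5.11 to 5.14) never received a fixed release. The important caveat is that distribution kernels backport fixes without changing the upstream version string, so "vulnerable" from this check means "consult the distribution's advisory for this exact package", not "confirmed exploitable".
</p>

```python
"""Version-range check for CVE-2022-0847 (Dirty Pipe). Added example, not from
the researcher or any distribution.

From the article: the bug appeared in 5.8 and was fixed in 5.16.11, 5.15.25
and 5.10.102. Assumed here in addition: mainline 5.17 shipped with the fix,
and EOL stable series in between (5.8, 5.9, 5.11-5.14) never got a fixed
release. Distribution kernels backport fixes without bumping the upstream
version, so treat 'vulnerable' as 'check the distro advisory', not as proof.
"""
import platform
import re

FIRST_AFFECTED = (5, 8)
FIXED_MAINLINE = (5, 17)
FIXED_STABLE = {(5, 10): 102, (5, 15): 25, (5, 16): 11}  # series -> first fixed patch

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_kernel_version(release):
    """'5.10.0-13-amd64' -> (5, 10, 0); rc and distro suffixes are ignored."""
    m = _VERSION_RE.match(release.strip())
    if not m:
        raise ValueError(f"not a kernel version: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def dirty_pipe_status(release):
    """One of: 'not-affected', 'fixed', 'vulnerable', 'vulnerable-eol-series'."""
    major, minor, patch = parse_kernel_version(release)
    series = (major, minor)
    if series < FIRST_AFFECTED:
        return "not-affected"
    if series >= FIXED_MAINLINE:
        return "fixed"
    if series in FIXED_STABLE:
        return "fixed" if patch >= FIXED_STABLE[series] else "vulnerable"
    # 5.8, 5.9, 5.11-5.14: affected, and no upstream stable release fixed them.
    return "vulnerable-eol-series"


if __name__ == "__main__":
    running = platform.release()
    print(f"{running}: {dirty_pipe_status(running)}")
    print("(distro kernels backport: confirm against the vendor advisory)")
```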

<p>
	 
</p>

<p>
	<strong><a href="https://www.fudzilla.com/news/54500-linux-has-a-big-hole" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">4646</guid><pubDate>Wed, 09 Mar 2022 17:12:04 +0000</pubDate></item><item><title>APC UPS zero-day bugs can remotely burn out devices, disable power</title><link>https://nsaneforums.com/news/security-privacy-news/apc-ups-zero-day-bugs-can-remotely-burn-out-devices-disable-power-r4643/</link><description><![CDATA[<p>
	A set of three critical zero-day vulnerabilities now tracked as TLStorm could let hackers take control of uninterruptible power supply (UPS) devices from APC, a subsidiary of Schneider Electric.
</p>

<p>
	 
</p>

<p>
	The flaws affect APC Smart-UPS systems that are popular in a variety of activity sectors, including governmental, healthcare, industrial, IT, and retail.
</p>

<p>
	 
</p>

<p>
	UPS devices act as emergency power backup solutions and are present in mission-critical environments such as data centers, industrial facilities, and hospitals.
</p>

<p>
	 
</p>

<p>
	<img alt="TLStorm-VulnSys.jpg" class="ipsImage" data-ratio="75.10" height="540" width="538" src="https://www.bleepstatic.com/images/news/u/1100723/2022/Vulnerabilities/TLStorm/TLStorm-VulnSys.jpg">
</p>

<h3>
	Risk of physical impact
</h3>

<p>
	Researchers at Armis, a company providing security solutions for connected devices in enterprises, found the three issues in APC’s SmartConnect and Smart-UPS family of products.
</p>

<p>
	 
</p>

<p>
	Two of the vulnerabilities, CVE-2022-22805 and CVE-2022-22806, are in the implementation of the TLS (Transport Layer Security) protocol that connects Smart-UPS devices with the “SmartConnect” feature to the Schneider Electric management cloud.
</p>

<p>
	 
</p>

<p>
	<img alt="TLStormBugs.jpg" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://www.bleepstatic.com/images/news/u/1100723/2022/Vulnerabilities/TLStorm/TLStormBugs.jpg">
</p>

<p>
	 
</p>

<p>
	The third one, identified as CVE-2022-0715, relates to the firmware of “almost all APC Smart-UPS devices,” which is not cryptographically signed, so its authenticity cannot be verified when it is installed on the system.
</p>

<p>
	 
</p>

<p>
	While the firmware is encrypted with a symmetric key, it lacks a cryptographic signature, which lets a threat actor craft a malicious image and deliver it as an update to target UPS devices, achieving remote code execution (RCE).
</p>
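<p>
	The distinction between "encrypted" and "authenticated" is the whole of CVE-2022-0715, so here it is worked through as an added example (not APC/Schneider code and not Armis' research code). A toy keystream cipher stands in for the device's symmetric encryption; any stream or CTR-mode cipher is malleable in the same way, so an attacker who knows what a region of the plaintext says can change it by flipping bits in the ciphertext, with no key at all, and a "decrypt-only" installer cannot tell. HMAC-SHA256 stands in for the asymmetric signature a real installer should verify (the standard library has no public-key primitives); the keys and image bytes are constructed for the demonstration.
</p>

```python
"""Why an encrypted-but-unsigned firmware image is not an authenticated one.

Added example, not vendor or Armis code. A toy keystream cipher models
'symmetric encryption without a signature'. Any stream/CTR cipher is malleable
like this: flipping ciphertext bits flips the same plaintext bits, so an
attacker who knows a plaintext region can rewrite it without the key. HMAC
stands in for the vendor signature a device should check before installing;
ENC_KEY, SIGNING_KEY and ORIGINAL_IMAGE are constructed for the demo.
"""
import hashlib
import hmac

ENC_KEY = b"demo-firmware-encryption-key"   # constructed
SIGNING_KEY = b"demo-vendor-signing-key"    # constructed; really a public key on device

# Constructed image: a header the installer trusts, then an opaque body.
ORIGINAL_IMAGE = b"APCFW|version=14.0|signed_by=vendor|" + bytes(range(16))


def keystream(key, length):
    """Deterministic SHA-256 counter-mode keystream. Toy, for illustration only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key, plaintext):
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


decrypt = encrypt  # XOR with the same keystream is its own inverse


def install_unauthenticated(ciphertext):
    """The weak installer: 'it decrypted, so it must be ours'."""
    return decrypt(ENC_KEY, ciphertext)


def install_authenticated(ciphertext, tag):
    """The fixed installer: verify the tag over the ciphertext, then decrypt."""
    expected = hmac.new(SIGNING_KEY, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("firmware authenticity check failed; refusing to install")
    return decrypt(ENC_KEY, ciphertext)


def tamper(ciphertext, offset, old, new):
    """Attacker step needing no key: XOR the ciphertext with (old ^ new) so the
    plaintext at `offset`, known to read `old`, decrypts to `new` instead."""
    assert len(old) == len(new)
    patched = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        patched[offset + i] ^= o ^ n
    return bytes(patched)


def demo():
    vendor_ct = encrypt(ENC_KEY, ORIGINAL_IMAGE)
    vendor_tag = hmac.new(SIGNING_KEY, vendor_ct, hashlib.sha256).digest()
    off = ORIGINAL_IMAGE.index(b"signed_by=vendor")
    evil_ct = tamper(vendor_ct, off, b"signed_by=vendor", b"signed_by=attack")
    results = {
        "weak_installer_accepts_forgery": install_unauthenticated(evil_ct),
        "fixed_installer_accepts_genuine": install_authenticated(vendor_ct, vendor_tag),
    }
    try:
        install_authenticated(evil_ct, vendor_tag)
        results["fixed_installer_rejects_forgery"] = False
    except ValueError:
        results["fixed_installer_rejects_forgery"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

<p>
	The fixed installer verifies the tag over the ciphertext before it decrypts anything (encrypt-then-authenticate), so a forged image is rejected without its contents ever being parsed. In Armis' case the attacker did not even need this trick, since the symmetric key could be recovered and valid encrypted images produced directly; the example shows that a far weaker attacker already suffices once authenticity is missing.
</p>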

<p>
	 
</p>

<p>
	Armis researchers were able to exploit the flaw and build a malicious APC firmware version that was accepted by Smart-UPS devices as an official update, a process that is performed differently depending on the target:
</p>

<p>
	 
</p>

<ul>
	<li>
		The latest Smart-UPS devices featuring the SmartConnect cloud connection functionality can be upgraded from the cloud management console over the Internet
	</li>
	<li>
		Older Smart-UPS devices which use the Network Management Card (NMC) can be updated over the local network
	</li>
	<li>
		Most Smart-UPS devices can also be upgraded using a USB drive
	</li>
</ul>

<p>
	 
</p>

<p>
	Considering that vulnerable APC UPS units are used in about eight out of 10 companies, according to Armis, and the sensitive environments they serve (medical facilities, ICS networks, server rooms), exploitation can have significant physical consequences.
</p>

<p>
	 
</p>

<p>
	The TLS-related vulnerabilities that Armis discovered appear to be more severe as they can be exploited by an unauthenticated attacker without user interaction, in what is known as a zero-click attack.
</p>

<p>
	 
</p>

<div>
	<p>
		“[CVE-2022-22806 and CVE-2022-22805] involve the TLS connection between the UPS and the Schneider Electric cloud. Devices that support the SmartConnect feature automatically establish a TLS connection upon startup or whenever cloud connections are temporarily lost” - <a href="https://www.armis.com/research/tlstorm/" rel="external nofollow" target="_blank">Armis Labs</a>
	</p>

	<p>
		 
	</p>
</div>

<p>
	Both vulnerabilities are caused by improper TLS error handling in the TLS connection from the Smart-UPS to the Schneider Electric server, and they lead to remote code execution when properly exploited.
</p>

<p>
	 
</p>

<p>
	One of the security issues is an authentication bypass caused by “state confusion in the TLS handshake,” the other is a memory corruption bug.
</p>

<p>
	 
</p>

<p>
	In a blog post today, Armis shows how the vulnerabilities could be leveraged by a remote threat actor:
</p>

<p>
	 
</p>

<div class="ipsEmbeddedVideo" contenteditable="false">
	<div>
		<iframe allow="autoplay; fullscreen; picture-in-picture" allowfullscreen="" frameborder="0" height="360" src="https://player.vimeo.com/video/683449370?h=53eb067506&amp;app_id=122963" title="TLStorm: 3 vulnerabilities. Millions of devices at risk." width="640"></iframe>
	</div>
</div>

<h3>
	Mitigation recommendations
</h3>

<p>
	The researchers’ report explains the technical aspects for all three TLStorm vulnerabilities and provides a set of recommendations to secure UPS devices:
</p>

<p>
	 
</p>

<ol>
	<li>
		Install the patches available on the Schneider Electric website
	</li>
	<li>
		If you are using the NMC, change the default NMC password (“apc”) and install a publicly-signed SSL certificate so that an attacker on your network will not be able to intercept the new password. To further limit the attack surface of your NMC, refer to the Schneider Electric Security Handbook for <a href="https://www.se.com/il/en/download/document/SPD_LFLG-9VYK3D_EN/" rel="external nofollow">NMC 2</a> and <a href="https://www.se.com/il/en/download/document/SPD_CCON-BDYD7K_EN/" rel="external nofollow">NMC 3</a>.
	</li>
	<li>
		Deploy access control lists (ACLs) in which the UPS devices are only allowed to communicate with a small set of management devices and the Schneider Electric Cloud via encrypted communications.
	</li>
</ol>

<p>
	 
</p>

<p>
	Armis has also published a <a href="https://info.armis.com/rs/645-PDC-047/images/Armis-TLStorm-WP%20%281%29.pdf" rel="external nofollow" target="_blank">technical white paper</a> with all the details of the research.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/apc-ups-zero-day-bugs-can-remotely-burn-out-devices-disable-power/" rel="external nofollow">APC UPS zero-day bugs can remotely burn out devices, disable power</a>
</p>
]]></description><guid isPermaLink="false">4643</guid><pubDate>Wed, 09 Mar 2022 01:48:34 +0000</pubDate></item><item><title>Android's March 2022 security updates fix three critical bugs</title><link>https://nsaneforums.com/news/security-privacy-news/androids-march-2022-security-updates-fix-three-critical-bugs-r4639/</link><description><![CDATA[<p>
	Google has released the March 2022 security updates for Android 10, 11, and 12, addressing three critical severity flaws, one of which affects all devices running the latest version of the mobile OS.
</p>

<p>
	 
</p>

<p>
	Tracked as CVE-2021-39708, the flaw lies in the Android System component, and it's an escalation of privilege problem requiring no user interaction or additional execution privileges.
</p>

<p>
	 
</p>

<p>
	"The most severe of these issues is a critical security vulnerability in the System component that could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation." - mentions <a href="https://source.android.com/security/bulletin/2022-03-01" rel="external nofollow" target="_blank">Google's bulletin</a>.
</p>

<p>
	 
</p>

<p>
	The other two critical flaws are CVE-2021-1942 and CVE-2021-35110, both affecting closed-source components on Qualcomm-based devices.
</p>

<p>
	 
</p>

<p>
	For a full list of which Qualcomm chipsets are affected by these two vulnerabilities, check out the chipmaker's <a href="https://www.qualcomm.com/company/product-security/bulletins/march-2022-bulletin" rel="external nofollow" target="_blank">security bulletin</a>.
</p>

<p>
	 
</p>

<p>
	No further technical details have been published for any of the fixed vulnerabilities, as doing so would put users running an older patch level at risk.
</p>

<p>
	 
</p>

<p>
	Other fixes that land with the March 2022 update are:
</p>

<p>
	 
</p>

<ul>
	<li>
		1 medium severity escalation of privilege flaw in Android runtime (version 12)
	</li>
	<li>
		5 high severity escalation of privilege flaws in Android Framework (versions 10, 11, 12)
	</li>
	<li>
		2 high severity denial of service flaws in Android Framework (version 12)
	</li>
	<li>
		1 high severity information disclosure in Media Framework (versions 10, 11, 12)
	</li>
	<li>
		8 high severity escalation of privilege flaws in System (versions 10, 11, 12)
	</li>
	<li>
		1 high severity information disclosure flaw in System (versions 10, 11, 12)
	</li>
	<li>
		4 high severity escalation of privilege flaws in Kernel
	</li>
	<li>
		1 high severity information disclosure in Kernel
	</li>
	<li>
		3 high severity flaws in MediaTek components
	</li>
	<li>
		10 high severity flaws in Qualcomm components
	</li>
</ul>

<p>
	 
</p>

<p>
	As is the case every month, Google has released two patch levels for March 2022, one denoted as "2022-03-01" and one as "2022-03-05".
</p>

<p>
	 
</p>

<p>
	The second patch level includes everything in the first set plus fixes for third-party closed source and Kernel components that may not apply to all devices.
</p>

<p>
	 
</p>

<p>
	As such, your device vendor may choose to push the first level to save on roll-out time, and it won't necessarily mean that you are left vulnerable to exploitation.
</p>

<p>
	 
</p>

<p>
	With the only exception being Google's Pixel line which receives these security updates immediately, all <a href="https://security.samsungmobile.com/securityUpdate.smsb" rel="external nofollow" target="_blank">other vendors</a> will need some time to bundle the patches for each of their models, as different hardware configurations require dedicated testing and fine-tuning.
</p>

<p>
	 
</p>

<p>
	If you are running anything older than Android 10, consider upgrading to a new and actively supported device, or flashing your existing device with a third-party Android ROM that's based on a recent AOSP version.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/androids-march-2022-security-updates-fix-three-critical-bugs/" rel="external nofollow">Android's March 2022 security updates fix three critical bugs</a>
</p>
]]></description><guid isPermaLink="false">4639</guid><pubDate>Tue, 08 Mar 2022 22:48:17 +0000</pubDate></item><item><title>Google is acquiring cybersecurity firm Mandiant for $5.4 billion</title><link>https://nsaneforums.com/news/security-privacy-news/google-is-acquiring-cybersecurity-firm-mandiant-for-54-billion-r4620/</link><description><![CDATA[<p>
	<b><a href="https://www.googlecloudpresscorner.com/2022-03-08-mgc" rel="external nofollow">Google has announced</a> their intent to acquire cybersecurity company Mandiant for an astonishing $5.4 billion. </b>
</p>

<p>
	 
</p>


<p>
	<span style="font-weight:400">As Google’s second-largest <a href="https://mspoweruser.com/google-acquires-audio-startups-to-expand-patent-portfolio-and-audio-product-innovations/" rel="external nofollow">acquisition</a> to date, following their purchase of Motorola for $12.5 billion in 2012, this deal will see Mandiant becoming part of Google Cloud in order to complement the company’s “existing strengths in security.”</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-weight:400">In the announcement, <a href="https://mspoweruser.com/google-confirms-android-12l-will-ship-on-tablets/" rel="external nofollow">Google</a> detailed how they’ll utilize Mandiant’s proven expertise in order to offer services in threat detection and intelligence, automation and response tools, testing and validation, and managed defence, as well as offering advisory services to enterprises. </span>
</p>

<p>
	 
</p>


<p>
	<span style="font-weight:400">While Mandiant may not be a household name, the cybersecurity company earned fame and this staggering valuation through uncovering the SolarWinds attack in December of 2020. Believed to be backed by the Russian government, the SolarWinds attack compromised computers within the US federal government for almost a year before Mandiant discovered it. </span>
</p>

<p>
	 
</p>

<p>
	<span style="font-weight:400">“Organizations around the world are facing unprecedented cybersecurity challenges as the sophistication and severity of attacks that were previously used to target major governments are now being used to target companies in every industry,” Thomas Kurian, CEO of Google Cloud, stated in the announcement. </span>
</p>

<p>
	 
</p>

<p>
	<span style="font-weight:400">“We look forward to welcoming Mandiant to Google Cloud to further enhance our security operations suite and advisory services, and help customers address their most important security challenges.”</span>
</p>

<p>
	 
</p>


<p>
	 
</p>

<p>
	<a href="https://mspoweruser.com/google-is-acquiring-mandiant-for-5-billion/" rel="external nofollow">Google is acquiring cybersecurity firm Mandiant for $5.4 billion</a>
</p>
]]></description><guid isPermaLink="false">4620</guid><pubDate>Tue, 08 Mar 2022 17:33:18 +0000</pubDate></item><item><title>DDoS attacks now use new record-breaking amplification vector</title><link>https://nsaneforums.com/news/security-privacy-news/ddos-attacks-now-use-new-record-breaking-amplification-vector-r4616/</link><description><![CDATA[<p>
	A new reflection/amplification DDoS method is being used in attacks that provides a record-breaking amplification ratio of almost 4.3 billion to 1.
</p>

<p>
	 
</p>

<p>
	Distributed Denial of Service (DDoS) attacks target servers or networks with many requests and high volumes of data, aiming to deplete their available resources and cause a service outage.
</p>

<p>
	 
</p>

<p>
	The amplification ratio is critical when conducting attacks, as the higher the number, the easier it is for threat actors to overwhelm well-protected endpoints with less firepower.
</p>

<h2>
	A monstrous amplification level
</h2>

<p>
	As detailed in a report that Akamai shared with Bleeping Computer before publication, a new attack vector relies on the abuse of insecure devices that serve as DDoS reflectors/amplifiers.
</p>

<p>
	 
</p>

<p>
	Reflection attacks start with a small packet reflected inside a closed network while its size gets amplified with each bounce. When reaching the possible upper limit, the resulting volume of traffic is channeled to the target.
</p>

<p>
	 
</p>

<p>
	<img alt="amplify.jpg" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Diagrams/amplify.jpg">
</p>

<div>
	<figure>
		<figcaption>
			Diagram demonstrating a DDoS amplification attack (Link 11)
		</figcaption>
	</figure>
</div>

<p>
	For this new DDoS method, threat actors are abusing a vulnerability tracked as CVE-2022-26143 in a driver used by Mitel devices that incorporate the TP-240 VoIP interface, such as MiVoice Business Express and MiCollab.
</p>

<p>
	 
</p>

<p>
	“The abused service on affected Mitel systems is called tp240dvr (“TP-240 driver”) and runs as a software bridge to facilitate interactions with the TP-240 VoIP processing interface cards,” <a href="https://www.akamai.com/blog/security/phone-home-ddos-attack-vector" rel="external nofollow" target="_blank">Akamai explains in its report</a> on the vulnerability.
</p>

<p>
	 
</p>

<p>
	“The daemon listens for commands on UDP/10074 and isn’t meant to be exposed to the Internet, as confirmed by the manufacturer of these devices. It’s this exposure to the internet that ultimately allows it to be abused.”
</p>

<p>
	 
</p>

<p>
	Akamai has counted 2,600 exposed Mitel devices currently vulnerable to this amplification flaw, while the vendor is already handling remediation with its customers.
</p>

<p>
	 
</p>

<p>
	The particular driver features a traffic generation command designed to stress-test the clients, used for debugging and performance testing.
</p>

<p>
	 
</p>

<p>
	By abusing this command, attackers can generate massive network traffic from these devices. Unfortunately, this is possible because the risky command is activated by default.
</p>

<p>
	 
</p>

<p>
	On a positive note, the associated daemon runs in single-threaded mode, which prevents parallel use, and due to the limited hardware resources on Mitel devices, the potential attack volume per device has a relatively low upper ceiling.
</p>

<p>
	 
</p>

<p>
	Last week, Akamai disclosed a very similar DDoS method called “TCP Middlebox Reflection,” which leverages vulnerable firewalls and content filtering policy enforcement systems in middleboxes to achieve an <a href="https://www.bleepingcomputer.com/news/security/content-filtering-devices-abused-for-65x-ddos-amplification/" target="_blank" rel="external nofollow">amplification factor of 65x</a>.
</p>

<h2>
	Attacks in the wild
</h2>

<p>
	The first signs of attacks abusing Mitel devices were noticed on January 8, 2022, while the first actual attacks leveraging the vulnerable driver began on February 18, 2022.
</p>

<p>
	 
</p>

<p>
	The targets were governments, commercial enterprises, financial institutions, logistic firms, broadband access ISPs, and other important organizations.
</p>

<p>
	 
</p>

<p>
	“Observed attacks were primarily predicated on packets-per-second, or throughput, and appeared to be UDP reflection/amplification attacks sourced from UDP/10074 that were mainly directed towards destination ports UDP/80 and UDP/443,” details Akamai in their report.
</p>

<p>
	 
</p>

<p>
	“The single largest observed attack of this type to date was approximately 53 million packets-per-second (mpps) and 23 gigabits-per-second (gb/sec). The average packet size for that attack was approximately 60 bytes, with an attack duration of approximately ~5 minutes.”
</p>

<p>
	 
</p>

<p>
	One notable difference of this vector against most UDP reflection methodologies is that it can sustain lengthy DDoS attacks, lasting for up to 14 hours.
</p>

<p>
	 
</p>

<p>
	When evaluated from this perspective, the packet amplification ratio reaches 4,294,967,296:1, and the attack traffic can go up to 400 mpps with a sustained flood of 393mb/sec.
</p>

<h2>
	Outlook and protection
</h2>

<p>
	Over the past month, DDoS attacks have become increasingly common, especially since Russia invaded Ukraine.
</p>

<p>
	 
</p>

<p>
	Even before the invasion, Ukrainian government agencies and banks <a href="https://www.bleepingcomputer.com/news/security/ukrainian-military-agencies-state-owned-banks-hit-by-ddos-attacks/" target="_blank" rel="external nofollow">suffered numerous DDoS attacks</a> that took down their websites with the aim of sowing chaos within the country.
</p>

<p>
	 
</p>

<p>
	Since then, DDoS attacks have been conducted by <a href="https://www.bleepingcomputer.com/news/security/ukraine-says-its-it-army-has-taken-down-key-russian-sites/" target="_blank" rel="external nofollow">Ukraine’s IT Army attacking Russian interests</a> and <a href="https://www.bleepingcomputer.com/news/security/ransomware-gangs-hackers-pick-sides-over-russia-invading-ukraine/" target="_blank" rel="external nofollow">supporters of Russia</a> attacking Ukrainian and western entities.
</p>

<p>
	 
</p>

<p>
	With DDoS attacks becoming so widely used, it is essential to try and harden your infrastructure against these types of attacks, especially at the amplification levels seen in this new DDoS method.
</p>

<p>
	 
</p>

<p>
	Akamai says that monitoring UDP/10074 traffic and implementing active packet capture and analysis systems to block attacks using this port will help mitigate reflection/amplification attacks.
</p>

<p>
	 
</p>

<p>
	However, legitimate traffic may also be using this port and would be blocked as well.
</p>

<p>
	 
</p>

<p>
	The best way to prevent this new DDoS method is for organizations that use the TP-240 interface to follow Mitel’s remediation instructions, enforcing firewall rules to block malicious initiator packets or disabling the abused command.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/ddos-attacks-now-use-new-record-breaking-amplification-vector/" rel="external nofollow">DDoS attacks now use new record-breaking amplification vector</a>
</p>
]]></description><guid isPermaLink="false">4616</guid><pubDate>Tue, 08 Mar 2022 17:23:59 +0000</pubDate></item><item><title>New Linux bug gives root on all major distros, exploit released</title><link>https://nsaneforums.com/news/security-privacy-news/new-linux-bug-gives-root-on-all-major-distros-exploit-released-r4609/</link><description><![CDATA[<p>
	A new Linux vulnerability known as 'Dirty Pipe' allows local users to gain root privileges through publicly available exploits.
</p>

<p>
	 
</p>

<p>
	Today, security researcher Max Kellermann responsibly disclosed the 'Dirty Pipe' vulnerability and stated that it affects Linux Kernel 5.8 and later versions, even on Android devices.
</p>

<p>
	 
</p>

<p>
	The vulnerability is tracked as CVE-2022-0847 and allows a non-privileged user to inject and overwrite data in read-only files, including SUID processes that run as root.
</p>

<p>
	 
</p>

<p>
	Kellermann discovered the bug after tracking down a bug that was corrupting web server access logs for one of his customers.
</p>

<p>
	 
</p>

<p>
	Kellermann states that the vulnerability is similar to the <a href="https://dirtycow.ninja/" rel="external nofollow" target="_blank">Dirty COW vulnerability</a> (CVE-2016-5195) fixed in 2016.
</p>

<h2>
	Public exploits give root privileges
</h2>

<p>
	As part of the <a href="https://dirtypipe.cm4all.com/" rel="external nofollow" target="_blank">Dirty Pipe disclosure</a>, Kellermann released a proof-of-concept (PoC) exploit that allows local users to inject their own data into sensitive read-only files, removing restrictions or modifying configurations to provide greater access than they usually would have.
</p>

<p>
	 
</p>

<p>
	For example, security researcher <a href="https://twitter.com/phithon_xg" rel="external nofollow" target="_blank">Phith0n</a> illustrated how they could use the exploit to modify the /etc/passwd file so that the root user does not have a password. Once this change is made, the non-privileged user could simply execute the 'su root' command to gain access to the root account.
</p>

<p>
	 
</p>

<p>
	<a href="https://twitter.com/phithon_xg/status/1500905126076157953" rel="external nofollow" target="_blank">Phith0n's demonstration on Twitter</a>
</p>

<p>
	 
</p>

<p>
	However, an updated exploit by security researcher <a href="https://twitter.com/bl4sty" rel="external nofollow" role="link" target="_blank">BLASTY</a> was also publicly released today that makes it even easier to gain root privileges by patching the /usr/bin/su command to drop a root shell at /tmp/sh and then executing the script.
</p>

<p>
	 
</p>

<p>
	Once executed, the user gains root privileges, as demonstrated by BleepingComputer below in Ubuntu 20.04.3 LTS running the 5.13.0-27-generic kernel.
</p>

<p>
	 
</p>

<p>
	<img alt="dirtypipe-poc.jpg" class="ipsImage" data-ratio="72.92" height="302" width="720" src="https://www.bleepstatic.com/images/news/security/attacks/l/linux/dirtypipe/dirtypipe-poc.jpg">
</p>

<div>
	<figure>
		<figcaption>
			Demonstration of the CVE-2022-0847 Dirty Pipe vulnerability<br>
			Source: BleepingComputer
		</figcaption>
	</figure>
</div>

<p>
	The vulnerability was responsibly disclosed to various Linux maintainers starting on February 20th, 2022, including the Linux kernel security team and the Android Security Team.
</p>

<p>
	 
</p>

<p>
	While the bug has been fixed in Linux kernels 5.16.11, 5.15.25, and 5.10.102, many servers continue to run outdated kernels, making the release of this exploit a significant issue for server administrators.
</p>

<p>
	 
</p>

<p>
	Furthermore, due to the ease of gaining root privileges using these exploits, it is only a matter of time before threat actors begin using the vulnerability when conducting attacks. The similar Dirty COW vulnerability was <a href="https://www.bleepingcomputer.com/news/security/first-android-malware-discovered-using-dirty-cow-exploit/" target="_blank" rel="external nofollow">previously used by malware</a>, even though it was harder to exploit.
</p>

<p>
	 
</p>

<p>
	This bug is especially concerning for web hosting providers who offer Linux shell access or universities that commonly provide shell access to multi-user Linux systems.
</p>

<p>
	 
</p>

<p>
	It has been a rough twelve months for Linux, with numerous high-profile privilege elevation vulnerabilities disclosed.
</p>

<p>
	 
</p>

<p>
	These include privilege elevation vulnerabilities in the Linux <a href="https://www.bleepingcomputer.com/news/security/15-year-old-linux-kernel-bugs-let-attackers-gain-root-privileges/" target="_blank" rel="external nofollow">iSCSI subsystem</a>, another <a href="https://www.bleepingcomputer.com/news/security/new-linux-kernel-bug-lets-you-get-root-on-most-modern-distros/" target="_blank" rel="external nofollow">kernel bug</a>, the <a href="https://www.bleepingcomputer.com/news/security/linux-ebpf-bug-gets-root-privileges-on-ubuntu-exploit-released/" target="_blank" rel="external nofollow">Extended Berkeley Packet Filter</a> (eBPF), and <a href="https://www.bleepingcomputer.com/news/security/linux-system-service-bug-gives-root-on-all-major-distros-exploit-released/" target="_blank" rel="external nofollow">Polkit's pkexec component</a>.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/new-linux-bug-gives-root-on-all-major-distros-exploit-released/" rel="external nofollow">New Linux bug gives root on all major distros, exploit released</a>
</p>
]]></description><guid isPermaLink="false">4609</guid><pubDate>Mon, 07 Mar 2022 22:51:53 +0000</pubDate></item><item><title>Attackers can force Amazon Echos to hack themselves with self-issued commands</title><link>https://nsaneforums.com/news/security-privacy-news/attackers-can-force-amazon-echos-to-hack-themselves-with-self-issued-commands-r4593/</link><description><![CDATA[<h3>
	Popular “smart” device follows commands issued by its own speaker. What could go wrong?
</h3>

<div itemprop="articleBody">
	
	<p>
		Academic researchers have devised a new working exploit that commandeers Amazon Echo smart speakers and forces them to unlock doors, make phone calls and unauthorized purchases, and control furnaces, microwave ovens, and other smart appliances.
	</p>

	<p>
		 
	</p>

	<p>
		The attack works by using the device’s speaker to issue voice commands. As long as the speech contains the device wake word (usually “Alexa” or “Echo”) followed by a permissible command, the Echo will carry it out, researchers from Royal Holloway University in London and Italy’s University of Catania found. Even when devices require verbal confirmation before executing sensitive commands, it’s trivial to bypass the measure by adding the word “yes” about six seconds after issuing the command. Attackers can also exploit what the researchers call the "FVV," or full voice vulnerability, which allows Echos to make self-issued commands without temporarily reducing the device volume.
	</p>

	<h2>
		Alexa, go hack yourself
	</h2>

	<p>
		Because the hack uses Alexa functionality to force devices to make self-issued commands, the researchers have dubbed it "AvA," short for Alexa vs. Alexa. It requires only a few seconds of proximity to a vulnerable device while it’s turned on so an attacker can utter a voice command instructing it to pair with an attacker’s Bluetooth-enabled device. As long as the device remains within radio range of the Echo, the attacker will be able to issue commands.
	</p>

	<p>
		 
	</p>

	<p>
		The attack "is the first to exploit the vulnerability of self-issuing arbitrary commands on Echo devices, allowing an attacker to control them for a prolonged amount of time," the researchers wrote in a <a href="https://arxiv.org/pdf/2202.08619.pdf" rel="external nofollow">paper</a> published two weeks ago. “With this work, we remove the necessity of having an external speaker near the target device, increasing the overall likelihood of the attack.”
	</p>

	<p>
		 
	</p>

	<p>
		A variation of the attack uses a malicious radio station to generate the self-issued commands. That attack is no longer possible in the way shown in the paper following security patches that Echo-maker Amazon released in response to the research. The researchers have confirmed that the attacks work against 3rd- and 4th-generation Echo Dot devices.
	</p>

	<figure>
		<figcaption>
			<div>
				<img alt="ava-exploitation-flow-640x303.png" class="ipsImage" data-ratio="47.34" height="303" width="640" src="https://cdn.arstechnica.net/wp-content/uploads/2022/03/ava-exploitation-flow-640x303.png">
			</div>

			<div>
				Esposito et al.
			</div>
		</figcaption>
	</figure>

	<p>
		AvA begins when a vulnerable Echo device connects by Bluetooth to the attacker’s device (and for unpatched Echos, when they play the malicious radio station). From then on, the attacker can use a text-to-speech app or other means to stream voice commands. Here’s a video of AvA in action. All the variations of the attack remain viable, with the exception of what’s shown between 1:40 and 2:14:
	</p>

	<p>
		 
	</p>

	<p>
		<a href="https://www.youtube.com/embed/t-203SV_Eg8?feature=oembed" rel="external nofollow" target="_blank">Alexa versus Alexa - Demo (video)</a>
	</p>

	<figure>
		<figcaption>
			<div>
				Alexa versus Alexa - Demo.
			</div>
		</figcaption>
	</figure>

	<p>
		The researchers found they could use AvA to force devices to carry out a host of commands, many with serious privacy or security consequences. Possible malicious actions include:
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			Controlling other smart appliances, such as turning off lights, turning on a smart microwave oven, setting the heating to an unsafe temperature, or unlocking smart door locks. As noted earlier, when Echos require confirmation, the adversary only needs to append a “yes” to the command about six seconds after the request.
		</li>
		<li>
			Calling any phone number, including one controlled by the attacker, so that it’s possible to eavesdrop on nearby sounds. While Echos use a light to indicate that they are making a call, devices are not always visible to users, and less experienced users may not know what the light means.
		</li>
		<li>
			Making unauthorized purchases using the victim’s Amazon account. Although Amazon will send an email notifying the victim of the purchase, the email may be missed or the user may lose trust in Amazon. Alternatively, attackers can also delete items already in the account shopping cart.
		</li>
		<li>
			Tampering with a user’s previously linked calendar to add, move, delete, or modify events.
		</li>
		<li>
			Impersonating skills or starting any skill of the attacker’s choice. This, in turn, could allow attackers to obtain passwords and personal data.
		</li>
		<li>
			Retrieving all utterances made by the victim. Using what the researchers call a "mask attack," an adversary can intercept commands and store them in a database. This could allow the adversary to extract private data, gather information on used skills, and infer user habits.
		</li>
	</ul>

	<p>
		 
	</p>

	<p>
		The researchers wrote:
	</p>

	<p>
		 
	</p>

	<p style="margin-left: 40px;">
		With these tests, we demonstrated that AvA can be used to give arbitrary commands of any type and length, with optimal results—in particular, an attacker can control smart lights with a 93% success rate, successfully buy unwanted items on Amazon 100% of the times, and tamper [with] a linked calendar with 88% success rate. Complex commands that have to be recognized correctly in their entirety to succeed, such as calling a phone number, have an almost optimal success rate, in this case 73%. Additionally, results shown in Table 7 demonstrate the attacker can successfully set up a Voice Masquerading Attack via our Mask Attack skill without being detected, and all issued utterances can be retrieved and stored in the attacker’s database, namely 41 in our case.
	</p>


	<div>
		<img alt="ava-table7-640x470.png" class="ipsImage" data-ratio="73.44" height="470" width="640" src="https://cdn.arstechnica.net/wp-content/uploads/2022/03/ava-table7-640x470.png">
	</div>

	<div data-page="2">
		<div>
			<section>
				<div itemprop="articleBody">
					<figure>
						<figcaption>
							<div>
								Esposito et al.
							</div>

							<div>
								 
							</div>

							<div>
								<img alt="ava-table8-640x294.png" class="ipsImage" data-ratio="45.94" height="294" width="640" src="https://cdn.arstechnica.net/wp-content/uploads/2022/03/ava-table8-640x294.png">
							</div>
						</figcaption>
					</figure>

					<p>
						As noted earlier, Amazon has fixed several of the weaknesses, including one that used Alexa skills to self-wake devices, that made it possible to easily use radio stations to deliver self-issued commands. In a statement, company officials wrote:
					</p>

					<p>
						 
					</p>

					<p style="margin-left: 40px;">
						At Amazon, privacy and security are foundational to how we design and deliver every device, feature, and experience. We appreciate the work of independent security researchers who help bring potential issues to our attention and are committed to working with them to secure our devices. We fixed the remote self-wake issue with Alexa Skills caused by extended periods of silence resulting from break tags as demonstrated by the researchers. We also have systems in place to continually monitor live skills for potentially malicious behavior, including silent re-prompts. Any offending skills we identify are blocked during certification or quickly deactivated, and we are constantly improving these mechanisms to further protect our customers.
					</p>

					<h2>
						Always listening
					</h2>
					<p>
						The research is the latest to underscore the risks posed by smart speakers. In 2019, researchers demonstrated how eight malicious apps they developed—four skills that passed Amazon’s vetting process and four actions that passed Google's vetting—<a href="https://arstechnica.com/information-technology/2019/10/alexa-and-google-home-abused-to-eavesdrop-and-phish-passwords/" rel="external nofollow">surreptitiously eavesdropped on users</a> and phished their passwords. The malicious skills or actions—which were hosted by Amazon and Google respectively—posed as simple apps for checking horoscopes, with the exception of one, which masqueraded as a random-number generator.
					</p>

					<p>
						 
					</p>
					<p>
						The same year, a different team of researchers showed how Siri, Alexa, and Google Assistant were vulnerable to attacks that <a href="https://arstechnica.com/information-technology/2019/11/researchers-hack-siri-alexa-and-google-home-by-shining-lasers-at-them/" rel="external nofollow">used low-powered lasers</a> to inject inaudible—and sometimes invisible—commands into the devices and surreptitiously cause them to unlock doors, visit websites, and locate, unlock, and start vehicles. The lasers could be as far away as 360 feet from a vulnerable device. The light-based commands could also be sent from one building to another and penetrate glass when a vulnerable device is located near a closed window.
					</p>

					<p>
						 
					</p>

					<p>
						The researchers behind AvA are Sergio Esposito and Daniele Sgandurra of Royal Holloway University and Giampaolo Bella of the University of Catania. As a countermeasure to make attacks less likely, they recommend that Echo users mute their microphones any time they’re not actively using their device.
					</p>

					<p>
						 
					</p>

					<p>
						“This makes it impossible to self-issue any command,” the researchers wrote on an <a href="https://www.ava-attack.org/" rel="external nofollow">informational website</a>. “Additionally, if the microphone is unmuted only when you are near Echo, you will be able to hear the self-issued commands, hence being able to timely react to them (powering off Echo, canceling an order that the attacker has placed with your Amazon account, e.g.).”
					</p>

					<p>
						 
					</p>

					<p>
						People can always exit a skill by saying, "Alexa, quit" or "Alexa, cancel." Users can also enable an audible indicator that is played after the Echo device detects the wake word.
					</p>

					<p>
						 
					</p>

					<p>
						Amazon has rated the threat posed by AvA as having “medium” severity. The requirement to have brief proximity to the device for Bluetooth pairing means AvA exploits don’t work over the Internet, and even when an adversary successfully pairs the Echo with a Bluetooth device, the latter device must remain within radio range. The attack may nonetheless be viable for domestic partner abusers, malicious insiders, or other people who have fleeting access to a vulnerable Echo.
					</p>
				</div>
			</section>
		</div>
	</div>

</div>

<p>
	<a href="https://arstechnica.com/information-technology/2022/03/attackers-can-force-amazon-echos-to-hack-themselves-with-self-issued-commands/" rel="external nofollow">Attackers can force Amazon Echos to hack themselves with self-issued commands</a>
</p>
]]></description><guid isPermaLink="false">4593</guid><pubDate>Sun, 06 Mar 2022 20:50:01 +0000</pubDate></item><item><title>Malware now using stolen NVIDIA code signing certificates</title><link>https://nsaneforums.com/news/security-privacy-news/malware-now-using-stolen-nvidia-code-signing-certificates-r4589/</link><description><![CDATA[<p>
	Threat actors are using stolen NVIDIA code signing certificates to sign malware so that it appears trustworthy and so that malicious drivers can be loaded in Windows.
</p>

<p>
	This week, NVIDIA confirmed that they suffered a cyberattack that allowed threat actors to steal employee credentials and proprietary data.
</p>

<p>
	The extortion group, known as Lapsus$, states that they stole 1TB of data during the attack and began leaking the data online after NVIDIA refused to negotiate with them.
</p>

<p>
	<img alt="nvidia-telegram.jpg" class="ipsImage" data-ratio="75.10" height="431" width="720" src="https://www.bleepstatic.com/images/news/security/e/extortion/nvidia/lapsus/nvidia-telegram.jpg">
</p>

<div>
	<figure>
		<figcaption>
			Lapsus$ messages about the NVIDIA attack
		</figcaption>
	</figure>
</div>

<p>
	The leak includes two stolen code-signing certificates used by NVIDIA developers to sign their drivers and executables.
</p>

<p>
	A code-signing certificate allows developers to digitally sign executables and drivers so that Windows and end users can verify a file's publisher and whether it has been tampered with by a third party.
</p>

<p>
	To increase security in Windows, Microsoft also requires kernel-mode drivers to be code signed before the operating system will load them.
</p>

<h2>
	NVIDIA certificates used to sign malware
</h2>

<p>
	After Lapsus$ leaked NVIDIA's code-signing certificates, <a href="https://twitter.com/cyb3rops/status/1499514240008437762" rel="external nofollow" target="_blank">security researchers quickly found</a> that the certificates were being used to sign malware and other tools used by threat actors.
</p>

<p>
	According to samples uploaded to the VirusTotal malware scanning service, the stolen certificates were used to sign various malware and hacking tools, such as Cobalt Strike beacons, Mimikatz, backdoors, and remote access trojans.
</p>

<p>
	For example, one threat actor used the certificate to sign a Quasar remote access trojan [<a href="https://www.virustotal.com/gui/file/065077fa74c211adf9563f00e57b5daf9594e72cea15b1c470d41b756c3b87e1" rel="external nofollow" target="_blank">VirusTotal</a>], while someone else used the certificate to sign a Windows driver [<a href="https://www.virustotal.com/gui/file/2f578cb0d97498b3482876c2f356035e3365e2c492e10513ff4e4159eebc44b8/detection" rel="external nofollow" target="_blank">VirusTotal</a>].
</p>

<p>
	<img alt="quasar-trojan.jpg" class="ipsImage" data-ratio="82.44" height="540" width="400" src="https://www.bleepstatic.com/images/news/security/attacks/n/nvidia/code-signing-certs/quasar-trojan.jpg">
</p>

<div>
	<figure>
		<figcaption>
			Quasar RAT signed by NVIDIA certificate
		</figcaption>
	</figure>
</div>

<p>
	Security researchers <a href="https://twitter.com/GossiTheDog" rel="external nofollow" role="link" target="_blank">Kevin Beaumont</a> and <a href="https://twitter.com/wdormann" rel="external nofollow" role="link" target="_blank">Will Dormann</a> shared that the stolen certificates carry the following serial numbers:
</p>

<pre style="margin-left: 40px;">43BB437D609866286DD839E1D00309F5
14781bc862e8dc503a559346f5dcc518</pre>

<p>
	Some of the files were likely uploaded to VirusTotal by security researchers but others appear to be used by threat actors for malware campaigns [<a href="https://www.virustotal.com/gui/file/a0aa66f6639e2b54a908115571c85285598845d3e52888fe27c6b35f6900fe56/detection" rel="external nofollow" target="_blank">1</a>, <a href="https://www.virustotal.com/gui/file/a7c3ce181e5c3956bb6b9b92e862b6fea6d6d3be1a38321ebb84428dde127677/relations" rel="external nofollow" target="_blank">2</a>].
</p>

<p>
	While both stolen NVIDIA certificates are expired, Windows will still allow a driver signed with the certificates to be loaded in the operating system.
</p>

<p>
	Using these stolen certificates therefore lets threat actors make their programs look like legitimate NVIDIA software and get malicious drivers loaded by Windows.
</p>

<p>
	<img alt="signed-malware.jpg" class="ipsImage" data-ratio="100.75" height="540" width="450" src="https://www.bleepstatic.com/images/news/security/attacks/n/nvidia/code-signing-certs/signed-malware.jpg">
</p>

<div>
	<figure>
		<figcaption>
			Signed Quasar RAT sample
		</figcaption>
	</figure>
</div>

<p>
	To prevent known vulnerable drivers from being loaded in Windows, David Weston, director of enterprise and OS security at Microsoft, tweeted that admins can configure <a href="https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create" rel="external nofollow" target="_blank">Windows Defender Application Control policies</a> to control what NVIDIA drivers can be loaded.
</p>

<p>
	However, using WDAC is not an easy task, especially for non-IT Windows users.
</p>

<p>
	Due to the potential for abuse, it is hoped that the stolen certificates will be added to Microsoft's certificate revocation list in the future to prevent malicious drivers from loading in Windows.
</p>

<p>
	However, doing so will cause legitimate NVIDIA drivers to be blocked as well, so we will likely not see this happening soon.
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/malware-now-using-stolen-nvidia-code-signing-certificates/" rel="external nofollow">Malware now using stolen NVIDIA code signing certificates</a>
</p>
]]></description><guid isPermaLink="false">4589</guid><pubDate>Sat, 05 Mar 2022 23:31:27 +0000</pubDate></item><item><title>As Nvidia hacker deadline looms, 71,000 employee accounts have reportedly been exposed</title><link>https://nsaneforums.com/news/security-privacy-news/as-nvidia-hacker-deadline-looms-71000-employee-accounts-have-reportedly-been-exposed-r4579/</link><description><![CDATA[<h3>
	Have I Been Pwned says the hackers cracked Nvidia employees’ emails
</h3>

<p>
	Nvidia never denied that it got hacked. The GPU giant just didn’t say all that much about what happened, either.
</p>

<p>
	But now — as we wait to see whether the hackers make good <a href="https://www.theverge.com/2022/3/1/22957212/nvidia-confirms-hack-proprietary-information-lapsus" rel="external nofollow">on their threat to dump hundreds of gigabytes of proprietary Nvidia data on the web</a>, including details about future graphics chips, by an unspecified Friday deadline — the compromised email alert website Have I Been Pwned suggests that the scope of the hack <a href="https://haveibeenpwned.com/PwnedWebsites#NVIDIA" rel="external nofollow">includes a staggering 71,000 employee emails and hashes</a> that may have allowed the hackers to crack their passwords (via <a href="https://techcrunch.com/2022/03/04/nvidia-ransomware-hackers-demands/" rel="external nofollow">TechCrunch</a>).
</p>

<p>
	It’s not clear how Have I Been Pwned obtained this info, and Nvidia won’t say. Nvidia would not confirm or deny to The Verge whether 71,000 employee credentials have been compromised, and it would not say whether it plans to comply with any of the hackers’ demands.
</p>

<p>
	It is worth noting that Nvidia has far fewer than 71,000 employees — <a href="https://investor.nvidia.com/financial-info/annual-reports-and-proxies/default.aspx" rel="external nofollow">its last annual report</a> lists 18,975 employees across 29 countries, though it’s possible the compromised email addresses include prior employees and aliases for groups of employees. (Companies that rely heavily on email often have a lot of mailing lists.) <a href="https://go.redirectingat.com?id=66960X1514734&amp;xs=1&amp;url=https%3A%2F%2Fwww.telegraph.co.uk%2Fbusiness%2F2022%2F02%2F25%2Fus-microchip-powerhouse-nvidia-hit-cyber-attack%2F&amp;referrer=theverge.com&amp;sref=https%3A%2F%2Fwww.theverge.com%2F2022%2F3%2F4%2F22962217%2Fnvidia-hack-lapsus-have-i-been-pwned-email-breach-password" rel="external nofollow" target="_blank">The Telegraph’s initial report suggested</a> that the company’s internal systems, including email, had been “completely compromised,” and a leak of 71,000 employee credentials would line up with that.
</p>

<p>
	Here is all that Nvidia is actually saying today, via spokesperson Hector Marinez:
</p>

<p>
	On February 23, 2022, NVIDIA became aware of a cybersecurity incident which impacted IT resources. Shortly after discovering the incident, we further hardened our network, engaged cybersecurity incident response experts, and notified law enforcement.
</p>

<p>
	We have no evidence of ransomware being deployed on the NVIDIA environment or that this is related to the Russia-Ukraine conflict. However, we are aware that the threat actor took employee credentials and some NVIDIA proprietary information from our systems and has begun leaking it online. Our team is working to analyze that information. We do not anticipate any disruption to our business or our ability to serve our customers as a result of the incident.
</p>

<p>
	Security is a continuous process that we take very seriously at NVIDIA – and we invest in the protection and quality of our code and products daily.
</p>

<p>
	That’s what we’d heard previously, and <a href="https://nvidia.custhelp.com/app/answers/detail/a_id/5333" rel="external nofollow">Nvidia’s cybersecurity incident response page</a> hasn’t been updated since March 1st, either.
</p>

<p>
	The LAPSUS$ hacking group, which has taken credit for the breach, had an unusually populist demand: it stated that it wants Nvidia to open source its GPU drivers forever and remove <a href="https://www.theverge.com/2021/5/18/22441847/nvidia-rtx-3080-3070-ethereum-mining-drivers-limit-cryptocurrency" rel="external nofollow">its Ethereum cryptocurrency mining nerf</a> from all Nvidia 30-series GPUs (such as newer models of the RTX 3080) rather than directly asking for cash.
</p>

<p>
	But they clearly want cash, too. The hackers have also publicly stated that they’ll sell a bypass for the crypto nerf for $1 million, and this morning, they briefly posted a message suggesting that today’s leak would be delayed while they discussed terms with a would-be buyer of Nvidia’s source code.
</p>

<p>
	If Nvidia does pay up, something that’s not unheard of in these data ransom situations, I wouldn’t necessarily expect to hear about it anytime soon. It won’t necessarily be in either party’s best interests to say so. But if Nvidia doesn’t pay or comply and LAPSUS$ does have the data it claims, things might be about to get interesting.
</p>

<p>
	<a href="https://www.theverge.com/2022/3/4/22962217/nvidia-hack-lapsus-have-i-been-pwned-email-breach-password" rel="external nofollow">As Nvidia hacker deadline looms, 71,000 employee accounts have reportedly been exposed</a>
</p>
]]></description><guid isPermaLink="false">4579</guid><pubDate>Sat, 05 Mar 2022 02:47:19 +0000</pubDate></item><item><title>Hackers leak 190GB of alleged Samsung data, source code</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-leak-190gb-of-alleged-samsung-data-source-code-r4578/</link><description><![CDATA[<p>
	The Lapsus$ data extortion group leaked today a huge collection of confidential data they claim to be from Samsung Electronics, the South Korean giant consumer electronics company.
</p>

<p>
	The leak comes less than a week after Lapsus$ released a 20GB document archive from the <a href="https://www.bleepingcomputer.com/news/security/hackers-to-nvidia-remove-mining-cap-or-we-leak-hardware-data/" rel="external nofollow">1TB of data stolen from Nvidia</a>, the GPU designer.
</p>

<h3>
	Gang teases Samsung data leak
</h3>

<p>
	In a note posted earlier today, the extortion gang teased the release of Samsung data with a snapshot of C/C++ directives from Samsung software.
</p>

<p>
	<img alt="LapsusSamsungTease.jpg" class="ipsImage" data-ratio="75.10" height="389" width="720" src="https://www.bleepstatic.com/images/news/u/1100723/data-leaks/Samsung/LapsusSamsungTease.jpg">
</p>

<p>
	Shortly after teasing their followers, Lapsus$ published a description of the upcoming leak, saying that it contains “confidential Samsung source code” originating from a breach.
</p>

<ul>
	<li>
		source code for every Trusted Applet (TA) installed in Samsung’s TrustZone environment used for sensitive operations (e.g. hardware cryptography, binary encryption, access control)
	</li>
	<li>
		algorithms for all biometric unlock operations
	</li>
	<li>
		bootloader source code for all recent Samsung devices
	</li>
	<li>
		confidential source code from Qualcomm
	</li>
	<li>
		source code for Samsung’s activation servers
	</li>
	<li>
		full source code for technology used for authorizing and authenticating Samsung accounts, including APIs and services
	</li>
</ul>

<p>
	If the details above are accurate, Samsung has suffered a major data breach that could cause huge damage to the company.
</p>

<p>
	Lapsus$ split the leaked data into three compressed files totaling almost 190GB and made them available in a torrent that appears to be highly popular, with more than 400 peers sharing the content. The extortion group also said that it would deploy more servers to increase the download speed.
</p>

<p>
	<img alt="LapsusSamsungLeak.jpg" class="ipsImage" data-ratio="38.79" height="249" width="642" src="https://www.bleepstatic.com/images/news/u/1100723/data-leaks/LapsusSamsungLeak.jpg">
</p>

<p>
	The torrent also includes a brief description of the content of each of the three archives:
</p>

<ul>
	<li>
		Part 1 contains a dump of source code and related data about Security/Defense/Knox/Bootloader/TrustedApps and various other items
	</li>
	<li>
		Part 2 contains a dump of source code and related data about device security and encryption
	</li>
	<li>
		Part 3 contains various repositories from Samsung GitHub: mobile defense engineering, Samsung account backend, Samsung Pass backend/frontend, and SES (Bixby, SmartThings, store)
	</li>
</ul>

<p>
	It is unclear if Lapsus$ contacted Samsung for a ransom, as they claimed in the case of Nvidia.
</p>

<p>
	BleepingComputer has contacted Samsung for a statement about the Lapsus$ data leak and will update the article when the company replies.
</p>

<p>
	This is a developing story.
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/hackers-leak-190gb-of-alleged-samsung-data-source-code/" rel="external nofollow">Hackers leak 190GB of alleged Samsung data, source code</a>
</p>
]]></description><guid isPermaLink="false">4578</guid><pubDate>Sat, 05 Mar 2022 02:45:09 +0000</pubDate></item><item><title>ESET, Intel partner to "turn the tide against ransomware" with ESET ransomware optimizations</title><link>https://nsaneforums.com/news/security-privacy-news/eset-intel-partner-to-turn-the-tide-against-ransomware-with-eset-ransomware-optimizations-r4562/</link><description><![CDATA[<p>
	ESET has announced that it has <a href="https://www.eset.com/int/about/newsroom/press-releases/company/eset-partners-with-intel-to-enhance-endpoint-security-with-hardware-based-ransomware-detection/" rel="external nofollow">joined hands with Intel to strengthen endpoint security with hardware-based ransomware detection</a>. Through this collaboration, the company seeks to incorporate Intel Threat Detection Technology (TDT) into its multi-layered cybersecurity technology suite.
</p>

<p>
	Carla Rodriguez, Senior Director of Ecosystem Partner Enablement at Intel Corp., said of Intel's partnership with ESET:
</p>

<p style="margin-left: 40px;">
	Ransomware impacts both small businesses and large enterprises and can result in economic fallout on a global scale. We are excited to partner with ESET which delivers a true global deployment footprint. ESET’s ransomware optimizations will work across both Intel vPro Enterprise and our new Intel vPro Essentials targeted for SMBs. This delivers a compelling hardware and software bundle that delivers right-sized security for businesses of any size and delivers higher efficacy security when ESET software is run on Intel-based PCs. This is a major step forward to turn the tide against ransomware.
</p>

<p>
	Integrating these ransomware detection enhancements into ESET's endpoint security products is meant to make them resistant to most detection bypasses. Their ability to identify derivative variants of ransomware is expected to improve as Intel TDT's machine learning evolves.
</p>

<p>
	ESET's Chief of Endpoint Solutions and Security Technologies, Előd Kironský, stated:
</p>

<p style="margin-left: 40px;">
	This collaboration recognizes the immediate boost in ransomware protection that integrating Intel’s hardware-based ransomware detection technology can deliver. Tapping into telemetry at the CPU level is an effective step we can take to enable improved tracking of malicious encryption. Basically, for ESET this means exposing ransomware as it attempts to avoid detection in memory. ESET has always believed in the multi-layered approach, and by adding the silicon layer we recognize that hardware-based security is the next milestone in battling threats.
</p>

<p>
	For ESET and its clients, the value of the partnership lies in two parallel benefits: Intel TDT's machine learning frameworks help identify ransomware, while the associated processing is offloaded to the Intel integrated graphics controller (GPU), keeping overall system performance high.
</p>

<p>
	Commenting on the topic, Kironský further stated:
</p>

<p style="margin-left: 40px;">
	Low impact to system performance is an area that ESET has always prioritized within its multi-layered software architecture and is a key selling point for many of our clients. Leveraging tech that can help us with prevention and protection, while also preserving performance is a win-win choice.
</p>

<p>
	The benefits of this integration will arrive in a forthcoming release of ESET's endpoint security solutions later in the year. In the initial phase of releases, the company will focus on Windows PCs with 9th Gen and newer Intel Core and Intel vPro processors, which can leverage Intel TDT "out of the box".
</p>

<p>
	<a href="https://www.neowin.net/news/eset-intel-partner-to-turn-the-tide-against-ransomware-with-eset-ransomware-optimizations/" rel="external nofollow">ESET, Intel partner to "turn the tide against ransomware" with ESET ransomware optimizations</a>
</p>
]]></description><guid isPermaLink="false">4562</guid><pubDate>Thu, 03 Mar 2022 22:43:20 +0000</pubDate></item><item><title>NVIDIA data breach exposed credentials of over 71,000 employees</title><link>https://nsaneforums.com/news/security-privacy-news/nvidia-data-breach-exposed-credentials-of-over-71000-employees-r4561/</link><description><![CDATA[<p>
	More than 71,000 employee credentials were stolen and leaked online following a data breach suffered by US chipmaker giant Nvidia last month.
</p>

<p>
	The Have I Been Pwned data breach notification service added data belonging to 71,335 compromised accounts to its database on Wednesday.
</p>

<p>
	Have I Been Pwned says the stolen data contains "email addresses and NTLM password hashes, many of which were subsequently cracked and circulated within the hacking community."
</p>

<p>
	Nvidia confirmed on March 1st that <a href="https://www.bleepingcomputer.com/news/security/nvidia-confirms-data-was-stolen-in-recent-cyberattack/" target="_blank" rel="external nofollow">its network was breached last month</a>, with the attackers gaining access to employees' login data and proprietary information.
</p>

<h2>
	Attack claimed by the Lapsus$ extortion gang
</h2>

<p>
	Nvidia said it was <a href="https://www.bleepingcomputer.com/news/security/gpu-giant-nvidia-is-investigating-a-potential-cyberattack/" target="_blank" rel="external nofollow">investigating an "incident"</a> that had reportedly impacted some of its systems, causing a two-day outage after news of the incident first came to light <a href="https://www.bleepingcomputer.com/news/security/gpu-giant-nvidia-is-investigating-a-potential-cyberattack/" target="_blank" rel="external nofollow">almost a week ago</a>.
</p>

<p>
	The same day, a data extortion group dubbed Lapsus$ claimed the attack and provided details regarding the incident, including that they stole 1TB of data from Nvidia's network.
</p>

<p>
	Over the weekend, <a href="https://www.bleepingcomputer.com/news/security/hackers-to-nvidia-remove-mining-cap-or-we-leak-hardware-data/" target="_blank" rel="external nofollow">Lapsus$ shared even more details about the intrusion</a> and leaked a 20GB archive containing data stolen from Nvidia's systems, as well as company employees' password hashes.
</p>

<p>
	The group <a href="https://www.bleepingcomputer.com/news/security/hackers-to-nvidia-remove-mining-cap-or-we-leak-hardware-data/" target="_blank" rel="external nofollow">threatened to leak hardware specifications info</a> unless the lite hash rate (LHR) limitations were removed from GeForce RTX 30 Series firmware.
</p>

<p>
	Lapsus$ also <a href="https://twitter.com/serghei/status/1498779322450169859" rel="external nofollow" target="_blank">asked Nvidia to commit to open-sourcing their GPU drivers</a> for Windows, macOS, and Linux devices by Friday, March 4th, to avoid having stolen information on all recent GPUs, including the RTX 3090Ti, leaked online.
</p>

<div>
	<figure>
		<figcaption>
			<p>
				<img alt="nvidia-telegram.jpg" class="ipsImage" data-ratio="75.10" height="431" width="720" src="https://www.bleepstatic.com/images/news/security/e/extortion/nvidia/lapsus/nvidia-telegram.jpg">
			</p>

			<p>
				Lapsus$ claiming the attack on Nvidia (BleepingComputer)
			</p>
		</figcaption>
	</figure>
</div>

<p>
	After refusing to confirm the extortionists' claims, Nvidia told BleepingComputer Tuesday that it detected "a cybersecurity incident which impacted IT resources" on February 23rd.
</p>

<p>
	The company added that it found no evidence of a ransomware attack, although the threat actor still managed to steal employee credentials and proprietary data, confirming Lapsus$'s claims.
</p>

<p>
	"However, we are aware that the threat actor took employee credentials and some NVIDIA proprietary information from our systems and has begun leaking it online. Our team is working to analyze that information," Nvidia told BleepingComputer.
</p>

<p>
	"We do not anticipate any disruption to our business or our ability to serve our customers as a result of the incident."
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/nvidia-data-breach-exposed-credentials-of-over-71-000-employees/" rel="external nofollow">NVIDIA data breach exposed credentials of over 71,000 employees</a>
</p>
]]></description><guid isPermaLink="false">4561</guid><pubDate>Thu, 03 Mar 2022 22:40:28 +0000</pubDate></item><item><title>Intel looks past Microsoft's Pluton, the TPM-like Windows 11 security chip inside Ryzen 6000</title><link>https://nsaneforums.com/news/security-privacy-news/intel-looks-past-microsofts-pluton-the-tpm-like-windows-11-security-chip-inside-ryzen-6000-r4560/</link><description><![CDATA[<p>
	At CES 2022, AMD unveiled its <a href="https://www.neowin.net/news/entire-amd-ryzen-rembrandt-lineup-zen-4-and-socket-am5-info-leaks-ahead-of-ces-reveal/" rel="external nofollow">Ryzen 6000 Rembrandt mobile APUs</a>. One of the key features of Rembrandt is the addition of Microsoft's new Pluton security processor, making Ryzen 6000 <a href="https://www.neowin.net/news/amd-ryzen-6000-rembrandt-will-be-the-first-processors-to-feature-microsoft-pluton/" rel="external nofollow">the first to do so in the market</a>.
</p>

<p>
	<img alt="1641309371_amd_microsoft_pluton_story.jp" class="ipsImage" data-ratio="59.31" height="405" width="720" src="https://cdn.neow.in/news/images/uploaded/2022/01/1641309371_amd_microsoft_pluton_story.jpg">
</p>

<p>
	Pluton was <a href="https://www.neowin.net/news/microsoft-pluton-is-a-new-security-chip-for-windows-pcs/" rel="external nofollow">first introduced by Microsoft back in 2020</a> with AMD, Intel, and Qualcomm as its partners. Hence, after AMD's announcement of Pluton integration, one would naturally expect Intel to make a similar announcement sooner or later.
</p>

<p>
	However, that does not seem to be the case as Intel via a spokesperson apparently informed The Register that Microsoft's Pluton won't be supported by Intel, at least in the 12th Gen Alder Lake family. "Intel's 12th Gen platforms do not support Pluton", the Intel spokesperson told The Register.
</p>

<p>
	Pluton is said to offer <a href="https://www.neowin.net/news/microsoft-pluton-is-a-new-security-chip-for-windows-pcs/" rel="external nofollow">protection even better than a Trusted Platform Module (TPM)</a>, since it sits inside the CPU and can protect against attacks on bus interfaces. Intel, however, is confident in its own TPM implementation, Platform Trust Technology (PTT), though the company could support Pluton on its next <a href="https://www.neowin.net/news/tags/raptor_lake/" rel="external nofollow">13th Gen Raptor Lake CPUs</a>. For now, Intel is also enhancing its Threat Detection Technology (TDT) on 12th Gen vPro CPUs by <a href="https://www.eset.com/int/about/newsroom/press-releases/company/eset-partners-with-intel-to-enhance-endpoint-security-with-hardware-based-ransomware-detection/" rel="external nofollow">working with ESET</a>.
</p>

<p>
	Oddly, Lenovo earlier confirmed it won't be <a href="https://www.neowin.net/news/lenovo-microsoft-pluton-security-chip-won039t-be-enabled-by-default-on-2022-thinkpads/" rel="external nofollow">enabling Pluton on its 2022 ThinkPad models, even on Ryzen 6000,</a> despite these supporting the feature. Thankfully, customers will still be able to enable it themselves.
</p>

<p>
	Source: <a href="https://www.theregister.com/2022/03/02/microsoft_pluton_chip/" rel="external nofollow">The Register</a>
</p>

<p>
	<a href="https://www.neowin.net/news/intel-looks-past-microsoft039s-pluton-the-tpm-like-windows-11-security-chip-inside-ryzen-6000/" rel="external nofollow">Intel looks past Microsoft's Pluton, the TPM-like Windows 11 security chip inside Ryzen 6000</a>
</p>
]]></description><guid isPermaLink="false">4560</guid><pubDate>Thu, 03 Mar 2022 21:19:09 +0000</pubDate></item><item><title>DDoSers are using a potent new method to deliver attacks of unthinkable size</title><link>https://nsaneforums.com/news/security-privacy-news/ddosers-are-using-a-potent-new-method-to-deliver-attacks-of-unthinkable-size-r4532/</link><description><![CDATA[<h3>
	100,000 misconfigured servers are creating a new way to knock sites offline.
</h3>

<div class="article-content post-page" itemprop="articleBody">
	<p>
		Last August, academic researchers discovered a potent new method for knocking sites offline: a fleet of misconfigured servers more than 100,000 strong that can amplify floods of junk data to once-unthinkable sizes. These attacks, in many cases, could result in an infinite routing loop that causes a self-perpetuating flood of traffic. Now, content-delivery network Akamai says attackers are exploiting the servers to target sites in the banking, travel, gaming, media, and web-hosting industries.
	</p>

	<p>
		These servers—known as middleboxes—are deployed by nation-states such as China to censor restricted content and by large organizations to block sites pushing porn, gambling, and pirated downloads. The servers fail to follow <a href="https://en.wikipedia.org/wiki/Transmission_Control_Protocol" rel="external nofollow">transmission control protocol</a> specifications that require a <a href="https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/three-way-handshake-via-tcpip" rel="external nofollow">three-way handshake</a>—comprising a SYN packet sent by the client, a SYN+ACK response from the server, followed by a confirmation ACK packet from the client—before a connection is established.
	</p>

	<p>
		 
	</p>

	<p>
		This handshake is what keeps TCP-based services from being abused as amplifiers: a compliant server sends no application data until it receives the final ACK, and that ACK must come from the real owner of the source address (the gaming company or other target), not from an attacker who merely spoofed the target's IP address. But middleboxes must cope with asymmetric routing, in which they can see the packets a client sends but not the replies from the destination being censored or blocked. Because they can never observe a complete handshake on such paths, many of them drop the requirement by design and react to content alone.
	</p>

	<h2>
		A hidden arsenal
	</h2>

	<p>
		Last August, researchers at the University of Maryland and the University of Colorado at Boulder <a href="https://geneva.cs.umd.edu/posts/usenix21-weaponizing-censors/" rel="external nofollow">published research</a> showing that there were hundreds of thousands of middleboxes that had the potential to deliver some of the most crippling distributed denial of service attacks ever seen.
	</p>

	<p>
		 
	</p>

	<p>
		For decades, people have used DDoSes to flood sites with more traffic or computational requests than the sites can handle, denying services to legitimate users. DDoSes are similar to the old prank of directing more calls to the pizza parlor than the parlor has phone lines to handle.
	</p>

	<p>
		 
	</p>

	<p>
		To maximize the damage and conserve resources, DDoSers often increase the firepower of their attacks through amplification vectors. Amplification works by spoofing the target’s IP address and bouncing a relatively small amount of data off a misconfigured server used for resolving domain names, syncing computer clocks, or speeding up database caching. Because the responses the servers automatically send are dozens, hundreds, or thousands of times bigger than the request, the response overwhelms the spoofed target.
	</p>

	<p>
		 
	</p>

	<p>
		The researchers said that at least 100,000 of the middleboxes they identified exceeded the amplification factors from DNS servers (about 54x) and Network Time Protocol servers (about 556x). The researchers said that they identified hundreds of servers that amplified traffic at a higher multiplier than misconfigured servers using memcached, a database caching system for speeding up websites that can increase traffic volume by an astounding 51,000x.
	</p>

	<p>
		 
	</p>

	<p>
		Here are two illustrations that show how the attacks work:
	</p>

	<figure class="image shortcode-img full full-width" style="width:1080px">
		<p>
			<img alt="middlebox-ddos-amplification.gif" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2022/03/middlebox-ddos-amplification.gif">
		</p>

		<p>
			 
		</p>

		<p>
			<img alt="weaponizing-middleboxes.gif" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2022/03/weaponizing-middleboxes.gif">
		</p>
	</figure>

	<figure class="image shortcode-img full full-width" style="width:1080px">
		<figcaption class="caption">
			<div class="caption-credit">
				Bock et al.
			</div>
		</figcaption>
	</figure>

	<h2>
		Day of reckoning
	</h2>

	<p>
		The researchers said at the time that they had no evidence of middlebox DDoS amplification attacks being used actively in the wild but expected it would only be a matter of time until that happened.
	</p>

	<p>
		 
	</p>

	<p>
		On Tuesday, Akamai researchers <a href="https://www.akamai.com/blog/security/tcp-middlebox-reflection" rel="external nofollow">reported</a> that day has come. Over the past week, the Akamai researchers said, they have detected multiple DDoSes that used middleboxes precisely the way the academic researchers predicted. The attacks peaked at 11Gbps and 1.5 million packets per second.
	</p>

	<p>
		While small when compared to the <a href="https://arstechnica.com/information-technology/2022/01/microsoft-fends-off-record-breaking-3-47-tbps-ddos-attack/" rel="external nofollow">biggest DDoSes</a>, both teams of researchers expect the attacks to get larger as DDoSers begin to optimize their attacks and identify more middleboxes that can be abused (the academic researchers didn’t release that data to prevent it from being abused).
	</p>

	<p>
		 
	</p>

	<p>
		Kevin Bock, the lead researcher behind last August’s <a href="https://geneva.cs.umd.edu/papers/usenix-weaponizing-ddos.pdf" rel="external nofollow">research paper</a>, said DDoSers had plenty of incentives to reproduce the attacks his team theorized.
	</p>

	<p>
		 
	</p>

	<p>
		“Unfortunately, we weren’t surprised,” he told me upon learning of the active attacks. “We expected that it was only a matter of time until these attacks were being carried out in the wild because they are easy and highly effective. Perhaps worst of all, the attacks are new; as a result, many operators do not yet have defenses in place, which makes it that much more enticing to attackers.”
	</p>

	<p>
		 
	</p>

	<p>
		One of the middleboxes received a SYN packet with a 33-byte payload and responded with a 2,156-byte reply.
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="65x-amplifier.png" class="ipsImage" data-ratio="85.94" height="440" width="512" src="https://cdn.arstechnica.net/wp-content/uploads/2022/03/65x-amplifier.png">
	</p>

	<figure class="image shortcode-img center full" style="width:512px">
		<figcaption class="caption">
			<div class="caption-credit">
				Akamai
			</div>
		</figcaption>
	</figure>

	<p>
		That translated to a factor of 65x, but the amplification has the potential to be much greater with more work.
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="amplification-rank-640x318.png" class="ipsImage" data-ratio="49.69" height="318" width="640" src="https://cdn.arstechnica.net/wp-content/uploads/2022/03/amplification-rank-640x318.png">
	</p>

	<p>
		 
	</p>

	<p>
		Akamai researchers wrote:
	</p>

	<p>
		 
	</p>

	<p>
		Volumetric TCP attacks previously required an attacker to have access to a lot of machines and a lot of bandwidth, normally an arena reserved for very beefy machines with high-bandwidth connections and source spoofing capabilities or botnets. This is because until now there wasn’t a significant amplification attack for the TCP protocol; a small amount of amplification was possible, but it was considered almost negligible, or at the very least subpar and ineffectual when compared with the UDP alternatives.
	</p>

	<p>
		 
	</p>

	<p>
		If you wanted to marry a SYN flood with a volumetric attack, you would need to push a 1:1 ratio of bandwidth out to the victim, usually in the form of padded SYN packets. With the arrival of middlebox amplification, this long-held understanding of TCP attacks is no longer true. Now an attacker needs as little as 1/75th (in some cases) the amount of bandwidth from a volumetric standpoint, and because of quirks with some middlebox implementations, attackers get a SYN, ACK, or PSH+ACK flood for free.
	</p>

	<div class="column-wrapper" data-page="2">
		<div class="left-column">
			<section class="article-guts">
				<div class="article-content post-page" itemprop="articleBody">
					<h2>
						Infinite packet storms and complete resource exhaustion
					</h2>

					<p>
						Another middlebox Akamai encountered, for unknown reasons, responded to SYN packets with multiple SYN packets of its own. Servers that follow TCP specifications should never respond this way. The SYN packet responses were loaded with data. Even worse, the middlebox completely disregarded RST packets sent from the victim, which are supposed to terminate a connection.
					</p>

					<p>
						 
					</p>

					<p>
						<img alt="ignore-rst-packet.png" class="ipsImage" data-ratio="10.94" height="56" width="512" src="https://cdn.arstechnica.net/wp-content/uploads/2022/03/ignore-rst-packet.png">
					</p>

					<figure class="image shortcode-img center full" style="width:512px">
						<figcaption class="caption">
							<div class="caption-credit">
								Akamai
							</div>
						</figcaption>
					</figure>

					<p>
						Also concerning is the finding from Bock’s research team that some middleboxes will respond when they receive <em>any</em> additional packet including the RST.
					</p>

					<p>
						 
					</p>

					<p>
						“This creates an infinite packet storm,” the academic researchers wrote in August. “The attacker elicits a single block page to a victim, which causes a RST from the victim, which causes a new block page from the amplifier, which causes a RST from the victim, etc. The victim sustained case is especially dangerous for two reasons. First, the victim’s default behavior sustains the attack on itself. Second, this attack causes the victim to flood its own uplink while flooding the downlink.”
					</p>
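					<p>
						The handshake argument made earlier in the article and the victim-sustained packet storm quoted above can be played out in a small model. The Python below is an added example written for this page, not the academic team's or Akamai's code. It models a spec-compliant TCP server, a censoring middlebox that injects a block page on content alone because it never sees the server side of the path, and a middlebox that re-sends the block page on every further packet of that flow, including the victim's RST. The 2,156-byte reply size is taken from the article; the 40-byte header size, the RFC 5737 addresses, the forbidden hostname and the HTTP trigger payload are assumptions made for the model.
					</p>

```python
"""Toy model of TCP middlebox reflection.

Example code added for this page; it is not the academic researchers'
or Akamai's tooling. It models the three responder behaviours the text
describes: a spec-compliant TCP server that sends no data before the
handshake completes, a censoring middlebox that injects a block page on
any packet naming a forbidden host without any handshake (asymmetric
routing), and a middlebox that re-sends the block page on every further
packet of that flow, including the victim's RST, which is the
"victim-sustained" packet storm.

Assumptions: 40-byte IPv4+TCP headers, the 2,156-byte block page from the
article, RFC 5737 documentation addresses, and a made-up forbidden host.
"""

from dataclasses import dataclass

VICTIM = "203.0.113.10"        # spoofed source address (RFC 5737 range)
AMPLIFIER = "198.51.100.1"     # the middlebox / server being reflected off
HDR = 40                       # assumed IPv4 + TCP header size, no options
BLOCK_PAGE_BYTES = 2156        # reply size reported by Akamai
FORBIDDEN_HOST = b"blocked.example"   # assumed censored hostname
# Attacker's trigger: a SYN that already carries an HTTP request, so a
# middlebox that does not wait for the handshake sees the Host header.
ATTACK_PAYLOAD = b"GET / HTTP/1.1\r\nHost: blocked.example\r\n\r\n"


@dataclass
class Packet:
    src: str
    dst: str
    flags: str          # "SYN", "SYN+ACK", "PSH+ACK", "RST"
    payload: bytes = b""

    @property
    def size(self):
        return HDR + len(self.payload)


class CompliantServer:
    """RFC 793 behaviour: a SYN gets a bare SYN+ACK; application data is
    sent only after the third-party ACK, which a spoofing attacker never
    receives, so the most a spoofed SYN can reflect is one small segment."""

    def on_packet(self, pkt):
        if pkt.flags == "SYN":
            return [Packet(pkt.dst, pkt.src, "SYN+ACK")]
        return []   # no such connection: drop (a real stack may RST)


class Middlebox:
    """Censoring middlebox on an asymmetric path: it sees client packets
    only, so it cannot wait for a handshake and fires on content alone."""

    def __init__(self, retrigger_on_any_packet=False):
        self.retrigger = retrigger_on_any_packet
        self.blocked_flows = set()

    def block_page(self, pkt):
        body = b"<html>blocked</html>".ljust(BLOCK_PAGE_BYTES, b" ")
        return Packet(pkt.dst, pkt.src, "PSH+ACK", body)

    def on_packet(self, pkt):
        flow = (pkt.src, pkt.dst)
        if FORBIDDEN_HOST in pkt.payload:
            self.blocked_flows.add(flow)
            return [self.block_page(pkt)]
        if self.retrigger and flow in self.blocked_flows:
            return [self.block_page(pkt)]   # even a RST re-triggers it
        return []


def victim_reaction(pkt):
    """Default host behaviour: a segment for a connection that does not
    exist is answered with RST, except that a RST is never answered."""
    if pkt.flags == "RST":
        return []
    return [Packet(pkt.dst, pkt.src, "RST")]


def simulate(responder, max_rounds=20):
    """Send one spoofed trigger and follow the exchange until it dies out
    or max_rounds is reached. Returns byte counts seen by each party."""
    probe = Packet(VICTIM, AMPLIFIER, "SYN", ATTACK_PAYLOAD)   # spoofed src
    stats = {"attacker_bytes": probe.size, "victim_rx": 0, "victim_tx": 0,
             "rounds": 0, "sustained": False}
    inbound = responder.on_packet(probe)          # what reaches the victim
    while inbound and stats["rounds"] < max_rounds:
        stats["rounds"] += 1
        stats["victim_rx"] += sum(p.size for p in inbound)
        outbound = [r for p in inbound for r in victim_reaction(p)]
        stats["victim_tx"] += sum(p.size for p in outbound)
        inbound = [r for p in outbound for r in responder.on_packet(p)]
    stats["sustained"] = bool(inbound)            # still going when we stopped
    return stats


def amplification(stats):
    """Bandwidth amplification factor: bytes delivered to the victim per
    byte the attacker put on the wire. (The article's 65x divides the
    2,156-byte reply by the 33-byte SYN payload alone, a larger figure.)"""
    return stats["victim_rx"] / stats["attacker_bytes"]


if __name__ == "__main__":
    for name, box in [("compliant server", CompliantServer()),
                      ("censoring middlebox", Middlebox()),
                      ("victim-sustained middlebox", Middlebox(True))]:
        s = simulate(box)
        print(f"{name:28s} rounds={s['rounds']:2d} sustained={s['sustained']!s:5s} "
              f"victim_rx={s['victim_rx']:6d}B victim_tx={s['victim_tx']:4d}B "
              f"amplification={amplification(s):6.1f}x")
```

					<p>
						Run as a script, the compliant server reflects a single 40-byte SYN+ACK for an 81-byte spoofed SYN, the censoring middlebox reflects a full block page in one round, and the victim-sustained middlebox keeps going until the round limit, with the victim paying for every RST it sends on its own uplink. The model stops at max_rounds only because the loop has no other exit; that is exactly the point the researchers make about the "victim sustained" case.
					</p>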

					<p>
						 
					</p>

					<p>
						Akamai also provided a demonstration showing the damage that occurs when an attacker targets a specific port running a TCP-based service.
					</p>

					<p>
						 
					</p>

					<p>
						<img alt="tcp-service-targeting.png" class="ipsImage" data-ratio="60.55" height="310" width="512" src="https://cdn.arstechnica.net/wp-content/uploads/2022/03/tcp-service-targeting.png">
					</p>

					<figure class="image shortcode-img center full" style="width:512px">
						<figcaption class="caption">
							<div class="caption-credit">
								Akamai
							</div>
						</figcaption>
					</figure>

					<p>
						“These SYN packets directed at a TCP application/service will cause that application to attempt to respond with multiple SYN+ACK packets and hold the TCP sessions open, awaiting the remainder of the three-way handshake,” Akamai explained. “As each TCP session is held in this half-open state, the system will consume sockets that will in turn consume resources, potentially to the point of complete resource exhaustion.”
					</p>

					<p>
						 
					</p>

					<p>
						Unfortunately, there’s nothing typical end-users can do to block the DDoS amplification being exploited. Instead, middlebox operators must reconfigure their machines, which is unlikely in many cases. Barring that, network defenders must change the way they filter and respond to packets. Both Akamai and the academic researchers provide much more detailed instructions.
					</p>
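					<p>
						One way a network defender can change how they filter, as the paragraph above suggests, is to treat inbound TCP segments that carry data or SYN+ACK flags for connections nobody on the inside ever opened as reflected traffic, and to alert when many distinct sources deliver such segments to one host in a short window. The Python below is an added example for this page, not Akamai's or the researchers' tooling; the record layout, the thresholds, the 40-byte header assumption and the sample traffic are all constructed for the example. Counting the RSTs the victim sends back is the tell-tale of the self-sustaining case.
					</p>

```python
"""Detect TCP reflection from middleboxes in packet summaries.

Example code added for this page, not Akamai's or the researchers'
tooling. A defender who tracks which connections were actually opened
from inside can treat payload-bearing SYN, SYN+ACK or PSH+ACK segments
for connections that were never opened as reflected traffic, and raise
an alert when many distinct sources deliver such segments to one host
in a short window. Record layout, thresholds, the 40-byte header
assumption and the sample traffic below are all constructed.
"""

from collections import Counter, defaultdict
import ipaddress

LOCAL_NET = ipaddress.ip_network("203.0.113.0/24")   # assumed protected prefix
HDR = 40                                             # assumed IPv4+TCP header

# Constructed packet summaries:
# (timestamp, src, sport, dst, dport, flags, payload_len)
SAMPLE = [
    # A legitimate connection opened from inside to 198.51.100.7:443.
    (1.00, "203.0.113.10", 50000, "198.51.100.7", 443, "SYN", 0),
    (1.02, "198.51.100.7", 443, "203.0.113.10", 50000, "SYN+ACK", 0),
    (1.03, "203.0.113.10", 50000, "198.51.100.7", 443, "ACK", 0),
    (1.05, "198.51.100.7", 443, "203.0.113.10", 50000, "PSH+ACK", 1400),
    # A single stray segment for an unknown connection: noise, not an attack.
    (1.50, "198.51.100.9", 80, "203.0.113.10", 40001, "PSH+ACK", 512),
]
# Thirty middleboxes each deliver a 2,156-byte block page to 203.0.113.20:80
# that nobody asked for, and the victim answers each with a RST.
for i in range(30):
    src = f"192.0.2.{i + 1}"
    SAMPLE.append((2.0 + i * 0.01, src, 80, "203.0.113.20", 4000 + i, "PSH+ACK", 2156))
    SAMPLE.append((2.0 + i * 0.01 + 0.001, "203.0.113.20", 4000 + i, src, 80, "RST", 0))
# Five more reply with data-bearing SYNs, the behaviour Akamai reported.
for i in range(30, 35):
    SAMPLE.append((2.3 + (i - 30) * 0.01, f"192.0.2.{i + 1}", 80,
                   "203.0.113.20", 4000 + i, "SYN", 2156))


def is_local(ip):
    return ipaddress.ip_address(ip) in LOCAL_NET


def detect_reflection(packets, window=1.0, min_sources=10, min_bytes=50_000):
    """Return one finding per (victim, time window) that receives at least
    min_sources distinct unsolicited senders and min_bytes of their data."""
    opened = set()                     # 4-tuples of connections opened from inside
    unsolicited = defaultdict(list)    # victim -> [(ts, src, flags, bytes)]
    rst_out = Counter()                # victim -> RSTs it sent back (self-sustaining sign)
    for ts, src, sport, dst, dport, flags, plen in sorted(packets):
        if is_local(src):
            if flags == "SYN":
                opened.add((src, sport, dst, dport))
            elif flags == "RST":
                rst_out[src] += 1
            continue
        if (dst, dport, src, sport) in opened:
            continue                    # reply to a connection we really opened
        data_bearing_syn = flags == "SYN" and plen > 0
        if flags in ("SYN+ACK", "PSH+ACK") or data_bearing_syn:
            unsolicited[dst].append((ts, src, flags, HDR + plen))
    findings = []
    for victim, events in unsolicited.items():
        buckets = defaultdict(list)
        for ts, src, flags, nbytes in events:
            buckets[int(ts // window)].append((src, flags, nbytes))
        for bucket, evs in sorted(buckets.items()):
            sources = {s for s, _, _ in evs}
            total = sum(b for _, _, b in evs)
            if len(sources) >= min_sources and total >= min_bytes:
                findings.append({
                    "victim": victim,
                    "window_start": bucket * window,
                    "sources": len(sources),
                    "bytes": total,
                    "flags": dict(Counter(f for _, f, _ in evs)),
                    "rst_replies": rst_out[victim],
                })
    return findings


if __name__ == "__main__":
    for f in detect_reflection(SAMPLE):
        print(f"reflection toward {f['victim']} from {f['sources']} sources: "
              f"{f['bytes']} bytes {f['flags']}, victim sent {f['rst_replies']} RSTs")
```

					<p>
						The legitimate connection and the single stray segment produce no finding; the 35 unsolicited senders to 203.0.113.20 do, and the 30 RSTs the victim sent back show its own stack is feeding the loop. In production the same state would come from a flow collector or a stateful firewall's connection table rather than a list of tuples, and the thresholds would be tuned to the host's normal inbound profile.
					</p>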
				</div>
			</section>
		</div>
	</div>

	<p>
		 
	</p>

	<p>
		 
	</p>
</div>

<p>
	<a href="https://arstechnica.com/information-technology/2022/03/unending-data-floods-and-complete-resource-exhaustion-ddoses-get-meaner/" rel="external nofollow">DDoSers are using a potent new method to deliver attacks of unthinkable size</a>
</p>
]]></description><guid isPermaLink="false">4532</guid><pubDate>Wed, 02 Mar 2022 06:13:53 +0000</pubDate></item><item><title>Microsoft Strengthens Windows 11 Security Through Pluton Technology</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-strengthens-windows-11-security-through-pluton-technology-r4525/</link><description><![CDATA[<figure aria-describedby="caption-attachment-399409" id="attachment_399409">
	<img alt="mp2.jpg" class="ipsImage" data-ratio="75.10" height="432" width="720" src="https://mspoweruser.com/wp-content/uploads/2022/03/mp2.jpg">
	<p>
		 
	</p>

	<figcaption id="caption-attachment-399409">
		Lenovo ThinkPad X13s features the Qualcomm Snapdragon 8cx Gen 3 to protect users against attackers.
	</figcaption>
</figure>

<p>
	Cybercriminals keep devising new tactics to penetrate security defenses, making the battle for security increasingly complex. To answer this, Microsoft partnered with Qualcomm, and with the combined effort of the two companies Microsoft is confident that its latest Windows 11 OS is well armed to defend itself against attackers.
</p>

<p>
	 
</p>

<p>
	The latest product of the said partnership is the <a href="https://www.qualcomm.com/products/mobile-computing/commercial/built-for-it" rel="external nofollow">Qualcomm Snapdragon 8cx Gen 3</a> included in the <a href="https://mspoweruser.com/lenovo-unveils-the-thinkpad-x13s-at-mwc-2022/" rel="external nofollow">ThinkPad X13s of Lenovo</a>. According to Microsoft, it is the “first ARM platform for Windows that is built on the <a href="https://mspoweruser.com/microsoft-pluton-processor-revealed-a-new-security-chip-for-windows-pcs/" rel="external nofollow">Microsoft Pluton</a> security architecture.” Pluton keeps sensitive data such as keys and credentials in a security processor integrated into the die of the device’s CPU, so an attacker cannot easily extract it even with physical possession of the device.
</p>

<p>
	 
</p>

<p>
	“Windows 11 PCs built on top of Qualcomm’s latest Snapdragon 8cx Gen 3 Compute Platform, with Qualcomm Secure Processing Unit, will leverage advanced hardware capabilities from Microsoft Pluton and Pointer Authentication Codes (PAC),” David Weston, Director of Enterprise and OS Security, wrote in a Windows Blog post. “Pluton will leverage advanced hardware capabilities while built-in security countermeasures from PAC protect against common exploit patterns to help customers strengthen their device security posture.”
</p>

<p>
	 
</p>

<p>
	According to Weston, Pluton can deliver numerous benefits to users through Windows 11 PCs with the Qualcomm Snapdragon 8cx Gen 3 Compute Platform. It includes the security updates delivered from the cloud to Pluton, physical attack resistance, and top-notch security built on approaches and technologies used in Xbox and Azure Sphere.
</p>

<p>
	 
</p>


<p>
	 
</p>

<p>
	<a href="https://mspoweruser.com/microsoft-strengthens-windows-11-security-through-pluton-technology/" rel="external nofollow">Microsoft Strengthens Windows 11 Security Through Pluton Technology</a>
</p>
]]></description><guid isPermaLink="false">4525</guid><pubDate>Tue, 01 Mar 2022 20:39:09 +0000</pubDate></item><item><title>Windows Defender for home users fails to win any of AV-TEST's best anti-virus 2021 awards</title><link>https://nsaneforums.com/news/security-privacy-news/windows-defender-for-home-users-fails-to-win-any-of-av-tests-best-anti-virus-2021-awards-r4524/</link><description><![CDATA[<p>
	In its rankings for 2021, anti-virus assessment firm AV-Comparatives wasn't <a href="https://www.neowin.net/news/unlike-av-test-av-comparatives-wasn039t-as-impressed-by-microsoft-defender-in-2021/" rel="external nofollow">super-impressed by Windows Defender, at least when compared to some of its rival products</a>. However, AV-TEST had a somewhat different opinion as its report showed Microsoft Defender doing exceptionally well in the second half of the year reports, scoring full marks in both the <a href="https://www.neowin.net/news/av-test-confirms-windows-defender-is-amongst-the-very-finest-antiviruses-you-get-in-2021/" rel="external nofollow">October 2021 test</a> and the <a href="https://www.neowin.net/news/microsoft-defender-beats-out-several-heavyweight-rivals-in-the-latest-av-test-ranking/" rel="external nofollow">December 2021 assessment</a>.
</p>

<p>
	 
</p>

<p>
	But, despite the great showing, Microsoft and fans of the Defender antivirus solution may be somewhat disappointed as the consumer version of the product failed to win any of the awards that AV-TEST conferred to the products it felt were the best anti-virus solutions of 2021.
</p>

<p>
	 
</p>

<p>
	For Windows, three awards were given for three different categories:
</p>

<p>
	 
</p>

<ul>
	<li>
		Best Protection
	</li>
	<li>
		Best Performance
	</li>
	<li>
		Best Usability
	</li>
</ul>

<p>
	 
</p>

<p>
	As stated above, Defender failed to secure any of the categories for its consumer product. In case you are wondering who the winners are, they are listed below under the categories they won in.
</p>

<ul>
	<li>
		<h3>
			Best Protection
		</h3>

		<ul>
			<li>
				Bitdefender
			</li>
			<li>
				Kaspersky
			</li>
			<li>
				Norton 360
			</li>
		</ul>
	</li>
	<li>
		<h3>
			Best Performance
		</h3>

		<ul>
			<li>
				ESET
			</li>
			<li>
				G DATA
			</li>
			<li>
				Kaspersky
			</li>
			<li>
				Norton 360
			</li>
			<li>
				PC Matic
			</li>
			<li>
				Protected.net Total AV
			</li>
		</ul>
	</li>
	<li>
		<h3>
			Best Usability
		</h3>

		<ul>
			<li>
				Avira
			</li>
			<li>
				ESET
			</li>
		</ul>
	</li>
</ul>

<p>
	 
</p>

<p>
	Not all is bad for Microsoft though as Defender managed to snag a win in the Best Protection for Corporate users category. You can view the <a href="https://www.av-test.org/en/news/av-test-award-2021-the-best-in-it-security/" rel="external nofollow">full report here</a>.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/windows-defender-for-home-users-fails-to-win-any-of-av-test039s-best-anti-virus-2021-awards/" rel="external nofollow">Windows Defender for home users fails to win any of AV-TEST's best anti-virus 2021 awards</a>
</p>
]]></description><guid isPermaLink="false">4524</guid><pubDate>Tue, 01 Mar 2022 20:37:18 +0000</pubDate></item><item><title>NVIDIA confirms data was stolen in recent cyberattack</title><link>https://nsaneforums.com/news/security-privacy-news/nvidia-confirms-data-was-stolen-in-recent-cyberattack-r4523/</link><description><![CDATA[<p>
	Chipmaker giant Nvidia confirms that its network was breached in a cyberattack last week, giving intruders access to proprietary information and employee login data.
</p>

<p>
	 
</p>

<p>
	News of the attack came to light late last week and the actor claiming it, a data extortion group named Lapsus$, started to share details about the incident and the damage they produced.
</p>

<p>
	 
</p>

<p>
	In an initial statement last week, Nvidia said it was <a href="https://www.bleepingcomputer.com/news/security/gpu-giant-nvidia-is-investigating-a-potential-cyberattack/" rel="external nofollow">investigating an incident</a> that reportedly impacted some systems, causing an outage.
</p>

<p>
	 
</p>

<p>
	Over the weekend, <a href="https://www.bleepingcomputer.com/news/security/hackers-to-nvidia-remove-mining-cap-or-we-leak-hardware-data/" rel="external nofollow">Lapsus$ provided more details about the intrusion</a>, saying that they had 1TB of Nvidia proprietary data and sharing password hashes they said belonged to company employees.
</p>

<p>
	 
</p>

<p>
	Lapsus$ also leaked a large document archive (close to 20GB) claiming it was from the 1TB cache they stole from Nvidia.
</p>

<p>
	 
</p>

<p>
	<img alt="nvidia-telegram.jpg" class="ipsImage" data-ratio="75.10" height="431" width="720" src="https://www.bleepstatic.com/images/news/security/e/extortion/nvidia/lapsus/nvidia-telegram.jpg">
</p>

<h3>
	Nvidia confirms data breach
</h3>

<p>
	In a statement for BleepingComputer today, Nvidia confirmed that on February 23rd it detected “a cybersecurity incident which impacted IT resources.”
</p>

<p>
	 
</p>

<p>
	NVIDIA said that there was no evidence of a ransomware attack but the threat actor stole employee credentials and proprietary information, giving weight to Lapsus$’s claims.
</p>

<p>
	 
</p>

<p>
	The company said that its team is currently sifting through the information to analyze it and notes that the incident is not expected to disrupt its business or the ability to serve customers.
</p>

<p>
	 
</p>

<p>
	The complete statement can be read below:
</p>

<p>
	 
</p>

<div>
	<p style="margin-left: 40px;">
		On February 23, 2022, NVIDIA became aware of a cybersecurity incident which impacted IT resources. Shortly after discovering the incident, we further hardened our network, engaged cybersecurity incident response experts, and notified law enforcement.
	</p>

	<p style="margin-left: 40px;">
		 
	</p>

	<p style="margin-left: 40px;">
		We have no evidence of ransomware being deployed on the NVIDIA environment or that this is related to the Russia-Ukraine conflict. However, we are aware that the threat actor took employee credentials and some NVIDIA proprietary information from our systems and has begun leaking it online. Our team is working to analyze that information. We do not anticipate any disruption to our business or our ability to serve our customers as a result of the incident.
	</p>

	<p style="margin-left: 40px;">
		 
	</p>

	<p style="margin-left: 40px;">
		Security is a continuous process that we take very seriously at NVIDIA – and we invest in the protection and quality of our code and products daily.
	</p>

	<p>
		 
	</p>
</div>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/nvidia-confirms-data-was-stolen-in-recent-cyberattack/" rel="external nofollow">NVIDIA confirms data was stolen in recent cyberattack</a>
</p>
]]></description><guid isPermaLink="false">4523</guid><pubDate>Tue, 01 Mar 2022 20:34:27 +0000</pubDate></item><item><title>&#x2018;Sophisticated&#x2019; new Chinese hacking tool found, spurring US warning to allies</title><link>https://nsaneforums.com/news/security-privacy-news/%E2%80%98sophisticated%E2%80%99-new-chinese-hacking-tool-found-spurring-us-warning-to-allies-r4518/</link><description><![CDATA[<ul>
	<li>
		<span style="font-size:18px;">Cybersecurity firm Symantec says the malware, which it calls Daxin, has been used to target high level, non-Western government agencies in Asia and Africa</span>
	</li>
</ul>

<p>
	<span style="font-size:18px;"> </span>
</p>

<ul>
	<li>
		<span style="font-size:18px;">Researchers say the discovery is noteworthy because of the scale of the intrusions and the advanced nature of the tool</span>
	</li>
</ul>

<p>
	 
</p>

<p>
	Security researchers with US cybersecurity firm Symantec said they have discovered a “highly sophisticated” Chinese hacking tool that has been able to escape public attention for more than a decade.
</p>

<p>
	<br />
	The discovery was shared with the US government in recent months, which has shared the information with foreign partners, said a US official. Symantec, a division of chip maker Broadcom, published its research about the tool, which it calls Daxin, on Monday.
</p>

<p>
	 
</p>

<p>
	“It’s something we haven’t seen before,” said Clayton Romans, associate director with the US Cybersecurity and Infrastructure Security Agency (CISA). “This is the exact type of information we’re hoping to receive.”
</p>

<p>
	<br />
	CISA highlighted Symantec’s membership in a joint public-private cybersecurity information sharing partnership, known as the JCDC, alongside the new research paper.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedOther">
	<iframe allowfullscreen="" data-controller="core.front.core.autosizeiframe" data-embedid="embed4653878529" scrolling="no" src="https://nsaneforums.com/index.php?app=core&amp;module=system&amp;controller=embed&amp;url=https://twitter.com/campuscodi/status/1498304393946533895?ref_src=twsrc%255Etfw%257Ctwcamp%255Etweetembed%257Ctwterm%255E1498304393946533895%257Ctwgr%255E%257Ctwcon%255Es1_%26ref_url=https://www.scmp.com/news/world/united-states-canada/article/3168740/sophisticated-new-chinese-hacking-tool-found" style="height:803px;"></iframe>
</div>

<p>
	 
</p>

<p>
	The JCDC, or Joint Cyber Defence Collaborative, is a collective of government defence agencies, including the FBI and National Security Agency, and 22 US technology companies that share intelligence about active cyberattacks with one another.
</p>

<p>
	 
</p>

<p>
	The Chinese embassy in Washington did not respond to a request for comment. Chinese officials have previously said China is also a victim of hacking and opposes all forms of cyberattacks.
</p>

<p>
	<br />
	“The capabilities of this malware are remarkable and would be extremely difficult to detect without this public research,” said Neil Jenkins, chief analytics officer at the Cyber Threat Alliance, a non-profit group that brings together cybersecurity experts to share data.
</p>

<p>
	<br />
	Symantec’s attribution to China is based on instances where components of Daxin were combined with other known, Chinese-linked computer hacker infrastructure or cyberattacks, said Vikram Thakur, a technical director with Symantec.
</p>

<p>
	 
</p>

<p>
	Symantec researchers said the discovery of Daxin was noteworthy because of the scale of the intrusions and the advanced nature of the tool.
</p>

<p>
	 
</p>

<p>
	“The most recent known attacks involving Daxin occurred in November 2021,” the research report reads.
</p>

<p>
	<br />
	“Daxin’s capabilities suggest the attackers invested significant effort into developing communication techniques that can blend in unseen with normal network traffic.”
</p>

<p>
	<br />
	Daxin’s victims included high level, non-Western government agencies in Asia and Africa, including Ministries of Justice, Thakur added.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedVideo">
	<div>
		<iframe allowfullscreen="" frameborder="0" height="113" width="200" data-embed-src="https://www.youtube.com/embed/mrzI5hC-qWs?feature=oembed"></iframe>
	</div>
</div>

<p>
	 
</p>

<p>
	“Daxin can be controlled from anywhere in the world once a computer is actually infected,” said Thakur. “That’s what raises the bar from malware that we see coming out of groups operating from China.”
</p>

<p>
	<br />
	Romans said he did not know of affected organisations in the United States, but there were infections all around the globe, which the US government was helping to notify.
</p>

<p>
	<br />
	“Clearly the actors have been successful in not only conducting campaigns but being able to keep their creation under wraps for well over a decade,” Thakur said.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:18px;"><strong><a href="https://www.scmp.com/news/world/united-states-canada/article/3168740/sophisticated-new-chinese-hacking-tool-found" rel="external nofollow">Source</a></strong></span>
</p>

<p>
	 
</p>

<p>
	<em>Also: "<a href="https://thehackernews.com/2022/03/china-linked-daxin-malware-targeted.html" rel="external nofollow">China-linked Daxin Malware Targeted Multiple Governments in Espionage Attacks</a>."</em>
</p>
]]></description><guid isPermaLink="false">4518</guid><pubDate>Tue, 01 Mar 2022 14:44:42 +0000</pubDate></item><item><title>Hackers to NVIDIA: Remove mining cap or we leak hardware data</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-to-nvidia-remove-mining-cap-or-we-leak-hardware-data-r4508/</link><description><![CDATA[<p>
	The Lapsus$ data extortion group has released what they claim to be data stolen from GPU designer Nvidia. The cache is an archive that is almost 20GB large.
</p>

<p>
	 
</p>

<p>
	While the U.S. chipmaker giant has yet to confirm a breach on its network, the threat actor has been active with messages about the alleged hack since February 24.
</p>

<h3>
	Nvidia silent to extortionist's claims and leak
</h3>

<p>
	Replying to a request for comments from BleepingComputer on Friday about an incident that reportedly took down some of its systems for two days, <a href="https://www.bleepingcomputer.com/news/security/gpu-giant-nvidia-is-investigating-a-potential-cyberattack/" rel="external nofollow" target="_blank">Nvidia said</a> that it was investigating what looked like a cyberattack.
</p>

<p>
	 
</p>

<p>
	In a reply to BleepingComputer, a company spokesperson said that Nvidia will issue an updated statement on Sunday but it never came. Several subsequent requests from us remained unanswered.
</p>

<p>
	 
</p>

<p>
	Reporting on the outage and what caused it, <a href="https://www.telegraph.co.uk/business/2022/02/25/us-microchip-powerhouse-nvidia-hit-cyber-attack/" rel="external nofollow" target="_blank">The Telegraph</a> cited an insider saying that the intrusion “completely compromised” the company’s internal systems.
</p>

<p>
	 
</p>

<p>
	Lapsus$ said that they stole 1TB of data from Nvidia and that they were prepared to publish it unless the company paid a ransom demand.
</p>

<p>
	 
</p>

<p>
	The first round of messages from Lapsus$ included a leak of what the actor said were hashed passwords of all Nvidia employees and a claim that the company hacked back to encrypt their virtual machine with the data.
</p>

<p>
	 
</p>

<p>
	<img alt="Lapsus-NvidiaBreach01.jpg" class="ipsImage" data-ratio="47.64" height="246" width="720" src="https://www.bleepstatic.com/images/news/u/1100723/2022/Lapsus-NvidiaBreach01.jpg">
</p>

<p>
	 
</p>

<p>
	In an odd move, the extortion group removed all messages related to Nvidia and resumed the stream of communication today with a note reiterating that they “hacked Nvidia.”
</p>

<p>
	 
</p>

<p>
	In multiple messages today, Lapsus$ provided more details about their incursion. “We were into nvidia systems for about a week, we fastly escalated to admin of a lot of systems,” the actor said.
</p>

<p>
	 
</p>

<p>
	<img alt="Lapsus-NvidiaLHR02.jpg" class="ipsImage" data-ratio="118.16" height="540" width="430" src="https://www.bleepstatic.com/images/news/u/1100723/2022/Lapsus-NvidiaLHR02.jpg">
</p>

<p>
	 
</p>

<p>
	They said they stole important files during the breach that include “stuff, schematics, driver, firmware,” and that they are willing to sell some of it:
</p>

<p>
	 
</p>

<div>
	<p style="margin-left: 40px;">
		“We are still waiting for nvidia to contact us. We are also selling a full LHR V2 (GA102-GA104) -&gt; we hope it will soon be removed by nvidia” - Lapsus$
	</p>

	<p>
		 
	</p>
</div>

<p>
	LHR is Nvidia’s Lite Hash Rate technology, which deliberately limits the cryptocurrency-mining performance of its GeForce graphics cards. The Lapsus$ extortion group hopes that Nvidia will remove this limitation.
</p>

<p>
	 
</p>

<p>
	For this reason, they’re asking the GPU maker to remove the LHR limitations in the GeForce RTX 30 Series firmware, threatening to leak the folder with the hardware specifications.
</p>

<p>
	 
</p>

<p>
	<img alt="Lapsus-NvidiaLHR03.jpg" class="ipsImage" data-ratio="48.16" height="222" width="461" src="https://www.bleepstatic.com/images/news/u/1100723/2022/Lapsus-NvidiaLHR03.jpg">
</p>

<p>
	 
</p>

<p>
	The actor also claims to have documentation, company private tools, SDKs, “and everything about falcon” - Nvidia’s proprietary control processor.
</p>

<p>
	 
</p>

<p>
	The next message was a link to “part one of Nvidia data,” hosted on Amazon infrastructure, containing “source code and highly confidential/secret data from various parts of NVIDIA gpu driver. Falcon, LHR, and such.”
</p>

<p>
	 
</p>

<p>
	According to the threat actor, Nvidia filed an abuse report to stop the sharing. However, Lapsus$ switched to leaking the info over torrent and said that they would not re-upload the file.
</p>

<p>
	 
</p>

<p>
	The size of today’s data leak that Lapsus$ claims to have stolen from Nvidia is around 20GB and consists of an archive named “integdev_gpu_drv.rar.”
</p>

<p>
	 
</p>

<p>
	The actor says that the archive includes important source code and that they have enough information for a good developer to be able to create a bypass for Nvidia's LHR.
</p>

<p>
	 
</p>

<p>
	They also added that they're selling an LHR bypass that would disable the technology “without flashing anything.” This would enable a cryptocurrency mining operation to make the most of Nvidia graphics cards.
</p>

<p>
	 
</p>

<p>
	For now, Nvidia is keeping quiet about Lapsus$ claims and the data they shared. It is unclear how damaging this leak is to Nvidia or what secrets it may contain but there is a good chance for sensitive data to be present in a document archive of about 20GB.
</p>

<p>
	 
</p>

<p>
	Shortly before publishing this article, Nvidia responded with the following statement to BleepingComputer's request:
</p>

<p>
	 
</p>

<div>
	<p style="margin-left: 40px;">
		“We are investigating an incident. Our business and commercial activities continue uninterrupted. We are still working to evaluate the nature and scope of the event and don't have any additional information to share at this time."
	</p>

	<p>
		 
	</p>
</div>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/hackers-to-nvidia-remove-mining-cap-or-we-leak-hardware-data/" rel="external nofollow">Hackers to NVIDIA: Remove mining cap or we leak hardware data</a>
</p>
]]></description><guid isPermaLink="false">4508</guid><pubDate>Mon, 28 Feb 2022 21:28:40 +0000</pubDate></item><item><title>Toyota halts production after reported cyberattack on supplier</title><link>https://nsaneforums.com/news/security-privacy-news/toyota-halts-production-after-reported-cyberattack-on-supplier-r4507/</link><description><![CDATA[<p>
	Giant Japanese automaker Toyota Motors has announced that it stopped car production operations. The outage was forced by a system failure at one of its suppliers of vital parts, Kojima Industries, which reportedly suffered a cyberattack.
</p>

<p>
	 
</p>

<p>
	Kojima Industries is a Japanese manufacturer of plastic components that are crucial for car production, so this is a case of severe supply chain interruption.
</p>

<p>
	 
</p>

<p>
	Toyota <a href="https://global.toyota/en/newsroom/corporate/36961051.html" rel="external nofollow" target="_blank">said today</a> that the incident caused it to decide to suspend the operation of 28 production lines in 14 plants in Japan, starting tomorrow, Tuesday, March 1, 2022.
</p>

<p>
	 
</p>

<p>
	The expected impact is a 5% drop in Toyota's monthly production in Japan, which translates to roughly 13,000 units.
</p>

<p>
	 
</p>

<p>
	Toyota’s subsidiaries Daihatsu Motors and Hino Motors will also halt production but the exact impact on them hasn’t been clarified.
</p>

<p>
	 
</p>

<p>
	Although Kojima has not published any official information about the attack, the company's website is currently offline and many Japanese news outlets are claiming that the disruption is a direct result of a cyberattack.
</p>

<p>
	 
</p>

<p>
	An official with knowledge about the incident at Kojima Industries <a href="https://www.tokyo-np.co.jp/amp/article/162836" rel="external nofollow" target="_blank">told local media</a> that the company "appears to have been hit by the cyberattack" and that the top priority is to resume Toyota's production.
</p>

<p>
	 
</p>

<p>
	Japanese reporters have asked Prime Minister Fumio Kishida if this could be linked to <a href="https://www.state.gov/japans-financial-sanctions-against-russia/" rel="external nofollow" target="_blank">Japan’s sanctions on Moscow</a>. Kishida <a href="http://uk.news.yahoo.com/toyota-halts-japan-plants-reported-105523941.html" rel="external nofollow" target="_blank">said</a> at the time that there was no confirmation of a Russian connection.
</p>

<p>
	 
</p>

<p>
	The COVID-19 pandemic has caused various supply chain problems for all car makers, especially those who rely on large production volumes for profit, most notably due to shortages in semiconductors.
</p>

<p>
	 
</p>

<p>
	This situation introduced unprecedented challenges for Toyota in particular, due to its long-established “<a href="https://global.toyota/en/company/vision-and-philosophy/production-system/" rel="external nofollow" target="_blank">just in time</a>” (JIT) lean manufacturing approach, which historically provided maximum efficiency but didn’t offer any margin for disruption.
</p>

<p>
	 
</p>

<p>
	Whatever caused the Kojima supply disruption, Toyota’s once advantageous JIT system proves to be a weakness in today’s production landscape, which is connected to a volatile cyberspace.
</p>

<p>
	 
</p>

<p>
	H/T <a href="https://twitter.com/douglasmun" rel="external nofollow" target="_blank">Douglas Mun</a>
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/toyota-halts-production-after-reported-cyberattack-on-supplier/" rel="external nofollow">Toyota halts production after reported cyberattack on supplier</a>
</p>
]]></description><guid isPermaLink="false">4507</guid><pubDate>Mon, 28 Feb 2022 21:24:45 +0000</pubDate></item><item><title>2022 may be the year cybercrime returns its focus to consumers</title><link>https://nsaneforums.com/news/security-privacy-news/2022-may-be-the-year-cybercrime-returns-its-focus-to-consumers-r4497/</link><description><![CDATA[<p>
	Threat analysts expect 2022 to be the tipping point for a shift in the focus of hackers from large companies back to consumers.
</p>

<p>
	 
</p>

<p>
	This prediction is the result of several factors that make consumers a lot more lucrative to threat actors today than in previous years.
</p>

<p>
	 
</p>

<p>
	ReasonLabs has compiled a detailed report on the status of consumer-level cybersecurity and what trends are most likely to emerge this year.
</p>

<h2>
	Path of least resistance
</h2>

<p>
	Cybercriminals like to follow the shortest and most accessible pathway to achieving their goals, and when it comes to targeting corporate networks, the best chances lie in targeting remote workers.
</p>

<p>
	 
</p>

<p>
	The pandemic may slowly be fading, but remote work and the security risks that arise from this new work environment are here to stay. At the same time, organizations are spending significant amounts of money on bolstering their on-premise systems.
</p>

<p>
	 
</p>

<p>
	As such, for hackers looking to gain access to company networks, the easier way is to target remote employees through phishing or social engineering, take over their accounts, and use them to log in to the network.
</p>

<h2>
	Crypto-boom
</h2>

<p>
	2021 was the year of the crypto-miner, primarily due to the rising value of Bitcoin, Ether, and other cryptocurrencies that followed the same trend, further augmented by the rise of NFTs.
</p>

<p>
	 
</p>

<p>
	People in fear of missing out invested heavily in virtual assets, and many of these new investors don't know how to protect them adequately.
</p>

<p>
	 
</p>

<p>
	This crypto rush has created <a href="https://www.bleepingcomputer.com/news/security/have-i-been-pwned-adds-441k-accounts-stolen-by-redline-malware/" target="_blank" rel="external nofollow">a steep rise</a> in <a href="https://www.bleepingcomputer.com/news/security/new-bhunt-malware-targets-your-crypto-wallets-and-passwords/" target="_blank" rel="external nofollow">info-stealer infections</a>, which according to ReasonLabs, is bound to continue following the same trajectory in 2022.
</p>

<p>
	 
</p>

<p>
	The rise of Meta, which is expected to create a new boom around digital asset payments from consumers, will fuel that fire even more.
</p>

<p>
	 
</p>

<p>
	<img alt="table(6).jpg" class="ipsImage" data-ratio="73.06" height="469" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Tables/table(6).jpg">
</p>

<div>
	<figure>
		<figcaption>
			Top 2021 detections by type (ReasonLabs)
		</figcaption>
	</figure>
</div>

<h2>
	Shutting the door on macros
</h2>

<p>
	Microsoft's move to <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-excel-40-macros-by-default-to-block-malware/" target="_blank" rel="external nofollow">disable Excel 4.0 macros by default</a> shuts the door on malicious documents that use macros to download malware onto the user's device. This tactic was predominantly used against corporate users.
</p>

<p>
	 
</p>

<p>
	Adversaries are now forced to lure victims to malicious websites instead, set up SEO poisoning attacks, create malware masquerading as game cracks, or even use social media, YouTube, and IM channels to promote these files directly.
</p>

<p>
	 
</p>

<p>
	"Throughout 2021, we have seen countless threats that came specifically from supposed games, including miners, RATs, and infostealers, all delivered in a bundle with the (cracked) game," comments the <a href="https://reasonlabs.com/reports/reasonlabs-report.pdf" rel="external nofollow" target="_blank">ReasonLabs report</a>.
</p>

<p>
	 
</p>

<p>
	All these somewhat random malware distribution methods flourished in 2021, and the same trend will most likely continue in 2022.
</p>

<h2>
	Adware
</h2>

<p>
	Adware remains a steady source of income for cybercriminals and one that relies on infecting and exploiting large numbers of systems, mostly consumer computers and <a href="https://www.bleepingcomputer.com/news/security/85-adware-apps-in-google-play-installed-9-million-times/" target="_blank" rel="external nofollow">smartphones</a>.
</p>

<p>
	 
</p>

<p>
	ReasonLabs estimates the number of ad-injectors and clickers to rise in 2022, as they are easy to spread and hard to detect, map, and stop, which usually happens only when they reach <a href="https://www.bleepingcomputer.com/news/security/chinese-company-behind-adware-that-infected-over-250-million-computers/" target="_blank" rel="external nofollow">jaw-dropping</a> operational sizes.
</p>

<p>
	 
</p>

<p>
	While many consider adware to be more of a nuisance rather than malware, many adware bundles install <a href="https://www.bleepingcomputer.com/news/security/adware-installs-infostealer-trojan-that-it-loads-via-chrome-dll-hijacking/" target="_blank" rel="external nofollow">information-stealing trojans</a>, ransomware, and even <a href="https://www.bleepingcomputer.com/news/security/rootkit-based-adware-wreaks-havoc-among-windows-10-users-in-the-us/" target="_blank" rel="external nofollow">rootkits</a>.
</p>

<h2>
	The ransomware space
</h2>

<p>
	When it comes to ransomware, the case is especially telling, because this is the category of threat actors that moved to larger targets in previous years, entirely snubbing consumers.
</p>

<p>
	 
</p>

<p>
	The busts of 2021 have brought turbulence in RaaS operations, and while most big players continued unabated, we have seen <a href="https://www.bleepingcomputer.com/news/security/law-enforcement-action-push-ransomware-gangs-to-surgical-attacks/" target="_blank" rel="external nofollow">notable adjustments</a> in their targeting scope.
</p>

<p>
	 
</p>

<p>
	Targeting governmental or critical infrastructure entities has consequences, and ransomware actors have <a href="https://www.bleepingcomputer.com/news/security/ransomware-gang-coughs-up-decryptor-after-realizing-they-hit-the-police/" target="_blank" rel="external nofollow">realized that</a>.
</p>

<p>
	 
</p>

<p>
	The trend we see now is targeting consumers who hold something valuable, and asking for small ransom payments from a larger number of victims.
</p>

<p>
	 
</p>

<p>
	As ReasonLabs comments in the report: "(Ransomware actors) will shift their focus to unprotected consumers, with the number of attacks drastically increasing to cover the pay gap."
</p>

<p>
	 
</p>

<p>
	The <a href="https://www.bleepingcomputer.com/news/security/wd-my-book-nas-devices-are-being-remotely-wiped-clean-worldwide/" target="_blank" rel="external nofollow">recent ransomware attacks</a> against <a href="https://www.bleepingcomputer.com/news/security/qnap-warns-of-ransomware-targeting-internet-exposed-nas-devices/" target="_blank" rel="external nofollow">NAS devices</a> are an excellent example of that. They weren't carried out by low-skilled opportunists but by hackers who could discover and <a href="https://www.bleepingcomputer.com/news/security/deadbolt-ransomware-now-targets-asustor-devices-asks-50-btc-for-master-key/" target="_blank" rel="external nofollow">leverage zero-days</a>.
</p>

<p>
	 
</p>

<p>
	BleepingComputer has also seen ransomware operations that more commonly target the enterprise now also targeting consumers and SMBs with ransom demands under $1,000.
</p>

<p>
	 
</p>

<p>
	With the enterprise more actively defending against network intrusions and ransomware attacks, we may see ransomware operations going back to spray-and-pray attacks hoping to encrypt anyone, including consumers.
</p>

<p>
	 
</p>

<p>
	Therefore, consumers must begin practicing strong security habits, which include:
</p>

<p>
	 
</p>

<ul>
	<li>
		Use strong and unique passwords on every site.
	</li>
	<li>
		Install security software or use Microsoft Defender, which is built into Windows.
	</li>
	<li>
		Do not open email attachments from unknown users.
	</li>
	<li>
		Do not expose internal services to the Internet, such as Remote Desktop and NAS devices.
	</li>
	<li>
		Install software and operating system updates as they become available.
	</li>
	<li>
		Do not download pirated software cracks or key generators, as they commonly lead to ransomware and information-stealing trojans.
	</li>
</ul>

<p>
	 
</p>

<p>
	Following these simple security habits will significantly decrease the risk of malware infections to consumers and should be practiced by everyone on all of their devices.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/2022-may-be-the-year-cybercrime-returns-its-focus-to-consumers/" rel="external nofollow">2022 may be the year cybercrime returns its focus to consumers</a>
</p>
]]></description><guid isPermaLink="false">4497</guid><pubDate>Sun, 27 Feb 2022 23:11:59 +0000</pubDate></item><item><title>This Linux backdoor went undetected for 10 years</title><link>https://nsaneforums.com/news/security-privacy-news/this-linux-backdoor-went-undetected-for-10-years-r4477/</link><description><![CDATA[<p>
	<span style="font-size:18px;">New details have emerged regarding a previously undetected Linux backdoor that is believed to have been created by the notorious Equation Group which has ties to the US National Security Agency (NSA).</span>
</p>

<p>
	 
</p>

<p>
	According to a new report from the cybersecurity firm Pangu, security researchers from its Advanced Cyber Security Research team first found the malware behind the backdoor back in 2013 while conducting a “forensic investigation of a host in a key domestic department”. At that time, the team decided to name the malware Bvp47 because the most common string in the sample was “Bvp” and 0x47 was the numerical value used in its encryption algorithm.
</p>

<p>
	 
</p>

<p>
	Despite the fact that Bvp47 was submitted to VirusTotal's antivirus database almost a decade ago, it was only detected by one antivirus engine. Things have changed with the release of Pangu's report, and it has now been flagged by six antivirus engines, according to BleepingComputer.
</p>

<p>
	 
</p>

<p>
	During the almost ten years that the Bvp47 malware went undetected, it was used to hit more than 287 organizations in 45 countries with a focus on targets in the telecommunications, military, higher-education, financial and science sectors.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:18px;"><strong>Ties to the Equation Group</strong></span>
</p>

<p>
	 
</p>

<p>
	The Bvp47 sample that was obtained by Pangu's Advanced Cyber Security Research team back in 2013 turned out to be an advanced Linux backdoor that also contained a remote control function protected using the RSA asymmetric encryption algorithm.
</p>

<p>
	As such, it requires a private key to activate, and this private key was found in a series of leaks published by the Shadow Brokers hacking group during 2016-2017. The leaks themselves also contained hacking tools and zero-day exploits used by the Equation Group, which is suspected of having ties to the NSA's Tailored Access Operations unit.
</p>

<p>
	 
</p>

<p>
	Some of the components found in these leaks, such as “dewdrop” and “solutionchar_agents”, were integrated into the Bvp47 framework, which indicates that its backdoor could be used on Unix-based operating systems such as mainstream Linux distros, JunOS, FreeBSD and Solaris.
</p>

<p>
	 
</p>

<p>
	Based on automated analysis of the backdoor by Kaspersky's Threat Attribution Engine (KTAE), 34 out of 483 strings found in Bvp47 match those from another Equation Group-related sample for Solaris SPARC systems. There was also a 30 percent similarity with another malware sample from the Equation Group which was submitted to VirusTotal back in 2018.
</p>

<p>
	 
</p>

<p>
	Costin Raiu, director of the Global Research and Analysis Team at Kaspersky, told BleepingComputer that Bvp47's code-level similarities also match one other sample in its malware collection. This is a good indication that use of this malware wasn't widespread, as is often the case with hacking tools created by high-level threat actors that only deploy them in highly targeted attacks.
</p>

<p>
	 
</p>

<p>
	Now that Bvp47's Linux backdoor has finally come to light, security researchers will likely conduct further analysis on it and we could see more evidence that it was used in other past attacks as well.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.msn.com/en-us/news/technology/this-linux-backdoor-went-undetected-for-10-years/ar-AAUk0d8" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">4477</guid><pubDate>Sat, 26 Feb 2022 01:00:13 +0000</pubDate></item></channel></rss>
