<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/135/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>GPU giant Nvidia is investigating a potential cyberattack</title><link>https://nsaneforums.com/news/security-privacy-news/gpu-giant-nvidia-is-investigating-a-potential-cyberattack-r4474/</link><description><![CDATA[<p>
	US chipmaker giant Nvidia confirmed today it's currently investigating an "incident" that reportedly took down some of its systems for two days.
</p>

<p>
	 
</p>

<p>
	Systems impacted in what looks like a cyberattack include the company's developer tools and email systems, as first reported by <a href="https://www.telegraph.co.uk/business/2022/02/25/us-microchip-powerhouse-nvidia-hit-cyber-attack/" rel="external nofollow" target="_blank">The Telegraph</a>.
</p>

<p>
	 
</p>

<p>
	The outage is reportedly the result of a network intrusion, and it is still not known whether any business or customer data was stolen during the incident.
</p>

<p>
	 
</p>

<p>
	Nvidia told BleepingComputer that the nature of the incident is still being evaluated and that the company's commercial activities were not affected.
</p>

<p>
	 
</p>

<p>
	"We are investigating an incident. Our business and commercial activities continue uninterrupted," an Nvidia spokesperson told BleepingComputer.
</p>

<p>
	 
</p>

<p>
	"We are still working to evaluate the nature and scope of the event and don't have any additional information to share at this time."
</p>

<p>
	 
</p>

<p>
	An insider has described this incident as having "completely compromised" Nvidia's internal systems.
</p>

<p>
	 
</p>

<p>
	On February 8, the American chipmaker <a href="https://nvidianews.nvidia.com/news/nvidia-and-softbank-group-announce-termination-of-nvidias-acquisition-of-arm-limited" rel="external nofollow" target="_blank">terminated</a> previously announced efforts to acquire British semiconductor giant Arm for $80 billion.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/gpu-giant-nvidia-is-investigating-a-potential-cyberattack/" rel="external nofollow">GPU giant Nvidia is investigating a potential cyberattack</a>
</p>
]]></description><guid isPermaLink="false">4474</guid><pubDate>Fri, 25 Feb 2022 21:23:23 +0000</pubDate></item><item><title>These companies are the most impersonated in email phishing campaigns</title><link>https://nsaneforums.com/news/security-privacy-news/these-companies-are-the-most-impersonated-in-email-phishing-campaigns-r4463/</link><description><![CDATA[<header>
	<div>
		<p>
			<strong>Brand phishing isn't going anywhere anytime soon</strong>
		</p>
	</div>
</header>


<div>
	 
</div>

<div>
	Amazon was the most impersonated brand worldwide in <a href="https://www.techradar.com/news/what-is-phishing-and-how-dangerous-is-it" rel="external nofollow" target="_blank">email phishing attacks</a> in 2021 according to a <a href="https://atlasvpn.com/blog/study-amazon-dhl-and-docusign-most-imitated-brands-in-phishing-emails" rel="external nofollow" target="_blank">new report</a> from <a href="https://www.techradar.com/reviews/atlas-vpn" rel="external nofollow" target="_blank">AtlasVPN</a>.
</div>

<p>
	 
</p>

<p>
	Last year, 17.7 percent of brand phishing emails impersonated Amazon while 16.5 percent impersonated the global logistics company DHL and 12.7 percent impersonated the <a data-component-tracked="1" href="https://www.techradar.com/best/best-esign-software-solutions" rel="external nofollow" target="_blank">eSign software</a> company <a data-component-tracked="1" href="https://www.techradar.com/news/you-can-now-sign-that-big-contact-over-a-zoom-video-meeting" rel="external nofollow" target="_blank">DocuSign</a>.
</p>

<p>
	 
</p>

<p>
	Further down the list, popular <a href="https://www.techradar.com/best/best-payment-gateways" rel="external nofollow" target="_blank">payment gateway</a> provider PayPal took fourth place, with its brand used in 5.7 percent of brand impersonation emails, followed by the professional social network LinkedIn, whose name was abused in 3.5 percent of brand phishing campaigns. Microsoft (3%), the <a href="https://www.techradar.com/web-hosting/best-web-hosting-service-websites" rel="external nofollow" target="_blank">web hosting</a> company 1&amp;1 (2.5%), British telecom O2 (2.3%), social media giant Facebook (2.2%) and the banking group HSBC (1.8%) also made the list.
</p>

<p>
	 
</p>

<p>
	All of these figures come from Hornetsecurity's <a data-component-tracked="1" data-url="https://www.hornetsecurity.com/wp-content/uploads/2022/01/Cyberthreat_Report_2021_EN.pdf" href="https://www.hornetsecurity.com/wp-content/uploads/2022/01/Cyberthreat_Report_2021_EN.pdf" rel="external nofollow" target="_blank">Cyber Threat Report 2021/22</a> which examines the state of global email threats.
</p>

<h2 id="spotting-a-brand-phishing-email">
	Spotting a brand phishing email
</h2>

<p>
	The reason cybercriminals choose to impersonate these and other large brands is to lower the guard of potential victims. Once a victim has been tricked into taking one of these phishing emails seriously, they are then lured into opening links to malicious websites designed to infect their devices with <a data-component-tracked="1" href="https://www.techradar.com/best/best-malware-removal" rel="external nofollow" target="_blank">malware</a> or steal their data.
</p>

<p>
	 
</p>

<p>
	While organizations can do very little to prevent cybercriminals from impersonating their brands online, consumers can protect themselves from falling victim to phishing campaigns by learning about and keeping in mind a few tell-tale signs.
</p>

<p>
	 
</p>

<p>
	Large brands employ professional copywriters and editors to proofread the emails and other messages they send to their customers, so spelling and grammatical errors are a strong sign that an email isn't official. The reverse does not hold: a polished message can still be a phish. Likewise, inconsistencies in the sender address can indicate that an email is not legitimate.
</p>

<p>
	 
</p>

<p>
	Cybercriminals often use email addresses that appear similar to a company's official address, for instance a lookalike domain, and the display name a mail client shows can be set to anything regardless of the real address behind it. Suspicious URLs and attachments are also clear giveaways, particularly a link whose visible text differs from where it actually points.
</p>

<p>
	 
</p>

<p>
	Although those behind brand phishing attacks may try to instill a <a data-component-tracked="1" href="https://www.techradar.com/news/office-365-phishing-scam-uses-google-ad-domains-to-evade-security" rel="external nofollow" target="_blank">sense of urgency</a> to get users to respond, requests to provide sensitive information are another red flag. This is because large businesses like Amazon would rarely if ever ask their customers to provide sensitive information over email.
</p>

<p>
	 
</p>

<p>
	Finally, if an email's message seems too good to be true, it probably is. So avoid emails informing you that you have won the lottery or other similar-themed messages at all costs.
</p>

<p>
	 
</p>

<p>
	Brand phishing isn't going anywhere anytime soon as it can be a very lucrative endeavor for cybercriminals but being able to spot the signs can help protect you from these campaigns and allow you to avoid falling victim to <a data-component-tracked="1" href="https://www.techradar.com/best/best-identity-theft-protection" rel="external nofollow" target="_blank">identity theft</a>.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.techradar.com/news/these-companies-are-the-most-impersonated-in-email-phishing-campaigns" rel="external nofollow">These companies are the most impersonated in email phishing campaigns</a>
</p>
]]></description><guid isPermaLink="false">4463</guid><pubDate>Fri, 25 Feb 2022 07:30:16 +0000</pubDate></item><item><title>Malware infiltrates Microsoft Store via clones of popular games</title><link>https://nsaneforums.com/news/security-privacy-news/malware-infiltrates-microsoft-store-via-clones-of-popular-games-r4453/</link><description><![CDATA[<p>
	A malware named Electron Bot has found its way into Microsoft’s Official Store through clones of popular games such as Subway Surfer and Temple Run, leading to the infection of roughly 5,000 computers in Sweden, Israel, Spain, and Bermuda.
</p>

<p>
	 
</p>

<p>
	The malware, spotted and analyzed by cyber-intelligence firm Check Point, is a backdoor that gives the adversaries complete control over compromised machines, supporting remote command execution and real-time interactions.
</p>

<p>
	 
</p>

<p>
	The goal of the threat actors is social media promotion and click fraud, which they achieve by controlling social media accounts on Facebook, Google, YouTube, and SoundCloud, as Electron Bot supports new account registration, commenting, and liking on these platforms.
</p>

<h2>
	Three years of evolution
</h2>

<p>
	The operation was first discovered at the end of 2018 when an early Electron Bot variant was submitted to the Microsoft Store as “Album by Google Photos,” published by a spoofed Google LLC entity.
</p>

<p>
	 
</p>

<p>
	Since then, the malware authors have added several new features to their tool and advanced detection evasion capabilities like dynamic script loading.
</p>

<p>
	 
</p>

<p>
	The malware is written in Electron, hence the name, and it can emulate natural browsing behavior and perform actions as if it’s a real website visitor.
</p>

<p>
	 
</p>

<p>
	For this, it opens a new hidden browser window using the Chromium engine in the Electron framework, sets the appropriate HTTP headers, renders the requested HTML page, and finally performs mouse movement, scrolling, clicks, and keyboard typing.
</p>

<p>
	 
</p>

<p>
	<img alt="mouse.jpg" class="ipsImage" data-ratio="14.44" height="100" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/mouse.jpg">
</p>

<p>
	Human mouse movement emulation (Check Point)
</p>

<p>
	 
</p>

<p>
	Electron Bot's primary goals in the ongoing campaign analyzed by the Check Point researchers are:
</p>

<p>
	 
</p>

<ul>
	<li>
		SEO poisoning – Create malware-dropping sites that rank high on Google Search results.
	</li>
	<li>
		Ad clicking – Connect to remote sites in the background and click on non-viewable advertisements.
	</li>
	<li>
		Social media account promotion – Direct traffic to specific content on social media platforms.
	</li>
	<li>
		Online product promotion – Increase store rating by clicking on its advertisements.
	</li>
</ul>

<p>
	 
</p>

<p>
	<img alt="comments.jpg" class="ipsImage" data-ratio="20.56" height="109" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/comments.jpg">
</p>

<p>
	Hardcoded YouTube comments (Check Point)
</p>

<p>
	 
</p>

<p>
	These functions are offered as services to those who want to increase their online profits illegitimately, so the gains for the malware operators are indirect.
</p>

<p>
	 
</p>

<p>
	As for attribution, <a href="https://research.checkpoint.com/2022/new-malware-capable-of-controlling-social-media-accounts-infects-5000-machines-and-is-actively-being-distributed-via-gaming-applications-on-microsofts-official-store/" rel="external nofollow" target="_blank">Check Point reports</a> finding evidence pointing to the actors being based in Bulgaria, but besides that, nothing is known about the malicious actors' identity or location.
</p>

<h2>
	Infection chain
</h2>

<p>
	The infection chain begins with the victim installing one of the laced apps from within the Microsoft Store, an otherwise trustworthy source of software.
</p>

<p>
	 
</p>

<p>
	<img alt="infection-chain(4).jpg" class="ipsImage" data-ratio="40.14" height="206" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Diagrams/infection-chain(4).jpg">
</p>

<p>
	Electron Bot infection chain (Check Point)
</p>

<p>
	 
</p>

<p>
	Upon launching the application, a JavaScript dropper is loaded dynamically in the background to fetch the Electron Bot payload and install it.
</p>

<p>
	 
</p>

<p>
	The malware launches at the next system startup, connects to its C2 (Electron Bot[.]s3[.]eu-central-1[.]amazonaws.com or 11k[.]online), retrieves its configuration, and executes any queued commands.
</p>
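<p>
	The two C2 hostnames above are printed defanged. As an added example (not Check Point's or BleepingComputer's code), the Python below turns them back into matchable indicators and runs them over a few constructed DNS query log lines in an assumed "timestamp client query" format. It matches exact hosts and their subdomains only, so the S3 indicator matches that one bucket hostname rather than all of amazonaws.com, and a label that merely contains "11k" does not match. The space inside the first indicator is treated as a rendering artifact, since hostnames cannot contain whitespace; that is an assumption.
</p>

```python
# Added example, not Check Point's or BleepingComputer's code. The log format
# (timestamp, client IP, query name) and the log lines are constructed.
import re

# Indicators exactly as printed in the article, defanged with [.] so they are
# not clickable. The space inside the first one is treated as a rendering
# artifact: hostnames cannot contain whitespace (assumption).
DEFANGED_IOCS = [
    "Electron Bot[.]s3[.]eu-central-1[.]amazonaws.com",
    "11k[.]online",
]


def refang(indicator):
    """Turn a defanged hostname back into a matchable, normalised one."""
    host = indicator.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"\s+", "", host).strip(".").lower()


IOCS = frozenset(refang(i) for i in DEFANGED_IOCS)


def matches(qname, iocs=IOCS):
    """True for an exact indicator or a subdomain of one. Because the S3
    indicator is the full bucket hostname, ordinary *.amazonaws.com lookups
    do not match, and a label that merely contains the string (example-11k)
    does not match either."""
    q = qname.lower().rstrip(".")
    return any(q == ioc or q.endswith("." + ioc) for ioc in iocs)


def scan(log_text):
    """Return (timestamp, client, qname) for every matching query."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and matches(fields[2]):
            hits.append((fields[0], fields[1], fields[2]))
    return hits


SAMPLE_LOG = """\
2022-02-24T10:01:02Z 10.0.0.15 electronbot.s3.eu-central-1.amazonaws.com
2022-02-24T10:01:05Z 10.0.0.15 www.microsoft.com
2022-02-24T10:02:11Z 10.0.0.22 api.11k.online
2022-02-24T10:02:30Z 10.0.0.22 cdn.example-11k.online
2022-02-24T10:03:00Z 10.0.0.9 files.s3.eu-central-1.amazonaws.com
"""

if __name__ == "__main__":
    for ts, client, qname in scan(SAMPLE_LOG):
        print(f"{ts} {client} -> {qname}")
```

<p>
	The subdomain rule is deliberate: blocking or alerting on the amazonaws.com suffix would flood a SOC with legitimate traffic, while the bucket hostname is specific to this operation. Hostname indicators also age quickly once an operator moves infrastructure, so they belong next to the behavioral signs above (Microsoft Store apps launching hidden browser windows at startup) rather than in place of them.
</p>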

<p>
	 
</p>

<p>
	Because the main scripts are loaded dynamically at run time, the JS files dropped on the machine are very small and seemingly innocuous, which also makes them a poor basis for static detection.
</p>

<p>
	 
</p>

<p>
	<img alt="commands(1).jpg" class="ipsImage" data-ratio="67.03" height="433" width="646" src="https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/commands(1).jpg">
</p>

<p>
	Commands supported by Electron Bot (Check Point)
</p>

<h2>
	More than just a game
</h2>

<p>
	All laced games identified by Check Point featured the expected functionality while the malicious operations unfolded in the background.
</p>

<p>
	 
</p>

<p>
	As a result, the apps also collect positive user reviews on the Microsoft Store. For instance, Temple Endless Runner 2, which was published on September 6, 2021, has close to a perfect five-star rating from 92 reviews.
</p>

<p>
	 
</p>

<p>
	Of course, the crooks constantly refresh their lures and use different game titles and apps to deliver the malware payloads to unsuspecting victims.
</p>

<p>
	 
</p>

<p>
	<img alt="temple-runner.jpg" class="ipsImage" data-ratio="63.89" height="349" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Software/temple-runner.jpg">
</p>

<p>
	Laced Temple Runner game on the Microsoft Store (Check Point)
</p>

<p>
	 
</p>

<p>
	For now, users may take note of the publishers who released confirmed malicious game apps using the following names:
</p>

<p>
	 
</p>

<ul>
	<li>
		Lupy games
	</li>
	<li>
		Crazy 4 games
	</li>
	<li>
		Jeuxjeuxkeux games
	</li>
	<li>
		Akshi games
	</li>
	<li>
		Goo Games
	</li>
	<li>
		Bizzon Case
	</li>
</ul>

<p>
	 
</p>

<p>
	It is important to emphasize that while the existing version of Electron Bot isn’t causing catastrophic damage to the infected machines, the threat actors may easily modify the code to fetch a second-stage payload like a RAT or even ransomware.
</p>

<p>
	 
</p>

<p>
	Check Point suggests that Windows users avoid downloading applications with a low review count, scrutinize the developer/publisher details, and ensure that the app name is correct and not typo-squatted.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/malware-infiltrates-microsoft-store-via-clones-of-popular-games/" rel="external nofollow">Malware infiltrates Microsoft Store via clones of popular games</a>
</p>
]]></description><guid isPermaLink="false">4453</guid><pubDate>Thu, 24 Feb 2022 17:38:19 +0000</pubDate></item><item><title>1Password now lets you easily store crypto wallet details</title><link>https://nsaneforums.com/news/security-privacy-news/1password-now-lets-you-easily-store-crypto-wallet-details-r4449/</link><description><![CDATA[<h3>
	It adds a new section dedicated to crypto wallets
</h3>

<p>
	<img alt="1password_phantom_wallet_update.0.png" class="ipsImage" data-ratio="75.10" height="479" width="720" src="https://cdn.vox-cdn.com/thumbor/dvj8AF9BFQgnwz0WfR5JcejiXXg=/0x0:1300x753/920x613/filters:focal(546x273:754x481):format(webp)/cdn.vox-cdn.com/uploads/chorus_image/image/70542334/1password_phantom_wallet_update.0.png">
</p>

<p>
	  1Password can now store details attached to your Phantom wallet. Image: 1Password
</p>

<div>
	<div>
		<p>
			 
		</p>

		<p>
			<a href="https://blog.1password.com/phantom-crypto-wallet-1password/" rel="external nofollow">A 1Password update</a> brings a specific item type dedicated to crypto and digital assets to the password manager’s interface. This could make it easier to store details attached to your cryptocurrency wallet, although it’s usually best to store your wallet’s information offline.
		</p>

		<figure>

			<p>
				<img alt="1password_crypto_wallet_example.png" class="ipsImage" data-ratio="75.10" height="533" width="720" src="https://cdn.vox-cdn.com/thumbor/PIyQpbHJZgweH3v8PJ597MWpSMk=/0x0:1336x990/920x0/filters:focal(0x0:1336x990):format(webp):no_upscale()/cdn.vox-cdn.com/uploads/chorus_asset/file/23266126/1password_crypto_wallet_example.png">
			</p>

			<figcaption>
				1Password now has dedicated fields for information related to crypto wallets.
			</figcaption>
			Image: 1Password
		</figure>

		<p>
			The update brings a “Crypto Wallet” item — or a blank, easy-to-fill-in format — to the password manager. It comes with fields specific to the kind of information you’ll need to input, like your wallet address and recovery phrase.
		</p>

		<p>
			 
		</p>

		<p>
			While you could previously store crypto-related information in 1Password, the process wasn’t always that straightforward, as it required you to repurpose existing fields. For example, as detailed in a <a href="https://blog.1password.com/how-to-use-1password-to-manage-cryptocurrency/#exchange-accounts" rel="external nofollow">how-to on 1Password’s website</a>, the company suggests modifying and adding fields within the “Login” item to make them suitable for your crypto wallet’s information, such as adding a separate section for your private key. When using the Crypto Wallet item, you shouldn't have to toy around as much with new sections since they’re already formatted for the basic information you need to store.
		</p>

		<p>
			 
		</p>

		<p>
			1Password’s update also adds support for <a href="https://phantom.app/" rel="external nofollow">Phantom’s crypto wallet</a>, which carries Solana-based tokens and NFTs. If you create a Phantom wallet and you have a subscription to 1Password, you’ll get prompted to tie your Phantom wallet password, wallet address, and secret recovery phrase to the password manager.
		</p>

		<p>
			 
		</p>

		<p>
			Generally, experts advise that your seed phrase (the master key that unlocks your wallet), should never be stored on an internet-connected device — not even in a password manager — due to potential security risks; they recommend securely storing it in a physical location. But you could also argue that storing your seed phrase in a password manager is still safer than what some people who are new to crypto might do, like screenshot it or save it in an online document. Storing information in a password manager might also be more convenient for people who hold only a small amount of crypto and have a lot less to lose.
		</p>

		<p>
			 
		</p>
	</div>
</div>

<p>
	 
</p>

<p>
	<a href="https://www.theverge.com/2022/2/23/22947693/1password-cryptocurrency-wallet-storage-password-manager-security" rel="external nofollow">1Password now lets you easily store crypto wallet details</a>
</p>
]]></description><guid isPermaLink="false">4449</guid><pubDate>Thu, 24 Feb 2022 00:24:00 +0000</pubDate></item><item><title>Ransomware extortion doesn't stop after paying the ransom</title><link>https://nsaneforums.com/news/security-privacy-news/ransomware-extortion-doesnt-stop-after-paying-the-ransom-r4447/</link><description><![CDATA[<p>
	A global survey of ransomware victims' experiences highlights how untrustworthy ransomware actors are: in most cases where the ransom is paid, the extortion simply continues.
</p>

<p>
	 
</p>

<p>
	This is not a surprising or new discovery, but when seeing it reflected in actual statistics, one can appreciate the scale of the problem in full.
</p>

<p>
	 
</p>

<p>
	The survey was conducted by cybersecurity specialist Venafi, and the most important findings that emerge from the respondents are the following:
</p>

<p>
	 
</p>

<ul>
	<li>
		83% of all ransomware victims who paid the requested amount were extorted again, in some cases two or three times.
	</li>
	<li>
		18% of victims who paid the ransom still had their data exposed on the dark web.
	</li>
	<li>
		8% refused to pay the ransom, and the attackers tried to extort their customers.
	</li>
	<li>
		35% of victims paid the ransom but were still unable to retrieve their data.
	</li>
</ul>

<p>
	 
</p>

<p>
	As for the ransomware actor extortion tactics, these are summarized as follows:
</p>

<p>
	 
</p>

<ul>
	<li>
		38% of ransomware attacks threatened to use stolen data to extort customers.
	</li>
	<li>
		35% of ransomware attacks threatened to expose stolen data on the dark web.
	</li>
	<li>
		32% of attacks threatened to directly inform the victim's customers of the data breach incident.
	</li>
</ul>

<p>
	 
</p>

<p>
	The lack of credibility in ransomware actors' empty promises to their victims stems from several factors.
</p>

<p>
	 
</p>

<p>
	First, most RaaS operations are short-lived, so they simply look to maximize their profits in the shortest possible period of time. As such, they don't care about long-term reputation.
</p>

<p>
	 
</p>

<p>
	Secondly, many renegade affiliates don't follow the rules set by the core ransomware operators, and enforcing these rules is rarely considered a priority for these groups.
</p>

<p>
	 
</p>

<p>
	Thirdly, even if the data isn't leaked right away, the remnants of data breaches may be maintained for a long time in multiple threat actor systems and almost always find their way to the broader cyber-crime community sooner or later.
</p>

<h2>
	A vicious cycle
</h2>

<p>
	As Venafi underlines in its report, paying the ransom is only motivating crooks to return for more, as it sends the signal that the victim sees this as the easiest way out of trouble, which is nothing but an illusion.
</p>

<p>
	 
</p>

<p>
	"Organizations are unprepared to defend against ransomware that exfiltrates data, so they pay the ransom, but this only motivates attackers to seek more," comments Venafi's vice president, Kevin Bocek.
</p>

<p>
	 
</p>

<p>
	"The bad news is that attackers are following through on extortion threats, even after the ransom has been paid! This means CISOs are under much more pressure because a successful attack is much more likely to create a full scale service disruption that affects customers."
</p>

<p>
	 
</p>

<p>
	The above matches the findings of another report published by <a href="https://www.proofpoint.com/us/blog/security-awareness-training/2022-state-phish-explores-increasingly-active-threat-landscape" rel="external nofollow" target="_blank">Proofpoint</a> yesterday, which presents the results of a survey of thousands of employees and hundreds of IT professionals across seven countries.
</p>

<p>
	 
</p>

<p>
	70% of the survey participants report having experienced at least one ransomware attack in 2021. 60% of them opted to negotiate with the attackers, and many of them ended up paying ransom more than once.
</p>

<p>
	 
</p>

<p>
	In summary, the best approach for victims is not to give in to ransomware demands but instead to restore systems and data from backups and alert law enforcement and data protection authorities of the incident.
</p>

<p>
	 
</p>

<p>
	All else is futile considering that all scenarios eventually lead to the same result, with the only difference being the enrichment of ransomware actors and the feeding of their motivation to continue.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/ransomware-extortion-doesnt-stop-after-paying-the-ransom/" rel="external nofollow">Ransomware extortion doesn't stop after paying the ransom</a>
</p>
]]></description><guid isPermaLink="false">4447</guid><pubDate>Thu, 24 Feb 2022 00:20:18 +0000</pubDate></item><item><title>Inside the Lab Where Intel Tries to Hack Its Own Chips</title><link>https://nsaneforums.com/news/security-privacy-news/inside-the-lab-where-intel-tries-to-hack-its-own-chips-r4438/</link><description><![CDATA[<h3>
	Researchers at iSTARE have to think like the bad guys, finding critical flaws before processors go to production.
</h3>

<p>
	<img alt="Security-Intel-Hacking-Lab_SHO1107.jpg" class="ipsImage" data-ratio="75.10" height="480" width="720" src="https://media.wired.com/photos/6210435398c5aa9edfd4d752/master/w_2560,c_limit/Security-Intel-Hacking-Lab_SHO1107.jpg">
</p>

<p>
	<em>The iSTARE team’s fault injection system can use ultra-fast pulses of laser and RF radiation that may cause the silicon device to fail. They attempt to trigger such faults when a particular operation is being executed, thus causing a change in the device's behavior that may lead to a breach in security. Photograph: Shlomo Shoham</em>
</p>

<p>
	 
</p>

<p>
	"Evil maid" attacks are a <a href="https://www.wired.com/story/do-not-disturb-app-macbook-evil-maid-attacks/" rel="external nofollow">classic cybersecurity problem</a>. Leave a computer unattended in a hotel and an attacker dressed as an employee could enter your room, plant malware on your laptop, and slip out without leaving a trace. Allowing <a href="https://www.wired.com/story/thunderspy-thunderbolt-evil-maid-hacking/" rel="external nofollow">physical access</a> <a href="https://www.wired.com/2015/03/stealing-data-computers-using-heat/" rel="external nofollow">to a device</a> is often game over. But if you're building processors that end up in millions of devices around the world, you can't afford to give up so easily.
</p>

<p>
	 
</p>

<p>
	That's why five years ago Intel launched a dedicated hardware hacking group, Intel Security Threat Analysis and Reverse Engineering, or iSTARE. About 20 iSTARE researchers now work in specially equipped labs in the northern Israeli city of Haifa and in the US. There, they analyze and attack Intel's future generations of chips, looking for soft spots that can be hardened long before they reach your PC or MRI machine.
</p>

<p>
	 
</p>

<p>
	“People don’t always quite understand all the security implications and may feel like physical attacks aren’t as relevant,” says Steve Brown, a principal engineer in Intel's product assurance and security department. “But this is a proactive approach. The earlier you can intercept all of this in the life cycle the better.”
</p>

<p>
	 
</p>

<p>
	When hackers exploit vulnerabilities to steal data or plant malware, they usually take advantage of software flaws, mistakes, or logical inconsistencies in how code is written. In contrast, hardware hackers rely on physical actions; iSTARE researchers crack open computer cases, physically solder new circuits on a motherboard, <a href="https://www.wired.com/story/electromagnetic-pulse-hack/" rel="external nofollow">deliver strategic electromagnetic pulses</a> to alter behavior as electrons flow through a processor, and measure whether physical traits like heat emissions or vibrations <a href="https://www.wired.com/story/what-is-side-channel-attack/" rel="external nofollow">incidentally leak information</a> about what a device is doing.
</p>

<p>
	 
</p>

<p>
	Think about the security line at the airport. If you don't have ID, you could work within the system and try to sweet-talk the TSA agent checking credentials, hoping to manipulate them into letting you through. But you might instead take a physical approach, finding an overlooked side entrance that lets you bypass the ID check entirely. When it comes to early schematics and prototypes of new Intel chips, iSTARE is trying to proactively block any routes that circumnavigators could attempt to use.
</p>

<p>
	 
</p>

<p>
	“We basically emulate the hacker, figuring out what would they want to get out of an attack,” says Uri Bear, iSTARE's group manager and a senior security analyst for Intel's product assurance and security department. “We’re not tasked with just finding security vulnerabilities, we’re also tasked with developing the next generation of attacks and defenses and making sure we are ready for the next thing that will come. We fix things ahead of time, before they’re in the market.”
</p>

<p>
	 
</p>

<p>
	The mind-bending thing about hardware hacking is that software can also play a role. For example, physics-based <a href="https://www.wired.com/2015/03/google-hack-dram-memory-electric-leaks/" rel="external nofollow">“Rowhammer” attacks</a> famously use little software programs running over and over again to <a href="https://www.wired.com/2016/08/new-form-hacking-breaks-ideas-computers-work/" rel="external nofollow">cause a leak of electricity</a> in a computer's memory. That strategic glitch physically alters data in such a way that hackers can gain more access to the system. It’s an example of the <a href="https://www.wired.com/story/rowhammer-ecc-memory-data-hack/" rel="external nofollow">type of paradigm shift</a> that iSTARE researchers are <a href="https://www.wired.com/story/rowhammer-half-double-attack-bit-flips/" rel="external nofollow">trying to presage</a>.
</p>

<p>
	 
</p>

<p>
	“It’s about the fun of breaking things,” Bear says, “finding ways to use hardware that was either blocked or that it was not designed for and trying to come up with new usages. If there were no hackers, everything would be stale and just good enough. Hackers challenge the current technology and force designers to make things better.”
</p>

<p>
	 
</p>

<p>
	Working in cramped labs stuffed with specialized equipment, iSTARE vets schematics and other early design materials. But ultimately the group is at its most effective when it reverse engineers, or works backward from, the finished product. The goal is to probe the chip for weaknesses under the same conditions an attacker would—albeit with prototypes or even virtualized renderings—using tools like electron microscopes to peer inside the processor's inner workings. And while iSTARE has access to top-of-the-line analysis equipment that most digital scammers and criminal hackers wouldn't, Bear emphasizes that the cost of many advanced analysis tools has come down and that motivated attackers, particularly state-backed actors, can get their hands on whatever they need.
</p>

<p>
	 
</p>

<p>
	iSTARE operates as a consulting group within Intel. The company encourages its design, architecture, and development teams to request audits and reviews from iSTARE early in the creation process so there's actually time to make changes based on any findings. Isaura Gaeta, vice president of security research for Intel’s product assurance and security engineering department, notes that in fact iSTARE often has more requests than it can handle. So part of Gaeta and Brown's work is to communicate generalizable findings and best practices as they emerge to the different divisions and development groups within Intel.
</p>

<p>
	 
</p>

<p>
	Beyond Rowhammer, chipmakers across the industry have faced other recent setbacks in the security of core conceptual designs. Beginning in 2016, for example, Intel and other manufacturers began <a href="https://www.wired.com/story/critical-intel-flaw-breaks-basic-security-for-most-computers/" rel="external nofollow">grappling with unforeseen security weaknesses</a> of “speculative execution.” It’s a speed and efficiency strategy in which processors would essentially make educated guesses about what users might ask them to do next and then work ahead so the task would already be in progress or complete if needed. <a href="https://www.wired.com/story/intel-mds-attack-speculative-execution-buffer/" rel="external nofollow">Research</a> <a href="https://www.wired.com/story/speculative-store-bypass-spectre-meltdown-vulnerability/" rel="external nofollow">exploded</a> into attacks that could grab troves of data from this process, even in the most <a href="https://www.wired.com/story/foreshadow-intel-secure-enclave-vulnerability/" rel="external nofollow">secure chips</a>, and companies <a href="https://www.wired.com/story/intel-zombieload-third-patch-speculative-execution/" rel="external nofollow">like Intel</a> struggled to release adequate fixes on the fly. Ultimately, chips needed to be fundamentally rearchitected to address the risk.
</p>

<p>
	 
</p>

<p>
	Around the same time that researchers would have disclosed their initial speculative execution attack findings to Intel, the company formed iSTARE as a reorganization of other existing hardware security assessment groups within the company. In general, chipmakers across the industry have had to substantially overhaul their auditing processes, vulnerability disclosure programs, and funding of both internal and external security research in response to the <a href="https://www.wired.com/story/meltdown-spectre-costs-of-unchecked-innovation/" rel="external nofollow">Spectre and Meltdown speculative execution revelations</a>.
</p>

<p>
	 
</p>

<p>
	“A few years back, maybe a decade back, the vendors were much more reluctant to see that hardware, just like software, will contain bugs and try to make sure that these bugs are not in the product that the customers then use,” says Daniel Gruss, a researcher at Graz University of Technology in Austria.
</p>

<p>
	 
</p>

<p>
	Gruss was on one of the <a href="https://www.wired.com/story/meltdown-spectre-bug-collision-intel-chip-flaw-discovery/" rel="external nofollow">original academic teams</a> that discovered Spectre and Meltdown. He says in recent years Intel has funded some of the PhD students in his lab, TU Graz's Secure Systems Group, though none of his students is currently funded by Intel.
</p>

<p>
	 
</p>

<p>
	“Finding vulnerabilities is a creative job, to some extent. You have to think about the hardware and software in ways others haven’t,” Gruss says. “I think it was a necessary step for vendors to create these teams or increase the sizes and budgets of them. But they won’t replace the massive scale of creativity you can find in academia, which is just so many more brains than you can hire in one red team.”
</p>

<p>
	 
</p>

<p>
	The iSTARE team says they feel acutely the responsibility of working on projects that will end up as ubiquitous Intel chips. And they must also live with the reality that some flaws and vulnerabilities will always slip by.
</p>

<p>
	 
</p>

<p>
	“It can be frustrating,” Brown says. “From a researcher’s point of view, you want to do the best you can, but there are times when maybe it wasn’t enough or the assumptions changed along the way that then create a different vulnerability or weakness in a product that wasn’t necessarily considered. But as those things are revealed, we learn more to make the next product better. So we try to take it in a positive form, though it may be sometimes in a negative light.”
</p>

<p>
	 
</p>

<p>
	Independent hardware hacker Ang Cui, founder of the embedded device security firm Red Balloon, says that groups like iSTARE are vital to large chip manufacturers, whose products power computation in every industry and government. “Groups like this have been around since man first used a paperclip to glitch a computer,” he says. But he argues that manufacturers have economic incentives that generally don’t align with maximum security, a challenging dynamic for a group like iSTARE to transcend.
</p>

<p>
	 
</p>

<p>
	“Chip vendors have to add extra features and bells and whistles so they can sell new, shiny things to the market, and that translates to billions more transistors on a chip,” Cui says. “So you're adding known and unknown vulnerabilities to this very complicated piece of hardware, and adding more and more things for these teams to defend against.”
</p>

<p>
	 
</p>

<p>
	<img alt="Security-Intel-Hacking-Lab_SHO1129.jpg" class="ipsImage" data-ratio="75.10" height="480" width="720" src="https://media.wired.com/photos/62104353c228dc232641ff3b/master/w_1600,c_limit/Security-Intel-Hacking-Lab_SHO1129.jpg">
</p>

<p>
	<em>As a system is being used, the electrons flowing through it cause tiny transmissions of electromagnetic signals through the air and in the power supplies feeding the system. This system monitors these minute signals and uses sophisticated algorithms to extract information on system behavior and the data being used during the operation. Photograph: Shlomo Shoham</em>
</p>

<p>
	 
</p>

<p>
	When it comes to sharing the findings of its forward-looking research, Brown says iSTARE doesn't pull punches.
</p>

<p>
	 
</p>

<p>
	“It could be fairly adversarial—you’re finding issues and somebody else is the product owner, that can be kind of a contentious relationship,” Brown says. “But we try to approach it as if we’re part of those teams and that we have as much at stake as they do versus just pointing out deficiencies in their products.”
</p>

<p>
	 
</p>

<p>
	Security and privacy auditors can often seem like unwelcome Cassandras in large organizations, always nitpicking and finding problems that create more work for everyone. Bear agrees that part of iSTARE's job is to be aware of this dynamic and deliver findings tactfully.
</p>

<p>
	 
</p>

<p>
	“I think the solution is not to find a problem and throw it at somebody," he says. “It’s working on the solution together. That’s a huge part of the acceptance of issues that need solving.”
</p>

<p>
	 
</p>

<p>
	Gaeta emphasizes that by catching security issues while there's still time to fix them, iSTARE saves Intel and its customers money and the reputational damage that comes from major systemic security vulnerabilities. This is ultimately where the interests align between a tech behemoth like Intel and the creative, endlessly curious, pain-in-the-ass hackers needed for a team like iSTARE.
</p>

<p>
	 
</p>

<p>
	“Every few months we change completely in our heads the item that we are working on,” Bear explains. “It’s a new technology, it’s a new processor type, a new command set, a new manufacturing technology, and there are lots of tedious details. So we’ve got to keep it fun because really security researchers do this for fun. I’m paid to break other people’s toys, that's how I explain it.”
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/intel-lab-istare-hack-chips/" rel="external nofollow">Inside the Lab Where Intel Tries to Hack Its Own Chips</a>
</p>
]]></description><guid isPermaLink="false">4438</guid><pubDate>Wed, 23 Feb 2022 19:54:19 +0000</pubDate></item><item><title>FTC: Americans report losing over $5.8 billion to fraud in 2021</title><link>https://nsaneforums.com/news/security-privacy-news/ftc-americans-report-losing-over-58-billion-to-fraud-in-2021-r4437/</link><description><![CDATA[<p>
	The US Federal Trade Commission (FTC) said today that Americans reported losses of more than $5.8 billion to fraud during last year, a massive increase of over 70% compared to the losses reported in 2020.
</p>

<p>
	 
</p>

<p>
	The FTC added a total of roughly 5.7 million consumer reports to its Consumer Sentinel Network (Sentinel) secure online database in 2021.
</p>

<p>
	 
</p>

<p>
	Out of these, US consumers <a href="https://www.bleepstatic.com/images/news/u/1109292/2022/Fraud_reports_2021.jpg" rel="external nofollow" target="_blank">filed 2,789,161 fraud reports</a> during 2021, 25% of them indicating a monetary loss and informing the consumer protection agency that they lost a total of $5,893,260,382 to fraud schemes.
</p>

<p>
	 
</p>

<p>
	"Of the losses reported by consumers, more than $2.3 billion of losses reported last year were due to imposter scams—up from $1.2 billion in 2020, while online shopping accounted for about $392 million in reported losses from consumers—up from $246 million in 2020," the FTC said.
</p>

<p>
	 
</p>

<p>
	The FTC also received nearly 1.4 million reports of identity theft in 2021, representing a quarter of all reports filed last year.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="Number_of_Reports_by_Type_FTC.jpg" class="ipsImage" data-ratio="59.44" height="355" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2022/Number_of_Reports_by_Type_FTC.jpg">
		</p>

		<figcaption>
			Number of reports by type (FTC)
		</figcaption>
	</figure>
</div>

<p>
	The FTC said that young consumers (aged 20 to 29) have reported losing money to fraud a lot more often than older people (ages 80 and over).
</p>

<p>
	 
</p>

<p>
	However, "while younger people lost money 41 percent of the time they experienced fraud, older adults lost money only 17 percent of the time," according to <a href="https://www.ftc.gov/news-events/press-releases/2022/02/new-data-shows-ftc-received-28-million-fraud-reports-consumers" rel="external nofollow" target="_blank">FTC's data</a>.
</p>

<p>
	 
</p>

<p>
	"But when older people did lose money, they lost a median amount of $1,500, or three times the median amount younger people lost."
</p>

<p>
	 
</p>

<p>
	You can report fraud attempts at ReportFraud.ftc.gov and file an identity theft report at IdentityTheft.gov.
</p>

<p>
	 
</p>

<p>
	Once included in the Consumer Sentinel Network, your report will be available to more than 3,000 federal, state, and local law enforcement agencies across the US.
</p>

<p>
	 
</p>

<p>
	Filed reports are helpful when investigating fraud, scams, and bad business practices, as well as for discovering trends and educating the public.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/ftc-americans-report-losing-over-58-billion-to-fraud-in-2021/" rel="external nofollow">FTC: Americans report losing over $5.8 billion to fraud in 2021</a>
</p>
]]></description><guid isPermaLink="false">4437</guid><pubDate>Wed, 23 Feb 2022 19:49:25 +0000</pubDate></item><item><title>LockBit, Conti most active ransomware targeting industrial sector</title><link>https://nsaneforums.com/news/security-privacy-news/lockbit-conti-most-active-ransomware-targeting-industrial-sector-r4436/</link><description><![CDATA[<p>
	Ransomware attacks extended into the industrial sector last year to such a degree that this type of incident became the sector's number one threat.
</p>

<p>
	 
</p>

<p>
	Two ransomware groups, LockBit and Conti, have been most active compromising organizations with an Industrial Control System (ICS)/Operational Technology (OT) environment in 2021.
</p>

<h3>
	Ransomware threat is frequent in the manufacturing sector
</h3>

<p>
	A report today from industrial cybersecurity company Dragos highlights that the industrial sector has become a more attractive target for both financially motivated adversaries and actors linked to state-sponsored groups.
</p>

<p>
	 
</p>

<p>
	Monitoring the threat activity in the industrial sector last year, the company discovered a jump in ransomware incidents targeting ICS/OT networks.
</p>

<p>
	 
</p>

<p>
	According to Dragos’ findings, the most common targets for ransomware groups were in the manufacturing sector, with 211 attacks accounting for 65%, followed by 35 successful compromises of companies in the food and beverages business, and 27 attacks against entities in the transportation sector.
</p>

<p>
	 
</p>

<p>
	<img alt="Ransomware_ICS_Dragos.jpg" class="ipsImage" data-ratio="63.89" height="206" width="720" src="https://www.bleepstatic.com/images/news/u/1100723/2022/Ransomware/Ransomware_ICS_Dragos.jpg">
</p>

<p>
	 
</p>

<p>
	The researchers note that the manufacturing vertical is the most exposed to attacks because this “sector is often the least mature in their OT security defenses.”
</p>

<p>
	 
</p>

<p>
	An overview of the security posture of these companies reveals a troubling trend, the researchers say, based on data collected during customer engagements.
</p>

<p>
	 
</p>

<p>
	Many organizations have very <strong>limited visibility</strong> into their infrastructure, fail to properly <strong>segment network perimeters</strong>, have many devices with an <strong>external connection</strong>, and show a large percentage of <strong>shared credentials</strong> between the enterprise network (IT) and the OT environment.
</p>

<p>
	 
</p>

<p>
	<img alt="OT_security_issues-Dragos.jpg" class="ipsImage" data-ratio="75.10" height="460" width="720" src="https://www.bleepstatic.com/images/news/u/1100723/2022/Ransomware/OT_security_issues-Dragos.jpg">
</p>

<p>
	 
</p>

<p>
	The problems above lay the ground for successful attacks, allowing threat actors to pivot from the IT network into the OT segment, even if breaching the latter is not the main goal.
</p>

<p>
	 
</p>

<p>
	This allowed the ransomware threat to become the number one cause for compromises in the industrial sector, the researchers note in the report.
</p>

<p>
	 
</p>

<div>
	<p>
		“While ransomware mainly targets enterprise IT systems, there are a number of instances when it does impact OT directly and in integrated IT and OT environments” - <a href="https://www.dragos.com/year-in-review/" rel="external nofollow" target="_blank">Dragos</a>
	</p>

	<p>
		 
	</p>
</div>

<p>
	After gaining access to the IT network to execute the ransomware component, adversaries can move laterally into OT systems, allowing them to ask for larger ransoms by causing a more damaging impact.
</p>

<h3>
	LockBit and Conti attacks in ICS sector
</h3>

<p>
	Of the ransomware groups attacking the industrial infrastructure, LockBit and Conti are by far the most active, accounting for 51% of the incidents.
</p>

<p>
	 
</p>

<p>
	<img alt="RansomwareICS-Dragos.jpg" class="ipsImage" data-ratio="75.10" height="372" width="720" src="https://www.bleepstatic.com/images/news/u/1100723/2022/Ransomware/RansomwareICS-Dragos.jpg">
</p>

<p>
	 
</p>

<p>
	According to Dragos, the two ransomware groups are responsible for 166 attacks on companies in the ICS sector, LockBit accounting for 103 incidents and Conti for 63. The latter has taken <a href="https://www.bleepingcomputer.com/news/security/conti-ransomware-gang-takes-over-trickbot-malware-operation/" target="_blank" rel="external nofollow">control of the TrickBot operation</a> recently and will likely increase its incursions into OT networks.
</p>

<p>
	 
</p>

<p>
	In 70% of all the ransomware incidents that Dragos analyzed, the targets were in the manufacturing sector, the most affected subsectors being metal products, automotive, plastics, technology, and packaging.
</p>

<p>
	 
</p>

<p>
	<img alt="RansomwareICS_breakdown-Dragos.jpg" class="ipsImage" data-ratio="75.10" height="501" width="720" src="https://www.bleepstatic.com/images/news/u/1100723/2022/Ransomware/RansomwareICS_breakdown-Dragos.jpg">
</p>

<p>
	 
</p>

<p>
	Ransomware threats are not showing any decline, despite governments prioritizing law enforcement efforts to bring ransomware-as-a-service (RaaS) operators and their affiliates to justice.
</p>

<p>
	 
</p>

<p>
	Dragos has high confidence that this threat will keep disrupting industrial operations and OT environments in 2022 because of any of the following three factors:
</p>

<p>
	 
</p>

<ul>
	<li>
		Actors integrating OT kill processes into ransomware payloads
	</li>
	<li>
		Operators shutting down OT environments to prevent ransomware from spreading to OT systems from the IT network
	</li>
	<li>
		Adoption of simplified flat network designs to lower cost and maintenance effort by reducing the number of routers and switches, which leads to a less secure environment due to lack of segmentation
	</li>
</ul>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/lockbit-conti-most-active-ransomware-targeting-industrial-sector/" rel="external nofollow">LockBit, Conti most active ransomware targeting industrial sector</a>
</p>
]]></description><guid isPermaLink="false">4436</guid><pubDate>Wed, 23 Feb 2022 19:47:48 +0000</pubDate></item><item><title>Devious phishing method bypasses MFA using remote access software</title><link>https://nsaneforums.com/news/security-privacy-news/devious-phishing-method-bypasses-mfa-using-remote-access-software-r4419/</link><description><![CDATA[<p>
	A devious, new phishing technique allows adversaries to bypass multi-factor authentication (MFA) by secretly having victims log into their accounts directly on attacker-controlled servers using the VNC screen sharing system.
</p>

<p>
	 
</p>

<p>
	One of the biggest obstacles to successful phishing attacks is bypassing multi-factor authentication (MFA) configured on the targeted victim's email accounts.
</p>

<p>
	 
</p>

<p>
	Even if threat actors can convince users to enter their credentials on a phishing site, if MFA protects the account, fully compromising the account still requires the one-time passcode sent to the victim.
</p>

<p>
	 
</p>

<p>
	To gain access to a target's MFA-protected accounts, phishing kits have been updated to use reverse proxies or other methods to collect MFA codes from unwitting victims.
</p>

<p>
	 
</p>

<p>
	However, companies are catching on to this method and have begun introducing security measures that block logins or deactivate accounts when reverse proxies are detected.
</p>

<h2>
	VNC to the rescue
</h2>

<p>
	While conducting a penetration test for a customer, security researcher mr.d0x attempted to create a phishing attack on the client's employees to gain corporate account credentials.
</p>

<p>
	 
</p>

<p>
	As the accounts were all configured with MFA, mr.d0x set up a phishing attack using the <a href="https://github.com/kgretzky/evilginx2" rel="external nofollow" target="_blank">Evilginx2</a> attack framework that acts as a reverse proxy to steal credentials and MFA codes.
</p>

<p>
	 
</p>

<p>
	When conducting the test, the researcher found that Google prevented logins when detecting reverse proxies or man-in-the-middle (MiTM) attacks.
</p>

<p>
	 
</p>

<p>
	mr.d0x told BleepingComputer that this was a new <a href="https://security.googleblog.com/2019/04/better-protection-against-man-in-middle.html" rel="external nofollow" target="_blank">security feature added by Google</a> in 2019, specifically to prevent these types of attacks.
</p>

<p>
	 
</p>

<div>
	<figure>
		<p>
			<img alt="gmail-preventing-mitm-attack.png" class="ipsImage" data-ratio="111.06" height="502" width="452" src="https://www.bleepstatic.com/images/news/security/phishing/v/vnc-technique/gmail-preventing-mitm-attack.png">
		</p>

		<figcaption>
			Google Chrome logon blocking MiTM attacks<br>
			Source: mr.d0x
		</figcaption>
	</figure>
</div>

<p>
	The researcher also told BleepingComputer that websites, such as LinkedIn, detect man-in-the-middle (MiTM) attacks and <a href="http://github.com/kgretzky/evilginx2/issues/697" rel="external nofollow" target="_blank">deactivate accounts after successful logins</a>.
</p>

<p>
	 
</p>

<p>
	To overcome this obstacle, mr.d0x came up with a devious new phishing technique that uses the noVNC remote access software and browsers running in kiosk mode to display email login prompts running on the attacker's server but shown in the victim's browser.
</p>

<p>
	 
</p>

<p>
	VNC is remote access software that allows remote users to connect to and control a logged-in user's desktop. Most people connect to a VNC server through dedicated VNC clients that open the remote desktop in a manner similar to Windows Remote Desktop.
</p>

<p>
	 
</p>

<p>
	However, a program called noVNC allows users to connect to a VNC server directly from within a browser simply by clicking a link, which is where the researcher's new phishing technique comes into play.
</p>

<p>
	 
</p>

<p>
	"So how do we use noVNC to steal credentials &amp; bypass 2FA? Set up a server with noVNC, run Firefox (or any other browser) in kiosk mode and head to the website you’d like the user to authenticate to (e.g. accounts.google.com)," explains a <a href="https://mrd0x.com/bypass-2fa-using-novnc/" rel="external nofollow" target="_blank">new report by mr.d0x</a> on his new phishing technique.
</p>

<p>
	 
</p>

<p>
	"Send the link to the target user and when the user clicks the URL they’ll be accessing the VNC session without realizing. And because you’ve already set up Firefox in kiosk mode all the user will see is a web page, as expected."
</p>

<p>
	 
</p>

<p>
	Using this configuration, a threat actor can send out targeted spear-phishing emails that contain links that automatically launch the target's browser and log into the attacker's remote VNC server.
</p>

<p>
	 
</p>

<p>
	These links are highly customizable and allow the attacker to create links that don't look like suspicious VNC login URLs, such as the ones below:
</p>

<pre style="margin-left: 40px;">Example[.]com/index.html?id=VNCPASSWORD
Example[.]com/auth/login?name=password</pre>

<p>
	As the attacker's VNC server is configured to run a browser in kiosk mode, which displays the browser full-screen, when the victim clicks on a link they will simply see a login screen for the targeted email service and log in as normal.
</p>

<p>
	 
</p>

<div>
	<figure>
		<p>
			<img alt="novnc-demo.gif" class="ipsImage" data-ratio="57.92" height="375" width="720" src="https://www.bleepstatic.com/images/news/security/phishing/v/vnc-technique/novnc-demo.gif">
		</p>

		<figcaption>
			Demonstration of the VNC phishing technique<br>
			Source: mr.d0x
		</figcaption>
	</figure>
</div>

<p>
	However, as the login prompt is actually being displayed by the attacker's VNC server, all login attempts will happen directly on the remote server. mr.d0x told BleepingComputer that once a user logs into the account, an attacker can use various tools to steal credentials and security tokens. 
</p>

<p>
	 
</p>

<p>
	Even more dangerous, this technique will bypass MFA as the user will enter the one-time passcode directly on the attacker's server, authorizing the device for future login attempts.
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	"Since it's my server I can have many tricks up my sleeve, for example say I have burp suite or any other HTTP proxy attached to this browser and its capturing all the HTTP requests occurring. When the user is done I can check the requests and grab the username and password and session token," mr.d0x told BleepingComputer in a conversation about the attack.
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	"Another alternative could be I inject JS into the browser before sending the phishing link. When the user begins using the browser it runs my JS. There are many more options because at the end of the day the user authenticates onto your server."
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	mr.d0x
</p>

<p>
	 
</p>

<p>
	If the attack were being used on a limited basis to target only a few people, simply logging into their email account over the attacker's VNC session would authorize the device to connect to the account in the future.
</p>

<p>
	 
</p>

<p>
	As VNC allows multiple people to monitor the same session, an attacker could disconnect the victim's session after the account was logged in and connect to the same session later to access the account and all its email.
</p>

<p>
	 
</p>

<p>
	While this attack has not been seen used in real-world attacks, the researcher told BleepingComputer that he believes attackers will use it in the future.
</p>

<p>
	 
</p>

<p>
	As for how to protect yourself from these types of attacks, all the usual phishing advice still applies: do not click on URLs from unknown senders, inspect embedded links for unusual domains, and treat all email as suspicious, especially when it prompts you to log in to your account.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/devious-phishing-method-bypasses-mfa-using-remote-access-software/" rel="external nofollow">Devious phishing method bypasses MFA using remote access software</a>
</p>
]]></description><guid isPermaLink="false">4419</guid><pubDate>Wed, 23 Feb 2022 03:40:35 +0000</pubDate></item><item><title>What to Expect From &#x2018;What&#x2019;s Next in Security from Microsoft&#x2019; Digital Event</title><link>https://nsaneforums.com/news/security-privacy-news/what-to-expect-from-%E2%80%98what%E2%80%99s-next-in-security-from-microsoft%E2%80%99-digital-event-r4412/</link><description><![CDATA[<p>
	<a href="https://mssecurityinnovationevent.eventcore.com/?ocid=AID3043366_QSG_563838" rel="external nofollow">What’s Next in Security from Microsoft digital event</a> is set to happen this February 24, 9:00 AM to 10:30 AM Pacific Time (UTC-8). And with the relentless growth of threats swarming everywhere, various organizations looking for effective security solutions for their companies hope to find some valuable tips and knowledge in this event.
</p>

<p>
	 
</p>

<p>
	What’s Next in Security from Microsoft will highlight the importance of a comprehensive approach to security for business growth. It will welcome security experts who will talk about the newest innovations and technologies for reducing the risk from the latest threats.
</p>

<p>
	 
</p>

<p>
	Some of the speakers include Vasu Jakkal (Microsoft Corporate Vice President of Security, Compliance, and Identity) and Jeff Pollard (Vice President and Principal Analyst at Forrester).
</p>

<p>
	 
</p>

<p>
	Pollard will share insights on how to efficiently use human knowledge, cloud, and technology as a combination in forming innovative security solutions. This will serve as an answer to the evolving attacker tactics affecting the current security landscape. The speakers are also expected to cover the overall situation of security trends today by highlighting the state of the market now, together with some future projections about security.
</p>

<p>
	 
</p>

<p>
	On the other hand, in response to the growing threats moving laterally across systems and platforms, Microsoft will provide information about the latest cloud defense innovations that can complement and work across platforms and clouds. Plus, there will be a moderated panel discussion to explore the technologies that can help you protect and manage your identities across a multi-cloud environment. Microsoft security experts will also actively answer questions from participants via live chat. 
</p>

<p>
	 
</p>

<p>
	Lastly, What’s Next in Security from Microsoft will educate and guide participants in:
</p>

<p>
	 
</p>

<ul>
	<li>
		Applying least privilege access across your cloud environments.
	</li>
	<li>
		Protecting identities, apps, clouds, and endpoints with comprehensive solutions.
	</li>
	<li>
		Recognizing security gaps and protecting multi-cloud environments against threats.
	</li>
	<li>
		Updating security strategy through the latest market trends.
	</li>
	<li>
		Removing blind spots with proactive threat hunting and extended detection and response (XDR).
	</li>
</ul>

<p>
	 
</p>

<p>
	To know more about the What’s Next in Security from Microsoft digital event and its registration, you can visit <a href="https://mssecurityinnovationevent.eventcore.com/?ocid=AID3043366_QSG_563838" rel="external nofollow">Microsoft’s page</a>.
</p>

<p>
	 
</p>

<p>
	<a href="https://mspoweruser.com/what-to-expect-from-whats-next-in-security-from-microsoft-digital-event/" rel="external nofollow">What to Expect From ‘What’s Next in Security from Microsoft’ Digital Event</a>
</p>
]]></description><guid isPermaLink="false">4412</guid><pubDate>Thu, 01 Jan 1970 00:00:00 +0000</pubDate></item><item><title>Chinese Hackers Target Taiwan's Financial Trading Sector with Supply Chain Attack</title><link>https://nsaneforums.com/news/security-privacy-news/chinese-hackers-target-taiwans-financial-trading-sector-with-supply-chain-attack-r4401/</link><description><![CDATA[<p>
	An advanced persistent threat (APT) group operating with objectives aligned with the Chinese government has been linked to an organized supply chain attack on Taiwan's financial sector.
</p>

<p>
	 
</p>

<p>
	The attacks are said to have first commenced at the end of November 2021, with the intrusions attributed to a threat actor tracked as APT10, also known as Stone Panda, the MenuPass group, and Bronze Riverside, and known to be active since at least 2009.
</p>

<p>
	 
</p>

<p>
	The second wave of attacks hit a peak between February 10 and 13, 2022, according to a new report published by Taiwanese cybersecurity firm CyCraft, which said the wide-ranging supply chain compromise specifically targeted the software systems of financial institutions, resulting in "abnormal cases of placing orders."
</p>

<p>
	 
</p>

<p>
	The infiltration activity, codenamed "Operation Cache Panda," exploited a vulnerability in the web management interface of the unnamed securities software that has a market share of over 80% in Taiwan, using it to deploy a web shell that acts as a conduit for implanting the Quasar RAT on the compromised system with the goal of stealing sensitive information.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="AVvXsEgg6_78m4oefp1DyMop9yIdBa1XdghntXQE" class="ipsImage" data-ratio="45.28" height="322" width="720" src="https://thehackernews.com/new-images/img/a/AVvXsEgg6_78m4oefp1DyMop9yIdBa1XdghntXQEr7M1DhI4HYR9tiqudGD-tj1bBrOISSdscwODW4A-lOpgyixg935oKpbEOHNPVMxykjgltKtjzJcbrNw6bbxXGwAhslf5RYiM168adKGBXXPPcRu3UU6Mq0IOGxJvJkUH_OGcWBKQ7yxuULsfIEo9OvCZ=s728-e1000" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Quasar RAT is a publicly available open-source remote access trojan (RAT) written in .NET. Its features include capturing screenshots, recording from the webcam, editing the registry, keylogging, and stealing passwords. In addition, the attacks leveraged a Chinese cloud file-sharing service called wenshushu.cn to download auxiliary tools.
</p>

<p>
	 
</p>

<p>
	The disclosure comes as Taiwan's Parliament, the Executive Yuan, unveiled draft amendments to national security laws aimed at combating Chinese economic and industrial espionage efforts. To that end, unapproved use of critical national technologies and trade secrets outside of the country could carry up to a 12-year prison sentence.
</p>

<p>
	 
</p>

<p>
	Furthermore, individuals and organizations that have been entrusted or subsidized by the Taiwanese government to conduct operations involving critical national technologies are expected to secure prior government approval for any trips to China, failing which could incur monetary fines of up to NT$10 million (~US$359,000).
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2022/02/chinese-hackers-target-taiwans.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">4401</guid><pubDate>Tue, 22 Feb 2022 15:10:18 +0000</pubDate></item><item><title>New Xenomorph Android malware targets customers of 56 banks</title><link>https://nsaneforums.com/news/security-privacy-news/new-xenomorph-android-malware-targets-customers-of-56-banks-r4387/</link><description><![CDATA[<p>
	A new malware called Xenomorph distributed through Google Play Store has infected more than 50,000 Android devices to steal banking information.
</p>

<p>
	 
</p>

<p>
	Still in early development stage, Xenomorph is targeting users of dozens of financial institutions in Spain, Portugal, Italy, and Belgium.
</p>

<p>
	 
</p>

<p>
	Researchers at fraud and cybercrime prevention company ThreatFabric, analyzing Xenomorph, found code similar to that of the Alien banking trojan. This suggests that the two threats are somehow connected: either Xenomorph is Alien's successor, or one developer has been working on both of them.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="xenomorph-alien.jpg" class="ipsImage" data-ratio="85.99" height="540" width="606" src="https://www.bleepstatic.com/images/news/u/1220909/Android%20malware/xenomorph-alien.jpg">
		</p>

		<figcaption>
			Code similarities between Xenomorph and Alien (ThreatFabric)
		</figcaption>
	</figure>
</div>

<p>
	Banking trojans like Xenomorph aim to steal sensitive financial information, take over accounts, and perform unauthorized transactions; their operators then sell the stolen data to interested buyers.
</p>

<h2>
	Sneaking into the Play Store
</h2>

<p>
	The Xenomorph malware entered the Google Play Store via generic performance-boosting applications such as the "Fast Cleaner", which counts 50,000 installations.
</p>

<p>
	 
</p>

<p>
	Such utilities are a classic lure used by banking trojans, Alien included, because there's always an interest in tools that promise to improve the performance of Android devices.
</p>

<p>
	 
</p>

<p>
	To evade rejection during Play Store application review, Fast Cleaner fetches the payload only after installation, so the app is clean at submission time.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="fast-cleaner.jpg" class="ipsImage" data-ratio="53.47" height="271" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Android%20malware/fast-cleaner.jpg">
		</p>

		<figcaption>
			Fast Cleaner on the Play Store (ThreatFabric)
		</figcaption>
	</figure>
</div>

<p>
	ThreatFabric recognized the application as a member of the "Gymdrop" dropper family, first discovered in November 2021, and observed pushing payloads that pose as Google Play, Chrome, or Bitcoin management apps.
</p>

<h2>
	Xenomorph capabilities
</h2>

<p>
	Xenomorph's functionality is not full-blown at this point, as the trojan is under heavy development. However, it still represents a significant threat as it can fulfill its info-stealing purpose and it targets no less than 56 different European banks.
</p>

<p>
	 
</p>

<p>
	For example, the malware can intercept notifications, log SMS, and use injections to perform overlay attacks, so it can already snatch credentials and one-time passwords used to protect banking accounts.
</p>

<p>
	 
</p>

<p>
	After its installation, the first action taken by the app is to send back a list of the installed packages on the infected device to load the suitable overlays.
</p>

<p>
	 
</p>

<p>
	To achieve the above, the malware requests the granting of Accessibility Service permissions upon installation, and then abuses the privileges to grant itself additional permissions as needed.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="permissions.jpg" class="ipsImage" data-ratio="89.58" height="516" width="576" src="https://www.bleepstatic.com/images/news/u/1220909/Android%20malware/permissions.jpg">
		</p>

		<figcaption>
			Trojanized app requesting Accessibility permissions (ThreatFabric)
		</figcaption>
	</figure>
</div>

<p>
	Examples of commands present in the code but not yet implemented refer to keylogging functions and behavioral data collection.
</p>

<p>
	 
</p>

<p>
	As the <a href="https://www.threatfabric.com/blogs/xenomorph-a-newly-hatched-banking-trojan.html" rel="external nofollow" target="_blank">ThreatFabric report</a> details:
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	Its Accessibility Engine is very detailed, and is designed with a modular approach in mind. It contains modules for each specific action required by the bot, and can be easily extended to support more functionalities. It would be unsurprising to see this bot sport semi-ATS capabilities in the very near future.
</p>

<p>
	 
</p>

<p>
	All in all, the malware may add next-level capabilities at any time, as only minor code implementations and modifications are required to activate extensive data siphoning functions.
</p>

<p>
	 
</p>

<p>
	ThreatFabric assesses that Xenomorph is not a strong threat at the moment due to its "under development" status. In time, though, it could reach its full potential, "comparable to other modern Android Banking trojans."
</p>

<p>
	 
</p>

<p>
	To steer clear of Android malware that lurks in the Play Store, users should avoid installing apps whose promises sound too good to be true. Checking other users' reviews can sometimes help avoid malicious apps.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/new-xenomorph-android-malware-targets-customers-of-56-banks/" rel="external nofollow">New Xenomorph Android malware targets customers of 56 banks</a>
</p>
]]></description><guid isPermaLink="false">4387</guid><pubDate>Mon, 21 Feb 2022 18:43:35 +0000</pubDate></item><item><title>How to Use Google Chrome's Enhanced Safety Mode</title><link>https://nsaneforums.com/news/security-privacy-news/how-to-use-google-chromes-enhanced-safety-mode-r4379/</link><description><![CDATA[<p>
	As soon as you dip a virtual toe in the online waters, you're exposing yourself to danger, whether from <a href="https://www.wired.com/2017/03/phishing-scams-fool-even-tech-nerds-heres-avoid/" rel="external nofollow">suspicious links</a>, dodgy downloads, data harvesters, or something else. The good news is that our web browsers have evolved to become more secure and savvy.
</p>

<p>
	 
</p>

<p>
	If Google Chrome is your browser of choice, you have access to <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://security.googleblog.com/2020/05/enhanced-safe-browsing-protection-now.html"}' data-offer-url="https://security.googleblog.com/2020/05/enhanced-safe-browsing-protection-now.html" href="https://security.googleblog.com/2020/05/enhanced-safe-browsing-protection-now.html" rel="external nofollow" target="_blank">an Enhanced Safe Browsing mode</a>, which you might not be aware of: It's essentially what it sounds like, an extra layer of protection that you're able to switch on if you want to be as cautious as possible.
</p>

<p>
	 
</p>

<p>
	Why wouldn't it be on by default? Well, when it's on, you'll share more data with Google about where you go and what you do online—data that Google says is only kept temporarily before being anonymized, but you can't be blamed for feeling like you've already given Google enough data as it is.
</p>

<p>
	 
</p>

<p>
	<img alt="Security-Google-Chrome-Enhanced-Safety-0" class="ipsImage" data-ratio="75.10" height="415" width="720" src="https://media.wired.com/photos/620ec223144fe1a7245d4e59/master/w_1600,c_limit/Security-Google-Chrome-Enhanced-Safety-01-download.jpg">
</p>

<figure>
	<figcaption data-event-boundary="click" data-event-click='{"pattern":"Caption"}' data-in-view='{"pattern":"Caption"}' data-include-experiments="true">
		<p>
			Suspicious downloads can be sent to Google, if you want.
		</p>
		Courtesy of Google
	</figcaption>
</figure>

<p>
	Enhanced Safe Browsing is for "users who require or want a more advanced level of security while browsing the web," Google says. For example, it uses what Google knows about past security issues to preemptively block new security threats that might not have been cataloged yet.
</p>


<p>
	More checks will be carried out on extensions you install and downloads you initiate. You'll get the option to send files flagged as suspicious to Google for further inspection if you're not sure about them. This might mean waiting a little longer to install something, but this extra caution reduces the risk of getting caught out by malware.
</p>


<p>
	The Enhanced Safe Browsing mode works on top of the security measures already built into Chrome. For example, as standard, the browser checks sites you visit against a list of URLs known to be dangerous—a list that's updated every 30 minutes. Turn on the additional security protections, and Chrome uses machine learning models to recognize bad sites even if they're not on the latest list.
</p>

<p>
	 
</p>

<p>
	Google says Enhanced Safe Browsing is also better able to thwart hacking attempts against your Google account by monitoring a broader range of signals. By default, it'll also check to see if your email addresses and passwords are included in any data breaches leaked out on the web—you'll be sent an alert if this happens.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/how-to-use-google-chrome-enhanced-safety-mode/" rel="external nofollow">How to Use Google Chrome's Enhanced Safety Mode</a>
</p>
]]></description><guid isPermaLink="false">4379</guid><pubDate>Sun, 20 Feb 2022 19:53:04 +0000</pubDate></item><item><title>Beware: New Kraken botnet easily fools Windows Defender and steals Crypto wallet data</title><link>https://nsaneforums.com/news/security-privacy-news/beware-new-kraken-botnet-easily-fools-windows-defender-and-steals-crypto-wallet-data-r4376/</link><description><![CDATA[<p>
	Microsoft recently made an update to the Windows Defender Exclusions permission whereby it is no longer possible <a href="https://www.neowin.net/news/microsoft-finally-makes-bypassing-defender-scans-harder-by-changing-exclusions-permission/" rel="external nofollow">to view the excluded folders and files without administrator rights</a>. This is a significant change, as threat actors would often use this information to deliver malicious payloads inside such excluded directories in order to bypass Defender scans.
</p>

<p>
	 
</p>

<p>
	However, this may not be able to stop a new botnet called Kraken, which was recently discovered by ZeroFox. That's because Kraken simply adds itself as an exclusion instead of looking for already-excluded locations in which to deliver the payload. This is a relatively simple and effective way to bypass Windows Defender scans.
</p>

<p>
	 
</p>

<p>
	ZeroFox has explained how this works:
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	During Kraken’s installation phase, it attempts to move itself into %AppData%\Microsoft.
</p>

<p style="margin-left: 40px;">
	[...]
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	To stay hidden, Kraken runs the following two commands:
</p>

<p style="margin-left: 40px;">
	 
</p>

<ol>
	<li>
		<p style="margin-left: 40px;">
			powershell -Command Add-MpPreference -ExclusionPath %APPDATA%\Microsoft
		</p>
	</li>
	<li>
		<p style="margin-left: 40px;">
			attrib +S +H %APPDATA%\Microsoft\
		</p>
	</li>
</ol>

<p>
	 
</p>

<p>
	ZeroFox noted that Kraken is mainly a stealer malware, similar to the recently discovered <a href="https://www.neowin.net/news/beware-microsoft-lookalike-windows-11-upgrade-website-is-actually-redline-malware-hub/" rel="external nofollow">Microsoft Windows 11 lookalike website</a>. The security firm adds that Kraken's capabilities now include the ability to steal information related to users' cryptocurrency wallets, reminiscent of the recent <a href="https://www.neowin.net/news/beware-fake-kmspico-windows-activator-carries-crypto-wallet-info-stealing-malware/" rel="external nofollow">fake KMSPico Windows activator malware</a>.
</p>

<p>
	 
</p>

<p>
	ZeroFox writes:
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	The most recent feature addition is the ability to steal various cryptocurrency wallets from the following locations:
</p>

<p style="margin-left: 40px;">
	 
</p>

<ul>
	<li>
		<p style="margin-left: 40px;">
			%AppData%\Zcash
		</p>
	</li>
	<li>
		<p style="margin-left: 40px;">
			%AppData%\Armory
		</p>
	</li>
	<li>
		<p style="margin-left: 40px;">
			%AppData%\bytecoin
		</p>
	</li>
	<li>
		<p style="margin-left: 40px;">
			%AppData%\Electrum\wallets
		</p>
	</li>
	<li>
		<p style="margin-left: 40px;">
			%AppData%\Ethereum\keystore
		</p>
	</li>
	<li>
		<p style="margin-left: 40px;">
			%AppData%\Exodus\exodus.wallet
		</p>
	</li>
	<li>
		<p style="margin-left: 40px;">
			%AppData%\Guarda\Local Storage\leveldb
		</p>
	</li>
	<li>
		<p style="margin-left: 40px;">
			%AppData%\atomic\Local Storage\leveldb
		</p>
	</li>
	<li>
		<p style="margin-left: 40px;">
			%AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
		</p>
	</li>
</ul>

<p>
	 
</p>

<p>
	You can find more details about how Kraken works in the <a href="https://www.zerofox.com/blog/meet-kraken-a-new-golang-botnet-in-development/" rel="external nofollow">official blog post</a>.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/beware-new-kraken-botnet-easily-fools-windows-defender-and-steals-crypto-wallet-data/" rel="external nofollow">Beware: New Kraken botnet easily fools Windows Defender and steals Crypto wallet data</a>
</p>
]]></description><guid isPermaLink="false">4376</guid><pubDate>Sun, 20 Feb 2022 08:31:43 +0000</pubDate></item><item><title>Linux is safer than its competitors because developers race to fix security flaws</title><link>https://nsaneforums.com/news/security-privacy-news/linux-is-safer-than-its-competitors-because-developers-race-to-fix-security-flaws-r4362/</link><description><![CDATA[<p>
	Linux as a platform is a lot more secure than Microsoft Windows and Apple macOS, according to new research by Google's Project Zero. The higher rating isn’t because Linux is inherently safe and secure. It is because developers maintaining the platform are hard at work fixing <a href="https://neow.in/ZGQ5ejU1" rel="external nofollow">security flaws</a>.
</p>

<p>
	 
</p>

<p>
	There have been quite a few <a href="https://neow.in/YjBucjRs" rel="external nofollow">discoveries</a> of security bugs and vulnerabilities within Linux. However, this does not mean the platform, powering millions of servers and home computers, is unsafe for daily use. Google’s Project Zero has published new research that shows <a href="https://googleprojectzero.blogspot.com/2022/02/a-walk-through-project-zero-metrics.html" target="_blank" rel="external nofollow">Linux's developers do a faster job of fixing security bugs</a> than anyone else. Surprisingly, developers working to maintain Linux seem to be faster than Google’s own in-house team.
</p>

<p>
	 
</p>

<p>
	The research team at Project Zero looked at fixed bugs that had been reported between January 2019 and December 2021. They discovered open-source programmers, on average, fixed Linux issues in just 25 days. Additionally, Linux's developers have been steadily reducing the days taken to patch security flaws. Back in 2019, developers patched flaws in a month’s time. Now, they often fix bugs within a fortnight.
</p>

<p>
	 
</p>

<p>
	During the same time, Apple took about 69 days, Google took 44 days, and Mozilla fixed bugs in about 46 days. Windows is currently the most popular operating system for home and office use, but it is concerning to note that Microsoft needed a little less than three months, on average, to fix security flaws.
</p>

<p>
	 
</p>

<p>
	The report also analyzed the time taken by developers to fix security vulnerabilities within mobile operating systems. Despite facing a lot more security threats, Apple managed to issue patches for iOS more quickly than Google did for Android.
</p>

<p>
	 
</p>

<p>
	Project Zero is Google's security research team. It hunts for security vulnerabilities and loopholes within a variety of platforms. When the team discovers a flaw, it gives <a href="https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-faq.html" target="_blank" rel="external nofollow">developers 90 days to fix security problems</a>. Researchers working in the team have indicated that overall, all companies are getting better and quicker at fixing bugs.
</p>

<p>
	 
</p>

<p>
	Source: <a href="https://www.zdnet.com/article/google-project-zero-finds-linux-developers-patch-security-holes-faster-than-anyone-else/" rel="external nofollow">ZDNet</a>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/linux-is-safer-than-its-competitors-because-developers-race-to-fix-security-flaws/" rel="external nofollow">Linux is safer than its competitors because developers race to fix security flaws</a>
</p>
]]></description><guid isPermaLink="false">4362</guid><pubDate>Sat, 19 Feb 2022 02:47:43 +0000</pubDate></item><item><title>New Golang botnet empties Windows users&#x2019; cryptocurrency wallets</title><link>https://nsaneforums.com/news/security-privacy-news/new-golang-botnet-empties-windows-users%E2%80%99-cryptocurrency-wallets-r4352/</link><description><![CDATA[<p>
	A new Golang-based botnet under active development has been ensnaring hundreds of Windows devices each time its operators deploy a new command and control (C2) server.
</p>

<p>
	 
</p>

<p>
	First spotted in October 2021 by ZeroFox researchers who dubbed it Kraken, this previously unknown botnet uses the <a href="https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader" rel="external nofollow" target="_blank">SmokeLoader</a> backdoor and malware downloader to spread to new Windows systems.
</p>

<p>
	 
</p>

<p>
	After infecting a new Windows device, the botnet adds a new Registry key to achieve persistence across system restarts. It also adds a Microsoft Defender exclusion to ensure that its installation directory is never scanned, and hides its binary from Windows Explorer using the hidden attribute.
</p>

<p>
	 
</p>

<p>
	Kraken has a limited and simplistic feature set, allowing attackers to download and execute additional malicious payloads on compromised devices, including the RedLine Stealer malware.
</p>

<p>
	 
</p>

<p>
	RedLine is currently <a href="https://www.bleepingcomputer.com/news/security/2easy-now-a-significant-dark-web-marketplace-for-stolen-data/" target="_blank" rel="external nofollow">the most widely deployed</a> information stealer capable of harvesting victims' passwords, browser cookies, credit card info, and cryptocurrency wallet info.
</p>

<p>
	 
</p>

<p>
	"Monitoring commands sent to Kraken victims from October 2021 through December 2021 revealed that the operator had focused entirely on pushing information stealers – specifically RedLine Stealer," ZeroFox said.
</p>

<p>
	 
</p>

<p>
	"It is currently unknown what the operator intends to do with the stolen credentials that have been collected or what the end goal is for creating this new botnet."
</p>

<h2>
	Built-in crypto wallet theft capabilities
</h2>

<p>
	However, the botnet also has built-in information theft capabilities and can steal crypto wallets before dropping other info stealers and cryptocurrency miners.
</p>

<p>
	 
</p>

<p>
	According to ZeroFox, Kraken can steal info from Zcash, Armory, Bytecoin, Electrum, Ethereum, Exodus, Guarda, Atomic, and Jaxx Liberty crypto wallets.
</p>

<p>
	 
</p>

<p>
	Based on info collected from the Ethermine cryptocurrency mining pool, this botnet seems to be adding roughly USD 3,000 every month to its masters' wallets.
</p>

<p>
	 
</p>

<p>
	"While in development, Kraken C2s seem to disappear often. ZeroFox has observed dwindling activity for a server on multiple occasions, only for another to appear a short time later using either a new port or a completely new IP," the researchers <a href="https://www.zerofox.com/blog/meet-kraken-a-new-golang-botnet-in-development/" rel="external nofollow" target="_blank">added</a>.
</p>

<p>
	 
</p>

<p>
	Nevertheless, "by using SmokeLoader to spread, Kraken quickly gains hundreds of new bots each time the operator changes the C2."
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/new-golang-botnet-empties-windows-users-cryptocurrency-wallets/" rel="external nofollow">New Golang botnet empties Windows users’ cryptocurrency wallets</a>
</p>
]]></description><guid isPermaLink="false">4352</guid><pubDate>Fri, 18 Feb 2022 21:20:09 +0000</pubDate></item><item><title>FCC proposes $45 million fine for health insurance robocaller</title><link>https://nsaneforums.com/news/security-privacy-news/fcc-proposes-45-million-fine-for-health-insurance-robocaller-r4351/</link><description><![CDATA[<p>
	The US Federal Communications Commission (FCC) today proposed the largest-ever fine against a robocaller for Telephone Consumer Protection Act violations.
</p>

<p>
	 
</p>

<p>
	The Commission wants to hit Florida-based lead generator Interstate Brokers with a $45 million TCPA fine for making more than 500,000 unlawful robocalls without an emergency purpose or the consumers' prior express consent.
</p>

<p>
	 
</p>

<p>
	The company allegedly used false claims about the COVID-19 pandemic to convince people to purchase health insurance products and offered health plans that included telemedicine services.
</p>

<p>
	 
</p>

<p>
	Consumers contacted in this illegal robocall campaign received pre-recorded voice messages on phone numbers collected while they were looking for health insurance quotes online or from third-party vendors.
</p>

<p>
	 
</p>

<p>
	If they answered the call, the automated system transferred them to call centers, where they were offered health insurance products from several insurance companies that had hired Interstate Brokers' services.
</p>

<p>
	 
</p>

<p>
	"The FCC’s Enforcement Bureau investigation found that Interstate Brokers made 514,196 robocalls to wireless phones and 271 telemarketing robocalls to landline phones in apparent violation of the Telephone Consumer Protection Act," the FCC press release <a href="https://www.fcc.gov/document/fcc-proposes-45-million-fine-against-robocalling-telemarketer" rel="external nofollow" target="_blank">reads</a>.
</p>

<p>
	 
</p>

<p>
	"The Bureau reviewed a sample of 10,000 calls, confirmed with the dialing platform provider that the calls were pre-recorded messages, and spoke to several recipients who confirmed they had not provided consent to be called. [..] This is the largest TCPA robocall fine ever proposed by the Commission."
</p>


<h2>
	TCPA and Do Not Call Registry violations
</h2>

<p>
	Many of these automated telemarketing calls were made to phone numbers without prior written consent as required under the Telephone Consumer Protection Act. 
</p>

<p>
	 
</p>

<p>
	Furthermore, some of these calls were also received by people on the <a href="https://www.donotcall.gov/" rel="external nofollow" target="_blank">Do Not Call Registry</a> that should've <a href="https://www.consumer.ftc.gov/articles/national-do-not-call-registry-faqs" rel="external nofollow" target="_blank">prevented unwanted sales calls</a>.
</p>

<p>
	 
</p>

<p>
	Today's proposal comes after an FCC order issued in May 2020 saying it <a href="https://www.bleepingcomputer.com/news/security/fcc-no-more-warnings-for-robocallers-before-fines/" target="_blank" rel="external nofollow">will no longer warn robocallers</a> before fining them for harassing US consumers and violating the law.
</p>

<p>
	 
</p>

<p>
	This order also increased the maximum penalty for each intentional unlawful robocall to $10,000, in addition to the FCC-proposed forfeiture penalty amount.
</p>

<p>
	 
</p>

<p>
	In the past, the Commission has also carried out other enforcement actions under the Truth in Caller ID Act targeting spoofed robocalls.
</p>

<p>
	 
</p>

<p>
	For instance, the FCC issued a <a href="https://www.fcc.gov/document/fcc-fines-massive-neighbor-spoofing-robocall-operation-120-million" rel="external nofollow" target="_blank">$120 million fine</a> in May 2018 against a Florida-based telemarketer for making approximately 100 million spoofed robocalls over three months.
</p>

<p>
	 
</p>

<p>
	In September 2018, the FCC issued an <a href="https://www.fcc.gov/document/fcc-fines-robocaller-82-million-illegally-spoofed-calls" rel="external nofollow" target="_blank">$82 million</a> penalty against a North Carolina-based health insurance telemarketer for over 21 million spoofed robocalls made to market health insurance plans.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/fcc-proposes-45-million-fine-for-health-insurance-robocaller/" rel="external nofollow">FCC proposes $45 million fine for health insurance robocaller</a>
</p>
]]></description><guid isPermaLink="false">4351</guid><pubDate>Fri, 18 Feb 2022 21:15:41 +0000</pubDate></item><item><title>WordPress force installs UpdraftPlus patch on 3 million sites</title><link>https://nsaneforums.com/news/security-privacy-news/wordpress-force-installs-updraftplus-patch-on-3-million-sites-r4350/</link><description><![CDATA[<p>
	WordPress has taken the rare step of force-updating the UpdraftPlus plugin on all sites to fix a high-severity vulnerability allowing website subscribers to download the latest database backups, which often contain credentials and PII.
</p>

<p>
	 
</p>

<p>
	Three million sites use the popular WordPress plugin, so the potential for exploitation was substantial, affecting a significant share of the internet, including large platforms.
</p>

<p>
	 
</p>

<p>
	The vulnerability affects UpdraftPlus versions 1.16.7 to 1.22.2, and the developers fixed it with the release of 1.22.3 or 2.22.3 for the (paid) Premium version.
</p>

<p>
	 
</p>

<p>
	The flaw was discovered by security researcher <a href="https://jetpack.com/2022/02/17/severe-vulnerability-fixed-in-updraftplus-1-22-3/" rel="external nofollow" target="_blank">Marc Montpas of Automattic</a>, is tracked as <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-0633" rel="external nofollow" target="_blank">CVE-2022-0633</a>, and carries a CVSS v3.1 score of 8.5.
</p>

<h2>
	Flaw and exploitation
</h2>

<p>
	UpdraftPlus helps simplify the process of backups and restoration with scheduled backup functions and an auto-download option to a trusted email address.
</p>

<p>
	 
</p>

<p>
	However, due to bugs found in the plugin, any low-level authenticated user can craft a valid link that would allow them to download the files.
</p>

<p>
	 
</p>

<p>
	The issue is improper validation of whether a user actually has the required privileges before being given access to a backup's nonce identifier and timestamps.
</p>

<p>
	 
</p>

<p>
	The attack starts by sending a heartbeat request containing a "data" parameter to obtain information about the most recent backup.
</p>

<div>
	<figure>
		<img alt="The heartbeat request that initiates the attack" src="https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/heartbeat.jpg">
		<figcaption>
			The heartbeat request that initiates the attack (Automattic)
		</figcaption>
	</figure>
</div>

<p>
	Having this info, the attacker triggers the "send backup via email" function after manipulating the endpoint request.
</p>

<p>
	 
</p>

<p>
	This function is normally restricted to administrators only, but because the permission check is missing, anyone with an account on the target site can access it without restriction.
</p>

<p>
	 
</p>

<p>
	Of course, the attacker would need to know how to download database backups, and for now, Updraft reports that they have seen no such cases in the wild.
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	"At this point in time, (the appearance of a PoC) relies upon a hacker reverse-engineering the changes in the latest UpdraftPlus release to work it out." - <a href="https://updraftplus.com/updraftplus-security-release-1-22-3-2-22-3/" rel="external nofollow" target="_blank">Updraft</a>.
</p>

<p>
	 
</p>

<p>
	As noted in the Automattic report, some indirect checks were still present in the vulnerable plugin versions, but those aren't enough to stop a skilled attacker.
</p>

<h2>
	Timeline and fixes
</h2>

<p>
	The flaw was discovered on February 14, 2022, and UpdraftPlus was notified immediately, while technical details followed the next day.
</p>

<p>
	 
</p>

<p>
	The response from the developers of the popular plugin was almost immediate, and on February 16, 2022, WordPress began force-upgrading installations to version 1.22.3.
</p>

<p>
	 
</p>

<p>
	According to the WordPress <a href="http://api.wordpress.org/stats/plugin/1.0/downloads.php?slug=updraftplus" rel="external nofollow" target="_blank">download stats</a> for this plugin, 783,000 installs were upgraded on the 16th and an additional 1.7 million were updated on the 17th.
</p>

<p>
	 
</p>

<p>
	Montpas told Bleeping Computer that this is one of those very rare and exceptionally severe cases where WordPress forces auto-updates on all sites regardless of their admins' settings.
</p>

<p>
	 
</p>

<p>
	If you want to update immediately to the secured version, you can manually apply the security update from the dashboard. The latest version available today is <a href="https://wordpress.org/plugins/updraftplus/" rel="external nofollow" target="_blank">1.22.4</a>, so this is the recommended one to use.
</p>

<p>
	 
</p>

<p>
	Note that this vulnerability introduces no risks for sites that don't support user logins of any kind or don't hold any backups.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/wordpress-force-installs-updraftplus-patch-on-3-million-sites/" rel="external nofollow">WordPress force installs UpdraftPlus patch on 3 million sites</a>
</p>
]]></description><guid isPermaLink="false">4350</guid><pubDate>Fri, 18 Feb 2022 21:12:44 +0000</pubDate></item><item><title>Conti ransomware gang takes over TrickBot malware operation</title><link>https://nsaneforums.com/news/security-privacy-news/conti-ransomware-gang-takes-over-trickbot-malware-operation-r4349/</link><description><![CDATA[<p>
	After four years of activity and numerous takedown attempts, the death knell of TrickBot has sounded as its top members move under new management, the Conti ransomware syndicate, who plan to replace it with the stealthier BazarBackdoor malware.
</p>

<p>
	 
</p>

<p>
	TrickBot is a Windows malware platform that uses multiple modules for various malicious activities, including information stealing, password stealing, infiltrating Windows domains, initial access to networks, and malware delivery.
</p>

<p>
	 
</p>

<p>
	<img alt="TrickBotOperations.jpg" class="ipsImage" data-ratio="70.00" height="497" width="710" src="https://www.bleepstatic.com/images/news/u/1100723/Malware/Trickbot/TrickBotOperations.jpg">
</p>

<p>
	 
</p>

<p>
	TrickBot has dominated the malware threat landscape since 2016, partnering with ransomware gangs and causing havoc on millions of devices worldwide.
</p>

<p>
	 
</p>

<p>
	<img alt="TrickBotDetections.jpg" class="ipsImage" data-ratio="76.16" height="540" width="652" src="https://www.bleepstatic.com/images/news/u/1100723/Malware/Trickbot/TrickBotDetections.jpg">
</p>

<p>
	 
</p>

<p>
	The Ryuk ransomware gang initially partnered with TrickBot for initial access to networks, but was replaced by the Conti ransomware gang, which has been using the malware for the past year to gain access to corporate networks.
</p>

<p>
	 
</p>

<p>
	It is estimated that the group handling TrickBot campaigns, an elite division known by the name Overdose, has made at least $200 million from its operations.
</p>

<h3>
	Conti takes over TrickBot operation
</h3>

<p>
	Researchers at cybercrime and adversarial disruption company Advanced Intelligence (<a href="https://www.advintel.io/" rel="external nofollow" target="_blank">AdvIntel</a>) noticed that in 2021 Conti had become the only beneficiary of TrickBot’s supply of high-quality network accesses.
</p>

<p>
	 
</p>

<p>
	By this time, TrickBot’s core team of developers had already created a stealthier piece of malware, <a href="https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/" rel="external nofollow">BazarBackdoor</a>, used primarily for remote access into valuable corporate networks where ransomware could be deployed.
</p>

<p>
	 
</p>

<p>
	As the TrickBot trojan had become easily detectable by antivirus vendors, the threat actors began switching to BazarBackdoor for initial access to networks as it was developed specifically to stealthily <a href="https://www.bleepingcomputer.com/news/security/bazarloader-used-to-deploy-ryuk-ransomware-on-high-value-targets/" rel="external nofollow">compromise high-value targets</a>.
</p>

<p>
	 
</p>

<p>
	However, by the end of 2021, Conti managed to attract “multiple elite developers and managers” of the TrickBot botnet, turning the operation into its subsidiary rather than a partner, AdvIntel notes in a report shared with BleepingComputer.
</p>

<p>
	 
</p>

<p>
	Based on internal Conti conversations that the researchers had access to and shared with BleepingComputer, AdvIntel says that BazarBackdoor moved from being part of TrickBot’s toolkit to a standalone tool whose development is controlled by the Conti ransomware syndicate.
</p>

<p>
	 
</p>

<p>
	The main admin for the Conti group said that they took over TrickBot. However, as the "bot is dead," they are moving Conti from TrickBot to BazarBackdoor as the primary way of gaining initial access.
</p>

<div>
	<p>
		 
	</p>

	<p>
		“After being “acquired” by Conti, [TrickBot leaders] are now rich in prospects with secure ground beneath them, and Conti will always find a way to make use of the available talent” - <a href="https://www.advintel.io/post/the-trickbot-saga-s-finale-has-aired-but-a-spinoff-is-already-in-the-works" rel="external nofollow" target="_blank">AdvIntel</a>
	</p>
</div>

<p>
	 
</p>

<p>
	Ever since its launch, the Conti operation maintained a code of conduct that allowed it to rise as one of the most resilient and lucrative ransomware groups, unfazed by <a href="https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-29th-2021-making-arrests/" rel="external nofollow">law enforcement crackdowns on its competitors</a>.
</p>

<p>
	 
</p>

<p>
	AdvIntel says that the group was able to run their normal cybercriminal business by adopting a “trust-based, team-based” model instead of working with random affiliates that would cause action from law enforcement due to the organizations they hit.
</p>

<p>
	 
</p>

<p>
	While TrickBot malware detections will become less common, AdvIntel's recent findings show that the operation is not finished and it just moved to a new control group that takes it to the next level with malware better suited for high-value targets.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/conti-ransomware-gang-takes-over-trickbot-malware-operation/" rel="external nofollow">Conti ransomware gang takes over TrickBot malware operation</a>
</p>
]]></description><guid isPermaLink="false">4349</guid><pubDate>Fri, 18 Feb 2022 21:10:11 +0000</pubDate></item><item><title>Google makes &#x2018;Privacy Sandbox' for Android stringent but changes could take multiple years</title><link>https://nsaneforums.com/news/security-privacy-news/google-makes-%E2%80%98privacy-sandbox-for-android-stringent-but-changes-could-take-multiple-years-r4329/</link><description><![CDATA[<p>
	Google is taking the ‘<a href="https://neow.in/NHo0dDc4" rel="external nofollow">Privacy Sandbox</a>’ feature from Chrome and applying it to its Android operating system. The feature currently limits tracking across websites in Chrome and would, theoretically, do the same for apps and web services that users access on their Android smartphones.
</p>

<p>
	 
</p>

<p>
	Several smartphone users and privacy advocates have long complained that Android is a lot less privacy-friendly than it should be. Apple claims, ‘What happens on iPhone, stays on an iPhone’, but this isn’t absolutely accurate either. Still, Apple seems to zealously promote the privacy and security aspect of iOS. With Privacy Sandbox, Google could be doing the same for Android.
</p>

<p>
	 
</p>

<p>
	Google has made an <a href="https://blog.google/products/android/introducing-privacy-sandbox-android/" rel="external nofollow">official announcement</a> about adopting new privacy restrictions that will cut tracking across apps on its Android devices. The search giant indicated it is developing multiple approaches, but the primary focus seems to be on “Advertising ID”, which is a unique string of characters that identifies every user’s device. Anthony Chavez, Google’s vice president of Product Management, Android Security and Privacy, said:
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	Today, we’re announcing a multiyear initiative to build the privacy sandbox on Android, with the goal of introducing new, more private advertising solutions. Specifically, these solutions will limit sharing of user data with third parties and operate without cross-app identifiers, including advertising ID.
</p>

<p>
	 
</p>

<p>
	Google has indicated that <a href="https://privacysandbox.com/" target="_blank" rel="external nofollow">Privacy Sandbox</a> is both a set of standards and a pledge. Under the initiative, the company has promised to develop new tech tools that will eventually limit tracking across the company’s multiple products and platforms. For a company that depends heavily on advertising revenue, such assurances are surprising, if not downright unbelievable.
</p>

<p>
	 
</p>

<p>
	Apple’s approach to privacy, with "<a href="https://neow.in/NHphNW1p" rel="external nofollow">App Tracking Transparency</a>", angered several tech giants, including Facebook (now Meta). Google, on the other hand, is <a href="https://neow.in/YXpramUz" rel="external nofollow">attempting to please both sides</a>. The company <a href="https://www.digitaltrends.com/mobile/google-android-tracking-privacy-sandbox/" rel="external nofollow">reportedly</a> mentioned it has worked with third-party developers to ensure that while the general public has a more private experience, its partners would not be adversely affected.
</p>

<p>
	 
</p>

<p>
	Google may seem non-committal about the roadmap of Privacy Sandbox for Android. But Chavez did indicate that the Android OS should receive privacy-focused features, presumably under the Privacy Sandbox initiative, in the next two years.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/google-makes-privacy-sandbox039-for-android-stringent-but-changes-could-take-multiple-years/" rel="external nofollow">Google makes ‘Privacy Sandbox' for Android stringent but changes could take multiple years</a>
</p>
]]></description><guid isPermaLink="false">4329</guid><pubDate>Thu, 01 Jan 1970 00:00:00 +0000</pubDate></item><item><title>Flood of malicious junk traffic makes Ukrainian websites unreachable</title><link>https://nsaneforums.com/news/security-privacy-news/flood-of-malicious-junk-traffic-makes-ukrainian-websites-unreachable-r4317/</link><description><![CDATA[<div itemprop="articleBody">
	
	<p>
		Ukraine's defense ministry and two banks were knocked offline on Tuesday by a flood of malicious traffic designed to prevent people from visiting the sites, Ukraine's information security center said.
	</p>

	<p>
		 
	</p>

	<p>
		The distributed denial-of-service attacks targeted the websites for <a href="https://www.mil.gov.ua/en/" rel="external nofollow">Ukraine's defense ministry</a>, the Armed Forces of Ukraine, and two banks, Privatbank and Oschadbank, the country's State Service for Special Communication and Information Protection <a href="https://cip.gov.ua/en/news/shodo-kiberataki-na-saiti-viiskovikh-struktur-ta-derzhavnikh-bankiv" rel="external nofollow">reported</a>. At the time this post was being reported, the Defense Ministry site remained completely unreachable. Meanwhile, only the <a href="https://privatbank.ua/" rel="external nofollow">homepage</a> for PrivatBank was available, and it was defaced. Oschadbank's <a href="https://online.oschadbank.ua/wb/" rel="external nofollow">site</a> provided only limited access.
	</p>

	<figure>
		<img alt="privatbank.jpg" class="ipsImage" data-ratio="29.31" height="151" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2022/02/privatbank.jpg">
		<figcaption>
			 
		</figcaption>
	</figure>

	<p>
		The malicious data floods were also reported by the Ukrainian cyberpolice, but at the time this post was being reported, attempts to visit most of the department's website were unsuccessful. The <a href="https://cyberpolice.gov.ua/#/" rel="external nofollow">homepage</a> said: "We apologize for the inconvenience. The site is under maintenance."
	</p>

	<figure>
		<img alt="cyberpolice-outage-640x392.jpg" class="ipsImage" data-ratio="61.25" height="392" width="640" src="https://cdn.arstechnica.net/wp-content/uploads/2022/02/cyberpolice-outage-640x392.jpg">
		<figcaption>
			 
		</figcaption>
	</figure>

	<p>
		On Twitter, department personnel also <a href="https://twitter.com/CyberpoliceUA/status/1493578811492950020" rel="external nofollow">said</a> they had identified individuals who were sending texts reporting fraudulent ATM failures. Ukraine's Security Service <a href="https://ssu.gov.ua/en/" rel="external nofollow">website</a> was also not loading.
	</p>

	<h2>
		No pizza for you
	</h2>

	<p>
		Campaigns that use DDoSes (short for distributed denial-of-service) deliver torrents of junk traffic that are intended to overwhelm targets so they are unable to deliver services. DDoSes can be difficult to stop because they are delivered by large numbers of devices distributed in a wide geographic region.
	</p>

	<p>
		They're analogous to flooding a pizza parlor with so many calls that it's unable to accept orders from customers.
	</p>

	<p>
		 
	</p>

	<p>
		While DDoSes have the capacity to paralyze websites or even <a href="https://arstechnica.com/information-technology/2016/10/inside-the-machine-uprising-how-cameras-dvrs-took-down-parts-of-the-internet/" rel="external nofollow">huge swaths of the Internet</a>, the disruptions they cause are temporary and usually last only as long as the responsible party continues to deliver the torrent or until a DDoS mitigation service filters out the junk traffic.
	</p>

	<p>
		 
	</p>

	<p>
		Network observability company Kentik has been tracking Internet traffic flowing through Ukraine. Graphs showed the DDoSes starting on Tuesday, when the volume of traffic to various targets suddenly spiked by orders of magnitude. AS28907, the <a href="https://www.cloudflare.com/learning/network-layer/what-is-an-autonomous-system/" rel="external nofollow">autonomous system</a> that hosts the Ukrainian Army, was hit by three waves, as the following two images show:
	</p>

	<figure>
		<figcaption>
			<div>
				<img alt="mirohost-simple-640x305.jpg" class="ipsImage" data-ratio="47.66" height="305" width="640" src="https://cdn.arstechnica.net/wp-content/uploads/2022/02/mirohost-simple-640x305.jpg">
			</div>

			<div>
				A simple overview of traffic received.
			</div>

			<div>
				Kentik
			</div>

			<div>
				 
			</div>

			<div>
				<img alt="mirohost-long-640x431.jpeg" class="ipsImage" data-ratio="67.34" height="431" width="640" src="https://cdn.arstechnica.net/wp-content/uploads/2022/02/mirohost-long-640x431.jpeg">
			</div>
		</figcaption>
	</figure>

	<figure>
		<figcaption>
			<div>
				The same DDoS with more detail.
			</div>

			<div>
				Kentik
			</div>
		</figcaption>
	</figure>

	<p>
		AS60173 and AS15742, which host Oschadbank and PrivatBank respectively, saw similar floods:
	</p>

	<figure>
		<figcaption>
			<div>
				<img alt="as60173-ddos-640x337.jpeg" class="ipsImage" data-ratio="52.66" height="337" width="640" src="https://cdn.arstechnica.net/wp-content/uploads/2022/02/as60173-ddos-640x337.jpeg">
			</div>

			<div>
				Kentik
			</div>

			<div>
				 
			</div>

			<div>
				<img alt="as15724-ddos-640x337.jpg" class="ipsImage" data-ratio="52.66" height="337" width="640" src="https://cdn.arstechnica.net/wp-content/uploads/2022/02/as15724-ddos-640x337.jpg">
			</div>
		</figcaption>
	</figure>

	<figure>
		<figcaption>
			<div>
				Kentik
			</div>
		</figcaption>
	</figure>

	<p>
		The DDoSes arrived as Russia has amassed more than 100,000 soldiers at its border with Ukraine. There's no evidence the Russian government or citizens are behind the cyber actions, but a statement from Ukraine's Center for Strategic Communications and Information Security <a href="https://www.facebook.com/StratcomCentreUA/posts/290808713119116" rel="external nofollow">posted on Facebook</a> hinted at who it suspected.
	</p>

	<p>
		 
	</p>

	<p>
		"It is not ruled out that the aggressor used tactics of little dirty tricks because its aggressive plans are not working out on a large scale," the center officials wrote in a rough translation.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/information-technology/2022/02/torrents-of-malicious-junk-traffic-make-ukrainian-websites-unreachable/" rel="external nofollow">Flood of malicious junk traffic makes Ukrainian websites unreachable</a>
</p>
]]></description><guid isPermaLink="false">4317</guid><pubDate>Wed, 16 Feb 2022 04:44:47 +0000</pubDate></item><item><title>Google Chrome emergency update fixes zero-day exploited in attacks</title><link>https://nsaneforums.com/news/security-privacy-news/google-chrome-emergency-update-fixes-zero-day-exploited-in-attacks-r4300/</link><description><![CDATA[<p>
	Google has released Chrome 98.0.4758.102 for Windows, Mac, and Linux, to fix a high-severity zero-day vulnerability used by threat actors in attacks.
</p>

<p>
	 
</p>

<p>
	"Google is aware of reports that an exploit for CVE-2022-0609 exists in the wild," Google said in a <a href="https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html" rel="external nofollow" target="_blank">security advisory</a> released today.
</p>

<p>
	 
</p>

<p>
	Google states that the Chrome update will roll out over the coming weeks. However, it is possible to install the update immediately simply by going into the Chrome menu &gt; Help &gt; About Google Chrome.
</p>

<p>
	 
</p>

<p>
	The browser will also automatically check for new updates and install them the next time you close and relaunch Google Chrome.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="chrome-98.jpg" class="ipsImage" data-ratio="41.81" height="249" width="720" src="https://www.bleepstatic.com/images/news/web-browsers/chrome/chrome-98.jpg">
		</p>

		<figcaption>
			Google Chrome 98 update
		</figcaption>
	</figure>
</div>

<h2>
	Zero-day details not disclosed
</h2>

<p>
	The zero-day bug fixed today, tracked as CVE-2022-0609, is described as a "Use after free in Animation" and was assigned a High severity level.
</p>

<p>
	 
</p>

<p>
	This vulnerability was discovered by Clément Lecigne from Google's Threat Analysis Group.
</p>

<p>
	 
</p>

<p>
	Attackers commonly exploit use-after-free bugs to execute arbitrary code on computers running unpatched Chrome versions or to escape the browser's security sandbox.
</p>

<p>
	 
</p>

<p>
	While Google said they have detected attacks exploiting this zero-day, it did not share any additional info regarding these incidents or technical details about the vulnerability.
</p>

<p>
	 
</p>

<p>
	"Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Google added.
</p>

<p>
	 
</p>

<p>
	In addition to the zero-day, this Google Chrome update fixed seven other security vulnerabilities, all but one classified as 'High' severity.
</p>

<h2>
	First Chrome zero-day fixed this year
</h2>

<p>
	With this update, Google has addressed the first Chrome zero-day since the start of 2022.
</p>

<p>
	 
</p>

<p>
	However, we will likely see many more disclosed as the year goes on as there were a total of 16 zero-days patched in 2021:
</p>

<p>
	 
</p>

<ul>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/google-fixes-chrome-zero-day-actively-exploited-in-the-wild/" rel="external nofollow" target="_blank">CVE-2021-21148</a> - February 4th
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/google-fixes-second-actively-exploited-chrome-zero-day-bug-this-year/" rel="external nofollow" target="_blank">CVE-2021-21166</a> - March 2nd
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/google-fixes-second-actively-exploited-chrome-zero-day-this-month/" rel="external nofollow" target="_blank">CVE-2021-21193</a> - March 12th
	</li>
	<li>
		<a href="https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop.html" rel="external nofollow" target="_blank">CVE-2021-21220</a> - April 13th
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/google-fixes-exploited-chrome-zero-day-dropped-on-twitter-last-week/" rel="external nofollow" target="_blank">CVE-2021-21224</a> - April 20th
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/google-fixes-sixth-chrome-zero-day-exploited-in-the-wild-this-year/" rel="external nofollow" target="_blank">CVE-2021-30551</a> - June 9th
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/google-fixes-seventh-chrome-zero-day-exploited-in-the-wild-this-year/" rel="external nofollow" target="_blank">CVE-2021-30554</a> - June 17th
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/google-patches-8th-chrome-zero-day-exploited-in-the-wild-this-year/" rel="external nofollow" target="_blank">CVE-2021-30563</a> - July 15th
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/google/google-patches-10th-chrome-zero-day-exploited-in-the-wild-this-year/" rel="external nofollow" target="_blank">CVE-2021-30632 and CVE-2021-30633</a> - September 13th
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/emergency-google-chrome-update-fixes-zero-day-exploited-in-the-wild/" rel="external nofollow" target="_blank">CVE-2021-37973</a> - September 24th
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/google-pushes-emergency-chrome-update-to-fix-two-zero-days/" rel="external nofollow" target="_blank">CVE-2021-37976 and CVE-2021-37975</a> - September 30th
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/google/emergency-google-chrome-update-fixes-zero-days-used-in-attacks/" rel="external nofollow" target="_blank">CVE-2021-38000 and CVE-2021-38003</a> - October 28th
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/google-pushes-emergency-chrome-update-to-fix-zero-day-used-in-attacks/" rel="external nofollow" target="_blank">CVE-2021-4102</a> - December 13th
	</li>
</ul>

<p>
	 
</p>

<p>
	Because this zero-day is known to have been used by attackers in the wild, it is strongly recommended that everyone install today's Google Chrome update as soon as possible.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/google-chrome-emergency-update-fixes-zero-day-exploited-in-attacks/" rel="external nofollow">Google Chrome emergency update fixes zero-day exploited in attacks</a>
</p>

<p>
	 
</p>

<p>
	<strong>Frontpage</strong>:   <a href="https://nsaneforums.com/topic/423871-google-chrome-9804758102/" rel="">Google Chrome 98.0.4758.102</a>
</p>
]]></description><guid isPermaLink="false">4300</guid><pubDate>Tue, 15 Feb 2022 03:49:27 +0000</pubDate></item><item><title>Romance scammers collected $139 million in crypto last year</title><link>https://nsaneforums.com/news/security-privacy-news/romance-scammers-collected-139-million-in-crypto-last-year-r4286/</link><description><![CDATA[<div>
	<div>
		<p>
			<strong>Victims lost more in crypto than any other form of payment </strong>
		</p>
	</div>
</div>

<div>
	<div>
		<div>
			 
		</div>

		<div>
			<p id="qiFiOW">
				Romance scammers made off with a total of $139 million in cryptocurrency last year, five times more than the amount stolen in 2020, according to a <a href="https://www.ftc.gov/news-events/blogs/data-spotlight/2022/02/reports-romance-scams-hit-record-highs-2021" rel="external nofollow">new report from the Federal Trade Commission</a> (FTC). Cryptocurrency payments made up the largest fraction of the $547 million lost to scammers in 2021, with victims losing $9,770 in crypto on average.
			</p>

			<p>
				 
			</p>

			<p id="5eEhtK">
				Romance scammers (whom we could probably also call catfishers) often create fake social profiles using pictures taken from the internet, and then trick victims into sending them money, the FTC explains. They may claim to need money for some sort of financial crisis, but even more interestingly, some scammers pretend to be “financial experts” who promise to invest their victims’ money in cryptocurrency or the stock market.
			</p>

			<p>
				 
			</p>

			<p id="N3ykMU">
				Outside of crypto, gift cards were romance scammers’ most commonly requested form of payment — 28 percent of victims paid their “lover” with one, amounting to a total of $36 million lost, the FTC said. Victims also paid a total of $121 million through bank transfers and other forms of payments, and paid $93 million through wire transfers.
			</p>

			<p>
				 
			</p>

			<p id="nov5DQ">
				As the FTC notes, there are some red flags to watch out for that may indicate you’re being scammed; when anyone you’ve met online asks for payment in gift cards, crypto, or through wire transfer, it’s best to decline their request. And if you’re suspicious that someone may be catfishing you, just run their profile picture through a reverse image search to see if it’s been used elsewhere.
			</p>

			<p>
				 
			</p>

			<p id="YjLUEu">
				And remember that romance scams aren’t the only way fraudsters fool people into sending cryptocurrency. Last year, <a href="https://www.theverge.com/2021/11/5/22765900/crypto-scam-fbi-psa-atm-qr-code-wire-transfer-con-artist" rel="external nofollow">the FBI warned the public</a> about a scam where bad actors convinced victims to put their cash into cryptocurrency ATMs and then sent newly purchased coins to the scammer via a QR code. In that scenario, scammers used promises of wealth or love, or impersonated financial institutions to reel in their victims.
			</p>
		</div>
	</div>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.theverge.com/2022/2/14/22933056/crypto-romance-scammers-139-million-fraud" rel="external nofollow">Romance scammers collected $139 million in crypto last year</a>
</p>
]]></description><guid isPermaLink="false">4286</guid><pubDate>Mon, 14 Feb 2022 21:21:27 +0000</pubDate></item><item><title>You may soon disable individual compromised password warnings in Chrome</title><link>https://nsaneforums.com/news/security-privacy-news/you-may-soon-disable-individual-compromised-password-warnings-in-chrome-r4275/</link><description><![CDATA[<p>
	Chrome users who use the web browser to save passwords get warnings if any saved passwords were found in leaks. Users may use the information to change the account password or delete the entire account to avoid account takeovers.
</p>

<p>
	 
</p>

<p>
	<img alt="chrome-mute-password-leak-warnings.webp" class="ipsImage" data-ratio="75.10" height="379" width="720" src="https://www.ghacks.net/wp-content/uploads/2022/02/chrome-mute-password-leak-warnings.webp">
</p>


<p>
	Soon, Chrome users may be able to mute these warnings for individual passwords. While it is already possible to disable the warning for all passwords by disabling the feature, some Chrome users may want to disable them for individual passwords instead.
</p>

<p>
	 
</p>

<p>
	Tip: to turn password checks off completely visit chrome://settings/security and disable "warn you if passwords are exposed in a data breach".
</p>

<p>
	 
</p>

<p>
	Default passwords for local services are a good example. If you have saved the default username and password combination for a local service or device, Chrome may detect it as breached. While that may indeed be the case, it may not pose a threat because of the local nature of the service.
</p>

<p>
	 
</p>

<p>
	Google is testing a new feature that gives users control over individual password leak warnings. Called "Mute &amp; Unmute compromised passwords in bulk leak check", it currently has to be enabled manually, as it is still an experimental feature at this time.
</p>

<p>
	 
</p>

<ol>
	<li>
		Load chrome://flags/#mute-compromised-passwords in the Google Chrome address bar.
	</li>
	<li>
		Set the flag of Mute &amp; Unmute compromised passwords in bulk leak check to enabled.
	</li>
	<li>
		Restart the Google Chrome browser.
	</li>
</ol>

<p>
	 
</p>

<p>
	Once restarted, do the following to use the new functionality:
</p>

<p>
	 
</p>

<ol>
	<li>
		Select Menu &gt; Settings &gt; Autofill &gt; Passwords, or load chrome://settings/passwords directly.
	</li>
	<li>
		Select the Check Passwords option to run a check for compromised and weak passwords.
	</li>
</ol>

<p>
	 
</p>

<p>
	Compromised and weak passwords that are found during the scan are listed by Google under the Compromised Password and Weak passwords sections.
</p>

<p>
	 
</p>

<p>
	The two listings separate passwords found in data breaches (compromised) from passwords that are considered weak. Weak passwords have not been compromised, but it is usually trivial to gain access to the account because of the weak nature of the password.
</p>

<p>
	 
</p>

<p>
	To mute a compromised password, select the "change password" button next to the password in question and activate the "dismiss warning" context menu option. Similarly, if you want to restore a warning, repeat the process but select "restore warning" this time for the selected password.
</p>

<h3>
	Closing Words
</h3>

<p>
	Chrome users may use the new functionality to suppress the warnings that Chrome displays when compromised or weak passwords are found, which is useful where a warning is known to be a false alarm, such as a default credential for a local device.
</p>

<p>
	 
</p>

<p>
	The feature is experimental at this point and there is a chance that it won't make it into the stable version of Chrome.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2022/02/13/you-may-soon-disable-individual-compromised-password-warnings-in-chrome/" rel="external nofollow">You may soon disable individual compromised password warnings in Chrome</a>
</p>
]]></description><guid isPermaLink="false">4275</guid><pubDate>Sun, 13 Feb 2022 20:36:10 +0000</pubDate></item><item><title>Microsoft is making it harder to steal Windows passwords from memory</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-is-making-it-harder-to-steal-windows-passwords-from-memory-r4274/</link><description><![CDATA[<p>
	Microsoft is enabling a Microsoft Defender 'Attack Surface Reduction' security rule by default to block hackers' attempts to steal Windows credentials from the LSASS process.
</p>

<p>
	 
</p>

<p>
	When threat actors compromise a network, they attempt to spread laterally to other devices by stealing credentials or using exploits.
</p>

<p>
	 
</p>

<p>
	One of the most common methods to steal Windows credentials is to gain admin privileges on a compromised device and then dump the memory of the Local Security Authority Subsystem Service (LSASS) process running in Windows.
</p>

<p>
	 
</p>

<p>
	This memory dump contains the NTLM hashes of the credentials of users who have logged into the computer; these hashes can be cracked offline to recover clear-text passwords or used directly in <a href="https://attack.mitre.org/techniques/T1550/002/" rel="external nofollow" target="_blank">Pass-the-Hash attacks</a> to log in to other devices.
</p>

<p>
	 
</p>

<p>
	A demonstration of how threat actors can use the popular Mimikatz program to dump NTLM hashes from LSASS is shown below.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="mimikatz-dump-credentials.jpg" class="ipsImage" data-ratio="75.10" height="421" width="720" src="https://www.bleepstatic.com/images/news/Microsoft/a/attack-surface-reduction/block-lsass-dumps-by-default/mimikatz-dump-credentials.jpg">
		</p>

		<figcaption>
			Dumping NTLM credentials from an LSASS dump using mimikatz<br>
			Source: BleepingComputer
		</figcaption>
	</figure>
</div>

<p>
	While Microsoft Defender blocks programs like Mimikatz, an LSASS memory dump can still be transferred to a remote computer, where the credentials can be extracted from it without fear of being blocked.
</p>

<h2>
	Microsoft Defender's ASR to the rescue
</h2>

<p>
	To prevent threat actors from abusing LSASS memory dumps, Microsoft has introduced security features that prevent access to the LSASS process.
</p>

<p>
	 
</p>

<p>
	One of these security features is Credential Guard, which isolates the LSASS process in a virtualized container that prevents other processes from accessing it.
</p>

<p>
	 
</p>

<p>
	However, this feature can lead to conflicts with drivers or applications, causing some organizations not to enable it.
</p>

<p>
	 
</p>

<p>
	As a way to mitigate Windows credential theft without causing the conflicts introduced by Credential Guard, Microsoft will soon be enabling a Microsoft Defender <a href="https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-credential-stealing-from-the-windows-local-security-authority-subsystem" rel="external nofollow" target="_blank">Attack Surface Reduction (ASR) rule</a> by default.
</p>

<p>
	 
</p>

<p>
	The rule, 'Block credential stealing from the Windows local security authority subsystem,' prevents processes from opening the LSASS process and dumping its memory, even if they have administrative privileges.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="dump-blocked.jpg" class="ipsImage" data-ratio="75.10" height="456" width="720" src="https://www.bleepstatic.com/images/news/Microsoft/a/attack-surface-reduction/block-lsass-dumps-by-default/dump-blocked.jpg">
		</p>

		<figcaption>
			ASR rule blocking Process Explorer from dumping the LSASS process<br>
			Source: BleepingComputer
		</figcaption>
	</figure>
</div>

<p>
	As Attack Surface Reduction rules tend to introduce false positives and a lot of noise in Event Logs, Microsoft had previously not enabled the security feature by default.
</p>

<p>
	 
</p>

<p>
	However, Microsoft has recently begun to choose security over convenience by removing common features used by admins and Windows users that increase the attack surface.
</p>

<p>
	 
</p>

<p>
	For example, Microsoft recently announced that they would <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-plans-to-kill-malware-delivery-via-office-macros/" target="_blank" rel="external nofollow">prevent VBA macros in downloaded Office documents</a> from being enabled within Office applications in April, killing off a popular distribution method for malware.
</p>

<p>
	 
</p>

<p>
	This week, we also learned that Microsoft had <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-starts-killing-off-wmic-in-windows-will-thwart-attacks/" target="_blank" rel="external nofollow">begun the deprecation of the WMIC tool</a> that threat actors commonly use to install malware and run commands.
</p>

<h2>
	Not a complete solution but a great start
</h2>

<p>
	While enabling the ASR rule by default will significantly impact the stealing of Windows credentials, it is not a silver bullet by any means.
</p>

<p>
	 
</p>

<p>
	This is because the full Attack Surface Reduction feature is only supported on Windows Enterprise licenses running Microsoft Defender as the primary antivirus. However, BleepingComputer's tests show that the LSASS ASR rule also works on Windows 10 and Windows 11 Pro clients.
</p>

<p>
	 
</p>

<p>
	Unfortunately, once another antivirus solution is installed, ASR is immediately disabled on the device.
</p>

<p>
	 
</p>

<p>
	Furthermore, security researchers have discovered built-in Microsoft Defender exclusion paths; threat actors who run their tools from those file names or directories can bypass the ASR rules and continue to dump the LSASS process.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedOther" contenteditable="false">
	<iframe allowfullscreen="" class="ipsEmbed_finishedLoading" data-controller="core.front.core.autosizeiframe" data-embedid="embed9013712547" scrolling="no" src="https://nsaneforums.com/index.php?app=core&amp;module=system&amp;controller=embed&amp;url=https://twitter.com/_xpn_/status/1491557187168178176?ref_src=twsrc%255Etfw%257Ctwcamp%255Etweetembed%257Ctwterm%255E1491557187168178176%257Ctwgr%255E%257Ctwcon%255Es1_%26ref_url=https://www.bleepingcomputer.com/news/microsoft/microsoft-is-making-it-harder-to-steal-windows-passwords-from-memory/" style="overflow: hidden; height: 622px;"></iframe>
</div>

<p>
	 
</p>

<p>
	Mimikatz developer Benjamin Delpy told BleepingComputer that Microsoft probably added these built-in exclusions for another rule, but as exclusions affect ALL rules, it bypasses the LSASS restriction.
</p>

<p>
	 
</p>

<p>
	"For example, if they want to exclude a directory from the rule, "Block executable files from running unless they meet a prevalence, age, or trusted list criterion," it's not possible for this rule only. Exclusion is for ALL of the ASR rules... including LSASS access", Delpy explained to BleepingComputer in a conversation about the upcoming changes.
</p>

<p>
	 
</p>

<p>
	However, even with all of these issues, Delpy sees this change as a major step forward by Microsoft and believes it will significantly impact a threat actor's ability to steal Windows credentials.
</p>

<p>
	 
</p>

<p>
	"It's something we have asked for years (decades?). It's a good step and I'm very happy to see that + Macro disabled by default when coming from the Internet. We now start to see measures really related to real world attacks," continued Delpy.
</p>

<p>
	 
</p>

<p>
	"There is no legitimate reason to support a process opening the LSASS process... only to support buggy / legacy / crappy products - most of the time - related to authentication :')."
</p>

<p>
	 
</p>

<p>
	BleepingComputer has reached out to Microsoft to learn more about when this rule will be enabled by default but has not heard back.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-is-making-it-harder-to-steal-windows-passwords-from-memory/" rel="external nofollow">Microsoft is making it harder to steal Windows passwords from memory</a>
</p>
]]></description><guid isPermaLink="false">4274</guid><pubDate>Sun, 13 Feb 2022 20:30:40 +0000</pubDate></item></channel></rss>
