To that end, the National Commission on Informatics and Liberty (CNIL) ruled that the transatlantic movement of Google Analytics data to the U.S. is not "sufficiently regulated" citing a violation of Articles 44 et seq. of the data protection decree, which govern the transfers of personal data to third countries or international entities.

Specifically the independent administrative regulatory body highlighted the lack of equivalent privacy protections and the risk that "American intelligence services would access personal data transferred to the United States if the transfers were not properly regulated."

"[A]lthough Google has adopted additional measures to regulate data transfers in the context of the Google Analytics functionality, these are not sufficient to exclude the accessibility of this data for U.S. intelligence services," the CNIL said. "There is therefore a risk for French website users who use this service and whose data is exported."

As part of the order, the CNIL recommended one of the offending websites to adhere to the GDPR by ceasing to utilize the Google Analytics functionality or by using an alternative website traffic monitoring tool that does not involve a transfer outside the E.U., giving it a deadline of one month to comply.

In addition, the watchdog underscored that website audience measurement and analysis services such as Google Analytics should only be "used to produce anonymous statistical data, thus allowing for an exemption from consent if the data controller ensures that there are no illegal transfers."

The development comes amid fresh warnings from Meta Platforms, the owner of social media networks like Facebook, Instagram, and WhatsApp, that legislation dictating how E.U. citizens' user data gets transferred to the U.S. could lead to it pulling out the services from the region.

"If a new transatlantic data transfer framework is not adopted and we are unable to continue to rely on SCCs (standard contractual clauses) or rely upon other alternative means of data transfers from Europe to the United States, we will likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe," the company said in an annual report issued earlier this week.

The ruling also arrives less than two weeks after a regional court in the German city of Munich found that embedding Google Fonts on a website and transferring the IP address to Google via the library without users' consent contravenes GDPR laws, ordering the website operator to pay €100 in damages.

Source: https://thehackernews.com/2022/02/france-rules-that-using-google.html

$3.6 billion bitcoin seizure shows how hard it is to launder cryptocurrency

This security flaw [1, 2] affected the latest Windows 10 versions, and threat attackers could abuse it since at least 2014.

As BleepingComputer previously reported, the flaw resulted from lax security settings for the "HKLM\Software\Microsoft\Windows Defender\Exclusions" Registry key. This key contains the list of locations (files, folders, extensions, or processes) excluded from Microsoft Defender scanning.

Exploiting the weakness was possible because the Registry key was accessible by the 'Everyone' group, as shown in the image below.

This made it possible for local users (regardless of their permissions) to access it via the command line by querying the Windows Registry.

Security expert Nathan McNulty also warned that users could also grab the list of exclusions from registry trees with entries storing Group Policy settings, which is much more sensitive info as it provides exclusions for multiple computers on a Windows domain.

After finding out what folders were added to the antivirus exclusion list, attackers could deliver and execute malware from an excluded folder on a compromised Windows system without having to fear that its malicious payload will be detected and neutralized.

By exploiting this weakness, BleepingComputer could execute a sample of Conti ransomware from an excluded folder and encrypt a Windows system without any warnings or signs of detection from Microsoft Defender.

Security weakness addressed silently by Microsoft

This is no longer be possible given Microsoft has now addressed the weakness via a silent update, as spotted by Dutch security expert SecGuru_OTX on Thursday.

SentinelOne threat researcher Antonio Cocomazzi confirmed that the flaw can no longer be used on Windows 10 20H2 systems after installing the February 2022 Patch Tuesday Windows updates.

Some users are seeing the new permission change after installing the February 2022 Patch Tuesday Windows cumulative updates.

On the other hand, Will Dormann, a vulnerability analyst for CERT/CC, noted that he received the permissions change without installing any updates, indicating that the change could be added by both Windows updates and Microsoft Defender security intelligence updates.

As BleepingComputer was also able to confirm today, the permissions on Windows advanced security settings for Defender exclusions have indeed been updated, with the 'Everyone' group removed from the Registry key's permissions.

On Windows 10 systems where this change has already rolled out, users are now required to have admin privileges to be able to access the list of exclusions via the command line or when adding them using the Windows Security settings screen.

The change rolled out since our previous report, but, at the moment, only Microsoft knows how it was pushed to affected Windows 10 systems (via Windows updates, Defender intelligence updates, or other means).

A Microsoft spokesperson was not available for comment when contacted by BleepingComputer earlier today.

Microsoft fixes Defender flaw letting hackers bypass antivirus scans

WMIC.exe is a built-in Microsoft program that allows command-line access to the Windows Management Instrumentation.

Using this tool, administrators can query the operating system for detailed information about installed hardware and Windows settings, run management tasks, and even execute other programs or commands.

Microsoft announced last year that they had begun deprecating wmic.exe in Windows Server in favor of Windows PowerShell, which also includes the ability to query Windows Management Instrumentation.

"The WMIC tool is deprecated in Windows 10, version 21H1 and the 21H1 General Availability Channel release of Windows Server. This tool is superseded by Windows PowerShell for WMI," explains the list of deprecated Window features.

"Note: This deprecation only applies to the command-line management tool. WMI itself is not affected."

As first noted by security researcher Grzegorz Tworek, Microsoft has now begun removing WMIC from Windows clients, starting with Windows 11 preview builds in the Dev channel.

BleepingComputer has independently confirmed that from at least build 22523 and later, WMIC is no longer available in Windows 11 preview builds in the 'Dev' channel, but Microsoft could have removed it in earlier builds.

We will likely see Microsoft expanding the deprecation of WMIC.exe to Windows 11 general release and possibly Windows 10 in the future.

While the removal of WMIC.exe may cause some of your scripts or daily administration tasks to no longer function, you can easily port these tasks to PowerShell.

WMIC is commonly abused by threat actors

In Windows systems, LoLBins (living-off-the-land binaries) are Microsoft-signed executables that threat actors abuse to evade detection while performing malicious tasks.

Some legitimate Windows tools abused by threat actors include but are not limited to Microsoft Defender, Windows Update, CertUtil, and even the Windows Finger command.

WMIC.exe has long been considered a LOLBIN as it is abused by threat actors for a wide range of malicious activities.

For example, ransomware encryptors commonly use the WMIC command to delete Shadow Volume Copies so that victims can't use them to recover files.

WMIC.exe shadowcopy delete /nointeractive

Other threat actors have used WMIC to query for the list of installed antivirus software and even uninstall them.

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState /format:list

wmic product where ( Vendor like "%Emsisoft%" ) call uninstall /nointeractive & shutdown /a & shutdown /a & shutdown /a;

Other malware has been seen using WMIC to add exclusions to Microsoft Defender so that their malware won't be detected when launched.

WMIC /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=\"
WMIC /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=\"\Temp\\"
WMIC /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionExtension=\".dll\"
WMIC /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionProcess=\"rundll32.exe\"

A phishing campaign recently used CSV files to infect devices with the used WMIC to launch a PowerShell command that downloads and installs the BazarBackdoor malware.

By removing WMIC, a wide range of malware and attacks will no longer work correctly as they will not be able to execute various commands needed to conduct their attack.

Furthermore, BleepingComputer has seen ransomware strains that relied on WMIC to look up CPU information, and, when they could not do so, they failed to run correctly.

Unfortunately, threat actors will just see this as a bump in the road and replace WMIC with other methods, but disruption, even for a short time, is worth it.

Microsoft starts killing off WMIC in Windows, will thwart attacks

The zero-day patched today is tracked as CVE-2022-22620 [1, 2] and is a WebKit Use After Free issue that could lead to OS crashes and code execution on compromised devices.

Successful exploitation of this bug allows attackers to execute arbitrary code on iPhones and iPads running vulnerable versions of iOS and iPadOS after processing maliciously crafted web content.

"Apple is aware of a report that this issue may have been actively exploited," the company said when describing the zero-day.

Apple addressed CVE-2022-22620 with improved memory management in iOS 15.3.1, iPadOS 15.3.1, and macOS Monterey 12.2.1.

The complete list of impacted devices is quite extensive, as the bug affects older and newer models, and it includes:

• iPhone 6s and later,
• iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
• Macs running macOS Monterey

Although this zero-day was likely only used in targeted attacks, it's still strongly recommended to install the updates as soon as possible to block potential attack attempts.

Third zero-day patched this year by Apple

In January, Apple patched two other zero-days exploited in the wild that could allow threat actors to achieve arbitrary code execution with kernel privileges (CVE-2022-22587) and track browsing activity and users' identities in real-time (CVE-2022-22594).

These first two zero-days impacted iPhones (iPhone 6s and up), Macs running macOS Monterey, and multiple models of iPads.

While Apple has patched only three zero-days since the start of 2022, the company had to deal with an almost interminable stream of zero-days exploited in the wild to target iOS, iPadOS, and macOS devices.

The list includes multiple zero-day flaws used to install NSO's Pegasus spyware on iPhones belonging to journalists, activists, and politicians.

Apple patches new zero-day exploited to hack iPhones, iPads, Macs

After lying low, SSH botnet mushrooms and is harder than ever to take down

< Watch the video at the Source page. >

Cyber criminals are increasingly targeting Linux servers and cloud infrastructure to launch ransomware campaigns, cryptojacking attacks and other illicit activity – and many organisations are leaving themselves open to attacks because Linux infrastructure is misconfigured or poorly managed. 

Analysis from cybersecurity researchers at VMware warns that malware targeting Linux-based systems is increasing in volume and complexity, while there's also a lack of focus on managing and detecting threats against them. This comes after an increase in the use of enterprises relying on cloud-based services because of the rise of hybrid working, with Linux the most common operating system in these environments. 

That rise has opened new avenues that cyber criminals can exploit to compromise enterprise networks, as detailed by the research paper, including ransomware and cryptojacking attacks tailored to target Linux servers in environments that might not be as strictly monitored as those running Windows. 

These attacks are designed for maximum impact, as the cyber criminals look to compromise as much as the network as possible before triggering the encryption process and ultimately demanding a ransom for the decryption key. 

The report warns that ransomware has evolved to target Linux host images used to spin up workloads in virtualised environments, enabling the attackers to simultaneously encrypt vast swathes of the network and make incident response more difficult. The attacks on cloud environments also result in attackers stealing information from servers, which they threaten to publish if they're not paid a ransom. 

Ransomware families that have been seen targeting Linux servers in attacks include REvil, DarkSide and Defray777 and it's likely that new forms of ransomware will appear that also target Linux.   

Cryptojacking and other malware attacks are also increasingly targeting Linux servers. Cryptojacking malware steals processing power from CPUs and servers in order to mine for cryptocurrency.  

The attacks against all operating systems often go undetected. While cryptojackers are using up energy and potentially slowing down systems, it's usually not a noticeable enough drain to cause significant disruption.

The most common application used to mine for Monero is the open-source XMRig miner and many of these are being placed on Linux servers. If the Linux environment isn't being correctly monitored, cryptojacking can easily go undetected and cyber criminals know this. 

"Cyber criminals are dramatically expanding their scope and adding malware that targets Linux-based operating systems to their attack toolkit in order to maximize their impact with as little effort as possible," said Giovanni Vigna, senior director of threat intelligence at VMware. Rather than infecting a PC and then navigating to a higher value target, cyber criminals have realised that compromising a single server can deliver a massive payoff. 

Many of the cyberattacks targeting Linux environments are still relatively unsophisticated when compared with equivalent attacks targeting Windows systems – that means that with the correct approach to monitoring and securing Linux-based systems, many of these attacks can be prevented. 

That includes cybersecurity hygiene procedures such as ensuring default passwords aren't in use and avoiding sharing one account across multiple users. 

"Focus on the basics. The fact is that most adversaries are not super advanced," said Brian Baskin, manager of threat research at VMware. 

"They're not looking for unique exploits, they're looking for the general open vulnerabilities and misconfigurations. Focus on those before you start focusing on zero-day attacks and new vulnerabilities – make sure you've got the basics covered first," he added. 

Source

What’s more, as most anti-malware and cybersecurity solutions are focused on protecting Windows-based devices, Linux is finding itself on thin ice, as threat actors grow aware of this security gap and target the software more than ever before.

VMware's report, based on real-time big data, event streaming processing, static, dynamic and behavioral analytics, and machine learning data, claims ransomware has evolved to target host images used to spin workloads in virtualized environments.

Ransomware, cryptomining, Cobalt Strike

Attackers are now seeking most valuable assets in the cloud, VMware says, mentioning Defray777 as the ransomware family which encrypted host images on ESXi servers, as well as the DarkSide ransomware family that was behind the Colonial Pipeline attack.

Furthermore, multi-cloud infrastructure is often abused to mine cryptocurrencies for the attackers. As cryptojacking, as the method is called, does not completely disrupt the operations of cloud environments like ransomware does, it is a lot more difficult to detect.

Still, almost all (89%) of cryptojacking attacks use XMRig-related libraries. That is why, when XMRig-specific libraries and modules in Linux binaries are identified, it is most likely malicious cryptomining.

There is also the growing problem of Cobalt Strike and Vermilion strike, commercial penetration testing and red team tools for Windows and Linux. 

Even though they aren’t designed to be malicious, they can be used as an implant on a compromised system that gives malicious actors partial control of the machine. VMware discovered more than 14,000 active Cobalt Strike Team Servers on the internet, in the time period between February 2020 and November 2021. 

The fact that the total percentage of cracked and leaked Cobalt Strike customer IDs is 56%, leads VMware to conclude that more than half of Cobalt Strike users may be cybercriminals.

To tackle this growing threat, the report further claims, organizations need to “place a greater priority” on threat detection.

Source

uBlock Origin adds support for a dark theme

The dark mode was initially tested in the dev build of the extension, before it was brought over to the stable version.

Once you have updated to uBlock Origin 1.41.0, you can open the Dashboard, switch to the Settings pane, to find a new section called Appearance. It has a drop-down menu that lets you switch to the Dark theme, Light theme, or set it to change the theme automatically based on your browser's settings.

The extension also supports custom accent colors that you may choose from the color palette.

Other fixes in uBlock Origin 1.41.0

Back in December 2021, I wrote that uBlock Origin introduced a workaround, that blocked YouTube ads from bypassing the add-on's filters, just after the browser had been launched by the user. The issue was that Chromium based browsers sent network requests to servers to resume the activity of the tabs from the previous session. The extension's latest version introduces a  setting that fixes the problem. It prevents all network activity when the browser is launched, and waits for the add-on's filter lists to be loaded, to block the ads, after which the tabs are loaded with proper filtration of the ads. The new option is enabled by default, and can be toggled from the Filter Lists tab. It is labeled "Suspend network activity until all filter lists are loaded".

The new version of the extension will not use background images on web pages as the best candidate in the Element Picker mode. This will allow users to pick elements in the foreground of web pages, for example, a nag banner that prompts you to accept the site's cookies before you can click on other elements on the page.

Websites which implemented FingerprintJS V3 were reportedly not allowing video playback after detecting the extension. A commit to the ad blocker's code fixes this issue. The uBlock Origin 1.41.0 update also resolves a conflict with the WebRTC Protect extension. The minimum requirements for uBlock Origin has been raised, and you will need to have Firefox 68, or Chromium 66, or Opera 53, to use the latest version of the ad blocker. The version bump was made in order to remove support for the classic popup panel, the legacy UI was in fact deprecated when the extension was updated to 1.27.0.

uBlock Origin 1.41.0 has already been submitted on the Firefox AMO, Chrome Web Store, Microsoft Store, and Opera Add-ons. The latest version has not been approved yet, but will soon be available as an auto-update.

I don't recommend this, but if you want to test the dark theme right now, you can do so by installing the dev build of the add-on from GitHub. These builds are not signed like the store versions, so use it at your own discretion. Firefox users can turn to the nightly build of the browser, and set the value of the following preference to False in the about:config page. xpinstall.signatures.required.

This will allow you to switch the Appearance of uBlock Origin to the Dark theme, as described earlier in this article.

uBlock Origin adds support for a dark theme, a new setting to block network activity at browser launch

Software Updates: uBlock Origin 1.41.0 uBlock Origin 1.41.1b0

The vulnerability is tracked as CVE-2021-39675, carrying a “critical” severity rating, and affects only Android 12, the latest version of the popular OS.

These flaws are typically leveraged by sophisticated spyware vendors that independently discover and privately use zero-days in mobile operating systems. However, in this case, Google hasn’t seen any signs of active exploitation.

The second critical flaw addressed by the February 2022 security update is CVE-2021-30317, which affects a closed-source component of Qualcomm, and thus only concerns Android devices that use that vendor’s hardware.

Here’s a summary of this month’s fixes:

• Five high-severity flaws in Framework
• Four high-severity bugs in Media Framework
• Seven high-severity to critical flaws in System
• Two vulnerabilities of undefined severity in Media Provider
• One high-severity flaw in Amlogic components
• Five high-severity bugs in MediaTek components
• Three high-severity flaws in Unisoc components
• Six high to critical-severity vulnerabilities in Qualcomm components

As Google clarifies in the bulletin: "The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed."

The technical details about the vulnerabilities are not available at this time, as Android updates typically need several months to reach a respectable percentage of the userbase, given that vendors need to bundle them separately for each device model.

The only exception to this practice is Google’s own Pixel devices, with all models from '3a' up to '6 Pro' already receiving the February 2022 security update in a simultaneous roll-out.

Finally, the fixes that come with this month’s update concern Android 10, 11, and 12, so if your phone runs anything older than that, you are no longer covered, and you should consider your device a security liability.

If you don’t want to replace a perfectly working electronic device that is no longer supported by its manufacturer, you could flash it with a third-party Android ROM that's based on a more recent and secure AOSP version, like LineageOS for example.

Google fixes remote escalation of privileges bug on Android

Microsoft has fixed 48 vulnerabilities (not including 22 Microsoft Edge vulnerabilities ) with today's update, with none of them classified as Critical.

The number for each type of vulnerability is listed below:

• 16 Elevation of Privilege Vulnerabilities
• 3 Security Feature Bypass Vulnerabilities
• 16 Remote Code Execution Vulnerabilities
• 5 Information Disclosure Vulnerabilities
• 5 Denial of Service Vulnerabilities
• 3 Spoofing Vulnerabilities
• 22 Edge - Chromium Vulnerabilities

For information about the non-security Windows updates, you can read about today's Windows 10 KB5010342 & KB5010345 updates and Windows 11's KB5010386 update.

One zero-day fixed, none actively exploited

This month's Patch Tuesday includes fixes for one publicly disclosed zero-day vulnerabilities. The good news is that there were no zero-day vulnerabilities actively exploited in attacks from this Patch Tuesday.

Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available.

The publicly disclosed vulnerabilities fixes as part of the February 2022 Patch Tuesday are:

•  CVE-2022-21989 - Windows Kernel Elevation of Privilege Vulnerability

However, as many of these have public proof-of-concept exploits available, they will likely be exploited by threat actors soon.

Recent updates from other companies

Other vendors who released updates in February 2022 include:

• Android's February security updates were released yesterday.
• Cisco released security updates for numerous products this month, including Cisco Small Business RV routers, Snort, and Cisco DNA Center.
• SAP released its February 2022 security updates.

The February 2022 Patch Tuesday Security Updates

Below is the complete list of resolved vulnerabilities and released advisories in the February 2022 Patch Tuesday updates. To access the full description of each vulnerability and the systems that it affects, you can view the full report here.

Microsoft February 2022 Patch Tuesday fixes 48 flaws, 1 zero-day

When it comes to the company's in-house anti-malware solution, which is Microsoft Defender, here too, the firm has been scoring very highly in some of the recent AV-TEST results and rankings. In the October 2021 report, it came out as one of the best antivirus solutions in the market, and in the latest December 2021 rankings, it actually improved relative to some of the other popular products.

However, AV-Comparatives does not quite agree with AV-TEST's findings as per the former's 2021 Summary Report. In this report, Microsoft didn't score the full marks as it did twice on AV-TEST's last two results. Some of the others like AVG or Avast, which were outperformed by Defender in the lastest AV-TEST results have also beat Microsoft's product in this AV-Comparatives test.

Now coming to the results, while AV-TEST uses scores out of 6.0 to rate the various anti-malware solutions, AV-Comparatives deploys star ratings where:

• * = Standard
• ** = Advanced
• *** = Advanced+

In total, 17 products were tested and AV-Comparatives was most impressed by McAfee rewarding it the "Product of the Year 2021" Award. McAfee managed to score the full three stars except in the February-May 2021 Real-World Protection category.

Speaking of categories, the 17 products were tested for:

• Real-World Protection Test
• Performance Test
• Malware Protection Test
• False-Alarm Test
• Advanced Threat Protection (ATP) Test

The image below shows the summarized result.

Microsoft's Defender was the only antivirus that failed to score in the Real-World Protection test for February-May 2021 due to an error. AV-Comparatives has also explained why:

Unfortunately, we cannot provide results or an award for Microsoft Defender in the February-May 2021 Real-World Protection Test. During the testing, despite being configured for automatic updates and performing manual updates, parts of Defender were not correctly updated. As there were no error messages, this issue was only discovered at the beginning of June and required a new installation of the OS.

It must be noted however that the product received the highest available rating of Advanced++ in the July-October round of tests. And malware protection was also outstanding, though, it scored low in the Performance metric which implies a system with Defender on it was impacted relatively more than ones without it.

Source: AV-Comparatives

Unlike AV-TEST, AV-Comparatives wasn't as impressed by Microsoft Defender in 2021

First things first, the app doesn't replace the default antivirus that exists on your PC. That's because it is called Windows Security, not Microsoft Defender or Windows Defender, even though you're maybe referring to it as such. So, the new app is essentially a companion program that complements the present program, it's sort of like a Dashboard if you will.

What is Microsoft Defender Preview

The app, first spotted by Aggiornamenti Lumia, has an interface that's divided into three panes. The left pane displays some tips to educate users about how to stay safe online. The middle pane is called, This Device, and has a text label clicking on which takes you to a screen with the device's security information. It tells you when the last threat scan was run on the computer, the number of files that were scanned and the number of threats that were found.

For more details, click the Security History button on the home page, to view the Alerts and History of all threats that were detected on the system.

The "This Device" screen in Microsoft Defender Preview lets you check whether all security components are working properly on your system, such as the Virus & Threat Protection, Updates, Ransomware Protection. It also lets you view your Security History. The Settings can only be changed from the Windows Security app.

Back on the home page of the app, the bottom of the central pane lists other devices that you have connected to the account. Speaking of which, you can add other devices using the section to the right side of the screen, the app gives you a link to install it on other devices, including mobile phones and tablets, via this URL.

Once they are connected to your account, the app will allow you to view the security information of all your devices (including your family's), remotely via its interface. Let's say that Windows Security detected a malware on one of the computers, it will show up on the "Other devices" dashboard in Microsoft Defender Preview. But you will still have to run a scan or take an action via the Windows Security app manually, at least that's how I understand it.

According to its Store description, Microsoft Defender Preview will display real-time notifications for alerts. The fine print in the Store listing is where things get interesting. Allow me to quote it for you,

"No subscription is required for Microsoft Defender Preview. In the future, Microsoft Defender will require a Microsoft 365 Family or Personal subscription."

This clearly suggests that the app will not be free for users, though I wonder if there will be other limitations in place.

Download the Microsoft Defender Preview app from the Microsoft Store. (credit). There are a couple of caveats here, for one, you need to have a US IP address, just to sign in to the program. I used ProtonVPN (free), but you can use any VPN. You will need to use it to sign in to the app, every single time you reboot the computer, which is annoying. But this is a Preview version, so such restrictions are to be expected. The other requirement is that your computer needs to be running on Windows 10 version 19041.0 or higher, to run the app. The system requirements listed on the Store says that the app supports x64/x86 systems, and the Xbox console.

Though the Microsoft Defender Preview is available for download, it is yet to be announced officially. It is likely to be unveiled in this week's Windows 11 Insider Preview Build. I'd advise waiting for the announcement, before you dive in to test the program, but it seems to work just fine, even on stable Windows 11.

Microsoft Defender Preview seems like a nice app, and the endpoint-like experience will surely be useful for users who want to manage the security of their not-so-tech-savvy family members' computers remotely.

Microsoft Defender Preview is now available on Windows 10 and 11

A Manhattan couple, Ilya Lichtenstein, 34, and his wife, Heather Morgan, 31, were arrested today for allegedly being involved in a conspiracy to launder the stolen cryptocurrency.

In 2016, the 119,756 bitcoins stolen during the attack were worth almost $78 million and are now valued at roughly $4.5 billion.

DOJ officials said the funds were recovered after IRS-Criminal Investigation (IRS-CI) special agents executed "court-authorized search warrants of online accounts controlled by Lichtenstein and Morgan" to seize files with the private keys required to access the wallets containing the stolen Bitfinex bitcoins.

"Those files contained the private keys required to access the digital wallet that directly received the funds stolen from Bitfinex, and allowed special agents to lawfully seize and recover more than 94,000 bitcoin that had been stolen from Bitfinex. The recovered bitcoin was valued at over $3.6 billion at the time of seizure," DOJ said.

"Today’s arrests, and the department’s largest financial seizure ever, show that cryptocurrency is not a safe haven for criminals," added Deputy Attorney General Lisa O. Monaco.

Lichtenstein and Morgan were charged today with conspiracy to commit money laundering, which comes with a maximum sentence of 20 years in prison, and conspiracy to defraud the USA, which also carries a maximum sentence of five years.

Largest cryptocurrency seizure ever

According to Chief Jim Lee of IRS-Criminal Investigation (IRS-CI), this was the largest cryptocurrency seizure ever made by DOJ.

"IRS-CI Cyber Crimes Unit special agents have once again unraveled a sophisticated laundering technique, enabling them to trace, access and seize the stolen funds, which has amounted to the largest cryptocurrency seizure to date, valued at more than $3.6 billion," Lee said.

The defendants allegedly attempted to launder the stolen cryptocurrency by making deposits on the AlphaBay dark web marketplace, as well as buying gift cards from Uber, Hotels.com, PlayStation, and Walmart.

Court documents show that the couple allegedly used sophisticated laundering techniques, including:

• using fictitious identities to set up online accounts;
• utilizing computer programs to automate transactions, a laundering technique that allows for many transactions to take place in a short period of time;
• depositing the stolen funds into accounts at a variety of virtual currency exchanges and darknet markets and then withdrawing the funds, which obfuscates the trail of the transaction history by breaking up the fund flow;
• converting bitcoin to other forms of virtual currency, including anonymity-enhanced virtual currency (AEC), in a practice known as “chain hopping”;
• and using U.S.-based business accounts to legitimize their banking activity.

More info on how the stolen Bitfinex funds were traced and were moved to accounts linked to the two defendants can be found in this statement of facts released today by DOJ.

"Bitfinex will work with the DOJ and follow appropriate legal processes to establish our rights to a return of the stolen bitcoin," the Hong Kong cryptocurrency exchange said in a statement today.

"Bitfinex intends to provide further updates on its efforts to obtain a return of the stolen bitcoin as and when those updates are available."

Update: Added Bitfinex statement.

US seizes $3.6 billion stolen in 2016 Bitfinex cryptoexchange hack

The Internal Revenue Service (IRS) said today it will be transitioning away from requiring biometric data from taxpayers who wish to access their records at the agency’s website. The reversal comes as privacy experts and lawmakers have been pushing the IRS and other federal agencies to find less intrusive methods for validating one’s identity with the U.S. government online.

Late last year, the login page for the IRS was updated with text advising that by the summer of 2022, the only way for taxpayers to access their records at irs.gov will be through ID.me, an online identity verification service that collects biometric data — such as live facial scans using a mobile device or webcam.

The IRS first announced its partnership with ID.me in November, but the press release received virtually no attention. On Jan. 19, KrebsOnSecurity published the story IRS Will Soon Require Selfies for Online Access, detailing a rocky experience signing up for IRS access via ID.me. That story immediately went viral, bringing this site an almost unprecedented amount of traffic. A tweet about it quickly garnered more than two million impressions.

It was clear most readers had no idea these new and more invasive requirements were being put in place at the IRS and other federal agencies (the Social Security Administration also is steering new signups to ID.me).

ID.me says it has approximately 64 million users, with 145,000 new users signing up each day. Still, the bulk of those users are people who have been forced to sign up with ID.me as a condition of receiving state or federal financial assistance, such as unemployment insurance, child tax credit payments, and pandemic assistance funds.

In the face of COVID, dozens of states collectively lost tens of billions of dollars at the hands of identity thieves impersonating out-of-work Americans seeking unemployment insurance. Some 30 states and 10 federal agencies now use ID.me to screen for ID thieves applying for benefits in someone else’s name.

But ID.me has been problematic for many legitimate applicants who saw benefits denied or delayed because they couldn’t complete ID.me’s verification process.  Critics charged the IRS’s plan would unfairly disadvantage people with disabilities or limited access to technology or Internet, and that facial recognition systems tend to be less accurate for people with darker skin.

Many readers were aghast that the IRS would ask people to hand over their biometric and personal data to a private company that begin in 2010 as a way to help veterans, teachers and other public servants qualify for retail discounts. These readers had reasonable questions: Who has (or will have) access to this data? Why should it be stored indefinitely (post-verification)? What happens if ID.me gets breached?

The Washington Post reported today that in a meeting with lawmakers, IRS officials said they were considering another identity verification option that wouldn’t use facial recognition. At the same time, Senate Finance Committee Chairman Ron Wyden (D-Ore.) challenged the Treasury Department and IRS to reconsider the biometric requirements.

In a statement published today, the IRS said it was transitioning away from using a third-party service for facial recognition to help authenticate people creating new online accounts.

“The transition will occur over the coming weeks in order to prevent larger disruptions to taxpayers during filing season,” the IRS said. “During the transition, the IRS will quickly develop and bring online an additional authentication process that does not involve facial recognition. The IRS will also continue to work with its cross-government partners to develop authentication methods that protect taxpayer data and ensure broad access to online tools.”

“The IRS takes taxpayer privacy and security seriously, and we understand the concerns that have been raised,” IRS Commissioner Chuck Rettig wrote. “Everyone should feel comfortable with how their personal information is secured, and we are quickly pursuing short-term options that do not involve facial recognition.”

The statement further stressed that the transition announced today does not interfere with the taxpayer’s ability to file their return or pay taxes owed. “During this period, the IRS will continue to accept tax filings, and it has no other impact on the current tax season,” the IRS said. “People should continue to file their taxes as they normally would.”

It remains unclear what other service or method the IRS will use going forward to validate the identities of new account signups. Wyden and others have urged the IRS to use Login.gov, a single sign-on service that Congress required federal agencies to use in 2015.

“Login.gov is already used to access 200 websites run by 28 Federal agencies and over 40 million Americans have accounts,” Wyden wrote in a letter to the IRS today. “Unfortunately, login.gov has not yet reached its full potential, in part because many agencies have flouted the Congressional mandate that they use it, and because successive Administrations have failed to prioritize digital identity. The cost of this inaction has been billions of dollars in fraud, which has in turn fueled a black market for stolen personal data, and enabled companies like ID.me to commercialize what should be a core government service.”

Login.gov is run by the U.S. General Services Administration, which told The Post that it was “committed to not deploying facial recognition…or any other emerging technology for use with government benefits and services until a rigorous review has given us confidence that we can do so equitably and without causing harm to vulnerable populations.”

IRS To Ditch Biometric Requirement for Online Access

Russian media reports that the arrests come at the request of investigators from the Ministry of Internal Affairs of the Russian Federation.

"The Tverskoy Court of Moscow received petitions from the investigation to select a measure of restraint in the form of detention against six people suspected of committing a crime under part 2 of article 187 of the Criminal Code of the Russian Federation ("Illegal circulation of means of payment")," said press court clerk Ksenia Rozina in a statement to TASS Russian News Agency.

Article 187 of the "The Criminal Code Of The Russian Federation" relates to "The making of counterfeit credit or debit cards, and also of other payment documents, which are not securities, with the purpose of their utterance or their sale".

Russian law enforcement has not specified what hacking groups the arrested individuals were allegedly affiliated with. 

However, in possibly related news, three carding forums/marketplaces devoted to the theft and selling of stolen credit cards suddenly displayed seizure notices today claiming to be from the Russian government.

BleepingComputer has confirmed that the websites for SkyFraud, Ferum, and Trump's Dumps now show notices saying the sites were seized by Management "K" of the BSTM of the Ministry of Internal Affairs of Russia.

The seizure message translated by Google Translate reads in English as:

THIS RESOURCE IS BLOCKED

The SKYFRAUD resource was closed forever during a special law enforcement operation.

Management "K" of the BSTM of the Ministry of Internal Affairs of Russia warns: theft of funds from bank cards is illegal!

Art. 187 of the Criminal Code of the Russian Federation: Production, acquisition, storage, transportation for the purpose of use or sale, as well as the sale of counterfeit payment cards, money transfer orders, documents or means of payment, as well as electronic means, electronic media, technical devices, computer programs, intended for illegal acceptance, issuance, transfer of funds.

Punishable by imprisonment for up to seven years.

While these seizure notices cite the same Russian Criminal Code offense as today's arrests of the six individuals, it has not been confirmed if the notices are legitimate or even related.

Security researcher Soufiane Tahiri also discovered that the source code for the sky-fraud.ru seizure notice includes a hidden message for other Russian hackers, saying "КТО ИЗ ВАС СЛЕДУЮЩИЙ?"

Translated into English, this warning says, "WHICH OF YOU IS NEXT?"

These arrests mark the third hacking group arrested by Russian authorities since the beginning of 2022.

In January, Russia seized $6 million and arrested fourteen individuals associated with REvil, a notorious ransomware operation responsible for numerous cyberattacks worldwide.

At the end of the month, Russia also arrested the leader of the Infraud Organization, a hacking group that caused more than $560 million in losses to businesses worldwide.

This stream of arrests by Russia is unusual as the country does not have a history of cooperating in the crackdown on cybercrime operating within its borders.

However, after DarkSide's ransomware attack on Colonial Pipeline and REvil's attack on Kaseya, the White House and Russian representatives have been working to increase cooperation to stem the rising tide of hacking activities originating from Russia.

H/T Dmitry Smilyanets

Update 2/7/22: Added Trump's Dumps to the list of stolen credit card forums/marketplaces seized today. While likely related, we updated th

Russia arrests third hacking group, reportedly seizes carding forums

Using VBA macros embedded in malicious Office documents is a very popular method to push a wide range of malware families in phishing attacks, including Emotet, TrickBot, Qbot, and Dridex.

"This change only affects Office on devices running Windows and only affects the following applications: Access, Excel, PowerPoint, Visio, and Word," the Microsoft Office Product Group said today.

"The change will begin rolling out in Version 2203, starting with Current Channel (Preview) in early April 2022."

After this change rolls out, Office users will no longer be able to enable macros with a click of a button after they're automatically blocked.

This will automatically thwart attacks that deliver malware on home and enterprise networks via malicious Office docs, including various information-stealing trojans and malicious tools used by ransomware gangs.

Now, until the new autoblock defaults go into effect, when Office opens a document, it checks if it is tagged with a "Mark of the Web" (MoTW), which means it was downloaded from the Internet.

If this tag is found, Microsoft opens the document in read-only mode, blocking the exploit unless users click on the 'Enable Editing' or 'Enable Content' button shown at the top of the document.

By removing these buttons, which allow users to remove the MoTW, and blocking macros from untrusted sources by default, most malicious documents will no longer be executed, stopping malware attacks abusing this weakness in their tracks.

"SECURITY RISK: Microsoft has blocked macros from running because the source of this file is untrusted," reads the new warning.

According to Microsoft, this significant security improvement will roll out to other Office update channels such as Current Channel, Monthly Enterprise Channel, and Semi-Annual Enterprise Channel at a later date.

This update will also be pushed to Office LTSC, Office 2021, Office 2019, Office 2016, and Office 2013 users at a future date.

"We will continue to adjust our user experience for macros, as we’ve done here, to make it more difficult to trick users into running malicious code via social engineering while maintaining a path for legitimate macros to be enabled where appropriate via Trusted Publishers and/or Trusted Locations," said Tristan Davis, a Partner Group Program Manager for Microsoft's Office Platform.

After the Office update rolls out and blocks one-click enabling macros in documents downloaded from the Internet, you will still be able to enable them by going into the documents' properties and checking the "Unlock" button on the bottom right.

You can find more info on the security risk behind macros, safe practices to thwart phishing and malware attacks, as well as instructions on how to enable these macros if you're sure they're safe on this support page.

Last month, Microsoft also said Excel 4.0 (XLM) macros will be disabled by default to protect customers from malicious documents designed to infect them with malware.

That change was first announced in October when Redmond first revealed that it would disable XLM macros in all tenants if the users or the admins hadn't manually toggled the feature on or off.

Microsoft plans to kill malware delivery via Office macros

Roaming Mantis is a credential theft and malware distribution campaign that uses SMS phishing (smishing) to distribute malicious Android apps as standalone APK files outside the Google Play Store.

Over the past four years, the campaign has been under constant evolution and was first spotted in 2018, targeting Android smartphone users in Japan via DNS hacking. 

It later evolved to target iOS users with phishing pages for credential theft and expand the targeted countries to include Taiwan and Korea.

Fake shipping texts

In its most recent form, Roaming Mantis uses a trojan named 'Wroba,' and is targeting users in France and Germany with smishing messages and landing pages injected on compromised legitimate websites.

The goal of Wroba is to steal e-banking details, and like other similar trojans, it spreads automatically using SMS phishing texts to people in the infected device's contacts.

The infection chain starts with the arrival of an SMS text on the target device, which contains a short warning message about a shipped package with an included URL.

If the URL is clicked from an Apple device, it redirects the victim to a phishing page, where it attempts to steal the user's Apple login credentials.

However, if the victim uses an Android device, they are taken to a landing page that prompts them to install malware disguised as an Android app.

The impersonated apps that contain the Wroba are predominantly for Google Chrome but also imitate the Yamato transport and ePOST apps. 

Below are the download stats from a single day in September 2021, counting tens of thousands of malicious APK downloads in Europe.

Now stealing your images and videos

Compared to past variants, the Wrogba loader and payload have evolved and are now written in Kotlin, a language with excellent interoperability with Java.

The backdoor includes 21 malicious commands that can be executed by the attacks, with two new ones added in recent campaigns. These new commands are "get_gallery" and "get_photo," which are meant to steal the victim's photos and videos and upload them to the attacker's servers.

Kaspersky explains that threat actors may use the addition of these two new commands for financial fraud, identity theft, blackmail, and extortion if sensitive media is stolen.

"One possible scenario is that the criminals steal details from such things as driver’s licenses, health insurance cards or bank cards, to sign up for contracts with QR code payment services or mobile payment services," Kaspersky explains in their report.

"The criminals are also able to use stolen photos to get money in other ways, such as blackmail or sextortion."

Don’t get bit by the Mantis

To prevent Roaming Mantis and other Android malware from infecting your device, you should always avoid downloading APKs from unusual sources and never allow the installation of packages from unknown sources.

Furthermore, SMS texts that contain URLs should always be treated with caution and suspicion, even if they come from someone you know.

Finally, an Android internet security tool from a trusty vendor could help flag these URLs upon visiting them, as analysts actively track these campaigns.

Roaming Mantis Android malware campaign sets sights on Europe

Stringent data privacy rules under GDPR have the company in a tight spot.

Meta may be forced to shutter Facebook, Instagram in EU

It also provided information to help organizations block this adversary's attempts to breach their networks and asked victims to urgently report such incidents to their local FBI Cyber Squad.

The LockBit ransomware gang has been very active since September 2019 when it launched as a ransomware-as-a-service (RaaS), with gang representatives promoting the operation, providing support on Russian-language hacking forums, and recruiting threat actors to breach and encrypt networks.

Two years later, in June 2021, LockBit announced the LockBit 2.0 RaaS on their data leak site after ransomware actors were banned from posting on cybercrime forums [1, 2].

With the relaunch, the ransomware gang redesigned Tor sites and overhauled the malware, adding more advanced features, including the automatic encryption of devices across Windows domains via Active Directory group policies.

The gang is now also trying to remove the intermediaries by recruiting insiders to provide them with access to corporate networks via Virtual Private Network (VPN) and Remote Desktop Protocol (RDP).

In January, it was discovered that LockBit also added a Linux encryptor targeting VMware ESXi servers to its toolkit.

Among the technical details on how LockBit ransomware works, the FBI also revealed that the malware comes with a hidden debug window that can be activated during the infection process using the SHIFT + F1 keyboard shortcut.

Once it shows up, it can be used to view real-time information on the encryption process and track the status of user data destruction.

This week's advisory follows an alert issued by the Australian cybersecurity agency in August 2021 warning of quickly escalating LockBit ransomware attacks.

Days later, Accenture, a Fortune 500 company and one of the world's largest IT services and consulting firms, confirmed to BleepingComputer that it was breached after LockBit threatened to leak data stolen from its network and asked for a $50 million ransom.

Two months later, Accenture also disclosed a data breach in October SEC filings after "extraction of proprietary information" during the August attack.

Companies asked to report LockBit ransomware attacks

While the FBI didn't say what prompted this flash alert, it did ask admins and cybersecurity professionals to share information on LockBit attacks targeting their companies' networks.

"The FBI is seeking any information that can be shared, [including] boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with the threat actors, Bitcoin wallet information, the decryptor file, and/or a benign sample of an encrypted file," the federal agency said.

"The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office.

"By reporting any related information to FBI Cyber Squads, you are assisting in sharing information that allows the FBI to track malicious actors and coordinate with private industry and the United States Government to prevent future intrusions and attacks."

How to defend your network

The FBI also provides mitigations that would help defenders guard their networks against LockBit ransomware attack attempts:

• Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to have strong, unique passwords
• Require multi-factor authentication for all services to the extent possible
• Keep all operating systems and software up to date
• Remove unnecessary access to administrative shares
• Use a host-based firewall to only allow connections to administrative shares via server message block (SMB) from a limited set of administrator machines
• Enable protected files in the Windows Operating System to prevent unauthorized changes to critical files.

Admins can also hinder ransomware operators' network discovery efforts by taking these measures:

• Segment networks to prevent the spread of ransomware
• Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool
• Implement time-based access for accounts set at the admin level and higher
• Disable command-line and scripting activities and permissions
• Maintain offline backups of data, and regularly maintain backup and restoration
• Ensure all backup data is encrypted, immutable, and covers the entire organization’s data infrastructure

Paying ransoms is frowned upon, but ...

The FBI also added that it does not encourage paying ransoms and advises companies against it since it's not guaranteed that paying will protect them from future attacks or data leaks.

Moreover, giving into ransomware gangs' demands further finances their operations and motivates them to target more victims. It also incentivizes other cybercrime groups to join them in conducting illegal activities.

Despite this, the FBI acknowledged that a ransomware attack's fallout might force companies to consider paying ransoms to protect shareholders, customers, or employees. The law enforcement agency strongly recommends reporting such incidents to a local FBI field office.

Even after paying a ransom, the FBI still urges to promptly report ransomware incidents as it will provide critical info that would allow law enforcement to prevent future attacks by tracking ransomware attackers and holding them accountable for their actions.

FBI shares Lockbit ransomware technical details, defense tips

Linked by Ukraine's security (SSU) and secret (SBU) services to Russia's Federal Security Service (FSB), the country's domestic intelligence service, this hacking group is also tracked as Armageddon, Primitive Bear, and ACTINIUM.

Gamaredon has been active for at least a decade and has been behind thousands of attacks on Ukrainian orgs since 2013.

Security and threat researchers with the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Digital Security Unit (DSU) said today that Gamaredon's cyber-espionage campaign is being coordinated out of Crimea, confirming SSU's assessment that the Gamaredon hackers are officers of the Crimean FSB who sided with Russia during the 2014 occupation.

"MSTIC has observed ACTINIUM targeting organizations in Ukraine spanning government, military, non-government organizations (NGO), judiciary, law enforcement, and non-profit, with the primary intent of exfiltrating sensitive information, maintaining access, and using acquired access to move laterally into related organizations," Microsoft added.

"Since October 2021, ACTINIUM has targeted or compromised accounts at organizations critical to emergency response and ensuring the security of Ukrainian territory, as well as organizations that would be involved in coordinating the distribution of international and humanitarian aid to Ukraine in a crisis."

Gamaredon is not linked to last month's cyberattacks that targeted multiple Ukraine government agencies and corporate entities with destructive data-wiping malware disguised as ransomware.

SSU blocks 120 cyberattacks in January

Palo Alto Networks' Unit 42 also issued a report regarding this group's recent activity targeting Ukraine and mentioned "an attempt to compromise a Western government entity in Ukraine on Jan. 19, 2022," via a spear-phishing attack pushing a malware downloader.

"In this attempt, rather than emailing the downloader directly to their target, the actors instead leveraged a job search and employment service within Ukraine," Unit 42 said.

"Given the steps and precision delivery involved in this campaign, it appears this may have been a specific, deliberate attempt by Gamaredon to compromise this Western government organization."

The same tactics were described by Symantec's Threat Hunter team, who saw Gamaredon distributing macro-laced Word documents in spear-phishing attacks that started in July 2021.

These reports confirm an advisory published by the Ukrainian Computer Emergency Response Team warning of attacks against Ukrainian authorities.

One day later, the SSU said it blocked more than 120 cyberattacks targeting the information systems of state institutions in Ukraine, including brute-force and malware attacks.

"MSTIC assesses that the primary outcome of activities by ACTINIUM is persistent access to networks of perceived value for the purpose of intelligence collection," Microsoft also said today.

"Despite seemingly wide deployment of malicious capabilities in the region, follow-on activities by the group occur in areas of discrete interest, indicating a possible review of targeting."

Microsoft: Russian FSB hackers hitting Ukraine since October

First discovered by the Walmart Security Team, 'Sugar' is a new Ransomware-as-a-Service (RaaS) operation that launched in November 2021 but has slowly been picking up speed.

The name of the ransomware is based on the operation's affiliate site discovered by Walmart at 'sugarpanel[.]space'.

Unlikely most ransomware operations you read about in the news, Sugar does not appear to be targeting corporate networks but rather individual devices, likely belonging to consumers or small businesses.

As such, it is not clear how the ransomware is being distributed or infecting victims.

The Sugar Ransomware

When launched, the Sugar Ransomware will connect to whatismyipaddress.com and ip2location.com to get the device's IP address and geographic location.

It will then proceed to download a 76MB file from http://cdn2546713.cdnmegafiles[.]com/data23072021_1.dat, but it is unclear how this file is used.

Finally, it will connect to the ransomware operation's command and control server at 179.43.160.195, where it transmits and receives data related to the attack. The ransomware will continue to call  back to the command and control server as it is executed, likely updating the RaaS with the status of the attack.

When encrypting files, the ransomware will encrypt every file except those listed in the following folders or have the following file names:

Excluded folders:

\windows\
\DRIVERS\
\PerfLogs\
\temp\
\boot\

Excluded files:

BOOTNXT
bootmgr
pagefile
.exe
.dll
.sys
.lnk
.bat
.cmd
.ttf
.manifest
.ttc
.cat
.msi;

The Walmart researchers say that the ransomware encrypts files using the SCOP encryption algorithm. The encrypted files will have the .encoded01 extension appended to file names, as shown below.

The ransomware will also create ransom notes named BackFiles_encoded01.txt in each folder that was scanned for files on the computer.

This ransom note contains information on what happened to the victim's files, a unique ID, and a link to a Tor site with information on how to pay the ransom. The Tor site is located at chat5sqrnzqewampznybomgn4hf2m53tybkarxk4sfaktwt7oqpkcvyd.onion.

When visiting the Tor site, the victim will be presented with their own page that contains the bitcoin address to send a ransom, a chat section, and the ability to decrypt five files for free.

The ransom demands by this operation are very low, with attacks seen by BleepingComputer demanding only a few hundred dollars to receive a key. Strangely, on our test box, the resulting ransom demand was only 0.00009921 bitcoins, worth $4.01.

As BleepingComputer tested the ransomware on a virtual machine with a small number of files, it could indicate that the ransomware is generating ransom amounts based on the number of encrypted files.

Unlike most ransomware infections, the malware executable runs even after encryption has finished. However, no auto-start setting is created, and it does not appear to continue encrypting new documents.

At this time, it is unclear if the ransomware has any weaknesses that could allow decryption for free. We will update this article as more information becomes available.

Furthermore, if you are affected by this ransomware, please let us know how you became infected.

A look at the new Sugar ransomware demanding low ransoms

At issue is a “redirect” feature available to businesses that chose to market through LinkedIn.com. The LinkedIn redirect links allow customers to track the performance of ad campaigns, while promoting off-site resources. These links or “Slinks” all have a standard format: “https://www.linkedin.com/slink?code=” followed by a short alphanumeric variable.

Here’s the very first Slink created: http://www.linkedin.com/slink?code=1, which redirects to the homepage for LinkedIn Marketing Solutions.

The trouble is, there’s little to stop criminals from leveraging newly registered or hacked LinkedIn business accounts to create their own ad campaigns using Slinks. Urlscan.io, a free service that provides detailed reports on any scanned URLs, also offers a historical look at suspicious links submitted by other users. This search via Urlscan reveals dozens of recent phishing attacks that have leveraged the Slinks feature.

Here’s one example from Jan. 31 that uses Linkedin.com links to redirect anyone who clicks to a site that spoofs Adobe, and then prompts users to log in to their Microsoft email account to view a shared document.

Urlscan also found this phishing scam from Jan. 12 that uses Slinks to spoof the U.S. Internal Revenue Service. Here’s a Feb. 3 example that leads to a phish targeting Amazon customers. This Nov. 26 sample from Urlscan shows a LinkedIn link redirecting to a Paypal phishing page.

Let me be clear that the activity described in this post is not new. Way back in 2016, security firm Fortinet blogged about LinkedIn’s redirect being used to promote phishing sites and online pharmacies. More recently in late 2021, Jeremy Fuchs of Avanan wrote that the use of a LinkedIn URL may mean that any profession — the market for LinkedIn — could click.

“Plus, more employees have access to billing and invoice information, meaning that a spray-and-pray campaign can be effective,” Fuchs wrote. “The idea is to create a link that contains a clean page, redirecting to a phishing page.”

In a statement provided to KrebsOnSecurity, Linkedin said it has “industry standard technologies in place for URL sharing and chained redirects that help us identify and prevent the spread of malware, phishing and spam.” LinkedIn also said it uses 3rd party services — such as Google Safe Browsing, Spamhaus, Microsoft, and others — to identify known-bad URLs.

KrebsOnSecurity couldn’t find any evidence of phishers recently using LinkedIn’s redirect to phish LinkedIn credentials, but that’s certainly not out of the question. In a less complex attack, an adversary could send an email appearing to be a connection request from LinkedIn that redirects through LinkedIn to a malicious or phishous site.

Also, malicious or phishous emails that leverage LinkedIn’s Slinks are unlikely to be blocked by anti-spam or anti-malware filters, because LinkedIn is widely considered a trusted domain, and the redirect obscures the link’s ultimate destination.

Linkedin’s parent company — Microsoft Corp — is by all accounts the most-phished brand on the Internet today. A report last year from Check Point found roughly 45 percent of all brand phishing attempts globally target Microsoft. Check Point said LinkedIn was the sixth most phished brand last year.

The best advice to sidestep phishing scams is to avoid clicking on links that arrive unbidden in emails, text messages and other mediums. Most phishing scams invoke a temporal element that warns of dire consequences should you fail to respond or act quickly. If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark to avoid potential typosquatting sites.

How Phishers Are Slinking Their Links Into LinkedIn

Intuit's alert follows reports received from customers who were emailed and told that their Intuit accounts were disabled following a recent server security upgrade.

"We have temporarily disabled your account due to inactivity. It is compulsory that you restore your access within next 24 hours," the attackers say in the phishing messages, masquerading as the Intuit Maintenance Team.

"This is a result of recent security upgrade on our server and database, to fight against vulnerability and account theft as we begin the new tax season."

The recipients are instructed to go to https://proconnect.intuit.com/Pro/Update immediately to restore access to their accounts.

Clicking the link will likely redirect them to an attacker-controlled phishing site designed to infect them with malware or harvest their financial or personal information.

Those who might think twice before clicking the embedded link are warned that they might permanently lose access to their accounts.

The financial software maker said that it's not behind these emails and that the sender "is not associated with Intuit, is not an authorized agent of Intuit, nor is their use of Intuit's brands authorized by Intuit."

How to avoid getting phished

The maker of TurboTax and QuickBooks urges all customers who have received one of these phishing emails not to click any embedded links or open attachments.

The recommended way to tackle these phishing attempts is to delete the emails to avoid getting infected with malware or being redirected to a phishing landing page that would try to hand over your credentials.

Customers who already opened attachments or clicked the links in such phishing emails should:

1. Delete any downloaded files immediately.
2. Scan their systems using an up-to-date anti-malware solution.
3. Change their passwords.

Intuit also shares info on how its customers can protect themselves from phishing attacks on its support website.

In October, the company also warned QuickBooks customers of phishing attacks using fake renewal charges as lures.

The same month, QuickBooks users were targeted by scammers via sites threatening them to upgrade to avoid having their databases corrupted or company backup files removed automatically with the end goal of taking over their accounts.

TurboTax customers were also affected by at least four account takeover attack campaigns in 2014/2015, 2019, and 2021.

Intuit warns of phishing emails threatening to delete accounts

"From January 2021 through December 2021, we've blocked more than 25.6 billion Azure AD brute force authentication attacks and intercepted 35.7 billion phishing emails with Microsoft Defender for Office 365," said Vasu Jakkal, Microsoft's Corporate Vice President for Security, Compliance, and Identity.

Multi-factor authentication (MFA) and passwordless authentication would make it a lot harder for threat actors to brute force their way into their targets' Microsoft accounts, Jakkal added.

However, even though attackers have been steadily increasing their breach attempts throughout the last two years, Microsoft is yet to see the vast majority of its customer base interested in adopting strong identity authentication, including passwordless auth and MFA. 

"For example, our research shows that across industries, only 22 percent of customers using Microsoft Azure Active Directory (Azure AD), Microsoft's Cloud Identity Solution, have implemented strong identity authentication protection as of December 2021," Jakkal said.

"MFA and passwordless solutions can go a long way in preventing a variety of threats and we're committed to educating customers on solutions such as these to better protect themselves."

Just last week, Microsoft warned of an active multi-stage phishing campaign leveraging Azure AD to register rogue devices onto targets' networks to distribute phishing emails. As Redmond explained, the attack was blocked on networks where an MFA policy was enabled in Azure AD.

Why multi-factor authentication matters

Enabling multi-factor authentication (MFA) whenever possible makes it a lot harder or even impossible for attackers to pull off a successful attack and take control of your accounts.

To put things into perspective, Microsoft Director of Identity Security Alex Weinert said that "your password doesn't matter, but MFA does! Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA."

A joint study by Google, New York University, and University of California San Diego also discovered that MFA can block up to 100% of automated bots, 99% of bulk phishing attacks, and approximately 66% of targeted attacks.

In August, the US Cybersecurity and Infrastructure Security Agency (CISA) also advised switching to MFA when adding single-factor authentication (SFA) to its list of cybersecurity bad practices.

As CISA explained, threat actors can easily gain access to systems and accounts not protected with MFA since passwords can be easily stolen or guessed using various techniques, including phishing, keylogging, network sniffing, social engineering, malware, brute-force attacks, and credential dumping.

Microsoft and Google provide simple-to-follow guides on how to secure your accounts, with Microsoft offering a support page on the five steps to secure your identity and Google a blog post on the five things to do to stay safe online.

Microsoft blocked billions of brute-force and phishing attacks last year