News: Security & Privacy News

ProtonMail introduces a new email tracker blocking system

Thu, 20 Jan 2022 19:13:33 +0000

ProtonMail has introduced an enhanced email tracking protection system for its web-based email solution that prevents senders from being tracked by recipients who open their messages.

ProtonMail is an end-to-end encrypted email service based in Switzerland and uses a client-side encryption approach to maintain user privacy and protect their communications from snooping intermediaries.

40% of all emails have trackers

According to a 2017 study, almost half of all emails sent and received feature trackers that beam information back to the sender.

The information includes the time a recipient opened an email, how many times it was revisited, what device was reached, and the recipient's IP address.

How email trackers work
Source: ProtonMail

These trackers are practically invisible since they are just tiny pixels in an image embedded on the email body, and they log data about the user activity every time the message is opened.

Email trackers are predominantly used for targeted advertising but can also be used for de-anonymization, to expose the recipient's information to third parties, or simply to monitor when someone has read your email.

The collection of this data occurs without the user's consent, but these systems are hard to regulate, so the best approach is to block them.

Blocking trackers for all users

ProtonMail will now start blocking email trackers by default on all accounts, including free (non-paying) users.

The webmail service will block the identified as risky pixels and hide the user's IP address so that their location remains concealed.

Pop up informing the user about blocked trackers
Source: ProtonMail

Whenever a tracker is blocked, the user will get a relevant notification with a clickable icon that holds more information on the detected trackers.

As the company explains, this new system won't affect subscribing to newsletters or registering for online services.

ProtonMail users can check if this privacy feature is enabled by going to Settings > Email Privacy and confirming if the Block email tracking setting is toggled on, as shown below.

Block Email Tracking setting in ProtonMail

Other ways to protect yourself

If you're not using ProtonMail, but you still want to protect yourself from email trackers, try disabling image/resource loading on your email client.

This option is available on Thunderbird, Outlook, Gmail, and Apple Mail, and should be enough to block most trackers from loading.

You can also turn off HTML email entirely and read your messages in plain text form for additional security. However, this measure is not recommended for a pleasing user experience but could help in cases where privacy protection is critical.

ProtonMail introduces a new email tracker blocking system

If you like the data on your WD My Cloud OS 3 device, patch it now

Thu, 20 Jan 2022 03:17:07 +0000

The disk maker updates the OS to incorporate patches available for 4 months.

Western Digital has patched three critical vulnerabilities—one with a severity rating of 9.8 and another with a 9.0—that make it possible for hackers to steal data or remotely hijack storage devices running version 3 of the company’s My Cloud OS.

CVE-2021-40438, as one of the vulnerabilities is tracked, allows remote attackers with no authentication to make devices forward requests to servers of the attackers’ choosing. Like the other two flaws Western Digital fixed, it resides in the Apache HTTP Server versions 2.4.48 and earlier. Attackers have already successfully exploited it to steal hashed passwords from a vulnerable system, and exploit code is readily available.

The vulnerability with a severity rating of 9 out of a maximum 10 stems from a Server-Side Request Forgery. This class of bug lets attackers funnel malicious requests to internal systems that are behind firewalls or otherwise not accessible outside a private network. It works by inducing server-side applications to make HTTP requests to an arbitrary domain of the attacker's choosing.

CVE-2021-39275, meanwhile, carries a severity rating of 9.8 out of a possible score of 10. It allows remote attackers to crash vulnerable systems and possibly execute malicious code. Two additional vulnerabilities—CVE-2021-36160 and CVE-2021-34798—make it possible to remotely crash vulnerable systems.

Apache released patches for the vulnerabilities last October. Why the disk maker took four months to incorporate them into its disk OS is not clear.

Many people are often slow to patch vulnerabilities in periphery devices such as network-attached storage devices, which run Western Digital’s My Cloud proprietary operating system. That would be a mistake in this case. In June, Western Digital advised users of a different product, the My Book Live, to immediately unplug the devices from the Internet. Meanwhile, the company responded to what later turned out to be the mass exploitation of a zero-day vulnerability.

Last year, Western Digital laid out a schedule for phasing out use of My Cloud OS 3. Starting earlier this week, users of the older OS with devices that are compatible with the current OS version 5 were required to update to the new version. If they didn’t, the users would no longer be able to connect to the devices over the Internet, receive security updates, or get technical support. On April 15, support for version 3 will end completely. Devices that aren’t compatible with version 5 by then will lose remote access, meaning they will only be able to access files over local networks.

“We recommend that all eligible users upgrade to My Cloud OS 5 immediately to benefit from the latest security fixes,” Western Digital said in an advisory. Instructions for upgrading are here.

Listing image by followtheseinstructions / Flickr

If you like the data on your WD My Cloud OS 3 device, patch it now

Interpol arrests 11 BEC gang members linked to 50,000 targets

Wed, 19 Jan 2022 21:10:29 +0000

In coordination with the Nigerian Police Force, Interpol has arrested 11 individuals suspected of participating in an international BEC (business email compromise) ring.

BEC is a type of attack conducted via email involving the spear-phishing of certain company employees responsible for approving payments to contractors, suppliers, etc.

By impersonating a coworker, a supervisor, or a client/supplier, BEC actors manage to divert payments to their bank accounts, essentially stealing them from the targeted company.

In the latest Interpol operation codenamed 'Falcon II,' which unfolded between December 12 and 22, 2021, the police followed leads provided by cyber-intelligence firms Group-IB and Palo Alto Networks' Unit 42 to arrest suspects in Lagos and Asaba.

Members of the SilverTerrier gang

According to the forensic investigation and the evidence collected so far, Interpol believes that at least some of the arrested individuals belong to the BEC gang known as SilverTerrier (aka TMT).

This is the second blow for the particular group after Interpol arrested more of their members in the context of 'Falcon I' back in 2020.

"This preliminary analysis indicates that the suspects' collective involvement in BEC criminal schemes may be associated with more than 50,000 targets," details Interpol's announcement.

"One of the arrested suspects was in possession of more than 800,000 potential victim domain credentials on his laptop."

"Another suspect had been monitoring conversations between 16 companies and their clients and diverting funds to 'SilverTerrier' whenever company transactions were about to be made."

Photo from the arrest
Source: Interpol

Six actors with history in BEC

According to a report shared with Bleeping Computer by Palo Alto Unit 42, most of the arrested individuals have had a lengthy involvement in or prior convictions for BEC scams.

The arrested individuals who were tracked and identified by Unit 42 are:

Darlington Ndukwu - active since 2014, using ISRStealer, Keybase, Pony, LokiBot, PredatorPain, ISpySoftware. Registered websites such as "fbigov[.]org", "annexbanks[.]com", and "western-union[.]org". He has targeted security researchers too, and was arrested again during FBI's 'WireWire' 2018 operation.
Onuegwu Ifeanyi Ephraim - active since 2014, using Lokibot, PredatorPain, ISRStealer, Pony, NanoCore, AzoRult, ISpySoftware, AgentTesla, Keybase. Registered domains like "us-military-service[.]com" and "pennssylvania[.]com[.]mx". He sponsored at least 30 BEC actors and was arrested for BEC activities again in 2020. When released in 2021, he immediately returned to scams by registering "covid19-fundservices[.]com".
Oyebade Fisayo - Active since 2015, using ISRStealer, Pony, LuminosityLink, NanoCore, LokiBot, Keybase, Adwind, AgentTesla, PredatorPain, ImminentMonitor. He publicly offered instructions on how to use RATs on Facebook. Registered domains such as "atlanticexpresslogistics[.]com," and "shipatlanticlogistics.co[.]uk"
Kevin Anyanwu - Active since 2015, operating the "hsbctelex[.]net" scam site.
Onukwubiri Ifeanyi Kingsley - Active since 2016, using Pony and Lokibot. He was linked to at least 20 fraudulent domains like "qatarairways[.]pw". Is believed to be a core member of the TMT gang.
Kennedy Ikechukwu Afurobi - Active since 2014, using Pony, PredatorPain, Azorult. He is also directly linked to TMT group activities and registered almost a hundred domains that were used for distribution of spear-phishing email.

Onukwubiri Kingsley on social media
Source: Unit 42

Hiding behind banks

BEC scammers cannot siphon funds in the form of untraceable cryptocurrencies, so the only way for them to hide is by moving the stolen amounts around, attempting to obscure the money trace.

Unfortunately, many banks, especially in countries where weak money laundering regulations apply, insist on protecting their clients' identities and refuse to revert transactions that were part of payment diversion fraud acts.

However, the international collaboration and information exchange between law enforcement and intelligence agencies worldwide make it increasingly challenging for BEC actors to remain hidden.

How to defend against BEC

When requested to send money or to change to conduct all payments to a new bank, you may pick up the phone and call the supplier/colleague to confirm it.

For this, use the phone number you have confirmed to be valid in past communications and not any new numbers provided in the email.

To protect your email account from takeover, enable multi-factor authentication along with a strong and unique password.

Organizations should also secure their domain from spoofing by registering potential domain typo-squatting candidates and instructing employees not to over-share business information online.

Post updated to add more info shared with Bleeping Computer by Unit 42 on a subset of the arrested individuals.

Interpol arrests 11 BEC gang members linked to 50,000 targets

OpenSubtitles Hacked, 7 Million Subscribers’ Details Leaked Online

Wed, 19 Jan 2022 21:00:39 +0000

OpenSubtitles, one of the largest repositories of subtitle files on the internet, has been hacked. Founded in 2006, the site was reportedly hacked in August 2021 with the attacker obtaining the personal data of nearly seven million subscribers including email and IP addresses, usernames and passwords. The site alerted users yesterday after the hacker leaked the database online.

OpenSubtitles is one of the largest and most popular subtitle repositories on the Internet. Millions of subtitle files are downloaded every week in many languages, often to be paired with downloaded movies and TV shows.

The site was founded in 2006 by a Slovakian programmer who came up with the idea while drinking a few beers at a local pub. Following an announcement late yesterday, more beers might be needed to cope with an emerging crisis.

OpenSubtitles Hacked, Millions of Subscribers’ Details Exposed

In a post to the OpenSubtitles forum, site administrator ‘oss’ reveals that the site – which has millions of members – has been hacked. Apparently the development isn’t new either.

“In August 2021 we received message on Telegram from a hacker, who showed us proof that he could gain access to the user table of opensubtitles.org, and downloaded a SQL dump from it. He asked for a BTC ransom to not disclose this to public and promise to delete the data,” the post reads.

“We hardly agreed, because it was not low amount of money. He explained us how he could gain access, and helped us fix the error. On the technical side, he was able to hack the low security password of a SuperAdmin, and gained access to an unsecured script, which was available only for SuperAdmins. This script allowed him to perform SQL injections and extract the data.”

Hacker Gained Access to All User Data

According to ‘oss’, the hacker gained access to email addresses, usernames and passwords, but promised that the data would be erased after the payment was made. That promise was not kept.

While no member data was leaked last August, on January 11, 2022, OpenSubtitles received new correspondence from a “collaborator of the original hacker” who made similar demands. Contacting the original hacker for help bore no fruit and on January 15 the site learned that the data had been leaked online the previous day.

Indeed, searches on data breach site Have I Been Pwned reveals that the database is now in the wild, containing all of the data mentioned by OpenSubtitles and more.

“In August 2021, the subtitling website Open Subtitles suffered a data breach and subsequent ransom demand. The breach exposed almost 7M subscribers’ personal data including email and IP addresses, usernames, the country of the user and passwords stored as unsalted MD5 hashes,” the site reports.

Measures Taken By OpenSubtitles

OpenSubtitles describes the hack as a “hard lesson” and admits failings in its security. The platform has spent time and money securing the site and is requiring members to reset their passwords. However, for those who have had their data breached, it may already be too late to prevent damage.

The hacker has already had access to data for several months and now the breach is in the wild, problems could certainly escalate. Those with exceptionally strong passwords may be safer than those who chose an easy-to-guess option but according to OpenSubtitles, the former are in the minority.

Threats to OpenSubtitles Members

Perhaps the most immediate threat concerns users who used the same email address and password combination on other sites. With these in the wild, an attacker could breach third-party accounts so immediately changing these credentials should be a priority for those affected, perhaps with the use of a password manager service such as 1Password.

Another concern for OpenSubtitles users is that many are likely to be members of pirate sites. If they used the same credentials on those then that is clearly an issue but if the report from Have I Been Pwned is correct, their email addresses can now be matched with their IP addresses too.

Only time will tell if that will prove of interest to third parties but in privacy terms the situation is certainly not optimal. OpenSubtitles has been officially labeled as a pirate service in a number of regions and courts around the world including those in Australia, Greece, and Norway have ordered the platform to be blocked by ISPs.

Further information on the breach and actions to be taken can be found here

OpenSubtitles Hacked, 7 Million Subscribers’ Details Leaked Online

Some Roku smart TVs are now showing banner ads over live TV

Wed, 19 Jan 2022 03:47:22 +0000

It's still unclear which TVs are affected.

Some Roku smart TV owners are seeing banner ads appear over live content, according to a thread on the r/cordcutters subreddit.

A user named p3t3or posted the following message:

Welp, this is the last time I purchase or recommend a Roku. After a Sleep Number commercial, I just got a Roku ad sidebar while watching live TV. Really loved the Roku experience up until now, but this is a deal breaker.

The message was accompanied by the following photo:

An ad appears over a sports game on a Sharp-branded TV running Roku software.

u/p3t3or

The photo shows a Sharp TV running Roku software and displaying an ad for a bed over a live sports broadcast, plus a prompt to 'press OK to get offer."

These ads don't seem to appear on Roku's own hardware, like the Roku Ultra, Express, Streambar, or Streaming Stick. Rather, they show up on certain smart TVs running the Roku TV platform—and it might just be certain brands, like Sharp. Some owners of TCL Roku TVs commented that they had not seen the ads.

Fortunately, users in the thread reported that the feature can be disabled in privacy settings. But it's possible that doing so may disable other Roku features.

Roku's platform is not the only one adding ads to content. Users have complained previously about ads featured prominently on Samsung's TVs, and while we haven't seen reports of ads appearing over live content on LG's webOS TVs, they do appear in other places in the TV's software.

Further, some of these platforms collect and monetize user data, as we previously reported about Vizio TVs.

Smart TV platforms offer convenience, but it's rare for software and services that receive ongoing free support and updates to operate without showing ads, monetizing user data, or both. The profit margins on TVs can be small outside of the high-end part of the market, and supporting software and live services over time costs money, so TV and platform makers are seeking out ways to generate recurring revenue on top of what they get from initial sales.

User complaints like these may reflect a trend to which there is no clear end.

We've reached out to Roku for comment and clarification about which devices serve these ads and what the effects of disabling them in settings might be.

Some Roku smart TVs are now showing banner ads over live TV

Telegram is a hotspot for the sale of stolen financial accounts

Tue, 18 Jan 2022 22:44:21 +0000

Telegram is increasingly abused by cybercriminals to set up underground channels to sell stolen financial details to pseudonymous users.

Telegram is a free and cross-platform instant messaging service that offers end-to-end encryption communication, currently having a user base of over 500 million active users.

Because the platform follows an approach of loose moderation, only censoring extremist content, cyber-criminals find it reasonably easy to abuse it to promote their nefarious purposes.

It is also much easier to set up a Telegram channel to sell stolen data than creating a new dark website, and often, much easier to promote and draw a wider audience of interested buyers.

Finally, because Telegram channels are more volatile and short-lived than dark web markets, they could be safer to use for criminals as they are harder to track and correlate online personas with real identities.

An ongoing concern

Researchers at Cybersixgill have published a report based on data they collected throughout 2021 and concluded that even though the sale of financial accounts on Telegram has decreased in volume, it remains a stable problem.

When conducting the report, the researchers filtered out bot spam and only focused on high-quality data, such as listings containing specific keywords related to money laundering and financial account sales.

Sales activity in 2020 and 2021
Source: Cybersixgill

Cybersixgill's analysts believe that the reason behind the stark nosedive of 60% compared to 2020 is the overall reduction of newly-issued credit cards during the pandemic.

"This stark nosedive in discourse surrounding compromised accounts from 2020 to 2021 might seem remarkable, but it is not an isolated event; a parallel decrease was also identified in the total number of compromised credit cards sold on underground markets throughout the same period," the reasearchers explain in their report.

"In our Underground Financial Fraud report for H1 2021, we attributed this decline to the closure of several credit card markets (either imposed by law enforcement or as a result of threat actor “retirement”), ongoing trends towards contactless payments accelerated during the pandemic, and the overall reduction of newly-issued credit cards."

Another factor that may have played a key role is the general decline of the carding space and the shift of cybercriminal attention to the much-more prolific ransomware operations.

PayPal accounts the most bartered item

The leader in the number of listings on these channels is PayPal, followed by Chase and Western Union.

Volume of listings per payment platform
Source: Cybersixgill

Account takeovers on PayPal constitute a direct way to drain funds from other people, and thanks to the platform’s popularity, it’s easy to make online purchases with it on almost any site.

Cybersixgill explains that for most compromised PayPal accounts, the buyers use them to purchase hard-to-trace cryptocurrency, essentially laundering the money.

On that front, cyber-criminals also offer money transfer services right on Telegram, helping actors obfuscate the origin of the stolen funds.

Money-moving services through PayPal
Source: Cybersixgill

Credits cards continue to be sold

Even if at a smaller volume, credit cards are also offered on Telegram channels, with roughly half of them including the highly-valuable CVV/CVV2 codes required to verify online purchases.

The prices range from $10 to $1,500 per card, depending on the bank account balance and the “freshness” of the data.

A $10 listing containing basic credit card data
Source: Cybersixgill

If the owner hasn't realized the breach of their credit card details, there's no risk of being reported to the bank, so the listing's price is higher.

Valuable debit card selling for $1,500
Source: Cybersixgill

That is at least how things work theoretically, as scams are always to be found among genuine listings.

Finally, there are dedicated Telegram channels that sell bank logs (credentials) as well, which can also be used for electronic cashouts.

Bank logs can be equally as valuable as credit card data
Source: Cybersixgill

Conclusion

The above is only a small part of the cybercriminal activity on Telegram channels, with other activities including identity theft, fraud, network access, stolen database, and many more.

Anonymity in Telegram is linked to the telephone number used during the subscription, so if the actors acquired the SIM without providing real identification details, they become hard to track and catch.

We have reached out to Telegram to request a comment on the matters of abuse and what they’re planning to do about it, but we have not received a response yet.

Telegram is a hotspot for the sale of stolen financial accounts

Firefox Relay's addition to disposable email blocklist upsets users

Mon, 17 Jan 2022 21:39:50 +0000

The maintainers of a "disposable email service" blocklist have decided to add Firefox Relay to the list, leaving many users of the service upset.

Firefox Relay is a privacy-centric email service that enables users to protect their real email addresses and hence limit spam.

Firefox Relay to go into disposable email blocklist

Launched in November 2021, Firefox Relay was created with the goal of helping users safeguard their privacy and limit the amount of email spam directed at them.

Available as a free and premium offering, the service hides the user's real email address to help protect their identity by giving them an alias to use.

Disposable email address services work by providing users with a temporary, intermediate email address that "relays" mail to their real inbox.

Users signing up for Firefox Relay are assigned an @*.mozmail.com email alias which forwards their mail to their actual email address.

FireFox Relay's mozmail.com domain in use (Mozilla)

Although disposable email services might provide users with peace of mind when signing into free Wi-Fi portals that require an email address, and services with a high probability of sending marketing emails to users, they can also become a nuisance for service providers.

For example, mission-critical sites providing e-commerce and online banking services may become susceptible to abuse by threat actors if they allow the use of disposable emails.

Therefore, blocklists of domains used by burner email services are compiled and maintained by third-parties.

These can be referred to by online service providers from time to time to deny account signups to users presenting a disposable email address.

As seen by BleepingComputer today, the list, "disposable-email-domains" present on a GitHub repository by the same name contains known burner email services like 10minutemail, GuerrillaMail, and Mailinator.

Alongside these domains, relay.firefox.com was also proposed for addition as of a few days ago:

Firefox Relay domain added to blocklist (GitHub)

It isn't clear who all or how many service providers reference the "disposable-email-domains" list when checking if a provided email address is a burner.

But, note, we did not see *.mozmail.com domains on the list just yet: "mozmail.com" is the functional domain used by email aliases generated by Firefox Relay.

Back in November 2021, Firefox Relay's team lead had requested the maintainer of a separate burner email list, "burner-email-providers" to exempt the particular domain form the blocklist:

"We are operating Relay with a number of features that I think mitigate the risks that these aliases pose," Mozilla's privacy and security engineer Luke Crouch explained in November.

Firstly, if a @mozmail.com alias is disabled by the user, any emails sent to the alias are not bounced back but instead discarded with a 404 error message returned by the service's HTTP webook, stated Crouch.

Secondly, he explained, the anti-abuse protections built into Relay limit free users to a total of five aliases, and further rate-limit premium customers so they cannot abuse the service by creating large-scale throw-away aliases for, say, automated signups to web services.

With that reasoning, mozmail.com was swiftly removed from that blocklist. And it appears, the creators of "disposable-email-domains" have also honored the clause, for now.

Users upset at the decision

The move to propose the addition of Firefox Relay's main domain to the disposable email providers blocklist has left many users confused and unpleased, prompting the list's maintainers to lock the GitHub discussion before it gets "too heated."

"Well, nice pickle. Why are you doing this to us Firefox? Among other things this throws a wrench in the original (not really rock-solid) reasoning about domain levels from here -- so it breaks our CI even if in the correct order," asked software developer Martin Cech, who is one of the contributors to the blocklist's repository.

"My reasoning on including this is that an email with a mozmail domain is never going to be a primary email and is always going to forward to some other address," responded the list's co-maintainer, Dustin Ingram, who is also a Google open source security team member.

But, one of the pseudonymous GitHub users, worldofgeese cautioned that such blocklists could strip users of "one of the few defenses they have" against their email address leaking, and from threat actors waiting to flood users' mailboxes with spam.

"Can you not do this? You look like extremely bad actors. Please don't contribute to an unsafe internet," wrote worldofgeese.

"I use Private Relay to protect my personal mail address, not as a tool for spam. I'm not even sure how a user would use Private Relay for spam, as users cannot begin email chains with a Relay address, only respond to mails delivered to those addresses."

Another GitHub user urged that the decision to blocklist Firefox Relay be reconsidered as the service is one of the safeguards that prevent personal email addresses from turning up in data breaches and being spammed.

Interestingly, privacy-focused email services like Fastmail allow creation of both real and randomly generated email aliases via their primary domain (i.e. @fastmail.com).

"Good luck blocking the hundreds of thousands of Fastmail users by trying to block the minority using masked addresses," challenged a Hacker News commentator.

As seen by BleepingComputer, fastmail.com is present on the allowlist within the "disposable-email-domains" repo.

Some surmised that, with additional effort, malicious actors could choose to abuse legitimate email providers like Gmail just as well, rather than turning to a service like Firefox Relay, thereby rendering such blocklists futile.

And the divide seems to be stern between those who vouch by the efficacy of Firefox Relay and disposable email services, and those with the painful task of maintaining anti-spam blocklists.

"The reason disposable email addresses exist and are popular is because services have abused users' trust to not use these emails for shady ad revenue and marketing schemes," writes a user on Hacker News.

"It's further compounded by shoddy security that leads to leaks and exposure of people's personal email addresses to pwned compromised lists. People don't want to give up their personal email addresses so that they can be spammed or hacked. Until services do better (ie don't sell me out for cheap) I'll keep using the latest disposable email address to sign up for your user-hostile websites."

Whether the privacy afforded by email relay services outweighs the risks posed by their abuse remains an ongoing debate.

Firefox Relay's addition to disposable email blocklist upsets users

Major Apple Safari privacy bug means any websites can access your Google ID, other private data

Mon, 17 Jan 2022 03:23:12 +0000

If you care about your privacy you mean need to put down your iPhone, after a serious implementation bug in Safari means any website is able to read some of your private data and recent browsing history, even when using Private Browsing mode.

The issue is with how Safari implements IndexedDB, a browser-based database commonly used by web apps. Most browsers create a new instance of IndexedDB for each website, which can only be accessed from that website.

Safari however creates empty versions of the IndexedDB created by each web page in each other web page, meaning for IndexedDB Safari does not respect same-origin policy properly.

Even though the shadow copies of IndexedDB created for other web pages are empty, they still have the same name as the actual database created by the original web app, which can leak private information. The mere presence of the database will let other web pages know that you visited another website, for example, the presence of the Netflix IndexedDB could tell Amazon that you are a Netflix user. Even worse, however, the name of the database may leak your credentials. The name of the database for Google apps (such as Gmail or YouTube) include your GoogleID for example, which can be used to access your publicly-available information, such as your profile picture.

The bug was discovered and reported by FingerprintJS on the 28th of November, but so far Apple has not taken any action.

You can test out the issue at FingerprintJS’s proof of concept website here, which will check if you visited 30 different major websites recently.

On macOS users can and should use an alternate browser, but on iOS all browsers use the Safari web engine, meaning all iPhone users have no mitigation except to stop using the browser on their phone.

Watch FingerprintJS’s explainer video below:

via the Verge

Major Apple Safari privacy bug means any websites can access your Google ID, other private data

Microsoft: Fake ransomware targets Ukraine in data-wiping attacks

Sun, 16 Jan 2022 20:54:26 +0000

Microsoft is warning of destructive data-wiping malware disguised as ransomware being used in attacks against multiple organizations in Ukraine.

Starting January 13th, Microsoft detected the new attacks that combined a destructive MBRLocker with a data-corrupting malware used to destroy the victim's data intentionally.

A two-stage attack destroys data

Microsoft calls this new malware family 'WhisperGate' and explains in a report that it is conducted through two different destructive malware components.

The first component, named stage1.exe, is launched from the C:\PerfLogs, C:\ProgramData, C:\, or C:\temp folders that overwrites the Master Boot Record to display a ransom note.

An MBR locker is a program that replaces the 'master boot record,' a location on a computer's hard drive that contains information on disk partitions and a small executable that is used to load the operating system.

MBR lockers replace the loader in the master boot record with a program that commonly encrypts the partition table and displays a ransom note. This prevents the operating system from loading and data from being accessible until a ransom is paid and a decryption key is obtained.

The WhisperGate ransom note, shown below, tells the victim to send $10,000 in bitcoin to the 1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv address and then contact the threat actors via an included Tox chat ID.

Your hard drive has been corrupted.
In case you want to recover all hard drives
of your organization,
You should pay us $10k via bitcoin wallet
1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv and send message via
tox ID 8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65
with your organization name.
We will contact you to give further instructions.

While Microsoft points to the use of Tox as a reason for the ransomware being fake, BleepingComputer knows of numerous ransomware operations that use Tox as a communication method, so this is not unusual.

However, the MBRLocker's ransom note uses the same bitcoin address for all victims and does not provide a method to input a decryption key. When combined, this typically indicates fake ransomware designed for destructive purposes.

The second component, named stage2.exe, is executed simultaneously to download data-destroying malware hosted on Discord that overwrites targeted files with static data.

"If a file carries one of the extensions above, the corrupter overwrites the contents of the file with a fixed number of 0xCC bytes (total file size of 1MB)," explains Microsoft's report.

"After overwriting the contents, the destructor renames each file with a seemingly random four-byte extension."

The file extensions targeted by the stage2 component for corruption are:

.3DM .3DS .7Z .ACCDB .AI .ARC .ASC .ASM .ASP .ASPX .BACKUP .BAK .BAT .BMP .BRD .BZ .BZ2 .CGM .CLASS .CMD .CONFIG .CPP .CRT .CS .CSR .CSV .DB .DBF .DCH .DER .DIF .DIP .DJVU.SH .DOC .DOCB .DOCM .DOCX .DOT .DOTM .DOTX .DWG .EDB .EML .FRM .GIF .GO .GZ .HDD .HTM .HTML .HWP .IBD .INC .INI .ISO .JAR .JAVA .JPEG .JPG .JS .JSP .KDBX .KEY .LAY .LAY6 .LDF .LOG .MAX .MDB .MDF .MML .MSG .MYD .MYI .NEF .NVRAM .ODB .ODG .ODP .ODS .ODT .OGG .ONETOC2 .OST .OTG .OTP .OTS .OTT .P12 .PAQ .PAS .PDF .PEM .PFX .PHP .PHP3 .PHP4 .PHP5 .PHP6 .PHP7 .PHPS .PHTML .PL .PNG .POT .POTM .POTX .PPAM .PPK .PPS .PPSM .PPSX .PPT .PPTM .PPTX .PS1 .PSD .PST .PY .RAR .RAW .RB .RTF .SAV .SCH .SHTML .SLDM .SLDX .SLK .SLN .SNT .SQ3 .SQL .SQLITE3 .SQLITEDB .STC .STD .STI .STW .SUO .SVG .SXC .SXD .SXI .SXM .SXW .TAR .TBK .TGZ .TIF .TIFF .TXT .UOP .UOT .VB .VBS .VCD .VDI .VHD .VMDK .VMEM .VMSD .VMSN .VMSS .VMTM .VMTX .VMX .VMXF .VSD .VSDX .VSWP .WAR .WB2 .WK1 .WKS .XHTML .XLC .XLM .XLS .XLSB .XLSM .XLSX .XLT .XLTM .XLTX .XLW .YML .ZIP

As neither of the two malware components offer means to enter decryption keys to restore the original Master Boot Record and as the files are overwritten with static undecryptable data, Microsoft classifies this as a destructive attack rather than one used to generate a ransom payment.

Microsoft has shared hashes for the two malware samples used in the attacks, which are listed below.

Stage1.exe: a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92
Stage2.exe: dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78

Microsoft is unable to attribute the attacks to any particular threat actor and is tracking the hacker's activities as DEV-0586.

With the geopolitical tensions escalating in the region between Russia and Ukraine, it is believed that these attacks are designed to sow chaos in Ukraine.

A similar attack was conducted in 2017 when thousands of Ukrainian businesses were targeted with the NotPetya ransomware.

While NotPetya was based on real ransomware known as Petya, the NotPetya attacks were conducted as a cyberweapon against Ukraine rather than to generate payments.

In 2020, the USA formally indicted Russian GRU hackers believed to be part of the elite Russian hacking group known as "Sandworm" for the NotPetya attacks.

Ukraine under siege by cyberattacks

This week, at least fifteen websites of Ukrainian public institutions and government agencies were hacked, defaced, and subsequently taken offline.

Hackers defaced these websites to show a message warning visitors that their data was stolen and publicly shared online.

"Ukrainian! All your personal data has been uploaded to the public network. All data on the computer is destroyed, it is impossible to recover them. All information about you has become public, be afraid and expect the worst. This is for your past, present and future. For Volyn, for the OUN UPA, for Galicia, for Polissya and for historical lands," reads the translated website defacement.

Ukrainian website defacement

As part of this intimidation campaign, the threat actors created new accounts on the popular RaidForums hacking forum to release the allegedly stolen data.

Allegedly stolen data from Ukrainian government agency

However, threat actors who have reviewed the published data say it is unrelated to Ukraine government agencies and contains data from an old leak.

Ukraine has attributed the attacks to Russia, with the goal of undermining the confidence in the Ukrainian government.

"Russia's cyber-troops are often working against the United States and Ukraine, trying to use technology to shake up the political situation. The latest cyber attack is one of the manifestations of Russia's hybrid war against Ukraine, which has been going on since 2014," the Ukraine government announced today.

"Its goal is not only to intimidate society. And to destabilize the situation in Ukraine by stopping the work of the public sector and undermining the confidence in the government on the part of Ukrainians. They can achieve this by throwing fakes into the infospace about the vulnerability of critical information infrastructure and the "drain" of personal data of Ukrainians."

Microsoft: Fake ransomware targets Ukraine in data-wiping attacks

Russia charges 8 suspected REvil ransomware gang members

Sat, 15 Jan 2022 20:31:36 +0000

Eight members of the REvil ransomware operation that have been detained by Russian officers are currently facing criminal charges for their illegal activity.

On Friday, the Federal Security Service (FSB) of the Russian Federation - the country’s domestic intelligence service, announced raids at the homes of 14 individuals suspected to be part of the REvil ransomware gang.

The operation was done in cooperation with the Russian Interior Ministry after U.S. authorities reported on the leader of the group and demanded action be taken against cybercriminals residing in Russia.

The names of the suspects were unknown until today when Moscow’s Tverskoi Court identified eight of them from the documents of their arrest:

Muromsky Roman
Bessonov Andrey
Golovachuk Mikhail A.
Zayets Artem N.
Khansvyarov Ruslan A.
Korotayev Dmitry V.
Puzyrevsky D.D.
Malozemov Alexei V.

The suspects have been jailed for two months as a preventative measure and all of them are investigated for illegal circulation of means of payment (counterfeit credit cards and other payment documents, cryptocurrency).

Because of this, cybercriminals on some hacker forums believe that the suspects were arrested for carding (trafficking and using stolen credit cards).

Yelisey Boguslavskiy, head of research at AdvIntel threat prevention, says that the arrested individuals were likely low-level affiliates and not the core of the REvil operation, who develop the malware and maintain the ransomware-as-a-service (RaaS) operation.

All arrested individuals are accused of committing a crime under Part 2 of Article 187 of the Criminal Code of the Russian Federation, TASS Russian News Agency says, which carries a sentence (PDF) between five and eight years in prison.

According to Martin Matishak from The Record, a senior Biden administration official said that one of the 14 raided suspects was also responsible for the ransomware attack that disrupted the operations of Colonial Pipeline. The malware was deployed by the DarkSide ransomware gang, later rebranded as BlackMatter.

REvil made a name for itself on Russian-speaking hacker forums by creating a private, highly profitable RaaS business that accepted only professional intruders with access to large enterprise networks.

The gang is responsible for some of the most publicized ransomware incidents, such as the attack on meat JBS, who paid an $11 million ransom, or Kaseya - a developer of IT management software for managed service providers, who REvil demanded $70 million for the decryption tool.

According to the U.S. Department of Justice, the REvil ransomware operation received more than $200 million since it emerged in early 2019 and encrypted at least 175,000 systems.

It is unclear if the eight persons already charged were part of the REvil operation’s core or just affiliates, but the FSB says that it identified all members of the ransomware gang:

“The FSB of Russia established the full composition of the REvil criminal community and the involvement of its members in the illegal circulation of means of payment, and documented illegal activities” - Federal Security Service of the Russian Federation

In raids at 25 addresses of 14 suspected members of the REvil ransomware gang, law enforcement found and seized more than $6.6 million in fiat and cryptocurrency.

Russia charges 8 suspected REvil ransomware gang members

Linux malware sees 35% growth during 2021

Sat, 15 Jan 2022 15:36:13 +0000

The number of malware infections targeting Linux devices rose by 35% in 2021, most commonly to recruit IoT devices for DDoS (distributed denial of service) attacks.

IoTs are typically under-powered "smart" devices running various Linux distributions and are limited to specific functionality. However, when their resources are combined into large groups, they can deliver massive DDoS attacks to even well-protected infrastructure.

Besides DDoS, Linux IoT devices are recruited to mine cryptocurrency, facilitate spam mail campaigns, serve as relays, act as command and control servers, or even act as entry points into corporate networks.

A Crowdstrike report looking into the attack data from 2021 summarizes the following:

In 2021, there was a 35% rise in malware targeting Linux systems compared to 2020.
XorDDoS, Mirai, and Mozi were the most prevalent families, accounting for 22% of all Linux-targeting malware attacks observed in 2021.
Mozi, in particular, had explosive growth in its activity, with ten times more samples circulating in the wild the year that passed compared to the previous one.
XorDDoS also had a notable year-over-year increase of 123%.

Malware overview

XorDDoS is a versatile Linux trojan that works in multiple Linux system architectures, from ARM (IoT) to x64 (servers). It uses XOR encryption for C2 communications, hence the name.

When attacking IoT devices, XorDDoS brute-forces vulnerable devices via SSH. On Linux machines, it uses port 2375 to gain password-less root access to the host.

A notable case of the malware's distribution was shown in 2021 after a Chinese threat actor known as "Winnti" was observed deploying it with other derivative botnets.

Mozi is a P2P botnet relying on the distributed hash table (DHT) lookup system to hide suspicious C2 communications from network traffic monitoring solutions.

The particular botnet has been around for a while, continually adding more vulnerabilities and expanding its targeting scope.

DHT system implemented in Mozi
Source: Crowdstrike

Mirai is a notorious botnet that spawned numerous forks due to its publicly available source code that continues to plague the IoT world.

The various derivatives implement different C2 communication protocols, but they all typically abuse weak credentials to brute-force into devices.

We covered several notable Mirai variants in 2021, like "Dark Mirai," which focuses on home routers, and "Moobot," which targets cameras.

"Some of the most prevalent variants tracked by CrowdStrike researchers involve Sora, IZIH9 and Rekai," says CrowdStrike researcher Mihai Maganu in the report. "Compared to 2020, the numbers of identified samples for all three variants have increased by 33%, 39% and 83% respectively in 2021."

A trend that continues into 2022

The Crowstrike findings aren't surprising as they confirm an ongoing trend that emerged in previous years.

For example, an Intezer report analyzing 2020 stats found that Linux malware families increased by 40% in 2020 compared to the previous year.

Linux malware families recorded in recent years
Source: Intezer

In the first six months of 2020, a steep rise of 500% in Golang malware was recorded, showing that malware authors were looking for ways to make their code run on multiple platforms.

This programming, and by extension, targeting trend, has already been confirmed in early 2022 cases and is likely to continue unabated.

Source

Russian government arrests REvil ransomware gang members

Fri, 14 Jan 2022 19:16:53 +0000

The Federal Security Service (FSB) of the Russian Federation says that they shut down the REvil ransomware gang after U.S. authorities reported on the leader.

More than a dozen members of the gang have been arrested following police raids at 25 addresses, the Russian security agency says in a press release today.

“The basis for the search activities was the appeal of the competent US authorities, who reported on the leader of the criminal community and his involvement in encroachments on the information resources of foreign high-tech companies by introducing malicious software, encrypting information and extorting money for its decryption” - Russia’s Federal Security Service

Russian authorities have detained 14 individuals suspected to be part of the REvil ransomware-as-a-service (RaaS) operation and confiscated cryptocurrency and fiat money as follows:

more than 426 million rubles (approximately $5,5 million)
600 thousand US dollars
500 thousand euros (approximately $570,000)

Russian authorities also confiscated 20 luxury cars purchased with money obtained from cyberattacks, computer equipment and cryptocurrency wallets used to develop and maintain the RaaS operation.

Footage from the raids available below shows how officers detained the suspects and confiscated money and electronics:

The raids took place at addresses in Moscow, St. Petersburg, Leningrad, and Lipetsk regions.

The FSB says that it was able to identify all members of the REvil gang, documented their illegal activities, and establish their participation in “illegal circulation of means of payment.”

Apart from creating the file-encrypting malware and deploying it on enterprise networks across the globe, REvil members were also involved in stealing money from the bank accounts of foreign citizens.

“As a result of the joint actions of the FSB and the Ministry of Internal Affairs of Russia, the organized criminal community ceased to exist, the information infrastructure used for criminal purposes was neutralized” Russia’s Federal Security Service

The FSB says that they informed the representatives of the competent U.S. authorities about the results of the operation.

REvil ransomware crumbles

REvil ransomware (aka Sodin and Sodinokibi) emerged in April 2019 from the void left behind by the shut down of the GandCrab operation.

In less than a year, the gang became the most prolific ransomware group, asking for some of the highest ransoms from its victims. It rose to infamy in August 2019 when it hit multiple local administrations in Texas and demanded a collective ransom of $2.5 million - the highest to that date.

Soon, asking for huge amounts of money from large organizations and getting paid became the norm. In a year, the gang claimed profits in excess of $100 million.

REvil's most publicized hit was the Kaseya supply-chain attack that crippled around 1,500 businesses all over the world. The ransom demand to decrypt all organizations was $70 million in Bitcoin.

This attack prompted a stern response from the U.S., with President Biden asking President Putin to take action against cybercriminals residing in Russia; otherwise, the U.S. would take action on its own.

The gang was also the first to have a representative going by the forum name UNKN at first, later switching to Unknown, who promoted the REvil RaaS business in the Russian-speaking criminal hacker community.

This public-facing representative disappeared soon after the Kaseya attack (some assumed Unknown was arrested) and pressure from international law enforcement increased.

After the Kaseya attack, the REvil operation took a break and then resumed operations two months later. What the operators did not know was that law enforcement had breached their servers before the hiatus and when they restored the systems from backups the criminals also restored machines controlled by law enforcement.

FSB's action against REvil comes after the U.S. and international law enforcement organizations joined forces to identify and arrest members of ransomware operations.

As a result, the U.S. announced in November 2021 that it had arrested a REvil ransomware affiliate (Ukrainian national Yaroslav Vasinskyi) responsible for the Kaseya attack and seized over $6 million from another Revil partner (Russian national Yevgeniy Polyanin), believed to have deployed about 3,000 ransomware attacks.

The same month, authorities in Romania arrested two REvil ransomware affiliates responsible for 5,000 attacks that brought them EUR 500,000 from collected ransoms.

Update [January 14, 2022, 13:26 EST]: Added background information about the REvil ransomware gang and arrests of its affiliates

Russian government arrests REvil ransomware gang members

Multiple Ukrainian government websites hacked and defaced

Fri, 14 Jan 2022 19:14:29 +0000

At least 15 websites belonging to various Ukrainian public institutions were compromised, defaced, and subsequently taken offline.

This includes the websites of the ministry of foreign affairs, agriculture, education and science, security and defense, and the online portal for the cabinet of ministers.

The defacement messages were posted in Ukrainian, Russian, and Polish, warning the sites' visitors that all citizen data uploaded to the public network had been compromised.

Messages posted on defaced pages
Twitter | Maryna Fedorenko

At the time of writing this, some of the websites remain inaccessible as the country's IT specialists are still in the process of restoring them.

The Ukrainian cyber-police has also posted an announcement where they underline that no personal data was compromised due to these attacks and that the warning messages to visitors were false and only meant to scare citizens.

"In order to prevent the spread of the attack on other resources and localization of the technical problem, the work of other government sites was temporarily suspended," explains the police announcement (translated).

"Currently, the Cyberpolice Department together with the State Special Communications Service and the Security Service of Ukraine are collecting digital evidence and identifying those involved in the cyber attacks."

Sources have told journalist Kim Zetter that all 15 compromised Ukrainian sites were using an outdated version of the October CMS, vulnerable to CVE-2021-32648.

This is a critical (CVSS: 9.1) authentication flaw allowing an attacker to send a specially crafted request to perform a password reset on the platform, thus taking over admin accounts.

This vulnerability was fixed with build 472 version 1.1.5, released in August 2021, but it appears that several Ukrainian government websites hadn't applied the security updates.

A later advisory from the Ukraine cyber-police confirmed Zetter's reporting of the October CMS vulnerability as the intrusion vector.

Poland impacted too?

Today, after Ukraine had acknowledged their attacks, the Polish Ministry of National Defense also announced that some of their databases containing sensitive military information were compromised.

The Ministry underlines that it's not sure whether the accessed database contained test files or actual data, and investigations are still ongoing.

However, members of the local press speak with certainty about the validity of the leaked files and the link to the Ukrainian cybersecurity incident.

Actors unknown

The cyber-police has opened criminal proceedings under Article 361 (unauthorized interference with computers and computer networks), but the actors remain unknown.

Polish people noticed obvious grammatical errors in the messages posted on the defaced pages and claimed this was the product of Yandex translation. As such, the actor could be Russian.

Even though Ukraine is going through extreme tensions with Russia, website defacement acts aren't the typical attack method of a Russian state-sponsored hacking group like GRU.

However, researchers theorize that the attacks could have been conducted by the GhostWriter APT hacking group, which has a history of targeting government entities in Poland and Ukraine.

In November, Mandiant released a report linking the Ghostwriter group to the Belarusian government.

"UNC1151 has targeted a wide variety of governmental and private sector entities, with a focus in Ukraine, Lithuania, Latvia, Poland, and Germany," explains a report by Mandiant.

The targeting also includes Belarusian dissidents, media entities, and journalists. While there are multiple intelligence services that are interested in these countries, the specific targeting scope is most consistent with Belarusian interests."

Also, yesterday, the Ukrainian cyberpolice announced the arrest of five ransomware affiliates responsible for over 50 attacks against companies worldwide.

The chances of this wave of defacements being a retaliative act are slim, as the messages don't mention anything relevant.

Multiple Ukrainian government websites hacked and defaced

Windows 'RemotePotato0' privilege escalation 0-Day flaw gets unofficial fix after Microsoft refuses

Fri, 14 Jan 2022 03:02:47 +0000

A new 0-Day security vulnerability affecting all prevalent versions of Windows Operating System, has received multiple unofficial patches. The vulnerability, dubbed “RemotePotato0”, can allow potential attackers to elevate their access level, essentially granting them domain admin rights.

The RemotePotato0 was first discovered by SentinelOne researchers Antonio Cocomazzi and Andrea Pierini. The duo disclosed the flaw to Microsoft in April 2021. Microsoft has acknowledged the vulnerability as a 0-Day flaw. However, the bug hasn’t received a CVE ID, reportedly because Microsoft refused to fix the same.

The RemotePotato0 relies on an NTLM relay attack. It allows attackers to trigger authenticated RPC/DCOM calls. By successfully relaying the NTLM authentication to other protocols, attackers can grant themselves elevated privileges on the targeted domain, essentially making them domain administrator.

0patch co-founder Mitja Kolsek has explained the flaw, and even shared unofficial patches to block RemotePotato0 exploitation on impacted servers.

“It allows a logged-in low-privileged attacker to launch one of several special-purpose applications in the session of any other user who is also currently logged in to the same computer, and make that application send said user's NTLM hash to an IP address chosen by the attacker. Intercepting an NTLM hash from a domain administrator, the attacker can craft their own request for the domain controller pretending to be that administrator and perform some administrative action such as adding themselves to the Domain Administrators group.”

NTLM (Windows NT LAN Manager) authentication protocol is old, and Kerberos has already succeeded the same. However, the protocol is still commonly used on Windows servers. Perhaps because the protocol is now obsolete, Microsoft, instead of offering a patch for the RemotePotato0 flaw, has advised to disable NTLM or configure Windows servers to block NTLM relay attacks.

Microsoft’s decision is perhaps risky because RemotePotato0 can be exploited without needing the target's interaction. Hence, until Microsoft changes its mind, it is safe to create a 0patch account and then install the 0patch agent. The platform confirms their patches for RemotePotato0 are available for all Windows versions. This means OS versions from Windows 7 to the latest Windows 10 version, and from Windows Server 2008 to Windows Server 2019, are covered.

Windows 'RemotePotato0' privilege escalation 0-Day flaw gets unofficial fix after Microsoft refuses

New Chrome security measure aims to curtail an entire class of Web attack

Fri, 14 Jan 2022 02:59:14 +0000

Hackers have long used browsers as a beachhead. Google aims for PNA to change that.

For more than a decade, the Internet has remained vulnerable to a class of attacks that uses browsers as a beachhead for accessing routers and other sensitive devices on a targeted network. Now, Google is finally doing something about it.

Starting in Chrome version 98, the browser will begin relaying requests when public websites want to access endpoints inside the private network of the person visiting the site. For the time being, requests that fail won't prevent the connections from happening. Instead, they'll only be logged. Somewhere around Chrome 101—assuming the results of this trial run don't indicate major parts of the Internet will be broken—it will be mandatory for public sites to have explicit permission before they can access endpoints behind the browser.

The planned deprecation of this access comes as Google enables a new specification known as private network access, which permits public websites to access internal network resources only after the sites have explicitly requested it and the browser grants the request. PNA communications are sent using the CORS, or Cross-Origin Resource Sharing, protocol. Under the scheme, the public site sends a preflight request in the form of the new header Access-Control-Request-Private-Network: true. For the request to be granted, the browser must respond with the corresponding header Access-Control-Allow-Private-Network: true.

Network intrusion via the browser

Up to now, websites have by default had the ability to use Chrome and other browsers as a proxy for accessing resources inside the local network of the person visiting the site. While routers, printers, or other network assets are often locked down, browsers—because of the need for them to interact with so many services—are by default permitted to connect to virtually any resource inside the local network perimeter. This has given rise to a class of attack known as a CSRF, short for cross-site request forgery.

Such attacks have been theorized for more than a decade and have also been carried out in the wild, often with significant consequences. In one 2014 incident, hackers used CSRFs to change the DNS server settings for more than 300,000 wireless routers.

The change caused the compromised routers to use malicious DNS servers to resolve the IP addresses end users were trying to visit. Instead of visiting the authentic Google.com site, for instance, the malicious server might return the IP address for a boobytrapped imposter site that the end user has no reason to believe is harmful. The image below, from researchers at Team Cymru, shows the three steps involved in those attacks.

Three phases of an attack that changes a router's DNS settings by exploiting a cross-site request vulnerability in the device's Web interface.

Team Cymru

In 2016, people behind the same attack returned to push malware known as DNSChanger. As I explained at the time, the campaign worked against home and office routers made by Netgear, DLink, Comtrend, and Pirelli this way:

DNSChanger uses a set of real-time communications protocols known as webRTC to send so-called STUN server requests used in VoIP communications. The exploit is ultimately able to funnel code through the Chrome browser for Windows and Android to reach the network router. The attack then compares the accessed router against 166 fingerprints of known vulnerable router firmware images.

Assuming the PNA specification goes fully into effect, Chrome will no longer permit such connections unless devices inside the private network explicitly allow it. Here are two diagrams showing how it works.

Google

The road ahead

Starting in version 98, if Chrome detects a private network request, a "preflight request" will be sent ahead of time. If the preflight request fails, the final request will still be sent, but a warning will be surfaced in the DevTools issues panel.

"Any failed preflight request will result in a failed fetch," Google engineer Titouan Rigoudy and Google developer Eiji Kitamura wrote in a recent blog post. "This can allow you to test whether your website would work after the second phase of our rollout plan. Errors can be diagnosed in the same way as warnings using the DevTools panels mentioned above."

If and when Google is confident there won't be mass disruptions, preflight requests will have to be granted to go through.

New Chrome security measure aims to curtail an entire class of Web attack

Microsoft Defender weakness lets hackers bypass malware detection

Thu, 13 Jan 2022 21:22:19 +0000

Threat actors can take advantage of a weakness that affects Microsoft Defender antivirus on Windows to learn locations excluded from scanning and plant malware there.

The issue has persisted for at least eight years, according to some users, and affects Windows 10 21H1 and Windows 10 21H2.

Lax permissions

Like any antivirus solution, Microsoft Defender lets users add locations (local or on the network) on their systems that should be excluded from malware scans.

People commonly make exclusions to prevent antivirus from affecting the functionality of legitimate applications that are erroneously detected as malware.

Since the list of scanning exceptions differs from one user to another, it is useful information for an attacker on the system, since this gives them the locations where they can store malicious files without fear of being detected.

Security researchers discovered that the list of locations excluded from Microsoft Defender scanning is unprotected and any local user can access it.

Regardless of their permissions, local users can query the registry and learn the paths that Microsoft Defender is not allowed to check for malware or dangerous files.

Antonio Cocomazzi, a SentinelOne threat researcher who is credited for reporting the RemotePotato0 vulnerability, points out that there is no protection for this information, which should be considered sensitive, and that running the “reg query” command reveals everything that Microsoft Defender is instructed not to scan, be it files, folders, extensions, or processes.

Another security expert, Nathan McNulty, confirmed that the issue is present on Windows 10 versions 21H1 and 21H2 but it does not affect Windows 11.

McNulty also confirmed that one can grab the list of exclusions from the registry tree with entries that store Group Policy settings. This information is more sensitive as it provides exclusions for multiple computers.

A security architect versed in protecting the Microsoft stack, McNulty warns that Microsoft Defender on a server has “automatic exclusions that get enabled when specific roles or features are installed” and these do not cover custom locations.

Although a threat actor needs local access to get the Microsoft Defender exclusions list, this is far from being a hurdle. Many attackers are already on compromised corporate networks looking for a way to move laterally as stealthily as possible.

By knowing the list of Microsoft Defender exclusions, a threat actor that already compromised a Windows machine can then store and execute malware from the excluded folders without fear of being spotted.

In tests done by BleepingComputer, a malware strain executed from an excluded folder ran unhindered on the Windows system and triggered no alert from Microsoft Defender.

We used a sample of Conti ransomware and when it executed from a normal location Microsoft Defender kicked in and blocked the malware.

After placing Conti malware in an excluded folder and running it from there, Microsoft Defender did not show any warning and did not take any action, allowing the ransomware to encrypt the machine.

This Microsoft Defender weakness is not new and has been highlighted publicly in the past by Paul Bolton:

source: Paul Bolton

A senior security consultant says that they noticed the issue about eight years ago and recognized the advantage it provided to a malware developer.

"Always told myself that if I was some kind of malware dev I would just lookup the WD exclusions and make sure to drop my payload in an excluded folder and/or name it the same as an excluded filename or extension" - Aura

Given that it's been this long and Microsoft has yet to address the problem, network administrators should consult the documentation for properly configuring Microsoft Defender exclusions on servers and local machines via group policies.

Microsoft Defender weakness lets hackers bypass malware detection

Thunderbird 91.5.0 fixes several security issues

Wed, 12 Jan 2022 20:47:27 +0000

Thunderbird 91.5.0 Stable is a security update that addresses several issues in the open source email client.

The new version of Thunderbird Stable is already available. It is pushed to user systems, provided that automatic updating has not been disabled.

Thunderbird users may run manual checks for updates to install the update early. Select Help > About Thunderbird to display the installed version and have Thunderbird run a check for updates manually. Users who don't see the menubar need to press the Alt-key on the keyboard to display it.

The official release notes list just three entries: two refer to fixed issues in the email client, one links to the security advisories page, which details the fixed security issues in the client.

The two non-security issues that were fixed address a display issue for RSS keyword labels and missing information on Thunderbird's about dialog page.

The security advisories page for Thunderbird 91.5 lists 14 security issues, many of which come from the code that Thunderbird shares with the Firefox web browser.

The highest severity rating of all vulnerabilities is high, second only to the critical rating. Here is the full list of security issues patched in the new Thunderbird version:

CVE-2022-22746: Calling into reportValidity could have lead to fullscreen window spoof
CVE-2022-22743: Browser window spoof using fullscreen mode
CVE-2022-22742: Out-of-bounds memory access when inserting text in edit mode
CVE-2022-22741: Browser window spoof using fullscreen mode
CVE-2022-22740: Use-after-free of ChannelEventQueue::mOwner
CVE-2022-22738: Heap-buffer-overflow in blendGaussianBlur
CVE-2022-22737: Race condition when playing audio files
CVE-2021-4140: Iframe sandbox bypass with XSLT
CVE-2022-22748: Spoofed origin on external protocol launch dialog
CVE-2022-22745: Leaking cross-origin URLs through securitypolicyviolation event
CVE-2022-22744: The 'Copy as curl' feature in DevTools did not fully escape website-controlled data, potentially leading to command injection
CVE-2022-22747: Crash when handling empty pkcs7 sequence
CVE-2022-22739: Missing throttling on external protocol launch dialog
CVE-2022-22751: Memory safety bugs fixed in Thunderbird 91.5

Thunderbird 91.5.0 fixes several security issues

Frontpaged: Mozilla Thunderbird 91.5.0

Microsoft: New critical Windows HTTP vulnerability is wormable

Wed, 12 Jan 2022 06:10:23 +0000

Microsoft has patched a critical flaw tagged as wormable and found to impact the latest desktop and server Windows versions, including Windows 11 and Windows Server 2022.

The bug, tracked as CVE-2022-21907 and patched during this month's Patch Tuesday, was discovered in the HTTP Protocol Stack (HTTP.sys) used as a protocol listener for processing HTTP requests by the Windows Internet Information Services (IIS) web server.

Successful exploitation requires threat actors to send maliciously crafted packets to targeted Windows servers, which use the vulnerable HTTP Protocol Stack for processing packets.

Microsoft recommends users prioritize patching this flaw on all affected servers since it could allow unauthenticated attackers to remotely execute arbitrary code in low complexity attacks and "in most situations," without requiring user interaction.

Mitigation available (for some Windows versions)

Luckily, the flaw is not currently under active exploitation and there are no publicly disclosed proof of concept exploits.

Furthermore, on some Windows versions (i.e., Windows Server 2019 and Windows 10 version 1809), the HTTP Trailer Support feature containing the bug is not enabled by default.

According to Microsoft, the following Windows registry key has to be configured on these two Windows versions to introduce the vulnerability:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\ 

"EnableTrailerSupport"=dword:00000001

Disabling the HTTP Trailer Support feature will protect systems running the two versions, but this mitigation does not apply to other impacted Windows releases.

Potential targets likely safe from attacks

While home users are yet to apply today's security updates, most companies will likely be protected from CVE-2022-21907 exploits, given that they don't commonly run the latest released Windows versions.

In the last two years, Microsoft has patched several other wormable bugs, impacting the Windows DNS Server (also known as SIGRed), the Remote Desktop Services (RDS) platform (aka BlueKeep), and the Server Message Block v3 protocol (aka SMBGhost).

Redmond also addressed another Windows HTTP RCE vulnerability in May 2021 (tracked as CVE-2021-31166 and also tagged as wormable), for which security researchers released demo exploit code that could trigger blue screens of death.

However, threat actors are yet to exploit them to create wormable malware capable of spreading between vulnerable systems running vulnerable Windows software.

Microsoft: New critical Windows HTTP vulnerability is wormable

Microsoft January 2022 Patch Tuesday fixes 6 zero-days, 97 flaws

Tue, 11 Jan 2022 21:00:47 +0000

Today is Microsoft's January 2022 Patch Tuesday, and with it comes fixes for six zero-day vulnerabilities and a total of 97 flaws.

Microsoft has fixed 97 vulnerabilities (not including 29 Microsoft Edge vulnerabilities ) with today's update, with nine classified as Critical and 88 as Important.

The number of each type of vulnerability is listed below:

41 Elevation of Privilege Vulnerabilities
9 Security Feature Bypass Vulnerabilities
29 Remote Code Execution Vulnerabilities
6 Information Disclosure Vulnerabilities
9 Denial of Service Vulnerabilities
3 Spoofing Vulnerabilities

Six zero-days fixed, none actively exploited

This month's Patch Tuesday includes fixes for six publicly disclosed zero-day vulnerabilities. The good news is that none of them have been actively exploited in attacks.

Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available.

The publicly disclosed vulnerabilities fixes as part of the December 2021 Patch Tuesday are:

CVE-2021-22947 - Open Source Curl Remote Code Execution Vulnerability
CVE-2021-36976 - Libarchive Remote Code Execution Vulnerability
CVE-2022-21919 - Windows User Profile Service Elevation of Privilege Vulnerability
CVE-2022-21836 - Windows Certificate Spoofing Vulnerability
CVE-2022-21839 - Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability
CVE-2022-21874 - Windows Security Center API Remote Code Execution Vulnerability

Both the Curl and Libarchive vulnerabilities had already been fixed by their maintainers but the fixes were not added to Windows until today.

However, as many of these have public proof-of-concept exploits available, they will likely be exploited by threat actors soon.

Recent updates from other companies

Other vendors who released updates in January 2022 include:

Adobe's January updates are released today.
Android's December security updates were released last week.
Cisco released security updates for numerous products this month, including Cisco Prime Infrastructure and Cisco Common Services Platform Collector.
SAP released its January 2022 security updates.
VMWare released fixes for a code execution vulnerability in VMWare Workstation, Fusion, and ESXi.

The January 2022 Patch Tuesday Security Updates

Below is the complete list of resolved vulnerabilities and released advisories in the January 2022 Patch Tuesday updates. To access the full description of each vulnerability and the systems that it affects, you can view the full report here.

Tag	CVE ID	CVE Title	Severity
.NET Framework	CVE-2022-21911	.NET Framework Denial of Service Vulnerability	Important
Microsoft Dynamics	CVE-2022-21932	Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability	Important
Microsoft Dynamics	CVE-2022-21891	Microsoft Dynamics 365 (on-premises) Spoofing Vulnerability	Important
Microsoft Edge (Chromium-based)	CVE-2022-0105	Chromium: CVE-2022-0105 Use after free in PDF	Unknown
Microsoft Edge (Chromium-based)	CVE-2022-0102	Chromium: CVE-2022-0102 Type Confusion in V8	Unknown
Microsoft Edge (Chromium-based)	CVE-2022-0104	Chromium: CVE-2022-0104 Heap buffer overflow in ANGLE	Unknown
Microsoft Edge (Chromium-based)	CVE-2022-0101	Chromium: CVE-2022-0101 Heap buffer overflow in Bookmarks	Unknown
Microsoft Edge (Chromium-based)	CVE-2022-0103	Chromium: CVE-2022-0103 Use after free in SwiftShader	Unknown
Microsoft Edge (Chromium-based)	CVE-2022-0109	Chromium: CVE-2022-0109 Inappropriate implementation in Autofill	Unknown
Microsoft Edge (Chromium-based)	CVE-2022-0110	Chromium: CVE-2022-0110 Incorrect security UI in Autofill	Unknown
Microsoft Edge (Chromium-based)	CVE-2022-0108	Chromium: CVE-2022-0108 Inappropriate implementation in Navigation	Unknown
Microsoft Edge (Chromium-based)	CVE-2022-0106	Chromium: CVE-2022-0106 Use after free in Autofill	Unknown
Microsoft Edge (Chromium-based)	CVE-2022-0107	Chromium: CVE-2022-0107 Use after free in File Manager API	Unknown
Microsoft Edge (Chromium-based)	CVE-2022-21954	Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability	Important
Microsoft Edge (Chromium-based)	CVE-2022-21970	Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability	Important
Microsoft Edge (Chromium-based)	CVE-2022-21931	Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability	Important
Microsoft Edge (Chromium-based)	CVE-2022-21929	Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability	Moderate
Microsoft Edge (Chromium-based)	CVE-2022-21930	Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability	Important
Microsoft Edge (Chromium-based)	CVE-2022-0099	Chromium: CVE-2022-0099 Use after free in Sign-in	Unknown
Microsoft Edge (Chromium-based)	CVE-2022-0100	Chromium: CVE-2022-0100 Heap buffer overflow in Media streams API	Unknown
Microsoft Edge (Chromium-based)	CVE-2022-0098	Chromium: CVE-2022-0098 Use after free in Screen Capture	Unknown
Microsoft Edge (Chromium-based)	CVE-2022-0096	Chromium: CVE-2022-0096 Use after free in Storage	Unknown
Microsoft Edge (Chromium-based)	CVE-2022-0097	Chromium: CVE-2022-0097 Inappropriate implementation in DevTools	Unknown
Microsoft Edge (Chromium-based)	CVE-2022-0116	Chromium: CVE-2022-0116 Inappropriate implementation in Compositing	Unknown
Microsoft Edge (Chromium-based)	CVE-2022-0117	Chromium: CVE-2022-0117 Policy bypass in Service Workers	Unknown
Microsoft Edge (Chromium-based)	CVE-2022-0115	Chromium: CVE-2022-0115 Uninitialized Use in File API	Unknown
Microsoft Edge (Chromium-based)	CVE-2022-0113	Chromium: CVE-2022-0113 Inappropriate implementation in Blink	Unknown
Microsoft Edge (Chromium-based)	CVE-2022-0114	Chromium: CVE-2022-0114 Out of bounds memory access in Web Serial	Unknown
Microsoft Edge (Chromium-based)	CVE-2022-0118	Chromium: CVE-2022-0118 Inappropriate implementation in WebShare	Unknown
Microsoft Edge (Chromium-based)	CVE-2022-0111	Chromium: CVE-2022-0111 Inappropriate implementation in Navigation	Unknown
Microsoft Edge (Chromium-based)	CVE-2022-0112	Chromium: CVE-2022-0112 Incorrect security UI in Browser UI	Unknown
Microsoft Edge (Chromium-based)	CVE-2022-0120	Chromium: CVE-2022-0120 Inappropriate implementation in Passwords	Unknown
Microsoft Exchange Server	CVE-2022-21969	Microsoft Exchange Server Remote Code Execution Vulnerability	Important
Microsoft Exchange Server	CVE-2022-21846	Microsoft Exchange Server Remote Code Execution Vulnerability	Critical
Microsoft Exchange Server	CVE-2022-21855	Microsoft Exchange Server Remote Code Execution Vulnerability	Important
Microsoft Graphics Component	CVE-2022-21904	Windows GDI Information Disclosure Vulnerability	Important
Microsoft Graphics Component	CVE-2022-21903	Windows GDI Elevation of Privilege Vulnerability	Important
Microsoft Graphics Component	CVE-2022-21915	Windows GDI+ Information Disclosure Vulnerability	Important
Microsoft Graphics Component	CVE-2022-21880	Windows GDI+ Information Disclosure Vulnerability	Important
Microsoft Office	CVE-2022-21840	Microsoft Office Remote Code Execution Vulnerability	Critical
Microsoft Office Excel	CVE-2022-21841	Microsoft Excel Remote Code Execution Vulnerability	Important
Microsoft Office SharePoint	CVE-2022-21837	Microsoft SharePoint Server Remote Code Execution Vulnerability	Important
Microsoft Office Word	CVE-2022-21842	Microsoft Word Remote Code Execution Vulnerability	Important
Microsoft Windows Codecs Library	CVE-2022-21917	HEVC Video Extensions Remote Code Execution Vulnerability	Critical
Open Source Software	CVE-2021-22947	Open Source Curl Remote Code Execution Vulnerability	Critical
Role: Windows Hyper-V	CVE-2022-21901	Windows Hyper-V Elevation of Privilege Vulnerability	Important
Role: Windows Hyper-V	CVE-2022-21900	Windows Hyper-V Security Feature Bypass Vulnerability	Important
Role: Windows Hyper-V	CVE-2022-21905	Windows Hyper-V Security Feature Bypass Vulnerability	Important
Role: Windows Hyper-V	CVE-2022-21847	Windows Hyper-V Denial of Service Vulnerability	Important
Tablet Windows User Interface	CVE-2022-21870	Tablet Windows User Interface Application Core Elevation of Privilege Vulnerability	Important
Windows Account Control	CVE-2022-21859	Windows Accounts Control Elevation of Privilege Vulnerability	Important
Windows Active Directory	CVE-2022-21857	Active Directory Domain Services Elevation of Privilege Vulnerability	Critical
Windows AppContracts API Server	CVE-2022-21860	Windows AppContracts API Server Elevation of Privilege Vulnerability	Important
Windows Application Model	CVE-2022-21862	Windows Application Model Core API Elevation of Privilege Vulnerability	Important
Windows BackupKey Remote Protocol	CVE-2022-21925	Windows BackupKey Remote Protocol Security Feature Bypass Vulnerability	Important
Windows Bind Filter Driver	CVE-2022-21858	Windows Bind Filter Driver Elevation of Privilege Vulnerability	Important
Windows Certificates	CVE-2022-21836	Windows Certificate Spoofing Vulnerability	Important
Windows Cleanup Manager	CVE-2022-21838	Windows Cleanup Manager Elevation of Privilege Vulnerability	Important
Windows Clipboard User Service	CVE-2022-21869	Clipboard User Service Elevation of Privilege Vulnerability	Important
Windows Cluster Port Driver	CVE-2022-21910	Microsoft Cluster Port Driver Elevation of Privilege Vulnerability	Important
Windows Common Log File System Driver	CVE-2022-21897	Windows Common Log File System Driver Elevation of Privilege Vulnerability	Important
Windows Common Log File System Driver	CVE-2022-21916	Windows Common Log File System Driver Elevation of Privilege Vulnerability	Important
Windows Connected Devices Platform Service	CVE-2022-21865	Connected Devices Platform Service Elevation of Privilege Vulnerability	Important
Windows Cryptographic Services	CVE-2022-21835	Microsoft Cryptographic Services Elevation of Privilege Vulnerability	Important
Windows Defender	CVE-2022-21921	Windows Defender Credential Guard Security Feature Bypass Vulnerability	Important
Windows Defender	CVE-2022-21906	Windows Defender Application Control Security Feature Bypass Vulnerability	Important
Windows Devices Human Interface	CVE-2022-21868	Windows Devices Human Interface Elevation of Privilege Vulnerability	Important
Windows Diagnostic Hub	CVE-2022-21871	Microsoft Diagnostics Hub Standard Collector Runtime Elevation of Privilege Vulnerability	Important
Windows DirectX	CVE-2022-21898	DirectX Graphics Kernel Remote Code Execution Vulnerability	Critical
Windows DirectX	CVE-2022-21918	DirectX Graphics Kernel File Denial of Service Vulnerability	Important
Windows DirectX	CVE-2022-21912	DirectX Graphics Kernel Remote Code Execution Vulnerability	Critical
Windows DWM Core Library	CVE-2022-21852	Windows DWM Core Library Elevation of Privilege Vulnerability	Important
Windows DWM Core Library	CVE-2022-21902	Windows DWM Core Library Elevation of Privilege Vulnerability	Important
Windows DWM Core Library	CVE-2022-21896	Windows DWM Core Library Elevation of Privilege Vulnerability	Important
Windows Event Tracing	CVE-2022-21872	Windows Event Tracing Elevation of Privilege Vulnerability	Important
Windows Event Tracing	CVE-2022-21839	Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability	Important
Windows Geolocation Service	CVE-2022-21878	Windows Geolocation Service Remote Code Execution Vulnerability	Important
Windows HTTP Protocol Stack	CVE-2022-21907	HTTP Protocol Stack Remote Code Execution Vulnerability	Critical
Windows IKE Extension	CVE-2022-21843	Windows IKE Extension Denial of Service Vulnerability	Important
Windows IKE Extension	CVE-2022-21890	Windows IKE Extension Denial of Service Vulnerability	Important
Windows IKE Extension	CVE-2022-21883	Windows IKE Extension Denial of Service Vulnerability	Important
Windows IKE Extension	CVE-2022-21889	Windows IKE Extension Denial of Service Vulnerability	Important
Windows IKE Extension	CVE-2022-21848	Windows IKE Extension Denial of Service Vulnerability	Important
Windows IKE Extension	CVE-2022-21849	Windows IKE Extension Remote Code Execution Vulnerability	Important
Windows Installer	CVE-2022-21908	Windows Installer Elevation of Privilege Vulnerability	Important
Windows Kerberos	CVE-2022-21920	Windows Kerberos Elevation of Privilege Vulnerability	Important
Windows Kernel	CVE-2022-21881	Windows Kernel Elevation of Privilege Vulnerability	Important
Windows Kernel	CVE-2022-21879	Windows Kernel Elevation of Privilege Vulnerability	Important
Windows Libarchive	CVE-2021-36976	Libarchive Remote Code Execution Vulnerability	Important
Windows Local Security Authority	CVE-2022-21913	Local Security Authority (Domain Policy) Remote Protocol Security Feature Bypass	Important
Windows Local Security Authority Subsystem Service	CVE-2022-21884	Local Security Authority Subsystem Service Elevation of Privilege Vulnerability	Important
Windows Modern Execution Server	CVE-2022-21888	Windows Modern Execution Server Remote Code Execution Vulnerability	Important
Windows Push Notifications	CVE-2022-21867	Windows Push Notifications Apps Elevation Of Privilege Vulnerability	Important
Windows RDP	CVE-2022-21851	Remote Desktop Client Remote Code Execution Vulnerability	Important
Windows RDP	CVE-2022-21850	Remote Desktop Client Remote Code Execution Vulnerability	Important
Windows RDP	CVE-2022-21893	Remote Desktop Protocol Remote Code Execution Vulnerability	Important
Windows Remote Access Connection Manager	CVE-2022-21914	Windows Remote Access Connection Manager Elevation of Privilege Vulnerability	Important
Windows Remote Access Connection Manager	CVE-2022-21885	Windows Remote Access Connection Manager Elevation of Privilege Vulnerability	Important
Windows Remote Desktop	CVE-2022-21964	Remote Desktop Licensing Diagnoser Information Disclosure Vulnerability	Important
Windows Remote Procedure Call Runtime	CVE-2022-21922	Remote Procedure Call Runtime Remote Code Execution Vulnerability	Important
Windows Resilient File System (ReFS)	CVE-2022-21961	Windows Resilient File System (ReFS) Remote Code Execution Vulnerability	Important
Windows Resilient File System (ReFS)	CVE-2022-21959	Windows Resilient File System (ReFS) Remote Code Execution Vulnerability	Important
Windows Resilient File System (ReFS)	CVE-2022-21958	Windows Resilient File System (ReFS) Remote Code Execution Vulnerability	Important
Windows Resilient File System (ReFS)	CVE-2022-21960	Windows Resilient File System (ReFS) Remote Code Execution Vulnerability	Important
Windows Resilient File System (ReFS)	CVE-2022-21963	Windows Resilient File System (ReFS) Remote Code Execution Vulnerability	Important
Windows Resilient File System (ReFS)	CVE-2022-21892	Windows Resilient File System (ReFS) Remote Code Execution Vulnerability	Important
Windows Resilient File System (ReFS)	CVE-2022-21962	Windows Resilient File System (ReFS) Remote Code Execution Vulnerability	Important
Windows Resilient File System (ReFS)	CVE-2022-21928	Windows Resilient File System (ReFS) Remote Code Execution Vulnerability	Important
Windows Secure Boot	CVE-2022-21894	Secure Boot Security Feature Bypass Vulnerability	Important
Windows Security Center	CVE-2022-21874	Windows Security Center API Remote Code Execution Vulnerability	Important
Windows StateRepository API	CVE-2022-21863	Windows StateRepository API Server file Elevation of Privilege Vulnerability	Important
Windows Storage	CVE-2022-21875	Windows Storage Elevation of Privilege Vulnerability	Important
Windows Storage Spaces Controller	CVE-2022-21877	Storage Spaces Controller Information Disclosure Vulnerability	Important
Windows System Launcher	CVE-2022-21866	Windows System Launcher Elevation of Privilege Vulnerability	Important
Windows Task Flow Data Engine	CVE-2022-21861	Task Flow Data Engine Elevation of Privilege Vulnerability	Important
Windows Tile Data Repository	CVE-2022-21873	Tile Data Repository Elevation of Privilege Vulnerability	Important
Windows UEFI	CVE-2022-21899	Windows Extensible Firmware Interface Security Feature Bypass Vulnerability	Important
Windows UI Immersive Server	CVE-2022-21864	Windows UI Immersive Server API Elevation of Privilege Vulnerability	Important
Windows User Profile Service	CVE-2022-21895	Windows User Profile Service Elevation of Privilege Vulnerability	Important
Windows User Profile Service	CVE-2022-21919	Windows User Profile Service Elevation of Privilege Vulnerability	Important
Windows User-mode Driver Framework	CVE-2022-21834	Windows User-mode Driver Framework Reflector Driver Elevation of Privilege Vulnerability	Important
Windows Virtual Machine IDE Drive	CVE-2022-21833	Virtual Machine IDE Drive Elevation of Privilege Vulnerability	Critical
Windows Win32K	CVE-2022-21882	Win32k Elevation of Privilege Vulnerability	Important
Windows Win32K	CVE-2022-21876	Win32k Information Disclosure Vulnerability	Important
Windows Win32K	CVE-2022-21887	Win32k Elevation of Privilege Vulnerability	Important
Windows Workstation Service Remote Protocol	CVE-2022-21924	Workstation Service Remote Protocol Security Feature Bypass Vulnerability	Important

Microsoft January 2022 Patch Tuesday fixes 6 zero-days, 97 flaws

KCodes NetUSB bug exposes millions of routers to RCE attacks

Tue, 11 Jan 2022 20:44:34 +0000

A high-severity remote code execution flaw tracked as CVE-2021-45388 has been discovered in the KCodes NetUSB kernel module, used by millions of router devices from various vendors.

Successfully exploiting this flaw would allow a remote threat actor to execute code in the kernel, and although some restrictions apply, the impact is broad and could be severe.

The vulnerability discovery comes from researchers at SentinelLabs who shared their technical report with Bleeping Computer before publication.

What is NetUSB and how it's targeted

Some router manufacturers include USB ports on devices, allowing users to share printers and USB drives on the network.

NetUSB is a kernel module connectivity solution developed by KCodes, allowing remote devices in a network to interact with the USB devices directly plugged into a router.

NetUSB operational diagram
Source: KCodes

SentinelOne discovered a vulnerable code segment in the kernel module that doesn't validate the size value of a kernel memory allocation call, resulting in an integer overflow.

The 'SoftwareBus_fillBuf' function may then use this new region for a malicious out-of-bounds write with data from a network socket under the attacker's control.

Some limitations may make it difficult to exploit the vulnerability, as described below.

The allocated object will always be in the kmalloc-32 slab of the kernel heap. As such, the structure must be less than 32 bytes in size to fit.
The size supplied is only used as a maximum receive size and not a strict amount.
The structure must be sprayable from a remote perspective.
The structure must have something that can be overwritten that makes it useful as a target (e.g. a Type-Length-Value structure or a pointer).

However, the vulnerable NetUSB module has a sixteen-second timeout to receive a request, allowing more flexibility when exploiting a device.

"While these restrictions make it difficult to write an exploit for this vulnerability, we believe that it isn’t impossible and so those with Wi-Fi routers may need to look for firmware updates for their router," SentinelOne warned in their report.

Affected vendors and patching

The router vendors that use vulnerable NetUSB modules are Netgear, TP-Link, Tenda, EDiMAX, Dlink, and Western Digital.

It is unclear which models are affected by CVE-2021-45388, but it's generally advisable to use actively supported products that receive regular security firmware updates.

Because the vulnerability affects so many vendors, Sentinel One alerted KCodes first, on September 9, 2021, and provided a PoC (proof of concept) script on October 4, 2021, to verify the patch released that day.

Vendors were contacted in November, and a firmware update was scheduled for December 20, 2021.

Netgear released a security update to patch CVE-2021-45388 on affected and supported products on December 14, 2021.

According to the security advisory published on December 20, 2021, the affected Netgear products are the following:

D7800 fixed in firmware version 1.0.1.68
R6400v2 fixed in firmware version 1.0.4.122
R6700v3 fixed in firmware version 1.0.4.122

The solution implemented by Netgear was to add a new size check to the 'supplied size' function, preventing the out-of-bounds write.

Fix applied by Netgear
Source: SentinelLabs

Bleeping Computer has contacted all affected vendors to request a comment on the timeline of releasing a firmware update, but we haven't received a response yet.

KCodes NetUSB bug exposes millions of routers to RCE attacks

Extortion DDoS attacks grow stronger and more common

Tue, 11 Jan 2022 04:01:29 +0000

The end of 2021 saw a rise in the number of distributed denial-of-service incidents that came with a ransom demand from the attackers to stop the assault.

In the fourth quarter of last year, about a quarter of Cloudflare's customers that were the target of a DDoS attack said that they received a ransom note from the perpetrator.

A large portion of these attacks occurred in December 2021, when almost a third of Cloudflare customers reported receiving a ransom letter.

By comparison with the previous month, the number of reported DDoS ransom attacks was double, Cloudflare says in a blog post today.

According to the company, 2021 is when most of these attacks happened, with a 29% recorded year-over-year increase and a 175% quarter-over-quarter jump.

Extortion or ransom DDoS (RDDoS) attacks started to become a new threat in August 2020 and grew bigger and more complex since then.

They started around 200Gbps and then flexed to more than 500Gbps in mid-September. In February 2021, internet security services company Akamai saw its share of a challenge dealing with an 800Gbps RDDoS that targeted a gambling company in Europe.

Last September, a threat actor deployed an RDDoS against VoIP.ms voice-over-Internet provider, disrupting phone services as the company’s DNS servers became unreachable.

Terabit-large attacks

Cloudflare says that application-layer DDoS attacks, HTTP DDoS ones in particular, targeted manufacturing companies and saw a spike of 641% compared to the third quarter of 2021.

Looking at the IP addresses, most of these DDoS incidents originate from China, the U.S., Brazil, and India, deployed by botnets such as Meris, which emerged this year with a record-breaking assault of 21.8 million requests against Russian internet giant Yandex.

Unlike an application-layer DDoS, which denies users access to a service, a network-layer DDoS attack targets the entire network infrastructure of a company trying to take down routers and servers.

One of the largest DDoS attacks that Cloudflare mitigated lasted for 60 seconds and came from a botnet with 15,000 systems that hurled close to 2Tbps of junk packets at a customer.

While this is not the largest DDoS attack recorded to date, “terabit-strong attacks are becoming the norm,” Cloudflare says. This one was deployed from a network of IoT devices running compromised by a variant of the Mirai botnet.

Cloudflare notes that SYN floods remain a popular attack method. The SNMP protocol has seen a dramatic spike of almost 6,000% from one quarter to another, although UDP-based DDoS attacks were the second most used vector.

“When we look at emerging attack vectors — which helps us understand what new vectors attackers are deploying to launch attacks — we observe a massive spike in SNMP, MSSQL, and generic UDP-based DDoS attacks” - Cloudflare

Companies dealing with short-lived DDoS attacks, which are more frequent, should turn to an automated mitigation solution because it acts on the spot and stops the assault on the spot.

Extortion DDoS attacks grow stronger and more common

Avira is adding a crypto miner to its products as well

Mon, 10 Jan 2022 20:35:08 +0000

Et Tu, Avira? Ashwin reported last week that Norton was adding a new component, called Norton Crypto, to its security products. Norton Crypto is a crypto currency miner that will run when the system is detected as idle. It appears that Avira is doing the same.

source: Avira

Avira Crypto is a crypto mining component that is integrated into (some?) Avira products.

Originally announced in October 2021, Avira Crypto was launched to help consumers "mine cryptocurrency more safely and easily, directly through the Avira platform".

Avira goes on to explain the ease of use of the integrated Crypto component in a blog post on the official Avira blog in October 2021.

With Avira Crypto, coinminers can now turn idle time on their PCs into an opportunity to earn digital currency. It is designed to be simple to use, secure and reliable, enabling customers to mine for cryptocurrency with just a few clicks and avoid the general barriers that might otherwise prevent their entry into the cryptocurrency ecosystem.

The company created a FAQ on its support site that provides a few additional details on the integration. According to the FAQ, Avira Crypto is mining Ethereum on systems and comes with a personal wallet.

Avira does not reveal how much, if any, of the mined currency it is taking for itself. Norton revealed last week that it is taking 15% of the earned currency from Norton Crypto users.

Participation in Avira Crypto and Norton Crypto is voluntary. Security expert Brian Krebs notes that the voluntary nature "ultimately hinges on how these crypto programs are pitched and whether users really understand what they’re doing when they enable them".

Whether mining is profitable depends on a number of factors, including the cost of electricity but also wear and tear of the hardware.

Both companies have been critized for the integration of crypto mining components. Previously, security products blocked malicious attempts to run crypto miners on customer PCs. The integration may add a bit of revenue for the companies, but it may also impact the reputation of both companies.

Closing Words

I installed the latest version of Avira Free on a system and it did not include Avira Crypto. Maybe it is being rolled out currently or it is limited to customers from specific regions at the time of writing.

Avira is adding a crypto miner to its products as well

Linux Mint 20.3 released promising security updates until 2025

Mon, 10 Jan 2022 20:32:12 +0000

Linux Mint has released version 20.3, codenamed 'Una,' as a long-term support version that will receive security updates until 2025.

Long-term support releases are for those who favor stability over bleeding-edge software and experimental features, so Linux Mint 20.3 is ideal for those who want to keep the same system without significant changes for years.

Mint is one of the most popular and widely used Linux distributions available today, using a Ubuntu base along with a desktop environment called 'Cinnamon' that will be more familiar to Windows users.

The reason why Mint is so popular mainly has to do with the complete out-of-the-box experience it offers, coming with proprietary format codecs, closed-source GPU drivers, and a variety of helpful multimedia apps pre-installed.

These features allow users to start using the Linux distribution without installing too many other packages.

Linux Mint 20.3 running Cinnamon 5.2
Source: Linux Mint

New in this release

The highlights in Linux Mint 20.3 are the following:

Dark mode is now omnipresent in apps and DE elements, giving a more coherent user experience.
The Hypnotix IPTV player has received UI revamp and a new search function.
A new Document Manager called ‘Thingy’ has been introduced, featuring reading progress history.
The Sticky Notes app now has a search function.
All themes have been tweaked for a modernized look and feel, and were optimized for dark mode.
The printing and scanning system was upgraded to support recent models from HP.
The Xreader PDF reader now has a manga reading mode.
Cinnamon 5.2 has integrated the calendar and added event management function with wider syncing integration potential (Evolution, Google Calendar, Mozilla Thunderbird).

New document manager Thingy
Source: Linux Mint

If the Cinnamon desktop environment isn’t your cup of tea, Linux Mint 20.3 is also available in two more flavors, MATE and XFCE.

MATE is a fork of GNOME 2, a desktop environment that was discontinued ten years ago, so it’s suitable for those who prefer a more old-school look but with GTK 3 support.

The XFCE is a lightweight and speedy desktop environment which thrives by balancing modern looks with simplicity in form and function.

If you’re already using Linux Mint and you’re looking for instructions on how to upgrade to the latest version, you follow the steps in Mint's official guide.

Apart from some theme-related quirks and breakages that are easy to fix, most users who upgraded over the weekend report that it went well.

To download the latest ISO and perform a clean install, which is the recommended way to upgrade, use one of the mirrors provided in the new release announcement.

Linux Mint 20.3 released promising security updates until 2025

WordPress 5.8.3 security update fixes SQL injection, XSS flaws

Mon, 10 Jan 2022 20:29:31 +0000

The WordPress development team released version 5.8.3, a short-cycle security release that addresses four vulnerabilities, three of which are rated of high importance.

The set includes an SQL injection on WP_Query, a blind SQL injection via the WP_Meta_Query, an XSS attack via the post slugs, and an admin object injection.

All of the issues have prerequisites for their exploitation, and most WordPress sites that use the default automatic core updates setting aren't in danger.

However, sites using WordPress 5.8.2 or older, with read-only filesystems that have disabled automatic core updates in wp-config.php, could be vulnerable to attacks based on the identified flaws.

The four flaws addressed with the latest security update are the following:

CVE-2022-21661: High severity (CVSS score 8.0) SQL injection via WP_Query. This flaw is exploitable via plugins and themes that use WP-Query. Fixes cover WordPress versions down to 3.7.37.
CVE-2022-21662: High severity (CVSS score 8.0) XSS vulnerability allowing authors (lower privilege users) to add a malicious backdoor or take over a site by abusing post slugs. Fixes cover WordPress versions down to 3.7.37.
CVE-2022-21664: High severity (CVSS score 7.4) SQL injection via the WP_Meta_Query core class. Fixes cover WordPress versions down to 4.1.34.
CVE-2022-21663: Medium severity (CVSS score 6.6) object injection issue that can only be exploited if a threat actor has compromised the admin account. Fixes cover WordPress versions down to 3.7.37.

There have been no reports of the above being under active exploitation in the wild, and none of these flaws is thought to have a severe potential impact on most WordPress sites.

Nonetheless, it is recommended that all WordPress site owners upgrade to version 5.8.3, review their firewall configuration, and ensure that WP core updates are activated.

This setting can be seen on the 'define' parameter in wp-config.php, which should be "define('WP_AUTO_UPDATE_CORE', true );"

Automated core updates were introduced in 2013 on WordPress 3.7, and according to official stats, only 0.7% of all WP sites are currently running a version older than that.

WordPress 5.8.3 security update fixes SQL injection, XSS flaws

5 months on, Apple has yet to fix iOS bug that sends devices into a crash spiral

Thu, 06 Jan 2022 20:41:58 +0000

Denial-of-service vulnerability can be triggered by sending a malicious HomeKit invite.

Apple has been taking its time fixing an iOS bug that makes it easy for miscreants to completely disable an iOS device unless the victim performs a factory restore and follows other cumbersome steps, a researcher said.

HomeKit is an Apple-designed communication protocol that allows people to use their iPhones or iPads to control lights, TVs, alarms, and other home or office appliances. Users can configure their devices to automatically discover appliances on the same network, and they can also share those settings with other people so they can use their own iPhones or iPads to control the appliances. The sharing feature makes it easy to allow new people—say, a housesitter or babysitter—to control a user’s appliances.

Trevor Spiniolas, a self-described programmer and “beginning security researcher,” said recently that a bug in the feature allows someone to send an iOS device into an unending crash spiral. It can be triggered by using an extremely long name—up to 500,000 characters in length—to identify one of the smart devices and then getting a user to accept an invitation to that network.

As the demonstration videos below show, the device slowly becomes unresponsive until it eventually seizes up completely. Rebooting the device doesn’t help. By the time the login screen appears, it’s impossible to enter a passphrase. The only thing left to do is to perform a factory restore. And even then, once the device is restored, it will once again become unresponsive as soon as it logs back into the user’s iCloud account during setup.

HomeKit Denial of Service Vulnerability (Setup after Restore)

HomeKit Denial of Service Vulnerability (Via Home Invitation)

Spiniolas said that he notified Apple of the bug in August and received a response saying that it would be fixed by the end of the year. Later, the researcher said, Apple said the fix would come in early 2022. That’s when he told the company he planned to disclose the bug publicly.

“I believe this bug is being handled inappropriately as it poses a serious risk to users and many months have passed without a comprehensive fix,” he wrote. “The public should be aware of this vulnerability and how to prevent it from being exploited, rather than being kept in the dark.”

The researcher said Apple recently updated iOS in an attempt to mitigate the problem. The patch limits the number of characters in device names. But that does nothing to prevent an attacker from running an earlier version that allows excessively long device names and then getting someone to accept an invitation. Even if the receiver is running the latest iOS version, the device will be completely locked up.

This denial-of-service bug is relatively tame when compared to the zero-click vulnerabilities that frequently allow attackers to execute malicious code on iPhones. But if Apple wants to encourage users to trust their iOS devices, it really ought to fix this bug. Apple representatives didn’t respond to an email seeking comment for this article.

5 months on, Apple has yet to fix iOS bug that sends devices into a crash spiral