The brazen approach targeting disgruntled employees was first spotted by threat intelligence firm Abnormal Security, which described what happened after they adopted a fake persona and responded to the proposal in the screenshot above.

“According to this actor, he had originally intended to send his targets—all senior-level executives—phishing emails to compromise their accounts, but after that was unsuccessful, he pivoted to this ransomware pretext,” Abnormal’s Crane Hassold wrote.

Abnormal Security documented how it tied the email back to a Nigerian man who acknowledged he was trying to save up money to help fund a new social network he is building called Sociogram. In June 2021, the Nigerian government officially placed an indefinite ban on Twitter, restricting it from operating in Nigeria after the social media platform deleted tweets by the Nigerian president.

Reached via LinkedIn, Sociogram founder Oluwaseun Medayedupin asked to have his startup’s name removed from the story, although he did not respond to questions about whether there were any inaccuracies in Hassold’s report.

“Please don’t harm Sociogram’s reputation,” Medayedupin pleaded. “I beg you as a promising young man.”

After he deleted his LinkedIn profile, I received the following message through the “contact this domain holder” link at KrebsOnSecurity’s domain registrar [curiously, the date of that missive reads “Dec. 31, 1969.”]. Apparently, Mr. Krebson is a clout-chasing monger.

A love letter from the founder of the ill-fated Sociogram.

Mr. Krebson also heard from an investigator representing the Nigeria Finance CERT on behalf of the Central Bank Of Nigeria. While the Sociogram founder’s approach might seem amateurish to some, the financial community in Nigeria did not consider it a laughing matter.

On Friday, Nigerian police arrested Medayedupin. The investigator says formal charges will be levied against the defendant sometime this week.

The petition for arrest.

Medayedupin being booked.

Seized laptop.

KrebsOnSecurity spoke with a fraud investigator who is performing the forensic analysis of the devices seized from Medayedupin’s home. The investigator spoke on condition of anonymity out of concern for his physical safety.

The investigator — we’ll call him “George” — said the 23-year-old Medayedupin lives with his extended family in an extremely impoverished home, and that the young man told investigators he’d just graduated from college but turned to cybercrime at first with ambitions of merely scamming the scammers.

George’s team confirmed that Medayedupin had around USD $2,000 to his name, which he’d recently stolen from a group of Nigerian fraudsters who were scamming people for gift cards. Apparently, he admitted to creating a phishing website that tricked a member of this group into providing access to the money they’d made from their scams.

Medayedupin reportedly told investigators that for almost a week after he started emailing his ransom-your-employer scheme, nobody took him up on the offer. But after his name appeared in the news media, he received thousands of inquiries from people interested in his idea.

George described Medayedupin as smart, a quick learner, and fairly dedicated to his work.

“He seems like he could be a fantastic [employee] for a company,” George said. “But there is no employment here, so he chose to do this.”

What’s interesting about this case — and indeed likely why anyone thought this guy worthy of arrest — is that the Nigerian authorities were fairly swift to take action when a domestic cybercriminal raised the specter of causing financial losses for its own banks.

After all, the majority of the cybercrime that originates from Africa — think romance scams, Business Email Compromise (BEC) fraud, and unemployment/pandemic loan fraud — does not target Nigerian citizens, nor does it harm African banks. On the contrary: This activity pumps a great deal of Western money into Nigeria.

How much money are we talking about? The financial losses from these scams dwarf other fraud categories — such as identity theft or credit card fraud. According to the FBI’s Internet Crime Complaint Center (IC3), consumers and businesses reported more than $4.2 billion in losses tied to cybercrime in 2020, and BEC fraud and romance scams alone accounted for nearly 60 percent of those losses.

Source: FBI/IC3 2020 Internet Crime Report.

If the influx of a few billion US dollars into the Nigerian economy each year from cybercrime seems somehow insignificant, consider that (according to George) the average police officer in the country makes the equivalent of less than USD $100 a month.

Ronnie Tokazowski is a threat researcher at Agari, a security firm that has closely tracked many of the groups behind BEC scams. Tokazowski maintains he has been one of the more vocal proponents of the idea that trying to fight these problems by arresting those involved is something of a Sisyphean task, and that it makes way more sense to focus on changing the economic realities in places like Nigeria.

Nigeria has the world’s second-highest unemployment rate — rising from 27.1 percent in 2019 to 33 percent in 2020, according to the National Bureau of Statistics. The nation also is among the world’s most corrupt, according to 2020 findings from Transparency International.

“Education is definitely one piece, as raising awareness is hands down the best way to get ahead of this,” Tokazowski said, in a June 2021 interview. “But we also need to think about ways to create more business opportunities there so that people who are doing this to put food on the table have more legitimate opportunities. Unfortunately, thanks to the level of corruption of government officials, there are a lot of cultural reasons that fighting this type of crime at the source is going to be difficult.”

Source

We confirmed the exploit on a Windows 10 version 21H2 test system. Executed locally on a standard user account, we managed to gain elevated privileges using the exploit. Bleeping Computer did test the exploit as well and found it to be working.

Microsoft did patch CVE-2021-41379 in the November 2021 patches, a Windows Installer Elevation of Privilege Vulnerability, which was discovered by Naceri as well.

Naceri found a variant of the patched exploit "during analysis of CVE-2021-41379", noting that the initial issue was not patched correctly. He decided against publishing a bypass for the patch that Microsoft released, stating that the new variant that he published instead "is more powerful than the original one".

The researcher describes the proof of concept in the following way:

I have also made sure that the proof of concept is extremely reliable and doesn't require anything, so it works in every attempt. The proof of concept overwrite Microsoft Edge elevation service DACL and copy itself to the service location and execute it to gain elevated privileges.

While this technique may not work on every installation, because windows installations such as server 2016 and 2019 may not have the elevation service. I deliberately left the code which take over file open, so any file specified in the first argument will be taken over with the condition that SYSTEM account must have access to it and the file mustn't be in use. So you can elevate your privileges yourself.

Running standard user accounts, instead of accounts with administrative privileges, is considered a good security practice as doing so may limit what successful exploits and attacks may do on a system.

Naceria notes that his exploit is not affected by a policy that may prevent standard users from performing MSI operations.

He plans to drop the bypass to the vulnerability patched in November 2021 after Microsoft produces a patch for the vulnerability discussed in this article.

Windows administrators and users should wait for a patch nevertheless according to Naceri, as "any attempt to patch the binary directly will break windows installer".

Bleeping Computer asked Naceri why he did not report the vulnerability to Microsoft before publication. Naceri responded that it is a reaction to Microsoft cutting bug bounties for reported vulnerabilities.

Unpatched Windows vulnerability allows attackers to gain admin rights

The report conducted a comprehensive analysis of the cyber attacks launched by the organization called You Xiang (baby elephant in English) in South Asia, revealing its target, technology and equipment, and exposing the attackers who wear “invisible clothes” and hide behind screens.

The company’s vice chief engineer, Li Bosong, told the Global Times that they first detected “baby elephant” activities in 2017, when a number of large-scale targeted cyberattacks on the government, military and defense departments of South Asian countries were found.

According to the analysis of their activities, it was found that the group is suspected to be from India, and is not the same as another hacker group from India named “white elephant.”

The organization had its own set of relatively independent attack resources and tools, but the attack capability was relatively primary at that time. It might be a newly established attack team with immature technical capabilities. “That’s why we’ve named this new, advanced threat organization ‘baby elephant,'” Li said.

Four years since, the “baby elephant” is on the rampage, expanding their targets. “Since 2017, the number of ‘baby elephant’ attacks has doubled each year, and the attack methods and resources have gradually become richer, and the target has started to cover more areas in South Asia,” Li said. “In 2021, the group began targeted attacks on Chinese institutions for intelligence theft.”

The attacks detected by Antiy Labs include setting up phishing websites, attacking mobile phones with malicious Android applications, and Trojans written in languages such as Python to steal various documents, browser cache passwords and other host system environment information from computers.

For example, the “baby elephant” used to disguise itself as the mail system of the Nepalese army, police, and government, including Nepal’s Ministry of Foreign Affairs, the Ministry of National Defense, and the Prime Minister’s office to launch targeted attacks to obtain email accounts to carry out subsequent attacks.

It also pretended to be a polling app for India-Nepal territorial disputes using malicious Android applications. After the victim installs and opens the malicious Android application, the application will ask for system permissions from users. If the permissions are granted, it will monitor the victim’s mobile phone.

The highlight from the report is that the location of those hackers was exposed when the group uploaded their Trojan horses to public security resources to test the ability of the Trojan horses to escape anti-virus software. Resources retrieval showed at least one sample uploader was from Delhi, India. The hacker had uploaded eight test malicious files from November 23 to November 24, 2020.

Those samples shared a high degree of similarity in code content with those from the “baby elephant.”

Judging from previous activities, some hacking organizations from India are not very concealed. One is because of its imperfect attacking capability, but more importantly, it reflects the have-nothing-to-fear mindset of those attackers. The physical location of one attacker most likely represents the location of the entire hacking organization, Li said.

“Despite constantly diversifying attacking methods and more abundant functions of the malicious files, attacks could still be traced to the “baby elephant” based on its targets, tactics and decoys and Trojan homology,” Li said.

The targets of the attacks overlap, such as those in Nepal, Pakistan, and Afghanistan. Techniques and tactics that they used are similar to the behavior of the “baby elephant” in the early stage, including malicious shortcuts, malicious HTA scripts and Python Trojan horses, according to Li.

Li also pointed out the similarity of their domain names, which all tend to imitate the official domain names of government organs and state-owned enterprises in Pakistan, Nepal and Sri Lanka. They also tended to adopt the dynamic domain names under the US network service provider No-IP, such as hopto.organd myftp.org.

Multiple signs showed that the “baby elephant” has already become one of the most active and mature cyber attack organizations that threaten the cyber security of South Asia and Asia-Pacific.

It is also likely to become the main attack group in South Asia in the future, Li said, calling for attention to be paid on the “baby elephant.”

Victim countries attacked by the “baby elephant” are usually weak economically, in digital maintenance and cyber security capabilities. But like any other country, they enjoy the right to defend their sovereignty, security and interests, Li pointed out.

In a previous interview, Antiy Labs told the Global Times that since March, they have detected several phishing activities targeting government, defense and military units, as well as state-owned enterprises in China, Pakistan, and Nepal. The organization behind the attacks is from India and its activities can be traced to as early as April 2019.

More first-hand materials the Global Times obtained from several of China’s leading cybersecurity companies have further revealed a sophisticated network: top hackers from South Asia, mainly from India, have constantly attacked defense and military units as well as state-owned enterprises in China, Nepal and Pakistan in the past few years, and such attacks are on the rise under new disguises of international trending topics.

Source

Has this happened to anyone else, or was this user error of some sort? If this is real, can some reporter write about it?

(Not that “user error” is a good justification. Any system where making a simple mistake means that you’ve forever lost your privacy isn’t a good one. We see this same situation with sharing contact lists with apps on smartphones. Apps will repeatedly ask, and only need you to accidentally click “okay” once.)

EDITED TO ADD: It’s actually worse than I thought. Edge urges users to store passwords, ID numbers, and even passport numbers, all of which get uploaded to Microsoft by default when synch is enabled.

Source

The e-commerce giant had more than 1,000 contacts from his phone. It had records of exactly which part of the Quran that Samirah, who was raised as a Muslim, had listened to on Dec. 17 of last year. The company knew every search he had made on its platform, including one for books on "progressive community organizing" and other sensitive health-related inquiries he thought were private.

"Are they selling products, or are they spying on everyday people?" asked Samirah, a Democratic member of the Virginia House of Delegates.
Samirah was among the few Virginia legislators who opposed an industry-friendly, Amazon-drafted state privacy bill that passed earlier this year. At Reuters' request, Samirah asked Amazon to disclose the data it collected on him as a consumer.

The company gathers a vast array of information on its U.S. customers, and it started making that data available to all upon request early last year, after trying and failing to defeat a 2018 California measure requiring such disclosures. (U.S. Amazon customers can obtain their data by filling out a form on Amazon.com. https://www.amazon.com/gp/help/customer/display.html?nodeId=GXPU3YPMBZQRWZK2)

Seven Reuters reporters also obtained their Amazon files. The data reveals the company's ability to amass strikingly intimate portraits of individual consumers.

Amazon collects data on consumers through its Alexa voice assistant, its e-commerce marketplace, Kindle e-readers, Audible audiobooks, its video and music platforms, home-security cameras and fitness trackers. Alexa-enabled devices make recordings inside people's homes, and Ring security cameras capture every visitor.

Such information can reveal a person's height, weight and health; their ethnicity (via clues contained in voice data) and political leanings; their reading and buying habits; their whereabouts on any given day, and sometimes whom they have met.

One reporter's dossier revealed that Amazon had collected more than 90,000 Alexa recordings of family members between December 2017 and June 2021 – averaging about 70 daily. The recordings included details such as the names of the reporter's young children and their favorite songs.

Amazon captured the children asking how they could convince their parents to let them "play," and getting detailed instructions from Alexa on how to convince their parents to buy them video games. Be fully prepared, Alexa advised the kids, to refute common parent arguments such as "too violent," "too expensive" and "you're not doing well enough in school." The information came from a third-party program used by Alexa called "wikiHow" that provides how-to advice from more than 180,000 articles, according to Amazon's website.

Amazon said it does not own wikiHow, but that Alexa sometimes responds to requests with information from websites.

Some recordings involved conversations between family members using Alexa devices to communicate across different parts of the house. Several recordings captured children apologizing to their parents after being disciplined. Others picked up the children, ages 7, 9 and 12, asking Alexa questions about terms like "pansexual."

In one recording, a child asks: "Alexa, what is a vagina?" In another: "Alexa, what does bondage mean?"

The reporter did not realize Amazon was storing the recordings before the company disclosed the data it tracked on the family.

Amazon says its Alexa products are designed to record as little as possible, starting with the trigger word, "Alexa," and stopping when the user's command ends. The recordings of the reporter's family, however, sometimes captured longer conversations.

In a statement, Amazon said it has scientists and engineers working to improve the technology and avoid false triggers that prompt recording. The company said it alerts customers that recordings are stored when they set up Alexa accounts.

Amazon said it collects personal data to improve products and services and customize them to individuals. Asked about the records of Samirah listening to the Quran on Amazon's audiobooks service, Amazon said such data allows customers to pick up where they left off from a prior session.

The only way for customers to delete much of this personal data is to close their account, Amazon said. The company said it retains some information, such as purchase history, after account closure to comply with legal obligations.

Amazon said it allows customers to adjust their settings on voice assistants and other services to limit the amount of data collected. Alexa users, for instance, can stop Amazon from saving their recordings or have them automatically deleted periodically. And they can disconnect their contacts or calendars from their smart-speaker devices if they don't want to use Alexa's calling or scheduling functions.

A customer can opt out of having their Alexa recordings examined, but they must navigate a series of menus and two warnings that say: "If you turn this off, voice recognition and new features may not work well for you." Asked about the warnings, Amazon said consumers who limit data collection may not be able to personalize some features, such as music playback.

Samirah, 30, got an Amazon Alexa-enabled smart speaker during last year's holiday season. He said he only used it for three days before returning it after realizing it was collecting recordings. "It really sketched me out," he said.

The device had already gathered all of his phone contacts, part of a feature that allows users to make calls through the device. Amazon said Alexa users must give permission for the company to access phone contacts. Customers must disable access to phone contacts, not just delete the Alexa app, in order to delete the records from their Amazon account.

Samirah said he was also unnerved that Amazon had detailed records of his audiobook and Kindle reading sessions. Finding information about his listening to the Quran disclosed in his Amazon file, he said, made Samirah think about the history of U.S. police and intelligence agencies surveilling Muslims for suspected terrorist links after the attacks of Sept. 11, 2001.

"Why do they need to know that?" he asked. Samirah's term ends in January, after he lost a bid for re-election earlier this year.

At times, law-enforcement agencies seek data on customers from technology companies. Amazon discloses that it complies with search warrants and other lawful court orders seeking data the company keeps on an account, while objecting to "overbroad or otherwise inappropriate requests."

Amazon data for the three years ending in June 2020, the latest available, show the company complied at least partially with 75% of subpoenas, search warrants and other court orders seeking data on U.S. customers. The company fully complied with 38% of those requests.

Amazon stopped disclosing how often it complies with such requests last year. Asked why, Amazon said it expanded the scope of the U.S. report to make it global, and "streamlined" the information from each country on law enforcement inquiries. The company said it is obligated to comply with "valid and binding orders," but that its goal is to release "the minimum" required by law.

Amazon's 3,500-word privacy policy, which links to more than 20 other pages related to privacy and user settings, gives the company wide latitude to collect data. Amazon said the policy describes its collection, use and sharing of data "in a way that is easy for consumers to understand."

That information can get quite personal. Amazon's Kindle e-readers, for instance, precisely track a user's reading habits, another reporter's Amazon data file showed. The disclosure included records of more than 3,700 reading sessions since 2017, including timestamped logs – to the millisecond – of books read. Amazon also tracks words highlighted or looked up, pages turned and promotions seen.

It showed, for instance, that a family member read "The Mitchell Sisters: A Complete Romance Series" on Aug. 8, 2020, from 4:52 p.m. until 7:36 p.m., flipping 428 pages.

Florian Schaub, a privacy researcher at the University of Michigan, said businesses are not always transparent about what they're doing with users' data. "We have to rely on Amazon doing the right thing," he said, "rather than being confident the data can't be misused."

(Reporting by Chris Kirkham and Jeffrey Dastin; editing by Peter Hirschberg and Brian Thevenot)

Source

"The victimized websites belong to media outlets in the U.K., Yemen, and Saudi Arabia, as well as to Hezbollah; to government institutions in Iran (Ministry of Foreign Affairs), Syria (including the Ministry of Electricity), and Yemen (including the Ministries of Interior and Finance); to internet service providers in Yemen and Syria; and to aerospace/military technology companies in Italy and South Africa," ESET said in a new report. "The attackers also created a website mimicking a medical trade fair in Germany."

The strategic web compromises are believed to have occurred in two waves, the first commencing as early as March 2020 before ending in August 2020, and the second string of attacks beginning in January 2021 and lasting until early August 2021, when the targeted websites were stripped clean off the malicious scripts.

Watering hole attacks are a form of highly targeted intrusions in that they tend to infect a specific group of end-users by backdooring websites that members of the group are known to frequent with the goal of opening a gateway into their machines for follow-on exploitation activities.

"The compromised websites are only used as a jumping-off point to reach the final targets," the Slovak cybersecurity firm said, linking the second wave to a threat actor tracked by Kaspersky as Karkadann citing overlaps in the tactics, techniques, and procedures (TTPs). The Russian company described the group as targeting government bodies and news outlets in the Middle East since at least October 2020.

The original attack chains involved injecting JavaScript code into the websites from a remote attacker-controlled domain that's designed to collect and exfiltrated I.P. geolocation and system information about the victim machine, opting to proceed further only if the operating system in question is either Windows or macOS, suggesting the campaign was orchestrated to target computers and not mobile devices. The final step led to a likely browser remote code execution exploit that enabled the attackers to hijack control of the machines.

The second wave observed in January 2021 was characterized by more stealth, as the JavaScript modifications were made to legitimate WordPress scripts ("wp-embed.min.js") used by the websites instead of adding the malicious code straight to the main HTML page, using the method to load a script from a server under the attacker's control. What's more, the fingerprinting script also went beyond harvesting system metadata to capture the default language, the list of fonts supported by the browser, the time zone, and the list of browser plugins.

The exact exploit and the final payload delivered remain unknown as yet. "This shows that the operators choose to narrow the focus of their operations and that they don't want to burn their zero-day exploits," ESET malware researcher Matthieu Faou said.

The campaign's links to Candiru stems from the fact that some of the command-and-control servers utilized by the attackers are similar to domains previously identified as belonging to the Israeli company, not to mention feature browser-based remote code execution exploits in its arsenal, raising the possibility that "the operators of the watering holes are customers of Candiru."

ESET noted that the attackers ceased operations at the end of July 2021, coinciding with the public disclosures about Candiru related to the use of multiple zero-day vulnerabilities in the Chrome browser to target victims located in Armenia. "It seems that the operators are taking a pause, probably in order to retool and make their campaign stealthier," Faou said. "We expect to see them back in the ensuing months."

Source

"While attacks can exceed 95% accuracy when monitoring a small set of five popular websites, indiscriminate (non-targeted) attacks against sets of 25 and 100 websites fail to exceed an accuracy of 80% and 60%, respectively," researchers Giovanni Cherubin, Rob Jansen, and Carmela Troncoso said in a newly published paper.

Tor browser offers "unlinkable communication" to its users by routing internet traffic through an overlay network, consisting of more than six thousand relays, with the goal of anonymizing the originating location and usage from third parties conducting network surveillance or traffic analysis. It achieves this by building a circuit that traverses via an entry, middle, and exit relay, before forwarding the requests to the destination IP addresses.

On top of that, the requests are encrypted once for each relay to further hinder analysis and avoid information leakage. While the Tor clients themselves are not anonymous with respect to their entry relays, because the traffic is encrypted and the requests jump through multiple hops, the entry relays cannot identify the clients' destination, just as the exit nodes cannot discern a client for the same reason.

Website fingerprinting attacks on Tor aim to break these anonymity protections and enable an adversary observing the encrypted traffic patterns between a victim and the Tor network to predict the website visited by the victim. The threat model devised by the academics presupposes an attacker running an exit node — so as to capture the diversity of traffic generated by real users — which is then used as a source to collect Tor traffic traces and devise a machine-learning-based classification model atop the gathered information to infer users' website visits.

The adversary model involves an "online training phase that uses observations of genuine Tor traffic collected from an exit relay (or relays) to continuously update the classification model over time," explained the researchers, who ran entry and exit relays for a week in July 2020 using a custom version of Tor v0.4.3.5 to extract the relevant exit information.

To mitigate any ethical and privacy concerns arising out of the study, the paper's authors stressed the safety precautions incorporated to prevent leakage of sensitive websites that users may visit via the Tor browser.

"The results of our real-world evaluation demonstrate that WF attacks can only be successful in the wild if the adversary aims to identify websites within a small set," the researchers concluded. "In other words, untargetted adversaries that aim to generally monitor users' website visits will fail, but focused adversaries that target one particular client configuration and website may succeed."

Source

• Intel® Xeon® Processor E Family

• Intel® Xeon® Processor E3 v6 Family

• Intel® Xeon® Processor W Family

• 3rd Generation Intel® Xeon® Scalable Processors

• 11th Generation Intel® Core™ Processors

• 10th Generation Intel® Core™ Processors

• 7th Generation Intel® Core™ Processors

• Intel® Core™ X-series Processors

• Intel® Celeron® Processor N Series

• Intel® Pentium® Silver Processor Series

The second bug with ID "CVE-2021-0146" seems to affect lower-end CPUs like the Pentium and Celeron with the following CPU IDs. Embedded SOCs are also affected and have been classified separately.

CPU IDs:

• Desktop/Mobile :
  • 506C9
  • 706A1
  • 706A8
• Embedded:
  • 506CA
  • 506F1

Desktop/Mobile (ID 506C9) :

• Intel® Pentium® Processor J Series, N Series

• Intel® Celeron® Processor J Series, N Series

• Intel® Atom® Processor A Series

• Intel® Atom® Processor E3900 Series

Desktop/Mobile (ID 706A1):

• Intel® Pentium® Processor Silver Series/ J&N Series

Desktop/Mobile (ID 706A8):

• Intel® Pentium® Processor Silver Series/ J&N Series - Refresh

Embedded (ID 506CA):

• Intel® Pentium® Processor N Series

• Intel® Celeron® Processor N Series

• Intel® Atom® Processor E3900 Series

Embedded (ID 506F1):

• Intel® Atom® Processor C3000

As far as recommendations, Intel has advised users to update the systems' BIOS to the firmware version that patches the issue. Hence, users should be on the lookout for when their OEMs or motherboard vendors release the patched firmware.

Source: Crucial BIOS update rolling out for Intel 11th Gen, 10th Gen, and more CPUs, fixes LPE bug (via Neowin)

• Escalation of privilege
• Denial of service
• Information disclosure
• KASLR bypass
• Arbitrary write to kernel memory
   

The image below shows the CVE IDs assigned to these exploits, a short description, and the level of threat they posed.

AMD was made aware of these bugs by security researchers among whom, Ori Nimron (Twitter username @orinimron123) made the biggest contribution. The company states it gradually patched these exploits with graphics driver updates, the most recent one being the 21.4.1 driver which was the 2020-21 mega driver update for Radeon that brought in a ton of new features as well lower power draw. You can find more details on AMD's official announcement here.
 

Curiously, Intel too got stuck in this situation since the company built its Kaby Lake G SKUs using AMD's Vega graphics. As such, Team Blue had to release a new graphics driver version 21.10.03.11 for Kaby Lake G even though it was already announced as an End-of-Life (EOL) product earlier.
 

Aside from the bugs already noted by AMD, Intel also adds one more by itself dubbed "CVE-2021-33105". More details can be found on Intel's official page.

Source: AMD confirms its Windows driver was at the mercy of hackers due to a dozen security exploits (via Neowin)

While HTML smuggling is not a new technique, Microsoft is seeing it increasingly used by threat actors to evade detection, including the Nobelium hacking group behind the SolarWinds attacks.

How HTML smuggling works

HTML smuggling is a technique used in phishing campaigns that use HTML5 and JavaScript to hide malicious payloads in encoded strings in an HTML attachment or webpage. These strings are then decoded by a browser when a user opens the attachment or clicks a link.

For example, a phishing HTML attachment could include a harmless link to a known website, thus not being seen as malicious. However, when a user clicks on the link, JavaScript will decode an included encrypted or encoded string and convert it into a malicious attachment that is downloaded instead, as shown in the code below.

Since the malicious payload is encoded initially, it looks harmless to security software and is not detected as malicious. Furthermore, as JavaScript assembles the payload on the target system, it bypasses any firewalls and security defenses that would usually catch the malicious file at the perimeter.

Deployment cases

Microsoft researchers have seen this technique used in Mekotio campaigns that deliver banking trojans and also in highly-targeted NOBELIUM attacks.

HTML smuggling campaigns are also used to drop the AsyncRAT or NJRAT remote access trojans, or the TrickBot trojan used to breach networks and deploy ransomware.

The attacks usually start with a phishing email containing an HTML link in the body of the message or a malicious HTML file as an attachment.

If either is clicked, a ZIP file is dropped using HTML smuggling. This archive contains a JavaScript file downloader that fetches additional files from a command and control server (C2) to install on the victim's device.

In some cases, the created archives are password-protected for additional detection evasion against endpoint security controls. However, the password to open it is provided in the original HTML attachment, so the victim must enter it manually.

Once the script is launched, a base64-encoded PowerShell command is executed that downloads and installs the TrickBot trojan or other malware.

A 2020 report from Menlo Security also mentions the Duri malware group as one of the actors who actively uses HTML smuggling for payload distribution, but the technique was first seen in the wild since at least 2018.

Microsoft first warned about a sudden uptick in this activity in July 2021, urging admins to raise their defenses against it.

How to defend against HTML smuggling

Microsoft suggests admins use behavior rules to check for commonly characteristics of HTML smuggling, including:

• An attached ZIP file contains JavaScript
• An attachment is password-protected
• An HTML file contains a suspicious script code
• An HTML file decodes a Base64 code or obfuscates a JavaScript

For endpoints, admins should block or audit activity associated with HTML smuggling, including:

• Block JavaScript or VBScript from launching downloaded executable content
• Block execution of potentially obfuscated scripts
• Block executable files from running unless they meet a prevalence, age, or trusted list criterion

In addition to the above, users may prevent automatic JavaScript code execution by associating .js and .jse files with a text editor like Notepad.

Ultimately, the best defense is to train users not to open files downloaded via links in emails and attachments. All files downloaded from an email should be treated with caution and checked carefully before being opened.

Furthermore, if an attachment or email link downloads an attachment ending with a .js extension (JavaScript), it should never be opened and automatically be deleted.

Unfortunately, Windows disables the showing of file extensions by default, leading to extensions not being seen in many cases. This is why it is always suggested that users enable the viewing of file extensions to prevent the opening of malicious files.

Microsoft warns of surge in HTML smuggling phishing attacks

The bug, tracked as CVE-2021-34484, was incompletely patched by Microsoft during the August Patch Tuesday. The company only addressed the impact of the proof-of-concept (PoC) provided by security researcher Abdelhamid Naceri who reported the issue.

Naceri later discovered that threat actors could still bypass the Microsoft patch to elevate privileges to gain SYSTEM privileges if certain conditions are met, getting an elevated command prompt while the User Account Control (UAC) prompt is displayed.

CERT/CC vulnerability analyst Will Dormann tested the CVE-2021-34484 bypass PoC exploit and found that, while it worked, it would not always create the elevated command prompt. However, in BleepingComputer's tests, it launched an elevated command prompt immediately, as shown below.

Luckily, the exploit requires attackers to know and log in with other users' credentials for exploiting the vulnerability, which means that it will likely not be as widely abused as other LPE bugs (including PrintNightmare).

The bad news is that it impacts all Windows versions, including Windows 10, Windows 11, and Windows Server 2022, even if fully patched.

Additionally, the researcher told BleepingComputer threat actors will only need another domain account to deploy the exploits in attacks, so it's definitely something admins should be concerned about.

After BleepingComputer's report on the CVE-2021-34484 bypass, Microsoft told us that they are aware of the issue and "will take appropriate action to keep customers protected."

Free patch available until Microsoft addresses the bug

While Microsoft is still working on a security update to address this zero-day flaw, the 0patch micropatching service has released Thursday a free unofficial patch (known as a micropatch).

0patch developed the micropatch using the info provided by Naceri in his write-up and PoC for the Windows User Profile Service 0day LPE.

You can apply this free patch to block attacks using the CVE-2021-34484 bypass on the following Windows versions:

1. Windows 10 v21H1 (32 & 64 bit) updated with October or November 2021 Updates
2. Windows 10 v20H2 (32 & 64 bit) updated with October or November 2021 Updates
3. Windows 10 v2004 (32 & 64 bit) updated with October or November 2021 Updates
4. Windows 10 v1909 (32 & 64 bit) updated with October or November 2021 Updates
5. Windows Server 2019 64 bit updated with October or November 2021 Updates

"While this vulnerability already has its CVE ID (CVE-2021-33742), we're considering it to be without an official vendor fix and therefore a 0day," 0patch co-founder Mitja Kolsek explained. "Micropatches for this vulnerability will be free until Microsoft has issued an official fix."

To install this unofficial patch on your system, you will first need to register a 0patch account and then install the 0patch agent.

Once you launch the agent, the micropatch is applied automatically (if there is no custom patching enterprise policy in place blocking it), without the need to reboot the device.

While this issue in theory also impacts older Windows versions, Kolsek said that "the vulnerable code is different there, making the window for winning the race condition extremely narrow and probably unexploitable."

A video demo of the CVE-2021-33742 micropatch in action is embedded below.

Zero-day bug in all Windows versions gets free unofficial patch

According to a report by Barracuda, who surveyed 10,500 organizations, 35% of them received at least one bait attack email in September 2021 alone.

What is a baiting attack?

A "bait attack" is a sub-class of phishing where threat actors attempt to gather basic information about a specific target and use it for more targeted and effective attacks in the future.

It is a preparatory reconnaissance step that seldom comes with payloads or embedded links on the email body.

Although some of these emails contain a basic question or something that has higher chances of receiving a response, many don't include any text at all.

While it may be strange to send an almost empty email, the threat actors are using them with the following goals:

• Confirm that the recipient’s email address is valid
• Confirm that the email address is actively used
• Confirm targets' susceptibility to unsolicited emails
• Test the effectiveness of automated spam-detection solutions

Since these emails don't include any links to phishing sites and don't carry any attachments, they usually pass through phishing defense systems as they are not seen as malicious.

Why Gmail?

Barracuda's stats show that 91% of all these bait emails are sent from newly-created Gmail accounts, while all other email platforms account for just 9%.

This preference is because Gmail is a very popular service that people associate with legitimacy and trustworthiness.

The same applies to email security solutions that treat Google's email service as a highly reputable one.

Moreover, Gmail is a platform that allows the quick and easy creation of pseudonymous accounts without much fuss.

Finally, Gmail supports "read receipt" functionality, which tells the actors that the recipient opened the message even if they never replied.

This stealthily fulfills the purpose of the baiting attack, which is to confirm that the mailbox is valid and actively used.

What if the bait is taken?

Barracuda decided to experiment by replying to these baiting emails, which aren't supposed to initiate the phishing process.

Within 48 hours, the security firm employee received a targeted phishing attack used after a false Norton LifeLock purchase claim.

This quick response demonstrates the readiness of the actors and the tight connection between these innocuous-looking empty emails and fully-fledged phishing attacks.

Remember, one doesn’t even have to reply to these emails to confirm that they are available for potential exploitation, so if you see one, delete it without opening it.

However, replying puts the victim in a higher priority category for the actors, as users who respond to bait emails are typically more susceptible and easier to exploit.

Gmail accounts are used in 91% of all baiting email attacks

Microsoft has fixed 55 vulnerabilities with today's update, with six classified as Critical and 49 as Important. The number of each type of vulnerability is listed below:

• 20 Elevation of Privilege vulnerabilities
• 2 Security Feature Bypass vulnerabilities
• 15 Remote Code Execution vulnerabilities
• 10 Information Disclosure vulnerabilities
• 3 Denial of Service vulnerabilities
• 4 Spoofing vulnerabilities

For information about the non-security Windows updates, you can read about today's Windows 10 KB5007186 & KB5007189 cumulative updates and the Windows 11 KB5007215 cumulative update.

Six zero-days fixed, with two actively exploited

November's Patch Tuesday includes fixes for six zero-day vulnerabilities, two actively exploited against Microsoft Exchange and Microsoft Excel.

Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available.

The actively exploited vulnerabilities fixed this month are:

• CVE-2021-42292 - Microsoft Excel Security Feature Bypass Vulnerability
• CVE-2021-42321 - Microsoft Exchange Server Remote Code Execution Vulnerability

The Microsoft Exchange CVE-2021-42321 vulnerability is an authenticated remote code execution bug used as part of the Tianfu Cup hacking contest last month.

However, the Microsoft Excel CVE-2021-42292 was discovered by the Microsoft Threat Intelligence Center and has been actively used in malicious attacks.

The security updates for Microsoft Office for Mac have not been released as of yet.

Microsoft also fixed four other publicly disclosed vulnerabilities that are not known to be exploited in attacks.

• CVE-2021-38631 - Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
• CVE-2021-41371 - Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
• CVE-2021-43208 - 3D Viewer Remote Code Execution Vulnerability
• CVE-2021-43209 - 3D Viewer Remote Code Execution Vulnerability

Recent updates from other companies

Other vendors who released updates in November include:

• Adobe's November security updates were released for various applications.
• Android's November security updates were released last week.
• Cisco released security updates for numerous products this month, including a hard-coded password and SSH key vulnerability.
• SAP released its November 2021 security updates.

The November 2021 Patch Tuesday Security Updates

Below is the complete list of resolved vulnerabilities and released advisories in the November 2021 Patch Tuesday updates. To access the full description of each vulnerability and the systems that it affects, you can view the full report here.

Microsoft November 2021 Patch Tuesday fixes 6 zero-days, 55 flaws

The Tor Browser is a customized version of Firefox ESR that allows users to browse the web anonymously and access special .onion domains only accessible via Tor.

You can download the Tor Browser from the Tor Project site, and if you are an existing user, you can upgrade to the latest version by going to the Tor Menu > Help > About Tor Browser.

What's new in Tor 11

Tor Browser 11 uses Firefox ESR 91, which brings an updated user interface containing new icons, a new toolbar, streamlined menus, dialogs, and an updated tabs interface.

However, the most significant change is the deprecation of V2 onion services, meaning TOR URLs using short 16 character hostnames domains are no longer supported.

When attempting to open a V2 onion service, Tor Browser will show users an "Invalid Onionsite Address" with an error code of 0xF6.

"Last year we announced that v2 onion services would be deprecated in late 2021, and since its 10.5 release Tor Browser has been busy warning users who visit v2 onion sites of their upcoming retirement," the Tor Project explained in the Tor Browser 11 release notes.

"At long last, that day has finally come. Since updating to Tor 0.4.6.8 v2 onion services are no longer reachable in Tor Browser, and users will receive an “Invalid Onion Site Address” error instead."

With this change, Tor sites using V2 onion services will no longer be reachable, but admins can upgrade to a V3 onion service by adding the following lines to the torrc file.

HiddenServiceDir /full/path/to/your/hs/v3/directory/
HiddenServicePort  :

As with all releases, there are always known issues and bugs that users need to be aware.

The known issues in Tor 11 are listed below:

• Bug 40668: DocumentFreezer & file scheme
• Bug 40671: Fonts don't render
• Bug 40679: Missing features on first-time launch in esr91 on MacOS
• Bug 40689: Change Blockchair Search provider's HTTP method
• Bug 40667: AV1 videos shows as corrupt files in Windows 8.1
• Bug 40677: Since the update to 11.0a9 some addons are inactive and need disabling-reenabling on each start
• Bug 40666: Switching svg.disable affects NoScript settings
• Bug 40690: Browser chrome breaks when private browsing mode is turned off

You can download Tor 11.0 from the Tor Browser download page and the distribution directory.

Tor Browser 11 removes V2 Onion URL support, adds new UI

The U.S. Department of Justice today announced the arrest of Ukrainian man accused of deploying ransomware on behalf of the REvil ransomware gang, a Russian-speaking cybercriminal collective that has extorted hundreds of millions from victim organizations. The DOJ also said it had seized $6.1 million in cryptocurrency sent to another REvil affiliate, and that the U.S. Department of State is now offering up to $10 million for the name or location any key REvil leaders, and up to $5 million for information on REvil affiliates.

If it sounds unlikely that a normal Internet user could make millions of dollars unmasking the identities of REvil gang members, take heart and consider that the two men indicted as part this law enforcement action do not appear to have done much to separate their cybercriminal identities from their real-life selves.

Exhibit #1: Yaroslav Vasinskyi, the 22-year-old Ukrainian national accused of being REvil Affiliate #22. Vasinskyi was arrested Oct. 8 in Poland, which maintains an extradition treaty with the United States. Prosecutors say Vasinskyi was involved in a number of REvil ransomware attacks, including the July 2021 attack against Kaseya, Miami-based company whose products help system administrators manage large networks remotely.

Yaroslav Vasinksyi’s Vkontakte profile reads “If they tell you nasty things about me, believe every word.”

According to his indictment (PDF), Vasinskyi used a variety of hacker handles, including “Profcomserv” — the nickname behind an online service that floods phone numbers with junk calls for a fee. Prosecutors say Vasinskyi also used the monikers  “Yarik45,” and “Yaroslav2468.”

These last two nicknames correspond to accounts on several top cybercrime forums way back in 2013, where a user named “Yaroslav2468” registered using the email address yarik45@gmail.com.

That email address was used to register an account at Vkontakte (the Russian version of Facebook/Meta) under the profile name of “Yaroslav ‘sell the blood of css’ Vasinskyi.” Vasinskyi’s Vkontakte profile says his current city as of Oct. 3 was Lublin, Poland. Perhaps tauntingly, Vasinskyi’s profile page also lists the FBI’s 1-800 tip line as his contact phone number. He’s now in custody in Poland, awaiting extradition to the United States.

Exhibit #2: Yevgeniy Igorevich Polyanin, the 28-year-old Russian national who is alleged to be REvil Affiliate #23. The DOJ said it seized $6.1 million in funds traceable to alleged ransom payments received by Polyanin, and that the defendant had been involved in REvil ransomware attacks on multiple U.S. victim organizations.

Polyanin’s indictment (PDF) says he also favored numerous hacker handles, including LK4D4, Damnating, Damn2life, Noolleds, and Antunpitre. Some of these nicknames go back more than a decade on Russian cybercrime forums, many of which have been hacked and relieved of their user databases over the years.

Among those was carder[.]su, and that forum’s database says a user by the name “Damnating” registered with the forum in 2008 using the email address damnating@yandex.ru. Sure enough, there is a Vkontakte profile tied to that email address under the name “Yevgeniy ‘damn’ Polyanin” from Barnaul, a city in the southern Siberian region of Russia.

The apparent lack of any real operational security by either of the accused here is so common that it is hardly remarkable. As exhibited by countless investigations in my Breadcrumbs story series, I have found that if a cybercriminal is active on multiple forums over more than 10 years, it is extremely likely that person has made multiple mistakes that make it relatively easy to connect his forum persona to his real-life identity.

As I explained earlier this year in The Wages of Password Re-use: Your Money or Your Life, it’s possible in many cases to make that connection thanks to two factors. The biggest is password re-use by cybercriminals (yes, crooks are lazy, too). The other is that cybercriminal forums, services, etc. get hacked just about as much as everyone else on the Internet, and when they do their user databases can reveal some very valuable secrets and connections.

In conjunction with today’s REvil action, the U.S. Department of State said it was offering a reward of up to $10 million for information leading to the identification or location of any individual holding a key leadership position in the REvil ransomware group. The department said it was also offering a reward of up to $5 million for information leading to the arrest and/or conviction in any country of any individual conspiring to participate in or attempting to participate in a REvil ransomware incident.

I really like this bounty offer and I hope we see more just like it for other ransomware groups. Because as we can see from the prosecutions of both Polyanin and Vasinskyi a lot of these guys simply aren’t too hard to find. Let the games begin.

REvil Ransom Arrest, $6M Seizure, and $10M Reward

• SlowMist estimated the total haul at $55 million, The Block, a crypto blog, reported on Friday.

• "Roughly 25% of this figure is personal losses from the team wallet," bZx said on Twitter.

Crypto company bZx said on Friday that a hacker stole millions in various currencies after one of its developers fell for a phishing attack.

SlowMist, an outside security company, estimated the total haul at $55 million, The Block, a crypto blog, reported on Friday.

"Roughly 25% of this figure is personal losses from the team wallet that was compromised," bZx said on Twitter, responding to The Block's reporting.

Source

The open source browser Firefox is making some policy changes for add-on developers.

No big deal, Philipp Kewisch, the add-ons product operations manager at Firefox’s parent Mozilla, said in a blog announcing the upcoming changes on Wednesday. The organization is mostly clarifying their add-on policies to make them easier for developers to understand — although there are a few small changes in the works.

“While this has resulted in a substantially rewritten and reorganized document, the policy changes are modest and unlikely to surprise anyone,” he said.

According to Kewisch, only a few changes are likely to require action from add-on developers, with most of them centering around user privacy and security:

• “Collecting browsing activity data, such as visited URLs, history, associated page data or similar information, is only permitted as part of an add-on’s primary function. Collecting user data or browsing information secretively remains prohibited.
• Add-ons that serve the sole purpose of promoting, installing, loading or launching another website, application or add-on are no longer permitted to be listed on addons.mozilla.org.
• Encryption – standard, in-browser HTTPS – is now always required when communicating with remote services. In the past, this was only required when transporting sensitive information.”

The section on cookie policies has been removed, he said, meaning obtaining user consent before accessing cookies is no longer a requirement.

“Note however, that if you use cookies to access or collect technical data, user interaction data, or personal data, you will still require a consent experience at first run of the add-on,” he added.

Add-on developers might also benefit from reviewing several other changes that were primarily focused on making the policies more clear, he said:

• “If your add-on collects technical data, user interaction data, or personal data, you must show a consent experience at the first run of the add-on. This update improves our description of these requirements, and we encourage you to review both the requirements and our recommended best practices for implementing them.
• There are certain types of prohibited data collection. We do this to ensure user privacy and to avoid add-ons collecting more information than necessary, and in this update we’ve added a section describing the types of data collection that fall under this requirement.
• Most add-ons require a privacy policy. For add-ons listed on addons.mozilla.org, the policy must be included in the listing in its full text. We’ve created a section specific to the privacy policy that lays out these requirements in more detail.
• If your add-on makes use of monetization, the monetization practices must adhere to the data collection requirements in the same way the add-on does. While we have removed duplicate wording from the monetization section, the requirements have not changed and we encourage you to review them as well.”

Firefox has published a complete preview of the policies that will go into effect on December 1st, 2021. In addition, the organization has provided direct access to a forum thread for developers who have questions about the updated policies or who would like to provide feedback.

Source

1.8TB of Police Helicopter Surveillance Footage Leaks Online

(May require free registration to view)

Microsoft has announced it's adding even more security features to the protection it offers to open-source operating systems.

Defender for Endpoint on Linux server gained endpoint detection and response (EDR) abilities a few months ago and now has extra capabilities for Azure Defender customers. It makes sense for Microsoft to develop security products for Linux, given that Linux distributions dominate virtual machine OSes on its Azure cloud.  

One key change is that Linux EDR detection and live response is now in public preview. Live response allows for in-depth investigations and quick threat containment by giving security teams forensic data, the ability to run scripts, share suspicious entities, and hunt for possible threats. 

Microsoft has also extended support for Amazon Linux 2 and Fedora 33+. And it now has a public preview of RHEL6.7+, CentOS 6.7+. Previously, EDR was available for: RHEL 7.2+; CentOS Linux 7.2+; Ubuntu 16.04 or higher LTS; SLES 12+; Debian 9 or newer; or Oracle Linux 7.2 or higher.

"The complete set of the previously released antivirus (AV) and EDR capabilities now applies to these newly added Linux distributions. [Threat and vulnerability management] coverage will be expanded with Amazon Linux and Fedora in coming months," Microsoft says. 

Users need to be on Microsoft Defender for Endpoint version 101.45.13. It also notes that previously released AV and EDR capabilities also apply to RHEL6.7+, CentOS 6.7+. Supported kernel versions are listed here. 

Microsoft is also bringing TVM to Linux Debian. A public preview of TVM for Debian 9+ public preview will be available in coming weeks. 

It's also making Defender antivirus generally available on Linux, bringing the ability to monitor processes, file system activities, and how processes interact with the OS using Microsoft's cloud security. 

"With behavior monitoring, Microsoft Defender for Endpoint on Linux protection is expanded to generically intercept whole new classes of threats such as ransom, sensitive data collection, crypto mining, and others. Behavior monitoring alerts appear in the Microsoft 365 Defender alongside all other alerts and can be effectively investigated," Microsoft notes. 

It promises to address ransomware threats too with machine-learning techniques. 

"Behavior monitoring provides effective measures against ransomware attacks which can be achieved using a variety of legitimate tools (for example, gpg, openssl) while carrying similar patterns from OS behavior perspective. Many of such patterns can be picked up by the behavior monitoring engine in a generic way."

Admins can also explore security events locally using the Microsoft Defender for Endpoint on Linux command line interface. 

Source

Calling the hacker group "an FSB special project, which specifically targeted Ukraine," the Security Service of Ukraine (SSU) said the perpetrators "are officers of the 'Crimean' FSB and traitors who defected to the enemy during the occupation of the peninsula in 2014."

The names of the five individuals the SSU alleges are part of the covert operation are Sklianko Oleksandr Mykolaiovych, Chernykh Mykola Serhiiovych, Starchenko Anton Oleksandrovych, Miroshnychenko Oleksandr Valeriiovych, and Sushchenko Oleh Oleksandrovych.

Since its inception in 2013, the Russia-linked Gamaredon group (aka Primitive Bear, Armageddon, Winterflounder, or Iron Tilden) has been responsible for a number of malicious phishing campaigns, primarily aimed at Ukrainian institutions, with the goal of harvesting classified information from compromised Windows systems for geopolitical gains.

The threat actor is believed to have carried out no fewer than 5,000 cyberattacks against public authorities and critical infrastructure located in the country, and attempted to infect over 1,500 government computer systems, with most attacks directed at security, defense, and law enforcement agencies to obtain intelligence information.

"Contrary to other APT groups, the Gamaredon group seems to make no effort in trying to stay under the radar," Slovak cybersecurity firm ESET noted in an analysis published in June 2020. "Even though their tools have the capacity to download and execute arbitrary binaries that could be far stealthier, it seems that this group's main focus is to spread as far and fast as possible in their target's network while trying to exfiltrate data."

Besides its heavy reliance on social engineering tactics as an intrusion vector, Gamaredon is known to have invested in a range of tools for scything through organizations' defenses that are coded in a variety of programming languages such as VBScript, VBA Script, C#, C++, as well as using CMD, PowerShell, and .NET command shells.

"The group's activities are characterized by intrusiveness and audacity," the agency pointed out in a technical report.

Chief among its malware arsenal is a modular remote administration tool named Pterodo (aka Pteranodon) that comes with remote access capabilities, keystroke logging, the ability to take screenshots, access microphone, and also download additional modules from a remote server. Also put to use is a .NET-based file stealer that's designed to collect files with the following extensions: *.doc, *.docx, *.xls, *.rtf, *.odt, *.txt, *.jpg, and *.pdf.

A third tool concerns a malicious payload that's engineered to distribute the malware through connected removable media, in addition to collecting and siphoning data stored in those devices.

"The SSU is continuously taking steps to contain and neutralize Russia's cyber aggression against Ukraine," the agency said. "Established as a unit of the so-called 'FSB Office of Russia in the Republic of Crimea and the city of Sevastopol,' this group of individuals acted as an outpost […] from 2014 purposefully threatening the proper functioning of state bodies and critical infrastructure of Ukraine."

Source

On top of that, the State Department is offering bounties of up to $5 million for intel and tip-offs that could result in the arrest and/or conviction in any country of individuals who are conspiring or attempting to participate in intrusions affiliated with the transnational organized crime syndicate.

"In offering this reward, the United States demonstrates its commitment to protecting ransomware victims around the world from exploitation by cyber criminals," the State Department said in a statement. "The United States looks to nations who harbor ransomware criminals that are willing to bring justice for those victim businesses and organizations affected by ransomware."

The development comes in response to DarkSide's high-profile attack on Colonial Pipeline in May 2021, taking down the largest fuel pipeline in the U.S. and disrupting fuel supply to the East Coast for roughly a week, after the hackers managed to gain entry into the company's networks using a compromised virtual private network (VPN) account password that was circulating in the dark web.

The ensuing heightened scrutiny in the wake of the attacks led to the DarkSide group shuttering its operations on May 17, citing a mysterious law enforcement seizure of its online attack infrastructure. The cartel has since attempted to resurrect itself in the form of BlackMatter, only for it to close shop a second time owing to pressure from local authorities and the disappearance of a part of its members last month.

While it's common for ransomware gangs to go underground, regroup, and reincarnate, often under a new name, law enforcement agencies in the U.S., Europe, and Asia have sought to put pressure on the operators in various ways, forcing the cybercriminals to cease operations over fears of being outed and arrested.

Source

Microsoft is a major proponent of the Zero Trust security model, alongside organizations like Google. Time and time again, the Redmond tech giant has emphasized that passwords are on their way out as companies around the world adopt Zero Trust. It is also driving U.S. President Joe Biden's Executive Order about U.S. firms evolving to adopt Zero Trust technologies. Now, Microsoft has shared its updated stance on the implementation and how organizations should cater to it.

Over the past couple of year, Microsoft has learned lots of things when it comes to implementing Zero Trust for multiple organizations around the globe. Based on that, it has shared it general architecture for the implementation, which can be seen above.

Microsoft has also published a whitepaper called "Evolving Zero Trust" that describes its learnings over the years in more detail. The paper emphasizes the company's renewed focus on capturing telemetry to better secure an organization with threat intelligence, measurement of user experience, policy-making, and proactive remediation.

Additionally, it discusses the importance of automation in reducing cost and enhancing a firm's security posture. That said, Microsoft has highlighted that Zero Trust is a very dynamic landscape and firms must evolve to meet its needs. Microsoft has noted that 76% of large organizations have adopted Zero Trust already, and over time, it expects more companies around the world to adopt the security model and its associated tooling and technologies. You can find out more about Microsoft's learnings and relevant insights from its whitepaper here.

 Microsoft: Telemetry is essential in implementing a Zero Trust architecture

Two-factor authentication is coming to Google accounts whether you want it or not.

Google wants every account to use 2FA, starts auto-enrolling users

New Delhi: The US government on Wednesday morning said that Israeli spyware maker NSO Group had been added to the Commerce Department’s “entity list”, a federal blacklist which would restrict exports of US technology to the company.

This move came after the Joe Biden administration determined that the NSO’s phone hacking tools had been used by foreign governments to “maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers.”

In July 2021, a group of media organisations around the world including The Wire, reported how the NSO Group’s Pegasus spyware had been used to target activists, journalists and academics across 10 countries.

NSO and a smaller Tel Aviv-based company, Candiru, were among four companies added by the US commerce department to the entity list.

“NSO Group and Candiru (Israel) were added to the Entity List based on evidence that these entities developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers,” it said in a press release.

“These tools have also enabled foreign governments to conduct transnational repression, which is the practice of authoritarian governments targeting dissidents, journalists and activists outside of their sovereign borders to silence dissent. Such practices threaten the rules-based international order.”

According to reports, companies on the entity list are prohibited from receiving US software or hardware exports, thus cutting off the firm from a vital source of technology.

“The impact is broader than just the legal prohibition,” said Kevin Wolf, an international trade lawyer at the firm Akin Gump who previously ran the entity list process, told the Washington Post. “It’s a huge red flag.”

In the past, Chinese companies like Huawei have been added to the entity list for their alleged contributions to human rights abuses regarding the Uyghurs.

However, as experts have noted, it is less common for the US government to target companies that are based in countries that are allies of the United States.

“The United States is committed to aggressively using export controls to hold companies accountable that develop, traffic, or use technologies to conduct malicious activities that threaten the cybersecurity of members of civil society, dissidents, government officials, and organisations here and abroad,” secretary of commerce Gina M. Raimondo was quoted as saying in the statement.

“Today’s action is a part of the Biden-Harris administration’s efforts to put human rights at the center of US foreign policy, including by working to stem the proliferation of digital tools used for repression. This effort is aimed at improving citizens’ digital security, combating cyber threats, and mitigating unlawful surveillance…,” the press release added.

NSO response

In a statement put out on Wednesday evening, the NSO group said it was  “dismayed” by the decision and that it would advocate for the decision to be reversed.

“We look forward to presenting the full information regarding how we have the world’s most rigorous compliance and human rights programs that are based the American values we deeply share, which already resulted in multiple terminations of contacts with government agencies that misused our products,” a company spokesperson said.

Source

To that end, the company is expected to issue rewards worth $31,337 for exploiting privilege escalation in a lab environment for each patched vulnerability, an amount that can climb up to $50,337 for working exploits that take advantage of zero-day flaws in the kernel and other undocumented attack techniques.

Specifically, the program aims to uncover attacks that could be launched against Kubernetes-based infrastructure to defeat process isolation barriers (via NSJail) and break out of the sandbox to leak secret information.

The program is expected to last until January 31, 2022.

"It is important to note, that the easiest exploitation primitives are not available in our lab environment due to the hardening done on Container-Optimized OS," Eduardo Vela of Google Bug Hunters Team said.

The rewards program also exists in conjunction with Android's VRP rewards, allowing researchers to demonstrate exploits that work on the mobile operating system, which could be eligible for up to $250,000 in bug bounties. More details about the contest can be found here.

Source