<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/142/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>&#x2018;Trojan Source&#x2019; Bug Threatens the Security of All Code</title><link>https://nsaneforums.com/news/security-privacy-news/%E2%80%98trojan-source%E2%80%99-bug-threatens-the-security-of-all-code-r3221/</link><description><![CDATA[<div>
	<p>
		Virtually all compilers — programs that transform human-readable source code into computer-executable machine code — are vulnerable to an insidious attack in which an adversary can introduce targeted vulnerabilities into any software without being detected, new research released today warns. The vulnerability disclosure was coordinated with multiple organizations, some of whom are now releasing updates to address the security weakness.
	</p>

	<p>
		 
	</p>

	<p>
		Researchers with the University of Cambridge discovered a bug that affects most computer code compilers and many software development environments. At issue is a component of the digital text encoding standard <a href="https://home.unicode.org/" rel="external nofollow" target="_blank">Unicode</a>, which allows computers to exchange information regardless of the language used. Unicode currently defines more than 143,000 characters across 154 different language scripts (in addition to many non-script character sets, such as emojis).
	</p>

	<p>
		 
	</p>

	<p>
		Specifically, the weakness involves Unicode’s bi-directional or “<a href="https://www.w3.org/International/articles/inline-bidi-markup/uba-basics" rel="external nofollow" target="_blank">Bidi</a>” algorithm, which handles displaying text that includes mixed scripts with different display orders, such as Arabic — which is read right to left — and English (left to right).
	</p>

	<p>
		 
	</p>

	<p>
		But computer systems need to have a deterministic way of resolving conflicting directionality in text. Enter the “Bidi override,” which can be used to make left-to-right text read right-to-left, and vice versa.
	</p>

	<p>
		 
	</p>

	<p>
		“In some scenarios, the default ordering set by the Bidi Algorithm may not be sufficient,” the Cambridge researchers wrote. “For these cases, Bidi override control characters enable switching the display ordering of groups of characters.”
	</p>

	<p>
		 
	</p>

	<p>
		Bidi overrides enable even single-script characters to be displayed in an order different from their logical encoding. As the researchers point out, this fact has previously been exploited <a href="https://krebsonsecurity.com/2011/09/right-to-left-override-aids-email-attacks/" rel="external nofollow" target="_blank">to disguise the file extensions of malware disseminated via email</a>.
	</p>

	<p>
		 
	</p>

	<p>
		Here’s the problem: Most programming languages let you put these Bidi overrides in comments and strings. This is bad because most programming languages allow comments within which all text — including <a href="https://en.wikipedia.org/wiki/Control_character" rel="external nofollow" target="_blank">control characters</a> — is ignored by compilers and interpreters. Also, it’s bad because most programming languages allow <a href="https://www.ibm.com/docs/en/zos/2.3.0?topic=literals-string" rel="external nofollow" target="_blank">string literals</a> that may contain arbitrary characters, including control characters.
	</p>

	<p>
		 
	</p>

	<p>
		“So you can use them in source code that appears innocuous to a human reviewer [that] can actually do something nasty,” said Ross Anderson, a professor of computer security at Cambridge and co-author of the research. “That’s bad news for projects like Linux and Webkit that accept contributions from random people, subject them to manual review, then incorporate them into critical code. This vulnerability is, as far as I know, the first one to affect almost everything.”
	</p>

	<p>
		 
	</p>

	<p>
		The research paper, which dubbed the vulnerability “<a href="https://www.trojansource.codes/" rel="external nofollow" target="_blank">Trojan Source</a>,” notes that while both comments and strings will have syntax-specific semantics indicating their start and end, these bounds are not respected by Bidi overrides. From the paper:
	</p>

	<p>
		 
	</p>

	<p style="margin-left: 40px;">
		“Therefore, by placing Bidi override characters exclusively within comments and strings, we can smuggle them into source code in a manner that most compilers will accept. Our key insight is that we can reorder source code characters in such a way that the resulting display order also represents syntactically valid source code.”
	</p>

	<p style="margin-left: 40px;">
		 
	</p>

	<p style="margin-left: 40px;">
		“Bringing all this together, we arrive at a novel supply-chain attack on source code. By injecting Unicode Bidi override characters into comments and strings, an adversary can produce syntactically-valid source code in most modern languages for which the display order of characters presents logic that diverges from the real logic. In effect, we anagram program A into program B.”
	</p>

	<p>
		 
	</p>

	<p>
		Anderson said such an attack could be challenging for a human code reviewer to detect, as the rendered source code looks perfectly acceptable.
	</p>

	<p>
		 
	</p>

	<p>
		“If the change in logic is subtle enough to go undetected in subsequent testing, an adversary could introduce targeted vulnerabilities without being detected,” he said.
	</p>

	<p>
		 
	</p>

	<p>
		Equally concerning is that Bidi override characters persist through the copy-and-paste functions on most modern browsers, editors, and operating systems.
	</p>

	<p>
		 
	</p>

	<p>
		“Any developer who copies code from an untrusted source into a protected code base may inadvertently introduce an invisible vulnerability,” Anderson told KrebsOnSecurity. “Such code copying is a significant source of real-world security exploits.”
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="xkcd-moderninfrastructure.png" class="ipsImage" data-ratio="116.88" height="540" width="428" src="https://krebsonsecurity.com/wp-content/uploads/2021/10/xkcd-moderninfrastructure.png">
	</p>

	<div id="attachment_57381">
		<p id="caption-attachment-57381">
			Image: XKCD.com/2347/
		</p>
	</div>

	<p>
		 
	</p>

	<p>
		<a href="https://isi.jhu.edu/~mgreen/" rel="external nofollow" target="_blank">Matthew Green</a>, an associate professor at the Johns Hopkins Information Security Institute, said the Cambridge research clearly shows that most compilers can be tricked with Unicode into processing code in a different way than a reader would expect it to be processed.
	</p>

	<p>
		 
	</p>

	<p>
		“Before reading this paper, the idea that Unicode could be exploited in some way wouldn’t have surprised me,” Green told KrebsOnSecurity. “What does surprise me is how many compilers will happily parse Unicode without any defenses, and how effective their right-to-left encoding technique is at sneaking code into codebases. That’s a really clever trick I didn’t even know was possible. Yikes.”
	</p>

	<p>
		 
	</p>

	<p>
		Green said the good news is that the researchers conducted a widespread vulnerability scan, but were unable to find evidence that anyone was exploiting this. Yet.
	</p>

	<p>
		 
	</p>

	<p>
		“The bad news is that there were no defenses to it, and now that people know about it they might start exploiting it,” Green said. “Hopefully compiler and code editor developers will patch this quickly! But since some people don’t update their development tools regularly there will be some risk for a while at least.”
	</p>

	<p>
		 
	</p>

	<p>
		Nicholas Weaver, a lecturer at the computer science department at University of California, Berkeley, said the Cambridge research presents “a very simple, elegant set of attacks that could make supply chain attacks much, much worse.”
	</p>

	<p>
		 
	</p>

	<p>
		“It is already hard for humans to tell ‘this is OK’ from ‘this is evil’ in source code,” Weaver said. “With this attack, you can use the shift in directionality to change how things render with comments and strings so that, for example ‘This is okay” is how it renders, but ‘This is’ okay is how it exists in the code. This fortunately has a very easy signature to scan for, so compilers can [detect] it if they encounter it in the future.”
	</p>

	<p>
		 
	</p>

	<p>
		The latter half of the Cambridge paper is a fascinating case study on the complexities of orchestrating vulnerability disclosure with so many affected programming languages and software firms. The researchers said they offered a 99-day embargo period following their initial disclosure to allow affected products to be repaired with software updates.
	</p>

	<p>
		 
	</p>

	<p>
		“We met a variety of responses ranging from patching commitments and bug bounties to quick dismissal and references to legal policies,” the researchers wrote. “Of the nineteen software suppliers with whom we engaged, seven used an outsourced platform for receiving vulnerability disclosures, six had dedicated web portals for vulnerability disclosures, four accepted disclosures via PGP-encrypted email, and two accepted disclosures only via non-PGP email. They all confirmed receipt of our disclosure, and ultimately nine of them committed to releasing a patch.”
	</p>

	<p>
		 
	</p>

	<p>
		Eleven of the recipients had bug bounty programs offering payment for vulnerability disclosures. But of these, only five paid bounties, with an average payment of $2,246 and a range of $4,475, the researchers reported.
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="codereview.jpg" class="ipsImage" data-ratio="66.00" height="330" width="500" src="https://krebsonsecurity.com/wp-content/uploads/2020/05/codereview.jpg">
	</p>

	<p>
		 
	</p>

	<p>
		Anderson said so far about half of the organizations maintaining the affected computer programming languages contacted have promised patches. Others are dragging their feet.
	</p>

	<p>
		 
	</p>

	<p>
		“We’ll monitor their deployment over the next few days,” Anderson said. “We also expect action from Github, Gitlab and Atlassian, so their tools should detect attacks on code in languages that still lack bidi character filtering.”
	</p>

	<p>
		 
	</p>

	<p>
		As for what needs to be done about Trojan Source, the researchers urge governments and firms that rely on critical software to identify their suppliers’ posture, exert pressure on them to implement adequate defenses, and ensure that any gaps are covered by controls elsewhere in their toolchain.
	</p>

	<p>
		 
	</p>

	<p>
		“The fact that the Trojan Source vulnerability affects almost all computer languages makes it a rare opportunity for a system-wide and ecologically valid cross-platform and cross-vendor comparison of responses,” the paper concludes. “As powerful supply-chain attacks can be launched easily using these techniques, it is essential for organizations that participate in a software supply chain to implement defenses.”
	</p>

	<p>
		 
	</p>

	<p>
		Weaver called the research “really good work at stopping something before it becomes a problem.”
	</p>

	<p>
		 
	</p>

	<p>
		“The coordinated disclosure lessons are an excellent study in what it takes to fix these problems,” he said. “The vulnerability is real but also highlights the even larger vulnerability of the shifting stand of dependencies and packages that our modern code relies on.”
	</p>

	<p>
		 
	</p>

	<p>
		Rust has released <a href="https://blog.rust-lang.org/2021/11/01/cve-2021-42574.html" rel="external nofollow" target="_blank">a security advisory</a> for this security weakness, which is being tracked as CVE-2021-42574 and CVE-2021-42694. Additional security advisories from other affected languages will be added as updates here.
	</p>

	<p>
		 
	</p>

	<p>
		The Trojan Source research paper is available <a href="https://www.trojansource.codes/trojan-source.pdf" rel="external nofollow" target="_blank">here</a> (PDF).
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://krebsonsecurity.com/2021/11/trojan-source-bug-threatens-the-security-of-all-code/" rel="external nofollow">‘Trojan Source’ Bug Threatens the Security of All Code</a>
</p>
]]></description><guid isPermaLink="false">3221</guid><pubDate>Mon, 01 Nov 2021 05:41:04 +0000</pubDate></item><item><title>Apple&#x2019;s app tracking policy reportedly cost social media platforms nearly $10 billion</title><link>https://nsaneforums.com/news/security-privacy-news/apple%E2%80%99s-app-tracking-policy-reportedly-cost-social-media-platforms-nearly-10-billion-r3218/</link><description><![CDATA[<div>
	<div>
		<p>
			<strong>Snapchat, Facebook, Twitter, and YouTube all took a hit</strong>
		</p>
		 
	</div>
</div>

<div>
	<div>
		<div>
			<p id="hoTDKd">
				An investigation by <a href="https://www.ft.com/content/4c19e387-ee1a-41d8-8dd2-bc6c302ee58e" rel="external nofollow">The Financial Times</a> found that Snapchat, Facebook, Twitter, and YouTube lost around $9.85 billion in revenue following Apple’s changes to its privacy practices. Last year, <a href="https://www.theverge.com/2020/12/16/22179721/apple-defends-upcoming-privacy-changes-standing-up-for-users-facebook-data" rel="external nofollow">Apple announced the App Tracking Transparency (ATT) policy</a> that requires apps to ask permission to track users’ data. The <a href="https://www.theverge.com/2021/4/27/22405474/apple-app-tracking-transparency-ios-14-5-privacy-update-facebook-data" rel="external nofollow">policy went into effect in April</a>, barring apps from tracking users if they opt out.
			</p>

			<p>
				 
			</p>

			<p id="MoOi1y">
				<a href="https://www.theverge.com/2020/12/16/22178068/facebook-apple-newspaper-ads-ios-privacy-changes" rel="external nofollow">Facebook notably criticized the move with a full-page newspaper ad</a>, and thanks to the FT’s report, now we know why company leaders were so frustrated. According to the report, Facebook lost the most money “in absolute terms” when compared to other social platforms due to its massive size. Meanwhile, Snap “fared the worst as a percentage of its business” because its advertising is mainly tied to smartphones, which makes sense for a product that doesn’t have a desktop version.
			</p>

			<p>
				 
			</p>

			<p>
				“Some of the platforms that were most impacted — but especially Facebook — have to rebuild their machinery from scratch as a result of ATT,” adtech consultant Eric Seufert told FT. “My belief is that it takes at least one year to build new infrastructure. New tools and frameworks need to be developed from scratch and tested extensively before being deployed to a high number of users.”
			</p>

			<p>
				 
			</p>

			<p id="1ahNYi">
				Apple’s new policy will force social platforms and other apps to get more creative with their advertising. Whether this means focusing on Android devices or investing in Apple’s advertising business — <a href="https://www.theverge.com/2021/9/2/22654121/apple-personalized-ads-ios-15-prompt-app-tracking" rel="external nofollow">which nearly broke its own rules</a> by quietly collecting user data in the same way third-party apps did — they’ll have to figure out another source of revenue that doesn’t involve tracking people on their iPhones.
			</p>
		</div>
	</div>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.theverge.com/2021/10/31/22756135/apple-app-tracking-transparency-policy-snapchat-facebook-twitter-youtube-lose-10-billion" rel="external nofollow">Apple’s app tracking policy reportedly cost social media platforms nearly $10 billion</a>
</p>
]]></description><guid isPermaLink="false">3218</guid><pubDate>Mon, 01 Nov 2021 00:33:17 +0000</pubDate></item><item><title>Iran-Affiliated Hacker Group Leaks Data From Israeli LGBTQ Group</title><link>https://nsaneforums.com/news/security-privacy-news/iran-affiliated-hacker-group-leaks-data-from-israeli-lgbtq-group-r3210/</link><description><![CDATA[<p>
	The Iran-affiliated hacker group Black Shadow, which announced on Friday that it had hacked into the servers of an Israeli web hosting company, Cyberserve, on Saturday leaked the personal data of members of the Atraf LGBT dating site, one of the company’s clients. The hacker group claims it has only released 1% of the personal user data that it has obtained.
</p>

<p>
	 
</p>

<p>
	The cyberattack by Black Shadow also hit the websites of the Israeli public transportation companies Kavim and Dan, the Pegasus tourism company and other sites such as a children’s museum, a private medical service and a blog of Kan public radio. The sites were offline on Saturday.
</p>

<p>
	 
</p>

<p>
	The hackers reportedly have demanded a ransom in order to halt the data leaks; it is not known if Cyberserve intends to pay.
</p>

<p>
	 
</p>

<p>
	The attack comes days after a crippling cyberattack on Iran’s gas distribution system that Iran blames on Israel.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://themedialine.org/headlines/iran-affiliated-hacker-group-leaks-data-from-israeli-lgbtq-group/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">3210</guid><pubDate>Sun, 31 Oct 2021 13:36:18 +0000</pubDate></item><item><title>Police Arrest Suspected Ransomware Hackers Behind 1,800 Attacks Worldwide</title><link>https://nsaneforums.com/news/security-privacy-news/police-arrest-suspected-ransomware-hackers-behind-1800-attacks-worldwide-r3204/</link><description><![CDATA[<p>
	12 people have been detained as part of an international law enforcement operation for orchestrating ransomware attacks on critical infrastructure and large organizations that hit over 1,800 victims across 71 countries since 2019, marking the latest action against cybercrime groups.
</p>

<p>
	 
</p>

<p>
	The arrests were made earlier this week on October 26 in Ukraine and Switzerland, resulting in the seizure of cash worth $52,000, five luxury vehicles, and a number of electronic devices that the agencies said are being examined to uncover new forensic evidence of their malicious activities and pursue new investigative leads.
</p>

<p>
	 
</p>

<p>
	The suspects have been primarily linked to LockerGoga, MegaCortex, and Dharma ransomware, in addition to being in charge of laundering the ransom payments by funneling the ill-gotten Bitcoin proceeds through mixing services and cashing them out.
</p>

<p>
	 
</p>

<p>
	"The targeted suspects all had different roles in these professional, highly organised criminal organisations," Europol said in a press release. "Some of these criminals were dealing with the penetration effort, using multiple mechanisms to compromise IT networks, including brute force attacks, SQL injections, stolen credentials and phishing emails with malicious attachments."
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="AVvXsEh-U40iKdJeoXUqiKXhk570r-UsKQlFP8sJ" class="ipsImage" data-ratio="75.10" height="540" width="720" src="https://thehackernews.com/new-images/img/a/AVvXsEh-U40iKdJeoXUqiKXhk570r-UsKQlFP8sJhW0KylvjXDUA397i_4GVSdj1XG7SS4kF35kEHTTRd6y_oN5vvD3aAfVPMRePmWpOinslJ-uARq3WxP_vnvqFXDOnivMsQYDMeTUEwlNjgndocxHjIUG7yvt5-SoegYOCpAJjXCMLsMD9Ktt-dwQO5ufD" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Following a successful break-in, the suspects are said to have focused on lateral movement within the compromised networks by deploying malware such as TrickBot or post-exploitation frameworks like Cobalt Strike or PowerShell Empire with the goal of staying undetected for extended periods of time and gaining entrenched access, leveraging the opportunity to probe for more weaknesses in the IT networks before installing ransomware.
</p>

<p>
	 
</p>

<p>
	The arrested individuals are also believed to have carried out the ransomware attack on Norwegian aluminum processor Norsk Hydro in March 2019, the country's National Criminal Investigation Service said in a separate statement.
</p>

<p>
	 
</p>

<p>
	The joint task force involved authorities from France, Germany, the Netherlands, Norway, Switzerland, Ukraine, the U.K., and the U.S., along with Europol and Eurojust, under the European Multidisciplinary Platform Against Criminal Threats (EMPACT).
</p>

<p>
	 
</p>

<p>
	The development also arrives weeks after representatives from the U.S., the European Union, and 30 other countries pledged to mitigate the risk of ransomware and harden the financial system from exploitation with the goal of disrupting the ecosystem, calling it an "escalating global security threat with serious economic and security consequences."
</p>

<p>
	 
</p>

<p>
	<strong><a href="http://ransomware" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">3204</guid><pubDate>Sat, 30 Oct 2021 21:19:16 +0000</pubDate></item><item><title>Hive ransomware now encrypts Linux and FreeBSD systems</title><link>https://nsaneforums.com/news/security-privacy-news/hive-ransomware-now-encrypts-linux-and-freebsd-systems-r3190/</link><description><![CDATA[<p>
	The Hive ransomware gang now also encrypts Linux and FreeBSD using new malware variants specifically developed to target these platforms.
</p>

<p>
	 
</p>

<p>
	However, as Slovak internet security firm ESET discovered, Hive's new encryptors are still in development and still lack functionality.
</p>

<p>
	 
</p>

<p>
	The Linux variant also proved to be quite buggy during ESET's analysis, with the encryption completely failing when the malware was executed with an explicit path.
</p>

<p>
	 
</p>

<p>
	It also comes with support for a single command line parameter (-no-wipe). In contrast, Hive's Windows ransomware comes with up to 5 execution options, including killing processes and skipping disk cleaning, uninteresting files, and older files.
</p>

<p>
	 
</p>

<p>
	The ransomware's Linux version also fails to trigger the encryption if executed without root privileges because it attempts to drop the ransom note on compromised devices' root file systems.
</p>

<p>
	 
</p>

<p>
	"Just like the Windows version, these variants are written in Golang, but the strings, package names and function names have been obfuscated, likely with gobfuscate," ESET Research Labs said.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="Hive_ransom_note.png" class="ipsImage" data-ratio="75.10" height="540" width="655" src="https://www.bleepstatic.com/images/news/u/1109292/2021/Hive_ransom_note.png" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Hive ransom note (ESET Research Labs)</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	<span style="font-size:20px;"><strong>Ransomware now interested in Linux servers</strong></span>
</p>

<p>
	<br />
	Hive, a ransomware group active since at least June 2021, has already hit over 30 organizations, counting only victims who refused to pay the ransom.
</p>

<p>
	 
</p>

<p>
	They're just one of many ransomware gangs that have begun targeting Linux servers after their enterprise targets have slowly migrated to virtual machines for easier device management and more efficient use of resources.
</p>

<p>
	 
</p>

<p>
	By targeting virtual machines, ransomware operators can also encrypt multiple servers at once with a single command.
</p>

<p>
	 
</p>

<p>
	In June, researchers spotted a new REvil ransomware Linux encryptor designed to target VMware ESXi virtual machines, a popular enterprise virtual machine platform.
</p>

<p>
	 
</p>

<p>
	Emsisoft CTO Fabian Wosar told BleepingComputer that other ransomware groups, such as Babuk, RansomExx/Defray, Mespinoza, GoGoogle, DarkSide, and Hellokitty have also created their own Linux encryptors.
</p>

<p>
	 
</p>

<p>
	"The reason why most ransomware groups implemented a Linux-based version of their ransomware is to target ESXi specifically," Wosar said.
</p>

<p>
	HelloKitty and BlackMatter ransomware Linux encryptors were later discovered in the wild by security researchers in July and August, confirming Wosar's statement.
</p>

<p>
	 
</p>

<p>
	One month later, it was discovered that some of these Linux malware strains are also buggy and could damage victims' files during encryption.
</p>

<p>
	In the past, the Snatch and PureLocker ransomware operations have also used Linux variants on their attacks.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:16px;"><strong><a href="https://www.bleepingcomputer.com/news/security/hive-ransomware-now-encrypts-linux-and-freebsd-systems/" rel="external nofollow">Source</a></strong></span>
</p>
]]></description><guid isPermaLink="false">3190</guid><pubDate>Fri, 29 Oct 2021 21:32:08 +0000</pubDate></item><item><title>Chrome fixes zero-day flaws under hacker attack &#x2014; update now</title><link>https://nsaneforums.com/news/security-privacy-news/chrome-fixes-zero-day-flaws-under-hacker-attack-%E2%80%94-update-now-r3187/</link><description><![CDATA[<p>
	<span style="font-size:28px;">Out-of-date browsers can be hacked by malicious websites, web apps</span>
</p>

<p>
	 
</p>

<p>
	Google yesterday (Oct. 28) pushed out an update for Chrome on the desktop that fixes eight security vulnerabilities, including two serious "zero-day" flaws that are already under attack by unnamed hackers.
</p>

<p>
	 
</p>

<p>
	The update takes Chrome to version 95.0.4638.69 for Windows, Mac and Linux. Windows and Mac users can usually just relaunch the browser to install the update, while Linux users may have to wait until their distribution bundles the update into its regular update package.
</p>

<p>
	 
</p>

<p>
	Otherwise, you can force a Chrome update by clicking the three vertical dots at the top right of the browser window, then mousing down and clicking Help. Click "About Google Chrome" in the fly-out menu that appears, and a new tab will either tell you that Chrome is up-to-date or will download the update.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:20px;"><strong>How these Chrome flaws can be exploited</strong></span>
</p>

<p>
	<br />
	The first of the two zero-day flaws patched involves "insufficient validation of untrusted input in Intents," a protocol whereby Chrome finds the best web app to handle a particular purpose (catalogued as vulnerability CVE-2021-38000). The other allows "inappropriate implementation in V8," Chrome's JavaScript engine (catalogued as vulnerability CVE-2021-38003).
</p>

<p>
	 
</p>

<p>
	We're going to guess that the first permits a web app to do naughty things, while the second permits a website to do the same. Google isn't saying anything further.
</p>

<p>
	 
</p>

<p>
	Because the reporters of these flaws all work for Google, they likely won't be getting any bug-bounty money. But external researchers will be for some of the other flaws patched, including Wei Yuan of MoyunSec VLab, who will net $10,000 for his discovery of a "use-after-free" bug in Chrome's sign-in protocol. 
</p>

<p>
	 
</p>

<p>
	Use-after-free means that the program kept referring to a block of memory after it had been released, potentially allowing a malicious program to take over that space.
</p>

<p>
	 
</p>

<p>
	The other four described flaws also have to do with use-after-free issues, insufficient validation, V8 or some combination of those. Google isn't saying anything about the eighth vulnerability being patched.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:20px;"><strong>Zero-days as far as the eye can see</strong></span>
</p>

<p>
	<br />
	Some other browsers that share the Chromium open-source underpinnings with Chrome have also updated to the new version, including Brave and Microsoft Edge. (Like Chrome, you can just relaunch those to update them.) Others, such as Opera and Vivaldi, are not quite there yet.
</p>

<p>
	 
</p>

<p>
	Google has patched more than a dozen zero-day flaws already in this exceptionally busy year. We're not sure if that's a good thing, indicating that a greater share of flaws is being found, or a bad thing, indicating that there are more zero-days in general.
</p>

<p>
	 
</p>

<p>
	Here's a list of recent Chrome desktop updates.
</p>

<p>
	 
</p>

<ul>
	<li>
		Oct. 28: 95.0.4638.69
	</li>
	<li>
		Oct. 19: 95.0.4638.54
	</li>
	<li>
		Oct. 7: 94.0.4606.81
	</li>
	<li>
		Sept. 30: 94.0.4606.71
	</li>
	<li>
		Sept. 24: 94.0.4606.61
	</li>
	<li>
		Sept. 21: 94.0.4606.54
	</li>
	<li>
		Sept. 13: 93.0.4577.82
	</li>
	<li>
		Aug. 31: 93.0.4577.63
	</li>
	<li>
		Aug. 16: 92.0.4515.159
	</li>
	<li>
		Aug. 2: 92.0.4515.131
	</li>
	<li>
		July 20: 92.0.4515.107
	</li>
	<li>
		July 15: 91.0.4472.164
	</li>
</ul>

<p>
	 
</p>

<p>
	<span style="font-size:20px;"><strong><a href="https://www.tomsguide.com/news/chrome-95-update-1" rel="external nofollow">Source</a></strong></span>
</p>
]]></description><guid isPermaLink="false">3187</guid><pubDate>Fri, 29 Oct 2021 21:17:15 +0000</pubDate></item><item><title>Microsoft Wants to Help You Get a Job in Cybersecurity</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-wants-to-help-you-get-a-job-in-cybersecurity-r3181/</link><description><![CDATA[<p>
	<span style="font-size:24px;">Microsoft aims to address a 'skills crisis' with a Cybersecurity Scholarship Program.</span>
</p>

<p>
	 
</p>

<p>
	Microsoft has announced a campaign to bring 250,000 more people into the US cybersecurity industry by 2025 by offering colleges and students alike the support they need to enter the field.
</p>

<p>
	 
</p>

<p>
	"The country’s cybersecurity challenges in part reflect a serious workforce shortage," Microsoft President Brad Smith says in a blog post. "Until we redress the cybersecurity workforce shortage, we will fall short in strengthening the country’s cybersecurity protection."
</p>

<p>
	 
</p>

<p>
	Smith cites data from LinkedIn and Cyber Seek (a US government-run website devoted to this very issue) that shows one-third of America's cybersecurity-related jobs remain unfilled due to a lack of qualified applicants, even though some of those positions offer six-figure salaries.
</p>

<p>
	 
</p>

<p>
	"Currently there are 464,200 open jobs in the United States that require cybersecurity skills," Smith says. "They account for 6% of all open jobs in the country." The problem—according to Microsoft—is that cybersecurity education isn't preparing enough people for those roles.
</p>

<p>
	 
</p>

<p>
	Microsoft wants to change that. Smith says the company will offer free curriculum to the roughly 4,000 colleges throughout the US, provide cybersecurity training to faculty at 150 community colleges, and support 25,000 students via the new Microsoft Cybersecurity Scholarship Program.
</p>

<p>
	 
</p>

<p>
	Smith says that scholarship recipients will also receive "mentorship from Microsoft employees and student supports, as well as free LinkedIn Premium accounts to help close the networking gap and connect them to jobs," along with "access to GitHub education benefits, including student developer packs and access to local GitHub sponsored events" via this program.
</p>

<p>
	 
</p>

<p>
	"We want to give people across the country the opportunity to see more clearly something we see directly at Microsoft every day," Smith says. "If we’re going to protect the nation’s future, we need to strengthen cybersecurity protection. And we need a larger and more diverse cybersecurity workforce to succeed. Great jobs are waiting to be filled. Now we need to recruit the talent and provide the skills that people need."
</p>

<p>
	 
</p>

<p>
	Those efforts will take time, however, with Smith saying that Microsoft plans to support those 25,000 students over the next four years. It's also worth noting that many people can't enter the cybersecurity field directly—which is part of the reason why these jobs are vacant.
</p>

<p>
	 
</p>

<p>
	Cyber Seek itself notes in its career pathway that entry-level cybersecurity positions follow what it calls a "feeder role" such as IT support, software development, and networking. Many positions also seek applicants with certifications as well as a bachelor's or master's degree. Some of those certifications (and the trainings associated with them) cost thousands of dollars a pop.
</p>

<p>
	 
</p>

<p>
	This problem is so prevalent that Copado Head of Security Kyle Tobener's TikTok videos about entry-level cybersecurity job postings requiring years of experience—as well as relatively advanced certifications or degrees and top secret clearance—can receive over 10,000 likes.
</p>

<p>
	 
</p>

<p>
	Microsoft is addressing one part of the industry's hiring problem, a lack of qualified applicants, via this campaign. But the other part—companies demanding bachelor's degrees, expensive certifications, and years of experience for entry-level jobs—will also need to be rectified.
</p>

<p>
	 
</p>

<p>
	<strong><span style="font-size:16px;"><a href="https://www.pcmag.com/news/microsoft-wants-to-help-you-get-a-job-in-cybersecurity" rel="external nofollow">Source</a></span></strong>
</p>
]]></description><guid isPermaLink="false">3181</guid><pubDate>Fri, 29 Oct 2021 14:40:51 +0000</pubDate></item><item><title>These Companies Are Most at Risk for Ransomware Attacks</title><link>https://nsaneforums.com/news/security-privacy-news/these-companies-are-most-at-risk-for-ransomware-attacks-r3180/</link><description><![CDATA[<p>
	<span style="font-size:22px;">Thousands of ransomware attacks happen every day, and businesses have lost billions.</span>
</p>

<p>
	 
</p>

<p>
	The internet and the online services we rely on are under attack. In the past month alone, hackers have targeted Office 365 accounts, launched phishing attacks on YouTube creators, and breached Twitch's databases. But online entities aren't the only ones at risk from nefarious actors—ransomware has made everyone a target.
</p>

<p>
	 
</p>

<p>
	According to NordLocker, there are now thousands of ransomware attacks per day, which has cost businesses an estimated $20 billion overall. And since the most successful attacks are never publicly disclosed, these figures could be on the low end. Recent attacks include Sinclair Broadcast Group, Colonial Pipeline, and multiple municipal water systems.
</p>

<p>
	 
</p>

<p>
	By analyzing 1,200 ransomware cases since 2020, NordLocker found that internet companies and online services are hardly the top targets. Instead, the data shows that construction companies have been hit the hardest with 93 affected companies from the industry. This is closely followed by 86 manufacturing companies.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="0374gXGQL53xqgQDCRCgctT-2.fit_lim.size_8" class="ipsImage" data-ratio="61.25" height="375" width="720" src="https://i.pcmag.com/imagery/articles/0374gXGQL53xqgQDCRCgctT-2.fit_lim.size_845x.png" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	It turns out that technology and IT businesses are only the 6th most targeted industry, with 62 companies hit by a ransomware attack—which seems surprising. Despite our reliance on these types of companies, financial institutions and healthcare providers appear to be the preferred ransomware targets.
</p>

<p>
	 
</p>

<p>
	NordLocker also found that the Conti ransomware group was responsible for 450 attacks, making it the most dangerous attacker over the past year. REvil was responsible for 210 attacks, DoppelPaymer was linked to 200 attacks, and PYSA was responsible for 188 attacks.
</p>

<p>
	 
</p>

<p>
	Ransomware is typically spread through malicious emails or fake websites to gain access to valuable files and systems, so it's important to invest in ransomware protection and avoid phishing scams. If you do find yourself falling victim to such an attack, though, we do not recommend paying the ransom.
</p>

<p>
	 
</p>

<p>
	<strong><span style="font-size:18px;"><a href="https://www.pcmag.com/news/these-companies-are-most-at-risk-for-ransomware-attacks" rel="external nofollow">Source</a></span></strong>
</p>
]]></description><guid isPermaLink="false">3180</guid><pubDate>Fri, 29 Oct 2021 14:36:18 +0000</pubDate></item><item><title>Russian TrickBot Gang Hacker Extradited to U.S. Charged with Cybercrime</title><link>https://nsaneforums.com/news/security-privacy-news/russian-trickbot-gang-hacker-extradited-to-us-charged-with-cybercrime-r3177/</link><description><![CDATA[<p>
	A Russian national, who was arrested in South Korea last month and extradited to the U.S. on October 20, appeared in a federal court in the state of Ohio on Thursday to face charges for his alleged role as a member of the infamous TrickBot group.
</p>

<p>
	 
</p>

<p>
	Court documents showed that Vladimir Dunaev, 38, along with other members of the transnational cybercriminal organization, stole money and confidential information from unsuspecting victims, including individuals, financial institutions, school districts, utility companies, government entities, and private businesses.
</p>

<p>
	 
</p>

<p>
	Starting out as a banking trojan in 2016, TrickBot has evolved into a modular, multi-stage Windows-based crimeware platform capable of pilfering valuable personal and financial information, and even dropping ransomware and post-exploitation toolkits on compromised devices. The malware is also notorious for its resilience, having survived at least two takedowns spearheaded by Microsoft and the U.S. Cyber Command a year ago.
</p>

<p>
	 
</p>

<p>
	However, on the legal front, the U.S. government earlier this year charged a 55-year-old Latvian woman, named Alla Witte, who the prosecutors said worked as a programmer "overseeing the creation of code related to the monitoring and tracking of authorized users of the Trickbot malware."
</p>

<p>
	Dunaev is the second Trickbot defendant to be arrested in 2021.
</p>

<p>
	 
</p>

<p>
	Dunaev, specifically, is said to have worked as a developer for the group, in charge of creating, deploying, and managing the Trickbot malware beginning in November 2015, while also overseeing the malware's execution, as well as designing Firefox web browser modifications and helping to hide the malware from detection by security software.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="AVvXsEi_SNV5PxUNe1nNemX_EZp6CG60PJ3k3b_R" class="ipsImage" data-ratio="52.78" height="375" width="720" src="https://thehackernews.com/new-images/img/a/AVvXsEi_SNV5PxUNe1nNemX_EZp6CG60PJ3k3b_R1j1hgjWNoBfZ9OpRA96xAfja4AwkNNYR6GA8WwdymDF7pPeJ0lBaff48uO5NNhb2IYsArQ-EI1NN6qJf3QOCJcQnekxfgixtKLmxUNwbDJPdPlGICEJkb9SdQeGbqRJjIXXH2LaLDns-vuv-KktD2HTJ" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	In early September, South Korean media outlets reported the arrest of Dunaev (then identified only as "Mr. A") at the Incheon International Airport when attempting to depart for Russia after being stranded in the country for over a year due to COVID-19. The suspect, who had arrived in February 2020, also saw his passport expire in the interim, forcing him to stay in a hotel while awaiting a replacement.
</p>

<p>
	 
</p>

<p>
	But once the passport was re-issued, the defendant tried to leave for his native Russia, leading to his arrest pursuant to an extradition request from the U.S. Dunaev has been charged with conspiracy to commit computer fraud and aggravated identity theft, conspiracy to commit wire and bank fraud, conspiracy to commit money laundering, and multiple counts of wire fraud, bank fraud, and aggravated identity theft.
</p>

<p>
	 
</p>

<p>
	If found guilty on all counts, the defendant faces a total prison term of 60 years.
</p>

<p>
	 
</p>

<p>
	"Trickbot attacked businesses and victims across the globe and infected millions of computers for theft and ransom, including networks of schools, banks, municipal governments, and companies in the health care, energy, and agriculture sectors," said Deputy Attorney General Lisa O. Monaco in a statement.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/10/russian-trickbot-gang-hacker-extradited.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">3177</guid><pubDate>Fri, 29 Oct 2021 14:07:21 +0000</pubDate></item><item><title>This New Android Malware Can Gain Root Access to Your Smartphones</title><link>https://nsaneforums.com/news/security-privacy-news/this-new-android-malware-can-gain-root-access-to-your-smartphones-r3176/</link><description><![CDATA[<p>
	An unidentified threat actor has been linked to a new Android malware strain that features the ability to root devices and take complete control over infected smartphones while simultaneously taking steps to evade detection.
</p>

<p>
	 
</p>

<p>
	The malware has been named "AbstractEmu" owing to its use of code abstraction and anti-emulation checks to avoid running while under analysis. Notably, the global mobile campaign is engineered to target users and infect as many devices as possible indiscriminately.
</p>

<p>
	 
</p>

<p>
	Lookout Threat Labs said it found a total of 19 Android applications that posed as utility apps and system tools like password managers, money managers, app launchers, and data saving apps, seven of which contained the rooting functionality. Only one of the rogue apps, called Lite Launcher, made its way to the official Google Play Store, attracting a total of 10,000 downloads before it was purged.
</p>

<p>
	 
</p>

<p>
	The apps are said to have been prominently distributed via third-party stores such as the Amazon Appstore and the Samsung Galaxy Store, as well as other lesser-known marketplaces like Aptoide and APKPure.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="AVvXsEh-pmYFJiHsfaLvAV3mbMDZmpQpBhjUq179" class="ipsImage" data-ratio="41.25" height="293" width="720" src="https://thehackernews.com/new-images/img/a/AVvXsEh-pmYFJiHsfaLvAV3mbMDZmpQpBhjUq179EWr7PhopEEW18ZqusCJjniA20sJU5V7AQru6PbVLGWgPGzVFkyGEUe8f3Gt9fJAGpzqpMFluHozfpz2ZC9rpRFFagwznluR1dnnwVEWOj4y-ZkIpz84qD7nKs7ye3xifDJdDyHc-A8BudQ7bwGFju06x=s728-e1000" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	"While rare, rooting malware is very dangerous. By using the rooting process to gain privileged access to the Android operating system, the threat actor can silently grant themselves dangerous permissions or install additional malware — steps that would normally require user interaction," Lookout researchers said. "Elevated privileges also give the malware access to other apps' sensitive data, something not possible under normal circumstances."
</p>

<p>
	 
</p>

<p>
	Once installed, the attack chain is designed to use one of five exploits for older Android security flaws that would allow it to gain root permissions and take over the device, extract sensitive data, and transmit it to a remote attacker-controlled server:
</p>

<p>
	 
</p>

<ul>
	<li>
		<span style="color:#2980b9;">CVE-2015-3636</span> (PongPongRoot)
	</li>
	<li>
		<span style="color:#2980b9;">CVE-2015-1805</span> (iovyroot)
	</li>
	<li>
		<span style="color:#2980b9;">CVE-2019-2215</span> (Qu1ckr00t)
	</li>
	<li>
		<span style="color:#2980b9;">CVE-2020-0041</span>, and
	</li>
	<li>
		<span style="color:#2980b9;">CVE-2020-0069</span>
	</li>
</ul>

<p>
	<br />
	Lookout attributed the mass-distributed rooting malware campaign to a "well-resourced group with financial motivation," with telemetry data revealing that Android device users in the U.S. were the most impacted. The ultimate objective of the infiltrations remains unclear as yet.
</p>

<p>
	 
</p>

<p>
	"Rooting Android or jailbreaking iOS devices are still the most invasive ways to fully compromise a mobile device," the researchers said, adding "mobile devices are perfect tools for cyber criminals to exploit, as they have countless functionalities and hold an immense amount of sensitive data."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/10/this-new-android-malware-can-gain-root.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">3176</guid><pubDate>Fri, 29 Oct 2021 14:04:20 +0000</pubDate></item><item><title>AV-Comparatives welcome UK guidelines on auto-renewal by antivirus vendors</title><link>https://nsaneforums.com/news/security-privacy-news/av-comparatives-welcome-uk-guidelines-on-auto-renewal-by-antivirus-vendors-r3162/</link><description><![CDATA[<p>
	The UK Government’s Competition and Markets Authority (CMA) recently published guidelines for antivirus software vendors with regard to auto-renewal of subscriptions. These Compliance Principles advise security software vendors who sell to UK consumers how to avoid falling foul of British consumer protection laws. Austrian AV test lab AV-Comparatives supports the principles behind the CMA guidelines. 
</p>

<p>
	<br />
	The principle of auto-renewal is quite simple. Antivirus software is almost always sold as a service, that is to say, it is not a one-off purchase, but requires regular subscription payments to ensure that the program continues to receive updates. Auto-renewal of the subscription means that when the customer first purchases the software, the vendor retains the customer’s payment details; then, when the initial subscription period (typically one year) expires, the vendor will take payment for the next period, and extend the service provision, without any action being required of the customer. 
</p>

<p>
	 
</p>

<p>
	Auto-renewal is likely to be of benefit to the software vendor, as it means a continued source of income for them, without any additional effort or expense on their part. For customers who are satisfied with the service, auto-renewal brings convenience, and the peace of mind that their computers will remain protected. However, the CMA article notes that some antivirus vendors have been investigated to determine whether their auto-renewal policies comply with UK consumer protection laws.
</p>

<p>
	 
</p>

<p>
	UK laws do not prohibit the use of auto-renewal with antivirus subscriptions. However, the CMA stipulates conditions that vendors should adhere to when offering automatic renewal. In essence, these ensure that consumers are fully informed of the auto-renewal process, what it will cost them (relative to buying a new subscription), and how to cancel it. The full list of CMA’s Compliance Principles is shown below: 
</p>

<p>
	 
</p>

<ol>
	<li>
		“Make sure your customers are able to make a fully informed choice about auto-renewal” 
	</li>
	<li>
		“Make sure that any price claims you make are accurate and do not mislead your customers” 
	</li>
	<li>
		“Confirm to the customer the key points of the auto-renewing contract” 
	</li>
	<li>
		“Make sure that your customers can easily turn off auto-renewal” 
	</li>
	<li>
		“Remind your customers about auto-renewal in good time before it happens” 
	</li>
	<li>
		“Once off, auto-renewal stays off” 
	</li>
	<li>
		“Give your customers the chance to change their mind” 
	</li>
	<li>
		“Make it easy for your customers to obtain a refund if they want one” 
	</li>
	<li>
		“Provide appropriate safeguards for customers who are no longer using the product following auto-renewal”
	</li>
</ol>

<p>
	 
</p>

<p>
	AV-Comparatives reports that it is aware of numerous complaints from customers regarding subscription auto-renewal. Last year, the Austrian antivirus testing lab investigated the auto-renewal policies of various consumer security-software vendors. Their findings were published in the testing lab’s Consumer Summary Report 2020.
</p>

<p>
	 
</p>

<p>
	The report noted that in the most extreme case, the auto-renewal price was over three times the cost of the first year’s subscription. This is not in itself illegal or improper. However, it appears that some customers feel they were not suitably informed about the auto-renewal procedure, how to cancel it, or what the renewal price would be.  
</p>

<p>
	 
</p>

<p>
	Another important factor with auto-renewal is whether it is compulsory or optional at the time of purchase. If it is optional, the customer can complete the purchase without activating auto-renewal at all. If it is compulsory, the customer has to proactively contact the vendor to prevent the subscription renewing. AV-Comparatives found that over half of the products it investigated had compulsory auto-renewal, and that 7 out of 8 users it surveyed were not happy to have mandatory auto-renewal when purchasing security software. AV-Comparatives encourages AV vendors to let customers decide at the time of purchase whether they want auto-renewal or not. 
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.av-comparatives.org/av-comparatives-welcome-uk-guidelines-on-auto-renewal-by-antivirus-vendors/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">3162</guid><pubDate>Thu, 28 Oct 2021 17:17:11 +0000</pubDate></item><item><title>Critical flaw in GoCD provides platform for supply chain attacks</title><link>https://nsaneforums.com/news/security-privacy-news/critical-flaw-in-gocd-provides-platform-for-supply-chain-attacks-r3161/</link><description><![CDATA[<p>
	<span style="font-size:20px;">Vulnerability in software used by Fortune 500 firms raises fears of SolarWinds-like impact</span>
</p>

<p>
	 
</p>

<p>
	A critical vulnerability in popular CI/CD tool GoCD could allow unauthenticated attackers to extract encrypted secrets and poison software build processes – potentially paving the way to supply chain attacks.
</p>

<p>
	 
</p>

<p>
	The maintainers of the open source, Java-built platform have addressed the arbitrary file read flaw along with several other bugs discovered by Swiss security firm SonarSource.
</p>

<p>
	 
</p>

<p>
	Miscreants who abuse the vulnerability could take over GoCD servers and execute arbitrary code, as well as impersonate GoCD agents and seize control of software delivery pipelines.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:20px;">SolarWinds-style threat</span>
</p>

<p>
	<br />
	“Attackers could leak API keys to external services such as Docker Hub and GitHub, steal private source code, get access to production environments, and overwrite files that are being produced as part of the build processes,” said SonarSource security researcher Simon Scannell in a blog post.
</p>

<p>
	 
</p>

<p>
	The flaw, he added, could serve as a springboard for attacks of a similar nature to the SolarWinds hack, “where attackers gained access to the software delivery pipeline and added a backdoor to critical software, leading to one of the most impactful supply-chain attacks thus far”.
</p>

<p>
	 
</p>

<p>
	The lack of public data on how widely GoCD is used makes it hard to gauge the impact of a hypothetical supply chain attack, Scannell tells The Daily Swig, “but we know that it is used by Fortune 500 companies”.
</p>

<p>
	 
</p>

<p>
	He adds: “An attacker who has compromised a CI/CD pipeline can push malicious code into anything the pipeline produces – for example Docker images, JAR files, executables, libraries, etc.
</p>

<p>
	 
</p>

<p>
	“The malicious code would then impact anyone who uses and trusts the produced software.”
</p>

<p>
	 
</p>

<p>
	<span style="font-size:20px;">Broken authentication</span>
</p>

<p>
	<br />
	The researchers unearthed the vulnerability after discovering a breaking change made in August 2018 that removed support for OAuth and made endpoints exposed by add-ons responsible for enforcing authentication. “Prior to this commit, these endpoints were accessible to authenticated users only,” said Scannell.
</p>

<p>
	 
</p>

<p>
	The issue was ushered into existence by the introduction in 2020 of Business Continuity, an add-on designed to mitigate the impact of a GoCD server failure or that of its database node.
</p>

<p>
	 
</p>

<p>
	This add-on has been removed from the latest version, but Scannell says he is unsure how the wider breaking change “will be addressed in the long-term”.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:20px;">Timeline and patches</span>
</p>

<p>
	<br />
	All GoCD instances running versions between v20.6.0 and v21.2.0 are affected by the flaw.
</p>

<p>
	 
</p>

<p>
	GoCD’s security team were alerted to the vulnerabilities on October 18 through the tool’s vulnerability disclosure program on HackerOne. The issues were subsequently addressed in version v21.3.0, which landed on Tuesday (October 26).
</p>

<p>
	 
</p>

<p>
	“If no update can be run immediately, we recommend setting up firewall rules to prevent any HTTP requests to the /add-on/** and/or /add-on/business-continuity/** endpoints,” said Scannell.
</p>

<p>
	 
</p>

<p>
	The researcher also warned that SonarSource had found “hundreds of instances exposed to the internet” in violation of best practices.
</p>

<p>
	 
</p>

<p>
	“We would like to thank the GoCD security team who have been exceptionally responsive in the disclosure process,” added Scannell.
</p>

<p>
	 
</p>

<p>
	SonarSource says a forthcoming, follow-up blog post will detail a cross-site scripting (XSS) vulnerability and remote code execution (RCE) bug chain in GoCD.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:20px;"><strong><a href="https://portswigger.net/daily-swig/critical-flaw-in-gocd-provides-platform-for-supply-chain-attacks" rel="external nofollow">Source</a></strong></span>
</p>
]]></description><guid isPermaLink="false">3161</guid><pubDate>Thu, 28 Oct 2021 17:12:04 +0000</pubDate></item><item><title>Israeli Researcher Cracked Over 3500 Wi-Fi Networks in Tel Aviv City</title><link>https://nsaneforums.com/news/security-privacy-news/israeli-researcher-cracked-over-3500-wi-fi-networks-in-tel-aviv-city-r3155/</link><description><![CDATA[<p>
	Over 70% of Wi-Fi networks from a sample size of 5,000 were hacked with "relative ease" in the Israeli city of Tel Aviv, highlighting how insecure Wi-Fi passwords can become a gateway for serious threats to individuals, small businesses, and enterprises alike.
</p>

<p>
	 
</p>

<p>
	CyberArk security researcher Ido Hoorvitch, who used Wi-Fi sniffing equipment costing about $50 to collect 5,000 network hashes for the study, said "the process of sniffing Wi-Fis and the subsequent cracking procedures was a very accessible undertaking in terms of equipment, costs and execution."
</p>

<p>
	 
</p>

<p>
	The new Wi-Fi attack builds on previous findings by Jens "atom" Steube in 2018 that involve capturing what's called the PMKIDs associated with a client (aka SSID) in order to attempt a brute-force attack using password recovery tools like hashcat.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="AVvXsEj7UtrTpkOE7KUyKdcXscoowuskVOwALTa4" class="ipsImage" data-ratio="60.00" height="427" width="720" src="https://thehackernews.com/new-images/img/a/AVvXsEj7UtrTpkOE7KUyKdcXscoowuskVOwALTa4rSb1aAkzAl35ZgMsQqYIcnyeVhtDmE_EsCeXRaayEuMeit56sPzZ7I1hYEEcFZ2rA6mbULwqmiZjMn6zyeo_fKO3yqC5XlFrKqQEXvRQjUZOy3nW6r8pntNOy0DrTbKeU1hcr5b_tT_UxlVF1i7byjEA" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	 
</p>

<p>
	PMKID is a unique key identifier used by the access point (AP) to keep track of the pre-shared key — i.e., pairwise master key aka PMK — being used for the client. PMKID is a derivative of the AP's MAC address, the client's MAC address, the PMK and the PMK Name.
</p>

<p>
	 
</p>

<p>
	"Atom's technique is clientless, making the need to capture a user's login in real time and the need for users to connect to the network at all obsolete," Hoorvitch said in the report. "Furthermore, it only requires the attacker to capture a single frame and eliminate wrong passwords and malformed frames that are disturbing the cracking process."
</p>

<p>
	 
</p>

<p>
	The collected hashes were then subjected to a "mask attack" to determine if cell phone numbers were used as Wi-Fi passwords, a practice common in Israel, uncovering 2,200 passwords in the process. In a subsequent dictionary attack using "RockYou.txt" as a password source, the researcher was able to crack an additional 900 hashes, with the number of breached passwords decreasing as the password length increased.
</p>

<p>
	 
</p>

<p>
	A successful compromise of the Wi-Fi network could enable a threat actor to mount man-in-the-middle (MiTM) attacks to gain access to sensitive information, not to mention pivot laterally across the network to breach other critical systems that are connected to the same network.
</p>

<p>
	 
</p>

<p>
	"The lesson here? The longer the password, the better," Hoorvitch said. "A strong password should include at least one lower case character, one upper case character, one symbol, one digit. It should be at least 10 characters long."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/10/israeli-researcher-cracked-over-3500-wi.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">3155</guid><pubDate>Thu, 28 Oct 2021 14:23:31 +0000</pubDate></item><item><title>PANIC STATIONS Microsoft warns BILLIONS of passwords have been hacked &#x2013; check yours now</title><link>https://nsaneforums.com/news/security-privacy-news/panic-stations-microsoft-warns-billions-of-passwords-have-been-hacked-%E2%80%93-check-yours-now-r3152/</link><description><![CDATA[<p>
	They involve hackers gathering a list of usernames and passwords leaked online and plugging them in to various websites.
</p>

<p>
	 
</p>

<p>
	Cyber crooks hope to eventually stumble across a working combination that gives them access to someone's email or social media accounts.
</p>

<p>
	From there, they can attempt to break into more sensitive accounts such as your bank or iCloud.
</p>

<p>
	 
</p>

<p>
	The attacks were identified by Microsoft's Detection and Response Team (DART), which is dedicated to identifying the latest cyber attack methods.
</p>

<p>
	"This threat is a moving target with techniques and tools always changing," researchers wrote on Tuesday.
</p>

<p>
	 
</p>

<p>
	"They are different from brute-force attacks, which involve attackers ... attempting to attack a small number of user accounts."
</p>

<p>
	 
</p>

<p>
	The researchers identified two commonly used kinds of password sprays.
</p>

<p>
	 
</p>

<p>
	One involves matching known usernames to commonly used passwords, such as "password" or "123456".
</p>

<p>
	 
</p>

<p>
	The hope is that they will eventually “guess” the correct combination for as many users as possible.
</p>

<p>
	 
</p>

<p>
	The second technique highlighted by Microsoft involves usernames and passwords that have been leaked online by crooks in the past.
</p>

<p>
	 
</p>

<p>
	The 2012 LinkedIn hack, for instance, saw the usernames and passwords of 6.5 million users stolen by cyber crooks and sold online.
</p>

<p>
	 
</p>

<p>
	Google estimates that over 4 billion username and password combinations have leaked in recent years.
</p>

<p>
	 
</p>

<p>
	Hackers can plug these combinations into other websites in the hope that you've reused them across multiple online accounts.
</p>

<p>
	 
</p>

<p>
	Microsoft said: "Once attackers have gained the credentials to an account, they can access any sensitive resources that users can access and have the malicious activity appear as normal.
</p>

<p>
	 
</p>

<p>
	"This creates a repeating cycle attack pattern, where one compromised account can lead to access to resources where additional credentials can be harvested, and thus even further resource access."
</p>

<p>
	 
</p>

<p>
	<span style="font-size:18px;"><strong>How to check if your passwords are safe</strong></span>
</p>

<p>
	<br />
	The free Password Checkup software can be loaded onto Google Chrome and lets you know if your account details have been compromised in a cyber attack or data breach.
</p>

<p>
	 
</p>

<p>
	Once installed, the Chrome extension runs in the background of your browser and checks any login details you use.
</p>

<p>
	 
</p>

<p>
	If your password or username matches a Google database of more than 4 billion compromised credentials, the software will flag them.
</p>

<p>
	 
</p>

<p>
	An alert that pops up on your screen reads: "Password Checkup detected that your password for [website] is no longer safe due to a data breach. You should change your password now."
</p>

<p>
	 
</p>

<p>
	If a new data breach occurs, the tool will let you know if any of your passwords were compromised the next time you log in to Chrome.
</p>

<p>
	 
</p>

<p>
	It presents any exposed accounts in a short list that you can click through to change your passwords.
</p>

<p>
	 
</p>

<p>
	All information is encrypted, and Google says it has no way of seeing your data.
</p>

<p>
	 
</p>

<p>
	"We built Password Checkup so that no one, including Google, can learn your account details," Google said.
</p>

<p>
	 
</p>

<p>
	"Password Checkup was built with privacy in mind. It never reports any identifying information about your accounts, passwords or device."
</p>

<p>
	You can download Password Checkup from the Chrome Web Store.
</p>

<p>
	 
</p>

<p>
	Alternatively, popular web-tool Have I Been Pwned also lets you check if you've ever been hacked.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="NINTCHDBPICT000674940193-1.jpg?w=670" class="ipsImage" data-ratio="74.78" height="501" width="670" src="https://www.thesun.co.uk/wp-content/uploads/2021/10/NINTCHDBPICT000674940193-1.jpg?w=670" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Hackers are using leaked username and password combinations to break into online accounts. Credit: Getty</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	<span style="font-size:18px;"><strong><a href="https://www.the-sun.com/tech/3950378/microsoft-billions-passwords-hacked-check-now/" rel="external nofollow">Source</a></strong></span>
</p>
]]></description><guid isPermaLink="false">3152</guid><pubDate>Thu, 28 Oct 2021 13:19:04 +0000</pubDate></item><item><title>Australia drafts Online Privacy Bill to bolster data security</title><link>https://nsaneforums.com/news/security-privacy-news/australia-drafts-online-privacy-bill-to-bolster-data-security-r3122/</link><description><![CDATA[<p>
	Australia's Attorney-General has submitted the first draft of a new Online Privacy Bill that contains striking reforms over existing privacy laws. 
</p>

<p>
	 
</p>

<p>
	The goal of the new bill is to modernize the legislative context that underpins online data protection and security and make new laws tight enough to enforce data handling practices by Internet entities. 
</p>

<h2>
	Four main pillars of reform
</h2>

<p>
	The first draft of the Online Privacy Bill includes the following four main objectives: 
</p>

<p>
	 
</p>

<ol>
	<li>
		Development of an OP Code that will determine which entities are subject to the legislation and precisely how they are expected to apply its provisions.
	</li>
	<li>
		Enforce the Privacy Act, and more specifically ‘Section 13G’, which prohibits online entities from breaching the privacy rights of their users.
	</li>
	<li>
		Enable law enforcement bodies, the state, and foreign privacy regulators to request information and/or documents from online platforms.
	</li>
	<li>
		Enforce all of the above on extra-territorial entities that are not incorporated in Australia but carry business in the country.
	</li>
</ol>

<p>
	 
</p>

<p>
	The OP code will be applicable to organizations that provide social media services, data brokerage, and any online platform that has had over 2,500,000 unique visitors from Australia in the past year. 
</p>

<p>
	 
</p>

<p>
	These entities must ensure that their privacy policy is clearly communicated to its users, that consent for data collection from the users is sought and acquired, and that children under the age of 16 enjoy elevated protections on that front.
</p>

<p>
	 
</p>

<p>
	The enforcement of the Privacy Act increases the maximum penalty for privacy violations from AU$2.2 million to AU$10 million (about US$7.5 million). 
</p>

<p>
	 
</p>

<p>
	Alternatively, the violating entity will pay three times the value of the benefit obtained from the confirmed privacy violations, or 10% of its annual turnover from the previous year. 
</p>

<h2>
	A year in review
</h2>

<p>
	The <a href="https://consultations.ag.gov.au/rights-and-protections/privacy-act-review-discussion-paper/user_uploads/privacy-act-review---discussion-paper.pdf" rel="external nofollow" target="_blank">discussion paper</a> contains several other changes in its 200+ pages, like broadening the definition of personal information to include technical data like unique identifiers and removing the employee records exemption. 
</p>

<p>
	 
</p>

<p>
	All submissions on the discussion paper are due to the Attorney-General <a href="https://consultations.ag.gov.au/rights-and-protections/privacy-act-review-discussion-paper/" rel="external nofollow" target="_blank">by January 10, 2022</a>, so stakeholders have until then to express their opinion on the matter. 
</p>

<p>
	 
</p>

<p>
	From the first draft, though, it is clear that Australia plans on bolstering the protection of users' data online. However, there is still time for online entities to lobby for fewer protections, which could weaken the proposed privacy changes.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/australia-drafts-online-privacy-bill-to-bolster-data-security/" rel="external nofollow">Australia drafts Online Privacy Bill to bolster data security</a>
</p>
]]></description><guid isPermaLink="false">3122</guid><pubDate>Tue, 26 Oct 2021 21:39:29 +0000</pubDate></item><item><title>Mozilla blocks malicious add-ons installed by 455K Firefox users</title><link>https://nsaneforums.com/news/security-privacy-news/mozilla-blocks-malicious-add-ons-installed-by-455k-firefox-users-r3113/</link><description><![CDATA[<p>
	Mozilla blocked malicious Firefox add-ons installed by roughly 455,000 users after discovering in early June that they were abusing the <a href="https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/proxy" rel="external nofollow" target="_blank">proxy API</a> to block Firefox updates.
</p>

<p>
	 
</p>

<p>
	The add-ons (named Bypass and Bypass XM) were using the API to intercept and redirect web requests to block users from downloading updates, updating remotely configured content, and accessing updated blocklists.
</p>

<p>
	 
</p>

<p>
	"To prevent additional users from being impacted by new add-on submissions misusing the proxy API, we paused on approvals for add-ons that used the proxy API until fixes were available for all users," Mozilla's Rachel Tublitz and Stuart Colville said.
</p>

<p>
	 
</p>

<p>
	"Starting with Firefox 91.1, Firefox now includes changes to fall back to direct connections when Firefox makes an important request (such as those for updates) via a proxy configuration that fails.
</p>

<p>
	 
</p>

<p>
	"Ensuring these requests are completed successfully helps us deliver the latest important updates and protections to our users."
</p>

<p>
	 
</p>

<p>
	To stop similar malicious add-ons from abusing the same API, Mozilla has added a system add-on (hidden, impossible to disable, and updatable without a restart) dubbed <a href="https://ftp.mozilla.org/pub/system-addons/proxy-failover/" rel="external nofollow" target="_blank">Proxy Failover</a>.
</p>

<p>
	 
</p>

<p>
	This new add-on prevents attempts to interfere with update mechanisms in current and older Firefox versions.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="Bypass_blocked.png" class="ipsImage" data-ratio="33.58" height="227" width="676" src="https://www.bleepstatic.com/images/news/u/1109292/2021/Bypass_blocked.png">
		</p>

		<figcaption>
			Malicious Bypass add-on blocked from installing (BleepingComputer)
		</figcaption>
	</figure>
</div>

<p>
	While Mozilla didn't share if the two add-ons were doing anything else malicious in the background, BleepingComputer found after analyzing them that they likely were using a reverse proxy to bypass paywalled sites.
</p>

<p>
	 
</p>

<p>
	However, the add-ons also had Mozilla's domain in the paywall list which inadvertently also blocked browser updates.
</p>

<p>
	 
</p>

<p>
	A Mozilla spokesperson wasn't able to provide more details when contacted by BleepingComputer earlier today.
</p>

<h2>
	How to make sure you're not affected
</h2>

<p>
	Mozilla advises users to update to at least the latest release version (Firefox 93), which ensures they are protected from add-ons abusing the proxy API.
</p>

<p>
	 
</p>

<p>
	"It is always a good idea to keep Firefox up to date, and if you’re using Windows to make sure Microsoft Defender is running. Together, Firefox 93 and Defender will make sure you’re protected from this issue," Tublitz and Colville <a href="https://blog.mozilla.org/security/2021/10/25/securing-the-proxy-api-for-firefox-add-ons/" rel="external nofollow" target="_blank">added</a>.
</p>

<p>
	 
</p>

<p>
	Microsoft Defender is <a href="https://www.virustotal.com/gui/file/df743f9de2cdefa5b2f949ea8fe30f31bf944d460d38a266d55f00e72ca98a79/detection" rel="external nofollow" target="_blank">the only anti-malware solution detecting the add-ons as malicious</a>, tagging them as <a href="https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:JS/BypassPaywall.A&amp;threatId=303550" rel="external nofollow" target="_blank">BrowserModifier:JS/BypassPaywall.A</a>.
</p>

<p>
	 
</p>

<p>
	If you're not running Firefox 93 and have not disabled browser updates, you could be impacted by this issue. To make sure, try to update Firefox to the latest version, since it bundles an updated blocklist designed to disable these malicious add-ons automatically.
</p>

<p>
	 
</p>

<p>
	If you still can't update Firefox, you also have the option to find the add-ons that block you from upgrading to a newer version and <a href="https://support.mozilla.org/kb/disable-or-remove-add-ons" rel="external nofollow" target="_blank">remove them</a> by going through these steps:
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	1. Visit the <a href="https://support.mozilla.org/kb/use-troubleshooting-information-page-fix-firefox#w_accessing-the-troubleshooting-information-page" rel="external nofollow">Troubleshooting Information page</a>.
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	2. In the Add-ons section, search for one of the following entries:
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	Name: Bypass
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	ID: {7c3a8b88-4dc9-4487-b7f9-736b5f38b957}
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	Name: Bypass XM
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	ID: {d61552ef-e2a6-4fb5-bf67-8990f0014957}
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	NOTE: Make sure the IDs match exactly as there might be other, unrelated add-ons using those or similar names. If none of those IDs are shown in the list, you are not affected.
</p>
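<p>
	The same check can be scripted across every profile on a machine. The Python below is an added example, not code from Mozilla or from the original article: it reads the extensions.json file that Firefox keeps in each profile directory and reports any installed add-on whose ID matches one of the two IDs listed above, matching on the ID rather than the display name for the reason given in the note. The profile locations are the usual per-platform defaults (an assumption; adjust them if your profiles live elsewhere), and the embedded sample profile data is constructed, not taken from a real installation.
</p>

```python
"""Check Firefox profiles for the Bypass / Bypass XM add-ons by add-on ID.

Added example, not code from Mozilla or from the article. Firefox writes an
extensions.json file in each profile directory with the shape
{"addons": [{"id": ..., "active": ..., "defaultLocale": {"name": ...}, ...}]}.
"""
import json
import os
from pathlib import Path

# IDs quoted in the article. Matching is done on the ID, not the display
# name, because unrelated add-ons may reuse the names "Bypass" / "Bypass XM".
MALICIOUS_ADDON_IDS = {
    "{7c3a8b88-4dc9-4487-b7f9-736b5f38b957}": "Bypass",
    "{d61552ef-e2a6-4fb5-bf67-8990f0014957}": "Bypass XM",
}


def find_flagged_addons(extensions_json: dict) -> list:
    """Return [(id, name, active)] for add-ons whose ID is on the flagged list."""
    hits = []
    for addon in extensions_json.get("addons", []):
        addon_id = addon.get("id", "")
        if addon_id in MALICIOUS_ADDON_IDS:
            locale = addon.get("defaultLocale") or {}
            name = locale.get("name") or MALICIOUS_ADDON_IDS[addon_id]
            hits.append((addon_id, name, bool(addon.get("active", False))))
    return hits


def candidate_profile_dirs() -> list:
    """Best-effort list of Firefox profile directories for the current user.

    Assumption: a default (non-portable) install on Linux, macOS or Windows.
    """
    home = Path.home()
    roots = [
        home / ".mozilla" / "firefox",                                          # Linux
        home / "Library" / "Application Support" / "Firefox" / "Profiles",      # macOS
        Path(os.environ.get("APPDATA", "")) / "Mozilla" / "Firefox" / "Profiles",  # Windows
    ]
    return [p for root in roots if root.is_dir() for p in root.iterdir() if p.is_dir()]


def scan_profiles(profile_dirs=None) -> dict:
    """Map profile path -> flagged add-ons found in that profile's extensions.json."""
    results = {}
    dirs = profile_dirs if profile_dirs is not None else candidate_profile_dirs()
    for profile in dirs:
        ext_file = Path(profile) / "extensions.json"
        if not ext_file.is_file():
            continue
        try:
            with open(ext_file, encoding="utf-8") as fh:
                data = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or corrupt file: skip rather than crash the scan
        hits = find_flagged_addons(data)
        if hits:
            results[str(profile)] = hits
    return results


# Constructed sample (not a real extensions.json): one flagged add-on, one benign one.
SAMPLE_EXTENSIONS_JSON = {
    "schemaVersion": 35,
    "addons": [
        {"id": "{7c3a8b88-4dc9-4487-b7f9-736b5f38b957}", "type": "extension",
         "defaultLocale": {"name": "Bypass"}, "active": True, "userDisabled": False},
        {"id": "benign-example@example.org", "type": "extension",
         "defaultLocale": {"name": "Example Benign Add-on"}, "active": True, "userDisabled": False},
    ],
}

if __name__ == "__main__":
    print("sample:", find_flagged_addons(SAMPLE_EXTENSIONS_JSON))
    for profile, hits in scan_profiles().items():
        for addon_id, name, active in hits:
            print(f"{profile}: {name} ({addon_id}) active={active}")
```

<p>
	An empty result from the real profiles means neither ID is installed; a hit with active=True is the case the article describes, where the add-on is still able to interfere with updates until it is removed.
</p>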

<p>
	 
</p>

<p>
	If you want to ensure that there are no traces left, you can also <a href="https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings" rel="external nofollow" target="_blank">refresh Firefox</a> to reset all add-ons and settings or start from scratch by <a href="https://www.mozilla.org/firefox/all" rel="external nofollow" target="_blank">downloading and installing a new copy of Firefox</a>.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/mozilla-blocks-malicious-add-ons-installed-by-455k-firefox-users/" rel="external nofollow">Mozilla blocks malicious add-ons installed by 455K Firefox users</a>
</p>
]]></description><guid isPermaLink="false">3113</guid><pubDate>Mon, 25 Oct 2021 21:53:13 +0000</pubDate></item><item><title>The Russian hacker group behind the SolarWinds attack is at it again, Microsoft says</title><link>https://nsaneforums.com/news/security-privacy-news/the-russian-hacker-group-behind-the-solarwinds-attack-is-at-it-again-microsoft-says-r3106/</link><description><![CDATA[<p>
	Last year a hacker group used a bit of malicious code it hid in a software update by the company SolarWinds to launch an immense cyberattack against U.S. government agencies and corporations.
</p>

<p>
	 
</p>

<p>
	The group behind the attack, Nobelium, is reportedly being directed by the Russian intelligence service. And they're at it again.
</p>

<p>
	 
</p>

<p>
	According to Microsoft, one of the victims of the SolarWinds hack, the group is targeting technology companies that resell and provide cloud services for customers.
</p>

<p>
	 
</p>

<p>
	"Nobelium has been attempting to replicate the approach it has used in past attacks by targeting organizations integral to the global IT supply chain," Tom Burt, Microsoft's Corporate Vice President of Customer Security &amp; Trust, said in a blog post on the company's website.
</p>

<p>
	 
</p>

<p>
	"We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers' IT systems and more easily impersonate an organization's trusted technology partner to gain access to their downstream customers," he added.
</p>

<p>
	 
</p>

<p>
	The hacker group hasn't tried to ferret out vulnerabilities in software, Burt said, but rather has been using techniques like phishing and password spray to gain entry to the targeted networks.
</p>

<p>
	 
</p>

<p>
	A senior Biden administration official declined to comment on who it believed was responsible for the latest attacks. But in responding to the latest news from Microsoft, they pointed out that the hacking attempts were both unsophisticated and largely unsuccessful, unlike the SolarWinds campaign, which involved a complex intrusion via a software update that indiscriminately affected a large number of victims.
</p>

<p>
	 
</p>

<p>
	In this case, this latest spying campaign by the Russian SVR appears to be classic espionage, and out of the 141 companies Microsoft notified, only about 14 concluded there might have been a successful compromise, with limited impact.
</p>

<p>
	 
</p>

<p>
	The targets — cloud service providers — are particularly popular recently as bad actors focus on the all-important supply chain to try and gain access to the more attractive targets: their clients, including government agencies.
</p>

<p>
	 
</p>

<p>
	"Broadly speaking, the federal government is aggressively using our authorities to protect the Nation from cyber threats, including helping the private sector defend itself through increased intelligence sharing, innovative partnerships to deploy cybersecurity technologies, bilateral and multilateral diplomacy, and measures we do not speak about publicly for national security reasons," said the senior administration official.
</p>

<p>
	 
</p>

<p>
	<em>Jenna McLaughlin contributed to this report.</em>
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.npr.org/2021/10/25/1048982477/russian-hacker-solarwinds-attack-microsoft" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">3106</guid><pubDate>Mon, 25 Oct 2021 19:18:28 +0000</pubDate></item><item><title>New Attack Let Attacker Collect and Spoof Browser's Digital Fingerprints</title><link>https://nsaneforums.com/news/security-privacy-news/new-attack-let-attacker-collect-and-spoof-browsers-digital-fingerprints-r3103/</link><description><![CDATA[<p>
	A "potentially devastating and hard-to-detect threat" could be abused by attackers to collect users' browser fingerprinting information with the goal of spoofing the victims without their knowledge, thus effectively compromising their privacy.
</p>

<p>
	 
</p>

<p>
	Academics from Texas A&amp;M University dubbed the attack system "Gummy Browsers," likening it to a nearly 20-year-old "Gummy Fingers" technique that can impersonate a user's fingerprint biometrics.
</p>

<p>
	 
</p>

<p>
	"The idea is that the attacker 𝐴 first makes the user 𝑈 connect to his website (or to a well-known site the attacker controls) and transparently collects the information from 𝑈 that is used for fingerprinting purposes (just like any fingerprinting website 𝑊 collects this information)," the researchers outlined. "Then, 𝐴 orchestrates a browser on his own machine to replicate and transmit the same fingerprinting information when connecting to 𝑊, fooling 𝑊 to think that 𝑈 is the one requesting the service rather than 𝐴."
</p>

<p>
	 
</p>

<p>
	Browser fingerprinting, also called machine fingerprinting, refers to a tracking technique that's used to uniquely identify internet users by gathering attributes about the software and hardware of a remote computing system — such as the choice of browser, timezone, default language, screen resolution, add-ons, installed fonts, and even preferences — as well as behavioral characteristics that emerge when interacting with the web browser of the device.
</p>

<p>
	 
</p>

<p>
	Thus in the event the website populates targeted ads based on only the users' browser fingerprints, it could result in a scenario where the remote adversary can profile any target of interest by manipulating their own fingerprints to match that of the victim for extended periods of time, all the while the user and the website remain oblivious to the attack.
</p>

<p>
	 
</p>

<p>
	Put differently, by exploiting the fact that the server treats the attacker's browser as the victim's browser, not only would the former receive same or similar ads like that of the impersonated victim, it also allows the malicious actor to infer sensitive information about the user (e.g., gender, age group, health condition, interests, salary level, etc.) and build a personal behavioral profile.
</p>

<p>
	 
</p>

<p>
	In experimental tests, the researchers found that the attack system achieved average false-positive rates of greater than 0.95, indicating that most of the spoofed fingerprints were misrecognized as legitimate ones, thereby successfully tricking the digital fingerprinting algorithms. A consequence of such an attack is a breach of ad privacy and a bypass of defensive mechanisms put in place to authenticate users and detect fraud.
</p>

<p>
	 
</p>

<p>
	"The impact of Gummy Browsers can be devastating and lasting on the online security and privacy of the users, especially given that browser-fingerprinting is starting to get widely adopted in the real world," the researchers concluded. "In light of this attack, our work raises the question of whether browser fingerprinting is safe to deploy on a large scale."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/10/new-attack-let-attacker-collect-and.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">3103</guid><pubDate>Mon, 25 Oct 2021 15:55:07 +0000</pubDate></item><item><title>The 10 Websites That Track You the Most</title><link>https://nsaneforums.com/news/security-privacy-news/the-10-websites-that-track-you-the-most-r3098/</link><description><![CDATA[<p>
	You're likely aware that companies watch your online activity with varying levels of intrusiveness. As you move from website to website, trackers on those sites report on your digital movements to advertisers and other interested parties. They can even track your actual IRL moves and who you're with, based on your phone's networks and location.
</p>

<p>
	 
</p>

<p>
	Surfshark, maker of the popular VPN (we gave it a rating of 4, which is excellent) did some digging in a report called Who's Tracking You? to find which websites do the most tracking. Using a site list comprising the most popular websites according to SimilarWeb and AllYouCanRead, Surfshark found that the Big Tech companies with the most trackers are Google with 18, Microsoft with 17, and Amazon with 11.
</p>

<p>
	 
</p>

<p>
	Of other popular sites it included, the worst offender is click-bait bro-site theChive, with 143 trackers alone. Others in the top five include news outlets Salon and NY Daily News, and HGTV. Surfshark posits the possibility that such sites don't like to carry too many advertisements—so this may be how they make up for that lack of revenue.
</p>

<p>
	 
</p>

<p>
	Just as interesting are the sites not doing much tracking. That top five includes Wikipedia and TikTok, which are tied for first place with only three trackers found on each. Porn site XVideos is fourth (tied with Instagram), and Netflix is fifth. You can see the full top 10 at the top and bottom of the list here, or click over to Who's Tracking You? for an interactive list you can reorder by the type of sites you visit. It reveals that lifestyle sites led by theChive, LADbible, and Refinery29 had the most trackers on average. And in general, music and science sites had the least number of trackers.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="07reqQWPNnVlgvGG3dINsSw-2.fit_lim.size_8" class="ipsImage" data-ratio="75.10" height="540" width="330" src="https://i.pcmag.com/imagery/articles/07reqQWPNnVlgvGG3dINsSw-2.fit_lim.size_845x.png" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	If you're worried about your privacy after reading this, Surfshark suggests you install a VPN (of course) to foil trackers. That’s not 100% effective, so the company also has an infographic in the report that covers different kinds of trackers, such as cookies, tracking pixels, and fingerprinting, and how to go deeper in blocking trackers. We suggest you also read How to Hide Your Browser Fingerprint, How to Control and Delete Cookies on Your Browser, and How to Get Google to Quit Tracking Your Location.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	&lt; Watch the video at the <a href="https://www.pcmag.com/news/the-10-websites-that-track-you-the-most" rel="external nofollow">source page</a>. &gt;
</p>

<p style="text-align:center;">
	 
</p>

<p>
	<span style="font-size:16px;"><strong><a href="https://www.pcmag.com/news/the-10-websites-that-track-you-the-most" rel="external nofollow">Source</a></strong></span>
</p>
]]></description><guid isPermaLink="false">3098</guid><pubDate>Mon, 25 Oct 2021 13:53:47 +0000</pubDate></item><item><title>Microsoft Warns of Continued Supply-Chain Attacks by the Nobelium Hacker Group</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-warns-of-continued-supply-chain-attacks-by-the-nobelium-hacker-group-r3093/</link><description><![CDATA[<p>
	Nobelium, the threat actor behind the SolarWinds compromise in December 2020, has been behind a new wave of attacks that compromised 14 downstream customers of multiple cloud service providers (CSP), managed service providers (MSP), and other IT services organizations, illustrating the adversary's continuing interest in targeting the supply chain via the "compromise-one-to-compromise-many" approach.
</p>

<p>
	 
</p>

<p>
	Microsoft, which disclosed details of the campaign on Monday, said it notified more than 140 resellers and technology service providers since May. Between July 1 and October 19, 2021, Nobelium is said to have singled out 609 customers, who were collectively attacked a grand total of 22,868 times.
</p>

<p>
	 
</p>

<p>
	"This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling – now or in the future – targets of interest to the Russian government," said Tom Burt, Microsoft's corporate vice president of customer security and trust.
</p>

<p>
	 
</p>

<p>
	The newly disclosed attacks do not exploit any specific security weaknesses in software but rather leverage a diverse range of techniques such as password spraying, token theft, API abuse, and spear-phishing to siphon credentials associated with privileged accounts of service providers, enabling the attackers to move laterally in cloud environments and mount further intrusions.
</p>
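<p>
	Of the techniques in that list, password spraying is the one a defender can spot from sign-in logs alone: the attacker tries one or two common passwords against many accounts, so no single account trips its lockout threshold, but one source address fails logins across an unusual number of distinct users in a short window. The Python below is an added example, not code from Microsoft or from the article; it runs that check over a constructed, simplified log format (timestamp, outcome, user, source IP), not a real Azure AD or AD FS export, and the thresholds are assumptions to tune per environment.
</p>

```python
"""Detect password-spray patterns in authentication logs.

Added example, not code from Microsoft or from the article. The log format
is a constructed, simplified one: "<ISO timestamp> <FAIL|SUCCESS> user=<u> src=<ip>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 tries six accounts once each inside two minutes
# (one succeeds); 198.51.100.4 is a single user mistyping a password twice.
SAMPLE_LOG = """\
2021-10-25T09:00:01Z FAIL user=alice src=203.0.113.7
2021-10-25T09:00:14Z FAIL user=bob src=203.0.113.7
2021-10-25T09:00:27Z FAIL user=carol src=203.0.113.7
2021-10-25T09:00:40Z FAIL user=dave src=203.0.113.7
2021-10-25T09:00:52Z FAIL user=erin src=203.0.113.7
2021-10-25T09:01:05Z SUCCESS user=frank src=203.0.113.7
2021-10-25T09:03:00Z FAIL user=grace src=198.51.100.4
2021-10-25T09:03:20Z FAIL user=grace src=198.51.100.4
2021-10-25T09:03:45Z SUCCESS user=grace src=198.51.100.4
"""


def parse_log(text):
    """Yield (timestamp, outcome, user, src) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        if "user" not in fields or "src" not in fields:
            continue
        yield ts, parts[1], fields["user"], fields["src"]


def detect_password_spray(text, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Return {src: {"accounts": [...], "succeeded": [...]}} for every source that
    failed logins against at least `min_accounts` distinct users inside `window`
    while hitting no single user more than `max_per_account` times (the profile
    that stays under per-account lockout). Thresholds are assumptions."""
    failures = defaultdict(list)   # src -> [(ts, user)]
    successes = defaultdict(set)   # src -> users that logged in successfully
    for ts, outcome, user, src in parse_log(text):
        if outcome == "FAIL":
            failures[src].append((ts, user))
        elif outcome == "SUCCESS":
            successes[src].add(user)

    alerts = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window so events[start:end+1] spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in events[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                alerts[src] = {
                    "accounts": sorted(per_user),
                    # a success from a spraying source is the account to reset first
                    "succeeded": sorted(successes[src]),
                }
                break
    return alerts


if __name__ == "__main__":
    for src, info in detect_password_spray(SAMPLE_LOG).items():
        print(f"{src}: sprayed {len(info['accounts'])} accounts, succeeded on {info['succeeded']}")
```

<p>
	The sliding window matters because a spray spread over hours at one attempt per account never exceeds any per-account counter; grouping by source over time is what makes the many-accounts, few-attempts shape visible. Attackers who rotate source addresses defeat this particular grouping, which is why the mitigation Microsoft actually recommends, MFA, sits in front of the detection rather than behind it.
</p>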

<p>
	 
</p>

<p>
	The goal, according to Microsoft, appears that "Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers' IT systems and more easily impersonate an organization's trusted technology partner to gain access to their downstream customers."
</p>

<p>
	 
</p>

<p>
	If anything, the attacks are yet another manifestation of Nobelium's oft-repeated tactic of abusing the trust relationships enjoyed by service providers to burrow into multiple victims of interest for intelligence gain. As mitigations, Microsoft recommends that organizations enable multi-factor authentication (MFA) and audit delegated administrative privileges (DAP) to prevent any potential misuse of elevated permissions.
</p>

<p>
	 
</p>

<p>
	The development also arrives less than a month after the tech giant revealed a new passive and highly targeted backdoor dubbed "FoggyWeb" deployed by the hacking group to deliver additional payloads and steal sensitive information from Active Directory Federation Services (AD FS) servers.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:16px;"><strong><a href="https://thehackernews.com/2021/10/microsoft-warns-of-continued-supply.html" rel="external nofollow">Source</a></strong></span>
</p>
]]></description><guid isPermaLink="false">3093</guid><pubDate>Mon, 25 Oct 2021 12:54:21 +0000</pubDate></item><item><title>FTC: ISPs collect and monetize far more user data than you&#x2019;d think</title><link>https://nsaneforums.com/news/security-privacy-news/ftc-isps-collect-and-monetize-far-more-user-data-than-you%E2%80%99d-think-r3071/</link><description><![CDATA[<p>
	The Federal Trade Commission (FTC) found that the six largest internet service providers (ISPs) in the U.S. collect and share customers' personal data without providing them with info on how it's used or meaningful ways to control this process.
</p>

<p>
	 
</p>

<p>
	"Many internet service providers (ISPs) collect and share far more data about their customers than many consumers may expect—including access to all of their Internet traffic and real-time location data—while failing to offer consumers meaningful choices about how this data can be used," the FTC said.
</p>

<p>
	 
</p>

<p>
	This was found as part of a study, started in 2019, into the privacy practices of U.S. broadband companies and related entities and how they collect, retain, use, and disclose info about consumers and their devices.
</p>

<p>
	 
</p>

<p>
	The six broadband providers included in FTC's report are AT&amp;T Mobility, Cellco Partnership (aka Verizon Wireless), Charter Communications Operating, Comcast (aka Xfinity), T-Mobile U.S., and Google Fiber.
</p>

<p>
	 
</p>

<p>
	The FTC also included in the study three advertising entities affiliated with these companies: AT&amp;T's Appnexus rebranded as Xandr, Verizon's Verizon Online, and Oath Americas rebranded as Verizon Media.
</p>

<p>
	 
</p>

<p>
	Together, the six companies currently control roughly 98 percent of the nation's mobile Internet market, according to the FTC.
</p>

<p>
	 
</p>

<p>
	The FTC also noted that these tech giants have expanded beyond fixed residential internet and mobile internet services into other areas.
</p>

<p>
	By including voice, content, smart devices, advertising, and analytics services, they could further increase the volume of customer data they can collect and share with third parties.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:20px;"><strong>Troubling data collection, protection, and sharing practices</strong></span>
</p>

<p>
	<br />
	"The report identified several troubling data collection practices among several of the ISPs, including that they combine data across product lines; combine personal, app usage, and web browsing data to target ads; place consumers into sensitive categories such as by race and sexual orientation; and share real-time location data with third-parties," the FTC said.
</p>

<p>
	 
</p>

<p>
	As the FTC further discovered, the ISPs amass huge pools of sensitive consumer data and use it in ways their customers do not expect and could cause them harm, primarily when classifying them by demographic characteristics, including race, ethnicity, gender, or sexuality.
</p>

<p>
	 
</p>

<p>
	Although many ISPs claim to offer consumers choices, the choices they provide are often a sham, at times nudging them toward even more data sharing.
</p>

<p>
	 
</p>

<p>
	"Even though several of the ISPs promise not to sell consumers personal data, they allow it to be used, transferred, and monetized by others and hide disclosures about such practices in fine print of their privacy policies," the FTC added.
</p>

<p>
	 
</p>

<p>
	"For example, several news outlets noted that subscribers' real-time location data shared with third-party customers was being accessed by car salesmen, property managers, bail bondsmen, bounty hunters, and others without reasonable protections or consumers' knowledge and consent, according to the report."
</p>

<p>
	 
</p>

<p>
	Furthermore, because of their problematic privacy practices and protections, they can be at least as privacy-intrusive as large advertising platforms, given that they have direct access to their consumers' entire unencrypted internet traffic.
</p>

<p>
	 
</p>

<p>
	Even when customers connect to sites over HTTPS, ISPs can still see which domains they connect to (for example through DNS lookups and the server name sent in the clear during the TLS handshake) and analyze their browsing behavior; a VPN hides that from the ISP, but only by giving the same visibility to the VPN provider instead.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:20px;"><strong>Former FCC Chair Ajit Pai blamed for current state of things</strong></span>
</p>

<p>
	<br />
	U.S. Senator Ron Wyden said in a statement following FTC's report that Ajit Pai, the former head of the FCC, is likely the one who made it possible for tech firms to disregard their users' privacy by harvesting and using their data for business purposes.
</p>

<p>
	 
</p>

<p>
	"If Congress needed any more proof that America desperately needs a consumer privacy law, the Federal Trade Commission's report about internet service providers' rampant abuse of their customers' private, personal browsing information should be enough to get Washington to act," Wyden said.
</p>

<p>
	 
</p>

<p>
	"Whether it's advertisers, tech companies or Big Cable, corporate America is showing absolute contempt for the idea that consumers can control personal details about their lives. Democrats have introduced multiple comprehensive privacy bills that would crack down on this flagrant abuse.
</p>

<p>
	"Finally, it's worth remembering that former Federal Communications Commission Chair Ajit Pai opened the floodgates to ISPs' unchecked use of browsing data when he repealed the Obama-era broadband privacy and net neutrality regulations.
</p>

<p>
	 
</p>

<p>
	"The FCC needs every tool available to stop cable companies from gouging consumers and selling their data."
</p>

<p>
	 
</p>

<p>
	<span style="font-size:20px;"><strong><a href="https://www.bleepingcomputer.com/news/security/ftc-isps-collect-and-monetize-far-more-user-data-than-you-d-think/" rel="external nofollow">Source</a></strong></span>
</p>
]]></description><guid isPermaLink="false">3071</guid><pubDate>Sat, 23 Oct 2021 17:14:07 +0000</pubDate></item><item><title>Secure email group Proton wins Swiss appeal over surveillance rules</title><link>https://nsaneforums.com/news/security-privacy-news/secure-email-group-proton-wins-swiss-appeal-over-surveillance-rules-r3057/</link><description><![CDATA[<p>
	ZURICH, Oct 22 (Reuters) - Geneva-based Proton AG, the company behind ProtonMail and ProtonVPN, has won an appeal regarding its treatment under Swiss law governing telecommunications surveillance, a Swiss court said on Friday.
</p>

<p>
	 
</p>

<p>
	Proton calls itself the world's largest secure email provider, using end-to-end encryption and state-of-the-art security features.
</p>

<p>
	 
</p>

<p>
	The Swiss Federal Administrative Court upheld its appeal against the Swiss Post and Telecommunications Surveillance Service (PTSS) over its status and obligations to monitor traffic.
</p>

<p>
	 
</p>

<p>
	The court confirmed that email services cannot be considered telecommunications providers under Swiss law, and thus are not subject to the data retention requirements imposed on such providers.
</p>

<p>
	 
</p>

<p>
	Proton founder and Chief Executive Andy Yen said Friday's ruling was an "important first step" in its campaign to advance privacy and freedom.
</p>

<p>
	 
</p>

<p>
	"We expect there to be further attempts to force tech companies to undermine privacy in both Switzerland and abroad, and we are committed to continuing to challenge this through both our encryption technology and through the courts," he said.
</p>

<p>
	 
</p>

<p>
	PTSS had decided in September 2020 that Proton and ProtonVPN could no longer benefit from limited surveillance obligations, but had to store data necessary for surveillance and be available to answer its questions around the clock.
</p>

<p>
	 
</p>

<p>
	The court overturned that ruling and sent the case back for a fresh decision.
</p>

<p>
	 
</p>

<p>
	The verdict followed a Swiss Supreme Court ruling in April that providers of chat, instant messaging, Internet video or telephone services, or email services such as Threema, WhatsApp, iMessage, Zoom, Teams, Chime or Skype were not telecom service providers but rather "over-the-top" (OTT) service providers.
</p>

<p>
	 
</p>

<p>
	"Together, these two rulings are a victory for privacy in Switzerland and a victory for Swiss tech startups as they exempt them from onerous telco regulations and handing over certain user information in response to Swiss legal orders," Proton said in a statement.
</p>

<p>
	 
</p>

<p>
	Still, Proton has faced criticism after a police report revealed that it provided the IP address of a user in a French investigation that led to the arrest of climate activists.
</p>

<p>
	 
</p>

<p>
	PTSS, which coordinates approaches to companies from Swiss police, prosecutors or intelligence services seeking information on users, did not respond immediately to a call seeking comment.
</p>

<p>
	 
</p>

<p>
	Additional reporting by Silke Koltrowitz; Editing by Clarence Fernandez and Chizu Nomiyama
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.reuters.com/technology/proton-wins-swiss-court-appeal-over-surveillance-rules-2021-10-22/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">3057</guid><pubDate>Fri, 22 Oct 2021 13:37:34 +0000</pubDate></item><item><title>EXCLUSIVE Governments turn tables on ransomware gang REvil by pushing it offline</title><link>https://nsaneforums.com/news/security-privacy-news/exclusive-governments-turn-tables-on-ransomware-gang-revil-by-pushing-it-offline-r3056/</link><description><![CDATA[<p>
	Oct 21 (Reuters) - The ransomware group REvil was itself hacked and forced offline this week by a multi-country operation, according to three private sector cyber experts working with the United States and one former official.
</p>

<p>
	 
</p>

<p>
	Former partners and associates of the Russian-led criminal gang were responsible for a <strong>May cyberattack</strong> on the Colonial Pipeline that led to widespread gas shortages on the U.S. East Coast. REvil's direct victims include top meatpacker JBS (<strong>JBSS3.SA</strong>). The crime group's "Happy Blog” website, which had been used to leak victim data and extort companies, is no longer available.
</p>

<p>
	 
</p>

<p>
	Officials said the Colonial attack used encryption software called DarkSide, which was developed by REvil associates.
</p>

<p>
	VMware (<strong>VMW.N</strong>) head of cybersecurity strategy Tom Kellermann said law enforcement and intelligence personnel stopped the group from victimizing additional companies.
</p>

<p>
	"The FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have truly engaged in significant disruptive actions against these groups," said Kellermann, an adviser to the U.S. Secret Service on cybercrime investigations. "REvil was top of the list."
</p>

<p>
	A leadership figure known as "0_neday," who had helped restart the group's operations after an earlier shutdown, said REvil's servers had been hacked by an unnamed party.
</p>

<p>
	"The server was compromised, and they were looking for me," 0_neday wrote on a cybercrime forum last weekend, in a post first spotted by security firm Recorded Future. "Good luck, everyone; I'm off."
</p>

<p>
	U.S. government attempts to stop REvil, one of the worst of dozens of ransomware gangs that work with hackers to penetrate and paralyze companies around the world, accelerated after the group compromised U.S. software management company <strong>Kaseya in July</strong>.
</p>

<p>
	That breach opened access to hundreds of Kaseya's customers all at once, leading to numerous emergency cyber incident response calls.
</p>

<p>
	DECRYPTION KEY
</p>

<p>
	Following the attack on Kaseya, the FBI obtained a universal decryption key that allowed those infected via Kaseya to recover their files without paying a ransom.
</p>

<p>
	But law enforcement officials initially withheld the key for weeks as they quietly pursued REvil's staff, <strong>the FBI later acknowledged</strong>.
</p>

<p>
	According to three people familiar with the matter, law enforcement and intelligence cyber specialists were able to hack REvil's computer network infrastructure, obtaining control of at least some of their servers.
</p>

<p>
	After websites that the hacker group used to conduct business went offline in July, the main spokesman for the group, who calls himself "Unknown," vanished from the internet.
</p>

<p>
	When gang member 0_neday and others restored those websites from a backup last month, he unknowingly restarted some internal systems that were already controlled by law enforcement.
</p>

<p>
	“The REvil ransomware gang restored the infrastructure from the backups under the assumption that they had not been compromised,” said Oleg Skulkin, deputy head of the forensics lab at the Russian-led security company Group-IB. “Ironically, the gang's own favorite tactic of compromising the backups was turned against them.”
</p>

<p>
	Reliable backups are one of the most important defenses against ransomware attacks, but they must be kept unconnected from the main networks or they too can be encrypted by extortionists such as REvil.
</p>

<p>
	A spokesperson for the White House National Security Council declined to comment on the operation specifically.
</p>

<p>
	"Broadly speaking, we are undertaking a whole of government ransomware effort, including disruption of ransomware infrastructure and actors, working with the private sector to modernize our defenses, and building an international coalition to hold countries who harbor ransom actors accountable," the person said.
</p>

<p>
	The FBI declined to comment.
</p>

<p>
	One person familiar with the events said that a foreign partner of the U.S. government carried out the hacking operation that penetrated REvil's computer architecture. A former U.S. official, who spoke on condition of anonymity, said the operation is still active.
</p>

<p>
	The success stems from a determination by U.S. Deputy Attorney General Lisa Monaco that ransomware attacks on critical infrastructure should be treated as a national security issue akin to terrorism, Kellermann said.
</p>

<p>
	In June, Principal Associate Deputy Attorney General John Carlin <strong>told Reuters</strong> the Justice Department was elevating investigations of ransomware attacks to a similar priority.
</p>

<p>
	Such actions gave the Justice Department and other agencies a legal basis to get help from U.S. intelligence agencies and the Department of Defense, Kellermann said.
</p>

<p>
	"Before, you couldn't hack into these forums, and the military didn't want to have anything to do with it. Since then, the gloves have come off."
</p>

<p>
	Reporting by Joseph Menn and Christopher Bing; Editing by Chris Sanders and Grant McCool
</p>

<p>
	<strong><a href="https://www.reuters.com/technology/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">3056</guid><pubDate>Fri, 22 Oct 2021 13:33:10 +0000</pubDate></item><item><title>Researchers Discover Microsoft-Signed FiveSys Rootkit in the Wild</title><link>https://nsaneforums.com/news/security-privacy-news/researchers-discover-microsoft-signed-fivesys-rootkit-in-the-wild-r3055/</link><description><![CDATA[<p>
	A newly identified rootkit carrying a valid digital signature issued by Microsoft has been used for over a year to proxy traffic to internet addresses of interest to the attackers, targeting online gamers in China.
</p>

<p>
	Bucharest-headquartered cybersecurity technology company Bitdefender named the malware "FiveSys," calling out its possible credential theft and in-game-purchase hijacking motives. The Windows maker has since revoked the signature following responsible disclosure.
</p>

<p>
	"Digital signatures are a way of establishing trust," Bitdefender researchers said in a white paper, adding "a valid digital signature helps the attacker navigate around the operating system's restrictions on loading third-party modules into the kernel. Once loaded, the rootkit allows its creators to gain virtually unlimited privileges."
</p>

<p>
	Rootkits are both evasive and stealthy as they offer threat actors an entrenched foothold onto victims' systems and conceal their malicious actions from the operating system (OS) as well as from anti-malware solutions, enabling the adversaries to maintain extended persistence even after OS reinstallation or replacement of the hard drive.
</p>

<p style="text-align:center;">
	<img alt="digital-rootkit.jpg" class="ipsImage" data-ratio="65.42" height="465" width="720" src="https://thehackernews.com/images/-B2eBZEG6mJw/YXKuG7vZi3I/AAAAAAAAEIU/r7Rkjg3Ckr8xIPt2pbAGIR_VXMqhRX3LACLcBGAsYHQ/s728-e1000/digital-rootkit.jpg" />
</p>

<p>
	In the case of FiveSys, the malware's main objective is to redirect and route internet traffic for both HTTP and HTTPS connections to malicious domains under the attacker's control via a custom proxy server. The rootkit operators also employ the practice of blocking the loading of drivers from competing groups using a signature blocklist of stolen certificates to prevent them from taking control of the machine.
</p>

<p>
	"To make potential takedown attempts more difficult, the rootkit comes with a built-in list of 300 domains on the '.xyz' [top-level domain]," the researchers noted. "They seem to be generated randomly and stored in an encrypted form inside the binary."
</p>

<p>
	The development marks the second time that malicious drivers with valid digital signatures issued by Microsoft through the Windows Hardware Quality Labs (WHQL) signing process have slipped through the cracks. In late June 2021, German cybersecurity company G Data disclosed details of another rootkit dubbed "Netfilter" (tracked by Microsoft as "Retliften"), which, like FiveSys, also targeted gamers in China.
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/10/researchers-discover-microsoft-signed.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">3055</guid><pubDate>Fri, 22 Oct 2021 13:25:09 +0000</pubDate></item><item><title>Bug in Popular WinRAR Software Could Let Attackers Hack Your Computer</title><link>https://nsaneforums.com/news/security-privacy-news/bug-in-popular-winrar-software-could-let-attackers-hack-your-computer-r3036/</link><description><![CDATA[<p>
	A new security weakness has been disclosed in the WinRAR trialware file archiver utility for Windows that could be abused by a remote attacker to execute arbitrary code on targeted systems, underscoring how vulnerabilities in such software could become a gateway for a roster of attacks.
</p>

<p>
	Tracked as CVE-2021-35052, the bug affects the trial version of the software, version 5.70. "This vulnerability allows an attacker to intercept and modify requests sent to the user of the application," Positive Technologies' Igor Sak-Sakovskiy said in a technical write-up. "This can be used to achieve remote code execution (RCE) on a victim's computer."
</p>

<p>
	Sak-Sakovskiy noted that the investigation into WinRAR began after observing a JavaScript error rendered by MSHTML (aka Trident), the proprietary browser engine of the now-discontinued Internet Explorer, which is also used in Office to render web content inside Word, Excel, and PowerPoint documents. This led to the discovery that the error window is displayed once every three times the application is launched after the trial has expired.
</p>

<p style="text-align:center;">
	<img alt="AVvXsEjuKCycS2Mu05RzTqJkSsQS5CmvfEV6vmHd" class="ipsImage" data-ratio="31.25" height="222" width="720" src="https://thehackernews.com/new-images/img/a/AVvXsEjuKCycS2Mu05RzTqJkSsQS5CmvfEV6vmHdiOvJMhhckX6P9EMPA51eg-GnuVfapKDwjcuRL6cEQFT31jBER-xlDSEVTGVzIzCkdRj-fqHmaMeVsrKgugGHencJtSvFwDKgkD32T4LiWxMzFZoCic9CWBhV5RILuIUYIjRSyJz9O7y9HqKnyXvbqQSk" />
</p>

<p>
	By intercepting the response code sent when WinRAR alerts the user about the end of the free trial period via "notifier.rarlab[.]com" and modifying it to a "301 Moved Permanently" redirect message, Positive Technologies found that it could be abused to cache the redirection to an attacker-controlled malicious domain for all subsequent requests.
</p>

<p>
	On top of that, an attacker already having access to the same network domain can stage ARP spoofing attacks to remotely launch applications, retrieve local host information, and even run arbitrary code.
</p>

<p>
	"One of the biggest challenges an organization faces is the management of third-party software. Once installed, third-party software has access to read, write, and modify data on devices which access corporate networks," Sak-Sakovskiy noted.
</p>

<p>
	"It's impossible to audit every application that could be installed by a user and so policy is critical to managing the risk associated with external applications and balancing this risk against the business need for a variety of applications. Improper management can have wide reaching consequences."
</p>

<p>
	<span style="font-size:16px;"><strong><a href="https://thehackernews.com/2021/10/bug-in-free-winrar-software-could-let.html" rel="external nofollow">Source</a></strong></span>
</p>
]]></description><guid isPermaLink="false">3036</guid><pubDate>Thu, 21 Oct 2021 15:24:43 +0000</pubDate></item></channel></rss>
