<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/143/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Ransomware Gang Masquerades as Real Company to Recruit Tech Talent</title><link>https://nsaneforums.com/news/security-privacy-news/ransomware-gang-masquerades-as-real-company-to-recruit-tech-talent-r3030/</link><description><![CDATA[<p>
	<span style="font-size:20px;">Group linked to Colonial Pipeline hack has made offers to potential employees in new ransomware expansion push, researchers say</span>
</p>

<p>
	 
</p>

<p>
	A criminal organization believed to have built the software that shut down a U.S. fuel pipeline has set up a fake company to recruit potential employees, according to researchers at the intelligence firm Recorded Future and Microsoft Corp.
</p>

<p>
	 
</p>

<p>
	The fake company is using the name Bastion Secure, according to the researchers. On a professional-looking website, the company says it sells cybersecurity services. But the site’s operator is a well-known hacking group called Fin7, Recorded Future and Microsoft say.
</p>

<p>
	 
</p>

<p>
	Fin7 is believed to have hacked hundreds of businesses, stolen more than 20 million customer records and written the software used in a hack that disrupted gasoline delivery in parts of the Southeastern U.S., federal prosecutors and researchers say.
</p>

<p>
	 
</p>

<p>
	The Bastion Secure website, which uses the logo BS, has listed jobs that are technical in nature and appear similar to work that would be performed at any security company—programmers, system administrators and people who are good at finding bugs in software. Prospective hires will work nine-hour days on a predictable schedule: Monday to Friday, according to the company website. Lunch breaks are provided, the site says.
</p>

<p>
	 
</p>

<p>
	The attempt to impersonate a legitimate company for recruiting purposes represents a new development by purveyors of ransomware to grow and spread a scourge that has disrupted meat production, hospital care, education and hundreds of businesses. With hundreds of millions of dollars in illegal earnings, ransomware operators are increasingly operating like criminal startups with professionalized support staff, software development, cloud-computing services and media relations, security researchers say.
</p>

<p>
	 
</p>

<p>
	Recorded Future shared its findings with The Wall Street Journal and planned to publish them in a blog post Thursday. Microsoft officials gave a presentation on their discovery earlier this month at a conference hosted by the cybersecurity firm Mandiant.
</p>

<p>
	 
</p>

<p>
	Emails to an address listed on the Bastion Secure website went unanswered. A phone call to an Israeli number listed on the site was answered by a Russian-speaking man. “I’m just a person. I have nothing to do with any cybersecurity company,” he said before hanging up.
</p>

<p>
	 
</p>

<p>
	The recruiting effort appears concentrated on Russian speakers, the researchers said. While criminals have traditionally operated in the shadows—recruiting partners in criminal forums—the demands of Fin7’s growing business appear to have pushed it to recruit in the open, security researchers say.
</p>

<p>
	 
</p>

<p>
	“You can find more qualified people when you search more broadly,” said Andrei Barysevich, the head of Gemini Advisory, a division of Recorded Future. “There’s a lot of embedded law-enforcement agents on the dark web.”
</p>

<p>
	 
</p>

<p>
	Information-technology jobs advertised by Bastion Secure offer salaries between $800 and $1,200 a month. That is decent pay in former Soviet countries such as Ukraine, but “a small fraction of a cybercriminal’s portion of the criminal profits from a successful ransomware extortion or large-scale payment-card-stealing operation,” according to the Recorded Future report.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	&lt; Watch the video at the <a href="https://www.wsj.com/articles/ransomware-gang-masquerades-as-real-company-to-recruit-tech-talent-11634819400" rel="external nofollow">source page</a>. &gt;
</p>

<p style="text-align:center;">
	 
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Ransomware attacks are increasing in frequency, victim losses are skyrocketing, and hackers are shifting their targets. WSJ’s Dustin Volz explains why these attacks are on the rise and what the U.S. can do to fight them. Photo illustration: Laura Kammermann</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Fin7 has hacked thousands of computer systems and for years focused on stealing and selling credit-card information. The 70-person group caused more than $3 billion in damages to companies and individuals, federal prosecutors say.
</p>

<p>
	 
</p>

<p>
	The group has recently shifted from stealing card information to ransomware, and it now manages a ransomware service and conducts intrusions to deploy the file-encrypting software, said Nick Carr, a security analyst at Microsoft, while speaking at the Mandiant conference.
</p>

<p>
	 
</p>

<p>
	Microsoft believes Fin7 produced the software used in the hack that disrupted Colonial Pipeline Co.’s operations in the spring. The actual hack is believed to have been carried out by a criminal affiliate of Fin7, Mr. Carr said in his presentation. Fin7 marketed its ransomware business under the name DarkSide, but more recently has called it BlackMatter, researchers say.
</p>

<p>
	 
</p>

<p>
	On Monday, three federal agencies—the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation and the National Security Agency—published an alert, explaining how companies can protect themselves from BlackMatter and warning that in recent months, the ransomware “has targeted multiple U.S. critical infrastructure entities, including two U.S. Food and Agriculture Sector organizations.”
</p>

<p>
	 
</p>

<p>
	Bastion Secure isn’t the first fake company Fin7 has used to recruit employees. In August 2015 it used another fake cybersecurity company called Combi Security to recruit a Ukrainian man named Fedir Hladyr as a systems administrator, according to federal prosecutors.
</p>

<p>
	 
</p>

<p>
	Mr. Hladyr didn’t realize that he was engaged in a criminal enterprise until many months after his hiring, according to his attorney, Arkady Bukh. He said Fin7 had compartmentalized its business to keep its different employees ignorant of the group’s criminal activity. “At some stage, some would figure it out,” the attorney said. “Sometimes not.”
</p>

<p>
	 
</p>

<p>
	Mr. Hladyr maintained Fin7’s communications servers as well as a world-wide network of servers used to launch and manage cyberattacks, according to federal prosecutors. After pleading guilty to hacking charges, he was sentenced to 10 years in prison in April.
</p>

<p>
	 
</p>

<p>
	With Bastion Secure, the company made offers to prospective recruits, the researchers say. The Microsoft researchers were able to find a copy of an employment agreement from Bastion Secure sent to a potential employee. “If you actually work there, you’re not supposed to talk about it at speeches or media events,” Mr. Carr said.
</p>

<p>
	 
</p>

<p>
	It didn’t take long for one potential recruit—applying for an information-technology job—to spot red flags, said Mr. Barysevich, the researcher at Recorded Future whose firm said it spoke with the potential recruit. The first warning sign was that nobody with the company would meet face-to-face or talk via a voice call, the recruit told Mr. Barysevich. Instead, they would communicate only via the encrypted messaging software Telegram or Tox, according to Recorded Future.
</p>

<p>
	 
</p>

<p>
	Later, the recruit was sent software that Bastion Secure told him he would be using on the job, Mr. Barysevich said. He was asked to connect to what was described as a “client” network and collect information, but not told why or how it would be used. The software tools he was given were in fact hacking tools that a Recorded Future analysis linked to Fin7, Mr. Barysevich said.
</p>

<p>
	 
</p>

<p>
	Much of the text on the Bastion Secure website appears to have been lifted word-for-word from a legitimate U.K.-based cybersecurity company, Convergent Network Solutions Ltd, researchers say. A spokesman for Convergent said the company is treating the Bastion Secure site as a “malicious website” and is taking steps to get it removed, he said.
</p>

<p>
	 
</p>

<p>
	The website includes a quote that claims to be from Tom Deevy, described as a managing director of Bastion Secure. The Mr. Deevy quoted on the site couldn’t be reached for comment. Another man named Tom Deevy is a managing director of a company called Bastion Security Products Ltd., a builder of panic rooms and other armored enclosures.
</p>

<p>
	 
</p>

<p>
	“It’s completely fake,” Mr. Deevy said of the quote. “We’ve never even dealt in the cybersecurity world.”
</p>

<p>
	 
</p>

<p>
	Mr. Deevy added that a Gateshead, U.K., address listed by Bastion Secure as its U.K. business location was formerly occupied by his company. “That’s an address that we held seven years ago,” he said.
</p>

<p>
	 
</p>

<p>
	<em>—Valentina Ochirova contributed to this article.</em>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	<strong><span style="font-size:20px;"><a href="https://www.wsj.com/articles/ransomware-gang-masquerades-as-real-company-to-recruit-tech-talent-11634819400" rel="external nofollow">Source</a></span></strong>
</p>
]]></description><guid isPermaLink="false">3030</guid><pubDate>Thu, 21 Oct 2021 13:38:32 +0000</pubDate></item><item><title>Google: YouTubers&#x2019; accounts hijacked with cookie-stealing malware</title><link>https://nsaneforums.com/news/security-privacy-news/google-youtubers%E2%80%99-accounts-hijacked-with-cookie-stealing-malware-r3024/</link><description><![CDATA[<p>
	Google says YouTube creators have been targeted with password-stealing malware in phishing attacks coordinated by financially motivated threat actors.
</p>

<p>
	 
</p>

<p>
	Researchers with Google's Threat Analysis Group (TAG), who first spotted the campaign in late 2019, found that multiple hack-for-hire actors recruited via job ads on Russian-speaking forums were behind these attacks.
</p>

<p>
	 
</p>

<p>
	The threat actors used social engineering (via fake software landing pages and social media accounts) and phishing emails to infect YouTube creators with information-stealing malware, chosen based on each attacker's preference.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:16px;"><strong>Channels hijacked in pass-the-cookie attacks</strong></span>
</p>

<p>
	<br />
	Malware observed in the attacks includes commodity strains like RedLine, Vidar, Predator The Thief, Nexus stealer, Azorult, Raccoon, Grand Stealer, Vikro Stealer, Masad, and Kantal, as well as open-source ones like AdamantiumThief and leaked tools such as Sorano.
</p>

<p>
	 
</p>

<p>
	Once delivered on the targets' systems, the malware was used to steal their credentials and browser cookies which allowed the attackers to hijack the victims' accounts in pass-the-cookie attacks.
</p>

<p>
	 
</p>

<p>
	"While the technique has been around for decades, its resurgence as a top security risk could be due to a wider adoption of multi-factor authentication (MFA) making it difficult to conduct abuse, and shifting attacker focus to social engineering tactics," said Ashley Shen, a TAG Security Engineer.
</p>

<p>
	 
</p>

<p>
	"Most of the observed malware was capable of stealing both user passwords and cookies. Some of the samples employed several anti-sandboxing techniques including enlarged files, encrypted archive and download IP cloaking."
</p>

<p>
	 
</p>

<p>
	Google identified at least 1,011 domains linked to these attacks and roughly 15,000 actor accounts specifically created for this campaign and used to deliver phishing emails containing links redirecting to malware landing pages to YouTube creators' business emails. 
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="Attack%20flow(1).png" class="ipsImage" data-ratio="66.81" height="347" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2021/Attack%20flow(1).png" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Image: Google</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	<span style="font-size:16px;"><strong>Sold for up to $4,000 on underground markets</strong></span>
</p>

<p>
	<br />
	A significant number of YouTube channels hijacked in these attacks were later rebranded to impersonate high-profile tech executives or cryptocurrency exchange firms and used for live streaming cryptocurrency scams.
</p>

<p>
	 
</p>

<p>
	Others were sold on underground account-trading markets, where they're worth anything between $3 to $4,000, depending on their total number of subscribers.
</p>

<p>
	 
</p>

<p>
	Shen added that Google's Threat Analysis Group cut down phishing emails linked to these attacks on Gmail by 99.6% since May 2021.
</p>

<p>
	 
</p>

<p>
	"We blocked 1.6M messages to targets, displayed ~62K Safe Browsing phishing page warnings, blocked 2.4K files, and successfully restored ~4K accounts," Shen said.
</p>

<p>
	 
</p>

<p>
	"With increased detection efforts, we've observed attackers shifting away from Gmail to other email providers (mostly email.cz, seznam.cz, post.cz and aol.com)."
</p>

<p>
	 
</p>

<p>
	Google also reported this malicious activity to the FBI for further investigation to protect YouTube users and creators targeted in the campaign.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.bleepingcomputer.com/news/security/google-youtubers-accounts-hijacked-with-cookie-stealing-malware/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">3024</guid><pubDate>Thu, 21 Oct 2021 12:24:43 +0000</pubDate></item><item><title>Microsoft 365 will tell your boss if you're misbehaving online</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-365-will-tell-your-boss-if-youre-misbehaving-online-r2996/</link><description><![CDATA[<p>
	<span style="font-size:20px;">New Microsoft 365 features will help admins identify potential insider threats</span>
</p>

<p>
	 
</p>

<p>
	Microsoft is working on a couple of updates for its productivity suite that will help businesses keep closer tabs on the ways their employees are using the web.
</p>

<p>
	 
</p>

<p>
	As per a new entry in the company’s product roadmap, the Microsoft 365 compliance center (a service for IT administrators) will soon provide “increased visibility of risky activity using browsers and associated insider risk policy templates”.
</p>

<p>
	 
</p>

<p>
	A second entry, meanwhile, suggests Microsoft will deploy new machine learning (ML) techniques to more accurately detect potential threats and “uncover hidden insider risks”.
</p>

<p>
	 
</p>

<p>
	In a break from the norm, Microsoft has simply marked these roadmap items as “in development”, without providing more specific timelines.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:18px;"><strong>Microsoft 365 tackles insider threat</strong></span>
</p>

<p>
	<br />
	Although businesses face a wide range of threats from external actors, the security risk created by employees (either intentionally or otherwise) is also significant. According to projections from security firm Mandiant, for example, insider threat will account for a third of all incidents this year.
</p>

<p>
	To help businesses combat this challenge, Microsoft 365 compliance center has long provided administrators with ways to configure alerts that trigger when employees perform certain actions online.
</p>

<p>
	 
</p>

<p>
	“Web browsers are often used to access both sensitive and non-sensitive files within an organization. Insider risk management allows your organization to detect and act on browser exfiltration signals for all non-executable files viewed in Microsoft Edge and Google Chrome,” a Microsoft guide explains.
</p>

<p>
	 
</p>

<p>
	Under this system, administrators can choose to be alerted when a member of staff copies files to personal cloud storage or a USB flash drive, for example, or when files are transferred to an insecure network share.
</p>

<p>
	 
</p>

<p>
	Although the new roadmap entries are rather vague, the suggestion is that the upgrades will provide admins with an increased level of visibility over employee behavior online (perhaps at an interface level), as well as improving the likelihood that these kinds of risky activities are detected.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:18px;"><strong><a href="https://www.techradar.com/news/microsoft-365-will-tell-your-boss-if-youre-misbehaving-online" rel="external nofollow">Source</a></strong></span>
</p>
]]></description><guid isPermaLink="false">2996</guid><pubDate>Wed, 20 Oct 2021 13:44:04 +0000</pubDate></item><item><title>NHS Digital exposes hundreds of email addresses after BCC blunder copies in entire invite list to 'Let's talk cyber' event</title><link>https://nsaneforums.com/news/security-privacy-news/nhs-digital-exposes-hundreds-of-email-addresses-after-bcc-blunder-copies-in-entire-invite-list-to-lets-talk-cyber-event-r2991/</link><description><![CDATA[<p>
	<span style="font-size:20px;"><strong>It's like rai-iiiiiin on your wedding day</strong></span>
</p>

<p>
	 
</p>

<p>
	NHS Digital has scored a classic Mail All own-goal by dispatching not one, not two, not three, but four emails concerning an infosec breakfast briefing, each time copying the entirety of the invite list in on the messages.
</p>

<p>
	 
</p>

<p>
	The first email sent yesterday morning thanked participants for "registering for NHS Digital's Full Digital Breakfast: Let's talk cyber, scheduled for Thursday 21 October 2021, 8:00-9:00am."
</p>

<p>
	 
</p>

<p>
	Apparently Neil Bennett, CISO at NHS Digital, and Phil Huggins, National CISO at NHS X, "along with guest speakers, will have a conversation about the ongoing protection and how an increasingly digitised world means we must be super vigilant and cyber secure, where cyber hygiene is essential in protecting patients."
</p>

<p>
	 
</p>

<p>
	According to sources caught up in the email chain, NHS Digital were sending the emails in an attempt to change the invite details. The fourth was a cancellation "again with every single person copied in," one healthcare techie told us.
</p>

<p>
	 
</p>

<p>
	"They have subsequently put an email out to a BCC list that just reiterates the meeting is on but does not acknowledge the data breach.
</p>

<p>
	 
</p>

<p>
	"Oh and it's still doing the rounds as some people have done the usual 'Reply All', which is a frustration to anyone who didn't want their emails sharing or their inboxes clogging."
</p>

<p>
	 
</p>

<p>
	The event, which is scheduled for tomorrow morning, is open to anyone who wants to register. It was estimated by people on the email chain that between 100 to 200 email addresses were shared across the attendee list. It included a mix of private individuals and private company addresses.
</p>

<p>
	As one of those registered told us, the irony wasn't lost on them given the breakfast briefing subject matter. "So, not so conscious of security then."
</p>

<p>
	 
</p>

<p>
	As email blunders go, this is ranked pretty low down in terms of seriousness – just think of this story, or this one – but it is more than a little embarrassing.
</p>

<p>
	 
</p>

<p>
	An NHS Digital spokesperson said of the issue: "We take our responsibility to safeguard personal data extremely seriously. This was an invitation to a closed event sent to individuals who had confirmed they wished to attend.
</p>

<p>
	 
</p>

<p>
	"As soon as we became aware of concerns we took immediate remedial action including reporting the incident for further investigation and deleting the original invitation.
</p>

<p>
	 
</p>

<p>
	"We seek to continually improve our processes and will ensure we provide delegates with an alternative means of attending our events in future."
</p>

<p>
	 
</p>

<p>
	The Reg has also asked the Information Commissioner's Office if anyone has reported the screwup, and it said it hadn't yet received a report. A spokesperson said: "Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people's rights and freedoms." ®
</p>

<p>
	 
</p>

<p>
	<span style="font-size:20px;"><strong><a href="https://www.theregister.com/2021/10/20/bcc_fail_nhs_digital/" rel="external nofollow">Source</a></strong></span>
</p>
]]></description><guid isPermaLink="false">2991</guid><pubDate>Wed, 20 Oct 2021 12:48:25 +0000</pubDate></item><item><title>Company That Buys Zero-Day Hacks Now Wants Exploits for Popular VPNs</title><link>https://nsaneforums.com/news/security-privacy-news/company-that-buys-zero-day-hacks-now-wants-exploits-for-popular-vpns-r2985/</link><description><![CDATA[<p>
	<strong>Zerodium is looking to acquire exploits for NordVPN, ExpressVPN, and Surfshark, signaling that its government clients may want to spy on some VPN users.</strong>
</p>

<p>
	 
</p>

<p>
	Uh oh. An infamous company that pays thousands of dollars for iOS and Android hacking techniques is now out to acquire zero-day exploits for three popular VPN services. 
</p>

<p>
	 
</p>

<p>
	Zerodium today sent out a tweet calling for “zero-days” or publicly unknown attacks that work against ExpressVPN, NordVPN, or Surfshark. The attacks must be capable of leaking information from the VPNs, such as a computer’s IP address. Zerodium will also pay for exploits that can trigger a VPN to remotely execute computer code.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedOther">
	<iframe allowfullscreen="" data-controller="core.front.core.autosizeiframe" data-embedid="embed2878495638" scrolling="no" src="https://nsaneforums.com/index.php?app=core&amp;module=system&amp;controller=embed&amp;url=https://twitter.com/Zerodium/status/1450528730678444038?ref_src=twsrc%255Etfw%257Ctwcamp%255Etweetembed%257Ctwterm%255E1450528730678444038%257Ctwgr%255E%257Ctwcon%255Es1_%26ref_url=https://www.pcmag.com/news/company-that-buys-zero-day-hacks-now-wants-exploits-for-popular-vpns" style="height:446px;"></iframe>
</div>

<p>
	 
</p>

<p>
	Zerodium didn't say how much it's willing to pay for the hacking techniques. But its bounties can range from $100,000 up to $2.5 million for the most powerful zero-day exploits against Android and iOS. For now, Zerodium is merely calling on hackers and security researchers to submit “pre-offers” for the zero-day exploits via its website.  
</p>

<p>
	 
</p>

<p>
	Zerodium's tweet is unsettling, given that ExpressVPN, NordVPN, and Surfshark are highly rated and popular VPN services. But it's also true that hackers and fraudsters rely on VPN services too.
</p>

<p>
	 
</p>

<p>
	The technology works by rerouting your internet activity to the VPN provider’s servers and encrypting the connection, which can prevent an internet service provider from learning what you’ve been browsing. However, the zero-day exploits Zerodium is asking for could unravel the encryption and even hijack your PC or smartphone. 
</p>

<p>
	 
</p>

<p>
	The bounty from Zerodium also suggests the company’s clients are looking to spy on some users of the three VPN apps. Those customers include government institutions in the US and Europe “in need of advanced zero-day exploits and cybersecurity capabilities,” according to Zerodium’s website. 
</p>

<p>
	 
</p>

<p>
	“At Zerodium we take ethics very seriously and we choose our customers very carefully through a very strict due diligence and vetting process,” the site adds. “Access to acquired zero-day research is highly restricted and is limited to a very small number of government clients.”
</p>

<p>
	 
</p>

<p>
	Zerodium—along with ExpressVPN, NordVPN, and Surfshark—didn’t immediately respond to a request for comment. However, both ExpressVPN and NordVPN offer bug bounties, which means they'll pay you for uncovering vulnerabilities in their software. Still, the rewards are far lower than what Zerodium can potentially offer.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	&lt; View the video at the <a href="https://www.pcmag.com/news/company-that-buys-zero-day-hacks-now-wants-exploits-for-popular-vpns" rel="external nofollow">source page</a>. &gt;
</p>

<p style="text-align:center;">
	 
</p>

<p>
	<strong><a href="https://www.pcmag.com/news/company-that-buys-zero-day-hacks-now-wants-exploits-for-popular-vpns" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">2985</guid><pubDate>Tue, 19 Oct 2021 21:18:02 +0000</pubDate></item><item><title>Ireland&#x2019;s Facebook decision triggers argument over limits of GDPR</title><link>https://nsaneforums.com/news/security-privacy-news/ireland%E2%80%99s-facebook-decision-triggers-argument-over-limits-of-gdpr-r2978/</link><description><![CDATA[<p>
	<span style="font-size:20px;">Ireland largely upheld Facebook’s argument that it doesn’t need consent to collect data.</span>
</p>

<p>
	 
</p>

<p>
	EU officials are gearing up for a fight over how much leeway companies should have to process personal data after a decision targeting Facebook from Ireland’s privacy regulator prompted pushback from campaigners.
</p>

<p>
	 
</p>

<p>
	Ireland's Data Protection Commission (DPC) said last week it plans to fine Facebook between €28 million and €36 million over an alleged lack of transparency over what it does with users' data.
</p>

<p>
	 
</p>

<p>
	But for privacy campaigners and officials at other EU watchdogs, Ireland's decision gives Facebook too much leeway to collect data on users without first obtaining their explicit consent to do so.
</p>

<p>
	 
</p>

<p>
	The argument over the limits of Europe's flagship data protection law, the GDPR, is expected to heat up in coming weeks as data protection watchdogs from 27 EU countries are invited to weigh in on Ireland's draft Facebook decision before a final decision is made.
</p>

<p>
	 
</p>

<p>
	If Ireland's decision is upheld, that would "entail the end of data protection as we know it," said an official at a national privacy regulator who asked not to be named in order to discuss confidential deliberations between regulators.
</p>

<p>
	 
</p>

<p>
	That criticism echoed Austrian privacy campaigner Max Schrems, who filed the original complaint against Facebook and said that Ireland's decision amounted to a "GDPR bypass" because it allowed companies to gather data without consent.
</p>

<p>
	 
</p>

<p>
	"It is painfully obvious that Facebook simply tries to bypass the clear rules of the GDPR by relabeling the agreement on data use as a 'contract,'" he said.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:16px;"><strong>Contract or consent?</strong></span>
</p>

<p>
	<br />
	At the heart of the spat is Facebook's claim that it collects personal data as part of a contract with users, who know that the platform requires personal data in order to run its advertising-based business model and provide them with the Facebook service.
</p>

<p>
	 
</p>

<p>
	By invoking this "performance of a contract" clause in the GDPR, Facebook circumvents the need to obtain explicit consent from users to collect their data — which may otherwise take the form of a "yes" or "no" option to hand over personal data.
</p>

<p>
	 
</p>

<p>
	In its draft decision the DPC did not dispute Facebook's argument, but instead said it lacked the authority to rule on the question of whether the contract with users was fair. A ruling on that point would best be made by a consumer or competition authority, the regulator said.
</p>

<p>
	 
</p>

<p>
	The official at another data protection agency rejected that argument. "The whole idea that people sign up to Facebook to receive personalized advertising is pretty absurd. Not so much part of the offering as something that is unilaterally imposed on users against the wishes of the majority of them. There is no indication that the legislator wanted to legitimize this," the official said.
</p>

<p>
	 
</p>

<p>
	The Dublin regulator was set to collide with peers over its interpretation of the legal basis and particularly the point of what is "necessary" to fulfill a contract, the person added.
</p>

<p>
	 
</p>

<p>
	Yet the DPC is not the first European watchdog to approve Facebook's central argument about collecting data as part of a contract with users.
</p>

<p>
	In December, an Austrian court backed Facebook’s argument that it needed to process data to earn money through advertising in order to fulfill its contract with users to provide them with a “personalized communication platform” free of charge — even though Austria’s Supreme Court referred that case to the EU’s top court on appeal, highlighting the difficulty of the issues at hand.
</p>

<p>
	 
</p>

<p>
	A Dublin-based expert backed up the argument that there is a limit to what the regulator can say about Facebook's terms of service.
</p>

<p>
	 
</p>

<p>
	“Much as one would like the DPC to be able to make determinations on all aspects of a matter, inevitably questions arise which need to be referred to another forum or to another court,” said Daragh O’Brien, a privacy expert at Castlebridge, a consultancy. 
</p>

<p>
	 
</p>

<p>
	The spat reflects ongoing disagreements over just how far the GDPR should go toward regulating data, at a time when lawmakers in the United States are debating whether to enact federal privacy rules.
</p>

<p>
	 
</p>

<p>
	For example, Germany's competition authority tried to use data protection law to hobble Facebook's data practices. But the move faced tough legal pushback and now sits with the EU's top court, with questions focusing on whether the authority has strayed beyond its remit by invoking the GDPR to enforce competition rules.
</p>

<p>
	 
</p>

<p>
	Other EU privacy regulators now have a month in which to weigh in on Ireland's decision.
</p>

<p>
	 
</p>

<p>
	If other recent cross-border cases are anything to go by, they could push for a much higher fine than the €36 million upper-range sum proposed by Ireland's regulator.
</p>

<p>
	 
</p>

<p>
	September's €225 million fine for WhatsApp, for instance, started off as a €50 million penalty. Similarly, Luxembourg's proposal to fine Amazon around €357 million eventually led to a record €746 million penalty after input from other EU regulators.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:16px;"><strong><a href="https://www.politico.eu/article/ireland-facebook-decision-triggers-argument-over-limits-gdpr/" rel="external nofollow">Source</a></strong></span>
</p>
]]></description><guid isPermaLink="false">2978</guid><pubDate>Tue, 19 Oct 2021 15:08:20 +0000</pubDate></item><item><title>Hacker steals government ID database for Argentina&#x2019;s entire population</title><link>https://nsaneforums.com/news/security-privacy-news/hacker-steals-government-id-database-for-argentina%E2%80%99s-entire-population-r2970/</link><description><![CDATA[<p>
	A hacker has breached the Argentinian government’s IT network and stolen ID card details for the country’s entire population, data that is now being sold in private circles.
</p>

<p>
	 
</p>

<p>
	The hack, which took place last month, targeted RENAPER, which stands for Registro Nacional de las Personas, translated as <strong>National Registry of Persons.</strong>
</p>

<p>
	 
</p>

<p>
	The agency is a crucial cog inside the Argentinian Interior Ministry, where it is tasked with issuing national ID cards to all citizens, data that it also stores in digital format as a database accessible to other government agencies, acting as a backbone for most government queries for citizen’s personal information.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:20px;"><strong>Lionel Messi and Sergio Aguero data leaked on Twitter</strong></span>
</p>

<p>
	<br />
	The first evidence that someone breached RENAPER surfaced earlier this month on Twitter when a newly registered account named <strong>@AnibalLeaks</strong> published ID card photos and personal details for 44 Argentinian celebrities.
</p>

<p>
	 
</p>

<p>
	This included details for the country’s president Alberto Fernández, multiple journalists and political figures, and even data for soccer superstars Lionel Messi and Sergio Aguero.
</p>

<p>
	 
</p>

<p>
	A day after the images and personal details were published on Twitter, the hacker also posted an ad on a well-known hacking forum, offering to look up the personal details of any Argentinian user.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="Argentina-DB.png" class="ipsImage" data-ratio="75.10" height="461" width="720" src="https://therecord.media/wp-content/uploads/2021/10/Argentina-DB.png" />
</p>

<p style="text-align:center;">
	<em><span style="font-size:12px;">IMAGE: THE RECORD</span></em>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Faced with a media backlash following the Twitter leaks, the Argentinian government confirmed a security breach three days later.
</p>

<p>
	 
</p>

<p>
	In an October 13 press release, the Ministry of Interior said its security team discovered that a VPN account assigned to the Ministry of Health was used to query the RENAPER database for 19 photos “in the exact moment in which they were published on the social network Twitter.”
</p>

<p>
	 
</p>

<p>
	Officials added that “the [RENAPER] database <strong>did not suffer any data breach or leak</strong>,” and authorities are currently investigating eight government employees for a possible role in the leak.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:20px;"><strong>Hacker has a copy of the data, plans to sell and leak it</strong></span>
</p>

<p>
	 
</p>

<p>
	However, The Record contacted the individual who was renting access to the RENAPER database on hacking forums.
</p>

<p>
	 
</p>

<p>
	In a conversation earlier today, the hacker said they have a copy of the RENAPER data, contradicting the government’s official statement.
</p>

<p>
	 
</p>

<p>
	The individual proved their statement by providing the personal details, including the highly sensitive Trámite number, of an Argentinian citizen of our choosing.
</p>

<p>
	 
</p>

<p>
	“Maybe in a few days I’m going to publish [the data of] 1 million or 2 million people,” the RENAPER hacker told The Record earlier today. They also said they plan to continue selling access to this data to all interested buyers.
</p>

<p>
	 
</p>

<p>
	When The Record shared a link to the government’s press release in which officials blamed the intrusion on a possibly compromised VPN account, the hacker simply replied “careless employees yes,” indirectly confirming the point of entry.
</p>

<p>
	 
</p>

<p>
	According to a sample provided by the hacker online, the information they have access to right now includes full names, home addresses, birth dates, gender info, ID card issuance and expiration dates, labor identification codes, Trámite numbers, citizen numbers, and government photo IDs.
</p>

<p>
	 
</p>

<p>
	Argentina currently has an estimated population of more than 45 million, although it’s unclear how many entries are in the database. The hacker claimed to have it all.
</p>

<p>
	 
</p>

<p>
	This is the second major security breach in the country’s history after the Gorra Leaks in 2017 and 2019 when hacktivists leaked the personal details of Argentinian politicians and police forces.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://therecord.media/hacker-steals-government-id-database-for-argentinas-entire-population/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">2970</guid><pubDate>Tue, 19 Oct 2021 13:46:47 +0000</pubDate></item><item><title>A New Variant of FlawedGrace Spreading Through Mass Email Campaigns</title><link>https://nsaneforums.com/news/security-privacy-news/a-new-variant-of-flawedgrace-spreading-through-mass-email-campaigns-r2968/</link><description><![CDATA[<p>
	Cybersecurity researchers on Tuesday took the wraps off a mass volume email attack staged by a prolific cybercriminal gang affecting a wide range of industries, with one of its region-specific operations notably targeting Germany and Austria.
</p>

<p>
	 
</p>

<p>
	Enterprise security firm Proofpoint tied the malware campaign with high confidence to TA505, the name assigned to a financially motivated threat group that has been active in the cybercrime business since at least 2014 and is behind the infamous Dridex banking trojan and an arsenal of other malicious tools such as FlawedAmmyy, FlawedGrace, the Neutrino botnet, and Locky ransomware.
</p>

<p>
	 
</p>

<p>
	The attacks are said to have started as a series of low-volume email waves, delivering only several thousand messages in each phase, before ramping up in late September and as recently as October 13, resulting in tens to hundreds of thousands of emails.
</p>

<p>
	 
</p>

<p>
	"Many of the campaigns, especially the large volume ones, strongly resemble the historic TA505 activity from 2019 and 2020," the researchers said.
</p>

<p>
	 
</p>

<p>
	"The commonalities include similar domain naming conventions, email lures, Excel file lures, and the delivery of the FlawedGrace remote access trojan (RAT)."
</p>

<p>
	 
</p>

<p>
	The group has a track record of striking research institutes, banks, retail businesses, energy companies, healthcare institutions, airlines, and government agencies for profit-seeking motives, with the malicious activities typically commencing upon opening malware-laced attachments in phishing messages purported to be related to COVID-19 updates, insurance claims, or notifications about Microsoft OneDrive shared files.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="AVvXsEjfowPgNT_foQu604zza6EKuKEyVK3TiqHZ" class="ipsImage" data-ratio="61.81" height="440" width="720" src="https://thehackernews.com/new-images/img/a/AVvXsEjfowPgNT_foQu604zza6EKuKEyVK3TiqHZbYtkf_cRbqMI78IfoS7Et7vnTJv-AVLvsE7J5NPKhwjKGR0JPBGQURkifRqUx6clWNK5Nv7FX4Of2cI2zsLCZPnf8lITeeyTDqq1gIGdI_D4mwPsIUV3GtXSr7MMl95YCAWBgDpG7y-lPks3_Z6oE5u2" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	"Over time, TA505 evolved from a lesser partner to a mature, self-subsisting and versatile crime operation with a broad spectrum of targets," NCC Group said in an analysis published in November 2020. "Throughout the years the group heavily relied on third party services and tooling to support its fraudulent activities, however, the group now mostly operates independently from initial infection until monetization."
</p>

<p>
	 
</p>

<p>
	The success of the latest campaign, however, hinges on users enabling macros after opening the malicious Excel attachments, after which an obfuscated MSI file is downloaded to fetch next-stage loaders before the delivery of an updated version of the FlawedGrace RAT that incorporates support for encrypted strings and obfuscated API calls.
</p>

<p>
	 
</p>

<p>
	FlawedGrace — first observed in November 2017 — is a fully-featured remote access trojan (RAT) written in C++ that's deliberately designed to thwart reverse-engineering and analysis. It comes with a roster of capabilities that allow it to establish communications with a command-and-control server to receive instructions and exfiltrate the results of those commands back to the server.
</p>

<p>
	 
</p>

<p>
	The actor's October attack wave is also significant for its shift in tactics, which include the use of retooled intermediate loaders scripted in unusual languages like Rebol and KiXtart in place of Get2, a downloader previously deployed by the group to perform reconnaissance, and download and install final-stage RAT payloads.
</p>

<p>
	 
</p>

<p>
	"TA505 is an established threat actor that is financially motivated and known for conducting malicious email campaigns on a previously unprecedented scale," Proofpoint said. "The group regularly changes their TTPs and are considered trendsetters in the world of cybercrime. This threat actor does not limit its target set, and is, in fact, an equal opportunist with the geographies and verticals it chooses to attack."
</p>

<p>
	 
</p>

<p>
	"This combined with TA505's ability to be flexible, focusing on what is the most lucrative and shifting its TTPs as necessary, make the actor a continued threat," the cybersecurity firm added.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/10/a-new-variant-of-flawedgrace-spreading.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">2968</guid><pubDate>Tue, 19 Oct 2021 13:32:01 +0000</pubDate></item><item><title>Windows 10, Linux, iOS, Chrome and Many Others at Hacked Tianfu Cup 2021</title><link>https://nsaneforums.com/news/security-privacy-news/windows-10-linux-ios-chrome-and-many-others-at-hacked-tianfu-cup-2021-r2944/</link><description><![CDATA[<p>
	Windows 10, iOS 15, Google Chrome, Apple Safari, Microsoft Exchange Server, and Ubuntu 20 were successfully broken into using original, never-before-seen exploits at the Tianfu Cup 2021, the fourth edition of the international cybersecurity contest held in the city of Chengdu, China.
</p>

<p>
	 
</p>

<p>
	Targets this year included Google Chrome running on Windows 10 21H1, Apple Safari running on a MacBook Pro, Adobe PDF Reader, Docker CE, Ubuntu 20/CentOS 8, Microsoft Exchange Server 2019, Windows 10, VMware Workstation, VMware ESXi, Parallels Desktop, iPhone 13 Pro running iOS 15, domestic mobile phones running Android, QEMU VM, Synology DS220j DiskStation, and the ASUS RT-AX56U router.
</p>

<p>
	 
</p>

<p>
	The Chinese version of Pwn2Own was started in 2018 in the wake of government regulation in the country that barred security researchers from participating in international hacking competitions because of national security concerns.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="AVvXsEgyoyNlsioCW4vpEU5p3leLK3EIiq4YFVAN" class="ipsImage" data-ratio="75.10" height="540" width="561" src="https://thehackernews.com/new-images/img/a/AVvXsEgyoyNlsioCW4vpEU5p3leLK3EIiq4YFVANfCsSP6yvVVR68qbfbMBRvOxw67uAhiEpQMIqV8LZP3OETzZ0X2leuzI-hVSN36XyyqpBDqPn6G5vbqSB82UCf_93m8l7AAddD_X-GR56d9TGlg5tMWrXojIaYRdzUsEMN456zGsZY0lkW7B7-QXr1FId" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	With the exception of Synology DS220j NAS, Xiaomi Mi 11 smartphone, and an unnamed Chinese electric vehicle, attacks were mounted successfully against every other target —
</p>

<p>
	 
</p>

<ul>
	<li>
		Adobe PDF Reader
	</li>
	<li>
		Apple iPhone 13 Pro (running iOS 15)
	</li>
	<li>
		Apple Safari
	</li>
	<li>
		ASUS RT-AX56U
	</li>
	<li>
		Docker CE
	</li>
	<li>
		Google Chrome
	</li>
	<li>
		Microsoft Exchange Server
	</li>
	<li>
		Microsoft Windows 10
	</li>
	<li>
		Parallels Desktop
	</li>
	<li>
		QEMU VM
	</li>
	<li>
		Ubuntu 20/CentOS 8
	</li>
	<li>
		VMware ESXi
	</li>
	<li>
		VMware Workstation
	</li>
</ul>

<p>
	<br />
	The two-day tournament, which took place over the weekend on October 16 and 17, saw security researchers winning $1.88 million in prize money, with Kunlun Lab taking the top spot ($654,500) for demonstrating successful exploits in iOS 15, including a remote code execution flaw in mobile Safari within 15 seconds. Researchers from the cybersecurity firm also pwned Google Chrome "to get Windows system kernel level privilege with only two bugs," Kunlun Lab's CEO @mj0011 tweeted.
</p>

<p>
	 
</p>

<p>
	Team PangU emerged second with a total haul of $522,500 for showing off a remote jailbreak of an iPhone 13 Pro running iOS 15, marking the first time the newly released iPhone model has been cracked at a public forum, while the Vulnerability Research Institute (VRI) came third with $392,500.
</p>

<p>
	 
</p>

<p>
	Details of the flaws have not been made public, but the companies are expected to release patches for the newly uncovered flaws in the upcoming weeks.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/10/windows-10-linux-ios-chrome-and-many.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">2944</guid><pubDate>Mon, 18 Oct 2021 13:28:57 +0000</pubDate></item><item><title>REvil ransomware shuts down again after Tor sites were hijacked</title><link>https://nsaneforums.com/news/security-privacy-news/revil-ransomware-shuts-down-again-after-tor-sites-were-hijacked-r2942/</link><description><![CDATA[<p>
	The REvil ransomware operation has likely shut down once again after an unknown person hijacked their Tor payment portal and data leak blog.
</p>

<p>
	 
</p>

<p>
	The Tor sites went offline earlier today, with a threat actor affiliated with the REvil operation posting to the XSS hacking forum that someone hijacked the gang's domains.
</p>

<p>
	 
</p>

<p>
	The thread was first discovered by Recorded Future's <a href="https://twitter.com/ddd1ms" rel="external nofollow" target="_blank">Dmitry Smilyanets</a>, and states that an unknown person hijacked the Tor hidden services (onion domains) with the same private keys as REvil's Tor sites and likely has backups of the sites.
</p>

<p>
	 
</p>

<p>
	"But since we have today at 17.10 from 12:00 Moscow time, someone brought up the hidden-services of a landing and a blog with the same keys as ours, my fears were confirmed. The third party has backups with onion service keys," a threat actor known as '0_neday' posted to the hacking forum.
</p>

<p>
	 
</p>

<p>
	The threat actor went on to say that they found no signs of compromise to their servers but will be shutting down the operation. 
</p>

<p>
	 
</p>

<p>
	The threat actor then told affiliates to contact him for campaign decryption keys via Tox, likely so affiliates could continue extorting their victims and provide a decryptor if a ransom is paid.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="forum-post-1.jpg" class="ipsImage" data-ratio="75.10" height="393" width="720" src="https://www.bleepstatic.com/images/news/ransomware/r/revil/tor-servers-hijack/forum-post-1.jpg">
		</p>

		<figcaption>
			XSS forum topic about REvil sites being hijacked
		</figcaption>
	</figure>
</div>

<p>
	To launch a Tor hidden service (a .onion domain), you need to generate a private and public key pair, which is used to initialize the service.
</p>

<p>
	 
</p>

<p>
	The private key must be secured and only accessible to trusted admins, as anyone with access to this key could use it to launch the same .onion service on their own server.
</p>

<p>
	 
</p>

<p>
	As a third party was able to hijack the domains, it means they too have access to the hidden service's private keys.
</p>

<p>
	 
</p>

<p>
	This evening, 0_neday once again posted to the hacking forum topic, but this time saying that their server was compromised and that whoever did it was targeting the threat actor.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="forum-post-2.jpg" class="ipsImage" data-ratio="57.92" height="213" width="720" src="https://www.bleepstatic.com/images/news/ransomware/r/revil/tor-servers-hijack/forum-post-2.jpg">
		</p>

		<figcaption>
			Forum post stating the REvil server was compromised
		</figcaption>
	</figure>
</div>

<p>
	At this time, it is unknown who compromised their servers.
</p>

<p>
	 
</p>

<p>
	As Bitdefender and law enforcement gained access to the master REvil decryption key and <a href="https://www.bleepingcomputer.com/news/security/free-revil-ransomware-master-decrypter-released-for-past-victims/" target="_blank" rel="external nofollow">released a free decryptor</a>, some threat actors believe that the FBI or other law enforcement have had access to the servers since they relaunched.
</p>

<p>
	 
</p>

<p>
	As no one knows what happened to Unknown, it is also possible that the threat actor is trying to regain control over the operation.
</p>

<h2>
	REvil likely shut down for good
</h2>

<p>
	After <a href="https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-1-000-plus-companies-in-msp-supply-chain-attack/" target="_blank" rel="external nofollow">REvil conducted a massive attack</a> on companies through a zero-day vulnerability in the Kaseya MSP platform, the REvil operation suddenly shut down, and their public-facing representative, Unknown, disappeared.
</p>

<p>
	 
</p>

<p>
	After Unknown did not return, the rest of the REvil operators <a href="https://www.bleepingcomputer.com/news/security/revil-ransomware-is-back-in-full-attack-mode-and-leaking-data/" target="_blank" rel="external nofollow">launched the operation and websites again</a> in September using backups.
</p>

<p>
	 
</p>

<p>
	Since then, the ransomware operation has been struggling to recruit users, going as far as to <a href="https://twitter.com/y_advintel/status/1446528895537356825" rel="external nofollow" target="_blank">increase affiliates' commissions to 90%</a> to entice other threat actors to work with them.
</p>

<p>
	 
</p>

<p>
	With this latest mishap, the operation in its current form will likely be gone for good.
</p>

<p>
	 
</p>

<p>
	However, no good thing lasts forever when it comes to ransomware, and we will likely see them rebrand as a new operation shortly.
</p>

<p>
	 
</p>

<p>
	Thx to <a href="https://twitter.com/_TheEmperors_" rel="external nofollow" target="_blank">@_TheEmperors_</a> for the tip!
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/revil-ransomware-shuts-down-again-after-tor-sites-were-hijacked/" rel="external nofollow">REvil ransomware shuts down again after Tor sites were hijacked</a>
</p>
]]></description><guid isPermaLink="false">2942</guid><pubDate>Mon, 18 Oct 2021 01:59:45 +0000</pubDate></item><item><title>By strange coincidence, Apple&#x2019;s tracking clampdown has boosted its ad business by $5 billion</title><link>https://nsaneforums.com/news/security-privacy-news/by-strange-coincidence-apple%E2%80%99s-tracking-clampdown-has-boosted-its-ad-business-by-5-billion-r2935/</link><description><![CDATA[<div>
	<article>
		<p>
			In April Apple implemented its App Tracking Transparency plan, which required apps to obtain users' permission before collecting and sharing information about them across platforms, a permission that a vanishingly small percentage of users granted.
		</p>

		<p>
			 
		</p>

		<p>
			The result was that ad companies were having great difficulty targeting Apple users with relevant ads, but it turns out Apple’s own ad business was not similarly encumbered.
		</p>

		<p>
			 
		</p>

		<p>
			<a href="https://www.ft.com/content/074b881f-a931-4986-888e-2ac53e286b9d" rel="external nofollow" target="_blank">FT reports</a> that Apple’s share of the app-install ad business more than tripled since April, as its share of iPhone app downloads that result from clicking on an advert increased from 17% to 58% of installs.
		</p>

		<p>
			 
		</p>

		<p>
			<img alt="apple-ad-share-2.png" class="ipsImage" data-ratio="110.43" height="540" width="404" src="https://mspoweruser.com/wp-content/uploads/2021/10/apple-ad-share-2.png">
		</p>

		<p>
			 
		</p>
	</article>
</div>

<p>
	“It’s like Apple Search Ads has gone from playing in the minor leagues to winning the World Series in the span of half a year,” said Alex Bauer, head of product marketing at Branch.
</p>

<p>
	 
</p>

<p>
	The market is expected to grow from $58bn in 2019 to $118bn in 2022.
</p>

<p>
	 
</p>

<p>
	One unnamed mobile advertising executive said Apple had “given itself a free pass” because it is “not subject to the same policy that every other ad network is”.
</p>

<p>
	 
</p>

<p>
	The parking app SpotHero said the precision with which it was possible to focus ads on users through Apple’s advertising service jarred with the company’s rhetoric around privacy.
</p>

<p>
	 
</p>

<p>
	Chris Stevens, SpotHero’s chief marketing officer, pointed to the “retargeting” tool, a service offered by Apple to let companies follow users to re-engage with them at a future date.
</p>

<p>
	 
</p>

<p>
	“Apple was unable to validate for us that Apple’s solutions are compliant with Apple’s policy,” he said. “Despite multiple requests and trying to get them to confirm that their products are compliant with their own solutions, we were unable to get there.”
</p>

<p>
	 
</p>

<p>
	Despite the clear boost to Apple as the result of their policies, Apple said its privacy features were designed to protect users. “The technologies are part of one comprehensive system designed to help developers implement safe advertising practices and protect users — not to advantage Apple.”
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://mspoweruser.com/by-strange-coincidence-apples-tracking-clampdown-has-boosted-its-ad-business-by-5-billion/" rel="external nofollow">By strange coincidence, Apple’s tracking clampdown has boosted its ad business by $5 billion</a>
</p>
]]></description><guid isPermaLink="false">2935</guid><pubDate>Sun, 17 Oct 2021 23:28:02 +0000</pubDate></item><item><title>Bank manager tricked into handing $35m to scammers using fake 'deep voice' tech</title><link>https://nsaneforums.com/news/security-privacy-news/bank-manager-tricked-into-handing-35m-to-scammers-using-fake-deep-voice-tech-r2923/</link><description><![CDATA[<p>
	<span style="font-size:16px;">Plus: Microsoft Translator machine learning software now supports over 100 languages</span>
</p>

<p>
	 
</p>

<p>
	Authorities in the United Arab Emirates have requested the US Department of Justice's help in probing a case involving a bank manager who was swindled into transferring $35m to criminals by someone using a fake AI-generated voice.
</p>

<p>
	 
</p>

<p>
	The employee received a call to move the company-owned funds by someone purporting to be a director from the business. He also previously saw emails that showed the company was planning to use the money for an acquisition, and had hired a lawyer to coordinate the process. When the sham director instructed him to transfer the money, he did so thinking it was a legitimate request.
</p>

<p>
	 
</p>

<p>
	But it was all a scam, according to US court documents reported by Forbes. The criminals used "deep voice technology to simulate the voice of the director," it said. Now officials from the UAE have asked the DoJ to hand over details of two US bank accounts where over $400,000 of the stolen money was deposited.
</p>

<p>
	 
</p>

<p>
	Investigators believe there are at least 17 people involved in the heist.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:16px;"><strong>AI systems need to see the human perspective</strong></span>
</p>

<p>
	 
</p>

<p>
	Facebook has teamed up with 13 universities across nine countries to compile Ego4D, a dataset containing more than 2,200 hours of first-person video in which 700 participants were filmed performing everyday activities like cooking or playing video games.
</p>

<p>
	 
</p>

<p>
	The antisocial network is hoping Ego4D will unlock new capabilities in augmented and virtual reality or robotics. New models trained on this data can be tested on a range of tasks, including episodic memory, predicting what happens next, coordinating hand movement to manipulate objects, and social interaction.
</p>

<p>
	 
</p>

<p>
	"Imagine your AR device displaying exactly how to hold the sticks during a drum lesson, guiding you through a recipe, helping you find your lost keys, or recalling memories as holograms that come to life in front of you," Facebook said in a blog post.
</p>

<p>
	 
</p>

<p>
	"Next-generation AI systems will need to learn from an entirely different kind of data – videos that show the world from the center of the action, rather than the sidelines," added Kristen Grauman, lead research scientist at Facebook.
</p>

<p>
	 
</p>

<p>
	Researchers will have access to Ego4D later next month subject to a data use agreement.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:16px;"><strong>Microsoft Translator's AI software</strong></span>
</p>

<p>
	 
</p>

<p>
	Microsoft Translator, language translation software powered by neural networks, can now translate over 100 different languages.
</p>

<p>
	 
</p>

<p>
	Twelve new languages and dialects were added to Microsoft Translator this week, ranging from endangered ones like Bashkir, spoken by a Kipchak Turkic ethnic group indigenous to Russia, to more common lingos like Mongolian. Microsoft Translator now supports 103 languages.
</p>

<p>
	 
</p>

<p>
	"One hundred languages is a good milestone for us to achieve our ambition for everyone to be able to communicate regardless of the language they speak," said Xuedong Huang, Microsoft technical fellow and Azure AI chief technology officer.
</p>

<p>
	 
</p>

<p>
	Xuedong said the software is based on a multilingual AI model called Z-code. The system deals with text, and is part of Microsoft's efforts to build a larger multimodal system capable of handling images, text, and audio, dubbed the XYZ-code vision. Microsoft Translator is deployed in a range of services, including the search engine Bing, and is offered as an API on its cloud platform, Azure Cognitive Services.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:16px;"><strong>ShotSpotter sues Vice for defamation and wants $300m in damages</strong></span>
</p>

<p>
	 
</p>

<p>
	The controversial AI gunshot-detection company ShotSpotter has sued Vice, claiming its business has been unfairly tarnished by a series of articles published by the news outlet.
</p>

<p>
	 
</p>

<p>
	"On July 26, 2021, Vice launched a defamatory campaign in which it falsely accused ShotSpotter of conspiring with police to fabricate and alter evidence to frame Black men for crimes they did not commit," the complaint said.
</p>

<p>
	 
</p>

<p>
	ShotSpotter accused the publication of portraying the company's technology and actions inaccurately to "cultivate a 'subversive' brand" used to sell products advertised in its "sponsored content".
</p>

<p>
	 
</p>

<p>
	The company made headlines when evidence used in a court trial to try to prove that a Black man had shot and killed another man was retracted. The defense lawyer accused ShotSpotter employees of tampering with the evidence to support the police's case. Vice allegedly made false claims that the biz routinely used its software to tag loud sounds as gunshots to help law enforcement prosecute innocent suspects in shooting cases.
</p>

<p>
	 
</p>

<p>
	When Vice's journalists were given proof to show that wasn't the case, they refused to correct their factual inaccuracies, the lawsuit claimed. ShotSpotter argued the articles had ruined its reputation and now it wants Vice to cough up a whopping $300m in damages.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:16px;"><strong>State of AI 2021</strong></span>
</p>

<p>
	 
</p>

<p>
	The annual State of AI report is out, compiled by two British tech investors, recapping this year's trends and developments in AI.
</p>

<p>
	 
</p>

<p>
	The fourth report from Nathan Benaich, a VC at Air Street Capital, and Ian Hogarth, co-founder of music app Songkick and an angel investor, focuses on transformers, a type of machine learning architecture best known for powering giant language models like OpenAI's GPT-3 or Google's BERT.
</p>

<p>
	 
</p>

<p>
	Transformers aren't just useful for generating text; they've proven adept in other areas, like computer vision or biology too. Machine learning technology is also continuing to mature – developers are deploying more systems to tackle real-world problems such as optimising energy through national electric grids or warehouse logistics for supermarkets.
</p>

<p>
	 
</p>

<p>
	That also applies to military applications, the pair warned. "AI researchers have traditionally seen the AI arms race as a figurative one – simulated dogfights between competing AI systems carried out in labs – but that is changing with reports of recent use of autonomous weapons by various militaries."
</p>

<p>
	 
</p>

<p>
	You can read the full report<a href="https://www.stateof.ai/" rel="external nofollow"> <span style="color:#c0392b;">here</span></a>. ®
</p>

<p>
	 
</p>

<p>
	<span style="font-size:16px;"><strong><a href="https://www.theregister.com/2021/10/16/ai_in_brief/" rel="external nofollow">Source</a></strong></span>
</p>
]]></description><guid isPermaLink="false">2923</guid><pubDate>Sat, 16 Oct 2021 13:48:31 +0000</pubDate></item><item><title>CISA Issues Warning On Cyber Threats Targeting Water and Wastewater Systems</title><link>https://nsaneforums.com/news/security-privacy-news/cisa-issues-warning-on-cyber-threats-targeting-water-and-wastewater-systems-r2906/</link><description><![CDATA[<p>
	The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday warned of continued ransomware attacks aimed at disrupting water and wastewater systems (WWS) facilities, highlighting five incidents that occurred between March 2019 and August 2021.
</p>

<p>
	 
</p>

<p>
	"This activity—which includes attempts to compromise system integrity via unauthorized access—threatens the ability of WWS facilities to provide clean, potable water to, and effectively manage the wastewater of, their communities," CISA, along with the Federal Bureau of Investigation (FBI), the Environmental Protection Agency (EPA), and the National Security Agency (NSA), <a href="https://us-cert.cisa.gov/ncas/alerts/aa21-287a" rel="external nofollow">said</a> in a joint bulletin.
</p>

<p>
	 
</p>

<p>
	Citing spear-phishing, outdated operating systems and software, and control system devices running vulnerable firmware versions as the primary intrusion vectors, the agencies singled out five different cyber attacks from 2019 to early 2021 targeting the WWS Sector —
</p>

<p>
	 
</p>

<ul>
	<li>
		A former employee at a Kansas-based WWS facility unsuccessfully attempted to remotely access a facility computer in March 2019 using credentials that hadn't been revoked
	</li>
	<li>
		Compromise of files and potential Makop ransomware observed at a New Jersey-based WWS facility in September 2020
	</li>
	<li>
		An unknown ransomware variant deployed against a Nevada-based WWS facility in March 2021
	</li>
	<li>
		Introduction of ZuCaNo ransomware onto a Maine-based WWS facility's wastewater SCADA computer in July 2021
	</li>
	<li>
		A Ghost variant ransomware attack against a California-based WWS facility in August 2021
	</li>
</ul>

<p>
	 
</p>

<p>
	The advisory is notable in the wake of a <a href="https://thehackernews.com/2021/02/poor-password-security-lead-to-recent.html" rel="external nofollow">February 2021 attack</a> at a water treatment facility in Oldsmar where an intruder broke into a computer system and remotely changed a setting that drastically altered the levels of sodium hydroxide (NaOH) in the water supply, before it was spotted by a plant operator, who quickly took steps to reverse the remotely issued command.
</p>

<p>
	 
</p>

<p>
	In addition to requiring multi-factor authentication for all remote access to the operational technology (OT) network, the agencies have urged WWS facilities to limit remote access to only relevant users, implement network segmentation between IT and OT networks to prevent lateral movement, and build in the ability to fail over to alternate control systems in the event of an attack.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/10/cisa-issues-warning-on-cyber-threats.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">2906</guid><pubDate>Fri, 15 Oct 2021 14:34:21 +0000</pubDate></item><item><title>Brave improves bounce tracking protection with new Debouncing feature</title><link>https://nsaneforums.com/news/security-privacy-news/brave-improves-bounce-tracking-protection-with-new-debouncing-feature-r2903/</link><description><![CDATA[<p>
	The Nightly version of the Brave desktop browser supports a new privacy feature that Brave calls Debouncing.
</p>

<p>
	 
</p>

<p>
	Debouncing is designed to disarm a tracking method called Bounce Tracking, or Redirect Tracking. Bounce tracking refers to methods of tracking Internet users through the use of intermediary domains that get loaded when users click on links. It relies on tracking domains that get injected between a website and the destination of a link.
</p>

<p>
	 
</p>

<p>
	Site A and Site B may link to Destination Y and Destination Z. These sites act independently from each other. Add bounce tracking, and the opening of Destination Y and Destination Z takes a detour by loading Bounce Q first, before redirecting the user to the destination site.
</p>

<p>
	 
</p>

<p>
	With Q involved in the process, operators of the bounce tracker can identify the user and create a tracking profile. Clearly, the bigger the operator, the better the tracking.
</p>


<p>
	Internet users may sometimes notice that links that they clicked on get redirected through other sites before the actual destination is opened.
</p>

<h2>
	Debouncing in Brave Browser
</h2>

<p>
	<img alt="brave-browser-bounce-tracking-debouncing" class="ipsImage" data-ratio="75.10" height="456" width="720" src="https://www.ghacks.net/wp-content/uploads/2021/10/brave-browser-bounce-tracking-debouncing.webp">
</p>

<p>
	 
</p>

<p>
	Brave Browser protects users against bounce tracking with its new Debouncing feature. Brave maintains a list of known bounce tracking URLs, which it sources from various places, including extensions such as Clear URLs, URL Tracking Stripper, and Link Clearer. The list is <a data-wpel-link="external" href="https://github.com/brave/adblock-lists/blob/master/brave-lists/debounce.json" rel="external nofollow" target="_blank">available on GitHub</a>; it includes widely used bounce trackers such as linksynergy, out.reddit.com, instagram, facebook.com/1.php, youtube.com/redirect, and others.
</p>

<p>
	 
</p>

<p>
	The browser blocks access to tracking sites found on its block list and loads the destination immediately. Brave Browser applies the list to all links that users encounter while using the web browser.
</p>


<p>
	The feature is integrated and enabled in the Nightly version of Brave on the desktop already. The company plans to push it to the desktop release channel "shortly", according to the <a data-wpel-link="external" href="https://brave.com/privacy-updates-11/" rel="external nofollow" target="_blank">announcement</a>.
</p>

<p>
	 
</p>

<p>
	<strong>Closing Words</strong>
</p>

<p>
	 
</p>

<p>
	Brave's Debouncing feature improves the privacy of users of the desktop version. The next stable release version of Brave for the desktop includes the protective feature, which is enabled automatically in the browser.
</p>


<p>
	The company is not the only browser maker with support for such a feature. <a data-wpel-link="internal" href="https://www.ghacks.net/2020/08/06/how-to-enable-redirect-tracking-in-firefox/" rel="external nofollow">Mozilla integrated Redirect Tracking protection in Firefox 79 Stable</a>, which it released in mid-2020.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2021/10/15/brave-improves-bounce-tracking-protection-with-new-debouncing-feature/" rel="external nofollow">Brave improves bounce tracking protection with new Debouncing feature</a>
</p>
]]></description><guid isPermaLink="false">2903</guid><pubDate>Fri, 15 Oct 2021 06:09:22 +0000</pubDate></item><item><title>Broadcom Software's Symantec Threat Hunter Team discovers first-of-its-kind ransomware</title><link>https://nsaneforums.com/news/security-privacy-news/broadcom-softwares-symantec-threat-hunter-team-discovers-first-of-its-kind-ransomware-r2889/</link><description><![CDATA[<p>
	<span style="font-size:20px;">The new ransomware family, called Yanluowang, appears to still be under development and lacks some sophisticated features found in similar code. Nonetheless, Symantec said, it's dangerous.</span>
</p>

<p>
	 
</p>

<p>
	The Symantec Threat Hunter Team at Broadcom Software has discovered what appears to be a brand new family of ransomware named after the Chinese deity that judges the souls of the dead.
</p>

<p>
	 
</p>

<p>
	Yanluowang is the perfect ransomware for the Halloween season, though this particular malevolent digital spirit lacks the subtlety and sophistication of some of its more established (and more terrifying) brethren.
</p>

<p>
	 
</p>

<p>
	The lack of sophisticated features (and its unknownness) clued researchers into the fact that Yanluowang was likely new, rather than just poorly coded. "It's possible that implementing this was beyond the ability of the developers, but we think it's more likely that they plan to implement it at a later date and this was a minimum viable product," said Symantec principal editor Dick O'Brien. 
</p>

<p>
	 
</p>

<p>
	It's unknown where Yanluowang came from, who's behind it or if it has been used in any attacks other than the one that Symantec responded to against an unnamed "large organization." Among the files it obtained was code that Symantec said seemed to come from an underdeveloped ransomware family, and they were clued in by some suspicious use of the Active Directory query tool AdFind.
</p>

<p>
	 
</p>

<p>
	"This tool is often abused by ransomware attackers as a reconnaissance tool, as well as to equip the attackers with the resources that they need for lateral movement via Active Directory. Just days after the suspicious AdFind activity was observed on the victim organization, the attackers attempted to deploy the Yanluowang ransomware," Symantec's report said.
</p>

<p>
	 
</p>

<p>
	Yanluowang also leaves a few signs behind on a compromised computer before it actually deploys the ransomware itself: a .txt file with the number of remote machines on the network is created, which is run against Windows Management Instrumentation (WMI) to get a list of processes running on those machines; those processes are in turn logged to the .txt file for later retrieval.
</p>

<p>
	 
</p>

<p>
	Once installed, the Yanluowang ransomware itself stops all hypervisor VMs running on a compromised machine, ends the processes listed in the .txt file, encrypts files and drops a readme with a ransom note in it on the infected machine.
</p>

<p>
	 
</p>

<p>
	The note itself warns victims not to call law enforcement or a negotiator, the result of which would be DDoS attacks against the victim and calls to business partners to inform them of the infection. That chain of events would repeat, with data deletion being the eventual outcome. 
</p>

<p>
	 
</p>

<p>
	O'Brien said that, while new, no element of the Yanluowang ransomware is unique. That doesn't mean Yanluowang isn't a threat, though. "[Yanluowang] may not be as sophisticated as some of its peers, but a successful attack would nevertheless be highly disruptive to any organization," O'Brien said. 
</p>

<p>
	 
</p>

<p>
	Ransomware isn't a problem set to go away anytime soon. If anything, it'll only get worse as ransomware actors become better at writing code and exploiting vulnerabilities. Be sure your organization is following best practices for ransomware, like using zero-trust security and other next-generation security products and architectures.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:16px;"><strong><a href="https://www.techrepublic.com/article/broadcom-softwares-symantec-threat-hunter-team-discovers-first-of-its-kind-ransomware/" rel="external nofollow">Source</a></strong></span>
</p>
]]></description><guid isPermaLink="false">2889</guid><pubDate>Thu, 14 Oct 2021 21:15:07 +0000</pubDate></item><item><title>Google: We're Tracking 270 State-Sponsored Hacker Groups From Over 50 Countries</title><link>https://nsaneforums.com/news/security-privacy-news/google-were-tracking-270-state-sponsored-hacker-groups-from-over-50-countries-r2888/</link><description><![CDATA[<p>
	Google's Threat Analysis Group (TAG) on Thursday said it's tracking more than 270 government-backed threat actors from more than 50 countries, adding that it has sent approximately 50,000 alerts of state-sponsored phishing or malware attempts to customers since the start of 2021.
</p>

<p>
	 
</p>

<p>
	The warnings mark a 33% increase from 2020, the internet giant said, with the spike largely stemming from "blocking an unusually large campaign from a Russian actor known as APT28 or Fancy Bear."
</p>

<p>
	 
</p>

<p>
	Additionally, Google said it disrupted a number of campaigns mounted by an Iranian state-sponsored attacker group tracked as APT35 (aka Charming Kitten, Phosphorus, or Newscaster), including a sophisticated social engineering attack dubbed "Operation SpoofedScholars" aimed at think tanks, journalists, and professors with an aim to solicit sensitive information by masquerading as scholars with the University of London's School of Oriental and African Studies (SOAS).
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="AVvXsEh4Xn_qurvbCdZyRBjcfnmKGBFppnbjJPh5" class="ipsImage" data-ratio="75.10" height="540" width="685" src="https://thehackernews.com/new-images/img/a/AVvXsEh4Xn_qurvbCdZyRBjcfnmKGBFppnbjJPh5lbotO5Cr6GPKCOm1V25Uncx6botHSD45vw4RweG3Oa76XI6UM1Mp3eT2_IlVNFgAvJwwRTPUHG8LXA_bLBuAPTBhywxUeQDRhp-_USyHtmRCqoQOr6kKGocpFfW4GtEtAhPM43_GDlH3Mj0fbGMR0X8u" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Details of the attack were first publicly documented by enterprise security firm Proofpoint in July 2021.
</p>

<p>
	 
</p>

<p>
	Other past attacks involved the use of a spyware-infested VPN app uploaded to the Google Play Store that, when installed, could be leveraged to siphon sensitive information such as call logs, text messages, contacts, and location data from the infected devices. Furthermore, an unusual tactic adopted by APT35 concerned the use of Telegram to notify the attackers when phishing sites under their control have been visited in real-time via malicious JavaScript embedded into the pages.
</p>

<p>
	 
</p>

<p>
	The threat actor is also said to have impersonated policy officials by sending "non-malicious first contact email messages" modeled around the Munich Security and Think-20 (T20) Italy conferences as part of a phishing campaign to lure high-profile individuals into visiting rogue websites.
</p>

<p>
	"For years, this group has hijacked accounts, deployed malware, and used novel techniques to conduct espionage aligned with the interests of the Iranian government," Google TAG's Ajax Bash said.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/10/google-were-tracking-270-state.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">2888</guid><pubDate>Thu, 14 Oct 2021 21:08:14 +0000</pubDate></item><item><title>VirusTotal Releases Ransomware Report Based on Analysis of 80 Million Samples</title><link>https://nsaneforums.com/news/security-privacy-news/virustotal-releases-ransomware-report-based-on-analysis-of-80-million-samples-r2887/</link><description><![CDATA[<p>
	As many as 130 different ransomware families have been found to be active in 2020 and the first half of 2021, with Israel, South Korea, Vietnam, China, Singapore, India, Kazakhstan, Philippines, Iran, and the U.K. emerging as the most affected territories, a comprehensive analysis of 80 million ransomware-related samples has revealed.
</p>

<p>
	 
</p>

<p>
	Google's cybersecurity arm VirusTotal attributed a significant chunk of the activity to the GandCrab ransomware-as-a-service (RaaS) group (78.5%), followed by Babuk (7.61%), Cerber (3.11%), Matsnu (2.63%), Wannacry (2.41%), Congur (1.52%), Locky (1.29%), Teslacrypt (1.12%), Rkor (1.11%), and Reveon (0.70%).
</p>

<p>
	 
</p>

<p>
	"Attackers are using a range of approaches, including well-known botnet malware and other Remote Access Trojans (RATs) as vehicles to deliver their ransomware," VirusTotal Threat Intelligence Strategist Vicente Diaz said. "In most cases, they are using fresh or new ransomware samples for their campaigns."
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="AVvXsEhYsTjN-zfzw3_bMoUuQjgOk9KWZg764Rkk" class="ipsImage" data-ratio="59.03" height="420" width="720" src="https://thehackernews.com/new-images/img/a/AVvXsEhYsTjN-zfzw3_bMoUuQjgOk9KWZg764RkkLk14IATP3IKUaWSLRplpe--1c1RbQEmpFI-eQeNe2D1NrsohKqDvBlj5N0EKcOhpCB4kGJzRna1bZaH1NpVp0gQdRQDV413eX-qeRiuLzlLU_b5T83qlOHSpuXuBN0mi5-buH47xM8d6dLqAy42UdH0j" />
</p>

<p>
	Some of the other key points uncovered in the study are as follows —
</p>

<p>
	 
</p>

<ul>
	<li>
		GandCrab accounted for most of the ransomware activity in the first two quarters of 2020, with the Babuk ransomware family driving a surge of infections in July 2021.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		95% of ransomware files detected were Windows-based executables or dynamic link libraries (DLLs), while 2% were Android-based.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		Around 5% of the analyzed samples were associated with exploits related to Windows elevation of privileges, SMB information disclosures, and remote execution.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		Emotet, Zbot, Dridex, Gozi, and Danabot were the primary malware artifacts used to distribute ransomware.
	</li>
</ul>

<p>
	The findings come in the wake of a relentless wave of ransomware attacks aimed at critical infrastructure, with cybercriminal gangs aggressively pursuing victims in critical sectors, including pipeline operators and healthcare facilities, even as the landscape has witnessed a continuous shift wherein ransomware groups evolve, splinter, and reorganize under new names, or fall off the radar to evade scrutiny.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="AVvXsEiQmlB4XS3Mc5mHEGL0FZgppCiviKoSUS7k" class="ipsImage" data-ratio="41.81" height="297" width="720" src="https://thehackernews.com/new-images/img/a/AVvXsEiQmlB4XS3Mc5mHEGL0FZgppCiviKoSUS7kkxacxU7mRBdqqnE-8z2jOwf_l2dEqeMQkicLh1DAVrSjSRwnbrNTsGGF-JJp6PfAFjCfNamyOmR2jivj4aYvNwmlMXtDNCpzq9P5oDIuPZDyQgZWjyB9vY1FM-rRk4G2MkPuyfqCMH30--5vSk4-RtSt" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	If anything, the explosion of new malware families has drawn new actors into participating in these lucrative schemes, turning ransomware into a profitable criminal business model.
</p>

<p>
	 
</p>

<p>
	"While big campaigns come and go, there is a constant baseline of ransomware activity of approximately 100 ransomware families that never stops," the report said. "In terms of ransomware distribution attackers don't appear to need exploits other than for privilege escalation and for malware spreading within internal networks."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/10/virustotal-releases-ransomware-report.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">2887</guid><pubDate>Thu, 14 Oct 2021 15:43:36 +0000</pubDate></item><item><title>How Coinbase Phishers Steal One-Time Passwords</title><link>https://nsaneforums.com/news/security-privacy-news/how-coinbase-phishers-steal-one-time-passwords-r2873/</link><description><![CDATA[<div>
	<p>
		A recent phishing campaign targeting <strong>Coinbase </strong>users shows thieves are getting smarter about phishing one-time passwords (OTPs) needed to complete the login process. It also shows that phishers are attempting to sign up for new Coinbase accounts by the millions as part of an effort to identify email addresses that are already associated with active accounts.
	</p>

	<p>
		 
	</p>

	<div id="attachment_57249">
		<img alt="cbphish-reset.png" aria-describedby="caption-attachment-57249" data-ratio="48.06" loading="lazy" sizes="(max-width: 771px) 100vw, 771px" srcset="https://krebsonsecurity.com/wp-content/uploads/2021/10/cbphish-reset.png 1230w, https://krebsonsecurity.com/wp-content/uploads/2021/10/cbphish-reset-768x346.png 768w, https://krebsonsecurity.com/wp-content/uploads/2021/10/cbphish-reset-782x352.png 782w" width="720" src="https://krebsonsecurity.com/wp-content/uploads/2021/10/cbphish-reset.png">
		<p id="caption-attachment-57249">
			A Google-translated version of the now-defunct Coinbase phishing site, coinbase.com.password-reset[.]com
		</p>
	</div>

	<p>
		 
	</p>

	<p>
		Coinbase is the world’s second-largest cryptocurrency exchange, with roughly 68 million users from over 100 countries. The now-defunct phishing domain at issue — <strong>coinbase.com.password-reset[.]com</strong> — was targeting Italian Coinbase users (the site’s default language was Italian). And it was fairly successful, according to <strong>Alex Holden</strong>, founder of Milwaukee-based cybersecurity firm <a href="http://www.holdsecurity.com" rel="external nofollow" target="_blank">Hold Security</a>.
	</p>

	<p>
		 
	</p>

	<p>
		Holden’s team managed to peer inside some poorly hidden file directories associated with that phishing site, including its administration page. That panel, pictured in the redacted screenshot below, indicated the phishing attacks netted at least 870 sets of credentials before the site was taken offline.
	</p>

	<p>
		 
	</p>

	<div id="attachment_57248">
		<img alt="cbphish-red-782x526.png" class="ipsImage" data-ratio="73.06" height="484" width="720" src="https://krebsonsecurity.com/wp-content/uploads/2021/10/cbphish-red-782x526.png">
		<p id="caption-attachment-57248">
			The Coinbase phishing panel.
		</p>
	</div>

	<p>
		 
	</p>

	<p>
		Holden said each time a new victim submitted credentials at the Coinbase phishing site, the administrative panel would make a loud “ding” — presumably to alert whoever was at the keyboard on the other end of this phishing scam that they had a live one on the hook.
	</p>

	<p>
		 
	</p>

	<p>
		In each case, the phishers would manually push a button that caused the phishing site to ask visitors for more information, such as the one-time password from their mobile app.
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="cb-6digit-782x413.png" class="ipsImage" data-ratio="57.22" height="380" width="720" src="https://krebsonsecurity.com/wp-content/uploads/2021/10/cb-6digit-782x413.png">
	</p>

	<p>
		 
	</p>

	<p>
		“These guys have real-time capabilities of soliciting any input from the victim they need to get into their Coinbase account,” Holden said.
	</p>

	<p>
		 
	</p>

	<p>
		Pressing the “Send Info” button prompted visitors to supply additional personal information, including their name, date of birth, and street address. Armed with the target’s mobile number, they could also click “Send verification SMS” with a text message prompting them to text back a one-time code.
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="cbconfirmid-768x479.png" class="ipsImage" data-ratio="66.53" height="449" width="720" src="https://krebsonsecurity.com/wp-content/uploads/2021/10/cbconfirmid-768x479.png">
	</p>

	<h2>
		SIFTING COINBASE FOR ACTIVE USERS
	</h2>

	<p>
		Holden said the phishing group appears to have identified Italian Coinbase users by attempting to sign up new accounts under the email addresses of more than 2.5 million Italians. His team also managed to recover the username and password data that victims submitted to the site, and virtually all of the submitted email addresses ended in “.it”.
	</p>

	<p>
		 
	</p>

	<p>
		But the phishers in this case likely weren’t interested in registering any accounts. Rather, the bad guys understood that any attempts to sign up using an email address tied to an existing Coinbase account would fail. After doing that several million times, the phishers would then take the email addresses that failed new account signups and target them with Coinbase-themed phishing emails.
	</p>

	<p>
		 
	</p>

	<p>
		Holden’s data shows this phishing gang conducted hundreds of thousands of halfhearted account signup attempts daily. For example, on Oct. 10 the scammers checked more than 216,000 email addresses against Coinbase’s systems. The following day, they attempted to register 174,000 new Coinbase accounts.
	</p>

	<p>
		 
	</p>

	<p>
		In an emailed statement shared with KrebsOnSecurity, Coinbase said it takes “extensive security measures to ensure our platform and customer accounts remain as safe as possible.” Here’s the rest of their statement:
	</p>

	<p>
		 
	</p>

	<p style="margin-left: 40px;">
		“Like all major online platforms, Coinbase sees attempted automated attacks performed on a regular basis. Coinbase is able to automatically neutralize the overwhelming majority of these attacks, using a mixture of in-house machine learning models and partnerships with industry-leading bot detection and abuse prevention vendors. We continuously tune these models to block new techniques as we discover them. Coinbase’s Threat Intelligence and Trust &amp; Safety teams also work to monitor new automated abuse techniques, develop and apply mitigations, and aggressively pursue takedowns against malicious infrastructure. We recognize that attackers (and attack techniques) will continue to evolve, which is why we take a multi-layered approach to combating automated abuse.”
	</p>

	<p>
		 
	</p>

	<p>
		Last month, Coinbase <a href="https://blog.coinbase.com/phishing-attacks-are-on-the-rise-here-are-some-steps-you-can-take-to-protect-yourself-872833c7671b?gi=72d42505c9fd" rel="external nofollow" target="_blank">disclosed</a> that malicious hackers stole cryptocurrency from 6,000 customers after using a vulnerability to bypass the company’s SMS multi-factor authentication security feature.
	</p>

	<p>
		 
	</p>

	<p>
		“To conduct the attack, Coinbase says the attackers needed to know the customer’s email address, password, and phone number associated with their Coinbase account and have access to the victim’s email account,” Bleeping Computer’s <strong>Lawrence Abrams</strong> <a href="https://www.bleepingcomputer.com/news/security/hackers-rob-thousands-of-coinbase-customers-using-mfa-flaw/" rel="external nofollow" target="_blank">wrote</a>. “While it is unknown how the threat actors gained access to this information, Coinbase believes it was through phishing campaigns targeting Coinbase customers to steal account credentials, which have become common.”
	</p>

	<p>
		 
	</p>

	<p>
		This phishing scheme is another example of how crooks are coming up with increasingly ingenious methods for circumventing popular multi-factor authentication options, such as one-time passwords. Last month, KrebsOnSecurity <a href="https://krebsonsecurity.com/2021/09/the-rise-of-one-time-password-interception-bots/" rel="external nofollow" target="_blank">highlighted research</a> into several new services based on Telegram-based bots that make it relatively easy for crooks to phish OTPs from targets using automated phone calls and text messages. These OTP phishing services all assume the customer already has the target’s login credentials through some means — such as through a phishing site like the one examined in this story.
	</p>

	<p>
		 
	</p>

	<p>
		Savvy readers here no doubt already know this, but to find the true domain referenced in a link, look to the right of “http(s)://” until you encounter the first slash (/). The domain directly to the left of that first slash is the true destination; anything that precedes the second dot to the left of that first slash is a subdomain and should be ignored for the purposes of determining the true domain name.
	</p>

	<p>
		 
	</p>

	<p>
		In the phishing domain at issue here — <strong>coinbase.com.password-reset[.]com</strong> — password-reset[.]com is the destination domain, and the “coinbase.com” is just an arbitrary subdomain of password-reset[.]com. However, when viewed in a mobile device, many visitors to such a domain may only see the subdomain portion of the URL in their mobile browser’s address bar.
	</p>

	<p>
		 
	</p>

	<p>
		The best advice to sidestep phishing scams is to avoid clicking on links that arrive unbidden in emails, text messages or other media. Most phishing scams invoke a temporal element that warns of dire consequences should you fail to respond or act quickly. If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark so as to avoid <a href="https://krebsonsecurity.com/?s=typosquatting&amp;x=0&amp;y=0" rel="external nofollow" target="_blank">potential typosquatting sites</a>.
	</p>

	<p>
		 
	</p>

	<p>
		Also, never provide any information in response to an unsolicited phone call. It doesn’t matter who claims to be calling: If you didn’t initiate the contact, hang up. Don’t put them on hold while you call your bank; <a href="https://krebsonsecurity.com/2020/04/when-in-doubt-hang-up-look-up-call-back/" rel="external nofollow" target="_blank">the scammers can get around that, too</a>. Just hang up. Then you can call your bank or wherever else you need.
	</p>

	<p>
		 
	</p>

	<p>
		By the way, when was the last time you reviewed your multi-factor settings and options at the various websites entrusted with your most precious personal and financial information? It might be worth paying a visit to <a href="https://2fa.directory/" rel="external nofollow" target="_blank">2fa.directory</a> (formerly twofactorauth[.]org) for a checkup.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://krebsonsecurity.com/2021/10/how-coinbase-phishers-steal-one-time-passwords/" rel="external nofollow">How Coinbase Phishers Steal One-Time Passwords</a>
</p>
]]></description><guid isPermaLink="false">2873</guid><pubDate>Wed, 13 Oct 2021 23:32:40 +0000</pubDate></item><item><title>MyKings botnet still active and making massive amounts of money</title><link>https://nsaneforums.com/news/security-privacy-news/mykings-botnet-still-active-and-making-massive-amounts-of-money-r2872/</link><description><![CDATA[<p>
	The MyKings botnet (aka Smominru or DarkCloud) is still actively spreading, making massive amounts of money in crypto, five years after it first appeared in the wild.
</p>

<p>
	 
</p>

<p>
	Being one of the most analyzed botnets in recent history, MyKings is particularly interesting to researchers thanks to its vast infrastructure and versatile features, including bootkits, miners, droppers, clipboard stealers, and more.
</p>

<p>
	 
</p>

<p>
	The latest team of researchers to look into MyKings is Avast Threat Labs, which gathered 6,700 unique samples to analyze since the beginning of 2020.
</p>

<p>
	 
</p>

<p>
	During the same period, Avast actively prevented over 144,000 MyKings attacks against its clients, most of them based in Russia, India, and Pakistan.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="map.png" class="ipsImage" data-ratio="75.10" height="449" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/map.png">
		</p>

		<figcaption>
			Victims heat map<br>
			Source: Avast
		</figcaption>
	</figure>
</div>

<p>
	The botnet uses many cryptocurrency wallet addresses, with the balances in some of them being quite high. Avast believes that these wallets' cryptocurrency was amassed by the clipboard stealer and the crypto mining components.
</p>

<p>
	 
</p>

<p>
	The earnings reflected in the wallet addresses linked to MyKings are approximately $24.7 million. However, since the botnet uses more than 20 cryptocurrencies in total, this amount is only a part of its total financial gains.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="earnings.jpg" class="ipsImage" data-ratio="29.31" height="171" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/earnings.jpg">
		</p>

		<figcaption>
			Earnings concerning three cryptocurrencies<br>
			Source: Avast
		</figcaption>
	</figure>
</div>

<p>
	To protect the hardcoded wallet address value from extraction and analysis, the malware encrypts it with a simple ROT cipher. In general, though, no notable upgrades have been spotted on that front in the recent samples.
</p>

<h2>
	New URL substitution tricks
</h2>

<p>
	Apart from the wallet address substitution that diverts transactions, Avast has also <a href="http://decoded.avast.io/janrubin/the-king-is-dead-long-live-mykings/" rel="external nofollow" target="_blank">spotted a new monetization technique</a> used by MyKings operators involving the Steam gaming platform.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="trade%20links.png" class="ipsImage" data-ratio="53.73" height="360" width="670" src="https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/trade%20links.png">
		</p>

		<figcaption>
			Victimized Steam users complaining about the trade link changes<br>
			Source: Avast
		</figcaption>
	</figure>
</div>

<p>
	The latest versions of the malware also feature a new URL manipulation system in the clipboard stealer module, which the attackers created to hijack Steam item trade transactions. The module changes the trade offer URL, so the actor is placed at the receiving end, stealing valuable in-game items, etc.
</p>

<p>
	 
</p>

<p>
	Similar functionality was added for the Yandex disk storage cloud service, with MyKings manipulating the URLs sent by users to their acquaintances.
</p>

<p>
	 
</p>

<p>
	The modified links point to Yandex storage addresses containing RAR or ZIP archives named "photos," which deliver a copy of the MyKings malware to the recipients' machines.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="photos.png" class="ipsImage" data-ratio="71.50" height="439" width="614" src="https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/photos.png">
		</p>

		<figcaption>
			Fake 'photos' archive delivering malware<br>
			Source: Avast
		</figcaption>
	</figure>
</div>

<p>
	In 2018, MyKings was growing steadily, with the malware <a href="https://www.bleepingcomputer.com/news/security/smominru-botnet-infected-over-500-000-windows-machines/" target="_blank" rel="external nofollow">reaching 520,000 infections</a> and making millions of dollars for its operators. 
</p>

<p>
	 
</p>

<p>
	Today, it appears that the botnet has grown to new proportions while still managing to remain hidden and free from law enforcement crackdowns.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/mykings-botnet-still-active-and-making-massive-amounts-of-money/" rel="external nofollow">MyKings botnet still active and making massive amounts of money</a>
</p>
]]></description><guid isPermaLink="false">2872</guid><pubDate>Wed, 13 Oct 2021 23:26:51 +0000</pubDate></item><item><title>Apple silently fixes iOS zero-day, asks bug reporter to keep quiet</title><link>https://nsaneforums.com/news/security-privacy-news/apple-silently-fixes-ios-zero-day-asks-bug-reporter-to-keep-quiet-r2871/</link><description><![CDATA[<p>
	Apple has silently fixed a 'gamed' zero-day vulnerability with Monday's release of iOS 15.0.2, a security flaw that could let attackers gain access to sensitive user information.
</p>

<p>
	 
</p>

<p>
	The company addressed the bug <a href="https://twitter.com/illusionofcha0s/status/1447985867734278147" rel="external nofollow" target="_blank">without acknowledging or crediting software developer Denis Tokarev</a> for the discovery even though he reported the flaw seven months before iOS 15.0.2 was released.
</p>

<h2>
	Failures to credit bug reports
</h2>

<p>
	In July, Apple also silently patched an 'analyticsd' zero-day flaw with the release of iOS 14.7 without crediting Tokarev in the security advisory, instead promising to acknowledge his report in the security advisories for an upcoming update.
</p>

<p>
	 
</p>

<p>
	Since then, Apple published multiple security advisories (iOS 14.7.1, iOS 14.8, iOS 15.0, and iOS 15.0.1) addressing iOS vulnerabilities but, each time, they failed to credit his analyticsd bug report.
</p>

<p>
	 
</p>

<p>
	"Due to a processing issue, your credit will be included on the security advisories in an upcoming update. We apologize for the inconvenience," Apple told him when asked why the list of fixed iOS security bugs didn't include his zero-day.
</p>

<p>
	 
</p>

<p>
	Two days ago, <a href="https://www.bleepingcomputer.com/news/security/emergency-apple-ios-1502-update-fixes-zero-day-used-in-attacks/" target="_blank" rel="external nofollow">after iOS 15.0.2</a> was released, Tokarev emailed again about the lack of credit for the gamed and analyticsd flaws in the security advisories. Apple replied, asking him to treat the contents of their email exchange as confidential.
</p>

<p>
	 
</p>

<p>
	This wouldn't be the first time Apple's security team asked for confidentiality: the first time <a href="https://twitter.com/illusionofcha0s/status/1447985874306846721" rel="external nofollow" target="_blank">happened in August</a> when he was told the gamed zero-day would be fixed in a future security update and urged not to disclose the bug publicly.
</p>

<p>
	 
</p>

<p>
	"All things considered, they treat gamed vulnerability a bit better than analyticsd, at least they don't ignore me and lie to me this time," Tokarev told BleepingComputer.
</p>

<p>
	 
</p>

<p>
	Embedded tweet: <a href="https://twitter.com/illusionofcha0s/status/1448269165417148418" rel="external nofollow" target="_blank">https://twitter.com/illusionofcha0s/status/1448269165417148418</a>
</p>

<p>
	 
</p>

<p>
	Other bug bounty hunters and security researchers have also reported having similar experiences when reporting vulnerabilities to Apple's product security team via the Apple Security Bounty Program.
</p>

<p>
	 
</p>

<p>
	Some said bugs reported to Apple were silently fixed, with the company failing to give them credit, just as it happened in this case.
</p>

<p>
	 
</p>

<p>
	Others weren't paid the amount listed on Apple's official bounty page [<a href="http://twitter.com/VBarraquito/status/1438186052808757256?s=20" rel="external nofollow" target="_blank">1</a>, <a href="https://twitter.com/VBarraquito/status/1438186052808757256?s=20" rel="external nofollow" target="_blank">2</a>] or <a href="https://medium.com/macoclock/apple-security-bounty-a-personal-experience-fe9a57a81943" rel="external nofollow" target="_blank">haven't received any payment at all</a>, while some <a href="http://www.imore.com/developer-feels-robbed-apples-security-bounty-program" rel="external nofollow" target="_blank">have been kept in the dark</a> for <a href="https://twitter.com/theevilbit/status/1417935753775132676" rel="external nofollow" target="_blank">months on end</a> with <a href="https://theevilbit.github.io/posts/experiences_with_asb/" rel="external nofollow" target="_blank">no replies to their emails</a>.
</p>

<h2>
	Two zero-days left to (silently) patch
</h2>

<p>
	In total, Tokarev found four iOS zero-days and reported them to Apple between March 10 and May 4. In September, <a href="https://www.bleepingcomputer.com/news/security/researcher-drops-three-ios-zero-days-that-apple-refused-to-fix/" target="_blank" rel="external nofollow">he published proof-of-concept exploit code</a> and details on all iOS vulnerabilities after the company failed to credit him after patching the gamed zero-day in July.
</p>

<p>
	 
</p>

<p>
	If attackers successfully exploited the four vulnerabilities on unpatched iOS devices (i.e., iPhones and iPads), they could gain access to and harvest Apple ID emails, full names, Apple ID authentication tokens, installed apps info, WiFi info, and analytics logs (including medical and device information).
</p>

<p>
	 
</p>

<p>
	The complete list of iOS zero-days reported by Tokarev includes:
</p>

<p>
	 
</p>

<ul>
	<li>
		<p>
			<a href="https://github.com/illusionofchaos/ios-gamed-0day" rel="external nofollow">Gamed 0-day</a> (fixed in iOS 15.0.2): Bug exploitable through user-installed apps from App Store and giving unauthorized access to sensitive data normally protected by a TCC prompt or the platform sandbox ($100,000 on the Apple Security Bounty Program page)
		</p>
	</li>
	<li>
		<p>
			<a href="https://github.com/illusionofchaos/ios-nehelper-enum-apps-0day" rel="external nofollow">Nehelper Enumerate Installed Apps 0-day</a> (iOS 15.0): Allows any user-installed app to determine whether any app is installed on the device given its bundle ID.
		</p>
	</li>
	<li>
		<p>
			<a href="https://github.com/illusionofchaos/ios-nehelper-wifi-info-0day" rel="external nofollow">Nehelper Wifi Info 0-day</a> (iOS 15.0): Makes it possible for any qualifying app (e.g., possessing location access authorization) to gain access to Wifi information without the required entitlement.
		</p>
	</li>
	<li>
		<p>
			<a href="https://github.com/illusionofchaos/ios-analyticsd-pre14.7-exploit" rel="external nofollow">Analyticsd (fixed in iOS 14.7)</a>: Allows any user-installed app to access analytics logs.
		</p>
	</li>
</ul>

<p>
	 
</p>

<p>
	"We saw your blog post regarding this issue and your other reports. We apologize for the delay in responding to you," Apple told Tokarev 24 hours after publishing the zero-days and the exploit code on his blog.
</p>

<p>
	 
</p>

<p>
	"We want to let you know that we are still investigating these issues and how we can address them to protect customers. Thank you again for taking the time to report these issues to us, we appreciate your assistance."
</p>

<p>
	 
</p>

<p>
	Apple has also fixed a second zero-day vulnerability in iOS 15.0.2 and iPadOS 15.0.2, actively exploited in the wild to target iPhones and iPads.
</p>

<p>
	 
</p>

<p>
	This bug, tracked as CVE-2021-30883, is a critical memory corruption flaw in the IOMobileFrameBuffer, allowing malicious applications to execute commands on vulnerable devices with kernel privileges.
</p>

<p>
	 
</p>

<p>
	Apple has not replied to emails BleepingComputer sent since September 24, asking for an official statement and more details.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/apple/apple-silently-fixes-ios-zero-day-asks-bug-reporter-to-keep-quiet/" rel="external nofollow">Apple silently fixes iOS zero-day, asks bug reporter to keep quiet</a>
</p>
]]></description><guid isPermaLink="false">2871</guid><pubDate>Wed, 13 Oct 2021 23:24:17 +0000</pubDate></item><item><title>Russia and China left out of global anti-ransomware meetings</title><link>https://nsaneforums.com/news/security-privacy-news/russia-and-china-left-out-of-global-anti-ransomware-meetings-r2870/</link><description><![CDATA[<p>
	The White House National Security Council is facilitating virtual meetings this week with senior officials and ministers from more than 30 countries, an international counter-ransomware event intended to rally allies in the fight against the ransomware threat.
</p>

<p>
	 
</p>

<p>
	Publicly disclosed ransomware payments have reached more than $400 million globally in 2020 and over $81 million in the first quarter of 2021, according to a <a href="https://www.whitehouse.gov/briefing-room/statements-releases/2021/10/13/fact-sheet-ongoing-public-u-s-efforts-to-counter-ransomware/" rel="external nofollow" target="_blank">fact sheet</a> published today by the White House.
</p>

<h2>
	International counter-ransomware virtual meetings
</h2>

<p>
	President Joe Biden announced on October 1 that <a href="https://www.bleepingcomputer.com/news/security/us-unites-30-countries-to-disrupt-global-ransomware-attacks/" target="_blank" rel="external nofollow">the U.S. would bring together allies and partners from 30 countries</a> to join efforts to crack down on ransomware groups behind a barrage of attacks impacting organizations worldwide.
</p>

<p>
	 
</p>

<p>
	The Counter-Ransomware Initiative meetings come in response to ongoing attacks, including ransomware attacks on <a href="https://www.bleepingcomputer.com/tag/colonial-pipeline/" target="_blank" rel="external nofollow">Colonial Pipeline</a>, <a href="https://www.bleepingcomputer.com/news/security/food-giant-jbs-foods-shuts-down-production-after-cyberattack/" target="_blank" rel="external nofollow">JBS Foods</a>, and <a href="https://www.bleepingcomputer.com/news/security/kaseya-roughly-1-500-businesses-hit-by-revil-ransomware-attack/" target="_blank" rel="external nofollow">Kaseya</a> in the U.S., which have revealed significant vulnerabilities across critical worldwide infrastructure.
</p>

<p>
	 
</p>

<p>
	"We're hosting — we're facilitating a virtual meeting. It'll be joined by ministers and senior officials from over 30 countries and the European Union to accelerate cooperation to counter ransomware," a senior administration official told reporters in a <a href="https://www.whitehouse.gov/briefing-room/press-briefings/2021/10/13/background-press-call-on-the-virtual-counter-ransomware-initiative-meeting/" rel="external nofollow" target="_blank">background press call</a> today.
</p>

<p>
	 
</p>

<p>
	"The Counter-Ransomware Initiative will meet over two days, and participants will cover everything from efforts to improve national resilience, to experiences addressing the misuse of virtual currency to launder ransom payments, our respective efforts to disrupt and prosecute ransomware criminals, and diplomacy as a tool to counter ransomware."
</p>

<p>
	 
</p>

<p>
	The areas that will be covered during this week's meetings (national resilience, countering illicit finance, disruption, and diplomacy) line up with the Biden Administration's counter-ransomware endeavors, which are organized along four different lines of effort:
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>Disrupt Ransomware Infrastructure and Actors:</strong> The Administration is bringing the full weight of U.S. government capabilities to disrupt ransomware actors, facilitators, networks, and financial infrastructure;
	</li>
	<li>
		<strong>Bolster Resilience to Withstand Ransomware Attacks</strong>: The Administration has called on the private sector to step up its investment and focus on cyber defenses to meet the threat. The Administration has also outlined the expected cybersecurity thresholds for critical infrastructure and introduced cybersecurity requirements for critical transportation infrastructure;
	</li>
	<li>
		<strong>Address the Abuse of Virtual Currency to Launder Ransom Payments</strong>: Virtual currency is subject to the same Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) controls applied to fiat currency, and those controls and laws must be enforced. The Administration is leveraging existing capabilities and acquiring innovative capabilities to trace and interdict ransomware proceeds; and
	</li>
	<li>
		<strong>Leverage International Cooperation to Disrupt the Ransomware Ecosystem and Address Safe Harbors for Ransomware Criminals</strong>: Responsible states do not permit criminals to operate with impunity from within their borders.
	</li>
</ul>

<p>
	 
</p>

<p>
	As part of this ongoing fight against ransomware cybercrime groups, President Biden also <a href="https://www.bleepingcomputer.com/news/security/new-us-security-memorandum-bolsters-critical-infrastructure-cybersecurity/" target="_blank" rel="external nofollow">issued a U.S. security memorandum</a> to bolster critical infrastructure cybersecurity by setting baseline performance goals for owners and operators.
</p>

<p>
	 
</p>

<p>
	Deputy National Security Advisor Anne Neuberger told U.S. businesses <a href="https://www.bleepingcomputer.com/news/security/white-house-urges-businesses-to-take-ransomware-crime-seriously/" target="_blank" rel="external nofollow">to take ransomware seriously</a> after the Colonial Pipeline and JBS ransomware attacks.
</p>

<p>
	 
</p>

<p>
	White House Press Secretary Jen Psaki added that the U.S. administration will <a href="https://www.bleepingcomputer.com/news/security/us-warns-of-action-against-ransomware-gangs-if-russia-refuses/" target="_blank" rel="external nofollow">take action against ransomware groups</a> operating within Russia's borders if "the Russian government cannot or will not."
</p>

<p>
	 
</p>

<p>
	In July, <a href="https://www.bleepingcomputer.com/news/security/interpol-urges-police-to-unite-against-potential-ransomware-pandemic/" target="_blank" rel="external nofollow">Interpol also urged police agencies and industry partners</a> worldwide to fight together against the ransomware threat after G7 leaders <a href="https://www.bleepingcomputer.com/news/security/g7-leaders-ask-russia-to-hunt-down-ransomware-gangs-within-its-borders/" target="_blank" rel="external nofollow">asked Russia to disrupt Russian-based ransomware gangs</a> within its borders.
</p>

<h2>
	Russia and China left out 
</h2>

<p>
	Even though Moscow and Washington have managed to resume cooperation in several areas, which led to several hits on the Evil Corp., TrickBot, and REvil gangs, according to <a href="https://www.kommersant.ru/doc/5007866" rel="external nofollow" target="_blank">Kommersant</a>, Russia and China were not invited to this week's counter-ransomware meetings.
</p>

<p>
	 
</p>

<p>
	"We've worked with allies and partners to hold nation-states accountable for malicious cyberactivity as evidenced by, really, the broadest international support we had ever in our attributions for Russia and China's malicious cyber activities in the last few months," the official added.
</p>

<p>
	 
</p>

<p>
	"The Experts Group continues to meet to address the ransomware threat and to press Russia to act against criminal ransomware activities emanating from its territory. In this first round of discussions, we did not invite the Russians to participate for a host of reasons, including various constraints."
</p>

<p>
	 
</p>

<p>
	The official also said that the Biden administration has observed the Russian government taking steps towards cracking down on ransomware gangs active on its territory, with more results and follow-up actions expected.
</p>

<p>
	 
</p>

<p>
	"We do look to the Russian government to address ransomware criminal activity coming from actors within Russia. I can report that we've had, in the Experts Group, frank and professional exchanges in which we've communicated those expectations.
</p>

<p>
	 
</p>

<p>
	"We've also shared information with Russia regarding criminal ransomware activity being conducted from its territory. We've seen some steps by the Russian government and are looking to see follow-up actions."
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/russia-and-china-left-out-of-global-anti-ransomware-meetings/" rel="external nofollow">Russia and China left out of global anti-ransomware meetings</a>
</p>
]]></description><guid isPermaLink="false">2870</guid><pubDate>Wed, 13 Oct 2021 23:22:04 +0000</pubDate></item><item><title>Microsoft October 2021 Patch Tuesday fixes 4 zero-days, 71 flaws</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-october-2021-patch-tuesday-fixes-4-zero-days-71-flaws-r2850/</link><description><![CDATA[<p>
	Today is Microsoft's October 2021 Patch Tuesday, and with it comes fixes for four zero-day vulnerabilities and a total of 74 flaws.
</p>

<p>
	 
</p>

<p>
	Microsoft has fixed 74 vulnerabilities (81 including Microsoft Edge) with today's update, with three classified as Critical, 70 as Important, and one as Low.
</p>

<p>
	 
</p>

<p>
	These 81 vulnerabilities (including Microsoft Edge) are classified as:
</p>

<p>
	 
</p>

<ul>
	<li>
		21 Elevation of Privilege Vulnerabilities
	</li>
	<li>
		6 Security Feature Bypass Vulnerabilities
	</li>
	<li>
		20 Remote Code Execution Vulnerabilities
	</li>
	<li>
		13 Information Disclosure Vulnerabilities
	</li>
	<li>
		5 Denial of Service Vulnerabilities
	</li>
	<li>
		9 Spoofing Vulnerabilities
	</li>
</ul>

<p>
	 
</p>

<p>
	For information about the non-security Windows updates, you can read about today's <a href="https://www.bleepingcomputer.com/news/microsoft/windows-11-kb5006674-update-released-with-compatibility-fixes/" target="_blank" rel="external nofollow">Windows 11 KB5006674 cumulative update</a> and the <a href="https://www.bleepingcomputer.com/news/microsoft/windows-10-updates-kb5006670-and-kb5006667-released/" target="_blank" rel="external nofollow">Windows 10 updates KB5006670 &amp; KB5006667 cumulative updates</a>.
</p>

<h2>
	Four zero-days fixed, with one actively exploited
</h2>

<p>
	October's Patch Tuesday includes fixes for four zero-day vulnerabilities, with a Win32k Elevation of Privilege Vulnerability known to have been actively exploited in attacks.
</p>

<p>
	 
</p>

<p>
	Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available.
</p>

<p>
	 
</p>

<p>
	The actively exploited vulnerability was discovered by Kaspersky's <a href="https://twitter.com/oct0xor" rel="external nofollow" target="_blank">Boris Larin (oct0xor)</a> and allows malware or a threat actor to gain elevated privileges on a Windows device.
</p>

<p>
	 
</p>

<ul>
	<li>
		<a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40449" rel="external nofollow" target="_blank">CVE-2021-40449</a> - Win32k Elevation of Privilege Vulnerability
	</li>
</ul>

<p>
	 
</p>

<p>
	Kaspersky <a href="https://www.bleepingcomputer.com/news/security/chinese-hackers-use-windows-zero-day-to-attack-defense-it-firms/" target="_blank" rel="external nofollow">disclosed today</a> that the vulnerability was used by threat actors in "widespread espionage campaigns against IT companies, military/defense contractors, and diplomatic entities." 
</p>

<p>
	 
</p>

<p>
	As part of the attacks, the threat actors installed a remote access trojan (RAT) that was elevated to higher permissions using the zero-day Windows vulnerability. 
</p>

<p>
	 
</p>

<p>
	Kaspersky calls this cluster of malicious activity MysterySnail and attributes it to IronHusky and Chinese-speaking APT activity.
</p>

<p>
	 
</p>

<p>
	Microsoft also fixed three other publicly disclosed vulnerabilities that are not known to be exploited in attacks.
</p>

<p>
	 
</p>

<ul>
	<li>
		<a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40469" rel="external nofollow" target="_blank">CVE-2021-40469</a> - Windows DNS Server Remote Code Execution Vulnerability
	</li>
	<li>
		<a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-41335" rel="external nofollow" target="_blank">CVE-2021-41335</a> - Windows Kernel Elevation of Privilege Vulnerability
	</li>
	<li>
		<a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-41338" rel="external nofollow" target="_blank">CVE-2021-41338</a> - Windows AppContainer Firewall Rules Security Feature Bypass Vulnerability
	</li>
</ul>

<h2>
	Recent updates from other companies
</h2>

<p>
	Other vendors who released updates in July include:
</p>

<p>
	 
</p>

<ul>
	<li>
		Adobe's <a href="https://helpx.adobe.com/security/security-bulletin.html" rel="external nofollow" target="_blank">October security updates</a> were released for various applications.
	</li>
	<li>
		Android's October security updates were <a href="https://www.bleepingcomputer.com/news/security/android-october-patch-fixes-three-critical-bugs-41-flaws-in-total/" target="_blank" rel="external nofollow">released</a> last week.
	</li>
	<li>
		Apache <a href="https://www.bleepingcomputer.com/news/security/apache-emergency-update-fixes-incomplete-patch-for-exploited-bug/" target="_blank" rel="external nofollow">released HTTP Web Server 2.4.51</a> to fix an incomplete patch for an actively exploited vulnerability.
	</li>
	<li>
		Apple released <a href="https://support.apple.com/en-us/HT212846" rel="external nofollow" target="_blank">security updates</a> for iOS and iPadOS yesterday that fix an actively exploited zero-day vulnerability.
	</li>
	<li>
		Cisco <a href="https://tools.cisco.com/security/center/publicationListing.x" rel="external nofollow" target="_blank">released security updates</a> for numerous products this month.
	</li>
	<li>
		SAP <a href="https://wiki.scn.sap.com/wiki/x/v4D-Ig" rel="external nofollow" target="_blank">released</a> its October 2021 security updates.
	</li>
	<li>
		VMware released security updates [<a href="http://www.vmware.com/security/advisories/VMSA-2021-0021.html" rel="external nofollow" target="_blank">1</a>, <a href="https://www.vmware.com/security/advisories/VMSA-2021-0022.html" rel="external nofollow" target="_blank">2</a>, <a href="https://www.vmware.com/security/advisories/VMSA-2021-0023.html" rel="external nofollow" target="_blank">3</a>] for VMware vRealize Operations.
	</li>
</ul>

<h2>
	The October 2021 Patch Tuesday Security Updates
</h2>

<p>
	Below is the complete list of resolved vulnerabilities and released advisories in the October 2021 Patch Tuesday updates. To access the full description of each vulnerability and the systems that it affects, you can view the <a href="https://www.bleepingcomputer.com/microsoft-patch-tuesday-reports/October-2021.html" target="_blank" rel="external nofollow">full report here</a>.
</p>

<p>
	 
</p>

<div>
	<table border="1px solid black;">
		<tbody>
			<tr>
				<th>
					Tag
				</th>
				<th>
					CVE ID
				</th>
				<th>
					CVE Title
				</th>
				<th>
					Severity
				</th>
			</tr>
			<tr>
				<td>
					.NET Core &amp; Visual Studio
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41355" rel="external nofollow" target="_blank">CVE-2021-41355</a>
				</td>
				<td>
					.NET Core and Visual Studio Information Disclosure Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Active Directory Federation Services
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41361" rel="external nofollow" target="_blank">CVE-2021-41361</a>
				</td>
				<td>
					Active Directory Federation Server Spoofing Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Console Window Host
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41346" rel="external nofollow" target="_blank">CVE-2021-41346</a>
				</td>
				<td>
					Console Window Host Security Feature Bypass Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					HTTP.sys
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26442" rel="external nofollow" target="_blank">CVE-2021-26442</a>
				</td>
				<td>
					Windows HTTP.sys Elevation of Privilege Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Microsoft DWM Core Library
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41339" rel="external nofollow" target="_blank">CVE-2021-41339</a>
				</td>
				<td>
					Microsoft DWM Core Library Elevation of Privilege Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Microsoft Dynamics
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40457" rel="external nofollow" target="_blank">CVE-2021-40457</a>
				</td>
				<td>
					Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Microsoft Dynamics
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41353" rel="external nofollow" target="_blank">CVE-2021-41353</a>
				</td>
				<td>
					Microsoft Dynamics 365 (on-premises) Spoofing Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Microsoft Dynamics
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41354" rel="external nofollow" target="_blank">CVE-2021-41354</a>
				</td>
				<td>
					Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Microsoft Edge (Chromium-based)
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-37978" rel="external nofollow" target="_blank">CVE-2021-37978</a>
				</td>
				<td>
					Chromium: CVE-2021-37978 Heap buffer overflow in Blink
				</td>
				<td>
					Unknown
				</td>
			</tr>
			<tr>
				<td>
					Microsoft Edge (Chromium-based)
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-37979" rel="external nofollow" target="_blank">CVE-2021-37979</a>
				</td>
				<td>
					Chromium: CVE-2021-37979 Heap buffer overflow in WebRTC
				</td>
				<td>
					Unknown
				</td>
			</tr>
			<tr>
				<td>
					Microsoft Edge (Chromium-based)
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-37980" rel="external nofollow" target="_blank">CVE-2021-37980</a>
				</td>
				<td>
					Chromium: CVE-2021-37980 Inappropriate implementation in Sandbox
				</td>
				<td>
					Unknown
				</td>
			</tr>
			<tr>
				<td>
					Microsoft Edge (Chromium-based)
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-37977" rel="external nofollow" target="_blank">CVE-2021-37977</a>
				</td>
				<td>
					Chromium: CVE-2021-37977 Use after free in Garbage Collection
				</td>
				<td>
					Unknown
				</td>
			</tr>
			<tr>
				<td>
					Microsoft Edge (Chromium-based)
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-37974" rel="external nofollow" target="_blank">CVE-2021-37974</a>
				</td>
				<td>
					Chromium: CVE-2021-37974 Use after free in Safe Browsing
				</td>
				<td>
					Unknown
				</td>
			</tr>
			<tr>
				<td>
					Microsoft Edge (Chromium-based)
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-37975" rel="external nofollow" target="_blank">CVE-2021-37975</a>
				</td>
				<td>
					Chromium: CVE-2021-37975 Use after free in V8
				</td>
				<td>
					Unknown
				</td>
			</tr>
			<tr>
				<td>
					Microsoft Edge (Chromium-based)
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-37976" rel="external nofollow" target="_blank">CVE-2021-37976</a>
				</td>
				<td>
					Chromium: CVE-2021-37976 Information leak in core
				</td>
				<td>
					Unknown
				</td>
			</tr>
			<tr>
				<td>
					Microsoft Exchange Server
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26427" rel="external nofollow" target="_blank">CVE-2021-26427</a>
				</td>
				<td>
					Microsoft Exchange Server Remote Code Execution Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Microsoft Exchange Server
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34453" rel="external nofollow" target="_blank">CVE-2021-34453</a>
				</td>
				<td>
					Microsoft Exchange Server Denial of Service Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Microsoft Exchange Server
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41348" rel="external nofollow" target="_blank">CVE-2021-41348</a>
				</td>
				<td>
					Microsoft Exchange Server Elevation of Privilege Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Microsoft Exchange Server
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41350" rel="external nofollow" target="_blank">CVE-2021-41350</a>
				</td>
				<td>
					Microsoft Exchange Server Spoofing Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Microsoft Graphics Component
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41340" rel="external nofollow" target="_blank">CVE-2021-41340</a>
				</td>
				<td>
					Windows Graphics Component Remote Code Execution Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Microsoft Intune
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41363" rel="external nofollow" target="_blank">CVE-2021-41363</a>
				</td>
				<td>
					Intune Management Extension Security Feature Bypass Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Microsoft Office Excel
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40473" rel="external nofollow" target="_blank">CVE-2021-40473</a>
				</td>
				<td>
					Microsoft Excel Remote Code Execution Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Microsoft Office Excel
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40472" rel="external nofollow" target="_blank">CVE-2021-40472</a>
				</td>
				<td>
					Microsoft Excel Information Disclosure Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Microsoft Office Excel
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40471" rel="external nofollow" target="_blank">CVE-2021-40471</a>
				</td>
				<td>
					Microsoft Excel Remote Code Execution Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Microsoft Office Excel
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40474" rel="external nofollow" target="_blank">CVE-2021-40474</a>
				</td>
				<td>
					Microsoft Excel Remote Code Execution Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Microsoft Office Excel
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40485" rel="external nofollow" target="_blank">CVE-2021-40485</a>
				</td>
				<td>
					Microsoft Excel Remote Code Execution Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Microsoft Office Excel
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40479" rel="external nofollow" target="_blank">CVE-2021-40479</a>
				</td>
				<td>
					Microsoft Excel Remote Code Execution Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Microsoft Office SharePoint
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40487" rel="external nofollow" target="_blank">CVE-2021-40487</a>
				</td>
				<td>
					Microsoft SharePoint Server Remote Code Execution Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Microsoft Office SharePoint
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40483" rel="external nofollow" target="_blank">CVE-2021-40483</a>
				</td>
				<td>
					Microsoft SharePoint Server Spoofing Vulnerability
				</td>
				<td>
					Low
				</td>
			</tr>
			<tr>
				<td>
					Microsoft Office SharePoint
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40484" rel="external nofollow" target="_blank">CVE-2021-40484</a>
				</td>
				<td>
					Microsoft SharePoint Server Spoofing Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Microsoft Office SharePoint
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40482" rel="external nofollow" target="_blank">CVE-2021-40482</a>
				</td>
				<td>
					Microsoft SharePoint Server Information Disclosure Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Microsoft Office SharePoint
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41344" rel="external nofollow" target="_blank">CVE-2021-41344</a>
				</td>
				<td>
					Microsoft SharePoint Server Remote Code Execution Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Microsoft Office Visio
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40480" rel="external nofollow" target="_blank">CVE-2021-40480</a>
				</td>
				<td>
					Microsoft Office Visio Remote Code Execution Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Microsoft Office Visio
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40481" rel="external nofollow" target="_blank">CVE-2021-40481</a>
				</td>
				<td>
					Microsoft Office Visio Remote Code Execution Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Microsoft Office Word
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40486" rel="external nofollow" target="_blank">CVE-2021-40486</a>
				</td>
				<td>
					Microsoft Word Remote Code Execution Vulnerability
				</td>
				<td>
					Critical
				</td>
			</tr>
			<tr>
				<td>
					Microsoft Windows Codecs Library
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40462" rel="external nofollow" target="_blank">CVE-2021-40462</a>
				</td>
				<td>
					Windows Media Foundation Dolby Digital Atmos Decoders Remote Code Execution Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Microsoft Windows Codecs Library
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41330" rel="external nofollow" target="_blank">CVE-2021-41330</a>
				</td>
				<td>
					Microsoft Windows Media Foundation Remote Code Execution Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Microsoft Windows Codecs Library
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41331" rel="external nofollow" target="_blank">CVE-2021-41331</a>
				</td>
				<td>
					Windows Media Audio Decoder Remote Code Execution Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Rich Text Edit Control
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40454" rel="external nofollow" target="_blank">CVE-2021-40454</a>
				</td>
				<td>
					Rich Text Edit Control Information Disclosure Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Role: DNS Server
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40469" rel="external nofollow" target="_blank">CVE-2021-40469</a>
				</td>
				<td>
					Windows DNS Server Remote Code Execution Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Role: Windows Active Directory Server
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41337" rel="external nofollow" target="_blank">CVE-2021-41337</a>
				</td>
				<td>
					Active Directory Security Feature Bypass Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Role: Windows AD FS Server
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40456" rel="external nofollow" target="_blank">CVE-2021-40456</a>
				</td>
				<td>
					Windows AD FS Security Feature Bypass Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Role: Windows Hyper-V
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40461" rel="external nofollow" target="_blank">CVE-2021-40461</a>
				</td>
				<td>
					Windows Hyper-V Remote Code Execution Vulnerability
				</td>
				<td>
					Critical
				</td>
			</tr>
			<tr>
				<td>
					Role: Windows Hyper-V
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38672" rel="external nofollow" target="_blank">CVE-2021-38672</a>
				</td>
				<td>
					Windows Hyper-V Remote Code Execution Vulnerability
				</td>
				<td>
					Critical
				</td>
			</tr>
			<tr>
				<td>
					System Center
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41352" rel="external nofollow" target="_blank">CVE-2021-41352</a>
				</td>
				<td>
					SCOM Information Disclosure Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Visual Studio
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1971" rel="external nofollow" target="_blank">CVE-2020-1971</a>
				</td>
				<td>
					OpenSSL: CVE-2020-1971 EDIPARTYNAME NULL pointer de-reference
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Visual Studio
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-3450" rel="external nofollow" target="_blank">CVE-2021-3450</a>
				</td>
				<td>
					OpenSSL: CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Visual Studio
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-3449" rel="external nofollow" target="_blank">CVE-2021-3449</a>
				</td>
				<td>
					OpenSSL: CVE-2021-3449 NULL pointer deref in signature_algorithms processing
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows AppContainer
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41338" rel="external nofollow" target="_blank">CVE-2021-41338</a>
				</td>
				<td>
					Windows AppContainer Firewall Rules Security Feature Bypass Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows AppContainer
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40476" rel="external nofollow" target="_blank">CVE-2021-40476</a>
				</td>
				<td>
					Windows AppContainer Elevation Of Privilege Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows AppX Deployment Service
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41347" rel="external nofollow" target="_blank">CVE-2021-41347</a>
				</td>
				<td>
					Windows AppX Deployment Service Elevation of Privilege Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Bind Filter Driver
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40468" rel="external nofollow" target="_blank">CVE-2021-40468</a>
				</td>
				<td>
					Windows Bind Filter Driver Information Disclosure Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Cloud Files Mini Filter Driver
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40475" rel="external nofollow" target="_blank">CVE-2021-40475</a>
				</td>
				<td>
					Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Common Log File System Driver
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40443" rel="external nofollow" target="_blank">CVE-2021-40443</a>
				</td>
				<td>
					Windows Common Log File System Driver Elevation of Privilege Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Common Log File System Driver
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40467" rel="external nofollow" target="_blank">CVE-2021-40467</a>
				</td>
				<td>
					Windows Common Log File System Driver Elevation of Privilege Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Common Log File System Driver
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40466" rel="external nofollow" target="_blank">CVE-2021-40466</a>
				</td>
				<td>
					Windows Common Log File System Driver Elevation of Privilege Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Desktop Bridge
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41334" rel="external nofollow" target="_blank">CVE-2021-41334</a>
				</td>
				<td>
					Windows Desktop Bridge Elevation of Privilege Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows DirectX
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40470" rel="external nofollow" target="_blank">CVE-2021-40470</a>
				</td>
				<td>
					DirectX Graphics Kernel Elevation of Privilege Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Event Tracing
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40477" rel="external nofollow" target="_blank">CVE-2021-40477</a>
				</td>
				<td>
					Windows Event Tracing Elevation of Privilege Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows exFAT File System
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38663" rel="external nofollow" target="_blank">CVE-2021-38663</a>
				</td>
				<td>
					Windows exFAT File System Information Disclosure Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Fastfat Driver
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41343" rel="external nofollow" target="_blank">CVE-2021-41343</a>
				</td>
				<td>
					Windows Fast FAT File System Driver Information Disclosure Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Fastfat Driver
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38662" rel="external nofollow" target="_blank">CVE-2021-38662</a>
				</td>
				<td>
					Windows Fast FAT File System Driver Information Disclosure Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Installer
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40455" rel="external nofollow" target="_blank">CVE-2021-40455</a>
				</td>
				<td>
					Windows Installer Spoofing Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Kernel
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41336" rel="external nofollow" target="_blank">CVE-2021-41336</a>
				</td>
				<td>
					Windows Kernel Information Disclosure Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Kernel
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41335" rel="external nofollow" target="_blank">CVE-2021-41335</a>
				</td>
				<td>
					Windows Kernel Elevation of Privilege Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows MSHTML Platform
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41342" rel="external nofollow" target="_blank">CVE-2021-41342</a>
				</td>
				<td>
					Windows MSHTML Platform Remote Code Execution Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Nearby Sharing
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40464" rel="external nofollow" target="_blank">CVE-2021-40464</a>
				</td>
				<td>
					Windows Nearby Sharing Elevation of Privilege Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Network Address Translation (NAT)
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40463" rel="external nofollow" target="_blank">CVE-2021-40463</a>
				</td>
				<td>
					Windows NAT Denial of Service Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Print Spooler Components
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41332" rel="external nofollow" target="_blank">CVE-2021-41332</a>
				</td>
				<td>
					Windows Print Spooler Information Disclosure Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Print Spooler Components
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36970" rel="external nofollow" target="_blank">CVE-2021-36970</a>
				</td>
				<td>
					Windows Print Spooler Spoofing Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Remote Procedure Call Runtime
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40460" rel="external nofollow" target="_blank">CVE-2021-40460</a>
				</td>
				<td>
					Windows Remote Procedure Call Runtime Security Feature Bypass Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Storage Spaces Controller
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40489" rel="external nofollow" target="_blank">CVE-2021-40489</a>
				</td>
				<td>
					Storage Spaces Controller Elevation of Privilege Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Storage Spaces Controller
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41345" rel="external nofollow" target="_blank">CVE-2021-41345</a>
				</td>
				<td>
					Storage Spaces Controller Elevation of Privilege Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Storage Spaces Controller
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26441" rel="external nofollow" target="_blank">CVE-2021-26441</a>
				</td>
				<td>
					Storage Spaces Controller Elevation of Privilege Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Storage Spaces Controller
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40478" rel="external nofollow" target="_blank">CVE-2021-40478</a>
				</td>
				<td>
					Storage Spaces Controller Elevation of Privilege Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Storage Spaces Controller
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40488" rel="external nofollow" target="_blank">CVE-2021-40488</a>
				</td>
				<td>
					Storage Spaces Controller Elevation of Privilege Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows TCP/IP
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36953" rel="external nofollow" target="_blank">CVE-2021-36953</a>
				</td>
				<td>
					Windows TCP/IP Denial of Service Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Text Shaping
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40465" rel="external nofollow" target="_blank">CVE-2021-40465</a>
				</td>
				<td>
					Windows Text Shaping Remote Code Execution Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Win32K
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40449" rel="external nofollow" target="_blank">CVE-2021-40449</a>
				</td>
				<td>
					Win32k Elevation of Privilege Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Win32K
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41357" rel="external nofollow" target="_blank">CVE-2021-41357</a>
				</td>
				<td>
					Win32k Elevation of Privilege Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Win32K
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40450" rel="external nofollow" target="_blank">CVE-2021-40450</a>
				</td>
				<td>
					Win32k Elevation of Privilege Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
		</tbody>
	</table>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-october-2021-patch-tuesday-fixes-4-zero-days-71-flaws/" rel="external nofollow">Microsoft October 2021 Patch Tuesday fixes 4 zero-days, 71 flaws</a>
</p>
]]></description><guid isPermaLink="false">2850</guid><pubDate>Tue, 12 Oct 2021 23:49:35 +0000</pubDate></item><item><title>Apache OpenOffice users should upgrade to newest security release!</title><link>https://nsaneforums.com/news/security-privacy-news/apache-openoffice-users-should-upgrade-to-newest-security-release-r2842/</link><description><![CDATA[<p>
	The Apache Software Foundation (ASF) has released Apache OpenOffice 4.1.11, which fixes a handful of security vulnerabilities, including CVE-2021-33035, a recently revealed RCE vulnerability that could be triggered via a specially crafted document.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:20px;"><strong>About Apache OpenOffice</strong></span>
</p>

<p>
	<br />
	Apache OpenOffice is an open-source office productivity suite that includes a word processor (Writer), a spreadsheet tool (Calc), a presentation editor (Impress), a vector graphics drawing editor (Draw), a mathematical formula editor (Math), and a database management program (Base).
</p>

<p>
	It is developed by the Apache Software Foundation and welcomes contributions from its code community. According to the ASF, since its initial release it has been downloaded by hundreds of millions of users: individuals as well as businesses and organizations.
</p>

<p>
	 
</p>

<p>
	The suite is available for Windows, macOS and Linux.
</p>

<p>
	 
</p>

<p>
	<strong><span style="font-size:20px;">The fixed vulnerabilities</span></strong>
</p>

<p>
	<br />
	As previously mentioned, the fix for CVE-2021-33035 has finally found its way into an official release of the suite.
</p>

<p>
	 
</p>

<p>
	Apache OpenOffice 4.1.11 also comes with a fix for CVE-2021-40439, a security vulnerability in the third-party XML parser library included in the suite that allowed billion laughs (DoS) attacks.
</p>

<p>
	 
</p>

<p>
	CVE-2021-41830 and CVE-2021-41832 allow attackers to manipulate signed documents and macros so that they appear to come from a trusted source, and CVE-2021-41831 allows the manipulation of the timestamp of signed documents. These vulnerabilities were uncovered by researchers Simon Rohlmann, Vladislav Mladenov, Christian Mainka, and Jörg Schwenk of Ruhr University Bochum, Germany, and also affect LibreOffice (they have been fixed in LibreOffice 7.0.6/7.1.2).
</p>

<p>
	 
</p>

<p>
	Finally, Apache has fixed CVE-2021-28129, a potential security issue with the suite’s DEB package.
</p>

<p>
	 
</p>

<p>
	For information about other bugs fixed and enhancements/features introduced in Apache OpenOffice 4.1.11, check out the release notes.
</p>

<p>
	“All users of Apache OpenOffice 4.1.10 or earlier are strongly advised to upgrade,” the ASF noted. “Windows 11 users can now also get Apache OpenOffice for selected languages in the Microsoft Store.”
</p>

<p>
	 
</p>

<p>
	<span style="font-size:20px;"><strong><a href="https://www.helpnetsecurity.com/2021/10/12/apache-openoffice-security/" rel="external nofollow">Source</a></strong></span>
</p>
]]></description><guid isPermaLink="false">2842</guid><pubDate>Tue, 12 Oct 2021 21:16:17 +0000</pubDate></item><item><title>1Password now lets you share login details safely with a link</title><link>https://nsaneforums.com/news/security-privacy-news/1password-now-lets-you-share-login-details-safely-with-a-link-r2840/</link><description><![CDATA[<p>
	<span style="font-size:20px;">Securely share any item from your vault with anyone</span>
</p>

<p>
	 
</p>

<p>
	Although sharing your passwords with others isn't usually recommended, sometimes you need to do so, for example when guests are visiting your house or you have a contractor on site working on something for your business.
</p>

<p>
	 
</p>

<p>
	For this reason, 1Password has introduced a new feature (detailed in this blog post) that allows users of its password manager to share virtually anything from their 1Password vault with others even if they don't use the service themselves.
</p>

<p>
	 
</p>

<p>
	The company's new tool is called Psst!, which stands for Password secure sharing tool, and it allows users to generate shareable links from its software's share menu. By default, these links expire in seven days, but you can also choose to let them expire after 30 days, 14 days, one day, one hour or after a single person views them.
</p>

<p>
	 
</p>

<p>
	1Password users also have the option to let anyone with a link view an item in their vault or they can restrict sharing to only the people whose email addresses they've specified. When a user selects the “Get link to share” option in the company's password manager, they can send the link directly or through any channel they choose. This feature also allows them to share links directly through their operating system's built-in share menu.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:16px;"><strong>1Password Psst!</strong></span>
</p>

<p>
	<br />
	When a recipient opens the shared link in their browser, they'll either be taken directly to a web view of the shared item, if anyone is allowed to view the link, or they'll receive an email with a one-time verification code, if the person who shared the link initially specified the people they want to share with.
</p>

<p>
	 
</p>

<p>
	After verification, users who have received a link will see the web view of the shared item exactly as it exists in 1Password. This means if there are extra fields such as notes, security questions or anything else, a recipient will see those too. If a recipient is also a 1Password user, they'll be able to save a copy of the item directly in their own vault.
</p>

<p>
	 
</p>

<p>
	It's worth noting that when using Psst!, 1Password users aren't sharing an original item but a shared copy that is more like a snapshot of the item as it existed when it was shared. This means if you share a password with a contractor or guest, they can only view the item as it existed when shared. If it's changed afterwards, recipients won't be able to see the updated item, only the original copy.
</p>

<p>
	 
</p>

<p>
	IT admins worried about employees sharing passwords using this new feature can rest easy as well, since all shared items appear in the software's Activity Log. Admins will be able to see the name of the shared item, who it was shared with along with their IP address, the date and time it was shared, when the link expires, the email addresses of recipients, how many times each recipient viewed the shared item and the IP addresses of recipients that viewed an item.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:16px;"><strong><a href="https://www.techradar.com/news/1password-now-lets-you-share-login-details-safely-with-a-link" rel="external nofollow">Source</a></strong></span>
</p>
]]></description><guid isPermaLink="false">2840</guid><pubDate>Tue, 12 Oct 2021 21:06:32 +0000</pubDate></item><item><title>Study reveals Android phones constantly snoop on their users</title><link>https://nsaneforums.com/news/security-privacy-news/study-reveals-android-phones-constantly-snoop-on-their-users-r2834/</link><description><![CDATA[<p>
	A new study by a team of university researchers in the UK has unveiled a host of privacy issues that arise from using Android smartphones.
</p>

<p>
	 
</p>

<p>
	The researchers have focused on Samsung, Xiaomi, Realme, and Huawei Android devices, and on LineageOS and /e/OS, two forks of Android that aim to offer long-term support and a de-Googled experience.
</p>

<p>
	 
</p>

<p>
	The conclusion of the study is worrying for the vast majority of Android users.
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	<em>With the notable exception of /e/OS, even when minimally configured and the handset is idle these vendor-customized Android variants transmit substantial amounts of information to the OS developer and also to third parties (Google, Microsoft, LinkedIn, Facebook, etc.) that have pre-installed system apps. - Researchers.</em>
</p>

<p>
	 
</p>

<p>
	As the summary table indicates, sensitive user data like persistent identifiers, app usage details, and telemetry information are not only shared with the device vendors, but also go to various third parties, such as Microsoft, LinkedIn, and Facebook.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="data%20collection%20summary.jpg" class="ipsImage" data-ratio="67.08" height="342" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/data%20collection%20summary.jpg" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><strong>Summary of collected data</strong><br />
	<em>Source: Trinity College Dublin</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	And to make matters worse, Google appears at the receiving end of all collected data almost across the entire table.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:16px;"><strong>No way to "turn it off"</strong></span>
</p>

<p>
	<br />
	It is important to note that this concerns the collection of data for which there’s no option to opt-out, so Android users are powerless against this type of telemetry.
</p>

<p>
	 
</p>

<p>
	This is particularly concerning when smartphone vendors include third-party apps that are silently collecting data even if they’re not used by the device owner, and which cannot be uninstalled.
</p>

<p>
	 
</p>

<p>
	For some of the built-in system apps like miui.analytics (Xiaomi), Heytap (Realme), and Hicloud (Huawei), the researchers found that the encrypted data can sometimes be decoded, putting the data at risk of man-in-the-middle (MitM) attacks.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="volume%20of%20data(1).jpg" class="ipsImage" data-ratio="42.78" height="265" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/volume%20of%20data(1).jpg" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><strong>Volume of data (KB/h) transmitted by each vendor</strong><br />
	<em>Source: Trinity College Dublin</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	As the study points out, even if the user resets the advertising identifiers for their Google Account on Android, the data-collection system can trivially re-link the new ID back to the same device and append it to the original tracking history.
</p>

<p>
	 
</p>

<p>
	The deanonymisation of users takes place using various methods, such as looking at the SIM, IMEI, location data history, IP address, network SSID, or a combination of these.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="data%20collector%20points.jpg" class="ipsImage" data-ratio="39.31" height="196" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/data%20collector%20points.jpg" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><strong>Potential cross-linking data collection points</strong><br />
	<em>Source: Trinity College Dublin</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Privacy-conscious Android forks like /e/OS are getting more traction as increasing numbers of users realize that they have no means to disable the unwanted functionality in vanilla Android and seek more privacy on their devices.
</p>

<p>
	 
</p>

<p>
	However, the majority of Android users remain locked into a never-ending stream of data collection, which is where regulators and consumer protection organizations need to step in and put an end to this.
</p>

<p>
	 
</p>

<p>
	BleepingComputer has contacted Google for a statement regarding this study but has not heard back at this time.
</p>

<p>
	 
</p>

<p>
	Gael Duval, the creator of /e/OS, has told BleepingComputer:
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	<em>Today, more people understand that the advertising model that is fueling the mobile OS business is based on the industrial capture of personal data at a scale that has never been seen in history, at the world level. This has negative impacts on many aspects of our lives, and can even threaten democracy as seen in recent cases. I think regulation is needed more than ever regarding personal data protection. It has started with the GDPR, but it's not enough and we need to switch to a "privacy by default" model instead of "privacy as an option".</em>
</p>

<p style="margin-left:40px;">
	 
</p>

<p>
	<strong><span style="font-size:16px;"><a href="https://www.bleepingcomputer.com/news/security/study-reveals-android-phones-constantly-snoop-on-their-users/" rel="external nofollow">Source</a></span></strong>
</p>
]]></description><guid isPermaLink="false">2834</guid><pubDate>Tue, 12 Oct 2021 16:23:23 +0000</pubDate></item></channel></rss>
