Bandwidth is a voice over Internet Protocol (VoIP) services company that provides voice telephony over the Internet to businesses and resellers.

Starting September 25th at 3:31 PM EST, Bandwidth began reporting that they were experiencing unexpected failures with their voice and messaging services.

"Bandwidth is investigating an incident impacting Voice and Messaging Services. Calls and Messages may experience unexpected failures. All teams are actively engaged," reported Bandwidth on their status page.

Since then, Bandwidth has been providing frequent status updates detailing outages affecting voice, Enhanced 911 (E911) services, messaging, and access to the portal.

As Bandwidth is one of the leading telephony providers for US voice over IP companies, many other VoIP vendors reported outages over the past few days, including Twilio, Accent, DialPad, Phone.com, and RingCentral.

While it has not been confirmed if these outages are related to Bandwidth's service disruption, all of the above carriers stated that another upstream provider has caused their outages.

"The upstream provider has indicated that service has returned to normal operation. We will continue to monitor this situation and report any new information as it becomes available. Customers should be prepared for potential impairments of inbound services within 12-16 hours as the potential exists for this DDoS attack to return. We will not close this issue until services have returned to the normal operation for a period of 72 hours." - Accent's status page.

Twilio initially told BleepingComputer that they were not affected by Bandwidth's attack, but their status page states that they had issues with Bandwidth today.

"Monitoring - We are observing recovery in Twilio Voice call quality and connection issues. Bandwidth is reporting the issue resolved as well. We will continue monitoring the service to ensure a full recovery. We will provide another update in 2 hours or as soon as more information becomes available." Twilio's status page.

Bandwidth.com hit with a DDoS attack

Earlier this month, VoIP provider VoIP.ms suffered a catastrophic week-long DDoS attack that took down almost all of their services and portals, leaving their customers without voice services.

The VoIP.ms attack was an extortion DDoS attack where threat actors impersonating the ransomware group 'REvil' initially demanded one bitcoin ($45,000) to halt their attacks but later increased it to 100 bitcoins ($4.5 million).

Due to this recent attack, Bandwidth customers immediately suspected that Bandwidth was also suffering from a similar DDoS attack.

As VoIP services are commonly routed over the Internet and require their servers and endpoints to be publicly accessible, they are prime targets for DDoS extortion attacks.

To conduct these DDoS attacks, threat actors will overwhelm servers, portals, and gateways by sending more requests than can be handled and thus making the targeted devices and servers inaccessible to anyone else.

At this time, Bandwidth has not publicly disclosed the cause of its outage and has not responded to our queries.

However, Bandwidth customers have told BleepingComputer that employees said a DDoS attack caused the outages.

Another customer shared a screenshot on Reddit of a customer support message allegedly from a Technical Assistance Center manager who states that a DDoS attack is responsible for the outages.

"Bandwidth continues to experience a DDoS attack which is intermittently impacting our services. Our network operations and engineering teams continue active mitigation efforts to protect our network," reads a screenshot shared on Reddit.

At this time, Bandwidth is reporting that their services are restored, and it is not clear if the threat actors stopped their attacks or were paid an extortion demand.

Unfortunately, it is common for threat actors to briefly halt attacks while they push extortion attempts, so we will not know for sure if the DDoS attack is over until tomorrow.

When we hear back from Bandwidth, we will update our story.

This is a developing story.

Bandwidth.com is latest victim of DDoS attacks against VoIP providers

Cloudflare Is Taking a Shot at Email Security

(May require free registration to view)

The “Linux Threat Report 2021 1H: Linux Threats in the Cloud and Security Recommendations” features research on the state of Linux cloud security in the first half of 2021.

The report by Trend Micro, a cybersecurity company, was released last month

The “Linux Threat Report” indicates the pervasive threats that make up the Linux threat landscape. 

For instance, over 13 million malware events targeted Linux-based cloud environments.

Ninety percent of public clouds workloads ran on Linux as of 2017, according to Trend Micro.

Linux helps organizations to make the “most of their cloud-based environments and power their digital transformation strategies,” Trend Micro said. 

Many Internet of Things (IoT) devices and cloud-based applications run on some flavor of Linux, making it “a critical area of modern technology to secure.”

Yet, the report reveals that most detections arose from systems running end-of-life versions of Linux distributions, including 44% from CentOS versions 7.4 to 7.9. 

The report also shows 200 different vulnerabilities were targeted in Linux environments, meaning attacks on Linux are likely taking advantage of outdated software with unpatched vulnerabilities.

“It’s safe to say that Linux is here to stay, and as organizations continue to move to Linux-based cloud workloads, malicious actors will follow,” said Aaron Ansari, VP of cloud security, Trend Micro. 

“We have seen this as a main priority to ensure our customers receive the best security across their workloads, no matter the operating system they choose to run it on.”

Top Malware Families Affecting Linux Servers 

• Coinminers (25%): The high prevalence of cryptocurrency miners is of little surprise given the clear motive of the seemingly endless amount of computing power the cloud holds, making it the perfect environment

• Web shells (20%): The recent Microsoft Exchange Attack, which leveraged web shells, showed the importance of patching against this type of malware

• Ransomware (12%): The most prevalent detected was the modern ransomware family DoppelPaymer. However, some other notable ransomware families seen targeting Linux systems as well are RansomExx, DarkRadiation, and the DarkSide.

Source

The new delivery chain, spotted by Morphisec on September 8, underscores that the malware has not just continued to remain active but also showcases "how threat actors continue to develop their attacks to become more efficient and evasive." The Israeli company said it's currently investigating the scale and scope of the attacks.

First documented in November 2020, Jupyter (aka Solarmarker) is likely Russian in origin and primarily targets Chromium, Firefox, and Chrome browser data, with additional capabilities that allow for full backdoor functionality, including features to siphon information and upload the details to a remote server and download and execute further payloads. Forensic evidence gathered by Morphisec shows that multiple versions of Jupyter began emerging starting May 2020.

In August 2021, Cisco Talos attributed the intrusions to a "fairly sophisticated actor largely focused on credential and residual information theft." Cybersecurity firm CrowdStrike, earlier this February, described the malware as packing a multi-stage, heavily obfuscated PowerShell loader, which leads to the execution of a .NET compiled backdoor.

While previous attacks incorporated legitimate binaries of well-known software such as Docx2Rtf and Expert PDF, the latest delivery chain puts to use another PDF application called Nitro Pro. The attacks start with a deployment of an MSI installer payload that's over 100MB in size, allowing them to bypass anti-malware engines, and obfuscated using a third-party application packaging wizard called Advanced Installer.

Running the MSI payload leads to the execution of a PowerShell loader embedded within a legitimate binary of Nitro Pro 13, two variants of which have been observed signed with a valid certificate belonging to an actual business in Poland, suggesting a possible certificate impersonation or theft. The loader, in the final-stage, decodes and runs the in-memory Jupyter .NET module.

"The evolution of the Jupyter infostealer/backdoor from when we first identified it in 2020 proves the truth of the statement that threat actors are always innovating," Morphisec researcher Nadav Lorber said. "That this attack continues to have low or no detections on VirusTotal further indicates the facility with which threat actors evade detection-based solutions."

Source

Cisco Talos attributed the attacks to the Turla advanced persistent threat (APT) group, coining the malware "TinyTurla" for its limited functionality and efficient coding style that allows it to go undetected. Attacks incorporating the backdoor are believed to have occurred since 2020.

"This simple backdoor is likely used as a second-chance backdoor to maintain access to the system, even if the primary malware is removed," the researchers said. "It could also be used as a second-stage dropper to infect the system with additional malware." Furthermore, TinyTurla can upload and execute files or exfiltrate sensitive data from the infected machine to a remote server, while also polling the command-and-control (C2) station every five seconds for any new commands.

Also known by the monikers Snake, Venomous Bear, Uroburos, and Iron Hunter, the Russian-sponsored espionage outfit is known for its cyber offensives targeting government entities and embassies spanning across the U.S., Europe, and Eastern Bloc nations. The TinyTurla campaign involves the use of a .BAT file to deploy the malware, but the exact intrusion route remains unclear as yet.

The novel backdoor — which camouflages as an innocuous but fake Microsoft Windows Time Service ("w32time.dll") to fly under the radar — is orchestrated to register itself and establish communications with an attacker-controlled server to receive further instructions that range from downloading and executing arbitrary processes to uploading the results of the commands back to the server.

TinyTurla's links to Turla come from overlaps in the modus operandi, which has been previously identified as the same infrastructure used by the group in other campaigns in the past. But the attacks also stand in stark contrast to the outfit's historical covert campaigns, which have included compromised web servers and hijacked satellite connections for their C2 infrastructure, not to mention evasive malware like Crutch and Kazuar.

"This is a good example of how easy malicious services can be overlooked on today's systems that are clouded by the myriad of legit services running in the background at all times," the researchers noted.

"It's more important now than ever to have a multi-layered security architecture in place to detect these kinds of attacks. It isn't unlikely that the adversaries will manage to bypass one or the other security measures, but it is much harder for them to bypass all of them."

Source

Apple started its security bounty program several years ago. The idea is that non-Apple employees can examine Apple's products and code and try to identify vulnerabilities. Security researchers who identify vulnerabilities are monetarily rewarded. Apple overhauled its program back in 2019, hoping to make it more accessible and to increase payouts to researchers. Unfortunately, the program has been receiving complaints from security researchers who claim that the team at Apple is difficult to reach. In this new effort, illusionofchaos suggests that Apple is putting its user base at risk by not making fixes to its new operating system that are found by researchers such as himself.

Illusionofchaos claims that the first vulnerability he found allowed user-installed apps to access iOS data without first being granted permission. He further claims that after sending Apple a report of his findings, he received messages suggesting the company would look into the issue. Later, he found that the issue has been resolved, but he was not credited with the find.

Illusionofchaos claims also that he has three other outstanding vulnerabilities he has reported to Apple. The first he calls gamed zero-day—he describes it as a vulnerability that exposes Apple ID email, name and other information. The second, which he calls Nehelper Wi-Fi zero-day, exposes Wi-Fi information. And the third, which he calls NeHelpler Enumerate zero-day, allows interested parties to see information about apps that are installed on a device.

Illusionofchaos claims that he notified Apple about all three vulnerabilities and received an initial response, but since then, has only received messages telling him that Apple is investigating the issue. After threatening to make the vulnerabilities public and still receiving no feedback, Illusionofchaos followed through with his threat by posting his findings on a blog. Apple has not yet publicly responded to the claims made by Illusionofchaos.

Source

The vulnerability has been assigned the ID "CVE-2021-37973" and the flaw was discovered by a Google Security engineer Clément Lecigne with assistance from Sergei Glazunov and Mark Brand, among others.

Google states it found the UAF vulnerability in its Portals feature and according to CERT, "a remote attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system".

Use-After-Free is a security flaw that occurs when a program or application fails to properly manage the memory pointer after a dynamic memory portion has been freed, which in turn can lead to code execution by an attacker.

A pointer stores data related to a certain address of the memory that is being used by the application. But dynamic memory is constantly flushed and reallocated for use by different apps. However, if that pointer is not set to null once its corresponding memory space has been freed or unallocated, attackers can successfully exploit that pointer data to gain access to that same memory portion to now pass arbitrary malicious code. This is why the vulnerability is named Use-After-Free.

It has been assured however that both Edge 94.0.992.31 and Chrome 94.0.4606.61 have patched this critical memory-based security flaw and it is probably recommended that users update their browsers to these versions.

Latest Chrome and Edge stable channel builds fix critical memory UAF security vulnerability

The unknown researcher who found the four zero-days reported them to Apple between March 10 and May 4. However, the company silently patched one of them in July with the release of 14.7 without giving credit in the security advisory.

"When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update," the researcher said earlier today. "There were three releases since then and they broke their promise each time."

"Due to a processing issue, your credit will be included on the security advisories in an upcoming update. We apologize for the inconvenience," Apple told him when asked why the list of fixed iOS security bugs didn't include his zero-day.

Since then, all attempts made to get an explanation for Apple's failure to fix the rest of these unpatched vulnerabilities and for their refusal to credit them were ignored even though more security advisories, for iOS 14.7.1, iOS 14.8, and iOS 15.0, have since been published.

An Apple spokesperson was not available for comment when BleepingComputer reached out for more details.

PoC exploit code published on GitHub

After Apple refused to respond to explanation requests, today the researcher published proof-of-concept exploit code for all four iOS zero-days he reported on GitHub, together with apps that harvest sensitive information and displays it in the user interface:

• Gamed 0-day (iOS 15.0): Bug exploitable through user-installed apps from App Store and giving unauthorized access to sensitive data normally protected by a TCC prompt or the platform sandbox ($100,000 on the Apple Security Bounty Program page):

  • Apple ID email and full name associated with it

  • Apple ID authentication token which allows accessing at least one of the endpoints on *.apple.com on behalf of the user

  • Complete file system read access to the Core Duet database (contains a list of contacts from Mail, SMS, iMessage, 3rd-party messaging apps and metadata about all user's interaction with these contacts (including timestamps and statistics), also some attachments (like URLs and texts)

  • Complete file system read access to the Speed Dial database and the Address Book database, including contact pictures and other metadata like creation and modification dates (I've just checked on iOS 15, and this one is inaccessible, so that one must have been quietly fixed recently)

• Nehelper Enumerate Installed Apps 0-day (iOS 15.0): Allows any user-installed app to determine whether any app is installed on the device given its bundle ID.

• Nehelper Wifi Info 0-day (iOS 15.0): Makes it possible for any qualifying app (e.g., possessing location access authorization) to gain access to Wifi information without the required entitlement.

• Analyticsd (fixed in iOS 14.7): Allows any user-installed app to access analytics logs:

• • medical information (heart rate, count of detected atrial fibrillation and irregular heart rhythm events)

  • menstrual cycle length, biological sex and age, whether the user is logging sexual activity, cervical mucus quality, etc.

  • device usage information (device pickups in different contexts, push notifications count and user's action, etc.)

  • screen time information and session count for all applications with their respective bundle IDs

  • information about device accessories with their manufacturer, model, firmware version, and user-assigned names

  • application crashes with bundle IDs and exception codes

  • languages of web pages that users viewed in Safari

Exploit code confirmed to work on 15.0

Apple did not reply to BleepingComputer's email to validate any of the researcher's claims.

However, software engineer Kosta Eleftheriou confirmed that the app designed to exploit Gamed zero-day and harvest sensitive user information works on iOS 15.0, the latest iOS version.

"All this information is being collected by Apple for unknown purposes, which is quite disturbing, especially the fact that medical information is being collected," the researcher said, referring to the analyticsd zero-day silently patched in iOS 14.7.

"That's why it's very hypocritical of Apple to claim that they deeply care about privacy. All this data was being collected and available to an attacker even if 'Share analytics' was turned off in settings.

"My actions are in accordance with responsible disclosure guidelines (Google Project Zero discloses vulnerabilities in 90 days after reporting them to vendor, ZDI - in 120). I have waited much longer, up to half a year in one case," the researched added.

Other security researchers and bug bounty hunters have also gone through a similar experience when reporting vulnerabilities to Apple's product security team via the Apple Security Bounty Program.

Just this year, some of them have reported that they weren't paid the amount listed on the official bounty page [1, 2] or haven't received any payment at all, others that they have been kept in the dark for months on end with no replies to their messages.

Others have also said their bugs were silently fixed with Apple refusing to give them credit, just as it happened in this case.

 Researcher drops three iOS zero-days that Apple refused to fix

"Attackers created malformed code signatures that are treated as valid by Windows but are not able to be decoded or checked by OpenSSL code — which is used in a number of security scanning products," Google Threat Analysis Group's Neel Mehta said in a write-up published on Thursday.

The new mechanism was observed to be exploited by a notorious family of unwanted software known as OpenSUpdater that's used to download and install other suspicious programs on compromised systems. Most targets of the campaign are users located in the U.S. who are prone to downloading cracked versions of games and other grey-area software.

The findings come from a set of OpenSUpdater samples uploaded to VirusTotal at least since mid-August.

Not only are the artifacts signed with an invalid leaf X.509 certificate that's edited in such a manner that the 'parameters' element of the SignatureAlgorithm field included an End-of-Content (EOC) marker instead of a NULL tag. Although such encodings are rejected as invalid by-products using OpenSSL to retrieve signature information, checks on Windows systems would permit the file to be run without any security warnings.

"This is the first time TAG has observed actors using this technique to evade detection while preserving a valid digital signature on PE files," Mehta said.

"Code signatures on Windows executables provide guarantees about the integrity of a signed executable, as well as information about the identity of the signer. Attackers who are able to obscure their identity in signatures without affecting the integrity of the signature can avoid detection longer and extend the lifetime of their code-signing certificates to infect more systems."

Source

He Escaped the Dark Web's Biggest Bust. Now He's Back

"This is a severe security issue, since if an attacker can control such domains or has the ability to 'sniff' traffic in the same network, they can capture domain credentials in plain text (HTTP basic authentication) that are being transferred over the wire," Guardicore's Amit Serper said in a technical report.

"Moreover, if the attacker has DNS-poisoning capabilities on a large scale (such as a nation-state attacker), they could systematically syphon out leaky passwords through a large-scale DNS poisoning campaign based on these Autodiscover TLDs [top-level domains]."

The Exchange Autodiscover service enables users to configure applications such as Microsoft Outlook with minimal user input, allowing just a combination of email addresses and passwords to be utilized to retrieve other predefined settings required to set up their email clients.

The weakness discovered by Guardicore resides in a specific implementation of Autodiscover based on the POX (aka "plain old XML") XML protocol that causes the web requests to Autodiscover domains to be leaked outside of the user's domain but in the same top-level domain.

In a hypothetical example where a user's email address is "user@example.com," the email client leverages the Autodiscover service to construct a URL to fetch the configuration data using any of the below combinations of the email domain, a subdomain, and a path string, failing which it instantiates a "back-off" algorithm —

• https://Autodiscover.example.com/Autodiscover/Autodiscover.xml

• https://Autodiscover.example.com/Autodiscover/Autodiscover.xml

• https://example.com/Autodiscover/Autodiscover.xml

• https://example.com/Autodiscover/Autodiscover.xml

"This 'back-off' mechanism is the culprit of this leak because it is always trying to resolve the Autodiscover portion of the domain and it will always try to 'fail up,' so to speak," Serper explained. "Meaning, the result of the next attempt to build an Autodiscover URL would be:

'https://Autodiscover.com/Autodiscover/Autodiscover.xml.' This means that whoever owns Autodiscover.com will receive all of the requests that cannot reach the original domain."

Armed with this discovery and by registering a number of Autodiscover top-level domains (e.g., Autodiscover.com[.]br, Autodiscover.com[.]cn, Autodiscover[.]in, etc.) as honeypots, Guardicore said it was able to access requests to Autodiscover endpoints from different domains, IP addresses, and clients, netting 96,671 unique credentials sent from Outlook, mobile email clients, and other applications interfacing with Microsoft's Exchange server over a four-month period between April 16, 2021, and August 25, 2021.

The domains of those leaked credentials belonged to several entities from multiple verticals spanning publicly traded corporations in China, investment banks, food manufacturers, power plants, and real estate firms, the Boston-based cybersecurity company noted.

To make matters worse, the researchers developed an "ol' switcheroo" attack that involved sending a request to the client to downgrade to a weaker authentication scheme (i.e., HTTP Basic authentication) in place of secure methods like OAuth or NTLM, prompting the email application to send the domain credentials in cleartext.

"Oftentimes, attackers will try to cause users to send them their credentials by applying various techniques, whether technical or through social engineering," Serper said. "However, this incident shows us that passwords can be leaked outside of the organization's perimeter by a protocol that was meant to streamline the IT department's operations with regards to email client configuration without anyone from the IT or security department even being aware of it, which emphasises the importance of proper segmentation and Zero Trust."

Source

The IC, which also includes the parts of the FBI, DEA, and DHS, and various DoD elements, has deployed ad-blocking technology on a wide scale, according to a copy of a letter sent by Congress and shared with Motherboard.

The news highlights the continued risk from the online advertising ecosystem. Some hackers leverage how adverts are delivered to send target devices malware. Data brokers and potentially intelligence agencies can leverage the ecosystem to gather information on devices and by extension people, sometimes including their physical location. The IC taking steps to protect itself from the dangers of the advertising ecosystem shows just how malicious it can be.

"The IC has implemented network-based ad-blocking technologies and uses information from several layers, including Domain Name System information, to block unwanted and malicious advertising content," the CIO recently told Wyden's office, according to the letter.

With malvertising, hackers upload a malicious advertisement to an ad network, which then distributes it to targets. Previous cases of malvertising have redirected victims to exploit kits, which then break into the victim's computer to steal data.

In addition, Motherboard has reported on how data brokers may obtain information via a process called real-time bidding. Before an advertisement is placed into a person's app or browsing session, companies bid on whether their own advert will win the ad spot. As part of that process, participating companies can gather data on people, known as bidstream data, even if they don't win the ad placement. Motherboard previously reported that Venntel, a U.S. government contractor, obtains some of its location data from the real-time bidding process.

But that access could extend to foreign entities. Senators Ron Wyden, Mark Warner, Kirsten Gillibrand, Sherrod Brown, Elizabeth Warren, and Bill Cassidy previously wrote to a group of tech companies including AT&T, Verizon, Google, and Twitter, with their concerns that ad networks might be leveraged by foreign intelligence services.

"This information would be a goldmine for foreign intelligence services that could exploit it to inform and supercharge hacking, blackmail, and influence campaigns," the letter read. Responses from some of the tech companies showed that hundreds of relatively obscure and overlooked companies are potentially provided with sensitive data on Americans. The companies included ones based in Russia, China, and the United Arab Emirates, as Motherboard reported in June.

The Office of the Direction of National Intelligence (ODNI) did not respond to a request for comment on the ad-blocking practices. A DEA spokesperson told Motherboard in an email that "For the safety and protection of our environment, the Drug Enforcement Administration (DEA) does not disclose its cybersecurity measures; however, similar to the Intelligence Community, the DEA also considers recommendations from the Cybersecurity and Infrastructure Security Agency (CISA) and other governing bodies when implementing cybersecurity controls."

An NSA spokesperson told Motherboard in an email that "In order to maintain secure unclassified networks for standard business operations, NSA’s CIO institutes a defense-in-depth set of network protections to ensure network security across our enterprise. While we are unable to detail these protections for operational reasons, NSA’s dynamic security approach constantly adjusts and improves our network defenses."

The IC's chief information officer's quote was included in a letter Wyden sent to Clare Martorana, the federal chief information officer for the Office of Management and Budget (OMB), this week asking her to set rules for other agencies as well.

"I write to urge the Office of Management and Budget (OMB) to protect federal networks from foreign spies and criminals who misuse online advertising for hacking and surveillance, by setting clear new rules for agencies in its forthcoming “zero trust” cybersecurity policy," Wyden wrote.

Wyden pointed to previously published recommendations from the NSA and Cybersecurity and Infrastructure Security Agency (CISA), encouraging readers to use ad-blocking technology. The NSA also published guidelines around the threat of the collection and sale of location data.

"While the intelligence community has acted to protect its personnel and computers from malvertising based threats, many other federal agencies have not, and are unlikely to until they are required to do so. To that end, as OMB finalizes its recently released draft Federal Zero Trust Strategy, detailing the specific actions that OMB is requiring federal agencies to take to secure their systems from hackers, I urge OMB to also require agencies to implement the CISA and NSA guidance to block ads," Wyden's letter continued.

"This administration is committed to strengthening federal cybersecurity and moving the U.S. government towards a zero trust architecture," an OMB spokesperson told Motherboard in an email. "As part of this effort, the Office of Management and Budget asked for public feedback on a draft federal zero trust strategy that calls for strong multifactor authentication, encrypting network traffic, and other important cybersecurity practices. Over the coming weeks, we’ll be reviewing and considering each comment we received as part of this process, as we finalize this strategy.”

Source

Discovered by Neel Mehta, a security researcher for the Google Threat Analysis Group (TAG), the technique was seen abused by an adware strain named OpenSUpdater.

In these new samples, the signature was edited such that an End of Content (EOC) marker replaced a NULL tag for the ‘parameters’ element of the SignatureAlgorithm signing the leaf X.509 certificate. EOC markers terminate indefinite-length encodings, but in this case an EOC is used within a definite-length encoding (l= 13).

Neel Mehta, analyst for the Google Threat Analysis Group

While the technical explanation is a bit hard to understand for non-technical users, Mehta is referring to a tiny edit the OpenSUpdater gang made in a small field inside the digital signature of their payloads.

On Windows systems, this tiny edit does not impact the operating system’s file signature checks, which when passed, allow the file to run without any security warnings.

However, Mehta says that security products, most of which use the OpenSSL library to parse and extract a file’s signature information, will fail to scan files that had their digital signature modified by this method.

“This is the first time TAG has observed actors using this technique to evade detection while preserving a valid digital signature on PE files,” Mehta explained today.

The Google researcher said he reported the issue to Microsoft so the Redmond-based company can start work on modifying its signature checking algorithms.

Files infected with the OpenSUpdater adware are currently distributed via game cracks and pirated software.

Once they infect a system, the adware is used to download and install unwanted software, part of pay-per-install schemes.

Google said most OpenSUpdater victims are located in the US.

Source

"These flaws make every Windows system vulnerable to easily-crafted attacks that install fraudulent vendor-specific tables," researchers from Eclypsium said in a report published on Monday. "These tables can be exploited by attackers with direct physical access, with remote access, or through manufacturer supply chains. More importantly, these motherboard-level flaws can obviate initiatives like Secured-core because of the ubiquitous usage of ACPI [Advanced Configuration and Power Interface] and WPBT."

WPBT, introduced with Windows 8 in 2012, is a feature that enables "boot firmware to provide Windows with a platform binary that the operating system can execute."

In other words, it allows PC manufacturers to point to a signed portable executables or other vendor-specific drivers that come as part of the UEFI firmware ROM image in such a manner that it can be loaded into physical memory during Windows initialization and prior to executing any operating system code.

The main objective of WPBT is to allow critical features such as anti-theft software to persist even in scenarios where the operating system has been modified, formatted, or reinstalled. But given the functionality's ability to have such software "stick to the device indefinitely," Microsoft has warned of potential security risks that could arise from misuse of WPBT, including the possibility of deploying rootkits on Windows machines.

"Because this feature provides the ability to persistently execute system software in the context of Windows, it becomes critical that WPBT-based solutions are as secure as possible and do not expose Windows users to exploitable conditions," the Windows maker notes in its documentation. "In particular, WPBT solutions must not include malware (i.e., malicious software or unwanted software installed without adequate user consent)."

The vulnerability uncovered by the enterprise firmware security company is rooted in the fact that the WPBT mechanism can accept a signed binary with a revoked or an expired certificate to completely bypass the integrity check, thus permitting an attacker to sign a malicious binary with an already available expired certificate and run arbitrary code with kernel privileges when the device boots up.

In response to the findings, Microsoft has recommended using a Windows Defender Application Control (WDAC) policy to tightly control what binaries can be permitted to run on the devices.

The latest disclosure follows a separate set of findings in June 2021, which involved a set of four vulnerabilities — collectively called BIOS Disconnect — that could be weaponized to gain remote execution within the firmware of a device during a BIOS update, further highlighting the complexity and challenges involved in securing the boot process.

"This weakness can be potentially exploited via multiple vectors (e.g., physical access, remote, and supply chain) and by multiple techniques (e.g., malicious bootloader, DMA, etc)," the researchers said. "Organizations will need to consider these vectors, and employ a layered approach to security to ensure that all available fixes are applied and identify any potential compromises to devices."

Source

Codenamed FamousSparrow, this new APT was discovered by Slovak security firm ESET, which said it’s been tracking its attacks as far back as 2019.

“FamousSparrow’s victims are located in Europe (France, Lithuania, the UK), the Middle East (Israel, Saudi Arabia), the Americas (Brazil, Canada, Guatemala), Asia (Taiwan), and Africa (Burkina Faso),” the company said in a report shared with The Record.

Besides hotels, other attacks also hit governments, international organizations, engineering companies, and law firms.

“The targeting suggests that FamousSparrow’s intent is cyberespionage,” ESET researchers said today.

Entering via unpatched web applications

Most of the attacks followed the same pattern, with the group using vulnerabilities in web applications as entry points into its victims’ networks. According to ESET, past attacks exploited security flaws in:

• Microsoft Exchange
• Microsoft SharePoint
• Oracle Opera (business software for hotel management)

Particularly interesting was also the fact that FamouseSparrow was one of the first APTs to mount attacks using the ProxyLogon vulnerability in Microsoft Exchange email servers.

ESET said the group weaponized ProxyLogon just one day after Microsoft disclosed the vulnerability’s existence, with the first attacks recorded on March 3, 2021/

Once FamousSparrow had a foothold inside a target network, ESET researchers said the attackers deployed a custom backdoor named SparrowDoor, which they used as a pivot point to orchestrate ways to move laterally inside a hacked organization using public tools like Mimikatz and Metasploit.

But while ESET noted that the FamousSparrow group used tools previously linked to espionage operations carried out by other groups such as DRDControl [PDF] and SparklingGoblin, researchers also said they aren’t ready just yet to attribute the group to any particular state.

Hotels are often targeted for intelligence gathering

The group now joins the ranks of other APTs that have historically targeted hotels, such as the infamous DarkHotel, APT28, and the Rana Group, which didn’t target hotels directly but hotel room booking systems.

The purpose of attacking and compromising hotels is simple, as it allows cyber-espionage groups to track the movement of persons of interest.

For the same reason, APTs often also target telcos and airline companies, seeking to gain insight, intercept targets, or track the movements of their targets.

Source

TLS is a secure communication protocol designed to protect users from eavesdropping, tampering, and message forgery while accessing and exchanging information over an Internet connection using client/server applications.

The original TLS 1.0 specification and its TLS 1.1 successor have been used for almost 20 years (with TLS 1.0 first defined in 1999 and TLS 1.1 in 2006).

The Internet Engineering Task Force (IETF) approved TLS 1.3, the next major version of the TLS protocol, in March 2018, after four years of discussions and 28 protocol drafts.

TLS 1.0/1.1 deprecation update

"As part of ongoing efforts to modernize platforms, and to improve security and reliability, TLS 1.0 and 1.1 have been deprecated by the Internet Engineering Task Force (IETF) as of March 25, 2021," Apple said.

"These versions have been deprecated on Apple platforms as of iOS 15, iPadOS 15, macOS 12, watchOS 8, and tvOS 15, and support will be removed in future releases."

The company advised developers whose apps still use the legacy TLS protocols to begin planning for a transition to TLS 1.2 or higher in the near future.

For apps using the App Transport Security (ATS) networking security feature on all connections (enabled by default for apps linked against iOS 9.0 or macOS 10.11 SDKs or later), which requires that all connections are secured with reliable TLS certificates and ciphers, no action is required.

Apple recommends switching directly to TLS 1.3 as it is a faster and more secure protocol than TLS 1.2 by adding support to the latest TLS version and removing these deprecated Security.framework symbols from apps:

• tls_protocol_version_t.TLSv10
• tls_protocol_version_t.TLSv11
• tls_protocol_version_t.DTLSv10

Ongoing effort to move away from outdated traffic encryption protocols

Apple's update follows a joint announcement from Microsoft, Google, Apple, and Mozilla from October 2018, saying that the four organizations will start retiring insecure TLS protocols starting with the first half of 2020.

In August 2020, Microsoft enabled TLS 1.3 by default in the latest Windows 10 Insider builds.

"TLS 1.3 eliminates obsolete cryptographic algorithms, enhances security over older versions, and aims to encrypt as much of the handshake as possible," Microsoft said.

In January, the NSA shared guidance on detecting and replacing outdated Transport Layer Security (TLS) protocol versions with up-to-date and secure variants.

"Obsolete configurations provide adversaries access to sensitive operational traffic using a variety of techniques, such as passive decryption and modification of traffic through man-in-the-middle attacks," the NSA said.

"Attackers can exploit outdated transport layer security (TLS) protocol configurations to gain access to sensitive data with very few skills required."

Apple will disable insecure TLS in future iOS, macOS releases

The collection, obtained by The Record from a source, is currently being shared in private Telegram channels in the form of a torrent file containing approximately 187 GB of archived data.

IMAGE: THE RECORD

The Record analyzed files from this collection and found the data to be authentic, with data points such as:

• LinkedIn profile names
• LinkedIn ID
• LinkedIn profile URL
• Location information (town, city, country)
• Email addresses

IMAGE: THE RECORD

While the vast majority of the data points contained in the leak are already public information and pose no threat to LinkedIn users, the leak also contains email addresses that are not normally viewable to the public on the official LinkedIn site.

Linked to users’ real-life names and personas, the email addresses and the leak are a gold mine for threat actors looking to target high-profile executives or employees working in sensitive areas of a company, such as financial departments or security teams.

Fortunately, the leak does not include email addresses for each and every user, meaning that the vast majority of the entries included in this leak are worthless.

Contacted via email earlier this week, LinkedIn deferred comment to its June 2021 official statement.

At the time, LinkedIn said that no data breach occurred, and the data was scraped off LinkedIn but also other sites as well.

In fairness, the company might be getting the raw end of the stick in this situation, as data scraped off its website and enriched with email addresses from other sources might not be something that LinkedIn can control, and the company can’t be blamed for threat actors collecting public data needed to power its service in the first place.

But in the general picture, incidents of scraping public sites have also been getting more common, such as scrapes of Clubhouse, Instagram, and Facebook data.

While the data they collect is typically considered public information and not particularly sensitive in any way, these collections are still sought after for other purposes, such as building OSINT databases and enriching them with information from multiple sources in order to have a better understanding of the would-be victims threat actors would like to select and target in the future.

Source

CISA, FBI, and NSA encourage network defenders to examine their current cybersecurity posture and apply the recommended mitigations in the joint CSA, which include:  

• Updating your operating system and software, 
• Requiring multi-factor authentication, and  
• Implementing network segmentation.

Additionally, review the U.S. government resource StopRansomware.gov for more guidance on ransomware protection, detection, and response.

Source

"With over 100 available phishing templates that mimic known brands and services, the BulletProofLink operation is responsible for many of the phishing campaigns that impact enterprises today," Microsoft 365 Defender Threat Intelligence Team said in a Tuesday report.

"BulletProofLink (also referred to as BulletProftLink or Anthrax by its operators in various websites, ads, and other promotional materials) is used by multiple attacker groups in either one-off or monthly subscription-based business models, creating a steady revenue stream for its operators."

The tech giant said it uncovered the operation during its investigation of a credential phishing campaign that used the BulletProofLink phishing kit on either on attacker-controlled sites or sites provided by BulletProofLink as part of their service. The existence of the operation was first made public by OSINT Fans in October 2020.

Phishing-as-a-service differs from traditional phishing kits in that unlike the latter, which are sold as one-time payments to gain access to packaged files containing ready-to-use email phishing templates, they are subscription-based and follow a software-as-a-service model, while also expanding on the capabilities to include built-in site hosting, email delivery, and credential theft.

Believed to have been active since at least 2018, BulletProofLink is known to operate an online portal to advertise their toolset for as much as $800 a month and allow cybercrime gangs to register and pay for the service. Customers can also avail of a 10% discount should they opt to subscribe to their newsletter, not to mention pay anywhere between $80 to $100 for credential phishing templates that allow them to steal credentials entered by unsuspected victims upon clicking a malicious URL in the email message.

Troublingly, the stolen credentials are not only sent to the attackers but also to the BulletProofLink operators using a technique called "double theft" in a modus operandi that mirrors the double extortion attacks employed by ransomware gangs.

"With phishing kits, it is trivial for operators to include a secondary location for credentials to be sent to and hope that the purchaser of the phish kit does not alter the code to remove it," the researchers said. "This is true for the BulletProofLink phishing kit, and in cases where the attackers using the service received credentials and logs at the end of a week instead of conducting campaigns themselves, the PhaaS operator maintained control of all credentials they resell."

Source

While one would expect the attack vector exposed by Circle security flaw (tracked as CVE-2021-40847) would be removed after the service is stopped, the Circle update daemon containing the bug is enabled by default and it can be exploited even if the service is disabled.

"The update process of the Circle Parental Control Service on various Netgear routers allows remote attackers with network access to gain RCE as root via a Man-in-the-Middle (MitM) attack," GRIMM security researcher Adam Nichols explained.

"While the parental controls themselves are not enabled by default on the routers, the Circle update daemon, circled, is enabled by default."

Successfully exploiting this vulnerability requires the attackers to modify network traffic or intercept traffic while on the same network to gain RCE as root on the targeted router.

After gaining root access, the attacker can take complete control of the network traffic passing through the compromised router allowing for reading encrypted data exchanged with other devices, including those on the victim's corporate network.

Nichols also shared a potential chain of attack threat actors can use to breach an enterprise network after compromising one of its employee's Netgear routers:

How to update your router's firmware

In a security advisory published on Monday, Netgear urged customers to download the latest firmware for their devices as soon as possible.

The complete list of Netgear routers vulnerable to CVE-2021-40847 exploits and patched firmware versions are listed below.

To download and install the latest firmware for your Netgear device, you have to follow this procedure:

1. Visit NETGEAR Support.
2. Start typing your model number in the search box, then select your model from the drop-down menu as soon as it appears.
   If you do not see a drop-down menu, make sure that you entered your model number correctly, or select a product category to browse for your product model.
3. Click Downloads.
4. Under Current Versions, select the first download whose title begins with Firmware Version.
5. Click Release Notes.
6. Follow the instructions in the firmware release notes to download and install the new firmware.

If you cannot immediately install these firmware updates, you can also use Nichols' mitigation advice.

"To mitigate the risks to corporate environments posed by vulnerable SOHO routers, GRIMM recommends the provisioning and use of Virtual Private Network (VPN) clients," the researcher said.

"These clients should be configured to handle all traffic to ensure that an attacker cannot read or modify network traffic in a way that cannot be detected by the VPN endpoints."

Earlier this month, Netgear fixed three severe security vulnerabilities dubbed Demon's Cries, Draconian Fear, and Seventh Inferno, impacting over a dozen of its smart switches, allowing threat actors to bypass authentication and take over unpatched devices.

In June, Microsoft disclosed critical firmware vulnerabilities found in some Netgear routers that can let attackers breach corporate networks after successful exploitation.

Last year, GRIMM and VNPT ISC security researchers also independently discovered a zero-day bug in 79 Netgear router models allowing attackers to take control of vulnerable devices remotely.

Netgear fixes dangerous code execution bug in multiple routers

The iOS 15 Privacy Settings You Should Change Right Now

"The malware's primary tactic is to spread by taking advantage of vulnerable systems and weak administrative credentials. Once they've been infected, these systems are then used to mine cryptocurrency," Akamai security researcher Larry Cashdollar said in a write-up published last week.

The PHP malware — codenamed "Capoae" (short for "Сканирование," the Russian word for "Scanning") — is said to be delivered to the hosts via a backdoored addition to a WordPress plugin called "download-monitor," which gets installed after successfully brute-forcing WordPress admin credentials. The attacks also involve the deployment of a Golang binary with decryption functionality, with the obfuscated payloads retrieved by leveraging the trojanized plugin to make a GET request from an actor-controlled domain.

Also included is a feature to decrypted and execute additional payloads, while the Golang binary takes advantage of exploits for multiple remote code execution flaws in Oracle WebLogic Server (CVE-2020-14882), NoneCms (CVE-2018-20062), and Jenkins (CVE-2019-1003029 and CVE-2019-1003030) to brute force its way into systems running SSH and ultimately launch the XMRig mining software.

What's more, the attack chain stands out for its persistence tricks, which includes choosing a legitimate-looking system path on the disk where system binaries are likely to be found as well as generating a random six-character filename that's then subsequently used to copy itself into the new location on the system before deleting the malware upon execution.

"The Capoae campaign's use of multiple vulnerabilities and tactics highlights just how intent these operators are on getting a foothold on as many machines as possible," Cashdollar said. "The good news is, the same techniques we recommend for most organizations to keep systems and networks secure still apply here."

"Don't use weak or default credentials for servers or deployed applications," Cashdollar added. "Ensure you're keeping those deployed applications up to date with the latest security patches and check in on them from time to time. Keeping an eye out for higher than normal system resource consumption, odd/unexpected running processes, suspicious artifacts and suspicious access log entries, etc., will help you potentially identify compromised machines."

Source

"A vulnerability in macOS Finder allows files whose extension is inetloc to execute arbitrary commands, these files can be embedded inside emails which if the user clicks on them will execute the commands embedded inside them without providing a prompt or warning to the user," SSD Secure Disclosure said in a write-up published today.

Park Minchan, an independent security researcher, has been credited with reporting the vulnerability which affects macOS versions of Big Sur and prior.

The weakness arises due to the manner macOS processes INETLOC files — shortcuts to internet locations such as RSS feeds or Telnet connections containing username and password for SSH — resulting in a scenario that allows commands embedded in those files to be executed without any warning.

"The case here INETLOC is referring to a 'file://' protocol which allows running locally (on the user's computer) stored files," SSD said. "If the INETLOC file is attached to an email, clicking on the attachment will trigger the vulnerability without warning."

Although newer versions of macOS have blocked the 'file://' prefix, using 'File://' or 'fIle://' has been found to circumvent the check effectively. We have reached out to Apple, and we will update the story if we hear back.

Source

The key was obtained through access to the servers of the Russia-based criminal gang behind the July attack. Deploying it immediately could have helped the victims, including schools and hospitals, avoid million of dollars in recovery costs, analysts estimate.

But the FBI held on to the key, with the agreement of other agencies, in part because it was planning to carry out an operation to disrupt the hackers, a group known as REvil, and the bureau did not want to tip them off. Also, a government assessment found the harm was not as severe as initially feared. The planned takedown never occurred because in mid-July REvil’s platform went offline — without U.S. government intervention — and the hackers disappeared before the FBI had a chance to execute its plan, according to the current and former officials.

The previously unreported episode highlights the trade-offs law enforcement officials face between trying to damage cyber criminal networks and promptly helping the victims of ransomware — malware that encrypts data on computers, rendering them unusable.

The White House has made fighting ransomware a priority, and President Biden has urged Russian President Vladimir Putin to rein in ransomware criminals operating out of Russia.

“The questions we ask each time are, what would be the value of a key if disclosed? How many victims are there? Who could be helped?” said one individual familiar with the matter, who, like others, spoke on the condition of anonymity to discuss a sensitive matter. “And on the flip side, what would be the value of a potential longer term operation in disrupting an ecosystem? Those are the questions we will continue to have to balance.”

The FBI finally shared the key with Kaseya, the IT company whose software was infected with malware, on July 21 — nineteen days after it was hit.

By then, it was too late for some victims.

“The decryptor key would have been nice three weeks before we got it, but we had already begun a complete restoration of our clients’ systems,” Joshua Justice, owner of the Maryland IT company JustTech which had about 120 clients affected by the attack.

The FBI, without commenting on the specific case, said delays are inevitable when working with other U.S. agencies and international partners.

“In general,” said an FBI official, “a lot of our cyber investigations focus on our interagency collaboration because that’s imperative to the success of any of our operations. Although this takes time, it also allows us to have the largest impact while helping the most victims or even potential victims.”

“What sometimes can be seen as a perceived delay” can be justified by “the complexities” of carrying out operations with other agencies and international partners, said the official, who spoke on the condition of anonymity in accordance with FBI rules.

The official added, “the FBI must be cautious and deliberate in what is provided to victims. The solution must be rigorously tested and risks associated with decryptors must be mitigated.”

The Justice Department and White House declined to comment.

Source

Before you dismiss these scams, saying that no one falls for them, similar crypto scams have been hugely successful and have generated hundreds of thousands of dollars in the past.

For example, scammers made $180K in a single day in 2018, Twitter suffered a massive attack where crypto scammers earned $580K in a week in January 2021, and then another scam stole $145K in February.

Just last week, someone sent three bitcoin, or $150,074 at the time, to a known crypto giveaway scam.

The Elon Musk Club scam

While most cryptocurrency scams target social media users, scammers now use email spam to promote a new "Elon Musk Club" or "Elon Musk Mutual Aid Fund" giveaway.

The phishing emails themselves are low effort and include strange non-descriptive subjects and messages. However, they include an HTML attachment named simply 'Get Free Bitcoin - [id].htm' or "Elon Musk Club - [id].htm," as shown below.

These HTML attachments contain a single line of code that uses JavaScript to redirect the browser to the https://msto.me/elonmusk/ webpage.

The https://msto.me/elonmusk/ site will pretend to be an "Elon Musk - Mutual aid fund" that promises to send 0.001 to 0.055 bitcoins to all users who participate.

When you click on the 'Accept an invitation" button, the site will bring you to another site called "Bitcoin Donate," located at https://bitcoindonateur.site/.

You are prompted to enter a bitcoin address to receive the free bitcoin, your name, and an optional picture at this site.

When you click the 'Accept donate' button, the site will redirect you through a series of pages that pretend to be users donating .001 bitcoin to your account.

After your account has accrued 0.055 of fake bitcoin donations, you will be brought to a final page stating that you must first donate 0.001 bitcoins to another user to receive your "financial assistance."

However, these bitcoin addresses are owned by the scammers who take your "donation" but do not send anything in return.

So far, BleepingComputer has seen two bitcoin addresses associated with these scams:

• 32hU2JrkmMmgmka2rUuKXc3yd3S9WKxWnp received 73 transactions of 0.05734407 bitcoins, worth approximately $2,731.98.
• 3EbUB9wdQCxJwW5neH3xnTGjuoCA8THU5D received 23 transactions of 0.01953376, worth approximately $930.99.

While the scammers have only earned ~$3,661 from these two addresses, many other bitcoin addresses are likely used in this scam.

Even worse, while writing this article, the second bitcoin address received three more "donations." showing that this scam continues to be successful.

As these scams have the potential to generate a large amount of money for threat actors, they are not going away any time soon and will likely continue to spread to other messaging platforms.

Therefore, everyone needs to recognize that almost every crypto giveaway site is a scam, especially those that pretend to be from Elon Musk, Tesla, SpaceX, and Gemini.

If you receive emails, tweets, or other messages on social media promoting these types of giveaways, it is safer to realize that cryptocurrency you send will not produce anything in return.

New "Elon Musk Club" crypto giveaway scam promoted via email