A jury in California today reached a guilty verdict in the trial of Matthew Gatrel, a St. Charles, Ill. man charged in 2018 with operating two online services that allowed paying customers to launch powerful distributed denial-of-service (DDoS) attacks against Internet users and websites. Gatrel’s conviction comes roughly two weeks after his co-conspirator pleaded guilty to criminal charges related to running the services.

The user interface for Downthem[.]org.

Prosecutors for the Central District of California charged Gatrel, 32, and his business partner Juan “Severon” Martinez of Pasadena, Calif. with operating two DDoS-for-hire or “booter” services — downthem[.]org and ampnode[.]com.

Despite admitting to FBI agents that he ran these booter services (and turning over plenty of incriminating evidence in the process), Gatrel opted to take his case to trial, defended the entire time by public defenders. Facing the prospect of a hefty sentence if found guilty at trial, Martinez pleaded guilty on Aug. 26 to one count of unauthorized impairment of a protected computer.

Gatrel was convicted on all three charges of violating the Computer Fraud and Abuse Act, including conspiracy to commit unauthorized impairment of a protected computer, conspiracy to commit wire fraud, and unauthorized impairment of a protected computer.

Investigators say Downthem helped some 2,000 customers launch debilitating digital assaults at more than 200,000 targets, including many government, banking, university and gaming Web sites.

Prosecutors alleged that in addition to running and marketing Downthem, the defendants sold huge, continuously updated lists of Internet addresses tied to devices that could be used by other booter services to make attacks far more powerful and effective. In addition, other booter services also drew firepower and other resources from Ampnode.

Booter and stresser services let customers pick from among a variety of attack methods, but almost universally the most powerful of these methods involves what’s known as a “reflective amplification attack.” In such assaults, the perpetrators leverage unmanaged Domain Name Servers (DNS) or other devices on the Web to create huge traffic floods.

Ideally, DNS servers only provide services to machines within a trusted domain — such as translating an Internet address from a series of numbers into a domain name, like example.com. But DNS reflection attacks rely on consumer and business routers and other devices equipped with DNS servers that are (mis)configured to accept queries from anywhere on the Web.

Attackers can send spoofed DNS queries to these DNS servers, forging the request so that it appears to come from the target’s network. That way, when the DNS servers respond, they reply to the spoofed (target) address.

The bad guys also can amplify a reflective attack by crafting DNS queries so that the responses are much bigger than the requests. For example, an attacker could compose a DNS request of less than 100 bytes, prompting a response that is 60-70 times as large. This “amplification” effect is especially pronounced if the perpetrators query dozens of DNS servers with these spoofed requests simultaneously.

The government charged that Gatrel and Martinez constantly scanned the Internet for these misconfigured devices, and then sold lists of Internet addresses tied to these devices to other booter service operators.

Gatrel’s sentencing is scheduled for January 27, 2022. He faces a statutory maximum sentence of 35 years in federal prison. However, given the outcome of past prosecutions against other booter service operators, it seems unlikely that Gatrel will spend much time in jail.

The case against Gatrel and Martinez was brought as part of a widespread crackdown on booter services in Dec. 2018, when the FBI joined with law enforcement partners overseas to seize 15 different booter service domains.

Federal prosecutors and DDoS experts interviewed at the time said the operation had three main goals: To educate people that hiring DDoS attacks is illegal, to destabilize the flourishing booter industry, and to ultimately reduce demand for booter services.

The jury is still out on whether any of those goals have been achieved with lasting effect.

The original complaint against Gatrel and Martinez is here (PDF).

Trial Ends in Guilty Verdict for DDoS-for-Hire Boss

Growing network of hackers sharing data leaks on encrypted messaging app.

Telegram emerges as new dark web for cyber criminals

The "distinct tradecraft" marks the first instance where a threat actor has been found abusing WSL to install subsequent payloads.

"These files acted as loaders running a payload that was either embedded within the sample or retrieved from a remote server and was then injected into a running process using Windows API calls," researchers from Lumen Black Lotus Labs said in a report published on Thursday.

Windows Subsystem for Linux, launched in August 2016, is a compatibility layer that's designed to run Linux binary executables (in ELF format) natively on the Windows platform without the overhead of a traditional virtual machine or dual-boot setup.

The earliest artifacts date back to May 3, 2021, with a series of Linux binaries uploaded every two to three weeks till August 22, 2021. Not only are the samples written in Python 3 and converted into an ELF executable with PyInstaller, but the files are also orchestrated to download shellcode from a remote command-and-control server and employ PowerShell to carry out follow-on activities on the infected host.

This secondary "shellcode" payload is then injected into a running Windows process using Windows API calls for what Lumen described as "ELF to Windows binary file execution," but not before the sample attempts to terminate suspected antivirus products and analysis tools running on the machine. What's more, the use of standard Python libraries makes some of the variants interoperable on both Windows and Linux.

"Thus far, we have identified a limited number of samples with only one publicly routable IP address, indicating that this activity is quite limited in scope or potentially still in development," the researchers said. "As the once distinct boundaries between operating systems continue to become more nebulous, threat actors will take advantage of new attack surfaces."

Source

In the wild exploitation of this vulnerability (tracked as CVE-2021-40444) began on August 18 according to the company, more than two weeks before Microsoft published a security advisory with a partial workaround.

According to telemetry data analyzed by security analysts at the Microsoft 365 Defender Threat Intelligence Team and the Microsoft Threat Intelligence Center (MSTIC), the small number of initial attacks (less than 10) used maliciously crafted Office documents.

These attacks targeted the CVE-2021-40444 bug "as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders."

Beacons deployed on the network of at least one victim communicated with malicious infrastructure connected with several cybercrime campaigns, including human-operated ransomware.

Some of the Cobalt Strike infrastructure used in the August CVE-2021-40444 attacks was also used in the past to deliver BazaLoader and Trickbot payloads — activity overlapping with associated with the DEV-0193 activity cluster, tracked by Mandiant as UNC1878, aka WIZARD SPIDER / RYUK according to RiskIQ.

Payloads delivered also overlapped with DEV-0365, an activity cluster associated with infrastructure possibly used as Cobalt Strike command-and-control (C2) service (CS-C2aaS) for other groups.

Exploited by ransomware gangs after public disclosure

Microsoft also observed a massive increase in exploitation attempts within 24 hours after the CVE-2021-40444 advisory was published.

"Since the public disclosure, Microsoft has observed multiple threat actors, including ransomware-as-a-service affiliates, adopting publicly disclosed proof-of-concept code into their toolkits," the researchers added.

"Microsoft continues to monitor the situation and work to deconflict testing from actual exploitation."

MSTIC Threat Intelligence analyst Justin Warner added that other threat groups and actors will likely continue adding CVE-2021-40444 exploits to their arsenal in the coming days and weeks.

Microsoft recommends immediately applying the CVE-2021-40444 security updates released during the September 2021 Patch Tuesday to block incoming attacks.

CVE-2021-40444 impacts systems running Windows Server 2008 through 2019 and Windows 8.1 or later, and it has a severity level of 8.8 out of the maximum 10.

The security updates released by Microsoft address the vulnerability for all affected Windows versions and include a Monthly Rollup, a Security Only update, and an Internet Explorer cumulative update.

BleepingComputer has independently confirmed that known CVE-2021-40444 exploits no longer work after applying the September 2021 security patches.

To reduce the attack surface, customers who cannot apply the security updates should implement Microsoft's workarounds (disabling ActiveX controls via Group Policy and preview in Windows Explorer).

Microsoft: Windows MSHTML bug now exploited by ransomware gangs

The REvil master decryptor was created by cybersecurity firm Bitdefender in collaboration with a trusted law enforcement partner.

While Bitdefender could not share details about how they obtained the master decryption key or the law enforcement agency involved, they told BleepingComputer that it works for all REvil victims encrypted before July 13th.

"As per our blog post, we received the keys from a trusted law enforcement partner, and unfortunately, this is the only information we are at liberty to disclose right now," Bitdefender's Bogdan Botezatu, Director of Threat Research and Reporting, told BleepingComputer.

"Once the investigation progresses and will come to an end, further details will be offered upon approval."

REvil ransomware victims can download the master decryptor from Bitdefender (instructions) and decrypt entire computers at once or specify specific folders to decrypt.

To test the decryptor, BleepingComputer encrypted a virtual machine with an REvil sample used in an attack earlier this year. After encrypting our files, we could use Bitdefender's decryptor to easily recover our files, as shown below.

Law enforcement likely compromised REvil servers

The REvil ransomware operation, aka Sodinokibi, is believed to be a rebrand or successor to the now "retired" ransomware group known as GandCrab.

Since launching in 2019, REvil has conducted numerous attacks against well-known companies, including JBS, Coop, Travelex, and Grupo Fleury.

Finally, in a massive July 2nd attack using a Kaseya zero-day vulnerability, the ransomware gang encrypted sixty managed service providers and over 1,500 businesses worldwide.

After facing intense scrutiny by international law enforcement and increased political tensions between Russia and the USA, REvil suddenly shut down its operation on July 13th and disappeared.

While REvil was shut down, Kaseya mysteriously received a master decryptor for their attack, allowing MSPs and their customers to recover files for free.

As Bitdefender states that victims who REvil encrypted before July 13th can use this decryptor, it is safe to assume that the ransomware operation's disappearance was tied to this law enforcement investigation.

It is also likely that Kaseya obtaining the REvil master decryption key for the attack on their customers is also tied to the same investigation.

While REvil has returned to attacking victims earlier this month, the release of this master decryptor comes as a massive boon for existing victims who chose not to pay or simply couldn't after the ransomware gang disappeared.

Free REvil ransomware master decrypter released for past victims

patched Chrome for Windows, Mac and Linux Monday (Sept. 13) to fix two zero-day flaws being actively used by hackers in attacks. Nine other vulnerabilities were also fixed. You'll want to update your browser ASAP to make sure you're not a sitting duck.

To update Chrome in Windows or Mac, it's usually enough to just close the browser and relaunch it again. Users of some Linux distributions, however, may have to wait for their distro to package the Chrome fix along with other software updates.

If relaunching Chrome doesn't update it, then move your mouse cursor up to the three little vertical dots in the top right of the browser window. Click the dots, then move your cursor down to hover over "Help" in the drop-down menu. 

A smaller window will pop out to the left. Click "About Google Chrome." Your browser will either tell you that it's up to date or will update itself and then prompt you to relaunch. The version of Chrome that you want to be on right now is 93.0.4577.82.

No time to prepare

The two patched zero-day flaws, catalogued as CVE-2021-30632 and CVE-2021-30633, were both reported to Google by anonymous sources (possibly the same source) on Sept. 8. 

They're called "zero days" because hackers were already using them in attacks before Chrome found out, giving the developers no time to prepare fixes before exploitation began. These are the first zero-days patched in Chrome since mid-July.

The first is described as an "out-of-bounds write in V8," which is Chrome's JavaScript engine and handles many of the moving parts on a web page. Google has patched half-a-dozen zero-days this year related to V8. 

The second flaw is characterized as "use after free in Indexed DB API," meaning that hackers figured out a way to hijack running memory allocated to a programming interface that handles JavaScript interactions with a database.

JavaScript is one of the chief components that make interactive websites possible. Before JavaScript, websites were largely static. Without JavaScript and similar technologies, you wouldn't be able to open a Gmail message without reloading the entire page. 

Possible international espionage 

There's no information yet on who was using these two zero-days flaws, or who was being targeted. But most of the Chrome zero-days fixed in 2021 have involved highly resourced nation-state attackers — i.e., government spies — going after high-value targets, which can include political dissidents, foreign diplomats or others whose computers and smartphones might contain lots of valuable information.

The other flaws fixed included three in the Blink rendering engines that builds web pages in Chrome, and two in the ANGLE graphics engine. Most of their discoverers were named, but we liked the one identified only as "@SorryMybad."

Chrome shares its open-source Chromium codebase with several other browsers, and not all had been updated yet at the time of this writing. Despite yesterday's (Sept. 14) Patch Tuesday round of Microsoft updates, the Microsoft Edge browser was still based on Chromium 93.0.4577.63, while Opera was even further back with Chromium 92.0.4515.159.

However, both Brave and Vivaldi have updated themselves to the current version of Chromium.

Source

iPhone users are facing a software vulnerability that independent researchers say was used to spy on a Saudi activist. On Monday, Apple issued an urgent update to fix the issue.

The company's head of security engineering said in a statement that the vulnerability is used to target specific individuals and is "not a threat to the overwhelming majority of our users." But it's particularly dangerous because it opens the door to being hacked without users having to click on a corrupted link, as is the case with most other cyberattacks.

And it can affect anyone who uses iMessage.

Now, iPhone users can update their phones to iOS 14.8 to be protected from potential attacks. It's as simple as going to your settings, clicking on "General" and checking the field that says "Software Update."

There has been a proliferation of so-called "zero click" attacks in recent months, largely believed to be enabled by spyware from Israeli firm NSO Group. The firm says it only sells its services to government agencies in order to combat terrorism and crime.

In a statement on Monday, NSO Group did not address the allegations, only saying it "will continue to provide intelligence and law enforcement agencies around the world with life saving technologies to fight terror and crime."

Researchers, however, say they have found multiple cases in which the spyware was deployed on dissidents or journalists. And the increasing prevalence of attacks that can infiltrate devices without the user's knowledge or involvement mean keeping your phone's software up to date has never been more important.

Source

The trio in question — Marc Baier, 49, Ryan Adams, 34, and Daniel Gericke, 40 — are accused of "knowingly and willfully combine, conspire, confederate, and agree with each other to commit offenses, "furnishing defense services to persons and entities in the country over a three year period beginning around December 2015 and continuing through November 2019, including developing invasive spyware capable of breaking into mobile devices without any action by the targets.

"The defendants worked as senior managers at a United Arab Emirates (U.A.E.)-based company (U.A.E. CO) that supported and carried out computer network exploitation (CNE) operations (i.e., 'hacking') for the benefit of the U.A.E. government," the DoJ said in a statement.

"Despite being informed on several occasions that their work for [the] U.A.E. CO, under the International Traffic in Arms Regulations (ITAR), constituted a 'defense service' requiring a license from the State Department's Directorate of Defense Trade Controls (DDTC), the defendants proceeded to provide such services without a license."

Besides charging the individuals for violations of U.S. export control, computer fraud and access device fraud laws, the hackers-for-hire are alleged to have supervised the creation of sophisticated 'zero-click' exploits that were subsequently weaponized to illegally amass credentials for online accounts issued by U.S. companies, and to obtain unauthorized access to mobile phones around the world.

The development follows a prior investigation by Reuters in 2019, which revealed how former U.S. National Security Agency (NSA) operatives helped the U.A.E. surveil prominent Arab media figures, dissidents, and several unnamed U.S. journalists as part of a clandestine operation dubbed Project Raven undertaken by a cybersecurity company named DarkMatter. The company's propensity to recruit "cyberwarriors from abroad" to research offensive security techniques first came to light in 2016.

The deep-dive report also detailed a zero-click exploit called Karma that made it possible to remotely hack into iPhones of activists, diplomats and rival foreign leaders "simply by uploading phone numbers or email accounts into an automated targeting system." The sophisticated tool was used to retrieve photos, emails, text messages and location information from the victims' phones as well as harvest saved passwords, which could be abused to stage further intrusions.

According to unsealed court documents, Baier, Adams and Gericke designed, implemented, and used Karma for foreign intelligence gathering purposes starting in May 2016 after obtaining an exploit from an unnamed U.S. company that granted zero-click remote access to Apple devices.

But after the underlying security weakness was plugged in September, the defendants allegedly contacted another U.S. firm to acquire a second exploit that utilized a different vulnerability in iOS, ultimately using it to rearchitect and modify the Karma exploitation toolkit.

The charges also arrive a day after Apple divulged that it acted to close a zero-day vulnerability (CVE-2021-30860) exploited by NSO Group's Pegasus spyware to target activists in Bahrain and Saudi Arabia.

"The FBI will fully investigate individuals and companies that profit from illegal criminal cyber activity," said Assistant Director Bryan Vorndran of the FBI's Cyber Division. "This is a clear message to anybody, including former U.S. government employees, who had considered using cyberspace to leverage export-controlled information for the benefit of a foreign government or a foreign commercial company – there is risk, and there will be consequences."

Source

Microsoft has fixed 60 vulnerabilities (86 including Microsoft Edge) with today's update, with three classified as Critical, one as Moderate, and 56 as Important.

Of the total 86 vulnerabilities (including Microsoft Edge):

• 27 Elevation of Privilege Vulnerabilities
• 2 Security Feature Bypass Vulnerabilities
• 16 Remote Code Execution Vulnerabilities
• 11 Information Disclosure Vulnerabilities
• 1 Denial of Service Vulnerabilities
• 8 Spoofing Vulnerabilities

For information about the non-security Windows updates, you can read about today's Windows 10 KB5005565 & KB5005566 cumulative updates.

Microsoft fixes Windows MSHTML zero-day

Microsoft has released a security update for the Windows MSHTML remote code execution vulnerability tracked as CVE-2021-40444.

Last Tuesday, Microsoft disclosed a new zero-day Windows MSHTML remote code execution vulnerability that threat actors actively used in phishing attacks.

These attacks distributed malicious Word documents that exploited the CVE-2021-40444 to download and execute a malicious DLL file that installed a Cobalt Strike beacon on the victim's computer.

This beacon allows a threat actor to gain remote access to the device to steal files and spread laterally throughout the network.

Soon after Microsoft disclosed the vulnerability, threat actors and security researchers began sharing guides on exploiting the vulnerability, which allowed anyone to start using it in attacks, as demonstrated below.

With the September 2021 Patch Tuesday updates, Microsoft has released a security update for this vulnerability.

As researchers discovered numerous ways to exploit the bug, including a bypass to mitigations, it is not clear if the security update fixes all of the techniques.

Two zero-days fixed, with one actively exploited

September's Patch Tuesday includes fixes for two zero-day vulnerabilities, with the MSHTML bug actively exploited in the wild.

Microsoft classifies a vulnerability as a zero-day if publicly disclosed or actively exploited with no official security updates released.

The publicly disclosed, but not actively exploited, zero-day vulnerability is:

• CVE-2021-36968 - Windows DNS Elevation of Privilege Vulnerability

The only actively exploited vulnerability is the Windows MSHTML remote code execution vulnerability, as previously discussed:

• CVE-2021-40444 - Microsoft MSHTML Remote Code Execution Vulnerability

Recent updates from other companies

Other vendors who released updates in July include:

• Adobe released security updates for two products.
• Android's September security updates were released last week.
• Apple released security updates for iOS and macOS yesterday that fix two zero-day vulnerabilities exploited in the wild. One of the vulnerabilities was used to install the NSO Pegasus spyware on activists's devices.
• Cisco released security updates for numerous products this month.
• SAP released its September 2021 security updates.

The September 2021 Patch Tuesday Security Updates

Below is the complete list of resolved vulnerabilities and released advisories in the September 2021 Patch Tuesday updates. To access the full description of each vulnerability and the systems that it affects, you can view the full report here.

Microsoft September 2021 Patch Tuesday fixes 2 zero-days, 60 flaws

In June, a zero-day Windows print spooler vulnerability dubbed PrintNightmare (CVE-2021-34527) was accidentally disclosed. This vulnerability exploits the Windows Point and Print feature to perform remote code execution and gain local SYSTEM privileges.

While Microsoft released two security updates to fix various PrintNightmare vulnerabilities, another vulnerability publicly disclosed by security researcher Benjamin Delpy still allowed threat actors to quickly gain SYSTEM privileges simply by connecting to a remote print server.

As demonstrated below, Delpy's vulnerability abused the CopyFiles directive to copy and execute malicious DLL using SYSTEM privileges when a user installed a remote printer. Once the exploit launched the DLL, it would open a console Window where all commands are executed with SYSTEM privileges.

To make matters worse, ransomware gangs, such as Vice Society, Magniber, and Conti, began utilizing the bug to gain elevated privileges on compromised devices.

This remaining PrintNightmare vulnerability is tracked as CVE-2021-36958 and is attributed to Victor Mata of FusionX, Accenture Security, who privately disclosed the bug to Microsoft in December 2020.

New security update fixes PrintNightmare bug

In today's September 2021 Patch Tuesday security updates, Microsoft has released a new security update for CVE-2021-36958 that fixes the remaining PrintNightmare vulnerability.

Delpy, who tested his exploit against the new security update, confirmed to BleepingComputer that the bug is now fixed.

In addition to fixing the vulnerability, Delpy told BleepingComputer that Microsoft has disabled the CopyFiles feature by default and added an undocumented group policy that allows admins to enable it again.

This policy can be configured in the Windows Registry under HKLM\Software\Policies\Microsoft\Windows NT\Printers key and by adding a value named CopyFilesPolicy. When set to '1', CopyFiles will be enabled again.

However, even when enabled, Delpy told BleepingComputer that it would only allow Microsoft's C:\Windows\System32\mscms.dll file to be used with this feature.

As this change will affect the default behavior of Windows, it is unclear what issues it will cause when printing in Windows.

Microsoft has not released any information on this new group policy at this time, and it is not available in the Group Policy Editor.

In addition to the PrintNightmare vulnerability, today's updates also fix an actively exploited Windows MSHTML zero-day vulnerability.

As both of these vulnerabilities are known to be abused by the threat actors in attacks, it is critical to install today's Patch Tuesday security updates as soon as possible.

Microsoft fixes remaining Windows PrintNightmare vulnerabilities

The remote code execution (RCE) security flaw, tracked as CVE-2021-40444, was found in the MSHTML Internet Explorer browser rendering engine used by Microsoft Office documents.

According to Microsoft, CVE-2021-40444 impacts Windows Server 2008 through 2019 and Windows 8.1 or later, and it has a severity level of 8.8 out of the maximum 10.

"Microsoft has released security updates to address this vulnerability," the company said today in an advisory update published as part of this month's Patch Tuesday.

"Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately."

Security updates released after built-in defenses bypassed

The targeted attacks detected by Microsoft tried to exploit the vulnerability by sending specially-crafted Office documents with malicious ActiveX controls to potential victims.

Luckily, these attacks were thwarted if Microsoft Office ran with the default configuration, which opens untrusted documents in Protected View mode (or with Application Guard for Office 365 customers).

However, as CERT/CC vulnerability analyst Will Dormann later told BleepingComputer, this built-in protection against CVE-2021-40444 exploits would likely be bypassed either by users ignoring Protected View warnings or by attackers delivering the malicious documents bundled within 7Zip archives or ISO containers.

Furthermore, Dormann also found that threat actors could exploit this vulnerability using maliciously-crafted RTF files, which don't benefit from Office's Protected View security feature.

How to apply the security updates

Today's security updates address the vulnerability for all affected versions of Windows and include a Monthly Rollup, a Security Only update, and an Internet Explorer cumulative update.

"Customers running Windows 8.1, Windows Server 2012 R2, or Windows Server 2012 can apply either the Monthly Rollup or both the Security Only and the IE Cumulative updates," according to Microsoft.

"The Monthly Rollup for Windows 7, Windows Server 2008 R2, and Windows Server 2008 includes the update for this vulnerability. Customers who apply the Monthly Rollup do not need to apply the IE Cumulative update.

"Customers who only apply Security Only updates need to also apply the IE Cumulative update to be protected from this vulnerability."

BleepingComputer independently confirmed that known CVE-2021-40444 exploits no longer work after applying today's patches.

Those who cannot immediately apply today's security updates should implement Microsoft's workarounds (disabling ActiveX controls via Group Policy and preview in Windows Explorer) to reduce the attack surface.

Microsoft fixes Windows CVE-2021-40444 MSHTML zero-day bug

Apple hits the alarm with multi-OS emergency update to patch zero-click flaw

(May require free registration to view)

According to Microsoft's stats, Microsoft Defender Antivirus is the anti-malware solution pre-installed on more than 1 billion systems running Windows 10.

The attackers have also changed the malware delivery vector from spam or phishing emails to TeamViewer Google ads published through Google Adwords, redirecting the targets to fake download sites.

From there, they are tricked into downloading signed and malicious MSI installers designed to install Zloader malware payloads on their computers.

"The attack chain analyzed in this research shows how the complexity of the attack has grown in order to reach a higher level of stealthiness," said SentinelLabs security researchers Antonio Pirozzi and Antonio Cocomazzi in a report published today.

"The first stage dropper has been changed from the classic malicious document to a stealthy, signed MSI payload. It uses backdoored binaries and a series of LOLBAS to impair defenses and proxy the execution of their payloads.

Attacks focused on Australian and German banking customers

Zloader (also known as Terdot and DELoader) is a banking trojan initially spotted back in August 2015 when it was used to attack several British financial targets' customers.

Like Zeus Panda and Floki Bot, this malware is almost entirely based on the Zeus v2 Trojan's source code leaked online more than a decade ago.

The banking trojan targeted banks worldwide, from Australia and Brazil to North America, attempting to harvest financial data via web injections that use social engineering to convince infected customers to hand out auth codes and credentials.

More recently, it has also been used to deliver ransomware payloads such as Ryuk and Egregor. Zloader also comes with backdoor and remote access capabilities, and it can also be used as a malware loader to drop further payloads on infected devices.

According to SentinelLabs' research, this latest campaign is primarily focused on targeting customers of German and Australian banking institutions.

"This is the first time we have observed this attack chain in a ZLoader campaign," SentinelLabs' researchers concluded.

"At the time of writing, we have no evidence that the delivery chain has been implemented by a specific affiliate or if it was provided by the main operator."

MalwareBytes, who tracks this malvertising campaign they named Malsmoke since the start of 2020, saw the threat actors infecting their targets with the Smoke Loader malware dropper using the Fallout exploit kit via adult-themed malicious sites.

They've switched to sites imitating Discord, TeamViewer, Zoom, and QuickBooks starting with the end of August 2021, and are likely targeting businesses rather than individuals according to security researcher nao_sec.

New Zloader attacks disable Windows Defender to evade detection

Security researchers at Citizen Lab have discovered an exploit that they believe has been used by government clients of NSO Group, the Israeli spyware company, to silently hack into iPhones and other Apple devices since February 2021.

The discovery, which was made as the researchers were examining the mobile phone of a Saudi activist, was shared with Apple, which on Monday released a patch to fix the vulnerability.

Researchers said the speed with which Apple was seeking to fix the vulnerability to its operating system, which in effect has allowed the latest iPhones and operating systems to be vulnerable to attack by NSO Group’s government clients, underscored the “absolute seriousness” of their findings.

“Today is going to be a rough day at NSO because the lights are going to go out on one of their most productive exploits,” said John Scott-Railton, a senior Citizen Lab researcher.

When it is successfully deployed against a target, NSO Group’s spyware, called Pegasus, can silently hack into a phone, collect a user’s personal and private information, intercept calls and messages, and even turn a mobile phone into a remote listening device.

NSO Group has said that its spyware is only meant to be used by licensed law enforcement agencies to target criminals and terrorists. But investigations – including the recent publication of the Pegasus Project by the Guardian and other outlets – have revealed ways in which the spyware has been used by government clients to target journalists and human rights activists around the world.

Asked for comment, NSO Group issued a statement saying: “NSO Group will continue to provide intelligence and law enforcement agencies around the world with life-saving technologies to fight terror and crime.”

Citizen Lab said it was able to make a “high-confidence attribution” that the exploit had been created by NSO Group because they observed “multiple distinctive elements” in the spyware. An exploit is a technical vulnerability that allows spyware to infect a phone, and the code of the exploit discovered by Citizen Lab contained a specific bug that the researchers had only ever associated with NSO Group’s Pegasus in the past.

“We believe that the bug is distinctive enough to point back to NSO,” Citizen Lab said in a blogpost.

The researchers also found that the spyware, which they have called FORCEDENTRY, used multiple process names – identifying features of the malware code – including one that was used in a previous attack that used NSO Group spyware on an Al Jazeera journalist in July 2020.

NSO Group has said it cannot reveal the identity of its clients. But the Guardian has previously reported that NSO Group dropped Saudi Arabia as a client in the wake of Citizen Lab’s report that the kingdom was the likely culprit behind dozens of attacks against Al Jazeera journalists in 2020.

The development marks more bad news for Apple. Forensic examinations of mobile phones conducted both by Citizen Lab and Amnesty International’s security lab have found that even the most up-to-date iPhones, using the most up to date operating system, have been vulnerable to attacks by Pegasus.

Ivan Krstić, head of Apple security engineering and architecture, said in a statement to the Guardian: “After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users. We’d like to commend Citizen Lab for successfully completing the very difficult work of obtaining a sample of this exploit so we could develop this fix quickly.”

He added: “Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”

Citizen Lab said in its statement that the company was releasing a fix for the exploit on Monday, and urged all Apple users to update devices as soon as possible, including all Apple devices that use iOS versions prior to 14.8.

The exploit discovered by Citizen Lab is known as a “zero-day” vulnerability, which allows users of the spyware to infect a phone without the user having any idea that their mobile phones have been hacked. In this case, the FORCEDENTRY exploit used a weakness in Apple’s iMessage function to silently send corrupt files to a phone that appeared to be GIF extensions, but were actually Adobe PDF files containing malicious code.

“Our latest discovery of yet another Apple zero-day employed as part of NSO Group’s arsenal further illustrates that companies like NSO Group are facilitating ‘despotism-as-a-service’ for unaccountable government security agencies,” researchers said.

Bill Marczak, who first discovered the exploit at Citizen Lab, said the findings also highlighted the importance of securing popular messaging apps, which were increasingly being used as a target by sophisticated threat actors.

“As presently engineered, many chat apps have become an irresistible soft target. Without intense engineering focus, we believe that they will continue to be heavily targeted, and successfully exploited,” Citizen Lab said.

Source

ExpressVPN said it would remain a separate service, and its team would continue to grow. Of its approximately 290 employees, ExpressVPN has 48% involved in research and development. Kape called out ExpressVPN's OEM arrangements with HP, HMD Global, Acer, Dynabook, and Philips.

The VPN service has over 3 million customers, with over 40% in North America. During the 2020 fiscal year, ExpressVPN posted revenue of $279 million, up 37%, and adjusted EBITDA of $75 million, up 35%, Kape said in its regulatory filing.

Cross-selling aside, ExpressVPN claimed it would be able to provide better protection from a "wider range of threats".

"We've been impressed by Kape's clear commitment to protecting the privacy of users," ExpressVPN said in a blog post.

"Their track record with upholding the exacting privacy practices and policies of other privacy protection services under the Kape umbrella is a strong testament to how seriously they take their responsibility to respect user privacy and rights."

Source : https://www.zdnet.com/article/expressvpn-sells-to-kape-technologies-for-936-million/

There are no new features in any of these releases—just security updates.

Apple fixes security vulnerabilities in new versions of iOS, macOS, and watchOS

The as-yet undetected version of the penetration testing tool — codenamed "Vermilion Strike" — marks one of the rare Linux ports, which has been traditionally a Windows-based red team tool heavily repurposed by adversaries to mount an array of targeted attacks. Cobalt Strike bills itself as a "threat emulation software," with Beacon being the payload engineered to model an advanced actor and duplicate their post-exploitation actions.

"The stealthy sample uses Cobalt Strike's command-and-control (C2) protocol when communicating to the C2 server and has remote access capabilities such as uploading files, running shell commands and writing to files," Intezer researchers said in a report published today and shared with The Hacker News.

The Israeli cybersecurity company's findings come from an artifact uploaded to VirusTotal on August 10 from Malaysia. As of writing, only two anti-malware engines flag the file as malicious.

Once installed, the malware runs itself in the background and decrypt the configuration necessary for the beacon to function, before fingerprinting the compromised Linux machine and establishing communications with a remote server over DNS or HTTP to retrieve base64-encoded and AES-encrypted instructions that allow it run arbitrary commands, write to files, and upload files back to the server.

Interestingly, additional samples identified during the course of the investigation have shed light on the Windows variant of the malware, sharing overlaps in the functionality and the C2 domains used to remotely commandeer the hosts. Intezer also called out the espionage campaign's limited scope, noting the malware's use in specific attacks as opposed to large-scale intrusions, while also attributing it to a "skilled threat actor" owing to the fact that Vermilion Strike has not been observed in other attacks to date.

"Vermilion Strike and other Linux threats remain a constant threat. The predominance of Linux servers in the cloud and its continued rise invites APTs to modify their toolsets in order to navigate the existing environment," the researchers said.

Source

The flaw, tracked as CVE-2021-23406, has a severity rating of 8.1 on the CVSS vulnerability scoring system and affects Pac-Resolver versions before 5.0.0.

A Proxy Auto-Configuration (PAC) file is a JavaScript function that determines whether web browser requests should be routed directly to the destination or forwarded to a web proxy server for a given hostname. PAC files are how proxy rules are distributed in enterprise environments.

"This package is used for PAC file support in Pac-Proxy-Agent, which is used in turn in Proxy-Agent, which then used all over the place as the standard go-to package for HTTP proxy auto-detection and configuration in Node.js," Tim Perry said in a write-up published late last month. "It's very popular: Proxy-Agent is used everywhere from AWS's CDK toolkit to the Mailgun SDK to the Firebase CLI."

CVE-2021-23406 has to do with how Pac-Proxy-Agent doesn't sandbox PAC files correctly, resulting in a scenario where an untrusted PAC file can be abused to break out of the sandbox entirely and run arbitrary code on the underlying operating system. This, however, necessitates that the attacker either resides on the local network, has the capability to tamper with the contents of the PAC file, or chains it with a second vulnerability to alter the proxy configuration.

"This is a well-known attack against the VM module, and it works because Node doesn't isolate the context of the 'sandbox' fully, because it's not really trying to provide serious isolation," Perry said. "The fix is simple: use a real sandbox instead of the VM built-in module."

Red Hat, in an independent advisory, said the vulnerable package is shipped with its Advanced Cluster Management for Kubernetes product, but noted it's "currently not aware of the vector to trigger the vulnerability in the affected component, furthermore the affected component is protected by user authentication lowering the potential impact of this vulnerability."

Source

Dubbed "Spook.js" by academics from the University of Michigan, University of Adelaide, Georgia Institute of Technology, and Tel Aviv University, the technique is a JavaScript-based line of attack that specifically aims to get around barriers Google put in place after Spectre and Meltdown vulnerabilities came to light in January 2018, thereby potentially preventing leakage by ensuring that content from different domains is not shared in the same address space.

"An attacker-controlled webpage can know which other pages from the same websites a user is currently browsing, retrieve sensitive information from these pages, and even recover login credentials (e.g., username and password) when they are autofilled," the researchers said, adding "the attacker can retrieve data from Chrome extensions (such as credential managers) if a user installs a malicious extension."

As a consequence, any data stored in the memory of a website being rendered or a Chrome extension can be extracted, including personally identifiable information displayed on the website, and auto-filled usernames, passwords, and credit card numbers.

Spectre, designated as CVE-2017-5753 and CVE-2017-5715, refers to a class of hardware vulnerabilities in CPUs that breaks the isolation between different applications and permits attackers to trick a program into accessing arbitrary locations associated with its memory space, abusing it to read the content of accessed memory, and thus potentially obtain sensitive data.

"These attacks use the speculative execution features of most CPUs to access parts of memory that should be off-limits to a piece of code, and then use timing attacks to discover the values stored in that memory," Google noted. "Effectively, this means that untrustworthy code may be able to read any memory in its process's address space."

Site Isolation, rolled out in July 2018, is Google's software countermeasure designed to make the attacks harder to exploit, among others that involve reducing timer granularity. With the feature enabled, Chrome browser versions 67 and above will load each website in its own process, and as a result, thwart attacks between processes, and thus, between sites.

However, researchers of the latest study found scenarios where the site isolation safeguards do not separate two websites, effectively undermining Spectre protections. Spook.js exploits this design quirk to result in information leakage from Chrome and Chromium-based browsers running on Intel, AMD, and Apple M1 processors.

"Thus, Chrome will separate 'example.com' and 'example.net' due to different [top-level domains], and also 'example.com' and 'attacker.com.'" the researchers explained. "However, 'attacker.example.com' and 'corporate.example.com' are allowed to share the same process [and] this allows pages hosted under 'attacker.example.com' to potentially extract information from pages under 'corporate.example.com.'"

"Spook.js shows that these countermeasures are insufficient in order to protect users from browser-based speculative execution attacks," the researchers added. That said, as with other Spectre variants, exploiting Spook.js is difficult, requiring substantial side-channel expertise on the part of the attacker.

In response to the findings, the Chrome Security Team, in July 2021, extended Site Isolation to ensure that "extensions can no longer share processes with each other," in addition to applying them to "sites where users log in via third-party providers." The new setting, called Strict Extension Isolation, is enabled as of Chrome versions 92 and up.

"Web developers can immediately separate untrusted, user-supplied JavaScript code from all other content for their website, hosting all user-supplied JavaScript code at a domain that has a different eTLD+1," the researchers said. "This way, Strict Site Isolation will not consolidate attacker-supplied code with potentially sensitive data into the same process, putting the data out of reach even for Spook.js as it cannot cross process boundaries."

Source

Last Tuesday, Microsoft disclosed a new zero-day vulnerability in Windows MSHTML that allows threat actors to create malicious documents, including Office and RTF docs, to execute commands on a victim's computer remotely.

Even though there are no security updates available for the CVE-2021-40444 vulnerability, as it was discovered used in active attacks by EXPMON and Mandiant, Microsoft decided to disclose the vulnerability and provide mitigations to help prevent its exploitation.

These mitigations work by blocking ActiveX controls and Word/RTF document previews in Windows Explorer.

However, researchers have been able to modify the exploit not to use ActiveX, effectively bypassing Microsoft's mitigations.

Guides and PoCs shared on hacking forums

When Microsoft first disclosed the Windows MSHTML zero-day, tracked as CVE-2021-40444, security researchers quickly found the malicious documents used in attacks.

While they soon reproduced the exploits, modified them for further capabilities, and discovered a new document preview vector, the researchers did not disclose details for fear other threat actors would abuse it.

Unfortunately, threat actors have been able to reproduce the exploit on their own from information, and malicious document samples posted online and have begun sharing detailed guides and information on hacking forums.

The information is simple to follow and allows anyone to create their own working version of the CVE-2021-40444 exploit, including a python server to distribute the malicious documents and CAB files.

Using this information, BleepingComputer could reproduce the exploit in about 15 minutes, as demonstrated in the video below.

Defending against the CVE-2021-40444 MSHTML vulnerability 

The good news is that since the vulnerability was disclosed, Microsoft Defender and other security programs can detect and block malicious documents and CAB files used in this attack.

For example, you can see below Microsoft Defender blocking the exploit as 'Trojan:Win32/CplLoader.a' and 'TrojanDownloader:HTML/Donoff.SA' detections.

Microsoft has also provided the following mitigations to block ActiveX controls in Internet Explorer, the default handler for the MSHTML protocol, and block document preview in Windows Explorer.

Disable ActiveX controls in Internet Explorer

To disable ActiveX controls, please follow these steps:

1. Open Notepad and paste the following text into a text file. Then save the file as disable-activex.reg. Make sure you have the displaying of file extensions enabled to properly create the Registry file.
   
   Alternatively, you can download the registry file from here.

   Windows Registry Editor Version 5.00
   
   [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
   "1001"=dword:00000003
   "1004"=dword:00000003
   
   [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
   "1001"=dword:00000003
   "1004"=dword:00000003
   
   [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
   "1001"=dword:00000003
   "1004"=dword:00000003
   
   [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
   "1001"=dword:00000003
   "1004"=dword:00000003

2. Find the newly created disable-activex.reg and double-click on it. When a UAC prompt is displayed, click on the Yes button to import the Registry entries.
3. Reboot your computer to apply the new configuration.

Once you reboot your computer, ActiveX controls will be disabled in Internet Explorer.

You can enable ActiveX controls again by deleting the above Registry keys or using this Registry file.

Disable document preview in Windows Explorer

Security researchers have also found that this vulnerability can be exploited by viewing a malicious document using the Windows Explorer preview feature.

Since this was discovered, Microsoft has added the following mitigation to disable previewing of RTF and Word documents:

1. In the Registry Editor (regedit.exe), navigate to the appropriate registry key:

   For Word documents, navigate to these keys:

   • HKEY_CLASSES_ROOT.docx\ShellEx{8895b1c6-b41f-4c1c-a562-0d564250836f}
   • HKEY_CLASSES_ROOT.doc\ShellEx{8895b1c6-b41f-4c1c-a562-0d564250836f}
   • HKEY_CLASSES_ROOT.docm\ShellEx{8895b1c6-b41f-4c1c-a562-0d564250836f}

   For rich text files (RTF), navigate to this key:

   • HKEY_CLASSES_ROOT.rtf\ShellEx{8895b1c6-b41f-4c1c-a562-0d564250836f}
2. Export a copy of the Registry key as a backup.
3. Now double-click Name and in the Edit String dialog box, delete the Value Data.
4. Click OK,

Word document and RTF file previews are now disabled in Windows Explorer.

To enable Windows Explorer preview for these documents, double-click on the backup .reg file you created in step 2 above.

While these mitigations will help, as the exploit has been modified not to use ActiveX controls, users are still at risk until an official security update is released.

Until Microsoft releases a security update, everyone should treat all Word and RTF attachments suspiciously and their source manually verified before opening them.

Windows MSHTML zero-day exploits shared on hacking forums

T-Mobile’s most recent data breach leaked the personal information of 53 million people, with names, addresses and even social security numbers leaked online. 

Those affected face not only the risk of identity theft, but also the growing threat of SIM-swapping that can allow attackers to hijack their online accounts. 

While security experts have given consumers advice about how to protect themselves, some well known companies are actively preventing them from securing their accounts.

SIM-swaps

In a SIM-swap, criminals steal their victim’s phone number by convincing the mobile carrier to transfer the victim’s phone service to a SIM-card that they control.  

The T-Mobile breach makes it easier for criminals to do this because it leaked answers to questions the mobile carrier might ask before agreeing to switch the victim’s SIM. 

“In a hypothetical scenario, if customer service asks an attacker for the last four digits of your social security number and credit card in order to access your account, the attacker can now correctly answer those challenges,” notes  Kevin Lee, a security researcher and PhD student in the computer science department at Princeton University. 

“Once inside, the attacker can ask the customer service agent to update the SIM card on your account to a new one in his possession, which will essentially divert all your incoming calls and messages … to the attacker.”

As many online accounts allow users to reset their passwords and receive two factor authentication (2FA) codes via SMS, once an attacker steals a user’s phone number they can also hijack their online accounts.  Security experts have advised those affected by the T-Mobile breach to protect their accounts by enabling non-SMS based 2FA methods, such as authentication apps or security keys.  But not all companies give their users this option and even when they do, many still have vulnerabilities in the way they authenticate their users, putting customer accounts at risk. 

Companies are putting their customers at risk

Last year, Lee and a team of researchers warned many well-known companies about these vulnerabilities in how they authenticate their users.

Venmo, the mobile payment app, is one of the companies they contacted. A Venmo user can request a password reset via SMS and will also receive 2FA codes via SMS — they do not have the option to use a more secure method such as an authenticator. This means that if a user is SIM-swapped the attacker has everything they need to hijack their victim’s Venmo account and take control of their money.

WordPress.com is another offender Lee and his colleagues contacted.  Like Venmo, they allow users to reset their password via SMS. Unlike Venmo they allow users to set up an authenticator, but require users to receive 2FA codes via SMS as a backup, completely undermining the security benefits of the authenticator. 

If a WordPress.com user is SIM-swapped the attacker can reset their password and bypass the need for an authenticator by having a code sent via SMS, allowing them to hijack their victim’s account and take over their websites.  

WordPress.com’s situation is made worse by the fact that there is no indication in a user’s 2FA settings that when an authenticator is set up, SMS is enabled as a backup.  In my account, for example, it tells me “You've enabled two-step authentication on your account — smart move! When you log in to WordPress.com, you'll need to enter your username and password, as well as a unique passcode generated by an app on your mobile device.”  If I scroll down, I can see my backup methods, but SMS is not listed.  It’s only when I go to log in that I see SMS is provided as a backup option.

The 2FA settings in WordPress.com make no mention that SMS 2FA is enabled as a mandatory backup method. (Image credit: Rebecca Morris)

(Image credit: Rebecca Morris)

Overall Lee and his colleagues identified 17 websites that were putting their customers’ accounts at risk of hijacking after a SIM-swap.  Only 4 of the 17 fixed the issue.

Venmo and WordPress.com are among the 13 that failed to take any action, as I confirmed by testing with my own accounts and contacting customer service. In some cases, companies did not take action because they did not understand that the way they were authenticating users was insecure, which Lee described as “concerning.” Others recognized the problem, he said, but opted not to make changes “for fear of inconveniencing customers.” 

What companies can do

Companies don’t have to take drastic measures to protect their customers’ accounts from hijacking after a SIM-swap.

Lee emphasized the importance of threat modeling, a process in which companies analyze potential ways for an attacker to interact with their site in order to identify vulnerabilities and fix them ahead of time.

A few of the more secure sites they analyzed had presumably engaged in threat modeling and had themselves identified the problem with allowing password resets and 2FA codes to be sent via SMS.

These companies “would disallow SMS-authenticated recovery for accounts that had SMS 2-step login enabled,” Lee said. This provides at least some protection if a user is SIM-swapped, as the attackers won’t be able to gain access to the victim’s account unless they have also obtained their password through other means.

Lee and his colleagues also recommended companies give their customers at least one secure 2FA option, like an authenticator app or security key.

As they highlighted, these options are not just more secure, but allow for quicker authentication and can be used without an internet connection. 

Lee emphasized via email that mandating SMS 2FA as a backup “might not fit everyone’s security needs, and could even be hurting users,”

especially when it is done without their knowledge. He added that “transparency is crucial,” and that companies need to provide users with clear information about the methods they can use to access their account.

That way at least a user who has an authenticator set up won’t be blindsided if they are SIM-swapped and find their account is still hijacked because SMS 2FA was silently enabled as a backup.

Companies that continue to do nothing, however, are helping cybercriminals, not their customers.

Source

Since 2019, the REvil ransomware operation, aka Sodinokibi, has been conducting attacks on organizations worldwide where they demand million-dollar ransoms to receive a decryption key and prevent the leaking of stolen files.

While in operation, the gang has been involved in numerous attacks against well-known companies, including JBS, Coop, Travelex, GSMLaw, Kenneth Cole, Grupo Fleury, and others.

REvil's disappearance act

REvil shut down their infrastructure and completely disappeared after their biggest caper yet - a massive attack on July 2nd that encrypted 60 managed service providers and over 1,500 businesses using a zero-day vulnerability in the Kaseya VSA remote management platform.

REvil then demanded $50 million for a universal decryptor for all Kaseya victims, $5 million for an MSP's decryption, and a $44,999 ransom for individual file encryption extensions at affected businesses.

This attack had such wide-ranging consequences worldwide that it brought the full attention of international law enforcement to bear on the group.

Likely feeling pressure and concerns about being apprehended, the REvil gang suddenly shut down on July 13th, 2021, leaving many victims in a lurch with no way of decrypting their files.

The last we had heard of REvil, was that Kaseya received a universal decryptor that victims could use to decrypt files for free. It is unclear how Kaseya received the decryptor but stated it came from a "trusted third party."

REvil returns with new attacks

After their shutdown, researchers and law enforcement believed that REvil would rebrand as a new ransomware operation at some point.

However, much to our surprise, the REvil ransomware gang came back to life this week under the same name.

On September 7th, almost two months after their disappearance, the Tor payment/negotiation and data leak sites suddenly turned back on and became accessible. A day later, it was once again possible to log in to the Tor payment site and negotiate with the ransomware gang.

All prior victims had their timers reset, and it appeared that their ransom demands were left as they were when the ransomware gang shut down in July.

However, there was no proof of new attacks until September 9th, when someone uploaded a new REvil ransomware sample compiled on September 4th to VirusTotal.

Today, we have seen further proof of their renewed attacks as the ransomware gang has published screenshots of stolen data for a new victim on their data leak site.

If you have first-hand information about REvil's return, you can confidentially contact us on Signal at +16469613731, Wire at @lawrenceabrams-bc, or Jabber at lawrence.abrams@anonym.im.

New REvil representative emerges

In the past, REvil's public representative was a threat actor known as 'Unknown' or 'UNKN,' who frequently posted at hacking forums to recruit new affiliates or post news about the ransomware operation.

On September 9th, after the return of the ransomware operation, a new representative simply named 'REvil' had begun posting at hacking forums claiming that the gang briefly shut down after they though Unknown was arrested and servers were compromised.

This translation of these posts can be read below:

"As Unknown (aka 8800) disappeared, we (the coders) backed up and turned off all the servers. Thought that he was arrested. We tried to search, but to no avail. We waited - he did not show up and we restored everything from backups.

After UNKWN disappeared, the hoster informed us that the Clearnet servers were compromised and they deleted them at once. We shut down the main server with the keys right afterward. 

Kaseya decryptor, which was allegedly leaked by the law enforcement, in fact, was leaked by one of our operators during the generation of the decryptor." - REvil

Based on these claims, Kaseya's universal decryptor was obtained by law enforcement after they gained access to some of REvil's servers.

However, BleepingComputer has been told by numerous sources that REvil's disappearance surprised law enforcement as much as everyone else.

A chat between what is believed to be a security researcher and REvil, paints a different story, with an REvil operator claiming they simply took a break.

While we may never know the real reason for the disappearance or how Kaseya obtained the decryption key, what is most important is to know that REvil is back to targeting corporations worldwide.

With their skilled affiliates and ability to perform sophisticated attacks, all network admins and security professionals must become familiar with their tactics and techniques.

REvil ransomware is back in full attack mode and leaking data

On Thursday evening, KrebsOnSecurity was the subject of a rather massive (and mercifully brief) distributed denial-of-service (DDoS) attack. The assault came from “Meris,” the same new botnet behind record-shattering attacks against Russian search giant Yandex this week and internet infrastructure firm Cloudflare earlier this summer.

Cloudflare recently wrote about its attack, which clocked in at 17.2 million bogus requests-per-second. To put that in perspective, Cloudflare serves over 25 million HTTP requests per second on average.

In its Aug. 19 writeup, Cloudflare neglected to assign a name to the botnet behind the attack. But on Thursday DDoS protection firm Qrator Labs identified the culprit — “Meris” — a new monster that first emerged at the end of June 2021.

Qrator says Meris has launched even bigger attacks since: A titanic and ongoing DDoS that hit Russian Internet search giant Yandex last week is estimated to have been launched by roughly 250,000 malware-infected devices globally, sending 21.8 million bogus requests-per-second.

While last night’s Meris attack on this site was far smaller than the recent Cloudflare DDoS, it was far larger than the Mirai DDoS attack in 2016 that held KrebsOnSecurity offline for nearly four days. The traffic deluge from Thursday’s attack on this site was was more than four times what Mirai threw at this site five years ago. This latest attack involved more than two million requests-per-second. By comparison, the 2016 Mirai DDoS generated approximately 450,000 requests-per-second.

According to Qrator, which is working with Yandex on combating the attack, Meris appears to be made up of Internet routers produced by MikroTik. Qrator says the United States is home to the most number of MikroTik routers that are potentially vulnerable to compromise by Meris — with more than 42 percent of the world’s MikroTik systems connected to the Internet (followed by China — 18.9 percent– and a long tail of one- and two-percent countries).

 

The darker areas indicate larger concentrations of potentially vulnerable MikroTik routers. Qrator says there are about 328,000 MikroTik devices currently responding to requests from the Internet. Image: Qrator.

It’s not immediately clear which security vulnerabilities led to these estimated 250,000 MikroTik routers getting hacked by Meris.

“The spectrum of RouterOS versions we see across this botnet varies from years old to recent,” the company wrote. “The largest share belongs to the version of firmware previous to the current stable one.”

 

Qrator’s breakdown of Meris-infected MikroTik devices by operating system version.

It’s fitting that Meris would rear its head on the five-year anniversary of the emergence of Mirai, an Internet of Things (IoT) botnet strain that was engineered to out-compete all other IoT botnet strains at the time. Mirai was extremely successful at crowding out this competition, and quickly grew to infect tens of thousands of IoT devices made by dozens of manufacturers.

And then its co-authors decided to leak the Mirai source code, which led to the proliferation of dozens of Mirai variants, many of which continue to operate today.

The biggest contributor to the IoT botnet problem — a plethora of companies white-labeling IoT devices that were never designed with security in mind and are often shipped to the customer in default-insecure states — hasn’t changed much, mainly because these devices tend to be far cheaper than more secure alternatives.

The good news is that over the past five years, large Internet infrastructure companies like Akamai, Cloudflare and Google (which protects this site with its Project Shield initiative) have heavily invested in ramping up their ability to withstand these outsized attacks [full disclosure: Akamai is an advertiser on this site].

More importantly, the Internet community at large has gotten better at putting their heads together to fight DDoS attacks, by disrupting the infrastructure abused by these enormous IoT botnets, said Richard Clayton, director of Cambridge University’s Cybercrime Centre.

“It would be fair to say we’re currently concerned about a couple of botnets which are larger than we have seen for some time,” Clayton said. “But equally, you never know they may peter out. There are a lot of people who spend their time trying to make sure these things are hard to keep stable. So there are people out there defending us all.”

KrebsOnSecurity Hit By Huge New IoT Botnet “Meris”

Until now when you backup WhatsApp message history via Google Drive or iCloud, WhatsApp does not have access to these backups, but Google or Apple can access them. With the upcoming end-to-end encrypted (E2EE) backups, neither WhatsApp nor the backup service provider (Apple or Google) will be able to access their backup or their backup encryption key.

Here’s how encrypted backups work:

• To enable E2EE backups, WhatsApp developed an entirely new system for encryption key storage that works with both iOS and Android.
• With E2EE backups enabled, backups will be encrypted with a unique, randomly generated encryption key.
• People can choose to secure the key manually or with a user password.
• When someone opts for a password, the key is stored in a Backup Key Vault that is built based on a component called a hardware security module (HSM) — specialized, secure hardware that can be used to securely store encryption keys.
• When the account owner needs access to their backup, they can access it with their encryption key, or they can use their personal password to retrieve their encryption key from the HSM-based Backup Key Vault and decrypt their backup.
• The HSM-based Backup Key Vault will be responsible for enforcing password verification attempts and rendering the key permanently inaccessible after a limited number of unsuccessful attempts to access it.
• These security measures provide protection against brute-force attempts to retrieve the key.
• WhatsApp will know only that a key exists in the HSM. It will not know the key itself.

Source: Facebook

WhatsApp will enable end-to-end encrypted backups later this year

Sept 10 (Reuters) - A U.S. Securities and Exchange Commission investigation into the SolarWinds Russian hacking operation has dozens of corporate executives fearful information unearthed in the expanding probe will expose them to liability, according to six people familiar with the inquiry.

The SEC is asking companies to turn over records into "any other" data breach or ransomware attack dating back to October 2019 if they downloaded a bugged network-management software update from SolarWinds Corp (SWI.N) , which delivers products used across corporate America, according to details of the letters shared with Reuters.

People familiar with the inquiry say the requests may reveal numerous unreported cyber incidents unrelated to the Russian espionage campaign, giving the SEC a rare level of insight into previously unknown incidents that the companies likely never intended to disclose.

"I've never seen anything like this," said a consultant who works with dozens of publicly traded companies that recently received the request. "What companies are concerned about is they don't know how the SEC will use this information. And most companies have had unreported breaches since then." The consultant spoke on condition of anonymity to discuss his experience.

An SEC official said the request's intent was to find other breaches relevant to the SolarWinds incident.

The SEC told companies they would not be penalized if they shared data about the SolarWinds hack voluntarily, but did not offer that amnesty for other compromises.

Cyberattacks have grown in both frequency and impact, prompting deep concern in the White House over the last year. U.S. officials have faulted companies for failing to disclose such events, arguing that it conceals the extent of the problem from shareholders, policymakers and law enforcement looking for the worst offenders.

People familiar with the SEC investigation told Reuters the letters went to hundreds of companies, including many in the technology, finance and energy sectors, thought to be potentially affected by the SolarWinds attacks. That number exceeds the 100 that the Department of Homeland Security said had downloaded the bad SolarWinds software and then had it exploited.

Since last year, only about two dozen firms have been publicly identified as impacted, including Microsoft Corp (MSFT.O), Cisco Systems (CSCO.O), FireEye Inc (FEYE.O) and Intel Corp (INTC.O). Of those contacted for this story only Cisco confirmed receiving the SEC letter. A Cisco spokesperson said it has responded to the SEC's request.

Cybersecurity research has also suggested software maker Qualys Inc (QLYS.O) and oil energy company Chevron Corp (CVX.N) were among those targeted in the Russian cyber operation. Both declined to comment on the SEC investigation.

About 18,000 clients of SolarWinds downloaded a hacked version of its software, which the cyber criminals manipulated for potential future access. Yet only a small subset of those customers saw follow-on hacking activity, suggesting the attackers infected far more companies than they ultimately victimized.

The SEC sent letters last month to companies believed to have been affected, following an initial round sent in June, according to six sources who have seen the letters.

The second wave of requests were addressed to recipients at companies from the first round who had not responded. The exact number of recipients is unclear.

The current probe is “unprecedented” in terms of the lack of clarity over the SEC's goal in such a large sweep, said Jina Choi, a partner at Morrison & Foerster LLP and former SEC director who has worked on cybersecurity cases.

Though the SEC issued guidance a decade ago calling for companies to disclose hacks that could be material, then updated that guidance in 2018, most admissions have been vague.

Gary Gensler, who took the helm at the SEC in April, has tasked the agency with issuing new disclosure requirements ranging from cybersecurity to climate risk.

While the hack was first reported by Reuters more than nine months ago, the actual impact of the wide-scale digital spying operation, which U.S. officials say came from a Russian intelligence service, remains largely unknown.

Government officials have shied away from sharing a comprehensive account of what was stolen or what the Russians were after, but described it as traditional government espionage.

Scores of companies have referred to the hacks in SEC filings, but many cite the events only as an example of the sort of intrusion they might one day experience. Most that say they had SolarWinds software installed add that they do not believe their most sensitive data was taken.

John Reed Stark, former head of the SEC’s office of internet enforcement, said “companies will struggle to answer these questions – not just because these are broad, sweeping and all-encompassing requests, but also because the SEC is bound to discover some sort of mistake" in what they've previously disclosed.