<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/148/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Apple pays hackers six figures to find bugs in its software. Then it sits on their findings.</title><link>https://nsaneforums.com/news/security-privacy-news/apple-pays-hackers-six-figures-to-find-bugs-in-its-software-then-it-sits-on-their-findings-r2209/</link><description><![CDATA[<p>
	<span style="font-size:22px;">Lack of communication, confusion about payments and long delays have security researchers fed up with Apple’s bug bounty program</span>
</p>

<p>
	 
</p>

<p>
	Hoping to discover hidden weaknesses, Apple for five years now has invited hackers to break into its services and its iconic phones and laptops, offering up to $1 million to learn of its most serious security flaws.
</p>

<p>
	 
</p>

<p>
	Across the tech industry, similar “bug bounty” programs have become a prized tool in maintaining security — a way to find vulnerabilities and encourage hackers to report them rather than abuse them.
</p>

<p>
	 
</p>

<p>
	But many who are familiar with the program say Apple is slow to fix reported bugs and does not always pay hackers what they believe they’re owed. Ultimately, they say, Apple’s insular culture has hurt the program and created a blind spot on security.
</p>

<p>
	 
</p>

<p>
	“It’s a bug bounty program where the house always wins,” said Katie Moussouris, CEO and founder of Luta Security, which worked with the Defense Department to set up its first bug bounty program. She said Apple’s bad reputation in the security industry will lead to “less secure products for their customers and more cost down the line.”
</p>

<p>
	 
</p>

<p>
	Apple said its program, launched in 2016, is a work in progress. Until 2019, the program was not officially opened to the public, although researchers say the program was never exclusive.
</p>

<p>
	 
</p>

<p>
	“The Apple Security Bounty program has been a runaway success,” Ivan Krstic, head of Apple Security Engineering and Architecture, said in an emailed statement. Apple has nearly doubled the amount it has paid in bug bounties this year compared to last, and it leads the industry in the average amount paid per bounty, he said.
</p>

<p>
	 
</p>

<p>
	“We are working hard to scale the program during its dramatic growth, and we will continue to offer top rewards to security researchers working with us side by side to protect our users and their data on more than a billion Apple devices around the world,” he added.
</p>

<p>
	 
</p>

<p>
	In interviews with more than two dozen security researchers, some of whom spoke on the condition of anonymity because of nondisclosure agreements, the approaches taken by Apple’s rivals were held up for comparison. Facebook, Microsoft and Google publicize their programs and highlight security researchers who receive bounties in blog posts and leaderboards. They hold conferences and provide resources to encourage a broad international audience to participate.
</p>

<p>
	 
</p>

<p>
	And most of them pay more money each year than Apple, which is at times the world’s most valuable company. Microsoft paid $13.6 million in the 12-month period beginning July 2020. Google paid $6.7 million in 2020. Apple spent $3.7 million last year, Krstic said in his statement. He said that number is likely to increase this year.
</p>

<p>
	 
</p>

<p>
	Payment amounts aren’t the only measure of success, however. The best programs support open conversations between the hackers and the companies. Apple, already known for being tight-lipped, limits communication and feedback on why it chooses to pay or not pay for a bug, according to security researchers who have submitted bugs to the bounty program and a former employee who spoke on the condition of anonymity because of a nondisclosure agreement.
</p>

<p>
	 
</p>

<p>
	Apple also has a massive backlog of bugs that it hasn’t fixed, according to the former employee and a current employee, who also spoke on the condition of anonymity because of an NDA.
</p>

<p>
	 
</p>

<p>
	“You have to have a healthy internal bug fixing mechanism before you can attempt to have a healthy bug vulnerability disclosure program,” said Moussouris, who helped create Microsoft’s bug bounty program. She says she asks prospective clients, “What do you expect is going to happen if they report a bug that you already knew about but haven’t fixed? Or if they report something that takes you 500 days to fix it?”
</p>

<p>
	 
</p>

<p>
	The unfriendly nature of its bug bounty program has discouraged some security researchers from pointing out flaws to Apple, these people said. That’s prompted some to sell them to “gray market” customers like government agencies or companies that sell sophisticated hacking services, or go public without notifying Apple, which could put customers at risk.
</p>

<p>
	 
</p>

<p>
	Cedric Owens, 39, earlier this year chose to tell Apple when he found a massive flaw that allowed hackers to install malicious software on Mac computers, bypassing Apple’s security measures. Patrick Wardle, an expert in Mac security, said in a blog post that the vulnerability put Mac users “at grave risk.” And Jamf, a cybersecurity firm, said it found evidence that hackers were already using it.
</p>

<p>
	 
</p>

<p>
	Apple’s bug bounty program offers $100,000 for attacks that gain “unauthorized access to sensitive data.” Apple defines sensitive data as access to contacts, mail, messages, notes, photos or location data. While Owens’s hack didn’t allow access to those specific areas, Owens and others in the industry argued that the data hackers were getting was, indeed, sensitive. Owens created a hypothetical attack that gave hackers access to the victim’s files. He said in an interview that it could have hypothetically allowed hackers to access corporate servers, if the target computer were used by a corporation. That would be valuable for ransomware attacks, for instance.
</p>

<p>
	 
</p>

<p>
	Apple paid the Charlotte-based security researcher $5,000, or 5 percent of what Owens believed he deserved, he said. Apple declined to reconsider. While he said he will continue to submit bugs despite a higher payout on the gray market, other researchers probably won’t. Apple declined to comment on Owens’s bug bounty.
</p>

<p>
	 
</p>

<p>
	“The end result could be more gaping holes in Apple’s processes and in their products they’re releasing,” he said.
</p>

<p>
	 
</p>

<p>
	Apple’s Krstic said the company has gathered feedback and would “continue to scale and improve” what it said was a rapidly growing program, reducing response times and improving communication.
</p>

<p>
	 
</p>

<p>
	“We are also planning to introduce new rewards for researchers to keep expanding participation in the program, and we are continuing to investigate paths to offer new and even better research tools that meet our rigorous, industry-leading platform security model,” he added.
</p>

<p>
	 
</p>

<p>
	The security of Apple products, particularly iPhones, has come under more scrutiny after revelations this summer by the Pegasus Project, an investigation by The Washington Post and 16 other media organizations that showed how software licensed by the Israeli company NSO Group had been used to hack phones belonging to human rights advocates, journalists and politicians. The investigation uncovered forensic evidence of successful or attempted hacks on 34 iPhones, including the latest models with the latest updates.
</p>

<p>
	 
</p>

<p>
	“Apple unequivocally condemns cyberattacks against journalists, human rights activists, and others seeking to make the world a better place,” Krstic said in a statement at the time.
</p>

<p>
	 
</p>

<p>
	Krstic pushed for Apple’s program to be implemented in 2016, when select researchers were allowed to submit bugs in exchange for payment. In 2019, Apple opened the program to all researchers and announced that it would begin paying up to $1 million to anyone who could hack an iPhone remotely, without requiring the target to do anything (many hacks require clicking on a link or email).
</p>

<p>
	 
</p>

<p>
	It also announced it would provide “security research devices” — special iPhones designed for security research — to people who have a proven track record of finding bugs.
</p>

<p>
	 
</p>

<p>
	Apple declined to say how many of the devices it has given to researchers or whether it has paid a $1 million bounty.
</p>

<p>
	 
</p>

<p>
	Sam Curry, a prominent 21-year-old security researcher in Omaha, set his sights on Apple’s bug bounty program last summer. He and four friends got together for late-night, soda-fueled hacking sessions, poking holes in Apple’s defenses. The group submitted a new bug every couple of days. Apple paid $50,000 for one of the bugs, and, in all, they earned about $500,000, Curry said.
</p>

<p>
	 
</p>

<p>
	The group was so successful, collecting at least 13 percent of what Apple paid in bug bounties over the course of the year, that Apple took notice, Curry said. He had conversations with some of the security researchers at the company. He said the time it takes Apple to pay researchers for bug bounties is too long compared with the rest of the industry.
</p>

<p>
	 
</p>

<p>
	“I think they’re aware of how they’re seen in the community, and they’re trying to move forward,” Curry said.
</p>

<p>
	 
</p>

<p>
	Apple, according to some of the people, hired a new leader for its bug bounty program this year with the goal of reforming it. Apple declined to make the person, who works under Krstic, available for an interview.
</p>

<p>
	 
</p>

<p>
	In the endless and messy global war over Internet security, even the most vigilant companies have seen their defenses fall at the hands of nameless and faceless foes. Apple is no exception. This year alone, Apple has patched 13 zero-day exploits, or previously unknown security vulnerabilities, that could have been used by malicious hackers to breach its devices.
</p>

<p>
	 
</p>

<p>
	Nevertheless, Apple is considered a leader in cybersecurity and has implemented advanced techniques, such as specialized microprocessors in iPhones devoted to stopping hacks. iPhones are often compared favorably to competing handsets running Google’s Android, including in Apple’s advertisements.
</p>

<p>
	 
</p>

<p>
	The security of iPhones is one of Apple’s key marketing claims. One company advertisement around 2017 depicted a burglar easily breaking into the “competing” mobile operating system and then being locked out of iOS.
</p>

<p>
	 
</p>

<p>
	But there is one aspect of cybersecurity that doesn’t mix with Apple’s cultural DNA. The field of cybersecurity grew out of a hacker culture in which the open and free flow of information is among the most important values.
</p>

<p>
	 
</p>

<p>
	The open nature of the cybersecurity industry contrasts with Apple’s corporate culture. The company, like its competitors, prefers to keep its products secret until they’re released. The methods Apple uses to ensure secrecy are more stringent than those employed by its peers. For instance, Apple employees are told not to discuss their work even with co-workers.
</p>

<p>
	 
</p>

<p>
	“It’s not a surprise they haven’t embraced this public security researcher culture until recently, when their hand was forced into launching a bug bounty program,” said Jay Kaplan, a founder and the chief executive of Synack, which helps companies crowdsource vulnerabilities in critical technology. Kaplan said researchers weren’t coming to Apple to report bugs. “Instead, they were going to security conferences and speaking about it publicly and selling it on the black market,” he said.
</p>

<p>
	 
</p>

<p>
	Indeed, some researchers think Apple would prefer not to see its software picked apart by researchers, even if the result is that more flaws are fixed. Apple makes it as difficult as possible for researchers to remove software protections that limit the kinds of research that can be conducted on iPhones. According to the current and former security employees, the company’s view is that such protections make its phones more secure.
</p>

<p>
	 
</p>

<p>
	Apple is appealing its loss in a federal copyright lawsuit against a small Florida company called Corellium that makes a tool that allows researchers to search more easily for flaws in iPhone software.
</p>

<p>
	 
</p>

<p>
	Tian Zhang, an iOS software engineer, first reported a bug to Apple in 2017. After months of waiting for Apple to fix the bug, Zhang lost patience and decided to blog about his discovery. The second time he reported a security flaw, he says, Apple fixed it but ignored him. In July, Zhang submitted another bug to Apple that he says was eligible for a reward. The software was quickly fixed, but Zhang didn’t receive a reward. Instead, he was kicked out of the Apple Developer Program. Membership in the program is required to be able to submit apps to the App Store. Apple did not comment on Zhang’s allegations.
</p>

<p>
	 
</p>

<p>
	“It’s a mixed feeling,” Zhang said in an interview. “On one side, as an engineer, you want to make sure the products you’re building are safe for other people,” he said. On the other hand, he says, “it seems like Apple thinks people reporting bugs are annoying and they want to discourage people from doing so.”
</p>

<p>
	 
</p>

<p>
	Alex Rice, chief technology officer and co-founder of HackerOne, which provides bug bounty services to companies, said it can take time to fix bugs in more complicated software systems but that it is important to educate researchers on why it is taking so long. “It takes a little bit of good faith. And it takes a little bit of transparency and collaboration,” he said. Still, “faster is always better.”
</p>

<p>
	 
</p>

<p>
	Despite Apple’s bounty program, there continues to be a big market for vulnerabilities on Apple devices. Researchers can sell exploits for iPhones for as much as $2 million, according to a price list published by Zerodium, a company that buys and sells exploits for use by firms such as NSO Group. The same kind of exploit for Google’s Android operating system goes for $2.5 million.
</p>

<p>
	 
</p>

<p>
	People who have sold exploits to companies like Zerodium told The Post that they view the price list as a rough proxy of how difficult it is to find an exploit. The higher the price, the more secure the operating system. But there is no objective way to measure or compare iOS security to Android, in part because the people buying and selling the exploits keep that information secret. Zerodium, which says on its website that it sells to government agencies, mainly in Europe and North America, did not respond to a request for comment.
</p>

<p>
	 
</p>

<p>
	The Wayback Machine, a service run by the Internet Archive, which saves old webpages, shows how quickly the difficulty of hacking Android devices increased in five years. In 2016, Zerodium would pay only $200,000 for the most valuable exploit.
</p>

<p>
	 
</p>

<p>
	Dave Aitel, a former National Security Agency research scientist and co-author of “The Hacker’s Handbook,” said Apple’s closed-off approach hinders its security efforts.
</p>

<p>
	 
</p>

<p>
	“Having a good relationship with the security community gives you a strategic vision that goes beyond your product cycle. It lets you know what’s coming down the pike,” he said. “Hiring a bunch of smart people only gets you so far.”
</p>

<p>
	 
</p>

<p>
	Apple’s poor reputation in the bug bounty world could be improved with some minor changes, according to experts in the field.
</p>

<p>
	 
</p>

<p>
	Casey Ellis, founder of Bugcrowd, an Australian firm that operates bug bounty programs for companies, said one “core rule” in the industry is that if a company changes its code in response to a bug report, it should pay the person who reports it, even if it doesn’t meet the company’s strict interpretation of the guidelines.
</p>

<p>
	 
</p>

<p>
	“The more good faith that goes on, the more productive bounty programs are going to be,” he said.
</p>

<p>
	 
</p>

<p>
	Other big Silicon Valley companies have worked for years to earn favor in the research world. Facebook and Google co-host a conference called BountyCon, which is aimed at bringing security researchers with different skills together to collaborate and identify talent through the two companies’ bug bounty programs.
</p>

<p>
	 
</p>

<p>
	Nicolas Brunner was developing an app for the Swiss Federal Railways last year that would help blind people navigate the train system. While testing the app, Brunner noticed that even if users declined to share their location, he could still see their every move.
</p>

<p>
	 
</p>

<p>
	Brunner had stumbled upon a serious security bug in Apple’s location tracking system, he said in an interview. A colleague recommended he submit it to Apple’s bug bounty program.
</p>

<p>
	 
</p>

<p>
	Expecting to be paid somewhere around $50,000, Brunner told his 30 colleagues that when he received his check, he would throw a barbecue for all of them. Apple thanked him for reporting the bug and said it would credit him with finding it. But eight months later, Apple responded to Brunner with disappointing news: His bug did not qualify for the program, despite Apple’s promising rewards ranging from roughly $25,000 to $100,000 for flaws that allow access to “sensitive data,” including “real-time or precise location data.” After months of delays, Apple decided not to pay him at all, saying the bug he had found did not qualify for the program.
</p>

<p>
	 
</p>

<p>
	“I like the idea of Apple’s bug bounty program. I don’t like the implementation,” Brunner said in an interview.
</p>

<p>
	 
</p>

<p>
	“When we make mistakes, we work hard to correct them quickly, and learn from them to rapidly improve the program,” Krstic said in the statement when asked to comment on Brunner’s case.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.washingtonpost.com/technology/2021/09/09/apple-bug-bounty/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">2209</guid><pubDate>Fri, 10 Sep 2021 13:46:18 +0000</pubDate></item><item><title>A Single Laser Fired Through a Keyhole Can Expose Everything Inside a Room</title><link>https://nsaneforums.com/news/security-privacy-news/a-single-laser-fired-through-a-keyhole-can-expose-everything-inside-a-room-r2205/</link><description><![CDATA[<p>
	<span style="font-size:20px;"><strong>If you're worried about privacy, it might be time to cover up your front door's peephole.</strong></span>
</p>

<p>
	 
</p>

<p>
	Being able to see inside a closed room was a skill once reserved for superheroes. But researchers at the Stanford Computational Imaging Lab have expanded on a technique called non-line-of-sight imaging so that just a single point of laser light entering a room can be used to see what physical objects might be inside.
</p>

<p>
	 
</p>

<p>
	Non-line-of-sight (NLOS, for short) imaging is by no means a new idea. It’s a clever technique that’s been refined in research labs over the years to create cameras that can remarkably see around corners and generate images of objects that otherwise aren’t in the camera’s field of view, or are blocked by a series of obstacles. Previously, the technique has leveraged flat surfaces like floors or walls that are in the line of sight of both the camera and the obstructed object. A series of light pulses originating from the camera, usually from lasers, bounce off these surfaces and then bounce off the hidden object before eventually making their way back to the camera’s sensors. Algorithms then use the information about how long it took these reflections to return to generate an image of what the camera can’t see. The results aren’t high resolution, but they’re usually detailed enough to easily determine what the object in question is.
</p>

<p>
	 
</p>

<p>
	It’s an incredibly clever technique, and one day it could be a very useful technology for devices like autonomous cars, which would be able to spot hazards hidden around corners long before they’re visible to passengers in the vehicle, improving safety and obstacle avoidance. But the current NLOS techniques have a big limitation: They’re dependent on a large reflective surface where light reflections coming off a hidden object can be measured. Trying to image what’s inside a closed room from the outside is all but impossible—or at least it was until now.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedVideo">
	<div>
		<iframe allowfullscreen="" frameborder="0" height="113" width="200" data-embed-src="https://www.youtube.com/embed/Veo27qhrI20?feature=oembed"></iframe>
	</div>
</div>

<p style="text-align:center;">
	 
</p>

<p>
	The keyhole imaging technique, developed by researchers at Stanford University’s Computational Imaging Lab, is so named because all that’s needed to see what’s inside a closed room is a tiny hole (such as a keyhole or a peephole) large enough to shine a laser beam through, creating a single dot of light on a wall inside. As with previous experiments, the laser light bounces off a wall, an object in the room, and then off the wall again, with countless photons eventually being reflected back through the hole and to the camera, which uses a single-photon avalanche photodetector to measure the timing of their return.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="dcc13a900cf64a8222d705d19b2e4bc2.jpg" class="ipsImage" data-ratio="54.31" height="291" width="720" src="https://i.kinja-img.com/gawker-media/image/upload/c_fit,f_auto,g_center,pg_1,q_60,w_965/dcc13a900cf64a8222d705d19b2e4bc2.jpg" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Screenshot: YouTube - Stanford Computational Imaging Lab</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	 
</p>

<p>
	When an object hidden in the room is static, the new keyhole imaging technique simply can’t calculate what it’s seeing. But the researchers have found that a moving object, paired with pulses of light from a laser, generates enough usable data over a long exposure time for an algorithm to create an image of what it’s seeing. The quality of the results is even worse than with previous NLOS techniques, but it still provides enough detail to make an educated guess on the size and shape of the hidden object. A wooden mannequin ends up looking like a ghostly angel, but when paired with a properly trained image recognition AI, determining that a human (or human-shaped object) was in the room seems very feasible.
</p>

<p>
	 
</p>

<p>
	The research could one day provide a way for police or the military to assess the risks of entering a room before actually breaking down the door and storming their way inside, using nothing but a small crack in the wall or a gap around a window or doorway. The new technique could also give autonomous navigation systems a way to spot hidden hazards long before they become a threat, in situations where the previous NLOS techniques weren’t practical given the environment.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://gizmodo.com/a-single-laser-fired-through-a-keyhole-can-expose-every-1847638281" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">2205</guid><pubDate>Fri, 10 Sep 2021 13:09:21 +0000</pubDate></item><item><title>Moving Forward After CentOS 8 EOL</title><link>https://nsaneforums.com/news/security-privacy-news/moving-forward-after-centos-8-eol-r2204/</link><description><![CDATA[<p>
	The Linux community was caught unprepared when, in December 2020, as part of a change in the way Red Hat supports and develops CentOS, Red Hat suddenly announced that it was cutting the official CentOS 8 support window from ten years to just two, with support ending Dec 31, 2021.
</p>

<p>
	 
</p>

<p>
	It created a peculiar situation where CentOS 7 users that did the right thing and upgraded quickly to CentOS 8 were left using an OS with just a year's official support remaining – while users of CentOS 7 still get full support until June 30, 2024.
</p>

<p>
	 
</p>

<p>
	Worse, the fact that stable releases of CentOS were discontinued in exchange for the rolling-release CentOS Stream means that to secure their workloads most CentOS 8 users have to opt for an entirely different Linux distribution, with just a year to choose, evaluate and implement an alternative.
</p>

<p>
	 
</p>

<p>
	Red Hat's unexpected decision underlined to what degree software users depend on official support windows for their software security. Countless organizations are now left scrambling to secure or replace CentOS 8 – or run the risk of relying on an OS that's no longer supported, with no official fixes for new vulnerabilities.
</p>

<p>
	 
</p>

<p>
	<strong>The free, enterprise-grade Linux OS everyone liked</strong>
</p>

<p>
	<br />
	Want to run an enterprise-grade Linux OS and do so free of charge, while enjoying an official, predictable support window? That was the deal with CentOS.
</p>

<p>
	 
</p>

<p>
	The CentOS project has its roots in an independent project that produced a 1:1 binary compatible clone of Red Hat Enterprise Linux (RHEL). Every CentOS release was perfectly matched to RHEL – any applications that work on a RHEL release also worked on the matching CentOS release, simple as that.
</p>

<p>
	 
</p>

<p>
	CentOS was eventually taken over by Red Hat. Red Hat's oversight brought some benefits, including fixed, reliable support windows which, for recent releases, were set to ten years. These support windows really matter: organizations that run thousands of Linux instances require a predictable support window to plan upgrades or migrations.
</p>

<p>
	 
</p>

<p>
	And that's why CentOS was such a good deal. CentOS was a free enterprise-grade Linux OS supported by a big enterprise Linux player – including what everyone thought were bullet-proof support commitments.
</p>

<p>
	 
</p>

<p>
	<strong>CentOS is alive – but the deal is gone</strong>
</p>

<p>
	<br />
	CentOS is not dead. Red Hat will continue to release new versions of CentOS through CentOS Stream, but it is a rolling release: updates can come at any time, and it will inevitably mean that CentOS Stream is quickly out of sync with the most recent RHEL release.
</p>

<p>
	 
</p>

<p>
	Packages intended for a future RHEL release are guaranteed to land in CentOS Stream first before these packages are published into a fixed RHEL release.
</p>

<p>
	 
</p>

<p>
	In other words, users that run CentOS Stream simply won't know what updates will come their way, and in which ways these upgrades will break binary compatibility with RHEL.
</p>

<p>
	 
</p>

<p>
	Losing binary compatibility means users lose the guarantee that an application certified for a RHEL release will work with a matching CentOS release – and for CentOS Stream users, that could happen at any point in time.
</p>

<p>
	 
</p>

<p>
	The fact that CentOS Stream breaks binary compatibility with RHEL complicates the efforts to secure CentOS 8 now that it is unexpectedly end of life. So while CentOS lives on as CentOS Stream, the key characteristics that made CentOS so appealing are now gone.
</p>

<p>
	 
</p>

<p>
	While it is somewhat understandable that Red Hat may not want to support a free enterprise-grade Linux OS forever, there was a real sting in Red Hat's announcement last year, as it leaves CentOS 8 users in a tough spot, needing to secure their CentOS 8 workloads rapidly.
</p>

<p>
	 
</p>

<p>
	<strong>Securing CentOS 8 fleets is becoming critical</strong>
</p>

<p>
	<br />
	CentOS 8 support ends in just a few months, so there isn't a lot of time to think about securing CentOS 8 instances. Doing nothing isn't an option: once Red Hat's official support for CentOS 8 stops, there will be no future bug fixes or patches for new vulnerabilities.
</p>

<p>
	 
</p>

<p>
	An unsupported OS brings significant risks. New vulnerabilities, once in the public domain, can rapidly lead to exploits in the wild. Where an OS is officially supported, a vendor patch will quickly fix that problem.
</p>

<p>
	 
</p>

<p>
	Not so where official support is discontinued, in which case users are left with a vulnerable OS, unless they try to develop a patch themselves. Given how rapidly new CVEs are reported there is really no acceptable window during which a user can go without the guarantee of official vendor patches.
</p>

<p>
	 
</p>

<p>
	In some use cases, using CentOS 8 past its official support window also creates a compliance risk as some organizations will violate their compliance obligations by relying on an unsupported OS for workloads.
</p>

<p>
	 
</p>

<p>
	<strong>Options for securing CentOS 8</strong>
</p>

<p>
	<br />
	Downgrading to CentOS 7 to obtain a few additional years of support from Red Hat looks like an easy solution but it isn't – there is no simple way to roll a CentOS 8 instance back to CentOS 7.
</p>

<p>
	 
</p>

<p>
	Switching, and switching right now, is the best way to secure CentOS 8 workloads as it stands. However, rapidly switching is only possible where the alternative distribution is also 1:1 binary compatible with RHEL.
</p>

<p>
	 
</p>

<p>
	Less feasible for most organizations is switching to a non-binary compatible Linux alternative – Ubuntu, or Debian perhaps. In some use cases that could be relatively easy, but most CentOS users would need to plan such a migration carefully – and perform it relatively slowly. There just isn't enough time left to do that.
</p>

<p>
	 
</p>

<p>
	<strong>Distributions that are binary compatible with CentOS 8</strong>
</p>

<p>
	<br />
	There are essentially three workable options. First up is RockyLinux, a 1:1 binary-compatible clone of RHEL launched by one of the CentOS project's founders – Gregory Kurtzer. RockyLinux successfully published an official release, it's free to download, and it is binary compatible, so everything that runs on RHEL should run just fine on RockyLinux.
</p>

<p>
	 
</p>

<p>
	Similarly, AlmaLinux is a community-driven project sponsored by CloudLinux. AlmaLinux also released a stable, 1:1 binary compatible clone of RHEL and promises to continue releasing a new edition every time a new RHEL release comes out.
</p>

<p>
	 
</p>

<p>
	Oracle Linux is the third alternative: it is established, and (currently at least) guarded by similar cast-iron support guarantees from Oracle. Oracle Linux 8 is also 1:1 binary compatible with RHEL 8.
</p>

<p>
	 
</p>

<p>
	There are scripts available to perform in-place migrations between those distributions, so the process itself is not overly complicated. For organizations looking to migrate, test deployments should start now, if they haven't started already.
</p>

<p>
	 
</p>

<p>
	<strong>Buying time to decide on a CentOS alternative</strong>
</p>

<p>
	<br />
	For many CentOS users the news about CentOS dawned relatively recently, and, as we outlined, deciding on an alternative and preparing to switch takes time, something that CentOS 8 users don't have right now.
</p>

<p>
	 
</p>

<p>
	As an alternative to switching away from CentOS 8, users could choose to buy extended lifecycle support from a third party. A good solution will include coverage for critical CentOS 8 bug fixes and any new CVEs for a specified period of time.
</p>

<p>
	 
</p>

<p>
	For example, TuxCare's extended lifecycle support for CentOS 8 runs into 2025 and promises to deliver patches for vulnerabilities as fast as – if not faster than – the speed at which the CentOS team rolled out updates.
</p>

<p>
	 
</p>

<p>
	Subscribing for extended support ensures CentOS 8 workloads remain secure past 2021, including for the new and emerging threats that are so common in today's cybersecurity environment. Extended support is a simple way to stay compliant with regulatory requirements too.
</p>

<p>
	 
</p>

<p>
	<strong>Securing CentOS 8 before Dec 2021 is critical</strong>
</p>

<p>
	Users that currently rely on CentOS 8 are in a difficult position. There are a few viable options to secure CentOS 8 right now, including moving to a binary compatible alternative. These options are not without their complexities, however. What many CentOS 8 users need right now is time.
</p>

<p>
	 
</p>

<p>
	Opting into the extended support immediately secures CentOS 8 and is a relatively affordable way to acquire the time to decide on a CentOS alternative that meets your requirements – without the need to perform a rushed migration and incur the associated risks.
</p>

<p>
	 
</p>

<p>
	The only thing that's not an option is ignoring CentOS 8's rapid and unexpected end of life. There are considerable costs associated with running an OS past its end of life. We created this calculator to give you a rough estimate of the financial impact it may have. We also analyzed in detail the issues that may arise from having an unsupported OS running inside your IT perimeter.
</p>

<p>
	 
</p>

<p>
	From Dec 31, 2021 CentOS 8 will become increasingly vulnerable to security threats – and so would any workload that runs on CentOS 8. For many organizations buying extended support may well be the best solution right now.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/09/moving-forward-after-centos-8-eol.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">2204</guid><pubDate>Fri, 10 Sep 2021 12:59:25 +0000</pubDate></item><item><title>Experts Link Sidewalk Malware Attacks to Grayfly Chinese Hacker Group</title><link>https://nsaneforums.com/news/security-privacy-news/experts-link-sidewalk-malware-attacks-to-grayfly-chinese-hacker-group-r2203/</link><description><![CDATA[<p>
	A previously undocumented backdoor that was recently found targeting an unnamed computer retail company based in the U.S. has been linked to a longstanding Chinese espionage operation dubbed Grayfly.
</p>

<p>
	 
</p>

<p>
	In late August, Slovakian cybersecurity firm ESET disclosed details of an implant called SideWalk, which is designed to load arbitrary plugins sent from an attacker-controlled server, gather information about running processes in the compromised systems, and transmit the results back to the remote server.
</p>

<p>
	 
</p>

<p>
	The cybersecurity firm attributed the intrusion to a group it tracks as SparklingGoblin, an adversary believed to be connected to the Winnti (aka APT41) malware family.
</p>

<p>
	 
</p>

<p>
	But the latest research published by researchers from Broadcom's Symantec has pinned the SideWalk backdoor on the China-linked espionage group Grayfly, pointing out the malware's overlaps with the older Crosswalk malware; the latest Grayfly activity has singled out a number of organizations in Mexico, Taiwan, the U.S., and Vietnam.
</p>

<p>
	 
</p>

<p>
	"A feature of this recent campaign was that a large number of targets were in the telecoms sector. The group also attacked organizations in the IT, media, and finance sectors," Symantec's Threat Hunter Team said in a write-up published on Thursday.
</p>

<p>
	 
</p>

<p>
	Known to be active since at least March 2017, Grayfly functions as the "espionage arm of APT41," a group notorious for targeting a variety of industries in pursuit of sensitive data. It exploits publicly facing Microsoft Exchange or MySQL web servers to install web shells for initial intrusion, before spreading laterally across the network and installing additional backdoors that enable the threat actor to maintain remote access and exfiltrate the amassed information.
</p>

<p>
	 
</p>

<p>
	In one instance observed by Symantec, the adversary's malicious cyber activity commenced with targeting an internet reachable Microsoft Exchange server to gain an initial foothold into the network. This was followed by executing a string of PowerShell commands to install an unidentified web shell, ultimately leading to the deployment of the Sidewalk backdoor and a custom variant of the Mimikatz credential-dumping tool that's been put to use in previous Grayfly attacks.
</p>

<p>
	 
</p>

<p>
	"Grayfly is a capable actor, likely to continue to pose a risk to organizations in Asia and Europe across a variety of industries, including telecommunications, finance, and media," the researchers said. "It's likely this group will continue to develop and improve its custom tools to enhance evasion tactics along with using commodity tools such as publicly available exploits and web shells to assist in their attacks."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/09/experts-link-sidewalk-malware-attacks.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">2203</guid><pubDate>Fri, 10 Sep 2021 12:53:48 +0000</pubDate></item><item><title>New M&#x113;ris botnet breaks DDoS record with 21.8 million RPS attack</title><link>https://nsaneforums.com/news/security-privacy-news/new-m%C4%93ris-botnet-breaks-ddos-record-with-218-million-rps-attack-r2192/</link><description><![CDATA[<p>
	A new distributed denial-of-service (DDoS) botnet that kept growing over the summer has been hammering Russian internet giant Yandex for the past month, the attack peaking at the unprecedented rate of 21.8 million requests per second.
</p>

<p>
	 
</p>

<p>
	The botnet received the name Mēris, and it gets its power from tens of thousands of compromised devices that researchers believe to be primarily powerful networking equipment.
</p>

<h3>
	Large and powerful botnet
</h3>

<p>
	News about a <a href="https://www.bleepingcomputer.com/news/security/yandex-is-battling-the-largest-ddos-in-russian-internet-history/" target="_blank" rel="external nofollow">massive DDoS attack hitting Yandex</a> broke this week in the Russian media, which described it as being the largest in the history of the Russian internet, the so-called RuNet.
</p>

<p>
	 
</p>

<p>
	Details have emerged today in joint research from Yandex and its partner in providing DDoS protection services, <a href="https://qrator.net/en/" rel="external nofollow" target="_blank">Qrator Labs</a>.
</p>

<p>
	 
</p>

<p>
	Information collected separately from several attacks deployed by the new Mēris (Latvian for ‘plague’) botnet, showed a striking force of more than 30,000 devices.
</p>

<p>
	 
</p>

<p>
	From the data that Yandex observed, assaults on its servers relied on about 56,000 attacking hosts. However, the researchers have seen indications that the number of compromised devices may be closer to 250,000.
</p>

<div>
	<p>
		 
	</p>

	<p>
		“Yandex' security team members managed to establish a clear view of the botnet's internal structure. L2TP tunnels are used for internetwork communications. The number of infected devices, according to the botnet internals we’ve seen, reaches 250 000” - Qrator Labs
	</p>
</div>

<p>
	 
</p>

<p>
	The difference between the attacking force and the total number of infected hosts forming Mēris is explained by the fact that the administrators do not want to parade the full power of their botnet, <a href="https://habr.com/en/company/yandex/blog/577040/" rel="external nofollow" target="_blank">Qrator Labs says</a> in a blog post today.
</p>

<p>
	 
</p>

<p>
	The researchers note that the compromised hosts in Mēris are “not your typical IoT blinker connected to WiFi” but highly capable devices that require an Ethernet connection.
</p>

<p>
	 
</p>

<p>
	Mēris is the same botnet responsible for generating the <a href="https://www.bleepingcomputer.com/news/security/http-ddos-attacks-reach-unprecedented-17-million-requests-per-second/" rel="external nofollow" target="_blank">largest volume of attack traffic</a> that Cloudflare recorded and mitigated to date, as it peaked at 17.2 million requests per second (RPS).
</p>

<p>
	 
</p>

<p>
	However, the Mēris botnet broke that record when hitting Yandex: on September 5 its attack traffic reached 21.8 million RPS.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="MerisBot_Yandex.png" class="ipsImage" data-ratio="75.10" height="445" width="720" src="https://www.bleepstatic.com/images/news/u/1100723/Botnets/Meris/MerisBot_Yandex.png">
		</p>

		<figcaption>
			source: Qrator Labs
		</figcaption>
	</figure>
</div>

<p>
	The botnet’s history of attacks on Yandex begins in early August with a strike of 5.2 million RPS and kept increasing in strength:
</p>

<p>
	 
</p>

<ul>
	<li>
		2021-08-07 - 5.2 million RPS
	</li>
	<li>
		2021-08-09 - 6.5 million RPS 
	</li>
	<li>
		2021-08-29 - 9.6 million RPS
	</li>
	<li>
		2021-08-31 - 10.9 million RPS
	</li>
	<li>
		2021-09-05 - 21.8 million RPS
	</li>
</ul>

<h3>
	Technical data points to MikroTik devices
</h3>

<p>
	To deploy an attack, the researchers say that Mēris relies on the SOCKS4 proxy at the compromised device, uses the <a href="https://en.wikipedia.org/wiki/HTTP_pipelining" rel="external nofollow" target="_blank">HTTP pipelining</a> DDoS technique, and port 5678.
</p>

<p>
	 
</p>

<p>
	As for the compromised devices used, the researchers say that they are related to MikroTik, the Latvian maker of networking equipment for businesses of all sizes.
</p>

<p>
	 
</p>

<p>
	Most of the attacking devices had open ports 2000 and 5678. The latter points to MikroTik equipment, which uses it for the neighbor discovery feature (MikroTik Neighbor Discovery Protocol).
</p>

<p>
	 
</p>

<p>
	Qrator Labs found that while MikroTik provides its standard neighbor discovery service over the User Datagram Protocol (UDP), the compromised devices also had the same port open over the Transmission Control Protocol (TCP).
</p>

<p>
	 
</p>

<p>
	“This kind of disguise might be one of the reasons devices got hacked unnoticed by their owners,” Qrator Labs researchers believe.
</p>

<p>
	 
</p>

<p>
	When searching the public internet for open TCP port 5678, more than 328,000 hosts responded. The number is not all MikroTik devices, though, as <a href="https://www.speedguide.net/port.php?port=5678" rel="external nofollow" target="_blank">LinkSys equipment</a> also uses TCP on the same port.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="Port5678_Qrator.png" class="ipsImage" data-ratio="75.10" height="350" width="720" src="https://www.bleepstatic.com/images/news/u/1100723/Botnets/Meris/Port5678_Qrator.png">
		</p>

		<figcaption>
			source: Qrator Labs
		</figcaption>
	</figure>
</div>

<p>
	Port 2000 is for "Bandwidth test server," the researchers say. When open, it replies to the incoming connection with a signature that belongs to MikroTik’s RouterOS protocol.
</p>

<p>
	 
</p>

<p>
	MikroTik has been informed of these findings. The vendor <a href="https://www.vedomosti.ru/technology/articles/2021/09/07/885664-yandeks-ddos-atake" rel="external nofollow" target="_blank">told</a> Russian publication Vedomosti that it is not aware of a new vulnerability to compromise its products.
</p>

<p>
	 
</p>

<p>
	The network equipment maker also said that many of its devices continue to run old firmware, vulnerable to a <a href="https://www.bleepingcomputer.com/news/security/massive-coinhive-cryptojacking-campaign-touches-over-200-000-mikrotik-routers/" rel="external nofollow" target="_blank">massively exploited</a> security issue tracked as CVE-2018-14847 and <a href="https://www.bleepingcomputer.com/news/security/mikrotik-patches-zero-day-flaw-under-attack-in-record-time/" target="_blank" rel="external nofollow">patched in April 2018</a>.
</p>

<p>
	 
</p>

<p>
	However, the range of RouterOS versions that Yandex and Qrator Labs observed in attacks from Mēris botnet varies greatly and includes devices running newer firmware versions, such as the current stable one (6.48.4) and its predecessor, 6.48.3.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="MerisRouterOS-builds.png" class="ipsImage" data-ratio="75.10" height="449" width="720" src="https://www.bleepstatic.com/images/news/u/1100723/Botnets/Meris/MerisRouterOS-builds.png">
		</p>

		<figcaption>
			source: Qrator Labs
		</figcaption>
	</figure>
</div>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/new-m-ris-botnet-breaks-ddos-record-with-218-million-rps-attack/" rel="external nofollow">New Mēris botnet breaks DDoS record with 21.8 million RPS attack</a>
</p>
]]></description><guid isPermaLink="false">2192</guid><pubDate>Thu, 09 Sep 2021 21:33:00 +0000</pubDate></item><item><title>Russian Ransomware Group REvil Back Online After 2-Month Hiatus</title><link>https://nsaneforums.com/news/security-privacy-news/russian-ransomware-group-revil-back-online-after-2-month-hiatus-r2183/</link><description><![CDATA[<p>
	The operators behind the REvil ransomware-as-a-service (RaaS) staged a surprise return after a two-month hiatus following the widely publicized attack on technology services provider Kaseya on July 4.
</p>

<p>
	 
</p>

<p>
	Two of the dark web portals, including the gang's Happy Blog data leak site and its payment/negotiation site, have resurfaced online, with the most recent victim added on July 8, five days before the sites mysteriously went off the grid on July 13. It's not immediately clear if REvil is back in the game or if they have launched new attacks.
</p>

<p>
	 
</p>

<p>
	"Unfortunately, the Happy Blog is back online," Emsisoft threat researcher Brett Callow tweeted on Tuesday.
</p>

<p>
	 
</p>

<p>
	The development comes a little over two months after a wide-scale supply chain ransomware attack aimed at Kaseya, which saw the Russia-based cybercrime gang encrypting approximately 60 managed service providers (MSPs) and over 1,500 downstream businesses using a zero-day vulnerability in the Kaseya VSA remote management software.
</p>

<p>
	 
</p>

<p>
	In late May, REvil also spearheaded the attack on the world's largest meat producer JBS, forcing the company to shell out $11 million in ransom to the extortionists to recover from the incident.
</p>

<p>
	 
</p>

<p>
	Following the attacks and increased international scrutiny in the wake of the global ransomware crisis, the group took its dark web infrastructure down, leading to speculations that it may have temporarily ceased operations with the goal of rebranding under a new identity so as to attract less attention.
</p>

<p>
	 
</p>

<p>
	REvil, also known as Sodinokibi, emerged as the fifth most commonly reported ransomware strain in Q1 2021, accounting for 4.60% of all submissions in the quarter, according to statistics compiled by Emsisoft.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/09/russian-ransomware-group-revil-back.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">2183</guid><pubDate>Thu, 09 Sep 2021 14:29:16 +0000</pubDate></item><item><title>Hackers Leak VPN Account Passwords From 87,000 Fortinet FortiGate Devices</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-leak-vpn-account-passwords-from-87000-fortinet-fortigate-devices-r2182/</link><description><![CDATA[<p>
	Network security solutions provider Fortinet confirmed that a malicious actor had disclosed, without authorization, VPN login names and passwords associated with 87,000 FortiGate SSL-VPN devices.
</p>

<p>
	 
</p>

<p>
	"These credentials were obtained from systems that remained unpatched against CVE-2018-13379 at the time of the actor's scan. While they may have since been patched, if the passwords were not reset, they remain vulnerable," the company said in a statement on Wednesday.
</p>

<p>
	 
</p>

<p>
	The disclosure comes after the threat actor leaked a list of Fortinet credentials for free on a new Russian-speaking forum called RAMP that launched in July 2021 as well as on Groove ransomware's data leak site, with Advanced Intel noting that the "breach list contains raw access to the top companies" spanning across 74 countries, including India, Taiwan, Italy, France, and Israel. "2,959 out of 22,500 victims are U.S. entities," the researchers said.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="leak.jpg" class="ipsImage" data-ratio="55.56" height="396" width="720" src="https://thehackernews.com/images/-HU-9TZrc8Wo/YTm0pyWYXXI/AAAAAAAADwc/12l08TWEhOUM6FKznJkQu0G8qDlpbkrcACLcBGAsYHQ/s0/leak.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	CVE-2018-13379 relates to a path traversal vulnerability in the FortiOS SSL VPN web portal, which allows unauthenticated attackers to read arbitrary system files, including the session file, which contains usernames and passwords stored in plaintext.
</p>

<p>
	 
</p>

<p>
	Although the bug was rectified in May 2019, the security weakness has been repeatedly exploited by multiple adversaries to deploy an array of malicious payloads on unpatched devices, prompting Fortinet to issue a series of advisories in August 2019, July 2020, April 2021, and again in June 2021, urging customers to upgrade affected appliances.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="stats.jpg" class="ipsImage" data-ratio="60.56" height="431" width="720" src="https://thehackernews.com/images/-qUrCccGMLeI/YTm0raORfPI/AAAAAAAADwg/R5dmT1pkUKwnRGYKr_SGB-GiTdIvnz1GACLcBGAsYHQ/s0/stats.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	CVE-2018-13379 also emerged as one of the top most exploited flaws in 2020, according to a list compiled by intelligence agencies in Australia, the U.K., and the U.S. earlier this year.
</p>

<p>
	 
</p>

<p>
	In light of the leak, Fortinet is recommending that companies immediately disable all VPNs, upgrade the devices to FortiOS 5.4.13, 5.6.14, 6.0.11, or 6.2.8 and above, and then initiate an organization-wide password reset, warning that "you may remain vulnerable post-upgrade if your users' credentials were previously compromised."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">2182</guid><pubDate>Thu, 09 Sep 2021 14:27:23 +0000</pubDate></item><item><title>Microsoft acknowledges Windows zero-day that leverages Office files for attacks</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-acknowledges-windows-zero-day-that-leverages-office-files-for-attacks-r2174/</link><description><![CDATA[<p>
	Microsoft has acknowledged a Windows zero-day vulnerability in MSHTML that allows for remote code execution when exploited. The issue affects all versions from Windows 7 through Windows 10 and the corresponding Windows Server releases. The company is tracking the vulnerability <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444" rel="external nofollow">under CVE-2021-40444 in MSRC</a> and adds that it is aware of “targeted attacks” that are achieved by creating malicious Office documents that exploit the vulnerability. The issue has been given a score of 8.8.
</p>

<p>
	 
</p>

<p>
	The firm adds in the details that an attacker could create an ActiveX control to be used by Office’s MSHTML browser rendering engine, which when opened by the user could allow for remote code execution. However, those who use the default option to open files from the internet in Protected View or via Application Guard for Office will be able to fend off the attack. Additionally, Microsoft Defender Antivirus and Defender for Endpoint can successfully detect the threat. The Defender for Endpoint alert displayed for this threat is “Suspicious Cpl File Execution”.
</p>

<p>
	 
</p>

<p>
	Another workaround posted by the firm involves disabling the installation of all ActiveX controls via the registry. The firm notes that the change will not affect controls that were already installed, and that systems will still be protected. You can head to the workarounds section in <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444" rel="external nofollow">the MSRC post</a> for the detailed workaround and the resulting impacts.
</p>

<p>
	 
</p>

<p>
	As for a permanent fix or mitigation, Microsoft says that it will take an “appropriate action” on completion of its investigation. This might come in the form of fixes during next week’s Patch Tuesday updates or via an out-of-band security update before the scheduled monthly patches. A researcher from one of the cybersecurity organizations that helped uncover this vulnerability, Haifei Li, said in a <a href="https://www.bleepingcomputer.com/news/security/microsoft-shares-temp-fix-for-ongoing-office-365-zero-day-attacks/" rel="external nofollow">statement to BleepingComputer</a> that the attack method is “100% reliable”, making it a significant risk. EXPMON researchers could also reproduce the attack on Windows 10 running the latest Office 365 build.
</p>

<p>
	 
</p>

<p>
	Another Office-related issue reported this week <a href="https://www.neowin.net/news/new-outlook-bug-lets-phishing-emails-seem-genuine/" rel="external nofollow">involved a bug in Outlook</a> that allowed suspicious email addresses to seem genuine, opening users to potential phishing attacks. While the firm declined to fix the vulnerability, it reportedly did so in the latest version.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-acknowledges-windows-zero-day-that-leverages-office-files-for-attacks/" rel="external nofollow">Microsoft acknowledges Windows zero-day that leverages Office files for attacks</a>
</p>
]]></description><guid isPermaLink="false">2174</guid><pubDate>Wed, 08 Sep 2021 22:12:10 +0000</pubDate></item><item><title>Microsoft: Attackers Exploiting Windows Zero-Day Flaw</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-attackers-exploiting-windows-zero-day-flaw-r2173/</link><description><![CDATA[<div>
	<p>
		Microsoft Corp. warns that attackers are exploiting a previously unknown vulnerability in Windows 10 and many Windows Server versions to seize control over PCs when users open a malicious document or visit a booby-trapped website. There is currently no official patch for the flaw, but Microsoft has released recommendations for mitigating the threat.
	</p>

	<p>
		 
	</p>

	<p>
		According to <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444" rel="external nofollow" target="_blank">a security advisory</a> from Redmond, the security hole <a href="https://us-cert.cisa.gov/ncas/current-activity/2021/09/07/microsoft-releases-mitigations-and-workarounds-cve-2021-40444" rel="external nofollow" target="_blank">CVE-2021-40444</a> affects the “MSHTML” component of Internet Explorer (IE) on Windows 10 and many Windows Server versions. IE has been slowly abandoned for more recent Windows browsers like Edge, but the same vulnerable component is also used by Microsoft Office applications for rendering web-based content.
	</p>

	<p>
		 
	</p>

	<p>
		“An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine,” Microsoft wrote. “The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
	</p>

	<p>
		 
	</p>

	<p>
		Microsoft has not yet released a patch for CVE-2021-40444, but says users can mitigate the threat from this flaw by disabling the installation of all ActiveX controls in IE. Microsoft says the vulnerability is currently being used in targeted attacks, although its advisory credits three different entities with reporting the flaw.
	</p>

	<p>
		 
	</p>

	<p>
		One of the researchers credited — EXPMON — <a href="https://twitter.com/EXPMON_/status/1435310341689331721" rel="external nofollow" target="_blank">said on Twitter</a> that it had reproduced the attack on the latest Office 2019 / Office 365 on Windows 10.
	</p>

	<p>
		 
	</p>

	<p>
		“The exploit uses logical flaws so the exploitation is perfectly reliable (&amp; dangerous),” EXPMON tweeted.
	</p>

	<p>
		 
	</p>

	<p>
		Windows users could see an official fix for the bug as soon as September 14, when Microsoft is slated to release its monthly “Patch Tuesday” bundle of security updates.
	</p>

	<p>
		 
	</p>

	<p>
		This year has been a tough one for Windows users and so-called “zero day” threats, which refers to vulnerabilities that are not patched by current versions of the software in question, and are being actively exploited to break into vulnerable computers.
	</p>

	<p>
		 
	</p>

	<p>
		Virtually every month in 2021 so far, Microsoft has been forced to respond to zero-day threats targeting huge swaths of its user base. In fact, by my count May was the only month so far this year that Microsoft didn’t release a patch to fix at least one zero-day attack in Windows or supported software.
	</p>

	<p>
		 
	</p>

	<p>
		Many of those zero-days involve older Microsoft technologies or those that have been retired, like IE11; Microsoft <a href="https://techcommunity.microsoft.com/t5/microsoft-365-blog/microsoft-365-apps-say-farewell-to-internet-explorer-11-and/ba-p/1591666" rel="external nofollow" target="_blank">officially retired support for Microsoft Office 365 apps and services on IE11</a> last month. In July, Microsoft <a href="https://krebsonsecurity.com/2021/07/microsoft-issues-emergency-patch-for-windows-flaw/" rel="external nofollow" target="_blank">rushed out a fix for the Print Nightmare vulnerability</a> that was present in every supported version of Windows, only to see the patch cause problems for a number of Windows users.
	</p>

	<p>
		 
	</p>

	<p>
		On June’s Patch Tuesday, Microsoft <a href="https://krebsonsecurity.com/2021/06/microsoft-patches-six-zero-day-security-holes/" rel="external nofollow" target="_blank">addressed six zero-day security holes</a>. And of course in March, hundreds of thousands of organizations running Microsoft Exchange email servers found those systems <a href="https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/" rel="external nofollow" target="_blank">compromised with backdoors thanks to four zero-day flaws in Exchange</a>.
	</p>
</div>

<p>
	 
</p>

<p>
	<a href="https://krebsonsecurity.com/2021/09/microsoft-attackers-exploiting-windows-zero-day-flaw/" rel="external nofollow">Microsoft: Attackers Exploiting Windows Zero-Day Flaw</a>
</p>
]]></description><guid isPermaLink="false">2173</guid><pubDate>Wed, 08 Sep 2021 22:09:50 +0000</pubDate></item><item><title>New Outlook bug lets phishing emails seem genuine</title><link>https://nsaneforums.com/news/security-privacy-news/new-outlook-bug-lets-phishing-emails-seem-genuine-r2155/</link><description><![CDATA[<p>
	A vulnerability in Microsoft Outlook is tricking users into believing that phishing emails directed to them are genuine. The Address Book within Outlook shows a known contact's details for a sender even when the sending address is not genuine and comes from an Internationalized Domain Name (IDN). IDNs can include letters from other scripts, such as Cyrillic, that are similar in appearance to letters from the Latin alphabet.
</p>

<p>
	 
</p>

<p>
	These look-alike characters trick users into believing that the emails have come from genuine contacts. The vulnerability was discovered by "<a href="https://dobby1kenobi.medium.com/lost-in-translation-222bbf00f2c" rel="external nofollow">Dobby1Kenobi</a>" (via <a href="https://www.windowscentral.com/microsoft-outlook-bug-leaves-it-open-old-school-phishing-attack-method" rel="external nofollow">Windows Central</a>).
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	I registered an email address that looked like my own organization email address and sent myself a test email to distinguish what factors in the email stood out as suspicious.
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	This means if a company’s domain is 'somecompany[.]com', an attacker that registers an IDN such as 'ѕomecompany[.]com' (xn--omecompany-l2i[.]com) could take advantage of this bug and send convincing phishing emails to employees within 'somecompany.com' that used Microsoft Outlook for Windows.
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	What differed between my organization domain and the phishing domain was a Cyrillic “s” at the start of the domain name.
</p>

<p>
	 
</p>

<p>
	Mike Manzotti from Dionach.com also <a href="https://www.dionach.com/blog/spoofing-microsoft-outlook-contact/" rel="external nofollow">reported the bug</a>. Even though Microsoft acknowledged the vulnerability, it said that it won't release a fix for it.
</p>

<p>
	 
</p>

<p>
	<img alt="1631028768_nestorwilke_story.jpg" class="ipsImage" data-ratio="59.31" height="405" width="720" src="https://cdn.neow.in/news/images/uploaded/2021/09/1631028768_nestorwilke_story.jpg">
</p>

<p>
	 
</p>

<p>
	Microsoft told Manzotti:
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	We've finished going over your case, but in this instance it was decided that we will not be fixing this vulnerability in the current version and are closing this case. In this case, while spoofing could occur, the sender's identity cannot be trusted without a digital signature. The changes needed are likely to cause false positives and issues in other ways.
</p>

<p>
	 
</p>

<p>
	However, it seems like Microsoft has in fact gone ahead and fixed it. According to Manzotti, Outlook version 16.0.14228.20216 does not have the vulnerability anymore. We recommend users update Outlook to the latest version, and beware of phishing scams like these.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/new-outlook-bug-lets-phishing-emails-seem-genuine/" rel="external nofollow">New Outlook bug lets phishing emails seem genuine</a>
</p>
]]></description><guid isPermaLink="false">2155</guid><pubDate>Tue, 07 Sep 2021 23:32:03 +0000</pubDate></item><item><title>WhatsApp can read your encrypted messages, but you may not need to worry</title><link>https://nsaneforums.com/news/security-privacy-news/whatsapp-can-read-your-encrypted-messages-but-you-may-not-need-to-worry-r2154/</link><description><![CDATA[<article>
	<p>
		According to Facebook, encrypted messages on WhatsApp cannot be accessed by anyone, nor can the company itself get access to them. However, according to a <a href="https://www.propublica.org/article/how-facebook-undermines-privacy-protections-for-its-2-billion-whatsapp-users" rel="external nofollow" target="_blank">report</a> published by the non-profit investigative journalism organization ProPublica, WhatsApp’s encrypted messages aren’t as protected as the company describes them to be.
	</p>

	<p>
		 
	</p>

	<p>
		According to the report, both Facebook and WhatsApp can get access to your private WhatsApp messages, which is in direct disagreement with what Facebook says to the world — that encrypted messages can only be decrypted by the users and the recipients.
	</p>

	<p>
		 
	</p>

	<p>
		The ProPublica report notes:
	</p>

	<p>
		 
	</p>

	<p style="margin-left: 40px;">
		[An] assurance automatically appears on-screen before users send messages: “No one outside of this chat, not even WhatsApp, can read or listen to them.”
	</p>

	<p style="margin-left: 40px;">
		 
	</p>

	<p style="margin-left: 40px;">
		Those assurances are not true. WhatsApp has more than 1,000 contract workers filling floors of office buildings in Austin, Texas, Dublin and Singapore, where they examine millions of pieces of users’ content. Seated at computers in pods organized by work assignments, these hourly workers use special Facebook software to sift through streams of private messages, images and videos that have been reported by WhatsApp users as improper and then screened by the company’s artificial intelligence systems. These contractors pass judgment on whatever flashes on their screen — claims of everything from fraud or spam to child porn and potential terrorist plotting — typically in less than a minute […]
	</p>

	<p style="margin-left: 40px;">
		 
	</p>

	<p style="margin-left: 40px;">
		Many of the assertions by content moderators working for WhatsApp are echoed by a confidential whistleblower complaint filed last year with the U.S. Securities and Exchange Commission. The complaint, which ProPublica obtained, details WhatsApp’s extensive use of outside contractors, artificial intelligence systems and account information to examine user messages, images and videos. It alleges that the company’s claims of protecting users’ privacy are false. “We haven’t seen this complaint,” the company spokesperson said. The SEC has taken no public action on it; an agency spokesperson declined to comment.
	</p>

	<p>
		 
	</p>

	<p>
		In a <a href="https://9to5mac.com/2021/09/07/whatsapp-messages-are-not-end-to-end-encrypted-claim/" rel="external nofollow" target="_blank">statement</a> to 9to5Mac, Facebook clarified that it can view the content of not only the reported message but also the four preceding messages within the same chat. The four preceding messages matter to content moderators because they provide the context needed to evaluate the report. The statement also says that reported messages are automatically sent to Facebook for moderation.
	</p>

	<p>
		 
	</p>

	<p>
		Maintaining that neither Facebook nor WhatsApp can view the content of messages that are not reported, WhatsApp has issued a statement, which takes issue with the idea that “accepting reports a user chooses to send us is incompatible with end-to-end encryption.”
	</p>

	<p>
		 
	</p>

	<p style="margin-left: 40px;">
		WhatsApp provides a way for people to report spam or abuse, which includes sharing the most recent messages in a chat. This feature is important for preventing the worst abuse on the internet. We strongly disagree with the notion that accepting reports a user chooses to send us is incompatible with end-to-end encryption.
	</p>

	<p>
		 
	</p>

	<p>
		The fact that both Facebook and WhatsApp can view the content of a reported message and the four messages preceding it suggests that your WhatsApp messages are encrypted, but that the company can break the rules for a good reason.
	</p>

	<p>
		 
	</p>

	<p>
		via <a href="https://www.xda-developers.com/facebook-read-whatsapp-messages/" rel="external nofollow" target="_blank">XDA</a>
	</p>
</article>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://mspoweruser.com/whatsapp-can-read-your-encrypted-messages/" rel="external nofollow">WhatsApp can read your encrypted messages, but you may not need to worry</a>
</p>
]]></description><guid isPermaLink="false">2154</guid><pubDate>Tue, 07 Sep 2021 23:28:11 +0000</pubDate></item><item><title>New privacy controls for WhatsApp will let you hide your 'Last Seen' status</title><link>https://nsaneforums.com/news/security-privacy-news/new-privacy-controls-for-whatsapp-will-let-you-hide-your-last-seen-status-r2153/</link><description><![CDATA[<p>
	Most messaging clients these days will let you see your <strong>friends' statuses</strong> and other details, such as when they were last logged in to the app and their current status. However, some users may not want all these details visible to everyone. WhatsApp is now making changes to its privacy controls so that you can set who can and can't see your profile.
</p>

<p>
	 
</p>

<p>
	These <strong>new privacy tools</strong> being developed were first spotted by WABetaInfo and will allow users to set who among their contacts can see parts of their profile. At the moment, your 'Last Seen,' 'Profile Picture,' and 'About' info can only be set so that either everyone or no one sees it; there is no way to customize these settings within the app. This is quite restrictive, especially when you compare it to other messaging apps such as Signal. It can also be a privacy issue for some, as you may not want your status to be visible to everyone, such as your boss, work colleagues, or even certain family members.
</p>

<p>
	 
</p>

<p>
	<img alt="New-privacy-controls-for-WhatsApp-will-l" class="ipsImage" data-ratio="75.10" height="540" width="262" src="https://mk0ghacksnety2pjrgh8.kinstacdn.com/wp-content/uploads/2021/09/New-privacy-controls-for-WhatsApp-will-let-you-hide-your-Last-Seen-status-1-747x1536.jpg">
</p>

<p>
	 
</p>

<p>
	WhatsApp is working to <strong>lift these limitations</strong> by letting users decide who can see their information in their contacts. This feature will allow the user to exclude specific contacts from seeing their status. This means you'll be able to hide your 'Last Seen' and other info from selected contacts without having to disable it for everyone.
</p>

<p>
	 
</p>

<p>
	Setting this feature is a two-way street. Once you've set it so that <strong>specific contacts</strong> can no longer see your status, it will also hide their info from you. When it comes to a matter of privacy, that is how it should be.
</p>

<p>
	 
</p>

<p>
	The feature was first spotted in WhatsApp beta on iOS, but Android users with WhatsApp beta should also start seeing this feature soon enough. Having this feature available will make a big difference in users' privacy. 'Last Seen' can be useful between close family and friends, but it also opens up a channel for abuse.
</p>

<h2>
	Closing words
</h2>

<p>
	It is refreshing to see WhatsApp actively taking an interest in their users' privacy and finally adding more features that will allow users to customize who can see their personal information and profiles. I look forward to seeing how this feature will work once it is released on Android.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2021/09/07/new-privacy-controls-for-whatsapp-will-let-you-hide-your-last-seen-status/" rel="external nofollow">New privacy controls for WhatsApp will let you hide your 'Last Seen' status</a>
</p>
]]></description><guid isPermaLink="false">2153</guid><pubDate>Tue, 07 Sep 2021 23:23:56 +0000</pubDate></item><item><title>ProtonMail deletes 'we don't log your IP' boast from website after French climate activist reportedly arrested</title><link>https://nsaneforums.com/news/security-privacy-news/protonmail-deletes-we-dont-log-your-ip-boast-from-website-after-french-climate-activist-reportedly-arrested-r2146/</link><description><![CDATA[<p>
	<span style="font-size:16px;"><strong>Cops can read the SMTP spec too, y'know</strong></span>
</p>

<p>
	 
</p>

<p>
	Encrypted email service ProtonMail has become embroiled in a minor scandal after responding to a legal request to hand over a user's IP address and details of the devices he used to access his mailbox to Swiss police – resulting in the user's arrest.
</p>

<p>
	 
</p>

<p>
	Police were executing a warrant obtained by French authorities and served on their Swiss counterparts through Interpol, according to social media rumours that ProtonMail chief exec Andy Yen acknowledged to The Register.
</p>

<p>
	 
</p>

<p>
	Etienne - Tek<br />
	@tenacioustek<br />
	<br />
	So @ProtonMail received a legal request from Europol through Swiss authorities to provide information about Youth for Climate action in Paris, they provided the IP address and information on the type of device used to the police
</p>

<p>
	 
</p>

<p>
	<img alt="E-ijyHdXsAUQqek?format=png&amp;name=360x360" class="ipsImage" data-ratio="63.89" height="230" width="360" src="https://pbs.twimg.com/media/E-ijyHdXsAUQqek?format=png&amp;name=360x360" />
</p>

<p>
	 
</p>

<p>
	At the time of writing, the company's website said: "We believe privacy and security are universal values which cross borders."
</p>

<p>
	 
</p>

<p>
	After data from ProtonMail was handed to the Swiss and then French police, the author of a left-wing political activists' blog in France wrote (en français) that a group called Youth for Climate had been targeted:
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	<strong>The police also noticed that the collective communicated via a ProtonMail email address. They therefore sent a requisition (via EUROPOL) to the Swiss company managing the messaging system in order to find out the identity of the creator of the address. ProtonMail responded to this request by providing the IP address and the fingerprint of the browser used by the collective. It is therefore imperative to go through the tor network (or at least a VPN) when using a ProtonMail mailbox (or another secure mailbox) if you want to guarantee sufficient security.</strong>
</p>

<p>
	 
</p>

<p>
	ProtonMail has said in the past that it does not collect user data and implements end-to-end encryption and repeated that over the weekend, saying: "Under no circumstances however, can our encryption be bypassed, meaning emails, attachments, calendars, files, etc, cannot be compromised by legal orders."
</p>

<p>
	 
</p>

<p>
	This statement, while bold, seems to be borne out by the service's privacy policy, which states that it can access the following user information:
</p>

<p>
	 
</p>

<ul>
	<li>
		Sender and recipient email addresses
	</li>
	<li>
		The IP address incoming messages originated from
	</li>
	<li>
		Message subject
	</li>
	<li>
		Message sent and received times
	</li>
</ul>

<p>
	 
</p>

<p>
	This is all standard unencrypted information from email headers, inherent to the SMTP email specification, though it appears that ProtonMail's previous promises about user information logging were a bit over-generous. Back in January this year, the company's homepage stated: "No personal information is required to create your secure email account. By default, we do not keep any IP logs which can be linked to your anonymous email account. Your privacy comes first."
</p>

<p>
	 
</p>

<p>
	Today that boast has been replaced with a mealy-mouthed version: "ProtonMail is email that respects privacy and puts people (not advertisers) first. Your data belongs to you, and our encryption ensures that. We also provide an anonymous email gateway."
</p>

<p>
	 
</p>

<p>
	The firm's privacy policy, which was updated yesterday, now says: "If you are breaking Swiss law, ProtonMail can be legally compelled to log your IP address as part of a Swiss criminal investigation."
</p>

<p>
	 
</p>

<p>
	In a statement posted to Reddit, which Yen forwarded to El Reg in lieu of making a statement of his own, ProtonMail said: "In this case, Proton received a legally binding order from the Swiss Federal Department of Justice which we are obligated to comply with. There was no possibility to appeal or fight this particular request because an act contrary to Swiss law did in fact take place (and this was also the final determination of the Federal Department of Justice which does a legal review of each case)."
</p>

<p>
	 
</p>

<p>
	As a Swiss company, ProtonMail is obliged to obey Swiss law and comply with Swiss legal demands, though it's unclear why the company was logging user-agent strings and IP addresses of client logins. An option exists in ProtonMail's user interface to enable access logging, though there is no information in public to suggest whether or not the French environmental protestor had enabled that. ®
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.theregister.com/2021/09/07/protonmail_hands_user_ip_address_police/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">2146</guid><pubDate>Tue, 07 Sep 2021 15:04:07 +0000</pubDate></item><item><title>&#x201C;FudCo&#x201D; Spam Empire Tied to Pakistani Software Firm</title><link>https://nsaneforums.com/news/security-privacy-news/%E2%80%9Cfudco%E2%80%9D-spam-empire-tied-to-pakistani-software-firm-r2139/</link><description><![CDATA[<div>
	<p>
		In May 2015, KrebsOnSecurity briefly <a href="https://krebsonsecurity.com/2015/05/phishing-gang-is-audacious-manipulator/" rel="external nofollow" target="_blank">profiled</a> “The Manipulaters,” the name chosen by a prolific cybercrime group based in Pakistan that was very publicly selling spam tools and a range of services for crafting, hosting and deploying malicious email. Six years later, a review of the social media postings from this group shows they are prospering, while rather poorly hiding their activities behind a software development firm in Lahore that has secretly enabled an entire generation of spammers and scammers.
	</p>

	<p>
		 
	</p>

	<div id="attachment_31110">
		<img alt="manipulaters-940x734.png" class="ipsImage" data-ratio="75.10" height="540" width="691" src="https://krebsonsecurity.com/wp-content/uploads/2015/05/manipulaters-940x734.png">
		<p id="caption-attachment-31110">
			The Web site in 2015 for the “Manipulaters Team,” a group of Pakistani hackers behind the dark web identity “Saim Raza,” who sells spam and malware tools and services.
		</p>
	</div>

	<p>
		 
	</p>

	<p>
		The Manipulaters’ core brand in the underground is a shared cybercriminal identity named “Saim Raza,” who for the past decade across dozens of cybercrime sites and forums has peddled a popular spamming and phishing service variously called “Fudtools,” “Fudpage,” “Fudsender,” etc.
	</p>

	<p>
		 
	</p>

	<p>
		The common acronym in nearly all of Saim Raza’s domains over the years — “FUD” — stands for “Fully Un-Detectable,” and it refers to cybercrime resources that will evade detection by security tools like antivirus software or anti-spam appliances.
	</p>

	<p>
		 
	</p>

	<div id="attachment_56857">
		<img alt="ftexploit-768x544.png" class="ipsImage" data-ratio="75.10" height="510" width="720" src="https://krebsonsecurity.com/wp-content/uploads/2021/09/ftexploit-768x544.png">
		<p id="caption-attachment-56857">
			One of several current Fudtools sites run by The Manipulaters.
		</p>
	</div>

	<p>
		 
	</p>

	<p>
		The current website for Saim Raza’s Fud Tools (above) offers phishing templates or “scam pages” for a variety of popular online sites like Office365 and Dropbox. They also sell “Doc Exploit” products that bundle malicious software with innocuous Microsoft Office documents; “scampage hosting” for phishing sites; a variety of spam blasting tools like HeartSender; and software designed to help spammers route their malicious email through compromised sites, accounts and services in the cloud.
	</p>

	<p>
		 
	</p>

	<p>
		For years leading up to 2015, “admin@manipulaters.com” was the name on the registration records for thousands of scam domains that spoofed some of the world’s top banks and brand names, but particularly Apple and Microsoft. When confronted about this, The Manipulaters founder Madih-ullah Riaz replied, “We do not deliberately host or allow any phishing or any other abusive website. Regarding phishing, whenever we receive complaint, we remove the services immediately. Also we are running business since 2006.”
	</p>

	<p>
		 
	</p>

	<div id="attachment_56864">
		<img alt="manip-firststeps.png" class="ipsImage" data-ratio="129.81" height="540" width="364" src="https://krebsonsecurity.com/wp-content/uploads/2021/09/manip-firststeps.png">
		<p id="caption-attachment-56864">
			The IT network of The Manipulaters, circa 2013. Image: Facebook
		</p>
	</div>

	<p>
		 
	</p>

	<p>
		Two years later, KrebsOnSecurity received an email from Riaz asking to have his name and that of his business partner removed from the 2015 story, saying it had hurt his company’s ability to maintain stable hosting for their stable of domains.
	</p>

	<p>
		 
	</p>

	<p>
		“We run web hosting business and due to your post we got very serious problems especially no data center was accepting us,” Riaz wrote in a May 2017 email. “I can see you post on hard time criminals we are not criminals, at least it was not in our knowledge.”
	</p>

	<p>
		 
	</p>

	<p>
		Riaz said the problem was that his company’s billing system erroneously used The Manipulaters’ name and contact information instead of its clients’ in WHOIS registration records. That oversight, he said, caused many researchers to erroneously attribute to them activity that was coming from just a few bad customers.
	</p>

	<p>
		 
	</p>

	<p>
		“We work hard to earn money and it is my request, 2 years of my name in your wonderful article is enough punishment and we learned from our mistakes,” he concluded.
	</p>

	<p>
		 
	</p>

	<p>
		The Manipulaters have indeed learned a few new tricks, but keeping their underground operations air-gapped from their real-life identities is mercifully not one of them.
	</p>

	<h2>
		ZERO OPERATIONAL SECURITY
	</h2>

	<p>
		Phishing domain names registered to The Manipulaters included an address in Karachi, with the phone number 923218912562. That same phone number is shared in the WHOIS records for 4,000+ domains registered through domainprovider[.]work, a domain controlled by The Manipulaters that appears to be a reseller of another domain name provider.
	</p>

	<p>
		 
	</p>

	<p>
		One of Saim Raza’s many ads in the cybercrime underground for his Fudtools service promotes the domain fudpage[.]com, and the WHOIS records for that domain share the same Karachi phone number. Fudpage’s WHOIS records list the contact as “admin@apexgrand.com,” which is another email address used by The Manipulaters to register domains.
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="manipulaters-overlap-768x462.png" class="ipsImage" data-ratio="64.17" height="433" width="720" src="https://krebsonsecurity.com/wp-content/uploads/2021/09/manipulaters-overlap-768x462.png">
	</p>

	<p>
		 
	</p>

	<p>
		As I noted in 2015, The Manipulaters Team used domain name service (DNS) settings from another blatantly fraudulent service called ‘FreshSpamTools[.]eu,’ which was offered by a fellow Pakistani who also conveniently sold phishing toolkits targeting a number of big banks.
	</p>

	<p>
		 
	</p>

	<p>
		The WHOIS records for FreshSpamTools briefly list the email address bilal.waddaich@gmail.com, which corresponds to the email address for a Facebook account of a Bilal “Sunny” Ahmad Warraich (a.k.a. Bilal Waddaich).
	</p>

	<p>
		 
	</p>

	<div id="attachment_56858">
		<img alt="bilalwaddaich-768x589.png" class="ipsImage" data-ratio="75.10" height="540" width="704" src="https://krebsonsecurity.com/wp-content/uploads/2021/09/bilalwaddaich-768x589.png">
		<p id="caption-attachment-56858">
			Bilal Waddaich’s current Facebook profile photo includes many current and former employees of We Code Solutions.
		</p>
	</div>

	<p>
		 
	</p>

	<p>
		Warraich’s Facebook profile says he works as an IT support specialist at a software development company in Lahore called We Code Solutions.
	</p>

	<p>
		 
	</p>

	<div id="attachment_56896">
		<img alt="wecodesolutionshome-782x419.png" class="ipsImage" data-ratio="58.06" height="385" width="720" src="https://krebsonsecurity.com/wp-content/uploads/2021/09/wecodesolutionshome-782x419.png">
		<p id="caption-attachment-56896">
			The We Code Solutions website.
		</p>
	</div>

	<p>
		 
	</p>

	<p>
		A review of the hosting records for the company’s website wecodesolutions[.]pk shows that over the past three years it has shared a server with just a handful of other domains, including:
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			saimraza[.]tools
		</li>
		<li>
			fud[.]tools
		</li>
		<li>
			heartsender[.]net
		</li>
		<li>
			fudspampage[.]com
		</li>
		<li>
			fudteam[.]com
		</li>
		<li>
			autoshopscript[.]com
		</li>
		<li>
			wecodebilling[.]com
		</li>
		<li>
			antibotspanel[.]com
		</li>
		<li>
			sellonline[.]tools
		</li>
	</ul>

	<h2>
		FUD CO
	</h2>

	<p>
		The profile image atop Warraich’s Facebook page is a group photo of current and former We Code Solutions employees. Helpfully, many of the faces in that photo have been tagged and associated with their respective Facebook profiles.
	</p>

	<p>
		 
	</p>

	<p>
		For example, the Facebook profile of Burhan Ul Haq, a.k.a. “Burhan Shaxx” says he works in human relations and IT support for We Code Solutions. Scanning through Ul Haq’s endless selfies on Facebook, it’s impossible to ignore a series of photos featuring various birthday cakes and the words “Fud Co” written in icing on top.
	</p>

	<p>
		 
	</p>

	<div id="attachment_56859">
		<img alt="burhancake-768x379.png" class="ipsImage" data-ratio="52.64" height="355" width="720" src="https://krebsonsecurity.com/wp-content/uploads/2021/09/burhancake-768x379.png">
		<p id="caption-attachment-56859">
			Burhan Ul Haq’s photos show many Fud Co-themed cakes the We Code Solutions employees enjoyed on the anniversary of the Manipulaters Team.
		</p>
	</div>

	<p>
		 
	</p>

	<p>
		Yes, from a review of the Facebook postings of We Code Solutions employees, it appears that for at least the last five years this group has celebrated an anniversary every May with a Fud Co cake, non-alcoholic sparkling wine, and a Fud Co party or group dinner. Let’s take a closer look at that delicious cake:
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="fudcocake-768x790.png" class="ipsImage" data-ratio="75.10" height="540" width="525" src="https://krebsonsecurity.com/wp-content/uploads/2021/09/fudcocake-768x790.png">
	</p>

	<p>
		 
	</p>

	<p>
		The head of We Code Solutions appears to be a guy named Rameez Shahzad, the older individual at the center of the group photo in Warraich’s Facebook profile. You can tell Shahzad is <a href="https://www.facebook.com/photo.php?fbid=2491160847779183&amp;set=pb.100006558753783.-2207520000..&amp;type=3" rel="external nofollow" target="_blank">the boss</a> because he is at the center of virtually every group photo he and other We Code Solutions employees posted to their respective Facebook pages.
	</p>

	<p>
		 
	</p>

	<div id="attachment_56867">
		<img alt="fudcoteam-768x359.png" class="ipsImage" data-ratio="49.72" height="336" width="720" src="https://krebsonsecurity.com/wp-content/uploads/2021/09/fudcoteam-768x359.png">
		<p id="caption-attachment-56867">
			We Code Solutions boss Rameez Shahzad (in sunglasses) is in the center of this group photo, which was posted by employee Burhan Ul Haq, pictured just to the right of Shahzad.
		</p>
	</div>

	<p>
		 
	</p>

	<p>
		Shahzad’s postings on Facebook are even more revelatory: On Aug. 3, 2018, he posted a screenshot of someone logged into a WordPress site under the username Saim Raza — the same identity that’s been pimping Fud Co spam tools for close to a decade now.
	</p>

	<p>
		 
	</p>

	<p>
		“After [a] long time, Mailwizz ready,” Shahzad wrote as a caption to the photo:
	</p>

	<p>
		 
	</p>

	<div id="attachment_56861">
		<img alt="ramizsaim-768x364.png" class="ipsImage" data-ratio="50.56" height="341" width="720" src="https://krebsonsecurity.com/wp-content/uploads/2021/09/ramizsaim-768x364.png">
		<p id="caption-attachment-56861">
			We Code Solutions boss Rameez Shahzad posted on Facebook a screenshot of someone logged into a WordPress site with the username Saim Raza, the same cybercriminal identity that has peddled the FudTools spam empire for more than 10 years.
		</p>
	</div>

	<p>
		 
	</p>

	<p>
		Whoever controlled the Saim Raza cybercriminal identity had a penchant for re-using the same password (“lovertears”) across dozens of Saim Raza email addresses. One of Saim Raza’s favorite email address variations was “game.changer@[pick ISP here]”. Another email address advertised by Saim Raza was “bluebtcus@gmail.com.”
	</p>

	<p>
		 
	</p>

	<p>
		So it was not surprising to see Rameez Shahzad post a screenshot to his Facebook account of his computer desktop, which shows he is logged into a Skype account that begins with the name “game.” and a Gmail account beginning with “bluebtc.”
	</p>

	<p>
		 
	</p>

	<div id="attachment_56885">
		<img alt="rameez-gc-bbtc-768x459.png" class="ipsImage" data-ratio="63.75" height="430" width="720" src="https://krebsonsecurity.com/wp-content/uploads/2021/09/rameez-gc-bbtc-768x459.png">
		<p id="caption-attachment-56885">
			Image: Scylla Intel
		</p>
	</div>

	<p>
		 
	</p>

	<p>
		KrebsOnSecurity attempted to reach We Code Solutions via the contact email address on its website — info@wecodesolutions[.]pk — but the message bounced back, saying there was no such address. Similarly, a call to the Lahore phone number listed on the website produced an automated message saying the number is not in service. None of the We Code Solutions employees contacted directly via email or phone responded to requests for comment.
	</p>

	<h2>
		FAIL BY NUMBERS
	</h2>

	<p>
		This open-source research on The Manipulaters and We Code Solutions is damning enough. But the real icing on the Fud Co cake is that sometime in 2019, The Manipulaters failed to renew their core domain name — manipulaters[.]com — the same one tied to so many of the company’s past and current business operations.
	</p>

	<p>
		 
	</p>

	<p>
		That domain was quickly scooped up by <a href="https://www.scyllaintel.com/" rel="external nofollow" target="_blank">Scylla Intel</a>, a cyber intelligence firm that specializes in connecting cybercriminals to their real-life identities. Whoops.
	</p>

	<p>
		 
	</p>

	<p>
		Scylla co-founder Sasha Angus said the messages that flooded their inbox once they set up an email server on that domain quickly filled in many of the details they didn’t already have about The Manipulaters.
	</p>

	<p>
		 
	</p>

	<p>
		“We know the principals, their actual identities, where they are, where they hang out,” Angus said. “I’d say we have several thousand exhibits that we could put into evidence potentially. We have them six ways to Sunday as being the guys behind this Saim Raza spammer identity on the forums.”
	</p>

	<p>
		 
	</p>

	<p>
		Angus said he and a fellow researcher briefed U.S. prosecutors in 2019 about their findings on The Manipulaters, and that investigators expressed interest but also seemed overwhelmed by the volume of evidence that would need to be collected and preserved about this group’s activities.
	</p>

	<p>
		 
	</p>

	<p>
		“I think one of the things the investigators found challenging about this case was not who did what, but just how much bad stuff they’ve done over the years,” Angus said. “With these guys, you keep going down this rabbit hole that never ends because there’s always more, and it’s fairly astonishing. They are prolific. If they had halfway decent operational security, they could have been really successful. But thankfully, they don’t.”
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	 <a href="https://krebsonsecurity.com/2021/09/fudco-spam-empire-tied-to-pakistani-software-firm/" rel="external nofollow">“FudCo” Spam Empire Tied to Pakistani Software Firm</a>
</p>
]]></description><guid isPermaLink="false">2139</guid><pubDate>Mon, 06 Sep 2021 22:39:52 +0000</pubDate></item><item><title>Ransomware gangs target companies using these criteria</title><link>https://nsaneforums.com/news/security-privacy-news/ransomware-gangs-target-companies-using-these-criteria-r2138/</link><description><![CDATA[<p>
	Ransomware gangs increasingly purchase access to a victim's network on dark web marketplaces and from other threat actors. Analyzing their want ads makes it possible to get an inside look at the types of companies ransomware operations are targeting for attacks.
</p>

<p>
	 
</p>

<p>
	When conducting a cyberattack, ransomware gangs must first gain access to a corporate network to deploy their ransomware.
</p>

<p>
	 
</p>

<p>
	With the massive profits being generated in attacks, instead of finding and breaching targets themselves, ransomware gangs are commonly purchasing initial access to high-value targets through initial access brokers (IABs).
</p>

<p>
	 
</p>

<p>
	IABs are other threat actors who breach a network, whether through brute-forcing passwords, exploits, or phishing campaigns and then sell that access to other cybercriminals.
</p>

<p>
	 
</p>

<p>
	After examining ransomware gang's "want ads," cybersecurity intelligence company <a href="https://ke-la.com/" rel="external nofollow" target="_blank">KELA</a> has compiled a list of criteria that the larger enterprise-targeting operations look for in a company for their attacks.
</p>

<h2>
	Targeting certain companies
</h2>

<p>
	KELA analyzed 48 forum posts created in July in which threat actors were looking to purchase access to a network. The researchers state that 40% of these ads were created by people working with ransomware gangs.
</p>

<p>
	 
</p>

<p>
	These want ads list the requirements that ransomware actors are looking for in a company, such as the country it is located in, the industry it operates in, and how much the buyers are willing to spend.
</p>

<p>
	 
</p>

<p>
	For example, in a want ad from the BlackMatter ransomware gang, the threat actors are looking for targets specifically in the USA, Canada, Australia, and Great Britain with revenue of $100 million or more. For this access, they are willing to pay $3,000 to $100,000, as shown in the want ad below.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="exploit-post.jpg" class="ipsImage" data-ratio="75.10" height="540" width="626" src="https://www.bleepstatic.com/images/news/ransomware/b/blackmatter/exploit-post.jpg">
		</p>

		<figcaption>
			BlackMatter network access want ad
		</figcaption>
	</figure>
</div>

<p>
	By analyzing the want ads from close to twenty posts created by threat actors related to ransomware gangs, the KELA researchers were able to come up with the following company characteristics that are being targeted:
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>Geography</strong>: Ransomware gangs prefer victims located in the USA, Canada, Australia, and Europe.

		<p>
			"The majority of requests mentioned the desired location of victims, with the US being the most popular choice - 47% of the actors mentioned it. Other top locations included Canada (37%), Australia (37%), and European countries (31%). Most of the advertisements included a call for multiple countries," said KELA's report.
		</p>

		<p>
			"The reason behind this geographical focus is that actors choose the most wealthy companies which are expected to be located in the biggest and the most developed countries."
		</p>
	</li>
	<li>
		<strong>Revenue</strong>: KELA states that the average minimum revenue desired by ransomware gangs is $100 million. However, this can differ depending on the geographic location of the victim.
		<p>
			"For example, one of the actors described the following formula: revenue should be more than 5 million USD for US victims, more than 20 million USD for European victims, and more than 40 million USD for “the third world” countries," explained KELA.
		</p>
	</li>
	<li>
		<strong>Blacklist of sectors</strong>: While some gangs said they avoided healthcare, they were less picky about the other industries of the companies they encrypt. However, after the <a href="https://www.bleepingcomputer.com/news/security/largest-us-pipeline-shuts-down-operations-after-ransomware-attack/" target="_blank" rel="external nofollow">Colonial Pipeline</a>, <a href="https://www.bleepingcomputer.com/news/security/dc-police-confirms-cyberattack-after-ransomware-gang-leaks-data/" target="_blank" rel="external nofollow">Metropolitan Police Department</a>, and <a href="https://www.bleepingcomputer.com/news/security/food-giant-jbs-foods-shuts-down-production-after-cyberattack/" target="_blank" rel="external nofollow">JBS attacks</a>, many ransomware gangs began avoiding specific sectors.
		<p>
			"47% of ransomware attackers refused to buy access to companies from the healthcare and education industries. 37% prohibited compromising the government sector, while 26% claimed they will not purchase access related to non-profit organizations."
		</p>

		<p>
			"When actors prohibit healthcare or non-profit industries offers, it is more likely due to the moral code of the actors. When the education sector is off the table, the reason is the same or the fact that education victims simply cannot afford to pay much."
		</p>

		<p>
			"Finally, when actors refuse to target government companies, it is a precaution measure and an attempt to avoid unwanted attention from law enforcement."
		</p>
	</li>
	<li>
		<strong>Blacklist of countries</strong>: Most large ransomware operations specifically avoid attacking companies located in the Commonwealth of Independent States (CIS) as they believe if they don't target those countries, the local authorities will not target them.
		<p>
			These blacklisted countries include Russia, Ukraine, Moldova, Belarus, Kyrgyzstan, Kazakhstan, Armenia, Tajikistan, Turkmenistan, and Uzbekistan.
		</p>
	</li>
</ul>

<p>
	 
</p>

<p>
	Unfortunately, even if a company does not meet the above criteria, that does not mean it is safe.
</p>

<p>
	 
</p>

<p>
	Many ransomware gangs, such as Dharma, STOP, and Globe, are less picky, and any company can wind up being targeted by a ransomware operation.
</p>

<p>
	 
</p>

<p>
	Furthermore, even though these gangs prefer victims with these characteristics, it does not necessarily mean they won't breach a network independently.
</p>

<p>
	 
</p>

<p>
	BleepingComputer has commonly seen ransomware gangs, such as DarkSide, REvil, BlackMatter, and LockBit, target smaller companies and demand much smaller ransoms.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/ransomware-gangs-target-companies-using-these-criteria/" rel="external nofollow">Ransomware gangs target companies using these criteria</a>
</p>
]]></description><guid isPermaLink="false">2138</guid><pubDate>Mon, 06 Sep 2021 22:30:34 +0000</pubDate></item><item><title>Traffic Exchange Networks Distributing Malware Disguised as Cracked Software</title><link>https://nsaneforums.com/news/security-privacy-news/traffic-exchange-networks-distributing-malware-disguised-as-cracked-software-r2133/</link><description><![CDATA[<p>
	An ongoing campaign has been found to leverage a network of websites acting as a "dropper as a service" to deliver a bundle of malware payloads to victims looking for "cracked" versions of popular business and consumer applications.
</p>

<p>
	 
</p>

<p>
	"These malware included an assortment of click fraud bots, other information stealers, and even ransomware," researchers from cybersecurity firm Sophos said in a report published last week.
</p>

<p>
	 
</p>

<p>
	The attacks work by taking advantage of a number of bait pages hosted on WordPress that contain "download" links to software packages, which, when clicked, redirect the victims to a different website that delivers potentially unwanted browser plug-ins and malware, such as installers for Raccoon Stealer, Stop ransomware, the Glupteba backdoor, and a variety of malicious cryptocurrency miners that masquerade as antivirus solutions.
</p>

<p>
	 
</p>

<p>
	"Visitors who arrive on these sites are prompted to allow notifications; if they allow this to happen, the websites repeatedly issue false malware alerts," the researchers said. "If the users click the alerts, they're directed through a series of websites until they arrive at a destination that's determined by the visitor's operating system, browser type, and geographic location."
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="malware-1.jpg" class="ipsImage" data-ratio="73.89" height="526" width="720" src="https://thehackernews.com/images/-xnaIgsYN3S8/YTX0_45FgPI/AAAAAAAADu0/REZLLFkGzkQAfUFZoLPFUbVKWHxBYbEvACLcBGAsYHQ/s728-e1000/malware-1.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Using techniques like search engine optimization, links to the websites appear at the top of search results when individuals search for pirated versions of a wide range of software apps. The activities, considered to be the product of an underground marketplace for paid download services, allow entry-level cyber actors to set up and tailor their campaigns based on geographical targeting.
</p>

<p>
	 
</p>

<p>
	Traffic exchanges, as the distribution infrastructure is also called, typically require a Bitcoin payment before affiliates can create accounts on the service and begin distributing installers, with sites like InstallBest offering advice on "best practices," such as recommending against using Cloudflare-based hosts for downloaders, as well as using URLs within Discord's CDN, Bitbucket, or other cloud platforms.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="malware-2.jpg" class="ipsImage" data-ratio="58.06" height="413" width="720" src="https://thehackernews.com/images/-LfM2iN8rKyc/YTX1EAOLdPI/AAAAAAAADu4/HuFhJhAGrLA6WS1v1DZd8LxJzYo9smHPQCLcBGAsYHQ/s728-e1000/malware-2.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p style="text-align:center;">
	<img alt="malware-3.jpg" class="ipsImage" data-ratio="48.19" height="344" width="720" src="https://thehackernews.com/images/-duSV21223wo/YTX1FF2QV-I/AAAAAAAADu8/yJS0EDn2ZZQJwx_qQ6Yh54Vmd5EMFJmPgCLcBGAsYHQ/s728-e1000/malware-3.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	On top of that, the researchers also found that some of the services act as "go-betweens" for established malvertising networks that pay website publishers for traffic. One such established traffic supplier is InstallUSD, a Pakistan-based advertising network, which has been linked to a number of malware campaigns involving the cracked software sites.
</p>

<p>
	 
</p>

<p>
	This is far from the first time "warez" websites have been put to use as an infection vector by threat actors. Earlier this June, a cryptocurrency miner called Crackonosh was found abusing the method to install a coin miner package called XMRig for stealthily exploiting the infected host's resources to mine Monero.
</p>

<p>
	 
</p>

<p>
	A month later, the attackers behind a piece of malware dubbed MosaicLoader were found targeting individuals searching for cracked software as part of a global campaign to deploy a fully-featured backdoor capable of roping the compromised Windows systems into a botnet.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/09/traffic-exchange-networks-distributing.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">2133</guid><pubDate>Mon, 06 Sep 2021 14:26:29 +0000</pubDate></item><item><title>ProtonMail Shares Activist's IP Address With Authorities Despite Its "No Log" Claims</title><link>https://nsaneforums.com/news/security-privacy-news/protonmail-shares-activists-ip-address-with-authorities-despite-its-no-log-claims-r2132/</link><description><![CDATA[<p>
	End-to-end encrypted email service provider ProtonMail has drawn criticism after it ceded to a legal request and shared the IP address of anti-gentrification activists with law enforcement authorities, leading to their arrests in France.
</p>

<p>
	 
</p>

<p>
	The Switzerland-based company said it received a "legally binding order from the Swiss Federal Department of Justice" related to a collective called Youth for Climate, which it was "obligated to comply with," compelling it to hand over the IP address and information about the type of device the group used to access the ProtonMail account.
</p>

<p>
	 
</p>

<p>
	On its website, ProtonMail advertises that: "No personal information is required to create your secure email account. By default, we do not keep any IP logs which can be linked to your anonymous email account. Your privacy comes first."
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="protonemail.jpg" class="ipsImage" data-ratio="64.31" height="458" width="720" src="https://thehackernews.com/images/-qgPk3zfuTIU/YTYEu1L7K6I/AAAAAAAADvU/YvXPEfVMKi8jG0DoGZDFa4wO9rVVkE-nwCLcBGAsYHQ/s0/protonemail.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Despite its no-IP-logs claims, the company acknowledged that while it is illegal for the company to comply with requests from non-Swiss law enforcement authorities, it will be required to do so if Swiss agencies agree to assist foreign services such as Europol in their investigations.
</p>

<p>
	 
</p>

<p>
	"There was no possibility to appeal or fight this particular request because an act contrary to Swiss law did in fact take place (and this was also the final determination of the Federal Department of Justice which does a legal review of each case)," the company said in a lengthy response posted on Reddit.
</p>

<p>
	 
</p>

<p>
	Put simply, ProtonMail will not only have to comply with Swiss government orders, it will be forced to hand over data when individuals use the service to engage in activities that are deemed illegal in the country.
</p>

<p>
	 
</p>

<p>
	"Proton must comply with Swiss law. As soon as a crime is committed, privacy protections can be suspended and we're required by Swiss law to answer requests from Swiss authorities," ProtonMail founder and CEO Andy Yen tweeted, adding "It's deplorable that legal tools for serious crimes are being used in this way. But by law, [ProtonMail] must comply with Swiss criminal investigations. This is obviously not done by default, but only if legally forced."
</p>

<p>
	 
</p>

<p>
	If anything, ProtonMail users who are concerned about the visibility of their IP addresses should use a VPN or access the email service over the Tor network for additional anonymity.
</p>

<p>
	 
</p>

<p>
	"The prosecution in this case seems quite aggressive. Unfortunately, this is a pattern we have increasingly seen in recent years around the world (for example in France where terror laws are inappropriately used)," the company said.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/09/protonmail-shares-activists-ip-address.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">2132</guid><pubDate>Mon, 06 Sep 2021 14:20:33 +0000</pubDate></item><item><title>Watch out for new malware campaign&#x2019;s 'Windows 11 Alpha' attachment</title><link>https://nsaneforums.com/news/security-privacy-news/watch-out-for-new-malware-campaign%E2%80%99s-windows-11-alpha-attachment-r2119/</link><description><![CDATA[<p>
	Relying on a simple recipe that has proved successful time and time again, threat actors have deployed a malware campaign recently that used a Windows 11 theme to lure recipients into activating malicious code placed inside Microsoft Word documents.
</p>

<p>
	 
</p>

<p>
	Security researchers believe that the adversary behind the campaign may be the FIN7 cybercrime group, also known as Carbanak and Navigator, that specializes in stealing payment card data.
</p>

<h3>
	Tried and tested method
</h3>

<p>
	The adversary took advantage of the buzz around Microsoft’s development of its next operating system release, details of which started emerging in early June.
</p>

<p>
	 
</p>

<p>
	Cybercriminals laced Microsoft Word documents with macro code that ultimately downloads a JavaScript backdoor that lets the attacker deliver any payload they want.
</p>

<p>
	 
</p>

<p>
	Researchers at cybersecurity company Anomali analyzed six such documents and say that the delivered backdoor appears to be a variation of a payload commonly used by the FIN7 group since at least 2018.
</p>

<p>
	 
</p>

<p>
	The names used in the campaign seem to indicate that the activity may have occurred between late June and late July, a period immediately after <a href="https://www.bleepingcomputer.com/tag/windows-11/page/3/" rel="external nofollow">news about Windows 11 started to emerge</a> on a more regular basis.
</p>

<p>
	 
</p>

<p>
	It is unclear how the malicious files were delivered, but phishing email is typically how it happens. Opening the document shows Windows 11 imagery with text designed to trick the recipient into enabling macro content.
</p>

<p>
	 
</p>

<p>
	<img alt="Windows-11-Themed-Maldoc_Anomali.png" class="ipsImage" data-ratio="75.10" height="474" width="720" src="https://www.bleepstatic.com/images/news/u/1100723/2021/Windows-11-Themed-Maldoc_Anomali.png">
</p>

<p>
	 
</p>

<p>
	The claim that the document was generated with a newer operating system may make some users believe that a compatibility issue prevents them from accessing the content and that following the instructions eliminates the problem.
</p>

<p>
	 
</p>

<p>
	If the user follows the instructions, they activate and execute the malicious VBA macro that the threat actor planted inside the document.
</p>

<p>
	 
</p>

<p>
	The code is obfuscated to hinder analysis but there are ways to clean it of the surplus and leave only the relevant strings.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="VBA-Macro-without-Junk-Data_Anomali.png" class="ipsImage" data-ratio="75.10" height="390" width="720" src="https://www.bleepstatic.com/images/news/u/1100723/2021/VBA-Macro-without-Junk-Data_Anomali.png">
		</p>

		<figcaption>
			unobfuscated macro
		</figcaption>
	</figure>
</div>

<p>
	Anomali researchers found that the included VBScript relies on some values encoded inside a hidden table in the document to perform language checks on the infected computer.
</p>

<p>
	 
</p>

<p>
	Detecting a specific language (Russian, Ukrainian, Moldovan, Sorbian, Slovak, Slovenian, Estonian, Serbian) puts a stop to the malicious activity and deletes the table with encoded values.
</p>

<p>
	 
</p>

<p>
	The code also looks for the domain CLEARMIND, which Anomali researchers say appears to refer to a point-of-sale (PoS) provider.
</p>

<p>
	 
</p>

<p>
	Other checks that the code makes include:
</p>

<p>
	 
</p>

<ul>
	<li>
		Reg Key language preference for Russian
	</li>
	<li>
		Virtual machine - VMWare, VirtualBox, innotek, QEMU, Oracle, Hyper and Parallels (if a VM is detected the script is killed)
	</li>
	<li>
		Available memory (stops if there is less than 4GB)
	</li>
	<li>
		Check for RootDSE via LDAP
	</li>
</ul>

<div>
	<p>
		 
	</p>

	<p>
		“If the checks are satisfactory, the script proceeds to the function where a JavaScript file called word_data.js is dropped to the TEMP folder” - <a href="https://www.anomali.com/blog/cybercrime-group-fin7-using-windows-11-alpha-themed-docs-to-drop-javascript-backdoor" rel="external nofollow" target="_blank">Anomali</a>
	</p>
</div>

<h3>
	FIN7 indications
</h3>

<p>
	The JavaScript is heavily obfuscated and cleaning it up reveals a backdoor that resembles other backdoors connected to the FIN7 cybercrime group, Anomali researchers say.
</p>

<p>
	 
</p>

<p>
	There is moderate confidence for the attribution, which is based on the following factors:
</p>

<p>
	 
</p>

<ul>
	<li>
		Targeting of a POS provider aligns with previous FIN7 activity
	</li>
	<li>
		The use of decoy doc files with VBA macros also aligns with previous FIN7 activity
	</li>
	<li>
		FIN7 have used Javascript backdoors historically
	</li>
	<li>
		Infection stops after detecting Russian, Ukrainian, or several other Eastern European languages
	</li>
	<li>
		Password protected document
	</li>
	<li>
		Tool mark from Javascript file "group=doc700&amp;rt=0&amp;secret=7Gjuyf39Tut383w&amp;time=120000&amp;uid=" follows similar pattern to previous FIN7 campaigns
	</li>
</ul>

<p>
	 
</p>

<p>
	FIN7 has been around since at least 2013 but became more widely known from 2015. Some of its members were arrested and sentenced, but attacks and malware continued to be <a href="https://www.bleepingcomputer.com/news/security/fin7-hackers-bioload-malware-drops-fresher-carbanak-backdoor/" rel="external nofollow">attributed to the group</a> even beyond 2018, when several of its members were arrested [<a href="https://www.justice.gov/opa/pr/three-members-notorious-international-cybercrime-group-fin7-custody-role-attacking-over-100" rel="external nofollow">1</a>, <a href="https://www.justice.gov/opa/pr/high-level-member-hacking-group-sentenced-prison-scheme-compromised-tens-millions-debit-and" rel="external nofollow">2</a>].
</p>

<p>
	 
</p>

<p>
	The attackers focused on stealing payment card data belonging to customers of various businesses. Their activity in the U.S. caused more than $1 billion in losses from stealing over 20 million card records processed by more than 6,500 point-of-sale terminals at around 3,600 separate business locations.
</p>

<p>
	 
</p>

<p>
	Among the companies that FIN7 hit are Chipotle Mexican Grill, Chili’s, Arby’s, Red Robin, and Jason’s Deli.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/watch-out-for-new-malware-campaign-s-windows-11-alpha-attachment/" rel="external nofollow">Watch out for new malware campaign’s 'Windows 11 Alpha' attachment</a>
</p>
]]></description><guid isPermaLink="false">2119</guid><pubDate>Sat, 04 Sep 2021 21:59:22 +0000</pubDate></item><item><title>Amid backlash, Apple will change photo-scanning plan but won&#x2019;t drop it completely</title><link>https://nsaneforums.com/news/security-privacy-news/amid-backlash-apple-will-change-photo-scanning-plan-but-won%E2%80%99t-drop-it-completely-r2107/</link><description><![CDATA[<header>
	<h2 itemprop="description">
		Apple issues vague statement promising "improvements" but still plans to scan photos.
	</h2>
</header>

<section>
	<div itemprop="articleBody">
		<p>
			Apple said Friday that it will make some changes to its <a href="https://arstechnica.com/tech-policy/2021/08/apple-explains-how-iphones-will-scan-photos-for-child-sexual-abuse-images/" rel="external nofollow">plan to have iPhones and other devices scan user photos</a> for child sexual-abuse images. But Apple said it still intends to implement the system after making "improvements" to address criticisms.
		</p>

		<p>
			 
		</p>

		<p>
			Apple provided this statement to Ars and other news organizations today:
		</p>

		<blockquote>
			<p>
				Last month we announced plans for features intended to help protect children from predators who use communication tools to recruit and exploit them, and limit the spread of Child Sexual Abuse Material [CSAM]. Based on feedback from customers, advocacy groups, researchers and others, we have decided to take additional time over the coming months to collect input and make improvements before releasing these critically important child safety features.
			</p>
		</blockquote>

		<p>
			The statement is vague and doesn't say what kinds of changes Apple will make or even what kinds of advocacy groups and researchers it will collect input from. But given the backlash Apple has received from security researchers, privacy advocates, and customers concerned about privacy, it seems likely that Apple will try to address concerns about user privacy and the possibility that Apple could give governments broader access to customers' photos.
		</p>

		<h2>
			Privacy groups warned of government access
		</h2>

		<p>
			It isn't clear how Apple could implement the system in a way that eliminates its critics' biggest privacy concerns. Apple has claimed it would <a href="https://arstechnica.com/tech-policy/2021/08/apple-says-it-will-refuse-govt-demands-to-expand-photo-scanning-beyond-csam/" rel="external nofollow">refuse government demands</a> to expand photo-scanning beyond CSAM. But privacy and security advocates argue that once the system is deployed, Apple likely won't be able to avoid giving governments more user content.
		</p>

		<p>
			 
		</p>

		<p>
			"Once this capability is built into Apple products, the company and its competitors will face enormous pressure—and potentially legal requirements—from governments around the world to scan photos not just for CSAM, but also for other images a government finds objectionable," 90 policy groups from the US and around the world said in an <a href="https://arstechnica.com/tech-policy/2021/08/apple-photo-scanning-plan-faces-global-backlash-from-90-rights-groups/" rel="external nofollow">open letter to Apple</a> last month. "Those images may be of human rights abuses, political protests, images companies have tagged as 'terrorist' or violent extremist content, or even unflattering images of the very politicians who will pressure the company to scan for them. And that pressure could extend to all images stored on the device, not just those uploaded to iCloud. Thus, Apple will have laid the foundation for censorship, surveillance and persecution on a global basis."
		</p>

		<p>
			 
		</p>

		<p>
			Apple previously announced that devices with iCloud Photos enabled will scan images before they are uploaded to iCloud. Given that an iPhone uploads every photo to iCloud right after it is taken, the scanning of new photos would happen almost immediately if a user has previously turned iCloud Photos on.
		</p>

		<p>
			 
		</p>

		<p>
			Apple has said it will also add a tool to the Messages application that will "analyze image attachments and determine if a photo is sexually explicit." The system will be optional for parents, who can enable it in order to have Apple devices "warn children and their parents when receiving or sending sexually explicit photos."
		</p>

		<p>
			 
		</p>

		<p>
			Apple initially said it would roll the changes out later this year, in the US only at first, as part of updates to iOS 15, iPadOS 15, watchOS 8, and macOS Monterey. Apple's promise to "take additional time over the coming months to collect input and make improvements" suggests the scanning system could be implemented later than Apple intended, but the company never provided a firm release date to begin with.
		</p>

		<h2>
			Apple called system an advancement in privacy
		</h2>

		<p>
			As we've previously written, Apple says its CSAM-scanning technology "analyzes an image and converts it to a unique number specific to that image" and flags a photo when its hash is identical or nearly identical to the hash of any that appear in a database of known CSAM. An account can be reported to the National Center for Missing and Exploited Children (NCMEC) when about 30 CSAM photos are detected, a threshold Apple set to ensure that there is "less than a one in one trillion chance per year of incorrectly flagging a given account." That threshold could be changed in the future to maintain the one-in-one-trillion false-positive rate.
		</p>

		<p>
			 
		</p>

		<p>
			<a href="https://arstechnica.com/tech-policy/2021/08/apple-defends-iphone-photo-scanning-calls-it-an-advancement-in-privacy/" rel="external nofollow">Apple has argued</a> that its system is actually an advancement in privacy because it will scan photos "in the most privacy-protecting way we can imagine and in the most auditable and verifiable way possible."
		</p>

		<p>
			 
		</p>

		<p>
			"If you look at any other cloud service, they currently are scanning photos by looking at every single photo in the cloud and analyzing it. We wanted to be able to spot such photos in the cloud without looking at people's photos and came up with an architecture to do this," Craig Federighi, Apple's senior VP of software engineering, said last month. The Apple system is "much more private than anything that's been done in this area before," he said.
		</p>

		<p>
			 
		</p>

		<p>
			Changes to the system could be fought by advocacy groups that have urged Apple to scan user photos for CSAM. Apple partnered on the project with NCMEC, which dismissed privacy criticisms as coming from "the screeching voices of the minority." Apple seemingly approved of that statement, as it distributed it to employees in an <a href="https://9to5mac.com/2021/08/06/apple-internal-memo-icloud-photo-scanning-concerns/" rel="external nofollow">internal memo</a> that defended the photo-scanning plan the day it was announced.
		</p>
	</div>
</section>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/tech-policy/2021/09/apple-promises-to-change-iphone-photo-scanning-plans-to-address-criticisms/" rel="external nofollow">Amid backlash, Apple will change photo-scanning plan but won’t drop it completely</a>
</p>
]]></description><guid isPermaLink="false">2107</guid><pubDate>Fri, 03 Sep 2021 23:18:32 +0000</pubDate></item><item><title>Bluetooth BrakTooth bugs could affect billions of devices</title><link>https://nsaneforums.com/news/security-privacy-news/bluetooth-braktooth-bugs-could-affect-billions-of-devices-r2100/</link><description><![CDATA[<p>
	Vulnerabilities collectively referred to as BrakTooth are affecting Bluetooth stacks implemented on system-on-a-chip (SoC) circuits from over a dozen vendors.
</p>

<p>
	 
</p>

<p>
	The set of issues impacts a wide variety of devices, from consumer electronics to industrial equipment. The associated risk ranges from denial of service and a deadlock condition on the device to arbitrary code execution.
</p>

<h3>
	Wide variety of products impacted
</h3>

<p>
	Researchers from the Singapore University of Technology and Design have published details about BrakTooth - a new family of security vulnerabilities in commercial Bluetooth stacks.
</p>

<p>
	 
</p>

<p>
	They assessed 13 Bluetooth devices from close to a dozen SoC vendors, including Intel, Qualcomm, Texas Instruments, and Cypress.
</p>

<p>
	 
</p>

<table border="1" cellpadding="1" cellspacing="1">
	<tbody>
		<tr>
			<td>
				<strong>BT SoC Vendor</strong>
			</td>
			<td>
				<strong>BT SoC</strong>
			</td>
			<td>
				<strong>Dev. Kit / Product</strong>
			</td>
			<td>
				<strong>Sample Code</strong>
			</td>
		</tr>
		<tr>
			<td>
				Intel (BT 5.2)
			</td>
			<td>
				AX200
			</td>
			<td>
				Laptop Forge15-R
			</td>
			<td>
				N.A
			</td>
		</tr>
		<tr>
			<td>
				Qualcomm (BT 5.2)
			</td>
			<td>
				WCN3990
			</td>
			<td>
				Xiaomi Pocophone F1
			</td>
			<td>
				N.A
			</td>
		</tr>
		<tr>
			<td>
				Texas Instruments (BT 5.1)
			</td>
			<td>
				CC2564C
			</td>
			<td>
				CC256XCQFN-EM
			</td>
			<td>
				SPPDMMultiDemo
			</td>
		</tr>
		<tr>
			<td>
				Zhuhai Jieli Technology (BT 5.1)
			</td>
			<td>
				AC6366C
			</td>
			<td>
				AC6366C_DEMO_V1.0
			</td>
			<td>
				app_keyboard
			</td>
		</tr>
		<tr>
			<td>
				Cypress (BT 5.0)
			</td>
			<td>
				CYW20735B1
			</td>
			<td>
				CYW920735Q60EVB-01
			</td>
			<td>
				rfcomm_serial_port
			</td>
		</tr>
		<tr>
			<td>
				Bluetrum Technology (BT 5.0)
			</td>
			<td>
				AB5301A
			</td>
			<td>
				AB32VG1
			</td>
			<td>
				Default
			</td>
		</tr>
		<tr>
			<td>
				Zhuhai Jieli Technology (BT 5.0)
			</td>
			<td>
				AC6925C
			</td>
			<td>
				XY-WRBT Module
			</td>
			<td>
				N.A
			</td>
		</tr>
		<tr>
			<td>
				Actions Technology (BT 5.0)
			</td>
			<td>
				ATS281X
			</td>
			<td>
				Xiaomi MDZ-36-DB
			</td>
			<td>
				N.A
			</td>
		</tr>
		<tr>
			<td>
				Zhuhai Jieli Technology (BT 4.2)
			</td>
			<td>
				AC6905X
			</td>
			<td>
				BT Audio Receiver
			</td>
			<td>
				N.A
			</td>
		</tr>
		<tr>
			<td>
				Espressif Systems (BT 4.2)
			</td>
			<td>
				ESP32
			</td>
			<td>
				ESP-WROVER-KIT
			</td>
			<td>
				bt_spp_acceptor
			</td>
		</tr>
		<tr>
			<td>
				Harman International (BT 4.1)
			</td>
			<td>
				JX25X
			</td>
			<td>
				JBL TUNE500BT
			</td>
			<td>
				N.A
			</td>
		</tr>
		<tr>
			<td>
				Qualcomm (BT 4.0)
			</td>
			<td>
				CSR 8811
			</td>
			<td>
				Laird DVK-BT900-SA
			</td>
			<td>
				vspspp.server.at
			</td>
		</tr>
		<tr>
			<td>
				Silabs (BT 3.0+HS)
			</td>
			<td>
				WT32i
			</td>
			<td>
				DKWT32I-A
			</td>
			<td>
				ai-6.3.0-1149
			</td>
		</tr>
	</tbody>
</table>

<p>
	 
</p>

<p>
	Digging deeper, the researchers discovered that more than 1,400 product listings are affected by BrakTooth, and the list includes but is not limited to the following types of devices:
</p>

<p>
	 
</p>

<ul>
	<li>
		Smartphones
	</li>
	<li>
		Infotainment systems
	</li>
	<li>
		Laptop and desktop systems
	</li>
	<li>
		Audio devices (speakers, headphones)
	</li>
	<li>
		Home entertainment systems
	</li>
	<li>
		Keyboards
	</li>
	<li>
		Toys
	</li>
	<li>
		Industrial equipment (e.g. programmable logic controllers - PLCs)
	</li>
</ul>

<p>
	 
</p>

<p>
	Considering the variety of products affected, saying that BrakTooth affects billions of devices is likely an accurate estimation. 
</p>

<p>
	 
</p>

<p>
	The <a href="https://asset-group.github.io/disclosures/braktooth/" rel="external nofollow" target="_blank">researchers say</a> that the risk associated with the BrakTooth set of security flaws ranges from denial of service (DoS) by crashing the device firmware, or a deadlock condition where Bluetooth communication is no longer possible, to arbitrary code execution.
</p>

<p>
	 
</p>

<p>
	Carrying out a BrakTooth attack requires an ESP32 development kit, a custom Link Manager Protocol (LMP) firmware, and a computer to run the proof-of-concept (PoC) tool.
</p>

<p>
	 
</p>

<p>
	<img alt="BrakToothScenario.jpg" class="ipsImage" data-ratio="31.94" height="158" width="720" src="https://www.bleepstatic.com/images/news/u/1100723/2021/Vulnerabilities/BrakToothScenario.jpg">
</p>

<p>
	 
</p>

<p>
	Of the 16 BrakTooth vulnerabilities, one of them tracked as CVE-2021-28139 presents a higher risk than others because it allows arbitrary code execution.
</p>

<p>
	 
</p>

<p>
	It affects devices with an ESP32 SoC circuit, which is found in numerous IoT appliances for home or industry automation.
</p>

<p>
	 
</p>

<p>
	The researchers demonstrate the attack in the video below by changing the state of an actuator using an LMP Feature Response Extended packet:
</p>

<p>
	 
</p>

<div class="ipsEmbeddedVideo" contenteditable="false">
	<div>
		<iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen="" frameborder="0" height="113" src="https://nsaneforums.com/applications/core/interface/index.html" width="200" data-embed-src="https://www.youtube.com/embed/F7VjuOiUsNk?feature=oembed"></iframe>
	</div>
</div>

<p>
	 
</p>

<p>
	Devices running on the AX200 SoC from Intel and Qualcomm’s WCN3990 SoC are vulnerable to a DoS condition triggered when sending a malformed packet.
</p>

<p>
	 
</p>

<p>
	The list of products impacted includes laptops and desktops from Dell (Optiplex, Alienware), Microsoft Surface devices (Go 2, Pro 7, Book 3), and smartphones (e.g. Pocophone F1, Oppo Reno 5G).
</p>

<p>
	 
</p>

<div class="ipsEmbeddedVideo" contenteditable="false">
	<div>
		<iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen="" frameborder="0" height="113" src="https://nsaneforums.com/applications/core/interface/index.html" width="200" data-embed-src="https://www.youtube.com/embed/tmsBawHqkSU?feature=oembed"></iframe>
	</div>
</div>

<p>
	 
</p>

<p>
	The researchers informed all vendors whose products they found to be vulnerable to BrakTooth ahead of the publication of their findings, but only some of the products have been patched.
</p>

<p>
	 
</p>

<p>
	<img alt="BrakToothPatches.jpg" class="ipsImage" data-ratio="43.33" height="288" width="720" src="https://www.bleepstatic.com/images/news/u/1100723/2021/Vulnerabilities/BrakToothPatches.jpg">
</p>

<p>
	 
</p>

<p>
	The vulnerabilities in the BrakTooth collection target the LMP and baseband layers. Currently, they’ve been assigned 20 identifiers with a few more pending, and refer to the following 16 issues:
</p>

<p>
	 
</p>

<ol>
	<li>
		Feature Pages Execution (CVE-2021-28139 - arbitrary code execution/deadlock)
	</li>
	<li>
		Truncated SCO Link Request (CVE-2021-34144 - deadlock)
	</li>
	<li>
		Duplicated IOCAP (CVE-2021-28136 - crash)
	</li>
	<li>
		Feature Response Flooding (CVE-2021-28135, CVE-2021-28155, CVE-2021-31717 - crash)
	</li>
	<li>
		LMP Auto Rate Overflow (CVE-2021-31609, CVE-2021-31612 - crash)
	</li>
	<li>
		LMP 2-DH1 Overflow (pending CVE - deadlock)
	</li>
	<li>
		LMP DM1 Overflow (CVE-2021-34150 - deadlock)
	</li>
	<li>
		Truncated LMP Accepted (CVE-2021-31613 - crash)
	</li>
	<li>
		Invalid Setup Complete (CVE-2021-31611 - deadlock)
	</li>
	<li>
		Host Conn. Flooding (CVE-2021-31785 - deadlock)
	</li>
	<li>
		Same Host Connection (CVE-2021-31786 - deadlock)
	</li>
	<li>
		AU Rand Flooding (CVE-2021-31610, CVE-2021-34149, CVE-2021-34146, CVE-2021-34143 - crash/deadlock)
	</li>
	<li>
		Invalid Max Slot Type (CVE-2021-34145 - crash)
	</li>
	<li>
		Max Slot Length Overflow (CVE-2021-34148 - crash)
	</li>
	<li>
		Invalid Timing Accuracy (CVE-2021-34147 and two more pending CVEs - crash)
	</li>
	<li>
		Paging Scan Deadlock (pending CVE - deadlock)
	</li>
</ol>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/bluetooth-braktooth-bugs-could-affect-billions-of-devices/" rel="external nofollow">Bluetooth BrakTooth bugs could affect billions of devices</a>
</p>
]]></description><guid isPermaLink="false">2100</guid><pubDate>Fri, 03 Sep 2021 03:10:27 +0000</pubDate></item><item><title>Gift Card Gang Extracts Cash From 100k Inboxes Daily</title><link>https://nsaneforums.com/news/security-privacy-news/gift-card-gang-extracts-cash-from-100k-inboxes-daily-r2089/</link><description><![CDATA[<div>
	<p>
		Some of the most successful and lucrative online scams employ a “low-and-slow” approach — avoiding detection or interference from researchers and law enforcement agencies by stealing small bits of cash from many people over an extended period. Here’s the story of a cybercrime group that compromises up to 100,000 email inboxes per day, and apparently does little else with this access except siphon gift card and customer loyalty program data that can be resold online.
	</p>

	<p>
		 
	</p>

	<p>
		The data in this story come from a trusted source in the security industry who has visibility into a network of hacked machines that fraudsters in just about every corner of the Internet are using to anonymize their malicious Web traffic. For the past three years, the source — we’ll call him “Bill” to preserve his requested anonymity — has been watching one group of threat actors that is mass-testing millions of usernames and passwords against the world’s major email providers each day.
	</p>

	<p>
		 
	</p>

	<p>
		Bill said he’s not sure where the passwords are coming from, but he assumes they are tied to <a href="https://krebsonsecurity.com/2021/07/the-life-cycle-of-a-breached-database/" rel="external nofollow" target="_blank">various databases for compromised websites that get posted to password cracking and hacking forums on a regular basis</a>. Bill said this criminal group averages between five and ten million email authentication attempts daily, and comes away with anywhere from 50,000 to 100,000 working inbox credentials.
	</p>

	<p>
		 
	</p>

	<p>
		In about half the cases the credentials are being checked via “<a href="https://www.nylas.com/blog/nylas-imap-therefore-i-am/" rel="external nofollow" target="_blank">IMAP</a>,” the protocol that desktop and mobile mail clients such as Mozilla’s Thunderbird and Microsoft Outlook use to read a mailbox. With his visibility into the proxy network, Bill can tell whether an authentication attempt succeeds from the mail server’s reply: a LOGIN command that the server answers with a tagged “OK” means the attacker is in, while a “NO” means the attempt was refused.
	</p>

	<p>
		 
	</p>

	<p>
		You might think that whoever is behind such a sprawling crime machine would use their access <a href="https://krebsonsecurity.com/2013/06/the-value-of-a-hacked-email-account/" rel="external nofollow" target="_blank">to blast out spam, or conduct targeted phishing attacks against each victim’s contacts</a>. But based on interactions that Bill has had with several large email providers so far, this crime gang merely uses custom, automated scripts that periodically log in and search each inbox for digital items of value that can easily be resold.
	</p>

	<p>
		 
	</p>

	<p>
		And they seem particularly focused on stealing gift card data.
	</p>

	<p>
		 
	</p>

	<p>
		“Sometimes they’ll log in as much as two to three times a week for months at a time,” Bill said. “These guys are looking for low-hanging fruit — basically cash in your inbox. Whether it’s related to hotel or airline rewards or just Amazon gift cards, after they successfully log in to the account their scripts start pilfering inboxes looking for things that could be of value.”
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="gcsnips.png" class="ipsImage" data-ratio="170.89" height="540" width="271" src="https://krebsonsecurity.com/wp-content/uploads/2021/09/gcsnips.png">
	</p>

	<div id="attachment_56827">
		<p>
			A sample of some of the most frequent search queries made in a single day by the gift card gang against more than 50,000 hacked inboxes.
		</p>
	</div>

	<p>
		 
	</p>

	<p>
		According to Bill, the fraudsters aren’t downloading all of their victims’ emails: That would quickly add up to a monstrous amount of data. Rather, they’re using automated systems to log in to each inbox and search for a variety of domains and other terms related to companies that maintain loyalty and points programs, and/or issue gift cards and handle their fulfillment.
	</p>

	<p>
		 
	</p>

	<p>
		Why go after hotel or airline rewards? Because these accounts can all be cleaned out and deposited onto a gift card number that can be resold quickly online for 80 percent of its value.
	</p>

	<p>
		 
	</p>

	<p>
		“These guys want that hard digital asset — the cash that is sitting there in your inbox,” Bill said. “You literally just pull cash out of peoples’ inboxes, and then you have all these secondary markets where you can sell this stuff.”
	</p>

	<p>
		 
	</p>

	<p>
		Bill’s data also shows that this gang is so aggressive about gift card data that it will routinely sign victims up for new gift card benefits on their behalf, when that option is available. For example, many companies now offer employees a “wellness benefit” if they can demonstrate they’re keeping up with some kind of healthy new habit, such as daily gym visits, yoga, or quitting smoking.
	</p>

	<p>
		 
	</p>

	<p>
		Bill said these crooks have figured out a way to tap into those benefits as well.
	</p>

	<p>
		 
	</p>

	<p>
		“A number of health insurance companies have wellness programs to encourage employees to exercise more, where if you sign up and pledge to 30 push-ups a day for the next few months or something you’ll get five wellness points towards a $10 Starbucks gift card, which requires 1000 wellness points,” Bill explained. “They’re actually automating the process of replying saying you completed this activity so they can bump up your point balance and get your gift card.”
	</p>

	<h2>
		The Gift Card Gang’s Footprint
	</h2>

	<p>
		How do the compromised email credentials break down in terms of ISPs and email providers? There are victims on nearly all major email networks, but Bill said several large Internet service providers (ISPs) in Germany and France are heavily represented in the compromised email account data.
	</p>

	<p>
		 
	</p>

	<p>
		“With some of these international email providers we’re seeing something like 25,000 to 50,000 email accounts a day get hacked,” Bill said.  “I don’t know why they’re getting popped so heavily.”
	</p>

	<p>
		 
	</p>

	<p>
		That may sound like a lot of hacked inboxes, but Bill said some of the bigger ISPs represented in his data have tens or hundreds of millions of customers.
	</p>

	<p>
		 
	</p>

	<p>
		Measuring which ISPs and email providers have the biggest numbers of compromised customers is not so simple in many cases, nor is identifying companies with employees whose email accounts have been hacked.
	</p>

	<p>
		 
	</p>

	<p>
		This kind of mapping is often more difficult than it used to be because so many organizations have now outsourced their email to cloud services like Gmail and Microsoft Office365 — where users can access their email, files and chat records all in one place.
	</p>

	<p>
		 
	</p>

	<p>
		“It’s a little complicated with Office 365 because it’s one thing to say okay how many Hotmail connections are you seeing per day in all this credential-stuffing activity, and you can see the testing against Hotmail’s site,” Bill said. “But with the IMAP traffic we’re looking at, the usernames being logged into are any of the million or so domains hosted on Office365, many of which will tell you very little about the victim organization itself.”
	</p>

	<p>
		 
	</p>

	<p>
		On top of that, it’s also difficult to know how much activity you’re not seeing.
	</p>

	<p>
		 
	</p>

	<p>
		Looking at the small set of Internet address blocks he knows are associated with Microsoft 365 email infrastructure, Bill examined the IMAP traffic flowing from this group to those blocks. Bill said that in the first week of April 2021, he identified 15,000 compromised Office365 accounts being accessed by this group, spread over 6,500 different organizations that use Office365.
	</p>

	<p>
		 
	</p>

	<p>
		“So I’m seeing this traffic to just like 10 net blocks tied to Microsoft, which means I’m only looking at maybe 25 percent of Microsoft’s infrastructure,” Bill explained. “And with our puny visibility into probably less than one percent of overall password stuffing traffic aimed at Microsoft, we’re seeing 600 Office accounts being breached a day. So if I’m only seeing one percent, that means we’re likely talking about tens of thousands of Office365 accounts compromised daily worldwide.”
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="inbox.png" class="ipsImage" data-ratio="28.75" height="187" width="720" src="https://krebsonsecurity.com/wp-content/uploads/2021/09/inbox.png">
	</p>

	<p>
		 
	</p>

	<p>
		In <a href="https://www.microsoft.com/security/blog/2020/05/07/protect-accounts-smarter-ways-sign-in-world-passwordless-day/#:~:text=Since%20an%20average%20of%20one,of%20passwords%20only%20goes%20up." rel="external nofollow" target="_blank">a 2020 blog post</a> about how Microsoft is moving away from passwords to more robust authentication approaches, the software giant said an average of one in every 250 corporate accounts is compromised each month. As of last year, Microsoft had nearly 240 million active Office 365 users, according to <a href="https://office365itpros.com/2021/01/28/office-365-insights-microsoft-fy21q2-results/" rel="external nofollow" target="_blank">this analysis</a>.
	</p>

	<p>
		 
	</p>

	<p>
		“To me, this is an important story because for years people have been like, yeah we know email isn’t very secure, but this generic statement doesn’t have any teeth to it,” Bill said. “I don’t feel like anyone has been able to call attention to the numbers that show why email is so insecure.”
	</p>

	<p>
		 
	</p>

	<p>
		Bill says that in general companies have a great many more tools available for securing and analyzing employee email traffic when that access is funneled through a Web page or VPN, versus when that access happens via IMAP.
	</p>

	<p>
		 
	</p>

	<p>
		“It’s just more difficult to get through the Web interface because on a website you have a plethora of advanced authentication controls at your fingertips, including things like device fingerprinting, scanning for http header anomalies, and so on,” Bill said. “But what are the detection signatures you have available for detecting malicious logins via IMAP?”
	</p>

	<p>
		 
	</p>

	<p>
		Microsoft declined to comment specifically on Bill’s research, but said customers can block the overwhelming majority of account takeover efforts by enabling multi-factor authentication.
	</p>

	<p>
		 
	</p>

	<p>
		“For context, our research indicates that multi-factor authentication prevents more than 99.9% of account compromises,” reads a statement from Microsoft. “Moreover, for enterprise customers, innovations like Security Defaults, which disables basic authentication and requires users to enroll a second factor, have already significantly decreased the proportion of compromised accounts. In addition, for consumer accounts, adding a second authentication factor is required on all accounts.”
	</p>

	<h2>
		A Mess That’s Likely to Stay That Way
	</h2>

	<p>
		Bill said he’s frustrated by having such visibility into this credential testing botnet while being unable to do much about it. He’s shared his data with some of the bigger ISPs in Europe, but says months later he’s still seeing those same inboxes being accessed by the gift card gang.
	</p>

	<p>
		 
	</p>

	<p>
		The problem, Bill says, is that many large ISPs lack any sort of baseline knowledge of or useful data about customers who access their email via IMAP. That is, they lack any sort of instrumentation to be able to tell the difference between legitimate and suspicious logins for their customers who read their messages using an email client.
	</p>

	<p>
		 
	</p>

	<p>
		“My guess is in a lot of cases the IMAP servers by default aren’t logging every search request, so [the ISP] can’t go back and see this happening,” Bill said.
	</p>

	<p>
		 
	</p>

	<p>
		Confounding the challenge, there isn’t much of an upside for ISPs interested in voluntarily monitoring their IMAP traffic for hacked accounts.
	</p>

	<p>
		 
	</p>

	<p>
		“Let’s say you’re an ISP that does have the instrumentation to find this activity and you’ve just identified 10,000 of your customers who are hacked. But you also know they are accessing their email exclusively through an email client. What do you do? You can’t flag their account for a password reset, because there’s no mechanism in the email client to affect a password change.”
	</p>

	<p>
		 
	</p>

	<p>
		Which means those 10,000 customers are then going to start receiving error messages whenever they try to access their email.
	</p>

	<p>
		 
	</p>

	<p>
		“Those customers are likely going to get super pissed off and call up the ISP mad as hell,” Bill said. “And that customer service person is then going to have to spend a bunch of time explaining how to use the webmail service. As a result, very few ISPs are going to do anything about this.”
	</p>

	<h2>
		Indicators of Compromise (IoCs)
	</h2>

	<p>
		It’s not often KrebsOnSecurity has occasion to publish so-called “indicators of compromise” (IoCs), but hopefully some ISPs will find the information here useful. This group automates the searching of inboxes for specific domains and trademarks associated with gift card activity and other accounts with stored electronic value, such as rewards points and mileage programs.
	</p>

	<p>
		 
	</p>

	<p>
		<a href="https://docs.google.com/spreadsheets/d/1nh8HHG0wdr5J0AJJJyWG0odhBJJNFzpJ2xLls3nI6bw/edit?usp=sharing" rel="external nofollow" target="_blank">This file</a> includes the top inbox search terms used in a single 24 hour period by the gift card gang. The numbers on the left in the spreadsheet represent the number of times during that 24 hour period where the gift card gang ran a search for that term in a compromised inbox.
	</p>

	<p>
		 
	</p>

	<p>
		Some of the search terms are focused on specific brands — such as Amazon gift cards or Hilton Honors points; others are for major gift card networks like <a href="https://en.wikipedia.org/wiki/Blackhawk_Network_Holdings" rel="external nofollow" target="_blank">CashStar</a>, which issues cards that are white-labeled by dozens of brands like Target and Nordstrom. Inboxes hacked by this gang will likely be searched on many of these terms over the span of just a few days.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://krebsonsecurity.com/2021/09/gift-card-gang-extracts-cash-from-100k-inboxes-daily/" rel="external nofollow">Gift Card Gang Extracts Cash From 100k Inboxes Daily</a>
</p>
]]></description><guid isPermaLink="false">2089</guid><pubDate>Thu, 02 Sep 2021 20:35:25 +0000</pubDate></item><item><title>WhatsApp to appeal $266 million fine for violating EU privacy laws</title><link>https://nsaneforums.com/news/security-privacy-news/whatsapp-to-appeal-266-million-fine-for-violating-eu-privacy-laws-r2087/</link><description><![CDATA[<p>
	Ireland's Data Protection Commission (DPC) has hit Facebook-owned messaging platform WhatsApp with a €225 million ($266 million) administrative fine for violating the EU's GDPR privacy regulation after it failed to tell users and non-users what it does with their data.
</p>

<p>
	 
</p>

<p>
	EU data regulators can impose GDPR fines of up to €20 million (about $24.3 million) or 4% of the infringing company's annual global turnover, whichever is greater, for violating the EU's privacy laws.
</p>

<p>
	 
</p>

<p>
	The fine follows an investigation started in December 2018 after the data watchdog received multiple complaints from "individual data subjects" (both users and non-users) regarding WhatsApp data processing activities.
</p>

<p>
	 
</p>

<p>
	Throughout the investigation, Ireland's DPC "examined whether WhatsApp has discharged its GDPR transparency obligations with regard to the provision of information and the transparency of that information to both users and non-users of WhatsApp’s service."
</p>

<p>
	 
</p>

<p>
	"This includes information provided to data subjects about the processing of information between WhatsApp and other Facebook companies," the regulator explained.
</p>

<p>
	 
</p>

<p>
	WhatsApp's fine reflects the infringements the EU regulators found:
</p>

<p>
	 
</p>

<ul>
	<li>
		In respect of Article 5(1)(a) of the GDPR (a fine of €90 million);
	</li>
	<li>
		In respect of Article 12 of the GDPR (a fine of €30 million);
	</li>
	<li>
		In respect of Article 13 of the GDPR (a fine of €30 million); and
	</li>
	<li>
		In respect of Article 14 of the GDPR (a fine of €75 million).
	</li>
</ul>

<p>
	 
</p>

<p>
	On top of the fine, the Irish data watchdog also ordered WhatsApp to bring its processing into compliance with GDPR's requirements by taking a range of specified remedial actions with a deadline that will expire in three months. The decision of the Irish DPC can be found and read in full <a href="https://edpb.europa.eu/system/files/2021-09/dpc_final_decision_redacted_for_issue_to_edpb_01-09-21_en.pdf" rel="external nofollow" target="_blank">here</a>.
</p>

<h2>
	Fine quadrupled after objection from other EU data regulators
</h2>

<p>
	What makes this fine stand out, besides its size, is that eight other EU privacy regulators (including those of Germany, France, Hungary, Italy, Portugal, the Netherlands and Poland) <a href="https://edpb.europa.eu/system/files/2021-09/edpb_bindingdecision_202101_ie_sa_whatsapp_redacted_en.pdf" rel="external nofollow" target="_blank">objected to the initial €50 million fine</a> the Irish watchdog proposed, and the European Data Protection Board (EDPB) ordered it to reassess.
</p>

<p>
	 
</p>

<p>
	This led to the fine being increased by more than four times after the Irish watchdog was forced to consider all of WhatsApp's infringements when calculating the amount of the fine.
</p>

<p>
	 
</p>

<p>
	"Following a lengthy and comprehensive investigation, the DPC submitted a draft decision to all Concerned Supervisory Authorities (CSAs) under Article 60 GDPR in December 2020. The DPC subsequently received objections from eight CSAs," the Irish regulator <a href="https://www.dataprotection.ie/en/news-media/press-releases/data-protection-commission-announces-decision-whatsapp-inquiry" rel="external nofollow" target="_blank">said today</a>.
</p>

<p>
	 
</p>

<p>
	"The DPC was unable to reach consensus with the CSAs on the subject-matter of the objections and triggered the dispute resolution process (Article 65 GDPR) on 3 June 2021. On 28 July 2021, the European Data Protection Board (EDPB) adopted a binding decision and this decision was notified to the DPC.
</p>

<p>
	 
</p>

<p>
	"This decision contained a clear instruction that required the DPC to reassess and increase its proposed fine on the basis of a number of factors contained in the EDPB's decision and following this reassessment the DPC has imposed a fine of €225 million on WhatsApp."
</p>

<h2>
	WhatsApp will appeal the decision
</h2>

<p>
	"WhatsApp is committed to providing a secure and private service. We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so," the company said in a statement.
</p>

<p>
	 
</p>

<p>
	"We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate. We will appeal this decision."
</p>

<p>
	 
</p>

<p>
	In May, the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) <a href="https://www.bleepingcomputer.com/news/technology/german-watchdog-bans-facebook-from-using-whatsapp-users-data/" target="_blank" rel="external nofollow">banned Facebook from processing WhatsApp user data</a> until the end of August after WhatsApp said it would restrict account features for users who refuse to give up control of their data and have it shared with Facebook companies.
</p>

<p>
	 
</p>

<p>
	After the HmbBfDI ban, <a href="https://www.bleepingcomputer.com/news/technology/whatsapp-caves-in-wont-limit-features-if-you-reject-privacy-changes/" target="_blank" rel="external nofollow">WhatsApp backtracked on its plans</a> stating that "given recent discussions with various authorities and privacy experts, we want to make clear that we will not limit the functionality of how WhatsApp works for those who have not yet accepted the update."
</p>

<p>
	 
</p>

<p>
	In related news, Amazon was <a href="https://www.bleepingcomputer.com/news/technology/amazon-gets-888-million-gdpr-fine-for-behavioral-advertising/" target="_blank" rel="external nofollow">hit with a €746 million fine</a> in July by the Luxembourg National Commission for Data Protection (CNPD) for GDPR violations in its targeted behavioral advertising, the largest GDPR fine an EU data watchdog has issued to date.
</p>

<p>
	 
</p>

<p>
	Amazon also told BleepingComputer that it would appeal the decision as it "strongly [disagreed] with the CNPD’s ruling."
</p>

<p>
	 
</p>

<p>
	"The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation."
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/whatsapp-to-appeal-266-million-fine-for-violating-eu-privacy-laws/" rel="external nofollow">WhatsApp to appeal $266 million fine for violating EU privacy laws</a>
</p>
]]></description><guid isPermaLink="false">2087</guid><pubDate>Thu, 02 Sep 2021 20:25:31 +0000</pubDate></item><item><title>15-Year-Old Malware Proxy Network VIP72 Goes Dark</title><link>https://nsaneforums.com/news/security-privacy-news/15-year-old-malware-proxy-network-vip72-goes-dark-r2080/</link><description><![CDATA[<div>
	<p>
		Over the past 15 years, a cybercrime anonymity service known as VIP72 has enabled countless fraudsters to mask their true location online by routing their traffic through millions of malware-infected systems. But roughly two weeks ago, VIP72’s online storefront — which ironically enough has remained at the same U.S.-based Internet address for more than a decade — simply vanished.
	</p>

	<p>
		 
	</p>

	<p>
		Like other anonymity networks marketed largely on cybercrime forums online, VIP72 routes its customers’ traffic through computers that have been hacked and seeded with malicious software. Using services like VIP72, customers can select network nodes in virtually any country, and relay their traffic while hiding behind some unwitting victim’s Internet address.
	</p>

	<p>
		 
	</p>

	<p>
		The domain Vip72[.]org was originally registered in 2006 to “Corpse,” the handle adopted by a Russian-speaking hacker who gained infamy several years prior for creating and selling an extremely sophisticated online banking trojan called A311 Death, a.k.a. “Haxdoor,” and “Nuclear Grabber.” Haxdoor was way ahead of its time in many respects, and it was <a href="https://www.nytimes.com/2007/01/25/technology/25hack.html" rel="external nofollow" target="_blank">used in multiple million-dollar cyberheists</a> long before multi million-dollar cyberheists became daily front page news.
	</p>

	<p>
		 
	</p>

	<div id="attachment_56767">
		<p>
			<img alt="prodexa311.png" class="ipsImage" data-ratio="57.05" height="340" width="596" src="https://krebsonsecurity.com/wp-content/uploads/2021/09/prodexa311.png">
		</p>

		<p id="caption-attachment-56767">
			An ad circa 2005 for A311 Death, a powerful banking trojan authored by “Corpse,” the administrator of the early Russian hacking clique Prodexteam. Image: Google Translate via Archive.org.
		</p>
	</div>

	<p>
		 
	</p>

	<p>
		Between 2003 and 2006, Corpse focused on selling and supporting his Haxdoor malware. Emerging in 2006, VIP72 was clearly one of his side hustles that turned into a reliable moneymaker for many years to come. And it stands to reason that VIP72 was launched with the help of systems already infected with Corpse’s trojan malware.
	</p>

	<p>
		 
	</p>

	<p>
		The first mention of VIP72 in the cybercrime underground came in 2006 when someone using the handle “Revive” advertised the service on Exploit, a Russian language hacking forum. Revive established a sales presence for VIP72 on multiple other forums, and the contact details and messages shared privately by that user with other forum members show Corpse and Revive are one and the same.
	</p>

	<p>
		 
	</p>

	<p>
		When asked in 2006 whether the software that powered VIP72 was based on his Corpse software, Revive replied that “it works on the new Corpse software, specially written for our service.”
	</p>

	<p>
		 
	</p>

	<p>
		One denizen of a Russian language crime forum who complained about the unexplained closure of VIP72 last month said they noticed a change in the site’s domain name infrastructure just prior to the service’s disappearance. But that claim could not be verified, as there simply are no signs that any of that infrastructure changed prior to VIP72’s demise.
	</p>

	<p>
		 
	</p>

	<p>
		In fact, until mid-August VIP72’s main home page and supporting infrastructure had remained at the same U.S.-based Internet address for more than a decade — a remarkable achievement for such a high-profile cybercrime service.
	</p>

	<p>
		 
	</p>

	<p>
		Cybercrime forums in multiple languages are littered with tutorials about how to use VIP72 to hide one’s location while engaging in financial fraud. From examining some of those tutorials, it is clear that VIP72 is quite popular among cybercriminals who engage in “credential stuffing” — taking lists of usernames and passwords stolen from one site and testing how many of those credentials work at other sites.
	</p>

	<p>
		 
	</p>

	<p>
		Corpse/Revive also long operated an extremely popular service called check2ip[.]com, which promised customers the ability to quickly tell whether a given Internet address is flagged by any security companies as malicious or spammy.
	</p>

	<p>
		 
	</p>

	<p>
		Hosted on the same Internet address as VIP72 for the past decade until mid-August 2021, Check2IP also advertised a “DNS leak” check. A DNS leak is a configuration error in which a proxy or VPN user’s DNS queries bypass the tunnel and go out over the user’s real connection, revealing their true network to whoever runs the resolver and, by extension, the real Internet address behind otherwise hidden cybercrime infrastructure and services.
	</p>

	<p>
		 
	</p>

	<p>
		Check2IP is so popular that it has become verbal shorthand for basic due diligence in certain cybercrime communities. Check2IP has also been incorporated into a variety of cybercrime services online, especially those involved in mass-mailing malicious and phishing email.
	</p>

	<p>
		 
	</p>

	<div id="attachment_56770">
		<p>
			<img alt="check2ip-768x622.png" class="ipsImage" data-ratio="75.10" height="540" width="666" src="https://krebsonsecurity.com/wp-content/uploads/2021/09/check2ip-768x622.png">
		</p>

		<p id="caption-attachment-56770">
			Check2IP, an IP reputation service that told visitors whether their Internet address was flagged in any spam or malware block lists.
		</p>
	</div>
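	<p>
		The article does not say how Check2IP answered the “is this address flagged?” question; the standard mechanism behind such checks is a DNS-based blocklist (DNSBL) lookup, which is also what a mail provider or ISP can run against the source address of an IMAP login. The script below is an added example, not Check2IP’s code. A DNSBL lists an IPv4 address by publishing an A record under the reversed octets of that address in its zone, and an answer inside 127.0.0.0/8 means “listed.” The zone names are illustrative assumptions (real operators publish their own zones, usage terms and return-code meanings), and the default resolver talks to the network, so the demo’s assertions use an injected fake resolver instead.
	</p>

```python
"""DNS-based blocklist (DNSBL) lookup, the mechanism behind IP reputation checks.

Added example, not Check2IP's code. Zone names are illustrative assumptions;
the default resolver uses the system DNS, so tests inject a fake one.
"""
import ipaddress
import socket

# Assumed zones for the demo. Real operators publish their own zones, usage
# terms and the meaning of each 127.0.0.x answer; check their documentation.
DNSBL_ZONES = ("zen.spamhaus.org", "bl.spamcop.net")
LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Build the lookup name: 203.0.113.5 in zone z becomes 5.113.0.203.z"""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError on garbage
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


def _system_resolve(name):
    """Resolve via the OS resolver; NXDOMAIN (not listed) becomes None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip, zones=DNSBL_ZONES, resolve=_system_resolve):
    """Return {zone: answer} for every zone that lists the address.

    Only answers inside 127.0.0.0/8 count as a listing. Anything else (a
    captive portal, a resolver that rewrites NXDOMAIN) is noise, not a hit.
    """
    listed = {}
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer and ipaddress.IPv4Address(answer) in LISTED_RANGE:
            listed[zone] = answer
    return listed


if __name__ == "__main__":
    # Constructed resolver standing in for DNS: one address is listed once.
    fake_dns = {"5.113.0.203.zen.spamhaus.org": "127.0.0.4"}
    for ip in ("203.0.113.5", "198.51.100.7"):
        print(ip, check_ip(ip, resolve=fake_dns.get) or "clean")
```

	<p>
		Two practical caveats: public DNSBLs rate-limit or refuse queries from open resolvers and large cloud ranges, so production use needs a direct or paid feed, and a “clean” answer only means the address is not yet listed, which is exactly the property proxy-network customers were paying Check2IP to confirm.
	</p>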

	<p>
		 
	</p>

	<p>
		It remains unclear what happened to VIP72; users report that the anonymity network is still functioning even though the service’s website has been gone for two weeks. That makes sense since the infected systems that get resold through VIP72 are still infected and will happily continue to forward traffic so long as they remain infected. Perhaps the domain was seized in a law enforcement operation.
	</p>

	<p>
		 
	</p>

	<p>
		But it could be that the service simply decided to stop accepting new customers because it had trouble competing with an influx of newer, more sophisticated criminal proxy services, as well as with <a href="https://krebsonsecurity.com/2019/08/the-rise-of-bulletproof-residential-networks/" rel="external nofollow" target="_blank">the rise of “bulletproof” residential proxy networks</a>. For most of its existence until recently, VIP72 normally had several hundred thousand compromised systems available for rent. By the time its website vanished last month — that number had dwindled to fewer than 25,000 systems globally.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://krebsonsecurity.com/2021/09/15-year-old-malware-proxy-network-vip72-goes-dark/" rel="external nofollow">15-Year-Old Malware Proxy Network VIP72 Goes Dark</a>
</p>
]]></description><guid isPermaLink="false">2080</guid><pubDate>Wed, 01 Sep 2021 23:35:56 +0000</pubDate></item><item><title>Attackers Can Remotely Disable Fortress Wi-Fi Home Security Alarms</title><link>https://nsaneforums.com/news/security-privacy-news/attackers-can-remotely-disable-fortress-wi-fi-home-security-alarms-r2058/</link><description><![CDATA[<p>
	New vulnerabilities have been discovered in Fortress S03 Wi-Fi Home Security System that could be potentially abused by a malicious party to gain unauthorized access with an aim to alter system behavior, including disarming the devices without the victim's knowledge.
</p>

<p>
	 
</p>

<p>
	The two unpatched issues, tracked under the identifiers CVE-2021-39276 (CVSS score: 5.3) and CVE-2021-39277 (CVSS score: 5.7), were discovered and reported by cybersecurity firm Rapid7 in May 2021 with a 60-day deadline to fix the weaknesses.
</p>

<p>
	 
</p>

<p>
	The Fortress S03 Wi-Fi Home Security System is a do-it-yourself (DIY) alarm system that enables users to secure their homes and small businesses from burglars, fires, gas leaks, and water leaks by leveraging Wi-Fi and RFID technology for keyless entry. The company's security and surveillance systems are used by "thousands of clients and continued customers," according to its website.
</p>

<p>
	 
</p>

<p>
	Calling the vulnerabilities "trivially easy to exploit," Rapid7 researchers noted that CVE-2021-39276 concerns unauthenticated API access: an attacker who knows a victim's email address can query the API for the device's International Mobile Equipment Identity (IMEI) number, which also doubles as its serial number. With the IMEI and the email address in hand, the adversary can make a number of unauthorized changes, such as disarming the alarm system via an unauthenticated POST request.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="hacking.jpg" class="ipsImage" data-ratio="75.10" height="540" width="653" src="https://thehackernews.com/images/-Ps9Ouwv_yGw/YS4j2C7vk-I/AAAAAAAADrk/1d9FrR4SCnEO_nHxWsMq3AHtZUKAddTpQCLcBGAsYHQ/s0/hacking.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	CVE-2021-39277, on the other hand, is an RF signal replay attack: the radio commands between the system's RF devices and the base station are neither encrypted nor protected against replay, so an attacker can record the command-and-control transmissions over the air with a software-defined radio (SDR) and play them back later to trigger functions such as "arm" and "disarm" on the target device.
</p>

<p>
	 
</p>

<p>
	"For CVE-2021-39276, an attacker with the knowledge of a Fortress S03 user's email address can easily disarm the installed home alarm without that user's knowledge," the researchers said in a report shared with The Hacker News.
</p>

<p>
	 
</p>

<p>
	"CVE-2021-39277 presents similar problems, but requires less prior knowledge of the victim, as the attacker can simply stake out the property and wait for the victim to use the RF-controlled devices within radio range. The attacker can then replay the 'disarm' command later, without the victim's knowledge."
</p>

<p>
	Rapid7 said it notified Fortress Security of the bugs on May 13, 2021, only for the company to close the report 11 days later on May 24. We have reached out to Fortress Security for comment, and we will update the story if we hear back.
</p>

<p>
	Because the issues persist, users are advised to configure their alarm systems with a unique, one-time email address to work around the IMEI number exposure.
</p>

<p>
	"For CVE-2021-39277, there seems to be very little a user can do to mitigate the effects of the RF replay issues absent a firmware update to enforce cryptographic controls on RF signals. Users concerned about this exposure should avoid using the key fobs and other RF devices linked to their home security systems," the researchers said.
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/08/attackers-can-remotely-disable-fortress.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">2058</guid><pubDate>Tue, 31 Aug 2021 14:06:22 +0000</pubDate></item><item><title>You&#x2019;ll have to tell Instagram your birthday to keep using the app</title><link>https://nsaneforums.com/news/security-privacy-news/you%E2%80%99ll-have-to-tell-instagram-your-birthday-to-keep-using-the-app-r2049/</link><description><![CDATA[<div>
	<div>
		<p>
			<strong>Instagram really, really wants to know your birthday</strong>
		</p>

	</div>
</div>

<div>
	<div>
		<div>
			<p id="RxqgAl">
				If you haven’t given Instagram your birthday, it’s <a href="https://about.instagram.com/blog/announcements/asking-people-for-their-birthdays" rel="external nofollow">about to start asking for it a whole lot more</a> — and it’ll eventually be required for you to use the app. Instagram started <a href="https://www.theverge.com/2019/12/4/20995331/instagram-new-user-birthdate-account-create-age-younger-users" rel="external nofollow">requiring that new users add their birthdates in 2019</a>, but if you had an older account, it was possible to skate by without providing that info. Now it seems that’ll become increasingly difficult.
			</p>

			<p id="VjbVc6">
				According to the press release, Instagram will ask you for your birthday when you open the app, if you haven't already added it to your profile. You’ll be able to ignore it, but only up to a certain point — eventually, Instagram says, you’ll have to add your birthday if you want to keep using the app. Instagram also says that if it doesn’t have your birthday, it’ll ask for it before showing you posts that are marked as sensitive. It’s been <a href="https://www.theverge.com/2017/3/23/15035738/instagram-post-blurring-sensitive-content" rel="external nofollow">blurring sensitive content for years</a>, but now if you want to see it, your birthday will have to be on file with Instagram.
			</p>

			<div>
				<aside id="JzDKIG">
					<p>
						<img alt="240595306_517898755937685_70191181049312" class="ipsImage" data-ratio="75.10" height="441" width="720" src="https://cdn.vox-cdn.com/thumbor/yofb3Q9IZPJEAXNkSwv9Qutqb9Y=/0x0:3352x2054/920x0/filters:focal(0x0:3352x2054):format(webp):no_upscale()/cdn.vox-cdn.com/uploads/chorus_asset/file/22815091/240595306_517898755937685_7019118104931207586_n.png">
					</p>
				</aside>
			</div>

			<figure>
				<figcaption>
					Instagram will also ask your age before showing you sensitive content.
				</figcaption>
				Image: Instagram
			</figure>

			<p id="tIkhzn">
				The company says these efforts are part of its work to make the platform safer for young people. In May, the company formally announced that it’s <a href="https://www.theverge.com/2021/3/18/22338911/facebook-instagram-kids-privacy-coppa" rel="external nofollow">working on a version of Instagram for people younger than 13</a> — a feature that would obviously require the platform to know people’s ages. It’s also been working on other age protections, like making it so adults <a href="https://about.instagram.com/blog/announcements/continuing-to-make-instagram-safer-for-the-youngest-members-of-our-community" rel="external nofollow">couldn’t DM minors who weren’t following them</a> or by making accounts for people <a href="https://about.instagram.com/blog/announcements/giving-young-people-a-safer-more-private-experience" rel="external nofollow">younger than 16 private by default</a>. Instagram’s <a href="https://help.instagram.com/2387676754836493" rel="external nofollow">birthday support page</a> also says it uses it to moderate ads. (For instance, people under 21 won’t get ads for alcohol.)
			</p>

			<p id="YBXRUh">
				The company says, in the future, it’ll use its age detection AI to sniff out people who are lying about their ages. In July, <a href="https://about.fb.com/news/2021/07/age-verification/" rel="external nofollow">Facebook had a blog post about this tech</a>, saying it was analyzing comments on your birthday posts, such as “happy 21st” or “happy Quinceañera.” According to its press release, if someone says they’re above a certain age like 13 or 18, but the AI says otherwise, Instagram will have them verify their age using a variety of methods (though it doesn’t say exactly what this will look like).
			</p>

			<p id="NOjZJN">
				Social networks have long asked you for your birthday, but making it required speaks to the growing need to make sure that kids are safe online and the feeling of invasiveness that can come with that. Snapchat users <a href="https://www.theverge.com/2021/8/3/22608129/snapchat-born-astrology-information" rel="external nofollow">recently got a taste of the strangeness</a> that can come when social networks have information you might not remember handing over: they discovered that the app knew the time and place they were born because they had given the info to Snapchat’s astrological profile feature — and then seemingly forgot that they’d done so. For Instagram users, though, this likely won’t be an issue. It’s going to be hard to miss the birthday information requests.
			</p>
		</div>
	</div>
</div>

<p>
	<a href="https://www.theverge.com/2021/8/30/22648578/instagram-age-birthday-requirement-younger-people-ai-verification" rel="external nofollow">You’ll have to tell Instagram your birthday to keep using the app</a>
</p>
]]></description><guid isPermaLink="false">2049</guid><pubDate>Mon, 30 Aug 2021 22:42:20 +0000</pubDate></item></channel></rss>
