It reads:

How navigation data makes Maps better Google uses your and other people’s navigation data to improve Maps for everyone.

As you navigate, Google collects details, such as GPS location and the route you took. This data may be used to make information, including real-time traffic conditions and disruptions, visible to others and help them find the fastest route.

These updates to the map won’t be associated with your Google Account or device.

Notably however if you do not consent by pressing Start your navigation is limited to a static list of directions, similar to mapping apps in 2001.

Additionally, users are not told in the pop-up that it is a consent request, and the consequence of refusing is not explained.

The consent request is expected to start rolling out on Monday on both iOS and Android.

via 9to5Google

From tomorrow, Google Maps will limit navigation features if you don’t agree to share your live location data

Called LockFile, the operators of the ransomware have been found exploiting recently disclosed flaws such as ProxyShell and PetitPotam to compromise Windows servers and deploy file-encrypting malware that scrambles only every alternate 16 bytes of a file, thereby giving it the ability to evade ransomware defences.

"Partial encryption is generally used by ransomware operators to speed up the encryption process and we've seen it implemented by BlackMatter, DarkSide and LockBit 2.0 ransomware," Mark Loman, Sophos director of engineering, said in a statement. "What sets LockFile apart is that, unlike the others, it doesn't encrypt the first few blocks. Instead, LockFile encrypts every other 16 bytes of a document."

"This means that a file such as a text document remains partially readable and looks statistically like the original. This trick can be successful against ransomware protection software that relies on inspecting content using statistical analysis to detect encryption," Loman added.

Sophos' analysis of LockFile comes from an artifact that was uploaded to VirusTotal on August 22, 2021.

Once deposited, the malware also takes steps to terminate critical processes associated with virtualization software and databases via the Windows Management Interface (WMI), before proceeding to encrypt critical files and objects, and display a ransomware note that bears stylistic similarities with that of LockBit 2.0.

The ransom note also urges the victim to contact a specific email address "contact@contipauper.com," which Sophos suspects could be a derogatory reference to a competing ransomware group called Conti.

What's more, the ransomware deletes itself from the system post successful encryption of all the documents on the machine, meaning that "there is no ransomware binary for incident responders or antivirus software to find or clean up."

"The message here for defenders is that the cyberthreat landscape never stands still, and adversaries will quickly seize every possible opportunity or tool to launch a successful attack," Loman said.

The disclosure comes as the U.S. Federal Bureau of Investigation (FBI) released a Flash report detailing the tactics of a new Ransomware-as-a-Service (RaaS) outfit known as Hive, consisting of a number of actors who are using multiple mechanisms to compromise business networks, exfiltrate data and encrypt data on the networks, and attempt to collect a ransom in exchange for access to the decryption software.

Source

This summit was held by President Biden and members of his cabinet to discuss and coordinate a plan with business leaders on how they could work together to help protect US businesses and interests against increasing cyberattacks.

Some of the executives who attended the summit included Apple CEO Tim Cook, Amazon CEO Andy Jassy, Alphabet CEO Sundar Pichai, Microsoft CEO Satya Nadella, JPMorgan Chase Jamie Dimon, and Bank of America CEO Brian Moynihan.

As part of the summit, various companies and institutions have committed to increased investments in cybersecurity and education, which are listed below:

Government initiatives:

• The National Institute of Standards and Technology (NIST) will work with Microsoft, Google, IBM, Travelers, and Coalition to create new standards for securing technology and open-source software. Open-source software is a critical component that needs strengthening due to its wide use in other software, leading to potential supply chain attacks.
• The Biden administration has added natural gas pipelines to the Industrial Control Systems Cybersecurity Initiative, aiming to strengthen critical infrastructure cybersecurity.

Big tech initiatives:

• Apple will push for mass adoption of multi-factor authentications, vulnerability remediation, event logging, and security training.
• Google is investing $10 billion over the next five years to expand zero-trust programs and secure open-source security and the software supply chain risks.
• Microsoft will invest $20 billion over the next five years to increase its security solutions and initiatives. They are also immediately making $150 million available to federal, state, and local governments to upgrade their security protection.
  
  "Thank you, President Biden for convening a critical conversation on cybersecurity. Microsoft will invest $20 billion to advance our security solutions over the next 5 years, $150 million to help US government agencies upgrade protections, and expand our cybersecurity training partnerships," Microsoft CEO Satya Nadella said in a LinkedIn post.
• Amazon will make the security awareness training used by employees available to the public at no charge. Amazon will also provide a free multi-factor authentication device to AWS customers to help secure their accounts.
• IBM will train 150,000 in cybersecurity skills over the next three years and partner with 20 Historically Black Colleges & Universities to create a more diverse cyber workforce.

Insurance initiatives:

• Cyber insurance provider Resilience will require policyholders to meet a threshold of cybersecurity best practice as a condition of receiving coverage. It is not clear what this threshold is at this time.
• Cyber insurance provider Coalition will make its cybersecurity risk assessment & continuous monitoring platform available for free to any organization.

Education initiatives:

• Code.org announced it would teach cybersecurity concepts to over 3 million students across 35,000 classrooms over three years.
• Girls Who Code announced it would establish a micro-credentialing program for historically excluded groups in technology.
• The University of Texas System announced it would expand existing and develop new short-term credentials in cyber-related fields to strengthen America's cybersecurity workforce. 
• Whatcom Community College announced it has been designated the new NSF Advanced Technological Education National Cybersecurity Center and will provide cybersecurity education and training to faculty and support program development for colleges to "fast-track" students from college to career. 

Microsoft and Google to invest billions to bolster US cybersecurity

Hacker claims responsibility for T-Mobile attack, bashes the carrier’s security

Google has explained that its $10 billion commitment will be used to strengthen cybersecurity across the nation. This includes improving open-source security, enhancing the security of supply chains, developing and expanding Zero Trust programs, and training 100,000 Americans in data analytics and IT through the Google Career Certificate program. All of this is part of a five-year initiative across which this $10 billion will be utilized.

The tech giant highlighted that there are multiple reasons as to why the U.S. is currently in a cybersecurity crisis. These revolve around organizations using legacy infrastructure and also having a severe lack of tooling, expertise, and trained professionals in the domain of cybersecurity.

Google has emphasized that in order to tackle cybersecurity threats head-on, companies need to utilize Zero Trust security models, which is exactly the approach Microsoft has been recommending as well. Google has also highlighted that this is not a new field for the tech giant. In the past, it has published 160 research papers on cybersecurity, developed an end-to-end framework for supply chain integrity called Supply Chain Levels for Software Artifacts (SLSA), and made significant investments in open-source security.

Google announces $10 billion cybersecurity investment following meeting with U.S. president

This popular WhatsApp mod riddled with malicious code

This was revealed by the company South Korean multinational in a press release issued earlier this month in response to the July South African riots that led to large-scale looting, which also impacted Samsung warehouses and stores.

"TV Block is a remote, security solution that detects if Samsung TV units have been unduly activated, and ensures that the television sets can only be used by the rightful owners with a valid proof of purchase," Samsung said.

"The aim of the technology is to mitigate against the creation of secondary markets linked to the sale of illegal goods, both in South Africa and beyond its borders. This technology is already pre-loaded on all Samsung TV products."

As Samsung explains, the goal behind remotely disabling stolen TV sets is to limit looting and "third party purchases," and ensuring that the TVs can only be used by "rightful owners with a valid proof of purchase."

How TV Block works

The TV Block function is activated remotely on all TV sets stolen from one of its warehouses or distributors by adding their serial numbers to a list on Samsung's servers.

After a stolen TV is connected to the Internet, the device will check the list of stolen devices on Samsung's servers, and it will automatically disable all television functions if it finds a match.

If Samsung TVs belonging to actual customers get blocked by mistake, full functionality can be restored within 48 hours after sending proof of purchase and a valid TV license to the Samsung retailer or the serv.manager@samsung.com email.

"In keeping with our values to leverage the power of technology to resolve societal challenges, we will continuously develop and expand strategic products in our consumer electronics division with defence-grade security, purpose-built, with innovative and intuitive business tools designed for a new world," Mike Van Lier, Samsung South Africa's Director of Consumer Electronics, said.

"This technology can have a positive impact at this time, and will also be of use to both the industry and customers in the future."

While Samsung says TV Block is an innovative function that can only have a positive impact, one must think about what would happen if malicious actors would breach the company's servers and gain access to the block list used to disable stolen TVs remotely.

Samsung can remotely disable their TVs worldwide using TV Block

Leveraging the bug is possible during the device setup process, using a link in the License Agreement screen that is opened with SYSTEM privileges. A real SteelSeries device is not necessary to exploit the bug.

Emulating a device also works

The discovery comes after news broke over the weekend that the Razer Synapse software can be used to gain elevated privileges when connecting a Razer mouse or keyboard.

Encouraged by the research from jonhat, offensive security researcher Lawrence Amer (research team leader at 0xsp) found that the same can be achieved with the SteelSeries device installation software.

Playing with a recently acquired SteelSeries keyboard on Monday, the researcher discovered a privilege escalation vulnerability that allowed him to run the Command Prompt in Windows 10 with admin privileges.

The SteelSeries software is not just for keyboards (Apex 7/Pro), though. It also installs and allows configuring mice (Rival 650/600/710) and headsets (Arctis 9, Pro) from the maker; it even lets users control the RGB lighting on the QCK Prism gaming mousepad.

Amer started by plugging in his keyboard and monitoring the installation process, which started with downloading the SteelSeries software (SteelSeriesGG6.2.0Setup.exe) to the Windows temporary folder.

A real SteelSeries device is not necessary for this attack to work. Penetration testing researcher István Tóth published an open-source script that can mimic human interface devices (HID) on an Android phone, specifically for testing local privilege escalation (LPE) scenarios.

Although an experimental version, the script can successfully emulate both Razer and SteelSeries devices.

After Amer published his research, Tóth published a video demonstrating that LPE discovered by Amer can be achieved using his USB Gadget Generator Tool.

Finding the right context

In trying to find a weak spot, Amer poked around trying to find a way to load a missing DLL or EXE from folders accessible to unprivileged users but did not find any.

However, he noticed that the device setup app was launched with SYSTEM rights immediately after downloading it. Another process running with the highest privileges provided a new opportunity for attack.

Amer tried the same method that worked for the Razer zero-day vulnerability, but it did not work because the installation carries on without user interaction.

The researcher caught a lucky break when the License Agreement appeared with a link to SteelSeries’ privacy policy. When clicking on the link, the dialog for choosing a launching app appeared.

Amer tested the scenario in a virtual machine that did not have file associations defined. The only process available for opening the link was Internet Explorer, which spawned as SYSTEM.

From there, it was a simple matter of using IE to save the web page and launch an elevated privileges Command Prompt from the right-click menu of the “Save As” dialog.

Amer told BleepingComputer that he tried informing SteelSeries about the vulnerability but could not find a public bug bounty program or a contact for product security.

BleepingComputer reached out to SteelSeries about this but did not hear back by publishing time.

The researcher says that the vulnerability could still be exploited even after patching it. An attacker could save the vulnerable signed executable dropped in the temporary folder when plugging in a SteelSeries device and serve it in a DNS poisoning attack.

SteelSeries bug gives Windows 10 admin rights by plugging in a device

The data, including names, addresses, financial information and Covid-19 vaccination statuses, was made vulnerable—but not compromised—before the problem was resolved, according to the digital security company's investigation.

Among the 47 affected organizations were American Airlines, Ford, JB Hunt and public agencies such as the Maryland Department of Health and New York City's public transit system.

They all used a Microsoft product called Power Apps, which allows for the creation of websites and mobile apps to interact with the public.

The service's default software configuration setting meant the data of the affected organizations was left without protection up until June 2021, according to UpGuard.

"As a result of this research project, Microsoft has since made changes to Power Apps portals," the report said.

Microsoft said it had let clients know when potential security risks were uncovered so that they could fix the problems themselves.

"We take security and privacy seriously, and we encourage our customers to use best practices when configuring products in ways that best meet their privacy needs," a spokesperson said.

But UpGuard said it would have been better to change the way the software works at the source, and based on how customers use it, rather than "to label systemic loss of data confidentiality an end user misconfiguration, allowing the problem to persist."

Source

"While the ransomware crisis appears poised to get worse before it gets better, the cast of cybercrime groups that cause the most damage is constantly changing," Palo Alto Networks' Unit 42 threat intelligence team said in a report shared with The Hacker News.

"Groups sometimes go quiet when they've achieved so much notoriety that they become a priority for law enforcement. Others reboot their operations to make them more lucrative by revising their tactics, techniques and procedures, updating their software and launching marketing campaigns to recruit new affiliates."

The development comes as ransomware attacks are getting bigger and more frequent, growing in size and severity, while also evolving beyond financial extortion to an urgent national security and safety concern that has threatened schools, hospitals, businesses, and governments across the world, prompting international authorities to formulate a series of actions against both operators of ransomware and the broader ecosystem of IT and money laundering infrastructure that's abused to siphon funds.

Chief among the new entrants is AvosLocker, a ransomware-as-a-service (RaaS) group that commenced operations in late June via "press releases" that are branded with a blue beetle logo to recruit new affiliates. The cartel, which also runs a data leak and extortion site, is said to have breached six organizations in the U.S., U.K., U.A.E., Belgium, Spain, and Lebanon, with ransom demands ranging anywhere from $50,000 to $75,000.

In contrast, Hive, despite opening shop in the same month as AvosLocker, has already hit several healthcare providers and mid-size organizations, including a European airline company and three U.S.-based entities, among other victims located in Australia, China, India, Netherlands, Norway, Peru, Portugal, Switzerland, Thailand, and the U.K.

Also detected in the wild is a Linux variant of the HelloKitty ransomware, which singles out Linux servers running VMware's ESXi hypervisor. "The observed variants impacted five organizations in Italy, Australia, Germany, the Netherlands and the U.S.," Unit 42 researchers Doel Santos and Ruchna Nigam said. "The highest ransom demand observed from this group was $10 million, but at the time of writing, the threat actors have only received three transactions that sum up to about $1.48 million."

Last to join the list is LockBit 2.0, an established ransomware group that resurfaced in June with 2.0 version of their affiliate program touting its "unparalleled benefits" of "encryption speed and self-spread function." Not only do the developers claim it's "the fastest encryption software all over the world," the group offers a stealer named StealBit that enables the attackers to download victims' data.

Since its June 2021 debut, LockBit 2.0 has compromised 52 organizations in accounting, automotive, consulting, engineering, finance, high-tech, hospitality, insurance, law enforcement, legal services, manufacturing, non-profit energy, retail, transportation, and logistics industries spanning across Argentina, Australia, Austria, Belgium, Brazil, Germany, Italy, Malaysia, Mexico, Romania, Switzerland, the U.K., and the U.S.

If anything, the emergence of new ransomware variants show that cybercriminals are doubling down on ransomware attacks, underscoring the extremely profitable nature of the crime.

"With major ransomware groups such as REvil and DarkSide lying low or rebranding to evade law enforcement heat and media attention, new groups will emerge to replace the ones that are no longer actively targeting victims," the researchers said. "While LockBit and HelloKitty have been previously active, their recent evolution makes them a good example on how old groups can re-emerge and remain persistent threats."

Source

Botnet targets hundreds of thousands of devices using Realtek SDK

Sensitive data including COVID-19 vaccination statuses, social security numbers and email addresses have been exposed due to weak default configurations for Microsoft Power Apps, according to Upguard.

Upguard Research disclosed multiple data leaks exposing 38 million data records via Microsoft Power Apps portals configured to allow public access.

The data leaks impacted American Airlines, Microsoft, J.B. Hunt and governments of Indiana, Maryland and New York City. Upguard first discovered the issue involving the ODdata API for a Power Apps portal on May 24 and submitted a vulnerability report to Microsoft June 24.

According to Upguard, the primary issue is that all data types were public when some data like personal identifying information should have been private. Misconfiguration led to some private data being surfaced.

Microsoft Power Apps are low-code tools to design apps and create public and private web sites.

Source

To help remedy this, David A. Wheeler, the LF's director of Open Source Supply Chain Security, recently revealed the LF or its related foundations and projects directly fund people to do security work. Here's how it works.

The funding comes from a variety of pro-Linux and open-source organizations. These include Google, Microsoft, the Open Source Security Foundation (OpenSSF), the LF Public Health foundation, and the LF itself. When a problem is found, a developer reaches out to the appropriate LF organization. Generally speaking, a contract that briefly describes what problem needs to be fixed and how it will be done, the funds required for it, and who will do the work is set up.  

The proposal is then examined by the appropriate LF technical review point of contact (POC). This POC is often Wheeler himself. 

Once your project is approved, progress reports are made approximately once a month. These must include:

• A stable URL of a publicly accessible post (e.g., a blog or archived mailing list post) describing what you did that month.
• The post must briefly describe what has been accomplished using the funding since the last invoice. Include its date and hyperlinks to details. If git commits were involved, include hyperlinks to them. Make it easy for technical people to learn details (e.g., via hyperlinks).
• Also briefly describe why this work is important or link to such description(s), for someone who is not intimately familiar with it. Some readers may see your post out of context.
• Give credit, similar to National Public Radio. (e.g., "This work to <X> was [partially] funded by the OpenSSF, Google, and The Linux Foundation.") Thanking others is always polite. We also want people to consider funding OSS security as normal.
• Publicly provide an identifier (a personal name, pseudonym, or project name) of who's doing the work. This simplifies referring to the work. You do not need to reveal your personal name(s) publicly, though you're welcome to do so.

This is a lightweight process. It shouldn't take more than 20 minutes to write these reports. You may find it easier to write your post while you do the work. Funded work must be available under the appropriate open-source licenses. For example, bug fixes to Linux must be licensed under the Gnu General Public Licenses Version 2 (GPLv2).

The POC will then review the post, and if it seems reasonable, approve the payment. Wheeler explained: "We understand that sometimes problems arise. We just want to see credible efforts. If there's a serious roadblock, try to suggest ways to overcome it or provide partial/incremental benefits. We need to provide confidence to funders that we aren't wasting their money."

So, what kind of projects are we walking about? Wheeler cites several examples. These include:

Ariadne Conill, the Alpine Linux security team chair, is improving this important container Linux distro's security. In particular, Conill has improved its vulnerability processing and made it reproducible. For example, this resulted in Alpine 3.14 being released with the lowest open vulnerability count in the final release in a long time. 

On Git, the vital distributed version control system, David Huseby has been working on modifying git to have a much more flexible cryptographic signing infrastructure. This will make it easier to verify the integrity of software source code.

It's not just Linux-related programs that get security help. Theo de Raadt, founder and leader of OpenBSD and OpenSSH, has received funding to secure OpenSSH's plumbing. OpenSSH is an important suite of secure Secure Shell (ssh)networking utilities based on the protocol. De Raadt has also been funded to help secure Resource Public Key Infrastructure (RPKI), which protects internet routing protocols from attack. 

Besides fixing known problems, the LF and company are also looking for security troubles we don't know about yet. That's being done with security audits via the Open Source Technology Improvement Fund (OSTIF). These projects include two Linux kernel security audits. One for signing and key management policies and the other for vulnerability reporting and remediation. Subject matter experts perform the audit reports, while Wheeler ensures these reports are clear to non-experts while still being accurate.

Looking ahead, OpenSSF is also working on improving overall open-source software security. These include free courses on how to develop secure software and the CII Best Practices badge project. Other projects improve OSS security, include sigstore, which is making cryptographic signatures much easier and improving software bill-of-materials (SBOMs).

If you'd like to help pay for this kind of work, the LF wants to hear from you. You can contribute to the OpenSSF by just contacting the organization, Or, if you'd rather, you can create a grant directly with the Linux Foundation itself. If you have questions just email Wheeler at dwheeler@linuxfoundation.org. For smaller amounts -- say, to fund a specific project -- you can also use the LFX crowdfunding tools to fund or request funding.

Having trouble with the business side of funding security coding and audits? You're not alone. As Wheeler said: "Many people and organizations struggle to pay individual open-source software developers because of the need to handle taxes and oversight. If that's your concern, talk to us. The LF has experience and processes to do all that, letting experts focus on getting the work done."

Source

The information offered for sale was similar in both breaches, including full names, addresses, birth dates and Social Security numbers. In short, it's the foundation for identity theft.

AT&T responded Friday by casting doubt about the claim by the prolific ShinyHunters cabal, stating that "based on our investigation today, the information that appeared in an internet chat room does not appear to have come from our systems."

Regardless of where the data came from, though, if it's valid it could be a nightmare for anyone whose sensitive information is exposed. Here's a quick guide to the risks you may face and some of the things you can do to protect yourself.

What are the risks?

Social Security numbers are widely used by the federal government, banks, investment companies, government benefit programs and insurers to verify your identity. Your stolen Social Security number can be used to open fraudulent credit card accounts, divert or fraudulently collect benefits and commit workplace fraud, among other forms of deceit. Throw in your name, birth date and email address (which the ShinyHunters claim to have stolen too), and it's significantly easier for someone to pretend to be you.

Identity thieves could use that information to target both you and the banks, insurers and other companies you do business with. For example, they could use it to make phishing emails seem more realistic, helping to persuade you to give up additional sensitive information such as a password or personal identification number (PIN). Or they could use it to dupe your bank into letting them change the password on your account, giving them access to your money.

The T-Mobile breach also exposed the phone numbers, device identifiers and SIM-card numbers for more than 13 million of its current customers. That creates an opening for at least one more malign possibility: a SIM-swap attack. That's where someone persuades your mobile phone company to transfer your number to a different device, which he or she then uses to try to break into the accounts that you've tied to your phone number.

It's increasingly common for people to use their mobile phone numbers as a way to verify their identity—for example, when they log into their online banking account, or when they want to reset their password. But that convenience can backfire if your number is hijacked, then used to impersonate you online.

Why do phone companies want your Social Security number?

Because it's the easiest way to check your credit rating. Companies like AT&T and T-Mobile want to know if you have a record of paying your bills on time before agreeing to provide you an account or to sell you a phone in monthly installments. And the major credit rating agencies use Social Security numbers to match people to their credit histories.

"The SSN is the only unique universal identifier across the entire population," explained Francis Creighton of the Consumer Data Industry Association, which represents the credit agencies. "There's nothing else that can replace it in today's market."

Social Security numbers also help guard against people setting up fraudulent credit reports, Creighton said. And while there are ways to establish a credit score that don't rely on your Social Security number, he said, the first step is for a lender or service provider not to ask for it. You can't be compelled by a phone company or other private-sector business to reveal your number, but in California and most other states, the business can refuse to serve you as a result.

Once you've paid off your new phone or switched carriers, though, your mobile company will no longer be filing reports about you to the credit bureaus, Creighton said. Nevertheless, the hackers behind the latest T-Mobile breach were able to steal Social Security numbers for former T-Mobile customers that the company held onto for some reason.

For the last decade, tech companies have been developing alternative ways of identifying people to make it easier to guard against identify theft, said André Ferraz, chief executive of Incognia, one of those tech companies. Ideally, Ferraz said, companies would supplement identifiers that cannot be changed, such as Social Security numbers, with identifiers based on a person's unique behaviors, which evolve over time. Unfortunately, those solutions haven't been widely adopted yet.

How do you protect yourself?

The single best thing to do is to put a freeze on your credit files, which will prevent anyone from opening a new account. It's free to place a freeze and to lift it for your own needs. But you have to contact each of the three major credit bureaus individually, which you can do online. Cybersecurity expert Brian Krebs also suggests freezing the credit files maintained by a handful of smaller, specialized agencies. You should also check your credit score regularly, which is a good way to detect fraud after it happens.

Credit- and identity-monitoring services, which typically carry a monthly fee, can also help reveal the work of identity thieves. They provide tools to prevent you from phishing and other forms of hacking combined with scanning services that look for your Social Security number or email address in places online where it doesn't belong.

T-Mobile is offering two years of McAfee's monitoring service for free to anyone affected by the breach. It has set up a website suggesting more steps people can take to guard against fraud. Anyone with a smartphone would be wise to take them:

• Create a PIN for your mobile phone account to provide an extra layer of security against unauthorized changes in your account, such as a malicious SIM swap. If you're a T-Mobile customer and you have a PIN, set a new one.

• Activate T-Mobile's "account takeover protection" feature, which provides an extra layer of protection on top of the PIN. Verizon goes further, automatically blocking SIM swaps by shutting down both the new device and the existing one until the account holder weighs in with the existing device.

• Change the password you use to get into your mobile phone account online. Changing passwords periodically is a good practice for all your accounts. And if you have trouble remembering dozens of passwords, try a password manager app that can keep track of them for you.

On the plus side, two-factor authentication is becoming the standard online, and that's improving security across the web. But too many sites encourage you to make that second factor a text message sent to your phone number, which encourages SIM swap fraud. Wherever possible, use an authentication app instead.

Source

That's according to an in-depth look at the Linux threat landscape published by U.S.-Japanese cybersecurity firm Trend Micro, detailing the top threats and vulnerabilities affecting the operating system in the first half of 2021, based on data amassed from honeypots, sensors, and anonymized telemetry.

The company, which detected nearly 15 million malware events aimed at Linux-based cloud environments, found coin miners and ransomware to make up 54% of all malware, with web shells accounting for a 29% share.

In addition, by dissecting over 50 million events reported from 100,000 unique Linux hosts during the same time period, the researchers found 15 different security weaknesses that are known to be actively exploited in the wild or have a proof of concept (PoC) —

• CVE-2017-5638 (CVSS score: 10.0) - Apache Struts 2 remote code execution (RCE) vulnerability
• CVE-2017-9805 (CVSS score: 8.1) - Apache Struts 2 REST plugin XStream RCE vulnerability
• CVE-2018-7600 (CVSS score: 9.8) - Drupal Core RCE vulnerability
• CVE-2020-14750 (CVSS score: 9.8) - Oracle WebLogic Server RCE vulnerability
• CVE-2020-25213 (CVSS score: 10.0) - WordPress File Manager (wp-file-manager) plugin RCE vulnerability
• CVE-2020-17496 (CVSS score: 9.8) - vBulletin 'subwidgetConfig' unauthenticated RCE vulnerability
• CVE-2020-11651 (CVSS score: 9.8) - SaltStack Salt authorization weakness vulnerability
• CVE-2017-12611 (CVSS score: 9.8) - Apache Struts OGNL expression RCE vulnerability
• CVE-2017-7657 (CVSS score: 9.8) - Eclipse Jetty chunk length parsing integer overflow vulnerability
• CVE-2021-29441 (CVSS score: 9.8) - Alibaba Nacos AuthFilter authentication bypass vulnerability
• CVE-2020-14179 (CVSS score: 5.3) - Atlassian Jira information disclosure vulnerability
• CVE-2013-4547 (CVSS score: 8.0) - Nginx crafted URI string handling access restriction bypass vulnerability
• CVE-2019-0230 (CVSS score: 9.8) - Apache Struts 2 RCE vulnerability
• CVE-2018-11776 (CVSS score: 8.1) - Apache Struts OGNL expression RCE vulnerability
• CVE-2020-7961 (CVSS score: 9.8) - Liferay Portal untrusted deserialization vulnerability

Even more troublingly, the 15 most commonly used Docker images on the official Docker Hub repository has been revealed to harbor hundreds of vulnerabilities spanning across python, node, wordpress, golang, nginx, postgres, influxdb, httpd, mysql, debian, memcached, redis, mongo, centos, and rabbitmq, underscoring the need to secure containers from a wide range of potential threats at each stage of the development pipeline.

"Users and organizations should always apply security best practices, which include utilizing the security by design approach, deploying multilayered virtual patching or vulnerability shielding, employing the principle of least privilege, and adhering to the shared responsibility model," the researchers concluded.

Source

Razer is a very popular computer peripherals manufacturer known for its gaming mouses and keyboards.

When plugging in a Razer device into Windows 10 or Windows 11, the operating system will automatically download and begin installing the Razer Synapse software on the computer. Razer Synapse is software that allows users to configure their hardware devices, set up macros, or map buttons.

Razer claims that that their Razer Synapse software is used by over 100 million users worldwide.

Security researcher jonhat discovered a zero-day vulnerability in the plug-and-play Razer Synapse installation that allows users to gain SYSTEM privileges on a Windows device quickly.

SYSTEM privileges are the highest user rights available in Windows and allow someone to perform any command on the operating system. Essentially, if a user gains SYSTEM privileges in Windows, they attain complete control over the system and can install whatever they want, including malware.

After not receiving a response from Razer, jonhat disclosed the zero-day vulnerability on Twitter yesterday and explained how the bug works with a short video.

Getting SYSTEM privileges by plugging in a mouse

As BleepingComputer has a Razer mouse available, we decided to test out the vulnerability and have confirmed that it took us about two minutes to gain SYSTEM privileges in Windows 10 after plugging in our mouse.

It should be noted that this is a local privilege escalation (LPE) vulnerability, which means that you need to have a Razer devices and physical access to a computer. With that said, the bug is so easy to exploit as you just need to spend $20 on Amazon for Razer mouse and plug it into Windows 10 to become an admin.

To test this bug, we created a temporary 'Test' user on one of our Windows 10 computers with standard, non-administrator privileges, as shown below.

When we plugged the Razer device into Windows 10, the operating system automatically downloaded and installed the driver and the Razer Synapse software.

Since the RazerInstaller.exe executable was launched via a Windows process running with SYSTEM privileges, the Razer installation program also gained SYSTEM privileges, as shown below.

When the Razer Synapse software is installed, the setup wizard allows you to specify the folder where you wish to install it. The ability to select your installation folder is where everything goes wrong.

When you change the location of your folder, a 'Choose a Folder' dialog will appear. If you press Shift and right-click on the dialog, you will be prompted to open 'Open PowerShell window here,' which will open a PowerShell prompt in the folder shown in the dialog.

As this PowerShell prompt is being launched by a process with SYSTEM privileges, the PowerShell prompt will also inherit those same privileges.

As you can see below, once we opened the PowerShell prompt and typed the 'whoami' command, it showed that the console has SYSTEM privileges allowing us to issue any command we want.

As explained by Will Dormann, a Vulnerability Analyst at the CERT/CC, similar bugs are likely to be found in other software installed by the Windows plug-and-play process.

A video demonstration of the Razer Synapse vulnerability has also been shared by jonhat, which can be watched below.

Razer to fix the vulnerability

After this zero-day vulnerability gained wide attention on Twitter, Razer has contacted the security researcher to let them know that they will be issuing a fix.

Razer also told the researcher that he would be receiving a bug bounty reward even though the vulnerability was publicly disclosed.

Razer bug lets you become a Windows 10 admin by plugging in a mouse

Trend Micro spotted recent malicious activity conducted by cybercriminal group Confucius. The hackers launched a spear-phishing campaign using Pegasus lures to trick users into clicking on a malicious document that downloads a data theft code.  

The attack begins with a clean email that contains a text copied from a legitimate Pakistani newspaper article.Two days later, the victim receives a new email with a warning from a Pakistani military official about the Pegasus spyware that includes a cutt.ly link to encrypted Word document and a decryption password.

Regardless of the action taken by the victim, clicking on either of the links leads to downloading the Word document. If the target makes the mistake of entering the emailed password, a document with macros appears on the computer screen. In case the macros are enabled on that particular machine, the next step is simply loading the malicious code.

Users should remember to follow basic security standards

Once the code is inside, a .NET DLL file named skfk.txt is created in the temporary directory that contains material from the document's comment field. PowerShell is used to load the file into memory and used to steal data. Simply put, when the MD5 hash of the listed extension match, the file is retrieved via the C&C server. Files that are not listed are saved to a different folder in the same C&C server using a machine name-username string.

The Confucius cybercrime gang used several file stealers in the past for cyberespionage attacks on the Pakistani military. Even though the file stealers code is not top-notch, malware developers still use innovative techniques when creating malicious documents. Some of these techniques include using encrypted documents to prevent automated analysis or hiding the harmful code in the comments section.

Trend Micro suggests users adhere to standard security practices because they are still applicable in most attacks. To put it simply, users should inspect links carefully before accessing and refrain from clicking or downloading anything questionable.

Source

Microsoft and Google release urgent browser security update for Risk Level 4 Drive-by exploit

The attack, launched via a Mirai botnet, is said to have targeted an unnamed customer in the financial industry last month. "Within seconds, the botnet bombarded the Cloudflare edge with over 330 million attack requests," the company noted, at one point reaching a record high of 17.2 million requests-per-second (rps), making it three times bigger than previously reported HTTP DDoS attacks.

Volumetric DDoS attacks are designed to target a specific network with an intention to overwhelm its bandwidth capacity and often utilize reflective amplification techniques to scale their attack and cause as much operational disruption as possible.

They also typically originate from a network of malware-infected systems — consisting of computers, servers, and IoT devices — enabling threat actors to seize control and co-opt the machines into a botnet capable of generating an influx of junk traffic directed against the victim.

In this specific incident, the traffic originated from more than 20,000 bots in 125 countries worldwide, with almost 15% of the attack originating from Indonesia, followed by India, Brazil, Vietnam, and Ukraine. What's more, the 17.2 million rps alone accounted for 68% of the average rps rate of legitimate HTTP traffic processed by Cloudflare in Q2 2021, which is at 25 million HTTP rps.

This is far from the first time similar attacks have been detected in recent weeks. Cloudflare noted that the same Mirai botnet was used to strike a hosting provider with an HTTP DDoS attack that peaked a little below 8 million rps.

Separately, a Mirai-variant botnet was observed launching over a dozen UDP and TCP-based DDoS attacks that peaked multiple times above 1 Tbps. The company said the unsuccessful attacks were aimed at a gaming company and a major Asia Pacific-based internet services, telecommunications, and hosting provider.

"While the majority of attacks are small and short, we continue to see these types of volumetric attacks emerging more often," Cloudflare said. "It's important to note that these volumetric short burst attacks can be especially dangerous for legacy DDoS protection systems or organizations without active, always-on cloud-based protection."

Source

"Network gateways are a particularly juicy target for adversaries because they are ideal as initial access points to corporate networks," researchers at Microsoft Security Threat Intelligence Center and Section 52 at Azure Defender for IoT said in a technical write-up. "By infecting routers, they can perform man-in-the-middle (MITM) attacks—via HTTP hijacking and DNS spoofing—to compromise endpoints and deploy ransomware or cause safety incidents in OT facilities."

First documented by Netlab 360 in December 2019, Mozi has a history of infecting routers and digital video recorders in order to assemble them into an IoT botnet, which could be abused for launching distributed denial-of-service (DDoS) attacks, data exfiltration, and payload execution. The botnet is evolved from the source code of several known malware families such as Gafgyt, Mirai, and IoT Reaper.

Mozi spreads via the use of weak and default remote access passwords as well as through unpatched vulnerabilities,, with the IoT malware communicating using a BitTorrent-like Distributed Hash Table (DHT) to record the contact information for other nodes in the botnet, the same mechanism used by file-sharing P2P clients. The compromised devices listen for commands from controller nodes and also attempt to infect other vulnerable targets.

An IBM X-Force analysis published in September 2020 noted that Mozi accounted for nearly 90% of the observed IoT network traffic from October 2019 through June 2020, indicating that threat actors are increasingly taking advantage of the expanding attack surface offered by IoT devices. In a separate investigation released last month, Elastic Security Intelligence and Analytics Team found that at least 24 countries have been targeted to date, with Bulgaria and India leading the pack.

Now fresh research from Microsoft's IoT security team has discovered that the malware "takes specific actions to increase its chances of survival upon reboot or any other attempt by other malware or responders to interfere with its operation," including achieving persistence on targeted devices and blocking TCP ports (23, 2323, 7547, 35000, 50023, and 58000) that are used to gain remote access to the gateway.

What's more, Mozi has been upgraded to support new commands that enable the malware to hijack HTTP sessions and carry out DNS spoofing so as to redirect traffic to an attacker-controlled domain.

Businesses and users using Netgear, Huawei, and ZTE routers are recommended to secure the devices using strong passwords and update the devices to the latest firmware. "Doing so will reduce the attack surfaces leveraged by the botnet and prevent attackers from getting into a position where they can use the newly discovered persistence and other exploit techniques," Microsoft said.

Source

"The sender tells the employee that if they're able to deploy ransomware on a company computer or Windows server, then they would be paid $1 million in bitcoin, or 40% of the presumed $2.5 million ransom," Abnormal Security said in a report published Thursday. "The employee is told they can launch the ransomware physically or remotely. The sender provided two methods to contact them if the employee is interested—an Outlook email account and a Telegram username."

Black Kingdom, also known as DemonWare and DEMON, attracted attention earlier this March when threat actors were found exploiting ProxyLogon flaws impacting Microsoft Exchange Servers to infect unpatched systems with the ransomware strain.

Abnormal Security, which detected and blocked the phishing emails on August 12, responded to the solicitation attempt by creating a fictitious persona and reached out to the actor on Telegram messenger, only to have the individual inadvertently spill the attack's modus operandi, which included two links for an executable ransomware payload that the "employee" could download from WeTransfer or Mega.nz.

"The actor also instructed us to dispose of the .EXE file and delete it from the recycle bin. Based on the actor's responses, it seems clear that he 1) expects an employee to have physical access to a server, and 2) he's not very familiar with digital forensics or incident response investigations," said Crane Hassold, director of threat intelligence at Abnormal Security.

Besides taking a flexible approach to their ransom demands, the plan is believed to have been concocted by the chief executive of a Lagos-based social networking startup called Sociogram, with the goal of using the siphoned funds to "build my own company." In one of the conversations that took place over the course of five days, the individual even took to calling himself "the next Mark Zuckerberg."

Also of particular note is the method of using LinkedIn to collect corporate email addresses of senior-level executives, once again highlighting how business email compromise (BEC) attacks originating from Nigeria continue to evolve and expose businesses to sophisticated attacks like ransomware.

"There's always been a blurry line between cyberattacks and social engineering, and this is an example of how the two are intertwined. As people become better at recognizing and avoiding phishing, it should be no surprise to see attackers adopt new tactics to accomplish their goals," Tim Erlin, vice president of product management and strategy at Tripwire, said.

"The idea of a disgruntled insider as a cybersecurity threat isn't new. As long as organizations require employees, there will always be some insider risk. The promise of getting a share of the ransom might seem attractive, but there's almost zero guarantee that this kind of complicity will actually be rewarded, and it's highly likely that someone taking this attacker up on their offer would get caught," Erlin added.

Source

ShinyHunters, the notorious hacker is claiming to have access to the AT&T database containing personal and sensitive records of more than 70 million customers.

For your information, AT&T Inc. is the largest provider of mobile telephone services in the U.S. and also the world’s largest telecommunications company.

In a post published on the infamous hacker forum and marketplace Raid Forums, ShinyHunters is offering the database for starting price of $200,000.

Hackread.com has seen the sample records shared by ShinyHunters on the forum and a quick review of it reveals that these records include the following customers’ details:

• Full names
• Addresses
• Zipcodes
• Date of birth
• Email addresses
• Social security numbers (SSN)

Although AT&T is yet to comment on the breach if the data is legitimate it will be a disaster for the company and its customers.

The database can be bought off by government-backed hacking groups, spy agencies, ransomware gangs, or scammers while customers can end up being sitting ducks and exposed to online and physical threats – The possibilities are endless for threat actors.

It is worth noting that as of 2019, AT&T had a subscriber base of approximately 77 million post-paid and 18 million prepaid customers in the United States.

The news came just days after a hacker was selling T-Mobile customers’ records on the same forum. The data breach was also confirmed by T-Mobile however so far, we have failed to establish any connection between T-Mobile and AT&T’s alleged breach.

Hackread.com has contacted AT&T therefore expect an update. Stay tuned!

Update:

In a statement to Hackread.com, AT&T has denied being breached. 

“Based on our investigation today, the information that appeared in an internet chat room does not appear to have come from our systems,” AT&T maintains.

ShinyHunters – Previous data breaches

Shiney Hunters is known for top data breaches since 2020. Some of their targeted companies include the following:

Mashable – 5.22GB worth of data

123RF – 8.3M accounts leaked

WedMeGood – 41.5 GB worth of data

Big Basket – 20 million accounts leaked

WattPad – 271 million accounts leaked

Dunzo – 11GB worth of data leaked

Dave.com – 7 million accounts leaked

Bhinneka – 1 million+ accounts leaked

Minted – 5 million accounts leaked

ProctorU – 444,267 accounts leaked

Tokopedia – 91 million accounts leaked

Couchsurfing – 17 million accounts leaked

Animal Jam – Tens of millions of users’ data, especially children.

Source

After the largest heist in the history of decentralized financial systems, PolyNetwork decided to use an original approach by offering the attacker a job and allowing him to keep a small portion of the loot, according to NDTV. 

PolyNetwork, a platform that allows users to move tokens between multiple blockchains, has been recently dispossessed of $610. The hacker stated that the assault was carried out to prevent the project from being shut down. Consequently, he committed to repaying the stolen cash and has already supplied approximately half of the total amount due.

After the attack, PolyNetwork raved about the hacker, whom the company referred to as Mr. White Hat, a term that refers to ethical hackers who identify vulnerabilities in computer networks and inform companies or organizations how to fix them. The identity of the hacker or the hacking organization has not been revealed at this time.

The DeFi platform wishes to reclaim its clients' digital assets 

PolyNetwork said in a statement that “To extend our thanks and encourage Mr. White Hat to continue contributing to security advancement in the blockchain world together with PolyNetwork, we cordially invite Mr. White Hat to be the Chief Security Adviser of PolyNetwork,” emphasizing that they do not want the cybercriminal to be held legally liable as they trust he will return the stolen digital assets as soon as possible.

The company is still attempting to recover all customer funds. After reclaiming half of the network's assets, the hacker moved the remaining cash (about $235 million) to a shared account safeguarded by two unique keys. One of the keys was handed to PolyNetwork, while the hacker retained the other. To make that the money is still there, PolyNetwork demanded the threat actor hand over his key. Although the hacker has been a job and can keep $500,000 in cash, he is still required to comply.

Source

Criminal hackers will try almost anything to get inside a profitable enterprise and secure a million-dollar payday from a ransomware infection. Apparently now that includes emailing employees directly and asking them to unleash the malware inside their employer’s network in exchange for a percentage of any ransom amount paid by the victim company.

Image: Abnormal Security.

Crane Hassold, director of threat intelligence at Abnormal Security, described what happened after he adopted a fake persona and responded to the proposal in the screenshot above. It offered to pay him 40 percent of a million-dollar ransom demand if he agreed to launch their malware inside his employer’s network.

This particular scammer was fairly chatty, and over the course of five days it emerged that Hassold’s correspondent was forced to change up his initial approach in planning to deploy the DemonWare ransomware strain, which is freely available on GitHub.

“According to this actor, he had originally intended to send his targets—all senior-level executives—phishing emails to compromise their accounts, but after that was unsuccessful, he pivoted to this ransomware pretext,” Hassold wrote.

Abnormal Security documented how it tied the email back to a young man in Nigeria who acknowledged he was trying to save up money to help fund a new social network he is building called Sociogram.

Image: Abnormal Security.

Reached via LinkedIn, Sociogram founder Oluwaseun Medayedupin asked to have his startup’s name removed from the story, although he did not respond to questions about whether there were an inaccuracies in Hassold’s report.

“Please don’t harm Sociogram’s reputation,” Medayedupin pleaded. “I beg you as a promising young man.”

This attacker’s approach may seem fairly amateur, but it would be a mistake to dismiss the threat from West African cybercriminals dabbling in ransomware. While multi-million dollar ransomware payments are hogging the headlines, by far the biggest financial losses tied to cybercrime each year stem from so-called Business Email Compromise (BEC) or CEO Scams, in which crooks mainly based in Africa and Southeast Asia will spoof communications from executives at the target firm in a bid to initiate unauthorized international wire transfers.

According to the latest figures (PDF) released by the FBI Internet Crime Complaint Center (IC3), the reported losses from BEC scams continue to dwarf other cybercrime loss categories, increasing to $1.86 billion in 2020.

Image: FBI

“Knowing the actor is Nigerian really brings the entire story full circle and provides some notable context to the tactics used in the initial email we identified,” Hassold wrote. “For decades, West African scammers, primarily located in Nigeria, have perfected the use of social engineering in cybercrime activity.”

“While the most common cyber attack we see from Nigerian actors (and most damaging attack globally) is business email compromise (BEC), it makes sense that a Nigerian actor would fall back on using similar social engineering techniques, even when attempting to successfully deploy a more technically sophisticated attack like ransomware,” Hassold concluded.

DON’T QUIT YOUR DAY JOB

Cybercriminals trolling for disgruntled employees is hardly a new development. Big companies have long been worried about the very real threat of disgruntled employees creating identities on darknet sites and then offering to trash their employer’s network for a fee (for more on that, see my 2016 story, Rise of the Darknet Stokes Fear of the Insider).

Indeed, perhaps this enterprising Nigerian scammer is just keeping up with current trends. Several established ransomware affiliate gangs that have recently rebranded under new banners seem to have done away with the affiliate model in favor of just buying illicit access to corporate networks.

For example, the Lockbit 2.0 ransomware-as-a-service gang actually includes a solicitation for insiders in the desktop wallpaper left behind on systems encrypted with the malware.

“Would you like to earn millions of dollars? Our company acquires access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company,” LockBit’s unusual ad reads. “You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. Companies pay us the foreclosure for the decryption of files and prevention of data leak.”

Image: Sophos.

Likewise, the newly formed BlackMatter ransomware gang kicked off its presence on the cybercrime forums with the unassuming thread, “Buying/monetizing your access to corporate networks.” The rest of the post reads:

We are looking for access to corporate networks in the following countries:

– the USA
– Canada
– Australia
– the UK

 

All lines of business except for:
– Healthcare
– Government entities.

 

Requirements:
– Revenue according to ZoomInfo: over 100 million.
– Number of hosts: 500 to 15,000.
– We do not accept networks that anybody else has already tried to work on.

 

Two options of cooperation:
– We buy networks: 3 to 100k.
– We monetize them (subject to negotiation on a case-by-case basis).

 

How we work:
You select an option of cooperation. -> You provide access to the network. -> We check it. -> We take it or not (depending on whether it meets the requirements).

Wanted: Disgruntled Employees to Deploy Ransomware