This week, Microsoft disclosed yet another printing related vulnerability in Windows. The CVE reveals little information at this point as Microsoft's investigation is still ongoing.

According to the provided information, it is a remote code execution vulnerability that does affect the Windows Print Spooler.

A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft does not list the affected versions and editions of the company's Windows operating system, as research is still ongoing. All versions of Windows were affected by PrintNightmare, and it is possible that the new 0-day vulnerability affects all versions as well.

Microsoft notes that it is working on a security patch, which it will likely release as an out-of-band patch once produced.

Workaround: disable the Print Spooler

Microsoft's workaround for protecting systems against attacks targeting the new Print Spooler vulnerability is to disable the Print Spooler. The downside to disabling the Print Spooler is that printing becomes unavailable.

One of the PrintNightmare vulnerability workarounds was to stop the Print Spooler as well.

Disable Print Spooler via PowerShell

1. Open Start.
2. Type PowerShell.
3. Select Run as administrator.
4. Run Get-Service -Name Spooler to get the status of the print spooler-
5. Run Stop-Service -Name Spooler -Force to stop the Print Spooler service.
6. Run Set-Service -Name Spooler -StartupType Disabled to set the startup type of the service to disabled so that it is not activated on system start.

Disable Print Spooler via Services

You may also use the Services management interface to stop the Print Spooler service and set its startup type to disabled.

1. Open Start.
2. Type services.msc
3. Locate the Print Spooler service. The list is sorted alphabetically by default.
4. Right-click on Print Spooler and select Stop.
5. Double-click on Print Spooler.
6. Set the Startup Type to disabled.
7. Select Ok.

Effect of the workaround

You won't be able to print anymore on the device if the Print Spooler service is not running. You could enable it on demand, e.g. just the moment before you start a new print job on the device, and turn it off afterwards again.

Microsoft suggests once again to disable the Print Spooler to protect against new 0-day vulnerability

Dubbed the "Glowworm attack," the findings were published by a group of academics from the Ben-Gurion University of the Negev earlier this week, describing the method as "an optical TEMPEST attack that can be used by eavesdroppers to recover sound by analysing optical measurements obtained via an electro-optical sensor directed at the power indicator LED of various devices."

Accompanying the experimental setup is an optical-audio transformation (OAT) that allows for retrieving sound by isolating the speech from the optical measurements obtained by directing an electro-optical sensor at the device's power indicator LED.

TEMPEST is the codename for unintentional intelligence-bearing emanations produced by electronic and electromechanical information-processing equipment.

Glowworm builds on a similar attack called Lamphone that was demonstrated by the same researchers last year and enables the recovery of sound from a victim's room that contains an overhead hanging bulb.

While both methods retrieve sound from light via an electro-optical sensor, they are also different in that while the Lamphone attack "is a side-channel attack that exploits a light bulb's miniscule vibrations, which are the result of sound waves hitting the bulb," Glowworm is a "TEMPEST attack that exploits the way that electrical circuits were designed. It can recover sound from devices like USB hub splitters that do not move in response to the acoustic information played by the speakers."

The attack hinges on the optical correlation between the sound that is played by connected speakers and the intensity of their power indicator LED, which are not only connected directly to the power line but also that the intensity of a device's power indicator LED is influenced by the power consumption. What's more, the quality of the sound recovered is proportional to the quality of the equipment used by the eavesdropper.

In a real-world scenario, the threat model takes aim at the speech generated by participants in a virtual meeting platform such as Zoom, Google Meet, and Microsoft Teams, with the malicious party located in a room in an adjacent building, enabling the adversary to recover sound from the power indicator LED of the speakers.

In an indirect attack scenario where the power indicator LED isn't visible from outside the room, the eavesdropper can recover sound from the power indicator LED of the device used to provide the power to the speaker.

Although such attacks can be countered on the consumer side by placing a black tape over a device's power indicator LED, the researchers recommend device manufacturers to integrate a capacitor or an operational amplifier to eliminate the power consumption fluctuations that occur when the speakers produce sound.

"While the cost of our countermeasures might seem negligible, given the likelihood that the devices are mass produced, the addition of a component to prevent the attack could cost a manufacturer millions of dollars," the researchers said. "Given the cost-driven nature of consumers and the profit-driven nature of manufacturers, known vulnerabilities are often ignored as a means of reducing costs. This fact may leave many electrical circuits vulnerable to Glowworm attack for years to come."

Source

Once the new feature rolls out, Microsoft Teams will alert Office 365 users when they're receiving what looks like spam calls.

While incoming calls will be tagged as "spam likely" automatically, Teams users will still be able to decide if they want to answer.

Announced last year, rolling out in late August

As Microsoft Teams General Manager Nicole Herskowitz said, "Teams will identify potential spam calls so you can feel confident answering incoming calls" and "will digitally attest outgoing calls to prevent these calls from being rejected by external recipients."

"The spam call notification feature automatically evaluates incoming calls and identifies probable spam calls as 'spam likely' in the call toast," Redmond explained on the Microsoft 365 roadmap.

"Users still have the option to answer or reject the call, and all 'spam likely' calls (regardless of whether they were answered or rejected) will also be reflected in the call history list."

Microsoft is planning on rolling out the new feature (initially announced in December 2020) by the end of this month, making it generally available on desktop and the web.

Blocking incoming PSTN calls

Enterprises that use PBX (Private Branch Exchange) phone systems can already block inbound calls originating from the Public Switched Telephone Network (PSTN), which don't match a pre-defined list of number patterns at the tenant global level.

Individual Teams client users can also block PSTN calls and manage their blocked numbers by going into the "Edit blocked contacts" menu under Settings > Privacy > Blocked contacts.

They can also block all anonymous incoming calls by toggling on the "Block calls with no caller ID" under "Blocked contacts."

More info on how to manage your call settings in Teams (e.g., setting call answering rules and adjusting voicemail settings) is available on Microsoft's Office support website.

In related news, Microsoft is rolling out later Teams end-to-end encryption for 1:1 VoIP calls until the end of this month.

In July, Redmond also extended Defender for Office 365 Safe Links protection to Microsoft Teams to block phishing attempts automatically

Microsoft Teams will alert users of incoming spam calls

To be clear, Facebook doesn’t encrypt your normal messages, instead, you need to tap the ‘i’ in the current chat and press ‘Go to secret conversation’; any messages sent there are encrypted. From today, these secret conversation windows will come with a call option and a video option, you must select these items from a secret conversation to benefit from the E2E encryption.

Facebook launched secret conversations five years ago but due to COVID-19, it has seen an uptick in the number of audio and video calls being made. For this reason, it decided it would be worthwhile offering these services from the secret conversation window to give users greater privacy and help people gain more trust in the Facebook brand.

Disappearing messages is another option unique to secret conversations. With today’s update, users will be given greater choice over how long they’d like to have a message stick around; you can now choose to have messages disappear from anywhere between five seconds and 24 hours.

In coming updates, Facebook will enable end-to-end encrypted group chats and calls in Messenger as well as opt-in end-to-end encryption for Instagram DMs. Some users may see these options before they’re released publicly and could begin showing up in just a matter of weeks.

Messenger will now encrypt your voice and video calls

Microsoft touts Windows 365, Microsoft’s cloud PC solution, as being much safer than running software directly on your PC, but hackers have already found a way to exploit the remote access software to steal your user name and password credentials.

Security researcher Benjamin Delphy achieved this feat by using a combination of tools. He used the Mimikatz tool, which can read passwords from memory, and an exploit of Windows Terminal he discovered which lets him decrypt the password to deliver the user name and password users use for Windows 365.

These credentials can then be used to access other resources on a network and spread from computer to computer, likely installing ransomware in the process.

Delphy notes that Windows Hello, Smartcards and other 2FA may have helped prevent this attack, but that Windows 365 relies on user names and passwords, so is not easy to protect.

Read all the detail associated with the hack at BleepingComputer here.

Hacker finds a way to steal Windows 365 user names and passwords

A new dark web service is marketing to cybercriminals who are curious to see how their various cryptocurrency holdings and transactions may be linked to known criminal activity. Dubbed “Antinalysis,” the service purports to offer a glimpse into how one’s payment activity might be flagged by law enforcement agencies and private companies that try to link suspicious cryptocurrency transactions to real people.

Sample provided by Antinalysis.

“Worried about dirty funds in your BTC address? Come check out Antinalysis, the new address risk analyzer,” reads the service’s announcement, pointing to a link only accessible via ToR. “This service is dedicated to individuals that have the need to possess complete privacy on the blockchain, offering a perspective from the opponent’s point of view in order for the user to comprehend the possibility of his/her funds getting flagged down under autocratic illegal charges.”

The ad continues:

Some people might ask, why go into all that? Just cash out in XMR and be done with it. The problem is, cashing out in Monero raises eyebrows on exchanges and mail by cash method is sometimes risky as well. If you use BTC->XMR->BTC method, you’ll still get flagged down by our services labelled as high risk exchange (not to mention LE and exchanges). Our service provides you with a view from LE/exchange’s perspective of things (with similar accuracy, but quite different approach) that provides you with basic knowledge of how “clean” your address is.”

Tom Robinson, co-founder of blockchain intelligence firm Elliptic, said Antinalysis is designed to help crypto money launderers test whether their funds will be identified as proceeds of crime by regulated financial exchanges.

“Cryptoassets have become an important tool for cybercriminals,” Robinson wrote. “The likes of ransomware and darknet markets rely on payments being made in Bitcoin and other cryptocurrencies. However, laundering and cashing-out these proceeds is a major challenge.”

Cryptocurrency exchanges make use of blockchain analytics tools, he said, to check customer deposits for links to illicit activity. By tracing a transaction back through the blockchain, these tools can identify whether the funds originated from a wallet associated with ransomware or any other criminal activity.

“The launderer therefore risks being identified as a criminal and being reported to law enforcement whenever they send funds to a business using such a tool,” Robinson said. “Antinalysis seeks to help crypto launderers to avoid this, by giving them a preview of what a blockchain analytics tool will make of their bitcoin wallet and the funds it contains.”

Each lookup at Antinalysis costs roughly USD $3, with a minimum $30 purchase. Other plans go as high as $6,000 for 5,000 requests.

Robinson says the creator of Antinalysis is also one of the developers of Incognito Market, a darknet marketplace specializing in the sale of narcotics.

“Incognito was launched in late 2020, and accepts payments in both Bitcoin and Monero, a cryptoasset offering heightened anonymity,” he wrote. “The launch of Antinalysis likely reflects the difficulties faced by the market and its vendors in cashing out their Bitcoin proceeds.”

Elliptic wasn’t impressed with the quality of the intelligence provided by Antinalysis, saying it performs poorly on detecting links to major darknet markets and other criminal entities. But with countless criminals now making millions from ransomware, there is certainly a vast, untapped market for services that help those folks improve their operational security.

“It is also significant because it makes blockchain analytics available to the public for the first time,” Robinson wrote. “To date, this type of analysis has been used primarily by regulated financial service providers.”

That may not be entirely true. Nick Bax is an independent expert in tracing cryptocurrency transactions, and he said it appears Antinalysis may be little more than a clone of AMLBot, an anti- anti-money laundering intelligence service that first came online in 2019.

AMLBot’s user interface.

“It looks almost identical to the cheap version of AMLBot,” Bax told KrebsOnSecurity. “My guess is they’re just white-labeling that.”

Bax said a lookup at AMLBot on the virtual currency address used in the sample provided by Antinalysis shows a near identical result. Here’s AMLBot’s result for the same crypto analysis performed by Antinalysis in the screenshot at the top of this story:

AMLBot’s response for the same cryptocurrency address provided as an example by Antinalysis.

“If you look at the breakdown the percentages are all almost identical,” Bax said. “I use AMLBot occasionally for good and righteous purposes. And it could also be useful for people who are just selling stuff online to make sure they aren’t receiving tainted funds.”

Update, 1:42 p.m. ET: Corrected the story to note that AMLBot has been around since 2019.

Update, 1:52 p.m. ET: Elliptic updated its blog post to confirm the connection between Antinanlysis and AMLBot, noting that AMLBot itself is a reseller of yet another service: “As first suggested in an article by Brian Krebs, we can now confirm that the results provided by Antinalysis are identical to those provided by AMLBot. It is therefore likely that Antinalysis makes use of the AMLBot API. AMLBot is itself a reseller for Crystal Blockchain, an analytics provider.”

New Anti Anti-Money Laundering Services for Crooks

Mixed content refers to sites using secure connections and insecure connections. Imagine the following scenario: you visit a secure site that is using HTTPS and start a download by clicking on a link. The linked resource is not on a HTTPS resource, but on a HTTP resource; this is what mixed content in the context of downloads refer to.

Files that are transferred via insecure connections may be tampered with, for instance by other actors on a network.

Firefox will block insecure downloads that originated from HTTPS sites soon, likely in Firefox 92, which will be released on September 7, 2021.

Firefox won't download the file in this case automatically; the browser displays a warning in the download panel -- File not downloaded. Potential security risk -- with a red exclamation mark icon.

A click or tap on the download in the panel opens additional information and options.

Firefox users may allow the download using the prompt that opens or remove the file.

The blocking happens only because of the insecure connection, not because the file has a virus or other unwanted content. It may still be a good idea to run the file through a virus scanner or service such as Virustotal to make sure it is clean and likely without danger.

Firefox 92 comes with a preference switch that controls the behavior. It can be turned off to restore the previous downloading behavior:

1. Load about:config in the Firefox address bar.
2. Confirm that you accept the risk.
3. Search for dom.block_download_insecure.
4. Use the toggle icon to set the value to
   1. TRUE: to keep the security feature enabled.
   2. FALSE: to disable the security feature.

Mozilla notes that about 98.5% of all downloads in Firefox Nightly use HTTPS. In other words: 15 in 1000 downloads will be blocked once the change lands in Firefox Stable, provided that the percentage value is about the same.

Google introduced the blocking of downloads in an insecure context earlier this year in Chrome 86. Most Chromium-based browsers block downloads from HTTP sources if the originating page uses HTTPS. Chrome displays a notification in the download panel if a file cannot be downloaded because it originates from a HTTP server. Chrome users may discard or keep the download, similarly to how Firefox handles these downloads.

Closing Words

HTTP downloads that originate on HTTPS pages will be blocked by default; users do have the option to override the blocking and to disable the security feature entirely.

Firefox will block insecure downloads soon by default

In a new paper, researchers found the implications of these types of hacks—which they call "code poisoning"—to be wide-reaching for everything from algorithmic trading to fake news and propaganda.

"With many companies and programmers using models and codes from open-source sites on the internet, this research shows how important it is to review and verify these materials before integrating them into your current system," said Eugene Bagdasaryan, a doctoral candidate at Cornell Tech and lead author of "Blind Backdoors in Deep Learning Models," which was presented Aug. 12 at the virtual USENIX Security '21 conference. The co-author is Vitaly Shmatikov, professor of computer science at Cornell and Cornell Tech.

"If hackers are able to implement code poisoning," Bagdasaryan said, "they could manipulate models that automate supply chains and propaganda, as well as resume-screening and toxic comment deletion."

Without any access to the original code or model, these backdoor attacks can upload malicious code to open-source sites frequently used by many companies and programmers.

As opposed to adversarial attacks, which require knowledge of the code and model to make modifications, backdoor attacks allow the hacker to have a large impact, without actually having to directly modify the code and models.

"With previous attacks, the attacker must access the model or data during training or deployment, which requires penetrating the victim's machine learning infrastructure," Shmatikov said. "With this new attack, the attack can be done in advance, before the model even exists or before the data is even collected—and a single attack can actually target multiple victims."

The new paper investigates the method for injecting backdoors into machine-learning models, based on compromising the loss-value computation in the model-training code. The team used a sentiment analysis model for the particular task of always classifying as positive all reviews of the infamously bad movies directed by Ed Wood.

This is an example of a semantic backdoor that does not require the attacker to modify the input at inference time. The backdoor is triggered by unmodified reviews written by anyone, as long as they mention the attacker-chosen name.

How can the "poisoners" be stopped? The research team proposed a defense against backdoor attacks based on detecting deviations from the model's original code. But even then, the defense can still be evaded.

Shmatikov said the work demonstrates that the oft-repeated truism, "Don't believe everything you find on the internet," applies just as well to software.

"Because of how popular AI and machine-learning technologies have become, many nonexpert users are building their models using code they barely understand," he said. "We've shown that this can have devastating security consequences."

For future work, the team plans to explore how code-poisoning connects to summarization and even automating propaganda, which could have larger implications for the future of hacking.

Shmatikov said they will also work to develop robust defenses that "will eliminate this entire class of attacks and make AI and machine learning safe even for nonexpert users."

Source

The phishing attacks take the form of invoice-themed lures mimicking financial-related business transactions, with the emails containing an HTML file ("XLS.HTML"). The ultimate objective is to harvest usernames and passwords, which are subsequently used as an initial entry point for later infiltration attempts.

Microsoft likened the attachment to a "jigsaw puzzle," noting that individual parts of the HTML file are designed to appear innocuous and slip past endpoint security software, only to reveal its true colors when these segments are decoded and assembled together. The company did not identify the hackers behind the operation.

"This phishing campaign exemplifies the modern email threat: sophisticated, evasive, and relentlessly evolving," Microsoft 365 Defender Threat Intelligence Team said in an analysis. "The HTML attachment is divided into several segments, including the JavaScript files used to steal passwords, which are then encoded using various mechanisms. These attackers moved from using plaintext HTML code to employing multiple encoding techniques, including old and unusual encryption methods like Morse code, to hide these attack segments

Opening the attachment launches a browser window that displays a fake Microsoft Office 365 credentials dialog box on top of a blurred Excel document. The dialog box shows a message urging the recipients to sign in again due to reasons that their access to the Excel document has purportedly timed out. In the event the user enters the password, the individual is alerted that the typed password is incorrect, while the malware stealthily harvests the information in the background.

The campaign is said to have undergone 10 iterations since its discovery in July 2020, with the adversary periodically switching up its encoding methods to mask the malicious nature of the HTML attachment and the different attack segments contained within the file.

Microsoft said it detected the use of Morse code in the attacks' February and May 2021 waves, while later variants of the phishing kit were found to direct the victims to a legitimate Office 365 page instead of showing a fake error message once the passwords were entered.

"Email-based attacks continue to make novel attempts to bypass email security solutions," the researchers said. "In the case of this phishing campaign, these attempts include using multilayer obfuscation and encryption mechanisms for known existing file types, such as JavaScript. Multilayer obfuscation in HTML can likewise evade browser security solutions.

Source

It's pretty simple for hackers to gain financially, using malicious software to access and encrypt data and hold it hostage until the victim pays the ransom.

Cyber attacks are more frequent now because it is effortless for hackers to execute them. Further, the payment methods are now friendlier to them. In addition, businesses are willing to pay a ransom because of the growing reliance on digital infrastructure, giving hackers more incentives to attempt more breaches.

Bolder cybercriminals

A few years back, cybercriminals played psychological games before getting bank passwords and using their technical know-how to steal money from people's accounts. They are bolder now because it is easy for them to buy ransomware software-as-a-service and learn hacking techniques from online video-sharing sites, like YouTube. Some cyber gangs are even offering their services for a business hacking set up for a fee, typically a share of the profits.

Cryptocurrency made the hackers bolder, as they can extort unlimited and anonymous cash payments. With the anonymity of bitcoin transfers, hackers found out they can demand higher amounts from their victims.

You can also blame the rise in cyberattacks on the behavior of some firms that are willing to pay millions of dollars in bitcoin.

However, attacks will stop if firms and data security experts ensure that hacking will not be profitable anymore.

Are cyber attacks getting a higher profile or actually rising?

The answer to both questions is yes. Ransomware is becoming more common because it is straightforward to execute. Hackers use software to poke around security holes or by tricking network users using phishing scam tactics like sending malware that seem to come from a trusted source. In addition, some large companies have been lax with their network security protocols, which cybersecurity experts learned recently.

One such case is the supply chain attack at Colonial Pipeline, whose CEO Joseph Blount admitted before Congress that the company does not use multifactor authentication when users log in.

Based on the Internet Crime Report released in 2020, the FBI received close to 2,500 ransomware reports in 2020, 20 percent higher than the reported cases in 2019. The FBI also noted that the collective cost of the ransomware attacks in 2020 was close to $29.1 million. It is equivalent to a 200 percent increase over 2019, wherein the cost reached $8.9 million.

Another contributing factor to the rise in ransomware attacks is the growing number of online users. The coronavirus pandemic caused a spike in worldwide internet usage. Many students and workers are working and learning remotely.

Cybercrime Magazine predicts that ransomware will cost victims about $265 billion each year starting 2031. Attacks are likely to occur every two seconds as hackers refine their malware attacks and extortion practices.

Impact of ransomware on business

We already know how ransomware can have devastating effects on businesses, large or small. But it pays to be reminded time and again because even enterprises can become victims. Cybercriminals continue to exploit vulnerabilities in network security systems. In addition, many hacking gangs are using ransomware and denial-of-service attacks for financial gains.

Aside from the increasing occurrence of ransomware attacks, the cost of the attacks is growing as well. Ransomware paralyzes a company's digital network and associated devices. Because sensitive business data is breached, business operations, particularly for supply chains, are affected--thus, companies prefer to pay a ransom.

But theoretically, even if the company pays ransom, there is no guarantee that the sensitive data has not been copied. Likewise, there is no guarantee that attackers will return all the data or that the decryption key will work. In the case of Colonial, the decryption key hackers gave them after paying the ransom was too slow. So Colonial resorted to using their backup files. Kaseya, on the other hand, preferred to work with a third party for a decryption key.

Preventing ransomware infection

The FBI advises companies never to pay ransom to cybercriminals because it encourages them to launch more attacks. Some ways to prevent such attacks include:

• Working with a cybersecurity firm that provides the best security system that fits a business' current and future needs is one of your primary options.

• Staying vigilant is another way to thwart infection. If your systems are slowing down for no apparent reason, disconnect from the internet and shut it down. Then, you can call your network security provider and seek their help. The Biden administration encourages businesses to beef up their cybersecurity programs and review their corporate security plans. Further, you should cooperate with the FBI and the Ransomware and Digital Extortion Task Force of the U.S. Department of Justice.

Aside from the technical aspect of assuring cybersecurity, sometimes it pays to go back to basics.

• Use security training so your employees will have a better understanding of the importance and meaning of cybersecurity. In addition, employees should learn to ensure the protection of the entire company from cyber attacks.

• Train yourself and your staff not to click on links from unverified sources, as phishing emails are one of the methods to spread malware and make your company an easy target. Always scan emails, and notify employees of out-of-network emails.

• Practice creating regular backups of your data. Have at least two data backups and store them at separate locations. Grant access to your backup only to your most trusted staff.

• Use data encryption to protect emails, file exchanges, and personal information.

• Ensure that you upgrade all your applications regularly so you can fix vulnerabilities.

• Use password managers to ensure that all employees will have stronger passwords. Instruct employees to use different passwords to log in to the other applications you use in your company.

Conclusion

Ransomware attacks are rampant, due to their ease and profitability. Knowing about the activities of cybercriminal gangs and providing employee training on cybersecurity is vital. Combining technological expertise and basic security practices will help mitigate ransomware infection. However, it's important not to panic and know the security measures you should follow.

Source

ProxyShell is the name of an attack that uses three chained Microsoft Exchange vulnerabilities to perform unauthenticated, remote code execution.

The three vulnerabilities, listed below, were discovered by Devcore Principal Security Researcher Orange Tsai, who chained them together to take over a Microsoft Exchange server in April's Pwn2Own 2021 hacking contest.

• CVE-2021-34473 - Pre-auth Path Confusion leads to ACL Bypass (Patched in April by KB5001779)
• CVE-2021-34523 - Elevation of Privilege on Exchange PowerShell Backend (Patched in April by KB5001779)
• CVE-2021-31207 - Post-auth Arbitrary-File-Write leads to RCE (Patched in May by KB5003435)

Last week, Orange Tsai gave a Black Hat talk about recent Microsoft Exchange vulnerabilities he discovered when targeting the Microsoft Exchange Client Access Service (CAS) attack surface.

Tsai revealed that the ProxyShell exploit uses Microsoft Exchange's AutoDiscover feature to perform an SSRF attack as part of the talk.

After watching the talk, security researchers PeterJson and Nguyen Jang published more detailed technical information about successfully reproducing the ProxyShell exploit.

Soon after, security researcher Kevin Beaumont began seeing threat actors scan for Microsoft Exchange servers vulnerable to ProxyShell.

ProxyShell actively exploited to drop webshells

Today, Beaumont and NCC Group's vulnerability researcher Rich Warren disclosed that threat actors have exploited their Microsoft Exchange honeypots using the ProxyShell vulnerability.

When exploiting Microsoft Exchange, the attackers are using an initial URL like:

https://Exchange-server/autodiscover/autodiscover.json?@foo.com/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@foo.com

Note: The email address listed in the URL does not have to exist and change between attackers.

The exploit is currently dropping a webshell that is 265KB in size to the 'c:\inetpub\wwwroot\aspnet_client\' folder.

Last week, Jang explained to BleepingComputer that 265KB is the minimum files size that can be created using the ProxyShell exploit due to its abuse of the Mailbox Export function of Exchange Powershell to create PST files.

From a sample shared by Warren with BleepingComputer, the webshells consist of a simple authentication-protected script that the threat actors can use to upload files to the compromised Microsoft Exchange server.

Warren said the threat actors use the first webshell to upload an additional webshell to a remotely accessible folder and two executables to the C:\Windows\System32 folders, listed below:

C:\Windows\System32\createhidetask.exe
C:\Windows\System32\ApplicationUpdate.exe

If the two executables can't be found, another webshell will be created in the following folder as random-named ASPX files.

C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\

The attackers use the second webshell to launch the 'createhidetask.exe,' which creates a scheduled task named 'PowerManager' that launches the 'ApplicationUpdate.exe' executable at 1 AM every day.

Warren told BleepingComputer that the ApplicationUpdate.exe executable is a custom .NET loader used as a backdoor.

"ApplicationUpdate.exe is the .NET loader which fetches another .NET binary from a remote server (which is currently serving a benign payload)," explained Warren.

While the current payload is benign, it is expected to be swapped out with a malicious payload once enough servers are compromised.

Cybersecurity intelligence firm Bad Packets told BleepingComputer that they currently see threat actors scan for vulnerable ProxyShell devices from IP addresses in the USA, Iran, and the Netherlands.

The known addresses are:

• 3.15.221.32
• 194.147.142.0/24

BadPackets also said that the email domains used in the scans have been from @abc.com and @1337.com, as shown below.

Now that threat actors are actively exploiting vulnerable Microsoft Exchange servers, Beaumont advises admins to perform Azure Sentinel queries to check if their devices have been scanned.

W3CIISLog
| where csUriStem == "/autodiscover/autodiscover.json"
| where csUriQuery has "PowerShell" | where csMethod == "POST"

For those who have not updated their Microsoft Exchange server recently, it is strongly recommended to do so immediately.

As the previous ProxyLogon attacks led to ransomware, malware, and data theft on exposed servers, we will likely see similar attacks using ProxyShell.

Microsoft Exchange servers are getting hacked via ProxyShell exploits

At the same time, the admin announced plans for setting up a platform for darknet markets to set up shop with a strong focus on anonymity.

AlphaBay OG announces comeback

AlphaBay started in 2014 and it became the largest darknet market. The business ended when law enforcement took it down on July 5, 2017.

In Thailand, the police arrested Alexander Cazes, a Canadian citizen using the online alias Alpha02/Admin and one of the two AlphaBay administrators.

Someone named DeSnake was the other partner, responsible for the security of the market, and was never caught by the police.

At the end of last week, DeSnake announced on a dark web forum that the AlphaBay market reopened and was ready for business.

Tom Robinson, co-founder of blockchain analysis company Elliptic, found DeSnake’s messages to the darknet market community, where they introduced themselves as the “security administrator and co-founder of AlphaBay.”

DeSnake provided their original public PGP key used in the heydays of the illegal market to prove their claims, allowing anyone to verify the identity on public PGP keyservers:

One darknet user confirmed DeSnake’s key and that they were part of the original AlphaBay tech staff. Another one confirmed the admin’s identity after private conversations on “things that only he knew as a staff member of AlphaBay.”

One concern is that the admin may be doing this project from a compromised position, following instructions from law enforcement to trap vendors of illegal products.

One network for many markets

In a lengthy, five-part statement, DeSnake explains that they want to set new standards for a sustainable model and build a “professionally-run, anonymous, secure marketplace.”

The vision down the line is bigger than this, though. DeSnake aims to develop an autonomous and anonymous Decentralized Market Network where anyone can set up a marketplace.

From their description, it looks like an Amazon of darknet markets that allows vendors and buyers to roam from one market to another using one account and without having to trust any of them with their cryptocurrency.

DeSnake says that the new AlphaBay has been built to last, using secure and audited code, bulletproof servers, and safeguards against disruptions caused by hardware failure, police raids, or seizures.

The admin also advertised an automated system called AlphaGuard that “assures users/vendors can access their wallet funds (including escrow) at any time on I2P/Tor.”

Another system in place is Automatic Dispute Solver, which aims at solving problems between buyers and sellers without the intervention of a moderator.

DeSnake also laid out a set of rules for the new AlphaBay to avoid drawing unnecessary attention from law enforcement:

• NO harming others (hitman service etc.)
• NO guns/guns discussions (even for self-defense)
• NO erotica/porn of any sorts (logins for major sites are okay)
• NO fentanyl or fentanyl-laced/based substances
• NO Covid-19 vaccines of any sorts
• NO doxing or threats of doxing
• NO any Russia/Belarus/Kazakhstan/Armenia/Kyrgyzstan-related activity (people, organizations, governments) or citizens data
• NO ransomware selling, recruiting for access to deploy ransomware or ransomware discussions

Flashpoint researchers note that the rule restricting activity related to former Soviet Union countries is typical for threat actors based in those regions, to avoid scrutiny from local law enforcement.

AlphaBay now uses only Monero cryptocurrency and currently has only two featured listings, both for drugs.

Statistics for the forum show 19 members that exchanged 72 messages.

In its glory days, AlphaBay served over 200 000 users and 40 000 vendors. It had more than 250,000 listings for drugs and toxic chemicals alone.

Stolen and fake identification documents, malware, hacking tools, firearms, and fraudulent services accounted for another 100,000 listings.

It is estimated that the market transacted at least $1 billion worth of cryptocurrency (mostly Bitcoin) since its creation.

By comparison, the infamous SilkRoad had a little over 950,000 users and about 14,000 listings, most of them for drugs. It transacted 9.5 million bitcoins in two-years time, valued at $1.2 billion at the time.

Notorious AlphaBay darknet market comes back to life

Netflix's new "VPN" block policies can catch innocent users in the crossfire.

Netflix is adding residential IP addresses to its VPN blocklists

Dubbed "Ficker Stealer," it's notable for being propagated via Trojanized web links and compromised websites, luring in victims to scam landing pages purportedly offering free downloads of legitimate paid services like Spotify Music, YouTube Premium, and other Microsoft Store applications.

"Ficker is sold and distributed as Malware-as-a-Service (MaaS), via underground Russian online forums," BlackBerry's research and intelligence team said in a report published today. "Its creator, whose alias is @ficker, offers several paid packages, with different levels of subscription fees to use their malicious program."

First seen in the wild in August 2020, the Windows-based malware is used to steal sensitive information, including login credentials, credit card information, cryptocurrency wallets, and browser information, in addition to functioning as a tool to grab sensitive files from the compromised machine, and act as a downloader to download and execute additional second-stage malware.

Additionally, Ficker is known to be delivered through spam campaigns, which involve sending targeted phishing emails with weaponized macro-based Excel document attachments that, when opened, drops the Hancitor loader, which then injects the final payload using a technique called process hollowing to avoid detection and mask its activities.

In the months that followed since its discovery, the digital threat has been found leveraging DocuSign-themed lures to install a Windows binary from an attacker-controlled server. CyberArk, in an analysis of the Ficker malware last month, noted its heavily obfuscated nature and Rust roots, making the analysis more difficult, if not prohibitive.

"Once the fake DocuSign document is opened and its malicious macro code is allowed to run, Hancitor will often reach out to its command-and-control (C2) infrastructure to receive a malicious URL containing a sample of Ficker to download," BlackBerry researchers said.

Aside from relying on obfuscation techniques, the malware also incorporates other anti-analysis checks that prevent it from running on virtualized environments and on victim machines located in Armenia, Azerbaijan, Belarus, Kazakhstan, Russia, and Uzbekistan. Also worthy of particular note is that, unlike traditional information stealers, Ficker is designed to execute the commands and exfiltrate the information directly to the operators instead of writing the stolen data to disk.

"The malware also has screen-capturing abilities, which allow the malware's operator to remotely capture an image of the victim's screen. The malware also enables file-grabbing and additional downloading capabilities once connection to its C2 is established," the researchers said. "Once information is sent back to Ficker's C2, the malware owner can access and search for all exfiltrated data."

Source

"These people are beyond privacy and security. I really hope that their services are better than what I saw as an insider," read a message posted on the data leak website. Accenture said it has since restored the affected systems from backups.

LockBit, like its now-defunct DarkSide and REvil counterparts, operates using a ransomware-as-a-service (RaaS) model, roping in other cybercriminals (aka affiliates) to carry out the intrusion using its platform, with the payments often divided between the criminal entity directing the attack and the core developers of the malware.

The ransomware group emerged on the threat landscape in September 2019, and in June 2021 launched LockBit 2.0 along with an advertising campaign to recruit new partners. "LockBit also claims to offer the fastest data exfiltration on the market through StealBit, a data theft tool that can allegedly download 100 GB of data from compromised systems in under 20 minutes," Emsisoft noted in a profile of the crime syndicate.

Some of LockBit's past victims include the Press Trust of India and Merseyrail.

The development comes as ransomware incidents have become a critical threat to national and economic security that have left businesses scrambling to pay hefty extortion demands.

The spike in attacks against corporate and critical infrastructure have also been increasingly accompanied by a tactic called "triple extortion," wherein sensitive data on a target's systems is extracted prior to locking up through encryption, followed by applying pressure on victim companies into paying up by threatening to publish the stolen data online, failing which, the attackers then adopt a third phase, using that data to blackmail its customers or launch DDoS attacks.

"Through our security controls and protocols, we identified irregular activity in one of our environments. We immediately contained the matter and isolated the affected servers. We fully restored our affected systems from back up. There was no impact on Accenture's operations, or on our clients' systems," Accenture said in a statement shared with The Hacker News.

Source

As the Chinese decentralized finance (DeFi) platform Poly Network shared two hours ago, the hacker has already returned almost $260 million worth of stolen cryptocurrency.

In total, the attacker has transferred back $256 million Binance Smart Chain (BSC) tokens, $3.3 million in Ethereum tokens, and $1 million in USD Coin (USDC) on the Polygon network.

To send back all the stolen funds, the hacker still has to return another $269 million on Ethereum and $84 million on Polygon.

Motives behind returning the stolen assets unknown

The threat actor explained the motivation for the hack by embedding Q&A messages in transactions (as Elliptic Chief Scientist and Co-founder Tom Robinson found), the motives behind their decision to give back the stolen cryptocurrency are not yet known.

However, it could have been prompted by blockchain security firm SlowMist's claims that it traced the attacker's email address, IP address, and device fingerprint.

SlowMist also discovered that the assets used to fund the attack were Monero (XMR) exchanged to BNB, ETH, MATIC, and other tokens.

In a weird twist of events, Poly Network also urged the hacker to return the cryptocurrency stolen from "thousands of crypto community members" to avoid landing on law enforcement's radar.

The biggest cryptocurrency hack ever

Following a preliminary investigation of the attack, Poly Network said the threat actor exploited a vulnerability between contract calls which allowed them to gain ownership of funds and transfer them to attacker-controlled wallets:

• Ethereum: 0xC8a65Fadf0e0dDAf421F28FEAb69Bf6E2E589963
• Binance Smart Chain: 0x0D6e286A7cfD25E0c01fEe9756765D8033B32C71
• Polygon: 0x5dc3603C9D42Ff184153a8a9094a73d461663214

"This attack is mainly because the keeper of the EthCrossChainData contract can be modified by the EthCrossChainManager contract, and the verifyHeaderAndExecuteTx function of the EthCrossChainManager contract can execute the data passed in by the user through the _executeCrossChainTx function," SlowMist further explained.

"Therefore, the attacker uses this function to pass in carefully constructed data to modify the keeper of the EthCrossChainData contract."

After Poly Network disclosed the attack, Binance CEO Changpeng Zhao said the company was coordinating with security partners to remediate the situation.

OKEx, Tether, and Huobi also added that their security teams were working on freezing cryptocurrency assets identified as stolen in the attack.

Hacker behind biggest cryptocurrency heist ever returns stolen funds

"We found a simple loophole that allowed us to intercept a portion of worldwide dynamic DNS traffic going through managed DNS providers like Amazon and Google," researchers Shir Tamari and Ami Luttwak from infrastructure security firm Wiz said.

Calling it a "bottomless well of valuable intel," the treasure trove of information contains internal and external IP addresses, computer names, employee names and locations, and details about organizations' web domains. The findings were presented at the Black Hat USA 2021 security conference last week.

"The traffic that leaked to us from internal network traffic provides malicious actors all the intel they would ever need to launch a successful attack," the researchers added. "More than that, it gives anyone a bird's eye view on what's happening inside companies and governments. We liken this to having nation-state level spying capability – and getting it was as easy as registering a domain."

The exploitation process hinges on registering a domain on Amazon's Route53 DNS service (or Google Cloud DNS) with the same name as the DNS name server — which provides the translation (aka resolution) of domain names and hostnames into their corresponding Internet Protocol (IP) addresses — resulting in a scenario that effectively breaks the isolation between tenants, thus allowing valuable information to be accessed.

In other words, by creating a new domain on the Route53 platform inside AWS name server with the same moniker and pointing the hosted zone to their internal network, it causes the Dynamic DNS traffic from Route53 customers' endpoints to be hijacked and sent directly to the rogue and same-named server, thus creating an easy pathway into mapping corporate networks.

"The dynamic DNS traffic we wiretapped came from over 15,000 organizations, including Fortune 500 companies, 45 U.S.

government agencies, and 85 international government agencies," the researchers said. "The data included a wealth of valuable intel like internal and external IP addresses, computer names, employee names, and office locations."

While Amazon and Google have since patched the issues, the Wiz research team has also released a tool to let companies test if their internal DDNS updates are being leaked to DNS providers or malicious actors.

Source

A new AdLoad malware variant is slipping through Apple's YARA signature-based XProtect built-in antivirus tech to infect Macs as part of multiple campaigns tracked by American cybersecurity firm SentinelOne.

AdLoad is a widespread trojan targeting the macOS platform since at least since late 2017 and used to deploy various malicious payloads, including adware and Potentially Unwanted Applications (PUAs), 

This malware can also harvest system information that later gets sent to remote servers controlled by its operators.

Increasingly active since July

These massive scale and ongoing attacks have started as early as November 2020, according to SentinelOne threat researcher Phil Stokes, with an increase in activity beginning with July and the beginning of August.

Once it infects a Mac, AdLoad will install a Man-in-The-Middle (MiTM) web proxy to hijack search engine results and inject advertisements into web pages for monetary gain.

It will also gain persistence on infected Macs by installing LaunchAgents and LaunchDaemons and, in some cases, user cronjobs that run every two and a half hours.

While monitoring this campaign, the researcher observed more than 220 samples, 150 of them unique and undetected by Apple's built-in antivirus even though XProtect now comes with roughly a dozen AdLoad signatures.

Many of the samples detected by SentinelOne are also signed with valid Apple-issued Developer ID certificates, while others are also notarized to run under default Gatekeeper settings.

"At the time of writing, XProtect was last updated around June 15th. None of the samples we found are known to XProtect since they do not match any of the scanner’s current set of Adload rules," Stokes concluded.

"The fact that hundreds of unique samples of a well-known adware variant have been circulating for at least 10 months and yet still remain undetected by Apple’s built-in malware scanner demonstrates the necessity of adding further endpoint security controls to Mac devices."

Hard to ignore threat

To put things into perspective, Shlayer, another common macOS malware strain that has also been able to bypass XProtect before and infect Macs with other malicious payloads, has hit over 10% of all Apple computers monitored by Kaspersky.

Its creators also got their malware through Apple's automated notarizing process and included the ability to disable the Gatekeeper protection mechanism to run unsigned second-stage payloads.

Shlayer also recently exploited a macOS zero-day to bypass Apple's File Quarantine, Gatekeeper, and Notarization security checks and download second-stage malicious payloads on compromised Macs.

While both AdLoad and Shlayer now only deploy adware and bundleware as secondary payloads, their creators can quickly switch to more dangerous malware, including ransomware or wipers, at any time.

"Today, we have a level of malware on the Mac that we don’t find acceptable and that is much worse than iOS," said Craig Federighi, Apple’s head of software, under oath while testifying in the Epic Games vs. Apple trial in May.

New AdLoad malware variant slips through Apple's XProtect defenses

The universal decryption key for REvil's attack on Kaseya's customers has been leaked on hacking forums allowing researchers their first glimpse of the mysterious key.

On July 2nd, the REvil ransomware gang launched a massive attack on managed service providers worldwide by exploiting a zero-day vulnerability in the Kaseya VSA remote management application.

This attack encrypted approximately sixty managed service providers and an estimated 1,500 businesses, making it possibly the largest ransomware attack in history.

After the attack, the threat actors demanded a $70 million ransom to receive a universal decryptor that could be used to decrypt all victims of the Kaseya ransomware attack.

However, the REvil ransomware gang mysteriously disappeared, and soon after, the gang's Tor payment sites and infrastructure were shut down.

The gang's disappearance prevented companies who may have needed to purchase a decryptor now unable to do so.

On July 22nd, Kaseya obtained a universal decryption key for the ransomware attack from a mysterious "trusted third party" and began distributing it to affected customers.

Before sharing the decryptor with customers, CNN reported that Kaseya required them to sign a non-disclosure agreement, which may explain why the decryption key hasn't shown up until now.

It is generally believed that Russian intelligence received the decryptor from the ransomware gang and shared it with US law enforcement as a gesture of goodwill.

Decryption key leaked on a hacking forum

Yesterday, security researcher Pancak3 told BleepingComputer that someone posted a screenshot of what they claimed was a universal REvil decryptor on a hacking forum.

This post linked to a screenshot on GitHub that showed an REvil decryptor running while displaying a base64 hashed 'master_sk' key. This key is 'OgTD7co7NcYCoNj8NoYdPoR8nVFJBO5vs/kVkhelp2s=', as shown below.

When REvil ransomware victims pay a ransom, they receive either a decryptor that works for a single encrypted file extension or a universal decryptor that works for all encrypted file extensions used in a particular campaign or attack.

The screenshot above is for a universal REvil decryptor that can decrypt all extensions associated with the attack.

To be clear, while it was originally thought that the decryption key in this screenshot might be the master 'operator' key for all REvil campaigns, BleepingComputer has confirmed that it is only the universal decryptor key for victims of the Kaseya attack.

This was also confirmed by Emsisoft CTO and ransomware expert Fabian Wosar.

BleepingComputer tested the leaked key by patching an REvil universal decryptor with the decryption key leaked in the screenshot.

After patching the decryptor, we encrypted a virtual machine with REvil ransomware samples used in the Kaseya attack.

As shown in our video below, we then used our patched REvil Universal Decryptor to decrypt the encrypted files successfully.

Security firm Flashpoint also confirmed that they could decrypt files encrypted during the Kaseya ransomware attack using this decryption key.

We also tried the decryptor on other REvil samples we have accumulated over the past two years. The decryptor did not work, indicating it is not the master decryption key for all REvil victims.

It is not clear why the Kaseya decryptor was posted on a hacking forum, which is an unlikely place for a victim to post.

However, BleepingComputer was told by numerous sources in the cybersecurity intelligence industry that they believe that the poster is affiliated with the REvil ransomware gang rather than a victim.

Regardless of the reasons for it being posted, for those following the Kaseya ransomware attack, this is our first access to the universal decryptor key that Kaseya mysteriously received.

Kaseya's universal REvil decryption key leaked on a hacking forum

New features build on Total Cookie Protection, simplifying privacy management.

Today’s Firefox 91 release adds new site-wide cookie-clearing action

Mozilla says that starting with Firefox 91, users will be able to fully erase the browser history for all visited websites, thus preventing privacy violations due to "sneaky third-party cookies sticking around."

This change builds on the inclusion of default blocks for cross-site tracking in private browsing, first introduced after Total Cookie Protection was released with Firefox 86 in February.

The new feature, dubbed Enhanced Cookie Clearing, helps you delete all cookies and supercookies stored on your computer by websites or web trackers.

Enhanced Cookie Clearing is triggered automatically whenever you're clearing cookies and other site data after enabling Strict Tracking Protection.

"When you decide to tell Firefox to forget about a website, Firefox will automatically throw away all cookies, supercookies and other data stored in that website's cookie jar," Mozilla said.

"This 'Enhanced Cookie Clearing' makes it easy to delete all traces of a website in your browser without the possibility of sneaky third-party cookies sticking around."

HTTPS enabled by default in private browsing

Mozilla also announced today that, starting with Firefox 91, private browsing windows will automatically switch to secure HTTPS connections by default.

By upgrading all connections to HTTPS, Mozilla aims to protect users from man-in-the-middle (MITM) attacks trying to snoop on or alter data exchanged with web servers over the unencrypted HTTP protocol.

"Whenever you enter an insecure (HTTP) URL in Firefox's address bar, or you click on an insecure link on a web page, Firefox will now first try to establish a secure, encrypted HTTPS connection to the website," Mozilla explained.

"In the cases where the website does not support HTTPS, Firefox will automatically fall back and establish a connection using the legacy HTTP protocol instead."

Mozilla has added an HTTPS-Only Mode starting with Firefox 83 to secure web browsing by rewriting URLs to use HTTPS (even though this feature is disabled by default, it can be easily enabled from the browser's settings).

Microsoft Edge can also be configured to switch secure HTTPS connections when connecting over HTTP by enabling an experimental Automatic HTTPS option available in the Canary and Developer preview channels.

In April, Google updated Chrome to default to HTTPS for all URLs typed in the address bar if the user doesn't specify a protocol.

According to Mozilla, while browsing the web in private mode, Firefox defends your privacy using several privacy protection technologies, all enabled by default:

• Total Cookie Protection isolates cookies to the site where they were created
• Supercookie protections stop supercookies from following you from site to site
• Cookies and caches are cleared at the end of every Private Browsing session and aren't shared with standard windows
• Trackers are blocked, including cookies, scripts, tracking pixels, and other resources from domains on Disconnect's list of known trackers
• Many fingerprinting scripts are blocked, according to Disconnect's list of invasive fingerprinting domains
• SmartBlock intelligently fixes up web pages that were previously broken when tracking scripts were blocked

To go into private browsing mode, you have to open the Application Menu by clicking the button (☰) on the top right and choosing "New Private Window."

You can also use keyboard shortcuts to enable private browsing mode using Ctrl + Shift + P (or Cmd + Shift + P on macOS)

Firefox adds enhanced cookie clearing, HTTPS by default in private browsing

Netgear might have revealed its most secure router software yet

Some of the products are free to use at the time of writing, but Mozilla revealed plans to increase the functionality of the products to make the bundle more attractive.

Sören Hentzschel, a blogger and Mozilla contributor from Germany, discovered mockups of Mozilla Privacy Packs. The mockups provide an overview but may differ from the final product when it is released. The price point, as displayed in the mockups, is between $9.99 and $12.99 per month. Mozilla VPN is available for $9.99 per month or $4.99 for the 12-month plan as a standalone product.

Firefox Relay, Mozilla's email forwarding service, and Firefox Monitor, the organization's data breach monitoring service, are both included in the package.

Mozilla Privacy Pack customers get enhanced versions of both products. Firefox Relay will support an unlimited number of email aliases, opposed to five email aliases of the free version of the product. Customers may also integrate custom domains in the product, but only as a subdomain of Mozilla's mozmail.com domain. Aliases would then be available in the form alias@<yourdomain>.mozmail.com.

Firefox Monitor removes the email address limit of the service. Mozilla Privacy Pack subscribers are not limited in the number of email addresses that they may add to the service. Another new feature is the "remove my data" form. Customers may order Mozilla to remove their data from websites using a new form. It is not entirely clear how this removal feature will work at this point.

Mozilla VPN, the third service that is part of the organization's Privacy Pack subscription service, does not come with extra features.

Hentzschel notes that the pack may include additional services and tools. Mozilla seems to be working on a mobile application to control all three services in a single interface. Customers may gain access to privacy guides.

Closing Words

Mozilla Privacy Pack is another commercial product by Mozilla. The organization launched Mozilla VPN some time ago in order to reduce its dependence on search engine deals.

Who is this for? Mozilla VPN customers who pay by the month may get a better deal out of the new offer. The enhanced Firefox Relay and Firefox Monitor functionality improves both services. It is unclear if the improved versions will also be available as standalone upgrades, or if they are exclusively available in the Privacy Pack.

All in all, it may be an attractive package for Firefox enthusiasts who are already using Mozilla VPN and/or the other services, or Firefox supporters, provided that the price of the product is not too high.

Mozilla's plan to offer a Privacy Pack

Microsoft has fixed 44 vulnerabilities (51 including Microsoft Edge) with today's update, with seven classified as Critical and 37 as Important.

Of the 44 vulnerabilities, 13 are remote code execution, eight are information disclosure, two are denial of service, and four are spoofing vulnerabilities.

For information about the non-security Windows updates, you can read about today's Windows 10 KB5005033 & KB5005031 cumulative updates.

Microsoft fixes PrintNightmare and PetitPotam attacks

Microsoft has released security updates for two eagerly anticipated zero-day vulnerabilities that were discovered over the past month.

One of the security updates fixes the PrintNightmare vulnerabilities that allow threat actors to gain SYSTEM level privileges simply by connecting to a remote print server under their control.

Microsoft has fixed this vulnerability by requiring users have administrative privileges to install printer drivers using the Point and Print Windows feature.

You can find more detailed information about the PrintNightmare vulnerability and the Point and Print mitigations in a dedicated article published today.

Microsoft also fixed the PetitPotam NTLM relay attack vector that uses the MS-EFSRPC API to force a device to negotiate with a remote relay server under an attacker's control.

A threat actor with low privileges could use this attack to take over a domain controller and thus the entire Windows domain.

Three zero-days fixed, with one actively exploited

August's Patch Tuesday includes three zero-day vulnerabilities, with one actively exploited in the wild.

Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official security updates or released.

The two publicly disclosed, but not actively exploited, zero-day vulnerabilities are:

• CVE-2021-36936 - Windows Print Spooler Remote Code Execution Vulnerability
• CVE-2021-36942 - Windows LSA Spoofing Vulnerability

The CVE-2021-36942 vulnerability is associated with the PetitPotam NTLM relay attack vector that allows the take over of domain controllers.

Finally, one actively exploited elevation of privileges vulnerability was discovered by the Microsoft Security Response Center (MSRC) and Microsoft Threat Intelligence Center (MSTIC).

• CVE-2021-36948 - Windows Update Medic Service Elevation of Privilege Vulnerability

It is unknown how threat actors used this vulnerability in attacks at this time.

Recent updates from other companies

Other vendors who released updates in July include:

• Adobe released security updates for two products.
• Android's August security updates were released last week.
• Cisco released security updates for numerous products this month.
• SAP released its August 2021 security updates.
• VMware released security updates for VMware Workspace ONE 

The August 2021 Patch Tuesday Security Updates

Below is the complete list of resolved vulnerabilities and released advisories in the August 2021 Patch Tuesday updates. To access the full description of each vulnerability and the systems that it affects, you can view the full report here.

PrintNightmare is a vulnerability that allows privilege escalation by letting regular users install fake printer drivers which grant hackers admin privileges.

After a number of patched is various efficacy Microsoft has chosen to fix the issue with this month’s Patch Tuesday by requiring users to have admin privileges before they can install printer drivers.

Microsoft notes:

Our investigation into several vulnerabilities collectively referred to as “PrintNightmare” has determined that the default behavior of Point and Print does not provide customers with the level of security required to protect against potential attacks.

 

Today, we are addressing this risk by changing the default Point and Print driver installation and update behavior to require administrator privileges. The installation of this update with default settings will mitigate the publicly documented vulnerabilities in the Windows Print Spooler service. This change will take effect with the installation of the security updates released on August?10, 2021 for all versions of Windows, and is documented as CVE-2021-34481.

This means regular users will not be able to install printer drivers without the assistance of an admin, but given how rarely this is needed this is unlikely to be a major issue. If it is a major inconvenience however this behaviour can be bypassed via the registry, but this is of course not recommended.

Admins can read more about the issue at CVE-2021-34481.

via onMSFT

Patch Tuesday fixes PrintNightmare by requiring admin privileges to install print drivers