<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/152/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>FlyTrap malware hijacks thousands of Facebook accounts</title><link>https://nsaneforums.com/news/security-privacy-news/flytrap-malware-hijacks-thousands-of-facebook-accounts-r1717/</link><description><![CDATA[<p>
	A new Android threat that researchers call FlyTrap has been hijacking Facebook accounts of users in more than 140 countries by stealing session cookies.
</p>

<p>
	FlyTrap campaigns rely on simple social engineering tactics to trick victims into using their Facebook credentials to log into malicious apps, which then collect data associated with the social media session.
</p>

<p>
	Researchers at mobile security company Zimperium detected the new piece of malware and found that the stolen information was accessible to anyone who discovered FlyTrap’s command and control (C2) server.
</p>

<h3>
	Luring with high-quality apps
</h3>

<p>
	FlyTrap campaigns have been running since at least March. The threat actor used malicious applications with high-quality design, distributed through Google Play and third-party Android stores.
</p>

<p>
	The lure consisted of offers for free coupon codes (for Netflix, Google AdWords) and voting for the favorite soccer team or player, in tune with the delayed UEFA Euro 2020 competition.
</p>

<p>
	<img alt="FlyTrapMalApps_Zimperium.jpg" class="ipsImage" data-ratio="75.10" height="540" width="395" src="https://www.bleepstatic.com/images/news/u/1100723/Malware/FlyTrapMalApps_Zimperium.jpg">
</p>

<p>
	Getting the promised reward required logging into the app with Facebook credentials, with the authentication itself taking place on the legitimate social media domain.
</p>

<p>
	Since the malicious apps use the real Facebook single sign-on (SSO) service, they can’t collect users’ credentials. Instead, FlyTrap relies on JavaScript injection to harvest other sensitive data.
</p>

<blockquote>
	<p>
		“Using this technique, the application opens the legit URL inside a WebView configured with the ability to inject JavaScript code and extracts all the necessary information such as cookies, user account details, location, and IP address by injecting malicious JS code”
	</p>
</blockquote>

<p>
	All the information collected this way goes to FlyTrap’s C2 server. More than 10,000 Android users in 144 countries fell victim to this social engineering.
</p>

<p>
	<img alt="FlyTrapTrojanSpread_Zimperium.jpg" class="ipsImage" data-ratio="75.10" height="424" width="720" src="https://www.bleepstatic.com/images/news/u/1100723/Malware/FlyTrapTrojanSpread_Zimperium.jpg">
</p>

<p>
	The numbers come straight from the command and control server, which the researchers were able to access because the database with the stolen Facebook session cookies was exposed to anyone on the internet.
</p>

<p>
	Zimperium’s Aazim Yaswant says in a blog post today that FlyTrap’s C2 server had multiple security vulnerabilities that facilitated access to the stored information.
</p>

<p>
	The researcher notes that accounts on social media platforms are a common target for threat actors, who can use them for fraudulent purposes like artificially boosting the popularity of pages, sites, products, misinformation, or a political message.
</p>

<p>
	He highlights the fact that credential-stealing phishing pages are not the only way an attacker can get into an account on an online service: logging in on the legitimate domain can also come with risks.
</p>

<div>
	<p>
		“Just like any user manipulation, the high-quality graphics and official-looking login screens are common tactics to have users take action that could reveal sensitive information. In this case, while the user is logging into their official account, the FlyTrap Trojan is hijacking the session information for malicious intent” - <a href="https://blog.zimperium.com/flytrap-android-malware-compromises-thousands-of-facebook-accounts/" rel="external nofollow" target="_blank">Aazim Yaswant</a>, Android malware researcher, Zimperium
	</p>
</div>

<p>
	Despite not using a new technique, FlyTrap managed to hijack a significant number of Facebook accounts. With a few modifications, it could turn into a more dangerous threat for mobile devices, the researcher says.
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/flytrap-malware-hijacks-thousands-of-facebook-accounts/" rel="external nofollow">FlyTrap malware hijacks thousands of Facebook accounts</a>
</p>
]]></description><guid isPermaLink="false">1717</guid><pubDate>Tue, 10 Aug 2021 05:38:31 +0000</pubDate></item><item><title>Vulnerability found in Kindle e-reader</title><link>https://nsaneforums.com/news/security-privacy-news/vulnerability-found-in-kindle-e-reader-r1713/</link><description><![CDATA[<p>
	A team of researchers at security firm Check Point Research has discovered a vulnerability in Kindle e-readers—one that could allow hackers to take over the device, delete data and potentially gain access to Amazon account information. The group has posted an extensive review of the work they have done to discover vulnerabilities in the e-reader on their web page, describing what they found and divulging what Amazon has done to correct the problem.
</p>

<p>
	E-readers are portable electronic devices that allow users to read downloaded text—such devices can be used to read PDF files or books formatted specifically for e-readers. They are typically very thin and light, with screens designed to make text look very similar to printed pages. Amazon began working on an e-reader back in 2004 and began selling its first Kindle in 2007. Since that time the company has produced a very popular series of Kindle devices. In this new effort, the researchers found that the latest version of the Kindle e-reader has a vulnerability that makes it possible for hackers to break into the device by attaching code to an e-book they had created.
</p>

<p>
	The vulnerability was found in the firmware and was determined to be related to a heap overflow in the part of the firmware code related to rendering PDF files, along with a flaw in the code related to escalating local privileges on the device. A hacker, it was found, could attach code to a book they had written and then send it to an unsuspecting victim. Upon opening the e-book, code would launch that would give the hacker unlimited access to the device. Such access, the researchers note, could involve not only stealing e-books, but preventing the user from accessing them, or deleting those that had been downloaded. It could also have allowed the hacker to access the user's Amazon account information.
</p>

<p style="text-align:center;">
	&lt; Watch the video at the <a href="https://techxplore.com/news/2021-08-vulnerability-kindle-e-reader.html" rel="external nofollow">source page</a>. &gt;
</p>

<p>
	The team at Check Point notified Amazon of the vulnerability they had found this past February and Amazon responded by issuing a patch this past May—thus, the vulnerability does not currently pose a threat to Kindle owners, though it does remind them that any device that connects to the Internet holds the potential for breaches by hackers.
</p>

<p>
	<strong><a href="https://techxplore.com/news/2021-08-vulnerability-kindle-e-reader.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1713</guid><pubDate>Tue, 10 Aug 2021 01:32:01 +0000</pubDate></item><item><title>Hackers reportedly threaten to leak data from Gigabyte ransomware attack</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-reportedly-threaten-to-leak-data-from-gigabyte-ransomware-attack-r1707/</link><description><![CDATA[<div>
	<div>
		<p>
			<strong>They reportedly claim to have 112GB of AMD, Intel, and other documents</strong>
		</p>

	</div>
</div>

<div>
	<div>
		<div>
			<p id="RSy9MW">
				<a href="https://www.bleepingcomputer.com/news/security/computer-hardware-giant-gigabyte-hit-by-ransomexx-ransomware/" rel="external nofollow">Gigabyte has been the victim of a cyberattack</a>, which was reportedly the work of a ransomware outfit called RansomEXX. <a href="https://therecord.media/motherboard-vendor-gigabyte-hit-by-ransomexx-ransomware-gang/" rel="external nofollow">According to The Record</a>, the attack didn’t have an impact on any of the company’s production systems, but it did affect some internal servers. Currently, some parts of Gigabyte’s website, including its support section, are down, giving customers issues when <a href="https://www.reddit.com/r/buildapc/comments/p0ym6x/trying_to_rma_gigabyte_rtx_2080_super/" rel="external nofollow">trying to access warranty repair information</a> and <a href="https://www.reddit.com/r/gigabyte/comments/p0uu5x/anyone_have_a_copy_of_the_f4_bios_update_for_the/" rel="external nofollow">updates</a>. The hackers who claim to have carried out the attack are reportedly threatening to release data from the company, including confidential documents from Intel, AMD, and American Megatrends.
			</p>

			<p id="JUVn3o">
				Gigabyte is mainly known for its PC components such as motherboards and graphics cards, but it also has a line of <a href="https://www.theverge.com/22299226/gigabyte-aorus-15g-review-gaming-laptop-price-specs-features" rel="external nofollow">laptops</a> and peripherals like <a href="https://www.theverge.com/2021/4/13/22382201/gigabyte-aorus-4k-gaming-monitor-tv-oled" rel="external nofollow">gaming monitors</a>, which are often branded with the Aorus name.
			</p>

			<p id="hnqs2B">
				According to a ransom note and dark web webpage, seen by <a href="https://www.bleepingcomputer.com/news/security/computer-hardware-giant-gigabyte-hit-by-ransomexx-ransomware/" rel="external nofollow">Bleeping Computer</a> and <a href="https://therecord.media/motherboard-vendor-gigabyte-hit-by-ransomexx-ransomware-gang/" rel="external nofollow">The Record</a>, RansomEXX threatens to publish 112GB of data it got from Gigabyte and an American Megatrends Git repo. Bleeping Computer reports that the hackers also include screenshots of documents from Intel, AMD, and American Megatrends that are under an NDA. American Megatrends creates firmware for motherboard and computer manufacturers as well as for <a href="https://www.ami.com/products/bios-uefi-firmware/chromebook-firmware/" rel="external nofollow">certain Chromebook manufacturers</a>.
			</p>

			<figure>
				<p>
					<img alt="Screen_Shot_2021_08_09_at_11.05.07_AM.pn" class="ipsImage" data-ratio="25.69" height="145" width="720" src="https://cdn.vox-cdn.com/thumbor/fnE-AMqoxeaHdFxZrA1igTEr8bo=/0x0:2664x538/920x0/filters:focal(0x0:2664x538):format(webp):no_upscale()/cdn.vox-cdn.com/uploads/chorus_asset/file/22771758/Screen_Shot_2021_08_09_at_11.05.07_AM.png">
				</p>

				<figcaption>
					Various parts of Gigabyte’s website are nonfunctional.
				</figcaption>
			</figure>

			<p id="M07l9j">
				PC manufacturers aren’t an uncommon target for hackers: earlier this year, <a href="https://www.theverge.com/2021/3/20/22341642/acer-ransomware-microsoft-exchange-revil-security" rel="external nofollow">Acer was reportedly hit with an attack</a> by the REvil group, which would <a href="https://www.theverge.com/2021/4/21/22396283/apple-schematics-leak-ransomware-quanta-supplier-leak" rel="external nofollow">later go on to target one</a> of Apple’s suppliers. In both cases, hackers threatened to release valuable data if the companies didn’t pay exorbitantly high ransoms of $50 million. The scourge of ransomware has also gone beyond traditional tech companies, affecting <a href="https://www.theverge.com/2020/9/17/21443851/death-ransomware-attack-hospital-germany-cybersecurity" rel="external nofollow">hospitals</a>, <a href="https://www.theverge.com/2021/5/8/22426158/cyberattack-forces-shutdown-major-us-fuel-colonial-pipeline" rel="external nofollow">fuel pipelines</a>, <a href="https://www.theverge.com/2021/5/20/22446388/cna-insurance-ransomware-attack-40-million-dollar-ransom" rel="external nofollow">insurance companies</a>, and more.
			</p>

			<p id="4CzVXP">
				In Gigabyte’s case, the sum that the hackers are seeking doesn’t yet appear to be public. Bleeping Computer reports, however, that RansomEXX’s ransom notes direct companies to contact an email address to start negotiations.
			</p>

			<p id="b8THiA">
				Gigabyte didn’t respond to a request for comment, but it <a href="https://therecord.media/motherboard-vendor-gigabyte-hit-by-ransomexx-ransomware-gang/" rel="external nofollow">told The Record</a> that the company has isolated the affected servers, notified law enforcement, and is beginning an investigation. Gigabyte hasn't publicly named RansomEXX as the responsible party.
			</p>
		</div>
	</div>
</div>

<p>
	<a href="https://www.theverge.com/2021/8/9/22616882/gigabyte-technologies-ransomware-attack-data-leak-112-gb-ransomexx" rel="external nofollow">Hackers reportedly threaten to leak data from Gigabyte ransomware attack</a>
</p>
]]></description><guid isPermaLink="false">1707</guid><pubDate>Mon, 09 Aug 2021 21:56:27 +0000</pubDate></item><item><title>Instagram is now testing ads in the Shop tab</title><link>https://nsaneforums.com/news/security-privacy-news/instagram-is-now-testing-ads-in-the-shop-tab-r1706/</link><description><![CDATA[<div>
	<div>
		<p>
			<strong>Ads everywhere</strong>
		</p>

	</div>
</div>

<div>
	<div>
		<div>
			<p id="X6DUy2">
				If you thought Instagram had run out of ad real estate, think again. The company confirmed to <a href="https://techcrunch.com/2021/08/09/instagram-tests-ads-in-its-shop-tab/" rel="external nofollow">TechCrunch today</a> that it’s starting a new test that’ll involve putting ads on its Shop tab. Ads will involve either a single image or carousel of them, and of course, will be shoppable. Only certain advertisers will have access at first, but there are plans to expand the product in the future. (Initial US-based partners include Away, Fenty Beauty, and Clare paint.)
			</p>

			<p>
				Of course, it’s no surprise Instagram is trying more ads in more places — that’s Instagram and its parent company Facebook’s main revenue driver. Earlier this year, Instagram <a href="https://www.theverge.com/2021/6/17/22537297/instagram-reels-ads-launch-globally" rel="external nofollow">officially rolled out</a> ads in Reels, another new format that debuted only last year. The company also <a href="https://www.theverge.com/2021/4/22/22396841/instagram-reels-ads-stickers-video-facebook" rel="external nofollow">began testing</a> sticker ads, which would allow people to include stickers in their stories advertising a product. Users will receive a cut of any revenue made through people tapping on the sticker and buying a product.
			</p>

			<p id="LuDtf8">
				Basically, if there’s unused space on Instagram, you should expect ads to show up there soon enough. It’s unclear how successful these ads are in driving purchases, but brands presumably will want to try it out regardless, if only to ensure their products are seen by Instagram’s billion users.
			</p>
		</div>
	</div>
</div>

<p>
	<a href="https://www.theverge.com/2021/8/9/22617038/instagram-shop-tab-ads-test-launch" rel="external nofollow">Instagram is now testing ads in the Shop tab</a>
</p>
]]></description><guid isPermaLink="false">1706</guid><pubDate>Mon, 09 Aug 2021 21:53:27 +0000</pubDate></item><item><title>Privacy is now the most important factor when picking a browser</title><link>https://nsaneforums.com/news/security-privacy-news/privacy-is-now-the-most-important-factor-when-picking-a-browser-r1705/</link><description><![CDATA[<header>
	<div>
		<p>
			<strong>New research shows users are willing to switch browsers for better privacy</strong>
		</p>

	</div>
</header>

<div id="article-body">
	<p>
		Privacy is becoming an increasing concern for internet users worldwide, and new research from eyeo and Opera has revealed that 83 percent of users would consider switching to a different <a data-component-tracked="1" href="https://www.techradar.com/best/browser" rel="external nofollow" target="_blank">browser</a> if it offered improved privacy protection.
	</p>

	<p>
		To compile their new research, the German ad-filtering company and the maker of the <a data-component-tracked="1" href="https://www.techradar.com/reviews/opera-browser" rel="external nofollow" target="_blank">Opera browser</a> surveyed 2,500 global internet users to gain a better understanding of their attitudes toward privacy.
	</p>

	<p>
		Surprisingly, the survey found that only a quarter (25%) of respondents trust their current browser with their <a data-component-tracked="1" href="https://www.techradar.com/news/keeping-personal-information-secure" rel="external nofollow" target="_blank">personal information</a>, which underlines the need for better trust and transparency.
	</p>

	<p>
		Founder and CEO of eyeo, <a data-component-tracked="1" href="https://www.techradar.com/news/what-do-ad-blockers-think-about-advertising" rel="external nofollow" target="_blank">Till Faida</a> provided further insight on the survey's findings in a press release, saying:
	</p>

	<p>
		“The research shows that internet users have quite a complex relationship with their browsers. They clearly hold them in high regard in many respects and recognise the major benefits they bring to their online experience. At the same time, users are very privacy-conscious, particularly when it comes to intrusive advertising or excessive use of tracking cookies. There’s a better balance to be struck here, where advertising remains a core element of the browsing experience, but is done in a responsible manner that respects user privacy.”
	</p>

	<h2 id="striking-the-right-balance">
		Striking the right balance
	</h2>

	<p>
		In order to protect their privacy when browsing the web, 50 percent of respondents admitted to using an <a data-component-tracked="1" href="https://www.techradar.com/news/fake-ad-blocker-extensions-used-in-ad-fraud-scheme" rel="external nofollow" target="_blank">ad blocker</a> in the last month to prevent ads from being displayed while 64 percent have made a conscious decision to delete <a data-component-tracked="1" href="https://www.techradar.com/news/google-says-its-no-longer-interested-in-tracking-users" rel="external nofollow" target="_blank">tracking cookies</a>.
	</p>

	<p>
		Although more users are now leveraging ad blockers and calling for improved privacy protection, the data from eyeo and Opera's survey shows that many are willing to compromise when advertising is concerned. Of those surveyed, 35 percent acknowledge the valuable role cookies play in the internet ecosystem and 69 percent are happy to see some ads if doing so provides them with access to free news.
	</p>

	<p>
		Faida also explained that most internet users realize that ads are necessary to help maintain a free and accessible internet. By using technologies such as ad filtering, consumers can allow noninvasive ads to appear when browsing while hiding the more annoying ones such as pop-ups or animated ads.
	</p>

	<p>
		Those interested in making the switch to a more privacy-focused browser should check out our complete list of the <a data-component-tracked="1" href="https://www.techradar.com/best/anonymous-browsing" rel="external nofollow" target="_blank">best anonymous browsers</a> as they allow you to browse the web securely without being tracked online.
	</p>
</div>

<p>
	<a href="https://www.techradar.com/news/privacy-is-now-the-most-important-factor-when-picking-a-browser" rel="external nofollow">Privacy is now the most important factor when picking a browser</a>
</p>
]]></description><guid isPermaLink="false">1705</guid><pubDate>Mon, 09 Aug 2021 21:50:37 +0000</pubDate></item><item><title>iMazing iPhone backup and management app can now scan for Pegasus spyware infection</title><link>https://nsaneforums.com/news/security-privacy-news/imazing-iphone-backup-and-management-app-can-now-scan-for-pegasus-spyware-infection-r1704/</link><description><![CDATA[<article>
	<p>
		We recently reported on <a href="https://mspoweruser.com/hackers-load-spyware-on-fully-patched-iphones-showing-no-one-is-safe/" rel="external nofollow">Pegasus, a zero-click iPhone spyware attack</a> delivered via a silent iMessage message, which, once in place, can collect emails, call records, social media posts, user passwords, contact lists, pictures, videos, sound recordings and browsing histories. It can even activate cameras or microphones, and listen to calls and voice mails. It can also collect location logs of where a user has been and determine where that user is now, along with data indicating whether the person is stationary or, if moving, in which direction.
	</p>

	<p>
		The iPhone malware was used by NSO Group to target more than 50,000 people, going by a list liberated from the company. The hack is effective even against the latest iPhones, with hackers apparently able to bypass Apple’s latest security updates over the course of a number of years, challenging the company’s reputation for security and privacy.
	</p>

	<p>
		Because iPhones are a closed platform it is nearly impossible for iPhone owners to know they have been compromised.
	</p>

	<p>
		Mobile device management platform iMazing has now released a spyware detection tool that can be used to detect signs of infection by NSO’s Pegasus and has the potential to evolve to detect other threats.
	</p>

	<p>
		The methodology implemented closely mirrors that of the open-source <a href="https://github.com/mvt-project/mvt" rel="external nofollow" target="_blank">Mobile Verification Kit</a> by Amnesty International’s Security Lab, looking for known malicious file names, links, process names and emails.
	</p>

	<p>
		The ability for the user to customize the analyzer by providing indicators of compromise in STIX format may be useful for early investigations of future threats.
	</p>

	<p>
		The tool is available for free, but does require you to connect your iPhone via USB to your desktop.
	</p>

	<p>
		Read more about the iPhone spyware scanner at iMazing <a href="https://imazing.com/guides/detect-pegasus-and-other-spyware-on-iphone" rel="external nofollow" target="_blank">here</a>.
	</p>
</article>

<p>
	<a href="https://mspoweruser.com/imazing-iphone-backup-and-management-app-can-now-scan-for-pegasus-spyware-infection/" rel="external nofollow">iMazing iPhone backup and management app can now scan for Pegasus spyware infection</a>
</p>
]]></description><guid isPermaLink="false">1704</guid><pubDate>Mon, 09 Aug 2021 21:48:10 +0000</pubDate></item><item><title>Phishing Sites Targeting Scammers and Thieves</title><link>https://nsaneforums.com/news/security-privacy-news/phishing-sites-targeting-scammers-and-thieves-r1703/</link><description><![CDATA[<div>
	<p>
		I was preparing to knock off work for the week on a recent Friday evening when a curious and annoying email came in via <a href="https://krebsonsecurity.com/about/" rel="external nofollow" target="_blank">the contact form</a> on this site:
	</p>

	<p>
		“Hello I go by the username Nuclear27 on your site Briansclub[.]com,” wrote “Mitch,” confusing me with the proprietor of perhaps the underground’s largest bazaar for stolen credit and identity data. “I made a deposit to my wallet on the site but nothing has shown up yet and I would like to know why.”
	</p>

	<div id="attachment_56523">
		<img alt="bchome-768x407.png" class="ipsImage" data-ratio="56.53" height="381" width="720" src="https://krebsonsecurity.com/wp-content/uploads/2021/08/bchome-768x407.png">
		<p id="caption-attachment-56523">
			The real BriansClub login page.
		</p>
	</div>

	<p>
		Several things stood out in Mitch’s message. For starters, that is not the actual domain for BriansClub. And it’s easy to see why Mitch got snookered: The real BriansClub site is currently not at the top of search results when one queries that shop name at Google.
	</p>

	<p>
		Also, this greenhorn criminal clearly had bought into BriansClub’s advertising, which uses my name and likeness in a series of ads that run on all the top cybercrime forums. In those ads, a crab with my head on it zigs and zags on the sand. This is all meant to be a big joke: Krebs means “crab” or “cancer” in German, but a “crab” is sometimes used in Russian hacker slang to refer to a “carder,” or a person who regularly engages in street-level credit card fraud. Like Mitch.
	</p>

	<p>
		In late 2019, BriansClub changed its homepage to include doctored images of my Social Security and passport cards, credit report and mobile phone bill information. That was right after KrebsOnSecurity broke the news that someone had <a href="https://krebsonsecurity.com/2019/10/briansclub-hack-rescues-26m-stolen-cards/" rel="external nofollow" target="_blank">hacked </a><a href="https://krebsonsecurity.com/2019/10/briansclub-hack-rescues-26m-stolen-cards/" rel="external nofollow" target="_blank">BriansClub and siphoned information on 26 million stolen debit and credit accounts</a>. The hacked BriansClub database had <a href="https://krebsonsecurity.com/2019/10/takeaways-from-the-566m-briansclub-breach/" rel="external nofollow" target="_blank">an estimated collective street value of $566 million</a>, and that data was subsequently shared with thousands of financial institutions.
	</p>

	<p>
		Mitch said he’d just made a deposit of $240 worth of bitcoin at BriansClub[.]com, and was wondering when the funds would be reflected in the balance of his account on the shop.
	</p>

	<p>
		Playing along, I said I was sorry to hear about his ordeal, and asked Mitch if there were any stolen cards issued by a particular bank or to a specific region that he was seeking.
	</p>

	<p>
		Mitch didn’t bite, but neither would he be dissuaded that I was at fault for his wayward funds. He shared a picture showing funds he’d sent to the bitcoin address instructed by BriansClub[.]com — <a href="https://www.blockchain.com/btc/address/1PLALmM5rrmLTGGVRHHTnB6VnZd3FFwh1Z" rel="external nofollow" target="_blank">1PLALmM5rrmLTGGVRHHTnB6VnZd3FFwh1Z</a> — <a href="https://krebsonsecurity.com/wp-content/uploads/2021/08/mitch.png" rel="external nofollow" target="_blank">using a Bitcoin ATM in Canada</a>.
	</p>

	<p>
		The real BriansClub uses a dodgy virtual currency exchange service based in St. Petersburg, Russia called PinPays. The company’s website has long featured little more than a brand icon and an instant messenger address to reach the proprietor. The fake BriansClub told Mitch the Bitcoin address he was asked to pay was a PinPays address that would change with each transaction.
	</p>

	<div id="attachment_56518">
		<img alt="bcpinpays-768x450.png" class="ipsImage" data-ratio="62.50" height="421" width="720" src="https://krebsonsecurity.com/wp-content/uploads/2021/08/bcpinpays-768x450.png">
		<p>
			The payment message displayed by the carding site phishing domain BriansClub[.]com.
		</p>
	</div>

	<p>
		However, upon registering at the phishing site and clicking to fund my account, I was presented with the exact same Bitcoin address that Mitch said he paid. Also, the site wasn’t using PinPays; it was just claiming to do so to further mimic the real BriansClub.
	</p>

	<p>
		 
	</p>

	<p>
		According to the blockchain, the Bitcoin address Mitch paid has received more than a thousand payments over the past five months, totaling more than $40,000 (USD) worth of Bitcoin. Most are relatively small payments like Mitch’s.
	</p>

	<p>
		 
	</p>

	<div id="attachment_56520">
		<img alt="mitch.png" class="ipsImage" data-ratio="146.74" height="540" width="245" src="https://krebsonsecurity.com/wp-content/uploads/2021/08/mitch.png">
		<p id="caption-attachment-56520">
			The screenshot Mitch sent of his deposit.
		</p>
	</div>

	<p>
		 
	</p>

	<p>
		Unwary scammers like Mitch are a dime a dozen, as are phishing sites that spoof criminal services online. Shortly after it came online as a phishing site last year, BriansClub[.]com was hosted at a company in Moscow with just a handful of other domains phishing popular cybercrime stores, including Jstashbazar[.]com, vclub[.]cards, vclubb[.]com and vclub[.]credit.
	</p>

	<p>
		 
	</p>

	<p>
		Whoever’s behind these sites is making a decent income fleecing clueless crooks. A review of <a href="https://www.blockchain.com/btc/address/16c3rDKaySmnk5cdnm6xBvSPqs9aZweEG3?page=1" rel="external nofollow" target="_blank">the Bitcoin wallet</a> listed as the payment address for BriansClub[.]org, for example, shows a similar haul: 704 transactions totaling $38,000 in Bitcoin over the past 10 months.
	</p>

	<p>
		 
	</p>

	<p>
		“Wow, thanks for ripping me off,” Mitch wrote, after I’d dozed off for the evening without responding to his increasingly strident emails. “Should have spent the last money on my bills I’m trying to pay off. Should have known you were nothing but a thief.”
	</p>

	<p>
		 
	</p>

	<p>
		Deciding the ruse had gone too far, I confessed to Mitch that I wasn’t really the administrator of BriansClub, and that the person he’d reached out to was an independent journalist who writes about cybercrime. I told him not to feel bad, as more than a thousand people had been similarly duped by the carding shop.
	</p>

	<p>
		 
	</p>

	<p>
		But Mitch did not appear to accept my confession.
	</p>

	<p>
		 
	</p>

	<p>
		“If that’s the case then why is your name all over it including in the window that opens up when you go to make a deposit?” Mitch demanded, referring to the phishing site.
	</p>

	<p>
		 
	</p>

	<p>
		Clearly, nothing I said was going to deter Mitch at this point. He asked in a follow-up email if a link he included in the message was indeed the “legitimate” BriansClub address. My only reply was that he should maybe consider another line of work before he got ripped off yet again, or the Royal Canadian Mounted Police showed up at his doorstep.
	</p>

	<p>
		 
	</p>

	<p>
		Scammers who fall for fake carding sites can expect to have their accounts taken over at the real shop, which usually means someone spends your balance on stolen cards. But mostly, these imposter carding sites are asking new members to fund their accounts by making deposits in virtual currency like Bitcoin.
	</p>

	<p>
		 
	</p>

	<p>
		In 2018, KrebsOnSecurity examined a huge network of phishing sites masquerading as the top carding stores which <a href="https://krebsonsecurity.com/2018/05/will-the-real-jokers-stash-come-forward/" rel="external nofollow" target="_blank">all traced back to a web development group in Pakistan that’s apparently been stealing from thieves for years</a>.
	</p>

	<p>
		 
	</p>

	<p>
		As I noted in that piece, creating a network of fake carding sites is the perfect cybercrime. After all, nobody who gets phished or scammed is going to report the crime to the authorities. Nor will anyone help the poor sucker who gets snookered by one of these fake carding sites. Caveat Emptor!
	</p>

	<p>
		 
	</p>

	<p>
		The most one can hope for is that the occasional enterprising phisher is brought to justice. While it may be hard to believe that authorities would go after crooks stealing from one another, in 2017 a Connecticut man <a href="https://www.cyberscoop.com/hacker-pleads-guilty-to-phishing-dark-net-market-crooks-for-over-365000/" rel="external nofollow" target="_blank">pleaded guilty to charges of phishing several criminal dark web markets</a> in a scheme that eventually netted over $365,000 and more than 10,000 stolen user credentials.
	</p>

	<p>
		 
	</p>

	<p>
		And what about the provenance of the phishing domain briansclub[.]com? Looking closer at the original WHOIS registration records for briansclub[.]com via <a href="https://www.domaintools.com" rel="external nofollow" target="_blank">DomainTools</a> (an advertiser on this site), we can see it was registered in November 2015 — several months after the real BriansClub came online. It was registered to a “Brian Billionaire,” a.k.a. <a href="https://www.linkedin.com/in/newhotmusic/" rel="external nofollow" target="_blank">Brian O’Connor</a>, an apparently accomplished music deejay, rapper and rap music producer in Florida.
	</p>

	<p>
		 
	</p>

	<div id="attachment_56524">
		<img alt="brianbillionaire.png" class="ipsImage" data-ratio="57.90" height="414" width="715" src="https://krebsonsecurity.com/wp-content/uploads/2021/08/brianbillionaire.png">
		<p id="caption-attachment-56524">
			Brian Billionaire.
		</p>
	</div>

	<p>
		 
	</p>

	<p>
		For several years after it came online, BriansClub[.]com and other domains apparently registered to Mr. Billionaire redirected to his main site — newhotmusic.com, which predates the carding shop BriansClub and also has a members-only section of the site called Brian’s Club.
	</p>

	<p>
		 
	</p>

	<p>
		Mr. Billionaire did not respond to multiple requests for comment, but it looks like his only crime is <a href="https://www.facebook.com/newhotmusic/posts/4146495798749182" rel="external nofollow" target="_blank">being a somewhat cringeworthy DJ</a>. DomainTools’ <a href="https://krebsonsecurity.com/wp-content/uploads/2021/08/briansclubhostinghistory.png" rel="external nofollow" target="_blank">record for briansclub[.]com</a> says the domain was abandoned or dormant for a period in 2019, only to be scooped up again by someone in May 2020 when it became a phishing site spoofing the real BriansClub.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://krebsonsecurity.com/2021/08/phishing-sites-targeting-scammers-and-thieves/" rel="external nofollow">Phishing Sites Targeting Scammers and Thieves</a>
</p>
]]></description><guid isPermaLink="false">1703</guid><pubDate>Mon, 09 Aug 2021 21:45:43 +0000</pubDate></item><item><title>Google drops Bluetooth Titan Security Keys in favor of NFC versions</title><link>https://nsaneforums.com/news/security-privacy-news/google-drops-bluetooth-titan-security-keys-in-favor-of-nfc-versions-r1702/</link><description><![CDATA[<p>
	Google is discontinuing the Bluetooth Titan Security Key to focus on security keys with Near Field Communication (NFC) functionality.
</p>

<p>
	 
</p>

<p>
	As part of this move, Google has also announced a new Titan Security Key with USB-C and NFC to go along with the previously available USB-A + NFC security key.
</p>

<p>
	 
</p>

<p>
	<a href="https://cloud.google.com/titan-security-key" rel="external nofollow" target="_blank">Google's Titan Security Keys</a> were <a href="https://cloud.google.com/blog/products/identity-security/titan-security-keys-now-available-on-the-google-store" rel="external nofollow" target="_blank">introduced in 2018</a> and are designed to help users prevent Google account takeover attempts using credentials stolen in data breaches or following phishing attacks.
</p>

<p>
	 
</p>

<p>
	They work with the most popular devices, browsers, and an increasing number of apps that come with FIDO standard support.
</p>

<h2>
	Only USB-A and USB-C NFC keys for sale starting tomorrow
</h2>

<p>
	"Since NFC functionality is now supported by a wide range of Android phones and iPhones, we are discontinuing the Bluetooth Titan Security Key and focusing on the easier and more widely available NFC capability," <a href="https://security.googleblog.com/2021/08/simplifying-titan-security-key-options.html" rel="external nofollow" target="_blank">said</a> Christiaan Brand, Google Cloud Product Manager.
</p>

<p>
	 
</p>

<p>
	"However, for existing users with our Bluetooth Titan Security Keys, these will continue to work with Bluetooth and will continue to work as an NFC key on most modern mobile devices."
</p>

<p>
	 
</p>

<p>
	The company will also continue to service existing Bluetooth Titan Security Keys until they are out of warranty.
</p>

<p>
	 
</p>

<p>
	Starting August 10, Google will <a href="https://store.google.com/us/product/titan_security_key" rel="external nofollow" target="_blank">only offer</a> the USB-A + NFC and USB-C + NFC versions of the Titan Security Key: the USB-A key (which also comes with a USB-A to USB-C adapter) will sell for $30 and the USB-C + NFC key will be priced at $35.
</p>

<p>
	 
</p>

<p>
	Customers can follow this simple guide to buy a Titan Security key for their device:
</p>

<p>
	 
</p>

<ul>
	<li>
		If you have a computer with USB-A ports, we recommend you get the USB-A + NFC security key.
	</li>
	<li>
		If you have a computer with USB-C ports, we recommend you get the USB-C + NFC security key.
	</li>
	<li>
		If you have an iPad with a USB-C connector, you can use the USB-C Titan Security Key.
	</li>
	<li>
		If you have an iPad with a Lightning connector, it’s recommended to get a USB-A Titan Security Key with an Apple Lightning adapter.
	</li>
</ul>

<h2>
	Work with Google's Advanced Protection Program
</h2>

<p r="">
	"Paired with our <a href="https://landing.google.com/advancedprotection/" rel="external nofollow">Advanced Protection Program</a> and its industry-leading automatic protections, the Titan Security Key remains one of the best ways to keep your Google Account safe," Brand said.
</p>

<p>
	 
</p>

<p>
	<a href="https://landing.google.com/advancedprotection/" rel="external nofollow" target="_blank">APP</a> allows high-risk or regular users to defend their accounts from state-sponsored spear-phishing attempts with a more secure login procedure requiring them to use security keys or smartphones to verify their identity.
</p>

<p>
	 
</p>

<p>
	Google advises anyone at risk of targeted online attacks, including but not limited to business leaders, journalists, activists, and IT administrators, to enroll in Advanced Protection as the most accessible defense against account takeover attempts with the help of additional identity checks.
</p>

<p r="">
	 
</p>

<p r="">
	Advanced Protection applies all of the following protections at once, automatically overriding similar and manually configured settings:
</p>

<p r="">
	 
</p>

<ul>
	<li>
		Strong authentication with security keys
	</li>
	<li>
		Use of security codes with security keys (as needed)
	</li>
	<li>
		Restrictions on third-party access to account data
	</li>
	<li>
		Deep Gmail scans
	</li>
	<li>
		Google Safe Browsing protection in Chrome (when users are signed in to Chrome using the same identity as their Advanced Protection Program identity)
	</li>
	<li>
		Account recovery through admin
	</li>
</ul>

<p>
	 
</p>

<p>
	Google provides more information on how security keys can help protect you from phishing attacks on the <a href="https://cloud.google.com/titan-security-key" rel="external nofollow">Titan Security Key product page</a>. 
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/google-drops-bluetooth-titan-security-keys-in-favor-of-nfc-versions/" rel="external nofollow">Google drops Bluetooth Titan Security Keys in favor of NFC versions</a>
</p>
]]></description><guid isPermaLink="false">1702</guid><pubDate>Mon, 09 Aug 2021 21:41:34 +0000</pubDate></item><item><title>A Critical Random Number Generator Flaw Affects Billions of IoT Devices</title><link>https://nsaneforums.com/news/security-privacy-news/a-critical-random-number-generator-flaw-affects-billions-of-iot-devices-r1694/</link><description><![CDATA[<p>
	A critical vulnerability has been disclosed in the hardware random number generators used in billions of Internet of Things (IoT) devices: they fail to properly generate random numbers, undermining the devices' security and putting them at risk of attack.
</p>

<p>
	 
</p>

<p>
	"It turns out that these 'randomly' chosen numbers aren't always as random as you'd like when it comes to IoT devices," Bishop Fox researchers Dan Petro and Allan Cecil said in an analysis published last week. "In fact, in many cases, devices are choosing encryption keys of 0 or worse. This can lead to a catastrophic collapse of security for any upstream use."
</p>

<p>
	 
</p>

<p>
	Random number generation (RNG) is a crucial process that undergirds several cryptographic applications, including key generation, nonces, and salting. On traditional operating systems, it's derived from a cryptographically secure pseudorandom number generator (CSPRNG) that uses entropy obtained from a high-quality seed source.
</p>

<p>
	 
</p>

<p>
	In IoT devices, by contrast, randomness is supplied by a system-on-a-chip (SoC) that houses a dedicated hardware RNG peripheral, a true random number generator (TRNG), which captures randomness from physical processes or phenomena.
</p>

<p>
	 
</p>

<p>
	Stating that the way the peripheral is currently invoked is incorrect, the researchers noted an across-the-board lack of checks for error-code responses, leading to a scenario where the generated number is not merely non-random but, worse, predictable: the result is partial entropy, uninitialized memory, and even crypto keys consisting of plain zeros.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedVideo">
	<div>
		<iframe allowfullscreen="" frameborder="0" height="113" width="200" data-embed-src="https://www.youtube.com/embed/Zuqw0-jZh9Y?feature=oembed"></iframe>
	</div>
</div>

<p style="text-align:center;">
	 
</p>

<p>
	"The HAL function to the RNG peripheral can fail for a variety of reasons, but by far the most common (and exploitable) is that the device has run out of entropy," the researchers noted. "Hardware RNG peripherals pull entropy out of the universe through a variety of means (such as analog sensors or EMF readings) but don't have it in infinite supply.
</p>

<p>
	 
</p>

<p>
	"They're only capable of producing so many random bits per second. If you try calling the RNG HAL function when it doesn't have any random numbers to give you, it will fail and return an error code. Thus, if the device tries to get too many random numbers too quickly, the calls will begin to fail."
</p>

<p>
	 
</p>

<p>
	The problem is specific to the IoT landscape because such devices lack an operating system that typically comes with a randomness API (e.g., "/dev/random" in Unix-like OSes or BCryptGenRandom in Windows); the researchers highlight that a CSPRNG subsystem draws on a larger entropy pool, which removes "any single points of failure among the entropy sources."
</p>

<p>
	 
</p>

<p>
	Although the issues can be remediated with software updates, the ideal solution is for IoT device manufacturers and developers to include a CSPRNG API seeded from a set of diverse entropy sources, and to ensure that the code neither ignores error conditions nor fails to block calls to the RNG when no more entropy is available.
</p>

<p>
	 
</p>

<p>
	"One of the hard parts about this vulnerability is that it's not a simple case of 'you zigged where you should have zagged' that can be patched easily," the researchers said, stressing the need for implementing CSPRNG in an IoT operating system. "In order to remediate this issue, a substantial and complex feature has to be engineered into the IoT device."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/08/a-critical-random-number-generator-flaw.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1694</guid><pubDate>Mon, 09 Aug 2021 14:00:39 +0000</pubDate></item><item><title>The UK government wants you to use passwords made of three random words</title><link>https://nsaneforums.com/news/security-privacy-news/the-uk-government-wants-you-to-use-passwords-made-of-three-random-words-r1689/</link><description><![CDATA[<div itemprop="articleBody">
	<p>
		While some organizations <a href="https://www.neowin.net/news/google-wants-you-to-imagine-a-future-without-passwords/" rel="external nofollow">such as Google</a> and <a href="https://www.neowin.net/news/microsoft-2021-is-the-year-passwords-die/" rel="external nofollow">Microsoft want to kill off passwords</a>, it's not an easy task considering that it's a traditional form of authentication used heavily by almost all online services. Back in 2016, the National Cyber Security Centre (NCSC) - which is a UK Government organization that provides guidance on cybersecurity - <a href="https://www.ncsc.gov.uk/blog-post/three-random-words-or-thinkrandom-0" rel="external nofollow">pushed people to choose a combination of three random words as their password</a> when signing up online instead of thinking up or reusing a complex password. The topic sparked quite a debate, and now, <a href="https://www.ncsc.gov.uk/blog-post/the-logic-behind-three-random-words" rel="external nofollow">the organization has shed more light on why it gave this advice</a>.
	</p>

	<p>
		 
	</p>

	<p>
		The NCSC has highlighted that most websites enforce the use of complex passwords, which usually include a combination of multiple characters and symbols. Counter-intuitively, this also makes the job of malicious actors easier, since they can use these rules and knowledge of existing password patterns to optimize brute-force attacks. It also means that people reuse the same password, or variations of it, across multiple websites because it's tedious to create and remember numerous complex passwords. This behaviour is also driven by the belief that storing passwords online or offline is risky. While the NCSC admits that passwords can be stolen from either type of repository, the chances are quite low with secure storage solutions and the benefits usually outweigh the risks.
	</p>

	<p>
		 
	</p>

	<p>
		In this vein, the organization believes that it is better to use a combination of three random words. The reasons it gives include the increased length of the resulting passwords, the technique's adoption as an easy-to-understand standard, its novelty in the current tech landscape, and its usability.
	</p>

	<p>
		 
	</p>

	<p>
		The NCSC has also responded to some concerns that have been raised since it initially provided this guidance, both for personal and work use. Some have claimed that search algorithms to guess "three random words" already exist. The organization counters that under its proposed technique, people will still generate their passwords in multiple personalized ways, which means that an attacker may have to use several algorithms to find useful passwords. In comparison, given the fixed set of lexical rules that most websites currently enforce on passwords, it's easier for an attacker to use a single algorithm to guess them.
	</p>

	<p>
		 
	</p>

	<p>
		Regarding claims that this technique will lead to weaker passwords, the NCSC had the following to say:
	</p>

	<blockquote>
		<p>
			There are many common passwords that conform to complexity requirements. For example, ‘Pa55word!’ may follow the complexity requirements for a website or service, but is a lousy password as it's quite guessable. Similarly, there are unique complex passwords (generated using three random words) that would not be permitted. Complexity requirements alone are a blunt instrument; to provide a more targeted removal of weak passwords, the NCSC recommend a minimum length requirement combined with the application of password deny lists.
		</p>
	</blockquote>

	<p>
		Finally, the cybersecurity body has noted that even three random words as your password is not a silver bullet. It strongly recommends using secure solutions to store passwords generated with this technique, and it hopes that the wider strategy of reducing reliance on passwords succeeds before password diversity in this domain is minimized as well, as has already happened with seemingly complex passwords.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/the-uk-government-wants-you-to-use-passwords-made-of-three-random-words/" rel="external nofollow">The UK government wants you to use passwords made of three random words</a>
</p>
]]></description><guid isPermaLink="false">1689</guid><pubDate>Sun, 08 Aug 2021 22:34:29 +0000</pubDate></item><item><title>Google working on transferring SMS One Time Passwords from your phone to your PC</title><link>https://nsaneforums.com/news/security-privacy-news/google-working-on-transferring-sms-one-time-passwords-from-your-phone-to-your-pc-r1688/</link><description><![CDATA[<div>
	<article>
		<p>
			It is a very common experience to have to verify your identity on the desktop web by entering a passcode sent via SMS to your smartphone. Often this involves having to dig up your phone and accurately copy over the code.
		</p>

		<p>
			 
		</p>

		<p>
			With Chrome 93, Google is working on the ability for your desktop browser to automatically read the code sent to your Android phone.
		</p>

		<p>
			 
		</p>

		<p>
			Chrome 93 supports the WebOTP (Web One Time Password) interface, so if websites also use the technology, your web browser will automatically detect that your phone has received the code.
		</p>

		<p>
			 
		</p>

		<p>
			For this of course you need an Android phone, and both your handset and desktop browser must be signed into the same Google account.
		</p>

		<p>
			 
		</p>

		<div class="videostyle" style="width:300px; margin:auto;">
			<video controls="" data-controller="core.global.core.embeddedvideo">
				<source type="video/webm" src="https://storage.googleapis.com/web-dev-assets/sms-otp-form/android-chrome.webm">
			</source></video>
		</div>

		<p style="text-align: center;">
			<strong>WebOTP API in action.</strong>
		</p>

		<p>
			 
		</p>
	</article>
</div>

<p>
	 
</p>

<div class="videostyle">
	<video controls="" data-controller="core.global.core.embeddedvideo">
		<source type="video/mp4" src="https://mspoweruser.com/wp-content/uploads/2021/08/webotp-demo.mp4">
	</source></video>
</div>

<p>
	 
</p>

<p style="text-align: center;">
	<strong>WebOTP API on desktop.</strong>
</p>

<p style="text-align: center;">
	 
</p>

<p>
	You can try out the feature now with the Chrome 93 beta <a href="https://developer.chrome.com/blog/cross-device-webotp/" rel="external nofollow" target="_blank">at this demo page</a>.
</p>

<p>
	 
</p>

<p>
	Unfortunately, the feature is dependent on the Chromium web engine and is currently unsupported on iOS.
</p>

<p>
	 
</p>

<p>
	via <a href="https://winfuture.de/news,124367.html?utm_source=Twitter&amp;utm_medium=ManualTweet&amp;utm_campaign=SocialMedia" rel="external nofollow" target="_blank">Winfuture</a>
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://mspoweruser.com/google-working-on-transferring-sms-one-time-passwords-from-your-phone-to-your-pc/" rel="external nofollow">Google working on transferring SMS One Time Passwords from your phone to your PC</a>
</p>
]]></description><guid isPermaLink="false">1688</guid><pubDate>Thu, 01 Jan 1970 00:00:00 +0000</pubDate></item><item><title>A Batch of 1 Million Credit Cards Is Shared for Free on New Dark Web Carding Site</title><link>https://nsaneforums.com/news/security-privacy-news/a-batch-of-1-million-credit-cards-is-shared-for-free-on-new-dark-web-carding-site-r1679/</link><description><![CDATA[<ul>
	<li>
		<strong>A recently-launched carding platform is giving away one million cards for free as a promotion.</strong>
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		<strong>The site features sets from around the world and also offers a powerful search engine.</strong>
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		<strong>Roughly half of the cards offered are still good for exploitation as their owners don’t know they have been compromised.</strong>
	</li>
</ul>

<p>
	 
</p>

<p>
	A new credit card dump has appeared on ‘AllWorld.cards’, a recently-launched dark web marketplace where cybercriminals buy, sell, or freely share goods of this kind, and it contains one million records including full holder names, expiration dates, the CVV number, and the owner’s address.
</p>

<p>
	 
</p>

<p>
	According to researchers at d3lab, who analyzed the card pack, it appears to be a compilation of cards stolen from various sources, such as malware-infected PoS terminals deployed in petrol stations and supermarkets, as well as websites compromised by Magecart skimmers.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="all-world-cards.jpg" class="ipsImage" data-ratio="76.60" height="540" width="580" src="https://cdn.technadu.com/wp-content/uploads/2021/08/all-world-cards.jpg" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Source: d3lab</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	The particular set has been advertised on various dark web forums since the beginning of June. It is offered for free to promote AllWorld.cards, which is a relatively new marketplace that was registered in May 2021. The site only accepts Bitcoin for payment, and cybercriminals can only use Jabber to contact the sellers, while everything else on the platform is currently offered at a 50% discount. The site also follows a three-level loyalty system that prioritizes returning buyers so that they can exploit fresh packs before other members access the data.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="site-rules-1024x451.jpg" class="ipsImage" data-ratio="62.64" height="317" width="720" src="https://cdn.technadu.com/wp-content/uploads/2021/08/site-rules-1024x451.jpg" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Image: TechNadu</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	More specifically, users who spend $5,000 or more on the site get the “Gold” level status and are given early access to freshly loaded cards within 5 hours of their upload to the site. “Silver” and “Bronze” users won’t even see the full card number and will be given 12 hours to verify what they got or ask for a refund. Anything credited to the balance cannot be withdrawn, and the site states that it trusts only its own third-party card checkers, so no tricks can be played with refund disputes.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="card-results-1024x377.jpg" class="ipsImage" data-ratio="52.22" height="265" width="720" src="https://cdn.technadu.com/wp-content/uploads/2021/08/card-results-1024x377.jpg" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Image: TechNadu</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	We have looked into some of the offerings on the site, and there’s really a plethora of listings from around the world. The price for each card ranges between $5.50 and $9.90, at least from what we were able to check. There is also a powerful search filtering system that offers quite a few options for crooks to narrow down their results and quickly locate what they’re after.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="search-filters-1024x270.jpg" class="ipsImage" data-ratio="37.50" height="189" width="720" src="https://cdn.technadu.com/wp-content/uploads/2021/08/search-filters-1024x270.jpg" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Image: TechNadu</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Back to the 1,000,000-card offering: d3lab has made a bulk analysis of the pack and believes that roughly 50% of the cards are still operational and exploitable, as they have not been reported as stolen or compromised to the financial institutions that issued them. The researchers have sent notifications to the affected banks, but taking the appropriate action may take a while.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.technadu.com/1-million-credit-cards-shared-free-new-dark-web-carding-site/293900/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1679</guid><pubDate>Sun, 08 Aug 2021 13:45:24 +0000</pubDate></item><item><title>Google makes privacy trade-off more explicit in new Chrome Privacy Review settings page</title><link>https://nsaneforums.com/news/security-privacy-news/google-makes-privacy-trade-off-more-explicit-in-new-chrome-privacy-review-settings-page-r1675/</link><description><![CDATA[<p>
	We all vaguely know that our data has value and that privacy is not free, but after the backlash Google received for its FLoC proposal it appears the company is aiming to make the trade-off between privacy and the services your data pays for a bit more explicit.
</p>

<p>
	 
</p>

<p>
	The company has been working on a new <a href="https://mspoweruser.com/google-is-working-on-a-new-privacy-review-feature-in-chrome/" rel="external nofollow">Privacy Review page in Chrome Settings</a>, and in the latest Chrome Canary release that section has been filled in with a page called “Review settings for search and browsing optimization.”
</p>

<p>
	 
</p>

<p>
	<img alt="privacy-tradeoff-2.png" class="ipsImage" data-ratio="75.10" height="486" width="720" src="https://mspoweruser.com/wp-content/uploads/2021/08/privacy-tradeoff-2.png">
</p>

<p>
	 
</p>

<p>
	The page explains that if you share the site you are currently browsing with Google, with the intent to allow Google to process it to “understand the browsing behaviour”, Google will reward you with:
</p>

<p>
	 
</p>

<div id="descriptionItemWrapper">
	<ul>
		<li>
			Faster browsing: For example, proactively load specific further content based on the current page
		</li>
		<li>
			Improved browsing: For example, suggestions in the Omnibox before you start typing
		</li>
		<li>
			Improved Chrome using page metrics
		</li>
	</ul>
</div>

<p>
	 
</p>

<p>
	Of course, Google is not completely honest on the page, since the company wants to understand YOUR browsing behaviour, not the nebulous 3rd person Google appears to be referring to.
</p>

<p>
	 
</p>

<p>
	We assume at some point this page will be used to gain the consent of users for targeted advertising.
</p>

<p>
	 
</p>

<p>
	Google’s FLoC proposal would have used your Chrome browsing history to categorise you into a small group of similar people and then pass this data to websites so they can deliver relevant ads.
</p>

<p>
	 
</p>

<p>
	Of course, Google is not wrong in that much of the internet is funded by advertising, and being able to explicitly opt both into and out of the deal is a welcome improvement over assuming consent simply by using the browser.
</p>

<p>
	 
</p>

<p>
	via <a href="https://techdows.com/2021/08/first-look-at-chrome-privacy-review-feature.html" rel="external nofollow" target="_blank">techdows</a>
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://mspoweruser.com/google-makes-privacy-trade-off-more-explicit-in-new-privacy-review-settings-page/" rel="external nofollow">Google makes privacy trade-off more explicit in new Chrome Privacy Review settings page</a>
</p>
]]></description><guid isPermaLink="false">1675</guid><pubDate>Sat, 07 Aug 2021 22:45:06 +0000</pubDate></item><item><title>Apple VP on iCloud Photos scanning: We know people have misunderstandings and are worried</title><link>https://nsaneforums.com/news/security-privacy-news/apple-vp-on-icloud-photos-scanning-we-know-people-have-misunderstandings-and-are-worried-r1669/</link><description><![CDATA[<p>
	Apple recently announced that it is introducing new child safety features to its ecosystem, including the ability to scan photos uploaded to iCloud using on-device machine learning and compare them to known images of child sexual abuse material (CSAM) from the National Center for Missing and Exploited Children's (NCMEC) repository. Another feature may also inform parents if their child - who is below 13 years old - shares or receives sexually explicit content.
</p>

<p>
	 
</p>

<p>
	The move has drawn criticism from a lot of tech experts and entities, including the Head of WhatsApp, the Electronic Frontier Foundation (EFF), Edward Snowden and others, who call it a breach of privacy however well-intentioned it may be. Apple is fully aware of the debate it has created, as can be seen in an internal company memo.
</p>

<p>
	 
</p>

<p>
	The document in question was obtained by 9to5Mac and contains words from Apple's Software VP Sebastien Marineau-Mes. An excerpt from the memo reads:
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	<em>Keeping children safe is such an important mission. In true Apple fashion, pursuing this goal has required deep cross-functional commitment, spanning Engineering, GA, HI, Legal, Product Marketing and PR. What we announced today is the product of this incredible collaboration, one that delivers tools to protect children, but also maintain Apple’s deep commitment to user privacy.</em>
</p>

<p style="margin-left:40px;">
	 
</p>

<p style="margin-left:40px;">
	<em>We’ve seen many positive responses today. We know some people have misunderstandings, and more than a few are worried about the implications, but we will continue to explain and detail the features so people understand what we’ve built. And while a lot of hard work lays ahead to deliver the features in the next few months, I wanted to share this note that we received today from NCMEC. I found it incredibly motivating, and hope that you will as well.</em>
</p>

<p style="margin-left:40px;">
	 
</p>

<p>
	The attached note from NCMEC congratulates Apple for its efforts and says that "we know that the days to come will be filled with the screeching voices of the minority".
</p>

<p>
	 
</p>

<p>
	Overall, it's clear that Apple is aware that it has opened up a somewhat difficult topic, since it involves scanning its users' photos, computing hashes, and then comparing them against CSAM databases. While the company claims that it is doing this in a privacy-protective manner using on-device machine learning, many are understandably concerned about the potential for misuse. Marineau-Mes says the firm "will continue to explain and detail the features", with delivery due "in the next few months", so it will be interesting to see whether it can tackle the concerns that are being raised by the public.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.neowin.net/news/apple-vp-on-icloud-photos-scanning-we-know-people-have-misunderstandings-and-are-worried/" rel="external nofollow">Source</a></strong>
</p>

<p>
	 
</p>
]]></description><guid isPermaLink="false">1669</guid><pubDate>Sat, 07 Aug 2021 16:16:58 +0000</pubDate></item><item><title>The logic behind three random words</title><link>https://nsaneforums.com/news/security-privacy-news/the-logic-behind-three-random-words-r1667/</link><description><![CDATA[<p>
	<strong>Whilst not a password panacea, using 'three random words' is still better than enforcing arbitrary complexity requirements.</strong>
</p>

<p>
	 
</p>

<p>
	One of the most popular pages on the NCSC website, nearly 5 years after its first publication, is 'Three random words or #thinkrandom'. It explains how - by combining three random words - you can create a password that's 'random enough' to keep the bad guys out, but also 'easy enough' for you to remember.
</p>

<p>
	 
</p>

<p>
	In this blog, we're going to:
</p>

<p>
	 
</p>

<ul>
	<li>
		explain why the NCSC continues to promote the 'three random words' strategy (both at home and at work)
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		respond to some concerns raised by NCSC customers who may be considering this strategy
	</li>
</ul>

<p>
	 
</p>

<p>
	<strong>The problems of complexity requirements</strong>
</p>

<p>
	<br />
	We've covered, at length, how enforcing complexity requirements is a poor defence against guessing attacks. Our minds struggle to remember random character strings, so we use predictable patterns (such as replacing the letter ‘o’ with a zero) to meet the required 'complexity' criteria.
</p>

<p>
	 
</p>

<p>
	Of course, attackers are familiar with these strategies and use this knowledge to optimise their attacks. Counter-intuitively, the enforcement of these complexity requirements results in the creation of more predictable passwords. Faced with making yet another password with specific requirements, users fall back on variations of something they already know and use, falsely believing it to be strong because it satisfies password strength meters (and is accepted by online services).
</p>

<p>
	 
</p>

<p>
	None of this is helped by:
</p>

<p>
	 
</p>

<ul>
	<li>
		Longstanding (and poor) advice that passwords have to be memorised, and storing them in any way (either in a password manager, a browser, or on a piece of paper) is risky.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		The continued low uptake of password managers to both store and generate passwords (the NCSC has encouraged organisations and individuals to use password managers for some time now).
	</li>
</ul>

<p>
	 
</p>

<p>
	To be absolutely clear, there are a number of ways you can securely store your passwords, in a password manager, a browser, or on a piece of paper, so remembering them is no longer a problem*.
</p>

<p>
	 
</p>

<p>
	<strong>Why three random words?</strong>
</p>

<p>
	<br />
	The traditional password advice built around 'password complexity' failed because it told us to do things that most of us simply can't do (i.e. memorise lots of long, complex passwords).
</p>

<p>
	 
</p>

<p>
	Passwords generated from three random words help users to create unique passwords that are strong enough for many purposes, and can be remembered much more easily. This is also good for those who aren't aware of password managers, or are reluctant to use them. However, there are several other reasons why the NCSC chose the three random words strategy.
</p>

<p>
	 
</p>

<p>
	<strong>1 Length</strong>
</p>

<p>
	<br />
	Passwords made from multiple words will generally be longer than passwords made from a single word. Length is a common (and recommended) requirement for passwords, and promoting the use of a 'passphrase' created by combining words provides a way to achieve this without relying on predictable patterns (such as the addition of ! at the end of a password).
</p>

<p>
	 
</p>

<p>
	<strong>2 Impact</strong>
</p>

<p>
	<br />
	To have a meaningful impact, the NCSC needed to be able to promote a technique across different media, in a way that could be quickly understood in most contexts. 'Three random words' contains all the essential information in the title, and can be quickly explained, even to those who don't consider themselves computer experts.
</p>

<p>
	 
</p>

<p>
	<strong>3 Novelty</strong>
</p>

<p>
	<br />
	The stereotypical password is a single dictionary word or name, with predictable character replacements. By recommending multiple words we immediately challenge that perception, and encourage a range of passwords that have not previously been considered.
</p>

<p>
	 
</p>

<p>
	<strong>4 Usability</strong>
</p>

<p>
	<br />
	The main issue with enforcing complexity requirements is that it's difficult for users to generate, remember, and enter complex passwords correctly without substantial effort, which further encourages the re-use of passwords. The strength of 'three random words' lies in its usability, because security that's not usable doesn't work.
</p>

<p>
	 
</p>

<p>
	<strong>Responding to concerns</strong>
</p>

<p>
	<br />
	We do appreciate that some system owners may have concerns about using the three random words technique rather than others. It may not be necessary across all organisations. For example, some will already be using good strategies for creating strong, unique passwords, and others will be uncomfortable moving to a model that's so different from what they currently use.
</p>

<p>
	 
</p>

<p>
	However, if you're not using 'three random words' for any of the following reasons, then you may want to consider adopting it.
</p>

<p>
	 
</p>

<p>
	<strong>1. 'There are search algorithms optimised for three random words'</strong>
</p>

<p>
	<br />
	This is true, but there are also search algorithms optimised for 'complex' passwords generated by humans (by far the most common type in use today). There have been many attempts to show which of these algorithms would be fastest at discovering human-generated complex passwords or three random word passwords, with the 'winner' depending on the assumptions made about people's behaviour. But it ultimately doesn't matter.
</p>

<p>
	 
</p>

<p>
	To be able to get an advantage from any optimised algorithm, you need to know which algorithm to use. So, given a large database where everyone is using different ways to generate their passwords, the effectiveness of any optimised algorithm is reduced. In the real world, this means the attacker must try several algorithms, which is harder (and takes longer) than trying just one.
</p>

<p>
	 
</p>

<p>
	Some people compare 'three random words' passwords with the 'random passwords created by password managers'. The latter are stronger than either 'three random words' or 'human-generated complex passwords'. However, this is not currently a useful comparison to make, as there is still a very low uptake of password managers. We hope more people will adopt password managers and this will also increase the diversity of passwords.
</p>

<p>
	 
</p>

<p>
	<strong>2. 'Three random words will generate 'weak' passwords, such as those that appear in common password lists'</strong>
</p>

<p>
	<br />
	There are many common passwords that conform to complexity requirements. For example, ‘Pa55word!’ may satisfy the complexity requirements of a website or service, but is a lousy password because it is so guessable. Conversely, there are unique, strong passwords (generated using three random words) that such rules would reject. Complexity requirements alone are a blunt instrument; to provide a more targeted removal of weak passwords, the NCSC recommends a minimum length requirement combined with the application of password deny lists.
</p>
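<p>
	To make the contrast concrete, here is an added Python example (not from the NCSC post) that checks candidate passwords first against a typical composition rule and then against the minimum-length-plus-deny-list policy described above, and that generates a three-random-words password from a wordlist while computing the guess space faced by an attacker who knows the wordlist. The wordlist, the deny list, the substitution table and the length thresholds are constructed samples and assumptions, not NCSC values.
</p>

```python
import math
import re
import secrets

# Constructed sample wordlist; a real deployment would use a published list
# such as the EFF or Diceware lists (7776 words).
WORDLIST = ["anchor", "bridge", "candle", "dolphin", "ember", "falcon",
            "garden", "harbour", "island", "jigsaw", "kettle", "lantern",
            "meadow", "nickel", "orchard", "pebble", "quiver", "ribbon",
            "saddle", "timber", "umbrella", "velvet", "walnut", "yonder"]

# Constructed deny list; load a large breached-password list in practice.
DENY_LIST = {"password", "qwerty123", "letmein", "welcome1", "summer2021",
             "iloveyou", "football"}

# The composition rule the post argues against: 8+ characters with at least
# one lower-case letter, one upper-case letter, one digit and one symbol.
COMPLEXITY_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^\w\s]).{8,}$")

# Predictable substitutions users make to satisfy such rules (assumed set).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "@": "a", "$": "s"})


def passes_complexity(password):
    """True if the password satisfies the composition rule above."""
    return bool(COMPLEXITY_RE.match(password))


def normalise(password):
    """Undo common substitutions and trailing punctuation so that
    'Pa55word!' is compared against 'password' on the deny list."""
    return password.lower().translate(LEET).rstrip("!?.")


def passes_ncsc_policy(password, min_length=12):
    """Minimum length plus a deny list, the approach the post recommends
    instead of composition rules. Returns (ok, reason)."""
    if len(password) < min_length:
        return False, "too short"
    if password.lower() in DENY_LIST or normalise(password) in DENY_LIST:
        return False, "on deny list"
    return True, "ok"


def three_random_words(wordlist=WORDLIST, count=3):
    """Pick words uniformly at random (with replacement) using the OS CSPRNG."""
    return [secrets.choice(wordlist) for _ in range(count)]


def guess_space_bits(wordlist_size, count=3):
    """Entropy in bits against an attacker who knows the wordlist and the
    word count: each word contributes log2(wordlist_size) bits."""
    return count * math.log2(wordlist_size)


if __name__ == "__main__":
    for pw in ("Pa55word!", "correcthorsebattery", "".join(three_random_words())):
        print(f"{pw!r:28} complexity={passes_complexity(pw)!s:5} "
              f"ncsc={passes_ncsc_policy(pw, min_length=8)}")
    print(f"3 words from {len(WORDLIST)}-word list: {guess_space_bits(len(WORDLIST)):.1f} bits; "
          f"from 7776-word list: {guess_space_bits(7776):.1f} bits")
```

<p>
	The point of the normalise step is the one the post makes about coping mechanisms: 'Pa55word!' sails through the composition regex but collapses to 'password' once the predictable substitutions are undone, so the deny list catches it, while a long all-lowercase passphrase fails the regex and passes the policy. The entropy figure is the worst case (attacker knows the list); the post's 'password diversity' argument is that real attackers do not know which construction method each user chose.
</p>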

<p>
	 
</p>

<p>
	<strong>3. 'People will struggle to remember passwords made from three random words for multiple accounts'</strong>
</p>

<p>
	<br />
	As we've discussed, to create passwords that meet complexity requirements we use coping mechanisms (which are well known to cyber criminals). Adopting three random words is not a panacea that solves the issue of remembering a lot of passwords in a single stroke, and we expect it to be used alongside secure storage.
</p>

<p>
	 
</p>

<p>
	<strong>Towards 'password diversity'</strong>
</p>

<p>
	<br />
	To make it harder for attackers, we need to increase the diversity of password use. This means reducing the number of passwords that are discoverable by cheap and efficient search algorithms, forcing an attacker to run multiple search algorithms (or use inefficient algorithms) to recover a useful number of passwords.
</p>

<p>
	 
</p>

<p>
	Currently, complexity requirements are actively working against password diversity (for all the reasons mentioned above). This has led to convergence in strategies and a reduction in password diversity. To increase diversity, we need to encourage people to use other password construction strategies (such as 'three random words'), that use length rather than character sets to achieve the desired strength. This effectively encourages the adoption of passwords that are currently unused, increasing password diversity in the ecosystem.
</p>

<p>
	 
</p>

<p>
	In the meantime, we hope that wider efforts across the technology sector to reduce our long-term reliance on passwords will bear fruit before convergence becomes a problem for three random words.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.ncsc.gov.uk/blog-post/the-logic-behind-three-random-words" rel="external nofollow">Source</a></strong>
</p>

<p>
	 
</p>

<p>
	[Another article:  <a href="https://www.theguardian.com/technology/2021/aug/07/password-of-three-random-words-better-than-complex-variation-experts-say" rel="external nofollow">Password of three random words better than complex variation, experts say</a>]
</p>
]]></description><guid isPermaLink="false">1667</guid><pubDate>Sat, 07 Aug 2021 14:34:41 +0000</pubDate></item><item><title>Anatomy of native IIS malware</title><link>https://nsaneforums.com/news/security-privacy-news/anatomy-of-native-iis-malware-r1665/</link><description><![CDATA[<p>
	<span style="font-size:16px;"><strong>ESET researchers publish a white paper putting IIS web server threats under the microscope</strong></span>
</p>

<p>
	 
</p>

<p>
	ESET researchers have discovered a set of previously undocumented malware families, implemented as malicious extensions for Internet Information Services (IIS) web server software. Targeting both government mailboxes and e-commerce transactions, as well as aiding in malware distribution, this diverse class of threats operates by eavesdropping on and tampering with the server’s communications.
</p>

<p>
	 
</p>

<p>
	Along with a complete breakdown of the newly discovered families, our new paper, Anatomy of native IIS malware, provides a comprehensive guide to help fellow security researchers and defenders detect, dissect and mitigate this class of server-side threats. In this blogpost, we summarize the findings of the white paper.
</p>

<p>
	 
</p>

<p>
	Today, we are also launching a series of blogposts where we introduce the most notable of the newly discovered IIS malware families, as case studies of how this type of malware is used for cybercrime, cyberespionage and SEO fraud. As well as this overview piece, you can read the first of the three installments, IIStealer: A server-side threat to e-commerce transactions.
</p>

<p>
	 
</p>

<p>
	The findings of our IIS malware research were first presented at Black Hat USA 2021 and will also be shared with the community at the Virus Bulletin 2021 conference on October 8th.
</p>

<p>
	 
</p>

<p>
	<strong>Anatomy of native IIS malware</strong>
</p>

<p>
	 
</p>

<p>
	<img data-ratio="126.73" width="101" alt="pdf-document-big.png" src="https://www.welivesecurity.com/wp-content/themes/eset-wls-2018/assets/img/pdf-document-big.png" />
</p>

<p>
	 
</p>

<p>
	<a href="https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf" rel="external nofollow">Download Research Paper</a>
</p>

<p>
	 
</p>

<p>
	IIS is Microsoft Windows web server software with an extensible, modular architecture that, since v7.0, supports two types of extensions – native (C++ DLL) and managed (.NET assembly) modules. Focusing on malicious native IIS modules, we have found over 80 unique samples used in the wild and categorized them into 14 malware families – 10 of which were previously undocumented. ESET security solutions detect these families as Win{32,64}/BadIIS and Win{32,64}/Spy.IISniff.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:16px;"><strong>How IIS malware operates</strong></span>
</p>

<p>
	<br />
	IIS malware is a diverse class of threats used for cybercrime, cyberespionage, and SEO fraud – but in all cases, its main purpose is to intercept HTTP requests incoming to the compromised IIS server and affect how the server responds to (some of) these requests.
</p>

<p>
	 
</p>

<p>
	With the default installation, IIS itself is persistent, so there is no need for extension-based IIS malware to implement additional persistence mechanisms. Once configured as an IIS extension, the malicious IIS module is loaded by the IIS Worker Process (w3wp.exe), which handles requests sent to the server – this is where IIS malware can interfere with the request processing.
</p>

<p>
	 
</p>

<p>
	We identified five main modes in which IIS malware operates, as illustrated in Figure 1:
</p>

<p>
	 
</p>

<ul>
	<li>
		IIS backdoors allow their operators to remotely control the compromised computer with IIS installed
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		IIS infostealers allow their operators to intercept regular traffic between the compromised server and its legitimate visitors, to steal information such as login credentials and payment information. Using HTTPS doesn’t prevent this attack, as IIS malware can access all data handled by the server – which is where the data is processed in its unencrypted state.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		IIS injectors modify HTTP responses sent to legitimate visitors to serve malicious content
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		IIS proxies turn the compromised server into an unwitting part of the C&amp;C infrastructure for another malware family, and misuse the IIS server to relay communication between victims of that malware and the real C&amp;C server
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		SEO fraud IIS malware modifies the content served to search engines to manipulate SERP algorithms and boost the ranking for other websites of interest to the attackers
	</li>
</ul>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="Figure-1.-Overview-of-IIS-malware-mechan" class="ipsImage" data-ratio="63.33" height="428" width="720" src="https://www.welivesecurity.com/wp-content/uploads/2021/08/Figure-1.-Overview-of-IIS-malware-mechanisms-768x457.png" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Figure 1. Overview of IIS malware mechanisms</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	All of these malware types are discussed at length in the paper.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:16px;"><strong>How (and where) it spreads</strong></span>
</p>

<p>
	<br />
	Native IIS modules have unrestricted access to any resource available to the server worker process – thus, administrative rights are required to install native IIS malware. This considerably narrows down the options for the initial attack vector. We have seen evidence for two scenarios:
</p>

<p>
	 
</p>

<ul>
	<li>
		IIS malware spreading as a trojanized version of a legitimate IIS module
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		IIS malware spreading through server exploitation
	</li>
</ul>

<p>
	<br />
	For example, between March and June 2021, we detected a wave of IIS backdoors spread via the Microsoft Exchange pre-authentication RCE vulnerability chain (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065), aka ProxyLogon. Targeted specifically were Exchange servers that have Outlook on the web (aka OWA) enabled – as IIS is used to implement OWA, these were a particularly interesting target for espionage.
</p>

<p>
	 
</p>

<p>
	After our colleagues reported the first such case in March 2021, we have detected four more campaigns of various IIS backdoors spreading to Microsoft Exchange servers through the same vulnerability. To complement our telemetry, we have performed internet-wide scans to detect the presence of these backdoors, which allowed us to identify and notify other victims of the malware.
</p>

<p>
	 
</p>

<p>
	Figure 2 shows the geographical locations of servers affected by these five campaigns, using data from our telemetry and internet-wide scans.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="Figure-2.-Victims-of-native-IIS-backdoor" class="ipsImage" data-ratio="58.47" height="395" width="720" src="https://www.welivesecurity.com/wp-content/uploads/2021/08/Figure-2.-Victims-of-native-IIS-backdoors-spread-via-the-ProxyLogon-vulnerability-chain-768x422.png" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Figure 2. Victims of native IIS backdoors spread via the ProxyLogon vulnerability chain</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	The following entities were among the victims:
</p>

<p>
	 
</p>

<ul>
	<li>
		Government institutions in three countries in Southeast Asia
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		A major telecommunications company in Cambodia
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		A research institution in Vietnam
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		Dozens of private companies in a range of industries, located mostly in Canada, Vietnam and India, and others in the USA, New Zealand, South Korea, and other countries
	</li>
</ul>

<p>
	<br />
	Note that while IIS backdoors may be well-suited for spying on high-profile mailboxes, victims of IIS malware are not limited to compromised servers – all legitimate visitors of the websites hosted by these servers are potential targets, as the malware can be used to steal sensitive data from the visitors (IIS infostealers) or serve malicious content (IIS injectors). Please refer to the full white paper for the details on the targets of the other analyzed IIS families.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:16px;"><strong>The insides of native IIS malware</strong></span>
</p>

<p>
	<br />
	From the technical perspective, all types of native IIS malware are implemented as dynamic-link libraries (DLLs), written using the IIS C++ API. Any such DLL must:
</p>

<p>
	 
</p>

<ul>
	<li>
		Implement a class inherited from either the CHttpModule or CGlobalModule class (or both), and override a number of that class’s methods (event handlers)
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		Export the RegisterModule function, which is the library entry point, responsible for creating the instances of these classes and registering the implemented handlers for server events, as illustrated in Figure 3.
	</li>
</ul>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="Figure-3.-A-typical-RegisterModule-funct" class="ipsImage" data-ratio="55.83" height="392" width="720" src="https://www.welivesecurity.com/wp-content/uploads/2021/08/Figure-3.-A-typical-RegisterModule-function-of-native-IIS-malware.png" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Figure 3. A typical RegisterModule function of native IIS malware</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Server events refer to the steps that the IIS server takes during request processing (see Figure 4), but also to other actions taken by the server (for example, sending an HTTP response). These events generate event notifications, which are handled by event handlers implemented in the server’s modules (see Figure 5).
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="Figure-4.-HTTP-request-processing-pipeli" class="ipsImage" data-ratio="65.00" height="438" width="720" src="https://www.welivesecurity.com/wp-content/uploads/2021/08/Figure-4.-HTTP-request-processing-pipeline-in-IIS-768x468.png" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Figure 4. HTTP request-processing pipeline in IIS</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	In short, the event handlers (or the methods of IIS module core classes) are where the IIS malware functionality is implemented and where any reverse engineers should focus their analysis. For a deep dive into IIS malware essentials and how to analyze such binaries, refer to the Anatomy of native IIS malware section of our white paper.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="Figure-5.-Event-handlers-methods-of-the-" class="ipsImage" data-ratio="58.19" height="393" width="720" src="https://www.welivesecurity.com/wp-content/uploads/2021/08/Figure-5.-Event-handlers-methods-of-the-module-classes-CHttpModule-and-CGlobalModule-768x420.png" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Figure 5. Event handlers: methods of the module classes, CHttpModule and CGlobalModule</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	<span style="font-size:16px;"><strong>Network communication</strong></span>
</p>

<p>
	<br />
	A notable feature of IIS malware is how it communicates with its operators. Malicious IIS modules, especially IIS backdoors, don’t usually create new connections to their C&amp;C servers. They work as passive implants, allowing the attackers to control them by providing some “secret” in an HTTP request sent to the compromised IIS web server. That’s why IIS backdoors usually have a mechanism to recognize attacker requests that are used to control the server and have a predefined structure, such as:
</p>

<p>
	 
</p>

<ul>
	<li>
		URL or request body matching a specific regex
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		A specific custom HTTP header present
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		An embedded token (in the URL, request body or one of the headers) matching a hardcoded password
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		A hash value of an embedded token matching a hardcoded value
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		A more complex condition – for example, a relationship between all of the above
	</li>
</ul>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="Figure-6.-Passive-CC-communication-chann" class="ipsImage" data-ratio="38.06" height="257" width="720" src="https://www.welivesecurity.com/wp-content/uploads/2021/08/Figure-6.-Passive-CC-communication-channel-IIS-backdoors-768x275.png" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Figure 6. Passive C&amp;C communication channel (IIS backdoors)</em></span>
</p>

<p style="text-align:center;">
	 
</p>
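<p>
	Because a passive implant never calls out, egress monitoring will not catch it; the trigger traffic is inbound and lands in the server's own W3C logs. The following Python example is an added illustration, not ESET's detection logic, of two heuristics that follow from the description above: a 200 response for a path the site does not actually serve (the module, not the site, answered), and a query value that is nothing but a long hex or base64 token. The log lines, the site inventory and the 32-character threshold are constructed assumptions. Custom headers and request bodies are not in the default IIS log, so triggers of those kinds stay invisible to this check.
</p>

```python
import re

# Constructed inventory of paths the site legitimately serves. On a real
# server derive it from the content root and application routes.
SITE_PATHS = {"/index.html", "/about.html", "/owa/auth/logon.aspx"}

# A query value that is nothing but 32+ hex or base64 characters (assumed
# threshold) looks like an embedded token or its hash rather than user input.
TOKEN_RE = re.compile(r"^(?:[0-9a-f]{32,}|[A-Za-z0-9+/]{32,}={0,2})$", re.IGNORECASE)

# Constructed W3C extended log excerpt. The hex token is SHA-256 of the
# empty string, used here only as a recognisable 64-character value.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-08-07 10:00:01 10.0.0.5 GET /index.html - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 12
2021-08-07 10:00:05 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.com/owa 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 40
2021-08-07 10:01:13 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 198.51.100.23 python-requests/2.25.1 - 200 0 0 8
2021-08-07 10:02:30 10.0.0.5 GET /about.html - 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 5
2021-08-07 10:03:02 10.0.0.5 GET /nonexistent/x.aspx token=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 443 - 198.51.100.23 curl/7.68.0 - 200 0 0 3
2021-08-07 10:03:40 10.0.0.5 GET /missing.png - 443 - 203.0.113.9 Mozilla/5.0 - 404 0 2 1
"""


def parse_w3c(log_text):
    """Yield one dict per record, keyed by the names in the #Fields: line."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def suspicious_tokens(query):
    """Return query values that look like long hex/base64 tokens."""
    if query == "-":
        return []
    hits = []
    for part in query.split("&"):
        value = part.split("=", 1)[1] if "=" in part else part
        if TOKEN_RE.match(value):
            hits.append(value)
    return hits


def find_backdoor_triggers(log_text, site_paths=SITE_PATHS):
    """Flag records that match either heuristic; returns
    (timestamp, client_ip, path, reasons) tuples."""
    findings = []
    for rec in parse_w3c(log_text):
        reasons = []
        if rec["sc-status"] == "200" and rec["cs-uri-stem"].lower() not in site_paths:
            reasons.append("200 for a path the site does not serve")
        if suspicious_tokens(rec["cs-uri-query"]):
            reasons.append("long hex/base64 token in query")
        if reasons:
            findings.append((f'{rec["date"]} {rec["time"]}', rec["c-ip"],
                             rec["cs-uri-stem"], reasons))
    return findings


if __name__ == "__main__":
    for when, client, path, reasons in find_backdoor_triggers(SAMPLE_LOG):
        print(f"{when} {client} {path}: {'; '.join(reasons)}")
```

<p>
	Only the request to /nonexistent/x.aspx is flagged: the legitimate OWA request with a URL-valued query is not a bare token, and the 404 for /missing.png shows the server behaving normally for an unknown path. On a real Exchange or web server the inventory is the hard part, and a single scanner hit will produce the same "unknown path" signal, so treat the output as a triage list rather than an alert.
</p>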

<p>
	On the other hand, some IIS malware categories do implement an alternative C&amp;C channel – using protocols such as HTTP or DNS – to obtain the current configuration on the fly. For example, an IIS injector contacts its C&amp;C server every time there is a new request from a legitimate visitor of the compromised website, and uses the server response to modify the content served to that visitor (such as malicious code or adware).
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="Figure-7.-Alternative-CC-communication-m" class="ipsImage" data-ratio="29.03" height="195" width="720" src="https://www.welivesecurity.com/wp-content/uploads/2021/08/Figure-7.-Alternative-CC-communication-mechanism-IIS-injectors-768x209.png" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Figure 7. Alternative C&amp;C communication mechanism (IIS injectors)</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Table 1 summarizes how the C&amp;C channels, as well as other notable techniques, are implemented by the 14 analyzed IIS malware families.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	&lt; View the Table 1 at the <a href="https://www.welivesecurity.com/2021/08/06/anatomy-native-iis-malware/" rel="external nofollow">source page</a>. &gt;
</p>

<p style="text-align:center;">
	 
</p>

<p>
	<span style="font-size:16px;"><strong>Mitigation</strong></span>
</p>

<p>
	<br />
	Since native IIS modules can only be installed with administrative privileges, the attackers first need to obtain elevated access to the IIS server. The following recommendations could help make their work harder:
</p>

<p>
	 
</p>

<ul>
	<li>
		Use dedicated accounts with strong, unique passwords for the administration of the IIS server. Require multifactor authentication (MFA) for these accounts. Monitor the usage of these accounts.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		Regularly patch your OS, and carefully consider which services are exposed to the internet, to reduce the risk of server exploitation.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		Consider using a web application firewall, and/or endpoint security solution on your IIS server.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		Native IIS modules have unrestricted access to any resource available to the server worker process; you should only install native IIS modules from trusted sources to avoid downloading their trojanized versions. Be especially aware of modules promising too-good-to-be-true features such as magically improving SEO.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		Regularly check the IIS server configuration to verify that all the installed native modules are legitimate (signed by a trusted provider, or installed on purpose).
	</li>
</ul>
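<p>
	One way to implement the last check above is to audit the &lt;globalModules&gt; section of IIS's applicationHost.config, where native (C++ DLL) modules are registered by name and image path. The following Python script is an added example, not part of ESET's paper or tooling: it flags any native module whose image lies outside the inetsrv directory or whose name is not on an expected-modules allowlist. The allowlist and the sample configuration are constructed; the first two entries are genuine IIS modules, the other two are fictional stand-ins. Authenticode signature checking is left to the host (for example Get-AuthenticodeSignature in PowerShell), since the page's "signed by a trusted provider" test cannot be done from the config file alone.
</p>

```python
import ntpath
import re
import xml.etree.ElementTree as ET

INETSRV_DIR = r"%windir%\System32\inetsrv"

# Constructed allowlist: the native modules you expect on this server. Build
# yours from a known-good build, not from the server under investigation.
KNOWN_GOOD = {"HttpLoggingModule", "StaticFileModule", "DefaultDocumentModule",
              "RequestFilteringModule", "AnonymousAuthenticationModule"}

# Constructed applicationHost.config fragment. "ContentCacheHelper" and
# "SeoBoostModule" are fictional: one dropped outside inetsrv, one planted
# inside it under a plausible name.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="ContentCacheHelper" image="C:\inetpub\wwwroot\bin\cachehelper.dll" />
      <add name="SeoBoostModule" image="%windir%\System32\inetsrv\seoboost.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""


def expand_windir(path, windir=r"C:\Windows"):
    """Expand %windir% (case-insensitively) without relying on the host OS."""
    return re.sub(r"%windir%", lambda _m: windir, path, flags=re.IGNORECASE)


def audit_native_modules(config_xml, allowlist=KNOWN_GOOD, windir=r"C:\Windows"):
    """Return (name, image, reasons) for every <globalModules><add> entry that
    is outside the inetsrv directory or not on the allowlist."""
    root = ET.fromstring(config_xml)
    inetsrv = ntpath.normcase(expand_windir(INETSRV_DIR, windir)) + "\\"
    findings = []
    for section in root.iter("globalModules"):
        for module in section.findall("add"):
            name = module.get("name", "")
            image = module.get("image", "")
            reasons = []
            if not ntpath.normcase(expand_windir(image, windir)).startswith(inetsrv):
                reasons.append("image outside inetsrv directory")
            if name not in allowlist:
                reasons.append("module name not in allowlist")
            if reasons:
                findings.append((name, image, reasons))
    return findings


if __name__ == "__main__":
    # On a live server read the real file instead:
    # with open(r"C:\Windows\System32\inetsrv\config\applicationHost.config") as f:
    #     findings = audit_native_modules(f.read())
    for name, image, reasons in audit_native_modules(SAMPLE_CONFIG):
        print(f"{name}: {image} -> {', '.join(reasons)}")
```

<p>
	The path check alone is not enough: a trojanized or planted module can sit in inetsrv under a convincing name, which is why SeoBoostModule is still reported by the allowlist rule, and legitimate third-party modules installed elsewhere (the ASP.NET Core module, for instance) will trip the path rule until you add them to the allowlist. Run the audit from a scheduled task and diff its output over time; a new entry in globalModules is the event you want to know about.
</p>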

<p>
	<br />
	For details on how to detect and remove IIS malware, refer to the Mitigation section of the white paper. We are also publishing a set of YARA rules that you can leverage to detect all the 14 analyzed IIS malware families.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:16px;"><strong>Conclusion</strong></span>
</p>

<p>
	<br />
	Internet Information Services web servers have been targeted by various malicious actors, for cybercrime and cyberespionage alike. The software’s modular architecture, designed to provide extensibility for web developers, can be a useful tool for attackers to become a part of the IIS server, and intercept or modify its traffic.
</p>

<p>
	 
</p>

<p>
	It is still quite rare for endpoint (and other) security software to run on IIS servers, which makes it easy for attackers to operate unnoticed for long periods of time. This should be disturbing for all serious web portals that want to protect their visitors’ data, including authentication and payment information. Organizations that use OWA should also pay attention, as it depends on IIS and could be an interesting target for espionage.
</p>

<p>
	 
</p>

<p>
	While IIS server threats are not limited to native IIS malware, we believe this paper will be a helpful starting point for defenders for understanding, identifying, and removing IIS threats, and a guide to our fellow researchers to reverse engineer this class of threats and understand their common tactics, techniques and procedures.
</p>

<p>
	 
</p>

<p>
	Additional technical details on the malware and Indicators of Compromise can be found in our comprehensive white paper, and on GitHub. For any inquiries, or to make sample submissions related to the subject, contact us at: threatintel@eset.com.
</p>

<p>
	 
</p>

<p>
	<em>Acknowledgements to fellow ESET malware researchers Marc-Étienne Léveillé and Mathieu Tartare for their work on this investigation.</em>
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.welivesecurity.com/2021/08/06/anatomy-native-iis-malware/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1665</guid><pubDate>Sat, 07 Aug 2021 13:56:30 +0000</pubDate></item><item><title>Computer hardware giant GIGABYTE hit by RansomEXX ransomware</title><link>https://nsaneforums.com/news/security-privacy-news/computer-hardware-giant-gigabyte-hit-by-ransomexx-ransomware-r1656/</link><description><![CDATA[<p>
	Taiwanese motherboard maker Gigabyte has been hit by the RansomEXX ransomware gang, who threaten to publish 112GB of stolen data unless a ransom is paid.
</p>

<p>
	 
</p>

<p>
	Gigabyte is best known for its motherboards but also manufactures other computer components and hardware, such as graphics cards, data center servers, laptops, and monitors.
</p>

<p>
	 
</p>

<p>
	The attack occurred late Tuesday night into Wednesday and forced the company to shut down its systems in Taiwan. The incident also affected multiple websites of the company, including its support site and portions of the Taiwanese website.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="support-site.jpg" class="ipsImage" data-ratio="75.10" height="489" width="720" src="https://www.bleepstatic.com/images/news/ransomware/attacks/g/gigabyte/support-site.jpg">
		</p>

		<figcaption>
			Gigabyte support down due to ransomware attack
		</figcaption>
	</figure>
</div>

<p>
	Customers have also reported issues accessing support documents or receiving updated information about RMAs, which is likely due to the ransomware attack.
</p>

<p>
	 
</p>

<p>
	According to the Taiwanese news site <a href="https://money.udn.com/money/story/5612/5655901?from=edn_referralnews_story_ch5591" rel="external nofollow" target="_blank">United Daily News</a>, Gigabyte confirmed they suffered a cyberattack that affected a small number of servers.
</p>

<p>
	 
</p>

<p>
	After detecting the abnormal activity on their network, they had shut down their IT systems and notified law enforcement.
</p>

<p>
	 
</p>

<p>
	If you have first-hand information about this or other unreported cyberattacks, you can confidentially contact us on Signal at <a href="tel:+16469613731" target="_blank" rel="">+16469613731</a> or on Wire at @lawrenceabrams-bc.
</p>

<h2>
	Gigabyte suffers RansomEXX ransomware attack
</h2>

<p>
	While Gigabyte has not officially stated what ransomware operation performed the attack, BleepingComputer has learned it was conducted by the RansomEXX gang.
</p>

<p>
	 
</p>

<p>
	When the RansomEXX operation encrypts a network, they will create ransom notes on each encrypted device.
</p>

<p>
	 
</p>

<p>
	These ransom notes contain a link to a non-public page meant to be accessible only to the victim, where they can test the decryption of one file and leave an email address to begin ransom negotiations.
</p>

<p>
	 
</p>

<p>
	Today, a source sent BleepingComputer a link to a non-public RansomEXX leak page for Gigabytes Technologies, where the threat actors claim to have stolen 112GB of data during the attack.
</p>

<p>
	 
</p>

<p>
	In a ransom note also seen by BleepingComputer, the threat actors state, "Hello, Gigabyte (gigabyte.com)!" and include the same link to the private leak page shared with us by our source.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="private-leak-page.jpg" class="ipsImage" data-ratio="75.10" height="540" width="698" src="https://www.bleepstatic.com/images/news/ransomware/attacks/g/gigabyte/private-leak-page.jpg">
		</p>

		<figcaption>
			Non-public Gigabyte data leak page
		</figcaption>
	</figure>
</div>

<p>
	On this non-public leak page, the threat actors claim to have stolen 112 GB of data from an internal Gigabyte network as well as the American Megatrends Git repository:
</p>

<blockquote>
	<p>
		We have downloaded 112 GB (120,971,743,713 bytes) of your files and we are ready to PUBLISH it.<br>
		Many of them are under NDA (Intel, AMD, American Megatrends).
	</p>

	<p>
		Leak sources: newautobom.gigabyte.intra, git.ami.com.tw and some others.
	</p>
</blockquote>

<p>
	On the private data leak page, the threat actors also shared screenshots of four documents under NDA stolen during the attack.
</p>

<p>
	 
</p>

<p>
	While we will not be posting the leaked images, the confidential documents include an American Megatrends debug document, an Intel "Potential Issues" document, an "Ice Lake D SKU stack update schedule," and an AMD revision guide.
</p>

<p>
	 
</p>

<p>
	BleepingComputer has attempted to contact Gigabyte about the attack but has not heard back at this time.
</p>

<h2>
	What you need to know about RansomEXX
</h2>

<p>
	The RansomEXX ransomware operation originally started under the name Defray in 2018 but <a href="https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/" target="_blank" rel="external nofollow">rebranded as RansomEXX in June 2020</a> when they became more active.
</p>

<p>
	 
</p>

<p>
	Like other ransomware operations, RansomEXX will breach a network through Remote Desktop Protocol, exploits, or stolen credentials.
</p>

<p>
	 
</p>

<p>
	Once they gain access to the network, they will harvest more credentials as they slowly gain control of the Windows domain controller. During this lateral spread through the network, the ransomware gang will steal data from unencrypted devices to use as leverage in ransom extortions.
</p>

<p>
	 
</p>

<p>
	RansomEXX does not only target Windows devices but has also <a href="https://www.bleepingcomputer.com/news/security/ransomexx-ransomware-also-encrypts-linux-systems/" target="_blank" rel="external nofollow">created a Linux encryptor to encrypt virtual machines</a> running on VMware ESXi servers.
</p>

<p>
	 
</p>

<p>
	Over the past month, the RansomEXX gang has become more active as they have recently <a href="https://www.bleepingcomputer.com/news/security/ransomware-attack-hits-italys-lazio-region-affects-covid-19-site/" target="_blank" rel="external nofollow">attacked Italy's Lazio region</a> and <a href="https://www.bleepingcomputer.com/news/security/ecuadors-state-run-cnt-telco-hit-by-ransomexx-ransomware/" target="_blank" rel="external nofollow">Ecuador's state-run Corporación Nacional de Telecomunicación</a> (CNT).
</p>

<p>
	 
</p>

<p>
	Other high-profile attacks by the ransomware gang include <a href="https://www.bleepingcomputer.com/news/security/brazils-court-system-under-massive-ransomexx-ransomware-attack/" target="_blank" rel="external nofollow">Brazil's government networks</a>, the <a href="https://www.bleepingcomputer.com/news/security/ransomware-attack-impacts-texas-department-of-transportation/" target="_blank" rel="external nofollow">Texas Department of Transportation</a> (TxDOT), <a href="https://www.bleepingcomputer.com/news/security/business-technology-giant-konica-minolta-hit-by-new-ransomware/" target="_blank" rel="external nofollow">Konica Minolta</a>, <a href="https://www.bleepingcomputer.com/news/security/leading-us-laser-developer-ipg-photonics-hit-with-ransomware/" target="_blank" rel="external nofollow">IPG Photonics</a>, and <a href="https://www.bleepingcomputer.com/news/security/government-software-provider-tyler-technologies-hit-by-ransomware/" target="_blank" rel="external nofollow">Tyler Technologies</a>.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/computer-hardware-giant-gigabyte-hit-by-ransomexx-ransomware/" rel="external nofollow">Computer hardware giant GIGABYTE hit by RansomEXX ransomware</a>
</p>
]]></description><guid isPermaLink="false">1656</guid><pubDate>Fri, 06 Aug 2021 23:46:33 +0000</pubDate></item><item><title>Apple to Scan Every Device for Child Abuse Content &#x2014; But Experts Fear for Privacy</title><link>https://nsaneforums.com/news/security-privacy-news/apple-to-scan-every-device-for-child-abuse-content-%E2%80%94-but-experts-fear-for-privacy-r1647/</link><description><![CDATA[<p>
	Apple on Thursday said it's introducing new child safety features in iOS, iPadOS, watchOS, and macOS as part of its efforts to limit the spread of Child Sexual Abuse Material (CSAM) in the U.S.
</p>

<p>
	 
</p>

<p>
	To that effect, the iPhone maker said it intends to begin client-side scanning of images shared via every Apple device for known child abuse content as they are being uploaded into iCloud Photos, in addition to leveraging on-device machine learning to vet all iMessage images sent or received by minor accounts (aged under 13) to warn parents of sexually explicit photos in the messaging platform.
</p>

<p>
	 
</p>

<p>
	Furthermore, Apple also plans to update Siri and Search to stage an intervention when users try to perform searches for CSAM-related topics, warning that "interest in this topic is harmful and problematic."
</p>

<p>
	 
</p>

<p>
	"Messages uses on-device machine learning to analyze image attachments and determine if a photo is sexually explicit," Apple noted. "The feature is designed so that Apple does not get access to the messages." The feature, called Communication Safety, is said to be an opt-in setting that must be enabled by parents through the Family Sharing feature.
</p>

<p>
	 
</p>

<p>
	<strong>How Child Sexual Abuse Material is Detected</strong>
</p>

<p>
	 
</p>

<p>
	Detection of known CSAM images involves carrying out on-device matching using a database of known CSAM image hashes provided by the National Center for Missing and Exploited Children (NCMEC) and other child safety organizations before the photos are uploaded to the cloud. "NeuralHash," as the system is called, is powered by a cryptographic technology known as private set intersection. However, it's worth noting that while the scanning happens automatically, the feature only works when iCloud photo sharing is turned on.
</p>

<p>
	 
</p>

<p>
	What's more, Apple is expected to use another cryptographic principle called threshold secret sharing that allows it to "interpret" the contents if an iCloud Photos account crosses a threshold of known child abuse imagery, following which the content is manually reviewed to confirm there is a match; if so, Apple disables the user's account, reports the material to NCMEC, and passes it on to law enforcement.
</p>

<p>
	 
</p>

<p>
	<strong>Researchers Express Concern About Privacy</strong>
</p>

<p>
	<br />
	Apple's CSAM initiative has prompted security researchers to express anxieties that it could suffer from mission creep and be expanded to detect other kinds of content that could have political and safety implications, or even frame innocent individuals by sending them harmless but malicious images designed to appear as matches for child porn.
</p>

<p>
	 
</p>

<p>
	U.S. whistle-blower Edward Snowden tweeted that, despite the project's good intentions, what Apple is rolling out is "mass surveillance," while Johns Hopkins University cryptography professor and security expert Matthew Green said, "the problem is that encryption is a powerful tool that provides privacy, and you can't really have strong privacy while also surveilling every image anyone sends."
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="iphone.jpg" class="ipsImage" data-ratio="75.10" height="540" width="561" src="https://thehackernews.com/images/-klIsaQw0yQY/YQ1EySMLxqI/AAAAAAAADeA/RxjNJ3ENTMk33_dCt6ScR65gr-KNyrgOQCLcBGAsYHQ/s728-e1000/iphone.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Apple already checks iCloud files and images sent over email against known child abuse imagery, as do tech giants like Google, Twitter, Microsoft, Facebook, and Dropbox, who employ similar image hashing methods to look for and flag potential abuse material, but Apple's attempt to walk a privacy tightrope could renew debates about weakening encryption, escalating a long-running tug of war over privacy and policing in the digital age.
</p>

<p>
	 
</p>

<p>
	The New York Times, in a 2019 investigation, revealed that a record 45 million online photos and videos of children being sexually abused were reported in 2018, out of which Facebook Messenger accounted for nearly two-thirds, with Facebook as a whole responsible for 90% of the reports.
</p>

<p>
	 
</p>

<p>
	Apple, along with Facebook-owned WhatsApp, has continually resisted efforts to intentionally weaken encryption and backdoor its systems. That said, Reuters reported last year that the company abandoned plans to encrypt users' full backups to iCloud in 2018 after the U.S. Federal Bureau of Investigation (FBI) raised concerns that doing so would impede investigations.
</p>

<p>
	 
</p>

<p>
	"Child exploitation is a serious problem, and Apple isn't the first tech company to bend its privacy-protective stance in an attempt to combat it. But that choice will come at a high price for overall user privacy," the Electronic Frontier Foundation (EFF) said in a statement, noting that Apple's move could break encryption protections and open the door for broader abuses.
</p>

<p>
	 
</p>

<p>
	"All it would take to widen the narrow backdoor that Apple is building is an expansion of the machine learning parameters to look for additional types of content, or a tweak of the configuration flags to scan, not just children's, but anyone's accounts. That's not a slippery slope; that's a fully built system just waiting for external pressure to make the slightest change," it added.
</p>

<p>
	 
</p>

<p>
	The CSAM efforts are set to roll out in the U.S. in the coming months as part of iOS 15 and macOS Monterey, but it remains to be seen if, or when, they would be available internationally. In December 2020, Facebook was forced to switch off some of its child abuse detection tools in Europe in response to recent changes to the European Commission's e-privacy directive that effectively ban automated systems scanning for child sexual abuse images and other illegal content without users' explicit consent.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/08/apple-to-scan-every-device-for-child.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1647</guid><pubDate>Fri, 06 Aug 2021 19:35:23 +0000</pubDate></item><item><title>Critical Vulnerabilities Found in macOS Privacy Protections</title><link>https://nsaneforums.com/news/security-privacy-news/critical-vulnerabilities-found-in-macos-privacy-protections-r1646/</link><description><![CDATA[<p>
	<span style="font-size:16px;"><em>Even though the TCC can prevent encryption during a ransomware attack, it still has some flaws that hackers can exploit</em></span>
</p>

<p>
	 
</p>

<p>
	<strong>Wojciech Regula from SecuRing and Csaba Fitzl from Offensive Security revealed at a Black Hat USA briefing two days ago that applications allowed to run on macOS can override permissions granted by the operating system or the user, according to Dark Reading.</strong>
</p>

<p>
	 
</p>

<p>
	Several security holes and bad configurations allowed them to evade Apple's TCC privacy scheme. Bypassing security permissions can lead to a variety of privacy risks, including accessing system files, taking screenshots, and collecting information from the contact book.
</p>

<p>
	 
</p>

<p>
	However, while the vulnerabilities themselves are not remotely exploitable, attackers can use them to bypass system protections on sensitive data. For the exploit to happen, bad actors need to convince the user to run malicious code. Regula explained that while Apple takes a considerable amount of time, in some cases as long as six months, to investigate and fix bugs, the company maintains its commitment to rewarding such issues.
</p>

<p>
	 
</p>

<p>
	<strong>It's not the first time Apple's macOS has been affected by malware-related privacy issues</strong>
</p>

<p>
	<br />
	In May, Apple took action to address three bugs in tvOS and macOS that had previously allowed malware (known as XCSSET) to take screenshots and collect Safari browser cookies without user consent. Another way to circumvent Apple's operating system privacy permissions is to ask the user to grant permission through a dialog box.
</p>

<p>
	 
</p>

<p>
	The good news is that TCC is still strong enough to prevent system file encryption during a ransomware attack after a TCC bypass, since privacy-protected files are read- and write-protected, according to SecuRing's Wojciech Regula. SIP (System Integrity Protection), the basis for TCC, restricts user access to various folders even if the user has administrator capabilities. To gain access to features or programs capable of changing TCC permissions, the researchers used multiple approaches, methods that skilled attackers could also use.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://news.softpedia.com/news/critical-vulnerabilities-found-in-macos-privacy-protections-533691.shtml" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1646</guid><pubDate>Fri, 06 Aug 2021 16:39:59 +0000</pubDate></item><item><title>VMware Issues Patches to Fix Critical Bugs Affecting Multiple Products</title><link>https://nsaneforums.com/news/security-privacy-news/vmware-issues-patches-to-fix-critical-bugs-affecting-multiple-products-r1638/</link><description><![CDATA[<p>
	VMware has released security updates for multiple products to address a critical vulnerability that could be exploited to gain access to confidential information.
</p>

<p>
	 
</p>

<p>
	Tracked as CVE-2021-22002 (CVSS score: 8.6) and CVE-2021-22003 (CVSS score: 3.7), the flaws affect VMware Workspace One Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.
</p>

<p>
	 
</p>

<p>
	CVE-2021-22002 concerns an issue with how VMware Workspace One Access and Identity Manager allow the "/cfg" web app and diagnostic endpoints to be accessed via port 443 by tampering with a host header, resulting in a server-side request.
</p>

<p>
	 
</p>

<p>
	"A malicious actor with network access to port 443 could tamper with host headers to facilitate access to the /cfg web app, in addition a malicious actor could access /cfg diagnostic endpoints without authentication," the company said in its advisory. Suleyman Bayir of Trendyol has been credited with reporting the flaw.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="vmware.jpg" class="ipsImage" data-ratio="75.10" height="540" width="642" src="https://thehackernews.com/images/-nJxwhFmB4hs/YQzVkOxFAPI/AAAAAAAADdQ/XXCtO0sVbjAhm39P4Jh-Msy5jVjZ3QTNwCLcBGAsYHQ/s0/vmware.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Also addressed by VMware is an information disclosure vulnerability impacting VMware Workspace One Access and Identity Manager through an inadvertently exposed login interface on port 7443. An attacker with network access to port 7443 could potentially stage a brute-force attack, which the firm noted "may or may not be practical based on lockout policy configuration and password complexity for the target account."
</p>

<p>
	 
</p>

<p>
	For customers who cannot upgrade to the latest version, VMware is offering a workaround script for CVE-2021-22002 that can be deployed independently without taking the vRA appliances offline. "The workaround disables the ability to resolve the configuration page of vIDM. This endpoint is not used in vRA 7.6 environments and will not cause any impact to functionality," the company said.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/08/vmware-issues-patches-to-fix-critical.html" rel="external nofollow">Source</a></strong>
</p>

<p>
	 
</p>
]]></description><guid isPermaLink="false">1638</guid><pubDate>Fri, 06 Aug 2021 13:14:37 +0000</pubDate></item><item><title>India's Koo, a Twitter-like Service, Found Vulnerable to Critical Worm Attacks</title><link>https://nsaneforums.com/news/security-privacy-news/indias-koo-a-twitter-like-service-found-vulnerable-to-critical-worm-attacks-r1637/</link><description><![CDATA[<p>
	Koo, India's homegrown Twitter clone, recently patched a serious security vulnerability that could have been exploited to execute arbitrary JavaScript code against hundreds of thousands of its users, spreading the attack across the platform.
</p>

<p>
	 
</p>

<p>
	The vulnerability involves a stored cross-site scripting flaw (also known as persistent XSS) in Koo's web application that allows malicious scripts to be embedded directly into the affected web application.
</p>

<p>
	 
</p>

<p>
	To carry out the attack, all a malicious actor had to do was log into the service via the web application and post an XSS-encoded payload to its timeline, which would then execute automatically in the browser of every user who viewed the post.
</p>

<p>
	 
</p>

<p>
	The issue was discovered by security researcher Rahul Kankrale in July, following which a fix was rolled out by Koo on July 3.
</p>

<p>
	 
</p>

<p>
	Using cross-site scripting, an attacker can perform actions on behalf of users with the same privileges as the user and steal the web browser's secrets, such as authentication cookies.
</p>

<p>
	 
</p>

<p>
	Because malicious JavaScript has access to all objects that the website can access, it could allow adversaries to reach sensitive data such as private messages, spread misinformation, or display spam using users' profiles.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedVideo">
	<div>
		<iframe allowfullscreen="" frameborder="0" height="150" width="200" data-embed-src="https://www.youtube.com/embed/Pvnj9kLyBSk?feature=oembed"></iframe>
	</div>
</div>

<p style="text-align:center;">
	 
</p>

<p>
	What makes this vulnerability in Koo more worrisome is that it enables an XSS worm: malicious code that automatically propagates among a website's visitors, infecting other users without any user interaction, like a chain reaction.
</p>

<p>
	 
</p>

<p>
	Koo, which launched in November 2019, bills itself as an Indian alternative to Twitter and boasts of 6 million active users on its platform. The Bengaluru-based company has also emerged as the social media service of choice in Nigeria after the country indefinitely banned Twitter for deleting a tweet by Nigerian President Muhammadu Buhari.
</p>

<p>
	 
</p>

<p>
	Aprameya Radhakrishna, co-founder and chief executive officer of Koo, announced the entry of the app into the Nigerian market earlier this week.
</p>

<p>
	 
</p>

<p>
	Also patched was a reflected XSS vulnerability associated with the hashtag feature, which allowed an adversary to pass malicious JavaScript code to the endpoint used for searching for a specific hashtag ("https://www[.]kooapp[.]com/tag/[hashtag]").
</p>

<p>
	 
</p>

<p>
	The fixes follow another critical vulnerability in the Koo app, patched earlier this February, that could have allowed attackers to gain access to any user account on the platform without requiring a password or user interaction.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="hacking-news.jpg" class="ipsImage" data-ratio="60.83" height="434" width="720" src="https://thehackernews.com/images/-J0MKlN7mknI/YQ0e1WlKF4I/AAAAAAAA4U4/073CFBN4YQ4xbDacAFAIJbNURw624J5twCLcBGAsYHQ/s728-e1000/hacking-news.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	It was discovered by Prasoon Gupta, an independent security researcher. In an interview with The Hacker News, Prasoon explained that the vulnerability arises from the way the app validates access tokens when a user is authenticated with a phone number and a one-time password (OTP) sent to it.
</p>

<p>
	 
</p>

<p>
	The disclosure comes a little over a month after similar XSS-related vulnerabilities were uncovered in Microsoft's Edge browser, which can be exploited to trigger an attack simply by adding a comment to a YouTube video or sending a Facebook friend request from an account that contains non-English language content accompanied by an XSS payload.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/08/indias-koo-twitter-like-service-found.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1637</guid><pubDate>Fri, 06 Aug 2021 13:10:53 +0000</pubDate></item><item><title>New Amazon Kindle Bug Could've Let Attackers Hijack Your eBook Reader</title><link>https://nsaneforums.com/news/security-privacy-news/new-amazon-kindle-bug-couldve-let-attackers-hijack-your-ebook-reader-r1636/</link><description><![CDATA[<p>
	Amazon earlier this April addressed a critical vulnerability in its Kindle e-book reader platform that could have been potentially exploited to take full control over a user's device, resulting in the theft of sensitive information by just deploying a malicious e-book.
</p>

<p>
	 
</p>

<p>
	"By sending Kindle users a single malicious e-book, a threat actor could have stolen any information stored on the device, from Amazon account credentials to billing information," Yaniv Balmas, head of cyber research at Check Point, said in an emailed statement. "The security vulnerabilities allow an attacker to target a very specific audience."
</p>

<p>
	 
</p>

<p>
	In other words, if a threat actor wanted to single out a specific group of people or demographic, it's possible for the adversary to choose a popular e-book in a language or dialect that's widely spoken among the group to tailor and orchestrate a highly targeted cyber attack.
</p>

<p>
	 
</p>

<p>
	Upon responsibly disclosing the issue to Amazon in February 2021, the retail and entertainment giant published a fix as part of its 5.13.5 version of Kindle firmware in April 2021.
</p>

<p>
	 
</p>

<p>
	Attacks exploiting the flaw commence by sending a malicious e-book to an intended victim, who, upon opening the book, triggers the infection sequence sans any interaction, allowing the bad actor to delete the user's library, gain full access to the Amazon account, or convert the Kindle into a bot for striking other devices in the target's local network.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="heap-overflow.jpg" class="ipsImage" data-ratio="47.08" height="336" width="720" src="https://thehackernews.com/images/-2rY0HgZDgp8/YQ0LEfNrWEI/AAAAAAAADdo/_EyfL1RDmpEA4Lylk-SHiQNFwIWFg2CyACLcBGAsYHQ/s0/heap-overflow.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	The problem resides in the firmware's e-book parsing framework, specifically in the implementation associated with how PDF documents are opened, permitting an attacker to execute a malicious payload on the device.
</p>

<p>
	 
</p>

<p>
	This is made possible thanks to a heap overflow vulnerability in the PDF rendering function (CVE-2021-30354), which can be leveraged to gain an arbitrary write primitive, and a local privilege escalation flaw in the Kindle application manager service (CVE-2021-30355) that enables the threat actor to chain the two flaws to run malware-laced code as the root user.
</p>

<p>
	 
</p>

<p>
	Earlier this January, Amazon fixed similar weaknesses — collectively named "KindleDrip" — that could have allowed an attacker to take control of victims' devices by delivering a malicious e-book to the targets and make unauthorized purchases.
</p>

<p>
	 
</p>

<p>
	"Kindle, like other IoT devices, are often thought of as innocuous and disregarded as security risks," Balmas said. "These IoT devices are vulnerable to the same attacks as computers. Everyone should be aware of the cyber risks in using anything connected to the computer, especially something as ubiquitous as Amazon's Kindle."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/08/new-amazon-kindle-bug-couldve-let.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1636</guid><pubDate>Fri, 06 Aug 2021 13:04:07 +0000</pubDate></item><item><title>Ransomware Gangs and the Name Game Distraction</title><link>https://nsaneforums.com/news/security-privacy-news/ransomware-gangs-and-the-name-game-distraction-r1624/</link><description><![CDATA[<div>
	<p>
		It’s nice when ransomware gangs have their bitcoin stolen, malware servers shut down, or are otherwise forced to disband. We hang on to these occasional victories because history tells us that most ransomware moneymaking collectives don’t go away so much as reinvent themselves under a new name, with new rules, targets and weaponry. Indeed, some of the most destructive and costly ransomware groups are now in their third incarnation.
	</p>

	<p>
		 
	</p>

	<div id="attachment_56482">
		<img alt="ransmocalendar-768x480.png" class="ipsImage" data-ratio="66.67" height="450" width="720" src="https://krebsonsecurity.com/wp-content/uploads/2021/08/ransmocalendar-768x480.png">
		<p id="caption-attachment-56482">
			A rough timeline of major ransomware operations and their reputed links over time.
		</p>
	</div>

	<p>
		 
	</p>

	<p>
		Reinvention is a basic survival skill in the cybercrime business. Among the oldest tricks in the book is to fake one’s demise or retirement and invent a new identity. A key goal of such subterfuge is to throw investigators off the scent or to temporarily direct their attention elsewhere.
	</p>

	<p>
		 
	</p>

	<p>
		Cybercriminal syndicates also perform similar disappearing acts whenever it suits them. These organizational reboots are an opportunity for ransomware program leaders to set new ground rules for their members — such as which types of victims aren’t allowed (e.g., hospitals, governments, critical infrastructure), or how much of a ransom payment an affiliate should expect for bringing the group access to a new victim network.
	</p>

	<p>
		 
	</p>

	<p>
		I put together the above graphic to illustrate some of the more notable ransom gang reinventions over the past five years. What it doesn’t show is what we already know about the cybercriminals behind many of these seemingly disparate ransomware groups, some of whom were pioneers in the ransomware space almost a decade ago. We’ll explore that more in the latter half of this story.
	</p>

	<p>
		 
	</p>

	<p>
		One of the more intriguing and recent revamps involves DarkSide, the group that extracted a $5 million ransom from Colonial Pipeline earlier this year, only to watch <a href="https://krebsonsecurity.com/2021/06/justice-dept-claws-back-2-3m-paid-by-colonial-pipeline-to-ransomware-gang/" rel="external nofollow" target="_blank">much of it get clawed back in an operation by the U.S. Department of Justice</a>.
	</p>

	<p>
		 
	</p>

	<p>
		After acknowledging someone had also seized their Internet servers, DarkSide <a href="https://krebsonsecurity.com/2021/05/darkside-ransomware-gang-quits-after-servers-bitcoin-stash-seized/" rel="external nofollow" target="_blank">announced it was folding</a>. But a little more than a month later, a new ransomware affiliate program called BlackMatter emerged, and experts quickly <a href="https://www.bleepingcomputer.com/news/security/darkside-ransomware-gang-returns-as-new-blackmatter-operation/" rel="external nofollow" target="_blank">determined</a> BlackMatter was using the same unique encryption methods that DarkSide had used in their attacks.
	</p>

	<p>
		 
	</p>

	<p>
		DarkSide’s demise roughly coincided with that of REvil, a long-running ransomware group that claims to have extorted more than $100 million from victims. REvil’s last big victim was Kaseya, a Miami-based company whose products help system administrators manage large networks remotely. That attack let REvil deploy ransomware to as many as 1,500 organizations that used Kaseya.
	</p>

	<p>
		 
	</p>

	<p>
		REvil demanded a whopping $70 million to release a universal decryptor for all victims of the Kaseya attack. Just days later, President Biden <a href="https://www.cnbc.com/2021/07/09/ransomware-biden-presses-putin-to-disrupt-cybercriminals-in-russia.html" rel="external nofollow" target="_blank">reportedly</a> told Russian President Vladimir Putin that he expects Russia to act when the United States shares information on specific Russians involved in ransomware activity.
	</p>

	<p>
		 
	</p>

	<div id="attachment_56488">
		<img alt="revil-note.png" class="ipsImage" data-ratio="64.85" height="441" width="680" src="https://krebsonsecurity.com/wp-content/uploads/2021/08/revil-note.png">
		<p id="caption-attachment-56488">
			A REvil ransom note.
		</p>
	</div>

	<p>
		 
	</p>

	<p>
		Whether that conversation prompted actions is unclear. But REvil’s victim shaming blog would disappear from the dark web just four days later.
	</p>

	<p>
		 
	</p>

	<p>
		Mark Arena, CEO of cyber threat intelligence firm <a href="https://www.intel471.com" rel="external nofollow" target="_blank">Intel 471</a>, said it remains unclear whether BlackMatter is the REvil crew operating under a new banner, or if it is simply the reincarnation of DarkSide.
	</p>

	<p>
		 
	</p>

	<p>
		But one thing is clear, Arena said: “Likely we will see them again unless they’ve been arrested.”
	</p>

	<p>
		 
	</p>

	<p>
		Likely, indeed. REvil is widely considered a reboot of <a href="https://krebsonsecurity.com/?s=gandcrab" rel="external nofollow" target="_blank">GandCrab</a>, a prolific ransomware gang that boasted of extorting more than $2 billion over 12 months before abruptly closing up shop in June 2019. “We are living proof that you can do evil and get off scot-free,” GandCrab bragged.
	</p>

	<p>
		 
	</p>

	<p>
		And wouldn’t you know it: Researchers have found GandCrab <a href="https://research.checkpoint.com/2018/gandcrab-ransomware-mindset/" rel="external nofollow" target="_blank">shared key behaviors</a> with Cerber, an early ransomware-as-a-service operation that stopped claiming new victims at roughly the same time that GandCrab came on the scene.
	</p>

	<h2>
		GOOD GRIEF
	</h2>

	<p>
		The past few months have been a busy time for ransomware groups looking to rebrand. BleepingComputer recently <a href="https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-gang-rebrands-as-the-grief-group/" rel="external nofollow" target="_blank">reported</a> that the new “Grief” ransomware startup was just the latest paintjob of DoppelPaymer, a ransomware strain that shared most of its code with an earlier iteration from 2016 called BitPaymer.
	</p>

	<p>
		 
	</p>

	<p>
		All three of these ransom operations stem from a prolific cybercrime group known variously as <a href="https://attack.mitre.org/groups/G0092/" rel="external nofollow" target="_blank">TA505,</a> “Indrik Spider” and (perhaps most memorably) <a href="https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/" rel="external nofollow" target="_blank">Evil Corp</a>. According to security firm CrowdStrike, Indrik Spider was formed in 2014 by former affiliates of the <a href="https://krebsonsecurity.com/tag/gameover-zeus/" rel="external nofollow" target="_blank">GameOver Zeus criminal network</a> who internally referred to themselves as “<a href="https://krebsonsecurity.com/2015/08/inside-the-100m-business-club-crime-gang/" rel="external nofollow" target="_blank">The Business Club</a>.”
	</p>

	<p>
		 
	</p>

	<p>
		The Business Club was a notorious Eastern European organized cybercrime gang accused of stealing more than $100 million from banks and businesses worldwide. In 2015, <a href="https://krebsonsecurity.com/2015/02/fbi-3m-bounty-for-zeus-trojan-author/" rel="external nofollow" target="_blank">the FBI offered a standing $3 million bounty</a> for information leading to the capture of the Business Club’s leader — Evgeniy Mikhailovich Bogachev. By the time the FBI put a price on his head, Bogachev’s Zeus trojan and later variants had been infecting computers for nearly a decade.
	</p>

	<p>
		 
	</p>

	<div id="attachment_26282">
		<img alt="evgeniy-fbi.png" class="ipsImage" data-ratio="75.10" height="540" width="477" src="https://krebsonsecurity.com/wp-content/uploads/2014/06/evgeniy-fbi.png">
		<p id="caption-attachment-26282">
			The alleged ZeuS Trojan author, Evgeniy Mikhaylovich Bogachev. Source: FBI
		</p>
	</div>

	<p>
		 
	</p>

	<p>
		Bogachev was way ahead of his colleagues in pursuing ransomware. His <a href="https://krebsonsecurity.com/2014/06/backstage-with-the-gameover-botnet-hijackers/" rel="external nofollow" target="_blank">Gameover Zeus Botnet</a> was a peer-to-peer crime machine that infected between 500,000 and a million Microsoft Windows computers. Throughout 2013 and 2014, PCs infected with Gameover were seeded with <a href="https://en.wikipedia.org/wiki/CryptoLocker" rel="external nofollow" target="_blank">Cryptolocker</a>, an early, much-copied ransomware strain allegedly authored by Bogachev himself.
	</p>

	<p>
		 
	</p>

	<p>
		CrowdStrike notes that shortly after the group’s inception, Indrik Spider developed their own custom malware known as <a href="https://any.run/malware-trends/dridex" rel="external nofollow" target="_blank">Dridex</a>, which has emerged as a major vector for deploying malware that lays the groundwork for ransomware attacks.
	</p>

	<p>
		 
	</p>

	<p>
		“Early versions of Dridex were primitive, but over the years the malware became increasingly professional and sophisticated,” CrowdStrike researchers wrote. “In fact, Dridex operations were significant throughout 2015 and 2016, making it one of the most prevalent eCrime malware families.”
	</p>

	<p>
		 
	</p>

	<p>
		That <a href="https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/" rel="external nofollow" target="_blank">CrowdStrike report</a> was from July 2019. In April 2021, security experts at Check Point Software found Dridex <a href="https://blog.checkpoint.com/2021/05/13/april-2021s-most-wanted-malware-dridex-remains-in-top-position-amidst-global-surge-in-ransomware-attacks/" rel="external nofollow" target="_blank">was still the most prevalent malware</a> (for the second month running). Mainly distributed via well-crafted phishing emails — such as <a href="https://blog.knowbe4.com/new-quickbooks-themed-phishing-attack-seeks-to-infect-victims-with-dridex-malware" rel="external nofollow" target="_blank">a recent campaign that spoofed QuickBooks</a> — Dridex often serves as the attacker’s initial foothold in company-wide ransomware attacks, Check Point said.
	</p>

	<h2>
		REBRANDING TO AVOID SANCTIONS
	</h2>

	<p>
		Another ransomware family tied to Evil Corp. and the Dridex gang is <a href="https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/" rel="external nofollow" target="_blank">WastedLocker</a>, which is the latest name of a ransomware strain that has rebranded several times since 2019. That was when the Justice Department put a $5 million bounty on the head of Evil Corp., and the Treasury Department’s Office of Foreign Asset Control (OFAC) said it was prepared to <a href="https://krebsonsecurity.com/2020/10/ransomware-victims-that-pay-up-could-incur-steep-fines-from-uncle-sam/" rel="external nofollow" target="_blank">impose hefty fines on anyone who paid a ransom to the cybercrime group</a>.
	</p>

	<p>
		 
	</p>

	<div id="attachment_49935">
		<p>
			<img alt="yukabets.png" class="ipsImage" data-ratio="75.10" height="540" width="663" src="https://krebsonsecurity.com/wp-content/uploads/2019/12/yukabets.png">
		</p>

		<p id="caption-attachment-49935">
			Alleged Evil Corp leader Maksim “Aqua” Yakubets. Image: FBI
		</p>
	</div>

	<p>
		 
	</p>

	<p>
		In early June 2021, researchers discovered the Dridex gang was once again trying to morph in an effort to evade U.S. sanctions. The drama began when the <a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/babuk-ransomware/" rel="external nofollow" target="_blank">Babuk ransomware group</a> announced in May that they were starting a new platform for data leak extortion, which was intended to appeal to ransomware groups that didn’t already have a blog where they could publicly shame victims into paying by gradually releasing stolen data.
	</p>

	<p>
		 
	</p>

	<p>
		On June 1, Babuk changed the name of its leaks site to payload[dot]bin, and began leaking victim data. Since then, multiple security experts have spotted what they believe is <a href="https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/" rel="external nofollow" target="_blank">another version of WastedLocker dressed up as payload.bin-branded ransomware</a>.
	</p>

	<p>
		 
	</p>

	<p>
		“Looks like EvilCorp is trying to pass off as Babuk this time,” <a href="https://twitter.com/fwosar/status/1401110845820747797" rel="external nofollow" target="_blank">wrote</a> Fabian Wosar, chief technology officer at security firm Emsisoft. “As Babuk releases their PayloadBin leak portal, EvilCorp rebrands WastedLocker once again as PayloadBin in an attempt to trick victims into violating OFAC regulations.”
	</p>

	<p>
		 
	</p>

	<p>
		Experts are quick to point out that many cybercriminals involved in ransomware activity are affiliates of more than one distinct ransomware-as-a-service operation. In addition, it is common for a large number of affiliates to migrate to competing ransomware groups when their existing sponsor suddenly gets shut down.
	</p>

	<p>
		 
	</p>

	<p>
		All of the above would seem to suggest that the success of any strategy for countering the ransomware epidemic hinges heavily on the ability to disrupt or apprehend a relatively small number of cybercriminals who appear to wear many disguises.
	</p>

	<p>
		 
	</p>

	<p>
		Perhaps that’s why the Biden Administration said last month it was <a href="https://www.nytimes.com/2021/07/15/us/biden-reward-ransomware.html" rel="external nofollow" target="_blank">offering a $10 million reward</a> for information that leads to the arrest of the gangs behind the extortion schemes, and for new approaches that make it easier to trace and block cryptocurrency payments.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/" rel="external nofollow">Ransomware Gangs and the Name Game Distraction</a>
</p>
]]></description><guid isPermaLink="false">1624</guid><pubDate>Fri, 06 Aug 2021 00:17:29 +0000</pubDate></item><item><title>Facebook scatters privacy settings all over the place on mobile</title><link>https://nsaneforums.com/news/security-privacy-news/facebook-scatters-privacy-settings-all-over-the-place-on-mobile-r1623/</link><description><![CDATA[<p>
	Every other year, Facebook announces that it has changed the settings of its web version and/or applications. This month's change is rolling out to all users of Facebook's mobile application, and its main purpose is to streamline the layout and make things easier to find, without removing any of the previous settings.
</p>

<p>
	 
</p>

<p>
	Facebook's privacy settings were last <a data-wpel-link="external" href="https://about.fb.com/news/2018/03/privacy-shortcuts/" rel="external nofollow" target="_blank">changed</a> in 2018. Back then, the company claimed that the new design would make "things easier to find", because settings were now found in a single place.
</p>

<p>
	 
</p>

<p>
	Today's update <a data-wpel-link="external" href="https://about.fb.com/news/2021/08/facebook-settings-redesign/" rel="external nofollow" target="_blank">changes</a> Facebook's settings page significantly. The company reduced the number of categories and decided to rename them to "more closely match people's mental models". Facebook <a data-wpel-link="external" href="https://www.ttclabs.net/research/how-to-make-privacy-settings-easier-to-find-using-better-names-and-organization" rel="external nofollow" target="_blank">notes</a> its new system takes into account user expectations, so that specific settings are easier to find in the application.
</p>

<p>
	 
</p>

<p>
	<img alt="facebook-privacy.png" class="ipsImage" data-ratio="75.10" height="540" width="526" src="https://mk0ghacksnety2pjrgh8.kinstacdn.com/wp-content/uploads/2021/08/facebook-privacy.png">
</p>

<p>
	 
</p>

<p>
	The six categories that Facebook's settings page is divided into are Account, Preferences, Audience and Visibility, Permissions, Your Information, and Community Standards and Legal Policies.
</p>

<p>
	 
</p>

<p>
	And Privacy? The privacy settings have been moved to the relevant categories, to meet user expectation, according to Facebook.
</p>

<p>
	 
</p>

<p>
	Facebook's research suggests that "privacy settings can be easier to find when they're presented in short, well-organized menus," and that "grouping settings based on users' mental models about which privacy topic(s) the settings address can be even more helpful".
</p>

<blockquote>
	<p>
		Our research shows that using more specific and descriptive names makes settings easier to find. That’s why we’ve unbundled the Privacy Settings category and moved the settings previously contained within it into other categories. Finally, to more easily guide you through important privacy and security settings on Facebook, we’ve added another shortcut to Privacy Checkup, right at the top of the Settings landing page.
	</p>
</blockquote>

<p>
	As a user of Facebook's mobile application, you will find location privacy settings under permission, post visibility settings under audience and visibility, and the activity log under your information.
</p>

<p>
	 
</p>

<p>
	Users may also use the search tool to find specific settings, and the Privacy Checkup tool can be used to make some privacy-related changes in one place.
</p>

<h3>
	Closing Words
</h3>

<p>
	Many existing users will have difficulties finding specific settings that they accessed in previous versions of Facebook's mobile apps. Critics might argue that the redesigned settings make it more difficult for users to find and change privacy settings; tighter privacy settings may provide Facebook and third parties with less data, and that may affect the company's bottom line.
</p>

<p>
	 
</p>

<p>
	Ultimately, users need to go through all the settings one by one to make sure that they don't miss an important setting.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2021/08/05/facebook-scatters-privacy-settings-all-over-the-place-on-mobile/" rel="external nofollow">Facebook scatters privacy settings all over the place on mobile</a>
</p>
]]></description><guid isPermaLink="false">1623</guid><pubDate>Fri, 06 Aug 2021 00:13:26 +0000</pubDate></item><item><title>CISA teams up with Microsoft, Google, Amazon to fight ransomware</title><link>https://nsaneforums.com/news/security-privacy-news/cisa-teams-up-with-microsoft-google-amazon-to-fight-ransomware-r1622/</link><description><![CDATA[<p>
	CISA has announced the launch of Joint Cyber Defense Collaborative (JCDC), a partnership across public and private sectors focused on defending US critical infrastructure from ransomware and other cyber threats.
</p>

<p>
	 
</p>

<p>
	The new initiative's goal is to allow CISA to develop cyber defense plans in collaboration with federal agencies, SLTT (state, local, tribal and territorial) partners, and private sector orgs for national resilience against malicious cyber activity targeting critical infrastructure.
</p>

<p>
	 
</p>

<p>
	"The industry partners that have agreed to work side-by-side with CISA and our interagency teammates share the same commitment to defending our country’s national critical functions from cyber intrusions, and the imagination to spark new solutions," CISA Director Jen Easterly said.
</p>

<p>
	 
</p>

<p>
	"With these extraordinarily capable partners, our initial focus will be on efforts to combat ransomware and developing a planning framework to coordinate incidents affecting cloud service providers."
</p>

<p>
	 
</p>

<p>
	The first industry partners to join the JCDC include Microsoft, Google Cloud, Amazon Web Services, AT&amp;T, Crowdstrike, FireEye Mandiant, Lumen, Palo Alto Networks, and Verizon, with plans to expand with more private sector and SLTT partners from across sectors.
</p>

<p>
	 
</p>

<p>
	Government partners already participating include the Department of Defense, the National Security Agency, the Department of Justice, the Federal Bureau of Investigation, the U.S. Cyber Command, and the Office of the Director of National Intelligence, with additional Sector Risk Management Agencies (SRMAs) to join the effort at a later time.
</p>

<p>
	 
</p>


<p>
	 
</p>

<p>
	The launch of this partnership platform between the US public and private sectors comes after an almost continuous barrage of cyberattacks targeting US government agencies and critical infrastructure, starting with the December 2020 <a href="https://www.bleepingcomputer.com/news/security/us-government-confirms-russian-svr-behind-the-solarwinds-hack/" target="_blank" rel="external nofollow">SolarWinds supply-chain attack</a>.
</p>

<p>
	 
</p>

<p>
	Since the start of 2021, both state-sponsored and financially motivated hacking groups have coordinated <a href="https://www.bleepingcomputer.com/news/security/fbi-nuked-web-shells-from-hacked-exchange-servers-without-telling-owners/" target="_blank" rel="external nofollow">widespread attacks on Microsoft Exchange servers worldwide</a> and hit the networks of <a href="https://www.bleepingcomputer.com/tag/colonial-pipeline/" target="_blank" rel="external nofollow">Colonial Pipeline</a>, <a href="https://www.bleepingcomputer.com/news/security/food-giant-jbs-foods-shuts-down-production-after-cyberattack/" target="_blank" rel="external nofollow">JBS Foods</a>, and <a href="https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-1-000-plus-companies-in-msp-supply-chain-attack/" target="_blank" rel="external nofollow">Kaseya customers</a> in ransomware incidents.
</p>

<p>
	 
</p>

<p>
	President Joe Biden <a href="https://www.bleepingcomputer.com/news/security/new-us-security-memorandum-bolsters-critical-infrastructure-cybersecurity/" target="_blank" rel="external nofollow">issued a national security memorandum</a> during late July in response to this stream of attacks, a memorandum designed to help bolster the security of US critical infrastructure by setting baseline performance goals for infrastructure owners and operators.
</p>

<p>
	 
</p>

<p>
	The US President also warned last month that severe security breaches <a href="https://www.bleepingcomputer.com/news/security/biden-severe-cyberattacks-could-escalate-to-real-shooting-war/" target="_blank" rel="external nofollow">could potentially escalate to a "real shooting war"</a> with another major world power.
</p>

<p>
	 
</p>

<p>
	"In recent months, various major cyber incidents have had an impact on our critical infrastructure community and caused downstream consequences to Americans that rely on it for everyday functions," CISA <a href="https://www.cisa.gov/news/2021/08/05/cisa-launches-new-joint-cyber-defense-collaborative" rel="external nofollow" target="_blank">said</a> today, after announcing JCDC's formation.
</p>

<p>
	 
</p>

<p>
	"As a community, the JCDC will deploy innovation, collaboration, and imagination to protect American businesses, government agencies, and our people against cyber intrusions."
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/cisa-teams-up-with-microsoft-google-amazon-to-fight-ransomware/" rel="external nofollow">CISA teams up with Microsoft, Google, Amazon to fight ransomware</a>
</p>
]]></description><guid isPermaLink="false">1622</guid><pubDate>Fri, 06 Aug 2021 00:10:37 +0000</pubDate></item></channel></rss>
